world’s top ethical hacker on hollywood and estonian e-⁠Residency

According to world-renowned cyber expert Ralph Echemendia aka The Ethical Hacker there are no shortcuts to cybersecurity.

This post has been translated and adapted from an article first published in Estonian in Eesti Päevaleht on 15 November 2021.

Ralph Echemendia is internationally renowned for working with the world’s top organisations, including NASA, Google, Microsoft, IBM, Intel and Boeing, as well as big budget Hollywood productions, such as "Snowden", "Savages" and TV series "Mr. Robot". Although his cyber career is long and storied, today his main efforts are focused on advising companies and governments on cybersecurity issues.

As such, Echemendia gets paid for hacking various high-level IT systems to uncover potential security risks. “I can’t be hired to hack your ex,” laughed the Estonian e-⁠resident and cybersecurity expert, who physically resides in Los Angeles.

In 2011, Echemendia was called to help when Eminem’s album was leaked online before its official release. The same year, he was also the lead technical investigator on the “The Twilight Saga: Breaking Dawn – Part 1” security breach, when the hotly anticipated blockbuster was leaked online. After these two projects, Hollywood opened its doors to Ralph who has now lent his expertise to a number of acclaimed film productions and TV series.

Conflicting meanings

Echemendia points out that the concept of ethics has contradictory meanings. What we consider ethical today may not be ethical in ten years’ time. The same applies to cybersecurity, as soon as we fix security vulnerabilities, the perpetrators find new opportunities to go about their business. It is a non-stop race and Echemendia, who has amassed nearly 30 years of experience, knows that achieving 100% security is an impossible task because “acceptable risk” will always be there. However, there’s also a risk when crossing the road of being hit by a car and ending up in a hospital.

“Hackers have always targeted businesses. The only difference is that now these cases are made public. Thirty years ago, when companies were hacked, it was swept under the rug and kept secret or simply not known. Nevertheless, these things happened, even geopolitical cyber attacks. Nowadays, all such cases must be reported because of legal and regulatory requirements," explains Echemendia.

Thus far, the most serious cyber attacks targeting Estonian government agencies and major companies took place in 2007, following the relocation of the Bronze Soldier, a World War II monument for the Soviet Army that had stood in the centre of Tallinn for nearly 60 years. It was the world’s first cyber attack involving two sovereign states that received such widespread public attention. Echemendia considers it an important milestone, because people finally began to address the problem more widely and take cybersecurity more seriously. According to Jaan Priisalu, then Head of the Estonian Information System Authority, commenting on the issue in 2011, Estonians went public and were not ashamed to admit that they were attacked in such an unprecedented manner.

Since then, the world has evolved rapidly and cybersecurity has become an integral part of national defence strategies. What is more, NATO’s collective defence principle has been expanded to include cyber attacks, in addition to traditional armed attacks. Furthermore, as a result of what happened in 2007, NATO set up its Cooperative Cyber Defence Centre of Excellence in Estonia.

Deceiving people has become much easier

When asked to pinpoint the main cybersecurity challenges facing companies and governments today, Echemendia does not need a lot of time to ponder. “In my view, the most common are ransomware attacks. No other type of attack can paralyse a company in the same way as malicious access to its critical data," he said. According to Echemendia, ransomware attacks pose extremely high reputational and business risks if perpetrators gain access to a company’s databases and sensitive data.

By analysing the bigger picture and looking also to countries and governments, who are also at great risk of falling victim to cyber attacks, Echemendia highlights wetware as the weakest link in most cases, i.e.  people themselves. “Hardware and software can always be upgraded to make them more secure, but when it comes to people, it is more difficult. We are much easier to fool," said Echemendia.

Different types of ransomware attacks target people to take the criminal’s bait by clicking on something they shouldn’t touch in the first place. Therefore it is of paramount importance that people are made aware of potential risks. “The situation in Estonia is actually quite good because it has faced numerous cybersecurity issues during a relatively short period. The government has also invested in raising public awareness, starting from a very young age," praised Echemendia.

Security is compromised by rushing

According to Echemendia, it is important for companies to be able to identify and distinguish between normal and abnormal traffic in their IT systems. “For some reason, many businesses and countries find it very hard. Their systems manage huge amounts of traffic due to the interaction between different tools and applications, most of which are encrypted. However, it is essential that organisations undertake regular analysis of their network operations and implement measures that would signal any abnormal traffic. That would help prevent major losses," explained Echemendia.

Another serious problem is due to the fact that technology is built in a rush in order to put it on the market as soon as possible. “Everyone, including investors, wants a solution or service to be delivered to end users quickly. Security is always compromised by rushing and when security considerations are not given the same weight as functionality and performance," said Echemendia. Fortunately, the situation has begun to improve, with organisations across the world increasingly aware of this problem and developers better equipped to detect possible vulnerabilities.

Echemendia points out that people in management positions are key to solving this problem and that is the reason he has focused his efforts on training business and public sector leaders. They are the ones who can make a difference in the area of cybersecurity because they control how money is spent. “When talking about cybersecurity, there are no shortcuts or quick fixes, no magic tools or services that make the problem go away. Improving cybersecurity is a comprehensive and continuous process that requires specific know-how, and people who control the budgets of large organisations do not have such knowledge. They just don’t speak that language," explains Echemendia.

In his work, Echemendia’s main task is to map out what technology a particular company uses, what are the available resources and professional skills. In addition, he also advises top managers when and how to spend their money. “Back when I started in this business, my main job was sitting behind a computer, but now I mainly work as a consultant, focusing on the private sector and related cybersecurity concerns,” described Echmendia.

Cleaning staff is key

In the course of the interview, Echemendia posed an interesting question: what is the most important position in the company? Without further ado, he provided the answer – the cleaning staff. There is deep insight behind this somewhat unexpected response because seemingly inconsequential nuances often play a critical role in cybersecurity. “Nowadays, cleaning services are usually sourced from third parties and they are not part of the company’s regular staff. All you need is just one key to have access to the company’s most sensitive information. Thus, it is important to understand that when it comes to security, each and every person has a role to play and therefore everyone must also be part of the solution," explained Echemendia.

“Over time, the understanding of cybersecurity has improved. We have gained more knowledge and resources to deal with these challenges. However, the cyber world is akin to medicine – being a surgeon does not guarantee that the person would know anything about midwifery. The same applies to cybersecurity, which requires in-depth specialisation and competencies developed over a long period of time," said Echemendia.

Echemendia approaches hacking as a creative endeavour, considering that hackers must keep up with ever-changing technologies and IT systems. “Hackers are a creative people who have the knack for going in deep and fast without having any prior knowledge in that specific area. It requires a particular mindset and resilience, as well as the ability to notice details that system developers have overlooked," he explained.

Echemendia believes that cybersecurity has solidified its position as one of the top priorities for both businesses and governments. “Top managers have no time to deal with specific cybersecurity issues, their focus is on maximising profit and reducing the risk and cost of potential cyber attacks,” said Echemendia.

Estonia is a trailblazer

E-⁠Residency has allowed businesses from around the world to access Estonia’s advanced e-services and transparent and secure business environment with minimal red tape.

According to Echemendia, the programme is a trailblazing project in the global arena:

With regard to e-governance in general, Echemendia estimates that other countries are lagging far behind Estonia. “In IT, this is referred to as backward compatibility, i.e. allowing interoperability with older legacy systems. Many countries are wary of technological innovation, opting for tried and true methods that have been used for years, if not decades. They seem to think that if it ain’t broke, no need to fix it," said Echemendia.

According to Echemendia, this type of attitude is holding back the enormous potential of IT applications in e-governance and public services that could benefit the whole of humanity. “This is most unfortunate,” concluded Echemendia.

This post has been translated and adapted from an article first published in Estonian in Eesti Päevaleht on 15 November 2021.