In our five-minute CIO series, Lior Tabansky explains how cyberattacks could have a seismic effect on the world order.
Lior Tabansky is a cyber power scholar at the Blavatnik Interdisciplinary Cyber Research Center (ICRC) and the director of strategy at Tel-Aviv-based cybersecurity consultancy firm CSG.
Tabansky brings a refreshing interdisciplinary approach to cybersecurity, facilitated by his political science and security studies, 15 years of hands-on IT professional practice, and high-level think tank, policy and corporate experience.
His strategic cybersecurity expertise stems from a unique combination: service in the Israeli Air Force, a subsequent career designing and managing business ICT infrastructure, postgraduate political science education and a proven commitment to interdisciplinary, academic policy-oriented research.
Tabansky recently wrote an insightful and timely book – Cybersecurity in Israel – co-authored with Prof Isaac Ben-Israel and published by Springer.
This comprehensive yet concise work offers an ‘insider’ strategic analysis of Israeli cyber power, with invaluable lessons to be learned by governments and corporations alike.
How does one become a cyber scholar?
I was always interested in politics and international relations because, since high school, I figured out this was important and I wanted to know how the world works. In parallel, around the mid-90s, the whole PC revolution happened and it fascinated me. And then you realise that things don’t work like they are supposed to, and I learned on my own to play with it and fix it and from there on, I pursued parallel academic tracks. One track was political science and security studies and, in parallel, I began working in IT as an admin because they paid more than other professions.
Around 2003, I was doing a master’s on the role of IT in counter-terrorism and that’s how I became more established academically in this field. From there on, technology changed, and I was studying mostly the development of how it can challenge national security.
Is most of your work academic?
First of all, this subject is not very fashionable in academia because it is mostly current affairs; it relates to policy issues and is constantly moving, so it is on the fringes of the academic world.
I had a lot of backlash for trying to pursue proper academic research with things that are constantly moving. It’s a conceptual issue.
On top of that, the centre we established at Tel-Aviv University is more like a think tank in terms of influencing policy debates – it is mostly pure research. We also hold our Cyber Week conference in the summer, which attracts 5,000 people and delegations from 50 countries.
With cyberattacks on the rise, every individual is threatened. How do you see the world we are in?
This is not a purely defence issue; each one of us is affected. This is precisely why, as a civilisation, we build societies, states, cities and so on. The primary duty of the state is to provide security for society. Of course, you need to change a lot and adapt and this is where I think the west, and particularly the US, are doing a particularly bad job.
They were the first to develop the whole field, to recognise and publish the deep implications of technology, and yet they are still all the time complaining about China, and now it has switched to Russia; but their governments fail to protect the companies, the citizens and civil society, and maybe they are not even trying.
So, the failure is not even trying. This is a very typical problem. We are in the midst of a revolution similar to the industrial revolution and, unless society and states adapt, we will see dramatic shifts in world power.
And, sitting where we are sitting, that is not a good thing. The shakes and tremors will come at everyone’s expense.
Most of the rest of the world doesn’t like the western world’s dominance, and these are the ones who will continue to challenge the western way of life – it is a dangerous situation.
Do you feel that the way the western world is going about cybersecurity – with an emphasis on surveillance rather than defence – is the wrong approach?
Yes. It is not a resource issue. The US, for example, has by far the largest resources of all their competitors combined, definitely in defence and security. The NSA has been the largest employer of mathematicians for decades, so they are way ahead of all of us in that field.
The problem is politics. How you work these things out and the balance between all sorts of values and security is very difficult, and, of course, no one knows how to get it right.
It’s not a resource issue. The US has unlimited resources, manpower and technology, and they can get it right.
If you try to focus too much on defence and security, you will harm civil liberties and so on, and no one wants that.
The thing is, while we are figuring out how to solve it over the last few decades, your adversaries will try to act more and more in their interests.
Has Israel gotten it right?
There is much more to be done. We are relatively in a good situation compared to other western democracies. However, it is far away from the ideal situation that we have in security affairs. We pay taxes, we get security, and it works pretty well.
Europe is in a great historic anomaly of having several decades of zero wars. This is only because societies got the defence issue right, which includes economics, diplomacy and other things. Unless we get it right in the cyber area, there will be changes. This is what history is about.
And if we don’t get it right? Will some countries do better than others?
There are a lot of instruments for cooperation between like-minded countries in terms of official bodies such as the EU and NATO and, more importantly, bilateral. This is where the strengths of the west lie, in the freedom to have people meet and develop new ideas. This is our best chance. It is a case of western civilisation versus the rest of the world that wants to compete with us.
And yet, when it comes to security, organisations spend a fortune on cyber defence, only to have it unravel because one individual opens a phishing email …
I’m happy to hear you, as a technology journalist, acknowledge that technology can have human failure. From an information security perspective, we have a good empirical knowledge of how things happen. Most of the important breaches involve insiders; everything involves human behaviour.
The top four strategies for cyber defence will mitigate 94pc of all breaches. There are already so many readily available, built-in technology solutions that we can use and yet we don’t, and the problem is with humans.
This again brings me to society and politics, and policy and government issues, which are more complicated than a single solution or bunch of solutions. The other issue is, we do not know what the threats will look like. It is much worse when it is cyber because of the rate of change.
Therefore, I don’t know if that is the official position of Israeli strategy but the underlying notion is, we don’t know what capability we will need in the future.
It’s not like we can design a great aeroplane and it would take 20 years and we get there; we need to have an ecosystem in place that’s dynamic enough to identify changes and to adapt rapidly.
It’s a dramatically different mindset from other defence issues. You can’t just plan ahead. It is much more complicated and you need to involve sectors of society, the private sector (whether they like it or not), the education system, academia. The main responsibility for national defence should be the defence organisations.
In the last year, attacks such as WannaCry, and the various DDOS attacks on the internet of things and cloud organisations, suggest a worrying spike in attack capabilities. Do you agree?
It is very predictable: if you take Moore’s Law and subsequent laws in networking and memory, and continue to extrapolate forward, yes, the internet of things is definitely going to happen.
The complexity is growing, the number of potential threat vectors is growing, and it only means that you need to put in place better policies and prioritise where to put the limited funds we have.
Unlike the Americans who have unlimited resources, in Israel, we don’t consider DDOS attacks a big problem, but of course we do things to prevent them. The Israeli government’s networks have been withstanding DDOS attacks, larger than the Estonians suffered in 2007, routinely.
You need to assume things will go wrong and focus on the more narrow, more critical elements, because we cannot cover everything.
Has the best attack not yet been invented?
Since 2002, the government has legislated an arrangement for critical infrastructure protection. The concern was not information under threat, but the symbiosis between the operational technology and the information technology.
I think this remains the major threat scenario: a disruptive or destructive attack on the systems that underpin our modern life.
What would be the typical attack volume on Israel, what are you dealing with?
State of the art! Whatever appears on the market, we usually get it first.
Even 10 years ago, we had a lot of solutions readily available to deploy to mitigate massive DDOS attacks; even today, it is a matter of where you put your investment.
If you spend enough money, you can mitigate any volume of DDOS attack, but is it worth the effort?
Attackers are not interested in achieving the specific volume of attack, they are interested in achieving an effect. And the better your defences are, the more it helps you to incur higher costs on them.