Key to Israel’s cyber-success is that Prime Minister Benjamin Netanyahu put himself in charge of cyber as he had identified it as both one of the biggest threats facing the country as well as one of its biggest business opportunities.
At dinner in Tel Aviv with Rami Efrati, former head of the Civilian Division of the Israel National Cyber Bureau in the Prime Minister’s office, and Iddo Moed, cyber coordinator at the Ministry of Foreign Affairs, SC Media UK joined international journalists for an informal briefing on the Israeli government’s approach to developing a cyber-ecosystem in the country.
Efrati suggests that it is not possible to dictate the direction of development of cyber-security, and all the government (in this case, of Israel) can do is: “Set the course then do your best,” to encourage industry to follow that course.
But Israel is clearly doing something right with Moed reporting that some 300 heads of state and foreign ministers had visited the country specifically seeking to learn how Israel covered what he called the two Ts, terrorism and tech – with cyber security the most important area of tech.
The ecosystem created in Israel is described as combining academia, government, the military and business. However, the government is taking a deliberately low-key approach to regulation so as to avoid stifling innovation. The key to Israel’s success, according to Efrati, is that back in 2012 the Prime Minister Benjamin Netanyahu decided to put himself in charge of cyber as he had identified it as both one of the biggest threats facing the country as well as one of its biggest business opportunities.
The consequence was that all departments needed to cooperate as the PM dictated the budget; it also meant that the Israeli cyber-directorate reported direct to the PM. Another development in the country was that back in 1997 Israel introduced its eGovernment initiative, effectively making it a primary target for attackers. As a consequence it is now one of the most secure departments in the country.
In 2010 the National Infrastructure Security Authority was established to protect critical national infrastructure; a list of 28 organisations was identified, and the organisation also became the regulator.
Culturally too, Israel’s national service and a clear external threat have added to both national cohesion and an understanding of the need for a security-conscious mindset, with a positive view of government involvement by young start-ups.
And the success of US$200 million cyber-IPOs has even had an effect on the nation’s mothers – no longer seeking lawyers or medical doctors for their children to marry, but instead preferring that they go for a “cyber-mensch” suggested Efrati.
Plus, via the infamous Unit 8200 alumni, the country has a pipeline of young cybersec experts with real-world practical experience, with national service acting as an incubator, combining all sections of society – rich and poor and geographically disparate. Though it is a small country and connections made are easily maintained.
Efrati suggests that two of the main things taught by the Unit 8200 are out-of-the-box thinking; and leadership and cooperation – with companies being formed not just by members of the unit, but colleagues who worked alongside each other.
The government sees its role as focussing on identifying and tackling those issues which are truly critical.
Yet another development was resolution 361 coming from the Prime Minister, which articulated the aim of placing Israel in the top five countries in cyber-security. It was accepted that this would need the country to allocate a lot of money as cyber is not cheap, and also that increasing the supply of people would entail more investment in education, hence the first Masters Degree in cyber security at the University of the Negev. The reason for a dedicated degree rather than an offshoot of, say, computing is that it was recognised as an interdisciplinary subject that also entailed software, engineering, ethics, business and management. Ideally you want to have the best people in your own country working on it. “We want everyone in Israel to know how to deal with a cyber-attack,” says Efrati.
Practical government steps include providing 50 percent funding for R&D and support for start-ups – with the knowledge that many will fail, some will be sold to global giants, and some may become giants themselves.
In addition, Israel consciously sought to attract other US and European companies to establish R&D facilities in Israel, and it has succeeded with the arrival of Microsoft, IBM, PayPal, Amazon and Intel among others.
As well as establishing a national CERT, Israel also established vertical sector CERTs for Finance and Energy, with plans for others including Traffic Control and Environment. It is also looking at non-financial use of blockchain, automated car security and cyber security in health.
Efrati’s initial comment about the annual pro-Palestinian rights OpIsrael attacks by Anonymous on the Israeli government’s web presence was to say it improved their defences and, “we don’t even have to pay for it,” but he then went on to confirm that the government does in fact take these, primarily DDoS attacks and web defacement attacks, seriously as they could be deception cover for a different type of attack. Involvement of volunteers from different companies to aid defences is also seen as a contributor to cross-sector relationships, trust building and cooperation with sharing of information.
Another aspect of helping companies ensure business continuity was assistance in how to deal with the media when there is an attack, whether on companies or the country. Advice from Efrati included, “Never lie to the media. Say you don’t know if you don’t know.”
The role of the government in relation to cyber also extends to facilitating regulation, as companies need to share regulation, but in some circumstances competitors can’t sit together (for fear of breaking rules to prevent anti-competitive collaboration) thus forums to make this legal are required, including information sharing via CERTs.
Further clarification is expected when the new draft cyber law is posted for discussion in the Knesset next autumn and expected to be implemented by the end of the year, fixing responsibilities so that companies will know what is required of them – rather than cooperating via the CERT while signing NDAs.
No mention was made of Stuxnet, but by 2016 the government had apparently decided not to use cyber as an offensive weapon as it was not considered safe. Despite current reports of voting interference, Israel is continuing to work on its eVoting system, with Efrati commenting, “No system is fully secure, but we believe the government has done what it can and knows how to secure itself.”
Efrati concluded that ensuring Israel is a leading country in cyber is costing a fortune, “But it’s worth it.”