“Even if you hide in a cave and don’t use a computer, your name ‘Netta Ahituv’ still has an entry in an Interior Ministry file. You have a digital identity, someone can vote in your place, conduct transactions at banks in your name. You are a cyber entity by definition, and the scale of this will only increase,” I’m told by Erez Kreiner, who established the first cyber-protection unit in Israel within the framework of the Shin Bet security service in 1996.
A few years ago, at a hackers’ conference in Tel Aviv, the unit distributed brochures, Kreiner relates. “One side of the brochure said, ‘If you’re good, call us.’ The other side read, ‘If you’re really good, go to this site and try to solve the riddle.’ It was a four-stage riddle. We received about 600 entries to the site, of which six solved all four elements.
“We contacted all six and invited them to a job interview,” he continues. “Three were eliminated straight off because of personality incompatibility, and the other three were 14-15 years old. We brought them to a recruitment facility and spoke with their parents. I remember it took me a long time to convince one of the mothers that we weren’t from some mafia-type organization. At the end of the process we took these guys to work for us in all kinds of jobs that you can do at that young age without a security clearance. The state got a good contribution from them, and some interesting work came out of it.
“In the cyber realm it’s enough to put a few smart people in a room with a few computers and you can create weapons,” adds Kreiner, who subsequently left the Shin Bet and started his own consulting company, called CyberRider. He will be taking part in Cybertech 2017 next week (Jan. 30-Feb. 1) at the Tel Aviv Fairgrounds. “Things happened that were worrisome enough to persuade all the Western countries to establish vast protection systems for their critical computer infrastructures – the ones that support our everyday life, such as energy and communications.”
Most of the incidents Kreiner is alluding to are not public knowledge. In many cases cyberattacks are blocked and their occurrence is not publicized. But there have been other cases as well. The most recent and notorious of these is the Russian interference in the U.S. presidential election. American intelligence agencies believe that Moscow’s intervention began as a simple cyber operation intended to collect information and morphed into a concrete attempt to undermine Hillary Clinton’s prospects of being elected and improve those of her adversary, Donald Trump.
Russia has also been linked to another immense and unprecedented cyberattack. It occurred in early 2016, when three power plants of the western Ukraine electricity company (Prykarpattyaoblenergo) were cut off from the electrical grid for several hours by means of an intrusion by an external computer program. Hundreds of thousands of households were left without power during the winter. It was the first time that a cyberattack succeeded in shutting down power systems on a scale of that magnitude. Ukrainian authorities were quick to blame Russia for the attack, which was apparently a result of the mounting tension between the two countries following Russia’s annexation of Crimea in 2014.
In October 2016, the public learned about another large-scale cyberattack, one that had been kept secret for more than a year. It turned out that in April 2015, 12 channels of the French television network TV5Monde went off the air simultaneously, and stayed off for 18 hours. In this case, it was the “Cyber Caliphate,” aka the Islamic State Hacking Division, that claimed responsibility.
It also became known last October that access to a number of global websites – such as Twitter, PayPal, Amazon, CNN, The New York Times, Airbnb, Netflix and Spotify – had been blocked in the wake of three cyberattacks on the servers of the American DNS (domain name system) provider Dyn. The attackers in that case claimed to be from Anonymous, one of the world’s most well-known hacking groups, whose members term themselves activists and launch actions against religious, governmental and corporate interests. Just two months after the users of those sites recovered from their loss of confidence in the web, the biggest cyberattack to date was carried out: More than one billion email accounts held by California-based Yahoo! were hacked, and all the account holders were requested to change their passwords.
Recently it was learned that the Israel Defense Forces was the victim of a cyberattack staged by Hamas during the past year. Unsophisticated as the method of operation may have seemed, it was effective: By means of online profiles of fictitious women on social networks, hackers from the Islamist organization made contact with soldiers, mainly from combat units. Following the initial correspondence, the “attractive woman” asked the man on the other end to download an app that would allow video chats. After the download, the soldiers received a message that the installation had failed – and the mysterious woman vanished.
This was actually a Trojan-horse attack. That is, by means of the app download, malware was installed in the soldiers’ smartphones through which information such as phone numbers, text messages, photos and files could be collected. A more sophisticated method enables the phone to be operated remotely, making it possible for the attacker to take photographs and listen in on conversations – a kind of remote-controlled espionage device. The IDF subsequently drew up new guidelines for soldiers’ behavior on social networks.
Israel is undertaking its own share of Trojan-horse attacks as well, or so it is assumed, since the connection between the Stuxnet virus and Israel (as well as the United States, which is also believed to have been involved in its design) has never been acknowledged. Stuxnet is a sophisticated computer “worm” that was first identified in 2010. The worm targets industrial computer systems and causes damage to them. It is known that it penetrated Iran’s nuclear program at least once during 2010, and did significant damage. Its sophistication includes the software’s ability to erase itself and leave no trace of its creators.
According to another Cybertech 2017 participant, Zori Kor, formerly head of the technology and information security department in the Shin Bet, Israel has been preparing for cyberattacks for years. “In 1996,” he notes, “after the assassination of [Prime Minister] Yitzhak Rabin, Ami Ayalon was appointed head of the Shin Bet. Given the indisputable fact that the assassination was [the result of] a huge failure by the security service, Ayalon asked, ‘What else could happen? What more should we prepare for?’
“This led to comprehensive research about possible future threats,” Kor continues. “That staff work was the beginning of Israel’s journey into the technological world of information security. In the physical world, first the threat is created and then you respond to it – for example, Hamas manufactures Qassam rockets, so you install Iron Dome. But here there was a Shin Bet stroke of brilliance: First we developed the protection and afterward came the concrete threat. It’s amazing that as early as 1996 Israel understood that it was necessary to protect power, water, energy, fuel, drilling and other systems.”
Crime in cyberspace
In 2010, Israel established the National Cyber Initiative, which includes representatives from the main official bodies engaged in the field and in R&D. In 2012, the initiative became the National Cyber Bureau, which is subordinate to the prime minister and also responsible for drawing up and implementing the country’s cyber policy. Most of the powers in this area that formerly resided with the Shin Bet were transferred to the NCB.
“We are in the golden age of Israeli industry in the cyber world. The demand for cyber protection will increase, and the Israelis will be the strongest players in that field,” boasts Kor. “Few countries are capable of coping with a cyberattack as well as Israel,” he adds. Kreiner agrees. “The cyber world very much suits the Israeli character,” he explains. “Everyone is familiar with the scenario in which a few guys are sitting in a café and building something. This one knows that one, the other one knows someone else, and before you know it a cyber-protection company is founded. The minimal degrees of separation between people in Israel suit the dynamics of the cyber world.”
As individuals, can we ever feel protected against cyberattacks?
Kreiner: “Not really. It won’t be long before we’ll have small computerized systems on our clothing and on our body, meaning more breach points for cyberattacks. But in contrast to the physical world, in which you can identify the assailant, when a cyberattack occurs, most of the time you don’t even smell the smoke. Even when you do smell it, you don’t necessarily see the gun. When you see the gun, you don’t yet see the hand that’s holding it. When you see the hand, you still can’t know who pulled the trigger. It’s a completely different process from what we’re familiar with in the world of physical combat. Much of it isn’t grasped by our senses. It’s a world that’s difficult to apprehend with everyday intuition.”
Crime is also now shifting to cyberspace, Kor observes. “We are seeing fewer and fewer cases of bank robberies with motorcycles and masks, but that doesn’t mean that fewer banks are being robbed. It means that they are being robbed via their computer systems.”
In addition, he explains another new aspect of cyber-related thinking: The concept that it’s necessary to protect the organizational envelope of computer systems against hacking has played itself out.
Kor: “Today, it’s more correct to assume that the attacker is already inside, within my systems, and that now I have to find the best way to neutralize his damage and prevent him from getting to the information he’s interested in obtaining. That could be done, for example, by shutting down certain systems at certain times of the day. Once the attacker realizes that there’s a confrontation, he may well back off, even before aiming for his target. It will be a constant rebuffing of attacks, like in a volleyball game.”
Will cyberattacks supplant other security threats, or will they be added to all the evils that already exist?
Kreiner: “The ability to stab someone with a knife will remain. Cyber adds a new dimension to the old threats but doesn’t replace them. On the other hand, it can also protect us from some of the existing threats. For example, weapons today can ‘talk’ among themselves and be far more accurate, thereby averting the danger of friendly fire. And clearly the cyber world will be of use in many life-saving situations.”
Will we soon be seeing cyber diplomacy between countries, as we saw the development of environmental diplomacy – countries fashioning diplomatic relations against the background of shared environmental threats?
Kor: “Definitely. There will be attempts to regulate sector boundaries between what’s allowed and what’s forbidden. On the other hand, there will be countries that have not engaged in physical confrontation but will start to develop cyber confrontations – as we see now in the tension between the United States and Russia.”
For his part, Kreiner doesn’t see cooperation on defensive measures taking place. “When it comes to cyber issues, no country admits to launching cyberattacks, and this situation is unlikely to change in the near future. Why admit to it if you can conceal it, if you can cause damage without others knowing? In addition, neither states nor commercial firms are eager to acknowledge that they have been attacked. Everyone tries to hide it, in order not to display weakness, which will complicate diplomacy. Besides, it’s difficult to identify the origins of a cyberattack. I’ll give you an example. Some of the cyberattacks on Israel originate in the United States. It’s not because the United States has decided to attack Israel, but rather that attacks come from different places and their last stop before Israel is the United States.”
Geography is “of no importance” in cyber issues, Kreiner adds. “A Hamas activist could be situated in China or Australia. Or the attack might have been perpetrated by an Australian who supports the Palestinian cause. The identity of the adversary becomes meaningless, he becomes vague. For purposes of the discussion, let’s say Israel has 10 enemies that are capable of attacking it with missiles. When it comes to cyberattacks, Israel’s enemies are the whole world. It could be a group of Greens in England who object to kosher slaughter in Israel and attack the database of the Chief Rabbinate. So does the rabbinate counterattack? That’s not practical. On top of which, it’s difficult to enact laws and lay down regulations on this subject. I can’t think of one cyber-related law that was appropriate 20 years ago and remains so today. The mechanisms of legislation and regulation are too slow for the dynamics of the cyber world.”
Unlike Kreiner, who sees the whole world as an enemy, Kor identifies five specific types of potential cyberattacks. “By states, by terrorist organizations, by hackers for financial profit, by young people who want to show that they are geniuses, and by frustrated employees who decide to take revenge on their companies. Those are the five players. When they are identified it’s easier to rebuff them or prevent the attack in advance.”
It’s also a very privatized realm, with the primary burden of defense falling on private companies.
Kreiner: “At present almost the whole cyber realm is managed by private bodies. You rely on the government of Israel to protect you from the Iranian army and on the Israel Police to protect you from muggers, but you don’t rely on those bodies to protect your computer from an Iranian virus. Protection of cyber assets, both of private individuals and of commercial firms, falls primarily on the shoulders of citizens and businesses. Today, the responsibility of CEOs and board chairpersons includes cybersecurity. Thus, it’s clear to you that responsibility for your bank account not being hacked lies with the bank’s CEO. Governments and governmental organizations can deal with critical infrastructure and assist private firms, but in the end the protection of virtual assets is up to you and the companies that provide you with services.”
The classic example of CEO responsibility is a cyberattack that was launched against the Target retail chain in the United States in 2013. The details of 40 million credit cards belonging to the chain’s clients were stolen. It’s known that information from between one and three million of the cards reached the black market and was sold for $27 per account. The fate of the others isn’t known, and to date no one has been implicated. Target did not reveal the scale of the data stolen, but estimates ranged from $250 million to $500 million earned by selling the card numbers or their owners’ data. Target’s chief executive officer, Gregg Steinhafel, resigned in the wake of criticism by customers and the board of directors that he hadn’t responded quickly enough to the hack and hadn’t heeded signs that anticipated the breach in the computer system.
Are we on the way to a complete loss of privacy?
Kreiner: “There’s inherent tension between cybersecurity and privacy. On the one hand, I want cyberattacks to be contained, and certainly for terrorists to be caught by spying on them via computers. At the same time, I don’t want my privacy to be compromised. But how will information about potential terrorists be collected without penetrating the information of private citizens? It’s hypocritical to demand that Facebook transmit to the government everything it knows about crime at the same time you demand that it not transmit my personal details along the way.
“Without taking a stand on the new Israeli biometric database, I want to say that people forget that a number of biometric databases of Israel’s citizens already exist. One of the largest is the IDF’s database of everyone who ever served in the army. The army knows the shoe size, eye color and health situation of every soldier. When you think of it in that way, the question of the privacy of the biometric database becomes superfluous.”
Kor: “The era of privacy is over. We live in a world where privacy barely exists, and that’s not necessarily a bad thing. Whereas the attacker has almost no inhibitions and restraints – he wants to infiltrate your privacy and doesn’t ask permission – the protectors still have to ask your permission to penetrate your privacy. The result is that the attackers have the edge over the protectors, and that’s not good. So, we need to understand that in order to protect ourselves we have to forgo some of our privacy. And in truth, that’s not as awful as it sounds.”