Unit 8200, once cautiously dubbed “the central intelligence collection unit of the Intelligence Corps,” is today a huge information enterprise. The number of soldiers serving there, both enlisted and career soldiers, is larger than the workforce of the Mossad or the Shin Bet security service. And counting all the unit’s active reservists, its manpower outnumbers both of those agencies put together.
The continual rise in the size of Unit 8200 over the past two decades reflects three intertwined processes, in Israel and abroad. First, intelligence collected by technology has overtaken, in extent and importance, human intelligence, which relies on agents. Second, when it comes to technology, signals intelligence, which relies on bugging and listening, has begun to cede its importance in recent years to cyberintelligence, which relies on hacking computer systems. And third, within cyberoperations itself, alongside growing intelligence collection abilities, offensive capabilities are also improving – the ability to disrupt the enemy’s systems and thus affect an enemy country or organization's ability to function.
The three processes have added an offensive dimension to the work of units like 8200 and its counterparts abroad for the first time. In Israel, this is closely connected to another development: Iran as Israel’s prime enemy. Iran and Israel are battling each other despite not sharing a border, and cyber operatives, particularly those from 8200, have become a central component of the campaign.
Physically, the soldiers from 8200 are stationed mainly in central Israel – although they are slated to move to the Negev toward the end of the decade – but their work takes place abroad. This is a relatively new component in war, and it recalls the difference between pilots and drone operators. These assailants make essential contributions, but they themselves do not see combat and their offensives do not put them at risk.
A similar process is also taking place in defense. The increased reliance of the state, and of society in general, on digital systems has exposed it to more hacking, most of which has been criminal, rather than government-sponsored. The defensive efforts are led by the National Cyber Directorate, but the IDF also plays a central role, both because of its personnel's skills and because it needs to protect its own systems, which, if damaged, could shut them down during combat. Consequently, the military's Joint Cyber Defense Directorate has grown considerably and taken on skilled soldiers.
Over more than a decade, the IDF deliberated over the structure of its cyber realm. For the time being, plans have been frozen to establish a cybercommand to oversee all of its units and capabilities. It decided to make do with a basic division of labor, and it serves the army’s purposes reasonably well in the meantime. Military Intelligence, through Unit 8200, coordinates the collection of cyberintelligence and offensive action; the C4I and Cyber Defense Directorate is responsible for the IDF's systems, and their defense by means of the Joint Cyber Defense Directorate.
A good many of these entities' operations – and particularly the technical details – are still classified. Nevertheless, along with the high-tech's transformation into the engine of Israel's economy, the status of IDF's cyber personnel has soared. Many parents now dream that their children will be drafted to 8200: a prestigious unit promotes security – and also has clear economic potential down the road.
These changes require a bit more openness on the part of these soldiers, in order to talk to the Israeli public, to convey messages to enemy powers and sometimes to correspond with global names in cybertechnology – first and foremost American tech giants. This is apparently what inspired the army’s decision to allow Haaretz access to two of its senior officers in the field. Both are now concluding their long military careers.
Col. Uri Stav is the deputy commander of Unit 8200’s offensive unit; Col. Omer Grossman’s last posting was as commander of the "cyber advantage center,” and in normal language – head of the defense department in the C4I and Cyber Defense Directorate. This is a relatively rare opportunity to hear directly from people involved in critical areas, but they are still cautious. After years of strict discipline in cybersecurity, Stav, for example, has trouble using the actual words “cyber offensive,” and usually chooses euphemisms.
Unlike most enlisted soldiers, Stav, 43, came to the unit after getting his academic degree, and later earned his doctorate in computer science at Tel Aviv University. In recent years he has focused on signals intelligence and cyphers. “I worked much more with literature than with intelligence material. I didn’t think I would continue beyond my initial contract in the career army," he says, adding that he considered entering academia full time. "But I discovered that I enjoy commanding and instructing. I wanted to do big things, to have an impact on people here.”
Even though Stav made this decision while high-tech companies were trying to entice personnel to enter the private sector, most of the courting was indirect, he said. "My decision to stay, at any point, was the right choice for me among good possibilities.”
- Secretive Israeli Cyber Firm Selling Spy-tech to Saudi Arabia
- Israeli army foiled dozens of Iranian cyberattacks in past year
- Revealed: The Israelis Selling Cyberweapons to Latin America
Stav describes commanding the unit as the “crowning glory of the experience here. These are very high-quality people – in character, values and talent. But their motivation is complex. The challenge in commanding here is unique. You often expect them to invent things, to solve problems that other people don’t know how to solve. You can’t force someone to find a solution. They have to feel connected to the mission, with a high degree of trust in their commanders.”
Is this talent management? Do you have to act like a soccer coach, with Messi and Neymar on your team?
“It’s definitely talent management, but not of divas. You're like a coach that has to spur them on, to see how the goal remains clear and significant to them all the time. There are thousands of people here. Out of those, a few dozen or hundreds are unique in their skillsets. They give the X factor to the unit, more power and quality. We try very hard to maintain them and keep them. Anyone who chooses to stay here, in the career army, makes concessions. We want to make sure the attitude toward them is healthy and respectful. On the other hand, we'll pass up soldiers who make unsuitable demands.”
The ability to collect cyber- or signals intelligence means gravely invading the privacy of people on the enemy side, many of whom are not directly involved in threats to security. In 2014, dozens of former members of Unit 8200 wrote an open letter to then-Prime Minister Benjamin Netanyahu and top military officials, saying they would refuse to do reserve service because of this "political persecution."
Stav says that "there are tensions that we encounter in these worlds. We deal with this every day. Some of the signatories to the letter were previously under my command. I don’t feel that these are complex dilemmas. In the end, every action we take has a good and specific reason. Even if you collect a lot of data and some of it is sensitive, you don’t use it without anyone knowing. We know how to extract what we need using artificial intelligence; somebody’s dental x-rays, on the other hand, are of no interest to us.”
He adds: “Some of the reasons that 8200 is more open – including this interview – have to do with the code of ethics, our rules and norms. We are very proud of them. We have a role at this time that involves shaping these norms, in the country and in global conduct. It is also has to do with our dialogue with partners overseas. Cyberdefense is a bit different from classic military areas; there are also tech giants. They are big players that influence the rules of the game.”
Stav alludes to the upheaval these companies experienced after their close collaboration with the American security establishment was revealed, following Edward Snowden's leaking of secrets from the National Security Agency – Unit 8200's American counterpart. The unit has working relations with major tech companies, and at the same time closely cooperates with intelligence units and counterparts in the West. “We are a lot better known than we were in the past,” Stav adds. “We have dialogues with others in the industry. Globally too, we want to take an active part in shaping the reality and organization of the world. You can’t do that behind the scenes alone.”
That sounds like an ambitious goal. Why is that your role?
“Part of operational ability is connected to how the area looks – it's not just enemies that operate in it. What is possible, what’s allowed, what’s not? We’ll lose a lot if we sit on the sidelines and don’t have an impact on it. We also want to contribute to standards in this realm: we must demonstrate proportionality, pinpointed activity, responsibility.
"Our conflict with Iran has no parallel in the cyber-realm anywhere in the world. Iran attacks us and talks about destroying us. This relates to actions they have carried out that we have identified, such as attempts to sabotage the water system, to the point of poisoning it. These are unparalleled actions; other countries usually show restraint, a degree of responsibility. But in the face of such action, how do you respond? How do you neutralize the threat? How do you formulate a response to this equation that will protect civilians? This a unique case.”
The offensive side of the cyber-realm, Stav says “will remain almost totally secret. It gives us an advantage in the direct campaign against Iran, in a place where geography has no meaning. One of the challenges is that Iran supports organizations that are on our borders, but are physically distant from us. When it comes to cyberwarfare, distance doesn’t exist."
Another reason the state is involved in cyberoffensives, he says, is that "this is the place where we are really in thepremiere league of countries in the world, in skills, quality, power – but of course, not in quantity. We don’t compete with the world powers in terms of human resources.
"I’ll say cautiously that when it comes to cyber, both defensive and non-defensive, we possess the most advanced capabilities in the world. It’s our responsibility to take advantage of this vis-à-vis Iran. There’s simply an opportunity here. The awareness of this at a senior level, the backing from the military command level and the politicians, is very strong,” Stav says. “We have the complex role of revealing and explaining the sensitivity and risks, and to put on the table options and the opportunities that they may not know to ask us for.”
Stav emphasizes that not "all means are legitimate in the name of security,” referring to NSO, the Israeli cyberoffensive company that found itself blacklisted by the Biden administration after its dubious activities were exposed worldwide. In retrospect, it turned out that its deals were made with the encouragement of the Israeli government and security establishment, and that during the term of former Prime Minister Benjamin Netanyahu, the policy of “offensive cyber-diplomacy” was part of creating closer ties with some countries in the Middle East and the developing world.
According to Stav, “one of the problems with the use of technology is that, when a company creates a method or a system and it’s exposed, you can’t distinguish among its clients and their objectives. When you use this, you lose your ability to control which actions you are associated with. We chose not to buy anything from NSO, because we realized that we want to be in full control of the technology’s distribution and its objectives.”
He confirms that “There are very strong technologies out there and we decided not to go with some of them out of choice, because first and foremost, we maintain proportionality and full control of the technology. The Israeli [intelligence] community – the Defense Ministry, us, the civilian companies – have come a long way in recent years. We understand how the market should conduct itself. I believe that these standards will also be adopted by the companies outside."
As for the change the unit has undergone, Stav says: “We have become much more proactive in obtaining information. This has changed us a great deal. It is related to the abundance of data that exists today from a great many sensors, and the ability to reach it by means of more extensive insights. I experienced this myself in my 20-something years here – the opportunities that are created through connectivity, internet connectivity, greater numbers of computers and cellphones. That creates many new technologies that have to be understood and learned.
"The biggest gift we have is the quality of the manpower that arrives every year. It’s precisely the lack of experience and rapid turnover that help quick changes and quick responses to changes in the environment. They grow into the technology that’s changing all the time. They are less set in their ways, and very often change comes from the bottom-up.
"In my first assignment as head of a department, I commanded people who worked in a field that did not exist when I came to the unit five years before. Today, most of the unit changes its professional focus every 10 years," Stav says. “Hardly anyone here dealt with data science or machine learning 10 years ago. Many areas in the field of cyberdefense didn’t exist a decade ago. At that time, it was mostly the Shin Bet that dealt with it, and there were far fewer threats.
"We are in the midst of a transformation. Some of the roles are changing. There will be a big change in translation that we’ll encounter in the next three or four years,” Stav says, hinting at machine translation. "A fusion of a great many types of information is underway. A change was made in Military Intelligence three years ago, in the linkup of data systems and databases and the ability to create smart algorithms that examine all the sensors from different places. That allows us to generate more precise intelligence, and has thwarted quite a few attacks.”
Within 8200, a good deal of the commanders’ efforts is devoted to the quality of the unit's manpower over time. The commanders ascribe great importance to keeping Israel's compulsory draft law, without which, they fear, exceptionally talented young people will not desire to join the unit. If the law is overturned, Stav says, “in the course of a few years, we wouldn't be able to complete our missions. People would go straight into high-tech, and our quality would be seriously compromised. Our ability to be strong with a smaller group of people depends on the compulsory draft. We are based on the idea that graduates of computer, math and robotics Olympiads come to this unit or similar units in Military Intelligence every year.”
The unit is making a simultaneous push to increase its potential: learning programs in middle and high schools in the country's periphery, a cyber training program for combat soldiers at the end of their mandatory service and encouraging girls to choose scientific and technological programs in schools. Within the unit, Stav talks about "a significant increase in female officers in the ranks of captain to lieutenant colonel, in core positions. We have increased from 5 percent to 25 percent, but this is still far from reaching the potential for women. This is a problem at the level of the state and the education system, and despite several attempts at change, it never took off."
Stav joined 8200 in the late 90s. At that point in the unit, he says, "a professional challenge met developing technology and a unique DNA. The guys wanted to understand what could be done better." He compares their beginnings to the Palmach – the elite strike force of the pre-state Haganah militia: "There was a lot of trial and error, mostly error, but in the end the experiment worked. The next potential is continued development in the worlds of data science, and this will require major changes in the unit in the future. If we stick to this and act effectively, proportionately and responsibly, it will be a large part of the country's strength in the coming decades."
Below the escalation threshold
Col. Omer Grossman is the same age as Stav, and has performed his service at the same time on the other side of the IDF's technological space: in the SignalCorps, the Computing and Information Systems Center, and the Teleprocessing Corps, while at the same time on loan to other security organizations. Grossman was entrusted with cyber defense, from the early days of the Joint Cyber Defense Department, "when we were just a department head, a driver, a clerk and me." He later established a Incident Response and Hunting branch, "like a Sayeret Matkal intervention team," he says, referring to the elite combat unit, which was called in to deal with emergencies.
His description of the challenges of cyberdefense seems to be a mirror image of what Stav illustrates from the attacking side. "The uniqueness of cyberspace is the attacker's ability to deny it. You can work below the threshold of escalation, play with the firepower — and for you, as a defender, it is very difficult to give attribution, to say with certainty who attacked you."
Part of the difficulty stems from the lack of an international law for cyberwarfare. "There are really no agreed norms, with the exception of the Budapest Convention on Cybercrime. You can suddenly encounter ransomware" – a cyberattack used for extortion – that becomes significant, and can even have an effect on national resilience." In recent months, Grossman's people helped deal with the major cyberattack on the Hillel Yaffe Medical Center in Hadera. In the United States, he says, "the Cyber Command has been given responsibility for dealing with cybercrime. They put it high on the list of national threats."
When the war in Ukraine broke out, most experts estimated that Kyiv was expected to face serious cyber attacks by Moscow, as happened in the past in several of the wars led by the Putin regime. These predictions, like many others at the beginning of the war, did not come true. Grossman believes that still, "when the guns are roaring, cyber has less of an effect. There is no point in lowering the electricity infrastructure in a city that has already been destroyed by shelling." Other senior officials in the IDF believe that the early help the Ukrainians received from Western cyber powers may have helped to contain the Russian attack. Grossman mentions "the stand taken by companies and individuals in the West in favor of Ukraine. Elon Musk is operating a satellite infrastructure to help them."
Israel, he says, is vulnerable to cyber attacks "precisely because we are technologically advanced. It is a democratic and digital country, so the attack surface against us is large. The digital wealth creates vulnerability." The cyber division thwarts dozens of attack attempts a year, some of which are directed against the IDF's computerized systems. This is the result of our small advantage, as well as the sense of urgency and the shared military and security background of most of those involved."
The vast majority of attacks are thwarted, says Grossman, "but the working assumption is that there is no such thing as 100 percent success. When the line of defense has already been breached, the trick is to locate and draw conclusions quickly. Part of this is related to civil responsibility, such as wearing a seat belt in the car or wearing a mask during the COVID-19 pandemic. Simple steps like downloading updates to cell phones and having basic computer security reduce 99 percent of the risk. A citizen must understand that in 2022, his information on the internet is at risk. Cyber crimes are here to stay. The ransom industry is a lucrative economic business that generates a lot of money. The criminals estimate that in order to save lives, countries will pay. It can come to hundreds of thousands of dollars in one attack. Organized, international criminal organizations of all kinds are involved. It does not directly threaten the IDF, because most of the time our systemic capability is within a managed network and therefore less vulnerable. We are a little outside this jungle."
In 2021, the Cyber Defense Division received the Israel Defense Prize. Grossman says that "the strategic equation in cyber is just now taking shape, unlike kinetic fire against Hezbollah or Hamas, where the rules of the game are known." The Iranian cyber threat preoccupies him, but he is not overly impressed by the capability Tehran has demonstrated so far.
"The enemy must never be underestimated, as a rule. But I can say with full confidence that the abilities on our side are infinitely higher. This is not the same league at all, not even the same sport. To date, there has been no functional damage to our systems as a result of attacks by Iran." The threat, he estimates, will increase in the coming years. "This is part of all of us growing up. There is a new fighting dimension here." This dimension will sometimes also include Israeli responses outside the familiar terrain of cyberspace. "Those who act against us through a keyboard should understand that there are consequences to their acctions, and not just in the world of cyber."