Israel Is Under Attack. Where Is the Cyber Authority?

FILE PHOTO: A worker at a cyberdefense center. Credit: AP
Amitai Ziv

Israel has seen an unprecedented wave of cyberattacks, with dozens of organizations hit at a great cost. Tower Semiconductor was forced to pay hackers millions of dollars in ransom money; Habana Labs, which develops special processors for artificial intelligence – and which was recently sold to Intel for $2 billion – lost a large part of its intellectual property to hackers. Shirbit insurance paid large sums to consultants to bolster its security after a major cyber break-in.

The wave of cyberattacks makes one wonder about the role of the Israel National Cyber Directorate. Critics of the government agency, which is under the auspices of the Prime Minister’s Office, view it as an operational organization that has lost its way. They accuse it of wasting its time on marginal matters – and see the latest wave of cyberattacks as proof of its failure.


Cyber paper pushers?

The cyber directorate was established in its current format in 2018, a merger of the National Cyber Security Authority and the Israeli National Cyber Bureau in the Prime Minister’s Office. Its founding reflected Prime Minister Benjamin Netanyahu’s great interest in cybersecurity – which has been described as a personal obsession. The directorate employs 340 people. Its budget is 250 million shekels ($78 million) – and it falls under the auspices of the PMO.

The cyber authority likes to issue position papers. According to its annual report, in 2019 it published 21 position papers. For example, in November it released its “Recommendations on Cyber Protection of Fire Suppression and Discovery Systems,” in Hebrew. In September, “Constructing and Conducting Cyber Exercises for the Organization.” Another paper issued that month focused on cyberdefense for “supply chains”.

These position papers are about important issues, but aren’t there other ways to learn about these? Other questions are whether anyone actually reads these whitepapers, and whether this is the best use of taxpayer money.

The cyber directorate was not established to be just another body publishing reports on cyber policy, says a senior executive in the industry, who is familiar with its activities. 

“You can take position papers from the [U.S. National Institute of Standards and Technology] too and other sources. It’s not enough to sit in the ivory tower. You also need to carry out enforcement activities. That is the difference between an academic organization and an operational organization,” he added.

An example of a similar operational body can be seen in the Defense Ministry’s unit of the Director of Security of the Defense Establishment, known in Hebrew by its acronym: Malmab. One of its responsibilities is information security for defense organizations. It is a body that “instructs the defense industries, but it does not make do with just papers – it also conducts inspections” of the organizations it oversees, said the senior cyber executive.    

‘Hercules Project’

In September 2018, the Cyber Directorate announced its “Hercules Project” to fend off cyber threats against the aviation industry. The project includes mapping the cyber threats to airports, control towers and airlines. The Cyber Directorate contracted a private company, Matrix, to help, and later it was announced that the project would be completed by the start of 2021.

Why the directorate chose to focus on the aviation industry, and not on hospitals, for example, remains unknown. Was there a specific problem concerning information security for airlines? The directorate “has made a sharp turn to long-term projects, but the operational world is not built like that,” said the cyber exec.

The directorate employs professionals who are paid high salaries, and one of their responsibilities is to develop new systems. For example, they have developed a cyber intelligence system to evaluate an organization’s level of protection, called “Picture Window.”

A ransom note sent by hackers to Israeli insurance firm Shirbit, as published on their Telegram. Credit: Screen capture

But who needs such systems? Companies can buy similar tools from government companies such as Rafael Advanced Defense Systems and Israel Aerospace Industries. If necessary, they can also turn to the Defense Ministry’s Administration for the Development of Technological Weapons and Infrastructure, better known as Mafat.   

Cyber diplomats

Before the coronavirus crisis began, employees of the Cyber Directorate flew abroad quite often for meetings. Ruth Shoham – until recently the director of the strategy division and the woman responsible for the authority’s foreign relations – said in an interview: “Cyber does not stop at Israel’s borders. The strategy is to create international connections to build a good defensive network. Sharing knowledge is critical, and we have relations with over 85 countries.”

According to the directorate’s 2019 report, it hosted some 150 foreign delegations at its headquarters for “international conferences”. It is not clear whether these visits, intended to foster “dialogue”, translated into better cyberdefense for Israel. 


Yigal Unna, head of the Israel National Cyber Directorate. Credit: Oded Karni

Another issue that requires discussion is the actions of the head of the directorate, Yigal Unna, who is quite busy taking trips. In the middle of December, at the height of the cyberattacks, he flew to a four-day conference in Dubai. In July, when Foreign Minister Gaby Ashkenazi came for a visit to the directorate’s headquarters in Be’er Sheva, Unna hosted him. Unna also met there with former Communications Minister Yoaz Hendel. He recently visited a religious girls’ high school as part of a program for training young women for cyber professions.

In addition to the facility in Be’er Sheva, the directorate’s offices are spread out in three other locations in the center of Israel. In 2020, the Cyber Directorate decided to consolidate all three offices and rented 5,500 square meters of space on three floors in northeast Tel Aviv. The offices are considered to be of a relatively high standard compared to other government offices. Overall it spends 645,000 shekels a month on rent. As of now, the new offices are at 50 percent occupancy.

A thankless business

The senior and mid-level management of the directorate has been abandoning ship. Shoham left the directorate after two years, and Lavi Stockhammer, a senior official at its Cyber Emergency Response Team (CERT), announced a month ago that he too is leaving. 

Danit Leybovich-Shati, founder of Alpha Forensics, says: 'The problem is that the purpose of the directorate has not been determined.' Credit: Eyal Taueg

The deputy head of the directorate, Rafi Franco, also announced he is leaving. Eyal Sela, a senior cyber intelligence analyst, left his job after less than a year at the directorate.

Critics of the directorate view it as an organization busy with diplomacy, position papers and long-term projects – at a time when Israel needs cyber protection right now. As a result, the critics argue, the directorate’s resources are allocated incorrectly and public funds are being wasted.

In response to such criticism, some argue that the latest wave of cyberattacks against Israeli industry does not prove anything. A senior Cyber Directorate official said: “Cyber is not an arena with 100 percent [certainty]. There will always be problems, because of amateurism or because of stinginess, and then they remember to ask where the government is. It’s a thankless and ungrateful profession.” 

The official explained the importance of foreign ties in fending off international cyberattacks and the role of position papers in making sure resources are used well.

Danit Leybovich-Shati, founder of Alpha Forensics, a firm that specializes in digital forensics and technology law, says the “main problem is that the overall purpose of the directorate has not been determined.”

Leybovich-Shati worked for the directorate until 2020 and says it is a matter of approach: “Behind the team that jumps into action there needs to be a support system too that will conduct intelligence research. The directorate operates in the best way when it links up with similar groups around the world – for that you need diplomacy.”

However, when “they say the directorate was established to protect and defend the ‘resilience of the economy,’ you need to ask: what is the definition of ‘resilience’ and how do you define ‘defense?’ The directorate was founded through a cabinet decision, no law was ever passed to authorize its activities. Information security regulations are under the jurisdiction of [the Justice Ministry’s] Privacy Protection Authority.” 

Leybovich-Shati notes that part of the problem is that the draft version of the Cyber Protection Law has been passed around between government ministries since 2018, but because of the political situation it has not made any progress. “As long as there is no legislation, it is impossible to say if the directorate is operating according to its goals,” she added.

The never-ending battle

The National Cyber Directorate said: “The mission of the Cyber Directorate is the prevention of significant damage as a result of a cyberattack. The directorate uses a range of tools to protect Israeli cyberspace at the national level: Instruction, discovery and identification, monitoring, handling incidents, locating weaknesses and proactive activities to reduce exposure and distribute focused and broad warnings – alongside sharing information between countries, raising awareness to various threats, defining professions, promoting industry and more.”

“Over the past year, the directorate has blocked many dozens of significant cyber events with the potential of widespread damage to hundreds of organizations [in Israel], through discovery, containment and removal, along with other means. The battle is never-ending.”
