Publications
Memorandum No. 153, Tel Aviv: Institute for National Security Studies, March 2016
In recent years, activity in cyberspace has developed at a rapid and intense pace. In 2002, the government of Israel addressed this challenge by establishing the National Information Security Authority. Since then, Israel’s functional continuity has become even more dependent on technology in general, and on cyberspace activity in particular. As a consequence of this dependence, the threats to Israel’s functional continuity have intensified. Numerous states and enemies are systematically developing capabilities and acting against various systems and elements in Israel. In January 2012, the Israeli government established the National Cyber Bureau to regulate activity in cyberspace. The subsequent establishment of a National Cyber Defense Authority represents another step in this direction. In parallel, Israel must work to consolidate and outline a national strategy for activity in cyberspace, which will serve as the cornerstone of national growth in cyberspace. The primary document should be a national policy framework for cyberspace activity, which will define the overall national goals in the field of cyber activity and the methods for integrating them in defense, the economy, and other national efforts. Thereafter, each state entity will be required to formulate its own organizational strategy for cyber activity.
Executive Summary
In the past few years, activity in cyberspace in the State of Israel has developed at a rapid and intense pace. In 2002, the government of Israel addressed this challenge by establishing the National Information Security Authority. Since then, Israel’s functional continuity has become increasingly dependent on technology in general, as have other countries worldwide, and on cyberspace activity in particular. As a consequence of this dependence, the threats to Israel’s functional continuity have intensified. Numerous states and enemies are systematically developing capabilities and acting against various systems and elements in Israel.
Several years ago, the Israeli government established the National Cyber Bureau to promote and regulate activity in cyberspace. The establishment of a National Cyber Defense Authority represents another step in this direction.
In parallel, Israel must work to consolidate and outline a national strategy for activity in cyberspace, which will serve as the cornerstone of national growth in cyberspace. The document outlining the national strategy should be one of several documents. The primary document should be the national policy {image} framework for cyberspace activity, which will define the overall national goals in the field of cyber activity and the methods for integrating them in the defense, economy, and other national efforts. Finally, each state entity operating in this space will be required to formulate its own organizational strategy for cyber activity.
Activity in cyberspace includes a number of components: one is defense, which is a fundamental element. The following entities in Israel require defense: institutions responsible for state security; institutions supplying essential services, and those responsible for administrative procedures and everyday life; and the institutions for which an attack would influence morale and the general sense of order, governance, and sovereignty. The sources of the cyber threat are multiple, and include hostile states, enemy states, terror organizations, hacktivists, and even private individuals. In parallel, the State of Israel is also exposed to criminal activity in cyberspace, including business espionage and intellectual property theft, financial crime, and other types of crime that take advantage of the cybernetic space (drug dealing, pedophilia, arms dealing, and so forth).
In addition to the defense component, Israel also must address the offensive component on a national level. Naturally, the ability to cover these components in this paper is extremely limited. Rather, the goal of this document is to propose guidelines for formulating a national cyber strategy in the field of defense and offense. These guidelines do not encompass all aspects of the field; they do not relate to the legal features nor to issues relating to Israel’s cyber industry.
The primary objective of a national cyber defense strategy is to maintain the state’s functional continuity. A second goal is to enable the relevant Israeli authorities to decide upon and implement operations against enemies in the cybernetic and kinetic space, with confidence in the state’s ability to withstand a cyberattack. In the defense strategy, we propose to differentiate between three types of attacks: 1) advanced persistent threat (APT) – penetration into the depth of an organization’s computer system; 2) rapid, superficial attack, which has immediately recognizable results, and aims to change the site or prevent access to it and to the services it provides in the cybernetic space (Defacing, DDoS); 3) infrastructure attack – by damaging hardware components.
We suggest the following recommendations for preventing and defending against the three types of attacks:
1. Construct the system with a combination of tools and capabilities that do not require previous information and knowledge of attack components and methods, with an advanced capabilities system based on previous knowledge, specifically for defense against APT attacks.
2. Implement inter-organizational information exchange of reports on attacks.
3. Formulate a continuous and broad national cybernetic status assessment by organizations such as a national Computer Emergency Response Team (CERT).
4. Establish rapid response teams, using research and data on attack tools and attack groups.
5. Cooperate with commercial defense and intelligence organizations, as well as international bodies.
6. Develop ongoing intelligence collection about enemies and opponents for the purpose of warning.
7. Formulate a plan for cybernetic response as part of a possible means of deterrence.
8. Develop the ability to recover from an attack when possible, with the understanding that the line of defense is bound to be breached, and thus Israel must organize for rapid recovery following successful enemy attacks.
9. For superficial attacks – establish the ability to recover rapidly and provide the bandwidth that overcomes blocks, by integrating with internet suppliers in the civilian sector.
10. Use ability to rapidly transfer attacked sites to alternative, temporary host sites.
11. Establish a national capability for analyzing hardware attacks due to the technological difficulty of identifying hardware attacks. This should be done in parallel to the use of locally manufactured hardware in cases requiring an exceptional level of security.
We analyzed additional issues in the chapter on defense. The need to develop a national capability to recover from a cyberattack is critical, in the understanding that the “line of defense is bound to be breached” as a determined enemy will succeed in penetrating any defense, no matter how sophisticated. Therefore, Israel will need to construct appropriate mechanisms for recovery and return to routine as soon as possible. In addition, we examined the organizational issue, through an understanding that the State of Israel should be able to provide a response, both for the security sector and for civilian sector. The security organizations must continue to manage the cyber defense of the state’s security sector, while cyber activity targeting the civilian sector will be handled by Israel’s law enforcement bodies, headed by the Israel Police. The National Cyber Defense Authority will demand cooperation and synchronization between all entities and monitor the existence and enforcement of regulation in the civil arena, which is most exposed to cyberattacks. In this context, we recommend adopting a regulatory approach in the civil sector that will mandate the cyber defense field as a component integrated within existing statutory processes, both in the founding stages for business initiatives (licenses from the various statutory planning committees) and in their operational process (business licensing law). We suggest that in this framework, businesses should be required to issue a cyber resilience report. This document will serve as the main statutory tool for identifying and analyzing the vulnerability of a business to a cyberattack, and for formulating processes of defense of these vulnerable points.
This document also relates briefly to cyberattacks and examines several attack scenarios, including attack in overt and obscure situations; attack as a method of communicating a message; and attack as part of a covert campaign. The main recommendations in this context are as follows:
1. Israel’s security organizations should be required to integrate tools for cyberattacks in their operative plans and in the actual use of force in battle, in both emergency and routine situations.
2. Cyberattack should not stand alone. It must be part of a general plan in order to wield influence in a comprehensive, overt conflict.
3. An effective attack is not necessarily a sophisticated APT attack. We recommend to fully utilize the ability to implement an effective cyberattack on a specific target through superficial, rapid, broad attacks on targets, even if these are not so-called “gold targets” (military targets, national infrastructure).
4. An effective cyberattack can be implemented through proxies, without the need to take responsibility.
5. A significant cyberattack requires build-up of force, knowledge of the target, and advanced planning.
6. A cyberattack can represent a stage in “dialogue” between countries, when the goal of the attack is to communicate a message.
7. Attackers should be integrated within Israel’s central cyber defense system, as part of the regular planning and operation of the defense system.
In conclusion, this document recommends leveraging the informality of Israeli culture. Israeli society enjoys inherent characteristics of broad personal connections through social networking, a casual manner of interaction, desire to help others, willingness to participate in activities of a national and patriotic nature, and a need to be “at the center of things” and to prove personal and professional relevance. These attributes enable recruitment of many individuals when needed, whether to assist friends or for a national goal, and all the more so in cases that combine these two motives. This type of informal activity is constant and occurs in a high percentage of cases that require it. Because it is voluntary, based on good will, and reinforced by Israeli culture, it is more intense and sometimes of even higher quality than cooperation due to structured, legal, or regulatory obligation. This type of activity can make a significant contribution to cyber defense in Israel, and should be utilized.
Finally, a substantial part of the strategy document should remain open to the public. Such a document should also include sections for classified issues that should remain undisclosed and that will assist in coordination and synchronization of the defense organizations operating in Israel, as far as this is possible. Formulating the document is an important and achievable challenge that can determine Israel’s status as a global leader in the cyber field.