 
Exclusive: in anticipation of the CyberTech 2017 Conference, Israel 
Defense paid a rare visit to the cyber warfare facilities of the Israel 
Security Agency (ISA) and spoke with the "certified hackers" of the 
State of Israel.
At the height of the 'knife terrorism' surge Israel faced during the first
half of 2016, many ISA operatives were committed to the operational
activity. This time, the ISA personnel did not consist exclusively of 
hardened field agents armed with handguns, but also included numerous 
youngsters who operated out of high-tech style open-space offices in 
central Israel. Their theater of operations was, in this case, social
media. Working around the clock, the cyber specialists of ISA
searched for groups forming and organizing to initiate and execute 
terrorist attacks.
In fact, these specialists practically "lived" inside those
 social media. In some cases, the information they collected led to 
preventive arrests made by IDF and ISA warfighters – those who do 
operate in the field. In cases where the danger of a terrorist attack 
was regarded as less imminent, warnings were issued over the telephone: 
ISA operatives contacted the parents of youngsters from the Judea and 
Samaria region, and made it clear that if their child were to execute a 
terrorist attack, the whole family would pay dearly.
"There were times we actually heard the parents slapping 
their children on the other side of the line, even before the call was 
over. The parents immediately pledged to assume responsibility for their
 children's actions," they say at the SigInt-Cyber Branch of ISA. "We 
estimate that many terrorist attacks were prevented in this way."
We paid a rare journalistic visit to the cyber warfare 
units of ISA in anticipation of the CyberTech 2017 Conference, to be 
held between January 30 and February 1 at the Tel-Aviv Convention 
Center.
The visit provided numerous surprises, as the people of ISA
 spoke with us very openly about cyber warfare and because the physical 
environment of the ISA cyber warfare operations is nothing like the 
standard image that comes to mind in the context of a secret security 
agency – there are no dark cellars or dull rooms branching out of grey 
corridors. On the contrary, some of the cyber warfare specialists work 
in open-space offices located at Israel's bustling high-tech centers 
(naturally, you will not be able to find any signs on the doors 
indicating their true organizational affiliation). Others operate from 
the ISA HQ building, where the work spaces are brightly lit and the
walls are covered with colorful wallpaper. The rest areas have slush and
espresso machines along with PlayStation and Xbox consoles – as if
these were the offices of Apple or Google.
We spoke about the entire cyber warfare setup of ISA, most 
of which stands at the cutting edge of cyber technology and includes 
proactive cybersecurity methods. This setup identified and foiled a 
massive cyberattack against Israel about two years ago, which remained 
unknown to the public, but we'll get to that.

The Third Revolution
Generally, the cyber warfare setup of ISA is facing a major
revolution in 2017 under the leadership of ISA Chief Nadav Argaman. Yet
in order to fully understand this significant organizational revision,
we must go back to the first revolution. This revolution took place more
than 20 years ago, in the 1990s, at the height of the suicide attack
offensive against Israeli urban centers alongside the Oslo agreements.
In the context of that first revolution, the ISA Chief at 
the time, Ami Ayalon, had the organization step up to a new era of 
information technology, and the outcome was new methods of operation, 
capable of 'fishing' terrorists out of a sea of digital information. In
the early 2000s, the ISA Security Division even established the National
Information Security Authority, which assumed responsibility for
defending the critical infrastructures of the State of Israel against 
cyberattacks.
The second revolution took place at the outset of the 
present decade, when new cyber warfare and SigInt divisions were 
established by ISA, which operated alongside two primary staff branches –
 the SigInt-Cyber branch and the Information Technology (IT) 
branch. SigInt (Signals Intelligence – collection of digital 
information) and cyber warfare became an inseparable part of every 
operation, and with regard to the defensive aspect – ISA shifted from 
focusing on passive cybersecurity methods to offensive cybersecurity. In
 the context of the third revolution, which is about to take place, 
one SigInt and Cyber branch will be established and the SigInt-Cyber and
 Technology divisions of the various branches will be subordinated to 
it.
"In 2010, four new divisions were established practically 
overnight. Now we are taking them and merging them into a
single SigInt-Cyber and technology branch, thereby establishing a
single organ that would function as a powerful fist," they say at ISA.
In fact, it may be concluded that you are
establishing a first-of-its-kind cyber warfare arm, combining defensive
and offensive capabilities. Although the IDF had discussed the
establishment of such an arm, it has not actually established it (in
December 2016, the IDF General Staff decided to retain the separation
between defensive and offensive cyber warfare operations – A.R.)?
"We are not doing anything parallel to the processes 
initiated by IDF or other armed forces. In our case, it is a fist that 
is suitable to the present era, where everything is intermixed, the 
physical reality on the ground and the cybernetic world. In such a 
reality, even a field coordinator in the territories requires a 
technological linkage. It is not enough to be a good warfighter or a 
sophisticated field agent operator. The Internet is breaking down all 
the walls.
"Fifteen years ago, only 4% of all ISA personnel served in 
the cyber warfare and SigInt units. Today they account for not less than
25% of our manpower." The people at ISA presented this amazing bit of
data to illustrate the revolution – and that percentage is expected to
grow further.
"Israel's databases are the most substantial in the Middle 
East, and one of the biggest and most complex in the world, owing to our
 technological advantage, and they require on-going protection," they 
say at ISA.
"Unlike past periods, the elements that affect the 
situation the most are not countries but the Internet and telecom giants
 from Silicon Valley, California. Every minor change that takes place in
 Palo Alto rocks the entire cybernetic world."
As far as you are concerned, how significant is the approach of offensive cybersecurity?
"It is highly significant. Information security was the 
first issue with which we had to cope years ago. This led to information
 system security, and in 2012 we realized that even that was not 
sufficiently effective, and unless we address cyberspace as a whole – we
 will fail.
"As far as we are concerned, just like in the physical 
world they do not deal with terrorist attacks by Hamas only by 
positioning security guards at shopping mall entrances, but actively 
pursue the terrorists wherever they may be, in the burrows and alleys, 
and attack them even at the places where they plan their attacks – the 
same should take place in the context of the cyber warfare effort. The 
approach being applied today is definitely offensive, and involves even 
deception tactics."
To illustrate this different approach, the people at ISA 
revealed the following example, which is being publicized here for the 
first time: about three years ago, the cyber warfare specialists of ISA 
had identified a carefully planned offensive, executed by one of 
Israel's most sophisticated enemies in the region. In the context of 
that offensive, the enemy 'deployed' at several sensitive nodes of the 
Israeli communication layout. Apparently, the intention was to remain at
 those nodes in dormant mode and execute a carefully-timed attack when 
the time comes. The intention may have been to simultaneously dominate 
an extensive range of television and radio broadcasts.
According to the traditional cybersecurity methods, ISA 
could have driven the "attackers" away from the sensitive nodes or 
enhanced security for those nodes. Instead, they opted for a different 
course of action. The cyber warfare specialists on the Israeli side 
monitored the way the enemy attack evolved and studied the methods of 
operation and even the working hours of the attacking hackers. Then, 
they took advantage of a prolonged holiday on the other side in order to
 eliminate the attack and stage a counterattack. One of the ways to 
attack enemy hackers is to reveal their details in communities of other 
hackers on the web. "In the hacker world, there is nothing more 
humiliating than this," they say at ISA, without specifically referring 
to the details of the counterattack staged by ISA (after all, they are 
not at liberty to openly discuss all of the aspects of the cyber wars).
The cyberattack foiled was one of the most sophisticated 
attacks with which ISA had to deal in the last few years, unlike the 
case of December 2012, when the satellite broadcast of one of Israel's 
TV channels was replaced by a written message from Hamas. In that case, 
the enemy took advantage of the fact that the satellite signals were 
being broadcast at very low power settings, for economic considerations.
 When the hostile takeover was identified, the power setting was 
increased and the Hamas message promptly disappeared.
Can we say that a cyberattack that causes physical 
damage is more dangerous than a propaganda attack like the takeover of a
 communication broadcast? Is the connection between the physical world 
and the cybernetic world the main issue today?
"In our opinion, no. Everyone likes to talk about that at 
every professional discussion forum, but the estimate is that the risk 
of a propaganda attack is more serious. Such an attack can even bring 
about the collapse of a bank, which would have 
far-reaching consequences, or the collapse of the stock exchange, as was
 the case a few years ago pursuant to a false report planted into the 
editorial board of the AP news agency.
"In November 2016, in the USA, you could see up close how 
hackers create chaos in the election campaign. Admittedly, physical 
damage, like damage inflicted on electrical turbines for example, could 
have extremely serious consequences, but in this case the objective 
is like a fortified locality that is very difficult to reach. The damage
 of a propaganda attack, on the other hand, involves the 'softest' 
objective. You must cover multiple risks continuously."
The changes within ISA are not only organizational. The 
cybernetic revolution has also led to a renewed definition of the 
respective responsibilities and the boundaries between ISA and other 
organizations like the IDF Intelligence Directorate and the Cyber 
Authority, established as part of the National Cyber Bureau in 2016.
With respect to the IDF, the arrangement is fairly simple: ISA, as
always, is responsible for preventing damage to national security,
including espionage operations, while the IDF cyber operations are aimed
primarily at military objectives.
With regard to the Cyber Authority – the Authority and ISA 
signed a treaty last June, which is reported here for the first time. 
ISA Chief Nadav Argaman and the Head of the National Cyber Bureau, Dr. 
Eviatar Matania, finalized the treaty that put an end to the conflict 
over authority and responsibilities that had taken place a few years 
previously. (Dr. Matania and Buki Carmeli, who heads the Cyber Authority
 of the National Cyber Bureau, will be among the primary speakers at the
 CyberTech 2017 Conference, alongside Prime Minister Benjamin Netanyahu 
and cyber technology leaders, at the national level and from the 
industry, from around the world).
According to the treaty, the Authority is responsible for 
the business continuity of the civilian sector in Israel and for 
protecting that sector against cyberattacks. The Authority has recently 
inaugurated the National CERT (Cyber Emergency Response Team) Center in 
Beersheba, headed by Dato Hasson – himself a former senior ISA officer. 
The Authority assumed responsibility for cybersecurity in two-thirds of 
the layouts regarded as vital national infrastructures, including energy
 and electricity, while ISA is still responsible for the remaining 
third, including communication infrastructures. The responsibility for 
thwarting cyberterrorism and espionage remains with the ISA.
Does the arrangement work well?
"The very fact that we did not have to open the agreement 
even once since it had been signed last June says everything," they say 
at ISA. "It is important to understand that the cybersecurity effort is 
not divided but combined. We conduct elliptical table discussions, 
attended by the Cyber Authority, the Mossad, IDF Intelligence 
Directorate and the Director of Security of the Defense Establishment 
(MALMAB). These are people who know each other very well from previous 
positions, among other things. It is not a battleground. On the 
contrary, the trick has to do with how you develop the cooperative 
alliances. No single agency can do it all on its own."

"Being a Certified Hacker"
With the dramatic increase in the number of cyber 
specialists within ISA, their average age is dropping, and the present 
figure is 34.
"The factor that leads to success or to failure are the 
people." At ISA, they were proud to note that their cyber specialists won
a major part of the annual prizes for distinction, awarded at ISA by
the Prime Minister in late December 2016.
Are you successful in filling your ranks, despite the struggle over quality personnel opposite the civilian companies?
"Yes, we have 100% staffing, as we offer a state-of-the-art
 working environment, good pay and stability (even if the pay is a 
little lower than the standard of the civilian sector), and in 
particular something else, which is the dream of the young people: to be
 a legitimate, certified cyber specialist and to be involved in the most
 sophisticated operations, that are difficult to even imagine."
The work of the ISA cyber specialist – is it teamwork or solo work?
"Both. There is a lot of room for individualistic work, 
depending on the mission. In the SigInt sections, work is predominately 
teamwork. Generally, we create an environment where youngsters can 
flourish and feel like racehorses carrying as little weight as possible.
"Beyond the on-going missions, the environment produces 
non-stop technological startups. In the civilian sector, you are 
focusing on a single startup at most. In our case, every cyber warfare 
specialist can be involved in multiple startups simultaneously. They are
 practically serial start-uppers."
Do you have a problem with the fact that some of 
these people eventually develop civilian companies using similar 
knowledge, after they leave and join the civilian sector?
"Naturally, we see to it that the truly sensitive knowledge
 does not leak out, but we live in peace with the situation of our 
people using the rest of the knowledge. It is a part of reality that we 
also benefit from. Sometimes we receive a telephone call from Palo Alto,
 with amazing technological proposals from people who had grown up here 
and never forgot where they came from."