Exclusive: in anticipation of the CyberTech 2017 Conference, Israel
Defense paid a rare visit to the cyber warfare facilities of the Israel
Security Agency (ISA) and spoke with the "certified hackers" of the
State of Israel.
At the height of the 'knife terrorism' surge Israel faced during the first
half of 2016, many ISA operatives were committed to the operational
activity. This time, the ISA personnel did not consist exclusively of
hardened field agents armed with handguns, but also included numerous
youngsters who operated out of high-tech style open-space offices in
central Israel. Their theaters of operations were, in this case, the
social media. Working around the clock, the cyber specialists of ISA
searched for groups forming and organizing to initiate and execute
terrorist attacks.
In fact, these specialists practically "lived" inside those
social media. In some cases, the information they collected led to
preventive arrests made by IDF and ISA warfighters – those who do
operate in the field. In cases where the danger of a terrorist attack
was regarded as less imminent, warnings were issued over the telephone:
ISA operatives contacted the parents of youngsters from the Judea and
Samaria region, and made it clear that if their child were to execute a
terrorist attack, the whole family would pay dearly.
"There were times we actually heard the parents slapping
their children on the other side of the line, even before the call was
over. The parents immediately pledged to assume responsibility for their
children's actions," they say at the SigInt-Cyber Branch of ISA. "We
estimate that many terrorist attacks were prevented in this way."
We paid a rare journalistic visit to the cyber warfare
units of ISA in anticipation of the CyberTech 2017 Conference, to be
held between January 30 and February 1 at the Tel-Aviv Convention
Center.
The visit provided numerous surprises, as the people of ISA
spoke with us very openly about cyber warfare and because the physical
environment of the ISA cyber warfare operations is nothing like the
standard image that comes to mind in the context of a secret security
agency – there are no dark cellars or dull rooms branching out of grey
corridors. On the contrary, some of the cyber warfare specialists work
in open-space offices located at Israel's bustling high-tech centers
(naturally, you will not be able to find any signs on the doors
indicating their true organizational affiliation). Others operate from
the ISA HQ building, where the work spaces are brightly-lit and the
walls are covered with colorful wallpaper. The rest areas have slush and
espresso machines along with PlayStation and Xbox consoles – as if
these were the offices of Apple or Google.
We spoke about the entire cyber warfare setup of ISA, most
of which stands at the cutting edge of cyber technology and includes
proactive cybersecurity methods. This setup identified and foiled a
massive cyberattack against Israel about two years ago, which remained
unknown to the public, but we'll get to that.
The Third Revolution
Generally, the cyber warfare setup of ISA is facing a major
revolution in 2017 under the leadership of ISA Chief Nadav Argaman. Yet
in order to fully understand this significant organizational revision,
we must go back to the first revolution. This revolution took place more
than 20 years ago, in the 1990s, at the height of the suicide attack
offensive against Israeli urban centers alongside the Oslo agreements.
In the context of that first revolution, the ISA Chief at
the time, Ami Ayalon, had the organization step up to a new era of
information technology, and the outcome was new methods of operation,
capable of 'fishing' terrorists out of a sea of digital information. In
the early 2000s, the ISA Security Division even established the National
Information Security Authority, which assumed responsibility for
defending the critical infrastructures of the State of Israel against
cyberattacks.
The second revolution took place at the outset of the
present decade, when new cyber warfare and SigInt divisions were
established by ISA, which operated alongside two primary staff branches –
the SigInt-Cyber branch and the Information Technology (IT)
branch. SigInt (Signals Intelligence – collection of digital
information) and cyber warfare became an inseparable part of every
operation, and with regard to the defensive aspect – ISA shifted from
focusing on passive cybersecurity methods to offensive cybersecurity. In
the context of the third revolution, which is about to take place,
one SigInt and Cyber branch will be established and the SigInt-Cyber and
Technology divisions of the various branches will be subordinated to
it.
"In 2010, four new divisions were established practically
overnight. Now we are taking them and merging them into a
single SigInt-Cyber and technology branch, thereby establishing a
single organ that would function as a powerful fist," they say at ISA.
In fact, it may be concluded that you are
establishing a first-of-its-kind cyber warfare arm, combining defensive
and offensive capabilities. Although the IDF had discussed the
establishment of such an arm, it has not actually established it (in
December 2016, the IDF General Staff decided to retain the separation
between defensive and offensive cyber warfare operations – A.R.)?
"We are not doing anything parallel to the processes
initiated by IDF or other armed forces. In our case, it is a fist that
is suitable to the present era, where everything is intermixed, the
physical reality on the ground and the cybernetic world. In such a
reality, even a field coordinator in the territories requires a
technological linkage. It is not enough to be a good warfighter or a
sophisticated field agent operator. The Internet is breaking down all
the walls.
"Fifteen years ago, only 4% of all ISA personnel served in
the cyber warfare and SigInt units. Today they account for not less than
25% of our manpower," the people at ISA presented this amazing bit of
data to illustrate the revolution – and that percentage is expected to
grow further.
"Israel's databases are the most substantial in the Middle
East, and one of the biggest and most complex in the world, owing to our
technological advantage, and they require on-going protection," they
say at ISA.
"Unlike past periods, the elements that affect the
situation the most are not countries but the Internet and telecom giants
from Silicon Valley, California. Every minor change that takes place in
Palo Alto rocks the entire cybernetic world."
As far as you are concerned, how significant is the approach of offensive cybersecurity?
"It is highly significant. Information security was the
first issue with which we had to cope years ago. This led to information
system security, and in 2012 we realized that even that was not
sufficiently effective, and unless we address cyberspace as a whole – we
will fail.
"As far as we are concerned, just like in the physical
world they do not deal with terrorist attacks by Hamas only by
positioning security guards at shopping mall entrances, but actively
pursue the terrorists wherever they may be, in the burrows and alleys,
and attack them even at the places where they plan their attacks – the
same should take place in the context of the cyber warfare effort. The
approach being applied today is definitely offensive, and involves even
deception tactics."
To illustrate this different approach, the people at ISA
revealed the following example, which is being publicized here for the
first time: about three years ago, the cyber warfare specialists of ISA
had identified a carefully planned offensive, executed by one of
Israel's most sophisticated enemies in the region. In the context of
that offensive, the enemy 'deployed' at several sensitive nodes of the
Israeli communication layout. Apparently, the intention was to remain at
those nodes in dormant mode and execute a carefully-timed attack when
the time comes. The intention may have been to simultaneously dominate
an extensive range of television and radio broadcasts.
According to the traditional cybersecurity methods, ISA
could have driven the "attackers" away from the sensitive nodes or
enhanced security for those nodes. Instead, they opted for a different
course of action. The cyber warfare specialists on the Israeli side
monitored the way the enemy attack evolved and studied the methods of
operation and even the working hours of the attacking hackers. Then,
they took advantage of a prolonged holiday on the other side in order to
eliminate the attack and stage a counterattack. One of the ways to
attack enemy hackers is to reveal their details in communities of other
hackers on the web. "In the hacker world, there is nothing more
humiliating than this," they say at ISA, without specifically referring
to the details of the counterattack staged by ISA (after all, they are
not at liberty to openly discuss all of the aspects of the cyber wars).
The cyberattack foiled was one of the most sophisticated
attacks with which ISA had to deal in the last few years, unlike the
case of December 2012, when the satellite broadcast of one of Israel's
TV channels was replaced by a written message from Hamas. In that case,
the enemy took advantage of the fact that the satellite signals were
being broadcast at very low power settings, for economic considerations.
When the hostile takeover was identified, the power setting was
increased and the Hamas message promptly disappeared.
Can we say that a cyberattack that causes physical
damage is more dangerous than a propaganda attack like the takeover of a
communication broadcast? Is the connection between the physical world
and the cybernetic world the main issue today?
"In our opinion, no. Everyone likes to talk about that at
every professional discussion forum, but the estimate is that the risk
of a propaganda attack is more serious. Such an attack can even bring
about the collapse of a bank, which would have
far-reaching consequences, or the collapse of the stock exchange, as was
the case a few years ago pursuant to a false report planted into the
editorial board of the AP news agency.
"In November 2016, in the USA, you could see up close how
hackers create chaos in the election campaign. Admittedly, physical
damage, like damage inflicted on electrical turbines for example, could
have extremely serious consequences, but in this case the objective
is like a fortified locality that is very difficult to reach. The damage
of a propaganda attack, on the other hand, involves the 'softest'
objective. You must cover multiple risks continuously."
The changes within ISA are not only organizational. The
cybernetic revolution has also led to a renewed definition of the
respective responsibilities and the boundaries between ISA and other
organizations like the IDF Intelligence Directorate and the Cyber
Authority, established as part of the National Cyber Bureau in 2016.
Opposite the IDF, the arrangement is fairly simple: ISA, as
always, is responsible for preventing damage to national security,
including espionage operations, while the IDF cyber operations are aimed
primarily at military objectives.
With regard to the Cyber Authority – the Authority and ISA
signed a treaty last June, which is reported here for the first time.
ISA Chief Nadav Argaman and the Head of the National Cyber Bureau, Dr.
Eviatar Matania, finalized the treaty that put an end to the conflict
over authority and responsibilities that had taken place a few years
previously. (Dr. Matania and Buki Carmeli, who heads the Cyber Authority
of the National Cyber Bureau, will be among the primary speakers at the
CyberTech 2017 Conference, alongside Prime Minister Benjamin Netanyahu
and cyber technology leaders, at the national level and from the
industry, from around the world).
According to the treaty, the Authority is responsible for
the business continuity of the civilian sector in Israel and for
protecting that sector against cyberattacks. The Authority has recently
inaugurated the National CERT (Cyber Emergency Response Team) Center in
Beersheba, headed by Dato Hasson – himself a former senior ISA officer.
The Authority assumed responsibility for cybersecurity in two-thirds of
the layouts regarded as vital national infrastructures, including energy
and electricity, while ISA is still responsible for the remaining
third, including communication infrastructures. The responsibility for
thwarting cyberterrorism and espionage remains with the ISA.
Does the arrangement work well?
"The very fact that we did not have to open the agreement
even once since it had been signed last June says everything," they say
at ISA. "It is important to understand that the cybersecurity effort is
not divided but combined. We conduct elliptical table discussions,
attended by the Cyber Authority, the Mossad, IDF Intelligence
Directorate and the Director of Security of the Defense Establishment
(MALMAB). These are people who know each other very well from previous
positions, among other things. It is not a battleground. On the
contrary, the trick has to do with how you develop the cooperative
alliances. No single agency can do it all on its own."
"Being a Certified Hacker"
With the dramatic increase in the number of cyber
specialists within ISA, their average age is dropping, and the present
figure is 34.
"The factor that leads to success or to failure is the
people," at ISA they were proud to note that their cyber specialists won
a major part of the annual prizes for distinction, awarded at ISA by
the Prime Minister in late December 2016.
Are you successful in filling your ranks, despite the struggle over quality personnel opposite the civilian companies?
"Yes, we have 100% staffing, as we offer a state-of-the-art
working environment, good pay and stability (even if the pay is a
little lower than the standard of the civilian sector), and in
particular something else, which is the dream of the young people: to be
a legitimate, certified cyber specialist and to be involved in the most
sophisticated operations, that are difficult to even imagine."
The work of the ISA cyber specialist – is it teamwork or solo work?
"Both. There is a lot of room for individualistic work,
depending on the mission. In the SigInt sections, work is predominately
teamwork. Generally, we create an environment where youngsters can
flourish and feel like racehorses carrying as little weight as possible.
"Beyond the on-going missions, the environment produces
non-stop technological startups. In the civilian sector, you are
focusing on a single startup at most. In our case, every cyber warfare
specialist can be involved in multiple startups simultaneously. They are
practically serial start-uppers."
Do you have a problem with the fact that some of
these people eventually develop civilian companies using similar
knowledge, after they leave and join the civilian sector?
"Naturally, we see to it that the truly sensitive knowledge
does not leak out, but we live in peace with the situation of our
people using the rest of the knowledge. It is a part of reality that we
also benefit from. Sometimes we receive a telephone call from Palo Alto,
with amazing technological proposals from people who had grown up here
and never forgot where they came from."