Last month the Tel Aviv University Blavatnik Interdisciplinary Cyber Research Center hosted the 13th annual “CyberWeek” event. The event and the activities surrounding it are a good jumping-off point to look at what works, what could work, and what doesn’t work in public/private partnerships in a small but heterogeneous nation like Israel. For this article, we will put aside internal Israeli politics, but look at the reasons that Israel has one of the highest per capita investments in cyber defense and cyber security and whether this is a sustainable model for other countries.

The Good

As a nation, Israel is known for its technological innovation and thriving cybersecurity ecosystem, both in the government sector and in the commercial sector. At the CyberWeek event, it was not unusual to see dozens of young Israelis with nametags identifying themselves as the “CEO” of some company — at an age where most people in the U.S. are looking to write a resume or find their first job. There appears to be a culture of innovation, of corporate and investor risk taking, and of cooperation and coordination with the Israeli government. How much of this translates into either innovative products and solutions or comprehensive adoption remains to be seen. But Israeli cyber defenders appear to be motivated to create and deploy homegrown solutions, and to invest in them as necessary. While the cyber investment boom has been slowed somewhat by both COVID and the shrinking investment dollar, the skyline of Tel Aviv itself shows building after building springing up (oy, the traffic), many of which are dedicated to the high-tech sector in general and cybersecurity in particular. For a country the size of New Jersey, it has a disproportionate number of cyber companies, from tiny startups to well-established concerns.

Israel’s cybersecurity landscape is fortified by robust public-private partnerships, emphasizing collaboration between the government, academia, and the private sector. These partnerships serve as a catalyst for knowledge sharing, joint research and development, and effective incident response mechanisms. By pooling resources and expertise, stakeholders in the cybersecurity ecosystem foster a collective defense against evolving cyber threats. What is unclear, however, is the extent of cooperation between cyber-attackers (think Mossad, IDF) and cyber-defenders. While much of what was visible was standard cyberdefense strategies (intrusion prevention, incident response, use of AI, AI and AI for “cyber”), these same strategies can be (and are being) deployed by hackers and governments as well. Better defenders make better attackers and vice versa, AMIRITE?

There is also a genuine “go to market” strategy deployed in Israel. IDF officers, particularly those steeped in cybersecurity, are eager to commercialize what they have learned by starting or joining the innovative commercial cybersecurity enterprises that dot the landscape of Tel Aviv. While this undoubtedly excludes classified military tech, startups pop up all over with venture capital (a bit less these days, but still around) looking for the next thing – big and small.

In other countries, notably the U.S. and Western Europe, there is more distance (and in the U.S. more distrust) between the government (particularly the military) and the private sector. Years of movies like The Forbin Project, War Games, Hackers, and Mission Impossible Dead Reckoning Part I reflect a genuine antipathy toward government control of offensive and defensive cyber projects (unless a profit can be made in selling to the government). Government contracting regulations in the U.S. make many cybersecurity companies form separate divisions (or separate companies) to deal with “commercial” sales and “government” sales. The situation in Israel could be equally described as “cooperative” or, if you like, “incestuous.”

No Comprehensive Regulation of Cybersecurity

When it comes to Israel protecting its own infrastructure, the results are mixed. Of course, information about how the government protects itself, particularly entities like Shin Bet, the Mossad, the Mishteret and the IDF, and about the tools and methods it uses, is, as one would expect, shrouded in secrecy.

When it comes to government actions to protect Israeli “critical infrastructure,” Israel, like many countries, falls victim to the “sectoral silo” problem. One critical challenge lies in the absence of universal cybersecurity requirements across industries. While Israel has implemented mandatory security requirements for critical infrastructure sectors, other industries, including healthcare, remain largely unregulated. This discrepancy creates vulnerabilities that adversaries could exploit, potentially undermining the overall cybersecurity posture of the nation. Essentially, the regulatory environment is split into thirds. “Critical Infrastructure,” including power, water, telecom, etc., appears to be integrated into the nation’s Cyber command infrastructure, with individual CERTs for each sector (well, a room designated as a CERT for each sector). The national CERT takes feeds from each sector CERT, but incident reporting seems to be both automated and limited. The Israelis have set up a SCADA/ICS lab where they attempt to simulate (and resolve) attack scenarios on various ICS systems (including legacy ICS and IoT), with dozens of different ICS systems and controllers being simulated. This includes the ICS systems of that German elevator company Schindler being tested and evaluated (“Schindler’s lift”). So certain aspects of Israeli critical infrastructure are reasonably well protected — or more accurately, are the best protected of the infrastructures. Even here, though, Israel takes a different approach to defining “critical infrastructure” based on its perception of threat and criticality. For a country with little access to fresh water, the water sector – generating, desalinization, distribution, storage — is critical. The Israeli National Cybersecurity Directorate applies basic cybersecurity principles of identification, protection, resilience and recovery to these infrastructures.

Another reason the critical infrastructure seems protected is that it benefits not only from regulation, but also from information sharing with the government and from the fact that Israeli CISOs and cyber folk seem to be only a year or so removed from military service. While in the U.S. most cyber security people have little government experience and few government contacts in DoD, in Israel there is near universal military service and therefore strong connections — both personal and technical — with the government.

Thriving Startup Culture: A Breeding Ground for Innovation

Israel’s vibrant startup culture has played a significant role in shaping its cybersecurity landscape. The nation’s entrepreneurial spirit, risk-taking mindset, and technological prowess have led to the establishment of numerous successful cybersecurity companies. These startups, led by young CEOs, bring fresh perspectives and cutting-edge solutions to address emerging cyber threats.

However, the lack of universal requirements for cybersecurity poses a challenge in ensuring consistent security standards across startups and small businesses. While some startups prioritize cybersecurity, others may fall short due to limited resources or a lack of regulatory frameworks. Bridging this gap is crucial to safeguarding the entire ecosystem and ensuring a resilient cybersecurity landscape. For companies outside the critical infrastructure, it’s a hard sell to ramp up their cybersecurity, and there, as in the U.S., cybersecurity is promoted as a good and reasonable thing to do, rather than as regulatory compliance.

Government Initiatives and Regulatory Frameworks: Protecting Critical Infrastructure

The Israeli government has made commendable efforts to protect critical infrastructure and regulated industries through various initiatives and regulatory frameworks. For critical infrastructure sectors such as energy, water, transportation, finance, and communications, cybersecurity regulations exist to mitigate risks and protect essential services.

Similarly, regulated industries like banking and healthcare have implemented sector-specific cybersecurity requirements. For instance, the Bank of Israel and the Ministry of Health have established guidelines to protect sensitive data and maintain secure operations. However, the lack of universal regulations poses challenges, as unregulated sectors may become potential entry points for cyber attackers.

Challenges and Aspirations: Universal Requirements and CyberDome

Despite the progress made in specific sectors, the absence of universal cybersecurity requirements is a significant challenge for Israel’s cybersecurity landscape. Universal requirements would ensure a consistent and comprehensive approach to cybersecurity, reducing vulnerabilities across industries. Implementing such requirements would require concerted efforts from government bodies, industry leaders, and cybersecurity experts.

Additionally, the proposed CyberDome, inspired by Israel’s successful Iron Dome defense system, aims to protect critical infrastructure from cyber threats. However, the practicality of implementing CyberDome remains a subject of debate. The complexity of securing diverse and interconnected systems, along with the rapidly evolving nature of cyber threats, raises questions about the feasibility and cost-effectiveness of such an initiative.

Regional Cooperation: Strengthening Collective Defense

Israel has witnessed a growing trend of regional cooperation in the realm of cybersecurity. Despite political differences, countries in the region, including potential adversaries like the United Arab Emirates (UAE) and Saudi Arabia, recognize the mutual benefits of collaborating to combat cyber threats. This philosophy is based on the understanding that securing all nations’ digital infrastructure enhances overall stability and security, including that of Israel.

By engaging in regional cooperation, Israel expands its network of partnerships, shares threat intelligence, and collaborates on joint defense initiatives. This approach contributes to the collective defense against cyber threats, promoting stability and fostering trust among nations.

Call the Cybercops!

Israel has also established a national cybersecurity “call center,” where anyone — and I do mean anyone — can call a phone number (“119 – 911 backwards”) and reach a Tier 1 cyber responder. This ranges from a car salesman in Haifa to an elderly grandmother (Bubbie) in Bat Yam. While the call center’s number of responses is respectable (in the thousands), there are some issues I would raise. First, one party that seems to be missing in the infrastructure and response (maybe it just wasn’t that visible) was the Mishteret — the Israeli national police. Protecting critical infrastructure in Israel is seen as a technical, governmental and political issue – not as a law enforcement issue as far as I could tell. While U.S. hacking victims are encouraged to report to the FBI’s Internet Crime Complaint Center, Israelis appear to call engineers, not cops.

The Ugly

The coordination and relationship between the government and the private sector lead to problems like the Pegasus problem — spyware created by an Israeli company and deployed in theory only to those entities which have a good track record on human rights. Right? The power of such software, and its ability to be deployed in ways that harm individuals and nations, make the need for transparency urgent. When we speak of using the product for “good” purposes, who gets to decide? With the incestuous relationship between cyber companies and the Israeli government, those “good” purposes may simply be those that serve or benefit a specific government. That’s very dangerous.

Conclusion:

Israel’s cybersecurity landscape has achieved remarkable milestones, thanks to its public-private partnerships, thriving startup culture, and government initiatives. Collaboration between stakeholders has yielded innovative solutions and bolstered defenses against cyber threats. However, challenges such as the absence of universal cybersecurity requirements, practicality of proposed initiatives like CyberDome, and gaps in regulation across industries must be addressed for a more comprehensive and resilient cybersecurity ecosystem.

The philosophy of defending all countries, even potential adversaries, reflects Israel’s commitment to regional stability and security. By engaging in regional cooperation, Israel strengthens collective defense and fosters trust among nations.

As Israel continues to advance its cybersecurity ecosystem, a balance must be struck between innovation and regulation. Universal cybersecurity requirements, practical initiatives, and enhanced collaboration will ensure the nation’s continued leadership in cybersecurity and contribute to a safer digital landscape for all. L’Hitraot.

 

 

Mark D. Rasch, Esq.

Law Office of Mark Rasch

Admitted in MA, NY, MD

mdrasch@gmail.com

Tel: 301 547 6925