Exclusive: Ex-Israeli cyber chief sheds light on virtual offensives

Israel’s former cyber chief, Buky Carmeli, opens up on taboo topics such as cyberattacks, doomsday weapons, China and Russia hacks, and working with the Shin Bet.

A man holds a laptop computer as cyber code is projected on him (photo credit: KACPER PEMPEL/REUTERS)
“Do you have the energy for this?” Prime Minister Benjamin Netanyahu asked him.
It was December 2015 and Buky Carmeli was interviewing to become the first director of the National Cyber Security Authority.
The answer must have been affirmative, because the institution has turned into a powerhouse that has taken the nation’s cyber sector by storm (or, rather, defended it from destructive cyber storms) since 2016.
In an exclusive first interview since recently leaving that profoundly influential office, Carmeli told The Jerusalem Post that during his meeting with Netanyahu, he had already been questioned substantially to make sure he had the unique combination of security establishment, academic, and private sector credentials that the prime minister was looking for.
The prime minister has a strong interest in cyber issues and wanted someone who could bridge the different worlds. But he was testing whether Carmeli was a match for the job of protecting a massive amount of the country’s sectors from cyberattacks.
With 21 years in IDF Unit 8200, “the Israeli NSA,” and the Defense Ministry under his belt, Carmeli said he assured Netanyahu that he was ready to dive into the job with whatever it would take.
The two shook hands, and Netanyahu said to him “Be on your way.” Carmeli said he was not sure whether Netanyahu had just given him the position or was just saying it was time for him to head back to Tel Aviv. But Netanyahu’s military secretary confirmed that Netanyahu wanted him for the job. He started working officially on January 3, 2016, after also being accepted by the official committee vetting process.
From then until recently, Carmeli, 55 and a native of Ramat Gan with a deep family history in the defense establishment, was at the center of all crucial cyber offensive and defensive decisions and had the prime minister’s ear.
A CENTRAL but taboo question he dealt with and that both Israel and the US are confronting is how far to go in using their tremendous cyber offensive abilities. Generally, officials from both countries barely comment on the highly sensitive issue.
Just two months ago, on June 17, the Post reported that retired IDF Brig.-Gen. Ehud Schneorson, the former chief of Unit 8200, made a rare departure, implying that Israel has the ability to wreck Iran’s energy sector and should do so at the outset of any broader conflict with the Islamic Republic. But Schneorson has been out of office longer than Carmeli.
Does Carmeli agree with Schneorson in terms of cyber offensive target selection?
“Personally, I do not think it’s good to talk about this in public, though it is true the world is not closed today” as it once was, said Carmeli, still appearing to carry the weight of responsibility of his recent office on his shoulders.
But free from that office, Carmeli finally discussed the forbidden topic (without revealing any secret information) in detail with the Post for the first time.
“We see many kinds of cyberattacks on Israel from states, groups and companies identifying with Hamas or Hezbollah after some kind of major event,” he said. “This is still only a small part of the problem” for national defense.
He made that introductory comment to explain that a discussion of cyberattacks should not be in a vacuum that mentions only cyber. Rather, the virtual and physical worlds are connected regarding national offense and defense.
“You need to set an overall policy and coordinate it [cyber operations] with your other non-cyber operations,” he said.
Elaborating, he asked, “When do you decide that you want to bomb an adversary’s electrical company? It’s the same answer for when you would launch a cyberattack on their electricity sector – it is just a question of how you do it.”
While Carmeli still does not want to come out and say when Israel should launch a system-crashing cyberattack, the clear implication is that it should be used only in circumstances in which Israel was ready to launch a similarly devastating conventional forces attack.
But even if Israel wanted to launch such a cyberattack, could such an attack really bring down Iran’s energy sector so easily?
Despite claims that cyber powers like the US and Israel already could easily bring down whole sectors of their adversaries, Carmeli said that “completely bringing down an entire system” in the physical world, more than just briefly, is “very, very hard. It is not impossible, but it is very hard.”
This is the first point. A temporary hack of part of a system is one thing. Permanently bringing down an entire system is a whole different level of challenge.
There are also other difficulties.
“It is not simply like shooting long-range missiles where one day you just click a button,” he said. Rather, if such a major offensive hack is doable, it requires tremendous amounts of time, preparation and precursory penetrations without getting caught.
Also, he said, “you need to think: If you use a cyber weapon, you are also putting it out there, and eventually other players could potentially use it” against you or your allies. “You always need to remember that the [cyberattacks] ball may continue rolling” and cause unintended consequences.
But this very fear of unintended consequences has sometimes led to paralysis in the areas of cyber defense and deterring adversaries from attacking. The Obama administration was accused of insufficiently deterring Russia and China from hacking aspects of the US’s national security cyber sphere.
TO AVOID that paralysis, Carmeli says one needs to make a strategic paradigm shift in thinking about cyber operations.
On July 21, new US Cyber Command head Gen. Paul Nakasone said that a main mistake people make with cyber defense and deterrence is trying to divide everything into peacetime and wartime. He advised avoiding these binary choices and being prepared for constant low-grade cyber combat.
Carmeli said, “I identify a lot with what he says.... People use lots of physical-world words. You have peacetime, a war like 2014 Operation Protective Edge, a terrorist incident or some other uptick in violence. War in cyber does not have any of this. Cyber is an endless battle – you are always playing chess with the other side.”
He came back to the chess analogy to explain another important point about how Israel, private companies and other countries should construct their cyber strategies today.
“In chess, sometimes you lose a pawn. Maybe you weigh trading losing a bishop in order to take someone else’s knight. You need to look at the full spectrum of priorities. And you do not deal with every threat,” he said.
He said that the next generation of cyber defense is “not another wall but an ambush. With a wall, the bad guys know how to find weaknesses. But deception can be used against cyber hackers to reveal where they are hacking and to prioritize keeping them away from key areas.”
Essentially, the idea is that you allow infiltration by adversaries into certain secondary systems to get them overconfident and then lead them into preconstructed duplicates of your critical systems, which are really set up to track the hackers’ activities and learn their goals.
Can you deter adversaries by placing cyber booby traps or sleeper viruses in their critical infrastructure, as the Obama administration did with Russia after Russia’s cyber hacking of the US 2016 presidential election?
“Someone can put a hostile autonomous program” in an adversary’s infrastructure, but “where is the deterrence?” asks Carmeli. “How do I know he did it? If I find it, won’t I take it out? If I don’t find it, then has the deterrence message failed?”
Rather, Carmeli again suggested thinking more broadly, “to go beyond cyber in order to deter attacks within the cyber realm,” including leaving signs for the adversary to pick up on, but not so many that the adversary could parry the attack.
What about defending against the cyber “doomsday” weapon?
Within the realm of cyber defense, there is an unending debate about whether it is more important to defend against a cyber doomsday weapon (advocated by top experts like former CIA director David Petraeus) or against the seemingly innocuous but potentially devastating “little hack” (advocated by top experts such as former Israeli NSA director Nadav Zafrir).
Carmeli says that “the cyber doomsday weapon is a threat,” implying mixed motives for some who understate the threat. Then he delivered a complex message. “The ability to temporarily distract and disrupt a country, like the May 15, 2017, WannaCry hack did, is not just theoretical.... The ability to hit an entire sector is still just theoretical.... But how do you deal with a doomsday weapon?” he asked.
Continuing, he asked, “Is your electrical sector the only thing you need to defend? Maybe they will go after two million individual citizens’ systems. For the state, maybe nothing has happened, but if two million people are severely hacked,” it becomes a country-sized problem. “So you need to be specific about defining which doomsday weapon” you are trying to defend against.
At the same time, Carmeli agreed that “most cyberattacks are not too complex.... They try to exploit a known weakness that certain systems did not bother to fix.”
In a dramatic story about cyber defense, Carmeli recounted Netanyahu’s calling him at home late at night after the global WannaCry attack.
“He asked me, ‘What is the state of the nation beyond specific technical issues?’ Heads of state all over the world were talking about it.”
It was too early to give a full picture, and Carmeli said his staff is still evaluating the damage and the threat. But he said that as the country’s cyber chief, he had to rise in the midst of the crisis to give the prime minister the best information for acting on at the time, however incomplete.
Moving on to a recent Yediot Aharonot story claiming that, in the cyber sphere, Israel was more compromised by Russia and China than it has admitted – and far more by them than by its arch enemies Iran and Hezbollah – he said that the ability of major world cyber powers like them and the US is unmatched.
On the other hand, he said that “we do not find them in places that are really disturbing.”
HE GAVE credit to the Shin Bet (Israel Security Agency) for initiating a serious cyber defense as early as 2002.
“This meant the authority could take over, after the Shin Bet had invested in cyber defense for around 15 years. So it is not surprising we were ready, or that we are able to uncover trails from these cyber powers. And we find them mostly in noncritical systems – sometimes you need to give a pawn” to win the long game, he said.
Reacting to allegations that the Chinese had used elaborate sham business negotiations to try to appropriate Israeli technologies, he said, “I would rather live in a state where we are inventing things and then defend them, than in a state that doesn’t have these people and new ideas.”
A major issue that Carmeli had to deal with during his term was cooperation and competition with the Shin Bet regarding cybersecurity issues. Carmeli gave the Post the most comprehensive accounting of those issues, usually kept hidden, that has been made public to date.
The Shin Bet had initially seriously questioned “if there was even a need for a separate cyber authority,” and then there was a second debate leading to an initial division of authorities. “The new cyber bureau would work on policy and coordination, but would not have authority regarding operations,” he said.
Eventually, he said, the new cyber bureau was “peacefully established.”
Once the cyber bureau was established, there were ongoing debates with the Shin Bet “over lines of authority, resources, different professional opinions on strategic issues” in which Carmeli said both sides had legitimate viewpoints. While some media coverage portrayed the debates as contentious personal fights, Carmeli said that “you cannot make big decisions lightly” and without serious debate. “Cyber is a very murky arena, and it was correct” to fully debate the issues.
“In the end, there was a decision” in which Carmeli’s authority was granted massive responsibility. “It could have even been a different decision.... There were strong points for both sides.... The most important thing was how it would be implemented.”
A few months into his office and after the lines of authority were worked out, Shin Bet director Yoram Cohen “came to shake hands with me. He told me, ‘If you work well with the Shin Bet, they will work well with you.’”
Carmeli complimented current Shin Bet director Nadav Argaman and especially Argaman’s deputy, “R,” for an excellent working relationship in 2016-2018 with no disputes and regular meetings to iron out complicated issues. The Post has learned that the Shin Bet also viewed its cooperation with Carmeli as excellent.
How did the Shin Bet and the Cyber Security Authority resolve questions of overlapping responsibility?
Carmeli explained that the starting point was that “the Shin Bet’s mission is to thwart terrorism. Terrorists do not just use knives. It can also be cyber.”
He said he suggested to the Shin Bet that it focus on dealing with the cyberattackers themselves and that the authority would defend specific institutions, such as Israel’s energy sector. Broadly speaking, the Shin Bet would also be more focused on offense, while the authority would be more focused on defense.
Another distinction was that the Shin Bet was concerned with the country’s physical security, while the authority had advantages in knowing how to protect the country’s economic security.
Carmeli concluded by addressing the ongoing problems with recruiting top talent to remain in the public sector. He said he succeeded in hiring around 200 top cyber employees from scratch by working on two main points.
First, he got them salaries that were within 10%-20% of what they could make in the private sector. Second, he said he appealed to their desire to work in an area that was more interesting, where they could be more hands-on and have a greater impact on the country.
In addition to those persons, Carmeli said he brought on many top cyber people from the Shin Bet and the Mossad from his prior defense contacts.
Taking an optimistic view of Israel’s cyber future, Carmeli – who is currently advising various government entities on cybersecurity and on the verge of an initiative releasing important new cybersecurity products – said, “People should not underestimate the power of Zionism still as a strong motivator.”