Countries must develop the capability to use their intelligence to block and mitigate devastating cyberattacks in real time, a senior Israel cyber official said June 18.
Hudi Zack, chief executive director for technology at the Israel National Cyber Directorate, said that development of this competency is imperative, although unfortunately some countries might not do so until after a few more large-scale cyber incidents take place. He made the comments in a speech at the "CybertechLive: Intelligence in the Cyberspace" online conference.
"If there is one thing we learned from the COVID-19 pandemic, it is that in catastrophic scenarios, only the relevant national-level government organizations have the combination of competence and authority to be able to foresee and fully understand such a complicated situation, analyze the implications, and most importantly translate them to necessary actions that can be enforced to safeguard the population at risk," Zack said.
"The difference between countries that were able to manage this process effectively during the coronavirus crisis and those that didn't was unfortunately manifested by massive loss of lives in the less capable nations. In cyber, due to many technological, historical, political and even psychological factors, no nation today has the ability to translate the intelligence it presumably has to immediate, wide and effective action and to block and mitigate large-scale attacks in real time."
There is a twofold problem in identifying such attacks at an early stage, the senior official said. "First, to be able to find the needle in the haystack, in other words, fish out of the huge flow of data the few relevant indications to connect the dots to understand what is going on. And second, to realize what needs to be done and respond in a timely manner to an attack which in many cases is developing and impacting the organization we are trying to protect in very short timeframes."
Zack noted that in cyberspace so much data is collected by a plethora of tools and systems, with many alerts and alarms sent by various sensors, which are then recorded and analyzed. As a result, when almost any cyber event is investigated in retrospect, there are numerous indications of the attack that were observed before the damage was done, but by and large all of this important data is usually ignored or mishandled, enabling the attack to continue and succeed, he said.
According to Zack, in the case of the Israeli National Cyber Directorate and similar organizations in other countries, "the defender's footprint is so large and heterogenic, and there is so much going on at any given time that you constantly have to choose your battles, decide what indications of compromise you discard, even if they represent a real ongoing attack, and which ones you go forward with, and analyze."
This requires not only "a very powerful automated investigation platform" that identifies false alarms and minor hacking events, but also a real-time risk analysis mechanism that identifies serious threats or the potential for substantial damage, "be it endangering human lives, harming critical infrastructure, or massive losses to the countries, organizations and citizens," said the senior official.
This analysis consists, first of all, of a clear and thorough mapping of the critical processes and assets in the country level to be able to respond once they are in danger; second, a comprehensive picture of the vulnerabilities and risk factors across the nation, to identify which potential exploit may have a large-scale impact if utilized; and third, the gathering of all possible potential attack indications, which will then be cross-referenced with alerts received from various cyber intelligence sources, be it commercial vendors or national agencies, he said.
The National Cyber Directorate, Zack said, has been working over the last couple of years to build and integrate these three capabilities and has managed to leverage them to gain operational success in quite a few cyber events.
But once this integration is achieved, there is an even more complicated and fundamental question of how the government should respond once it identifies that a cyber epidemic is spreading nationwide, and what tools it must use to contain the attack and minimize the damage. A widespread cyberattack can develop in a matter of hours or sometimes minutes, so simply sharing the information with the population using e-mails and press announcements may not be able to prevent significant harm, Zack said.
The main challenge of any intelligence professional, according to the senior official, is less about gathering and bringing forth data and facts, and more about insightful analysis of these facts and the drawing of actionable conclusions.
Israel is trying to stay ahead of the curve by planning a pilot program called "lighthouse", in cooperation with telecom operators and major technology vendors, to inject "cyber vaccinations" in order to immunize the population against future severe attacks, and to help already infected entities during ongoing outbreaks; this will be combined with effective isolation to prevent the epidemic from spreading any further, Zack said.
He added that if this pilot succeeds and develops into a countrywide platform, it will only be used selectively and responsively to deal with attacks that have the potential to cause significant damage on the national scale, and will avoid as much as possible any business interruption to the protected entities, which will have to consent to receiving this type of protective umbrella from the government.