On June 19, 2022, false rocket-warning sirens were activated in Jerusalem and Eilat, caused by a stunning cyber attack by Iran.
Israel’s cyber authorities at the time tried to downplay the hack, which seemed to have significant national security implications.
However, in a recent interview with The Jerusalem Post, Israel National Cyber Directorate Chief Gaby Portnoy gave the most comprehensive explanation to date of that event. In a surprise revelation, he said the IDF’s early-warning system for rocket fire was not hacked by Tehran.
Rather, Jerusalem’s and Eilat’s civilian municipalities have alarm systems relating to the start of Shabbat, which were hacked. Basically like standard intercom systems, some have no password protection and could have been hacked by a child (if the child had noticed their existence), Portnoy explained.
This event illustrates how intense, destabilizing, and confusing cyberwars have become in 2022-2023.
The US and Israel have been and will continue to be in a persistent state of cyberwar with a number of adversaries, such as China, Russia, Iran, North Korea, and Hezbollah.
America has more hostile cyber conflicts with China, Russia, and North Korea, though also some issues with Iran.
Israel’s main foe is the Islamic Republic, next Hezbollah, and a bit of Hamas, although it also deals with fending off more general cyber spying by China and Russia.
While some of the dangers are directly from state entities, often there is a mixing and matching of these entities with criminal enterprises – which might advance a state’s goal to destabilize the US, Israel, or some other Western country or Sunni Arab country.
In the midst of the criminal ransomware war, Deputy National Cyber Director Chris DeRusha has told The Jerusalem Post, “As we say in the National Cybersecurity Strategy, our vision is to build a digital future that is defensible and resilient.
“This affirmative vision requires close collaboration with our allies and partners. For instance, we have partnered with the government of Israel, as a member of the International Counter Ransomware Initiative, in a global effort to stop ransomware,” DeRusha, who speaks at conferences but rarely interacts directly with the media, told the Post in a statement.
DeRusha and his team are focused mostly on defense and resilience, but the US and Israel have also recently gone very much on a series of counterattacks.
One of the largest developments in this persistent cyberwar came in May when the FBI dismantled Russia’s elite Turla cyberwar group within its FSB intelligence agency.
This was considered one of the biggest US moves against Moscow’s cyberwar groups in years because FSB’s Turla was considered the #1 group, markedly more talented than even Russia’s GRU military intelligence cyber group.
Regarding the bust itself, on the one hand, sending the FBI in to close a file and issue indictments maximized the embarrassment to Russia and made the lives of anyone associated with these units more difficult should they ever want to travel.
Some might even say that this level of embarrassment can deter Russia’s cyber hackers from going too far against certain American digital interests.
But the flip side is criticism that revealing the US and the FBI’s penetration of this elite Russian unit ends what might have been much longer-term potential intelligence collection opportunities.
As soon as Russia’s cyber attackers see they have been compromised and some of the details of what has been compromised, they can immediately go about fixing their holes, such that American intelligence will no longer be able to track their moves and intentions.
THIS DECISION of whether to bust an adversary or keep them in play so as to continue collecting intelligence on them is an age-old dilemma.
Normally, the two alternatives are arrest/kill the antagonist in question or keep spying on their spying.
Put differently, once some intelligence has been collected about a spy, neither the US nor anyone else wants to allow the spy to continue working against them, lest the spy causes harm greater than whatever the intelligence about them might be worth.
So the spy can be removed from the game.
With cyber spying, the solution is less likely to be eliminating a cyber adversary and much more likely to be exercising diplomatic pressure. Analyzing the value of that diplomatic pressure without even removing the hacker from the state of play is another level of nuance for handling spying on cyber spies/hackers.
Cyber attacks in Israel were up by 38% in 2022.
There have been 130 new serious hacks that caused substantial damage in Israel.
Israeli cyber chief Portnoy did not publicize the details of what Jerusalem has done to those who have been trying to hack the Jewish state.
But he did make it known that Israel has hit back at them and publicized three names in a June 27 speech at Tel Aviv University.
Two are key players in Iranian intelligence: “Farazin Karimi and Majteba Matzafi, who set up the Radwan Academic Group, which trains hackers for bad purposes.” Further, he flagged Ali Hidari, who operates out of Beirut and “coordinates cyber operations between Iran and Hezbollah, which causes harm to the Lebanese civilian sector in the cyber area.”
Regarding defense, Portnoy has told the Post, “It is not just about cyber defense but about maintaining the public’s faith in the digital sphere. We take technology and embrace it to enable Israel to thrive. We want to achieve reliability and security.
“We don’t want to always be focusing on [a defensive mentality] and checking if Iran attacked us. We want to build technology to operate properly from the start.”
Portnoy elaborated, “We see a goal and have a joint national effort. We don’t and cannot defend everyone, but everyone is a partner: from the public sector to the defense sector to the private sector to the international sphere.
“There is a balancing act between privacy and empowering cyber defense. There are a series of calculated risks, ethics and transparency – which all play a role” in shaping proper cyber policy.
Portnoy opined that the general public still does not take cyber threats even close to seriously enough. He explained it is still hard to even get the public to work smarter on the basics, such as choosing passwords that are harder to crack than the generic 1234, and avoiding clicking on links from unknown sources.
New law, national strategy
A central priority for Portnoy is to rewrite Israel’s cyber strategy in the next few months, before the end of 2023.
He would also like some form of cyber law to move forward to set clear relations between the government and the private sector regarding cyber defense.
But this does not make Portnoy a fan of “regulation.”
Rather, he may be more in favor of a law and strategy which facilitate greater cooperation between the public and private sectors, as opposed to a straight relationship of the public sector enforcing rules on the private sector.
For example, when it comes to the cyberwars fought as part of Russia’s invasion of Ukraine, one perspective is that the main parties that have kept Ukraine’s digital sphere afloat have not been governments like the US or even Israel. Instead, they are private sector companies like Microsoft, Google, Amazon, and Twitter. These are giant companies which have huge significance as players in the world of cyber defense.
“We need to look at cooperation with them as like cooperation with countries,” he said.
The thinking is that there needs to be a strategic decision to have a greater level of trust in them, since many experts would say they bring even more to the table in the cyber arena than countries in places like Africa or South America.
“We are part of an ecosystem” and need to see ourselves as part of that ecosystem.
Portnoy said if you have positive dialogue with an organization and with other partners, including satisfying them regarding their privacy concerns, then the cyber authority, police, and intelligence agencies can, at regular intervals, interact with the organization to boost its defenses and provide added value. This occurred with the Technion, which recovered from the hack within three weeks instead of taking several months, which was the time that others like Hillel Yaffe Medical Center near Hadera took in the past, where cooperation was weaker and involuntary.
There is an increasing trend that part of trusting the private sector will be allowing them to be around some of the Israel National Cyber Directorate (INCD)’s advanced cyber tools when INCD officials are doing their work at a given private company. This would be in contrast to the approach where the INCD comes in – the private sector employees exit while the INCD does its work – and then the private sector staff return when the INCD leaves.
Figuring out the strength of an energy or transportation company and then deducing how the INCD and the government can provide them added value on a mix of cyber defense and business issues will be crucial.
An additional piece is convincing the private sector that the INCD understands their business image concerns and recovery strategies.
Progress stalled, then rejuvenated?
At some point, there were concerns by pundits that Prime Minister Benjamin Netanyahu and his new coalition might never address the cyber regulation issue because no one important was campaigning for it. At the time, only Otzma Yehudit MK Tzvika Fogel, who has little power, seemed to champion the issue. This only exposed that no senior official was pressing for more cyber regulation.
Government sources noted that for several months in the first half of 2023, almost no issues were moving forward because the judicial overhaul situation was bringing all other issues to a standstill. It also probably did not help that Netanyahu’s initial leaning is to be against any new regulations in any area.
But with no cyber law, Israel got stuck in recent years with the mega hacks of the Shirbit Insurance giant, Hillel Yaffe Medical Center, and Cyberserve, which hosted Atraf’s LGBT dating platform.
It is also unclear whether Israel has new ideas for mitigating some of the negative attention some Israeli private sector cyber offense firms have attracted when their technology has, allegedly, been used to violate foreigners’ human rights and privacy.
Yet, there may have been a positive new turning point on the matter.
In a June 18 statement, the prime minister said he had “held a meeting of the country’s key ministers and cyber leaders” and “directed the ministers to improve the defense of any critical infrastructure within their ministry’s jurisdiction.” Netanyahu also said they should “formulate and implement regulations for cyber defense regarding any entities under their authority.” These were all priorities emphasized by Portnoy.
In the past year, Portnoy told Netanyahu and ministers present that there are three times as many disparate attackers as the year before, and two-and-a-half times as many attempted attacks.
He said that although any “traditional” critical infrastructure like electricity is well defended in the digital sphere by the INCD, newer areas that have become critical to regular citizens’ everyday routines – which may fall under ministries with weaker cyber backgrounds – are much more poorly defended.
In 2018, some 31 areas were considered critical infrastructure. Portnoy would not reveal to the Post the current number, other than to say that it had grown and would be constantly updated according to socioeconomic and technological developments.
Portnoy presented to Netanyahu and the ministers the fact that Israel is behind Germany, Australia, England, the US, and the EU in providing regulations that obligate the public and private sector to focus on new critical infrastructure, to file reports within set amounts of time (often 24-72 hours) if there is a hack, and what steps the government can taker to enforce cyber defense standards and reporting.
Only a week later, Portnoy also helped to coordinate and conduct a meeting with Netanyahu and cyber chiefs from 10 countries at Shin Bet headquarters.
Cyber threats in color
Portnoy has a chart of threats that are color coded. Red stands for Iran, Hezbollah, and Hamas –Israel’s classic enemies. “We are following Iran and Hezbollah’s capabilities to carry out cyber attacks.” There are also indications that the INCD is constantly monitoring the Russian-Iranian alliance, which can also impact the cyber sphere.
More criminal enterprises are also becoming similarly high-level threats, as well as certain anarchists.
The color blue represents Israel’s critical assets that must be protected at all costs, even if other areas are partially vulnerable. The color white is the global Internet, often where enemies lay malware infrastructure to conceal the threat of later impending attacks.
Israel wants to make it harder for its enemies to set up cyber infrastructure in foreign countries as platforms to attack it. In this way, an Iranian hacking attack on Albania is viewed as bad for both Albania and Jerusalem.
Likewise, the strategy for dealing with cyber attacks on hospitals must address how to broadly improve the medical sector’s cyber defenses – not just look at stopping attacks by Iran specifically.
Part of this is because hackers perform research before an attack so they know exactly where to target to maximize their profits.
“In the medical arena, 300 hospitals in the US were hit with cyber attacks in 2022. The relative numbers in France have been similar. If someone attacked civilians in a hospital with physical arms, it would be considered a crime against humanity; but in the cyber arena, some countries are acting like this is fine. The norms are different and, unfortunately, are still not set,” he said.
Cyber Abraham Accords stay strong despite counter trends
One major positive in the cyberwars is that the Abraham Accords “cyber dome” being built between Israel and moderate Sunni Arab allies remains strong. Portnoy said this was true despite several counter-trends in other areas.
“In recent years, Israel has tried to develop a cyber defense dome with the same effectiveness as the Jewish state’s Iron Dome against rockets,” stated Portnoy.
For example, the deal between the Saudis and Iran and the explosion of violence in the West Bank have harmed Israel’s standing in the region and in the West in general.
Morocco has even postponed follow-ups to the Negev Summit to express anger at Israeli policies regarding the Palestinians, and the UAE abandoned a US-sponsored regional maritime coalition.
But in the cyber arena, Portnoy said Israel’s new partners have only gotten tighter and closed ranks (though there are indications that Portnoy does not yet deal directly with Saudi officials as the Mossad and some IDF officials have).
On June 27, UAE cyber chief Muhammad al-Kuwaiti credited Israel with recently helping his country fend off a serious distributed denial of service cyber attack.
Speaking at the Tel Aviv Cyber Week Conference, he said, “Thank God for the Abraham Accords... I am sure you heard my dear friend Gabi [Portnoy] when he mentioned the importance of working together. Our cyber strategy has five main pillars,” one of which is partnerships with allied states.
“It has a pillar about protecting and defending. And this is where we plug into the great Start-Up Nation [Israel], where we have many of those companies helping us, as a matter of fact, to build up that cyber dome, or to extend that cyber dome,” to defend against cyber attacks.
In fact, Israel is a design partner for the UAE’s new digital infrastructure from the bottom up.
At that same conference, Israel and the UAE announced they had launched a 40-nation platform with Microsoft for sharing cyber intelligence, potential hacks, and post-hack data to better anticipate and combat future hacks.
Portnoy told the Post, “We meet regularly with Bahrain, the UAE, Morocco, including Cybertech conferences. At one event during the World Cup tournament, during the Morocco versus Spain game, it was clear that Moroccan cyber chief Brig.-Gen. El Mostafa Rabii wanted to know the score in the game but was too polite to check his cellphone.”
“Myself being the audacious Israeli, I helped Rabii check the score on my cellphone,” he shared. “It was a small moment, but the many small moments like these have built strong ties and trust.”
Just how crucial is all of this international partnering? More crucial than ever, since Israel’s and the US’s cyber enemies’ capabilities to pose a threat are likewise more serious than ever.