‘The coming cyber winter is worse than all estimates’

The ‘Magazine’ takes an insider tour of the National Cyber Directorate’s classified command center

INSIDE THE INCD: The US, UAE and Singapore are currently its three most central partners in cyber. (photo credit: MARC ISRAEL SELLEM)
INSIDE THE INCD: The US, UAE and Singapore are currently its three most central partners in cyber.
(photo credit: MARC ISRAEL SELLEM)
The arrows blink incessantly on the electronic map. Moving across the globe, they originate in different locations until they all end up in Israel. The arrows represent the volume of ongoing cyberattacks – from multiple continents – at any given moment.
This is the Beersheba-based operations room for Israel’s National Cyber Directorate (INCD), the government body charged with ensuring that Israel is defended against the myriad of cyber threats that lurk across our networks.
Between its headquarters in Tel Aviv and the Beersheba operations room, the INCD has around 350 employees, up from a fraction of the size staff that it had just five years ago. Each room houses a team with a different specialty-sector focus, hotwired with the latest computers and networking technology to monitor and defend the country from cyberattacks.
The command center has an unusual mix of personnel, from the relaxed vibe of civilian start-ups with workers in casual dress alongside a pulsing, intense rhythm underneath the low-key veneer. The officials there displayed and were proud of establishing a first “cybernet” that could engage different units working on issues in a real-time basis. They were also investing tremendous efforts in scouring the Darknet and other odd spots for cyber intelligence to anticipate and prevent the next potential attack.
Looking at the screen of flickering arrows, “L,” head of the Cyber Emergency Response Team (CERT), explained that sometimes hackers stage their hostile attacks from a friendly third-party country in an attempt to mask their true origin. Just last year, the unit helped Romanian hospitals counter-hack the malware that ransomware hackers tried to use to bring the country to its knees.
“When I got to my interview with the prime minister, he explained to me that Israel needs to remain in the top five leading cyber powerhouses,” Israel National Cyber Directorate chief Yigal Unna told the Magazine in a recent interview.
With a mischievous look, he added, “I asked him why only the top five and not the top three, so I looked into the issue. We worked on it in the cyber directorate and today I can tell you that Israel is among the two strongest, second only to the US in certain areas, such as industry, global investment and academic research.” Among the INCD’s sub-units in Beersheba are the National Incident Management Center as well as the government, public security, financial and energy sectors – with the environmental, transportation and communications sector due to have specialized monitoring units within two years.
Despite Israel’s tremendous capabilities, the cyber threats Jerusalem is confronting are continuing to grow as the recent ransomware attack against Israeli insurance giant Shirbit clearly illustrated. Within days of the attack being announced – and its consequences are still unknown – Check Point, a global leader in network security, announced that between September and November Israel saw a sharp spike in ransomware attacks, possibly including attacks with nation-state support.
“The cyber winter is coming, and it is faster and stronger than the worst estimates,” Unna warned in an interview conducted before the Shirbit attack.
“Cyber weapons can be compared to nuclear weapons in their [destructive] power, but the ease with which they can be obtained or used makes them more similar to a spear or a bow and arrow. The cost of a failed attack is much lower since the weapon is usually a code based on man-made letters and numbers.” Next, he remarked, “The world economic forum published an annual global risk report that rated the cyber threat as the highest-rated man-made threat in the world.” But at the same time, “the biggest threat is also relatively the easiest to deal with, compared to other man-made threats. It starts on the level of the individuals, goes to organizations and then to the state level. The Israeli cyber defense concept that the INCD implements has proved its utility based on the basic Israeli power components: consent-based; partnerships; integrated; open and embracing; sharing information; innovation; a supportive work environment; and an industry-academia-government-military ecosystem.” These are “all based on the most important element in cyber: people. It’s all about working together. Most of these components are integrated in practice in our operation’s center in the cyber park in Beersheba.”
In terms of what the INCD prioritizes, Unna said, “Speed is the name of the game in cyber. The race is against the fastest threat actors. Therefore, Israel is taking a proactive approach that views the critical vulnerable points in infiltrating organizations’ information systems and activity to close them quickly. Our goal is to prevent the possibility of a broad cyberattack against the economy so there is no wide impact or damage. The INCD is also taking proactive measures to reduce exposure of economic organizations to cyberattacks.
“As part of this activity, earlier this year, we worked hard to protect the civilian cyberspace from a vulnerability found – and published globally – in a widespread technology implemented in thousands of organizations in Israel. Within three months, we contacted more than 3,000 organizations with specific instructions about how to mitigate the risk and prevent the specific kind of cyberattack from happening.” According to Unna, “Attempts and actual attacks happen all the time. Once there is an attack, the INCD mission is not only to mitigate the attack, but mainly to prevent substantial damage from it and prevent it from spreading like a pandemic, thwarting any impact on essential services or the critical infrastructure.”
Photo: Marc Israel SellemPhoto: Marc Israel Sellem
THE STORY of Israel’s success in cyber during Unna’s era can be told by numbers.
In the first half of 2020, Israel’s cyber sector saw $1.2 billion of funding in 43 rounds, up 50% from last year, as well as 12 Israeli companies that were acquired for a total of $4.2 billion. Some 29% of cyber investment worldwide is in Israel with 20% to 25% of cyber “unicorns” (billion-dollar companies) currently based in the Jewish state.
How does Israel do it?
Unna said that Israel’s disproportionate talent in cyber, compared to its small population, “is not just due to the education system. It is also because at the age of 18, we take those [students] who already have 10-12 years of experience and give them a license to not only do interesting things in the cyber arena for the state, but also train them for one thing: not to be afraid to try, to take risks or experience failures. The leading rule of success for cyber is the approach that only after you have failed a certain number of times as part of a learning process are you able to learn how to avoid failure and thereby succeed.” Unna also hopes that a long-anticipated cyber law will soon be passed that would set clearer parameters for public-private sector relations. The proposed bill has significant support in principle, but has languished since 2018 due to multiple rounds of elections, the coronavirus crisis and ongoing coalition instability preventing new initiatives in general.
On public-private sector cooperation, Unna affirmed, “In Israel, we have a basic philosophy that sharing and cooperating between private and public sectors is crucial for building a strong cyber ecosystem. In some cases, the government should give the industry something more valuable than money to help them get better. Sometimes it’s best practices or even intelligence. It is important because the industry has immediate impact on national cyber security.” Israel’s success can also be seen in international cyber cooperation.
“Many countries are not willing to deal with the Israeli industry without state backing. I’m authorized by the government to provide this backing. Since I took office, I met with dozens of heads of states and we have already signed 15 agreements with states and international organizations. All in all we have 90 info-sharing agreements worldwide. The UAE is one of them. We all have a common threat [Iran] and the enemy of my enemy is my friend.” Speaking of Iran and other cyber adversaries, Unna raised eyebrows in late May when referring to a major cyberattack on the Islamic Republic’s Shahid Rajaee Port on May 9 during a virtual cyber conference. While Unna neither admitted nor denied that Israel had counterattacked Iran, in unusually open terms for a senior defense official, he strongly implied that Tehran should watch out if it intends future attacks on Israel’s civilian infrastructure.
“We will remember this last month, May 2020, as a changing point in the history of modern cyberwarfare, what we faced here in Israel… the attempted attack, synchronized and organized,” targeting civilian water infrastructure. “If it had been successful… we would now be facing in the middle of the corona crisis, extensive damage to the civilian population, a lack of water,” said Unna.
While tiptoeing around the issue of attributing the attack to Iran at an official level, Unna noted a Fox News accusation against Iran and made it clear that Israel was hacked by an enemy nation-state and not just lone-wolf cybercriminals.
RETURNING TO the importance of Israel’s new relations with the UAE, on the wall of a major conference room at the Tel Aviv headquarters, there are three clocks listing the times of three foreign countries: the US, UAE and Singapore. INCD indicated that these countries are currently Israel’s three most central partners and areas of focus in the cyber arena.
Recently, in a joint webinar with the UAE, Unna told Emirati counterpart Dr. Mohamed al-Kuwaiti, “We are threatened by the same threats... because of the nature of the region, because of the nature of our new, ‘outed’ relations and because of who we are – strong economically and technologically.” “The purpose of the agreements is info-sharing that operates around the clock. If something happens in South America at night – say, for example, an attack on a hospital there – they report it to our CERT immediately. By sunrise, we are ready to go with all the information necessary to protect our hospitals,” he said.
Other global cooperation includes, “agreements with the Development Bank of Latin America and the World Bank. They currently have Israeli cyber experts working there who were appointed on our recommendation. Their job is to promote and improve cyber defense in countries worldwide. Part of our mission is to help improve the global cyber security because cyber is a lot like a biological pandemic – it spreads between countries regardless of borders and ethnicity. But unlike a biological pandemic cyber is caused by human actors with malicious intentions, and we need to join forces to push them back.” There are other countries in the region with whom Israel may already have forged quieter cyber ties, but at this sensitive moment, Unna still cannot publicly discuss them.
BORN IN 1971, Unna was named director-general of the INCD in January 2018.
His career started in the field of SIGINT (signals intelligence) as a captain in the IDF’s 8200 Intelligence Unit, also known as “Israel’s NSA.” In 1995, he was
recruited by the Shin Bet (Israel Security Agency), where he went on to hold a series of senior management positions in the SIGINT and cyber sectors. These combined intelligence, active operations, strategic development and integrating new technologies.
During his Shin Bet tenure, he served as chief of Cyber-SIGINT Directorate as well as several subdivisions, including the Cyber Division; also heading up the Cyber-SIGINT Infrastructure Department; Communications Research and Data Mining Department; and Cyber Warfare Unit. Many of these new subunits were founded by Unna, who developed them from the ground up, as well as establishing the basis for their operations. In many ways, this was akin to a series of national security start-ups.
After 22 years in the Israel Security Agency, Unna moved to the INCD where he was tasked with setting up the new Cyber Bureau’s technology unit as well as leading it until he later took over the entire INCD. Unna holds a bachelor’s degree in Management and Middle Eastern History, in addition to an MBA, both from Tel Aviv University. He speaks Hebrew, English and Arabic fluently and is married with three children.
ONE SINGULAR problem in the cyber sphere is the lack of a true boundary between offense and defense. There is an increasing awareness in the cyber sphere that anytime Israel or the US uses a cyber weapon against an adversary, that same weapon can likely be reverse-engineered and later used against them and other Western countries.
Hacks of US intelligence units have reportedly allowed bad actors access to certain cyber weapons. Some US intelligence officials alleged that the US and Israel’s reported use of the STUXNET virus to delay Iran’s nuclear program in 2009-2010 spilled over into Iran giving the Islamic Republic new cyber weapons of its own.
“When a kinetic missile is fired, explodes and causes damage, or it doesn’t cause damage or misfires, you cannot launch it in reverse against whoever fired,” Unna said. “A unique phenomenon of cyber warfare is that cyber weapons – because at the end of the day it is code – can be used to counterattack whoever originally used it.” Yet Israel works hard to prepare even for such boomerang effects. For example, during the 2017 WannaCry worldwide cyberattacks, a cyber weapon at least partially based on the US NSA’s cyber activities, Israel was harmed much less than England and other countries.
Unna has quite a few “war stories” to tell at this point. At the height of the coronavirus crisis this past April, he recalled a massive attack on hospitals and academic research centers (studying corona issues) in the Czech Republic. As part of Jerusalem’s cooperation with Prague, Unna led the INCD’s efforts, along with other Israeli cyber industry partners, in breaking down the problems in real time and arriving at conclusions regarding the attack.
Similarly, in the major cyber ransomware attack incident on hospitals in Romania last year, when the authorities there appealed to Israel for aid, Unna said that he and his unit were able to help them counter-hack the malware placed by the ransomware hackers on the hospitals’ networks. Moreover, INCD helped prevent the ransomware virus from infecting dozens of other hospitals.
A central accomplishment of Unna’s tenure was successfully ensuring that Eurovision’s broadcast from Israel in May 2019 went uninterrupted. He said there were hacking attempts, but with the exception of a few minutes in which part of the Kan broadcaster’s website was sabotaged, the broadcast itself went off without a hitch. He said the cyber security provided was at least as comprehensive as the huge physical security provided for the event and that no prior Eurovision event had been as substantially protected in the cyber sphere.
A further cyber incident that Unna and his team handled was a broad attack against Israeli online networks last year. Thousands of computers were attacked with ransomware along with tens of thousands of websites all at the same time. The tactic used by the attackers was to infect a large-scale supplier hooked into businesses’ networks with malware so that the businesses did not see the “friendly” attack coming. Due to INCD’s efforts, the immense attack was prevented from its primary goal of leaking out into the general Israeli public to spread across the entire country.