How did it alter the basic fundamentals of the cyber playing field – and will it actually prevent future mega hacks of Washington and Jerusalem following a series of cyber disasters?
There are two ways to analyze the issue.
One is to compare US and Israeli incident response capabilities when a key part of one of the countries’ private sector companies or government agencies is hacked.
At this level, the US is still playing catch-up in some ways to Israel.
Since Israeli cabinet decision 2443 in 2015 established much of Israel’s current cyber protection architecture, the Israel National Cyber Directorate has become a powerhouse that oversees significant portions of the private sector’s cyber security.
In a visit to the INCD’s Beersheba operations command center, The Jerusalem Post witnessed firsthand the massive amount of real-time data the cyber agency observes and collects about cyber threats across the governmental and key private sectors.
With Israel’s small land area, the directorate can often have an emergency response team at a private sector office in less than an hour, or within a few hours. This way, it can help the company defend itself or at least contain the malware so that it cannot spread across the country.
In some ways, the US executive order is about just starting this process – or finally starting to take it seriously.
To that extent, it will take America some time to catch up to Israel. This is especially true given that it is much more spread out geographically and has a much larger cyber surface to defend.
BUT THERE is an entirely different side to this story, where the US is making history and starting a process of cyber defense that neither Israel, nor even the EU, could have managed on their own.
These new defensive measures will start in the US, but could benefit the entire world.
According to INCD legal adviser Amit Ashkenazi, there are some things that “only the US can do, to take action in the wider world, in technology and in the global market.”
Calling the magnitude and scope of the executive order unprecedented in US cyber history, he said it was “very practical. They are not waiting for politics,” which can fall into partisan disputes and pet projects.
The new executive order’s provisions addressing “software vulnerability and liability and labeling,” even if they are focused on the US technology industry, “are also relevant to Israel,” he said.
The cyber lawyer commented that much of the world “ignores software vulnerability and responsibility. It is a dilemma we have known about for many years,” but without ever addressing the issue head-on.
By comparison, the US Food and Drug Administration generally does not allow new pharmaceuticals to be sold to the general population until they have been checked several times over an extended period of years, Ashkenazi said.
In contrast, when it comes “to software, as soon as it’s ready, it goes out immediately without being checked.”
The only exception to date would be for software relating to weapons such as missiles and military aircraft.
The Biden approach was smart, he said, because it tells software developers, “Now, I am watching you – this is very important.”
Put simply, with deadlines ranging from 60 days to a year, all companies that have contracts with the US government must bring their software and cloud technologies – the latter of which now dominate the world of data storage and protection – up to a new standard of defensibility.
UNTIL NOW, cyber defense was sometimes done only from outside these systems, without demanding improvements in the internal systems themselves.
If Israel or another smaller country tried to use its purchasing power to force an improvement in the standards of software and other suppliers, it would run into ironclad contract provisions that prevent buyers from exercising any influence.
As great as the INCD’s after-incident response time is, Ashkenazi’s point was that no response time can be as powerful as impacting the vulnerable software itself before it gets to users and can be attacked. Also, the US may now get certain early-warning intelligence from embedding sensors among technology giants it does business with, which Israel usually lacks the leverage to demand.
Regarding labeling indicators of compromise (IOCs) or warning customers about the cyber vulnerabilities of networked household products, he said that there, too, Israel does not have the leverage over top technology companies or distributors to impose such requirements.
Israel, like most countries, has instead been stuck dealing with the fallout of hacks of networked products after the fact, because only the US can impact both the supply and demand sides of the market, he said.
Usually, Israel is providing applications, security and other secondary services for a major US technology company, but is not developing the basic software most of the world uses.
One thing about the labeling rule which he said will be critical is for the Biden administration to ensure that labels are uniform. “If they are not uniform, it will not help,” Ashkenazi said. “You need to know how to use the data – like for medicines which describe side effects. For people to know, the warnings need to be clear.”
Much of what the US was doing, he emphasized, was not regulation in the strictest sense of the word as much as it was America directing funds to move the market in the direction it wants.
Now, “suppliers to the government will be much more secure and this can improve them also for services they provide to the private sector,” he said. This means that for the private sector, the issue would require follow-up and oversight.
BESIDES QUICK response time, what can Israel do despite lacking some of America’s superpower advantages?
A huge problem is that many of the world’s governments run on older and more vulnerable “legacy” networked systems.
To solve this issue, Israel has already changed the entire apparatus for storing information, he explained.
Now, the Jewish state sends everything to the cloud – and protects and regulates the cloud.
The government has two main cloud suppliers, Ashkenazi said, adding that aspects of cyber security regarding their operations in Israel might be more advanced than in the US because the Jewish state is smaller and easier to cover from a cyber security perspective.
A challenge for all countries is that by the time they are ready to issue new regulations, the technology has often changed so radically, even in a period of a few years, that the “new” regulations may already be obsolete.
Will all of these changes stop mega attacks?
Not anytime soon.
As stated, many of the US changes will only start to kick in a year from now. Further, when it comes to deep industry-shifting changes, a year may just be the beginning of the process.
But if there was one sign of optimism from Ashkenazi, it was that the US, and therefore potentially other countries like Israel, may be starting to look at cyber defense with a much greater readiness to make sweeping reforms – even if those reforms are extremely difficult to make.