Wednesday’s news that Hamas’s offensive cyber social engineering strategies against Israel have gotten more sophisticated was just the tip of the iceberg of threats Jerusalem faces, compared to, say, the Iranian threat, especially after new cyberweapons have been used in Russia’s invasion of Ukraine.
A quick anecdote illustrates how big the consequences are for the cyberwar with the Islamic Republic and how fast it moves.
It was late October and an official from the Israel National Cyber Directorate (INCD) warned Cyberserve, an online domain provider for a plethora of Israeli companies, on a Thursday that they were imminently in danger of being hacked by Iran-affiliated groups.
Despite the INCD official repeatedly insisting that Cyberserve (which provided a domain to the LGBT website Atraf, among many others) plug holes in its cyberdefenses immediately, the private sector cyber defender official said he would get to it on Sunday due to his weekend plans.
By Sunday, Cyberserve and Atraf had become the black eye of cyberdefense train wrecks in Israel, with mayhem created by sensitive and intimate personal details leaked online.
How is it that the Cyberserve official was able to ignore the INCD warning back then, and could still ignore a similar warning today? Will anything change after the stunning new cyber malware and strategies the world has seen unleashed against Ukraine?
The short answers are: 1) Israel has persistently failed to move at all on a five-year-old cyber law that would allow it to compel companies like Cyberserve and Atraf to comply with cyberdefense standards; 2) all signs are that even the dark shadow of cyber chaos in Ukraine is unlikely to change a thing.
Three men represent a big part of the reason for this: Benjamin Netanyahu, Naftali Bennett and Benny Gantz – and none of them would apologize.
Although these three often have little in common in terms of political alliances and policy, in one area they seem to be in lockstep: favoring a deregulation approach to private sector cyberdefense.
Prime Minister Bennett, without using names, in March told over his own version of the above story regarding Cyberserve and Atraf, which pretty much confirmed the INCD’s version.
But if you might have expected Bennett’s next statement to be that the story illustrates why the cyber law must pass to empower the government to more strongly regulate the private sector, he went in a completely different direction.
“We have many cases of advanced intelligence on cyberattacks, of real-time intelligence on cyberattacks. We want to train folks in advance to protect themselves. We have ongoing channels with these organizations so when there is a new attack, they can within minutes upgrade or close a hole,” Bennett said.
“The government doesn’t have the authority to command a commercial company to protect itself. I am not sure I want to be able to tell a company it must protect itself. I am not sure. Maybe it is something we have to work through. But I want companies to protect themselves, because people get harmed,” he stated.
In addition, Bennett said he has a group of former hi-tech colleagues whom he checks in with to make sure there is no new “dumb stuff” the government is doing to overregulate the hi-tech sector.
Bennett’s reference to being unsure about forcing commercial companies to defend themselves through legislation alluded to this concern about unintentionally harming the hi-tech and cyber sectors.
So even after the Cyberserve/Atraf disaster, a similar prewarning ignored by Hillel Yaffe Medical Center and many other such examples, Bennett is more afraid of overregulation than he is of lacking the power to save the private sector from its own occasional cyber laziness or cheapness.
At the same conference, Netanyahu echoed similar themes. The former prime minister was emphasizing the challenges of defending the Mossad and other security agencies from cyberattacks when it comes to their support services.
“If want to defend [against a cyber] attacker regarding the military, the Mossad and the Shin Bet, it’s easy to defend them, put on a fence around them. How do you defend the cleaning company which sweeps their offices or the medical company which treats their personnel?” Netanyahu said.
“These are complex questions. Do you force companies to join cyberdefense requirements? Where do you draw the line? No one knew. Each of the leading countries asked the others. Nobody knows!” he said.
Despite Netanyahu’s portrayal of no one knowing where to draw regulation lines, most of the government’s cyber experts have presented multiple options for empowering government to enforce cyberdefense standards in the private sector since 2017, but they have been ignored.
From his account, his known position in favor of deregulation and his next story about the dangers of government abuse of cyber power against individual citizens – in this particular case he was talking about the Pegasus spying affair – it was clear that he blocked the cyber law for years on principle.
Defense Minister Gantz has not spoken out on this specific issue, but spent time in the private sector in some cyber-related areas and has done all he could to defend Israeli private sector company NSO Group from global criticism.
So his sympathies are also likely with the private sector, which usually favors deregulation, and not with the government experts who are pro-regulation, many of whom think that only the government, not NSO, should sell cyber offensive capabilities.
WHAT DO some leading voices in the private sector think and what are some other models that countries like the US are embracing for regulation?
Former Unit 8200 chief and co-founder and managing partner of cybersecurity powerhouse Team8 Nadav Zafrir said that “the key is being descriptive rather than prescriptive. That is, to create regulation that is based on what are the unwanted outcomes.”
Zafrir was referring to the debate point that favors descriptive regulations that establish flexible general requirements and security principles that are easy to understand and allow more discretion to make moves based on the specific threats being faced.
In contrast, Zafrir was discouraging prescriptive regulations that state exactly how to achieve cybersecurity in a detailed manner, including requiring specific techniques or methods.
Those who favor prescriptive regulations do not trust the private sector to make the right choices for the general public with its discretion, and expect it to act more in short-term, narrow, self-interested ways.
However, Zafrir, who has both the public and private sector views, was emphasizing descriptive regulation, which supporters say is potentially more effective because it does not limit organizations’ abilities to evolve their defenses to confront new and unexpected threats, as prescriptive regulation might.
Until now, the INCD has used more informal contacts with the private sector to gain its cooperation for cyberdefense and has often found this tactic to work.
But the above cases of Cyberserve/Atraf, Hillel Yaffe and others show there is a downside to lacking regulatory power.
Former National Security Agency and US Cyber Command chief Adm. Mike Rogers explained some of the latest trends on cyber regulation in the US.
“The most important thing the government can do is to make it as easy as possible for the private sector to inform the government about cyber activity they
[the private sector] are seeing of concern and its impact,” said Rogers, now an operating partner at Team8.
Next, he was pressed about a dispute between the FBI and other US agencies about whether reporting should be only to the Cybersecurity and Infrastructure Security Agency (CISA), or whether in some instances reporting should be to the FBI.
Responding, he said, “To me, that means identifying a single government POC [point of contact] and then tasking that government entity to ensure the information is further shared within the USG [US government].”
Continuing, he said, “That would best be DHS [Department of Homeland Security] and its CISA organization, which has the overall US government lead for USG support to the private sector with respect to cybersecurity.”
“Asking/expecting the private sector to figure out who and under what circumstances they should contact the US regarding cyber activity is not optimal in my view - particularly as in most circumstances there is no one single government entity that is solely in need of awareness with respect to cyber activity,” Rogers stated.
Rogers was also asked about the pitfalls
of overregulation and whether Israel’s informal regulation model could work for the US.
“What works in a nation of nine million people with respect to a legal notification (or the lack thereof) regime may not be appropriate for a nation of 335 million individuals and the world’s largest economy,” he said. “The informal approach does not seem to be working in the US.
“Having said that, I acknowledge there are multiple options here – from imposing a legal reporting requirement (which the US has just implemented for the first time in the form of the requirement to notify the USG of cyber penetration or ransomware payment within 72 hours) to perhaps asking how could the government address corporate concerns around liability associated with reporting cyber penetrations or hacks (which is often one of the primary private sector concerns with respect to acknowledgment of such cyber activity),” said Rogers.
“Or we could count on an informal approach,” he added, “but doing more of the same and expecting different results seems like a strategy with a pretty low probability of success.”
Some of the models proposed in Israel since 2017 (and some even earlier) include widening the number of fields considered critical infrastructure, where the government can take over cyberdefense, if necessary; immediate reporting requirements when there is a hack; liability to the private sector for failing to report to the government; and even a stratified system of different levels of liabilities and reporting requirements based on the field or company size.
Despite the many regulatory ideas in Israel making the rounds and supported by almost all government cyber experts, including recently retired INCD chief Yigal Unna, all signs are that between Bennett, Netanyahu and Gantz, no serious regulation will be moving forward anytime soon.
Some in the private sector may be happy about this. But then again, when it is their turn to be hacked, they and the general public may suddenly be a lot less happy.