The WannaCry cyberattack in May 2017 was one of the broadest attacks in recent years. An estimated 230,000 computers in 150 countries using the old Microsoft XP operating system were affected. The victims included hospitals in the UK, Spanish communications company Telefonica, German railway company Deutsche Bahn, delivery company FedEx, and many other concerns. North Korea was behind the attack. Estimates of the damage caused range from several hundred million dollars to several billion dollars.
"Some of those damaged by the attack were totally unaware that they had been damaged. Some did not want to report it, while others wanted to report it, but didn't know to whom they should report. The agency responsible for cyber defense in countries that were attacked had no effective way of spreading the information about the attack to the parties involved," says Israel National Cyber Directorate Technology Unit chief executive director Hudi Zack in order to demonstrate the need for a government agency to connect the state agencies and economic concerns and enable them to deal effectively and quickly with cyber attacks.
An existing agency operating as part of the Cyber Directorate, called CERT - the national cyber response team, is responsible for the reporting mechanism between the Cyber Directorate and businesses. The technology unit, however, is now developing a completely new system to add another defense layer that will help take preventative action. The name of the system, which is designed to monitor and rank cyber risks in government agencies and companies, is called Display Window. The capabilities and know-how assembled in the Cyber Directorate will be integrated in tools acquired from the industry. Use will be made of information from government and private organizations and will be cross-referenced with intelligence sources and independent external measures. A joint comprehensive picture of the level of risk to which the entities are exposed will be created in real time.
The system, revealed here for the first time, is in the development stages. Its purpose is to improve Israel's readiness for the mounting threats, and to counter those threats at a national level. "People in the Cyber Directorate are guiding critical infrastructure agencies in the implementation of their security policy. They are supposed to use the system we are now building to enable them to go to entities like Israel Electric Corporation or the blood bank and tell them, 'We see a problem here. Let's work on it together before something happens that will really damage the country's national resilience.' In this way, we'll be able to also create a broad picture of the national situation," says Zack, who points out that there are still no commercial tools convenient and cheap enough to carry out a top-level risk analysis. The first part of the system, which is designed for state-owned critical infrastructure agencies, is scheduled to become operational by the end of 2020. The second stage of the system, which is designed for the entire economy on a voluntary basis, is scheduled for launching in 2021.
"I circulate at international conferences and tell colleagues around the world about cooperation between the sectors in Israel. They are astounded that a private concern is willing to share information with the government. In many Western countries, this is completely unacceptable," Zack explains. "We already have over 1,000 entities in Israel, such as insurance companies and banks. Quite a few of them not only get information from us, but also give us information. There are discussions now in all sorts of entities around the world that want to replicate this model."
"Compared with the rest of the world, our situation isn't bad"
The National Cyber Directorate was founded in early 2018 by government decision. It amalgamated two agencies that preceded it that operated simultaneously: the National Cyber Bureau and the National Cyber Security Authority, which assumed authority that previously belonged to the Israel Security Agency. The Cyber Directorate is responsible for devising Israel's cyber strategy and for Israel's resistance to cyber attacks. The Cyber Directorate, which operates as part of the Prime Minister's Office, is headed by Yigal Unna.
Zack calls the technology unit that he heads the "engine and the compass" of the system. "The engine because we supply the know-how, the systems, and the capabilities that will enable everyone to do their work, and the compass because we're the only ones with the ability to look years ahead and ask about the effect of subjects such as artificial intelligence or quantum computing on cyberspace," he declares.
"Our mission is to bring Israel to a significantly higher level of defense and coping with cyber threats than in the current situation. Compared with the rest of the world, our situation isn't bad, certainly in comparison with most of the world, including the advanced countries. But we definitely feel that there's a need for a quantum leap in the level of our handling of the existing threats," Zack explains.
Zack has a rich background in security and cyber. He is a graduate of Talpiot, the Israeli military intelligence technology unit. After serving in the air force, he says, he was one of the first generation of founders of the Israel Missile Defense Organization, responsible for defense against ballistic missiles, and was involved in the first Oren Yarok (Green Pine) radar project for the Arrow missile for Elta. He has been working in the private sector for nearly 20 years.
Zack entered the cyber field five years ago when he was appointed the first manager of Verint's cyber security division, which is currently in the headlines because of the severe cyber attack against it. After Verint, Zack was COO of cyber startup Cytegic, which also deal with risk analysis. He came to the Cyber Directorate a little over a year ago, and was immediately made responsible for planning. "What motivated me was a feeling that there was a real need here on the national level," he told "Globes."
Switching from questionnaires to intelligence gathering
Even before Display Window, which is now being developed, the Cyber Directorate's defense envelope had three layers designed to help all of the sensitive entities in Israel: "Matzod Harama" (High-Level Hunt), a system for detecting and investigating threats in Israeli cyberspace that collects and analyzes information; "Kadur Bedulach" (Crystal Ball), a system that combines generating insights with intelligence data obtained from commercial and non-commercial concerns; and Cyber Net, a system of sharing and distributing information among economic concerns. Display Window is the fourth layer.
"Globes": How does it actually look and function?
Zack: "It's not like e-mail. It's an unclassified network, but it's closely guarded, with chat rooms according to segments in which it is possible to report anonymously. A banks that reports a cyber risk doesn't necessarily want to say who it is, but it does want other banks to know. The problem is that today, an entity that wants to know about its level of preparedness against cyber threats does this through external companies, which come once a year and distribute questionnaires to the relevant people in the organization. These firms, large and small, collect the answers to the questionnaires analyze them, put them into Excel, and issue a report."
What is wrong with that?
"Quite a few of the companies subjectively report what they think, or what they want to report. Some may not even realize what they're being asked. If cyber defense is being outsourced, then the inspection company asks questions, and the company sends this to its subcontractor that handles its IT and cyber security. Then the contractor asks himself, 'What do they want from me? I'm not getting money for this,' and marks 'x' in all the boxes. These processes are partial, manual, subjective, and even if they succeed in arriving at an accurate diagnosis, it's relevant only to that point in time, and you can't compare it to previous reports or similar companies."
What broad problem can occur, and what significance is it liable to have?
"The most illuminating example is the NotPetya attack, also in 2017, which affected mainly Ukraine. The attacker succeeded in paralyzing many organizations by implanting malware on Ukrainian bookkeeping software. Every organization that used this software became in effect an agent of the attacker until he decided to activate it.
"Why am I telling you this? Because there is also local bookkeeping software in Israel, and if someone attacks through such software, which is specific to Israel, it's important for us to understand what is connected to what - something that we can only learn through the national picture. Not long ago, it was reported that Iranian hackers had stolen sensitive information for 10 years from a certain company offering remote access services to employees of the organization. In this case, we have to check what other places the software was installed and where handling is needed, because it is possible that the problem is broader."
What information do you need from the organizations for this purpose?
"Where the solution is concerned, we're talking here about a big data record that connects information from organizations, obviously with their consent and knowledge. It's important to me to say this. In principle, we want to collect information also within the organization - where its critical assets are, and its important processes are, where its most sensitive servers are, and what the level of their handling is, and to check whether they are being handled correctly.
"In other words, it's nice that you have a firewall, but if you haven't updated it for a year, it's worthless. This is the dimension that we will study within the organization, but there is also gathering outside the organization, based on what we can see from outside. Although we ostensibly can do this without asking anyone, we're still doing it voluntarily and with consent. The second part of the system will be based on gathering outside the organization. This will be the part that will enable organizations to understand what their risk level is.
"This will be an unclassified system based on the system built for critical infrastructure, and joining it will be voluntary. 'Are you calling to realize what your level of risk is? We have a system of an authorized and objective party. You can try it out, put some information on it, maybe let us monitor some of your things.' There will obviously be far less depth in the system, but it will give an organization a better idea of where it stands in view of the current situation."
How do you do this?
"All sorts of engines that we use, for example services of cyber rating companies, such as BitSight, which we cross-reference with intelligence. This an advantage we have over many companies, because good intelligence is expensive and difficult. The organization gets service for free or for a nominal payment, and is told what its level of risk is, and how it will change.
The Cyber Directorate is nevertheless a security agency. Is service for small businesses and help in saving on cyber costs a good enough reason for connecting your systems to theirs?
"The basic phase is monitoring from outside. The organization doesn't have to do anything other than agree. I don't install anything with it."
Why should a private organization go to a government service when there are commercial concerns offering cyber rating services?
"Beyond the fact that we use the services of commercial companies, which any organization can also contact directly, I think that what we give it is something a little more holistic. A commercial company has its own specialty. Were there in Israel a private or non-private entity giving such service with reasonable quality, I wouldn't be here. Usually, in the US, Verizon tries to present a similar solution, but they're only at the beginning."
Can you be more specific about the benefit of this measure
"I provide organizations, even small law firms and a supermarket chain, with access to a system that will facilitate risk management. I help them manage resources and strategy and obtain better protection. Increasing their safety contributes to the safety of the economy as a whole, because the Cyber Directorate is able to generate a broad statistics picture of the attacks and potential failures at the macroeconomic level. In this way, we'll be better able to instruct the public.
"Another aspect is cyber insurance - a matter that we prefer to encourage as a matter of policy. The difficulty of assessing the risk increases premiums, which deters concerns from buying cyber insurance. Once there is an acceptable system of cyber rating, however, the knowledge that an organization is connected to it is already significant. It's like saying that I may not know how healthy a person is, but if I know that he goes to the doctor every six months, I feel easier about insuring him."
Isn't this liable to encourage people to avoid responsibility?
"It gives some kind of indication that the organization in general is dealing with the problem in some structural way. Also, you can see that if it's improving with time or getting worse. On this basis, you can then assess what premium to charge it and what level of coverage you're willing to give it."
How can you know about the state of an organization without delving deeply into it?
"Through external monitoring, cross-referencing information between several sources and several different technologies, comparing with reference characteristics, and connecting all of the information into a single framework. Cross-referencing is also done with a reference threat menu that we compile that is relevant to Israel or to various sectors in Israel. In principle, the threat to the Bank of Israel differs from the threat to a delivery company in France or a hospital in the US. The attackers are different, the types of attack are different, there are groups that are more active here and less elsewhere, and vice versa.
"If some of the organizations are willing to provide us with information from their network in order to improve the analysis that we're capable of giving, it will be a very good thing, but we're not counting on it. We're very sensitive to this aspect of not being Big Brother."
How much is being invested in the system? Will there be things on it that are not on a system designed for critical infrastructure?
"This system relies on the capabilities that we're building for critical state infrastructure in the first stage. There's no additional development here. The efforts will be more in the direction of downsizing the first system and making it more accessible. If we see that there is a demand, it's likely to lead us to go faster, and maybe even work on the two systems simultaneously. As I said, there's is great interest in the system in the insurance market. We may add a component for quantifying the risk in monetary terms, something that is less relevant in a critical infrastructure system, because the damage caused to the Israel Electric Corporation doesn't interest me so much; what interest me is whether or not the supply of electricity stops."
What will happen if a private concern comes along and offers a better service than yours? Will you restrict them in this?
"I'll go further than that. If, two years after we have built the system, a private concern comes along and offers something more or less the same, I'll turn our entire system off. My goal is to make the economy more resilient. If I feel that the economy's resilience is being achieved without my help, that's great."
Published by Globes, Israel business news - en.globes.co.il - on May 5, 2019
© Copyright of Globes Publisher Itonut (1983) Ltd. 2019