Building a security concept for Volkswagen cars

Tamir Bechor / Photo: Eyal Izhar, Globes
Tamir Bechor / Photo: Eyal Izhar, Globes

Former top Israeli security operative Tamir Bechor talks about car cybersecurity company Cymotive, which he founded with two other former security service colleagues.

Dr. Tamir Bechor founded car cybersecurity company Cymotive in 2016 together with his friends - fellow former Israel Security Agency veterans Yuval Diskin and Tsafrir Kats. In an interview with "Globes," he talks about the challenges in the auto market and what it is like to be an older entrepreneur, and explains the advantage of the model in which Volkswagen owns 40% of the company: "We do our development with the customer, and don't have to go to exhibitions to do our selling."

"I recently went to buy a car in the US, and I took my 17 year-old son with me. When my father took me to buy a car, I asked one question - what the engine volume was. My son didn't even know there was an engine. He asked how many devices could be connected to Bluetooth, and whether he could still listen to the song on Spotify in the car. We chose a car that contained mainly gimmicks. He wanted the car to have an iPhone, not cogwheels and screws. My son is the future auto manufacturer and the future customer, so that's how it will look. Cars will be based more on software, so it's more challenging for a company like us - a cybersecurity company."

That is how Cymotive cofounder Tamir Bechor answers the million-dollar question of what the auto market will look like 10 years from now. He is convinced that there will be an autonomous car on the road sooner or later. "The problem isn't the technology; it's regulation on matters pertaining to ethics, privacy, and trust," he says.

Bechor, 56, served 30 years in the Israel Security Agency (ISA) (Shin Bet) before being released in 2008. He started working in the ISA in computer and technology jobs, and finished with the rank of staff member, corresponding to a major general in the IDF. At the time he was released, he was responsible for all of the ISA's computer and information systems, and its operational technology operations. While working at the ISA, he completed his doctorate, and is now a lecturer in digitization and cybersecurity at Claremont University in California.

Bechor founded Cymotive with two friends from the ISA: former director Yuval Diskin, now Cymotive's chairman, and Tsafrir Kats, Cymotive's CEO, who headed ISA's technological unit. Bechor heads Cymotive's business development activity. In 2012, after the last of the three left the ISA, they began jointly providing consultation to enterprises. "There wasn't any specific moment when we decided that we'd do this together; it evolved that way. There was an opportunity to provide consultancy work, and we got together ad hoc for the work. Things started rolling from there. Because our character is adaptive, the business model developed as we progressed, and it became something more orderly and financed in 2016," Bechor explains.

"Globes": More orderly and financed with Volkswagen, no less. How did that happen?

Bechor: "That's a good question; you should ask Volkswagen. I think that the years preceding the founding of Cymotive, when we worked with them, created a lot of trust on the interpersonal level. We worked on individual projects. Also because of the challenges and the dynamic environment, there was a feeling there that they had to build their long-term cybersecurity capability, and they thought that Israel was a good place to do it, because capabilities in Germany were limited. They thought we were suitable partners professionally and personally, and in early 2016 they said, on their own initiative, 'Let's create something more strategic, long-term, and infrastructural, and build together cybersecurity capability for any corporation.'"

Volkswagen holds 40% of the shares, and the three founders hold 60%. The main customer, which is actually putting money into the company, is Volkswagen with all of its brands: Skoda, Audi, Porsche, Lamborghini, etc.; trucks like Scania; and so forth. At the same time, Volkswagen does not have exclusivity; Cymotive also works with other customers. Cymotive has 100 employees: 85 in Israel and the rest in Germany. The company has no sales activity; the great bulk of the jobs are technological. The company emphasizes that a third of its staff are women. They also say that its employees range in age from 20 to 70.

A lot of auto companies rely on tier-1 suppliers, such as Continental, which acquired Israeli company Argus Cyber Security. Volkswagen decided to do this by itself. Is this a common model?

"No, the model is unique. Most cybersecurity companies work on a limited scale with a specific product or a specific service, and usually in an ecosystem with tier-1 suppliers. Working directly with manufacturers on our scale is rare or non-existent, and there are advantages for both sides."

Aren't you concerned about being dependent on Volkswagen? You have eliminated the risk of reaching the market prematurely, but there is always anxiety that it will end, for example because of professional or organizational political reasons.

"I don't know about anxiety; it's a question of business model. The industry today is not sustainable, so this model is naturally more secure. It requires excellence from us, and the end consumer is measuring us every day and every minute, but this is an advantage. I see a lot of companies that are product companies, and selling to auto corporations is tough, because these corporations are conservative. Many technologies don't mature not because the technology isn't good, but because companies have no access to auto companies. The fact that we've developed such great trust with the customer enables us to develop for over half of the global auto industry.

"We also have the advantage of having grown up in a very political and corporate environment, and we know how organizations work. This is a key element. More than 500,000 people in 160 countries work in the corporation. Volkwagen is a power, and like any power, it has organizational politics, power, conservatism, and resistance to change. Had we not been able to work in an organizational environment, we wouldn't have succeeded in getting our product accepted.

"Imagine the contribution that three senior ISA operatives can make in organizations. It's not just the ISA; let's call it a way of life. You work a lot in the industry, see other organizations, and work in institutions of higher education. We realize that the level of security is the Achilles heel, so if you want to protect yourself, you have to build a concept, not a product. However good they may be, product companies sell a product, not general protection. We learned in the ISA that the ability to defend, detect, or respond lies in building an end-to-end concept, the ability to connect systems, and view things breadthwise. The automotive industry is not just the car; it's also the data center - the mobile device that opens the car and performs other actions, plus things not related to the car. You have to build a concept of end-to-end defense. That's what we did before, and that's what we're doing now.

"Auto companies don’t know how to buy cybersecurity. The connection with Volkswagen enables Cymotive to operate differently from other cybersecurity companies, and to fit into the manufacturer's development and production chain, from the initial development to the systems integrated in vehicles that are already on the road. Cymotive works in three main areas: providing services for cybersecurity and risk management throughout the process of manufacturing and developing the car and content services, developing products for detecting and preventing cyber attacks, and real-time command and control of the car fleet after delivery to the customer (now being built). The company also provides cybersecurity consultation for senior management in setting priorities for risk management and financial investments in the sector."

Instead of being a cybersecurity solution inserted just before the product goes to market, you say, "We need to be already be there in development.

"That's very true, and this is also dictated by regulation. An auto manufacturer has to prove that it's emphasizing cybersecurity during development. There are a great many companies that do risk management and testing as part of the quality assurance process. We're there throughout the entire process.

"Also because of regulation, Volkswagen is now legally required to provide a solution that will already ensure a safe environment for its cars in a number of aspects at the car development stage - a complicated process involving various suppliers. Cymotive is present throughout the development process, from the design to the systems specifications. The process is called design by security, and it's the best thing - to start thinking from the perspective of an attacker as early as the idea stage, and to see whether it has weaknesses and problems. It's a matter of awareness, but that's not enough - in the end, professionals are needed to actually carry it out.

"Even that's not enough, though. The hackers are more sophisticated, and there are things lacking. We have to develop products together with the entire industry that we'll install in a car or outside it, and which will make it possible to detect attacks after the car goes on the road, if the system is not resistant and durable enough. We have a significant advantage here, too, because unlike other companies, which develop a product in the laboratory and then go to exhibitions to try to sell it, we started from an auto manufacturer, and the development process takes place in a real environment - in Volkswagen's laboratories."

What is your function in the company?

"We work in Israel and Germany, where we have a separate business entity. Up until recently, we managed the German entity. Because it developed, we thought that the right thing to do was to hire a German CEO able to manage the German environment. My job is to work in the customer's environment, identify the needs and directions in which Volkswagen - and the auto industry as a whole - is moving, and try to adapt both the company's capabilities and business plan for the future. Today, three full years after the venture called Cymotive began, we're looking ahead and building a new business plan encompassing areas that we haven't been involved in before. My job is to create the future plan."

Have you abandoned a sales arm, or do you have limited activity?

"Since we work with other auto corporations, we still have to reach them, but we don't work through exhibitions and brochures. We're not youngsters; we're on our second careers, so we developed a network of connections, and we're able to reach these corporations. It saves time."

What led you to start detection of attacks in real time?

"At the end, when the car goes on the road, its lifespan isn't three years, like a telephone, but 20 years. By the nature of things, the car changes, and can become unprotected at any time. Vehicles today have a lot of software, Tesla cars for example - you buy them with a certain horse power. You can enter the site and buy more horse power, and then software is loaded into the motor, like updating a smartphone. A potential attacker can put a virus into the software that will disable the brakes, so you have to monitor cars in real time. That could be the number one challenge for auto companies in the future.

"We acquired these capabilities in the ISA - to take inputs from all sorts of places, generate a picture, and detect a problem. Companies have to respond not only in the technical aspect, but also in the legal sphere. The question arises of what to do when there is an attack on a million cars, for example if the braking system doesn't work, or more simply, the volume becomes too high. What do you tell the customer traveling in an unprotected car? If you immediately announce that the car is unreliable, you will create panic, so it's important to give companies reliable information, not false alarms."

Do you think that there are too many auto cybersecurity solutions?

"I agree with Zohar Zisapel, who recently said that there was a bubble in auto cybersecurity. It's like any growing industry - there are expectations that good things will happen, and a lot of people enter the field.

"The companies that last will be those that have something to offer beyond a single product - an overall concept that is more than the sum of the products. The auto companies don't know how to buy a cybersecurity product. They ask questions like how the product will work, how it will be connected, and whether putting it in means that they are protected - of course not. I think that Cymotive is ahead of the market in this aspect, and I hope that the company is more sustainable. A lot of companies will vanish."

Many companies are looking for an exit or an IPO. Few of them rely on dividends. What are your intentions?

"We're trying to build something that will be sustainable. What financial value will it give in the long term? We don't bother with these calculations; we're busy building something good. There are a number of possibilities. Volkswagen may want this capability for itself. We may want to sell more to other corporations and generate a return on the investment. There are also many business models in which Cymotive can develop. Right now, we're emphasizing building the company; the financial value will come later. As of now, we're being financed through projects. An investor usually puts money in, which gets burned. Here, there's an investment that both owns shares and brings orders. It's more than a smart investor, because it's also a customer. We entered several other companies, and I'm glad to that say that although Volkswagen is a shareholder, the customers weren't afraid of it."

What is it like founding a startup at age 53?

"I read an article not long ago that said that older people were founding startups. I don't know whether this is statistically correct. As far as we're concerned, what's nice is that when we look back, a lot of things that we have to do now - we acquired the knowledge over the years. There's a type of maturity, and there's also no pressure. We also complement each other's characteristics, and give each other room."

"Getting information is easy, analyzing it is hard"

Cymotive's founders led a technological revolution in the ISA in the 1990s. "We realized then in the service that technology was a very important element, and technological apparatuses were founded that enabled the service to accomplish its goals. I worked on the development of information systems, some of them operational. We developed the ability to obtain much more data in real time, process it, separate the wheat from the chaff, and in effect realize that there was a problem that had to be addressed. One of the things that the ISA developed was the ability to cooperate with other agencies, and to look at other intelligence units in Israel and around the world. The technology was what made it possible."

In recent years, the technology giants have been making huge investments in research and development. Aren't intelligence agencies losing part of their advantage?

"There's a lot of information available in the world. Once upon a time, intelligence agencies worked very hard at getting information. It's easier and quicker now, but the problem is the ability to derive insight from it. This is the challenge. Artificial intelligence and machine learning are sometimes an essential condition, but sometimes you need human insight. The ability to analyze information correctly and wisely, and to present it in a good form, can sometimes be what distinguishes one organization from another.

"The challenge is to create something that is greater than the sum of its parts. If you're able to gather three scraps of information and create something new, there's value in it. It's a challenge for anyone dealing in this aspect of intelligence who wants to generate an informative picture. We did it in the past, and what's nice now is that a lot of civilian industries, such as the automotive industry, ecommerce, and the banks want to understand what's going on with the customer, with the product, with the supply times, and with the quality. The question also arises of which information you shouldn't gather. In the past, these questions weren't asked."

Published by Globes, Israel business news - - on September 1, 2019

© Copyright of Globes Publisher Itonut (1983) Ltd. 2019

Tamir Bechor / Photo: Eyal Izhar, Globes
Tamir Bechor / Photo: Eyal Izhar, Globes
Twitter Facebook Linkedin RSS Newsletters גלובס Israel Business Conference 2018