A special visit to Israel's national CERT in the southern city of Beer-Sheva provides a rare glimpse into the country's cyber warfare operations. “We provide a sort of Cyber Iron Dome,” they say at the National Cyber Directorate
It happened during the Passover holiday of 2018, when many workplaces were closed for the holiday: a “mild” cyberattack. The websites of the Israel Teachers' Union, the municipalities of Hertzliya and Eilat and several hospitals were disabled. Cyber specialists described these attacks as “Unsophisticated; it was easy to reconstruct the data. These hackers focused on relatively small websites, where no substantial resources had been invested in security.”
One example of a more serious hacking attempt that took place recently was a focused phishing campaign against the state – an attempt to break into tens of thousands of mailboxes. The event was handled by the National Cyber Directorate, and no damage was sustained. The implication: the State of Israel is threatened on a daily basis by groups and individuals. Since the threat was identified and defined, the State of Israel has been investing substantial resources in the fight against cyber threats. The executive arm of the government in this field is the National Cyber Directorate; its primary security resource is the cyber warfare operations center in Beer-Sheva – the national CERT.
From the moment the cyber threats facing the State of Israel had been identified, the Israeli Government, headed by Prime Minister Benjamin Netanyahu, acted with determination toward the establishment of dedicated organs that would fight cyberattacks. The people of the National Cyber Directorate told us that the Prime Minister had identified the significance of the threat at an early stage, so he is regarded as the patron of the National Cyber Directorate.
As early as August 2011, the Israeli Government sanctioned the establishment of the National Cyber Bureau, followed by the establishment of the Cyber Security Authority, and in late 2017, the Government decided to merge the two individual organs – the National Cyber Bureau and the Cyber Security Authority – into a single unit, the National Cyber Directorate. According to the official definition, the Directorate is responsible for all aspects of cybersecurity in the civilian world, for policy consolidation, for the build-up of technological power and for operational cybersecurity.
Yigal Unna, the Head of the National Cyber Directorate, defined the nature of the threat at the CyberTech 2018 conference held in Tel-Aviv last January: “The cyber threats are growing more and more sinister. The cyber winter is already here, and Israel is no exception.” Unna’s predecessor, Dr. Eviatar Matania, said that “The cyber threat is global, so the methods and solutions for dealing with it must be global as well.”
The aggressive trend among hackers – individuals or state-sponsored – of attacking targets is a worldwide phenomenon. More and more incidents are being recorded of attempts to damage critical infrastructures and civil aviation (according to some reports, the number of threats to aviation has increased since the introduction of Boeing’s newest passenger aircraft, the Dreamliner), there are more cases of cyber interference in national elections, and there are even attempts to affect national morale. The hackers attempt to damage both software and hardware elements.
Rafi Franco, Head of the Resilience Complex at the Cyber Directorate told Israel Defense that “The State of Israel faces cyberattack attempts on a daily basis. The threats are severe, but Israel is well-prepared for the threats and for various scenarios involving critical infrastructures, government, and energy. The state is well prepared.
“The Resilience Complex contains security resources for all of the critical infrastructures that we call CSI – Critical State Infrastructures: electrical power, water, natural gas, railroads and trains, the Airports Authority, the oil refineries, the electrical power generation and service grid, government ministries, state agencies, and hospitals – a total of 26 critical infrastructures which we oversee directly. Our guidance includes directives and training, dissemination of training materials on security methods and measures, and increasing awareness of the dangers of cyber warfare. We at the National Cyber Directorate provide a sort of ‘Cyber Iron Dome’ – a security system intended to prevent Denial of Service (DoS) attacks. Right now we are hard at work writing the national cybersecurity doctrine for the Israeli economy.”
The Cyber Directorate has already published a voluminous document titled “Organizational Cybersecurity Doctrine,” whose introduction states: “Cyberspace is an inseparable part of our lives. We search for information on the Internet, we navigate our road trips using navigation apps, communicate using cellular telephones, and some of us have a pacemaker or an insulin pump connected to the Internet – all of these are parts of cyberspace. In the business world, we use credit cards, manage customer databases, run global organizations using computer networks, market, buy and sell – all while relying on cyberspace.”
A Visit to the Cyber “Pit”
The war room – the national cybersecurity “pit” or operations center – is the national CERT located in Beer-Sheva. Its official name is CERT-IL, with “CERT” standing for “Cyber Emergency Readiness/Response Team.” In Hebrew, it translates to “Information Security Event Coordination Center (ISECC),” also known as the “center for handling cyber events in the civilian sector.” The CERT’s missions are to research and respond to security events, coordinate the handling of events as they occur, monitor information sources to identify threats, cooperate with CERTs around the world in order to block attacks from overseas, and provide information and publicity. The national CERT and its activities were presented for the first time ever – to Israel Defense.
The national CERT operates around the clock, year-round, at the cyber campus in Beer-Sheva, close to Ben-Gurion University and the local industry. It was erected by Rafael in cooperation with Matrix, EMC, and IBM. It is manned by response teams trained to provide solutions to cyber events. The national CERT communicates with some 60 similar centers around the world and about 80 major financial organizations. It has been the focal point of visits by numerous dignitaries and government officials: so far, visitors from dozens of countries, including heads of cybersecurity agencies, the Homeland Security & Counterterrorism Adviser to the President of the USA, the Cyber Minister of Australia, the Homeland Security Minister of Canada, the President of Bulgaria and government ministers from Japan, have all visited the national CERT.
The national CERT consists of two parts. The first tier is a hospital emergency ward of sorts, where calls from the public are processed by operators using computers. These operators sort the calls, provide a preliminary response to the caller and refer the call to the adjacent hall, which constitutes the operations and investigation center. The missions of the national CERT operations center are to assemble a cyber intelligence picture; develop the situation and the tools required in order to assemble a national (civil rather than military) status picture; issue instructions to the public; develop and provide guidance on cyber-related regulation; train cybersecurity personnel; and maintain and operate cybersecurity facilities at various organizations, corporations, industries and offices.
Franco explains: “Every protective wall has a hole, and sometimes more than one hole. The task of the CERT is to go into action when a cyber event, an attempted cyberattack or even a suspected attack is encountered. When required, the CERT will dispatch an Incident Response (IR) team. This team consists of the best specialists. They will go to the facility that was attacked and help the local people eliminate the event and minimize the damage.
“Another task assigned to us is building up the technological power – developing and providing ‘blue and white’ (Israeli made) cybersecurity technologies for protected spaces in Israel and overseas. Israel is highly respected within the global cyber industry – 20% of the global investments in cyber are made in Israeli companies, and our exports amount to close to four billion US dollars per year.
“The national CERT is one busy installation – we get about 140 calls per month and handle 81 events each month. What is an event? An attempt to pose as a website using phishing, or an attempt to insert malicious code or any other malware. We also issue about 500 cyber alerts each month, with security instructions. This includes alerts on cyberattacks overseas. We disseminate the information using the Cybernet network or by e-mail to the various companies. We disseminate our alerts according to activity categories, like finance, energy and so forth, with the information focusing on security for each specific category.
“The national CERT operates opposite several fields of activity in the civilian sector, notably SOCs (Sector Operational Centers), finance, energy, and government. The person handling the financial field will be the one who knows this field better than anyone else, who speaks the language of the finance and banking people and can profoundly understand the alerts regarding cyberattacks in this particular field. This function will normally be assigned to a person who hails from the financial world.”
Who are the attackers?
“I am not dealing with an attacker but rather with an attack technology – that is what I am interested in,” Franco replies.
He told us that this year, the state will launch the “Yovel” system – a technological system through which every organization in the local economy will be able to independently check its cybersecurity performance and competence, and based on the data, obtain recommendations as to how to prepare, revise and improve its security.
This year, the Cyber Directorate will publish, in line with the applicable regulations, the list of cybersecurity vocational skills, as part of an effort to professionally regulate this field of activity. We can report that the list will include five vocational skills: cyber implementation specialist, cyber analyzer, vulnerability analyzer, cyber technologist and cyber methodologist.