The challenges and opportunities of national cyber defense

What constitutes an effective cyber-defense? Who are its captains? What should it entail? National Cyber Directorate experts offer insight into a fast-growing, critical field

The past few years have seen a growing awareness of the importance of cyberspace as a sphere vital to the activity of both nations and organizations, as part of the global modernization trend. This manifests in increasing activity in the fields of civilian infrastructure, economics, national security, civilian defense, inter-organizational communication, education, government and more.

The more dependent countries and organizations have become on computerized systems, the bigger the potential for damaging these systems has become as well. The tension pulsing through the risk-advantage spectrum of using computerized systems characterizes many civilian, business and national procedures, and grows stronger in light of ongoing globalization, which mandates linking various computerized systems that are external to organizations, such as the Internet, smartphones, private cell phones etc.

Cyber attacks have increased over the past few years and have also taken on a more sophisticated nature and targets – industrial espionage, malware, spamming etc. – and many players take part in them, from individual hackers, through crime syndicates, to nations.

Accordingly, nations and organizations worldwide are increasing their investments in cyber-defense: more resources are allocated to such efforts, including for the development of designated technologies and defense doctrines.

All of these have helped promote the higher-ups' understanding that cyberspace and cyber protection are of national importance – a frame of mind that includes dealing with complex issues, especially on an organizational or national level.

From Information Security to Cyber Defense

For a long time the protection of computerized systems was referred to as "information security," a notion stemming from the perception that the main thing that needed protection was sensitive information (be it classified intelligence, business information etc.); but over the years this approach has evolved to encompass threats beyond compromised information, such as crashing vital services.

On a national level, the definition of protecting computerized systems has evolved into "cyber protection." Even without delving into the exact definition, the term aims to include the variety of actions that need to be taken as part of a comprehensive defense doctrine in the cyber sphere.

These actions include, other than security, early intelligence gathering, real-time monitoring, prevention, pursuing designated technology, increasing awareness, enhancing detection and event-isolation capabilities, developing recovery contingencies and more.

Many of the key issues, however, collide when cyber protection is applied on a national level, but they do illustrate the complexities of adapting defensive doctrines and technological developments on the organizational and sectorial levels, to an overall national perception.

Question of Jurisdiction

Cyber-threats stem from the critical role computerized systems are taking up in modern life and are enhanced by the fact that many critical systems are based online. This virtual sphere was created by various systems and sectors interfacing as part of accelerated economic and technological development and sans security links.

Once the need to apply such security links arose, the natural question was – who has jurisdiction?

To illustrate, the same can be applied to the national aerial sphere: the Israel Air Force is tasked with protecting Israel's airspace. When a hostile aircraft is approaching Israel's skies, it is the IAF's job to prevent it from breaching our airspace. It does not matter if the hostile aircraft means to crash into a military or civilian target, nor does it matter if it is a military craft or a civilian one (like a hijacked civilian plane). Defending Israel's airspace is under the sole jurisdiction of the Air Force.

But to whom does this responsibility fall with regard to cyberspace? Is the military best suited for this job, as it is for protecting other spheres? Most countries do not see the military as the appropriate entity for this. Israel has yet to define it as well, and the definition seems impossible, given the organizational and domestic "invasion" it would require.

Some of the world's nations view their national security agencies or intelligence agencies as those meant to provide them with the necessary protection; but here too things are far from providing a comprehensive answer, as many aspects, like regulation and awareness, remain uncovered.

In Israel, which does not have an official national security agency but several entities bearing some of such an agency's duties, the situation is even more complex.

As things are now, properly dealing with cyber-threats would require a combined answer by several entities – both civilian and defensive – that would cover the various aspects of cyber-defense.
Constructing a comprehensive dogma and dividing responsibilities accordingly is a serious, challenging task that countries worldwide – including Israel – have begun.

Dawn of a New Age

In the past, the roles of the defense establishment and civilian entities were clearly separated: armies fought to ensure the home front was protected. As terror activity expanded to include the civilian sphere, various military and civilian bodies began collaborating. For example: the police train security guards that are stationed in malls.

The various issues of military and civilian collaboration extend even further in cyberspace, where such ties become tighter because the civilian sphere is a main target and because a cyber-assault on civilian cyberspace can indicate an intention to mount similar assaults on the defense one.

Here, however, several questions become more poignant: how do you share a cyber-intelligence alert with civilian entities without compromising sensitive sources? What kind of assistance should civilian bodies get from the defense establishment? Where is the line between maintaining civil rights and the right to privacy and maintaining security needs?

These, and other similar issues, raise significant social, security, ethical and legal questions; and comprehensive answers are needed to devise the proper way to deal with them. It is possible that the cyber-threat signals the beginning of a new age in inter-agency collaboration between military and civilian organizations serving in traditional defense and security roles.

Checks and Balances

On the one hand, the State is responsible for physical security in the public sphere. On the other hand, it demands that the public and business organizations demonstrate personal and organizational readiness (i.e. – secure rooms, bars, fire extinguishers etc.). What is the cyber equivalent?

For example: is it reasonable for a nation, or its proxies, to hack a personal computer in order to bolster its defenses? The answer would seem to be "No" – on both the individual and the network levels. But how can you protect a network whose end points are "dirty"? This is only one of the questions that arise when dealing with how deep national cyber-defense should delve and how important it is for any such activity to be balanced – especially in a democratic state that values privacy, rights, a free market etc.

The challenge of balancing individual rights with national security, the right to privacy and the needs of the market joins the need to integrate security and civilian entities in a comprehensive defense dogma. This delicate balance is also likely to differ between nations.

The Big Picture

The independent evolution of communication networks in various Israeli entities, combined with the various possibilities for cyber-defense on the organizational level and the lack of obligatory regulations and uniform methodology, has created a situation where each organization implements different defenses.

Some of the systems are constantly monitored, others have certain protection measures that vary, some are maintained offline and some services are hosted on overseas servers.

Trying to create a national cyber portrait (who is attacking us? How vulnerable are we?) is a complex process, unlike the organizational process, where traditionally all network operations were handled by one official and had a form of uniform protection and its relevant lingo.

Forming a national cyber portrait is a critical component in the ability to make decisions on a national level, both in real time – detecting the threat, stopping it, devising a recovery plan – and as a matter of routine – the appropriation of R&D funds etc.

In the cyber sphere, where all entities are linked, certain attacks can be duplicated between entities. Nations and organizations share information out of the understanding that it is the best form of defense – this kind of cooperation cannot be taken lightly when it involves business rivals, or organizations that are under regulatory limitations.

What about Israel?

Israel was one of the first nations worldwide to recognize the importance of protecting vital computerized systems; starting with the 1998 Public Bodies Security Law, which aimed, among other things, to define critical computerized systems and their defense needs. The legislation followed the 1997 formation of "Tehila," or the Governmental Infrastructure for the Internet Era Project. In 2002 the government passed bills for the protection of computerized infrastructure in Israel, the defining of critical computerized infrastructure and the formation of the National Information Security Administration, which instructs civil entities on information security.

In November of 2011, faced with the growing sphere of cyber-threats, the prime minister ordered the formation of a national taskforce to formulate a national plan meant to place Israel among the world's top-five cyber-leaders.

The National Cyber Project, which operated by the proxy of the High Commission of Science and Technology, was led by Chairman Prof. Major-General (Ret.) Yitzhak Ben Yisrael and included a team of professionals from all of Israel's top cyber entities (R&D, protections etc.), who together explored the components vital for Israel's prudent cyber-behavior, as well as offered insights on the economic, academic and national security levels.

Delving into the aforementioned dilemmas – and firstly the absence of a dominant security institution to meet the threats – soon gave birth to the taskforce's main recommendation – forming the National Cyber Bureau, which will be at the government's disposal and will answer directly to the prime minister. The NCD aims to promote and regulate the pan-government cyber activity, while maintaining a broader view, both defense-wise and civilian-wise.

The government adopted the recommendations, forming the National Cyber Bureau at the beginning of the year and naming Dr. Evyatar Matanya its chief. It is already operating to formulate a comprehensive, national cyber defense policy; while also prompting plans to foster human capital in the fields of government, the private sector, industry, academia, the defense establishment and raising public awareness to the issue.

This issue makes for an expansive debate, both in Israel and the world over, about what constitutes cyber-defense, who are its captains and what it should look like. We view the issues raised here as an imperative part of the debate on the nature of the national cyber defense and believe that the relevant thinking process must be kept broadminded – both in and outside Israel.

We also believe that as the measures, methods and dogmas become more sophisticated they will become better suited to dealing with the ever-changing cyberspace; and we believe that these measures will pose conceptual breakthroughs with regard to civilian-security cyber-defense cooperation.

Rami Efrati is the assistant-director of the National Cyber Directorate. Lior Yafeh was certified by the Tel Aviv University Security Studies Program.