He uses neither Facebook nor Twitter and has no cybernetic signature. “It can do more harm than good. I cannot share anything about the Department’s local color anyway,” says the Head of the Cyber Defense Department at the IDF C4I Directorate in an exclusive interview to Israel Defense.
Colonel N., Head of the Cyber Defense Department, had risen through the ranks of the IDF combat world – more precisely, the Magalan Unit, following his enlistment in the IDF in 1987. “The most significant period we had was when Tal Rousso commanded the Unit. In 1992, the Unit was practically rebuilt from a trial unit to a new operational unit, as the implementation of lessons drawn from the First Gulf War. I rose through the ranks in that unit all the way up to G3 (staff officer for operations & planning) at the rank of major. Subsequently, I became Head of the Reconnaissance Section and trained all of the IDF reconnaissance units. I come from the realm of the feet, not the head – and that gives me some advantages in this position. I then took a break to study computer engineering at the Technion and decided to end the combat chapter and transfer to computers, before I forget what I had studied. Back in my high-school days, I studied computers at a technological school in Haifa. I transferred to the Intelligence Directorate – the world of the technological units. I was already a lieutenant-colonel, but served in several major’s positions.”
I assume this transfer was not a simple matter…
“It was a fascinating transfer. They have an operational perspective. When you arrive at the technological world it is a dramatic change. For them, it was a change when someone with a red beret came over. I started from the bottom so as to familiarize myself with the material, and after three positions at the Intelligence Directorate, I transferred to the C4I Directorate. I served as Head of the Shoham Department, then as commander of MAMRAM and I have served as Head of the Cyber Defense Department for the past two years.
“The story of cyber warfare is an actual connection between the operational world and technology. Naturally, there’s a lot of technology in this realm, but it is a combat zone with an operational concept. If you come here possessing only technological knowledge, you will remain in the world of information security, which is the old world. If you analogize it with the battlefield, it’s like the antitank ditches in the Syrian sector opposite the ‘Pitta’ localities. Proper defense should be mobile and possess operational capabilities. If you failed to erect a defensive barrier high enough in the face of the enemy, you would have to compensate for it elsewhere. You must be able to understand the weaknesses within your spaces, and when you have weaknesses you can protect them either by special protective measures that you develop, or by assigning special people who possess special capabilities and can look at what’s happening over there.”
Can you plant a ‘loophole that beckons to the thieves’ in order to lure potential attackers into a cybernetic ambush?
“If you have a weakness, you do not always have to seal it. You can lure the thief to the point where you want him and wait in ambush, and then your defense will be much more sophisticated.”
When switching from defensive cyber to offensive cyber, are you required to ‘pass the baton’ to the Offensive Cyber Department at the Intelligence Directorate?
“It does not work like that. The switch from defensive action to offensive action is not so fast. As this warfare is secret, it is sometimes to your advantage that the opponent does something, you learn about the thief and then you can block him at the point of your choice without him knowing that you are there. The story of cyber warfare is not ‘he hurt me so I’ll hurt him back’. If someone does something you do not have to run and tell everyone. If you expose it, he will fold and you will lose your lead on him. We are conducting an on-going situation appraisal where we try to understand whether it would be worthwhile to expose or not, or whether we should continue to just collect information about him. I can go out and publicize the fact that I had identified an attacker who does this and that. Security companies that deal with cyber defense expose loopholes and threats and develop vaccines against them.”
I assume the decision not to publicize a certain cyber warfare attack by the enemy is not made at random?
“I can publicize and say that I had identified an attacker who did this and that. We have no interest in publicizing anything that had happened or what it was. I believe with regard to certain aspects this may change, if it serves any purpose, and then it will be publicized. In some cases it is the decision of IDF and in other cases it is decided beyond IDF. If a state staged a cyber warfare attack against IDF, it could have repercussions.”
What can you tell us about the offensive cyber warfare capabilities of our opponents who are not state opponents?
“Hamas and Hezbollah possess offensive cyber warfare capabilities. They have cyber warfare organizations. The difference is in the competence and the training. There is a connection between the ability to establish a cyber warfare infrastructure and the extent of investment. The more money and more connections you have – let’s take a state that has partnerships with other parties – the more effectively you will be able to establish such an organization. The more sophisticated you want your offensive capability to be, the more training activities you will require, so there is a direct connection: he who has more money has the more advanced cyber warfare capabilities.”
What do I have to gather from this about the cyber warfare capabilities of Hamas, which is the weakest and poorest opponent of the State of Israel?
“They possess cyber warfare capabilities but let me say this: Hamas is not the element I am most concerned about, but I do not underestimate them either, as I always know only what I know. I know a lot about the attacks against us. I know more than I do not know. I am not blind opposite Hamas and we know enough.”
Did Hamas attempt to stage cyber warfare attacks against Israeli systems during Operation Protective Edge?
“There were cyber warfare attacks by Hamas during Operation Protective Edge. They were not essentially different in terms of their intensity and scope from what they had done prior to Operation Protective Edge. You could see an increase in the number of attacks but not in the level of sophistication. It would be my estimate, if I tried to analyze the kinetic battle that took place over there, that they do not keep too many rabbits in their hats as far as the cyber warfare aspect is concerned, just like they did not have too many rabbits as far as the kinetic aspect was concerned.”
What does a cyber warfare attack by Hamas look like? Do they have to operate a computer in Gaza?
“This type of attack is intended to overload servers and existing infrastructures so as to deny the services we should provide. I must clarify: the defensive layout of IDF is set up so it would be impossible to deny service in the top secret spaces. They can do it in the networks, in the websites of the IDF. They can access IDF websites located in what we call the ‘black areas’: through an interface of IDF with civilian companies, for example. They can scratch the surface there and attempt to penetrate. The black area network was touched a few times, nothing significant. For example, the Tehila website (the government infrastructure for the Internet era, or E-Government – O.H.), websites that provide information to the public, for example. The IDF Spokesperson’s website, for example. These things have never amounted to any real damage from a cyber warfare point of view. The IDF Spokesperson’s website reflects a certain picture to the outside world and you do not want to allow an appearance that the IDF are sustaining damage. They can use servers on the Internet, and the attack does not have to be staged from a server in Gaza to a server in Israel. A sophisticated attacker skips from one server to another in order to camouflage his path and his origin. It is all a matter of sophistication and know-how on the attacker’s part, and on the other hand the defender has defensive capabilities. I can say that no real damage was inflicted during Operation Protective Edge. No cyber warfare attack disrupted the maneuver of IDF or the operational activity of IDF.”
What about cyber warfare attacks staged against Israeli websites other than IDF websites during Operation Protective Edge?
“There were significant attacks against the websites of banks, with the intention of denying service substantially and causing damage. The energy sector was attacked, Internet vendors. They had scheduled a coordinated cyber warfare attack to be executed on the Iranian ‘Jerusalem Day’. The graphs indicating the attack intensity showed an increase. If they attacked the parties that develop our systems – and I provide services to the IAF and to the Navy as well – if they attacked, for example, an Israeli company that develops defensive products or weapon system products of any kind, I would like to ensure that such a company does not have anything that pertains to us.”
Do our opponents possess the ability to inflict a kinetic damage on Israel through a cybernetic attack?
“That is a tough question. It depends on the type of kinetic damage. In my estimate – no. But I am telling you that they strive for such offensive capabilities. Eventually, a kinetic capability can amount to what you saw in foreign reports about the computer worm planted in the Iranian nuclear project.
“About three years ago there was an Iranian cybernetic attack against gas companies that resulted in the deletion of the computers of those companies in the Persian Gulf. They know it was an Iranian attack. A security company revealed it and you realize that the Iranians had the ability to penetrate and delete the computers of those companies. You cannot blame those companies for being particularly defenseless, if you watch their corporate image video clips. Those companies have quite a few management and intervention and consultation elements, most of them American, but they sustained such a deletion nevertheless. The Iranians are working on it.”
How do you switch from defensive action to the offensive action in cyber warfare?
“It is important to understand one more concept of the cyber warfare world: prevention. In order to conduct defensive action, you are required to initiate all kinds of activities where you move in the context of mobile defense. This involves moving all sorts of things that the enemy understands and blurring his vision of the space and changing it so that he will see it differently, or searching the areas you are interested in before he attacks you. This is a kind of prevention. This policy has evolved significantly over the last year. You can call it offensive defense. I call it cybernetic prevention. Network prevention. I go into all sorts of areas, while coordinating it with all sorts of elements. In the spaces where I am present, there is someone in charge for each space. For any space where you want to operate there is someone in charge. There is no cybernetic space that is like international waters. There is no router dumped somewhere that does not belong to anyone.”
Is it possible for a country that is not considered an enemy to help an enemy of Israel? Let’s say China and Russia?
“I hope not, but I cannot say unequivocally that it does not happen. There are substantial capabilities possessed by opponent countries that may be leaked to enemies and we sincerely hope it does not happen. Eventually, in cyberspace, if you manage to reach a certain place using a certain tool, it will all depend on the question of what that tool can do. If it has collection and recording capabilities – then it will serve as a collection tool. We monitor the enemy and hope that he does not possess those capabilities.”
Is the way an organization like ISIS utilizes cyberspace of any concern to the IDF?
“Cyberspace is a primary tool in the combat strategy of ISIS, but not in the sense of cyber warfare attacks. They use cyberspace to recruit all of their troopers, and quite frankly, I have not seen, in the context of the war against ISIS, anyone denying them their cyber infrastructure so as to prevent their recruitment effort, even in the realm of Facebook. If the story about the Stuxnet worm in Iran could work, then it is probably possible to prevent the recruitment effort of ISIS through Facebook. Their entire empowerment capability relies on cyberspace. The fear they instilled by their beheadings was created in cyberspace. They exploit it in an amazing way.
“Everything that was developed and built by humans, can be damaged by humans. You will always find a smarter person who can do the opposite.”