ISA in the Cyber Era: An Inside Look

IsraelDefense exclusive: A peek into the SigInt & Cyber Division established by the ISA in the context of the recent intelligence revolution. "A hackers' paradise as well as a counterintelligence agency in an era of information overflow"

"If anyone thinks that in the age of cyber, effective defense can be achieved only by high walls – they are wrong!" so they reason at ISA, Israel Security Agency. "Walls will always be penetrable."

These things are being said at ISA against the background of the recent intelligence and cyber revolution, which has also affected this agency, the agency charged with counterintelligence, prevention of terrorism inside Israel and defending the national infrastructure and utility facilities against cyber attacks. A rare peek into the intelligence and cyber world of ISA reveals that the organization has been recruiting many computer specialists and has dramatically diversified its range of activities: not only field operators who meet with their sources in dark alleys, but also virtual agents and a countless number of resources for extracting intelligence from computer networks and cellular telephones.

SigInt & Cyber Division

ISA conducts its cyber efforts from buildings in central Israel which, on the outside, appear as the office buildings of a high-tech company to all intents and purposes. The operating environment is high-tech as well: ISA had begun to adapt to the changes in the intelligence reality as early as 2012, at which time the agency reorganized its defender-attacker linkage and established an integrative cyber layout that integrates all of the agency's cyber-related activities. Heading the SigInt & Cyber Division is a senior ISA officer whose rank is the equivalent of a major-general in the IDF.

The IDF clearly distinguish between defensive cyber, which is the responsibility of the IDF C4I Division, and offensive cyber, which is the responsibility of Unit 8200, the central intelligence gathering unit of the IDF Corps of Intelligence. ISA, on the other hand, is the only organization in charge of both defense and offense in the cyber world. Although in the virtual realm there are no physical state boundaries, the division of responsibilities between the IDF and ISA remains traditional in this field, too – ISA operates against threats from within the national boundaries, from the Gaza Strip and even from the Sinai, while the IDF focus on defense against external enemies in the military theater.

The SigInt & Cyber layout of ISA consists of five major units, including a department charged with the development of offensive cyber capabilities and tools. Serving with such a unit can be regarded as a 'hackers' paradise' for people who constantly challenge themselves.

On the defensive side, until the Division was established, a department known as the Information Security Authority, established in 2002, had operated within ISA. At the time, the name of this department reflected the concept according to which the primary cyber effort focused on information security in the national computer networks. Today, this department deals with cyber defense and the current concept maintains that the national infrastructure/utility facilities can become the objectives of an actual attack by hostile elements, and that includes the concerns about physical damage inflicted by computer attacks. Information security is only a part of it, and not necessarily the most substantial threat.

The cyber defense department of ISA has, in the last year, increased the number of organizations defined as critical. Thus far, 27 organizations were regarded as critical, and this year the list was augmented by 10 infrastructure/utility services. If these services sustain any damage, that damage can paralyze almost the entire country.

This category is made up of national organizations and corporations, from government ministries to the cellular vendors and the Bezeq Telecommunication Company, Israel Railways and the Israel Electrical Corporation. ISA was even involved in the planning of the future infrastructure for the light railway in Tel-Aviv: they fear that if a sophisticated hacker succeeded in remotely dominating the computers of Israel Railways, for example, he would be able to cause an accident between trains.

Israeli banks are regarded as world leaders as far as their cyber defenses are concerned, but they are not supervised by ISA by law, so that the counter-cyber organization will not have formal access to the information in the bank accounts of Israeli and foreign citizens. However, an agreement coordinated between the commercial banks and ISA determined that the agency will direct and guide the banks on how to prepare for a cyber attack.

"The struggle for defending Israel's critical infrastructure/utility services against cyber attacks involves a battle of minds," say ISA sources. "The walls are definitely not enough, and various tricks are required, such as the use of double agents and other creative inventions, on the web, of course."

Generally, the SigInt & cyber field is currently one of the ISA's most significant activities. Hundreds of computer specialists already work for the agency, as 'hackers', as computer engineers and as programmers. The opponent is highly sophisticated, be it the national cyber agencies of Iran or computer buffs devising evil plots on behalf of Hamas in Gaza. ISA seeks brilliant computer minds even among youngsters (with the intention of convincing them to join the agency when they grow up), and mainly among the alumni of the IDF intelligence gathering and computer units and the graduates of computer science schools. But not every ISA cyber person needs a diploma – even uncertified hackers who had not left their keyboards since youth and are familiar with all of the entities in Darknet (the net that exists under the Internet world we know through Google) may prove suitable – either for defensive tasks or offensive tasks. Right now ISA is recruiting dozens of additional computer people of all types to its SigInt & cyber units.

The people at ISA constantly develop resources that would enable collection of information from the computers and telephones of terrorist elements, as well as from Internet social networks, where terrorist groups assemble – even the people of World Jihad. Spotting an item that is of interest to ISA out of the ocean of information on the Internet is one challenge, necessitating cutting-edge technologies capable of analyzing phrases in a text without structured form and extracting word combinations that could be suspect.

But the most substantial challenge with which the people at ISA have to cope in the new intelligence era is the fusing of data received from countless different sources – from the social networks, from telephone taps, from interrogations of agents or suspects (HumInt) or from massive, freely-accessible databases, where you can learn everything you need to know about various construction plans – and that is just one example. Some of the systems being developed not only analyze the information, but also present it in a processed and user-friendly format to the decision makers.

"Data fusion and information integration apply not only to SigInt. There is also technological data, media information and geographic information – the ability to present intelligence questions and extract the desired knowledge from all of this information, that is our greatest challenge," they say at ISA.

In order to put some order into a world exploding with masses of information, a special department at the SigInt & Cyber Division prioritizes the cybernetic missions facing the agency.

In the context of the dramatic growth in personnel in all of the agency's activities, two of the required qualities the ISA looks for as a prerequisite for being accepted to the agency are the absence of technophobia (dislike of advanced technology) and – in particular – creativity. Cyber specialists sometimes take part in special operations – so that an operation in a Palestinian village can include a "cyber move", for example. This kind of work reflects the approach that maintains that cyber has evolved into a combat effort to all intents and purposes – and not just within the military realm, as they believe in the IDF as well as in the counterintelligence organs (at ISA as well as at the Mossad).

The people at ISA are aware that the confrontation is not taking place ex parte: the opponents are constantly improving, either by acquiring offensive weapons on the Darknet, for ridiculous prices, or by developing cybernetic capabilities on their own. The one characteristic that sets cyber warfare apart is the fact that it goes on all the time.

Difficult Environment

Other restrictions imposed on ISA activities stem from reports around the world about attacks attributed to Israel and the USA, such as the Flame virus or the Stuxnet worm, and, naturally, from the revelations in the USA about the extensive monitoring activities of the NSA.

These reports heighten awareness and suspicion among ISA 'objectives'. These elements are currently more apprehensive than ever before about the use of mobile telephones or the Internet, but the battle of minds continues: efforts are under way to overcome this hindrance, too.