Israel’s New National Cyber Operations Center

A first glimpse at the new operations center known as CERT 1.0. Nir Peleg, senior division head at the National Cyber Bureau explains how the new center operates

In the cyber world, boundaries are blurred and the issue of prompt cooperation is critical,” says Nir Peleg, while presenting the national cyber operations center, established in a trial version during the month of August 2014, for the first time.

At this stage, the cyber operations center is physically located in a standard-size room at the National Cyber Bureau which resides in a standard high-tech office building in northern Tel-Aviv. There are no signs outside the building to indicate the activities taking place inside. In about a year, the operations center will reside at Cyberpark (the cyber environment combining technological incubators, start-up companies, established IT companies, the Ben-Gurion University and in the future – units of the IDF Intelligence and C4I Directorates that had relocated to the south). The cyber operations center will employ dozens of computer specialists, operating around the clock.

The threats are very real: Nir Peleg told us that during Operation Protective Edge, for example, the State of Israel was under a constant cybernetic attack. That attack caught the new cyber operations center just as it was setting up the trial version, known as CERT 1.0.

“We have seen the trend of increase in the number of attacks against Israel as a state and against Israeli websites,” says Peleg. “We have also seen the diversity of the attacks. During Operation Protective Edge, which was a fairly long campaign, many offensive efforts were made, and I think the major challenges are still ahead of us, as it is an evolving, asymmetrical combat zone with no boundaries. Cooperation must be international as well as local, between corporations and organizations. That is the only way in which we will be able to cope with the extensive range and diversity of cybernetic threats that keep growing all the time.

“This particular space presents a low level of risk to the attackers. The ability to catch and damage them – just like in the physical world – is limited. This encourages the attackers to keep on attacking. At the same time, despite the large number of attacks during Operation Protective Edge, eventually there were no highly irregular incidents, or incidents that had an effect on the functional continuity at the state level. This says something about our situation, as in some areas we provides effective solutions, however we are not looking at the threats of today, but at those we can expect in two to three years from now.”

Israel’s National Cyber Bureau

The National Cyber Bureau, established in early 2012 by the Prime Minister, operates along the "seam" between the covert and overt worlds, although the bulk of its activity takes place in the civilian sector. Heading the Bureau is Dr. Evyatar Matanya, formerly the commander of the "Talpiot" program of the IAF and a former senior executive of the Weapon System & Future Infrastructure R&D Administration at IMOD.

The National Cyber Bureau relies on a dedicated government budget with the objective of developing Israeli cyber industries as a primary lever of the local economy as well as to leverage activities that promote cyber education and training at various educational institutions, from high schools to academia. This year, the National Cyber Bureau supported the establishment of two national research centers in the field of cyber, at the Ben-Gurion University and the Tel-Aviv University.

Since the National Cyber Bureau was established, the number of high-school students enrolled in cyber programs has increased dramatically (the “Magshimim” program, in cooperation with the Rashi Foundation and IMOD, will soon include not less than 1,000 students). More than 100 start-up companies have been established (many of whom have already raised investments amounting to millions of dollars each, from Israeli and overseas investors). At the CyberTech conference produced by Israel Defense last January, Prime Minister Benjamin Netanyahu said that the National Cyber Bureau promotes his vision and that Israel is a cyber superpower.

According to Nir Peleg, the establishment of the national cyber operations center as part of the National Cyber Bureau was also intended to improve the efficiency of the defenses against cybernetic attacks at the national level.

How will it Work?

“In the context of the activities of the National Cyber Bureau, a three-tier national defense concept was consolidated. The first tier involves the reinforcement of organizational defenses, with the emphasis on regulation tools and on the improvement of the protective measures of the various organizations.

“The second tier involves the state-level defenses, and the third tier involves international cooperation, as cyber is global. We develop connections between states, opposite international corporations, including corporations and superpowers in the field of cyber, such as Google, Microsoft and others, in order to jointly establish a potential for cooperative alliances and exchange of information.”

Peleg serves as a senior division head at the National Cyber Bureau, in charge of encouraging and promoting technologies, including the establishment of the CERT 1.0 operations center. He told us that the idea for the operations center was taken from non-cyber realms, and that in fact, the center consists of a national-level computer emergency response team (CERT is an acronym for Computer/Cyber Emergency Response Team).

How does the CERT operations center fit into the three-tier defense concept?

“At the state tier, the national CERT is a platform intended to be a reliable central point – to share information and cooperate on cybernetic incidents. This platform has analytical and first-response assistance capabilities. It constitutes a liaison element between the internal elements and organizations that address it up to the level of large organizations and complete sectors. At the international level, it constitutes an infrastructure for exchanging information and for managing crisis situations and incidents of a global nature.

“When you look at the challenges we face, which guide and determine the development of an entity like CERT – we see a constant routine of attacks by various elements: from the world of activists to the world of cybernetic crime. State-sponsored groups or elements operating on behalf of states – that is the first axis of the attack routine. The second axis is associated with the asymmetry of the attacker opposite the defender: namely – it is easy to duplicate attacks and inflict severe damage on complete sectors.

“The third challenge is the rate of complexity and the dependence of cyberspace. In cyberspace, things happen very quickly. Regarding the complexity of the systems, the intention is that in every type of organization – from heavy industry to the high-tech worlds – the dependence on computer systems is substantial.

“In view of these three challenges, we think that the response at the state level should be to advance from a world of prevention and border defense to an effort aimed at increasing the national strength, namely – developing the ability to resist the attacks instead of just waiting for them passively, with nothing to rely on but a firewall.”

“Cyber is alive and has entered our lives, so we must know how to manage the risks in this world. Another thing is to develop cooperation and information realms that are reliable – in a secure manner.

“The direction we follow involves the concentration of national capabilities and resources, as the government can reduce the balance of terror between the defender and the attacker. From inter-organizational platforms, such as, for example, at the sector level, all the way to a national CERT – which calls for investment by the state in order to develop an infrastructure that would provide solutions to civilian organizations.

“We did not invent CERT. It already exists worldwide and progresses intensively in some countries. In those countries, too, it involves a state-sponsored center for initial response and assistance when incidents take place. The American CERT, for example, has been in operation for 11 years in various sectors, under their Department of Homeland Security, and we maintain close contacts with them.

“The European Union has also entered this field – after having issued a directive to all of the European countries, instructing them to establish such organizations that would enable inter-state cooperative alliances inside Europe. At this point in time, most of those countries either have a CERT or are in the process of establishing it. We have seen it in the East, too – Japan and Southern Korea have active CERT centers. There is also a union of several CERTs from around the world, known as FIRST – the Forum of Incident Response and Security Teams.”

Does Israel have agreements with the other CERTs?

“Yes. A part of what we do in developing our cooperation with other countries is associated with the development of our ability to share information, naturally – based on mutual trust. In some cases we even need to develop special tools for transferring that information. Additionally, the CERTs hold monthly discussions regarding specific incidents. There are periodic summaries, joint case studies – these capabilities are being developed continuously.”

In 2014, the establishment of new cooperative alliances in the field of cyber, with England and Italy, was announced. Are these alliances associated with the exchange of information at the national CERT level?

“Yes. Countries with whom we have friendly relations, notably the USA, England and other European countries, have significant CERTs. We develop cooperative alliances with them so as to manage incidents and expand our space of threat identification and recognition in a lateral and international way. In the world of cyber, these are the rules of the game. “For instance, one of the examples of international cooperation from the last year has to do with a weakness known as Heart Bleed. It is a major weakness that has affected the entire infrastructure of the Internet.

“In fact, it is a security weakness in an encryption mechanism used extensively by Internet infrastructures. Initially, it was detected within a very limited forum (analysts from a Finnish company and from Google were the ones who detected it), and as soon as the circle of partners aware of this weakness expanded, it became globally necessary to act very promptly, because as soon as you are aware of a weakness, you can develop a tool to hack passwords laterally which provides the opportunity to steal information items on a massive scale from websites and from information available on the web. In fact, as soon as this information was detected, CERTs around the world conducted group discussions and consolidated ways for coping with the weakness. A race against time began to close the loophole before it could be exploited by criminal elements.”

Cooperation with Giant Corporations

According to Nir Peleg, international cooperation is reflected even in times when coordinated DDOS attacks are staged against a certain country, as in the case of the attacks staged by the Anonymous organization with the intent of immobilizing traffic in the objectives being attacked (Israel is attacked by Anonymous once every few months. One such attack took place during Operation Protective Edge).

In such cases, the CERTs of the various countries can share information about servers out of which numerous attacks are being staged. If necessary, the CERTs call in enforcement agencies or contact the communication companies that own those servers, in order to assist in blocking the attacks that come out of those servers.

The CERT is not regarded as an enforcement agency or as a directing authority (like ISA, which issues directives to several dozen national infrastructure companies regarded as critical on how to defend themselves against cybernetic attacks), but any organization or entity may contact it and obtain advice and assistance – even private individuals.

Peleg told us that once the national CERT has completed its running-in stage, a website containing extensive information about protective measures and methods will be launched, and a direct telephone number to the national cyber operations center will be published.

“In fact, the CERT offers three service categories. The first category includes the reactive services, which are essentially responsive services, namely – management of incidents. The second category includes proactive services, where the CERT contacts an organization at its own initiative and issues specific alerts that pertain to it. The third category includes high-quality communication services. This category creates risk management tools and analytical tools for improving awareness at the level of the organizations, which help to measure themselves and acquire the ability to evaluate the organization before it comes under attack.

“These are tools and methods the CERT develops as a knowledge hub, and it should help organizations by providing them with the tools and with the ability to cope and effectively evaluate their situation with regard to defense.”

Will the CERT acquire services from existing companies in the cyber protection industry?

“Apparently, the CERT acquires knowledge and services and also develops long-term agreements with strategic corporations. The agreements provide unique access to databases which not every entity can afford. Through the international cooperative alliances, a reliable sharing network is established, which enables the users to share information regarding global incidents. Managing the information vis-à-vis various organizations is of the utmost importance, as a company or organization that share certain information with the CERT may not be interested in that information being passed on to other parties. Consequently, the knowledge sharing agreements with the various organizations are of the utmost importance.”

According to Nir Peleg, during the year 2015, CERTs for specific sectors will start operating in addition to the national CERT in Beersheba. The first two sectors that would have their own CERTs are the energy sector (led by the Head of Security at the Ministry of National Infrastructures, Energy and Water Resources, Tamir Schneiderman) and the government ministry sector.

“We are currently at the beginning of the process of specifying a cyber defense center for the government sector, in cooperation with the government C4I,” says Peleg. “The objective is to serve all of the ministries laterally and centrally. Today, the government ministries have an ‘Available Government’ system that regulates the use of the Internet, but there is no one to provide a solution or assistance for internal incidents on the web, mainly at the smaller and medium ministries.”

During Operation Protective Edge, some Israeli websites were shut down, but we generally escaped the fighting in cyberspace relatively unharmed. So, is it possible that the threat is not so severe?

“The fact that we managed to go through one incident unharmed means nothing. In the world of cyber, the rate at which changes take place is mind-boggling – much faster than the time required in order to develop such weapon systems as aircraft, missiles and other kinetic threats. Consequently, we must be prepared to deal with the threats lurking around the corner, not just with the ones that have already appeared on the scene.”