Israel-UK cyber-security lessons - shared concerns, shared responses
Israel-UK cyber-security lessons - shared concerns, shared responses
Unit 8200 is the largest unit in the Israel Defence Forces, comprising several thousand soldiers responsible for collecting signal intelligence (SIGINT) and code decryption. Conscripts with an aptitude for cyber-security, often identified while still at school, provide a constant refresh of new talent, with 25 percent annual turnover. Many of its alumni have gone on to be highly successful cyber-security entrepreneurs – including some of those who gathered at the Israel-UK Ambassadors roundtable at the Royal Society last week, held under the auspices of the Anglo-Israel Association.

Key themes included cyber-warfare, cyber-terrorism and the overlap with cyber-crime, as well as innovation and resilience. The roundtable was not about Israel-Palestine issues.

Israel's newly appointed deputy ambassador to the UK, Sharon Bar-Li, noted the shared democratic ideals of both countries before describing some of the factors that make Israel such a leader in the sector. Not least among these is that Israel is ‘a start-up nation', plus the perspective that: “The future is one where we have to keep a technological upper hand to prevent these threats... [adding] strength in cyber-security stands behind our economic, military and intelligence strength.”

Israel's Deputy Ambassador, Sharon Bar-Li

Bar-Li also noted how Israel is following the UK's .gov programme to digitise public services, replicating its DMARC approach, that it has renewed agreements between Cert UK and Cert Israel, cooperates commercially on tech hubs and commercial company developments as well as on children's digital education programmes.

Nigel Inkster, director of Future Conflict and Cyber Security at the International Institute for Strategic Studies (IISS), noted that cyber-capabilities have enhanced the “ambitions and capabilities of major non-states and sub-state actors whose doctrines are offensive to us, few of whom are deterred by rule of law and norms we are trying to develop.”

However, although we have seen progressive militarisation of the cyber-domain, he adds, “In practice we don't have a clear idea of what cyber-warfare amounts to – from Cyber Armageddon to day-to-day activities that signals intelligence agencies have always engaged in against each other, well below an armed attack as defined by the UN charter.”

Professor Sir David Omand of the department of war studies, Kings College London, and former director of GCHQ, asked, “Are we talking about cyber-war or cyber-conflict… cyber espionage and subversion?” He noted how a malware attack was suited to sabotage and subversion for enhancing the effectiveness of military operations, where a war was not confined to cyberspace. But for attackers, it “may require using scarce zero-day exploits. Can the attackers be really sure [that they will achieve their aims]?” The parallel was drawn with special forces which are commanded at a strategic level for shock and effect, and not squandered lightly.

However, Omand added, “If significant real damage were to be inflicted it would be classed as an armed attack and may evoke a kinetic response. If it was sufficiently serious, attribution will be a political judgement [rather than absolute technical certainty].”

Traditional arms control approaches won't stop intelligence gathering, says Omand, given that the difference between offensive action and intelligence gathering “may only by a few lines of code”.

The question was asked, is digital intelligence gathering itself destabilising? Current problems identified include the sheer scale of intel gathering going on right now, with no agreed norms of good behaviour [notwithstanding Tallinn 2]. The incentives are to act in advance of need which will be seen as aggressive and so provoke a response of more intel gathering which runs the risk of creating a hacking arms race.

The issue of false attribution was also covered by Ormand. In April 2015, the French TV station TV5Monde was taken off air by the ‘cyber caliphate'. But this previously unheard of group had undertaken a very sophisticated state-sponsored level of attack, and the question was, why? Was it a warning to France (from prime suspect Russia?), a test to see if false attribution to the Caliphate would deceive France. Or was it preparation for interference in the French election?

True covert action was considered not rampant in the digital space and often only possible using secret intelligence, nonetheless digital media clearly allows offensive cyber-operations, such as Stuxnet, as well as subversion by social media.

High confidence was expressed that APT 29 attacks were part of an influence campaign ordered by the Russian President Putin in 2016 to cast doubt on US presidential contender Hillary Clinton's authority if elected.  Putin had described the Panama papers disclosure and Olympic doping scandal as efforts to discredit Russia and this was seen as Russia's response.

Menny Barzilay, cofounder of 42 Cyber Security Professional Services, commented, “Vladimir Putin has really good lawyers, because he has pitched his activity just below where the Tallinn Manual would [regard it as] an intervention point as an act of war. But there are a lot of unfriendly acts, such as making a router not work, destructive or not; there is quite a lot a state can do.”

AI and IOT

Guy Leibovitz, an Israeli entrepreneur, CEO and founder of D-Day labs who has previously served in Israeli intelligence, spoke on the issue of cyber-terrorism, but also explained how AI was being used, and could potentially be used by either side in a conflict.

Guy Leibovitz (r).

Examples range from the use of AI driven bots to lure Israeli soldier victims into danger  through to work at MIT to use AI for zero-day discovery – an ideal task for AI because it isvery tedious, difficult and requires a lot of expertise for a human to find.

The generation of malwares using AI is also happening, creating infinite numbers that detection systems can't find. Right now it's described as ‘pre-mature' tech, but deep reinforcement learning teaches machines to learn like a human and allows them to learn better than a human. And tools can be built by AI and put in Cyber Warfare settings, which, after hours of training, can steal data and undertake espionage.

Given that it's harder to defend than attack, Leibovitz called for pre-emptive defence. He said, the best form of defence is attack so, “take preemptive action [attacking our own networks] to find the loopholes in our networks before the hackers come.”

Keren Elazari, a prominent Israeli security researcher and industry analyst, describes herself as a ‘friendly hacker' and provided  a hacker's perspective of the future of cyber-crime. She emphasised the twin themes of convergence and multiplicity, as well as the trend for the boundaries between traditional and cyber-warfare to be eroded, as well as criminals adopting state tactics and tools.

Keren Elazari

Elazari described how bits and bytes can influence our physical reality, in an age where government, civilian and commercial boundaries are decreasing while the internet itself continues to expand exponentially, so that a single company or organisation can no longer make sense of it.

Yet it largely runs on software designed by humans sometime in the receding past, software that is not being changed and which has many vulnerabilities. Even our reliance on GPS is a vulnerability, she said.

There is a convergence between different groups, with shared tools and techniques between criminals, hackers, hacktivists, terrorists and other non-state actors. Espionage can also be about having an economic impact, so there is cyber-crime as a tactic for cyber-warfare.

Inkster asked, how realistic is it to have IOT devices required to be able to be upgraded? Or to be able to turn off functions that users think are not working as intended – referring to the recording capabilities of some toys. He went further saying, “Introducing software liability and criminal liability could be possible. Other companies and sectors – cars, medical, etc are liable for their products. But software does not have liability.”

Barzilay called for equipment and software to be made secure by default, especially in the IOT and smart meters sectors.

Leibovitz suggested that changes to UK regulation with implementation of GDPR, and heavy fines for failure to comply, will drive more cyber-security, move liability into the boardroom and result in defining what needs to be protected.

Omand concurred, noting that data protection will still need to comply with GDPR after Brexit, and regarding IOT devices, he commented: “The genie is out of the bottle.”

On a more positive note, Omand suggested that public education will get us 80 percent of the way to cyber-security, but for the 20 percent of APTs it will require nation states to tackle the issue.

Tom Ilube, CEO at Crossword Cybersecurity, suggested that it will take a fatality to shift the perspective in the boardroom, saying, “Until a FTSE 100 or 250 goes out of business, they [boards] won't take it seriously.”

Barzilay disagreed, saying that the board is not the problem and that most boards now have regular cyber-security discussions. He says that the problem is the cyber-security industry. “When they ask what we need to defend ourselves, we say, no number equals spending enough, you should do more. And we'll still not be safe. It's not that boards don't care, they don't know what to do.”

Baroness Neville Jones, who sits on the Science and Education Committee in the House of Lords, noted that educating the consumer only gets you so far. “See the automotive sector – public opinion demanded that industry make cars safer. Understanding of what goes on under the bonnet is not much greater than previously, and I expect it to be the same in cyber.”

Tal Mozes (l) and Baroness Ramsay of Cartvale

Anti-terrorist experience

Tal Mozes, leader of the EY Hackticks Security Centre, described how his experience during national service in the Israeli army provided a demonstration of how weaknesses in defence identified by one group will quickly be used by another. Mozes was a hacker/fracker at 14, making pocket money illegally. He joined a hacker group and dropped out of school at 15, so rather than going straight into unit 8200, as you would expect for a hacker, he found himself a sniper patrolling the border looking for smugglers. What became apparent was that when the criminals found a path for smuggling, it wasn't long before others used the route for terrorist purposes.

And the same applies to hacking. As Mozes notes, via cyber-security, you can carry out terrorist acts and not be caught, so you get the feeling of belonging, and carry out terrorist activity with very low risk – whereas in real life, few of those who share an ideology would actually carry out a terrorist act, so the threshold from thought to action is lower.

Tal Mozes

He explained, “To become a cyber-terrorist, you don't need to be the world's best hacker, you don't plan for a year etc, you can go to a public place, and do something very simple, such as change a TV screen to say, ‘There is a bomb'.”

Elazari noted the limitations of government: while it can impose shutdowns on accounts used by ISIS to promote terrorists, it's very difficult to draw the link between hacktivists, terrorists and governments. Consequently terrorist propagandist actors using social media – Twitter, darknet, Telegram – often cannot be stopped by governments, but they can be opposed by hackers.

While influencing public opinion and physical acts is different, ISIS influence has an impact. Although we haven't seen a major cyber-attack by terrorists, such as shutting down the power supply, most commentators agree that it's just a matter of time before a terrorist group has that capability.

Consequently, as Baroness Ramsay of Cartvale pointed out, intelligence services do now keep an eye on targets in the physical world, where potential for really skilled attackers could cause real damage, well beyond the propaganda value of low level attacks aimed at defacing websites.

Mozes agreed that intelligence agencies are now looking for those groups before such attacks happen. Consequently, critical infrastructure and secondary critical infrastructure is being protected. But advanced persistent threats are not currently the threat posed by terrorists who would  attack SMEs and countries not doing much to protect themselves, and who should protect these targets – the police, the army, someone else?

Defining what we mean by terrorism was not clear cut, the speakers said. Notwithstanding the loss of life, differentiating in cyberspace between terrorists and criminals, terrorists being those who pursue ideology and criminals are those seeking gain, is difficult.

One clue is terrorists tend to take responsibility while  criminals try and hide, but as in the case of the 16 known Russian-language cyber-criminal gangs, some are thought to be aligned with the state while  some are not.

And there are the unintended consequences of the way social media algorithms work, putting you in contact with like-minded people. Thus, Facebook can inadvertently draw more people into a pro-terrorist grouping, adding new extremist and becoming more extreme, and effectively encourage extremist ideologies. This risks need to be highlighted and tools introduced to prevent this happening.

In fact, Barzilay suggested that any country wanting to conduct espionage would have spies within Facebook, and asked if perhaps Facebook should be declared a national asset, and whether the NSA should be vetting its staff.

Start-up nation – innovation

One area of outstanding success for Israel has been bringing innovation to market and achieving commercial success from ideas in the cyber-security sector, including 140 start-ups in the past 2½ years under its accelerator programme. For instance, over 90 percent of automotive cyber-security solutions are reported to come from Israel.

By contrast, the UK approach to innovation for the 50 years leading up to the year 2000 was: huge university research for five to 10 years; then it goes to government, military or others to take and develop secretly for five to 10 years; then it comes to the big tech companies that use the technology; finally it ends up with consumers one to three years after that – thus taking 10 to 25 years to progress from research to the consumer.

Today innovation in the UK happens across all parts of industry, with no hierarchy, innovation coming from students, government and citizens – thanks to the internet. .

The barriers to entry are minimal, you don't need any infrastructure as you can go to the cloud and start. Now you just need the person and it is zero cost. With the internet and mobile, distribution costs are also almost zero. You can develop an app and put it on Google or the App store and get sales. So the limit is not the technology, it's us.

Previously, large corporations would create a lab of our best engineers improving their product by 10 percent. Or they'd buy a small innovative company via M&A – only to end up killing it because of the culture clash.

Another area of discussion was the need to understand what makes humans innovative and disruptive. The analogy, with Israel is that sometimes a nurturing environment is a hostile one, when attacked an organism evolves.

In Israel, defence, start-ups, academia, and enterprise overlap in a process of attrition and acquisition with people switching between them.

Moshe Ferber described some of the other activities contributing to developing the country's cyber industry, including the Magshim programme to get kids from less mainstream backgrounds to join cyber-units, a programme to get 30 percent women in high tech industries, the first Hassidic start-up, and outreach to Arabs and particularly Arab women via community leaders, as well as autistic soldiers, and establishing Israel as a cyber-incident response centre.  It was not one single thing, but a combination of things that were seen as responsible for Israel's success in cyber-security, not least necessity.

UK perspective

Paddy McGuinness, deputy national security adviser at the UK Cabinet Office, emphasised how his role, covering intelligence, security and resilience, was impacted by the need for strong cyber defences, and that the new NCSC had been added to all the existing network defence services as an extra layer to engage with the private sector.

McGuiness explained how, in the 2010-2015 period, there had been an £840 million stimulus to develop cyber-security capabilities – in addition to IT spend by the vertical sector departments themselves. The aim was to incentivise companies and groups to improve their own defences, and improve incentives for cyber-insurance.  

In terms of creating a ‘kitemark' for what constitutes secure, McGuinness says the programme “didn't work”. There was huge resistance from industry to take the necessary measures, and the example of TalkTalk – where the vulnerability exploited was older than the hackers – just emphasised how the basics were not being done.

From November, a new strategy was launched which has marked a different approach to dealing with state and non-state sector actors.

For the less sophisticated attacks the aim is to eliminate the most basic infrastructure vulnerabilities. So all backbone providers plus GCHQ were invited to look at what malware was flowing through the UK during a one-month period and that's when it was found that 78 percent of malware and exploits could be defended against with patching and basic defences. To be more secure, the focus should be on that 80 percent of threats. Sometimes firms buy the highest spec kit but do the equivalent of failing to shut the door, he said.

It was therefore apparent that we can't rely on the understanding of companies to do it themselves. Twelve sectors were identified, from high health and safety sectors such as civil nuclear down to less critical areas where the approach was one of having a certain level of toleration, in much the same way as credit card companies ‘tolerate' a certain fraud level.

With the NCSC, the advantages of the state's capabilities, including those of GCHQ and other agencies, can be leveraged to maximise their effect to make the UK a more difficult target. These capabilities range up to the most extreme, which is interference with equipment overseas, which may potentially be used to prevent a DDoS attack. Domain-based Message Authentication, Reporting and Conformance (DMARC) is being put in place.

While adversaries have shown their ability to impact a Ukrainian power station, most attacks depend on basic techniques such as spear phishing and watering hole attacks. The defence posture will be to do more at the devices to the backbone level, so that in the future there will likely be fewer, but more capable attacks which can then be focused upon. Most recent breaches have been enabled by humans, and insider threats remain a concern that requires human security. Regarding state or criminal outsiders, at a time of tension it is necessary to know who is likely to attack.

ISPs in particular were seen as an area where more could be done, but they currently had no financial motive to do more, so how can they be persuaded to ‘buy in' to more security was an issue to be tackled.

But most will rely on BT or other backbone providers as these are fewer and can see what is happening on their network and potentially so can their governmental partners such as the NSA and GCHQ.

The meeting ended with agreement that there were indeed lessons for the UK in leveraging talent including via both formal and informal networks and encouraging and supporting innovation through to commercial development, while Israel was able to ‘borrow' some of the UK's larger state infrastructural approaches to reduce the threat surface, and adopt formal structures for public and private sectors to share best practice - and both countries agreed on the need to cooperate and share both intelligence and best practice, including with other like-minded states against their common adversaries.