“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation.”
Leon Panetta, Former Head of CIA and former US Secretary of Defense
Cybersecurity in Israel is hot, sizzling hot. Wherever you turn in the startup nation today you bump into cybersecurity tech. In the Israeli field, there are hundreds of startups, a handful of large businesses, cyber labs, companies in every phase of the commercial lifecycle—pre-exit, post-exit. There are those working out in the open and those operating in stealth mode. Investments are coming in and acquisitions are being made. Estimates as to the number of cybersecurity companies in Israel range anywhere from 250 – 500.
And it makes sense. Here in Israel—with the combination of hi-tech leadership and our inherent proclivity for security—we should be top-heavy with cybersecurity. But at the same time it is important to ask whether this cybertech neighborhood is too big or too crowded, at what point does a market or domain go from robust to unsustainable, and what makes an expanding market turn into something that can burst—a cyber-bubble?
Applying 9/11 Lessons to a Cyber 9/11: Fragmentation
Analyzing an issue such as the viability of a market is best done on the basis of a model. For example, investors and business leaders look at previous tech bubbles, draw conclusions and apply lessons: smaller investments, more controls, demands that companies employ a business model that generates income now rather than just promising stellar future success. While these lessons are relevant to the cybersecurity market—after all it is a tech market—they are not enough, because cybersecurity is also a unique area of technology, in a class of its own.
Cybersecurity is about something much deeper than other aspects of hi-tech; it is much more significant than those areas that deal with culture and social interactions (like Facebook and Linkedin), more than commerce and business (like Amazon and eBay), more than communications (like Skype, email and messaging apps) and more than all the infrastructure that drives those services. Ultimately, cybersecurity works to assure survival and existence. Therefore, it is critical to assess not only the commercial viability of cybersecurity companies but also the nature of their products; do they solve the problem? Can the set of cybersecurity technologies being built in Israel today prevent a cyber disaster?
9/11 was both the ultimate terror attack and the ultimate failure of heading off what is believed to have been a preventable catastrophe.
The report of the US government committee tasked with investigating 9/11 states, “We believe the 9/11 attacks revealed four kinds of failures: in imagination, policy, capabilities, and management.”
The Israeli cybersecurity industry excels with “policy” as well as with “capabilities”. However, I am worried about their abilities with “management” and “imagination”.
9/11 “failures of management” manifested in the lack of information sharing across related agencies. Had the CIA, FBI, State Department and others all shared the information they had about Al-Qaeda, 9/11 could have been diverted. Failures of management are failures of not seeing the whole, the sin of fragmentation.
Over recent years my company has worked with dozens of cybersecurity businesses. These companies are staffed by young, bright, determined computer scientists, mathematicians, cryptographers and security experts. Many of these people have worked in cybersecurity in military units and secret governmental organizations. They are the best and the brightest.
But they are all sinning the sin of fragmentation. They don’t talk to each other or work together. This tunnel vision precludes their forming a unified approach to any colossal threat.
Each cybersecurity company focuses on a different part of the puzzle. Some are focused on a specific threat type (DDOS, SQL Injection, code vulnerabilities, network intrusion, etc.), while others deal with particular types of prevention (endpoint security, authentication, data loss protection, threat detection, etc.). Some companies claim that their solution is so special that it alone can solve all cyber threats. However, most admit that they are working on only one part of the puzzle.
The essential problem is that no one has seen the picture on the top of the puzzle box! Cyber-terror has many branches and yet it is a single problem. Instead of collaborating industry wide, individual Israeli companies—from the hundreds working in the field—work on disparate, disjointed solutions. Each company provides a few puzzle pieces and may even snap together a couple of those pieces. None has a concept of the whole. The result is dispersed, fragmented collections of non-intelligible forms, puzzle pieces of random shapes and sizes.
Cybersecurity, by its nature, demands a cohesive, holistic approach. Data and data management have been compared to water and water management. Whether the concern is data penetrating into an organization (for example, hackers breaking in to access things they shouldn’t) or data leaking out (for example, stealing financial information or sensitive codes), all that is required is the smallest gap or fault in the structure, and leaks spring up all over.
The price paid for a fragmented, leaky cybersecurity solution could be huge. Once water/data begins to flow in or out, the entire system is compromised, because the water spreads, pressure builds and colossal damage and disaster could be imminent.
More Lessons: Failures of Imagination
Again, citing the report by the National Commission on Terror Attacks upon the United States, “The most important failure was one of imagination. We do not believe leaders understood the gravity of the threat… [the] new brand of terrorism presented challenges to U.S. governmental institutions that they were not well-designed to meet.”
On the one hand, when it comes to imagining the possibilities of a catastrophic cyber-attack, significant work is being done. Scenarios are being mapped out— from intrusions that shut down electric plants, thereby endangering cities, to assaults that combine physical and cyber terror to create total chaos. But on the other hand, we lack imagination with regards to the solutions we are preparing. Generally, these solutions are built on top of the existing infrastructure—more firewalls, better policies, tougher authentication requirements. These solutions are reactive rather than proactive and imaginative. Today we are patching what is broken instead of designing and implementing a better, more inherently secure way of doing things.
For example, one must ask if the internet as we know it today is the appropriate backbone for most of our business networks, communications, telephony, TV services and financial systems. It certainly was not designed with all of that in mind. The thought of replacing the internet with something else (in an evolutionary manner over a few generations of technology) is daunting, but it may actually be less work than the effort it would take to clean up and recover from the damage of a cyber 9/11.
Since 9/11, hundreds of billions of dollars have been spent on new security measures and new technologies. Major systems (think air travel) have been turned upside-down and inside out. Imagine what could have been done if the threats had been addressed with more imagination, and more proactive thinking.
A cyber-9/11 could result in even greater upheavals if we respond to such an attack with reactive emergency measures, including the imposition of restrictions on access to internet-centric activities (services we take for granted and use dozens of times every day). Since cyber-technologies touch every part of our daily lives, a need to restructure their security post-facto could bring with it crippling damage to how we live our lives and how our economy and our world function.
Just imagine the loss of some or all of these services from our lives (all of which depend on or are vulnerable to the cyber world in some way), during an extended recovery period: telephony – land and cell, messaging, online banking, email, electricity, air travel, TV, etc.
It would be better to analyze our cybersecurity needs, today, to define a new architecture (as if we were just starting to build all the infrastructure now, from scratch), to re-imagine the way our world works, and to start working on all of this now, than it would be to find ourselves responding after the fact to a cyber disaster and then scrambling to get back on our feet.
When Does a Cyber-Bubble Burst?
A cyber-bubble bursts when there is a cyber disaster and the technologies and procedures deployed did not succeed at stopping it. There is major damage and a long, slow, painful, incomplete recovery. The burst brings down the related businesses, but what’s worse, it leaves society feeling vulnerable and unprotected.
So, can Israeli tech companies help prevent a cyber 9-11?
No. Not the way things are today.
We are in a cyber-bubble and if this bubble bursts the impact will not only be on the economy, but on the very existence and welfare of whatever country is attacked and on Israel’s credibility as a global player in this area.
We are building a jumbled mix of pieces to patch security holes in today’s infrastructures. We should be designing and building a newly conceived, newly imagined, unified architecture that can be implemented over a few generations.
Who Can do This?
At the recent Cybertech conference in Tel Aviv I was pleasantly surprised to find that the most impressive speakers were not from the business sector but were, rather, academics and government representatives. As opposed to the company heads (who again, were focusing on fixes for today’s immediate problems), the academics and governmental players were grappling with the challenges of cybersecurity on a larger, grander scale, and confronting the amorphous nature of cybersecurity. For example, the head of the police’s cybercrime department raised critical issues, including the lack of clearly defined borders for his department:
- What exactly is his jurisdiction?
- Does the cyber crime have to take place in Israel?
- Do those involved have to be Israelis?
His answer was encouraging (he thinks that his department should be involved in any cyber scenario that has any kind of Israeli involvement, regardless of where in the world those people are physically located) but what I found to be most significant was his imagination. He was grappling with important questions, not rushing to market with an incomplete solution to a partially defined problem.
I envision a new Israeli standards committee consisting of representatives from academia, government and private industry. The committee’s task will be to define the architecture for a secure infrastructure that is imaginative, multi-dimensional and multi-generational.
Being multi-generational means that it provides answers for the short term (which may look very similar to those currently being built) but also defines evolutionary changes (ultimately, revolutionary) in our infrastructure and the security elements they require, so that we meet the challenge of being imaginative and proactive. The technologies that surround us in ten years can and should be completely different than those of today – and this should happen because we planned it so, and not in response to cyber terror.
Rather than today’s situation where each cybersecurity company randomly chooses an area of focus, every company will want to declare where they fit into the newly defined architecture. Investors will not take seriously companies that just do their own thing. But companies that can show they are working on solutions that fit into the unified architecture should be incentivized by the Chief Scientist and benefit from greater interest by investors.
A Shift in Hi-Tech Culture
“… a destructive cyber-terrorist attack could virtually paralyze the nation.”
Israeli cybertech companies have a lot going for them; knowledge, smarts, security experience. But the cybertech market in Israel is in its infancy. It needs guidance and direction. That guidance can come from cybersecurity leadership—from academia, government and industry. If this happens, it will constitute a reshaping of the hi-tech market in Israel (perhaps with a greater sense of communal responsibility); it is possible, and it could bring great value of many kinds.