Israel’s National Cyber Directorate, which is in charge of defending critical infrastructure, needs to study every detail of the massive suspected Russian cyber breach of 250 government and private-sector networks recently uncovered in the United States, a former senior Shin Bet intelligence agency official has told JNS.
Ron Shamir, who retired in 2013 from the Shin Bet after 24 years on the job, served as the intelligence agency’s former Technology Division head. He said it was imperative to understand how “the most basic” features of cyber defense appear to have been overlooked, including the ways in which attackers took advantage of the SolarWinds IT management company, which provided software to the attacked entities.
“It’s like breaking into a police station and hiding in the truck delivering the food. When exploiting the weakest link, the attack doesn’t have to be the most sophisticated,” said Shamir.
“I hope that the Israel National Cyber Directorate studies every bit of information on this attack. It would be tragic if the lessons learned in the United States are not applied here,” he added.
“The event is unusual in its scope,” he said. “Most of the public isn’t focused on it here in Israel because of the coronavirus and the political crisis. But it is a huge event. The American cyber-defense system is in a very difficult hour. Not only did the attack last many months, but it was only detected by a private company. This, after billions of dollars were invested in cyber security,” he stated, referring to the exposure of the attack by the FireEye cyber-security company. “This was a supply-chain attack, which is a well-known type of attack using the weakest link. Once such a link is discovered, it is a paradise for attackers.”
Asked how well-prepared Israel is, Shamir said it’s difficult to provide a clear-cut answer, noting the recent cyber attack on Israel’s large Shirbit insurance company and other incidents.
“We have to differentiate—not everything can be defended at the same level. Israel prioritized critical infrastructure many years ago,” he said. That includes electricity, water and other vital sectors needed for the state to continue to function. Large state resources were invested in protecting these, resulting in what Shamir described as a high level of protection, although he warned that “in the cyber sphere, there is no 100 percent defense. The assumption has to be that every organization can be breached.”
He noted reports of Iranian cyber attacks on the Mekorot national water company in May, an attack that nevertheless did not enable the assailants to disrupt Israel’s water supply.
Prior to the formation of the Israel National Cyber Directorate, the Shin Bet itself was designated with the task of defending critical infrastructure, though as time went by, it handed over the task to the Directorate, which grew in size.
Other important sectors, such as banks, are not defined as critical infrastructure but could still benefit from state support, said Shamir.
“This is a reminder that many sectors need defense. Hospitals and the health maintenance organizations (HMOs) need protection, and they are receiving it since any significant harm to them can cost lives,” he said.
The National Cyber Directorate operates a control room, CERT (Computer Emergency Response Team), in Beersheva that monitors Israeli communications networks and seeks to detect forming cyber attacks in real time, issuing alerts to organizations that are under threat. The Directorate is headed by an experienced former Shin Bet official, Yigal Unna.
“There is a tension here, as the Directorate cannot directly help every store,” said Shamir. “There is a limitation of personnel. But it can provide best practice instructions, recommendations, and in some cases, offer direct assistance.”
‘An unprecedented American security failure’
Micky Aharonson, the former senior director for foreign policy at the Israeli National Security Council in the Prime Minister’s Office, said that while the attack itself—if it did indeed originate from Russia—did not come as a surprise. “What is extraordinary is the scope and how successful it was,” she said
“If the Russians attacked, they will likely attack in the future. The United States will likely do the same,” she said. “What is here is an unprecedented American security failure.”
American media reports have cited officials as suspected Russia’s foreign intelligence agency, SVR, as being behind the attack. Aharonson noted that a few days after the massive breach was exposed, Russian President Vladimir Putin visited CDVR to mark its 100th anniversary, in full public view, a visit she said carried symbolism.
A primary function of such an attack would be to search for data and an ability to work against an administration that Russia has defined as an adversary, she explained.
“In the event that this was a Russian attack, there is also a message here to the incoming American government. Moscow would be saying, ‘Look at our capabilities; see what we can do. Do not write us off.’ ”
The attack cannot be disconnected from Russia’s interest to enter negotiations with the Biden administration on multiple issues from a position of strength, she said, most importantly, over renewing the New Start (Strategic Arms Control Reduction Treaty), which calls for halving the number of nuclear missile-launchers, and is due to expire in the coming weeks.
“The Russians want to talk about it. The fact that this happened before such a discussion looks like a signal, saying, ‘it’s worth your while to talk to us,’ ” said Aharonson.
The United States has also rejected a Russian invitation to hold a dialogue on cyber security, viewing it as a ruse.
Domestically, noted Aharonson, the attack could allow the Kremlin to present Russia as a great power on the world stage, which the Russian government is always keen to do to shore up support.
Meanwhile, the newly passed U.S. defense bill calls for crippling sanctions against the Nord Stream 2 energy project, an initiative viewed with great importance by Moscow, for the creation of a network of natural-gas pipelines from Russia to Germany.
“The attack, assuming it is from Russia, would therefore part of a deterrent Russian message as well, saying, if the United States wants Russia to behave differently, it has to give Russia something,” explained Aharonson. “The Russians are looking for a deal.”