What Canada can learn from Israel and Estonia’s rise to cybersecurity royalty: It’s complicated
A little over a year ago, I had the pleasure of presenting at CANARIE’s 2017 National Summit in Ottawa with my good friend, Roni Zehavi, CEO of Israel-based CyberSpark. A cross-section of scientists, practitioners, academics, entrepreneurs and professionals, the Summit showcased the interconnectedness of science, society and cyber–how it began, its evolutionary path, and what the future holds as this global convergence unfurls before our eyes. The contributions were rich and thought-provoking, providing a glimpse into the power of technology in our day-to-day lives.
Totally in my wheelhouse, I presented A Cyber Retrospective and Peek into the Future that focused on the Internet’s monumental impact on social change and what we can look forward to with Web 3.0, artificial intelligence, open identity, ubiquitous connectivity and more. Journeying from the analogue Internet to the World Wide Web’s rich multimedia and then exploring deep trends that enriched every aspect of our lives, I wrapped up with a bonus Gangnam Style dance-a-long. The crowd was lit.
Roni’s presentation, Cybersecurity Sparking Research and Innovation, was serious. Actually, it was hardcore–it wasn’t where we were and where we might be going but a definitive statement of claim and rapid-fire account of Israel’s extraordinary success and growth in the sector. Spotlighting Israel as a powerhouse of cyber capabilities and rigorous, military-inspired approaches, Roni described how this shaped what it has brought to the global table–along with Singapore, Malaysia, U.S., UK and Estonia. Not surprising, the crowd was crushing on Israel.
A few decades ago, the road ahead for Israel seemed to be predicted, as if they had paved it themselves. In a way, they had–although not without challenges, some of which they are experiencing today. Irrespective of that, Israel is unrivalled in its self-promotion of how it has come to be one of the leaders in cybersecurity; it’s not just smoke and mirrors.
One part political, one part cultural and maybe another one part historical, it is not surprising that the Israeli government’s strategy on cybersecurity (actually, security in general) is rooted in achieving success where failure is not an option. As it should be, right? After all, cybersecurity permeates every sector, making it the backbone of product and service integrity for many businesses and governments, stretching to military, cyber warfare and national security.
Israel flexes its cyber muscles
How exactly did Israel rise to international excellence in cybersecurity? Well, Israel’s foray into what is now an $82 billion dollar industry was complicated and a much slower trajectory than it appears. Possibly un-replicable, Israel’s cyber sector crowning resulted out of necessity, market opportunity and Israel’s history, with the Israeli government playing a key role in its positioning.
Long before cyber was a thing, Israel was already forward-thinking and independently vigilant in national security, making it central to its governmental strategy. Looking back, it is easy to see how Israel’s current political and social climate manifested its autonomy and resilience, arising from historical events, such as Israel’s independence in 1948, the Palestine conflict and the Arab League boycott of Israel. These legacies are inextricable from their culture–it’s in their blood and part of their habitus.
In the 1990s, Israel became one of the first countries to both legislatively and operationally defend its critical systems. By developing the e-Gov project Government Infrastructure for the Internet Age and adopting Resolution 84/b, that defined critical computerized infrastructure, Israel set the foundation for comprehensive cyber responses. Shortly after, Israel developed the National Information Security Authority (NISA), the authoritative and governing body for information security and critical infrastructures, further entrenching and framing its future capabilities.
With the National Cyber Initiative developed in 2010 to address the differentiation of threats and to analyze the benefits of the sector to the economy, academia and national security, Israel was in the top five advancing countries in cyber innovation[. With no one factor responsible in attaining its success in cyber, Israel had perfectly strategized a storm of change with its cultural, historical and political uniqueness and market readiness.
Notably, the Israeli government took on the role of business catalyst, investing heavily in human and technology capital, incubating their own and other nations’ start-ups, and seeding innovation in the most unlikely of areas–the military. Israel did more than think outside the box: they re-designed the box. This fostered outstanding technologies like SCADAfence’s technology that monitors utility and manufacturing operations and Secret Double Octopus which “shreds” data, sending it over multiple channels (like WIFI, cell networks or Bluetooth), and securely reassembles it on the other end.
One that point, part of Israel’s success hinges on their incubator and accelerator facilities which are better described as fully commercialized, academic compounds of internally groomed cyber expertise. Referred to as ecosystems, these facilities host multinationals and coordinate bilateral exercises from around the globe, allowing access to skilled graduates from Ben Gurion University and the Israel Defense Forces’ cyber and intelligence bases.
However, in recent years Israel has been faltering in some aspects of the cyber sector, although this varies depending on the index referenced. While some cyber readiness and performance indices measure policy, economy, infrastructure, R&D spending and research infrastructure, others consider all or any combination of these. In the Preparing for Disruption: Technological Readiness Ranking by The Economist’s Intelligence Unit[, Israel is expected to slide back a few spots in Technological Readiness from 2017, but it has maintained its Cybersecurity Preparedness and leads in R&D spending, exceeding 4 per cent of their GDP (2015).
With the cyber skills shortage a looming concern for many nations, Israel may weather a bit better than its counterparts due to its existing skills base, mature training programs and ability to retain domestic talent through competitive salaries. According to the Organisation for Economic Co-operation and Development, Israeli cybersecurity experts earn nearly three-and-a-half times more than the average salary in the local economy[ and over two times more internationally.
Whether that plus Israel’s capabilities, investments and expertise is enough to re-position and sustain it through what will be a tough period remains one of many questions.
e-Estonia: A digital society emerges from cyber disaster
About 4300 kilometres north of Israel, Estonia, often referred to as the most advanced digital society in the world, also enjoys a place of prestige in cybersecurity and operations–for a very different reason than Israel. Many will remember when the small Baltic country was the target of massive cyber-attack on government, banking, media and public services’ systems in 2007, purported to be the first cyber-attack against an entire nation. Simple but well-coordinated, unprecedented levels of internet traffic orchestrated by botnets swamped target servers for weeks.
Initially thought to be a dry-run to test the impacts of a massive denial of service attack, it was later found to be an act of political retaliation and aggression, and an unlikely event emerged as the apparent impetus for the attacks. The Bronze Soldier, originally known as the “Monument to the Liberators of Tallinn”, was erected by Soviet authorities in 1947 as a tribute to Red Army soldiers, viewed as liberators by Russia. To ethnic Estonians, they were anything but, and the statue only served as a reminder of fifty years of Soviet oppression. In April 2007, the Estonian government decided to move the statue out of the city center to the outskirts of town, spurring two nights of rioting and violent protests by Russian-Estonians. Then came the waves of cyber-attacks. At that time, all that was known was that the attacks came from Russian IP addresses with online instructions in the Russian language. It did not go unnoticed that appeals for help from Moscow were ignored.
Once the political dust had settled a little, Estonia developed a multi-faceted cyber strategy that addressed their national cyber requirements, enhanced public safety, the real-time economy and digital democracy, as well as collaboration on international cyber law. Estonia turned what was the biggest unauthorized cyber-vulnerability test into the springboard for specialization: expertise in public services, government and infrastructure programs, such as e-Governance, e-Tax, X-Road, Digital ID, i-Voting, e-Health and e-Residency.
Through its partnership with NATO and allies, Estonia took the lessons learned from the attack and made them core to the formation of the NATO Cooperative Cyber Defence Centre of Excellence (CCD COE), which now also hosts the world’s largest annual cyber defence exercise. To firmly establish legislative and policy governance, the Tallinn Manual, a set of guidelines interpreting international law for cyberspace, was created and published in 2013. In 2017, the second edition was expanded to address attacks that fell below the threshold of armed conflict.
To sustain its accomplishments in the global cyber arena, Estonia developed highly skilled resources as a critical success factor, similar to Israel’s unique approach in utilizing military expertise. The Estonian government established the Cyber Defence Unit, a heavily vetted, anonymous volunteer base of the country’s leading IT experts. Trained by the Ministry of Defence, members donated their time to what may be the world’s first cyber defense reserves, engaging in incident responses to simulated and probable attack scenarios.
While Israel and Estonia have both emerged as leaders in cyber, their respective origins and paths were markedly unique. However, one common factor can be appreciated: when events or incidents strike the nation’s collective conscious and values, amazing and transformative things can happen. In both cases, effective response was not just about technology, resources, skills, training, venture support or strategy. It was about all of those in concert–and apparently it helps to have a complicated (political) past.
Takeaways for Canada
Where does that leave Canada? We are not exactly left in the wake since most would agree that Canada has a wealth of skills and policy measures in cybersecurity and innovation. Still, Israel and Estonia impart some valuable lessons for Canada and others. Creating a balanced national strategy that spans cyber response and readiness for government and sectors bound by legislation and policy, collaboration with allies on international cyber law, incubating and accelerating innovation through training, funding and commercialization all appear to be crucial.
Also, leveraging existing professionalized skills and military strength in cyber, as Israel and Estonia did, makes sense in the context of the defense and “war” models. Canada seems to have recognized this and appears to be moving in the same direction through programs such as the Military Veterans in Cyber Security by the Canadian Armed Forces and Veterans Affairs Canada. Providing military veterans an opportunity to put their skills, training and defense mindset into second careers in the cybersecurity industry, the program has successfully married government and private sector initiatives.
There may also be merit in recognizing the cultures of vigilance fostered by Israel and Estonia–Israel’s emerging from a series of historical events and Estonia’s as a response to a specific nation-wide attack. Having yet to experience our own tipping point, one that would propel us toward offensive planning and capabilities, may be Canada’s Achilles heel in attaining robust readiness. For now, possibly the most effective measure of our capabilities, rather than relying on performance indices, may be assessing intercepted and resolved attacks (shut-down of command and control and wide-spread resolution of vulnerabilities), attribution and interdiction.
In coming years, much of the cyber landscape, its players and capabilities will change, as will the threats and their delivery. Responding to that constant ebb and flow will be essential for any nation–especially Canada–in order to establish and then maintain overall cybersecurity expertise and resilience. The ability to prevent and detect threats with precision, forecast technological impacts and trends, respond with agility and continuous improvement, and invest heavily in government and private sector strategies and programs cannot be underestimated.
Canada certainly has the grassroots
elements to establish a comprehensive, renewable and truly sustainable
long-term national strategy–one that becomes part of our habitus. But only time
will tell; it will be up to leadership to enlist the experts to activate these
core components. To that, Roni and I will certainly share a stage again in the
coming years, and next time, I hope to give him a run for his money as I reveal
how Canada transformed from a cybersecurity demagogue to a global
heavy-hitter. I may even leave time for a Gangnam Style dance-along.