Cybertech 2016 convened this week in Tel Aviv, and I was in the audience for Prime Minister Benjamin Netanyahu’s plenary address, courtesy of the America-Israel Friendship League and the Israeli Foreign Ministry. Israel has an ambitious domestic and international agenda designed to make it one of the world’s super cyber powers.
The prime minister has made cybersecurity one of his trademark issues and is a big promoter of the idea that better network defenses are essential for national security and that the information security industry is a driver of economic growth (Israel now has more than 300 cybersecurity companies, exports of $6 billion, and 20 percent of the world’s private investment in cyber). In his speech, Netanyahu stressed two large themes. First, there is a need for action now, and as a result some policies may be incomplete or eventually reversed, but the general direction has been decided and everyone needs to start moving. He returned to a metaphor from the army that he has used before of forces in the field changing direction even if every detail is not yet in place.
Second, Netanyahu highlighted a contradiction between the necessity of and the risks inherent in cooperation. The Israeli government is actively looking to partner with other countries and the private sector, but sharing information and capabilities will always be a calculated risk.
Four specific points in the speech were of interest. First, the standing up of the National Cyber Authority and the delineation of its authorities are running into some resistance, presumably primarily from the Shin Bet, Israel’s internal security agency. The Shin Bet is responsible for defending critical infrastructure, has much of the country’s cyber capability, and does not want to give up influence. The prime minister spoke of challenging vested interests, including the intelligence agencies; the officials I spoke with took the resistance as an entirely predictable outcome of bureaucratic politics and expected the turf battles to be resolved quickly.
Second, the prime minister used a medical metaphor to explain the government’s responsibilities in defending the country against cyberattacks. The government’s role is to immunize organizations and individuals by developing best practices and standards that everyone should be expected to implement. The government will treat certain types of infections, and in some instances of massive, widespread attacks that could be likened to epidemics, the government will use military force and the intelligence agencies to "both treat the attack and treat the attacker."
Third, and unsurprisingly given Israel’s long-held skepticism towards the United Nations, Netanyahu disparaged the idea of a universal code of cyber norms. Instead, he advocated a meeting of like-minded countries to define norms and sanctions against those who violate those standards. The government will use the annual June meeting at Tel Aviv University to push this agenda.
Fourth, the government will soon release new guidance on export control laws for cybersecurity products. The approach is going to be pro-business; anything that is not explicitly prohibited will be allowed. Government officials explained the notice was necessary to eliminate uncertainty among companies about what they could do, but an entrepreneur told me the measures would have the opposite effect. Government attention would only raise anxiety among investors and companies where there was none before. Officials were clearly trying to avoid reproducing the controversy in the United States over application of the Wassenaar export control regulations, but do not seem to be succeeding.
Cyber power is built on technology, a strong relationship with the private sector, and a good story. There may be different narratives—Erel Margalit, a member of the Knesset, Israel’s legislature, contrasted his vision of Israel as a cyber hub connected to its neighbors with what he called Netanyahu’s vision of Israel as a fort—but it is clear that Israel is putting many of the fundamentals in place.