Interview

“Cybersecurity can’t remain voluntary,” says National Cyber Directorate executive

Meital Arik, Head of the Cyber Guidance and Regulation Division at the Israel National Cyber Directorate talks about how combating cyberattacks is an existential need, the lasting effects of the pandemic and the significance of regulation.

Diana Bahur-Nir and Raphael Kahan 21:2325.04.21
Meital Arik is the Head of the Cyber Guidance and Regulation Division of the Israel National Cyber Directorate. She talked to Calcalist about how combating cyberattacks is an existential need, the lasting effects of the pandemic and the significance of regulation.

 

What does your job entail?

 

“I’m the head of the branch that directs the civilian market so that it will be better protected against cyberattacks: we pass along warnings, provide guidance, as well as actual technological assistance. When there is a warning, they pass through the Prime Minister’s Office Cyber Directorate's relevant channels. We are considered a security entity and operate as such.”

 

Cyberattacks have increased by 50% during the pandemic. Photo: Shutterstock Cyberattacks have increased by 50% during the pandemic. Photo: Shutterstock

 

How much have cyberattacks thrived during the pandemic?

 

“The pandemic has increased cyber events and the intensity of cyberattacks, and there was also a leap in the quality of attacks: our operational branch received 9,000 reports this year that were identified as cyber events, showing a 50% increase compared to the year prior. This occurred in part due to the transition to working remotely. The transition to the cloud and the need to work from home doesn’t necessarily go hand in hand with companies and people protecting themselves, while attackers were already prepared for this shift and found plenty of opportunities to attack. If you are an expert in providing protection, it’s a lucrative field with easy money as the cyber market in Israel is suffering from a dramatic lack of manpower.”

 

What recent events were you involved in?

 

“The cyber hack at Ben-Gurion University of the Negev and ransomware attacks on the Shirbit Insurance company are things I personally managed. Ben-Gurion was involved in a hack in which some of its servers were breached and it was close to losing all its data which is really crazy.”

 

“We approached them with information that some of their servers were hacked - information which we obtained through tools that other countries use, along with information that came to us through various channels. Once we identified the incident, we recommended that the university publish a message about the hack and manage it with full transparency. Since it was managed correctly, the incident was contained. Small organizations don’t address the issue until it hits them - and those who made dramatic changes are ultimately the ones that were hit, suffered losses, and crashed.”

 

Will it happen to the Shirbit insurance company again?

 

“Shirbit reported that it lost all its profits from the last quarter because of the cyberattack. Since then it has invested dramatically in protection, which an organization its size isn’t accustomed to doing, meaning it went from one extreme to another, and is now super-protected. It probably won’t happen to Shirbit again. But if it followed regulation demands earlier, then it most likely wouldn’t have been attacked like that.”

 

This investment in cybersecurity could weigh down small and medium-sized businesses’s profits.

 

“You don’t have to be the most protected company in the world, it’s enough to integrate basic protection that the Cyber Directorate recommends, and attackers will always look for easier places to attack. If you minimize and protect external data, they’ll head somewhere else. That’s also how we operate: as soon as we identify a weakness, we approach businesses and companies and tell them to protect themselves. For example, when Microsoft released a security update warning those against using its Microsoft Exchange email server, we found 1,400 organizations that didn’t shut down the program and warned them. We had situations where entities came to us, they didn’t shut down weaknesses, and were attacked a few months later.”

 

“We don’t want attackers to press that red button”

 

How many organizations did you turn to who were attacked since they didn’t treat security breaches?

 

“As of 2020, there were 2,000 entities who received warnings from us, and didn’t treat those systems, of the 6,000 total that we reached out to. We are involved in places where an attack could harm public interest or national security. Similarly to the case where the financial company K.L.S. Capital (where a group of hackers hacked into the company’s system and put some of its data on the market, including credit card numbers, drivers licenses, passport photos, and Israeli ID cards), or Shirbit for that matter, who retained many customer details throughout the years.”

 

How do you deal with organizations that refuse help?

 

“For those that refuse, we take whatever legal action to ensure they take the necessary steps. In most cases, organizations comprehend the severity of the scenario, and cooperate. In the case of Ben-Gurion, at one point the university president told me: ‘take my credit card and do whatever you can to make sure that the attacker won’t press that red button and erase part of the university.’ When an attacker decides to erase data or encrypt it - you reach a point of no return. You don’t always have all your files backed up, and restoring them isn’t easy and could take a good few days, as well as shutting down operations for the time being, and also seriously harms an organization's reputation.”

 

In Israel, there aren’t any cyber laws, doesn’t that curtail your organization’s influence?

 

“If large businesses decide not to cooperate - they know they still can. In any case, we don’t even touch their keyboards, they’re supposed to do everything themselves. Today, we are engaged in a persuasion campaign, and if there is a conflict with a particular entity, then we conduct a discussion between legal consultants on liability damages that they could be exposed to. In the financial field, for example, there are strong regulations that can help convince an organization to adopt certain safety precautions. In the end, the reality is that it’s still voluntary. Especially when talking about a body with no regulating authority, and that’s why urgent legislation will give the directorate authority when it comes to an asset under risk or the public interest and we will be able to fix the issue. There are some companies you have never heard of, but in the case of an attack they are connected to several other companies. Such attacks alway seem small at first.”

 

But yet the lack of legislation still benefits the refusers.

 

“For those who refuse, we hit a wall. They understand that we don’t have any legislation backing us up, and tell us: ‘you have no authority to continue. Let’s halt this discussion.’ It’s incredibly frustrating. What’s important is not that these companies are attacked, but that an attack on them can lead to other places. Meaning, that within a few months, we could find ourselves with an entirely new attack variant that has spread to another organization. It’s unbearable.”

 

What will a government order grant you?

 

“A government order will ultimately give us the ability to reach results through discussion, or in an administrative or through a judge’s warrant. When it comes to a body that relays to me that they heard my recommendation, but chose to address it on their own, in their own time, we could limit their ability to do so. We want to ensure that this chosen method will address the problem, and it’s important to set deadlines. From a national standpoint, it can’t remain voluntary.”

 

“Having a cybersecurity service is like having an accountant”

 

For small businesses, cyber services don’t always make sense.

 

“Just like you’d hire an accountant or lawyer, you should also hire cyber services. If that doesn’t concern you, you can hire a professional who can address these issues (protect your website, emails, the organization's network). During the pandemic, we released a list of service providers because after the Shirbit hack we received several inquiries from CEOs who told us they can’t sleep at night.”

 

What does that list include?

 

“It’s based on a declaration we issued for cyber companies which grants them a platform to offer their cyber services, especially during the pandemic when many companies struggled financially. We looked into the situation and checked providers are actually offering what they claim to. There are around 150 companies and products today with different categories of protection that companies can equip themselves with.”

 

What about small and medium-sized businesses who for profitable reasons, have no incentive to invest?

 

“We don’t expect everyone to hire a cyber defense manager and an information security manager. If that isn’t your main concern, no problem. You can hire external consultants. There are plenty of companies that provide full services and can provide you with peace of mind. We’re seeing examples of outsourcing that work quite well, and that’s why we encourage it.”

 

Could an attacker lock a computer belonging to the Prime Minister’s Office through a ransomware attack?

 

“In Israel, we have a combination of several factors that make us an attractive target, including technological developments that the Start-Up Nation has created along with the volatile region we live in. All this increases Israel as an attractive target for a cyberattack. In general, we always say that there is no such thing as 100% protection. We’ve made investments, have taken respectable efforts, and are equipped with significant defense systems on behalf of the Information and Communications Technology Authority to ensure that such scenarios won’t happen, and the fact is we haven’t seen it happen.”

 

On a personal note, when you managed the IT Center for Critical Cyber Infrastructure at the Cyber Directorate you were diagnosed with breast cancer. How did you cope?

 

“I was diagnosed in March 2017 with a tumor in one breast. I was only 37, which is pretty young for such a diagnosis, and it became clear that it was metastasizing. It was a big shock, and I had a type of panic attack. I underwent a year and a half of chemotherapy, radiation, and biological treatments. Since the age of 18, I have been reading up on the relationship between body and mind, and built up a library on the topic at home, took courses, and attended workshops. I told myself: ‘it’s time to use these tools on myself.’ When I saw that it helped me, and after seeing enough women trapped in this situation, I decided to pass along what worked for me to others in workshops. In both vectors - whether personal or professional - it’s about dealing with a crisis and finding ways to cope. The way to overcome it is to learn to retreat a bit, to recharge in between. Amid the storm, everything seems terribly difficult. There’s no night and day and all resources are directed toward this. I thank my partner, family, and friends who helped me during that process. When it’s over, you feel like you grew a bit.”