“An army hacker does not sit all by himself with a pizza and a Coke,” say Lt. Col. M. and Capt. A., two senior officers serving in the Israeli Defense Forces (IDF) cybersecurity lineup. “We must work together, and we have to practice brainstorming and to allocate tasks. Ultimately, we are running against the clock. These are the qualities we are looking for in our soldiers — teamwork and the ability to think outside the box.”
Lt. Col. M., 39, is in charge of the [cyber] defense lineup — or the “blue team,” as it is called in IDF jargon. The defense lineup, which is responsible for the maintenance of all monitoring and security systems designed to handle cyber threats, forms a part of the LOTEM unit, which operates under the command of the IDF Information and Communications Technology (ICT) Branch. Capt. A. heads the “red team” in the cybersecurity lineup, whose task is to simulate attacks and mock up attempts to break into the system from an outside location — this, with the aim of testing the preparedness of the cybersecurity system.
The red team, then, is constantly trying to attack the system by simulating break-in attempts and creating cybersecurity events, while the role of the blue team is to protect the system against such attacks. Together, the two teams maintain IDF preparedness in the face of any potential cyber threat. Lt. Col. M. and Capt. A. are also in charge of imparting the professional know-how acquired by their teams to all cybersecurity, ICT and intelligence bodies in the IDF.
Protecting human lives
“We have an edge over civilian companies,” says Capt. A., comparing the team he is in charge of against the world's leading security companies, which have similar teams that perform online intrusion attacks and test preparedness. “They are at a disadvantage in comparison to us, since we are developing our own tools, just as the enemy that attacks us does. We have the edge not only in terms of technological level, but also in terms of motivation: We are protecting human lives, and our soldiers are thus far more motivated than civilian security specialists. We entrust our lives to our [cybersecurity] system, and that’s where its significance lies.”
Lt. Col. M. is therefore not really concerned about the reports, drawing on the information leaked by former NSA employee Edward Snowden, that the American National Security Agency (NSA) has found a way around the [Internet-level] encryption protocols of most of the civilian computer systems worldwide.
“Our job is to monitor the goings-on and keep track of the technological developments, and we need to know what the threats and risks in cyberspace are. In any event, to protect strategic assets, encryption systems that we develop ourselves in-house, rather than off-the-shelf products, are customarily used.”
Military defense systems may be exposed to threats not only from without, but also from within, as demonstrated in the case of Anat Kam, the IDF soldier convicted [October 2011] of disclosing classified information to the press. According to Lt. Col. M., such cases are handled primarily on the educational, informative level. “Cases of information leakage are dealt with first, by raising the awareness of both the command echelon and the rank and file to the importance of information security and enforcement. And second, there are network monitoring systems.”
The two [cybersecurity] lineups were set up several years ago. And while the IDF realized the importance of cyber warfare long ago, it is only recently that it has recognized the need to prepare for any scenario and regularly conduct quality assurance tests of the system. Last year, the IDF launched a professional cybersecurity training program. Many of its graduates join the teams led by Lt. Col. M. and Capt. A.
What is your daily routine?
Lt. Col. M.: “It isn’t easy work. We are a technological body, but also an operational lineup. On the one hand, we have our routine work, the development of tools, know-how and technology. On the other hand, we have to be on the alert, poised to respond, at any moment, to some threat or another. It is by no means a simple job.”
Capt. A.: “We are constantly preparing for the next war or the next drill. And in between, we may have some fun dissecting the system and drawing conclusions together. The idea is to instruct the monitoring bodies, [and] to make them understand what they should look for and how to respond.”
Capt. A., 27, is a gamer and a graduate of computer science, having completed his academic studies and earned a bachelor of science degree while still in high school. The squad of hackers under his command is of the same profile. “We count on the tracking and recruitment system of LOTEM to do its job. However, it is the way of thinking and the personal knowledge that I deem most important. We seek to impart the value of creative thinking to all our soldiers. You have to constantly think of new ways to attack. That’s why we recruit young people with fresh and original thinking. At the end of the day, hacking is like any other knowledge. With time, one can become rather conservative and adopt a fixed way of thinking.”
Lt. Col. M. adds: “Quite often, when devising an attack, originality is reflected in the detection of system vulnerabilities that may be used to break into it, rather than in the use of new tools of intrusion.” It is therefore of the utmost importance that the soldiers be familiar, as far as possible, with the systems. “Security holes can be found anywhere. The point of hacking is to find the system vulnerability and leverage it to undermine the entire system.”
Capt. A. notes, “The best way to break into a system is not by running head-on into it. Rather, the most sophisticated attacks, the ones that you can brag about, are those that take advantage of a hidden security hole. A few months ago, there was a wet exercise simulating a cyber attack. For several hours, we were hitting end-point nodes, trying to find a way to break in. Our intrusion attempts were seen by soldiers watching us across all army units.”
The conceptual flexibility of the unit is reflected also in the way ranks are regarded in the unit. “We are blind to ranks in the unit,” says Lt. Col. M. “It is not unusual for a sergeant to give orders to higher-ranking officers. Each one in the unit is measured by his capabilities. On a certain level, it holds true for the entire technological lineup, but it is especially manifest in our unit. When we present technologies and capabilities to the senior staff, it is not necessarily me, but rather the junior officer or non-commissioned officer credited with the developments who is called to present his innovations. We let our people show off their creativity.”
Capt. A. adds that the majority of soldiers recruited to the unit are academics — for the most part, graduates of the IDF's elite programs or soldier students [studying at the university in the course of their military service]. “We aim to build a varied and multidisciplinary workforce, knowledgeable in the fields of communications, hardware, software, security, physics and more.”
The image of a stereotypic hacker is that of a lone wolf, typically a man. Are there women soldiers in your lineups?
Capt. A.: “Unfortunately, we see very few women in the interviews for recruitment to the unit. I would like to see many more women applicants. Yet, the cybersecurity war room is headed by a woman commander, and I do hope that it is the first step in the right direction. By the way, I am going to be replaced in office by a woman.”
The [apparent] rivals are collaborating
Although we hear more and more about hacker attacks on Israeli websites, these attacks do not usually threaten the IDF. Such intrusion attempts are generally aimed at private sites or at government websites, which are protected by the civilian TEHILA system.
Capt. A.: “We are aware of the threat of independent hackers, and we are prepared to deal with it, too. In any event, more often than not, they don’t pose a real threat and don’t really bother our teams. But, of course, it should be borne in mind that no system can be totally protected. Any system can be penetrated if enough fire is directed at it. The question is how much money and time, and how many human resources the attacker has at his disposal. On the basis of the [simulated] cyber attacks mounted by the red team, the blue team led by Lt. Col. M. learns where it needs to invest and how it can best protect the system against such attacks.”
So, who usually wins? The reds or the blues?
Lt. Col. M.: “The team of A. always manages to surprise us. In the wet exercises, his team met all the goals set for it, and played out all the scenarios outlined in advance. However, we too made it through. We took the right action to identify the attack and the source of attack, and to try to contain the attack. In the end, we both won. The IDF has remarkable professional capabilities and an apt response process. The two teams join forces and collaborate to a large extent, and they share information and know-how. At the same time, I would rather not limit my people to a fixed mode of operation. True, the two teams have much in common, in terms of professional know-how and way of thinking. But, naturally, once the exercise is over, there is a lot of bantering going on, and the competitive spirit is alive and well.”