Two weeks ago, Israeli Prime Minister Benjamin Netanyahu announced the creation of a new cyber defense authority to defend Israel’s civilian networks. This is the latest in a series of steps taken by Israel’s government to bridge the public-private cyber divide and bolster the country’s position as a global leader in cybersecurity.
Washington, in contrast, suffers from a severe lack of new ideas on cybersecurity. U.S. policymakers struggle to understand the technical aspects of key issues and avoid meaningful engagement with the private sector, academics, and NGO community. The U.S. government often prioritizes security over innovation, privacy, and access, and unfortunately ignores the long-term risks of its own approach. This week marks the start of the 11th annual National Cyber Security Awareness Month, which is a perfect occasion for the U.S. government to learn from Israel’s example and embrace much-needed new thinking on cybersecurity.
Israel has been labeled the “Startup Nation” because it boasts the highest per capita density of startups worldwide. How Israel ascended to the top of the technology world is a matter of debate, but one factor is undoubtedly the country’s precarious security situation and the government’s pattern of response. Since its founding, Israel has placed a premium on ingenuity and creative ways to stretch its limited resources, including through technological innovation. Its government has also fostered a sense of individual responsibility among its citizens – including by requiring mandatory military service – to confront the national security threats facing the country. Mandatory military service not only inculcates leadership skills, but also fosters specialized skillsets in fields like engineering that are particularly relevant for the technology industry.
This reality was palpable during my recent visit to Israel as part of a bipartisan think-tank delegation. Israelis from all walks of life exude a sense of common purpose on security issues –especially those involving Iran, whose cyber-attacks are a growing concern. In an interview, Michael McNerney, a Silicon Valley based cybersecurity expert and former Cyber Policy Advisor in the Office of the U.S. Secretary of Defense, stressed how “Israel is smart to focus on a collective and participatory approach to online security because the interconnectedness of online systems and proliferation of mobile devices make every individual a potential access point for a cyber-breach.”
In contrast to the United States, Israel’s government interacts closely with the private sector, academia, and civil society on cybersecurity issues. In fact, in 2013 Israel inaugurated an Advanced Technology Park at Ben Gurion University to serve as an international center of excellence for “cybernetics and cybersecurity.” The Technology Park brings together companies, academics, and the Israeli Defense Forces (IDF) to collaborate on projects, share research and information, and foster new thought leadership.
The wider Israeli government also takes a collaborative approach to cybersecurity. In 2011, Israel created a National Cyber Bureau (NCB) responsible to coordinate cybersecurity efforts among the private sector, academia, and the Israeli government with the goal of keeping the economy and infrastructure safe from attacks. Over the past year, NCB has been engaged in a turf battle with Israel’s domestic intelligence agency Shabak (also known by its Hebrew initials as ShinBet) over which organization has the lead in defending key Israeli companies, such as El Al Airlines and pharmaceutical firm Teva, from cyber-attacks. ShinBet traditionally has been responsible for protecting Israel’s government agencies and critical infrastructure, such as utilities and financial institutions, but not commercial entities.
The creation of a new cyber defense authority to protect civilian networks not only resolves the turf battle between NCB and ShinBet (the new agency will report to the head of the NCB), but also diminishes the influence of Israel’s intelligence community in civilian cyber defense. The new agency’s mission is to foster stronger cooperation between government and the private sector, coordination among leading cybersecurity experts, and long-term research and analysis of cyber threats.
Meanwhile, Washington struggles to conceptualize an innovative, long-term strategy to manage cyber risks. The U.S. is hampered by an outdated bureaucratic structure that empowers military and intelligence agencies over civilian ones – even those civilian agencies with technical knowledge and skills, such as the Department of Homeland Security and Department of Commerce. Andrew Borene, a national security attorney with Steptoe Johnson LLP, highlighted in an interview that “mistrust of purely military or intelligence agency leadership on cybersecurity creates significant challenges for information sharing about threats in a globalized international economy.”
The concentration of cybersecurity resources, information, and decision-making authority within a single individual – the dual-hatted Director of the National Security Agency (NSA) and head of the U.S. Cyber Command – also creates a structural prioritization of security (over privacy, access, and innovation) that is impossible to balance out. Congress meanwhile, lacks the technical knowledge to conduct oversight of U.S. cybersecurity policies and update outdated or incomplete laws.
According to Matthew Rhoades, Director of the Cyberspace and Security Program at the Truman National Security Project, “recent revelations about U.S. surveillance activities not only made consumers and companies question government activities in cyberspace, but also eroded trust between U.S. cybersecurity practitioners and experts from academia, the private sector, and civil society.” That lack of trust coupled with the government’s tendency not to share information or meaningfully engage with non-government experts contributes to a fragmented cyber security field. As a result, the U.S. cybersecurity community lacks a common vocabulary with which to exchange views and create balanced policy frameworks that weigh long-term tradeoffs among security, access, and innovation. It also creates obstacles to new thought leadership on cybersecurity.
But it’s not too late for the U.S. government to change course and embrace a more open and cooperative approach like Israel does. Borene emphasized that the “U.S. government has a lot to learn from successful examples in allied nations. With more compromise and reform, there is plenty of reason for hope.” And Rhoades believes that “a cybersecurity partnership between government, business, and individuals built on trust is possible, and would promote more resilient networks as well as creative thinking on cybersecurity.”
For example, Washington should consider creating a new agency focused on information sharing and cybersecurity research modeled after the U.S. Centers for Disease Control (CDC). A cyber-CDC would help build trust within the U.S. cyber field by serving as a neutral clearinghouse for up-to-date data about cyber threats and effective defenses, just as the CDC does with infectious diseases. Its creation would help fill the deep gap that currently exists between public and private sector cybersecurity efforts by funding joint research to catalyze creative solutions to ever-changing cyber threats.
The active role played by the IDF in Israel’s cybersecurity field may raise concerns in the U.S. about the prudence of emulating Israel’s approach, especially given how the NSA already dominates the U.S. cybersecurity discourse. But the Israeli government’s proactive engagement and collaboration with academic, private sector, and civil society cyber experts builds trust, facilitates a deeper a discourse, and fosters new ideas. Washington would be wise to take note and show that it too can learn something new during National Cyber Security Awareness Month.