Israel’s example holds three key takeaways for EU cybersecurity

The whole world saw Iran’s unprecedented direct attack on Israel and watched as Israel’s allies and the Arrow defense system knocked three hundred missiles and Shahed drones out of the sky.

Behind this intimidating display of kinetic force though, a different kind of war was raging, one based in cyberspace. The Iranian hackers’ group Handala sent 500,000 text messages claiming to have breached RADA Electronic Industries, an Israeli company responsible for the country’s vital radar infrastructure. The messages ended with a threat - abandon Israel or else suffer the consequences. However, it soon became obvious that no real breach had occurred. The operation was a cyber information mission designed to demoralize and confuse the Israeli public at their most vulnerable moment.

Israel is more than prepared to counter such an operation. While the Arrow and the Iron Dome may be more media-famous, the country is a global leader in cybersecurity, nipping 3,380 operations similar to Handala in the bud last year alone. Indeed, when it comes to cyber intelligence and defensive capabilities, the nation of just nine million people ranked only behind the United States and on par with the United Kingdom, France, Russia, and China in the latest International Institute for Strategic Studies evaluation.

The secrets to its enduring success offer great lessons for players like the European Union who are looking to build their future cybersecurity capacity. Detailed in a new book by top experts in the field, “Israel and the Cyber Threat: How the Startup Nation Became a Global Cyber Power”, the formula rests on three fundamental pillars: human capital through proactive education, a vibrant and resilient private cyber sector, and a flexible national cyber strategy.

Israel is a pioneer in cyber education, selecting the best and brightest for a cybersecurity career starting from their school days. Since 2010, it has been the first country to give high school students the chance to obtain a cyber studies degree via several training programs. The most well-known of these is the prestigious Magshimim (“Dream Fulfillers”), which offers university-level instruction in 25 different locales and 142 active classes for gifted high schoolers from underprivileged backgrounds with a proven talent in coding and hacking. At least 30% of those serving in Israel’s elite unit 8200 (the equivalent of the US National Security Agency or the EU’s Agency for Cybersecurity) and 65% of the wider Israeli intelligence community are Magshimim graduates.

Of course, early investments in human capital would not matter if there was no way to apply that knowledge to Israelis’ cybersecurity needs and wants. Israel thus made it a national security priority to cultivate ease of doing business and become the attractive global destination for cyber R&D investment, venture capital, and innovation it is today. It is the state with the highest number of tech startups per capita (600 yearly) and features a third of all existing cybersecurity unicorns. It is not for nothing that corporate giants like Microsoft house their strategic global development centres in the “Silicon Wadi”: the greater Tel-Aviv area is the biggest high-tech cluster outside of Silicon Valley, boasting the highest number of scientists and research personnel per capita anywhere (at 135 for every 10,000 people in 2017, above the US’s 85 per 10,000). Hence, the future of cybersecurity in domains like artificial intelligence arrives in Israel first. In military terms, that means the nation enjoys an enormous technological advantage over its opponents.

Underlining the explosive growth of the private sector and expansion of human capital is a regulatory framework that sought to nurture a cyber-ecosystem rather than a controlling top-down structure.

Because of Israel’s fractured coalitional politics, power struggles between civilian and military administrations, and an independently-minded strategic culture used to saying “no” to authority figures, the state does not have a comprehensive national security strategy or even a written defense doctrine to guide its decision-making.

Uniquely in the case of cybersecurity, this informality is a conscious choice by consecutive Israeli governments to keep up with the pace of technological evolution. The approach crystallized in Cabinet Decision 3611 of 2011, which cites the guiding policy principle of promoting cooperation between academia, the private sector, the government, and the defense establishment. It continues to our present times in the Israeli National Cyber Directorate’s 2017 Strategy, detailed in a 2020 report in English.

Despite its references to “comprehensiveness”, the most recent document portrays the same preference for general principles over specific requirements. The Israeli National Cyber Directorate assumes a supportive role by classifying the type of threats that Israel faces, strengthening the public and private sectors’ abilities to repel attacks, providing professional guidance in best practices and preparedness plans, encouraging systemic resilience through a swift recovery after a cyber-attack for firms like RADA Electronic Industries, and building cyber-awareness educational programs.

Of course, it would be impossible to emulate Israel’s performance perfectly. After all, no one could reproduce unique factors like its geopolitical situation or its long history of compulsory military service.

But the European Union would still benefit enormously from taking these lessons to heart.  To even begin to compete with Israel’s cyber-education, European High Educational Level programs should finally introduce cybersecurity courses and allow anyone to finish high school with a degree in the subject matter that is recognized throughout the EU. Policymakers need to further recognize that barriers to business are becoming a security risk and reduce regulatory overreach. They must also refrain from strictly defining cybersecurity targets within the fledgling EU Cybersecurity Act, no matter how tempting that may be from a theoretical or administrative standpoint.  Ideally, they would seek to maintain their general commitment to EU-wide coordination and certification by incorporating an equivalent to the Israeli National Cyber Directorate’s proportionality norm in the legislation, whereby heavy-handed interventions are called for only in dire situations. 

The three fundamental pillars helped Israel get ready to face its digital threats, come what may. It remains an open question whether Europe will follow suit.