“Cybersecurity can’t remain voluntary,” says National Cyber Directorate executive
Meital Arik, Head of the Cyber Guidance and Regulation Division at the Israel National Cyber Directorate talks about how combating cyberattacks is an existential need, the lasting effects of the pandemic and the significance of regulation.
Diana Bahur-Nir and Raphael Kahan | 21:23, 25.04.21
Meital Arik is the Head of the Cyber Guidance and Regulation Division of the Israel National Cyber Directorate. She talked to Calcalist about how combating cyberattacks is an existential need, the lasting effects of the pandemic and the significance of regulation. What does your job entail? “I’m the head of the branch that directs the civilian market so that it will be better protected against cyberattacks: we pass along warnings, provide guidance, as well as actual technological assistance. When there is a warning, they pass through the Prime Minister’s Office Cyber Directorate's relevant channels. We are considered a security entity and operate as such.”
“We don’t want attackers to press that red button” How many organizations did you turn to who were attacked since they didn’t treat security breaches? “As of 2020, there were 2,000 entities who received warnings from us, and didn’t treat those systems, of the 6,000 total that we reached out to. We are involved in places where an attack could harm public interest or national security. Similarly to the case where the financial company K.L.S. Capital (where a group of hackers hacked into the company’s system and put some of its data on the market, including credit card numbers, drivers licenses, passport photos, and Israeli ID cards), or Shirbit for that matter, who retained many customer details throughout the years.” How do you deal with organizations that refuse help? “For those that refuse, we take whatever legal action to ensure they take the necessary steps. In most cases, organizations comprehend the severity of the scenario, and cooperate. In the case of Ben-Gurion, at one point the university president told me: ‘take my credit card and do whatever you can to make sure that the attacker won’t press that red button and erase part of the university.’ When an attacker decides to erase data or encrypt it - you reach a point of no return. You don’t always have all your files backed up, and restoring them isn’t easy and could take a good few days, as well as shutting down operations for the time being, and also seriously harms an organization's reputation.” In Israel, there aren’t any cyber laws, doesn’t that curtail your organization’s influence? “If large businesses decide not to cooperate - they know they still can. In any case, we don’t even touch their keyboards, they’re supposed to do everything themselves. Today, we are engaged in a persuasion campaign, and if there is a conflict with a particular entity, then we conduct a discussion between legal consultants on liability damages that they could be exposed to. In the financial field, for example, there are strong regulations that can help convince an organization to adopt certain safety precautions. In the end, the reality is that it’s still voluntary. Especially when talking about a body with no regulating authority, and that’s why urgent legislation will give the directorate authority when it comes to an asset under risk or the public interest and we will be able to fix the issue. There are some companies you have never heard of, but in the case of an attack they are connected to several other companies. Such attacks alway seem small at first.” But yet the lack of legislation still benefits the refusers. “For those who refuse, we hit a wall. They understand that we don’t have any legislation backing us up, and tell us: ‘you have no authority to continue. Let’s halt this discussion.’ It’s incredibly frustrating. What’s important is not that these companies are attacked, but that an attack on them can lead to other places. Meaning, that within a few months, we could find ourselves with an entirely new attack variant that has spread to another organization. It’s unbearable.” What will a government order grant you? “A government order will ultimately give us the ability to reach results through discussion, or in an administrative or through a judge’s warrant. When it comes to a body that relays to me that they heard my recommendation, but chose to address it on their own, in their own time, we could limit their ability to do so. We want to ensure that this chosen method will address the problem, and it’s important to set deadlines. From a national standpoint, it can’t remain voluntary.”
“Having a cybersecurity service is like having an accountant” For small businesses, cyber services don’t always make sense. “Just like you’d hire an accountant or lawyer, you should also hire cyber services. If that doesn’t concern you, you can hire a professional who can address these issues (protect your website, emails, the organization's network). During the pandemic, we released a list of service providers because after the Shirbit hack we received several inquiries from CEOs who told us they can’t sleep at night.” What does that list include? “It’s based on a declaration we issued for cyber companies which grants them a platform to offer their cyber services, especially during the pandemic when many companies struggled financially. We looked into the situation and checked providers are actually offering what they claim to. There are around 150 companies and products today with different categories of protection that companies can equip themselves with.” What about small and medium-sized businesses who for profitable reasons, have no incentive to invest? “We don’t expect everyone to hire a cyber defense manager and an information security manager. If that isn’t your main concern, no problem. You can hire external consultants. There are plenty of companies that provide full services and can provide you with peace of mind. We’re seeing examples of outsourcing that work quite well, and that’s why we encourage it.” Could an attacker lock a computer belonging to the Prime Minister’s Office through a ransomware attack? “In Israel, we have a combination of several factors that make us an attractive target, including technological developments that the Start-Up Nation has created along with the volatile region we live in. All this increases Israel as an attractive target for a cyberattack. In general, we always say that there is no such thing as 100% protection. We’ve made investments, have taken respectable efforts, and are equipped with significant defense systems on behalf of the Information and Communications Technology Authority to ensure that such scenarios won’t happen, and the fact is we haven’t seen it happen.” On a personal note, when you managed the IT Center for Critical Cyber Infrastructure at the Cyber Directorate you were diagnosed with breast cancer. How did you cope? “I was diagnosed in March 2017 with a tumor in one breast. I was only 37, which is pretty young for such a diagnosis, and it became clear that it was metastasizing. It was a big shock, and I had a type of panic attack. I underwent a year and a half of chemotherapy, radiation, and biological treatments. Since the age of 18, I have been reading up on the relationship between body and mind, and built up a library on the topic at home, took courses, and attended workshops. I told myself: ‘it’s time to use these tools on myself.’ When I saw that it helped me, and after seeing enough women trapped in this situation, I decided to pass along what worked for me to others in workshops. In both vectors - whether personal or professional - it’s about dealing with a crisis and finding ways to cope. The way to overcome it is to learn to retreat a bit, to recharge in between. Amid the storm, everything seems terribly difficult. There’s no night and day and all resources are directed toward this. I thank my partner, family, and friends who helped me during that process. When it’s over, you feel like you grew a bit.”