Shin Bet vets team up with Volkswagen to revolutionize automotive cybersecurity

In Tsafrir Kats’s office, near his desk, hangs a photograph of an old race car with a signature. He’ll probably protest that I’m referring to the Porsche 917 that way, a race car that brought the company its first win in the 24-hours Le Mans race in 1970, after years of Ferrari and Ford dominance. The signature belongs to Ferdinand Karl Piëch, Ferdinand Porsche’s grandson, who oversaw the company’s car development, which kicked off his career, and ultimately led to his rebuilding and leading of the Volkswagen Group for two decades.

“This happened when we just started to work with the Germans, when both sides were still debating whether to collaborate, and we were introduced. Back then, Piëch wasn’t the CEO, but the head of the Group’s advisory board, still very influential and respected, and still receiving credit for turning the car manufacturing company into the largest in the world, with plenty of acquisitions and technological developments. Right away I told him, perhaps with a little bit of chutzpah: ‘with all due respect, this car is your greatest engineering feat,’ and I gave him this photo to sign.”

How did he respond?

“I’m not sure that anyone who worked with him knew his personal motor history to that extent. He was a quiet man, but at that moment he smiled, and autographed the photo.”

CYMOTIVE Technologies is currently celebrating five years since its establishment, being co-founded by Volkswagen (who controls 40% of its shares), and three former Israeli Shin Bet security agency figures - Yuval Diskin, a former Shin Bet director who now serves as CYMOTIVE’s Chairman of the Board; Kats, a former head of Shin Bet’s Technology Division who currently serves as CEO; and Dr. Tamir Bechor, a former head of the Computing Services Unit in the Shin Bet. In 2012, the Israeli trio met with their German counterparts for the first time, and after a few years of keeping it all under wraps, the connection transformed into a business partnership.

The big money these days is in offensive cyber companies, such as the NSO Group. Do you regret not heading in that direction?

“Not at all. When we first started, we made three decisions: we’d only focus on defensive cybersecurity, because offensive cyber needs to be a tool only the state holds. We didn’t want people to claim that we were taking advantage of our connections with the defense sector. I see what is happening today, and am even happier that we chose this path.”

There are other Israeli automotive cybersecurity companies that work with some major car manufacturers, like Karamba, Argus, and Arilou, but Volkwagen is the only one to have co-founded a company with Israelis, granting the trio responsibility in this sensitive sector at the corporations 12 different car brands that include Audi, Skoda, SEAT, Porsche AG, Bentley Motors Limited, Bugatti, Lamborghini, Ducati, MAN, Scania AB, and VW Commercial Vehicles.

“Our values are the same as they were at our previous job. We deal with protection, just in this case it’s vehicles and their users, and we are enabling the revolution of the next decade of the autonomous and connected vehicles. CYMOTIVE is sort of between a startup and a large company. On one hand, we’ve got an Israeli crew with all their innovation and creativity. On the other hand, we are part of the development of new vehicles from the first moment, even though we come from a country in which there isn’t really a car industry. This is an industry with many regulations, checks and processes and that isn’t really an Israeli thing. I meet German engineers who proudly tell me how their children would stand near the Porsche race tracks, just like we boast about which military unit our children served in. These are completely different cultures that we must learn to connect and incorporate. I always remind our Israeli crew to be humble. Remember that you don’t understand cars like they do, so don’t go over and think you know it all. We understand what we do, but we’re constantly learning more.”

For years we've heard about cyber threats, about hackers who will crash cars remotely, steal their data, or take control of them for ransom purposes. But aside from experiments that identify or highlight breaches, we still haven’t yet heard about major attacks or disasters.

“Until 9/11, would you have believed that terrorists could take control over a plane filled with passengers and crash it into a symbol like the Twin Towers? The potential for attacking vehicles also exists, it’s simply a matter of time until someone decides to do something beyond the attempts we’ve seen to retrieve information on vehicles, whether trying to figure out if it’s worth tracking the car owner or whether to obtain their credit card number. These are attacks that even 13-year-olds around the world can attempt. Until recently, many vehicles weren’t always connected to a system or the cloud. That really changed over the past few years. That’s why there are already a million cars with our protection systems. It’s a huge responsibility, which we were prepared for, thanks to the structure of our partnership with the Germans and that of our three founders who have seen a thing or two in their lives.”

The Germans can also decide they want to build their own cyber protection.

“We’re little more than a dot compared to Volkswagen - a company that manufactures nearly 10 million cars a year and is valued at $140 billion, and are ultimately dependent on their decisions. We constantly need to prove that their investment in CYMOTIVE is worthwhile, and plan to grow along with them. The very fact that we were founded as a partnership company, and not simply as a service provider through one of the large suppliers in the automotive industry shows that the Germans consider our operations significant.”

What type of software or features will Volkswagen try to sell us?

“The key words here are personalization and customization: how to make your car different from that of your neighbor, so that it’ll be just the way you like it. Let’s say you have a Porsche and are planning on taking a two-week vacation. You can download a temporary upgrade of an additional 100-horsepower to the car’s engine through a software update that will serve you on the racecourse. The possibilities are endless, and this is a potential source of large revenue for many companies.”

CYMOTIVE employs 140 people, including 30 in Germany, and is in a constant state of growth. Lately, the company has started operating a branch in the Bar Lev High-Tech Park in the Galil, as part of an effort to recruit talent in the northern part of the country, with an emphasis on Arab professionals who live in peripheral areas.

“We are planning on opening another branch in Germany in Ingolstadt (where the main Audi facility resides), or nearby in Munich. Germany also has a manpower problem, and Mercedes and BMW are now recruiting talent for their cyber operations too. Volkswagen preceded them with its massive entry into the field, and by spotting the field’s importance early on.” How are you coping with the tough competition for manpower in Israel?

“Money is a condition, but it isn’t the only thing that will get people to come to work. We need to create an atmosphere that will make people want to wake up in the morning and come to work, or at least encourage them to happily open their computer at home. We must challenge them, offer them a horizon for development, and we can do that by transferring from development to cyber penetration testing, or offering management positions, or the possibility of relocating to our German office. We need to be the type of managers that employees want to work with. I served for 28 years in the Shin Bet due to my commanding officers. The job is also interesting, this idea of being part of an automotive revolution, including the transition to eco-friendly electric vehicles. I’m not the only one who sees a Bugatti car, and tries to figure out how to take it for a spin.”

And then there’s the trivial matter of salary.

“I can’t compete with other salaries that other companies in the market are willing to pay. We must be rational about salaries, otherwise we won’t last long. If salaries continue to climb, foreign companies will begin to ask themselves what they are doing in Israel, since not everyone here is a genius. It’s now more expensive to hire a cyber engineer in Israel than one in Germany, so we have to prove that we have that edge to justify that.”

How many of your employees served in the Shin bet, or the IDF’s Unit 81, or Unit 8200?

“Naturally, there are plenty but that’s not everyone. We really invest in diversity, and employ 30% women, and have secular Israelis working alongside the ultra-Orthodox, 22 year-olds who finished their army service working next to 70-year olds. We also employ new immigrants. I really respect Technion graduates, but am also looking for out-of-the-box thinking. That’s why those with ADHD or dyslexia bring an advantage to the cyber industry.”

But we need new sources of manpower to face the shortage.

“I want to hire Israeli combat veterans, and train them in cyber. There are those who scored high on their high school matriculation exams in math or computer science, but in the military chose to serve in combat units, or weren’t accepted to the more technological positions. I think we owe veterans something after their brave service, and I also think they could be an asset to the cyber industry. We can train whoever has the talent, but hasn’t put it to good use yet through an abridged training track. We’d ask them to stay with our company for two years before embarking on their own path.”

And then Ferrari called

The company’s contract with Volkswagen allows it to work with other car manufacturers separately. Thus while simultaneously working with the German manufacturer, CYMOTIVE is already working with an autonomous truck company that Kats refrains from disclosing. “The autonomous truck revolution will precede that of private vehicles, since it’s far easier to make changes to truck routes, who typically transport goods via defined roads five days a week. They’re a fascinating customer and have helped us enter an entirely new arena,” he says. However, he is prepared to disclose another customer: the sports car giant Ferrari. For two or three years, his team has worked with the luxury Italian car manufacturer, which seems to be Volkswagen’s polar opposite.

“In the past, exotic car manufacturers weren’t involved in the cyber sector, since these boutique makers had an older operating system that no hacker bothered learning to unravel due to the small number of vehicles. Now that is changing, and even supercar makers need to transition to the same Linux operating systems as everyone else, which makes them more vulnerable. They must follow the industry’s standardization, and even as a small company we need to be prepared to respond in real-time to car-hacking attempts, and protect against vulnerabilities that could emerge in our systems throughout the car’s lifespan.”

How does working with Italians differ from working with Germans?

“First of all, it differs because the German industry mass produces cars, while Ferrari is an elite brand. Volkswagen’s main operating center in Wolfsburg - where our team works - spits out a new car every eight seconds. Ferrari works at a wildly different rate: in the two years we’ve been working with them, we still haven’t touched an actual car. It also took some time before Volkswagen allowed Israelis to even touch their cars. In the beginning, we were involved in protecting their production lines and various facilities. They know that we understand cyber, but hey, the Sussita (a car once manufactured in Israel) wasn’t exactly a Volkswagen Golf.”