Israel should form cyber defense pact against Iran, outgoing cyber chief tells 'Post' - exclusive

Outgoing Israel cyber chief Gaby Portnoy talks to JPost in his first exit interview about Iran, Hezbollah, Hamas, US, Russia, China, and Arab allies.

An Iranian flag is seen on a computer's CPU (illustrative) (photo credit: SHUTTERSTOCK)

Israel should build a cyberdefense coalition that includes all the Middle Eastern countries that helped defend Jerusalem against Iran’s ballistic missiles in two attacks in 2024, former director-general of the Israel National Cyber Directorate (INCD) Gaby Portnoy told the Magazine in his first interview since recently exiting the role. 

Despite the ongoing Middle East war, “International cyber cooperation is important and strong. With the US, Germany, and England, and with the UAE, relations were not harmed by the war. We and the UAE still have an international project to combat cybercrime. We are building a platform for information sharing among 33 countries,” said the outgoing INCD chief, who ran the authority since early 2022.

Portnoy, 56, told The Jerusalem Post that Israel and the UAE had added 20 new countries to the initiative in the last year. This meant that the number of countries actively sharing information jumped from 13 to 33, and the number passively on the platform rose from 40 a couple of years ago to 70.

However, there were questions about the future, given that the platform was a White House initiative under the Biden administration and that the Trump administration has severely cut back on its cyber and foreign affairs departments.

GABY PORTNOY, exiting director general (credit: Courtesy)

Still, Portnoy said that despite the position of the US, “we and the UAE eventually took ownership of the initiative” and are continuing to develop the initiative.

Progress in cyber-relations

Also, despite the war, in cyber relations with Morocco and Bahrain “there is also progress,” though there are other countries with which he acknowledged it was possible that cyber relations had been slowed due to the war, such as Saudi Arabia.

Portnoy hopes that ongoing diplomatic processes, with American help, would bring in the Saudis and other Middle Eastern countries so that joint cyberdefense against Iran can be at as high and broad a level as the Middle East regional missile defense alliance, including the Saudis.

An example of some of the exchanges, which are ongoing, showing a stronger alliance, occurred as part of a virtual conference of 60 countries on November 1, 2023, when Portnoy requested 10 minutes to speak about the personal impact of Hamas’s invasion on Israel and the INCD on October 7.

He told them the war has been “a very personal event for Israelis.... I told them about the Epstein family, whose son jumped on a bomb to save others.... I told them of co-workers’ wives or nephews who were killed, and of one of my assistants, whose partner was murdered while she was speaking with him on the phone on October 7. I told them this brought all Israelis together. They got the message.

“I have a vision of building a cyber dome for them and to coordinate between countries’ cyber domes among the democracies of the world,” stated the outgoing INCD chief.

Cyber threats after Oct. 7

Portnoy was asked how much worse cyber threats are now, given that at earlier points in the war he had told conferences that threats had tripled in volume.

He was also asked whether, after years of increased focus on cyber threats before October 7, the post-October 7 renewed focus on the need for old-fashioned infantry and tanks is coming at the expense of investing in the digital battle space.

“In 18 months, there was not a significant episode which brought down the country’s ability to operate,” Portnoy said with pride, adding how honored he was to lead the talented staff of the INCD.

“The potential to bring down the country was there,” he said, “with triple the cyber threats, and the people and resources we had were the same, but we stopped the vast majority of attacks and stopped all attacks from impacting functionality.

“But we cannot pat ourselves on the back and be complacent. There are still many gaps,” he warned.

Further, he cautioned, “Cyberdefense isn’t just about reducing the existing gaps, it is about always keeping pace with the technological race. For example, artificial intelligence helps both the attackers and the defenders improve.

“All of Iran and its proxies, especially Tehran and Hezbollah, used escalating cyberattacks on Israel starting by October 8, 2023,” he said.

Moreover, Portnoy emphasized, “Hezbollah continues cyberattacks on Israel even after the November 27, 2024, ceasefire, but Hamas has lost its cyberattack capabilities.

“There are still more minor attacks by Hamas and allies overseas, but they are weaker than what Hamas’s cyber forces were in Gaza,” he remarked.

He gave significant credit to his staff for racing onto war footing early on October 7.

That day, he said, he arrived at his office at 9:30 a.m., with others arriving at the office by 10 a.m. By 12 noon, he sent a warning to be on cyber war footing to the entire market – a high-flying pace at which the INCD has remained since then.

CrowdStrike

Asked to give an example of the kind of major October 7-style cyber mass invasion or hack Israel could face, Portnoy gave the example of the July 19, 2024, crash of around 8.5 million digital systems worldwide – the largest outage ever of information technology – due to a faulty update by American cybersecurity company CrowdStrike.

The faulty update to its Falcon Sensor security software caused a variety of errors with Microsoft Windows computers which could not even properly restart, causing up to an estimated $10 billion in financial harm.

The outage disrupted daily life, businesses, and governments around the world, such as the airline industry, banks, gas stations, hotels, hospitals, manufacturing, stock markets, communications, and emergency services.

Globally, more than 5,000 flights, around 4.6% of those scheduled that day, were canceled, with a much worse nationwide shutdown of US airports.

Temporarily, the CrowdStrike crash shut down 14 Israeli hospitals and four major banks. Falcon, CrowdStrike’s platform for detecting and responding to hack attempts, was deeply embedded into the most critical aspects of individual computers’ operating systems. The platform regularly sent automatic updates for “patching” newly discovered security holes, but one of these updates had a mismatch between 20 lines and 21 lines of code, which caused an error and then system-wide crashes.

Later, CrowdStrike revealed that this error was missed essentially because the company had overly automated its process for checking errors in “routine” updates, as opposed to errors in major fundamental coding changes.

Cyber first responders

Despite the mass disaster globally and in Israel, the INCD was able to send dozens of cyber first responders across the country, and given that the outage occurred on Israel’s weekend, by the time the Israeli work week opened on Sunday, all the major institutions that had been hit were back up and running.

Portnoy said, “We had a secure Zoom with top INCD officials. Then we called everyone back to the office or sent them directly to the organizations needing assistance.”

But Portnoy was clear that hackers could use similar methods in the future for a mass hacking effect.

In addition, he warned about the impact of social media influence campaigns, stating, “October 7 was much bigger than the cyber impacts... there were also social media attacks, and using AI.”

Collectively, hacks and disinformation social media campaigns put “the state, private sector, and civilians all ‘on the front’ at the same time.

“Not all harmful attacks even need to be very sophisticated,” he added.

An analogy of a hacking issue that could expand into a much bigger issue would be if Hezbollah or some other Israeli adversary would figure out a way to reverse some version of the beeper mass sabotage against Israel.

Portnoy said that he had known about the beeper plans long before heading INCD, from his prior roles in Israeli Military Intelligence.

“Israel’s beepers attack on Hezbollah opened up the spectrum of scenarios of what kind of mass Oct. 7-style disaster could hit Israel’s ability to function as a nation,” he warned.

He noted that the beeper explosions so unnerved Hezbollah that it lost the capacity to rely on any electronic items, from communications devices to air-conditioning units to smart hot water heaters.

INSIDE THE Israel National Cyber Directorate. (credit: MARC ISRAEL SELLEM)

Iran-Hezbollah axis

One of the most likely actors to try to go after Israel with such cyber and other weapons would be Iran.

Iran has doubled its investment in cyber weapons over the last 18 months, said the outgoing INCD chief.

Moreover, he stated that if in the past the Islamic Republic was sometimes less effective because of internal fighting between its Intelligence Services Ministry and the Islamic Revolutionary Guard Corps, these groups are now working together seamlessly for cyberattacks.

Also, during the current war, “Hezbollah became completely integrated with Iran’s cyberattack infrastructure against Israel, such as homing in on targets, collecting intelligence, and sharing capabilities.”

Kinetic targeting

All of this can also be to support kinetic targeting by Iran and Hezbollah.

Portnoy noted that the Shin Bet (Israel Security Agency) has published numerous reveals about Iran’s combined cyber and physical spying efforts against Israel.

Moreover, he said that Tehran has lost any sense of restraint on the kind of Israeli institutions it will try to hack.

“Before, they did not launch cyberattacks against hospitals. Now they attack all of them,” he said, noting the numerous cyberattacks on Ziv Medical Center – beyond the one successful hack of the hospital in December 2023. However, other than the one successful hack of Ziv, “all the other cyberattacks on Israeli hospitals were stopped by the medical centers and the INCD in support,” he stated.

In that December 2023 attack, the main problem was Iran’s theft of private information, and less a question of the hospital’s medical devices being vulnerable.

Also, all of Israel’s universities were cyberattacked during this war, but without much success, Portnoy noted.

He acknowledged that in some cases, foreign hackers succeeded in obtaining information that was not all that secret during some of their hacking attempts on Israeli institutions.

For example, Iran did successfully hack some technology in a children’s nursery school network in March. But Portnoy was dismissive of this as low-hanging fruit, where there is little reason to protect from hackers. “How low can you go? What – you want to do a hack to scare some young kids?”

Russia-Iran axis

But Tehran is not alone. It has powerful friends, like Moscow, which could give, or may already have given, it cutting-edge cyber weapons for striking Israel.

“Cyber has no borders. A big question has been regarding geopolitical impacts relating to the cyber world. Iran provides drones to Russia against Ukraine. We had a fear that Russia will give Iran great power cyber weapons, and we are tracking this issue carefully,” Portnoy said.

However, he updated, “We have not seen this play out yet. There are some training elements of cyber they [Russia] have helped [Iran] with, but they didn’t give them real tools.

“When we identify Iranian attacks and we are looking for the ‘Russian scent,’ one place to look is Russian tactics in social media influence campaigns. We have seen the use of tools to erase information” by Iran evocative of Russian hacks. 

“These are different tactics than what the Iranians did before. But still, they are not a true cyber power; Russia did not give them zero-day attack cyber weapons,” he stated.

All of this is also a larger concern because Russia-Israel relations have declined since Moscow’s invasion of Ukraine in early 2022.

But what about China?

China

Portnoy recognized that Beijing and the US, and to some extent the entire West, are in a broad long-term trade war, and that Israel must be ready for all kinds of unpredictable impacts from such a battle.

However, to date, he noted, even as China publicly slams Israel at the UN and assists Israeli enemies like Iran with certain issues, Beijing has maintained robust economic relations with Israel, and there has been no sign that it “would risk a direct conflict with Israel,” meaning not even using cyber weapons, at least to date.

In addition, Portnoy was skeptical about some Western attempts to isolate China.

He noted the on-again, off-again attempts by US President Donald Trump to close down Chinese social media giant TikTok within the US.

His implication was that not only had Trump balked in the end at the consequences of shutting down TikTok, but also that if he had shut it down, Beijing would have found some other way to penetrate American social media feeds.

For example, the US in 2020 and 2022 tried to blacklist Chinese telecommunications giant Huawei to weaken it as an arm of Chinese policy and potential spying.

But Huawei eventually maneuvered, got additional Chinese government backing, and is stronger than ever today, cutting into a variety of new technological areas of competition.

Likewise, if Israelis are concerned about purchasing Chinese electric cars lest they have some back door for being hackable, Portnoy noted that Tesla and Volvo electric cars are also made in China and could have risks as well.

Online tools

Portnoy is still concerned that average Israelis should acquire “the right tools for acting properly online. We need Israeli customers to understand cyber threats” and disinformation campaigns.

And he said, “I am happy the Defense Ministry stopped a competitive bidding process” from being open to China regarding developing one of the new key lines of the Jerusalem light rail.

But at this time, he does not see direct cyber threats from China or any real success in banning the Chinese from services industries where it is hard to truly isolate them, while agreeing that it is better to have less Chinese involvement in building and operating critical infrastructure.

Trump’s cyberdefense cuts

On April 4, US National Security Agency and Cyber Command chief Gen. Timothy Haugh was unceremoniously fired by Trump for no particular reason or error other than that he had the misfortune of being promoted to take over those roles during the Biden administration, and Trump was indiscriminately cleaning house of all Biden appointees, no matter how technical and apolitical their roles were.

Simultaneously, Trump has suggested cutting at least $500 million out of a $3b. budget from the US Cybersecurity and Infrastructure Security Agency, including many of the agency’s 3,600 employees, allegedly to push back on censorship of Republican causes.

But James Curtis, a cybersecurity expert and former US Air Force officer, has told Politico, “It’s open season on the US... we are unilaterally making the environment a good hunting season for them” by cutting back on cyberdefense just as the cyber wars between America and Russia, China, Iran, and North Korea are hitting new levels.

Asked about how the US’s falling from its top cyber tier could impact its “little brother” Israel in the broader balance of cyber power, Portnoy said, “It hurts everyone.” But he added that private companies have begun to heavily supplement the roles once played solely by governments.

“Big technology companies like Microsoft, Google, Starlink, and Amazon, as well as cybersecurity focused companies like Check Point and CrowdStrike, have visibility on the world stage and sometimes have as much impact as nation-states,” he said, arguing that the US private sector could heavily support Israel, even if the government’s cyber efforts get weaker.

He urged the US government “to rebuild what is being lost rapidly,” while expressing confidence in Haugh’s successor, new NSA and Cyber Command director general William Hartman, as being “very qualified.”

“Still, it is very worrying, including what is happening with the FBI,” he warned, referring to large-scale firings of FBI officials, which can also impact cyberdefense and all sorts of national security investigations.

Temporary emergency cyber wartime regulations

During the war, temporary cyber regulations have given special powers to INCD to intervene in certain private sector, especially critical infrastructure-related, industries to avoid widespread hacking problems.

The basis of these powers, which have recently been extended until at least October of this year, is that the interconnectivity of the modern economy makes the hacking of one business area a danger for many other areas.

Some years ago, the Post reported that the state had already designated 31 critical infrastructure sectors. Portnoy would not reveal the latest number, but said it had increased significantly.

He added, “We need to always be asking: where is the new critical infrastructure which needs to be defended which we have not yet thought about?”

Discussing the concept of a cyber dome or cyber shield, similar to Iron Dome against rockets, he stated, “we should detect a cyber threat within an organization’s digital network and stop it automatically. We use a mix of defensive tools, as with air defense where there is the Arrow, David’s Sling, and also Iron Dome – each of them with a different defensive role.”

Moreover, he said, “We can see certain technological logs, sort of like the general metadata without seeing the content inside or like being able to see that there are many cars in a traffic jam on a street, but without being able to see who is in each of the cars.”

The idea of seeing certain information, but not other deeper aspects is to be only able to see data necessary for cyber defense, but not to expose private information unnecessary to that defense.

When Portnoy entered office, he had criticized prior terms of the INCD for demanding too much access to private companies’ networks in order to help them defend themselves or undo a hack. That is why he has also been much more proactive about offering huge amounts of data to private companies, often in real time, and in any event long before he might need to enter their networks.

“There must be a balance between privacy concerns and security, the rule of law and democracy,” he said.

Portnoy explained that “the temporary emergency war cyber law did not make a total change. It only gives permission to INCD to enter private companies’ digital space if there is a grave cyber situation. This must be proven before the Attorney-General’s Office, which has a special cyber advisory team.”

However, to handle the issues of supply chains and cyber security network chains, he said that not mere temporary regulations, but rather a permanent full-fledged cyber law is needed.

New permanent cyber law failed, might be passed soon

The idea of a new cyber law is not new, but goes back around a decade.

Portnoy himself told the Post shortly after taking office that he would finally be the one to get it passed after his predecessors had fought hard and come up short.

According to Portnoy, the battle has now nearly been won, and the law could be months away from passing.

In early 2023, Portnoy presented to Netanyahu and his ministers the fact that Israel was already behind Germany, Australia, England, the US, and the EU in providing regulations that obligate the public and private sectors to focus on new critical infrastructure, to file reports within set amounts of time (often 24-72 hours) if there is a hack, and that set out what steps the government can take to enforce cyberdefense standards and reporting.

If he made so much progress, why did Portnoy himself not finish the job off even earlier? He responded, “We decided that the cyber law needed to be a national cyber law not just covering the INCD, but also covering the whole country, which greatly increased its complexity.”

“We needed to identify and delegate specific kinds of authorities to each government ministry and also coordinate with all of the country’s diverse security bodies. Each security body has their idea of how things should be,” he said.

But Prime Minister Benjamin Netanyahu pushed things forward, he said, even as the two have not had the closest personal relationship.

The Shin Bet and the IDF needed to define their cyber vision and goals and each agency had to define their specialty since the INCD “can’t do it alone.”

Defining the INCD for the purposes of the new law, he said, “We are an operational body in all ways. We were ready for war... We even had operational ‘reserves’ to call in. But we could still get better and the length of the war has challenged our reserves.”

At the same time, he stated INCD is “also a technological body. We need to give state-wide solutions for Israel.”

As Portnoy rides off into the sunset, or at least back into other slightly less constantly “operational” endeavors, he is proud that Israel’s cyber dome stood strong on his watch. 