Elements of a National Cyber Security Strategy: the View from Israel
A national cyber security strategy ought to have three key layers, Dr. Eviatar Matania, Head of Israel's National Cyber Directorate, said: "robustness, resilience, and national defense." The government plays a different role in each.
Government can regulate robustness and support resilience (since "companies can't stand on their own"). Most attacks can be handled, "solved," at these two levels. But there are cases where the government must move to the third layer—national defense—which is necessary for mitigation, deterrence, and retaliation. The central cyber authority handles mitigation. The military may be called in for retaliation, and law enforcement agencies for criminal investigation and counter-terrorism.
Israel has found, Matania stressed, that a single central authority able to synchronize cyber security is indispensable. Israel's government is now in the process of implementing this recommendation. This, however, hasn't been the path taken in most countries, where one sees a great deal of capability building within agencies and within sectors. "In most countries, if you ask who's responsible for cyber, you get a list. We think this won't work."
Israel's unified approach might serve in particular as a useful model for smaller countries. It helps to align concepts of operations and structure, and to back these with capacity building. A central authority, they've found, serves as a place where different points of view "from throughout the ecosystem" can come together.
Matania offered an aphorism in response to a question about lessons the United States might learn from Israel's cyber ecosystem: to encourage innovation, permit failure. If you do this, and share risk, enough success will emerge from the foreseeable failures. And as a matter of policy, let the elements of the ecosystem collaborate.
In terms of international relations, Matania dismissed questions about specific threat actors as fundamentally uninteresting. "It's unhelpful to think in terms of actors. You must be prepared for a shifting threat. You can retaliate against those who do it again and again, but defenses shouldn't concentrate on any actor." There's a role for international cooperation against cyber threats, but such cooperation must, in Matania's view, be built on trust, which takes time to establish. He acknowledged the importance of international norms of conduct of the sort recently proposed by the White House, but he cautioned that countries need to do more than merely sign them. For example, it's great to agree to no attacks on critical infrastructure, but without clarity about what actually counts as critical infrastructure, such declarations will be of limited interest. "We prefer to have very narrow and accurate definitions of norms," Matania said. "Begin with something relevant, and move from there."