With double the number of scientists and engineers per capita compared to the US and 10 times more active-duty soldiers relative to its total population, Israel already has impressive human capital in scientific fields such as cybersecurity. But now it is also tapping everything from high school classrooms to venture capital firms to extract cream-of-the-crop cyber experts, hone their skills and ideas, and fund their development.
Israel’s model, though tailor-made for its unique size and capabilities, offers potential lessons for other countries looking to improve their cybersecurity game, including the United States, according to US cybersecurity experts familiar with Israel’s approach.
The US has numerous programs in place to attract and train the best cyber talent, and President Obama recently proposed expanding the cybersecurity budget by nearly $1 billion after an annual US intelligence survey ranked the threat of cyberattacks on banks, power grids, and other infrastructure as higher than terrorism or weapons of mass destruction.
But quality can matter more than quantity in this emerging battlefield, where a team of pony-tailed hackers fueled by pizza, Coke, and plum salaries may be enough to design major attacks or help bolster US defenses against them.
Some American experts say Israel may be zeroed in to an even greater degree than the US on developing cyber Top Guns with the ability to write and modify computer code, spot software vulnerabilities, move clandestinely inside networks, and manipulate systems, rather than just develop cybersecurity policy.
“What Israel has done is focus much more heavily on technical skills and leave the political work to the politicians,” says Alan Paller of the SANS Institute, who examined Israeli cybersecurity strategy as part of the US Department of Homeland Security’s Task Force on CyberSkills last summer. “Their skill level [per capita] … outdoes everyone, even China,” he adds, despite China’s “massive program” for developing skilled cyber experts.
Professor Isaac Ben Israel, a driving force behind the creation of Israel’s new National Cyber Bureau last year, says Israel has “the pleasure, the benefit, of selecting the right people for the right positions,” thanks in large part to mandatory military service, which pools the country’s talent and makes for efficient recruiting.
Such expertise helped Israel achieve a top-3 ranking in preparedness for cyberattacks in a 2012 report (PDF) by security technology company McAfee, along with Finland and Sweden and ahead of the US, China, and Russia. In addition, Israel’s critical infrastructure has been required by law to protect itself against cyberattacks since 2002, a decade before US Congress tried and failed to pass similar legislation. Israel has also implemented a host of new strategies in the past few years, including more math and science emphasis in schools, cybersecurity competitions, and major conferences such as Prof. Ben Israel’s 3rd Annual International Cyber Security Conferencethat opens June 12 at Tel Aviv University with an all-star lineup of speakers, from Russia’s Eugene Kaspersky to former White House official Richard A. Clarke.
Even so, Israeli experts remain concerned about enemies like Iran, which has the capacity to work on long-term attacks that require significant manpower, robust funding, and intelligence agents necessary to determine the location and type of computers used at, say, a power production company.
“In relative terms, we are in good shape,” says Ben Israel, a former major general in the air force and one of Israel’s most prominent cybersecurity experts. “In absolute terms, we are not in the required shape. Unfortunately we have more threats than Finland, Sweden, or even the United States.”
New cyber incubator
One of the recommendations made by Ben Israel’s task force was to further integrate academia, hi-tech industry, and the military. Together, all three fields create an ecosystem for cultivating cyber talent, both in cyberwarfare and the growing commercial market for cybersecurity software.
Exhibit A of this ecosystem is the southern Israeli city of Beersheva. It is home to Ben Gurion University (BGU), which last year became the first Israeli university to offer a graduate track in cybersecurity, as well as a massive new military communications complex set to open in 2014, which will include the main cybersecurity training center for the Israel Defense Forces (IDF).
Adjacent to the IDF campus is the Advanced Technologies Park in Beersheva, a 2 million square-foot complex that is set to open its first building in July and is wooing multinational corporations with government incentives that include up to 10 years of tax exemption and salary subsidies of up to 50 percent. Among the outfits already committed to the park are Deutsche Telekom and EMC, whose RSA division is involved in cybersecurity, as well as a new cybersecurity incubator, JVP Cyber Labs.
Jerusalem Venture Partners (JVP), which was recently ranked as one of the world’s 10 most successful venture capitalist firms, has among their holdings CyberArk, which began as a start-up with two graduates of the Israeli military’s IT unit and today serves 7 of the 10 largest banks in the world. The founders’ military service gave them, like many other former soldiers, a clear sense of where key security weaknesses lay.
“You can create great companies around that,” says Gadi Tirosh, general partner at JVP. “So that’s one area of talent that gives us in Israel a secret sauce to our Cyber Valley here in Israel.”
JVP benefits from Israel’s Chief Scientist Program, which contributes $500,000 for the first $100,000 investment JVP makes in its start-ups. “We can experiment with many more ideas at lower risk,” says Mr. Tirosh, noting that JVP can conduct a $1 million “experiment” for half the cost.
The new JVP incubator in Beersheva is aiming to invest in four start-ups per year, with the first to be announced early in the fourth quarter of 2013.
“The Cyber Labs team is already active in identifying potential first investments, with key themes including zero-day attacks, advanced persistent threats, mobile security, and big data forensics,” says JVP partner Yoav Tzruya, a former Air Force intelligence officer who is leading the incubator in cooperation with BGU.
JVP is benefiting from military-honed expertise not only in Mr. Tzruya but also venture partner Nimrod Kozlovsky, a former captain in the IDF’s electronic warfare unit.
New cybersecurity grad program
Bracha Shapira, the head of BGU’s Information Systems Engineering department, says the proximity of the new military campus and the new technology park with the JVP incubator will boost the university both financially and in terms of research opportunities.
“When you collaborate, industry gives you money to research,” she says. “Also, you work on more interesting things because you understand the real problems that industry and defense [are facing] …. You get good sources of data, and really get to work on cutting-edge technology.”
The government is also offering scholarships of up to 300,000 shekels ($83,000) as part of a 50 million shekel program to promote research on protecting Israel’s networks and websites as well as exploring ethical and psychological questions related to cybersecurity.
Given the uptick of interest and funding in the field, Professor Shapira says she hopes to roughly double the number of students in the new cybersecurity graduate track from 16 this past year to 30.
Military hones program for high-school cyber geeks
The IDF sends select soldiers to universities such as BGU for specialized training, especially in the sciences. But given the urgent need for talent, the IDF launched a special program three years ago to identify exceptionally qualified high school students and begin their cybersecurity training as early as 10th grade. Currently 200 students are enrolled in the program, but graduates have so outperformed their peers in the IDF that commanders are clamoring for more. So this year the program will double in size, and the IDF hopes to see 1,000 students involved within two years.
“It costs money but they’re willing to spend more money. If they’re willing to pay you, it means you deliver,” says Lt. Col. Sagi, who helps manage the Magshimim program, which is supported by the national cyber bureau and the private Rashi Foundation as well as the IDF. “And we think we deliver very good students, or cyber experts.”
The application process is highly competitive, and includes a two- to three-hour written test as well as a one-on-one interview. Each week, students meet six hours after school and do two to four hours of homework. They are taught by university students but the overall structure of the program is overseen by the IDF, which built it from scratch as no other similar models existed.
“We change it every year, because as you know when you build something from scratch you have a lot of changing and a lot of tuning to do,” says Sagi. “I think it’s getting better every year.”
But so are Israel’s cyber enemies.
Indeed, the number of cyberattacks on Israel is rising “exponentially,” says Ben Israel. “We have to run very fast in order to stay in the same place. But we are doing it.”