[Boots Off the Ground: Security in Transition in the Middle East and Beyond] Episode 28: From Unit 8200 to Cybersecurity Training

Abstract

Mr Roy Zur, retired major from the Israeli Defence Force – Unit 8200 – discusses the future of cyber warfare and cyber intelligence.

This podcast series is presented by Dr Alessandro Arduino, Principal Research Fellow at the Middle East Institute, National University of Singapore.

 


 

Full Transcript:

 

[Alex Arduino]: Welcome to our Middle East Institute (MEI NUS) podcast series Boots off the Ground (BOTG), security and transition from the Middle East and beyond. In this series, we look at the future of warfare and uniformed soldiers, or boots on the ground, being replaced by private military companies, autonomous weapons systems and cyber weapons. Previously we have been discussing the future of AI in cybersecurity with Omri Lavie; now we are looking to explore the future of cyber warfare and cyber intelligence. I’m your host, Alessandro Arduino, and I’m extremely excited to have with us today on BOTG Roy Zur. Roy is a cyber intelligence expert. He is also the founder and CEO of several cyber companies, including Cybint, a cyber education company that Mr. Zur has developed in Israel and Singapore. In this respect, Mr. Zur has more than 15 years of experience in cybersecurity and intelligence operations from the Israeli Defense Force’s famous Unit 8200. He has developed cyber education programs and technological solutions for companies, education institutions and government agencies worldwide. Thank you for taking your time to be with us today, Roy, and especially thank you for making sense of the development of cybersecurity and how to train the future generation of cyber experts.

[Roy Zur]: Thank you. It’s a really great pleasure to be here and I’m excited to be part of this amazing podcast.

[Alex Arduino]: Israel is well known all over the world, being called the “startup nation”, and you managed to transition from Unit 8200 to a successful career in the private sector. So how, in your opinion, has your personal experience in Unit 8200 influenced your future career as a businessman, and what are, in a nutshell, the critical lessons that you learned?

[Roy Zur]: I think that one of the unique things about the Israeli Defense Forces, and specifically the intelligence units and Unit 8200, is the fact that from a very young age you get significant responsibility, so significant that at the age of 20 or 21, I was already doing things that maybe only now I’m starting to do again. I found myself at a very young age, 21, managing hundreds of people in a very complex environment. I was sent to the US for bilateral discussions with other peers of intelligence forces that were twice my age. And that was something that put me in a position that forced me to grow up very fast and to take a lot of responsibility very fast. And I think that sometimes we underestimate what young people, whenever they are given an important mission, can do, especially in a very short time. This is one thing that I learned from the unit, and also, specifically in the context of cybersecurity and cyber intelligence, the unit, of course, opened the world for me to see cyberwarfare from within, to identify the challenges and to learn the skills. I did it, like we like to say, hands-on, not necessarily with an academic approach.

[Alex Arduino]: I think it recalls the quite ample discussion that we had with Omri on the “hands-on approach” versus the academic one. But in this respect, there are two things that stem from your answer. The first, and it is very important, is the young age part, and I’m sure also the attitude to risk-taking at a young age is quite different from the same risk that you can look at now. The second is the so-called 8200 model. Is it possible that this model is going to be a model that you can apply outside Israel? Meaning that other countries or other business entities can try to duplicate it, or is it just something that is possible only in Israel? And it is a fact that most Israeli startups tend to emerge from Unit 8200. Also, as you are a retired cyber intelligence major, you have been trained to groom talent in your organization. So my question is, how is cyber intelligence training going to shape the future in business, and is it possible for other countries to follow Israel’s path?

[Roy Zur]: Cyber intelligence and cyber security are going to become an essential part of every digital initiative and in every company that deals with data, which is becoming more and more diffuse. Even low-tech companies are now dealing with a large amount of data or system-oriented or online challenges. Therefore, putting this aside and assuming that the future we also the present, but the future for sure, will be much more affected by cyber intelligence and cybersecurity. Now, specifically, there are a lot of different things that Unit 8200 or the Israeli approach has that some of them cannot be necessarily replicated due to culture. By the way, it’s not necessarily a good or a bad thing. There are some negative aspects of the culture and you can replicate also the negative parts.

Therefore I don’t think that the Israeli culture necessarily is the key. I think one of the key aspects that can maybe be implemented in other countries is the zero-to-hero approach. And it’s directly connected to the young age, and I’ll explain. In general, my approach, and maybe that’s the approach of the unit as well, is that we can actually take people from diverse backgrounds, from nontraditional backgrounds, but we identify their attitudes and their motivation. Once we identify their potential, we actually invest in them in, let’s say, training them or bringing them to the level we want. And I think that this is something unique about Israel, that is very open for an Israeli business culture. That is very and it comes from the military, because in the military we get 18-year-olds straight out of high school, we don’t have the privilege to get them well educated with degrees, and in a matter of months we need to position them in the most sophisticated and challenging places in the unit. Consequently, we have to find ways to accelerate their learning processes. And I think that if we will be open to do this also, and we are in Israel, but if we will be open to do it globally, to find people based on their potential and then invest in their education, then we can actually find out that there is a lot more talent out there than what we think. Moreover, it will allow us in our companies to grow much faster and will bring people with a lot more I would say intrapreneurial more intrapreneurs to this situation.

[Alex Arduino]: I am shifting our conversation from the business part to the defense part. As you correctly mentioned, low tech is also affected; cybersecurity affects all the spectrum, not only the technological part but also the security one. Especially in the latest decade, there’s been a lot of talk about cyber warfare, with some highlights talking about, let’s say, cyber Armageddon, or even cyber Pearl Harbor. This has been a constant trope in the military and defense circle for a really long time. But recently, with the Russian invasion of Ukraine, we didn’t see this kind of cyber-attack happening. There was no cyber-Armageddon, no cyber Pearl Harbor, and everybody was expecting brazen attacks on power grids and so on. It didn’t happen. Therefore my question is: Are we overestimating the physical impact of the damage coming from the cyber sphere?

[Roy Zur]: I don’t think we’re overestimating the potential. I think that like many different aspects in war, it’s kind of like we say, well, nuclear war is a disaster. But look, it doesn’t happen. So, you know, so nuclear is okay, nuclear weapon is okay. I think that the potential of a global cyber warfare, or even the local cyber warfare, when everyone removes their gloves and actually uses all the cyber warfare weapons available at their disposal, hitting critical infrastructures: water, power systems, weapon systems, transportation systems, and I think it’s definitely a doomsday scenario or Armageddon scenario. Now, I think that the situation is, of course, related to offense and defense. And as we see this potential effect in many countries, of course, and that’s including countries like Ukraine, and that’s including countries like Singapore, are investing heavily in their security. Hence, I think that one of the reasons we see less of this, maybe, or we don’t see yet the Armageddon case, is first because we have this situation of defense and offense going on, and both sides on the world or both sides in every conflict are of course investing a lot in that. I think we should be as cautious as possible and we should invest as much as possible in preventing this situation because this can dramatically change our way of life. So, I don’t think we are overestimating, but you know, Hollywood and the movie, the movie industry is always presenting the worst-case scenarios. Hopefully we will not be in that scenario, but we can know for sure. Therefore we need to be prepared.

[Alex Arduino]: Most of the time at BOTG, we are looking at the role of mercenaries, and it’s quite interesting because I’m sure from our audience now there will be the question related to why we are talking about cyber security while looking at mercenaries. But recently the United Nations has been looking at cyber mercenarism. Trying to define cyber mercenary is a very daunting task for the very simple fact that everybody knows what a mercenary is, but nobody agrees on a perfect definition. And for decades, the UN, especially the working group on mercenary activity, has been trying to do that. And especially, of course, the UN is focusing on the human rights impact that cyber mercenaries could cause on civilians during conflict and especially even during peacetime. The UN Working Group on mercenaries mentioned that they are looking at activities, companies or even individuals that use word rate cyber weapon to do the bidding for foreign power non state actor and as also happen for criminal and terrorist organization. And they try to define them as cyber mercenaries. So now I’m asking you a question that is based on your previous life as a lawyer. In your opinion, what differentiates a cybersecurity company from a cyber mercenary, and especially what kind of suggestion can you offer to international bodies attempting to regulate this industry? Let me rephrase it in a nutshell. Can we say that an individual, a group or a company in cyberspace is a mercenary, and why?

[Roy Zur]: I think it’s a very, very interesting question and it’s a complex answer. First, I think we need in cybersecurity to differentiate, to understand the differences between defense-oriented cybersecurity companies and offense-oriented cybersecurity companies. Most companies in the industry are developing generally defensive tools. Defensive not even as a weapon but more as a think about it there’s a wall or is it guard or is the monitor; it’s almost like saying that a company that develops fences or a company that develops walls would be considered as another scenario if these walls or fences are being used to protect a specific territory. I don’t think that from the defensive side you could define, in my point of view, these companies as mercenaries, because they are actually, in a way, even contributing to peace. Not necessarily to world peace, but they are actually contributing to lowering crime and minimizing the damage from attacks, and I think that’s the defense companies.

I don’t see them as mercenaries. Regarding companies that develop offensive tools in cybersecurity, or offer services for cybersecurity attacks, I think that’s where it becomes a bit more complicated. I believe that if you are an individual or a company, that you offer your services or your tools as a weapon to companies or regions in conflict, and there are companies that do that, and there are individuals that do that, that offer their services. And I believe that that may be yes to your question. Maybe in that case, if I’m an individual or a group of individuals or a company that offer a tech services or a tech tools to companies, sorry, to countries or organizations or regions in conflict, then it may be the fact that yes, maybe I am. I could be considered as a mercenary. The question is, if I’m developing other tools, and these are being weaponized by others, and I didn’t have the intention that these tools will be weaponized, I’m not sure it could be defined as mercenary, because you know a lot of companies in different industries develop things that later are weaponized. I’m not talking about weapons, I’m talking about, you know, you can take metals or you can take specific chemicals that you develop for one purpose and others are using it for military purposes. So I think I would, as a lawyer, I would focus on the intention and focus on what is the purpose of the activity, and if the purpose of the activity is to develop a specific or to provide a specific solution or a product that is directly designed to be used as a weapon, then the answer would be yes. In other cases, I think that that’s a more complicated situation.

[Alex Arduino]: The intention part is very fascinating because it’s one of the core issues that has been looked at mostly from a legal standpoint on mercenaries, especially in the post African conflict, and more recently in Iraq and Afghanistan. But then unfortunately the gray area is typical and it surrounds mercenary activity. As you mentioned, we have a passive stance and an active stance, but there is something in the middle, that can be a proactive stance, a pre-emptive one. Therefore, this is the stance that creates more issues, also from a legal point of view. I recall an example, a real-world one, not one in the cyber sphere, where it was just a company, as you mentioned, “defending a wall” in Baghdad’s green zone. Every morning they were shelled by insurgents’ mortar fire. One day in the morning, nobody could find the contractors defending the area. They came back later on with the mortar on the shoulder, so they prepared a trap; there was a preemptive strike to avoid getting shot again, but then, are we still talking about a passive stance? Especially in the cyber sphere it’s a compelling issue. But now I want to move on to discussing more the part on offense than defense. In cyberspace, attackers move at lightning speed. They cross multiple national borders in a matter of seconds. And this is a very huge challenge for a country, especially to address where the threat comes from, and to attribute the attack to a culprit. In this respect, pinpointing the attribution of a cyber-attack is a very dire, daunting problem. And in the future, not so far, the number of attacks, even if we don’t see an Armageddon as mentioned before, is going to increase. In your opinion, are we going to see and to witness a cyber attack that is going to be a casus belli?

[Roy Zur]: In my point of view, I think about a situation and it’s already happening between different countries. Even if I’m looking at the situation between Israel and Iran. I think the situation is ongoing and I can’t address too much of this. But there is an ongoing conflict, cyber conflict, and cyber-attacks happening in the background, and some of it is also leaking to the physical space. It’s not yet to a war, but in a specific situation, definitely, if one country, or one organization that is government-led, hits another country’s critical infrastructure or causes significant damage, it can be conducted to be a kind of like casus belli or triggering a war between these countries. And the matter is exactly the attribution case. This is an example I like to give sometimes to students or even in the military, about attribution, because sometimes the fact that things can be hidden, or that it’s not easy to attribute it to a specific country or a specific organization, can actually, in this case, prevent a war.

I’ll explain. Let’s say right now there is a specific cyberattack in a specific country, let’s say Israel as an example. Something happens here and there is an attack in the streets of Israel, not a formal attack of another country, and a few people are getting hit. And the intelligence forces of Israel know that there is another country behind it, but it’s not known to the public. Therefore, it’s very hard to attribute it to a specific country. Although the intelligence forces know, in this case the chances that Israel will start a war against this other country, even though people died and an attack happened, are very limited.

On the other hand, if an airplane or like a specific tool/weapon of this country will get into the territory of Israel and will fire a weapon in Israel. Nothing will happen but this weapon in Israel and then go back to their country, then most likely this will trigger a war, because it can easily be attributed to this country. And it’s a very public and violent act of war. So, I think that what cyber warfare allows countries is to manage a war that is hidden. It’s kind of like the rules is that be contained in a way, and I think that that’s why a lot of the time there is actually an active war going on in cyberspace and you still don’t call it war. You still say that there was no casus belli that happened here and this triggered the war. But it’s just a matter of time, in my point of view, once cyber-attacks will influence more and more the physical space, for example, shutting down at full system which transportation etc. Then we’ll start seeing countries also retaliate in the physical space, so that’s how I see it.

[Alex Arduino]: Your answer is very interesting, because it’s quite similar to a question that I asked an expert on drone warfare a while ago. If an unmanned aerial vehicle that you are not able to attribute, where it’s coming from, who is the guy behind the remote controller, is going to hit another country, will it start a war? And the answer was quite similar to yours: it was not the case. Probably in the future, when these weapon systems become more sophisticated, there are swarm systems controlled by AI and so on. But also, in my opinion, looking at data both on cyber-attacks and on drone strikes, one thing that I’m quite sure of is that they increase the propensity for aggression, because there is this perception that drones don’t generate body bags being sent back home. At the same time a cyber attack is something that is neutral, it is online, but then, as you mentioned, it is going to increasingly have an effect on the physical world. Especially we see cyber attacks on hospitals, cyber attacks on power grids, and so on. Therefore it is definitely something that we need to look at in terms of law and regulation, but also in terms of the ethical approach to this issue. But then again, we are talking about drones and cyber attacks, or something that looks like it is all controlled by machines, not by humans. Nevertheless, humans are still at the center of this, and all over the world there is a race to find the right person, the right talent. And as you mentioned, from Unit 8200 to your company, I’ll say nurturing talent is important and it’s a very strategic issue. Looking at areas, especially coming back from the Middle East to areas nearer to us like Singapore, the first question is that here in Singapore, digital financial market protection is critical, and everyone is looking to recruit cyber talent, but the pool of talent is shrinking by the day. How do you cope with this recruiting problem?

[Roy Zur]: It’s a great question and it’s also directly connected to what I’ve been doing in the past 15-plus years, first in the military, then in the industry today. And you know, from looking at my company Cybint, now we joined forces with another company and now we are called Thrive DX, digital transformation. The focus is exactly about how we bring more talent into the talent pool. Because right now all the companies and organizations and government agencies are fighting or competing on the same talent pool. But there is a huge talent shortage out there; the estimation is between 3.5 million to 4 million people missing in the market right now. And if you think about the traditional education process, it takes many years of different degrees to generate talent, and even this most degrees technological degrees are not directly around cybersecurity. Hence, we take people that studied computer science and you add like another cybersecurity course, but they didn’t do a lot of cybersecurity, and the amount of degrees and kind of like cybersecurity master’s degrees are pretty limited versus the millions that are missing. In my opinion, the answer in that case is that we have to find creative ways to generate talent in a very accelerated organist, significantly, much more accelerated way than we do it today. And in that approach, what we are promoting, personally I’m doing it in my company Thrive DX and we see it also other organizations and are doing are thinking out of the box, thinking of this bootcamp approach of taking people to a very intense learning experience, can be three months, it can be six months, and by the way, we’ve been doing this in Singapore, including with financial institutions, and more organizations understand that they need to start generating their own talent.

It can either be by taking people from their organization, from within the organization, or it can be IT people or other types of people that actually want to convert or to move to reskill themselves in cybersecurity and reskill them, or taking people from different backgrounds, not necessarily people that work in cybersecurity, but work by focus on an accelerated way to teach them the right cybersecurity skills. I think that if we will try to solve our cybersecurity problems just based on the talent pool that exists today, and just based on people that are coming out of universities after years of academic experience, we’ll never be able to cover the gap. And we need to take a proactive approach here. And we need to start opening our gates to new diverse talent and to be open to take people with bootcamp experience. We’re going to retrain our people with boot camps and not necessarily wait for five years’ experience before we started working, like we’re doing at Unit 8200; as I mentioned earlier, we have to take them straight out of high school. They are 18 years old, they don’t have a university degree, but they’re still working in one of the most challenging environments in the world.

[Alex Arduino]: Looking at the broader view, not only from a talent point of view, you mentioned before the cyber friction between Israel and Iran, but there is another friction that I want to look at now, and it is the friction between the United States and the People’s Republic of China. This increase in friction is going to lead to a bifurcation of the digital ecosystem, and sooner rather than later countries will have to make a choice on which part of the Cyber Wall they will choose to stay. In your opinion, what would this divided world mean for Israel?

[Roy Zur]: It’s not new to Israel. Israel has always been in the middle of different conflicts in the past; it could be the United States and the Soviet Union back then, where Israel was more an ally of the United States, but in a region where most of the countries around were allies of the Soviet Union back then. Now, and it’s even today, you see conflicts of Israel with some of its neighbors. Let’s take Syria, for example. There is a very dominant Russian presence in Syria, and Israel is trying to keep the good relationship with Russia in that case, but still is, I would say, a stronger ally of the United States in different conflicts and situations. And even right now, the war in Ukraine is affecting Israel. Therefore, I think that Israel is trying in these cases to stay as neutral as possible, mainly because it’s small and vulnerable and needs its global allies. And I think this is an estimation that’s in a situation where west versus east or kind of like China versus United States approach. I think in that case, Israel will be more in the western group than in the eastern group, just because of the dependency of Israel and the Israeli market in the United States. The United States is by far the most significant partner of Israel in both military and civilian purposes. Again, I’m not a politician, and I’m not a military expert at this point. Therefore, I cannot foresee the future, but this is my estimation.

[Alex Arduino]: You just mentioned foreseeing the future. So, you just helped me to rope in the next question, but as mentioned, when I criticized the notion of cyber Armageddon, at the same time I ended up with the old trope of the Iron Curtain, albeit a Cyber Iron Curtain. So there’s something that we will see in the future. Unfortunately, in this uncertain time, when the global security architecture is changing, transitioning really fast from point A, and we really have no idea where point B is going to lead us. I’m going to ask a very difficult question: in your opinion, not tomorrow, not in two years, but in the coming 30 years, what will be the future of cyber intelligence?

[Roy Zur]: So I think in general, as I said before, first, cyber security and cyber intelligence will become something that is much more essential and common than what we see today. If today we think it’s common, still there is some kind of a mystery around that, you know, people think about us. Actually, I participated in a conference in the United States, in Atlanta, just a few weeks ago, and the topic of the conference was demystifying cybersecurity. And I think that’s still how people see it, a mysterious thing. And I think that with time, first it will become common, as we think about technology today, with technology you have cyber security and cyber intelligence practices. So that in general becomes something that is much more available to the markets, available to people, accessible to people, and more people also choose it as a career path, which right now is a bit more challenging.

Now, specifically from a technological point of view. Well, it’s hard for me to estimate exactly, but we see the involvement of AI, increasingly, in everything, including in cybersecurity and cyber intelligence, meaning attacks and defense that are being created by a machine and not necessarily by a person, so not necessarily defining rules for the system, but allowing the system to learn and create its own rules and create its own defense mechanisms and code itself.

Also, I think that we’ll see many more attacks that are being initiated by machines and defense mechanisms that are being created by machines and learning machines and learning processes. And we see it in general in many fields, not just in cybersecurity, but in cybersecurity, we can find weapons that are being created by machines or defense mechanisms that are being created by machines. So I think that one thing that will become much more significant is that this field will have a strong AI presence.

Having said that, I think we will also see the growing role of the human factor in cyber breaches and in cyber cases. In this respect, while the machines will become more and more sophisticated, what you see is that the weakest thing is becoming the human vulnerability.

And you will see it also today where attackers are taking advantage of while the systems are sophisticated and hackers maybe can break the system or find a way to break into the system, then it’s sometimes easier to make a person open the door for you or to make a person give you the key, especially if you want to get into the most sophisticated safe in the world. But if you have next to the person has the code and the key and you can actually get the code and the key from the person, it’s easier. So I think that we will also see this, that humans will become, and already are, but will become the weakest link in this cybersecurity situation.

[Alex Arduino]: Thank you very much. You just made me remember Kevin Mitnick. He was a very famous American hacker. I think he also ended up in prison for his skill, and being a good coder was an important part, but he was really a good social engineer. He was able to make people tell him the password without brute-forcing the system. I mean, we can go on talking about this for hours, but unfortunately our time has arrived at the end, and Roy, really, thank you very much for joining us today. Listening to your insight has been extremely informative. And I just want to close this episode by plugging the following podcast, which is going to talk about the evolution of cybersecurity, but pivoting from Israel to Europe and looking at this new role of cyber security. Stay tuned and enjoy a great day.

About the Speakers
Mr Roy Zur
Founder and CEO of Cybint

Presented by Dr Alessandro Arduino

Mr Roy Zur is a cyber intelligence expert, the founder and CEO of several cyber companies, including Cybint, a cyber education company. Cybint was recently acquired by ThriveDX in the summer of 2021. Mr Zur has more than 15 years of experience in cybersecurity and intelligence operations from the Israeli defence forces, Unit 8200 (retired major) and has developed cyber education programmes and technological solutions for companies, educational institutions and government agencies around the world. As a former cyber intelligence major, he was responsible for developing learning methodologies and training around cybersecurity for people with no former experience.

Prior to his current position, Mr Zur has received law and business degrees and served as a legal adviser in the Israeli supreme court. In addition, he is a practicing attorney, and the chairman of the Israeli legislation research centre (OMEK Institute), which includes 150 researchers, who work with the Israeli parliament.

Cybint has an unwavering commitment to reskill the workforce and upskill the industry in cybersecurity. The company is tackling two of the biggest problems in cybersecurity: the talent shortage and the skills gap. Mr Zur has dedicated his career to cyber skills training for all age groups.

The company has been partnering with higher education and training facilities and has conducted training sessions for top organisations like JP Morgan Chase, United States Department of Justice, FINRA and Bank of America.

It was also awarded for Best Adult Learning Solutions at EdVentures GBA and placed in the top 10 for overall education solutions at the ASU + GSV Summit in 2020.
