Lessons From Israel’s Rise as a Cyber Power
A review of “Israel and the Cyber Threat: How the Startup Nation Became a Global Cyber Power” by Charles D. Freilich, Matthew S. Cohen, and Gabi Siboni.
Published by The Lawfare Institute
“Israel and the Cyber Threat” is an ambitious and timely book, one that both scholars and national security practitioners should read. The Russia-Ukraine and Israel-Hamas wars have underscored the role of cyberspace in contemporary armed conflict. Current wartime experience is augmenting insights already gained from years of strategic cyber competition involving cyber operations and campaigns below the threshold of armed conflict.
Israel’s cyber history is uniquely instructive because Israel has been engaged in “militarized disputes” with Iran and its proxies for decades, and these have spilled over into cyberspace. The country “faces a near constant barrage of cyber-attacks ... ranging widely in terms of the types of targets chosen, extent of damage intended, and level of sophistication. Attackers have targeted virtually every possible network in Israel, during times of both peace and conflict[.]” Militarized disputes involve deliberate, overt, government-sanctioned, and government-directed threats, displays, or uses of force between two or more states over short periods. Thus, when not in direct armed conflict, the conduct of Israel’s national security policies, including cyber operations, fluctuates among crisis management, disruptive intrusions, and cyber activities that cause effects equivalent to those caused by a kinetic attack. This intense level of competition, with sophisticated cyber actions on both sides, has been experienced by few other states.
For scholars studying the role of cyberspace capabilities, operations, and campaigns across the spectrum from competition to armed conflict, for policymakers investing in and deploying cyber capabilities and forces, and for warfighters operating in and through cyberspace to achieve effects above and below the threshold of armed attack, a deeper understanding of Israel’s experiences and policy deliberations is invaluable. The authors, two of whom are former Israeli defense officials, acknowledge that rapidly evolving cyber developments make it difficult to keep their analysis up to the minute, that Israel’s strategic thinking is still maturing, and that an open-source study on sensitive military and intelligence topics cannot be comprehensive. Yet, they draw upon a rich array of open-source materials, including official government documents and academic scholarship, as well as interviews with many senior Israeli defense and intelligence officials to produce a comprehensive study of Israel’s cyber enterprise.
Chapter 1 lays the groundwork by defining terms, discussing the state of cyber threats around the globe, and walking through what the authors judge is—and is not—distinctive about the nature of cyber weapons, attacks, and their effects. Chapter 2 describes global cyber threats by actor, a useful overview for generalists. Chapter 3 reviews several debates in the cyber literature, carefully presenting arguments and counterarguments. Many topics will be familiar to national security specialists: deterrence, attribution, escalation, the balance between offense and defense, military doctrine, and the impact of cyber capabilities on armed conflict. Chapters 4 and 5 revert to the pattern of Chapter 2, offering a description of cyber threats to Israel and an analysis of Iran’s increasing use of offensive cyber operations against its many adversaries. The next five chapters constitute the empirical meat of the book. They examine Israel’s whole-of-nation response to cyber threats. In the book’s final section, the authors make recommendations for a more effective Israeli national cyber strategy.
The book’s empirical chapters detail civil and military strategy; policy development, decision-making, and bureaucratic rivalries; and capacity building, talent management, and industrial policy. Israel has made impressive inroads adapting to the central feature of cyberspace—interconnectedness—which requires synergy and integration within and across organizations and sectors. Determined to be a top cyber power, Israel early on established the Israel National Cyber Directorate, a single agency responsible for governmental, public, and private-sector cyber policy, security, and capacity building. Its remit includes preventing and mitigating threats to critical infrastructure, managing cyber incidents, investigating advanced attacks, and interfacing with the defense establishment. Israel also deliberately set out to develop a national cyber ecosystem through close collaboration across the government, defense establishment, academia, and the commercial sector. “The basic idea was to create a self-perpetuating cycle: academic research was to generate scientific knowledge, which would be used to develop new technologies and commercial applications with high added value; the defense establishment would benefit from the knowledge and capabilities created, further spur academic research and commercial applications on the basis of its own needs, and provide some of the outstanding personnel needed; and the entire cycle would be continually repeated.” According to Freilich and his co-authors, developing this ecosystem has been at the core of Israel’s cyber policy and every cabinet decision on cybersecurity policy since 2002. As could have been expected, organizational challenges have sometimes hindered fully effective coordination. Unlike other dimensions of military operations for which the Israel Defense Forces (IDF) is solely responsible, in the cyber area responsibility is shared with Israel’s foreign intelligence and internal security agencies. And within the IDF, offensive and defensive capabilities remain organizationally split in different branches.
Talent is the key limiting factor for every cyber power. Israel’s cyber human resource development is worthy of emulation. Deliberate efforts to expand the national pool of talent begin with early education and continue with specialized programs throughout high school. Every Israeli university offers cybersecurity, computer science, and computer engineering courses. Outreach to populations underrepresented in the relevant technical fields, extensive adult education programs, and innovative IDF programs—including placing personnel in private firms—augment Israel’s cyber human capital strategy. Facilitating the ability of cyber talent to move fluidly between government and industry through special models of military service—for example, “industrial capsules” that allow cyber personnel to work in industry and then return to military service—is another example of Israeli officials putting into practice at scale what their counterparts elsewhere only talk about.
The authors undertake several tasks. First, as a study in political science, they advance a causal explanation for Israel’s responses to the cyber threats it faces based on realism and constructivism, two of the three major schools of thought in international relations. Second, they weigh in on several debates that have animated the cyber subfield of security studies, particularly whether cyber deterrence is feasible and whether cyber operations are inherently escalatory. Third, they trace the development of Israel’s cyber policy, strategy, and doctrinal deliberations. Finally, in the book’s last two chapters, they offer policy recommendations intended for Israel but often of great value to officials in other countries as well. To do justice to the richness of the volume, one must engage its theoretical arguments, empirical claims, and policy recommendations.
Sources of Israeli Policy and Strategy
The authors argue that many of the factors that have led Israel to rely on technological innovation as a central component of its security policy have also fueled its development of advanced cyber capabilities. Above all, strategic and socioeconomic necessity—stemming from an extremely hostile external environment and the Arab world’s combined quantitative superiority in military and economic resources—has merged with a strategic culture that emphasizes technological solutions to economic and military challenges to make Israel a leading cyber power. Israel pursues advanced technological capabilities not only to attain a qualitative military edge but also to fuel socioeconomic development. Faced with a new threat of cyberattacks beginning in the 1990s, Israel rapidly adapted, innovated, and developed what the authors characterize as “outsized” cyber capabilities.
The volume makes a compelling case, based on realist theory, that strategic necessity drives innovation. Israel faces a particularly harsh geopolitical environment. It is at risk from a multitude of actors. The country lacks strategic depth, and it sits in geographic proximity to threatening states and proxies, several of which do not formally recognize its existence and some of which seek its destruction. Pure realists might contend that this strategic environment alone created an imperative for aggressive technological innovation. Few countries exist in a perpetual condition of insecurity over their very existence. The events of Oct. 7, 2023, show that fears of annihilation are not merely legacy cultural beliefs but reflect current reality. If necessity is the mother of invention, why aren’t Israel’s extreme security challenges sufficient to explain its aggressive innovation?
But the authors also introduce elements of constructivist analysis, contending that strategic necessity is not enough to account for Israel’s rapid development of first-rate cyber capabilities. Constructivism challenges core tenets of realist theory by attributing change to international norms and institutions. By focusing on “local” or unit-level identity, that is, the norms specific to a national or organizational community, the authors imply that cultural explanations usefully supplement realism’s focus on geopolitical forces. Israel’s strategic culture, the authors contend, stems from a deep-seated fear of destruction because of the Jewish people’s long history of persecution. The resulting preoccupation with security reinforces structural realist incentives for military innovation, making technological prowess over-determined.
A problem arises in how the authors delineate the content of Israel’s strategic culture. They claim it extols self-reliance, flexibility, improvisation, and creativity. It is offensive and proactive. It embodies resistance to authority as well as a collectivist sentiment. So many ideas are folded into the concept of strategic culture that it becomes unwieldy. Concentrating on the level of cultural diversity tolerated in society might give the authors a more persuasive explanation for innovation. Culture is not static, but a diverse amalgam of values and beliefs developed and accreted over time. Leaders who tolerate cultural diversity, with its contradictions and tensions, foster innovation and risk-taking. Innovation is less about the content or potential of the national culture than the attitudes of leaders toward ideological diversity. This aligns with the authors’ discussion of Israel’s “innovative cyber culture,” with its heterogeneous immigrant society of many different nationalities and cultural backgrounds, “each with its own unique experiences, values, and ways of doing things, resulting in a constant state of social and cultural tension.” Israeli leaders in the public and private sectors tolerate a high level of diversity and ferment, and thus benefit from the innovation it fosters. By failing to consult the rich literature on culture and military change, the authors missed an opportunity to sharpen their analysis and contribute an important case study to this subfield of political science.
Cyber Quandaries
“Israel and the Cyber Threat” provides important evidence for cyber theory and policy debates, increasing our base of knowledge for measured conclusions. For example, the authors take the view that cyberattacks have fewer escalatory ramifications than many others have thought. They assess that cyber tilts inherently neither to offensive nor to defensive dominance. They lend support to an emerging consensus that cyber capabilities alone cannot deter or substitute for kinetic effects in conflict but can play important roles in helping deter aggression and win in war.
The relation between cyber (as a capability, a domain, and a strategic environment) and deterrence as a strategy is familiar ground for scholars and practitioners. Debates over the applicability of a strategy of deterrence to the cyber strategic environment are consequential for policy and strategy, and thus demand conceptual precision. Such precision has grown in recent years, though the authors seem unaware of the maturation of this debate. For instance, their use of the phrase “cyber deterrence” is confusing. Do they mean the use of cyber capabilities and operations to deter attacks of any kind from enemies, or do they mean deterring hostile cyber activity? The authors define cyber deterrence as “the ability to use cyber means as a way of affecting the adversary’s cost/benefit analysis for similar purposes.” This aligns with the former notion of cyber deterrence. They also suggest “the very prevalence of cyber-attacks is held to be proof that they cannot be deterred.” This aligns with the latter understanding of cyber deterrence. This lack of clarity about cyber deterrence resurfaces in their policy recommendations.
To the credit of Israel’s early cyber policymakers, they did avoid a premature rhetorical clarity and let doctrine and policy evolve. In short, they “made a conscious policy decision not to adopt a doctrinal approach, in the belief that technology was evolving so rapidly that governmental policy would be unable to adapt quickly enough.” If the United States had not enshrined deterrence and a doctrine of restraint into its early cyber strategy documents (2011 and 2015), it might have achieved greater strategic innovation earlier.
Policy Recommendations
The authors offer recommendations in the form of a proposed Comprehensive National Cyber Strategy for Israel. They recognize that not all of their recommendations are original because many states share similar cyber challenges. “It is the integration of the existing wisdom, based on a systematic analysis of Israel’s circumstances and needs, together with our original contributions, that make these recommendations the first effort to present a comprehensive Israeli national cyber strategy.”
Many of the authors’ recommendations are directed to an Israeli audience. But some will be of particular interest to policymakers outside Israel as well. Recommendation 2, for example, calls on Israel to formulate a military cyber strategy and integrate it into its national security strategy. This would be an important step toward integration across bureaucratic elements. A national cyber strategy should at a minimum be whole-of-government, preferably whole-of-nation, and ideally whole-of-nation-plus, that is, coordinated with allies. If reinforced by implementation of Recommendations 5 (ensuring designation of a lead cyber agency under the prime minister) and 7 (effective coordinating mechanisms across agencies with streamlined authorities), Israel would be far ahead of its democratic counterparts—at least if that lead agency is empowered, staffed, and resourced to coordinate not only during times of normal bureaucratic competition but also during times of crisis and armed conflict.
Recommendation 6 calls for the IDF to optimize its force structure by streamlining regional and functional commands and integrating offensive and defensive cyber forces and operations, either in a cyber command or through an interagency task force. Israel’s delay in locking in a model may not be such a drawback. The United States was the first country to establish a cyber command. Nevertheless, its commander, Gen. Paul Nakasone, recently spoke out about the need to restructure the cyber force and its organization: “We built our force in 2012 and 2013. We’ve had tremendous experience. But the scope, scale, [and] sophistication of the threat ha[ve] changed. The private sector has changed, our partners have changed. I think that we’ve got to be able to take a look at how we’re going to change as well.”
Recommendations 16, 17, 23, and 25 call for a cyber deterrent posture. These are nice sentiments, but they fall flat because of the authors’ vague definition of deterrence noted above.
On a more general level, the authors should answer one crucial question as they propose alternative policies and a new strategy. How has Israel fared so well without a military cyber strategy and a cyber command? According to the authors, Israel has successfully handled attacks to date and faced few successful cyberattacks of significance. Public and private organizations work together to a degree hard to find in other democracies. Cabinet decision-making has been effective. The IDF’s force structure may not be optimal, but it has enabled Israel to execute some exquisite cyber operations, such as blinding Syrian air defenses in order to enable a successful bombing run against a nuclear reactor under construction in 2007. Cyber, the authors conclude, has strengthened Israel’s overall national power and partially upended the regional balance of power by providing Israel with critical advantages over authoritarian regimes whose leaders view cyberspace as a threat to regime stability since the Arab Spring. Managing policymakers’ expectations of the strategy they adopt is an important advantage that detailed empirical analysis such as that offered in this volume can provide.
But these are comparatively minor complaints—more points for debate and inquiry than objections to the authors’ method, evidence, and findings. “Israel and the Cyber Threat” is a timely book that deserves a wide audience in the United States and its allies.