Source: Jerusalem Post

JERUSALEM, Israel--The Jerusalem Post was only the first of many newly hacked victims that cyberwarfare will claim in 2022, as threats from China, Russia, Iran, North Korea and others go into overdrive.

Yes, the US is the world’s greatest superpower, and aspects of Israel’s cyber power leave it rated between third and fifth, after China and Russia and interchangeable with England depending on the issue.

But there are two problems that leave the US and Israel hopelessly outmatched.

The first is that cyber offense always beats cyber defense, and the second is that in some asymmetric matchups, Washington and Jerusalem are like communities in glass houses fighting adversaries in mud huts.

Cyber offense always beats cyber defense because any wall or defense, physical or digital, has vulnerabilities. Give an adversary unlimited time and resources, and eventually they will find and exploit those vulnerabilities.

Sometimes those vulnerabilities will be part of the digital infrastructure and defense itself, and sometimes they will be a single employee who foolishly clicks on a link that they thought their colleague or aunt (cleverly impersonated using social engineering and data mining) sent them.

The glass houses and mud huts analogy was recently put forth by Kevin Mandia, CEO of cybersecurity firm Mandiant, which first uncovered Moscow’s mega SolarWinds supply-chain hack of almost the entire US government and wide swaths of the global economy.

Without putting down US and Israeli adversaries, the point is that, because the quality of life and reliance on technology are so much higher in the US and Israel, we all just have far more to lose.

Washington and Jerusalem can succeed at a dozen cyberattacks on Iran or some other adversary, and that adversary can then do more harm and cause greater disruption, or the perception of greater disruption, with one successful counterattack.

Furthermore, it is no longer only China and Russia that have cyber weapons that are virtually unstoppable when used on a focused narrow target. Tehran now also has some of these cyber weapons and is constantly updating its malware products in a systemic and relentless manner.

Anyone who watched Hamas outmatch the state-of-the-art Iron Dome by firing an overwhelming volume of its weak homemade rockets all at once, and at one town, will see that Israel’s and the US’s cyber adversaries can breach any digital defense in cyberspace, where their capabilities are more impressive.

Put differently, the US and Israel may be heavyweights in the cyber sphere, but they are nowhere near as dominant as they can be in the physical military world.

That is not the only reason why Israeli hospitals like Hillel Yaffe Medical Center in Hadera, insurance companies such as Shirbit, defense companies including Israel Aerospace Industries, major server hosts for companies like Cyberserve and so many more will continue to be hacked, as they already were in 2021.

In recent years, it was already known that US and Israeli cyber adversaries sometimes used state-sponsored cyber criminals, often under the guise of ransomware attacks, to do their dirty work. But there was still a relatively small number of such outfits that could do major damage, and that made them more traceable.

As cyber weapons continue to spread, “democratising” the digital sphere, there are more and more of these groups – and some of them end up causing geopolitical trouble later, even without state sponsorship.

If combating ISIS and al-Qaeda felt like an endless game of whack-a-mole over the last two decades, fighting these expanding non-state cyber outfits with increasing nation-state-like capabilities is becoming increasingly unmanageable.

Next, turning critical infrastructure all “smart” is not looking so smart in 2022. As more and more towns, even small ones, make their infrastructure – including water, electricity and transportation – networked, there is a limitless number of poorly defended (if at all) targets whose hacking can cause physical chaos and potentially death.

There has not yet been a mega-death cyberattack in the West, but this is increasingly looking like a matter of “when” as opposed to “if.”

Rushing into the digital sphere during the coronavirus era only exacerbated the problem.

Maybe the only bright spot in this impending cyber avalanche is that the public, businesses and governments are belatedly getting the hint. New policies making each layer of society own additional responsibility and liability, educational awareness and funding have started to alter the cyber landscape.

And yet Israel, with no new elections and a government capable of passing a budget, still is incapable of passing a cyber law to, once and for all, set the extent of liability of the private sector for protecting clients’ information and for updating what should be considered “critical” infrastructure and differentiating levels of what “critical” means.

Maybe the inevitable cyber disasters of 2022 will finally get that law and general societal awareness to make the full and necessary paradigm shift to survive the dark scenarios we are tumbling into at full speed.