Threat actors linked to Hamas and its allies have been incessantly targeting Israel since the onset of the Israel–Hamas conflict in October 2023. According to the Israel National Cyber Directorate (INCD), which is responsible for securing Israel’s national cyberspace, the intensity of cyberattacks has increased threefold since the beginning of the conflict.1 The head of the agency also shared concern over coordinated attacks by Iran and Hezbollah across various sectors in Israel. In response to growing attacks against its infrastructure by formidable adversaries like Iran and its proxies, Israel recently announced that it is building a ‘cyber-dome’, or digital ‘Iron Dome’, system to defend its cyberspace against online attacks.2
Explaining Cyber Dome
While there are no definite details regarding the mechanism and tools that constitute the cyber-dome initiative, one can parse the official statements and specific initiatives to get an overview of the rationale behind such a system. The concept can be traced back to the first public speech in 2022 by Gaby Portnoy after being appointed as the Director General of INCD. He presented the cyber-dome as a new big data and AI-driven approach to proactively defending domestic cyberspace.3 He singled out Iran as Israel’s dominant rival in cyberspace. The initiative aims to provide tools and services to elevate the protection of national assets by synchronising real-time detection of threats at a national level to mitigate emerging threats. Furthermore, Portnoy also emphasised the need to replicate cybersecurity protocols used for critical infrastructure in other sectors.
The cyber-dome also leverages generative AI platforms to filter out genuine threats from a plethora of available threat intelligence.4 Consolidation of strengths and expertise from various agencies augments the efficacy of the initiative. Officials who are involved come from a wide range of agencies and departments within Israel’s security establishment. These individuals are drawn from the Defence Intelligence Unit 8200, J6 Cyber Defence Directorate, and other cyber units of intelligence services.5
The joint coordinated efforts, coupled with AI and secretly built Israel Defence Forces (IDF) platforms, are used for threat detection, followed by intelligence sharing with stakeholders. Once the threat intelligence is shared, the Computer Emergency Response Team of Israel (CERT-IL), which is the operational unit of INCD, takes appropriate action.6 The AI-powered systems collect, analyse and interpret data to detect anomalies and alert national systems.
Although the project is in its initial phase, the synergy between various agencies and the integration of efforts to tackle emerging threats in cyberspace offers an interesting test case for other countries. The cyber-dome initiative also includes a multinational component, reflecting the global nature of cyberattacks. Given the nature of conflict in cyberspace, escalation often extends beyond the primary parties involved to encompass their allies as well. For instance, nations that are supposedly seen as supporting Israel have faced a rise in cyber incidents since the beginning of the armed conflict.7
Other INCD-led initiatives can potentially complement the cyber-dome initiative, with a particular focus on international cooperation. One such project is ‘Global Cybernet’, which aims to share information about cyber defence between countries.8 Touted as the first network of its kind in the world, it was built to share cyber incidents or any anomaly to respond effectively. Moreover, Israel has also been attempting to gather regional partners to explore concrete defensive solutions to address cyber threats. One such summit mulled over the merits of rapid information sharing and conducting joint cyber investigations to augment the efficacy of responding to cyber threats.9 Furthermore, the participants also contemplated the possibility of developing a joint regional cyber-dome.
Cyber incidents targeting Israel
According to INCD’s assessment, Israel has witnessed a surge in cyber incidents against its infrastructure, particularly since the beginning of IDF’s operation in the Gaza Strip.10 Drawing parallels with the tactics, techniques and procedures (TTPs) being deployed in the Ukraine–Russia war, the assessment revealed the use of influence operations against Israel through social media networks. Israeli networks are also facing ransomware threats and increased use of wipers, a class of malware intended to render data inaccessible and unusable.11
The report also uncovered the pattern that threat actors have been using to gain unauthorised access to Israeli networks and systems. Threat actors are increasingly employing spraying attacks and distributed denial of service (DDoS) attacks and have also made attempts to breach managed service providers (MSPs), which constitute a critical part of the supply chain. These attacks encompass almost all the essential sectors, including health, academia, energy and transportation, the last of which includes maritime shipping.
Portnoy also alleged that Iran-affiliated groups are proactively targeting Israeli infrastructure and have also been directing operations against Israel’s key allies.12 A major cyber incident attributed to Iran and Hezbollah was an attempted breach at Ziv Hospital in November 2023.13 A joint investigation by the INCD, IDF and the Israeli Security Agency noted that the attack was orchestrated by a group affiliated with the Iranian Ministry of Intelligence and Hezbollah’s cyber unit.14
Iranian influence operations have evolved through distinct phases since the beginning of the Israel–Hamas armed conflict, according to an assessment. In the first phase, Iranian-linked cyber operations appeared reactive following the Hamas terror attack on 7 October 2023.15 During this time, threat actors used pre-existing access and re-used old data for leaks. In the second phase, the Iran-linked group made concerted efforts to disrupt Israeli infrastructure, with dozens of groups involved. In the third phase, these threat actors expanded their operations to target countries like Albania and Bahrain, perceived as supporters of Israel.16
Israel’s cybersecurity strategies
In 2017, INCD issued a national cybersecurity strategy with the aim of streamlining national efforts to ensure a stable and secure cyberspace.17 The document put forth a strategy with three distinct operational layers—aggregate cyber robustness, systemic cyber resilience and national cyber defence. The distinct role of private organisations is also envisioned in the document. Given the nature of cyberspace, these layers are conceptualised as mutually dependent and complementing each other.18
The first layer is designed to strengthen the public and private sectors’ overall ability to prevent and mitigate cyberattacks to ensure robustness across industries. The second layer is crucial as it charts out a plan to build a systematic ability to confront cyberattacks. This layer is event-driven. In the event of an unauthorised breach, systemic cyber resilience will ensure that the affected organisation continues its operation while mitigating the threat. To facilitate seamless operation in times of crisis, the document encourages information sharing and assisting organisations during cyber incidents. The national cyber defence layer is required against ‘severe threats by determined, resource-rich attackers’, suggestive of state actors or those supported by states. The three-layer approach takes into account the level of risk, the nature of the threat, and the appropriate response.
To complement the national cybersecurity strategy and to address the global aspect of cyber threats, the INCD issued the Israel International Cyber Strategy in 2021.19 The international strategy outlines the need for collective resilient efforts through information sharing, securing the global supply chain, and financially incentivising security in organisations. The document also summarised Israel’s position in global cybersecurity discourse.
The cyber-dome initiative fundamentally constitutes an active defence encompassing enhanced detection, investigation and mitigation of threats along with the expansion of existing information-sharing mechanisms. The coordinated detection and response efforts involving all agencies, including the IDF, underscore the importance of collaborative action in an interconnected domain. The centralised, real-time and AI-enabled system proactively protecting Israeli cyberspace is an extension of its national and international cybersecurity strategy.
Views expressed are of the author and do not necessarily reflect the views of the Manohar Parrikar IDSA or of the Government of India.
18. Charles D. Freilich, Matthew S. Cohen and Gabi Siboni, Israel and the Cyber Threat: How the Startup Nation Became a Global Cyber Power, Oxford University Press (Kindle Edition).