In a Country Known for National-Security Emphasis, Many Firms Are Unprepared for Hacking Attacks

TEL AVIV—In January, a hacker nicknamed 0xOmar jolted Israel by infiltrating an online coupon retailer and exposing credit-card information for tens of thousands of customers.

A half year later, a large swath of Israeli businesses and consumers remain prone to cyber attacks, placing individuals, companies—and perhaps the economy—at risk in a country believed to at the forefront of a cyber-espionage effort against Iran´s nuclear program and targeted by political hackers.

"I haven´t done one [system] penetration test in which I didn´t get access to sensitive information, like CEO email mailboxes,´´ said Yuval Nativ, 23, an antihacking instructor at See Security Technologies Ltd. who advises companies on the weaknesses of their computer system. "Israel´s private sector is really unprepared for cyber attacks."

It is an ironic twist for a country with a reputation as a high-tech and cyber-warfare powerhouse. Israel´s military—renowned for cyber- intelligence units like "8200" that churn out technology entrepreneurs—is believed to be behind the Stuxnet virus and the Flame spying software that targeted Iran´s nuclear program.

And Israel´s critical electricity and financial grids are among the best secured in the world against cyber attacks that threaten national security, according to a January report by security firm McAfee Inc.

But it is a different story among Israeli companies.

Most businesses are reluctant to invest in cyber defenses because they don´t consider an attack a serious enough threat. Top managers often have little appreciation that their intellectual property, emails, data files and even factory blueprints are compromised by subpar security. Israel also lacks strong legal incentives to compel corporations to take the necessary precautions.

Israel´s computing talents are also drawn to offensive hacking projects, while cyber defense is considered mundane work and carries lower salaries.

Shahar Maor, an information-technology analyst at Israeli market research firm STKI, estimated that compared with large companies associated with defense or critical infrastructure, lower tier Israeli companies hire one-fifth as many information-security employees relative to computer users.

"Israel is a very secure state in terms of information security; Israelis—as individuals—are poorly secured,´´ said Nimrod Kozlovski, chairman of Altal Security Ltd., a Tel Aviv-based information- security consultant firm.

In addition to exposing Israel´s credit-card holders, hackers from outside the country are believed to be responsible for temporarily slowing down the websites of the Tel Aviv stock exchange and El Al Israel Airlines Ltd. in January.

However, information-security experts draw a distinction between those incidents, considered to be the work of politically motivated "hacktivists,´´ and attacks like Flame and Stuxnet, which are many times more elaborate and more dangerous to national security.

In order to change the cyber mindset in Israel, information-security experts say that Israel´s government needs to update laws and regulation governing information security to give companies more of an incentive to boost investment in cyber security.

For one, there are no laws requiring companies to report cyber attacks to any public agency like in the U.S., reducing transparency on the size and scope of the attacks.

In the past year, Israel established a National Cyber Directorate to encourage more research and development in cyber security and to create a national "Situation Room" to handle attacks on government and private systems.

One of the goals of the Cyber Directorate is to promote R&D in Israeli universities and in the private sector, creating an eco- system of cyber technology that will keep Israel at the forefront, said Yitzhak Ben Yisrael, a Tel Aviv University information-science professor who helped launch the directorate.

The Cyber Directorate was endowed with $500 million over five years. This year it announced that it would invest $12 million in cyber research and development and scholarships for students studying information security.

Mr. Ben Yisrael said Israel is exposed to 1,000 attacks per minute.

"To protect private-sector companies, you need awareness and you need regulation,´´ Mr. Ben Israel said. "If the smaller ones will be attacked, it will be more of a harassment than a major disaster. Still if you harass hundreds of thousands of people it´s a problem and we should take care of it.´´

On a smaller scale, Israel´s government needs to push universities to focus on cyber instruction and to encourage more venture-capital investment.

"When talking about research for solutions, I have a lot of friends with concepts and proof of concepts, but we don´t have the investors,´´ said Avi Weissman, chief executive of See Security Technologies, a company which runs a cyber college and offers consulting services. "People all over the world expect that Israel is strong in information security, which means cyber defense, but I´m not sure. We have the knowledge, but we don´t have organization."

See Security offers a course in "expert´´-level hacking where students are taught advanced techniques for breaking into computer systems and then practice hacking virtual computer networks designed specially for the course.

But most of the students in the course come from Israel´s Defense Ministry and the military rather than from private companies.

In a course run by Mr. Nativ this week, students were instructed how to clone social-networking websites to gain access to personal data. "They will be better defenders because they know how attackers think,´´ he said. (Copyright © Dow Jones & Company, Inc.) 07/26/12)