Let’s not go there in this video… Love’em or hate’em, Israel is pretty good at hacking. Fighting off invasions by neighboring countries from day one, it’s since consolidated into a cyber superpower. Flame, Stuxnet, Duqu, Gauss.
Offensive cyber toolkits like these have frustrated Iran’s nuclear programs again and again. Israel’s even hacked Kaspersky, catching the Russian government using their anti-virus software as a global search engine for classified data. From monitoring mobile comms, intercepting satellite traffic, tapping undersea fiber cables, some consider Israeli intelligence to be on par with the NSA, maybe even spying on them too, having been ranked the third most aggressive actor against America.
And that’s not counting the private sector, second only to the US in its VC funding for cybersecurity. We’re punching 200 times above our weight. Besides the usual buffet of cybersecurity firms, there’s boutique ones too, specializing in offensive cyber.
Companies like WiSpear, which sells interception vans, NSO Group, which crafts zero-day mobile phone exploits, and other shady companies selling off-the-shelf hacking tools to organizations who are willing to pay premium prices for nation-state level cyber capabilities. So that got me thinking. .
. How does a country with a population of about New York city even get so good at cyber? I mean at a glance, there’s really not much there.
Let’s go back to the beginning, to one of Israel's lowest moments. The Yom Kippur War was the biggest Intelligence failure in Israel’s history. Caught off guard in a joint invasion by Egypt and Syria, Israel suffered unexpected losses in the opening days of fighting.
Positions being overrun, panic and confusion spreading across the country… Lack of strategic depth is one of Israel’s biggest weaknesses; its narrowest point being only 9. 3 miles wide. So being unprepared for battle is a quick path to defeat and extinction.
1973 was an embarrassment that forced the entire military-political establishment to resign, leading Israel to completely revamp its intelligence forces into an early warning system like no other. Yehida Shemone Matayim, Unit 8-200. 8200 has become one of the largest units in Israel, from 5,000 to 10,000 people if you include reservists.
In charge of signals intelligence, they’re also the offensive cyber operations arm for the country. Involved with every major operation, it supplies 90% of all Israel’s intel for clients like the Mossad, Shin Bet, and other special units. These relationships combine physical and remote hacking methods to help them project regional power.
Take Operation Outside the Box, a bombing run of Syria’s nuclear reactors. The Mossad broke into a Syrian official’s hotel room to plant malware on his computer, which then let 8200 discover secret nuclear plans and pictures. To verify the target, they monitored communications in the area, while commandos raided the facility to collect soil samples.
During the bombing run, a hacking plane injected code into Syria’s air defense systems to show clear-skies on enemy radar screens. Ever since its Yom Kippur humiliation, Israel has become an intelligence powerhouse, anticipating conflict far in advance. Its cyber units are designed to support Israel’s national defense strategy of avoiding long wars of attrition and projecting the image that Israel can act on its own without any allies.
Strike first, defensible borders, deterrence, decisive victory, and close coordination with traditional military units for kinetic action. It’s kind of like Krav Maga, their close combat system, where you avoid fighting, but strike with massive violence when provoked, targeting body parts that cause permanent injury or death. That’s the basis of Israel’s cyber-intelligence apparatus: to enable its defense policy of fighting in a way that makes up for any size or numeric disadvantages.
You might be thinking of ganging up on me. But just remember what I do to people who try to hurt me. But hold on a second: how do you actually build up a cyber force that can support all this in the first place?
There’s no crotch kicking your way to success when it comes to cybersecurity. I’m wondering if there’s anything we can learn as a reproducible model for cyber security teams and other countries to follow. Let's find out!
So there’s a concept called Revolution in Military Affairs, that lets a country boost its power by orders of magnitude. I first came across the term in the book, Unrestricted Warfare, written by two senior PLA colonels. It’s one of the first to introduce legal, economic, and cyber as other forms of warfare.
The authors really liked this guy called Andy Marshall. He ran a secret Pentagon think tank called the Office of Net Assessment. According to Marshall, RMA is all about how well you operate and organize your people with technology.
For instance, before WW2 the French and Germans both had access to planes, tanks, and radios. But the French layered on old WW1 doctrines, producing the Maginot Line. an expensive series of fortresses focused on a defensive war of attrition.
The Germans had their military stripped down after losing, and had to completely reorganize everything. They made a lighter, mobile strategy called blitzkrieg, using tanks and air support in ways never seen before. You can probably guess who won the fight.
When it comes to cyber power, it’s no different. Everyone pretty much has access to the same technologies and tools. The key differentiating factor is all about how you organize human capital, and innovate on operational concepts, and that’s where Israel wins.
So the IDF is like one big HR department for the country. Each year, over 60,000 guys and gals assess into different units based on school grades, personality, and IQ tests. High scores mean tech units like 8200, while low scores mean the border police.
Getting into the right one is key for job interviews down the road in your professional career. It’s a lot of brand-signaling, kind of like going to Harvard or MIT. But the selection process begins as early as kindergarten, with teachers using games and activities to form class distributions later.
Elementary school kids take intelligence tests, with high performers getting better extracurricular development. In high school, afterclass cyber programs help train and identify young talent for military tech units. When it’s time to enlist, formal interviews and tests screen for recruits who are self-taught learners who can solve problems creatively, and are also nice to work with.
But just getting in the door of 8200 doesn’t prove you’re actually good. There’s tons of sub-units and even more subtopics within. For placement into the right team, you go through a 6-month mind bootcamp, where from dawn to dusk, you’re learning programming, Arabic, project management, and intelligence tradecraft.
You’re then organized in small teams working on projects that mimic real-world missions with tight deadlines. There’s a similar model used at Carnegie Mellon’s capture-the-flag team, one of the best in the world. First, get lots of high school students to try out in PicoCTF and pick the top 50 performers.
For those who end up at Carnegie Mellon, train them with coursework and actual CTFs. Then have these guys run the next year’s PicoCTF selection process. You basically funnel the most people through the smallest filter, invest in the ones that make it, then use them to recruit new replacements.
But technical chops aren't everything. You also gotta find personalities with the right cultural fit. There’s four key traits that technological units like 8200 look for: Chutzpah, audacious, doing what no one else is willing to do.
Rosh Gadol, taking initiative and doing things the best way possible, even if it means more work because you see the bigger picture. Bitzua, being resourceful at getting things done. Davka, doing things despite a situation and rubbing it in just on purpose.
So there was this one chemistry test in middle school where I left my calculator at home, and the teacher wouldn't let me borrow another one. Super frustrating, I had to figure out which clear liquid was alcohol or antifreeze. Just to spite her, I taste-tested them when she wasn’t looking and passed the test.
Now, I’m far from being an IDF poster boy, but that’s the kind of person I’d look for to hack into people’s networks. But being a motivated nerd with authority problems isn’t enough. You’ve also got to be good at getting along with others you work with.
When you go from being the smartest person in the room to being surrounded by others who are just as good or smart as you, it’s easy to be stubborn and try to one-up others to prove yourself. That’s why learning to work with others collaboratively in a group is also a quality they look for, especially in later stage practical assessments. Brains, personality, and teamwork.
People who have these traits often end up in units doing the most exclusive offensive cyber and intelligence work in the IDF. Something doesn’t quite add up. Just getting the best people is half the battle.
You need to put them in the right environment too and figure out how to retain that talent. When I was in the military doing cybersecurity, one of the biggest problems was retention. Basically every single person who had some technical ability left as soon as they could.
It really boiled down to three things: meaningful work with other talented people for a higher purpose you truly believed in. But the environment we were in just didn’t make it possible. All the smart folks ended up doing admin work, and those lucky few that got a technical role were surrounded by others who really weren’t qualified for the job.
The layers of bureaucracy were crushing, and it didn’t feel like your individual actions had much of an impact on the big picture. Price’s law suggests that the square root number of people in an organization does half the work. So with 100 people, that’s just 10.
36 people, it’s 6. In a tall hierarchy, your best players get separated by layers of bureaucracy. So imagine an organization of 6400 people.
That’s like 1% of the organization doing all the work. To make things worse, your friends in the private sector are making 3-4 times as much money doing things they actually want, and expressing any desire to leave the service to join them is strongly discouraged. So after you do finally get out, people want to run as far away from that old life as they can, for instance, a YouTuber.
Contrast that with Israel’s cyber units where people coming in the door are heavily pre-screened so there’s a baseline standard of quality people to work with. Recruits are organized into smaller, flatter, flexible teams, in a culture where it’s encouraged to challenge the status quo. In some cases, it feels less like the military and more like working at a tech startup, where your hard work has a clear and direct impact on the outcome and mission.
IDF cyber soldiers are given lots of responsibility from a young age, so while their peers in other countries are spending their formative years iin college, partying away at academic life, they’re grinding 18 hour days on real-world missions, stressing out if the targets they helped bomb were terrorists or Palestinian families. They’ve fully brought into the idea that what they do matters, and working hard to deliver the right intel means life or death for people. Because after it’s all over, there's a lucrative career path waiting for them on the other side.
Coming from brand-name training grounds like Unit 8200, 81, Talpiot, and Havazalot means there's a community of old grads from those same units working in industry waiting to usher you into the next level of Israeli society. So instead of scattering off to the four winds after the IDF, all this human capital that Israel’s refined and developed gets concentrated in the same local geography with veterans continuing to serve in the reserves until they’re 48. Everyone knows everyone, with one degree of separation, creating rich social networks that form what Harvard Business Review calls “Economic Clusters”.
These dense communities are what Silicon Valley is for tech and Wall Street is for finance, geographic hubs that drive innovation and productivity at the world-class level. Israel’s small size has actually become a key part of its strategic cyber advantage. Somewhere in the Negev desert, Israel’s building this advanced technologies park, where companies, academia, and military cyber units are co-locating.
It’s a military-technological complex, blending policy, theory and practice together. Public-private partnerships like these are incubators for a new source of cyber talent, where young service members get to work in tandem with civilian researchers, entrepreneurs and industry practitioners. A sneak peak at Ben Gurion University’s Cyber Labs shows 12 ways to hop an air gap using malware.
They have proof-of-concept covert channels to communicate over heat, LED, infrared, magnetic fields, hard drive sounds, fan vibrations, and more. In Israel, academic research projects like these may one day be operationalized on a mission or productized in a startup. So how does a country create a cyber ecosystem like this in the first place?
Well, it all boils down to building up human capital, and reinvesting it back into the community to compound over time, which could look something like this: First, you need to have the political will to wanna be a cyber power to begin with. It could be a high-profile attack, something existential or humiliating at the national level that motivates leaders across the country to want to spend money on your cyber force, and more importantly, cut out any bureaucracy that would get in the way. The next step is to recruit a group of practitioner-educators from the private sector with existing expertise in cybersecurity, to staff and train the unit.
Concentrate the initiative in a small geographic area, ideally somewhere cosmopolitan and a nice place to live. Have these guys design and build programs and assessment pipelines that draw from school-age students. During selection, pick candidates who are self-taught learners and creative at figuring out problems they’ve never seen before, especially when it comes to programming, networking, and security topics.
You want to find novices who can quickly get to the intermediate level with just a little formal training. You’re also looking for personality traits that make them independent self-starters who are daring at getting things done. These are the guys that makes it to the training pipeline.
During the training, don’t just dole out lectures and homework. Organize recruits into small teams working on projects modeled after real-world scenarios that the teaching staff has experienced themselves. Harvard Business School’s case study method is a great place to start.
Put the recruits in stressful group projects with tight deadlines and screen for the ones who can quickly learn to work with each other as a team and drop the ones who are self-absorbed or struggle to adapt. Once you’ve got the cream of the crop, get them leveled up for a few years working high-impact missions with plenty of freedom, funding, and minimal bureaucracy. Invest in their personal development along the way, take action on their feedback, and help them transition to the private sector if they want to move on somewhere else.
This way, you’re building a brand-name reputation for the unit as a hard place to get into, an awesome place to work, and a launchpad for promising future careers. But before they leave, put the guys on their way out in charge of running the selection process for new recruits to close the loop on your cybersecurity human capital engine. By having the best talent reinvest in the next generation and seed more organizations when they leave.
You’ll eventually build a diverse community of cyber talent, cross-pollinating across business, academia, and government. In 10-20 years, you’ll be well on your way towards becoming a cybersecurity powerhouse. So, what do you think makes Israel so good at hacking, and is their model reproducible in other countries?
Let me know in the comments below! If you enjoyed this video, share it with friends and other people you know. Thanks so much for watching and hope to see you soon!