Former soldiers at Israel’s Intelligence Corps have set up perhaps hundreds of infosec start-ups. In contrast, tech firms hiring ex-NSA or GCHQ staffers remain something of a rarity.
Keren Elazari, an industry analyst with GIGAOM Research who covers cyber security, said there are several reasons that might explain this phenomenon. Amongst these are demographic, social, and cultural factors (such as the zeitgeist of the post-Stuxnet cyber security industry), she explained.
"For the typical bright young Israeli, screening and recruiting for elite technology and intelligence IDF units begins at age 17, sometimes even earlier – and it takes into consideration high school studies like math & computer science," Elazari explained. "When the youngsters reach 18, they are conscripted into service and undergo intense educational courses and on [the] job training - several months at least, for both generic military purposes but also for the professional roles they are assigned to with their elite units. This happens at an age when most Americans attend college, which is a much more 'loose' experience."
Elazari's work keeps her in touch with a lot of security startups in Israel as well as a lot of more established companies from Silicon Valley, allowing her to make these types of demographic comparisons. Going into the military rather than college when they leave home gives Israelis a leg up in gaining real world experience, particularly when it comes to technology.
"Most Israelis serve three years,” explains Elazari. “Some stay for more 'professional army' years as they attend officer training as well – which means, by the time they are 21-23 and out of the army, they have very solid experience with very demanding 'real world' situations, towards mission critical goals – working long hours, weekends, etc – and both short term and long term goals can change rapidly pending on their military assignment. This is almost like 'startup bootcamp', if you will.”
"At the same time, around age 22-23, their U.S. hypothetical counterpart might still be in college, struggling to find professional focus, or perhaps still going through the military ranks or 'agency corporate ladder' , trying to fit in as part of the colossus which is the American US-CYBERCOM/NSA complex."
Social factors also come into play, such as the Israeli aptitude for innovation and admiration for those to strike out in business, even if they aren't successful.
“Israelis love to innovate,” said Elazari. “They love to invent new things, and often, because of limited resources and other constraints, they've learned they have to get crafty in order to survive. This is embedded in the Israeli DNA, even outside the technology industry. This also means that choosing a path of entrepreneurship is highly regarded by society – even if you are not a successful entrepreneur."
You need chutzpah for this to work – and Blighty just can't measure up
Examples of previous success act as a template.
"Even if you've started three companies which all went bust after a year or two, you are a 'serial entrepreneur' and command respect from other Israelis. Israelis are not afraid to try, and they possess 'chutzpah'*, audacity, which is a very Israeli resource.
"This isn't to say Americans aren't aggressive in business - just that Israelis, even young, inexperienced in the business world, fresh out of the military, are more likely to go out into the world and try their luck. and the established success stories of big security vendors like Check Point, Imperva, Trusteer and CyberArk, for example, provide inspiration and ample opportunists for those who would like to first cut their teeth in the 'big business world' - often seen as a pit stop on the way to starting their own company," she added.
The cyber security industry has undergone a lot of changes in recent years, many could be traced back to the "summer of Stuxnet" in 2010.
Elazari explained that Stuxnet "really shook up the industry and also created a lot of business opportunities as governments and large organizations around the world scrambled to 'do something about cyber security'".
"In Israel, ever since 2010-2011, the current prime minister (Binyamin Netanyahu) and an entire cadre of industrial development advisers, ministers and organizations, sought to leverage the Israeli advantage in cyber security innovation. The PM speaks about 'turning the startup nation into the cyber nation' in many speeches, and the government has allotted many grants and other development vehicles to promote the local cyber security start up industry," Elazari told El Reg.
This promotion come in the form of grants for universities, R&D programs, the new national cyber bureau and many other initiatives. Multinational companies – such as RSA, Cisco and many more – have opened cyber security 'centres of excellence' in Israel, seeking Israeli talent.
"At the same time, in the US, a lot of the 'cyber’ buzz was generated by the large defense companies like Boeing, Lockheed Martin and Northrup Grumman – all setting up new business lines surrounding generic 'cyber solutions' – whatever that means," Elazari added. "These huge companies that have strong ties have also recruited out of the same pool of potential CYBERCOM/NSA graduates – most of whom are older and perhaps less willing to go for 24 hour-long coding sprees or figuring out new features on the fly. On top of that, I’m not sure there is any comparable government decision in the US to support a budding startup ecosystem, or anything similar to the strong support we experience here in Israel."
The investor's view
Shlomo Kramer founded datacentre security firm Imperva after he co-founded Check Point Software more than 20 years ago. Kramer has participated as an early investor and board member in a number of security and enterprise software companies, including Palo Alto Networks and Trusteer, that trace their origins back to the IDF's Unit 8200. Start-ups such as Cyberreason and Argus are trying to emulate his success.
Kramer told El Reg that over the years he's moved over from an operational role and became more of an investor. He said that state-sponsored hacking and industrial espionage is becoming a driver for growth in the infosec market.
"Nation state involvement is not going to go away and in fact is becoming much more mainstream," Kramer explained. "In some cases there is a cross-pollination between nation states and cybercriminals."
Military doctrine tales about cyber as the fifth realm of conflict alongside land, sea, air and space. It's tempting to think that the internet has become militarised over recent years, with privacy and confidence in e-commerce among the casualties.
Winning the Cold War against the Soviets brought a peace dividend in terms of reduced military spending, at least for a few years. And the space race brought fringe benefits such as non-stick frying pans.
Argus's Heilbronn had no confidence that the seemingly inexorable rise in surveillance technologies would result in benefit for either corporate security or the internet as a whole. The surveillance dividend is "for the state," he told El Reg. ®
* On the rendering of “chutzpah” from Hebrew into English, Vulture Central's backroom gremlins are reminded of an old Jewish joke explaining the concept: A boy murders his parents and then pleads for leniency on the grounds that he is a poor orphan.