Shin Bet steps up supervision over Israeli banks' computers to prevent future cyber attacks
Shin Bet seeking to have the banks defined as institutions that are responsible for essential infrastructure, which would enable the agency to supervise them even more closely.
The Shin Bet security service has recently stepped up its supervision over computer systems of commercial banks, out of fear that they could become the target of a cyber attack that could dry up the country's financial lifeblood.
The Shin Bet is also seeking to have the banks defined as institutions that are responsible for essential infrastructure, which would enable the agency to supervise them even more closely. All companies that fall under this definition have their computer systems directly supervised by the Shin Bet via the National Information Security Authority. Companies already on this list include the Israel Electric Corporation, Israel Railways, Bezeq and the Tel Aviv Stock Exchange.
Both the banks themselves and their regulator, the Bank of Israel, have for years opposed adding the banks to the list, fearing that Shin Bet involvement could frighten off both foreign investors and foreign depositors. But senior banking officials said that this time, they believe the Shin Bet will get its way despite their opposition.
Earlier this year, the Bank of Israel's banking supervision unit began cooperating with the Shin Bet on the issue. A few months ago, Supervisor of Banks David Zaken summoned all of the banks' information technology managers, along with representatives of the Association of Banks in Israel, to an urgent meeting on the subject of cyberterror with Shin Bet officials and the Bank of Israel's own information security experts.
At the meeting, Zaken stressed the importance the central bank attaches to this issue and explained the Shin Bet's recommendations on information security. Since then, he has sent out an unusually large number of directives detailing additional Shin Bet instructions and ordering the banks to follow them.
Participants of that meeting agreed to set up an industry-wide situation room to which all the banks would report if they experienced a cyberattack. The information would then be shared with other banks, to enable them to protect themselves against similar attacks.
For now, participation in the situation room will likely be voluntary. But banks that refuse to share information about attacks they have suffered won't receive information about attacks suffered by other banks.
On Monday, the media reported on a new, highly sophisticated computer virus called Flame that apparently spied on government agencies in the Palestinian Authority, Syria, Iran and other countries in the Middle East and Europe.
Israel, too, has suffered several cyberattacks over the last year. The most serious one was when a Saudi hacker posted some 15,000 Israeli credit card numbers online. Since Israel's three credit card companies - Isracard, Leumi Card and Cal - are all owned by the banks, this was essentially an attack on the banks.
At about the same time as that attack, hackers shut down several key Israeli websites, including those of the stock exchange and El Al Israel Airlines.
In response to these attacks, the Shin Bet ordered the Bank of Israel to have banks bar access to their websites from certain sites in Iran, Saudi Arabia and Algeria.
Zaken declined to comment on this report, and a source close to the Bank of Israel said the Shin Bet had forbidden the bank to do so. The Association of Banks also declined to comment.
Dr. Nimrod Kozlovski, a lecturer in information security at Tel Aviv University who also owns his own data protection company, said that two decades ago, the banks viewed information security mainly in terms of preventing fraud. "But in the late 1990s, and even more so in recent years, the view has begun to change to one of national security, in which financial systems in many countries - the United States, for example - must be treated as critical infrastructure.
"The assumption is that certain civilian infrastructure that is not supplied by the government is nevertheless of critical importance to the nation's strength or stability ... There are nightmare scenarios that could affect the nation's strength, such as one in which hackers seize control of the interbank clearing system, which is responsible for all financial transfers in the economy, or over the interbank communication system, enabling them to shut down the banks' commercial trade."