Israel Vulnerable to Cyberattacks on Civilian Sector, Top-secret Report Says

State watchdog report cites agency infighting and widespread failure to act, issues a wake-up call. Most serious shortcomings found in areas under the National Cyber Bureau, a part of Prime Minister Netanyahu's office.

Prime Minister Benjamin Netanyahu visiting a cyber youth program, Ashkelon, Israel, April 25, 2013.
Kobi Gideon

Prime Minister Benjamin Netanyahu has made the establishment of a national system for protecting Israel from cyberattacks a priority and a point of pride, but the state’s main oversight agency warns that critical infrastructure is unprepared to withstand the substantial threat they face from hackers.

On Tuesday, State Comptroller Joseph Shapira issued a report warning that Israel is not geared up to defend against cyberattacks on civilian computer networks. The 63-page report is top-secret and has not been made public, but Shapira’s office released an unclassified six-page executive summary of the document.

A reading of the summary suggests that many of the details of the report were classified in order to avoid disclosing the extent of Israel’s vulnerability to cyberattack.

Shapira focuses his criticism on the slow pace with which the National Cyber Bureau and the new National Cyber Security Authority on one hand, and the Shin Bet security service on the other, are dividing their responsibilities. He also notes the failure to fully implement three cabinet decisions issued between 2011 and 2015.

It was decided that the Shin Bet would retain responsibility for military cyber-defense and for critical civilian infrastructure, such as the railways, air- and seaports and the power grid and installations of the Israel Electric Corporation.

A man types on a computer keyboard in this illustration picture February 28, 2013.
Kacper Pempel, Reuters

Responsibility for the civilian sector, mainly private companies and factories, was assigned to the National Cyber Security Authority.

The state comptroller found that most of the shortcomings were in the areas for which the National Cyber Bureau and National Cyber Security Authority have responsibility. Other than a few fields such as “national critical infrastructure,” the preparations being carried out on a national level in the civilian sector are not keeping pace with the extent of the threat there in general, the summary stated.

The report also disclosed that several entities deemed critical infrastructure have still not fully implemented the measures required by the Shin Bet to protect computer systems, which, as practical matter, exposes them to cyberattacks. Shapira issued a recommendation calling on the Shin Bet to report to the boards of directors of entities with critical computing facilities informing them of the failure to comply with the directives. Such a failure, Shapira added, “places essential national infrastructure or the business activity [of the entity] at risk.” He also recommended considering legal measures that would force entities with critical infrastructure to comply with the Shin Bet’s directives.

The state comptroller found that three full years had elapsed between the original 2011 cabinet resolution and the completion of the process of dividing responsibilities between the National Cyber Bureau and the Shin Bet. The pace of the process, Shapira said, also held up legislative and organizational structural changes as well as the transfer of resources that were essential to expanding protection from cyberattack in the civilian sector. This, Shapira added, was “inconsistent with the growing threat to the State of Israel.”

Shapira also found deficiencies in staff headquarters work and the decision-making process in connection with dividing responsibilities between the National Cyber Bureau and Shin Bet. This included a failure to provide an alternative to cabinet members other than what they were voting on; the absence of details regarding the cost of shifting responsibilities from the Shin Bet to the cyber bureau; and an absence of explanations regarding the significance of implementation of the cabinet resolution on the Israeli economy.

Shapira also disclosed that, although a legislative memorandum on a cybersecurity bill was to be submitted to the prime minister by August of last year, as of the beginning of this year, it had still not been completed. In addition, it was a full year after a resolution was passed establishing the new National Cyber Security Authority before a director of the agency was appointed.

Netanyahu and State Comptroller Shapira, 2012.
Emil Salman

One of the more serious shortcomings noted by the state comptroller related to procedure that the National Cyber Bureau, which is part of the Prime Minister’s Office, was to carry out with regard to a survey of the civilian-sector entities that needed to be protecting. The survey was to be conducted bearing in mind the kinds of computer systems being used, the risk of harm to them and the potential damage that would be caused. Despite years of work on the effort, the National Cyber Bureau has still not finished the project, Shapira wrote.

By virtue of its responsibility, the bureau should have seen to it that the extent of the problem that it was dealing with was defined when it comes to civilian sector cybersecurity; that the fields and entities that needed to be protected be determined; and [that it be decided] how this needed to be addressed and what resources would be invested.” The bureau needs to step up its activity on the matter and, either itself or through others, act to conduct a full survey in the area.”

The National Cyber Bureau responded to the report: "Israel's policy is held in great professional esteem by many counties and international organizations seeking to learn from its innovative approach and its implementation, regarding both the establishment of the country's strength and the establishment of national defense."

"In the past five years, the government has taken a long list of measures to formulate and implement a thorough and orderly state of preparedness in order to maximize the opportunities inherent in the development of cyberspace and to deal appropriately with its emerging threats," it added. "A significant portion of the government's efforts began to bear fruit only after the time period examined, but are already evident now. The remaining recommendations are in the implementation process, which is naturally adapted to the changing needs."  

MK Erel Margalit (Zionist Union), a member of the Knesset Foreign Affairs and Defense Committee's subcommittee for cyber defense, said that "the state comptroller's conclusions are the result of Netanyahu's attempt to subject the field of cyber too to his exclusive control, contrary to the position of security officials."

"Many civilian infrastructures – technological, financial, transportation and medical – are in constant danger of cyberattacks by terror organizations and state attacks that could paralyze the entire country," he added.