Imagine that you are the owner of a chain of small businesses or even factories - and one fine day a representative of Israel’s cyber directorate steps uninvited into your office and instructs you to install an antivirus software of their choosing and change the way your organization secures its computer network.
This scenario may become a reality, as a new piece of legislation being fast-tracked by the government aims to substantially expand the Israel National Cyber Directorate’s authority. Among the changes promised by the legislation, which was supposed to be discussed Sunday in the Ministerial Committee for Legislation, are new binding regulations for private companies.
The background to the legislative push is the string of cyberattacks against Israeli companies during the past year. These included ransom attacks, data leaks and even loss of control of entire systems to hackers, for example as happened with the hack on Shirbit insurance by so-called hacktivists and the attack on Havana Labs, an Israeli company owned by Intel.
The legislation - that may not be debated after all, but remains on the docket - has raised concerns from experts and privacy watchdogs. It will provide the cyber directorate with expanded authority over private firms active in certain fields defined as essential services and will provide binding cyberdefense regulations for these firms.
The bill stipulates allowing the authority to “give commands” to private computer systems, provides it with access to files and backups, as well as allowing them to install software on companies’ networks.
The bill grants the cyber directorate the ability to intervene and enter these systems the movement a threat is posed “to the public interest.” However, this interest is not clearly defined and the current wording provides a very wide spectrum for reading of the term, including anything that can lead to physical harm, but also any threat to the state’s economic interests as well as “the orderly function of vital infrastructure and systems.”
- Stinging blow for Israel in major Dubai cyber bid
- Dormant for years, Iranian cyber sleeper cell awakens
- Hackers who hit leading Israeli insurance firm trying to sell details online
The expanded mandate does not extend just to real-time attacks, but also provides the directorate access to private systems in the case a “severe cyberattack” is about to take place. In the case the target organization refuses to cooperate and follow the new directives, the cyber authority can petition the courts and request an order allowing them to enforce cyberdefenses.
Another clause in the bill allows the authority to receive information about the identity of companies’ clients and even see communications between them and their clients. This is permitted in cases when “the client’s computer is critically exposed or there is a major cyberattack.”
According to the bill, “major” or “severe” cyberattack is defined as any incident which could reasonably be described as “threatening Israel’s public interest by virtue of the threat spreading to other computers.”
The cyber authority was established with Netanyahu’s warm endorsement and currently employs 340 people with a budget of a quarter of a billion shekel. Nonetheless, currently it does not have the mandate to enforce binding rules and regulations on private firms as part of their goal of improving the country’s overall cyberdefenses.
In 2018, a draft bill was circulated among government offices that was supposed to address the national directorate’s authority. However, due to political instability, the legislation never moved forward. “It takes time to put such legislation together and hold a substantial public debate,” the new bill’s introduction said, noting the persistent threats Israel faces in the cyber arena.
“In the past year, in wake of the coronavirus pandemic’s outbreak, the level of potential threat has risen substantially - among others, due to the fact that people are working remotely and increased digitization,” the bill said.
In other words, the cyber authority’s patience is running out and they are pushing lawmakers to provide them with what they perceive to be the tools and expanded mandate they need. As a result, the new bill will be valid only for two years.
“The cyber directorate decided to do something small in the meantime,” a government source said. “However, this ‘small’ thing is actually much more expensive in scope than the initial bigger bill was. As far we know, there are governmental offices that are not aware of this.”
The directorate does have a problem addressing cyber attacks: For example, many of the ransom attacks that targeted private firms were not handled by the directorate and feel beyond its authority. Therefore, a change is needed. However, it is far from certain expanding their authority is the way to go. Cutting the cyber director down in size is also an option - one not being discussed as part of the legislation the cyber directorate is promoting. The idea that more authority will make it more efficient is a problematic assumption and it may be better to have the organization serve as a small consulting body working with private companies.
If the bill is put into law, the cyber authority will become overnight one of the strongest organizations in Israel: Alongside the Shin Bet, it will be allowed to make binding decisions for private companies, as well as international ones, on how they defend themselves against cyber attacks. This is a right reserved only for ministries - thus, for example, that the authority worked with the Health Ministry to make sure Israel’s HMO were properly defended. Now, if the legislation passes, the authority could force the HMOs or any organization deemed vital to do so directly, without the relevant ministry.
A senior government source criticised the move, saying: “This legislation is overly broad and fails to define on which fields the directorate can use its expanded authority. For example, how about the finance sector? Or is it the entire market? It is clear that an organization focused on cyberdefense will take a very severe stand in the face of this threat and push for regulation outlining what programs must be installed without taking into account budgetary costs or unreasonable timelines,” they said.
They also added that, “there is a need to address the cyber directorate’s authority, and the Shirbit attack underscored this problem, but there is a very big difference between vague definitions like ‘harming the country’s economic interests’ and what needs to be done.”
Dr. Tehilla Schwartz Altshuler from The Israel Democracy Institute said the bill fails to include any checks and balances: “It is natural for the cyber directorate to want more authority, and it is clear this needs to happen through legislation, but this proposal is not balanced and it is very serious to push through such legislation while the Knesset is not functioning.”