National Cyber Directorate war room

As war continues, Israeli government wants more cyber control

The government is formulating emergency regulations that will give the National Cyber Directorate the authority to issue binding instructions to businesses in the event of a cyberattack. The directorate says that these are balanced powers that will apply to very limited business sectors, but experts point to a number of deficiencies in the regulations

Against the background of the war with Hamas, Israel’s government is formulating emergency regulations that will expand the powers of the National Cyber Directorate and give it the authority to issue binding instructions to certain businesses in the event of a cyberattack, this according to the draft regulations obtained by Calcalist. The Directorate says that these are balanced powers that will apply to very limited business sectors, but experts warn that in practice the applicability of the regulations will be broad, that their application will create an information load that will burden the activities of the Directorate and that it is a mistake to advance this change without primary legislation.
1 View gallery
חמ"ל של מערך הסייבר הלאומי סייבר
חמ"ל של מערך הסייבר הלאומי סייבר
National Cyber Directorate war room
(Photo: Oded Karni)
The regulations, which are still in the stage of internal discussions, give the Cyber Directorate, the Shin Bet, or the Director of Security of the Defense Establishment the authority to issue binding instructions to certain computer service providers in the event of a cyberattack. In addition, the provider of these services will be obliged to report a cyberattack within four hours at most from the moment it is detected. The proposed regulations will apply to storage service providers (defined as "storage of information provided for uploading to the internet, data processing and storage services and services for providing information, infrastructure for data storage or processing, search media services or media streaming services with the exception of cloud computing services"), and digital service providers (defined, among other things, as software services, consulting services, planning and implementation of computer systems, data processing services, cyber protection services and supply or installation of computer systems, again excluding cloud services). According to the regulations, the list of entities to which they will apply will be confidential.
The Cyber Directorate explains that the proposed regulations are not intended to replace the cyber law, which should give the Directorate much broader powers. "The cyber law applies horizontally, including the obligation to report cyberattacks and the obligation to provide adequate protection and risk management, to about a dozen sectors. Here we are only dealing with one sector," Roy Friedman, Head of the Strategy & Policy Dept in the National Cyber Directorate, told Calcalist. "Our adversaries are operating in cyberspace against Israel with full force, and intensifying attacks. There are 15 Iranian attack groups or Iran's proxies with clear goals and we meet them on the ground. The companies (to which the regulations will apply) are part of a supply chain and an attack against them could infect many organizations. If they do not take the necessary protective measures, then their customers - bodies in the health sector, local authorities, business entities, shipping companies - absorb the damage, which may affect the fighting."
Friedman added that the Directorate normally works with these bodies by agreement, in the absence of appropriate authority in the law. However, he often encounters "bodies that are reluctant or dragging their feet", who do not implement or are delayed in implementing the directives of the Directorate. The regulations, he says, are intended to provide the Directorate with the necessary room to maneuver in order to receive updates from these bodies on cyberattacks and the authority to give them binding instructions. "In terms of balances and breaks, it's something subtle but very necessary in times of war," Friedman added. "We see entities that refuse to deal with incidents, and this may affect tens or hundreds of customers who are connected to them. During a war, the effect of all this is twofold. We have seen such attacks in times of peace as well, and the economic damage of such attacks is very significant - through one such company, it is possible to reach dozens of other companies.
"The regulations include a Directive to give an instruction whose impact is the least, to consider the impact on the Directorate’s activities, to submit a periodic report to the Foreign Affairs and Security Committee and the Ombudsman. It happens in a managed and balanced way and they don't run amok. They are not asking to buy security software for tens of millions of shekels but to deal with incidents ahead of time. The treatment can often be to update systems, disconnect connections, things whose cost is not significant."
The regulations also do not include financial or punitive sanctions for companies that do not comply with the guidelines. "The working assumption is that as soon as there is a law, bodies will listen to the instructions," Friedman said. "As soon as there is a law, the treatment will be much faster. Israeli companies during the war will not violate Israeli law, and in the end, when it goes to their legal office, they will immediately give the green light because there is a law."
Regarding the secrecy of the entities to which the regulations will apply, Friedman said: "To publish the list of entities is to draw the attacker's target bank. We do not want the target bank to be published on the internet. The companies will know about it, the Cyber Directorate will know, but the Iranians and Hezbollah do not need to know."
Not everyone shares the optimistic view of the Cyber Directorate in relation to the proposed regulations. Dr. Tehilla Shwartz Altshuler from the Israel Democracy Institute criticized, among other things, the choice to deal with the issue through emergency regulations."According to the ruling of the Supreme Court, emergency regulations can only be established if it is not possible to resort to primary legislation by the Knesset. The Knesset is functioning now, and certainly when it comes to an abbreviated law. Emergency regulations proposed so far within the current war are much more specific than the broad arrangement proposed here,” she said.
Shwartz Altshuler also stated that in practice the applicability of the regulations is much broader than presented by the Directorate, and that "the regulations basically apply to anyone who provides information systems and information management and information search to any business in Israel." As for the obligation to report a cyberattack, she said that this is a very broad obligation that, in addition to clear events such as disrupting the normal operation of a computer, deleting computer material, infiltrating computer material, and eavesdropping on communications between computers, also includes dealing with Fake News ("storing or presenting information or output which is false or misleading, depending on the purposes of their use," according to the language of the regulations). "The obligation to report is very, very broad, and will create a huge burden on the providers and also flood the Cyber Directorate," she explained. "In addition, it is not clear what the Cyber Directorate can do with all this information that is reported to it, because it has no authorization to do anything with it."
Regarding the confidentiality of the list of entities, she said: "This is a problematic matter, given that it is a broad list of entities, and transparency regarding the fact that they are regulated is very important for the management of cyber risks in the civil and private sector, and also for the public's trust that the digital products it uses are monitored and secure."