Israel State Comptroller Criticizes Ill-Prepared Cyber Defense

The Israeli State Comptroller recently issued a summary of its comprehensive report, in which he dispraises Israel’s ill-preparedness against cyber threats. The summary raises, among others, the following points:

  • The process of developing a regime for allocating responsibilities in the field of cyber-defense has been dragging on for years and the process of formulating Israel’s overall cyber-defense doctrine has overrun the deadline that the Israeli government decided on in 2011. This lack of attention does little to address increasing cyber threats against Israel.
  • The Cyber Bureau did not present to the Prime Minister a work plan on shifting the oversight of information security of critical infrastructures’ computer systems from the Israeli Security Agency (Shabak) to the National Cyber Authority. It was required to do so by August 2015.
  • As of the beginning of 2016 the draft bill on Cyber Defense was not completed, even though it should have been submitted to the Prime Minister by August 2015.
  • A survey of foreign information security and cyber standards was conducted significantly later than scheduled. Also significantly delayed was the review and adoption of mechanisms aimed at confirming and certifying cyber security products in Israel in accordance with international information security standards.
  • As of the completion of the Comptroller’s investigation, the Israeli Cyber Bureau did not complete the task of defining a mechanism for ranking cyber defense services.
  • The process of mapping Israeli cyberspace has yet to be completed and no work plan or schedule was specified for it. Consequently, the Cyber Bureau lacked information needed to determine which organizations in civilian cyberspace warrant cyber protection.
  • A number of organizations subject to oversight of their information security measures are not at an appropriate pace in the multi-year program on implementation of information security requirements determined by the Israeli Security Agency. Some of these organizations have been subject to Israeli Security Agency’s oversight for a while.
The State Comptroller did not refrain from recommendations, such as:
  • Having the Israeli Security Agency consider the possibility of reporting to the board of directors of organizations that run critical infrastructural computer systems, of the organizations’ failure to follow the Israeli Security Agency’s directives, resulting in exposure impacting the critical infrastructures or the organizations’ business activities.
  • Having the Cyber Bureau, the Israeli Security Agency, the Ministry of Justice and other relevant actors consider taking enforcement action against covered entities under the Regulation of Security in Public Bodies Law that fail to follow the Israeli Security Agency’s information security directives. These actors should likewise consider seeking statutory amendments aimed at providing them greater enforcement powers.
Barak Ravid, in an article in Haaretz (in Hebrew), indicated that the State Comptroller’s full report was classified ‘top secret’ and was not disclosed. He also reported that reading the unclassified summary leaves the impression that numerous details were left classified so as not to reveal the extent to which Israel is exposed to cyber-attacks.
The State Comptroller’s summarized report (in Hebrew), is available here, in chapter 2 of the Comptroller’s 67A Report.