Can one regulator rule Israel’s cyber ecosystem?
The Prime Minister’s Office (PMO) of Israel published a new bill in February entitled “Cybersecurity and the National Cyber Directorate.” If passed by government committee and the Knesset, this law will redefine cybersecurity governance in Israel. The PMO officially tabled an earlier version of the bill in June 2018, but that bill did not advance through the legislative process given the strong objections it raised both in the professional cybersecurity community and among other government authorities. In particular, stakeholders raised concerns about the broad scope of authority sought by the Israel National Cyber Directorate (INCD) under the 2018 bill. Other concerns included the lack of proper safeguards over the nature and scope of invasive “computer protection actions” taken by the INCD in response to cyberattacks, the potential for privacy infringements in the name of national security, and the interface between the activities of the INCD and other law enforcement agencies. The process of affording the INCD—which is currently a policy-setting body—with operative powers has been controversial even within Israel’s security establishment. One publicized example of this controversy was a 2017 leaked memo to the prime minister from the Mossad, the Israel Security Agency (Shin Bet), Israel Defense Forces and the Defense Ministry declaring their opposition to the expanding authorities of the INCD.
The new bill is an abbreviated formulation of the 2018 version and is framed as temporary legislation with a two-year sunset clause—perhaps to avoid some of the opposition that emerged in response to its earlier iteration. The PMO wants to move fast—somewhat insincerely in our view—because of increased cybersecurity risk while teleworking during the coronavirus pandemic and the associated digitization of workplaces in both the public and private sectors. A string of recent attacks on Israeli companies, which two of the authors discussed in a previous Lawfare post, also generated a sense of urgency for providing the INCD with unprecedented and controversial legal tools to respond to the new risk environment. These steps, however, come at the risk of compromising Israel’s established rule of law safeguards and oversight mechanisms.
The bill aims to regulate the INCD’s functions and powers in providing professional cybersecurity guidance to public and private entities. Those functions and powers were established in order to prevent future cyberattacks that could affect, in the bill’s language, “vital public interests” and to respond to impending or ongoing attacks. As with the 2018 bill, members of civil society have expressed serious questions about the exceptionally intrusive powers granted to the INCD to undertake “computer protection actions” in a private computer network, or to instruct a private business to undertake such actions. Those same authorities also have implications for privacy and intellectual property rights. In the event that private companies do not cooperate, the INCD may seek a court order allowing it to access company servers without consent, without assumption of liability on the part of the INCD and at the company’s expense. Article 9 of the bill contains another exceptional power that allows the INCD to receive the contact details of business clients of private companies, if they are also exposed to a severe cyberattack.
Nationalization of Cybersecurity in the Private Sector?
At a general level, we have concerns about the paradigmatic shift the bill introduces in the interrelations between the INCD and private entities in Israel. Until now, the INCD has embraced a policy that puts the ultimate responsibility for cybersecurity in the private sector. Such companies currently have a strong incentive to protect their data, clients and servers. The INCD’s role has been to support these companies as they face cybersecurity challenges, serving as a hub of technological information and professional expertise. With the exception of entities providing critical infrastructure, which are subject to direct regulation, the INCD has operated with private entities primarily under a cooperative model. This is mostly due to the INCD’s lack of formal regulatory powers and its declared policy of relying on existing regulatory bodies for a sector-based cybersecurity enforcement regime.
The 2021 bill, like its 2018 predecessor, introduces a radical change in the relations between the INCD and private entities. While exercise of the requested authority depends on judicial authorization, the bill allows the INCD to obtain such authorization in ex parte court proceedings, that is, without the relevant company being present or heard.
This new authority is probably unnecessary. Until this proposed legislation, Israel’s cyber ecosystem had been characterized by a high degree of government-private sector cooperation. We have seen no strong indications of past incidents in which private companies refused to cooperate with the INCD when confronting a cybersecurity crisis, let alone one involving national security interests. There appears to be no need to radically shift the current cooperative relationship between the INCD and the private sector to one of coercion. Such a shift puts significant and unjustified pressure on the right to privacy of data subjects operating on private servers, on intellectual property rights and on other business interests. While the bill limits access, use, and retention of private data and metadata gathered by the INCD from companies, it gives the INCD and the court system considerable discretion in the application of such limits. On a practical level, the shift of responsibility from private entities to the INCD sends an unintentional message: that private businesses providing important public services can become more complacent about cybersecurity, since they can now rely on the government to come to their rescue in times of need and take over the protection of their servers.
One Regulator to Rule Them All?
Another concern about the 2021 bill involves the interplay between the different government regulators with a role in cybersecurity. As mentioned above, the approach of the Israeli government has been to empower existing sectoral regulators (in the fields of banking, insurance, communications, health and financial services) to require organizations and companies operating in their respective fields to develop adequate cybersecurity policies, with the INCD serving as a coordinator and a professional hub. The 2021 bill, unlike the 2018 bill, does not address the INCD’s current relationship with the sectoral regulators and will most likely disturb the current balance between them. The resulting confusion will be especially pronounced when multiple regulators try to prescribe preventive measures for the same organization.
While the bill does allow sharing of collected data across government bodies (which presumably include the sectoral regulators), the data sharing raises even more concerns about data protection and leakage. It is not clear whether the data can be shared with foreign intelligence services, again raising privacy, intellectual property and other concerns.
The 2021 bill clearly demonstrates the government’s interest in quickly providing new legal tools to the INCD to safeguard the national security interests of Israel in cyberspace. This desire is made even more urgent at a time when Israel is confronting a heightened risk of cyberattacks (due, presumably, to intensified tensions between Israel and Iran and its proxies). Yet the bill makes a radical departure from previous practice by shifting the ultimate responsibility for cybersecurity from the private sector to the government, usurping the powers of sectoral regulators. These sweeping reforms are even more peculiar given the two-year sunset clause. It makes little sense to introduce such drastic changes for such a short time (although it is possible that the sunset clause provision was introduced into the bill only to facilitate its quick passage, in the hope that it could be extended at the end of the two-year period).
We believe that the bill raises grave concerns about privacy and intellectual property rights and interests. These concerns cannot be swept aside even at times of enhanced cybersecurity risks. Now that life in Israel is gradually returning to pre-coronavirus patterns, the time for urgent temporary legislation has passed and the bill should be reintroduced in a modified form as a permanent, not short-term piece of legislation. Its final form should feature a sustainable, balanced and cooperation-based cybersecurity policy for the private sector within established rule of law and oversight constraints.
The article was published in Lawfare.