IDF Cybersecurity as a Warning
If the Israeli Defense Force (IDF) is failing on cybersecurity, what hope is there for the rest of Israel's digital infrastructure?
Israel's new government and its challenges are preoccupying all of us. All aspects of life are considered: health, economy, homeland security, transportation, etc. Yet one significant challenge facing all the new ministers has remained hidden and unaddressed for far too long: protecting Israel's digital infrastructure.
In recent decades, Israel has undergone a rapid digitization process, including computerizing all information systems. There is no doubt that the benefits have been immense. However, we have become increasingly vulnerable to cyberattacks on critical infrastructure (electricity, water, transportation). Moreover, digitization has enabled the use of extensive personal information for many criminal activities (identity theft, credit card fraud, voter fraud). These attacks are growing in scope, number, and financial damage, as is the sophistication of the criminal organizations and hostile states behind them. And unfortunately, time and time again, it turns out that the defenses in place for Israel's digital systems are scandalously inferior.
Just a few weeks ago, the State Comptroller published a disturbing report. A significant problem revolves around the IDF's information systems, which store biometric information such as fingerprints, palmprints, dental records, and DNA samples. There is no orderly process to protect this information. The military has failed to meet even the most basic data protection standards. The IDF General Staff's standing orders on protecting private information have not been updated for 26 years. Surplus information is not deleted, and no coordinating body examines all the information repositories or is responsible for their protection.
If the IDF, a giant in cyberspace, is in trouble, what about the Water Authority, the Ministry of Education, the Ministry of Transportation, and the Tax Authority?
The water company, Mekorot, is considered a "critical national infrastructure" and is therefore directly handled by the National Cyber Directorate. But what about the regional water agencies responsible for supplying our homes with water? Currently, no defense requirements are in place against possible cyberattacks, the Water Authority does not approve data security architecture plans, and none of the relevant computer systems are connected to the National Cyber Directorate's Control Center. No one seems to be in a rush to take up the reins, and the regional water companies "were graded poorly for their cyber-defense readiness," wrote the State Comptroller.
An outdated security system protects the Ministry of Education's major information management network, as the position of head of cyber defense has been vacant for months. Israel's children's medical, educational, and personal data are at risk.
Do you need to be more worried? Cyberattacks on transportation networks have the potential for wreaking devastation, from paralysis of the country's ports, via substantial traffic jams, to crashes with many casualties. And indeed, the Ministry of Transportation set up a cyber division tasked with providing guidelines to the thousands of relevant transportation agencies and companies. Yet, the necessary administrative work still needs to be completed.
There needs to be an orderly mapping of the informational assets of the Tax Authority, which holds extensive information about all Israeli citizens, taxpayers, and self-employed workers. Consequently, there needs to be a suitable security plan for each of the Authority's informational assets. There is no risk-management system and no requirement for the Authority to report to relevant bodies in the event of a cyber breach.
The current report joins others published over the last year on cybersecurity failings at the Israel Electric Corporation and the Central Elections Committee. It was not necessary to issue a report on hospitals: the recent cyberattack on Hillel Yaffe hospital, which caused physical and emotional harm to patients, was a shocking demonstration of the state of affairs.
There is a systemic problem with Israel's cyber defense readiness.
Most of the data security flaws identified in the report stem simply from negligence—a lack of planning of defensive systems, a lack of control over information storage, failures to update operating systems and software, weak passwords, chaotic approaches to managing system access, and failures to create information backup systems that are disconnected from the regular system, should disaster strike.
The core of the problem lies, first, in the appalling extent of digital ignorance regarding the importance of cyber protection and, second, in a lack of incentives and sanctions to promote the creation of defense mechanisms against cyberattacks. The National Cyber Directorate has published a document titled "Cyber Defense for Organizations," a practical handbook to help directors of companies and organizations develop a cyber defense plan. However, the Directorate has no enforcement powers without a suitable legislative framework.
So why is there still no cyber law? It's a good question, and the answer is straightforward. The proposed Cyber Law bill sought to place all cyber oversight under the authority of the National Cyber Directorate, a secret defense agency similar to the Israel Security Agency (Shin Bet). It thus attracted fierce opposition from the civilian public sector and the private sector. Certainly, cyberattacks may come from enemy states, but criminal and financial motives drive most hackers. Therefore, the approach to cyber defense (except for critical infrastructure) should be based on active awareness, legal responsibility, and publicly transparent risk management rather than on a default of passivity and the belief that "the security services will protect us."
Israel's cybersecurity is a ticking time bomb; no one knows when or how it will explode or which institutions will be affected. But it is clear that this will happen at some stage and that the damage will be severe and scary. Therefore, the State Comptroller is right to emphasize the importance of passing a cyber law that defines a framework for oversight and enforcement. Secret defense agencies should be kept from these powers, as they would monitor companies, transportation systems, and credit card transactions. Instead, the country's cybersecurity oversight should be entrusted to a strong government agency with significant powers. All government ministries should also be required to take steps to improve their literacy, awareness, and expertise in the field of cyber defense. Furthermore, strengthening our cybersecurity system would only be complete with significant changes to the Privacy Protection Law and supporting the Privacy Protection Authority, which will make it possible to hold those responsible for protecting our private information accountable for their gross negligence.