State Comptroller Joseph Shapira has published an assessment of preparations for cyber attacks by Israeli government ministries, based on an investigation conducted in July 2017-July 2018. He evaluated critical state infrastructure (the Bank of Israel, Oil Refineries, Israel Railways, Israel Airports Authority, Israel Electric Corporation, Israel Ports Authority, Israel Tax Authority, Israel Internet Association, and the Tel Aviv Stock Exchange), government ministries, support units, and sector guidance units in government ministries. The actions of the National Cyber Directorate and the government cyber defense unit were assessed, with supplementary examinations at the Israel Security Agency (ISA).
The criticism is cautiously expressed, and the report states that for security reasons, it does not include all of the information gathered by the State Comptroller. "A subcommittee of the Knesset State Control Committee decided not put the report on the Knesset agenda and to refrain from publishing parts of this audit section in order to maintain state security," the report says. Between the lines, however, is a strong wake-up call for the system.
The relevant section in the State Comptroller's report published yesterdaybegins with a review of government decisions, their implementation, and the State Comptroller's previous reports, as well as the evolution of the agencies responsible for dealing with the new challenges. Responsibility for protection of essential computer systems against cyber attacks was arranged some time in 2002, and a cabinet decision gave this authority to the ISA. This authority is currently in the hands of the National Cyber Directorate, to which the authority was actually given only in 2017, two years ago, under a 2015 cabinet decision to establish the National Cyber Directorate by uniting the National Cyber Bureau and the National Cyber Security Authority into a single agency.
The main findings concern readiness in the examined agencies, headed of course by critical infrastructure, and preparations by the agencies responsible for this infrastructure, including the National Cyber Directorate. The report concluded that when the audit was completed, only some of the critical state infrastructure agencies had complied with the instructions under the defense doctrine. The National Cyber Directorate's status assessment "did not reflect the level of preparedness in the agencies for coping with cyber attacks." After the audit was completed, however, the National Cyber Bureau presented a comprehensive and updated status assessment to the Office of the State Comptroller that filled in the gaps and gave the State Comptroller a complete picture. The State Comptroller did not write, however, that any improvement had taken place in the infrastructure agencies' compliance with the guidelines.
"Drafting of a cyber bill still not complete"
The National Cyber Directorate is still in the formation stages. Just last week, "Globes" revealed a new system devised by the Cyber Directorate for mapping and rating the vulnerability of critical infrastructure agencies, together with a voluntary "civilian" system with similar capabilities for the private sector. The Cyber Directorate plans to complete these systems in the next two years.
A key part in the process of building the Cyber Directorate as a new security agency in Israel, to be added to the IDF, ISA, and the Mossad, is legislation regulating its actions. A legislative memorandum was published for public comment nearly a year ago, but the State Comptroller's report states, "As of the date on which the audit was completed, three years after the cabinet decision establishing the Cyber Directorate, and despite the national importance of regularizing protection of the civilian sector, the necessary processes for devising the cyber bill have not yet been completed."
The delays in the legislative process were to a large extent dictated by the wish to conduct an in-depth and thorough discussion with all of the agencies involved, including legal experts and civilian social organizations concerned about preventing future misuse of the authority of the Cyber Directorate, which is subordinate to the Prime Minister's Office. Both the writers of the legislative memorandum, headed by legal advisor Amit Ashkenazi, and people from the Ministry of Justice Counseling and Legislation department, allowed consultation to continue far beyond the short time required by law. The early general election caused further delay.
The State Comptroller nevertheless warns that due to the fact that because the Cyber Directorate's authority has not yet been anchored in primary legislation, "The absence of a normative source of authority for the Cyber Authority's staff is liable to obstruct cooperation with other agencies and cause the staff to refrain from certain actions, such as taking computers for testing and conducting forensic tests."
The State Comptroller's report also states the conclusions from its testing of three critical infrastructure agencies, without naming the agencies. The main criticism can be summed up in one phrase: foot-dragging. Concerning one agency, the State Comptroller writes that although the ISA conducted a comprehensive audit of the agency in 2016, the current audit "found gaps, among other things in reports to the Cyber Directorate of events and other matters… as of the date on which the audit was concluded, the agency had not finished rectifying some of the deficiencies." The report states about a second unspecified agency, "as of the date on which the audit was completed, a certain protection component had not been installed," while noting that a third agency lacked recovery equipment.
Another agency audited by the State Comptroller is the Yahav cyber defense unit, founded under the 2015 cabinet decision in order to improve cyber defense and guide government ministries and their support units. According to the State Comptroller's report, however, the data obtained from Yahav indicate that not all of the units have appointed a cyber defense manager, some government ministries and support units have no information and cyber security policy document at all, and some government ministries and support units have not yet completed risks surveys.
The third audited group is government ministries authorized by the 2015 cabinet decision to organize civilian space through "units for instructing and guiding sectors and preparing staff work for examining the necessary legal corrections and changes." The decision states, "The unit will be subordinate to the government ministry to which it belongs in accordance with the latter's regulatory authority, and shall act according to the Cyber Directorate's professional guidance."
The State Comptroller writes, "The government ministries are finding it difficult to work at the necessary pace, and to take effective measures. The civilian sector will find it hard to meet the cyber defense challenge without instruction and guidance. There is concern that without suitable government leadership, the economy will be left exposed to cyber attacks."
Published by Globes, Israel business news - en.globes.co.il - on May 7, 2019
© Copyright of Globes Publisher Itonut (1983) Ltd. 2019