A Look at Israel's New Draft Cybersecurity Law

By: Deborah Housen-Couriel.

Last month, the Israeli government published the draft of its long-anticipated cybersecurity law and issued a call for public comment, which closes on July 11. The draft (Hebrew) represents years of consultation and debate concerning Israel’s approach to cybersecurity. It combines elements of existing cybersecurity legislation and policy with several significant innovations, including some controversial broadening of powers of the lead government agency for cybersecurity, the National Cyber Directorate (NCD).

As in other countries, responsibility for Israel’s cybersecurity is spread across several government ministries and private sector organizations. In 2011, the government created the NCD, tasking it with coordinating national cybersecurity efforts and policy and making it directly accountable to the prime minister. Under the proposed law, the NCD’s position will be strengthened by a bolstering of its leadership role in assessing national cyber risks, planning for national preparedness and resilience, and providing guidance to government agencies and the Israeli private sector. For instance, the NCD’s current supervisory powers over other government regulators have been minimal and constrained by legacy regulation. Under the proposed law, the NCD is specifically granted enhanced authority to issue national guidance on cybersecurity matters, even within the scope of other regulators in areas such as finance, health, transport, energy, and communications.

In the explanatory notes that accompany the bill, the drafters have taken pains to outline the need for regulatory intervention given an increasingly hostile cyberspace. Two fundamental principles are specified: (a) the need to develop a new approach to cybersecurity by initiating an unprecedented type of cooperation between government and the private sector; and (b) the need to devote national efforts to improve cyber preparedness and mitigate the fallout from incidents. The drafters were also careful to separate the civilian and military aspects of cybersecurity in the proposed law. For instance, the authorities of the NCD extend to addressing issues relevant to hostile cyber activity targeting Israel such as strategic risk assessment, mapping of national vulnerabilities, and real-time information sharing, but exclude authorities that would allow it to respond to attackers – a task for the military or security agencies.

The bill establishes the NCD as the primary national cybersecurity regulator and maintains its direct accountability to the prime minister. Among its core responsibilities, the NCD will deploy two operative bodies: (1) a center for countering cyber threats on an ongoing basis (the national computer emergency response team, CERT-IL, will continue to serve this function) and (2) a detection and verification hub for early warning and attack mitigation. The hub will facilitate information sharing among specified governmental and private sector actors, essentially creating a national database of threat indicators and other data. The proposed database has already sparked controversy in the Israeli media since it will inevitably entail the collection and processing of large amounts of private and corporate data.

The NCD is also likely to gain powers under the proposed law allowing it to access documents and computer data from private sector organizations in order to identify, prevent or mitigate hostile cyber activity and to seize any equipment for inspection for the same ends. Although some of these actions, such as intervention in an organization’s computer network, will require judicial authorization, this may be waived under certain conditions justifying urgent action in the view of the head of the NCD. These powers are currently the subject of public controversy and may not survive the full legislative process awaiting the bill. 

For their part, private sector entities that cooperate with the NCD and with competitors on cybersecurity matters will obtain immunity from antitrust and other civil claims. Additionally, certain corporations designated by the prime minister in consultation with the minister of justice will be required to convene an annual board meeting about cyber governance issues, including cyber threats to business operations, cyber risk assessment, and the degree to which the organization has carried out relevant NCD policies and guidelines.

Finally, the proposed law introduces a new data classification and protection regime for information gathered by the NCD itself or shared with it, categorized by the risks entailed by its exposure. Thus, data of techno-security value (i.e., indicators of a hostile cyber event); unidentifiable data (that do not reasonably allow for the identification of an individual or an organization); and protected data (in accordance with Israel’s data privacy and other domestic laws) are subject to different processing safeguards by the NCD and those sharing such information. The sufficiency of these safeguards is an additional point of public critique of the bill.

In summary, the draft cyber law merges robust regulatory innovations with controversial initiatives, at a time when Israel’s global credibility and deterrence in the face of ongoing, critical cyber threat vectors remain high. The country continues to influence the global market for cyber products and services well beyond its size, garnering approximately 15 percent of global cyber investments, with investors infusing $815 million into Israel’s cyber market last year, according to a recent report. Nonetheless, despite Israel’s cybersecurity successes so far, the proposed law raises several challenges in the context of the difficult balancing act required in democratic, rule-of-law societies between the needs of national security and the safeguarding of fundamental individual rights. The opportunity for public consultation on the draft law in the coming weeks provides an arena for vigorous deliberation, which the Israeli public, companies and academics will undoubtedly put to ample use.

This article first appeared on Net Politics blog, published by the Council on Foreign Relations. Reproduced under a Creative Commons license.