The New Israeli Cyber Draft Bill – A Preliminary Overview

By: Amir Cahane

Contents of the Bill

On June 20, 2018, the Israeli Prime Minister’s Office published a draft Cyber Security and National Cyber Directorate Bill.[1] The Bill is the latest stage in a process, begun in 2010, of creating a national cyber security authority in Israel as part of its national cyber security strategy.[2]

The first part of the Bill serves as the legal basis for the establishment of the Israeli National Cyber Directorate (INCD). The INCD is defined as an operational security body within the Prime Minister’s Office, whose purposes are defending the cyber domain and promoting Israel as world leader in the cyber field. The INCD is tasked with national defense efforts against cyber threats, enhancing Israel's capability to handle cyber attacks, and promoting Israeli cyber policies, as well as furthering international cooperation in the cyber field and advising the government on cyber-related matters.

The first part of the Bill delineates certain organizational aspects of the INCD. INCD employees are subject to confidentiality provisions, as well as to other restrictions that may later be decided upon by the Prime Minister. The Bill also creates the position of an INCD cyber security officer, who supervises the Directorate's own cyber defense. Moreover, pursuant to the first part of the Bill, an oversight framework is put in place, composed of an external supervisory committee and an internal privacy supervisor.

The powers of the INCD are set forth in detail in the second part of the Bill. The INCD is authorized to obtain and collect cyber security-related information (any information that may assist in the detection, handling or prevention of cyber attacks) and information that may be used to produce cyber security-related information; to process information for the purpose of producing cyber security-related information, subject to the provisions of the Bill; to transfer, share and distribute cyber security-related information to the private market and entities therein, subject to the provisions of the Bill; and to provide assistance to any relevant entity in handling a cyber attack. The INCD will operate the national Cyber Event Readiness Team (CERT), which is already up and running.

Under the provisions outlined in the second part of the Bill, INCD employees are authorized to demand from any relevant organization any information or document necessary for the detection, prevention or handling of cyber attacks. INCD employees are further conferred with the power to enter nonresidential premises and seize any object, provided that there are reasonable grounds to assume it may contain “cyber security-related information”. Similar entry to residential premises is subject to the consent of its holder or to a court order (except in exceptionally urgent cases).

Authorized INCD employees may also give instructions to organizations (such as the state, a local authority, a business or anyone who provides a service to the public) in order to prevent, detect or respond to cyber attacks. Additionally, the INCD may apply for a judicial warrant authorizing it to perform Computer Actions (i.e., to access, change or copy computer materials such as data or software, monitor communications between computers, give orders to a computer using a Computer-Readable Language,[3] or install computers or other devices in computers or in computer networks of organizations for similar purposes). Such a warrant will be granted if the court is convinced that there are reasonable grounds to believe that a cyber attack has occurred or that there exists a cyber threat which may harm vital interests. The INCD may also apply for a judicial warrant for sampling purposes, authorizing Computer Actions in an organization, if the court believes there is a real chance that such activities will assist in the detection of a cyber attack. In certain emergency circumstances, the head of the INCD may authorize the exercise of such powers without a judicial warrant for a period not exceeding 24 hours and subject to a later court review.

Several privacy protection provisions are included in the second part of the Bill. However, alongside principles such as privacy by design, data minimization, and the general prohibition against disclosure of information obtained by the INCD under the Bill, certain exceptions may allow such disclosure in criminal proceedings in connection with serious crime. Furthermore, the Bill requires the Prime Minister to set rules for sharing cyber security-related information with other security services, including the police. It is unclear whether such rules will adhere to the ‘specific purpose’ principle, which opposes the use of information for purposes other than those for which it was collected, and whether they will provide sufficient safeguards to ensure that any information the INCD shares with another security service will be used only for thwarting cyber threats or attacks.

The third part of the Bill sets the framework for the national regulation of cyber security, in order to further the resilience and response of organizations in the various sectors of the Israeli economy to cyber attacks. Pursuant to Government Resolution 2118 (reducing regulatory burden), any cyber security regulatory action under the Bill must be taken in consideration of its compatibility with international or domestic standards, as well as the proportionality of its scope and measures in view of the nature of the entities affected, their exposure to cyber threats, and the likelihood that such threats will actually be realized. In addition, regulations shall be introduced following an assessment of their direct and indirect economic implications.

The Bill adopts a flexible framework that aims to adjust the level of governmental regulatory interference to the severity of the risks facing different sectors and organizations. Under the decentralized prong of this hybrid framework, existing regulators already operating in designated sectors[4] will serve as the competent authorities for regulating cyber security within their sectors. In such a capacity, the competent authorities are tasked with mapping the sector under their purview for cyber threats, and issuing orders to the organizations accordingly, based on the INCD's cyber security guidance, in consultation with the INCD head. A competent authority may also direct a regulated organization to nominate a cyber security officer, who will provide periodic compliance reports. Competent authorities may condition the issuance or renewal of any license to such an organization on its compliance with cyber security orders or guidance.

The regulatory framework outlined in the Bill also has a centralized prong, which allows the INCD to directly regulate the cyber security of certain sectors or organizations. The INCD is authorized to directly regulate cyber security in sectors listed in Schedule 3 of the Bill, which is currently empty, in lieu of the competent authority regulating the sector. Sectors may be added to the schedule by an amendment order issued by the Prime Minister, provided that they include organizations that are exposed to cyber threats that may harm vital national interests. The head of the INCD may subject a specific organization to direct INCD cyber security regulation when similar conditions apply, for a period not exceeding three months. For low-risk organizations and sectors, the regulatory framework offers a non-coercive model, under which the INCD intends to use various soft interference techniques to enhance cyber security, such as promoting public awareness, proper training, etc.

Discussion

Several questions and concerns may be raised following an initial review of the Bill. The main themes discussed above – the breadth of INCD powers and the adequacy of safeguards and oversight mechanisms offered under the Bill, and the evaluation of the Bill's regulatory framework – call for further detailed analysis, which goes beyond the scope of this note.

Following the publication of the Bill, most commentators focused their critiques on the following aspects of the Bill: the INCD's role as a national security agency, the powers conferred on it under the Bill, and the sufficiency of the oversight mechanisms in place.[5] A year earlier, four chiefs of Israel’s security establishment had raised their concerns about an early version of the draft Bill, arguing that the powers granted to the INCD under that draft were too broad.[6]

The far-reaching data collection and online monitoring powers of the national CERT under the Bill raise privacy concerns and – according to some commentators – invoke a troubling image of a vast government spying apparatus. The Bill's reference to "vital interests", whose protection justifies intrusive cyber security measures, is a particular source of concern, since the term could be subject to broad legal interpretations that further expand the INCD’s powers and regulatory reach. It should be noted in this regard that the Prime Minister has discretion to add new ‘vital interests’ to the existing statutory list.[7]

Without downplaying the importance of maintaining cutting edge national cyber security capabilities, including predictive and online response capacities facilitated by the CERT, it appears that the oversight scheme and internal safeguards available under the Bill might not provide sufficient, effective and robust protections with respect to the INCD’s extensive powers. For example, the external oversight committee, while invested with certain investigative powers, may lack sufficient resources and manpower to properly supervise the activities of the INCD. In addition, the committee’s annual reports are submitted only to the Prime Minister, without any parliamentary[8] or public scrutiny.[9] As mentioned above, certain provisions in the Bill might be used to circumvent the specific purpose limitation on the use of data collected by the INCD, and facilitate intelligence creep to other security services and government agencies.[10] Some safeguards pertaining to retention, processing, use and deletion of data collected by the CERT are not specified in the Bill, which leaves them to be set by the Prime Minister and Justice Minister through future regulations, some of which may be secretive.

Considering the heavy burden already imposed on many actors in the Israeli cyber ecosystem, which are subject to various domestic and international, voluntary and coercive regulations, rules and standards, adding an extra layer of regulation under the Bill should be done with particular care. Thus, the flexible regulatory framework outlined in the Bill is a positive aspect, which enables constant fine-tuning of the specific regulatory regime applying to various sectors, in accordance with contemporary levels of threat and rapid technological change. Such a nimble approach can reduce the risks of excessive, cumbersome and outdated regulation, as well as the risks associated with ineffective and insufficient regulation.

Apart from the sectors listed in Schedule 2 of the Bill, all of which are considered classic critical infrastructure (CI) sectors and are regulated by designated competent authorities, the Bill has yet to specify any organization or sector that the INCD is authorized to directly regulate. It is unclear whether and how the INCD will use the flexible regulatory framework in the Bill to further its statutory objectives in the future. It is also worth noting that the Bill does not set any sanctions for organizations that fail or refuse to comply with the INCD’s demands in its capacity as a direct regulator.

As the INCD aims to cast a wide net, applying either mandatory or voluntary standards to the entire market, one should bear in mind the challenge of keeping the elaboration of standards up to date with the latest technological, legislative and other developments, both domestic and international. What are the legal implications of the INCD's capacity to set non-binding, voluntary, yet recommended standards? Will they become a standard of care? And should the INCD fail to update its standards due to a lack of sufficient resources, would the inadequate regulatory standard disincentivize organizations from optimizing their cyber security by going further than the minimal standard of care provided by the regulator?

In addition, some sectors might remain under-regulated. The legal and accounting services sectors, for example, are not regulated directly by the INCD, nor are they under the purview of a competent authority. However, they may be exposed to cyber threats compromising vital interests.[11] Furthermore, the regulatory framework is yet to impose, for instance, cyber security standards for Internet of Things (IoT) products, and for cyber security products or service providers. It might be beneficial to consider a cyber security certification scheme in accordance with standards set by the INCD (which may be based on internationally recognized criteria or locally tailored standards), wherein the INCD or private intermediaries will certify and accredit relevant products and services.[12]


[2] See Government Resolution No. 3611 (Advancing National Cyberspace Capabilities, 7.8.2011), English version available at http://www.pmo.gov.il/English/PrimeMinistersOffice/DivisionsAndAuthorities/cyber/Documents/Advancing%20National%20Cyberspace%20Capabilities.pdf; Government Resolution No. 2443 (Advancing National Regulation and Governmental Leadership in Cyber Security, 15.2.2015), English version available at https://ccdcoe.org/sites/default/files/documents/Government%20Resolution%20No%202443%20-%20Advancing%20National%20Regulation%20and%20Governmental%20Leadership%20in%20Cyber%20Security.pdf; Government Resolution No. 2444 (Advancing the National Preparedness for Cyber Security, 15.2.2015), English version available at https://ccdcoe.org/sites/default/files/documents/Government%20Resolution%20No%202444%20-%20Advancing%20the%20National%20Preparedness%20for%20Cyber%20Security.pdf; Government Resolution No. 3270 (17.12.2017), available at https://www.gov.il/he/departments/policies/dec_3270_2017 (Hebrew); Isaac Ben Israel and Lior Tabansky, Cybersecurity in Israel 43-62 (Springer, 2015).

[3] As defined in Art. 1 of the Computers Law, 1995.

[4] These sectors, listed in Schedule 2 of the Bill, include financial services, health and medical services, transportation, environmental protection, energy, water and sewage, mail and communication services, and commercial broadcasting.

[5] See Tehilla Shwartz Altshuler, “Cyber law or government spying law?” Israel Today (25.6.2018, available at http://www.israelhayom.co.il/article/566437) (Hebrew); Omer Kabir, “Israeli Civil Liberties Groups Warn Against Potential for Abuse in Cybersecurity Bill” Calcalist (25.6.2018, available at https://www.calcalistech.com/ctech/articles/0,7340,L-3741002,00.html); Raphaella Guicman, “Experts warn: Cyber law grants the state with overly free access to our computers” TheMarker (20.6.2018, available at https://www.themarker.com/technation/1.6197128) (Hebrew).

[6] Jacob Magid, “Security chiefs slam Netanyahu over planned cyber defense body” The Times of Israel (24.4.2017, available at http://www.timesofisrael.com/security-chiefs-slam-netanyahu-over-planned-cyber-defense-body). Although this letter may be dismissed as part of a ‘turf war’ between security agencies (see Elena Chacko, “Cyber Reform in Israel at an Impasse: A Primer” Lawfare (27.4.2017, https://www.lawfareblog.com/cyber-reform-israel-impasse-primer)), it is unclear whether INCD powers under the published draft were curtailed pursuant to the letter. However, Art. 71 of the Bill authorizes the head of the ISA to grant its employees the powers detailed in the second part of the Bill, in order to thwart terror or espionage threats. This may suggest that the ‘turf war’ was resolved.

[7] Compare, for example, with Art. 7(6) of the Israel Security Agency Law 2002 (ISA Law), under which any new function with which the government decides to task the ISA is subject to the approval of the Knesset subcommittee for intelligence and secret services (English version of the law available at https://knesset.gov.il/review/data/eng/law/kns15_GSS_eng.pdf).

[8] Compare with Art. 12(b) of the ISA Law, under which the head of the ISA shall report to the parliamentary subcommittee every three months.

[9] Compare with Art. 10A of the Privacy Protection Law 1989, pursuant to which a public privacy protection council submits to the Knesset its commentary on the annual report of the Database Registrar. See also Art. 4(e) and 6(g) of the Israeli Wiretap Law 1979, under which the applicable minister must annually report to a parliamentary committee the number of wiretap requests approved under the Law.

[10] However, it should be noted that the Bill (Art. 17(a)) strictly limits the use of data processed and collected by the CERT to the purposes of early detection and handling of cyber threats only.

[11] Eli Wald, “Legal Ethics’ Next Frontier: Lawyers and Cybersecurity” 19 Chapman L. Rev. 501 (2016), available at SSRN: https://ssrn.com/abstract=2724017.

[12] See, for example, Sec. 24-35 of the Singapore Cybersecurity Act 2018 (Act 9 of 2018), available at https://sso.agc.gov.sg/Acts-Supp/9-2018/