Cyber Reform in Israel at an Impasse: A Primer
Published by The Lawfare Institute
A leaked letter from the heads of Israel’s major security agencies reveals tensions between the government and the security establishment over the allocation of powers and responsibilities in the cyber realm. The letter expresses the strong objection of the security establishment to draft legislation that would define the jurisdiction and tasks of a new civilian Cyber Defense Authority, created in 2015 to improve Israel’s readiness to address cyber threats, including threats to the private sector. This recent development is a good opportunity to take stock of the country’s years-long effort to design cybersecurity agencies and reshuffle related authorities—an effort that is hardly unique to Israel.
Background
Beginning in 2011, the Israeli government adopted a series of resolutions overhauling its cybersecurity structures. Resolution 3611 (Aug. 7, 2011) determined that the government would work toward advancing national cyber capabilities, strengthening protection of critical national infrastructure, and regulating powers and responsibilities in the cyber realm. In order to promote those goals, the Resolution approved the establishment of the National Cyber Bureau (the Bureau) in the Prime Minister’s Office, with wide-ranging cybersecurity responsibilities. Among other assignments, the Bureau was tasked with advising the government on cyber policy issues, coordinating policy across government and facilitating cooperation among academia, industry and the private sector, government ministries and the security agencies (IDF, ISA (Shabak), Mossad, the Police, and the Head of Security of the Defense Establishment (DSDE)). Importantly, however, section 5 of the Resolution explicitly excluded the security agencies from its purview. According to the Resolution, the security agencies would be subject to special arrangements mutually agreed upon between the agencies and the Bureau.
Following further assessment of Israel’s cyber readiness, Resolution 2444 (Feb. 15, 2015) approved the establishment of a National Cyber Defense Authority that would operate alongside the Bureau in the Prime Minister’s Office (the Authority). It shifted the focus of the Bureau’s responsibilities to strategic planning and capacity building. The Resolution entrusted the Authority with operational responsibility for preventing cyber attacks and addressing threats in real time, in cooperation with the security agencies as well as the Foreign Ministry. The Resolution further provided that the Authority would serve as a focal point for cyber-related intelligence and analysis, work to increase readiness to thwart cyber attacks across different sectors, issue guidelines, regulate cybersecurity services, and guide the work of cybersecurity units within government ministries (on the latter two points, see also Resolution 2443, adopted on the same day). Finally, the Authority was tasked with establishing a Cyber Event Readiness Team (CERT) that would service stakeholders across the economy. According to the Resolution, the national CERT would provide assistance in cyber defense, facilitate information sharing, and allow for coordination between security agencies and other actors.
Resolution 2444 only defined the structure and powers of the Authority in general and somewhat ambiguous terms, requiring further elaboration in the process of its implementation. It created many spaces of potential friction among the actors involved in cybersecurity policy and operations, and tasked different organs with seemingly overlapping responsibilities. For example, the Resolution created a five-member cyber advisory board to advise the Prime Minister on major decisions related to the operation of the Authority, on top of the cyber Bureau and the Authority itself. Another example is the relationship between the Authority and the Bureau. The Resolution provided that the Authority would have operational independence, but subjected it to the head of the Bureau in some aspects of its operation without clearly defining those aspects. A third example is the relationship between the Authority and the ISA. While section 12 of the Resolution made it clear that the Resolution does not detract from the cyber-related statutory authorities of the ISA, section 9 invited the Bureau to put forward a plan for the transfer of responsibility for cyber defense of critical computer infrastructure under the Regulation of Security in Public Bodies Law, 1998 from the ISA to the Authority. Perhaps most importantly, vesting the operational responsibility to prevent and address cyber threats in the new Authority was bound to draw the ire of the security establishment.
Before turning to the implementation of Resolution 2444, it is important to note that the IDF has also set cyber reforms in motion in parallel to the government reforms explored so far. In June 2015 the Chief of Staff of the IDF, Lt. Gen. Gadi Eisenkot, decided to create a unified Cyber Command that would take the lead on cyber within the military. Prior to that decision, the Telecommunications Directorate of the IDF was responsible for cyber defense, while the signals intelligence unit of the Directorate for Military Intelligence (DMI) was responsible for collection and offensive cyber operations (see also here). However, in early 2017 this ambitious plan was replaced by a more careful approach that, for now, largely preserves the previous organizational division of labor between the DMI and the Telecommunications Directorate. According to news reports, the reason for the change of direction was fear that a unified cyber command might harm collection and offensive work currently done in the DMI (see also here, Hebrew).
Implementation and Recent Developments
The National Cyber Defense Authority established pursuant to government Resolution 2444 officially began its operations in April 2016. The national CERT is also up and running. As required by the Resolution, in August 2016 the Israeli parliament (Knesset) passed a temporary amendment to the Regulation of Security in Public Bodies Law, 1998 to facilitate the transfer of responsibility for the defense of critical computer infrastructure from the ISA to the Authority (explanatory notes here, Hebrew).
However, this amendment only addressed one aspect of the Authority’s operations. At the time of its adoption, work was already under way at the Ministry of Justice and the Bureau on comprehensive legislation that would regulate the Authority’s powers and responsibilities, as well as other aspects related to cyber defense. By all accounts, the legislative effort has not been advancing smoothly. An August 2016 report prepared by a Knesset Cyber Defense sub-committee pointed to disagreements, lack of cooperation and turf wars between the Authority and the security establishment, noting that there was some improvement in this regard that resulted in the signing in June 2016 of a Memorandum of Understandings between the ISA and the Authority. The report also observed that although Resolution 2444 explicitly states that the authorities of the ISA will be preserved, there is no avoiding at least some chipping away at its authorities with the entry of a new actor, the Authority, into the cyber field.
The disagreements over the scope and content of a comprehensive cyber defense law came to a head earlier this week, with the publication of a letter from the heads of the major Israeli security agencies to the Prime Minister and the Cabinet Ministers (first reported by Israel’s Channel 2 news). The letter was signed by the head of Mossad, the head of the ISA, the IDF deputy chief of staff and the director general of the Ministry of Defense. In the letter, the security agencies expressed their strong objection to recent draft legislation that was presented to them by the Bureau. The letter states that the draft legislation “ignores the existing authorities of the security agencies and the government resolutions pertaining to cybersecurity that explicitly exclude the security establishment from their purview.” The letter further states that by granting the Authority expansive powers without clearly defining its purpose, the draft could severely harm the work of the security community in the cyber realm. The letter concludes with a call to scrap the current draft and negotiate a new one that would take account of the position of the security agencies.
The turf wars around the legislative effort notwithstanding, the Authority continues to operate. In an unusual move just two days after the publication of the letter, Prime Minister Netanyahu’s office announced on Wednesday that the Authority had successfully thwarted a cyber attack targeting 120 Israeli institutions, government officials and individuals. U.S. and Israeli experts have reportedly attributed the attack to Iran.
The fact that the Authority is “live” and operating should put pressure on all parties to agree on a statutory framework for its operations. In the absence of a statutory framework, the Authority might overreach and unilaterally take on responsibilities and tasks that are currently performed by the security agencies, while the security establishment might make life very difficult for the Authority by refusing to cooperate. In addition to the costs of a continued statutory vacuum, one could expect pressure from Prime Minister Netanyahu, who has made cybersecurity a top priority, to resolve the current impasse.