Despite the warnings of lawyers and experts in data security, on Feb. 15, the outgoing government authorized the creation of a national cyber defense authority. In a strongly worded letter to Attorney General Yehuda Weinstein, the opponents argued against the authorization of the program, because the agency to be created will hold many powers that could impinge on citizens’ privacy, without checks and balances.
Among the signatories of the letter are Boaz Dolev, formerly the head of Project Tehila, attorney Yoram Hacohen, the former head of the Law, Technology and Information Authority at the Ministry of Justice, and many lawyers and legal experts in the field of cyber security. According to them, the government’s proposal lacks “the creation of a civil mechanism for inspection and control over the authority’s activity — starting from periodic reports to the government and the public, to representing the objects of inspection and monitoring — in the private and business sectors — in the central decision-making processes.”
Preceding this decision was a year of fighting between the Shin Bet and the National Cyber Bureau at the prime minister’s office over the question of who will be responsible for the creation of the new agency. In the end, Prime Minister Benjamin Netanyahu decided to leave the Shin Bet out of the picture.
Professor Isaac Ben-Israel, the head of the Interdisciplinary Cyber Research Center at Tel Aviv University and one of the leading experts in the field in Israel and the world, thinks Netanyahu’s decision was necessary and correct. While at first Ben-Israel supported the Shin Bet’s position, in the end he changed his mind and recommended to Netanyahu that he place the agency under the jurisdiction of the prime minister’s office, mainly in order to protect civic interests in privacy and data security as much as possible.
On June 23, Netanyahu will be the guest of honor at the annual International Cybersecurity Conference at Tel Aviv University. Among the participants will be Minister of Defense Moshe Ya’alon and experts from all over the world, including David Koh, the head of the cyber bureau in Singapore. One of the central topics to be discussed at the conference will be the question of how to build a mechanism to protect the individual as part of the global cyber wars that are constantly escalating.
In a special interview with Al-Monitor, Ben-Israel, the chairman of the event, reveals the regulatory structure forming in Israel in the field of cyber security and estimates that in the end there will be no option but to deal with this issue through special legislation. As he sees it, very soon the government will make the installation of network security systems a condition for business licenses.
The text of the interview follows:
Al-Monitor: Where do you think Israel stands compared to the rest of the world where it comes to protecting privacy? Citizens here and elsewhere are concerned about the rule of Big Brother.
Ben-Israel: The field of cyber security is one of the special cases where the State of Israel is taking preventative steps, unlike its usual practices. It’s thinking forward and preparing itself. We have a country with a strong high-tech inclination and large professional groups that understand the threat in this field. In this case, the prime minister himself advanced the creation of the cyber security agency. I was at the discussions and I can say he took this threat to heart, and pulled all his weight to find a solution. He also justly decided in the end that the Shin Bet will not be responsible for the agency.
Since the prime minister knows our abilities in the field of cyber warfare, he asked himself what would happen if someone did something similar to us, and reached the obvious conclusion that this is a major threat. Since 2002, we in Israel have been protecting part of the critical infrastructure of the country, both military and civilian. We have systems for the discovery of attacks, and we’ve seen the attacks on Israel’s electric company. On a normal day there are hundreds of thousands of attempts to attack us by private individuals and organizations, Palestinian elements and countries.
We know that cyber warfare against civilian infrastructure, like airport and transportation systems, could kill hundreds of people — even more — and so it’s terrorism in the full sense of the word. Attacking the computer system of Israel Railways, for example, could cause a catastrophe if it causes two trains to collide. Therefore, in order to protect citizens, we have to have inspection and a mechanism for defense, with the maximum possible protection of privacy, and so removing the Shin Bet from the picture was the right thing to do.
Al-Monitor: Does the prime minister’s high degree of involvement in this issue stem from his view of the threat from Iran, which he sees as the primary threat to Israel?
Ben-Israel: Of course it’s also connected. There’s a claim that Israel is behind the bugging of hotels in Geneva, to listen to the Iranian delegation to the nuclear talks. I don’t know if Israel was involved, but in any case, whoever installed this virus wanted the information and it shows the potential of cyber warfare on the Iranian front. The [Israel Defense Forces] has long understood that we must create a cyber warfare branch, and so that was established at the beginning of June. But as opposed to the IDF, in the civilian system, this story is more complicated and difficult because it doesn’t have the authority to invade the privacy of individuals like the military system sometimes does.
In a civilian network, there’s a tension between the need for security on the one hand and the need to protect privacy on the other, and the question is how to resolve it. You can’t ignore security for the sake of maximum protection of privacy, certainly in a country like Israel, and expose us to every whim of a terrorist. But the other extreme of security above all isn’t good, and doesn’t suit a democracy and the business environment.
For example, a few months ago someone was able to publish a list of Israeli bank account holders in Switzerland. This caused many problems for people, even though apparently no one broke the law. But there are people who didn’t want it to be known that they have such an account, maybe because they didn’t want their spouse to know. There was a lot of embarrassment for many people.
This kind of privacy is very important in the business world. The only path that remains is to find a balance, but the problem with balance is that we create it according to our life experience, and in this field of cyber warfare, we and the rest of the world don’t have any experience. We have nowhere to look and say, “Let’s do like they’ve done in America.” When we look at other countries, we find that we are on the front lines. There isn’t 100 years of history.
Al-Monitor: Who do you think should lead the cyber regulation in Israel?
Ben-Israel: Following the recommendation of a committee I chaired, the government of Israel decided in January 2015 that regulation in this field won’t be in the hands of the Shin Bet. If it were in their hands, there’s a fear that the interest of security will overwhelm the interest of protection of individual privacy. Until now, the defense of the State of Israel’s critical civilian infrastructures, like the electric company, was entrusted to the General Security Service [Shin Bet], but it’s unacceptable that the Shin Bet would be responsible for cyber security in all of the civilian realm.
We need a civilian body that is not connected to the security forces and has only one purpose: the health of the civilian Internet system. That it won’t have viruses. It won’t be responsible for preventing terrorism, but to make sure that viruses don’t run rampant in the channels of communication and the Internet. The cyber security agency now being created is civilian and composed of public figures and judges, similar to the Israel Securities Authority, which is an independent agency that does not receive instructions from the minister of finance or the prime minister.
This agency must work on several levels, mostly in regulation, meaning, for example, to condition a business license on the installation of a cyber security system, like car insurance is conditioned on installing an alarm system. The agency must set a standard for businesses for cyber security as a condition for a business license. It won’t be uniform for everyone, it will depend on the type of business and its size.
Al-Monitor: What will regulation look like in the field of cyber security, in terms of enteties and procedures?
Ben-Israel: It’s a question we thought a lot about, and in the end we reached the conclusion that it must be done through the natural regulators. If someone harms Israel’s banking system, he could do a great deal of damage to the economy. So how do you regulate and ensure information security for the banks? The agency won’t tell them how to secure their systems. It can make demands that would kill them financially, and so it will do so through the natural regulator of the banks.
For example, the agency would turn to the Bank of Israel and recommend to it how to secure information — that is, what regulation is required. The Bank of Israel is a regulator whose purpose is to ensure the stability of the banks and not information security. It needs to weigh these considerations against the damage that could be caused to the banks if it overemphasizes security. At the same time, we can assume that no one will do business with a bank whose information flows somewhere else. The only direct regulation the cyber agency will be in charge of is regulating cyber security companies.
Another element of the agency will be its connection with other civilian centers in the world, since cyber warfare has no borders. There will be an Israeli cyber emergency center, which will be in touch with similar centers throughout the world. A citizen could report a cyber attack and it would be possible to locate it before it does bigger damage.
In my estimation, the center will be active within two years.
Al-Monitor: How close are we to passing the cyber security law?
Ben-Israel: In the end, the law will be passed. To me, it’s clear. In the meantime, we don’t have enough experience. We don’t change laws every two days. There was an unsuccessful American attempt, and now everyone is mulling over the same dilemma.