Israel: Doubts Concerning the Performance of the National Cyber Bureau

Information Security Authority

The public uproar over the establishment of the National Cyber Bureau is far from subsiding. Following the request made by security, legal and technology experts to Israel’s Attorney General to regulate the jurisdiction and the legal limitations in the framework of this new body, it turns out that even when it comes to the authorities the Bureau was vested with, it cannot be said to be operating per an organized plan.

“If you really want to have IT Security in Israel, it is not enough to just establish a Bureau,” says a senior defense industry official. “The National Cyber Bureau did not come up with any regulated policy, because doing so takes a great deal of hard work no one wanted to get done. They gave them a great deal of authority, but they tasked the Bureau with no duties, nor did they set any professional standards for its performance. The Bureau does not even have to define standards and have Israeli systems comply with global standards.”

The defense industry source also said that Israel’s cyber IT security is mired in utter chaos. Israel has several bodies tasked with this mission. The most prominent among them is the General Security Service (GSS), through its IT Security Authority (ISA). This agency is in charge of IT security in all government ministries. Nevertheless, the National Cyber Bureau intends to have the most far-reaching jurisdiction and authority, to be overshadowed only by the GSS. Yet, whilst the GSS is regulated and supervised per the law, the Bureau has been established without any legislation or means of enforcement.

“Over the past two years, the GSS and the National Cyber Bureau have been engaged in skirmishes over prestige and jurisdiction,” explains the senior source. “The result: the Bureau’s own position paper says it will handle the issues the GSS does not cover. Moreover, throughout this time, strategic private infrastructure has remained vulnerable to breaches and manipulations.”

The senior source notes that numerous private institutions currently hold databases and networks which are no less vital and critical than their government counterparts – and in certain cases even more so. “The data stored by the banks, the insurance companies, hospitals, and so on is no less valuable than the data stored by Israel’s Ministry of the Interior,” the source underscored. “All it would take is one breach or hack in one of Israel’s major banks to cripple the entire economy or seriously undermine it. This does not call for any hack into security systems – you can do this by hacking into private institutions’ systems.”

Currently, each strategic private body runs its own security policy. As former GSS IT Security Authority personnel retire and find employment in the private sector, they bring prevailing standards up, making them the unofficial norm. “The problem this poses is that it is not enough to introduce GSS methodology into the private sector in an unsanctioned, unofficial way,” warns the source. “Real cyber security is not simply made up of various software and networks. Rather, it stems from a comprehensive, methodical, thorough view.”

When asked to assess the level of security strategic bodies feature, the source is willing to say Israel Electric was indeed transformed, per a process guided by the GSS IT Security Authority. On the other hand, Israel Rail proves a bona-fide sieve, and they seem to be in no rush to fix the breaches. “The main problem is that systems are introduced by patches, rather than comprehensively,” the source elaborates. “Numerous systems which are supposed to be completely cut off from other systems, are still linked, and are still exposed and compromised. Numerous systems have been established per no prior planning or overall thinking, without any end-user tests or any professional work put into them.”

When the senior source was reminded that only a few months ago, in the summer of 2014, Israel took pride in having foiled an Iranian plot to break into its government systems, he sighed. “They are taking credit for small things they are able to monitor and intercept,” he comments gravely. “But the tragedy lies in the fact they are not even aware of the small hacks that keep taking place.”

The Prime Minister’s Office, which is in charge of the National Cyber Bureau, refused to comment.