Pursuant to proposals of the National Cyber Bureau, all organizations associated with cyberspace will have to comply with new standards and requirements.
In early January 2015, the National Cyber Bureau presented, to a session of the Israeli Government, two bills for advancing regulation in the field of cyber: advancing national regulation and the government’s leadership role in cyber defense, and advancing national preparations for cyberspace defense. These bills suggest that the field of cyber in general be regulated and that enforcement and regulatory powers for this field be concentrated in a methodical manner.
The bills, or proposals, of the National Cyber Bureau followed the increase in cyber threats, which have become significant with regard to national security, the normal function of the state and its organizations, public order and economic activity. In recent months, the National Cyber Bureau formulated a national preparation plan for cyberspace defense.
In its national preparation proposal, the National Cyber Bureau defines “Cyber Defense” as “the range of activities intended to prevent, neutralize, investigate and cope with cyber threats and cyber incidents and to minimize their impact and the damage they inflict, before they have taken place, while they are taking place and after they occurred.” Apparently, this definition is fairly broad and may even apply to offensive cyber products and services. In fact, it applies to the over-all regulation of the entire cyber market in Israel.
According to the national preparation proposal, a national cyber defense authority should be established by a government resolution – a sort of executive organ whose primary duties are to manage, operate and execute all of the operational cyber defense efforts. These duties will include handling of real-time cyber threats, assembling an on-going status picture, concentrating research and intelligence collection activities and maintaining and operating a dedicated center for handling cyber threats (the national CERT) for the entire economy. The national CERT will constitute an interface between the defense organs and elements in the national economy, through which the new authority will concentrate and share relevant information with all of the elements in the national economy. Additionally, the new authority will be responsible for building and reinforcing the resilience of the entire economy with regard to cyber through the development, supervision and implementation of the regulation proposal.
The national preparation proposal further prescribes that the Bureau should establish a national technological infrastructure (“The Infrastructure”) for detecting, identifying, providing early warning and sharing of information regarding cyber attacks against the State of Israel, to be operated by the new authority while observing basic legal rights, including the scope of the information collected and the authority to use this information, maintain it and share it with other parties. Once the infrastructure has been established, the proposal suggests that Resolution B/84 by the Ministerial Committee for National Security Affairs, dated December 11, 2002, regarding the issue of defending (critical) computer-based infrastructures in the State of Israel be revoked, thereby revoking the authority granted to the National Information Security Authority within the Israel Security Agency (ISA) as the organization responsible for defending critical computer-based infrastructures in Israel (this definition applies to systems which, upon sustaining a hit, could lead to highly significant physical or economical damage, to the loss of human life or to disruptions in the supply of vital public services).
Additionally, the national preparation proposal suggests that the National Cyber Bureau, the Legal Chambers at the Prime Minister’s Office and the Ministry of Justice prepare a draft bill for a cyber defense law, which should review, among other things, the need for statutory revisions.
While the national preparation proposal sets forth the powers of the agencies responsible for cyber defense in Israel at the macro level, the regulation proposal prescribes the manner in which cyber defense should be regulated at the micro level.
The purpose of the regulation proposal, according to the explanations it contains, is to provide “A solution to the existing situation, where any individual may present himself as a cyber defense expert or sell a product presented as a cyber defense product or offer services presented as cyber defense services…” as well as to provide “A solution to the situation where, with the exception of such fields of activity as critical infrastructures and specific sectors and organizations, the majority of the national economy operates, with regard to cyber defense, in a manner that is neither regulated nor binding.” For this purpose, the regulation proposal suggests the use of professional standards already available worldwide, which were adopted in Israel a long time ago, as well as specific legislation in accordance with the specific sector and/or industry.
According to the proposal, a cyber defense service market regulating unit should be established, whose duties, among others, will be to advance compliance with the relevant professional standards by cyber professionals (including academic qualifications and personal learning requirements). A dedicated public committee headed by Maj. Gen. (res.) Ami Shafran defined the following professional functions: Senior Cybernetic Defender, Cybernetic Defender, Cybernetic Intrusion Specialist and Cybernetic Debriefing/Analysis Specialist. The proposal sets forth the establishment and operation of a mechanism for the approval of cyber defense products with regard to their conformance to such standards as the Common Criteria Standard (Israeli Standard ISO 15408), by the establishment, among other things, of a cyber product testing and approval laboratory. The proposal calls for the advancement of compliance with the relevant professional standards by specifying the services to be regulated and by setting forth a quality scale.
As stated, the regulation is to be applied to all organizations, companies, service providers and suppliers in the field of cyber defense in Israel and to products and services imported into Israel or provided in Israel.
As far as government ministries are concerned, the regulation proposal suggests that all government ministries be obliged to comply with organizational information security standards in accordance with the international information security standard of the ISO 27001 family, which the Standards Institution of Israel adopted a long time ago. According to this standard, government ministries should, among other things, appoint a cyber defense specialist within the government ministry, whose duties would include the consolidation of a flexible cyber defense policy that may be adapted to the existing threats, preparation of a budget plan, development of a work plan for the implementation of the budget plan and supervision of the manner in which the plan is implemented. Additionally, the government ministries will have to appoint a “person in charge of cyber defense at the information system unit”, who should comply with the requirements for a “Senior Cybernetic Defender” position (with regard to academic qualifications and specialized professional training). All new employees involved in the field of cyber defense within the government sector will have to comply with the standards applicable for their respective positions.
Moreover, the regulation proposal suggests that a government cyber defense unit be established and subordinated to the functionary in charge of government C3 and under the guidance of the National Cyber Bureau. The objective of this unit will be to professionally direct and guide the government ministries in all matters pertaining to cyber defense. Additionally, the regulation proposal suggests that a government cyber threat command and control center be established (government SOC, Security Operations Center) within the national CERT. This center will assemble an on-going government status picture and provide solutions during actual cyber incidents.
With regard to the acquisition of cyber defense services and products by the state and/or organs working with it, the regulation proposal rules that such processes should be carried out subject to the products’ or services’ compliance with the relevant information security standard (e.g. the Common Criteria Standard). The proposal further demands that parties wishing to supply and/or sell services or products who submit computerized information to the government, or suppliers of computer systems embedded in or connected to government computer systems should comply with organizational information security standards (Israeli Standard ISO 2700) as a prerequisite.
The proposals should be implemented and enforced in stages, while allowing the relevant organizations, private companies and government corporations a specific period of time for organizing.
While on the one hand the regulation proposals are welcome, as the field of cyber is a substantial and important field that should be regulated, on the other hand, the stringent demands for standards, regardless of the type of company, service, product or the sub-field of the cyber market in which the company operates, impose additional costs on the private sector. This could prevent the establishment of new companies and hinder the development of existing companies, thereby effectively preventing renewal and innovation, and even lead to excessive centralization as larger and/or well-established companies are better equipped to comply with the proposed standards and requirements.
Moreover, with regard to the recruitment of new employees to the government sector, giving precedence to candidates who only comply with the academic requirements, without placing the emphasis on practical experience in the field or on a certain mix between experience and academic qualifications, could lead to discrimination against employees who possess extensive experience in the cyber field (and who, among other things, belong with those who actually developed this field in Israel) and even to the loss of professional, skilled and experienced personnel.