A Look at Israel's New Draft Cybersecurity Law

Deborah Housen-Couriel is an independent cybersecurity researcher and a member of the advisory board of the Hebrew University Cyber Security Research Center, where she teaches cybersecurity law and policy.

Last month, the Israeli government published the draft of its long-anticipated cybersecurity law and issued a call for public comment, which closes on July 11. The draft represents years of consultation and debate around the country’s approach to cybersecurity. It combines elements of existing cybersecurity legislation and policy with several significant innovations, including some controversial broadening of powers of the lead government agency for cybersecurity, the National Cyber Directorate (NCD).

As in other countries, responsibility for Israel’s cybersecurity falls across several government ministries and private sector organizations. In 2011, the government created the NCD, tasking it with coordinating national cybersecurity efforts and policy; and made it directly accountable to the prime minister. Under the proposed law, the NCD’s position will be strengthened by a bolstering of its leadership role in assessing national cyber risks, planning for national preparedness and resilience, and providing guidance to government agencies and the Israeli private sector. For instance, the NCD’s current supervisory powers over other government regulators have been minimal and constrained by legacy regulation. Under the proposed law, the NCD is specifically charged with enhanced authority to issue national guidance on cybersecurity matters, even within the scope of other regulators in areas such as finance, health, transport, energy and communications.      

In the explanatory notes that accompany the bill, the drafters have taken pains to outline the need for regulatory intervention given an increasingly hostile cyberspace. Two fundamental principles are specified: (a) the need to develop a new approach to cybersecurity by initiating an unprecedented type of cooperation between government and the private sector; and (b) the need to devote national efforts to improve cyber preparedness and mitigate the fallout from incidents. The drafters also took care to separate the civilian and military aspects of cybersecurity in the proposed law. For instance, the authorities of the NCD extend to addressing issues relevant to hostile cyber activity targeting Israel such as strategic risk assessment, mapping of national vulnerabilities, and real-time information sharing, but exclude authorities that would allow it to respond to attackers—a task for the military or security agencies.

The bill establishes the NCD as the primary national cybersecurity regulator and maintains its direct accountability to the prime minister. Among its core responsibilities, the NCD will deploy two operative bodies: (1) a center for countering cyber threats on an ongoing basis (the national computer emergency response team, CERT-IL, will continue to serve this function) and (2) a detection and verification hub for early warning and attack mitigation. The hub will facilitate information sharing among specified governmental and private sector actors, essentially creating a national database of threat indicators and other data. The proposed database has already sparked controversy in the Israeli media because of its inevitable collection and processing of large amounts of private and corporate data.

The NCD also stands to gain powers under the proposed law that allow it to access documents and computer data from private sector organizations in order to identify, prevent or mitigate hostile cyber activity and to seize any equipment for inspection for the same ends. Although some of these actions will require judicial authorization, such as having the NCD intervene in an organization’s computer network, it may be waived under certain conditions that require urgent action in the view of the head of the NCD. These powers are currently the subject of public controversy and may not survive the full legislative process awaiting the bill. 

For their part, private sector entities that cooperate with the NCD and competitors on cybersecurity matters will obtain immunity from antitrust and other civil claims. Additionally, certain corporations designated by the prime minister in consultation with the minister of justice will be required to convene an annual board meeting about cyber governance issues, including cyber threats to business operations, cyber risk assessment, and the degree to which the organization has carried out relevant NCD policies and guidelines.  

Finally, the proposed law introduces a new data classification and protection regime that applies to information gathered by the NCD itself or shared with it, categorized by the risks entailed by its exposure. Thus, data of techno-security value (i.e., indicators of a hostile cyber event); unidentifiable data (that does not reasonably allow for the identification of an individual or an organization); and protected data (which draws its status from Israel’s data privacy and other domestic laws) are subject to different processing safeguards by the NCD and those sharing such information. The sufficiency of these safeguards is an additional point of public critique of the bill.

In summary, the draft cyber law merges robust regulatory innovations with controversial initiatives, at a time when Israel’s global credibility and deterrence in the face of ongoing, critical cyber threat vectors remains high. The country continues to influence the global market for cyber products and services well beyond its size, garnering approximately 15 percent of global cyber investments, with investors infusing $815 million into Israel’s cyber market last year, according to a recent report. Nonetheless, despite Israel’s cybersecurity successes so far, the proposed law introduces several challenges to the difficult balancing act required in democratic, rule of law societies between the needs of national security and the safeguarding of fundamental individual rights. The opportunity for public consultation on the draft law in the coming weeks provides an arena for vigorous deliberation, which the Israeli public, companies and academics will undoubtedly put to ample use.