(July 22, 2019) On December 27, 2018, the Knesset (Israel’s parliament) passed an Amendment Law that gives a statutory basis to the unification of the Cyber National Bureau and the National Cyber Security Authority into the Israel National Cyber Directorate (INCD), which operates directly under the Prime Minister. (Law for the Regulation of Security in Public Bodies (Temporary Provision) (Amendment), 5779-2018), SEFER HAHUKIM 5779 (SH, BOOK OF LAWS, official gazette) No. 2766 p. 86 (the Amendment Law), Reshumot website (in Hebrew) (type in 2766 in the top-left search box, click the dark blue box to the left of the search icon, click on the PDF icon next to 2766, and then open the PDF document and go to page 86).) The new law amended the Regulation of Security in Public Bodies Law, which regulates the protection of certain listed public bodies that provide essential public services, including computerized systems and information security. (Regulation of Security in Public Bodies Law, 5758-1998, SH 5758 No. 1685 p. 348, as amended (the Law) (in Hebrew).)
INCDs Mission, Functions, and Authority: Proposed Legislation
The mission, functions, and authority of the INCD are not yet regulated by law. A Cyber Security and National Cyber Directorate Memorandum was published and distributed for public comments in July 2018 in anticipation of filing a cyber-protection bill for the approval of the Ministerial Committee for Legislation, and later consideration by the Knesset. (Summary of Memorandum of Cyber Protection Law) (Memorandum Summary), Government of Israel website (in Hebrew).) The Memorandum seeks “to regulate the mission, functions and authority of the INCD to implement the government policy, in accordance with the principle of the rule of law, while combining basic concepts of constitutional law on subjects regulated under the draft bill and concepts of law and information technology.” (Cyber Protection and the National Cyber Directorate Memorandum, 5778-2018, at 3 (the Memorandum), Government of Israel website (in Hebrew; all translations by author).)
According to the introduction of the Memorandum’s Summary, the objective of the INCD is to protect cyberspace and promote Israel as a global leader in the area of cyberspace. The functions of the INCD include managing the national defensive operational efforts against cyberattacks, promoting Israel’s ability to deal with cyberattacks, promoting international cooperation and cooperation agreements in the field of cyberspace, and advising the government and its cyber committees. The INCD will serve as “a dedicated body to deal with attacks before … [and] as they occur, without replacing other security and law enforcement bodies, but rather through interfacing with them.” (Memorandum Summary at 1.)
The Memorandum includes a preliminary draft bill that defines the duties and authority of the INCD, special organizational aspects including appointment of the INCD Director and staff, and special requirements that apply to any person associated with the INCD. (Memorandum ch. B-D.) According to the draft bill, one of the INCD’s duties would be identifying cyber threats and detecting cyberattacks early through collection of targeted data from government ministries and other identified organizations and processing it in real time to facilitate a response. Additional powers include requesting data and documents, entering a premises on the basis of a reasonable suspicion that a computer or computer material containing valuable information for identifying, handling, or preventing a cyberattack is located there, and confiscating items for testing. (Id. ch. C.)
Considering the need to protect cyberspace in real time while ensuring “implementation in a balanced and proportional way,” the Memorandum requires judicial approval for acts to prevent or handle cyberattacks. (Id. § 27.) Additional oversight mechanisms proposed by the Memorandum are the appointment of an internal INCD privacy supervisor and an external Supervisory Committee to oversee the INCD’s activities with a focus on the impact on protecting privacy. (Id. §§ 10–15.)
Criticism of the Proposed Legislation
A document issued by the Israeli Internet Association on August 9, 2019, criticized various aspects of the Memorandum. (Reference of the Israeli Internet Association (IIA) Regarding the Memorandum of the Cyber Protection Law and the National Cyber System (Aug. 9, 2019), Israel Internet Association website (in Hebrew).)
- Lack of Sufficient Transparency
According to the IIA the Memorandum is conspicuously lacking in transparency mechanisms, as well as parliamentary and public oversight of its activities. According to the proposed bill, the INCD’s activity focuses on the relationship between the prime minister, the INCD’s Director, the privacy supervisor, and the Supervisory Committee. There is no reporting to the Knesset or to the general public. The duty of extreme secrecy that is imposed on INCD’s employees and on the Supervisory Committee, according to the IIA, prevents the publication of any information to the public. (Id. at 3.)
2. Disclosure and Identification
The IIA further highlights the Memorandum’s silence regarding the constitutional justification of the system of disclosure and identification. Such justification must be scrutinized “through constitutional glasses … according to accepted proportionality tests – the test of the rational connection, the lesser harm and the test of proportionality in the narrow sense.” (Id.)
3. Relationship Between the Memorandum and the Law for the Regulation of Security in Public Bodies
The Regulation of Security in Public Bodies Law, 5758-1998, by temporary order, authorized the National Authority for Cyber Security in 2016 to function as the regulator of entities that operate “essential computer systems” and are detailed in the fifth appendix of that Law. The National Authority for Cyber Security was integrated into the national cyber system by a government decision. According to the IIA, many questions remain regarding the relationship between the Security Arrangements Law and the Memorandum, and the Memorandum is completely silent on this issue. (Id. at 4.) These questions do not appear to have been resolved by the passage of the Law for the Regulation of Security in Public Bodies (Temporary Provision) (Amendment), 5779-2018, after the issue of the IIA’s document on August 9, 2019.
4. Interface with Criminal Law Enforcement Agencies
In the IIA’s opinion, the Israel Police should be removed from the list of special bodies dealing with the defense of national security. The police force is a law enforcement body that deals mainly with civilians within the territory of the State of Israel. Additionally, the Memorandum is silent on the INCD’s interaction with the Authority for the Protection of Privacy and other law enforcement agencies, such as the Israel Securities Authority, the Antitrust Authority, and the Business Fair Trade Authority, which deal with cyber-related issues and investigations that are likely to interface with issues defined in the Memorandum as cyberthreats or cyberattacks. (Id.)