Today, the Israeli Prime Minister's office published a memorandum of the proposed Cyber Defense and National Cyber Directorate Law, 2018. The memorandum’s proposed law is aimed at regulating the purpose, functions and powers of the Cyber Directorate in dealing with cyber threats against the State of Israel.
It includes far-reaching and unprecedented measures that affect every organization in the Israeli economy. It also extends the powers of the Israeli Security Agency (colloquially known as Shabak).
Among other issues, the memorandum provides that the National Cyber Directorate will operate a system for early detection of cyber attacks. The information collected and processed by the system shall be used for this purpose only. The system will cover government ministries, public agencies and covered entities under the Law Regulating the Security in Public Bodies, namely companies in critical infrastructure industries (such as telecom, chemicals and transportation).
As far as organizations in the Israeli market are concerned, the National Cyber Directorate will have far-reaching powers:
- It may compel any organization to produce any information or document, including a copy of computerized material, which is required to locate, deal with, or prevent cyber attacks.
- A qualified employee of the Directorate may enter any premises if they have reasonable grounds to believe that a computer or computerized material within the premises contains valuable security information that is necessary for identifying, dealing with, or preventing a cyber-attack. By virtue of this provision, entering the offices of any company, organization and even private residences, is permissible.
- A qualified employee of the Directorate may seize an object if they have reasonable grounds to assume that it contains valuable security information, which is immediately required for investigation in order to identify, deal with, or prevent cyber-attacks. The definition of an ‘object’ in Israeli case law also includes any information and document.
- A qualified employee of the Directorate may issue instructions to organizations, including instructions to carry out acts on the organization’s computerized material, for the purpose of locating, dealing with, or preventing cyber-attacks. In other words, the Cyber Directorate will be empowered to issue instructions to organizations with respect to their computer systems.
- According to the memorandum, these powers will also be granted to the Shabak for the purpose of thwarting acts of terrorism or espionage.
- A Magistrate Court Judge may permit an authorized employee of the Cyber Directorate to carry out acts on a computer or computerized material if the Judge is convinced that there is a reasonable basis to assume that a cyber-attack is underway or that there is a cyber threat, where the attack or threat might be detrimental to a critical interest. In other words, the Directorate will be empowered to carry out acts itself on the computer systems of every organization in Israel.
- A Magistrate Court Judge may permit acts to be carried out on a computer or computer material of an organization, for the purpose of sampled inspection, if the Judge believes that there is a genuine likelihood of locating a cyber-attack in the organization.
- The head of the National Cyber Directorate may transfer information collected by virtue of these broad powers to international bodies. Even if the memorandum of law seeks to achieve this by way of exclusionary language, that is the result of the following proposed provision: "protected information shall not be divulged to an international body unless it is valuable security information and the head of the Directorate is convinced that it will be used solely for the purpose divulged".
Alongside these powers, the memorandum of law includes provisions seeking to protect the privacy of information collected in the Directorate’s early detection system. Yet it does not necessarily seek to protect other values, such as commercial confidentiality or privilege from self-incrimination. In this framework, the memorandum states that the head of the Directorate must ensure that its systems are designed in a manner that will collect and preserve only the minimum data required for its purpose and that data will be processed to the greatest extent possible in an unidentified manner and "to the extent possible, automatically or without being exposed to a person". The Directorate will include, among others, an internal privacy inspector who will be responsible for implementing the provisions of the Protection of Privacy Law.
Employees of the Directorate are bound to secrecy and are forbidden from disclosing information "except in accordance with the provisions of this Law or for criminal proceedings on a felony or for disturbing a public servant". In other words, if, by virtue of the powers of the Directorate, information is revealed about the commission of a felony, the Directorate may divulge it to the police, for example. At the same time, the memorandum states that information submitted consensually will not be used as evidence against the submitter in any civil, administrative or criminal proceedings "except for offenses determined by the Minister of Justice in the First Schedule to the Law." So here too, there is no absolute immunity.
Directorate employees are not allowed to be members of any trade union. The employees will be granted immunity from criminal and civil liability for acts or omissions that they reasonably performed in good faith when carrying out their duties.
A committee of five, headed by a retired judge, will be appointed to supervise the activities of the Directorate. The committee is required to submit an annual report to the Prime Minister, but the Government is not obligated to deliberate on the report. In this respect, the memorandum requires the Government of Israel to do much less than the Government itself wishes to compel the boards of directors of companies to do. The memorandum requires the boards of directors in certain companies to discuss cyber threats to the company's activity at least once a year, as well as the damage that may result from such threats, the resources allocated to mitigate cyber risks and more. The Israeli Government is exempted from all of this at the national level.
The Memorandum of Law is open to public comments through July 11, 2018.