Regulatory Models for Cyber Information Sharing in the Financial Sector: An Analysis of Rights Balancing through a Polycentric Approach
A Look at Israel’s New Draft Cybersecurity Law
Deborah Housen-Couriel is an independent cybersecurity researcher and a member of the
advisory board of the Hebrew University Cyber Security Research Center, where she teaches
cybersecurity law and policy.
Last month, the Israeli government published the draft of its long-anticipated cybersecurity law
and issued a call for public comment, which closes on July 11. The draft represents years of
consultation and debate around the country’s approach to cybersecurity. It combines elements
of existing cybersecurity legislation and policy with several significant innovations, including
some controversial broadening of powers of the lead government agency for cybersecurity, the
National Cyber Directorate (NCD).
As in other countries, responsibility for Israel’s cybersecurity falls across several government
ministries and private sector organizations. In 2011, the government created the NCD, tasking
it with coordinating national cybersecurity efforts and policy; and made it directly accountable
to the prime minister. Under the proposed law, the NCD’s position will be strengthened by a
bolstering of its leadership role in assessing national cyber risks, planning for national
preparedness and resilience, and providing guidance to government agencies and the Israeli
private sector. For instance, the NCD’s current supervisory powers over other government
regulators have been minimal and constrained by legacy regulation. Under the proposed law,
the NCD is specifically charged with enhanced authority to issue national guidance on
cybersecurity matters, even within the scope of other regulators in areas such as finance, health,
transport, energy and communications.
In the explanatory notes that accompany the bill, the drafters have taken pains to outline the
need for regulatory intervention given an increasingly hostile cyberspace. Two fundamental
principles are specified: (a) the need to develop a new approach to cybersecurity by initiating
an unprecedented type of cooperation between government and the private sector; and (b) the
need to devote national efforts to improve cyber preparedness and mitigate the fallout from
incidents. The drafters also took care to separate the civilian and military aspects of
cybersecurity in the proposed law. For instance, the authorities of the NCD extend to
addressing issues relevant to hostile cyber activity targeting Israel such as strategic risk
assessment, mapping of national vulnerabilities, and real-time information sharing, but exclude
authorities that would allow it to respond to attackers—a task for the military or security
agencies.
The bill establishes the NCD as the primary national cybersecurity regulator and maintains its
direct accountability to the prime minister. Among its core responsibilities, the NCD will
deploy two operative bodies: (1) a center for countering cyber threats on an ongoing basis (the
national computer emergency response team, CERT-IL, will continue to serve this function)
and (2) a detection and verification hub for early warning and attack mitigation. The hub will facilitate information sharing among specified governmental and private sector actors,
essentially creating a national database of threat indicators and other data. The proposed
database has already sparked controversy in the Israeli media because of its inevitable
collection and processing of large amounts of private and corporate data.
The NCD also stands to gain powers under the proposed law that allow it to access documents
and computer data from private sector organizations in order to identify, prevent or mitigate
hostile cyber activity and to seize any equipment for inspection for the same ends. Although
some of these actions will require judicial authorization, such as having the NCD intervene in
an organization’s computer network, it may be waived under certain conditions that require
urgent action in the view of the head of the NCD. These powers are currently the subject of
public controversy and may not survive the full legislative process awaiting the bill.
For their part, private sector entities that cooperate with the NCD and competitors on
cybersecurity matters will obtain immunity from antitrust and other civil claims. Additionally,
certain corporations designated by the prime minister in consultation with the minister of
justice will be required to convene an annual board meeting about cyber governance issues,
including cyber threats to business operations, cyber risk assessment, and the degree to which
the organization has carried out relevant NCD policies and guidelines.
Finally, the proposed law introduces a new data classification and protection regime that
applies to information gathered by the NCD itself or shared with it, categorized by the risks
entailed by its exposure. Thus, data of techno-security value (i.e., indicators of a hostile cyber
event); unidentifiable data (that does not reasonably allow for the identification of an
individual or an organization); and protected data (which draws its status from Israel’s data
privacy and other domestic laws) are subject to different processing safeguards by the NCD and
those sharing such information. The sufficiency of these safeguards is an additional point of
public critique of the bill.
In summary, the draft cyber law merges robust regulatory innovations with controversial
initiatives, at a time when Israel’s global credibility and deterrence in the face of ongoing,
critical cyber threat vectors remains high. The country continues to influence the global market
for cyber products and services well beyond its size, garnering approximately 15 percent of
global cyber investments, with investors infusing $815 million into Israel’s cyber market last
year, according to a recent report. Nonetheless, despite Israel’s cybersecurity successes so far,
the proposed law introduces several challenges to the difficult balancing act required in
democratic, rule of law societies between the needs of national security and the safeguarding of
fundamental individual rights. The opportunity for public consultation on the draft law in the
coming weeks provides an arena for vigorous deliberation, which the Israeli public, companies
and academics will undoubtedly put to ample use.
Related posts