Israel's cyber winter came, but failure to regulate continues - analysis

Officials and experts seem completely uninterested in how or why the Black Shadow hack succeeded and there is still zero formal regulation.

 A 3D printed model of man working on a computer are seen in front of displayed binary code and words "Cyber atack" in this illustration taken, July 5, 2021. (photo credit: REUTERS/DADO RUVIC/ILLUSTRATION)
A 3D printed model of man working on a computer are seen in front of displayed binary code and words "Cyber atack" in this illustration taken, July 5, 2021.
(photo credit: REUTERS/DADO RUVIC/ILLUSTRATION)

Cyber winter is already on the way to Israel and no one seems to care in any real way.

Something bizarre has happened regarding reactions to the latest Black Shadow hack of Israeli companies: this time the Internet company Cyberserve, including Atraf, the Kavim and Dan bus companies and the tour-booking company Pegasus.

The hacking of the giant insurance company Shirbit in December 2020 drew massive attention and concern.

In contrast, the later hacking of Israel Aerospace Industries, Israeli call center Voicenter, the Defense Ministry and now Cyberserve, seem to be getting much less significant reactions from the government and the Israel National Cyber Directorate (INCD) and cyber experts in general.

Even more important, officials and experts seem almost completely uninterested in how or why the hack succeeded and, as will be discussed further down, there is still zero formal regulation (there is significant ad hoc government intervention) regarding companies’ obligations).

 People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. Picture taken December 27, 2014. (credit: REUTERS/DADO RUVIC/FILE PHOTO)
People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. Picture taken December 27, 2014. (credit: REUTERS/DADO RUVIC/FILE PHOTO)

Rather, those speaking up at all seem entirely focused on the message of getting other companies and individuals to better protect themselves and to spread awareness of the constant cyber threat modern people face.

The one recent exception was the cyberattack on the Hillel Yaffe Medical Center in Holon, which actually got officials and experts quite concerned and might have led to a recent counter-attack.

Why do officials and experts say that the how and why the hack happened is less important?

First, by the time a major hack is revealed, there is a certain amount of leaked information and damage that is irreversible.

But there are some more self-interested reasons.


Stay updated with the latest news!

Subscribe to The Jerusalem Post Newsletter


Companies that are supposed to protect their clients’ data, and officials and experts who are supposed to help the companies do so, do not want to draw attention to their failures.

Some of the hacks have been by nation-states or sponsored by nation-states like Iran.

But some are just criminals or amateur anti-Israeli ideologues, and it is embarrassing for the companies to admit they did not do their homework, and for the experts to admit they did not get the companies to do their homework.

In some cases, the INCD may have warned of the specific vulnerability that led to the hack months or a year or more earlier, but the warning was ignored or put on a long-term schedule, sort of like the 2030 and 2050 goals for preventing climate change.

A more generous explanation for the current messaging is that the INCD and experts want to encourage companies to come forward early on when they are hacked so that the hack does not spread.

To do this, they want the companies to receive the minimum amount of blame and embarrassment possible.

They also do not want the companies to pay money to ransomware hackers.

Yet another reason is brought out by the contrast with the reaction to the attack on the Hillel Yaffe Medical Center and to the first major reported cyberattack on Israel’s water infrastructure in April 2020.

At this point, the INCD and other experts are far more concerned about attacks on infrastructure than they are about leaked information and harming individual’s privacy.

This same reason also makes the Israeli picture visa vise Iran and cyber wars look a lot better.

Iran or its sponsors have likely been behind, some but not all, of the above mentioned attacks.

But none of them besides Hillel Yaffe – which at the end of the day is not comparable to Israel’s better protected and larger medical centers in Jerusalem and Tel Aviv – caused physical harm in the physical world.

In contrast, past Israeli hacks on Iran – according to the Islamic Republic and foreign reports – have blown up nuclear centrifuges in 2009-2010 and brought large ports to a standstill in May 2020.

There is an ongoing debate about whether Israel or some other hacker brought down Iran’s train system in July and its electronic systems for around 4,300 gas stations nationally last week, but these were also examples of major harm to Tehran in the physical world.

So there may be many self-serving reasons for certain companies and experts to downplay the severity of the current wave of cyberattacks in Israel, but at the same time, Jerusalem is outplaying and outwitting Tehran in the cyber arena in a very substantial way.

So long as the Jewish state’s cyber elite can hold off major physical harm and are able to cause the Islamic Republic physical harm when they want to send a message, they will consider it a win and view the situation as going their way.

One last scary element in all of this mix is that Israel’s cyber legislation which has been crafted and debated behind-the-scenes for several years is still stalled.

Until June, this could be blamed on the broader stagnation of the Likud-Blue and White government and the four rounds of elections.

But four-and-a-half months after the new government took office, the INCD is still merely hopeful of the Knesset taking up the legislation and has not been promised any concrete date.

Until legislation is passed, as many other countries have done in recent years, some amount of a subjective vacuum about how to respond to even mass cyberattacks will continue.