With no cyber law, can gov’t stop Shirbit-style cyberattacks?
Top cyber lawyer tells 'Post' how INCD gets companies to reduce vulnerabilities
By YONAH JEREMY BOB
With the massive cyberattack on Israeli insurance giant Shirbit on Tuesday, Israel’s cyber vulnerabilities, and more specifically the absence of a Knesset law empowering the state to require set private sector standards, jumped back into the headlines.The Jerusalem Post recently interviewed the Israel National Cyber Directorate (INCD) chief lawyer, Amit Ashkenazi, on a variety of tactics his agency uses to address the gray nexus between cyber and law.Such an interview might seem strange given that the Knesset has not moved forward much since a push in June to reintroduce the country’s first cyber law, nearly frozen for two years.But Ashkenazi, who is low-key but also clearly battle-tested, explained to the Post that the government approved a hybrid interventionist-cooperative cyber policy back in 2015. This approach empowers INCD to directly engage the private sector in creative ways to better protect the country.He said, “We did this with the attorney-general’s consent, without a law [having yet been formally passed]. We don’t collect private information unless we have a specific legal basis plus consent of the individuals [involved] or of others whose consent is needed. Sometimes an organization can agree on an individual’s behalf.”In addition, he stated: “We have legal documents to make lawyers on the other side comfortable. Up until now we have succeeded [at convincing organizations to cooperate]. Dozens of [cyberattack] events could have been major. We don’t wait. If it becomes a major event, then it becomes a big issue” for the country.That does not mean things are always smooth.“We have seen situations where things were tricky. We see organizations connected to other organizations in Israel’s digital ecosystem where they haven’t been as tidy with their housecleaning [filling cyber vulnerabilities] as you would like them to be,” said Ashkenazi.According to the INCD legal adviser, “This has been found out by an adversary, who sees potential to create major damage. If companies’ leaders see the benefit of working with us, we can smoothly interface with them.“Cleaning networks is not simple. It is a game of submarines. You want to sink the submarines that have indications of malware in the network. You don’t know where it is. The adversary, if advanced, will expect you. He knows you do cybersecurity, so he hides himself as well as he can in the network and it becomes a game of cat and mouse,” he stated.
What about when a private sector organization does not cooperate?“If organizations don’t see this [cooperating with the INCD] is in their agenda,” Ashkenazi said, “then what tools protect the public interest? What is the threshold where the public, the legislative branch and the executive branch expect the government to say this is really nice, but we think this mitigation [of potential spreading cyber damage] should be carried out without consent?”Once that threshold has passed, what can we do to compel compliance? he asked. Can the state “interrogate and put in jail” private sector individuals who refuse to cooperate and thereby endanger the wider cyber ecosystem of the country?He said that the threshold for intervening in a private company’s affairs without consent is “a risk to critical infrastructure or an essential service, a national security risk – where a nation state or adversary is working [on undermining Israel as a country] and we know it is a security-related campaign, even if it did not appear at [something critical like a] hospital.”In that case, “we want to deal with it because we do not want” a major attack impacting the broader ecosystem.He explained that the INCD’s outreach has been smart and effective enough that Israel fared far better during the May 2017 global WannaCry attack than many other Western countries.The INCD had already published solutions in February and March for major holes which the WannaCry malware could exploit, and, just as importantly, had convinced a large swath of private sector companies to take the time to plug the hole.Discussing the future of mixing cyber and law, he said he would split INCD relations with the private sector into two levels.Ashkenazi said that INCD would start by asking a company for information or give it directives about steps it needs to take to handle a cyber event.“If you don’t agree and I need to operate your network with my hands on your keyboard, this would require a court order,” he explained.ASHKENAZI WAS asked about what kind of court would handle such special requests, given that sometimes hours or minutes of delay in handling a cyber situation could spell disaster.He said that a special administrative court could be established with judges who would have unique expertise and who would be quickly reachable at any time in order to allow proactive defensive measures to move forward promptly.Still, he emphasized that bringing in the courts would make the process more public and transparent, as he does not want frequent proceedings where only government lawyers are in the room, as often occurs with classified hearings.Ashkenazi returned to the message of: “We go out of our way to use peaceful means. Most people cooperate, and our incident responders explain things well. People almost never resist, so it is very rare that we had to break in[to]” someone’s system to protect both it and the country from a wider malware spread.Interestingly enough, he said that multiple Western countries have expressed interest in Israel’s creative model for addressing these issues.He named Australia as one country whose efforts to construct a cyber law framework may have been “inspired” by Israel’s example, and noted Germany and France as developing models with certain parallels.Despite Israel’s success, in May 2019 then-state comptroller Joseph Shapira slammed the government for failing to pass a cyber law to handle the issue of regulating cyberdefense in the private sector.The report said that the absence of a clear law was hampering the ability of the INCD and other cybersecurity officials from protecting vulnerable aspects of the nation’s cybersecurity infrastructure.Ashkenazi responded that the criticism was well meant but was misplaced.He agreed that a new Knesset law would have advantages for clarity and streamlining issues. But he said that even without a law, the government was using executive branch regulations and clever engagement to achieve many of the goals a law would be used for.For example, the Environmental Protection Ministry has issued detailed regulations for cyberdefense requirements based on the degree of hazardous waste handled by any given company.While not equal to a Knesset law, these regulations can still be used to elevate the industry’s cyberdefense standards.In the meantime, Ashkenazi said that INCD is constantly updating and reevaluating its list of which companies and industries are critical and essential, something that significantly evolved during corona.Though the country’s complex politics mean that passing a Knesset law on cyber may get pushed off for months once again, Ashkenazi is confident that INCD’s legal apparatus will handle the situation until then.