The IDF’s cyber protection of certain databases for personal identification and health information of its soldiers is significantly deficient and hackers could penetrate it in order to steal identities and impersonate IDF personnel, the State Comptroller’s report said on Tuesday.
Matanyahu Englman’s latest incursion into cyber defense deficiencies during his term focuses on the IDF, as well as the transportation, water, education, tax and business sectors.
“There are serious gaps in the cyber security defense of biometric IDF data,” the report said. In “biometric data for dead soldiers, there is a risk that hackers could use such data to impersonate [IDF soldiers] and steal identities.”
More specifically, Englman wrote that 95% of the x-ray photos of soldiers’ oral cavities are contained in insecure databases. Hundreds of thousands of soldiers’ fingerprints are also currently held in hackable databases.
Next, the report said that the IDF has not updated its cyber defense protocols for these databases in seven years.
Moreover, the IDF’s rules regarding privacy have not been updated since 1996 despite massive changes to the world in that area and in related technologies.
Across the various databases, the report detailed a variety of other problems relating to missile defense data, disaster management data, other security data and the efficiency of service in providing data to actual authorized IDF personnel.
According to the report, the military also has no official responsible for the related cyber security issues. Englman also had issues with physical security at the places where the physical stations holding the databases are kept.
Moreover, the IDF has not studied the issue of whether its database would be usable at a sufficient speed to identify soldiers as part of a mass casualty event.
Overall, the thrust of the IDF section of the report was that while traditional hard cyber targets like weapons systems and communications may be better protected, the IDF’s databases with personal information have been neglected.
Israel's water sector vulnerable to hacks
Regarding the water sector, the report said that many water suppliers were given extremely low scores for their cyber defense readiness.
In April 2020, Iran managed to hack a portion of Israel’s water sector and almost succeeded in releasing dangerous levels of chlorine into that portion of the country’s water supply.
Although the hack was only partially successful and was blocked before a national disaster occurred, it set off a new level of attention to Israel’s “softer” cyber targets beyond the national security establishment.
The comptroller recommended on Tuesday that the government impose an obligation on water suppliers to meet certain cyber defense standards.
Transportation and education sectors in Israel vulnerable to hacks
Next, the report slammed 21 out of 35 transportation sector bodies for failing to work properly with cyber defense authorities.
The impact of this deficiency is exacerbated by the fact that six out of 30 cyber bodies are considered critical infrastructure for the country, breaking down into a byzantine maze of 28,000 smaller bodies.
In the education sector, the report said that key databases’ vulnerability to hacking could undermine public faith in key exams of graduating high school students reviewed by universities.
This could also lead to cheating or other abuses of the exam process.
In fact, the report said that the designer of the system the Education Ministry is currently using had already stopped vouching for its defensibility in 2019.
Only five out of 50 databases are properly defended.
Further, the report said that around 4,000 outside contractors had access to aspects of the grades, who access the system from insecure home computers that could also lead to hacking the broader system.
Many areas of the education sector have not designated cyber defender officials who are responsible for their digital defense, said the report.
According to Englman, the Education Ministry has failed to carry out disaster drills in preparation for a mega cyber hacking event.
The IDF responded to the report saying that it had accepted most of the recommendations and was starting to implement them.
Despite this, it did emphasize that the data discussed by the comptroller is held within protected databases which are not exposed to the public.
In addition, the IDF said that though it has physical security for all of the physical locations of its databases, it is exploring adding an increased level of security.
The military said that it would soon update its cyber and privacy protocols, along with committing to future updates every few years.