Why are Israel's critical sectors vulnerable to cyberattacks? - analysis

Until Israel decides on any new regulation on cyber law, the Jewish state will remain behind the eight ball when cyberattacks on it succeed.

 An illustrative image depicting a cyberattack. (photo credit: INGIMAGE)

In some ways, the cyberattack against Mayanei Hayeshua Medical Center announced on Tuesday was a blip in the enormous hostile waters of cyber ransomware plaguing humanity, and the health sector in particular.

Last weekend, over 100 medical centers in the US were brought down by a massive cyberattack, and this has happened before in America in 2021 and in countries across the globe.

But in other ways, the attack is a far more serious potential national security threat for Israel.

The Jewish state is far smaller than most countries and has very few medical centers.

Hacks on medical centers can shake Israel to its foundations, as did the cyberattack on Hadera’s Hillel Yaffe Medical Center in 2021.

A man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. (credit: KACPER PEMPEL/ILLUSTRATION PHOTO/REUTERS)

Yet, nearly all cyber experts agree that Israel’s medical sector is as vulnerable as ever.

Why are Israel's hospitals vulnerable to cyberattacks?

How come Israel has not learned and better prepared itself for the ongoing hacking onslaught?

Some of the issue is that not “enough” people have been physically harmed.

If a medical sector’s effectiveness drops and certain people’s personal data is stolen, as long as the medical equipment keeps functioning and no patients die, most of the public will ignore the event and quickly move on.

But part of the issue is that not even the cyber experts themselves can agree on how to resolve it.

Former Israel National Cyber Directorate (INCD) chief Yigal Unna (2018-2022) was in favor of significantly increasing government regulation, both by adding sectors to the “critical infrastructure” list, which gives the government wide authorities, and by placing minimal reporting obligations on the private sector across the board related to cyberdefenses and being hacked.

The idea was that in some of the worst hacks Israel experienced during his era, Unna could warn a hospital or website that it was vulnerable to a near future attack and recommend changes, but could not compel them to act.

In multiple cases, Unna felt that if he had been able to “take the keys” over from certain private sector companies that impact the country, or at least threaten to, he could have saved them and the Jewish state from some of the worst cyberattacks.

Along similar lines to Unna, Experis deputy CEO for cyber solutions Dikla Vered warned on Tuesday that the country “has not learned its lesson from the most recent attack on Hillel Yaffe medical center which showed that the initial damage is professional, such as a failure of continuity to function and an immediate cessation to handling [new] sick patients.”

Most importantly, Vered cautioned that it was stunning that Israel still had not placed the health sector on the critical infrastructure list along with the electric, water, banking, airports, and around another 30 or so sectors.

In contrast, current INCD chief Gabi Portnoy (2022-present) believes that Israel must pass some kind of a cyber law to balance government and private sector authorities and responsibilities, but believes much more in an aggressive campaign to voluntarily win over the private sector to an improved cyber defensive posture.

Not that Unna was not pro-negotiating with the private sector and not that Unna is against any regulation, but they had and have very different ideas about the correct balance between the two.

In the middle of this, one thing which both former prime minister Naftali Bennett and current Prime Minister Benjamin Netanyahu agree on is that they dislike regulating the private sector as their starting point.

Between the two, the proposed cyber law which would balance public and private sector powers and responsibilities has been dead in the water since 2017 and Netanyahu only made his first lukewarm positive statement about moving forward on June 18.

In a statement, Netanyahu said that he had “held a meeting of the country’s key ministers and cyber leaders” and “directed the ministers to improve the defense of any critical infrastructure within their ministry’s jurisdiction.” Netanyahu also said that they should “formulate and implement regulations for cyber defense regarding any entities under their authority.”

Still, Netanyahu’s statement was relatively pareve, had no deadlines, and with the Knesset almost solely focused on the judicial overhaul since then, there seems to be little chance of any movement on the issue in the coming months.

Despite himself being hesitant about overdoing regulation, Portnoy in June presented to Netanyahu and other government ministers the fact that Israel is behind Germany, Australia, England, the US and the EU in providing regulations that obligate the public and private sector to focus on new critical infrastructure and to file reports within set amounts of time (often 24-72 hours) if there is a hack, and that set out what steps the government can take to enforce cyberdefense standards and reporting.

Until Israel decides on any new regulation and any cyber law whatsoever, the Jewish state will remain behind the eight ball when cyberattacks on it succeed in various weak sectors.

More gravely, Iran and other countries seeking to damage Israel in a broader way will continue to have opportunities to harm the country’s national security which could have been properly addressed.