Why did Bennett's cyber security policy crash? - analysis

For the last seven weeks there has been no cyber chief, and for eight months, and likely several months into the future, there will be no cyber law.

 PRIME MINISTER Naftali Bennett on his way to a cabinet meeting.  (photo credit: MARC ISRAEL SELLEM/THE JERUSALEM POST)
PRIME MINISTER Naftali Bennett on his way to a cabinet meeting.
(photo credit: MARC ISRAEL SELLEM/THE JERUSALEM POST)

Prime Minister Naftali Bennett may have taken office more familiar with technology than any prime minister in history, and made a major speech on cyber policy soon thereafter to show how seriously he took the subject.

But then why have his public moves and non-moves to date projected a sense of neglect?

On January 5, with no public warning, Yigal Unna stepped down as cyber chief after more than four years in office but with no replacement named.

The announcement was one of the more bizarre to emerge during Bennett’s term. His office did not even comment on the development until repeatedly questioned during the day.

It became clear even then that not only was there no replacement for Unna, but the process to select a replacement had not advanced far.

Israel National Cyber Directorate (INCD) chief Yigal Unna at the Cybertech conference in Tel Aviv, 29/01/20 (credit: ODED KARNI)Israel National Cyber Directorate (INCD) chief Yigal Unna at the Cybertech conference in Tel Aviv, 29/01/20 (credit: ODED KARNI)

Wasn’t the prior government of Benjamin Netanyahu accused of not making appointments on time, which harmed the functioning of government and of state agencies? Interim appointments were said to show that Netanyahu wanted to weaken key agencies, from the police to the state attorney’s office.

What’s more, Bennett did not need to consult widely on appointing a new cyber chief.

Like the Mossad and the Shin Bet (Israel Security Agency), which always have competitions and vetting in place for several months leading up to the end of a director’s term, the prime minister picks the cyber chief on his own.

The Jerusalem Post has learned that the delay in finding a replacement was not because Unna suddenly surprised Bennett’s office, the way the public announcement suggested. Rather, Unna had told both Netanyahu and Bennett that he planned to step down after four years.

So Unna warned Bennett six months earlier, and again in November and in December.

Why did Bennett sit on the issue without moving to replace Unna before he left office, so that there could be a transition period between the outgoing and incoming chiefs?

The Prime Minister’s Office has not responded.

Some might defend Bennett’s action by pointing out he was dealing with the Omicron crisis, passing a budget and other issues.

But if these excuses were advanced to delay appointments of new Mossad and Shin Bet chiefs, they would no doubt be viewed with great skepticism.

Alternatively, Bennett was simply inexperienced in the bureaucracy of appointments, and believed that finding a new chief would be easy and fast.

It also seems that part of the problem was raising the salary and changing the post’s terms of employment in other ways to attract private sector candidates.

The signs all point to Gabi Portnoy, CEO of ENvizion Medical and a former IDF Brig.-Gen. in intelligence who served in both Unit 8200 and 9900, as the next cyber chief this coming Sunday.

Though Portnoy does not have as extensive a cyber background as predecessors Yigal Unna and Buky Carmeli, he is viewed as a top-notch candidate with a more than sufficient background in cyber and excellent experience in management.

So the issue is not who Bennett is about to appoint, but that he left one of the country’s most important agencies vulnerable and somewhat rudderless for seven weeks, in an era when massive cyber attacks can disable a country in a matter of days, or even hours.

If this were the only misstep, there might be less of a story.

But simultaneously, Bennett has dropped the ball on passing a much-needed cyber law for which a proposed bill has existed several years.

Netanyahu was blamed by many for stalling on the bill due to the four elections that he brought about.

But Netanyahu has not been in office for eight months, and not only is the bill not close to passing, but there are no signs that the Bennett government is investing any effort to advance it.

Unna has made it clear in public interviews that Hillel Yaffe Medical Center, Hadera, the water authority, Cyberserve and others were hacked partially because they ignored warnings from the cyber authority – or they decided to move slowly in addressing the warnings.

Put differently, none of these institutions felt threatened by the cyber authority, because there is still no formal law that allows the authority to obtain court orders or bring in the police to force immediate compliance and impose criminal penalties for failure to comply.

The proposed law that Bennett has done nothing about for eight months (or his office has declined to make public what it has done) would resolve this issue.

It would delineate where companies can choose to cooperate with government directives and where they are obliged to conform to directives under threat of penalties if they violate them.

In some ways, it is extraordinary that the cyber authority has kept Israel intact and avoided most major attacks in the last few years without the cyber law.

In December 2020, cyber chief legal adviser Amit Ashkenazi detailed a variety of creative strategies his agency had employed to garner voluntary cooperation.

But the government published a report this past week noting that 90% of ransomware attacks are not reported by businesses, and that 80% of businesses that pay ransoms later experience repeat attacks.

Far too many businesses are not complying with their obligations regardless of the cyber authority’s best efforts.

Governments across the planet have passed or are advancing cyber laws to address this menacing gap in regulation.

A new cyber law will also set a balance between privacy rights and national security in a variety of areas, and better define what industries are essential and considered critical infrastructure.

Why is Bennett ignoring all of this?

The charitable view is that it is due to an ongoing debate between government lawyers and defense establishment officials on what aspects of the market will be the IDF’s responsibility in the event of an emergency.

Debating these issues is important, but not at the cost of delaying a law that probably should have been passed years ago, and from the Bennett administration’s perspective, months ago.

After all of this, there is still not a set date to bring the cyber bill before the ministerial committee, a moment that shows a bill might pass within a few months.

So for the last seven weeks there has been no cyber chief, and for eight months – and likely several months into the future – there will be no cyberlaw.

This is not what one would expect from “the functioning government,” and the most tech-savvy prime minister in history.