Top expert: State must speed up, overhaul cyber regulation

Currently, there is not even a comprehensive cyber law – and initial efforts to propose one this summer stalled on a variety of privacy and other concerns.

Cyber hacking (illustrative) (photo credit: INGIMAGE)
Cyber hacking (illustrative)
(photo credit: INGIMAGE)
Although Israel is ahead of many countries in its cyber regulation efforts, it must speed up and overhaul the process, a new study by INSS’s Gabi Siboni and Ido Sivan states.
Speaking to The Jerusalem Post on Wednesday, Col. (res.) Gabi Siboni, a top cyber and national security expert, said that the broad problem is that although much has been done to defend the country’s infrastructure and private sector from cyber attacks, it was still highly insufficient.
Structurally, he pointed out that the private sector is not incentivized to maximally protect itself or against indirect harm to the public from hacks.
Currently, there is not even a comprehensive cyber law – and initial efforts to propose one this summer stalled on a variety of privacy and other concerns.
The study says that while Israeli businesses have started to get better at protecting aspects of their operations that they view as critical, defending against cyber attack still is a cost for them and not a profit – which means they only want to do the minimum necessary.
In the current information age, this necessary minimum may leave the wider public and its data vulnerable in unacceptable ways.
Siboni told the Post that the private sector protects itself “based on what they consider necessary and not based on what the state considers necessary; they may miss national security angles” that are less obvious.
In the midst of the debate over the proposed cyber bill’s contents and to address this gap, the study proposes a three-tiered system of regulation.
The first tier – including the IDF, the Shin Bet (Israel Security Agency), the Mossad and the Israel Police  – will self-regulate according to their own unique needs and risks.
In the second tier, the study proposed new obligatory cyber defense regulations for bodies and private companies which, if successfully cyber attacked, could harm the country’s national security.
Outgoing National Cyber Security Authority (NCSA) chief Buky Carmeli recently told the Post in an exclusive interview that he favors passing a cyber bill, but also wants to reduce some regulations so that resources are not spread too thin to focus on the primary issues.
Siboni is a greater proponent of regulation, saying that the key is not to have any loose regulation, but to rate the level of importance of even second-tier companies, and to tailor the level of regulation to that rating.
He gave the example of a restaurant which must check off certain boxes relating to fire, environmental and food safety concerns, but currently has no requirements for protecting information.
Discussing the media, he said that if one media outlet would be hacked, it might not be a national security issue. However, if every major media outlet was hacked in the middle of a war, that could become a national security problem.
Finally, the study’s third tier would have less regulation, but would be clearly incentivized economically – with tax breaks and other rewards or penalties – to meet certain minimum cyber defense parameters.
Siboni also proposed a steering committee to ensure that the regulatory reform was implemented, but he did not think that a new public body necessarily needed to be formed. Rather, he thought that the recent consolidation of the prime minister’s cyber bureau into the NCSA was a positive step, and that the NCSA could likely head the steering committee.
The study reviewed several other countries’ state of regulation, including the US, England and others, finding that Israel is actually farther along in its thinking and promotion of cyber defense.
Most importantly, he said the discussion and implementation must be strongly pushed forward since it will probably take time. Comparing it to the amount of time it took for new environmental regulations to take hold, he said that a full transformation could even take a decade.l.”