Even as Israel’s privacy and democracy watchdogs welcome a cybersecurity law that would help the nation fend off damaging attacks on its businesses and critical infrastructure, they are warning that a newly proposed law, now up for comments, is not beneficial to democracy.
The proposal gives “too wide an authority without enough checks and balances,” said Dan Hay, the head of the privacy committee of Israel’s Bar Association, who is planning to submit objections to the proposed law. “There is a danger that if you give a body power, they will misuse it. This is not healthy for a democratic country. The proposal is extreme, and I don’t know of any law in Israel that is so extreme.”
He said that a final version of the law would require a “dramatic change.”
The law, published last week, would give Israel’s National Cyber Directorate, the agency charged with protecting Israel’s civilian national cyberspace, the authority to gather information and confiscate equipment without a court order, in order to foil or deal with a cyberattack. Interested parties have up to July 10 to submit comments on the proposal.
The proposed legislation is likely to be amended numerous times before being submitted to a vote. The proposal formalizes the processes already in place and sets up a framework of what Israel’s civilian and government sphere should be doing for cybersecurity.
The new law comes as nations grapple with the growing threat to their citizens and democracies posed by hackers. In the past few years there has been a “significant rise in cyber threats and their severity,” the authors of the proposed law wrote. “Cyberattacks are becoming more sophisticated, and their results are more difficult and more complex to deal with. As a result, the risk of harm to personal security, economic activity, and national security increases in a manner that requires addressing at the national level.”
In 2015, the OECD recommended that nations set out a policy to defend their digital sphere from attacks, and in 2016 the European Union passed a law, which came into force in May 2018, that requires all member countries to set up a cybersecurity policy regarding critical infrastructures and a national center for cybersecurity. The World Economic Forum said earlier this year that cyber threats are one of the biggest risks in the world, and recommended increasing national readiness for cybersecurity breaches.
Israel’s proposed law says that authorities will be able to instruct organizations on how to act if there are suspicions of a hack or data breach, and that those organizations that receive instructions cannot reveal the instructions they were given. Only in some cases will the permission of a court be required to impose such instructions.
The proposed law is “pretty dramatic,” said Prof. Yuval Shany, a former dean of the Faculty of Law at the Hebrew University of Jerusalem and an expert in international law and international human rights law, who is leading a team of legal and technology experts to tackle the challenges posed by the new digital world and cyber-warfare to legal systems around the world.
“It allows the authorities to enter private premises without a court order and confiscate equipment in order to prevent or stop a crime. This is serious because it involves an infringement of the right to privacy both with relation to the premises and the contents of the data found in equipment.”
Huge costs and risks
A World Economic Forum report said that the “takedown of a single cloud provider could cause $50 billion to $120 billion of economic damage — a loss somewhere between Hurricane Sandy and Hurricane Katrina. And while it’s not exactly apples to apples, the annual economic cost of cybercrime is now estimated at north of $1 trillion.”
The number of interconnected devices globally is forecast to jump from 8.4 billion today to some 20 billion in 2020, according to the World Economic Forum. “The increased use of artificial intelligence in business processes also heightens exposure to cyber-risks,” the report said.
“The directorate operates more narrowly” than the new law would allow, Shwartz Altshuler said, and has shown “self-restraint.” “They know that there are certain things they cannot do, without legislation.”
The new law allows Israel to update its legislation to bring it in line with developments on the ground, she said. But there are red flags in the proposed law, she warned, that signal a need for rewriting.
One of the most worrying aspects of the law, she explained, is that it would allow the directorate to monitor all internet traffic. “This is significant and dangerous,” she said. Israel’s Shin Bet security agency is likely doing this already with Palestinians to foil terror attacks, she said. But there has never been such monitoring on Israeli citizens, she said.
“They can say we won’t look at the private information,” she said, but “we don’t know what will happen in the future. The ability to track internet traffic is very dangerous.”
In addition, she said, the proposal does not obligate the authority to make the public aware of a breach. During hacking events it is often important to preserve secrecy to counter the attack efficiently, she said. But no commercial or government body would ever want to admit that they have been hacked and important data has been leaked. “Thus, the pressure on the directorate by politicians and corporations not to publish the information will be very strong.”
Besides that, the law does not define what should be done with the data that has been collected by the directorate, she said. “Will they be allowed to transfer the information to the police?” she asked. If that is the case, then people won’t disclose they have been hacked, for fear of their data being transferred to unknown recipients.
Another worrying element of the law is the definition of a cyberattack. The issue is very clear when the attack targets infrastructure. But what if the attack is intangible, like a tweet, or fake news that aims at manipulation for political gain? Technically, that too is a cyberattack, as it is using the cybersphere to “harm a democratic process.”
And if the directorate intervenes, it will be accused of political motivation, one way or the other, she said.
The law also gives the directorate powers to override existing regulators, she said, allowing it to give direct orders to regulators as to how to operate and act with regard to the cybersphere.