The necessity is clear for any country, but especially Israel with its unique security considerations, to maintain a cyber defense system. The creation of the unified Israel National Cyber Directorate (INCD), which includes the Israel Cyber Event Readiness Team (CERT-IL), side by side with other security agencies such as the Israeli NSA and Mossad within the Prime Minister’s Office, addresses this need. This is an important institution, and it therefore must have clearly defined legislative powers, goals and organizational structures.
What is interesting, though, is that although Israel is Startup Nation when it comes to innovation and development, it is sorely behind in legislation that deals with the growing dilemmas regarding the intersection between technology, human rights and democratic values. Most technological innovations in security and tracking systems used in social networks are developed out of the public eye. The unified INCD was established before legislation to regulate its activities was put in place.
To this end, the recent publishing of the first draft of a cyber law for Israel, designed to provide a legal framework for the activities of Israel’s cyber defense system, is welcomed. However, the content of the draft shows that the State is seeking to assume far wider powers than are needed to protect the public from cyberattacks. Part of the reason for this is that it is difficult at present to assess what cyberattacks could look like in the future, but another part is what seems to be a somewhat hidden policy of the government to use technology in order to increase their control over citizens’ activities.
According to the draft, the INCD, a division within the Prime Minister’s Office, will be able to routinely collect data from internet and cellular providers, government ministries, local authorities and government corporations in order to identify and thwart cyberattacks in real time. Yet the definition of “security relevant data” remains ambiguous, and is certainly much broader than the definitions laid out in IOC (Cyber Threat Indicator) in the American Cybersecurity Information Sharing Act (CISA) passed in 2015.
The question is whether there is truly a need for all of this information — a record of all online activities and personal details we’ve shared with governmental agencies — to be collected in this way, and whether this is information that could potentially be used to create behavioral profiles that could be used against citizens. What, in effect, is the difference between gathering this data and wide-scale, unrestricted wiretapping? For the State to have access to such far-reaching information constitutes a real threat to citizens’ privacy and human rights on a larger scale.
In addition, should the drafted bill pass, INCD will have access to computers and the authority to collect and process information, all in the name of identifying cybersecurity infiltrators. This could include almost any information held by any private citizen or business. While the law mentions the need to respect the right to privacy, it also permits activities that do not infringe upon this right “more than is necessary” — a frighteningly vague limitation. In addition, there do not seem to be sufficient limits on the use of the information collected. How long can it be stored? Can it be passed from INCD to the police, or to other agencies?
We would not be global leaders in cyber and technology without simultaneously protecting fundamental human rights.
This bill endows the INCD with supreme regulatory powers that supersede those of the police, the Privacy Protection Authorities and others. The INCD even has the capacity to withdraw licenses awarded to commercial institutions. One obvious outcome of this is that it will lead to a lack of cooperation between the different authorities. The million-dollar question is, of course, when do these powers come into play? And the answer, again, is worrying: “Whenever necessary in order to defend a ‘vital interest.'”
This might mean protecting the country’s security or saving human life, but according to the draft, it also includes “the proper functioning of organizations that provide services on a significant scale.” Does this also mean a cyberattack on a large clothing chain? And if so, is this justified?
Classic cybersecurity, as we know it, deals mainly with potential damage to tangible infrastructure. However, the proposed bill allows the prime minister to add more cyberthreats to this list at his will. Which begs the question: What will happen when a prime minister adds something along the lines of “harming the public consciousness by presenting arguments on social networks”? or “disseminating fake news”? Do we really want the INCD to be empowered to deal with such cases in addition to the Israeli NSA?
Moreover, the draft makes scant mention of oversight bodies to regulate the use of such broad powers, and grants the head of INCD the power to maintain a veil of secrecy when attacks are being discovered. It certainly makes sense not to publicize the existence of a cyberattack until it is under control — in order to prevent additional damage — but assume that you are a patient in a hospital in which a cyberattack has created confusion in the administration of medicines. How long would you want this to be kept secret? And what of bank account holders, or people who have registered for a dating site, whose details have been compromised?
The proposed bill endows the INCD with unchecked power, especially when compared with other democracies. The abuse of such power and Edward Snowden’s exposure of PRISM (the NSA’s intrusive surveillance program) should serve as a warning to us all, especially here in Israel. Today, the right to privacy can no longer be seen as the right to control one’s personal data as laid out in the General Data Protection Regulation (GDPR). Rather, the right to privacy is understood as a prerequisite condition for other human rights. While the bill is important, one cannot help but think that it may be the first stage in an unprecedented “big brother” scenario.
Legislators have to take the time to study cyber issues and the threats and opportunities that they pose. It is crucial that those who decide whether or not to pass the bill gain a deep understanding of the meaning of the right to privacy in a digital world. This knowledge will allow them to create a more balanced piece of legislation and in turn protect the rights of Israeli citizens.
The law states that one of its primary goals is to “advance Israel as a global leader in the field of cyber security.” Yet let us not forget that in a small country like Israel, driven by creativity, independence and thinking out-of-the-box, we would not be global leaders in cyber and technology without simultaneously protecting fundamental human rights.