CYBER LAW AND REGULATION: THE ISRAEL CASE STUDY

Deborah Housen-Couriel, Adv.

February 19, 2019

2

OECD R&D

4

5

BAGRUT IN CYBERSECURITY

A GROWING THIRD SECTOR

E-DIPLOMACY

CYBERSPARK

BEER-SHEVA, Israel, January 28,

2014 – Israel’s Prime Minister

Benjamin Netanyahu and Ben-Gurion University of the

Negev (BGU) President Rivka

Carmi announced yesterday the

establishment of a national cyber

complex in Beer-Sheva, called CyberSpark.

ISRAEL’S LEGAL AND POLICY ON

CYBER THREATS AND CYBER-ENABLED

TERRORISM

10

HOSTILE CYBER ATTACKS ON

ISRAEL ARE ONGOING

• Wars with in the Gaza Strip with Hamas

– Summer 2018

– Protective Edge, 2014

– Pillar of Fire, end of 2012

– Cast Lead, 2009

• Iran hostile activity

• “Anonymous” threats and hostile activity- since Passover 2015

• Delegitimization of Israel, BDS, student movements

12

KEY

CIVILIAN

SECTOR

WAKEUP

CALL

CRITICAL INFRASTRUCTURE IS

ESPECIALLY TARGETEDCARMEL TUNNELS CYBERATTACK, 2014

ISRAEL ELECTRIC COMPANY, ONGOING

2011 NATIONAL CYBER INITIATIVE

PMO mandateWho’s in the

room?

The importance of a “good mistake”

The Israeli cyber conversation is

bornStart-up mode

THE RESULT: ESTABLISHMENT OF

THE NCB

Government Resolution 3611 (Aug. 2011)

• Definitions

• Cyberspace

• Cyber security

• NCB begins operation in winter 2012

• CERT

• ICT trade

• Critical infrastructure

ISRAEL GOVERNMENT GOALS

• Goals/Tasks:– Establishing the NCB

– Retaining Israel’s global leadership

• Israel’s cyber policy

• Definition of cybersecurity professions

• R&D

• International outreach

• CERT-IL

Regulatory Frameworks

– Gov’t Resolutions 84B,

3611, 2443 and 2444

(February 2015)

– 2443 – “Promoting

National Regulation and

Government Leadership

in Cyber Defense”

– 2444 – “Promoting

National Preparedness

for Cyber Defense”

LAWS, GOV’T DECISIONS, KNESSET

RESOLUTIONS

COMPUTERS LAW, 1995

PROTECTION OF PRIVACY LAW, 1981 and 2017

Regulations

GOV’T DECISIONS 3644, 2443,

2444

LAW TO ENFORCE

SECURITY IN REGULATED BODIES, 1998

MINIS-

TERS’

DECISI

ON 84B,

2002

LEGISLATION (2)

COMMUNICATIONS LAW (TC AND BROADCAST),

1982

SUPERVISION OF SECURITY

EXPORTS LAW, 2007

CRIMINAL CODE, 1977

LAW TO ENCOURAGE R&D,

1984

19

הסדרה הסייבר בישראל

REGULATORY WAVE I

Legacy issues: existing regulation that

needs to be adapted

• Privacy regulation and protection of

databases in the Privacy Protection Law

• Definition of “data” + computer-related

crimes in Computers Law

• Article 13A of Telecommunications Law +

service supplier licenses

22

23

24

GOV’T RESOLUTION 2443

(FEBRUARY 2015)

Promoting National Regulation and

Government Leadership in

Cybersecurity

GOV’T RESOLUTION 2444

(FEBRUARY 2015)

Promoting National Preparedness

for Cybersecurity

REGULATORY WAVE II:

SECTORIZATION

Health

– Director-General’s

Guidance on Health

Data, January 2014

– Data Sharing Directive

– National Scope

– Israel’s HMOs and

hospitals

– Privacy Protection

Financial– Bank Supervisor

Directive 361 (March 2015)

– Scope: all banks and credit institutions

– September 1 deadline

– Similar to US regulation

– Data breach requirements

– Capital markets directive on the way

THE BANK OF ISRAEL

29

REGULATORY WAVE III:

ISRAEL’S CYBER LAW

ISRAEL AND CYBER

TERRORISM

THE NEW COUNTER-

TERRORISM LAW

HOSTILE SOCIAL

MEDIA LEGISLATIVE

INITIATIVES

31

0xOmar, The Saudi Hacker 2012

• 15,000 Israelis – credit

card data, 3 co’s

• BoI – they’re responsible

• Stormy public debate

around ’81 Protection of

Privacy Law and PCI –

Payment Card Industry

Security Standard

• to "…hurt Israel --

politically, economically

and culturally"

32

Combatting Terrorism Law, 2016

A new definition of an

“act of terrorism”

33

“Act of terrorism”

Motivation is political, religious,

nationalistic, or ideological

Carried out with the goal of causing

public fear or alarm, or to cause the

government or another public body (in

Israel or abroad, including IOs) to either

act or refrain from acting

One of the following was either threatened

or had a real danger of occurring:

1) Severe injury to a person’s body or freedom;

2) Severe injury to public safety or health

3) Severe damage to property

4) Severe damage to religious objects, places of worship or other sites

5) Severe damage to infrastructure, systems or basic services, or severe interference with them, or severe damage to the national economy or ecosystem.

TOWARDS A NEW UNDERSTANDING ON

THE PART OF ISRAEL’s LEGAL SYSTEM

AND LAW ENFORCEMENT AS TO WHAT

CONSTITUTES A “TERRORIST ACT”

36

ISRAEL’S FACEBOOK LAW - AND OTHER NATIONAL LAWS FOR REMOVAL OF

ONLINE TERRORIST CONTENT- COMBINE BOTH LEGAL ELEMENTS

2 CONDITIONS FOR ISSUING OF COURT ORDER TO REMOVE CONTENT from a website, search service, other platform

IT VIOLATES CRIMINAL LAW AS FORBIDDEN SPEECH (INCITEMENT –BUT NOT ONLY!)

CONTINUED “PUBLICATION” ACTUALLY ENDANGERS A PERSON, PUBLIC SECURITY OR STATE SECURITY

CRITICISM:NEW KIND OF

FAST-TRACK CENSORSHIP,

SUB-STANDARD EVIDENCE,

RESULTS NOT FACTUALLY

SUPPORTED, DOESN’T

SOLVE ENCRYPTED

CONTENT

A GROWING PHENOMENON

1

• Distinction between support activities in cyber space and terrorist acts of direct impact (ex / Islamic Relief NGO)

2

• Exacerbated assymetric capabilities of terrorist groups (class exercise)

3

• Increasing vulnerabilities of critical infrastructure

38

NEXT TRENDS FOR ISRAEL

continued sectordevelopmenmt

NCD leadership cultural transition

the nat’lregulatory project

in cyberspacecyber

professionals

SUMMING UP

formulating a cybersecurity policy is a process, not an event

• a new reality

• unprecedented threats

• uncertainty

• the task: creating a new language and new concepts

there are excellent best-practice resources for

launching a nat’lprocess

• basic outline and “necessities”

• but each country has specific challenges, needs and priorities

• particular dilemmas such as balance between ICT development and the costs of cybersecurity

Israel’s experience led to the adoption of some general conclusions and some

Israel-specific ones

• importance of “clean table” legislative review

• R&D investment a priority (start up nation)

• cyber policy does not solve all cybersecurity problems

• don’t forget legacy issues

• Cyberterrorism is a new and difficult challenge, connected to content and free speech issues

40