Special Counsel Roy Keidar, Israeli law firm Yigal Arnon & Co, examines the New Israeli Cyber Bill, with the assistance of Arod Balissa.

The Israeli parliament (Knesset) has only recently approved a bill which transferred cybersecurity responsibilities from the Israeli central security agency to the Israeli National Cyber Bureau (INCB). The bill should be considered an important step towards boosting the country’s level of cyber-protection to include not only critical national infrastructure and government facilities, but also to provide means to enhance cyber-preparedness of the entire Israeli private sector.

A record-breaking number of cyber attacks

The new Israeli bill is a result of a fairly long process, however, ‘timing is everything’. It comes in a record-breaking month of cyber attacks raging all over the world, with aggregate damages totaling in hundreds of millions of dollars. While some attacks received wide media coverage, like the recent Bitfinex’ US$72 million breach, many others were not even heard of among the public.

These latest developments are yet another sign of the cyber vulnerability of the private sector. If at the beginning the main concern was mainly critical infrastructure, such as power grids, with policymakers visualising a violent catastrophe as the quintessential cyber threat, there is now a better understanding that the possible range of threats includes much more nuanced threats, as was evidenced during the Bitfinex debacle.

Cloud-based technologies and Big Data

One type of threatened entities is still receiving scant attention: Small/medium sized entities (SMEs). Nowadays, with the advances made with cloud-based technologies and Big Data, SMEs have unprecedented access to personal and sensitive data of their clients, partners, and employees. Unlike gargantuan multinational corporations, SMEs usually possess insufficient resources to protect themselves from sophisticated attackers, and often lack any real recourse to the law, with regulatory frameworks still being in their infancy. To make matters worse, attack costs are usually far lower than the costs of adequate protection (if such protection exists in the first place), turning SMEs into proverbial “sitting ducks”. Due to the multiplicity of challenges and the complexity that arises from modern threats, no single and simple strategy can withstand reality.

It is against this backdrop that we must understand Israel’s latest bill. Traditionally, Israel has been a pioneer in developing holistic approaches in security, as in the area of Critical National Infrastructure (CNI), by investing in technology, manpower and in devising national-level defence strategies. Early on it was understood that it requires collaboration with the Israeli private sector. This strategy that was adapted was dialogue first, then regulation. Overall, it proved to be effective. However, in the case of SMEs, application will be limited in scope. While CNIs are few in numbers, the number of SMEs is way too large to be able to satisfy each one.

New rules and standards

Israel’s new bill will allow the incoming regulator, the INCB, to formulate new rules and standards that will benefit SMEs, an area that requires an entirely different ‘toolbox’ than was available to regulators so far. Among the methods that the INCB may use to increase SMEs’ resilience in the face of increasingly dangerous cyber-attacks are developing new standards for protection, legal recourse and equitable relief, adequate insurance policies, price-control measures, issuance of guidelines, formulation of reporting requirements in cases of data breaches, coordination of information-sharing practices and cross-sector cooperation policies, and many others.

This is important and the right step forward. Still, it is important to remember that the INCB still operates in a complex and sensitive regulatory and business environment. One significant challenge that it will have to tackle is the enhancement of cyber protection, without undermining common business models. To achieve this, the costs of protection must be monitored and controlled. Furthermore, with the private sector’s traditional suspicion towards regulatory bodies, in order to gain trust, the INCB must be able to work with the business sector and foster a bottom-up channel to facilitate innovation and regulatory agility, thus preventing alienation of other entities. Lastly, the INCB must lead an overall holistic approach that considers national and private interests, supports technologies, builds capacities, develops human capital and more. Indeed, preventing Cyber threats is like solving a puzzle; it requires understanding the overall picture and then assembling piece by piece.

Edited for web by Jordan Platt.