Post on 28-Dec-2019
CYBER LAW AND REGULATION: THE ISRAEL CASE STUDY
Deborah Housen-Couriel, Adv.
February 19, 2019
2
OECD R&D
4
5
BAGRUT IN CYBERSECURITY
A GROWING THIRD SECTOR
E-DIPLOMACY
CYBERSPARK
BEER-SHEVA, Israel, January 28,
2014 – Israel’s Prime Minister
Benjamin Netanyahu and Ben-Gurion University of the
Negev (BGU) President Rivka
Carmi announced yesterday the
establishment of a national cyber
complex in Beer-Sheva, called CyberSpark.
ISRAEL’S LEGAL AND POLICY ON
CYBER THREATS AND CYBER-ENABLED
TERRORISM
10
HOSTILE CYBER ATTACKS ON
ISRAEL ARE ONGOING
• Wars with in the Gaza Strip with Hamas
– Summer 2018
– Protective Edge, 2014
– Pillar of Fire, end of 2012
– Cast Lead, 2009
• Iran hostile activity
• “Anonymous” threats and hostile activity- since Passover 2015
• Delegitimization of Israel, BDS, student movements
12
KEY
CIVILIAN
SECTOR
WAKEUP
CALL
CRITICAL INFRASTRUCTURE IS
ESPECIALLY TARGETEDCARMEL TUNNELS CYBERATTACK, 2014
ISRAEL ELECTRIC COMPANY, ONGOING
2011 NATIONAL CYBER INITIATIVE
PMO mandateWho’s in the
room?
The importance of a “good mistake”
The Israeli cyber conversation is
bornStart-up mode
THE RESULT: ESTABLISHMENT OF
THE NCB
Government Resolution 3611 (Aug. 2011)
• Definitions
• Cyberspace
• Cyber security
• NCB begins operation in winter 2012
• CERT
• ICT trade
• Critical infrastructure
ISRAEL GOVERNMENT GOALS
• Goals/Tasks:– Establishing the NCB
– Retaining Israel’s global leadership
• Israel’s cyber policy
• Definition of cybersecurity professions
• R&D
• International outreach
• CERT-IL
Regulatory Frameworks
– Gov’t Resolutions 84B,
3611, 2443 and 2444
(February 2015)
– 2443 – “Promoting
National Regulation and
Government Leadership
in Cyber Defense”
– 2444 – “Promoting
National Preparedness
for Cyber Defense”
LAWS, GOV’T DECISIONS, KNESSET
RESOLUTIONS
COMPUTERS LAW, 1995
PROTECTION OF PRIVACY LAW, 1981 and 2017
Regulations
GOV’T DECISIONS 3644, 2443,
2444
LAW TO ENFORCE
SECURITY IN REGULATED BODIES, 1998
MINIS-
TERS’
DECISI
ON 84B,
2002
LEGISLATION (2)
COMMUNICATIONS LAW (TC AND BROADCAST),
1982
SUPERVISION OF SECURITY
EXPORTS LAW, 2007
CRIMINAL CODE, 1977
LAW TO ENCOURAGE R&D,
1984
19
הסדרה הסייבר בישראל
REGULATORY WAVE I
Legacy issues: existing regulation that
needs to be adapted
• Privacy regulation and protection of
databases in the Privacy Protection Law
• Definition of “data” + computer-related
crimes in Computers Law
• Article 13A of Telecommunications Law +
service supplier licenses
22
23
24
GOV’T RESOLUTION 2443
(FEBRUARY 2015)
Promoting National Regulation and
Government Leadership in
Cybersecurity
GOV’T RESOLUTION 2444
(FEBRUARY 2015)
Promoting National Preparedness
for Cybersecurity
REGULATORY WAVE II:
SECTORIZATION
Health
– Director-General’s
Guidance on Health
Data, January 2014
– Data Sharing Directive
– National Scope
– Israel’s HMOs and
hospitals
– Privacy Protection
Financial– Bank Supervisor
Directive 361 (March 2015)
– Scope: all banks and credit institutions
– September 1 deadline
– Similar to US regulation
– Data breach requirements
– Capital markets directive on the way
THE BANK OF ISRAEL
29
REGULATORY WAVE III:
ISRAEL’S CYBER LAW
ISRAEL AND CYBER
TERRORISM
THE NEW COUNTER-
TERRORISM LAW
HOSTILE SOCIAL
MEDIA LEGISLATIVE
INITIATIVES
31
0xOmar, The Saudi Hacker 2012
• 15,000 Israelis – credit
card data, 3 co’s
• BoI – they’re responsible
• Stormy public debate
around ’81 Protection of
Privacy Law and PCI –
Payment Card Industry
Security Standard
• to "…hurt Israel --
politically, economically
and culturally"
32
Combatting Terrorism Law, 2016
A new definition of an
“act of terrorism”
33
“Act of terrorism”
Motivation is political, religious,
nationalistic, or ideological
Carried out with the goal of causing
public fear or alarm, or to cause the
government or another public body (in
Israel or abroad, including IOs) to either
act or refrain from acting
One of the following was either threatened
or had a real danger of occurring:
1) Severe injury to a person’s body or freedom;
2) Severe injury to public safety or health
3) Severe damage to property
4) Severe damage to religious objects, places of worship or other sites
5) Severe damage to infrastructure, systems or basic services, or severe interference with them, or severe damage to the national economy or ecosystem.
TOWARDS A NEW UNDERSTANDING ON
THE PART OF ISRAEL’s LEGAL SYSTEM
AND LAW ENFORCEMENT AS TO WHAT
CONSTITUTES A “TERRORIST ACT”
36
ISRAEL’S FACEBOOK LAW - AND OTHER NATIONAL LAWS FOR REMOVAL OF
ONLINE TERRORIST CONTENT- COMBINE BOTH LEGAL ELEMENTS
2 CONDITIONS FOR ISSUING OF COURT ORDER TO REMOVE CONTENT from a website, search service, other platform
IT VIOLATES CRIMINAL LAW AS FORBIDDEN SPEECH (INCITEMENT –BUT NOT ONLY!)
CONTINUED “PUBLICATION” ACTUALLY ENDANGERS A PERSON, PUBLIC SECURITY OR STATE SECURITY
CRITICISM:NEW KIND OF
FAST-TRACK CENSORSHIP,
SUB-STANDARD EVIDENCE,
RESULTS NOT FACTUALLY
SUPPORTED, DOESN’T
SOLVE ENCRYPTED
CONTENT
A GROWING PHENOMENON
1
• Distinction between support activities in cyber space and terrorist acts of direct impact (ex / Islamic Relief NGO)
2
• Exacerbated assymetric capabilities of terrorist groups (class exercise)
3
• Increasing vulnerabilities of critical infrastructure
38
NEXT TRENDS FOR ISRAEL
continued sectordevelopmenmt
NCD leadership cultural transition
the nat’lregulatory project
in cyberspacecyber
professionals
SUMMING UP
formulating a cybersecurity policy is a process, not an event
• a new reality
• unprecedented threats
• uncertainty
• the task: creating a new language and new concepts
there are excellent best-practice resources for
launching a nat’lprocess
• basic outline and “necessities”
• but each country has specific challenges, needs and priorities
• particular dilemmas such as balance between ICT development and the costs of cybersecurity
Israel’s experience led to the adoption of some general conclusions and some
Israel-specific ones
• importance of “clean table” legislative review
• R&D investment a priority (start up nation)
• cyber policy does not solve all cybersecurity problems
• don’t forget legacy issues
• Cyberterrorism is a new and difficult challenge, connected to content and free speech issues
40