A normal day at the office. You arrive, say hello, and sit down in front of your computerAll of a sudden, a stranger walks in, identifying herself as a government worker. She demands immediate access to the organization’s computers, confiscates some equipment, and instructs employees to carry out certain network tasks—and then commands everyone to keep what happened a secret. She is not law enforcement and she does not have a court order. But what she’s done is completely legal and everyone has no choice to cooperate. Why? Because there’s a threat that the organization you work for is undergoing a cyber attack.
This scenario, as far-fetched as it may seem, could become a reality in Israel if a cybersecurity bill being proposed by Prime Minister Benjamin Netanyahu’s office were to be enacted in its current formulation by the Israeli parliament.Details of the bill were revealed last week in a formal memo describing the contents of the bill.
The bill seeks to give an agency known as the Israel National Cyber Directorate with extraordinary powers to search and seize private computers and to amass data collected from government agencies, utilities, and other organizations. The Directorate was created earlier this year from the combination of two separate offices that dealt with cyber threats. The new agency operates under the Prime Minister’s Office, similarly to the Shin Bet security service and the Mossad.
The bill is in the revisions phase and could be significantly rewritten before it appears for a vote before parliament. The public is invited to provide comment until July 11.
Privacy advocates, civil liberties groups and cybersecurity specialists responding to the bill’s current version have called on lawmakers to curb the powers given to the Directorate and to introduce better safeguards against abuse.
The bill raises “serious concerns about the potential for unintended harm to the privacy of citizens and the trade secrets of private organizations,” the Israeli Digital Rights Movement wrote in a letter to the Cyber Directorate. “The memo describes no specific limits to how data that is collected can be used nor for how long.”
Karine Nahon, a professor of information science and president of the Israel Internet Association, said the secrecy around the Directorate activities would become an issue of concern.
“Imagine there’s a cybersecurity breach at Bank Leumi,” Ms. Nahon said referring to one of Israeli largest financial institutions. “Two million accounts are hacked and the Cyber Directorate takes control over this episode. If the secrecy protocol is activated, the account holders will have never known what happened.”
Ms. Nahon added that defining the role of the Cyber Directorate would be appropriate if not for the shortcomings of the bill.
“It’s good that there will be a law,” she said, “better to make it legally clear what an agency like Cyber Directorate actually does so that I, as a citizen, could have some oversight. But there’s no proper mechanism in the law to ensure transparency.”
Tehilla Shwartz Altshuler of the Israel Democracy Institute, a nonpartisan think tank, said that one of the problems with the bill is that it defines “cyber threat” too broadly. The potential for abuse here is “reminiscent of the extent of authority afforded to the NSA as revealed by Edward Snowden.”
Lawmakers in the opposition unsurprisingly have criticized the bill. “Giving the Cyber Directorate these freedoms without comprehensive oversight and without checks and balances, like approval from a court, renders this agency too powerful,” Member of Knesset Karin Elharar of the Yesh Atid party.
None of the senior officials involved in drafting and promoting the bill were given authorization by the Prime Minister’s office to be interviewed for this story. No government agency or official has spoken publicly in defense of the bill.