Operation Swords of Iron: Contending with a Cyberattack
This week, the Israeli government enacted emergency regulations for contending with serious cyberattacks in the digital services sector in the wake of Operation Swords of Iron, and the increase in the scope and quality of cyberattacks against civilian entities.
The purpose of the regulations is to regulate the cyber defense activities of companies providing digital and information storage services during the war. These cyberattacks, targeting medical institutions or companies in various sectors, such as infrastructure, commerce, and energy, could also result in significant damage to the Israeli economy. At the same time, the National Cyber Directorate published a memorandum on the Cyber Defense and National Cyber Directorate Law, which is intended to replace the regulations.
Powers of an Authorized Director
According to the regulations (and, accordingly, also according to the Directorate’s memorandum), when an authorized director in the National Cyber Directorate detects a substantive risk of a cyberattack against one of the companies, and that authorized director has a reasonable concern that the cyberattack against the company could infect many other organizations (causing a serious cyberattack), or a concern that the cyberattack could compromise wartime national security, the authorized director may notify the company under attack of the concern and give the company a reasonable time frame to contend with the incident on its own.
If the authorized director finds that the attacked company failed to contend with the cyberattack in an acceptable manner and within an acceptable time frame, the director may issue binding directives to the company about how to contend with the cyberattack, including for detecting, preventing, or stopping the attack. This is in order to safeguard the security of the economy and mitigate the potential damage from that cyberattack.
Sliding into the Private Market
The regulations and the memorandum allow the National Cyber Directorate and other agencies to exercise very broad powers to issue directives and to control cyber events, even when they are in the private market.
Relevant companies, i.e., any company that provides digital services, data storage services, or website or system maintenance and control services, should prepare in advance for the likely possibility of cyber incidents in the near future. Such preparation includes updating cyberattack procedures, training relevant company personnel, and conducting exercises in cyberattack scenarios.
***
Barnea Jaffa Lande’s Privacy, Data Protection and Cyber Department is at your service to answer any questions about the applicability of the National Cyber Directorate’s memorandum and about contending with cyberattacks.
Dr. Avishay Klein is a partner and heads the department.
Adv. Ben Norman is an associate in the department.