ISRAEL: Draft law to be submitted to the Ministerial Committee – far-reaching powers for the GSS and the Cyber Authority
The National Cyber Authority and the GSS will be allowed to give instructions to private and public organizations in Israel on how to prepare for and defend against a cyber attack and even get a court order direct access to the computer systems of companies and organizations in Israel to operate on their own. National Cyber (Powers to Strengthen Cyber Defense) (Temporary Order), 5721-2021, which will be submitted today for approval by the Ministerial Committee for Legislation.
The law is intended to be in force for two years, as a temporary provision, and the explanatory notes to it depend on the need for it that “in the past year, due to the outbreak of the corona crisis, And accelerated digitization processes of public and private services
According to the draft law that will be submitted to the Ministerial Committee for approval, the National Cyber Authority may give the organization professional instructions for preparing for a cyber attack, after giving the organization an opportunity to make its claims, if it is convinced that the organization has vital activity. May cause actual harm to a vital public interest. If the formation believes that a serious cyber attack is or is about to occur in the organization and it does not take the necessary actions to deal with it, the formation may instruct organizations how to act, including instructing them to carry out cyber defense operations. A court may allow the system itself to carry out cyber defense operations in organizational systems, if it is required to carry out professional instructions and has not acted on its own or if the purpose cannot be achieved through professional instructions for carrying out operations by the organization itself. The order can allow entry into the place and seizure of an object, which by definition also includes computer systems.
The draft law stipulates that the national cyber authority is allowed to collect privacy-protected information if it is of protective value or if the collection is permitted by law or the court has approved the collection of the information. The draft restricts the use of information for the purpose of cyber protection only “or after the court has approved it” (law.co.il notes that there is an opening for other uses) and prohibits the transfer of information except for cyber protection purposes.
All these powers are given in the draft law that the Ministerial Committee is asked to approve also for the General Security Service for the purpose of thwarting and preventing illegal activities aimed at harming state security, the democratic regime or its institutions.
Today, the National Cyber Authority operates by virtue of the Law for Regulating Security in Public Bodies, 1998, towards the bodies listed in the Fifth Schedule to the Law only. On June, 2018 to regulate a comprehensive legal framework for the activities of the national cyber authority. However, the explanatory memorandum to the current bill states that “in view of the desire to promote a comprehensive legal framework, significant legislative time will be required to discuss and promote the law.”
“law.co.il” remarks that it is not clear the urgency for which the draft law is being discussed in the Ministerial Committee for Legislation on the eve of the end of the government term and less than a month before the Knesset elections, especially given its wide-ranging implications and controversial arrangements.
By Haim Ravia (Hebrew), February 26, 2021, published on law.co.il