In December 2023, new legislation was adopted on Handling Serious Cyberattacks in the Digital and Storage Services Sector (Temporary Provision – Swords of Iron), 5774-2023 (“Law” or “New Law” or “New Legislation”).
The background to the New Legislation is the ongoing war, during which cyberattacks against civilian entities have increased in both scope and intensity, with the aim of undermining the Israeli economy and market, and may cause a wide range of damage. The Law was enacted to address the unique cyber threats of this period as they affect providers of digital services and storage services, as defined in the Law (“Providers“), which are characterized by high connectivity to many entities in the Israeli economy (including public entities, critical infrastructure, organizations essential to the functioning of the economy, etc.). Because of this high connectivity, the effects of cyberattacks against these Providers may spread to and affect many companies.
To mitigate cyber threats against these Providers, the New Law authorizes an employee of the Israel National Cyber Directorate or of another Israeli security organization specified in the Law (“Authorized Employee“) to notify the Provider of a severe cyberattack threat and, when appropriate, to issue instructions to the Provider in order to mitigate the threat.
Key provisions of the New Law:
1. The Law authorizes a qualified manager (a senior position) of the Israel National Cyber Directorate or of another Israeli security organization specified in the Law to determine that a “severe” cyberattack is occurring or is highly likely to occur, where there is a significant concern that the cyberattack will undermine national security, public safety, or the regular provision of essential supplies and services, having regard to the following circumstances: its occurrence during significant military operations; a significant concern of a material effect that is not limited to the affected Provider; and the cyberattack’s overall characteristics, including its outline or the identity of the attacker.
2. If the qualified manager mentioned above determines that a “severe cyberattack” is occurring or is about to occur, and an Authorized Employee has notified the Provider of the existence of such a concern, the notice shall detail the factual and professional basis for the concern (subject to confidentiality considerations). After the notice is given, the Provider will be given the opportunity to take appropriate action to confront the cyberattack within a reasonable timeframe, determined according to the specific characteristics of the cyberattack.
3. Following the above, the Provider will be required to update the Authorized Employee on the actions taken to detect, prevent, or halt the cyberattack; alternatively, the Provider may provide an affidavit under the Law regarding its implementation of security guidelines in accordance with the NIST 800-53 Security and Privacy Controls for Information Systems and Organizations standard (or another standard that the Israel National Cyber Directorate may approve in the future under the Law).
4. If the Provider does not provide an affidavit as described above, or the Authorized Employee finds that the Provider has failed to act adequately to confront the threat, the Authorized Employee will be authorized to issue the Provider with instructions on cybersecurity measures, including instructions to deliver information or a document, after informing the Provider of the intention to issue instructions and giving the Provider the opportunity to present its arguments. When issuing instructions, the Authorized Employee is required to consider, inter alia, the instructions’ possible effects on the right to privacy, on the Provider, and on third parties; the estimated cost of implementing the instructions; and the possible effect on the functional continuity of the Provider. Such instructions will specify a deadline for execution. The Provider must act in accordance with the instructions within that deadline and report the manner of execution to the Authorized Employee.
5. Documentation – the Authorized Employee shall document the instructions given to the Provider in writing and will deliver to the Provider a written version of the instructions (not containing classified information), as soon as possible after the instructions are given.
6. Duty of confidentiality and deletion of information – the Law establishes a duty of confidentiality in relation to information received from a Provider, and stipulates that, in general, information received from a Provider will be deleted immediately after the mitigation of the threat is completed (except if a qualified manager has determined otherwise).
7. The Law provides that the Provider’s identity may be announced publicly only with the approval of a qualified manager, after the Provider has been given an opportunity to present its arguments.
8. The Law establishes a mechanism for reporting on the exercise of the powers under the Law to the Attorney General of Israel and to the Foreign Affairs and Security Committee of the Knesset (the Israeli Parliament).
It should be noted that the Law does not derogate from the provisions of any other law and is intended to supplement them. Furthermore, the Law is intended to supplement any provision regarding cybersecurity set out in a governmental decision or an agreement, and will prevail over such provisions in case of contradiction.
The provisions of the Law will remain in force for a period of up to seven months from the date of publication.
As always, we will be glad to provide any legal advice and guidance regarding the matter and all legal aspects related, as may be required.
*This newsletter is provided for informational purposes only, is general in nature, does not constitute a legal opinion or legal advice and should not be relied on as such. If you are seeking legal advice, it is essential to review the specific facts of each case in detail with a qualified lawyer.