Communications Minister Yoaz Hendel and Israel National Cyber Directorate (INCD) Director Gabi Portnoy on Monday announced that the telecommunications industry would now be required to up their cyberdefenses in light of recent large-scale cyberattacks.
Hendel said, “The State of Israel suffers from thousands of cyberattacks, some of them attempts against critical infrastructure, and we know about plots to launch further attacks. As our dependence on digitization increases, so does the potential for risks and for the country to confront strategic damage on multiple fronts.”
The minister continued, “The communications market is the conduit to the economy and the public and therefore, comprehensive regulation is required that will raise the level of national readiness.
“There is no essential infrastructure that does not sit on a server which is part of the telecommunications network. Recent attacks show that state and other entities identify the telecommunications infrastructure as a highlighted target in order to hit strategic targets,” said Hendel.
Further, he said there is a need for “proper management of the [cyber] defenses required to safeguard the public interest. We decided today to obligate the telecommunications companies to be equipped with the best detection-identification, containment and recovery capabilities available, in order to protect the public’s communications services from the potential damage of cyberattacks.”
According to INCD chief Portnoy, “The joint initiative will take a step forward regarding the level of protection at the state level and will be a kind of iron dome that provides an additional layer of protection for the entire economy.
“Cyber has no borders, and therefore this kind of collaboration which we promote with the Communications Ministry has added value. In the last month we have seen a significant increase in waves of attacks aimed at artificially overloading websites to get them to crash,” he said.
Continuing, he added, “The level of readiness of communications providers for such attacks... has an effect on the level of protection of their customers... and is a force multiplier for strengthening [cyber] defense” nationally.
The decision comes after an August 2021 hearing that led to amending the licenses of communications companies to add benchmarks for managing cyberdefense. This will reduce the risk of cyberattacks on communications networks, companies’ services and their subscribers.
Communication services have emerged as being among the most essential services for the nation due to the public’s and the economy’s constant use of them, both in routine and emergency situations.
The new principles of regulation and benchmarks include: formulating a comprehensive cyberdefense plan, including protecting the communications network and a mix of monitoring and control mechanisms that help establish an up-to-date picture of cyberdefense, while ensuring information privacy, data integrity and service availability.
Next, companies will need to maintain the timeliness and relevance of the program and implement intrusion-prevention systems.
Moreover, they will be obligated to deal with cyber incidents through incident identification, recovery and performing periodic cyber exposure scans to identify vulnerabilities.
The state will impose responsibility on boards of directors for approving cyberdefense management plans and on CEOs to chair steering committees to ensure implementation of the plan.
Next, there will be reporting mechanisms and procedures for entities inside and outside the organization, though the exact timing was not specified.
There will also be standards for implementing the cyberdefense program among other managers, employees, suppliers and subcontractors of the licensee.
The regulatory burden might vary by company so that it is proportional to the risk, especially regarding company size and the specific services involved.
The move is one of the first major changes of Pornoy’s era following his taking the reins of the INCD in February.