
Israeli Government Neglects Cybersecurity Oversight for Five Years, Audit Finds

Translated & summarized from Ynet by baba

An audit report released on Tuesday reveals that over the past five years, Israel's Privacy Protection Authority has conducted no oversight activities regarding information security within government ministries. The report highlights significant gaps in cybersecurity supervision, noting that 60% of the government sector cyber units examined (three out of five) fail to verify whether their subordinate bodies comply with security guidelines.

The audit focused on critical national communication infrastructures, including the Electric Company, Airports Authority, water suppliers, communication systems, banks, financial institutions, and transportation bodies. It found deficiencies and a lack of information concerning the physical protection of server and communication rooms. Despite these issues, the cyber units responsible did not report the problems to management, and the Privacy Protection Authority did not issue public recommendations or conduct comprehensive inspections across government offices.

The National Cyber Directorate only issued non-binding recommendations regarding physical protection and operational continuity, which proved insufficient. The audit uncovered physical and environmental security gaps in server rooms and communication centers, as well as shortcomings in functional continuity among entities overseen by sector cyber units. Furthermore, three of the five sector cyber units do not monitor reporting from their subordinate bodies.

The Digital Directorate compiled data from 50 ministries during the "Iron Swords" conflict to develop an action plan to address these gaps. However, the plan lacks full solutions, is complex to implement, requires significant resources, and has no dedicated budget or timelines. No follow-up discussions involving regulatory bodies such as the National Cyber Directorate, Shin Bet, the National Emergency Authority, and the National Security Council have been held.

The audit also criticizes the cyber sector's training programs for information security officers and their instructors, pointing to deficiencies in guidance on physical protection of server rooms. The State Comptroller, Matanyahu Englman, recommends that the National Cyber Directorate, Digital Directorate, Shin Bet, Privacy Protection Authority, and sector cyber units finalize regulatory frameworks mandating physical and operational continuity protections. He urges these bodies to issue binding guidelines, conduct regular audits, and provide proper training to responsible personnel to ensure compliance and oversight.
