Sunday, October 21, 2018

2018-10-21 HRA-NGO filed objection to amendment to the law, which transfers authority, relative to vital IT systems, from the Shin-Bet to the "Cyber Array"


The ongoing failure to register IT systems, which are vital for the nature of the regime, among the “public agencies” (both in the existing Act and in the proposed Amendment), enables serious failures. Such failures, which have been repeatedly documented, undermine procedures and institutions of the democratic regime, the Rule of Law, and Human Rights in the State of Israel.
The Shin-Bet should be responsible for such systems, since it is charged by law with "safeguard of procedures and institutions of the democratic regime".  The transfer of such responsibilities to the "Cyber Array", which is directly controlled by the Prime Minister, with no adequate oversight, creates clear and present danger for the nature of the regime in the State of Israel.
Tel-Aviv, October 21 - Human Rights Alert-NGO (HRA-NGO) today filed an objection to the proposed amendment to the Public Agencies Security Arrangements Act.  The proposed amendment transfers the responsibility for securing "vital IT systems" of "Public Agencies" from the Shin-Bet to the new "Cyber Array" in the Prime Minister's office.
The HRA-NGO objection opens by stating:
In our opinion, the transfer of responsibility for vital IT systems from the Shin-Bet to the National Cyber Array is an inappropriate measure. Moreover, the ongoing failure to register IT systems, which are vital for the nature of the regime (and are operated by various government arms), among the “public agencies”, both in the existing Act and in the proposed Amendment, enables serious failures, which have been repeatedly documented, undermining procedures and institutions of the democratic regime, the Rule of Law, and Human Rights in the State of Israel.
Documenting failures in the validation and security of IT systems across the branches of government, and the publication of invalid and/or false and misleading electronic records, was the center of HRA-NGO's reports to the UN Human Rights Council for the Periodic Reviews of Human Rights in Israel (2013, 2018).
The 2018 report was incorporated into the UN High Commissioner of Human Rights report on Israel (2018), and summarized as follows:
24. HRA-NGO highlighted the serious deterioration in integrity of law and justice agencies as a consequence of the implementation of e-government systems. It affirmed that the validity and integrity of any legal and judicial records of Israel should be deemed dubious at best.
Both in reports submitted to the UN Human Rights Council and in academic publications, HRA-NGO calls upon computing experts to assume a public duty in monitoring government IT systems and Human Rights in the digital era.

Following are the comments, filed today by HRA-NGO, on the proposed amendment to the Public Agencies Security Arrangements Act:

October 20, 2018

Prime Minister Benjamin Netanyahu
By email and through dedicated government portal

RE: Memo, in re: Public Agencies Security Arrangements Act (Amendment #9) (National Cyber Array), 2018 – our comments

Dear Sir,

Human Rights Alert-NGO has been active for about a decade in monitoring e-government systems in Israel and beyond and researching their effects on Human Rights, the Rule of Law, and democratic institutions (short CV of the undersigned attached).
In our opinion, the transfer of responsibility for vital IT systems from the Shin-Bet to the National Cyber Array is an inappropriate measure. Moreover, the ongoing failure to register IT systems, which are vital for the nature of the regime (and are operated by various government arms), among the “public agencies”, both in the existing Act and in the proposed Amendment, enables serious failures, which have been repeatedly documented, undermining procedures and institutions of the democratic regime, the Rule of Law, and Human Rights in the State of Israel.
We request to be invited to any public hearing in this matter in Knesset Committees.
Following are our detailed comments:

a. The amendment to the Act would transfer “the responsibility for vital IT systems” from the Shin-Bet to the Cyber Array
The Memo, referenced above, says in Article B (page 1):
Principles of the proposed bill and the justification
On August 3, 2016, the Public Agencies Security Arrangements Act (Interim Provisions) 2016 was adopted, which pursuant to Government decisions, pertaining to cyber security, established the transfer of responsibility for vital IT systems from the Shin-Bet to the National Authority for Cyber Security (today – the National Cyber Array).
Therefore, the Amendment to the Act, proposed in the memo, transfers the “responsibility for vital IT systems” from the Shin-Bet to the National Cyber Array.

b. The lists of “Public Agencies” in the Appendices to the existing Act and in the proposed Amendment fail to include agencies, which are vital to the nature of the regime
Articles (19) and (20) in the Memo list the “public agencies”, relative to which the Act would apply, pursuant to the proposed Amendment.  Likewise, the existing Act lists in the Appendices the “public agencies” to which it applies today.
Both according to the existing Act and to the proposed Amendment, the list of “vital IT systems” fails to include the following agencies:
  1. Central Election Committee;
  2. Supreme Court;
  3. Other courts (District, Magistrate, etc);
  4. Administrative courts under the Ministry of Justice – the Debtors’ Courts, the Detainees’ Courts, etc;
  5. Knesset;
  6. Prison Service.
IT systems of such agencies and their like should be deemed vital for the nature of the regime in the State of Israel, to the Rule of Law, and Human Rights.  Therefore, such agencies should be entered among the agencies that the Act applies to.
Additionally, inclusion of the large banks and large medical services providers in the list of “public agencies” should also be considered.

c. Failures in IT systems of the Central Election Committee as a test case
IT systems (particularly “Democracy”) and information security in the Central Election Committee are again on the agenda:
1. Already in a joint hearing of the Knesset Science and Technology Committee and the Foreign Affairs and Security Subcommittee on Cyber Security on June 12, 2017, concerns were raised regarding circumstances, where such systems were not secured by State cyber agencies, and were not designated as “critical infrastructure”.  The hearing was reported by media, including concerns of “bias in tallying the votes”. [1]
MK Yael Cohen-Paran stated in the same hearing:
… we have a problem here, the system [“Democracy” - jz] is below public radar… is not secure enough… it influences the outcome of the election.  The output of this system, whatever it is, holds the highest influence on our lives here. More than anything else.
MK Anat Berko stated in the same hearing:
If it [“Democracy” - jz] were defined as critical infrastructure, it would be more tightly secured.
2. A series of responses on FOIA requests on the Central Election Committee raises serious concerns that development, implementation and operation of IT systems of the Committee were conducted in disregard of Government Decisions, General Accounting Office Procedures, and binding Israeli Standards, pertaining to government IT systems.
3. Media reports the day before yesterday (October 19, 2018) again raise the same concerns in a more blatant fashion:
Numerous rumors were spread regarding cyber, following the 2015 election, when Netanyahu beat himself in his own polls, in the last second.  TV ballot exit polls, which were almost uniform, indicated a tie. But 3 hours later, 3 mandates moved from the Zionist Alliance to the Likud party.  All other parties remained as predicted by the exit polls. To this day, there is no evidence that any hacker from some dark cyber corporation penetrated IT systems of the Central Election Committee from his location in the Ukraine/China. Most likely, it didn’t happen. Physically, it could happen.
Here is the punchline: The most amazing fact is that IT systems of the Central Election Committee are not defined as “Vital Infrastructure”, and therefore are not protected by state agencies against cyber threats.  The systems are in fact open to the whims of any occasional hacker, totally abandoned. They are not professionally secured.  And more: Just as he is a step ahead of his rivals in anything political, he is ahead of them relative to cyber. Benjamin Netanyahu is years ahead of them all. He is connected to senior cyber experts, he confers with the CEO of a huge cyber corporation, which also provides services to Israeli intelligence. He is strong in this area. Without entering speculations, it appears to me that the time has come to immediately declare the Central Election Committee “Vital Infrastructure” and provide it maximal protection.  It would save us an investigation committee later on. [2]
4. Various social media publications have been dealing with such circumstances for over two years. Only yesterday, posts pertaining to the media reports, cited above, generated hundreds of “Shares”, “Likes” and “Comments”.
5. Last week notice was also sent to the Prime Minister, the Central Election Committee Chairman, and the Attorney General – warning prior to filing legal action, seeking to prohibit the use of “Democracy” IT system in the upcoming election for the 21st Knesset. [3]
The mere expression of such concerns by MKs, media reports, public discourse on social networks indicates the loss of trust in competence and/or integrity of the Central Election Committee, particularly in the area of its conduct relative to its IT systems. Such circumstances undermine public trust in the legitimacy of the regime in the State of Israel.
It should be noted that although media reports presented the problem as concerns regarding failure in securing the systems against external threats – hackers in “the Ukraine/China”, the more serious concern regards the failure to secure the systems against internal threats – failure in permissions and validation of the systems.

d. Failure of government IT systems across the branches of government
Documentation of failures in validation, certification and security of IT systems across the branches of government, and the publication of invalid, and/or false and misleading electronic records, was the focus of reports, filed by this organization to the UN Human Rights Council for the Periodic Reviews of Human Rights in Israel (2013, 2018).
The HRA-NGO comprehensive 2018 report was incorporated in the UN High Commissioner for Human Rights 2018 report on Israel, and summarized as follows:
24. HRA-NGO highlighted the serious deterioration in integrity of law and justice agencies as a consequence of the implementation of e-government systems. It affirmed that the validity and integrity of any legal and judicial records of Israel should be deemed dubious at best.
Such circumstances raise serious concerns regarding “procedures and institutions of the democratic regime” and the nature of the regime in the State of Israel today.

e. The Shin-Bet is responsible by law for safeguarding “procedures and institutions of the democratic regime”, similar provisions are not found in the proposed Cyber Security and National Cyber Array Act (2018) 
The Shin-Bet Act (2002), article 7, says:
7. (a) The Shin-Bet is charged with the safeguard of State security, procedures and institutions of the democratic regime, against threats of terror, sabotage, subversion, espionage and exposure of State secrets; the Shin-Bet shall act to safeguard and promote other vital interests of national security, as determined by the government, in compliance with the law.
(b) Regarding Article (a), the Shin-Bet shall perform the following tasks:
(1) Interception and prevention of illegal conduct, which intends to harm national security, procedures and institutions of the democratic regime;
(2) Secure people, information and places, as determined by the government;

(4) Determine security procedures for agencies, which are determined by the government;
In contrast, the Memo of the proposed Cyber Security and National Cyber Array Act (2018) fails to include similar provisions, pertaining to the responsibility of the Cyber Array in the safeguard of “procedures and institutions of the democratic regime”.
Moreover, it should be noted that the Mossad Head, the Shin-Bet Head, Ministry of Defense CEO, and Deputy IDF Chief of Staff filed strong objection to the proposed Cyber Security and National Cyber Array Act and the proposed transfer of authorities in the proposed Amendment to the Public Agencies Security Arrangements Act. [4]
MK Nachman Shay stated in response, that he seconded the Shin-Bet and Mossad Heads:
Placing Cyber under the Prime Minister creates an unnecessary and harmful power hub… serious error and undemocratic act.
The same circumstances were more blatantly described by media:
The Israeli cyber industry is a source of pride.  A few years ago, when Netanyahu decided to establish the National Cyber Authority, which would be directly under his authority, brows were raised.  Netanyahu ignored the reactions, and justly so.  Today we can understand why.  This week, a hearing was held in the Knesset Science and Technology Committee on the subject of cyber.  A senior Cyber Authority officer named Erez Tidhar appeared in the Committee.  During the hearing, he dropped a bomb: According to Tidhar, over the past year, the Israeli Cyber Array removed thousands of bots and fake profiles, which tried to influence the municipal elections through Facebook and Twitter.
MK Revital Swid (Zionist Alliance), Chair of the Knesset Virtual Space Caucus, understood the meaning of such matter, and stormed him with questions: “By what authority do you remove profiles? Which side of the political landscape do these fake profiles belong to? Is such process under any due review? Is there any transparency? Is it appealable? Is it reported anywhere? How can it be ascertained that such pervasive authority would not be abused for political purposes?”
Swid pointed out the mammoth in the room.  Without any notice, an agency, which was supposed to be a civil agency, has turned into a military one. Kind of another unsupervised intelligence agency.  The Cyber Array lacks any supervision or audit, enjoys widespread, unlimited authority. Through cyber, the most intimate information on any of us can be collected, any agency can be placed under surveillance, the power is unlimited, even sky is not the limit.  A person, who heads the Cyber Array can enter the psyche and privacy of any one of us, without our knowledge.  The Cyber Array is also authorized to enter homes, to conduct searches, to seize property. It remains unclear what kind of information they collect, on whom, and why.  What is clear is that the Array is not under the Knesset’s oversight, not under the oversight of any government minister. It is subject to only one Sovereign: The Prime Minister.  One can only imagine what could be done against political adversaries with such a toy. [5]
f. Summary
In view of all the above:
1. All agencies, which are vital for “procedures and institutions of the democratic regime” should be included among those listed as agencies secured pursuant to the Act, and their IT systems as “vital IT systems”. First and foremost among them – the Central Election Committee, the courts, Knesset, and the prisons.
2. The Shin-Bet should be charged with security of such IT systems, since it is responsible by law for “protection of procedures and institutions of the democratic regime”.  The transfer of such responsibility to the Cyber Array creates a clear and present danger to the nature of the regime in the State of Israel.

Truly,
Joseph Zernik, PhD
Human Rights Alert – NGO (RA)
PO Box 33407, Tel Aviv, Israel; Fax: 077-3179186
Email:

CC:
Shlomit Barnea-Fargo, Prime Minister’s Office Legal Counsel
Yuli Edelstein, Knesset Chairman
Eyal Yinon, Knesset Legal Counsel
Avichai Mandelblit, Attorney General
Raz Nizri, Deputy Attorney General (Legislation)
Nadav Argaman, Shin-Bet Head
Wide distribution
