Critical Infrastructure Protection In Israel, 2002 – 2011: Regulation And Cooperation
Following the accumulated understanding of the vulnerability of civilian infrastructures to cyber-attack, the Ministry of Defense (MoD) Defense R&D directorate (Hebrew: Maf’at) initiated staff work at the National Security Council. Its outcome was Special Resolution B/84 on “The responsibility for protecting computerized systems in the State of Israel”, adopted by the ministerial committee on national security on December 11, 2002. After years of occasional activities, the governmental decision opened an era of national civilian cyber security policy. In fact, it might have been one of the first centralized national Critical Infrastructure Protection policies in the developed world.
The definitions stated in the B/84 Resolution are worth examining. First, ‘cyberspace’ was not an independent area of operation, but one interconnected with all physical spaces. Second, an ‘information’ system is differentiated from a ‘control’ system. An information system “performs mechanized activities of input reception, processing, storage, processing, and conveyance of information.” On the other hand, a control and supervision system is a “computer-integrated system that controls and supervises the frequency and regulation of measurable activities, which are carried out by mechanized means within the information system itself.”
The responsibility for protecting computerized systems rests with the users and state regulators. A ‘user’ is a supervised organization, which is in charge of financing all operation, protection, maintenance, upgrading, backup and recovery of its critical IT systems, and which shares information and activities with the regulator. The regulators are the existing chiefs of security at government ministries, who are professionally responsible for guided bodies (for example, the Ministry of Communication is in charge of the telephone company Bezeq). Two additional regulators are established: “The top steering committee for the protection of computerized systems in the State of Israel,” and “The national unit for the protection of vital computerized systems.”
The steering committee was established within the National Security Council, and comprised senior government officials, representatives from the Bank of Israel, and the security forces. While the steering committee has a policy perspective, the ‘national unit’ - National Information Security Authority (NISA, Hebrew: Re'em) - has the professional authority.¹
The government's decision delegates eight responsibilities to NISA:
1. To assess the threat landscape – subject to the steering committee's approval;
2. To suggest classifying systems as critical and suggest oversight to the steering committee;
3. To develop protective doctrine and methods;
4. To integrate intelligence;
5. To provide professional instruction to the supervised organizations;
6. To set standards and operating procedures for the benefit of the supervised organizations;
7. To develop technological expertise and cooperation with partners in Israel and abroad;
8. To initiate and support research for developing defensive capabilities, in cooperation with the defense community.