The new cyber security Temporary Law applies to suppliers of digital services in Israel and enable authorized authorities to request and receive any information from the regulated suppliers’ systems, in accordance with the temporary law’s provisions.
On December 25, 2023, the Israeli Parliament passed the ‘Temporary Law on Handling Severe Cyberattacks in the Digital and Storage Services Sector (‘Iron Swords’), 5774-2023’. This temporary law proceeds the cyber security emergency regulations enacted on November 27, 2023, and canceled by the temporary law.
The temporary law facilitates supervision and intervention mechanisms, meant to allow managers in the Israeli National Cyber Directorate, the Israeli Security Service (Shin Bet), and the Director of Security of the Defense Establishment (Malmab) in the Ministry of Defense, to detect, prevent, or handle severe cyberattacks against regulated suppliers.
Regulated suppliers are defined as suppliers that:
- provide storage or digital services, that maintain either a permanent or periodic (physical or logical) connection to their customers’ computer systems, or frequent data transfers between their computer systems and those of their customers; or
- provide maintenance or management to storage or digital services.
This temporary law establishes the statutory abilities of government agencies to inform a regulated supplier of their concern of an imminent severe cyberattack.
Severe cyberattacks are actual or potential actions that are meant to unlawfully compromise computer systems or any data located on computer systems and are determined by governmental agencies to have a ‘significant impact’, meaning that the effect of the action:
- is not limited to the regulated supplier; and
- could compromise national security, public safety, or the provision of essential services.
If a government agency has real concern of a severe cyberattack against a regulated supplier, it may actively supervise the regulated supplier. If necessary for the purpose of detecting, preventing, or countering the cyberattack, the agency may also instruct the regulated supplier to provide specific information or perform certain actions.
The main statutory requirements applicable to regulated suppliers under the temporary law are as follows:
Reporting. Regulated suppliers must, upon the governmental agency’s request, either:
- provide a report detailing all actions taken to identify, prevent, or counter the cyberattack; or
- submit an affidavit, as will be published by the Israeli National Cyber Directorate, attesting that the supplier implements information security standards in accordance with the NIST 800-53 standard concerning “Security and Privacy Controls for Information Systems and Organizations”, or any other information security standard published by the Israeli National Cyber Directorate that provides adequate treatment of severe cyberattacks.
Cooperation and Documentation. Regulated suppliers must follow instructions by government agencies, and take any required action related to cyber defense. if necessary, the government agency may also require the supplier to provide it with any related information or documents.
Retention: Government agencies must document instructions given to regulated suppliers and provide them with a written copy of such instructions within a reasonable time.
Confidentiality: All data provided by the regulated supplier will be deleted by the governmental agencies following the handling of the cyberattack unless such data is essential for identifying the attack’s characteristics.
Publication: Public publication of the supplier’s identity by the government agencies will be in accordance with this Temporary Law, following the approval of the government agency manager, and the receipt of the supplier claims.
Penalty for Disclosure: Any recipient of disclosed data provided by the regulated supplier that discloses or uses such data, as part of fulfilling its duties or operation, and in contrary to the relevant provision of this temporary law, will be sentenced to three years imprisonment.
Regulated suppliers should promptly assess their exposure under the temporary law and maintain the necessary documentation for legal archival purposes.
The temporary law takes effect immediately as of the date of its publication and will remain in effect for 7 months (end of July 2024).
Feel free to contact us if you have any questions regarding the new Temporary Law and its practical implications.
*This post does not constitute a legal opinion.