Yoav Limor

Yoav Limor is a veteran journalist and defense analyst.

The cyber threats are known, but Israel ignores them

It will only wake up after infrastructure or people suffer significant harm, and that's a shame.

 

 

One should not underestimate the latest cyberattack in Israel, in which the Iran-affiliated BlackShadow hacker group breached the Israeli LGBTQ dating app Atraf (among other platforms) and began leaking information on its users. Although in theory this is a privacy issue for private citizens and a commercial website, in practice it is a far more serious matter that requires greater urgency and attention than it has thus far received.


Precisely because the attacked infrastructure was relatively unimportant this time – compared to the ransomware attack on Hillel Yaffe Medical Center, on the Shirbit insurance firm, or the national water supply – we can examine it relatively objectively, without overblown hysteria. And such an analysis indicates that Israel is disconcertingly lagging behind in terms of cyber defense and safeguarding the privacy of its citizens.

It's no secret that Israel is under constant cyberattack. The reasons are numerous: It is an advanced country significantly reliant on computing infrastructure (a Garden of Eden for hackers in search of ransom), and it has many enemies who wish to compromise this infrastructure to steal information or cause damage. Neither of these factors is a surprise; Israel is well aware of the threats and is supposedly prepared to handle them.

However, there is a worrying and dangerous gap in how Israel addresses the various threats to the country's various infrastructures. It's not that all infrastructures need the same level of protection; just as the Shin Bet's Protective Security Department safeguards individuals of symbolic national importance and not every citizen, the National Cyber Directorate is tasked with protecting critical infrastructures and not each and every person's personal computer.

However, that is a long way from the neglect that exists today. The NCD constantly releases warnings about possible threats, but too many official bodies simply ignore them. The attack on Hillel Yaffe is a good example: Had the hospital bothered to update its security software against vulnerabilities that were exposed and made public, it would have been spared the damage. This is exactly what happened to Shirbit and others who didn't take good enough care of themselves (and us).

The problem is that no one truly oversees any of the implementations, and there is certainly no one who issues fines against those who fail to implement the necessary defensive measures. The Cyber Security Law which regulates the operations of the National Cyber Directorate is full of loopholes in this regard: It lacks effective enforcement authorities and doesn't incentivize companies and organizations to safeguard themselves and the information in their possession – which is our private information.

An unhealthy decision-making process

Considering the current state of affairs, the Privacy Protection Authority should have intervened and taken action, but it is behaving as if this doesn't pertain to it – even when hackers steal people's private information and threaten to publish it, potentially at a tremendous personal, reputational or financial cost.

On the surface, the most recent incident could have been resolved with a ransom payment – but that won't happen. Unlike the attack on Hillel Yaffe, it seems this event is being orchestrated by Iran via the BlackShadow hacker group it operates (which has attacked Israel before). The laws against money laundering and terrorist funding prevent such payments to elements affiliated with Iran, and regardless, it's doubtful the hackers' goal was to receive money. It's likelier they are more interested in embarrassing Israel and presenting it as incapable of protecting its citizens.

This was precisely the purpose of last week's cyberattack in Iran that paralyzed the country's gas stations: to present the Iranian regime as an empty vessel. On Sunday, Iran pointed the finger at Israel, and it's worth asking whether a serious discussion was held prior to that attack regarding its desired outcome and the inherent risks – from exposing capabilities to an Iranian counter-attack.

It's safe to assume the answer to this question is no. Israel has no organized policy in relation to the cyber realm, and its actions – similar to almost every other area of security and defense – aren't part of an overall strategic outlook but are, for the most part, the result of random opportunities and pressures. This is an unhealthy recipe for decision-making; not just because of the debatable benefits of carrying out such an attack, but also because of the defensive holes that were subsequently exposed.

As stated, the country cannot protect each and every citizen at every given moment. Even when kinetic attacks are carried out in Syria or a senior terrorist is eliminated, there is concern over whether the counter-response will lead to Israeli casualties. But at the very least it is expected to take the necessary steps to mitigate those risks, certainly in a realm as vulnerable and attractive as cyber. And Israel is lagging on all these fronts – legislative, enforcement, and decision-making. It will only wake up after infrastructure or people suffer significant harm, and that's a shame.
