Israel expands cyber powers amid rising threats—via WhatsApp

The Israeli government expanded the powers of the National Cyber Directorate and the Shin Bet on Monday night, approving new emergency regulations via an urgent vote in a dedicated WhatsApp group of cabinet ministers.

The regulations require cloud and digital service providers to report significant cyberattacks and grant the Cyber Directorate and the Shin Bet authority to demand documents and data from providers in cases of a major cyberattack, or even the suspicion of one.

According to experts, the measures are proportionate and may pave the way for a broader, regulated cyber law. However, the speed and method of their approval raised concerns.

“Despite clear warning signs, Israel still hasn’t enacted a comprehensive cyber law that defines the powers of the national cyber directorate and other security bodies in protecting civilian cyberspace,” said Dr. Tehilla Shwartz Altshuler of the Israel Democracy Institute. “That’s why we’ve once again been caught unprepared, forced to pass emergency regulations at the last minute. These measures should have been introduced at the start of the Swords of Iron War.”

The newly approved regulations grant the Cyber Directorate, Shin Bet, and Israeli Security Agency several focused and time-limited powers (currently set for a one-month period).

First, authorities can obtain documents and information from cloud or digital service providers in the event of a serious cyberattack, or the concern of one, in order to assess the characteristics and origin of the attack, as well as its potential spread beyond the original target.

Second, providers are now obligated to report major cyberattacks to the national cyber system if there is concern the incident could impact others or compromise the availability and reliability of their services. These reports must include key details such as the date the attack began, when it was discovered, its nature and impact, and whether it affected other organizations ("affiliated organizations") connected to the provider’s systems. Providers are also required to inform such affiliated organizations.

“This is a standard practice in other democratic countries, especially when dealing with supply chain cyberattacks,” Shwartz Altshuler noted.

Importantly, the regulations exempt providers that adhere to recognized international cybersecurity standards.

“This is significant because it incentivizes the private sector to adopt robust cyber protection measures independently, rather than through coercive regulation,” said Shwartz Altshuler. “Essentially, it says that those who comply with best practices are exempt from intrusive oversight. This approach also allows standards to evolve without requiring constant legislative changes.”

The regulations also mandate that any data obtained by authorities be deleted once the response to the attack is complete or if it is determined that no serious threat existed. The authorities must report their actions to the Prime Minister’s Legal Advisor and the Knesset’s Foreign Affairs and Security Committee every two weeks, an increase from the previous monthly reporting schedule.

In a twist of irony, these new cybersecurity measures were approved via a platform that itself poses security risks: WhatsApp.

“It’s deeply troubling that emergency cybersecurity legislation was passed through a ministerial referendum on WhatsApp,” said Shwartz Altshuler. “It reflects a fundamental misunderstanding of information security.”