The report submitted today to the Knesset is the first of its kind, and it presents the audit results in cyber protection, information technology and privacy protection.
Cyberspace includes computers, automated systems and networks, software, computerized information, digital content, traffic and control data. Cyberspace is characterized by rapid technological development, which permeates all areas of life and shapes mankind's social, economic and political activity. Cyberspace and technological progress hold many advantages for the economy and society, but they hold inherent threats that may affect the functional continuity of the organization, the integrity of processes and the confidentiality of organizational information.
Given the ever-increasing cyber threats, the State of Israel is facing in recent years, at the beginning of my tenure as State Comptroller and Ombudsman I specified the cyber field as one of the core issues the state audit will address. This is to examine the audited bodies' preparedness and readiness to contend with significant cyberspace risks, strategic threats and future cyber challenges that lie before them.
To develop and strengthen the professional abilities of the State Comptroller's Office in cyber and information systems, several key measures were taken, including the establishment of a cyber audit division dedicated to conducting audits in this field. In addition to the division dedicated recruiting employees with a unique professional background in the cyber field; Promoting the process of international certification of the Office's employees as certified information systems auditors (CISA); and the engagement of external consultants in information and cyber protection to accompany the audit teams in these areas.
Furthermore, as part of the cyber protection audit, the State Comptroller's Office carried out a precedent-setting step in Israel and among state audit institutions worldwide – penetration tests into the computerized systems of several audited bodies simulating a cyber-attack. The penetration test was done to find vulnerabilities in the computer system that may endanger its stability during an attempted attack, and as a result disrupt the regular functioning of the tested system. The tests were conducted in coordination with the audited bodies, and they already rectified some of the deficiencies that emerged during the audit.
In 2021-2022, the State Comptroller's Office carried out dedicated cyber and information security audits in infrastructure, education, transportation, health and financial fields and in local authorities. Among other things, the office examined the information systems and cyber protection as part of the election processes for the 21st, 22nd and 23rd Knesset; Biometric databases; Cyber protection for medical devices; And information systems management in local authorities. As part of the audits, the following topics were examined: the integrity and reliability of the information systems in the audited bodies; The effectiveness of the computerized protections and controls embedded therein; The protection of personal and private information in government systems; Investment in IT; pre-preparedness for cyber incidents and disaster recovery; Preparedness for cyber-attacks and damage to critical state infrastructures and more. The chapters on these topics were made available to the public in our annual reports.
This report is unique as it deals entirely with the results of the state audit in information systems and cyber protection. Following are the chapters of the report:
- 1. Cyber protection and business continuity in the Automated Processing Service Unit at the Tax Authority
- 2. Cyber protection in the transport sector
- 3. Management of Biometric information in the IDF and its cyber protection
- 4. Establishing a new foreign trade system at the Tax Authority – the "Global Gateway" Project
- 5. Regulation and supervision of local water suppliers in cyber protection
- 6. Special audit report - Cyber protection of information systems in the Ministry of Education data bases and of matriculation exams and grades
The audit on the topics above raised the following deficiencies: user and permissions management; Documentation and monitoring of network access and control; Protection of stations and servers; Segmentation and flow control; Software updates; Adherence to secure access to systems, protection of personal information of millions of citizens and more.
In recent years, we have witnessed various types of cyber-attacks, ransomware and malware incidents, fraud, embezzlement and business information theft. The cyberspace has even become an arena for warfare between terrorist and criminal organizations and countries and even between countries themselves. In the coming years, a considerable increase in the penetration of cyberspace into the daily routine is expected, given the development of IOT (Internet of Things) products, autonomous cars, and more, and accordingly a considerable increase in the frequency of cyber threats and their degree of severity is expected.
The audited bodies are obligated to act in a quick and efficient manner to rectify the deficiencies raised in this report, to increase the organization's level of protection and to prepare for optimal handling of cyber-attacks; To adapt their activities to a world saturated with advanced technologies and to the challenges they will face in the coming years. The recent cyber-attacks highlight the need for this.
Finally, I have the pleasant duty of thanking the employees of the State Comptroller's Office, who work with dedication in carrying out audits in a professional, in-depth, thorough and fair manner and to publish objective, effective and relevant audit reports.
We at the State Comptroller's Office are obligated to continually examine the compliance of the audited bodies with current and future risks and engage in the cyber protection, information technologies and privacy protection, for the benefit of the citizens of Israel and the entire world.
Matanyahu Englman
State Comptroller and
Ombudsman of Israel
Jerusalem, December 2022