World War III will be a cyber war but the world isn’t ready – comptroller

Israel’s State Comptroller Matanyahu Englman explains the deficiencies of Israel’s public cybersecurity

World War III will be a cyber war, but the world is not prepared for cyberattacks, said Israel’s State Comptroller Matanyahu Englman on Wednesday.

During a panel at Cyber Week 2022, Englman gave a foreboding outlook on the current state of public cybersecurity. “In a way, we all are living inside the global Big Brother show,” he warned. “We are exposed. The citizens of the world have no protection. Our data are visible to too many people. Our money is exposed; our children are exposed; our health is exposed; our security is exposed.”

“We are exposed. The citizens of the world have no protection. Our data are visible to too many people. Our money is exposed; our children are exposed; our health is exposed; our security is exposed.”

Matanyahu Englman

He explained that the vulnerabilities that the Israeli public faces in the cyber arena have inspired his decision to focus on cybersecurity in his official duties, noting that “in view of the growing cyber threats faced by the State of Israel in recent years, I have decided to place the cyber field as one of the core issues the [state] audit will address.”

Cyber audit
As such, Englman established a cyber audit division, as well as a dedicated division for information systems auditing within the State Comptroller’s Office. “At first, there were those who raised an eyebrow; today there is no one who does not understand the importance of the subject,” he said.

He elaborated on the details of the cyber audit process, stating that it will examine privacy protection, control and protection mechanisms of computerized systems, investment in IT and cyber protection, advance preparedness for cyber incidents and disaster recovery, a raised level of logical and physical protection, insurance coverage and more.

These topics are to be examined from four perspectives: cyberattacks and damage to critical state infrastructure; public expenditure in the field of IT and the rate of expenditure on cyber protection; and privacy infringement.

“For example, we examined the protection of biometric databases,” Englman said. “We found that the Transportation Ministry does not examine aspects of information security and protection of passenger privacy of the ‘RAV KAV’ – a database operated by public transportation companies that include photos of about a million children and information about their travels.”

On that note, in February 2022 Engleman’s office published a special report on the protection of children and youth in the online space.

Prior cyber audits have uncovered several key insights, said Englman. “It was found that the law enforcement authorities in Israel do not have the ability to contend with cybercrime and ransomware. Eighty-seven percent of cybercrime victims in Israel in 2019 (about two hundred thousand people) did not report the crimes to the police.”

As well, he noted, “a report on the computer system of the Central Election Commission in Israel found that their main computer system began operating in 2008 and it [became 13 years old] last year – and yet, cyber audits were conducted only during election periods, so it was not possible to conduct comprehensive and complex tests that included all aspects required under cyberdefense theory.”

“The National Cyber Directorate is empowered to guide several entities that hold critical national infrastructures, he said. “However, the audit found that entire sectors do not have a guide in the cyber field, including the health sector, the transport sector, local government and more.”

Englman listed several deficiencies discovered during the audit of critical Israeli infrastructures such as the Traffic Management Center in Jerusalem, hospitals and the Tax Authority systems.

“In the audits, we found significant deficiencies, including that very few penetration tests were performed by public bodies and some of them conducted penetration tests only during the audit, [as well as] the absence of a test environment for performing these tests, and other deficiencies that arose in the penetration tests we conducted, some of which were rectified in the course of the audit,” he said.

“The auditing world views cyber risks as a major risk,” concluded Englman. “The challenges involved in coping with the matter are complex and they require continuous cooperation between states, for optimal contention with cyber risks. We in the State Comptroller’s Office are committed to continuing to address this significant topic even more forcefully, for the benefit of the citizens of Israel and the entire world.”