27 April 2019

Regulation in Cyberspace

Gabi Siboni, Ido Sivan Sevilla

The resilience of the private sector in the world of cyber has a decisive impact on national security. This sector is usually the weakest link through which cyberattacks develop and serves as a springboard for attackers who are interested in harming state targets. In addition, built-in market failures lead to a lack of sufficient organizational investment in proper cybersecurity. Negative externalization of cyber damage in organizations, the difficulty in quantifying the benefit of investing in cybersecurity, the lack of responsibility of software and hardware providers for their products’ security vulnerabilities, and a competitive market that rewards innovation and progress over proper cyber protection create a gap that requires state intervention. A review of cyber protection regulation regimes in the Western world reveals a lack of systematic solutions for the business sector and a gap in mapping out national security threats that could result from potential cyber damage in this sector. This memorandum, which is based on world events in the field of cyber and in other areas of regulation, offers a multi-layer regulatory model for cybersecurity in the private sector. The memorandum suggests an integrated model for a state regulatory alternative that includes mandatory regulations, the creation of monitoring mechanisms for supervising self-regulation, and providing incentives for encouraging organizations to protect themselves. In an era of widespread use of linked devices, the entry of artificial intelligence into all aspects of life, and the creation of an insurance market for cybersecurity, regulating the business sector is a vital national interest.Executive Summary


Regulation in cyberspace is an emerging challenge. It is a complex and dynamic domain that is largely driven by the business-civilian sector and has the potential to cause significant damage to national security. This essay surveys the unique characteristics of cyberspace and the various strategies adopted in other countries in order to manage cyber risk. It proposes a multilayered regulatory model together with concrete recommendations for the regulation of the business-civilian sector in cyberspace.

The resilience of the private sector in cyberspace is directly related to national security. The private sector usually constitutes the weak point where a cyberattack develops. Nonetheless, the survey of regulation in cyberspace in Western countries, including Israel, points to the lack of an appropriate response to this weakness. This essay attempts to fill that gap and, in order to do so, it makes use of the regulatory principles used by other countries— the United States, Britain, France, Germany, and the European Union—and also learns from other regulated domains, namely environmental protection and nuclear energy. National approaches, the variety of regulatory tools, and the systems of incentives used in the attempts to regulate cyberspace worldwide, together with models for collaboration between the public and private sectors and state compensation mechanisms that were observed in environmental protection and nuclear energy domains, have contributed to the development of an innovative regulatory model for cyberspace in the business-civilian sector in Israel.

The model proposed in this study is presented together with practical recommendations. The model is divided into three components: self-regulation in which organizations impose practices on themselves; binding regulation in which the state hierarchically imposes and enforces required practices; and incentive-based regulation in which the state creates incentives for organizations to adopt self-regulation. The first innovation of the model is related to the use of an existing statutory tool, namely the Business Licensing Law. It can be used to map the potential damage to national security as the result of cyberattacks on the business sector in a very early stage. The second innovation is the mapping and emphasizing of central resiliency points in Israel’s cyber economy and the assessment of possible state intervention whose benefit is many magnitudes larger than its cost. The third innovation is the strengthening of incentive mechanisms for the economy by the establishment of a cyber insurance market, the removal of barriers to data breach notification, tax breaks for installers of cyber protection, and the provision of incentives in the form of exemption from responsibility for intra- and inter-sectoral threat information sharing.

Insights from the Literature

The main insights from surveying the literature on cyber regulation demonstrate the high degree of variation in cyber regulation across countries. The activity of each country in cyberspace began at different points in time and focuses on threats to national security, such as attacks on critical infrastructure or protection against cybercrime. All the countries surveyed devote large budgets to cybersecurity, which are designated for state capabilities and institutions that can supervise and influence developments in the local cyber economy, including its various threatened domains. This is based on both the conception that risk assessment in cyberspace is one of the most challenging tasks for regulators and there is need to increase expertise through the broadest possible understanding of developments in this domain. Nonetheless and despite the investment of budgets and the creation of state capabilities to deal with cyber risk, there is a glaring lack of state activity to deal with these risks in the business-civilian sector. There are currently no countries that systematically regulate the business-civilian sector and relate at an early stage to national security threats as a result of cyberattacks on this sector.

The Israeli approach to cyber threats in the business-civilian sector is innovative and relatively decentralized. The regulation of the business sector is in the hands of various regulators and is sometimes overseen directly by the relevant government ministry (such as in the case of healthcare), the relevant state authority (for example, the supervisor of the banks) or a private organization with expertise in the domain that is hired by the state as a regulatory intermediary (for example, in the case of the Ministry of Energy).

During the past two years, attempts have been made to centralize the process of decision making with respect to the cyber domain for the entire economy, whereas the Cyber Law—which is still in the stage of negotiations—is meant to serve as a guiding framework for selected organizations in the economy. However, even this development has not yet created a systematic and organized process for the early identification of potential damage that cyberattacks could cause to national security. The lack of a comprehensive response to deal with the multiplying cyber threats in the business-civilian sector and the current focus on only localized incentives create a major gap in this domain. Based on the activity in the economy in recent years, it appears that the market is compensating companies for technological innovation far more than for appropriate cyber protection. As a result, companies do not invest sufficiently in order to create comprehensive protection for themselves. In the absence of systematic state oversight in this domain, a vacuum has been created that needs to be filled. In order to find the proper model for successfully tackling cyber threats in the business-civilian sector, the authors of this essay turned to other regulated domains. It was assumed that an analysis of what is being done in environmental protection and nuclear energy—domains in which private players account for a large share of the activity and in most cases constitute the state’s “first line of defense” against risk—will benefit in developing a sophisticated model for cyber protection in the business-civilian sector in Israel. The analysis led to the conclusion that the regulatory model for environmental protection in Israel is an appropriate foundation for the development of regulation in Israel’s cyberspace.

A Proposed Regulatory Model

The advanced threats in cyberspace create an immediate need for smart state intervention that combines a variety of regulatory tools. This is in order t ensure the adoption of appropriate protective measures and to encourage the market to protect itself in response to incentives, while identifying the main locations where the benefit of protection exceeds the cost. The proposed model for cyber regulation is based on what currently exists, while introducing improvements and extensions. The model differentiates between self-regulation, binding state regulation, and incentive-based voluntary regulation as follows:


Self-regulation: Defense organizations with a high level of sensitivity, such as the Israel Defense Forces (IDF), the General Security Services (GSS), the Mossad, and the Israel Police, will be subject to internal regulation only, which the risk management mechanisms of each organization will oversee at periodic intervals.

Binding regulation: The state will impose regulation on entities should an attack on their cyber infrastructure result in significant damage to Israel’s national security.

Incentive-based regulation: This involves the structuring of state incentives to encourage the creation of cybersecurity mechanisms within organizations. This regulation will, in part, encourage businesses to acquire insurance against cyber events, based on a regime of mandatory reporting. In addition, various models for the provision of tax breaks, subject to an organization’s investment in cybersecurity, will be presented and efforts will be made to develop information-sharing mechanisms, with the goal of strengthening overall resilience in cyberspace.

The bodies that will be subject to binding regulation are divided into the following five categories:

Defense industries and sensitive facilities: These will be supervised by the Director of Security of the Defense Establishment (DSDE). The directives of the DSDE are intended to maintain the confidentiality of the work done by defense organizations under its auspices. It is worth mentioning in this context that DSDE regulation includes both security directive in cyberspace for supervised organizations and regulatory governance. In other words, the DSDE regulation is meant to achieve both national security and the functional continuity of the supervised organizations.

Organizations defined as critical infrastructure: The supervision of these organizations will remain as it is today; that is, supervision by both the National Cyber Directorate and the GSS. The steering committee, which will be composed of representatives of the GSS, the National Cyber Directorate, the ministries of government infrastructures, and private companies involved in the protection of critical infrastructure, will examine and redefine critical infrastructures if necessary, and these will have to meet strict standards, including frequent periodic inspections, according to the type of infrastructure. The steering committee will also periodically consider adding new organizations to the list of critical infrastructures or removing existing ones. The National Cyber Directorate will accumulate knowledge and expertise, in collaboration with the GSS, with the goal of protecting critical infrastructure organizations.

Economic sectors essential to Israel’s functional continuity: In addition to the bodies defined as critical infrastructure, numerous systems and entities are important to national security but have not been defined as critical by the state. These include, for example, hospitals, traffic lights, election systems, banks, and food industries. Therefore, the sectoral regulators in these domains need to develop expertise and to direct the entities under their responsibility on how to deal with cyber threats, in order to prevent harming Israel’s national security. The proposed model recommends to continue and rely upon the sectoral regulators that work against those organizations having the potential of damaging national security. The model also supports the sectoral regulators to rely upon external experts who will be hired under the direction of the National Cyber Directorate, enabling professional guidance of bodies that are significant to national security and, in parallel, the binding guidance of the sectoral regulators in the domain under their responsibility.

The business-civilian sector: The proposed model requires every business organization that requests or renews a business license to check for feasible damage to national security as a result of a cyberattack. This will create a structured process that will substantially improve the protection of private sector projects that are exposed to a cyberattack, the effect of which might be felt on the national level. The cyber regulators in this sector will be both the National Cyber Directorate, whose job is to develop knowledge, tools, and methods that organizations can use to improve their level of cyber protection, and the sectoral regulators who develop expertise according to the needs of their specific sector and make the necessary adjustments to the general directives issued by the National Cyber Directorate. The proposed process makes use of existing statutory tools and introduces cybersecurity as a built-in component of the business sector, while making use of the existing statutory process. The regulator will establish standards that will define the projects required to submit a cyber resilience review, which will be a condition for receiving a business license. The model also suggests several guidelines for the content of the cyber resilience review, as well as the entities that should be certified to implement and submit it, and those that should be certified to evaluate it.

Increasing the resilience of cyberspace by means of intervention at central points: Binding regulation according to the proposed model will also apply to central points where state intervention in protecting them will produce major benefit at little cost. The rationale behind identifying these critical points is that their supervision has substantial benefit to national security. It should be emphasized that the state will not serve as the executive arm with respect to these points and that its function will be restricted to mapping the points and cooperating with the relevant suppliers, with the goal of encouraging their security and thus increasing the resilience of Israeli cyberspace. Examples of such points are internet hosts; service providers that horizontally span the supply chains of organizations in the economy; application software and centralized information systems used in clearing credit card transactions, upon which most private businesses rely; and integrative companies that provide support for information systems. After identifying these points, the state will need to employ third-party suppliers who will be responsible for the quality assurance of these critical service providers.

No comments: