Unpatched Vulnerabilities Expose Critical Government Systems to Cyberattacks


Key Takeaways

  • The Israeli government kept using a remotely‑accessed platform with known cyber flaws for ten months after the National Cyber Directorate ordered it shut down, leaving many ministries exposed during wartime.
  • Emergency services, the police, the Fire and Rescue Authority, and the Courts Administration lacked up‑to‑date business‑continuity plans, emergency exercises, and recent penetration‑testing of their remote‑work systems.
  • The Foreign Ministry showed a 500 % spike in information‑security incidents during the Gaza war, an outdated cyber policy (last updated 2018), an inactive IT steering committee, and a budget shortfall that delayed or froze 14 projects, including cloud migration and consular‑system upgrades.
  • Sensitive‑data handling was weak across ministries: shared folders were openly accessible, numerous databases were not registered with the Justice Ministry, and required user‑permission and privileged‑user reviews were infrequently performed.
  • Citizen‑facing digital services remain only partially rolled out; the national identification system linked to just 16 % of mapped government services by the end of 2024, and many local authorities and hospitals remain disconnected.
  • The State Comptroller urges a unified, secure identification system, regular cyber‑policy updates, systematic testing, access restrictions, and disaster‑recovery planning, and stresses that cyber threats must be treated as a national‑security priority.

Overview of the Comptroller’s Investigation
State Comptroller Matanyahu Englman released two reports on Tuesday that examine Israel’s cyber‑readiness amid growing threats from Iran and ongoing conflict. The audit reveals that despite repeated warnings, many government bodies continue to operate with outdated, insecure digital infrastructure. Englman warned that the deficiencies must be corrected immediately, emphasizing that cyber preparedness is not a luxury but a necessity for national security.


Continued Use of a Vulnerable Remote‑Work Platform
One of the most serious findings concerns a remote‑work platform that the National Cyber Directorate ordered the National Digital Agency to stop using after discovering critical vulnerabilities. Despite the directive, the agency and roughly 65 % of government ministries kept the platform in operation for ten months. The service was only discontinued in January 2025, leaving ministries handling sensitive data exposed to potential cyberattacks throughout a period of heightened conflict.


Emergency Bodies Lacking Basic Cyber Preparedness
Emergency services, including the Fire and Rescue Authority and the police, were found to be inadequately prepared for cyber incidents. The Fire and Rescue Authority had no business‑continuity plan for remote work, had not conducted required emergency exercises, and had not performed penetration tests on its remote‑work system until the Comptroller’s Office did so during the audit. The police similarly lacked a technological business‑continuity plan, had not held emergency exercises, and conducted a penetration test of its remote‑work system only in early 2025—some eight years after the previous test. The Courts Administration also displayed gaps in its remote‑work procedures, with certain audit details withheld for national‑security reasons.


Foreign Ministry’s Escalating Cyber Incidents
The Foreign Ministry, identified as a central cyber target, experienced a roughly 500 % increase in information‑security incidents during the Gaza war, with hundreds of incidents recorded in 2023, including an attempted breach of an embassy employee’s email. Englman noted a continuing technological gap and an organizational culture misaligned with the defined threat landscape. The ministry’s cyber and information‑security policy had not been updated since 2018, its IT steering committee was inactive from 2021 to 2023 (reconvening only in April 2024), and its 2024 IT budget of NIS 85.3 million fell at least NIS 20 million short of actual needs, resulting in the freezing or delaying of 14 projects—including upgrades to the Merkava system, the consular system, and cloud migration.


Deficiencies in Sensitive‑Data Management
Across several ministries, the audit uncovered lax handling of sensitive and private information. Shared folders on some networks were open to all users and contained tens of thousands of documents, many of which were sensitive. In the Foreign Ministry, only three of dozens of databases were registered with the Justice Ministry’s database registry. The Construction and Housing Ministry, which maintains millions of records on public‑housing tenants, assistance recipients, and contractors, had not completed the required registration of all nine databases under privacy‑protection regulations. Its cyber policy, approved in 2020, had never been updated, discussed, or reviewed biennially as required. Between 2022 and 2024, the ministry conducted eight risk surveys but its cyber steering committee discussed only two; from 2021 to 2024 it performed just two application penetration tests and one infrastructure penetration test. Moreover, more than half of its systems missed the mandated annual review of user permissions, and semiannual reviews of privileged users, abnormal‑action definitions, and automatic alerts were absent.


Partial Rollout of Citizen‑Facing Digital Services
Englman criticized the sluggish implementation of digital services for the public, stating that such services are not a luxury. Although the national identification system and the government personal area launched in 2019, by the end of 2024 only 4.6 million citizens were registered, and a mere 16 % of mapped government services were connected to it. Only 233 of thousands of services were accessible through the government personal and business area. Eight of 31 ministries—including Foreign and Defense—remained disconnected from the national identification system, as did only 11 of roughly 36 government units and a single one of 11 general government hospitals. Major service providers such as the Tax Authority, National Insurance Institute, and Employment Service operated their own identification schemes. Local government lagged further, with only 15 of 258 local authorities (about 6 %) linked to the national system. Many services still rely on paper‑based processes, notably most Foreign Ministry consular forms, Rabbinical Court forms, and roughly half of the Population and Immigration Authority forms reviewed.


National Response and Proposed Legal Framework
In reaction to the findings, the National Cyber Directorate highlighted the urgency of the newly approved Cyber Defense Law, which passed a government vote in preparation for its first reading. The directorate described cyber threats as a “daily threat” to functional continuity, public services, and sensitive information, arguing that Israel can no longer allow each body to set its own protection level. The law aims to create a binding national framework, establish a mandatory baseline for cyber‑risk management, strengthen readiness and reporting mechanisms, and guarantee protection of essential services and infrastructure independent of local discretion or resource gaps.


Comptroller’s Recommendations for a Secure Future
Englman’s recommendations focus on several concrete actions: moving all public bodies onto a unified, secure identification system; closing emergency cyber‑readiness gaps through updated plans and regular exercises; obligating ministries that hold sensitive data to refresh their cyber policies, conduct systematic testing, restrict access to essential information, and develop comprehensive continuity and disaster‑recovery plans. He stressed that cyber threats must be treated as a national‑security and strategic concern, beginning with the directors‑general of government ministries themselves, who must champion and oversee the necessary reforms.
