A short, dryly worded draft document quietly issued by the government has Israel’s cyber industry in a uproar, with industry figures saying it threatens to impose limits on exports that will undermine a sector where Israel has staked out a major place in the global market.
The directive, issued late last year by the National Cyber Authority and the Defense Ministry’s Defense Export Controls Agency, warns that some of the most powerful cyber software is tantamount to conventional arms and that Israel can’t risk its falling into enemy hands.
“The cyber sector is one of the biggest markets for the Israeli economy and one with great potential,” says a rider to a brief two-page document that explains the logic behind the decision and sets out the rules.
“Progress entails many opportunities but also challenges … On the one hand, it is a strategic growth engine for the country.
On the other, cyber products may contain technologies and capabilities that if they fall into the wrong hands could cause a serious risk to Israel’s security and political interests.”
Cyber software, in particular software and forensic tools designed to detect vulnerabilities in computer networks and software, will be treated by the same rules as conventional weapons exports, according to the document.
At lot it at stake with the new rules, if they are imposed. Israel cyber-security sales reached as much as $4 billion last year and attracted about a fifth of all global private-sector investment in the industry, putting it second only to their United States, according to the cyber authority.
The industry encompasses hundreds of startups, as well as bigger, publicly traded companies like Check Point Software and Cyber Ark and research and development centers operated by multinational companies.
But cyber warfare is quickly moving out of the realm of thrillers into real life.
Ukrainian authorities intends reviewing the defenses of government computer systems, including at airports and railway stations, after a cyber attack on Kiev’s main airport was launched from a server in Russia, officials told Reuters on Monday. The malware was similar to that which attacked three Ukrainian power firms in late December.
Most Israeli industry figures are avoiding public statements on the new rule and hope to resolve disagreements with officials through objections they can file by the government’s February 7 deadline.
But Haim Ravia, a partner in the Tel Aviv law firm Pearl Cohen Zedek Latzer Baratz which represents many cyber companies, will create a system of license and approvals in an industry that has so far operated with few restrictions.
“This can be expected to be a real obstacle for companies, and it’s also hard to see how their operations will be supervised,” Ravia said. “Cyber is a highly competitive, developed market in which Israel is enjoying big growth and favor by other countries. The order will create bureaucratic obstacles to exports.”
Israel’s defense industries have long been subject to export controls, but Ravia said the cyber industry is different.
It consists of hundreds of small companies that don’t have the human and other resources to cope with a strict licensing regime.
Rami Efrati, CEO is the cyber startup Firmitas and a former official in the government’s cyber apparatus, said Israel should look to the example of the United States, which weighed placing restrictions on its industry but ultimately decided against it.
“They consulted with the industry and solicited reactions from companies like Microsoft, VMware and others,” Efrati said.
“They all made it clear that it would damage the industry, research and the ability to protect [America’s] critical infrastructure, especially sharing information. Congress seriously debated the issue and decided in the end not to expand supervision.”
Efrati said tougher rules could force companies like Check Point to seek government approval before revealing the discovery of a virus, losing valuable time that govenmrents and businesses need to block or remove it.