State comptroller: Israel unprepared for major cyberattack as ministries lag on defenses

Matanyahu Englman warns ministries ignored cyber warnings during Gaza war, leaving emergency agencies, embassies and databases with millions of citizen records vulnerable as Iran and Hezbollah-linked hackers ramp up attacksIn light of threats from Iran, the government is expected to be well prepared for cyberattacks, but in practice, emergency agencies, including the Israel Police and the National Fire and Rescue Authority, have not been properly prepared for emergency scenarios. Exposure risks to cyberattacks were not sufficiently examined and, more seriously, explicit preparedness guidelines drafted by the National Cyber Directorate after October 7 were not distributed to some emergency bodies.3 View gallery Israel National Cyber Directorate chief Yossi Karadi

(Photo: Dror Sithakhal)This negligence is reflected directly in the data on the ground. Since the Hamas-led Oct. 7 attack, there has been a troubling increase of about 500% in information security incidents at Israeli diplomatic missions abroad. The Foreign Ministry, a key target for attacks by Iranian, Hezbollah and Hamas actors, continues to suffer from a long-standing technological gap stretching over many years.The comptroller further argues that the ministry operates under an inappropriate organizational culture. The audit found serious deficiencies in the handling of sensitive information, including an open network drive accessible to all employees that contained tens of thousands of personal and sensitive documents.“Most government ministries used for months a digital tool exposed to cyberattacks. The audit findings regarding the Foreign Ministry indicate a persistent technological gap in its computer systems that has lasted for many years and an organizational culture that is not suited to the threat level defined for the ministry. In the absence of a comprehensive and up-to-date cybersecurity policy, the exposure to cyberattacks and leaks of sensitive information increases. Serious deficiencies were found in the Foreign Ministry regarding the protection of sensitive and personal information,” the comptroller said.3 View gallery Foreign Minister Gideon Sa'ar (Photo: Yair Sagi)At the same time, at the Ministry of Construction and Housing, alerts for suspicious cyber activity jumped by 130% in 2024, yet the ministry failed for eight years to properly register nine information databases containing millions of sensitive records about citizens.“At the Ministry of Construction and Housing we found that despite holding databases with millions of records relating to public housing tenants, recipients of housing assistance, participants in subsidized housing programs and registered contractors, the ministry did not properly register all nine databases as required under privacy protection regulations for eight years,” Englman wrote.One of the most striking findings concerns the conduct of the National Digital Agency and government ministries regarding remote work. The National Cyber Directorate instructed the Digital Agency in March 2024 to immediately stop using a specific remote work infrastructure after critical vulnerabilities were discovered and exploited.Despite the warning, the Digital Agency and about 65% of government ministries (31 ministries) continued using the exposed tool for another ten months, only stopping in January 2025. This means that for months during the war, most government ministries were fully exposed to potentially devastating cyberattacks.A major section of the report focuses on implementation of the government’s digital services policy, the national identification system and the government personal area platform. The system, launched in 2019 to provide secure, unified and continuous access to government services, shows extremely poor usage rates. By the end of 2024, about 4.6 million citizens were registered, but actual service integration remains minimal.Only 16% of mapped government services are connected to the identification system (650 out of about 4,000 services). Only 3% of services offered to the public are actually available through the government’s personal and business portal (233 services out of thousands). In addition, hundreds of government forms are still only available for printing and manual completion, including 89% of Foreign Ministry forms and 79% of rabbinical court forms.Critical agencies providing essential public services, including the Tax Authority, National Insurance Institute, Defense Ministry and Employment Service, are not connected to the system and operate independent identification systems.3 View gallery National Insurance Institute (Photo: Nachum Segal)This forces citizens to deal separately with each agency, creates inefficiency and increases exposure to security flaws and data leaks. The situation is also poor in local government, where only about 6% of municipalities have adopted the national identification system. “Digital service for citizens is not a luxury,” Englman stressed. “It is not acceptable that only a small percentage of government services are available through the personal area.”The technology behind the national identification system and the “personal area” strategy is based on Single Sign-On (SSO) and the Once-Only Principle. This is an architectural model developed in the early 2000s and widely implemented in Western countries, most notably Estonia, a global pioneer in digital government where nearly 100% of public and municipal services are available digitally under a unified secure identity.In Israel, the first government decisions to advance digital services and establish the identification system were made in 2014, and the systems went live in 2019. However, as the comptroller’s report shows, organizational politics, decentralization of authority, budget gaps in IT units and poor management culture prevent Israel from successfully implementing basic technologies that have been standard globally for two decades.The comptroller calls on the National Digital Agency and the government to set strict timelines, advance regulation requiring all public and statutory bodies to connect to the unified system, and urgently address cybersecurity vulnerabilities that threaten national security and citizens’ privacy.The National Cyber Directorate said in response that the findings clearly demonstrate what the proposed cyber protection law seeks to address. In a period where cyber threats are a daily risk to operational continuity, public services and sensitive information, it is not possible to rely on a model in which each organization independently decides its level of protection, risk management and investment priorities.This reality creates significant gaps in protection between organizations and leads to systemic vulnerabilities that may affect the entire economy. The purpose of the law, approved by the government ahead of its first reading, is to establish a unified, clear and binding national framework based on international standards similar to advanced Western regulations.The law is intended to create a unified professional language, set a mandatory baseline for cyber risk management, strengthen preparedness and incident reporting and ensure that protection levels for essential services and infrastructure do not depend solely on local discretion or resource gaps.The National Digital Agency said it is working in full cooperation with the State Comptroller’s Office and has already implemented most of its recommendations. The cybersecurity division within the agency has developed a control system to assess ministries’ cyber resilience and maintains ongoing contact with ministries, which are required to carry out periodic assessments.At the end of 2024, the agency used the remote work tool in which certain vulnerabilities were discovered. Following disclosure, it acted immediately to address them. In January 2025, after a critical security flaw was identified and attack attempts were detected, a decision was made to shut down the system entirely to protect government networks and prevent wider damage to infrastructure.At the same time, the Government Procurement Administration led a centralized purchase of an alternative infrastructure under the SSE tender, based on a Zero Trust model. This is advanced technology providing a broad and enhanced security layer beyond simple secure connectivity.The agency said it is dealing with unprecedented and dynamic cyber threats and that preventive measures alongside the adoption of advanced technologies ensure continued protection of government systems.It also said it has built a cross-government infrastructure for identity-based services for all citizens, aimed at enabling simple and secure authentication, and is working to implement the Once-Only policy so that services across all ministries are integrated into the government personal area platform.