The Swords of Iron war proved beyond doubt that the cyber dimension has become a fifth and critical battlefield for Israel’s national resilience. But a comprehensive State Comptroller report released Tuesday reveals that behind the country’s image as a high-tech powerhouse lies a legislative vacuum, a lack of national preparedness drills and flawed conduct by some of the most sensitive state institutions.
With cumulative economic damage to the Israeli economy estimated at 12 billion shekels a year, the country’s digital line of defense is emerging as a worrying weak point.
3 View gallery
Prime Minister Benjamin Netanyahu visits the National Cyber Directorate in 2025
(Photo: Kobi Gideon/GPO)
Attackers grow bolder, political leadership remains stagnant
The report found that during the war, the intensity of cyberattacks against Israeli bodies surged. The attackers showed creativity and growing audacity as time passed: from psychological warfare and denial-of-service attacks at the beginning of the campaign, to data-wiping attacks, recruitment of collaborators and spies on social media, and strategic targeting aimed at gathering intelligence on Israeli citizens and sensitive processes in the country.
Despite these threats, the political leadership showed worrying indifference. In the decade before the war and through mid-2025, prime ministers did not initiate or hold dedicated cyber discussions in the Security Cabinet, except for a single meeting in 2018. As a result, the Cabinet was not exposed to the full range of risks and potential damage.
Moreover, in the six years preceding the war, no national cyber drill was held. Only about a year into the fighting, in November 2024, was the first tabletop exercise held. Even then, as in previous drills, no representative of the political echelon took part.
The President’s Residence affair: 100,000 sensitive databases at risk
One of the report’s low points concerns data protection at the President’s Residence, a prominent symbol of government. Until September 2024, the institution operated without a guiding cyber authority and without a steering committee. The President’s Residence computer systems store highly sensitive information, including medical, social and financial data on nearly 100,000 pardon applicants.
The audit found that the database was managed in violation of the law: no information security officer was appointed, employees used private email accounts for work purposes, creating a serious opening for data leaks, and sensitive pardon requests were transferred to the Justice Ministry and the Military Advocate General’s Office over the open internet without any encryption. In addition, many endpoint stations operated with expired software versions, and core systems had reached the end of their life cycle without manufacturer support.
Israel leads in AI, but the government lags behind
The report also presents a multinational audit, conducted in cooperation with the European Organization of Supreme Audit Institutions in 12 countries, examining preparedness for the AI era. Here, Israel’s “innovation paradox” becomes clear: While the private sector and the country’s technological ecosystem are at the global forefront, the public sector is lagging behind. Compared with countries in Europe and the United States, Israel has yet to approve a long-term, binding national artificial intelligence plan that includes a dedicated budget and oversight mechanisms.
The report found a huge gap between budgeting and implementation, especially in a critical field: supercomputing infrastructure and infrastructure for training large language models. While the United States, China and leading European countries are investing billions in establishing independent computing infrastructure to avoid reliance on external providers and to protect sovereign information, in Israel, bureaucratic obstacles, systems that do not interface with one another and the lack of a government data strategy are preventing a leap forward.
A survey conducted among 70 public bodies in Israel found that 58% had not been allocated any dedicated AI budget, and that information security restrictions, cited by 65%, and a shortage of skilled personnel, cited by 51%, are the main barriers to implementing the technology.
How did we get here?
The global cyber defense architecture rests on two central pillars: the international ISO 27001 standard, developed in the early 2000s, and the cybersecurity framework of the U.S. National Institute of Standards and Technology. These models redefined information security, shifting from a passive perimeter defense model, or “firewall,” to a dynamic model of continuous risk management, active intrusion detection and rapid disaster recovery plans.
While Western countries, led by the European Union through binding directives such as NIS2, have turned these standards into strict national legislation imposing heavy sanctions on essential bodies that fail to meet the standard, Israel has remained frozen from a regulatory standpoint.
3 View gallery
National Cyber Directorate chief Yossi Karadi; the organization’s recommendations went ignored for a decade
(Photo: National Cyber Directorate)
For more than a decade, the Prime Minister’s Office failed to complete legislation of the National Cyber Law. The National Cyber Directorate’s guidelines for sectoral units have largely remained “recommendations only,” without significant enforcement powers, leaving the Israeli economy exposed, fragmented and significantly behind developments in the Western world.
Surprisingly, on Monday, one day before the comptroller’s report was published, the Knesset passed the National Cyber Law in its first reading. This followed more than a decade of efforts to advance the bill, which was approved the previous evening under the leadership of the National Cyber Directorate and without opposition. It is unclear whether the timing of the publications is connected, but there is no doubt that passage of the law is expected to make it easier to correct the deficiencies detailed by the comptroller.
The National Cyber Directorate said in response to the report: “The National Cyber Protection Law, which was approved last night in its first reading, will improve the level of cyber protection of essential organizations and digital suppliers, and will strengthen government ministries that serve as regulators in leading protection in the various sectors, with professional guidance from the National Cyber Directorate.
“It is important to note that the intensive defense activity of the National Cyber Directorate during the war, together with its mission partners, prevented the enemy from making significant achievements. The enemies did not succeed in damaging national functional continuity or human life, as they tried to do repeatedly.
“The National Cyber Directorate has studied the report’s findings in depth, as it does with every professional audit, has already addressed some of the issues raised and will continue working to implement the lessons.”
The National Digital Agency said: “The National Digital Agency works continuously and professionally to strengthen the government sector’s preparedness for cyber incidents, end to end, both in routine times and in emergencies. The agency leads preventive actions, professional guidance, exercises and preparedness among government ministries, and when necessary, operates the agency’s incident response teams and professional suppliers to respond to cyber incidents in real time.
“It is important to emphasize that, with regard to the government sector under its responsibility, the agency has acted and continues to act continuously, responsibly and professionally. Insofar as the report raises claims that do not reflect the full scope of activity carried out, the matter will be examined and presented again to the relevant parties.”
The President’s Residence said: “Upon receiving the State Comptroller’s comment, it was decided to implement an additional and stricter layer of protection. The matter was examined and handled thoroughly, and the deficiency was fully corrected. It should be emphasized that no personal information was exposed and no information security incident occurred. The President’s Residence attaches supreme importance to protecting privacy and strictly maintaining information security, and works continuously to strengthen its protection and oversight systems.
“Although the government decision regulating cyber in the public sector does not apply to the President’s Residence, the President’s Residence approached the Government ICT Authority’s Yahel unit, the body that guides cyber protection in state systems, on its own initiative, even before the State Comptroller’s audit began, requesting voluntary professional guidance and support.
“As for the handling of material related to pardon requests, our position, as conveyed to the comptroller, is that the President’s Residence did not violate the legal provisions that applied in this context. The President’s Residence will continue to operate according to the highest standards of information security and privacy protection, in cooperation with the authorized professional bodies.”