http://www.haaretz.com/hasen/spages/905587.html

By Yossi Melman
September 20, 2007

Esther Levanon is a computer whiz. She was responsible for the Shin Bet security service computer system for several years. Now, her pupils are trying to teach their instructor how to run and secure computer systems: Levanon is now CEO of the Tel Aviv Stock Exchange, and the Shin Bet wants to control that organization's information security.

But Levanon refuses to surrender to Shin Bet dictates. She fears that a connection between the public financial institution and the security organization would damage the TASE's image and make it less attractive to foreign investors.

The disagreement made its way to the Knesset Internal Affairs Committee, which addressed the issue in May. During the deliberations, committee chair MK Ophir Pines-Paz learned that the prime minister and the public security minister, who are responsible for this matter, failed to establish committees to appeal Shin Bet decisions, as required by law. In response, Pines-Paz delayed adding the TASE to the list of institutions supervised by the Shin Bet. Meanwhile, the appeals committees have not yet been formed.

The argument between the Shin Bet and the cabinet, against the TASE and Pines-Paz, stems from two laws: the 1998 law regulating security in public institutions, and the Shin Bet Law. These bills determined the division of labor and responsibility between the Shin Bet and the Israel Police for securing public, and often private, organizations. In general, police guide and advise personnel in physical security matters, and the Shin Bet information security division primarily protects computer systems. (The latter was granted the status of official defender of information in Israel in 2001.)

By nature, security organizations seek to expand the margins of security. Money is not their central consideration, if it is an issue at all.
The problem is that neither the Shin Bet nor the police bear the financial burden for security activities - this rests squarely on the shoulders of the organizations or institutions under their jurisdiction.

This problem is particularly acute in the case of the police, who, unlike the Shin Bet, profit from their guidance. The police provide - and demand payment for - their security services without competition or tenders. And when a certain event needs to be secured, the police always charge more than is required, usually demand payment up front, and return the balance very late and without interest.

The Shin Bet, police and the National Security Council (NSC) requested that May meeting of the International Affairs Committee in order to amend the public institutions security law (a move that requires the committee's approval). Their proposed amendments would add Mediterranean Nautilus (a submarine cable company that facilitates 95 percent of Israel's communications traffic), Israeli universities, the Defense Ministry's terminals administration, Israel Railways, newly privatized refineries, and the stock exchange to the list of supervised institutions.

None of the institutions objected to being "supervised," with the exception of Levanon and the stock exchange. She remains firm in her position despite the fact that the Israel Securities Authority, the government body that oversees the TASE, already agreed to the amendment.

Levanon told the committee that she worked with and for the Shin Bet from 1973-1985, first as an external consultant, on behalf of a programming firm, and later, after the Shin Bet adopted her recommendation to establish an independent computer system, which she then managed. In 1985, she left the Shin Bet for the TASE, where she directed the computerization of the stock exchange. During the discussion, she described Shin Bet computer personnel as her "spiritual grandchildren."
She questioned the Shin Bet's estimate that a terror attack on stock exchange computers could cost 0.5 percent of the Gross National Product (about $75 million) and hundreds of lives, maintaining that these figures were used merely to justify Shin Bet demands.

"I don't understand what attack on the exchange they're talking about. They told us that if someone breaks into the TASE system, the damage will cause a lack of faith in the exchange and make foreign investors flee." But she maintains that knowledge that the Shin Bet supervises information systems in Israel's stock exchange might drive foreign investors away, "causing exactly what the Shin Bet is striving to prevent."

A Shin Bet representative responded that the security service has no interest or intention in supervising information - only in "securing the computer system."

Levanon said that when she left the Shin Bet, an agreement was made that a Finance Ministry security official - not the Shin Bet - would be responsible for safeguarding the TASE computer system. Levanon maintained that this would be readily acceptable to foreign investors, but difficult to implement, because the treasury's security department is ultimately subordinate to the Shin Bet, too.

Pines-Paz suggested that the issue be transferred to the appeals committee, but was then informed that this committee was never established. Pines-Paz told Haaretz that the Prime Minister's Office and Public Security Minister Avi Dichter promised him they would establish the committee quickly, but this has not happened yet - thus, the amendment was not transferred to committee, and the stock exchange continues to secure its own computers without Shin Bet supervision.

Levanon responded, "I expect we will operate according to the agreement, and that the treasury will act as our professional guide in matters pertaining to computer security."

The Shin Bet refused to address the matter.
Officials in the Public Security Ministry responded that Dichter ordered the establishment of an appeals committee, to be led by the chief of the police operations branch. The committee will begin work as soon as two more committee members are found, and once it receives the requisite approval of the Civil Service Commission.

[...]