[ISN] Inside Intel / The Shin Bet goes to the stock exchange

From: InfoSec News (alerts@private)
Date: Thu Sep 20 2007 - 22:00:18 PDT


By Yossi Melman
September 20, 2007

Esther Levanon is a computer whiz. She was responsible for the Shin Bet 
security service computer system for several years. Now, her pupils are 
trying to teach their instructor how to run and secure computer systems: 
Levanon is now CEO of the Tel Aviv Stock Exchange, and the Shin Bet 
wants to control that organization's information security.

But Levanon refuses to surrender to Shin Bet dictates. She fears that a 
connection between the public financial institution and the security 
organization would damage the TASE's image and make it less attractive 
to foreign investors. The disagreement made its way to the Knesset 
Internal Affairs Committee, which addressed the issue in May.

During the deliberations, committee chair MK Ophir Pines-Paz learned 
that the prime minister and the public security minister, who are 
responsible for this matter, failed to establish committees to appeal 
Shin Bet decisions, as required by law. In response, Pines-Paz delayed 
adding the TASE to the list of institutions supervised by the Shin Bet. 
Meanwhile, the appeals committees have not yet been formed.

The argument between the Shin Bet and the cabinet, against the TASE and 
Pines-Paz, stems from two laws: the 1998 law regulating security in 
public institutions, and the Shin Bet Law. These bills determined the 
division of labor and responsibility between the Shin Bet and the Israel 
Police for securing public, and often private, organizations. In 
general, police guide and advise personnel in physical security matters, 
and the Shin Bet information security division primarily protects 
computer systems. (The latter was granted the status of official 
defender of information in Israel in 2001.)

By nature, security organizations seek to expand the margins of 
security. Money is not their central consideration, if it is an issue at 
all. The problem is that neither the Shin Bet nor the police bear the 
financial burden for security activities - this rests squarely on the 
shoulders of the organizations or institutions under their jurisdiction. 
This problem is particularly acute in the case of the police, who, 
unlike the Shin Bet, profit from their guidance. The police provide - 
and demand payment for - their security services without competition or 
tenders. And when a certain event needs to be secured, the police always 
charge more than is required, usually demand payment up front, and 
return the balance very late and without interest.

The Shin Bet, police and the National Security Council (NSC) requested 
that May meeting of the Internal Affairs Committee in order to 
amend the public institutions security law (a move that requires the 
committee's approval). Their proposed amendments would add Mediterranean 
Nautilus (a submarine cable company that facilitates 95 percent of 
Israel's communications traffic), Israeli universities, the Defense 
Ministry's terminals administration, Israel Railways, newly privatized 
refineries, and the stock exchange to the list of supervised 
institutions. None of the institutions objected to being "supervised," 
with the exception of Levanon and the stock exchange. She remains firm 
in her position despite the fact that the Israel Securities Authority, 
the government body that oversees the TASE, already agreed to the 

Levanon told the committee that she worked with and for the Shin Bet 
from 1973 to 1985, first as an external consultant on behalf of a 
programming firm, and later, after the Shin Bet adopted her 
recommendation to establish an independent computer system, as the 
manager of that system.

In 1985, she left the Shin Bet for the TASE, where she directed the 
computerization of the stock exchange. During the discussion, she 
described Shin Bet computer personnel as her "spiritual grandchildren." 
She questioned the Shin Bet's estimate that a terror attack on stock 
exchange computers could cost 0.5 percent of the Gross National Product 
(about $75 million) and hundreds of lives, maintaining that these 
figures were used merely to justify Shin Bet demands.

"I don't understand what attack on the exchange they're talking about. 
They told us that if someone breaks into the TASE system, the damage 
will cause a lack of faith in the exchange and make foreign investors 
flee." But she maintains that knowledge that the Shin Bet supervises 
information systems in Israel's stock exchange might drive foreign 
investors away, "causing exactly what the Shin Bet is striving to 
prevent." A Shin Bet representative responded that the security service 
has no interest or intention in supervising information - only in 
"securing the computer system."

Levanon said that when she left the Shin Bet, an agreement was made that 
a Finance Ministry security official - not the Shin Bet - would be 
responsible for safeguarding the TASE computer system. Levanon 
maintained that this would be readily acceptable to foreign investors, 
but difficult to implement, because the treasury's security department 
is ultimately subordinate to the Shin Bet, too.

Pines-Paz suggested that the issue be transferred to the appeals 
committee, but was then informed that this committee was never 
established. Pines-Paz told Haaretz that the Prime Minister's Office and 
Public Security Minister Avi Dichter promised him they would establish 
the committee quickly, but this has not happened yet - thus, the 
amendment was not transferred to committee, and the stock exchange 
continues to secure its own computers without Shin Bet supervision.

Levanon responded, "I expect we will operate according to the agreement, 
and that the treasury will act as our professional guide in matters 
pertaining to computer security." The Shin Bet refused to address the 
matter. Officials in the Public Security Ministry responded that Dichter 
ordered the establishment of an appeals committee, to be led by the 
chief of the police operations branch. The committee will begin work as 
soon as two more committee members are found, and once it receives the 
requisite approval of the Civil Service Commission.

