The war with Iran is being fought not only in the skies and along the borders, but also within the computer systems of Israeli companies, in security cameras, and on the mobile phones of civilians. Over the past week it has become clear that just as Iran still possesses an arsenal of missiles, it also retains significant cyber capabilities, both directly and through its proxies.

Only a few days ago, Israel’s National Cyber Directorate reported that Iranian hackers had attempted to penetrate the systems of Israeli civilian companies in order to delete data and disrupt business operations. At the same time, there has been a sharp increase in phishing attempts and impersonation campaigns, alongside intrusions into security cameras across Israel for intelligence-gathering purposes. Passengers at railway stations throughout the country encountered digital displays instructing them to evacuate immediately after the display system was hacked. SMS campaigns posing as updates to the Home Front Command application were later revealed to be dangerous phishing attempts.

None of this should come as a surprise. Cyberattacks against Israel have long been part of reality, and they have intensified significantly since October 7. Microsoft’s Digital Defense Report ranked Israel in 2025 among the three most targeted countries in the world in cyberspace. It is also important to emphasize that many of these attacks are not directed at “classic” targets such as power stations, desalination facilities, or military systems. Instead, they often target commercial organizations such as service companies, software providers, and businesses that manage large volumes of customer information. These organizations can serve as entry points for broader cyber campaigns.

One example occurred in November 2023, when a cyberattack on Signature-IT, a provider of e-commerce and web hosting services, disrupted numerous systems. Among those affected were the “Shefa Online” shopping site that provides online purchasing services for IKEA, the Home Center chain website, and the computer systems of companies such as Kravitz, Kal-Gav, and Keter Plastic. The Israel Nature and Parks Authority’s subscription website was also impacted, as were the information systems of major companies including Israir, Osem, Toyota Israel, Philip Morris, Unilever, Coca-Cola, and others. In several cases, personal information belonging to millions of customers was leaked online.

There is also a significant difference between digital espionage or a threatening text message and cyberattacks designed to destroy computer systems, disrupt supply chains, or damage servers and digital infrastructure. When such damage occurs at a single central provider, such as a cloud or hosting service, it can quickly cascade to many other organizations connected to it.

It is a serious question as to whether Israel’s cyber defense system is up to the task of addressing these threats. The cyber defense system is currently managed through a fragmented and complex structure. Critical infrastructure is overseen by the Shin Bet. Other entities fall under the authority of the National Cyber Directorate, overseen by the Prime Minister’s Office. Government ministries are then supervised by their own dedicated units. Parts of the private sector are regulated by sector-specific regulators, for example in the financial industry. Yet many organizations in the business sector are not subject to any cyber defense regulation at all.

The result is that large segments of the economy operate without a binding standard for cyber protection. Israel’s State Comptroller has repeatedly warned about these gaps in recent years. Among the findings were that organizations do not consistently follow established protection methodologies, that cybersecurity checks of suppliers are rarely conducted, and that systems containing sensitive information belonging to millions of citizens are not secured at the required level.

Against this backdrop, just weeks before the outbreak of the current conflict with Iran, the National Cyber Directorate published a memorandum for a National Cyber Defense Law. It is not a particularly dramatic proposal – it seeks to establish a basic regulatory framework that defines obligations for managing cyber risk across all sectors of the economy. These obligations would apply to each sector and business in a manner appropriate to its activities, its size, the customer information it holds, and the level of risk associated with an attack on it.

The framework would also require reporting of significant cyber incidents and would enable the National Cyber Directorate to act in extreme scenarios when a serious cyberattack threatens the functioning of the economy or endangers human life.

Nevertheless, parts of the industry have already labeled the proposal “draconian regulation.” Others have argued that it is an attempt to solve a “problem that does not exist.” Given current realities, this argument is difficult to understand and arguably reflects a lack of responsibility.

Another area of Israel’s national security provides a useful analogy. Imagine a situation in which there were no standards for reinforced safe rooms, no requirement to build bomb shelters, and each building could decide for itself how to protect its residents. In such a situation, claiming that no legal framework for cybersecurity is necessary would be similar to claiming that building safety standards are unnecessary simply because most buildings have not yet collapsed.

In practice, countries around the world establish minimum cybersecurity standards. In that sense, the proposed regulation is not unusual at all. The European Union, for example, has maintained comprehensive cybersecurity regulation for nearly a decade, most recently expanded through the NIS2 Directive.

Moreover, the proposed legislation does not seek to manage companies’ cyber systems or access their computers. Its goal is simply to ensure that organizations across the economy maintain a basic level of protection and cooperate when serious attacks occur. In cyberspace, an organization that neglects the security of its systems does not endanger only itself. It also puts its customers, suppliers, and connected organizations at risk.

For that reason, protecting the digital domain cannot rely solely on the voluntary judgment of each company or on its willingness to cooperate with the National Cyber Directorate when that authority lacks clear legal powers.

The cyberattacks we have seen since the beginning of the current campaign are a reminder that the digital front is not marginal. One cannot have it both ways – on the one hand, expecting the state to protect the economy in cyberspace, and on the other hand refusing to equip the National Cyber Directorate with the legal tools necessary to act quickly and effectively when a large-scale attack occurs.

A single cyberattack can disable public services. Just as importantly, it can damage many businesses, expose the sensitive personal information of thousands of citizens, and spread fear, panic, and confusion among the public.

So what exactly are we waiting for? Israel’s cyber defenses have already been penetrated in the conflict with Iran. We are already fighting in the digital battlefield. It’s time for regulations to catch up.  

© The Times of Israel (Blogs)