http://www.haaretz.com/hasen/spages/905587.html
By Yossi Melman
September 20, 2007
Esther Levanon is a computer whiz. She was responsible for the Shin Bet
security service computer system for several years. Now, her pupils are
trying to teach their instructor how to run and secure computer systems:
Levanon is now CEO of the Tel Aviv Stock Exchange, and the Shin Bet
wants to control that organization's information security.
But Levanon refuses to surrender to Shin Bet dictates. She fears that a
connection between the public financial institution and the security
organization would damage the TASE's image and make it less attractive
to foreign investors. The disagreement made its way to the Knesset
Internal Affairs Committee, which addressed the issue in May.
During the deliberations, committee chair MK Ophir Pines-Paz learned
that the prime minister and the public security minister, who are
responsible for this matter, failed to establish committees to appeal
Shin Bet decisions, as required by law. In response, Pines-Paz delayed
adding the TASE to the list of institutions supervised by the Shin Bet.
Meanwhile, the appeals committees have not yet been formed.
The argument between the Shin Bet and the cabinet, against the TASE and
Pines-Paz, stems from two laws: the 1998 law regulating security in
public institutions, and the Shin Bet Law. These laws determined the
division of labor and responsibility between the Shin Bet and the Israel
Police for securing public, and often private, organizations. In
general, police guide and advise personnel in physical security matters,
and the Shin Bet information security division primarily protects
computer systems. (The latter was granted the status of official
defender of information in Israel in 2001.)
By nature, security organizations seek to expand the margins of
security. Money is not their central consideration, if it is an issue at
all. The problem is that neither the Shin Bet nor the police bear the
financial burden for security activities - this rests squarely on the
shoulders of the organizations or institutions under their jurisdiction.
This problem is particularly acute in the case of the police, who,
unlike the Shin Bet, profit from their guidance. The police provide -
and demand payment for - their security services without competition or
tenders. And when a certain event needs to be secured, the police always
charge more than is required, usually demand payment up front, and
return the balance very late and without interest.
The Shin Bet, police and the National Security Council (NSC) requested
the May meeting of the Internal Affairs Committee in order to
amend the public institutions security law (a move that requires the
committee's approval). Their proposed amendments would add Mediterranean
Nautilus (a submarine cable company that facilitates 95 percent of
Israel's communications traffic), Israeli universities, the Defense
Ministry's terminals administration, Israel Railways, newly privatized
refineries, and the stock exchange to the list of supervised
institutions. None of the institutions objected to being "supervised,"
with the exception of Levanon and the stock exchange. She remains firm
in her position despite the fact that the Israel Securities Authority,
the government body that oversees the TASE, already agreed to the
amendment.
Levanon told the committee that she worked with and for the Shin Bet
from 1973 to 1985, first as an external consultant on behalf of a
programming firm, and later, after the Shin Bet adopted her
recommendation to establish an independent computer system, as the
manager of that system.
In 1985, she left the Shin Bet for the TASE, where she directed the
computerization of the stock exchange. During the discussion, she
described Shin Bet computer personnel as her "spiritual grandchildren."
She questioned the Shin Bet's estimate that a terror attack on stock
exchange computers could cost 0.5 percent of the Gross National Product
(about $75 million) and hundreds of lives, maintaining that these
figures were used merely to justify Shin Bet demands.
"I don't understand what attack on the exchange they're talking about.
They told us that if someone breaks into the TASE system, the damage
will cause a lack of faith in the exchange and make foreign investors
flee." But she maintains that knowledge that the Shin Bet supervises
information systems in Israel's stock exchange might drive foreign
investors away, "causing exactly what the Shin Bet is striving to
prevent." A Shin Bet representative responded that the security service
has no interest or intention in supervising information - only in
"securing the computer system."
Levanon said that when she left the Shin Bet, an agreement was made that
a Finance Ministry security official - not the Shin Bet - would be
responsible for safeguarding the TASE computer system. Levanon
maintained that this would be readily acceptable to foreign investors,
but difficult to implement, because the treasury's security department
is ultimately subordinate to the Shin Bet, too.
Pines-Paz suggested that the issue be transferred to the appeals
committee, but was then informed that this committee was never
established. Pines-Paz told Haaretz that the Prime Minister's Office and
Public Security Minister Avi Dichter promised him they would establish
the committee quickly, but this has not happened yet - thus, the
amendment was not transferred to committee, and the stock exchange
continues to secure its own computers without Shin Bet supervision.
Levanon responded, "I expect we will operate according to the agreement,
and that the treasury will act as our professional guide in matters
pertaining to computer security." The Shin Bet refused to address the
matter. Officials in the Public Security Ministry responded that Dichter
ordered the establishment of an appeals committee, to be led by the
chief of the police operations branch. The committee will begin work as
soon as two more committee members are found, and once it receives the
requisite approval of the Civil Service Commission.
[...]