State audit warns Israel’s cyber preparedness gaps threaten economy and security

The report cited the National Cyber Directorate’s estimate that cyberattacks cost the Israeli economy NIS 12 billion annually. It also noted that global cybercrime damage was estimated at about $8 trillion in 2023, about 15% higher than in 2022.

The report found that from 2020 until June 2025, the National Cyber Directorate did not submit required semiannual reports on the protection status of computerized systems in Israel, including critical state infrastructure bodies, to the prime minister, cabinet secretary, head of the National Security Council, head of the Shin Bet, and chair of the Knesset Foreign Affairs and Defense Committee.

It also found that the steering committee responsible for essential computerized systems in critical state infrastructure bodies did not convene in 2021 and did not convene for one year and two months after the outbreak of the war. The committee met in December 2020, January and December 2022, June 2023, and December 2024.

Prime ministers did not initiate dedicated security cabinet discussions on cyber during the decade before the war and through June 2025, except for one dedicated meeting held in 2018, the report said. Although cyber was mentioned in broader discussions, including annual intelligence assessments and multi-arena situation reviews, the cabinet was not exposed to the full range of cyber risks, preparedness gaps, and potential damage.

The National Cyber Directorate had warned before the war that cyber protection levels in parts of the economy, excluding critical state infrastructure bodies, were insufficient. These warnings were presented in several forums, including to an interministerial team, to then-intelligence minister Gila Gamliel, and once to a ministerial forum headed by Prime Minister Benjamin Netanyahu.

In October 2024, about a year after the war began, then-National Cyber Directorate head Gaby Portnoy reported that the maturity level of cyber protection in the economy remained insufficient and might not meet future challenges. Portnoy said the dramatic improvement in the pace and capabilities of attacks required action to strengthen Israel’s line of defense and ensure functional continuity at the economic and security levels.

The report said some critical state infrastructure bodies had certification levels before the war that reflected a limited ability to deal with attackers. By June 2025, certification scores had improved, but a gap still remained.

The report said several government decisions on the issue were adopted between 2011 and 2021, while an international comparison by the National Cyber Directorate found that Israel was significantly behind in cyber regulation. Several previous State Comptroller reports had also identified gaps in advancing Israel’s cyber law.

In January 2024, after the outbreak of the war and amid increased cyberattacks in the civilian space, Netanyahu instructed officials to submit a cyber bill memorandum for approval by the Ministerial Committee for Legislation within three months, by April 2024. As of June 2025, the bill had not been completed, disagreements between ministries had not been fully resolved, and no timetable had been set for submitting the bill, the report found.

Additionally, the report found major gaps in national and sectoral cyber exercises before the war. At the national level, the National Emergency Authority and the National Cyber Directorate did not hold a national cyber drill for six years before the Israel-Hamas war.

Only in November 2024, about a year after the war began, was a national cyber drill held in tabletop format. In March 2025, the National Emergency Authority held a broader national drill that included both a war scenario and a cyber scenario, which the National Cyber Directorate helped plan and attended.

The report also found that representatives of the political echelon, including the prime minister, security cabinet members, and ministers, did not participate in the national cyber drills held in 2018, 2024, and 2025. At the sectoral level, gaps were found in cyber drills in 2022 and 2023, even though the National Cyber Directorate had defined an annual sectoral drill as a required anchor for sectoral cyber units.

Sectoral cyber units were described as the professional and practical infrastructure for guiding, supervising, and overseeing cyber defense in hundreds of public and private bodies that provide essential services. However, it found that part of the sectoral cyber unit system suffered from significant functional weakness.

Before the war, the National Cyber Directorate did not hold intelligence reviews for the sectoral cyber units, did not establish a regular information-sharing forum among them, and did not sufficiently involve them in developing tools intended for their use. The professional guidelines sent to the units were recommendations only and were not binding, while the directorate could not oversee the extent of their implementation.

The report noted positively that during the audit, the National Cyber Directorate began addressing some gaps, including by convening a professional forum with the sectoral units and presenting an intelligence review. It said strengthening the sectoral units was essential because the level of protection in some sectors remained insufficient.

Although a 2011 government decision required the National Cyber Directorate to formulate a national concept for handling emergency situations in the cyber dimension, the report found that the document “The National Concept for Managing a Cyber Crisis” had not been updated for many years.

The document did not include references to cyber-defense guides and organizational preparedness materials published by the directorate from 2018 to 2023. It also did not detail all state regulatory bodies in the cyber field, their powers, areas of responsibility, or the interfaces between them.

The National Cyber Directorate did not instruct the sectoral units to operate according to the concept, even during the war, the report found. It also identified gaps in cooperation among relevant bodies dealing with cybercrime and financially motivated cyberattacks.

The report distributed questionnaires to 21 important bodies in the economy to assess their readiness before the war and their ability to respond to cyber incidents. The bodies included sensitive entities guided by the National Cyber Directorate, government ministries, essential bodies, higher education institutions, local authorities, and special bodies operating under self-guidance in the cyber field.

Seven of the 21 bodies, or 33%, received a score of 60 or lower in an index measuring organizational frameworks and tools needed to handle a significant cyber incident. These included appointing a cyber officer, establishing a management team for a cyber crisis, convening a cyber steering committee at least once every six months, and employing an internal or external incident-response team.

The report found that four bodies, or 19%, had no internal or external incident-response team. It also found that 48% of the bodies had not convened a cyber steering committee as required in the year and a half before the war, 38% had not established a cyber crisis management team, and 90.5% did not have cyber insurance.

Before the outbreak of the war, eight of the 21 director-generals, or 38%, lacked the situational picture and information infrastructure needed to understand their organization’s cyber preparedness, protection level, and gaps. The missing information included cyber risks, cyber policy, principles for handling incidents, business recovery plans, lessons from exercises, and findings from investigations of significant incidents.

The report found cross-cutting gaps in presenting recovery plans for cyber incidents to director-generals (52%) and in presenting lessons learned from exercises (55%). It also found that 40% of director-generals were not presented with critical and high-severity penetration-test findings, while 52% did not receive annual reports from their organizational security operations center.

These gaps could impair management’s ability to allocate resources, make decisions, and ensure continuity of operations during a significant cyber crisis, the report said.

The reports of 18 of the 21 bodies, or 86%, indicated gaps in threat and risk analysis between January 2022 and July 2023, before the October 7 attack. The report also found gaps in some bodies in planning and implementing technological measures to detect cyber incidents, although some were corrected during the audit.

On the eve of the war, two of the 21 bodies, or 10%, reported that they had not implemented any SIEM or SOC system for monitoring and handling cyber incidents. These bodies later reported that the issue had been corrected following the audit.

The reports on 20 of the 21 bodies, or 95%, indicated that, before the war, there was at least one gap in planning for handling cyber incidents and integrating those plans into work processes. The report warned that inadequate preparedness could undermine bodies' ability to manage cyber incidents effectively and increase the damage they cause.

Among 13 important bodies that said they had experienced cyber incidents, five, or 38%, reported that they only partially implemented lessons from those incidents. The report warned that partial implementation could lead to similar future incidents.

The report also found that the National Cyber Directorate’s information on hundreds of wartime incidents with significant potential for damage lacked essential details needed to build a full situational picture, investigate incidents, and produce systemic lessons. The missing information weakened the state’s ability to prevent recurrence and to improve cyber defense processes.

The report noted positively that the National Cyber Directorate acted at the beginning of the war and during it to identify and reduce critical gaps, strengthen cyber resilience, divert resources, and change priorities. However, it said those actions did not fully address the gaps identified in the audit.

In the absence of a permanent cyber law, the National Cyber Directorate worked with the Shin Bet and the Defense Ministry’s security department to enact emergency regulations and temporary orders for serious cyberattacks in the digital services and hosting-services sector. The original validity was seven months, but it was updated several times and extended until November 2025.

By the end of August 2024, the National Cyber Directorate had reported to the attorney-general and the Knesset Foreign Affairs and Defense Committee several cases in which it identified serious cyberattacks and issued binding instructions to bodies under the temporary framework.

The report also noted positively that the Knesset approved Amendment 13 to the Protection of Privacy Law in August 2024. The amendment expanded enforcement and oversight tools, updated criminal offenses, required the appointment of privacy protection officers in certain public and private bodies, and created a special oversight mechanism for security bodies.

Englman called on all relevant parties to treat the deficiencies as an urgent warning and act promptly to correct them. He recommended that the National Cyber Directorate, government ministries, and sectoral cyber units formulate a national-governmental action plan to reduce cyber-protection gaps in both the short and long term and bring it for government approval.

The report also recommended that the prime minister hold orderly discussions, at least once every six months, to present the state’s cyber-preparedness picture and the gaps in it to the security cabinet or to a dedicated ministerial committee. It further recommended that the Prime Minister’s Office act to complete the cyber law.

The report said responsibility now rests with the prime minister, the National Cyber Directorate, the Shin Bet, the National Emergency Authority, the government cyber defense unit, the sectoral cyber units, and the management of the audited bodies. Each must act within its area of responsibility to ensure that the gaps identified in the report are corrected.

The report comes amid a broader rise in cyber activity against Israel. The National Cyber Directorate handled more than 26,000 serious cyber incidents in 2025, a 55% increase compared with 2024, Yossi Karadi said at the Cybertech Global conference in Tel Aviv.

A permanent cyber law was advanced in January 2026, with the National Cyber Directorate seeking stronger powers after years of operating largely through executive decisions and temporary emergency regulations. Karadi later said the Iran war had delayed the bill and that it would likely not be completed before 2027.

Karadi warned in March 2026 that AI was increasing the scale and sophistication of cyber threats, including hacking, deepfakes, and mass attacks. In December 2025, he said Iran had tried to target Israelis during the June war through large-scale cyber and social-engineering campaigns.

Former National Cyber Directorate head Gaby Portnoy called in May 2025 for a cyberdefense coalition with regional partners that helped defend Israel against Iranian attacks in 2024.

In response to the report, The Israel National Cyber Directorate said the National Cyber Defense Law, which was approved Monday night in its first reading, would improve cyber protection for essential organizations and digital suppliers, and strengthen government regulatory ministries’ ability to lead cyber defense efforts in the various sectors under the directorate’s professional guidance.