The Israeli government continued using a remote-work platform with critical cyber vulnerabilities for 10 months after the National Cyber Directorate ordered it to be shut down, while emergency bodies and ministries handling sensitive data remained exposed to cyber failures during wartime, State Comptroller Matanyahu Englman found in reports published on Tuesday.
“In light of the threats from Iran, the government must be well prepared for cyberattacks,” Englman said. “The reports found significant deficiencies; they must be corrected immediately.”
According to Englman, emergency bodies were not prepared as required, and the risk of their exposure to cyberattacks had not been sufficiently examined. After October 7, the National Cyber Directorate prepared cyber-readiness instructions, he said, but they were not passed on to some emergency bodies.
Together, the reports show a government increasingly dependent on digital systems that are not always secure, updated, unified, or usable: public servants connect remotely to ministry networks, citizens are pushed into online services, and ministries hold millions of sensitive records, while basic cyber oversight remains incomplete.
One of the most serious findings concerned remote work. After the National Cyber Directorate instructed the National Digital Agency to stop using the vulnerable platform, the agency and 65% of government ministries continued using it for 10 months. The use of the platform was stopped only in January 2025.
The Fire and Rescue Authority had no business continuity plan for remote work, had not held required emergency exercises, and had not conducted penetration tests on its remote-work system until the Comptroller’s Office did so during the audit.
The police also had no technological business continuity plan, had not held emergency exercises, and conducted a penetration test of its remote-work system only in early 2025, some eight years after the previous test. The Courts Administration was also found to have gaps in its remote-work procedures. Some parts of the audit chapter were withheld from publication for national-security reasons.
Hundreds of information security incidents found in Israeli missions abroad
The Foreign Ministry, which the comptroller described as a central cyber target, was also found to have longstanding gaps. During the Israel-Hamas War, there was a roughly 500% increase in information-security incidents at Israeli missions abroad, with hundreds of incidents in 2023, including an attempted breach of an embassy employee’s email.
“The picture emerging from the audit of the Foreign Ministry shows a continuing technological gap in the ministry’s computer systems that has lasted for many years, and an organizational culture that is not compatible with the reference threat defined for the Foreign Ministry,” Englman said.
The ministry’s cyber and information-security policy had not been updated since 2018. Its IT steering committee did not meet from 2021 to 2023, and reconvened only in April 2024.
The ministry’s 2024 IT budget stood at NIS 85.3 million, including about NIS 13 million for cyber needs, but ministry documents cited by the comptroller said it was at least NIS 20 million short of its actual needs. As a result, 14 projects were frozen or delayed in 2024, including upgrades to the Merkava system, the consular system, and cloud migration.
The comptroller also found failures in the handling of sensitive and private information. In some ministry networks, shared folders were open to all users and contained tens of thousands of documents, some sensitive and private. Only three Foreign Ministry databases were registered with the Justice Ministry’s database registry, even though the ministry manages dozens.
The Construction and Housing Ministry was also found to have mishandled sensitive data. It holds databases containing millions of records on public-housing tenants, housing-assistance recipients, participants in discounted housing programs, and registered contractors, but had not completed the required registration of all nine databases under privacy-protection regulations.
Its cyber policy, approved in 2020, had not been updated, discussed, or reviewed every two years as required. Between 2022 and 2024, the ministry conducted eight risk surveys, but its cyber steering committee discussed only two. From 2021 to 2024, it carried out only two application penetration tests and one infrastructure penetration test.
More than half of the ministry’s systems did not undergo the required annual review of user permissions. The ministry also failed to conduct semiannual reviews of privileged users, define abnormal actions, or operate automatic alerts.
Governmental digital services to citizens only partially implemented
Englman also criticized the government’s digital service to citizens, saying, “Digital service for citizens is not a luxury.”
Although the government has been making decisions on digital services since 2014, the national identification system and government personal area, which went live in 2019, are still only partially implemented. By the end of 2024, 4.6 million citizens were registered in the system, but only 16% of mapped government services were connected to it, and only 233 services out of thousands were available through the government's personal and business area.
Eight of 31 government ministries, including the Foreign and Defense ministries, were not connected to the national identification system. Only 11 of around 36 government units were connected, and only one of 11 general government hospitals was connected. The Tax Authority, National Insurance Institute, and Employment Service operated their own identification systems despite providing major public services.
Local governments lagged even further behind; only 15 of 258 local authorities, about 6%, had connected to the system. Many government services still require paper-based bureaucracy, including most Foreign Ministry consular forms, Rabbinical Court forms, and about half of the Population and Immigration Authority forms reviewed.
The National Cyber Directorate responded that the findings demonstrated the need for the Cyber Defense Law, which the government approved on Monday in preparation for its first reading. The directorate said that cyber threats have become “a daily threat” to the continuity of operations, public services, and sensitive information, and that Israel can no longer rely on each body to determine its own required level of protection.
The law is meant to create a binding national framework, set a mandatory baseline for cyber-risk management, strengthen readiness and reporting, and ensure that protection of essential services and infrastructure does not depend solely on local discretion or on resource and knowledge gaps, the directorate said.
Englman’s recommendations centered on moving public bodies to unified, secure identification systems, closing emergency cyber-readiness gaps, and requiring ministries that hold sensitive data to update their cyber policies, test systems regularly, restrict access, and prepare continuity and disaster recovery plans.
Cyber threats, the report said, must be treated as a national-security and strategic threat, beginning with the directors-general of government ministries themselves.