Information insecurity:
From the State Comptroller's report published today (Tuesday), many deficiencies emerge in areas such as security, transportation, education, water, etc. The report shows that there are significant gaps in the IDF information systems, including identification means aimed at identifying spaces. These are systems that include databases of hundreds of thousands of fingerprints and palms, a database of dental photographs and a collection of blood stains of everyone who has ever enlisted in the IDF.
The Comptroller's Report on the Biometric Database in the IDF // Spokesperson of the State Comptroller's Office
The biometric information in the IDF is collected from recruits, is used to identify victims and is stored in three databases of identification means (a database of fingerprints and palm prints, a database of dental photographs and a collection of blood stains). During the recruitment process in the military chain, these identification methods are taken from every soldier who enlists in the IDF.
The space identification process is carried out by comparing the biometric data taken from the recruit to those taken from the space.
The IDF has three central information systems for managing the identification process: two systems that manage the databases of identification means were classified by the IDF as secret, and a third system that manages and documents the handling of the space, including the space identification process.
The main users of the systems are Meitav Unit (in the procurement process) and the Identification and Burial Branch (ZOK) in the Military Rabbinate (in the space identification process).
A blood sampling station in the chain of custody at the BKOM, photo: Yossi Zeliger
State Comptroller Matanyahu Engelman.
"Risk of damage to credibility", photo: Oren Ben Hakon
The IDF is not organized
When required for this, the IDF must act in accordance with the defense policy in the cyber field, and in accordance with the Privacy Protection Law. According to information security regulations, a database containing biometric information that has more than 100,000 records is required to meet a high level of security. The regulations specify how to maintain The security level set for the database.
Despite all of this, according to the State Comptroller's report, 7 years have passed since the IDF's defense policy regarding these systems was updated, and no less than 26 years since the Defense Ministry's orders on privacy protection were updated. Also, the army did not conduct surveys Risks and penetration tests for these systems since their establishment in 2005-2006.
The report also shows that the systems are missing 0.5% of the fingerprints, 6.6% of the X-rays, 32.8% of the oral cavity photographs and 3.8% of the DNA samples.
Also, there are missing hundreds of fingerprints of soldiers who enlisted in 2016 and 2017 and several thousand dental photographs for permanent personnel who enlisted in 1994-2004.
New recruits in the BCOM. The information that will be taken from them is not safe,
AKA head Yaniv Asur (archive). Problems need to be addressed, photo: Oren Ben Hakon
The auditor further commented that the IDF did not formulate a dedicated physical security procedure for the identification means systems as required by Regulation 4 of the Information Security Regulations, despite the fact that they store personal and sensitive biometric information that requires a high level of security. Furthermore, gaps were found in the level of logical protection, i.e. identification, authorizations Access, control over the execution of unauthorized operations, encryption mechanisms and more.
"This situation creates a risk of damage to the reliability, availability and confidentiality of the information in the databases", stated the auditor and added that the information systems are not managed efficiently and according to a regular methodology for managing information systems projects.
As a result, there is a fear that the identification means systems will not be able to fulfill their purpose.
It was also found that the project manager in the IDF did not prepare a work plan for the identification means systems and did not make sure that the establishment and management of the systems meet the accepted goals of content, schedules, costs and customer satisfaction. "This is it," stated the auditor.
The IDF spokesperson stated in response: "The IDF thanks the State Comptroller for this audit and takes its findings seriously. Most of the recommendations regarding the management and security of biometric information have been accepted and tested by the IDF and the relevant bodies have begun their implementation. The military database and the systems indicated in the report are within the network classified by the IDF and are not accessible to external parties or exposed to unauthorized parties within the IDF.
State Comptroller Mattaniho Engelman, photo: Oren Ben Hakon
"Upon receiving the findings of the report, several processes were initiated to improve the security of the biometric database and its use.
As part of the processes, the development of the software infrastructure for connecting new cameras that were purchased in order to improve the quality of the acquisition of identification in the enforcement chain was completed.
In some of the previous recruitment cycles this year, a mobile station operated with procurement positions borrowed from the recruitment chain, this will continue to operate as needed.
"The IDF has mechanisms in place to prevent the entry of unauthorized parties in the IDF into these systems, along with this, we will consider upgrading these infrastructures for further improvement in information security.
The cyber defense policy document is currently in the process of being validated and updated.
The auditor's recommendation to update it periodically every several years was accepted and the order will be valid once every several years.
The work plan for 2023 will include elements to improve the compliance of the information systems and the database with the latest information security and privacy protection requirements."
were we wrong
We will fix it!
If you found an error in the article, we would appreciate it if you shared it with us
