State Comptroller Report: Israel’s Emergency Agencies Are Vulnerable to Iranian Cyberattacks

A sweeping report published today (Tuesday) by State Comptroller Matanyahu Englman reveals a series of serious failures in the digital defense systems of government and emergency agencies. The audit’s findings point to major security gaps that could allow breaches into state systems, theft of personal information, and disruption to the functioning of critical infrastructure.

The audit was conducted across a number of key bodies, including the Israel Fire and Rescue Authority, Israel Police, the Administrative Office of the Courts, the Ministry of Economy and Industry, the National Digital Agency, including the Government Cyber Defense Unit (YAHAV), the Prime Minister’s Office through the National Cyber Directorate, the Ministry of Justice through the Privacy Protection Authority, as well as additional government ministries. Some of the findings are classified at a high level of severity.

One of the report’s central findings deals with conduct following the October 7 attack. According to the audit, although the National Cyber Directorate had formulated preparedness guidelines for cyberattacks, some emergency agencies never received them at all. At the same time, the report found that about 65% of government ministries continued for months to use a remote-work technology product, even though it was known to have numerous security vulnerabilities that exposed users to cyber risks. Only in January 2025 was use of that product discontinued.

The comptroller’s review also found wide gaps in remote-work systems across government agencies. In the Fire and Rescue Authority, Israel Police, and the Administrative Office of the Courts, targeted security flaws were identified. As part of the audit at the Fire and Rescue Authority, a dedicated penetration test was conducted to examine the resilience of systems accessible to remote employees. Within the attack scenarios that were tested, weaknesses were found that could harm the availability, reliability, and confidentiality of the infrastructure. In addition, it emerged that there are gaps in the organization’s preparedness for a scenario in which systems collapse as a result of a cyberattack, alongside a lack of appropriate drills.

An especially troubling picture emerges from the audit findings at the Foreign Ministry. According to the report, the ministry has for years been dealing with an ongoing technological gap in its computer systems, alongside an organizational culture that does not match the level of threat defined for it. In the absence of a comprehensive, current, and orderly cyber policy, exposure to cyberattacks and leaks of sensitive information increases. The audit also found serious failures in safeguarding personal and sensitive information, and that the ministry’s leadership is not fully implementing the provisions of the Privacy Protection Law and its regulations.

The State Comptroller concluded the report with a warning about the country’s readiness in the face of the cyber threat: "In light of the threats from Iran, the Government of Israel must be well prepared for cyberattacks as well. The reports identified significant deficiencies, and they must be corrected immediately. Emergency bodies were not prepared as required for emergency situations; the risk of exposure to cyberattacks in emergency bodies was not sufficiently examined."