Israel VPN bans and restrictions

Israel Banned a Vulnerable Remote-Access Tool in 2024 — Its Own Government Kept Using It for 10 Months

Israel's State Comptroller found 31 of 48 ministries ignored a cyber-directive ban on vulnerable VPN software until wartime attacks forced a shutdown.

Israel's Government Ignored Its Own VPN Ban People of Internet Research · Israel 65% Ministries still using banned tool 31 of 48 ministries kept using the… 10 months Months of continued noncompliance March 2024 ban wasn't enforced unt… ~500% Foreign Ministry attack surge Rise in cyberattacks on the Foreig… 16% Services linked to digital ID Share of mapped government service… peopleofinternet.com
Israel's Government Ignored Its Own VP… People of Internet Research · Israel 65% Ministries still using banned tool 10 months Months of continued noncom… ~500% Foreign Ministry attack surge 16% Services linked to digital ID peopleofinternet.com

Key Takeaways

Israel's State Comptroller, Matanyahu Englman, published four cybersecurity audits on May 26, 2026 examining how the government protects its own networks. The most striking finding has nothing to do with foreign adversaries breaching a firewall. It concerns Israel's own bureaucracy ignoring its own regulator.

In March 2024, the National Cyber Directorate ordered the National Digital Agency to stop using a remote-access and VPN platform after discovering critical, actively exploitable vulnerabilities in it. According to the Comptroller's report, the Digital Agency and roughly 65% of government ministries — 31 of 48 — kept using the flagged tool anyway. It took ten more months, and live cyberattack attempts against government networks during wartime, before the platform was finally shut down in January 2025.

A Directive With No Teeth

The remote-access failure was not an isolated lapse. The same report found the Foreign Ministry's cyberattack volume rose roughly 500% since October 7, 2023, while its network drives held tens of thousands of sensitive documents accessible to effectively any employee. The Ministry of Construction and Housing went eight years without properly registering nine databases holding millions of citizens' records, a breach of the country's own privacy-protection framework. Police had not run a penetration test in about eight years; the Fire and Rescue Authority had never run one at all. Only 16% of government services were connected to Israel's national digital-identity system, and just 3% were accessible through the citizen portal meant to unify them.

Englman's own diagnosis was blunt: "organizational politics, decentralization of authority, budget gaps in IT units and poor management culture" are blocking ministries from meeting cybersecurity standards the country expects of its private sector. As he put it, "in light of the threats from Iran, the government must be well prepared for cyberattacks."

The Case for the Original Order

It is worth steelmanning the National Cyber Directorate's March 2024 instruction before criticizing what came after it. Ordering a specific, vulnerability-riddled remote-access tool pulled from government networks is exactly the kind of targeted, evidence-based intervention this publication generally favors — a far cry from the blanket VPN and remote-access bans authoritarian governments impose to choke off circumvention of censorship, as seen at various points in Russia, Iran, and Myanmar. Israel's directive was narrow, technically justified, time-bound to a specific exploit, and aimed at protecting government infrastructure rather than restricting citizens' access to the open internet. A government that can identify a live vulnerability and order it removed from its own systems is doing cybersecurity policy the right way, in principle.

Where It Actually Failed

The problem the Comptroller's report exposes is not overreach — it's an enforcement vacuum. A rule that 65% of the regulated population can ignore for ten months, during an active war, with no apparent consequence, is not really a rule. It's a recommendation. Private companies facing a comparable regulatory order — say, a Privacy Protection Authority directive to patch an exposed database — face fines, litigation exposure, or reputational damage for slow-walking compliance. Israel's own ministries faced none of that until an audit surfaced the gap two years later.

That asymmetry matters beyond this one platform. Israel, like the EU, the UK, and India, is moving toward tighter cybersecurity and critical-infrastructure obligations for private operators — telecoms, cloud providers, financial institutions. Those mandates only carry credibility if the government imposing them can demonstrate it holds itself to the same standard. A regulator that cannot get its own Foreign Ministry to patch an exposed network drive, or get 31 ministries to drop a flagged VPN tool inside a year, has a weak platform from which to lecture the private sector about incident response timelines.

What Should Change

The fix is not looser cybersecurity mandates for government agencies — it's mandates with actual enforcement mechanisms attached. That means budget allocations tied to IT security compliance rather than treated as a discretionary line item, a public compliance clock the National Cyber Directorate can point to (so noncompliance shows up in months, not in an audit two years later), and personal accountability for agency heads who miss binding deadlines on directives tied to active, named vulnerabilities.

Englman's office says the Digital Agency is now cooperating and has implemented most of the report's recommendations. That's a reasonable starting point. But the underlying lesson for policymakers extends past Israel: a security directive is only as strong as the mechanism forcing compliance with it, and that is true whether the entity being regulated is a bank, a telecom, or the ministry that wrote the rule in the first place.

Sources & Citations

  1. State Comptroller — Annual Cyber Reports newsroom notice
  2. State Comptroller Digital Library — Annual Cyber and Information Systems Report, May 2026
  3. The Jerusalem Post
  4. Ynetnews