Cybersecurity and privacy: scenario and future developments By Linea EDP editorial team 04/15/2022

Pierluigi Perri, traces a very in-depth analysis of the scenario regarding cybersecurity and privacy in Italy and around the world

The 2022 edition of sec solution forum, which will take place online on April 26-29, has among the main focuses the delicate issue of cybersecurity and privacy, also understood as data protection. The latest sensational events that have seen large companies as well as primary PA bodies being stolen personal and non-customer and supplier data, lead us to ask ourselves what the current scenario is regarding the protection of information by those in charge of storing it and protecting them. What has been done, what is still to be done or what could be done? Pierluigi Perri - Lawyer, Associate Professor of "IT security, privacy and protection of sensitive data" of the University of Milan, answers this and the following questions, who traces a very in-depth analysis of the scenario concerning cybersecurity and privacy by offering a characteristic point of view on the current situation and probable future developments. The newspapers now constantly report news about attacks on infrastructures, stolen data, blocking of services, etc ... Unfortunately this is the distinctive feature of the digital world which, as in a hypothetical war between cops and thieves, sees more and more figures interested in stealing data and others committed to protecting them. Professor Stefano Rodotà, long ago, emphasized the importance of data, arguing that they too should be kept in a safe, just like jewelry or cash. What we are living in is an increasingly digital world pushed even more by the pandemic which in recent years has characterized a new environment where all the activities have poured, increasing what is called attack surface in jargon. that it is not possible to interrupt the growth trend of attacks because it is closely linked to the progressive transfer of all activities, including economic ones, to the so-called cyberspace. By now, the policies of the European Union are all based on data and on the creation of the so-called digital single market, which would like to create a digital single market, similar to the existing single market for physical goods and services. In this context, security is the precondition for a digital environment to be reliable, fostering a feeling of trust. Trust is precisely the condition under which people can conduct their business within a virtual environment. The projections provided by the European Union illustrate how much benefit we can derive in terms of GDP from a data-driven market, therefore the only thing we can do is to face the current digital world with awareness of the risks and benefits, considering that awareness is the first requirement of any security plan. Cybersecurity is now part of the processes in most companies and organizations, which have increased their investments, well aware of the risk situations to which they are exposed. Despite this, the increase in cyberattacks is proportional to the progress in cybersecurity technologies. Is this a trend destined to become a constant? Unfortunately, the trend is destined to increase and as I said earlier we can see it from the media: after all, "the thief is always one step ahead". In any case, we can still draw important lessons from the attack methods and the possible forms of prevention or control of damage with respect to cyber threats. For this reason, the European Union through the regulations offers various stimuli regarding cybersecurity from which different aspects emerge and in particular two keywords: proactivity and resilience. These words indicate precisely the capacity that a computer system must have: to be able to absorb an attack and ensure the continuous delivery of services, even if most likely slowed down, not efficient, but never interrupted. Resilience logically means creating a system that has the ability to respond to the attack, therefore in this continuous struggle between attackers and attackers we always try to be ready looking for the best way to identify the attack vector, mitigating or putting a stop to the consequent damage. We must not forget that, as a defense weapon, we also have knowledge sharing available. Only through the sharing of experiences, even negative ones, in the field of information security is it possible to arrive much more quickly to the identification and prevention of a problem, such as in cases of cyber attacks on healthcare facilities, which have multiplied exponentially during the pandemic. At this point, managing to quickly identify a threat, thanks to sharing, it is possible to solve the specific problem in a shorter time, ensuring resilience to the entire sector. Going back to talking about regulations and approaches, the European Union pushes us to reflect on how in reality, although business is an individual practice, we are all connected on a digital level. In this sense, it is necessary to consider from a broader point of view what the so-called perturbation factor can represent: a supply chain is composed of many actors and the safety problem of any of these subjects is able to create a shocking effect on the whole production chain. Let me give an example: if a bank is attacked, obviously the person suffering the most damage is the institution that is the victim of the attack, but it should also be considered that the entire banking system would then be affected by a general decline in confidence. Today's economy relies heavily on data exchange, so all attacks create consequences that, when added together, have a negative impact on the overall economic objective. Having said that, as far as safety aspects are concerned, they can be divided into three levels • First level: recalling national but also European considerations on cybersecurity, we can say that the protection of all structures that provide essential services for the population such as telecommunications, financial, PA, etc., must fall within specific security measures that are included within the national cybersecurity perimeter. European regulations think in this way: each nation identifies the actors who must fall within the security perimeter and requires them to adopt special measures. At this point, the sum of these actors who provide services leads to obtaining a hypothetical set of perimeters. Since the national perimeters are the result of a directive, all the countries of the European Union will have their own total perimeter; the sum of all these perimeters will establish the European cyber security perimeter. • Second level: the type of commercial security where it is possible to legally identify all the practices that can be classified as computer crimes and unfair competition. For example, competitors who want to take over a competitor's customer list, trade secrets, patents, confidential information relating to a product, information on mergers and acquisitions between companies, and even steal or alter data relating to consumer profiling activities. The ones I have mentioned could all fall under unfair competitive practices. • Third level: personal security, i.e. how to protect your data. Here too we can provide examples on how to avoid being scammed, inserted or cataloged in certain "filter bubbles" where systems place the person according to their preferences. Unfortunately, these "filter bubbles" are not transparent because, from the moment we are inserted into the bubbles, we are not informed and there is no way out because it is only possible to see part of the information that is provided. Therefore, to have a free and secure web avoiding the so-called social sorting, information security and transparency of operations are a fundamental prerequisite. Let's talk about Privacy. What are the current challenges and any "uncovered areas" that the legislation should protect? There are several problems dictated by the legal part which alas does not travel at the same speed as technology. Technological advancement is designed to be more sudden than legislative discussions. In any case, we can always refer to how Europe is moving and I would like to point out that our country also has its excellence in the digital field. Nonetheless, the problem is that of having two different speeds that do not allow the legal sector to go hand in hand with technology, because the challenges are many and the law will always, in some ways, find itself chasing technology. However, the regulations that are published try to adopt formulas broad enough to include what is expected to be the new technological scenarios. The current problem is of an implementation / executive nature of the existing rules within which there are still different areas and sensitivities. There are sectors and geographic areas that have a certain sensitivity to security and the importance of protecting their data, which is already very high. This sensitivity goes hand in hand with the amount of accidents that occur. Another aspect to consider is that it is not always easy to assign a value to information, eg. a patent must be protected by those security measures proportionate to protect its value. A simple example: having an object to which we attach a high value, to protect it will go emo to use a safety deposit box or a safe, we certainly would not keep it in a drawer. This reasoning is used to do it within the physical world but much less in the digital world, partly due to lack of awareness, partly because we are often convinced that we do not have enough interesting data or information. Therefore, on the one hand we have this problem that requires a cultural approach: cybersecurity solutions exist but it is necessary to make it clear that data has a weight and a value, they are easily exchangeable and extremely changeable. We must not be under the illusion that the value of that data is not important because it is precisely from that exchange that it is possible to derive value through analytics processing from which to derive the placement of a product, the range of customers who may be interested in it, what is attractive and what no, possible improvements and so on. The digital world, among other things, is connected to the real currency of our time: reputation. If we are unable to protect our customers' data and we do not generate a channel of trust, the reputation of our work or our brand inevitably collapses, and when it collapses there is nothing more to be done. On the web, there are many places where discontent can be expressed and where people who have had the same negative experiences or feelings can be gathered and attract many proselytes. When a channel of discontent is created, not only the individual subject but also the competition can exploit it by fomenting with further negative comments; it would not be an ethical practice but it is very realistic. If many restaurants have been forced to close their business because they have collected a series of negative comments on the various rating platforms, nothing prevents us from thinking that there are companies that, for the same reasons, inevitably see a downturn in business because they fail to protect and defend their reputation. Those I have talked about are the current challenges, the future ones will certainly pass through artificial intelligence and the use of automated systems. In this respect, the European Union is preparing a package of laws that can regulate the phenomenon. In fact, last summer a draft was presented to regulate AI and is still under discussion, while the Data Service Act has come to an end and there are other regulatory texts under discussion. From a regulatory point of view, the EU, albeit with the structural slowness of legislative production, is trying to provide the elements to manage this complex environment. From our point of view as sector operators, awareness is required of us and other fundamental approaches can be drawn from the bills that are currently under discussion, in particular the "by design" and "by default" approach. All systems, not only the tools but also the plan for the use of certain data, marketing campaigns and so on, must be organized from the earliest stages of design (by design) and by default (by default) in such a way. to guarantee the safety and protection of all data. It is clear that if you start with a mindset that leads you to think in terms of safety and protection, the system can only be born robust. Different, and ultimately much more expensive, is when security and confidentiality parameters are applied later in a system designed and built without. I feel like saying that it is no longer the case to "shut down the server after the bits have escaped". This and other topics will be discussed at Secsolutionforum 2022, which will take place online from 26 to 29 April 2022. Secolutionforum is a virtual space dedicated to meeting and interaction between companies and professionals. Installers, system integrators, designers, privacy consultants, DPOs, Security Managers and Public Administration will be able to broaden their skills and share problems and solutions through direct interaction with the top experts in the sector.