Cybersecurity, how Italy can catch up by Chiara Rossi

Who was there and what was said at the event "Cybersecurity – Public Administration and Secure Enterprises", organized by the Center for American Studies

In the field of cybersecurity, Italy "conquers" a sad record: our country was the first in Europe for ransomware attacks in March. "From the ransomware attack on the Lazio Region to the Ddos attacks in the Senate. Moments that have made it clear to us how fundamental IT security is for a country that aspires to play a leading role and the digitization of its services". This is what Nunzia Ciardi, Deputy Director General of the National Cybersecurity Agency (ACN), explained at the event "Cybersecurity – Public Administration and Secure Enterprises", organized by the Centro Studi Americani in collaboration with Open Gate Italia and Paesi Edizioni. The ACN is the national cyber security authority that must raise the country's cyber resilience. "In addition to investing in digitalization, we also need to talk about system security. Finally this topic has the dignity it deserves. We insiders were suffering a bit of a periphery of thought, outside the forums it was not worrying for everyone this sector. Today the subject has sadly jumped to the headlines. It is at this moment that the National Cybersecurity Agency (ACN) is born, lagging behind other European countries it cannot be hidden. We arrive and suffer a delay, in a situation that is not rosy. In all this, however, there are strong elements of positivity: the speed with which the agency was established, and it is not trivial", underlined Ciardi. Here is everything that emerged from the meeting attended by Giuseppe Russo, Security Assurance Manager of Amazon Web Services Italy, and Cristiano Alborè, Portfolio Development Director of Telsy (Tim group). CYBER-CRIMINALS EVOLVE RAPIDLY "It is an emblematic phenomenon, a malware that encrypts data making it completely unavailable to the owner. If I am asked for a ransom to decrypt this data I am tempted to pay. The most obvious defense is to create a backup, so as to have a copy detached from the network. But crime evolves rapidly, ransomware has evolved, and attackers no longer demand ransom to decrypt data but not to publish it. There is a risk of enormous reputational damage to the image of the affected company", explained the deputy director of the ACN. In addition, Ciardi pointed out, "a ransomware attack is very difficult to discover, a police force that arrives at the scene of the crime is faced with all encrypted data and all operations take place in cryptocurrencies (including ransom) in the dark web where we find servers distributed all over the world. The investigative activity is complex and many are tempted to pay. Unfortunately, companies are tempted not to report, to pay to silence everything and not to suffer the damage to their image. They range from 500 thousand euros to 8 million euros, very high figures that go to feed cybercrime, which is already growing a lot ". HOW TO DEFEND YOURSELF "The solution is to defend oneself better, to invest in security - highlighted the number two of the National Cybersecurity Agency - We must understand that security is not a cost but an investment. Usually investments are made downstream of an attack, it would be better to do it first to try to reduce the possibility of being attacked by a lot". "We clear the field of the idea that absolute security can be achieved, but we must reach an acceptable level where risks and benefits can find their balance, a sufficiently good level." Therefore, Ciardi recalled, "the ACN will have tasks to help companies in the prevention of attacks and remediation, that is, once hit, we are alongside the subjects in the activity of restoring the operation of their systems (as in the cases of attacks on Railways and Mite)". THE ACN'S TASK: STIMULATING TECHNOLOGICAL AUTONOMY First of all, the deputy director of the ACN reported: "We Europeans are great users of technology but we do not produce our own technology". So "the ACN has the task of stimulating a technological autonomy, European in the first instance and Italian in the second. Technological autonomy is a driving force for the country's economy, but because it represents security, it otherwise means serving a deficit in safety". THE IMPORTANCE OF PUBLIC-PRIVATE PARTNERSHIPS In addition, "we need precise professionalism: we have a deficiency that is not only Italian but global. those few Italian skills, however, have gone out", remarked Nunzia Ciardi. "The ACN is trying to bring them back as well as stimulating new professionals with partnership assets with schools and research institutions and public-private and international collaborations. The network has crumbled every space-time boundary so collaboration must be a fundamental weapon to manage cyber security". BUY NATIONAL The business world is also of the same opinion. "Synergy is fundamental and so is public-private partnership because institutions must invest and buy Italian products," said Emanuele Galtieri, CEO of Cy4Gate. "Other countries (Americans, Israelis for example) buy domestic, so far we have favored foreign products", underlined the number one of Cy4gate. And speaking of technological autonomy, according to Galtieri "it is pursued through partnerships. Businesses and institutions must work together and overcome dichotomies, to achieve that sufficient degree of cybersecurity to the point of bringing the country system to cyber tranquility. The paradigm to make a qualitative leap is precisely public-private partnerships" highlights the CEO of Cy4gate. THE NIS 2 IS COMING SOON In addition, nis 2 will soon be adopted , the proposal to update the 2016 NIS Directive with which the EU aims to strengthen the cyber security framework at European level. Therefore "we have only 2 years to adapt to the directive that requires a high level of computer security", reported Annita Sciacovelli, professor of International Law at the University of Bari Aldo Moro and the Unint of Rome and Cybersecurity specialist, Research Visiting Fellow at the Jerusalem Institute for Strategy and Security. "We can create a hundred agencies, but we have to take the actual measures. We can also create the best cybersecurity infrastructure but then we must also do adequate risk management and risk assessment", pointed out Sciacovelli. NOT ONLY PA, A NATIONAL CLOUD ALSO FOR SMES To give an acceleration in digitization there is "The PNRR which is important to fill a gap, but the sector is constantly evolving. Criminal organizations always find how to evolve", noted Stefano Mele, Partner of the Gianni & Origoni Law Firm and President of the Cyber Security Commission of the Italian Atlantic Committee. "And then there is the issue of SMEs in Italy that have an economic value of over 60% of GDP, but do not have the culture of resources and workforce to achieve the objectives of the cyber security perimeter. So it is politics that must find a solution. In fact, we are moving towards the creation of the PSN (National Strategic Pole for the national cloud) for PAs but it must also be created for SMEs", Mele hoped. Therefore, according to Mele "it is the task of the state to offer an extra solution: a national cloud for SMEs similar to that for PAs, optional, with a small incoming payment, with the same levels of cyber security made available for PAs". AIMING FOR STRATEGIC AUTONOMY Finally, "beyond training it is necessary to make public-private interaction and tend to strategic autonomy", recalled Federica Dieni, pentastellata deputy and vice president of Copasir. "It is necessary to do this at least at the European and NATO level. The Ukrainian decree with articles 28 and 29 affirmed the possibility of bringing the cloud within the golden power legislation, and this is fundamental to preserve the national and EU strategic independence, at the same time it has allowed to differentiate the security functions and force the PAs to diversify. We must understand that we cannot put ourselves out to tender for the most advantageous offer for the safety of our public administration with all the risks involved", concluded Dieni.