From Huawei to Kaspersky: Italian cybersecurity, child of the current media hype

After the Chinese with Trump's ban, and Google & co over the European cloud, today it is the turn of the Russian company, which has become the subject of parliamentary questions in the wake of the conflict in Ukraine. Is security really at risk, or is this just another case that has hit the headlines to divert attention from national inefficiencies?

15 Mar 2022, Mila Cornflowers, Director

"Without technological autonomy there is no IT security": this is how the undersecretary to the prime minister with responsibility for national security, Franco Gabrielli, interviewed last night by Nicola Porro on "Quarta Repubblica", answered a question on the case of the Russian antivirus Kaspersky. The product is used by many central and local Italian public administrations (the case of the Prime Minister stands out), as well as by universities and a long list of local companies and private citizens, and it inevitably ended up in the media crosshairs following the outbreak of the Russian-Ukrainian conflict.

Gabrielli's answer is obvious, to say the least, but at the same time a non-answer. Technological autonomy does not exist: not in Italy to begin with, but not in Europe either, and even less so globally. There is no system or technological infrastructure that does not involve one or more parties from different, extra-national backgrounds. No country, not even the United States and China, to mention the two opposing and most advanced poles in the world, can truly be called technologically independent.

Companies make their way through investments in research, development and innovation, and those that can claim to be a technological "giant" in their sector have evidently managed, more and better than others, to establish themselves in their market thanks to skills, resources and also a certain reliability. It is also evident that each country tends to "push" its own companies, and that state holdings in many technology companies, starting with those in the defense sector and extending beyond it (think of telecommunications), contribute to the success of this or that player, of this or that technology. Cybersecurity, understood as the security of critical infrastructures and so-called "sensitive" data (those relating to defense, telecommunications, energy, health, public administration, etc.), is obviously a national issue.

But suddenly waking up and pointing the finger at a company, or at companies of a specific origin, is certainly not the solution. First it fell to the Chinese, with Huawei becoming the West's scapegoat, then to Google & co in the cloud contest with a Europe in search of its own identity (yet to be found), and now it is the turn of Kaspersky, the Russian par excellence. "Immediately replace the Russian antivirus, delete the Russian antivirus": these are the "tips" that have been bouncing around for days from the mouths of experts or self-styled experts, complete with social media campaigns.

History repeats itself and gets out of hand every time: the issue of security is confused, and badly, with that of data sovereignty, which is a completely different story and depends not on who does what but on what rules are established to guarantee the protection of information. Who owns the hardware and software is indeed important, but if a country is not able to produce all of its own hardware and software (as well as all the associated components in the chain), it is useless to waste time in sterile debates.

Italy has equipped itself with the so-called "cyber perimeter", a framework of rules and authorizations so complex and restrictive that it is daunting. Even Italian companies complain about it: bureaucracy to the nth degree, technical queries that often go unanswered, anachronistic operational delays. But beyond these considerations, the regulatory framework exists, it is considered one of the most stringent in Europe, and it is coupled with the one created by the EU itself to defend its data and infrastructure. The question to ask is therefore not so much who the supplier of the moment is, but whether the rules that have been developed are able to guarantee the protection of national data. If the answer is yes, then the story is over. If the answer is no, then take action to get it right, rather than pointing the finger every time at the company of the moment.

"Without technological autonomy there is no IT security".

Returning to Gabrielli's statement, the question to answer is this: is there information security with technological autonomy? Would the "made in Italy" stamp be enough to guarantee security?

Today the National Cybersecurity Agency (a creature born a few months ago, while in other countries counterparts have existed for years) declared that at the moment there is no objective evidence "of the lowering of the quality of the products and technological services provided" by the Russian Federation, but in a context of "growing international conflict, risk cannot be separated from a reassessment of the risk that takes into account the changed scenario and that considers the consequent adoption of mitigation measures". The agency therefore asks that the guard be raised on antivirus, antimalware, web application firewall, e-mail, cloud services and managed security services produced by Russian companies. And the advice should apply to all non-EU technologies at this point, so that we do not find ourselves tomorrow having to raise the bar on who knows what technologies from who knows which countries.