The analysis by Lucrezia Falciai, member of the Italian Atlantic Committee
Through the decree-law containing the urgent measures to counter the economic and humanitarian effects of the Ukrainian crisis, the Government, in order to prevent harm to IT security, formally introduced the obligation for public administrations to "diversify" technological products and services from Russia. On closer inspection, in reality, the national legislator has made the alarm recently raised by the National Cybersecurity Agency (Acn) binding on public entities, with which it highlighted the risk that, given the contingent situation, Russian companies will not be able to provide adequate support in relation to their products and services. On the one hand, the decision to limit the spread of Russian products is absolutely in line with those taken by other European and international players, who have suggested limiting their use, such as, for example, the United States and Germany. On the other hand, the approach taken by the Italian legislator is in line with the strategy adopted by our country, which is increasingly focusing its attention on the level of IT security and information of the key infrastructures for our national security. Moreover, as also emerges from this year's report by our secret services to Parliament, public administrations are confirmed to be among the main targets of malicious activities directed against the IT assets relevant to national security. A further element of attention, which adds to this worrying scenario, is also identifiable in the intensification of malicious activities directed at ICT service providers. Moreover, the report of our secret services also specified how, in 2021, one of the most relevant threat vectors were the attacks aimed at compromising users with administrative privileges to perform lateral movements within the systems of third parties and obtain access to company resources by exploiting the relationship of trust between the parties. Therefore, considering the scenario briefly outlined up to now, the choice to diversify IT security technological products and services from Russian companies is consistent with what has been outlined up to now by the Italian legislator on the protection of national critical infrastructures (e.g. the perimeter of National Cyber Security and the action of the CVCN). However, the decision to limit the spread of Russian products could only marginally stem the risk of cyber attacks. In fact, reasoning in this light, the problem should arise with any technology coming from foreign countries since it is obvious that any security tool could facilitate malicious activities or, at least, those of espionage. In this context, the reasoning of the ACN Director acquires great value, which emphasizes the limited strategic autonomy in the ICT sector, both at national and European level, and reiterates the need to create a digital market for the Union to ensure sovereignty. also in this sector. This approach also places emphasis on the importance of developing Italian products and services in order to ensure greater protection of our strategic assets.
law decree