ITALY HAS A NATIONAL CYBER SECURITY STRATEGY
Presented at Palazzo Chigi, the five pillars and 82 measures in the document drawn up by the National Cybersecurity Agency provide for funding, incentives and tax relief, the strengthening of public-private collaboration, and an important role for university research. At its core are innovation, startups, cryptography, training and education, and a national technological hub.
By ARTURO DI CORINTO
Nobody saves himself alone. The watchword is cooperation. This is the ultimate meaning of the national cybersecurity strategy 2022–2026 presented at Palazzo Chigi by Undersecretary of State, prefect Franco Gabrielli and Professor Baldoni, director of the ACN (National Cybersecurity Agency).
The strategy's main focus is indeed collaboration between state institutions, businesses, public administration and academia. The strategy, which includes a 27-page glossary, and the 82 measures necessary for its implementation finally make public, in black and white, what Italy’s cyber posture will be in the coming years, respecting everyone’s role but urging the whole of society to do its part.
After all, the pandemic of ransomware attacks against companies in the last two years, the daily phishing campaigns against the public administration, the DDoS attacks on banks and ministries in recent days, and long-standing foreign cyber espionage amply justify the need for it. For once, it also comes with certain funding within a clear regulatory framework.
As Prime Minister Mario Draghi writes in the introduction to the presentation document: “The Italian strategy for cybersecurity combines security and development, while respecting the values of our Constitution. It is in line with the provisions of the European Union strategy for cybersecurity of December 2020, the Strategic Compass for EU security and defense of March 2022 and the recent strategic guidelines of NATO. To do this, it will be crucial to allocate adequate funds on a continuous basis”.
And this in the awareness that cyber threats “are aimed at obtaining illicit profits (cyber-crime), generating information advantage for the purposes of geopolitical competition (cyber-espionage), spreading divisive and polarizing narratives in adherence to specific ideologies or political motivations, no organization, even technologically equipped and procedurally prepared, can aspire to completely eliminate the threats that emanate from cyber space”. To counter these threats, the strategy has five pillars:
- Ensure a cyber resilient digital transition of the Public Administration (PA) and of the productive fabric
- Ensure National and European strategic autonomy in the digital sector
- Anticipate the evolution of the cyber threat
- Cyber crisis management
- Counter online disinformation in the broader context of the so-called hybrid threat
The measures of the strategy
Strengthen, promote, prepare, enhance, foresee, implement: these are the most used words in the 82 measures that the ACN is to apply to the country system in collaboration with the competent institutions.
So while Measure #1 plans to “Strengthen the national technological scrutiny system to support supply chain security and the adoption of European cybersecurity certification schemes, also through the accreditation of public/private assessment laboratories”, Measure #10 provides for the publication of guidelines on cybersecurity for Public Administrations, with reference to the transition to the cloud for continuous and automated management of cyber risk, according to a “zero trust” approach. Measure #16, on the other hand, specifies the importance of facilitating the secure migration of public administration services and data to the cloud, in line with the Italy Cloud Strategy. Measure #22 promotes the use of cryptography in an unclassified context. Measure #32 aims to create a High Performance Computing infrastructure dedicated to national cybersecurity, as well as the development of simulation tools, based on Artificial Intelligence and machine learning, to support the phases of prevention, discovery, response and prediction of the impacts of systemic cyber attacks.
Then, in Measure #33, comes the increase in response and recovery capacities following cyber crises, to be achieved by implementing a network of CERTs integrated with CSIRT Italy, as well as a national crisis management plan.
Measure #49 provides for a “National cybersecurity park” that hosts the infrastructures necessary for carrying out research and development activities in the field of cybersecurity and digital technologies, equipped with a “widespread” structure, with branches distributed throughout the country. It goes in tandem with the next measure, which is aimed at promoting the internationalization of Italian companies that offer cybersecurity products and services.
All this under the banner of a renewed importance attributed to the research and development sectors of new technologies, also through financing, public and private investments with particular reference to startups and innovative SMEs in Measure #54 and the provision of incentives for the development of startups operating in the cybersecurity sector and public-private partnerships with female-run cybersecurity companies in Measure #64.
The objective is therefore clear: “plan, coordinate and implement measures aimed at making the country safe and resilient even in the digital domain, while ensuring citizens’ trust in the possibility of exploiting its relative competitive advantages, in full protection of fundamental rights and freedoms”; it implies the recognition that “cybersecurity has become a matter of strategic importance, and must be the foundation of the country’s digital transformation process, also with a view to achieving strategic national autonomy in the sector”; and with a recommendation: “cybersecurity must not be perceived as a cost, but as an investment and an enabling factor for the development of the national economy and industry, in order to increase the competitiveness of the country-system at a global level”; which is why “the securing of infrastructures, systems and information from a technical point of view must be accompanied by cultural progress at every level of society, towards a “security-oriented” approach, an indispensable element for protecting our values and democratic system”.
The Agency will not do everything alone. The aims pursued through the recent reform of the national cyber architecture come from afar: from the Monti decree of 2013 to the Gentiloni decree of 2017, up to the adoption of European directives such as the NIS, the GDPR and the creation of the national security perimeter under former governments, and then the establishment of the National Cybersecurity Agency (ACN), with the goal of rationalizing and simplifying the fragmented system of competences existing at national level.
The Agency, in its capacity as National Cybersecurity Authority, will have various tasks in addition to preparing the national cybersecurity strategy, and presents itself as a further pillar completing the existing ones: the prevention and repression of computer crimes (under the responsibility of the Police forces), defense and military security of the State in cyber space (pertaining to the Ministry of Defense) and information research and processing (within the competence of the Security Information Bodies).
The funds of the strategy
The financial endowment for the first interventions is fundamental to the implementation of the strategy. The PNRR specifically allocates 623 million to the strengthening of Italian cybersecurity, with over half, more than 300 million, for the Public Administration alone. But, as stated in the document, specific funds may also be made available year after year by the financial laws, to support specific projects of interest. To this end “a percentage share of gross national investments on an annual basis will be reserved”. These financial levers may also consist of tax relief for companies or the introduction of national areas with subsidized taxation for the establishment, for example, of a “national cybersecurity park” and related “hubs” located throughout the country.
Furthermore, there will also be the funding that the Agency will be called upon to manage as a European National Coordination Center (NCC) according to the rules establishing the European Competence Center for cybersecurity in the industrial, technological and research fields, together with the network of national coordination centers, which will in particular channel the funding from the Horizon and Digital Europe programs.