
National Recovery and Resilience Plan and Cybersecurity

Cyber-attacks are on the rise globally, evidence of how significant and pervasive the skills and resources of those with an interest in breaching security systems have become. Both SMEs and larger organisations, whether public or private, including those better equipped and with more resources, are targeted by cyber-attacks, often successfully, and these attacks cause huge financial and, most importantly, reputational damage.

A cyber-attack recently at the forefront of public debate is the one that last July targeted the IT systems of an Italian regional public administration. The attack highlighted several areas for improvement in the defence system. Its direct practical consequence was the disruption of the entire regional services network, including the vaccination management system, with non-negligible recovery times ranging from days to whole weeks, even in better equipped organisations.

According to some studies, in Italy the total cost of cyber-attacks for businesses and citizens in 2021 will be equal to approx. 6,000 billion dollars[1]. Moreover, as stated by the Minister for Technological Innovation, V. Colao, almost 95% of public administration servers are exposed to the risk of cyber-attacks. And yet, cybersecurity is often regarded by organisations as a cost they can do without, rather than as an investment. On the contrary, it is clear that improving the security of IT systems would cost less than the value of the risk of a cyber-attack, with its loss of data or disruption of normal operations.

Technological innovation and the digital transition have been expanding constantly and quickly in recent years, thus focusing the concept of business competitiveness on the ability to adopt cutting-edge technological solutions and to develop new applications that make operations easier and quicker, increase efficiency and reduce costs. Therefore, in order to achieve these targets, it is necessary to plan a solid cybersecurity strategy, i.e. the practice of protecting systems, networks and programs from cyber-attacks, which are usually aimed at the unauthorised access to, alteration or dissemination of sensitive data, or at the interruption of business operations[2]. Cybersecurity operates across various protection levels and is based on the integration of people, processes and technologies to build a robust defence and guarantee the confidentiality, integrity and availability of information (the so-called CIA paradigm).

The Italian cybersecurity regulatory framework includes various interventions aimed at outlining a final architecture that is still under construction. On 16 December 2020 the Commission published the EU Cybersecurity Package, a collection of regulations, directives, guidelines and policies on cybersecurity; among these are, in particular, EU Directive no. 2016/1140 (NIS Directive) and EU Regulation no. 2019/881 on ENISA (EU Cybersecurity Act). The NIS Directive is the first actual legislative document on cybersecurity and represents a centralised intervention aimed at attaining a minimum common level of security for networks and IT systems in Europe; it was implemented in Italy with Legislative Decree no. 65/2018. Its main requirements, in line with the need to centralise and coordinate information on incidents and cyber vulnerabilities, are the identification of a single point of contact at domestic and European level for cooperation with the NIS Authorities and the European Commission, and the creation of a single incident response centre through a Computer Security Incident Response Team (CSIRT).

ENISA, the European Union Agency for Cybersecurity, aims to guarantee a high and effective level of network and information security and to promote the establishment of a cybersecurity culture for the benefit of European citizens, consumers, businesses and public sector organisations, so as to guarantee the functioning of the internal market. The main tasks performed by ENISA are: i) the collection of appropriate information to analyse the current and emerging risks relevant to the digital world on behalf of the European institutions and the Member States' authorities; ii) the facilitation of cooperation between the Commission and the Member States in developing common methodologies to prevent, identify and resolve network and information security issues; iii) the tracking of the development of standards for products and services dedicated to the security of networks and information.

Generally speaking, the national cybersecurity governance framework is delegated to national security bodies, which are called upon not only to carry out information-gathering activities through digital systems, but also to intervene with a view to prevention, response and resilience.

In Italy, cybersecurity still needs to be addressed with a structured approach, but it is on the agenda of political decision makers, also with regard to the implementation phase of the National Recovery and Resilience Plan, which includes sixteen topics grouped into six macro missions, among which is digital transformation. With reference to this area, the Plan identifies three overall targets: the digitalisation of the Public Administration, the innovation of the Public Administration and the organisational innovation of the judicial system. Achieving the digital growth and modernisation targets is a priority for Italy's recovery and relaunch. Moreover, the digitalisation of Public Administration systems and services has become a topic that can no longer be postponed if citizens' and businesses' perception is to change and PA is to become a true 'ally', to recall the term used in the Recovery and Resilience Plan, able to drastically reduce the distance, and thus the bureaucracy-related delays, between public entities and individuals. This is even truer in the light of the 'forced' transition to remote work made necessary by the Covid-19 pandemic, which hit the Italian economy harder than other EU countries and revealed the delays accumulated by the Public Administration.

The PA digitalisation process is based first of all on the allocation of 620 million Euros and is structured into seven investment areas, among which is cybersecurity.

The first area of intervention concerns digital infrastructures, with the adoption of a cloud-first approach under which Public Administrations must progressively abandon their own IT infrastructures in favour of cloud technology. This measure became necessary because PA data centres do not ensure a suitable level of cybersecurity. The Agency for Digital Italy (AGID), in charge of coordinating PA digitalisation, structured the cloud-first strategy around three options that administrations can choose from when deciding which infrastructures to migrate to: 1) infrastructures offered by authorised private Cloud Service Providers (CSPs) listed by AGID in specific registers; 2) Community Cloud infrastructures for which public service contracts have been entered into by CONSIP; 3) infrastructures made available by the National Strategic Hub (PSN).

The second area of intervention focuses on a support and incentive program for cloud migration in the technical analysis and priority-setting phase, aimed in particular at local administrations.

The third investment measure concerns data and interoperability and pursues the target of PA's digital transformation by changing the design and interconnection methods between databases, in order to provide shared and universal access to data following the "once-only" principle, according to which information should be requested from citizens only once, with a consequent reduction in the time and costs of entering it. To this end, the Recovery and Resilience Plan sets out the need to create a National Digital Data Platform (PND), accessible through a dedicated service compliant with GDPR privacy requirements, which eliminates the need for citizens to provide the same information to various administrations more than once.

The fourth investment is aimed at strengthening and improving the efficiency of digital services and digital citizenship through a wider diffusion of PagoPA[3] (a system to simplify payments to Public Administrations) and of the IO[4] app, the introduction of new digital services, including in the mobility sector, and an integrated action to improve the user experience of digital services. Broadening the digital scope makes organisations even more vulnerable to cyber-attacks, since the data collected and processed are the most profitable target for intruders: as reported in [5], the average value of a medical record sold on the dark web is approx. 1,000 US dollars. Therefore, the legislator deemed it advisable to dedicate the fifth area of intervention exclusively to cybersecurity, starting from the implementation of the regulation on the "National Cybersecurity Perimeter". In particular, the investments reserved for cybersecurity are divided into four areas of intervention:

strengthening of front-line control systems for the management of alerts and detected at-risk events targeting PAs and companies of national interest;

building and/or strengthening of the technical skills for the evaluation and the ongoing audit of the security of electronic devices and applications used by entities carrying out vital functions to provide critical services to citizens;

hiring of new personnel, both for the public security and criminal investigation police forces dedicated to the prevention and investigation of cybercrimes targeting individual citizens, and for the forces dedicated to protecting the Country from cyber-attacks;

consolidation of the assets and cyber units in charge of national protection and security and of the response to cyber threats.

The sixth area of intervention focuses on the digitalisation of the large central administrations and covers various parts of the PA, such as Justice, Labour, Defence, Internal Affairs and the Tax Police.

The last area of intervention concerns the improvement of citizens’ basic digital skills, in order to support the digital literacy process.

Moreover, for the purposes of this article, it is worth mentioning the legislator's intent to digitalise, innovate and maintain competitiveness in the manufacturing system through investments in ultrafast 5G and optic fibre connections. The latter are a key condition for the realisation of the gigabit society and for allowing companies to make use of various 4.0 technologies (such as sensors, the Internet of Things or IoT, and 3D printers[6]). Internet connectivity and the many interconnections between devices bring benefits in terms of real-time interaction with data, but on the other hand they inevitably widen the attack surface exposed to cyber-attacks. And while experts work to prevent and manage cyber-attacks in dynamic contexts, there is one element beyond their control: the human factor, i.e. users' behaviour when using devices. The first true protection is users' compliance with best practices, which range from the correct management of passwords and access credentials and the careful handling of suspicious emails to connecting only to safe networks and keeping devices physically secure.

As a final note, the Digitalisation mission within the National Recovery and Resilience Plan allocates incentives and tax credits to businesses for IT products and for IT planning, consultancy and related services. This boost will lead private sector businesses to undertake a rapid path towards digitalisation. The trend observed so far confirms, in the private sector too, the adoption of cloud computing, the introduction of artificial intelligence algorithms, the adoption of the Internet of Things or IoT and the evolution of Robotic Process Automation or RPA as drivers for the performance of routine or low value-added activities, with the resulting opportunity to requalify personnel for higher value-added activities.

In this context, cybersecurity plays a key role in safeguarding IT assets and sustaining future developments, both in the Public Administration and in the private sector.

In many cases, public entities and private sector businesses have yet to identify the roles and responsibilities related to the management of cybersecurity and to structure a specific management process. In particular, it is necessary to define a risk analysis process that allows investments in cybersecurity to be aligned with strategic objectives, involving the entire chain of command. It is therefore crucial to regulate all key cybersecurity processes: the management of IT access, so that information can be accessed by authorised people only and each of them is restricted to the information they actually need; the management of physical access to premises and equipment rooms; the management of personal IT devices assigned to staff; the classification of information and the corresponding protection measures; the definition of correct backup and recovery procedures, as well as of operational continuity procedures, and so on. Adequate security measures also need to be identified (by way of example: firewalls, SIEM, antivirus/endpoint protection, etc.) to safeguard the infrastructure, together with projects to improve cybersecurity through ongoing reassessment. Finally, a good cybersecurity management process needs to include risk and performance indicators, with alarms and risk monitoring processes, including in real time, in order to respond promptly to threats.


[1] E. Ferretti, 'Cyber Security, approccio sistemico e sostegno alle PMI', Il Sole 24 Ore, 18 August 2021.

[2] CISCO.

[3] Payment platform between PA and citizens and businesses, under the PNRR.

[4] Versatile front-end/channel aiming to become the single access point for all PA digital services.

[5] M. Gabanelli and S. Ravizza, 'Hacker attacks, health data at risk: the secret list of 35 hospitals targeted', Corriere della Sera, 28 September 2021.

[6] Classification included in the National Recovery and Resilience Plan.