On October 25th, 2022, newly appointed Italian Prime Minister Giorgia Meloni reaffirmed the centrality of cybersecurity in her inaugural speech at the Chamber of Deputies. Let’s take a look at the context to understand the Italian government’s challenges and think of solutions to improve digital security in the country.
The pervasive spread of information and digital technologies has made cybersecurity one of the most pressing global security priorities. With the National Recovery and Resilience Plan, which places the digital transition at the center of Italy’s economic development, decisions to secure emerging technologies take on fundamental strategic importance for the country’s future. Newly appointed Prime Minister Giorgia Meloni reaffirmed the centrality of cybersecurity in her inaugural address to the Chamber of Deputies. What challenge does the Italian government find itself facing? What are the priority goals to make technologies and networks more secure? The overall context of cyber threats suggests that culture and the national technology market will be the crucial points in securing strategic success.
The volume of attacks has grown in proportion to the increase in remote work. In 2021, the growth was 10% over the previous year. There have also been qualitative changes in the global threat level. The average impact of a cyber-attack is at a higher level than in previous years. The sectors that count the highest number of victims are those sectors that are “critical” to the essential services of any state (government/military, IT, and health infrastructure).
According to CLUSIT, the Italian National Association for Information Security, cybersecurity is at the top of the list of the most pressing global security priorities. Consistent with the increasing frequency of large attacks such as Stuxnet, WannaCry, NotPetya, and SolarWinds, the trend solidifies the impression that cyber incidents have become increasingly frequent, organized, sophisticated, costly, and, as a result, more dangerous.
For CLUSIT experts, Italy faces a similar context, but it differs from the global figure in two areas in particular. The first concerns the type of targets. The most frequent victims are the financial and insurance sector and the Public Administration (PA). In aggregate, these targets amount to about 50 percent of Italian cyber incidents. This is followed by industrial services, with 18 percent of the national figure.
The second aspect concerns the most widespread attack techniques, which revolve around email security. The emerging finding confirms that the threats probing the public and private sectors are devious and rooted in social engineering. Indeed, they leverage deception and the lack of human awareness of cyber issues and digital risk. In the most traditional mode (email phishing), social engineering messages prompt their targets to click on links or download seemingly legitimate files that turn out to be vectors of intrusion into, or compromise of, the victim’s system.
Today, attack techniques are evolving. Experts say they are difficult to monitor, quantify and intercept. It therefore becomes a must for private and government organizations to stay abreast of evolving attack techniques that seek to exploit the weakest entry points. In Italy as elsewhere, these are often human beings.
Regardless of the attacker’s origin, whether criminal or state, protecting public administration (PA) and small and medium-sized enterprises (SMEs) is a strategic necessity. This is not only because these have endemic problems but, rather, because what is endemic is the risk their cyber insecurity poses to the business continuity of the production system and essential services (e.g., those of critical infrastructure such as the health care system). At present, in addition to technical skills and economic resources, there is a lack of knowledge of and sensitivity to cybersecurity issues. Indeed, it is this lack that leads to underestimating threats such as those concerning email security.
It follows that one of the biggest challenges in this field is cultural. Investment has long been focused on training the younger generation. There are many international and Italian initiatives that aim to instil a culture of cybersecurity and digital security in younger people, e.g., the European Cyber Security Organization’s Youth4Cyber and, most recently, Lazio’s Cybersecurity Academy. However, training the younger generation takes a long time, while the challenge is urgent. Any defensive strategy inevitably passes through the training of the current workforce. Therefore, a digital security culture that cuts across Italian society, taking action to fill the deficiencies of the present, becomes essential.
Steps forward have been taken in recent years. Initiatives such as the creation of the Agency for National Cybersecurity (ACN), the publication of the National Strategy 2022-2026, and putting technological modernization first in the PNRR should not be ignored. The new Cloud Italia project – a digitization effort by the Italian PA – proposes a technological solution that can secure public data and services through reliable and resilient cloud infrastructure. The cloud would improve management standards regarding cybersecurity risk in PA.
However, given the shortcomings of SMEs, their historical weight in the country’s production system (41 percent of Italy’s GDP) and the strong interest of malicious actors in the industry, the cloud’s strategic function is currently incomplete. Without expanding the national cybersecurity perimeter beyond the public sector, the risks of cyber compromise in the private sector persist in the short to medium term. They constitute an imminent threat. Widening the Cloud to make the adoption of cybersecurity best practices structural and homogeneous across the public and private sectors can serve a strategic-economic purpose.
In a passage in the above-mentioned inaugural speech, the Prime Minister reaffirmed that innovation and cybersecurity are interdependent and go hand in hand. Although telegraphic, Meloni’s reference to a return to thinking about an industrial policy that can take advantage of the high quality of Italian manufacturing, in the technological field as well, is relevant. An Italian technology market dedicated to the research, development and production of cutting-edge technologies that can integrate security into their design, and that, in addition, preserve user privacy as indicated by the European Union cybersecurity certification framework, would be interesting, as well as useful from a security and economic point of view. We can be inspired by virtuous examples seen abroad with public-private partnership initiatives, forming, for example, interdisciplinary strategic hubs that unite universities, companies and government institutions.
The goal is ambitious, legitimately consistent with the status of a G7 and Atlanticist country. To achieve it, the government can and should take advantage of the strategic opportunity created by the NRP on digital. Solutions need to be made structural, with an institution that has a mandate and coordinating responsibility for both government and the private sector. However, doubts remain. The current lack of an innovation ministry in the government set-up does not bode well today. From the dimension illustrated in the above-mentioned CLUSIT Report on the state of Italian cybersecurity, the challenge is pressing. The national security of the coming years will come from the protection of the production system, public institutions, and personal data. Continuing education and the technology market are the way forward.
Author: Alessandro Colasanti
Editor/Translator: Gianluca Riglietti