By Pasquale Preziosa | 08/15/2021 - Defense
After the launch of the National Cybersecurity Agency, there are at least three aspects to be implemented to ensure full resilience in the country: regulatory, structural and in terms of strengthening controls. The comment by Pasquale Preziosa, president of the Eurispes Security Observatory, former Chief of Staff of the Air Force
The new National Cybersecurity Agency has taken its first institutional appearance. The Agency could not be part of the secret services, whose focus is mainly on regional crises, threats to the national economy, subversion and extremism, the hybrid threat, jihadist terrorism, illegal immigration, crime organized, the cyber threat and more.
Unfortunately, our country continues to be in fifth place in Europe for the number of cyber attacks. When fully operational, the Agency will complete the national resilience already defined with the establishment of the cyber perimeter of national security, with the declared aim of increasing the promotion of the culture of cyber security, through a wide regulatory, administrative and patrimonial autonomy. , organizational, accounting and financial.
The establishment of the Agency will not be the last structural change for the IT protection of our country, because it will be necessary to urgently strengthen the cyber prevention sector that is not feasible at the moment, with the regulatory framework in force. The cyber domain, together with the other domains consolidated over time, underlies the strategic competition in progress and represents the indispensable tool for being relevant in the new world order. It is used by both state and non-state organizations, and is a pervasive, silent, almost unknown tool in the deep and dark part, capable of greatly increasing performance in the application sector as well as being able to destroy it. Like all domains, it needs the organizational pillars in order to operate, i.e. policy, strategy and tactics. If the policy objective is represented by the mitigation of the cyber security risk of an institution, the strategy will have the task of aligning all the means available (regulatory, financial, instrumental and human capital) to lower the risk of cyber attacks that may degrade the efficiency and effectiveness of the institution. The starting point in every domain is the knowledge of who is interested in us and with what purposes and what possible means, it is the knowledge that allows the best preparation of the means of contrasting the cyber threat. In other words, we must have the so-called "situational awareness (SA)" for our IT field of interest, updated moment by moment, or be able to produce "Intelligence Cyber" analysis, we must have the ability to prevent a cyber attack, any sabotage launched against our production capacities.
The non-Italian state cyber world has already created offensive tools (cyber bombs and traps) to cause irreparable damage to opponents. The cyber war is already underway both between states and in the private sphere. We cannot control it only with the judiciary, whose investigations are already very complex in the real field, but in the cyber field they become impossible due to the difficulty of "attribution" of the attack. A targeted cyber attack can lead to business failure. If even crypto currencies (a sector not yet regulated) have recently been targeted with a big shot worth 600 million dollars (Poly Network), no one can be considered immune from the possibility of suffering cyber attacks. Without a solid ability to prevent cybercrime and without a structure for verifying the vulnerabilities of computer networks, the levels of risk for the Nation will be very high with important impacts on national security levels. Cyber intelligence is not exclusive to the public domain, with the fall of the Berlin Wall it expanded to the private sector and is at the basis of the industrial competition in progress. The prevention of cyber attacks is based on cyber exploitation and possibly the cyber attack, even preventive, activities that must be provided for by the law of the State for the bodies authorized in the specific sector. Many states have already authorized the aforementioned functions for their own security agencies. Our country has an urgent need to fill this regulatory gap that does not allow cyber intelligence to exercise the preventive (knowledge) function through cyber exploitation, and this partly explains why we are in fifth place in Europe for the moof cyber attacks against our country and we must turn to allied countries to know the origin of the attacks. In the cyber world we must bear in mind that there are no ethical barriers: everyone spies on everyone. In terms of controls, much has already been done by the Agency for Digital Italy but it is still not enough. The minimum ICT security measures, although organized on three levels, are mainly based on the self-certification of the entities (Implementation form), unfortunately not highly effective. The Agid also provides for ABSC 4 or the continuous assessment and correction of vulnerability also through Stress Tests. The more frequent adoption of checks by qualified third parties (White Hat) for IT systems may give greater confidence to the resilience capabilities of the network. After the launch of the Agency, in order to achieve minimum sufficiency and align ourselves with other European states, there are therefore at least three aspects to be implemented: regulatory, structural, in terms of cyber intelligence and strengthening the effectiveness of controls.
THREE ARTICLE CHALLENGES