General
Finally, after a long wait, Italy’s National Cyber Agency (NSA) has published the National Cyber Strategy (NCS) for Italy. The time frame of the strategy is 5 years, 2022-2026. The document has two main chapters: the first deals with the challenges and the second presents the strategic vision and the objectives to be pursued. In conjunction with the Strategy document, the NSA also published an elaborate (too elaborate in my view) implementation document.
The importance of a National Cyber Strategy for Italy should not be underestimated. A strategy document should serve as the keystone for the building of Italy’s capacity (defensive and offensive) in cyberspace. This is the very reason I have always believed and advocated that the NCS should be developed in close conjunction with all the relevant key stakeholders in the Government and in the civilian sector. The end goal of our strategy should be to build an advanced, modern cyber capability for Italy: a process that might take years to achieve.
The NSA Strategy Publication
Reading the NSA Cyber Strategy for Italy gives me a sense of a missed opportunity to deal with some core aspects of our national security needs through the prism of cybersecurity. This is extremely important considering the Russian conflict and the cyber threats that Russia and other key players pose to our values, security, and economy.
In the first chapter, the NSA Strategy document lists three main risks: 1) cybercrime and State campaigns; 2) technology manipulated by rival governments that may affect the supply chain, both in terms of availability and reliability; and 3) the use of fake news through ‘influence operations’. The threat assessment is a critical part of any strategic document and is needed to keep our efforts and our response focused.
Chapter two sets out four objectives to be pursued: 1) the protection of national strategic assets, through a systemic approach aimed at managing and mitigating risk; 2) the objective response to national cyber threats, incidents, and crises; 3) the development goals for digital technologies, research, and industrial competitiveness, capable of responding to market needs; and finally, 4) the enabling factors.
In my view, this National Strategy would have been a good opportunity to analyze and deepen the blocks of knowledge that are needed for our national cyber security, as I will present below.
My Recommendations on the National Cyber Strategy
The formulation of Italy’s National Cyber Strategy needs to directly involve all relevant stakeholders, such as: Public Administration (especially the Healthcare Sector), Military, Intelligence, Security Services, Civilian Business Sectors (Financial, R&D particularly in the medical and pharmaceutical fields), and to consider the relevant International, NATO and EU players. In my view the National Strategy for Italy should consist of the following parts:
First, the assessment of Italy’s strategic environment in three spheres, i.e., analysis of the external and regional strategic environment in cyberspace in both the defensive and offensive contexts, including Allied States, NATO, the EU, rival states, and enemy States; analysis of the strategic environment relevant to terror organizations and criminal organizations active in cyberspace; and analysis of the strategic environment resulting from the internal sphere of Italy. From the above assessment, we will need to derive the overall implications and the consequences for Italy.
Second, our National Cyberspace Goals, including defensive operational goals both for confronting cyberattacks and cyber incidents and for confronting ‘influence operations’ on the Italian public and its decision makers; intelligence gathering in cyberspace and early warning at the national level; offensive operational goals for offensive responses to attacks and counterattacks, preemptive attacks, and retaliation attacks; and goals related to the interface between operations in cyberspace and the physical space.
Third, the Threat Assessment, including classical cyber threats of unlawful penetration of networks, computers, end-devices, communications, datacenters, the supply chain and the like; the threats of rival states installing “Red Batons” and maintaining them in critical and strategic assets of Italy; ransomware attacks on the public and private sectors; cyber espionage and industrial espionage by State actors and criminal organizations; cyberterrorism threats both internal and external; and influence operations threats. I would also recommend that we consider characterizing the national reference threat, which would consequently help synchronize and focus our response.
Fourth, the Use of Force in cyberspace, the response to the threats, and the organization of synchronized operations. This part determines the principles of the use of force in cyber (defensive, intelligence gathering and offensive) at the national level, which includes: principles of defensive use of force in response to the various threats; determining the principles of National Cyber Defense in all sectors in relation to threat clusters; principles for intelligence gathering in cyberspace, the development of joint offensive infrastructures and more; determining the principles of cyber offense from a national point of view and the interface with cyber defense; the role of the private sector (if any) in the national use of force; and defining and updating the use of force principles for all the above during routine, emergency, and war times.
Fifth, our Command-and-Control principles at the State level, including: determining emergency situations at various levels (routine, emergency, war, natural disaster, pandemic); analysis of the authority and interactions between all parties in all emergencies (who is responsible for what, and who determines the allocation of resources and the necessary achievement); and the division of authorities and powers of action vis-à-vis all sectors: Security, State, Government, Business Sector, Citizens. A special reference should be made to all security and intelligence organizations and stakeholders to define (again) who is responsible for what.
Sixth, the overall Capacity Build-Up for Italy. It refers to a breakdown of all national efforts to be intensified in the cyber field. I refer to them as Capacity Build-Up Pillars: 1) the development of technology and means enabling the implementation of Italy’s cyberspace strategy; 2) the development of Italy’s cybersecurity human resources by encouraging academic and non-academic studies and training based on a holistic approach; 3) maximizing national potential through organizational development in line with the new EU requirements for digital products and ancillary services [1], including the need for a macro analysis of the nation’s cyber-security needs, building the nation’s cyber-security eco-system accordingly, and defining the roles and responsibilities of the various entities; 4) drills, training and assimilation; and 5) international cooperation on cybersecurity, including the sharing of information and best practices aimed at industrial, technological, and scientific development.
Conclusions
In my view the published strategic document should be more specific and tailored to the actual needs of Italy and the EU, especially keeping in mind: 1) the EU Commission’s position about the lack of efficient intra-state cooperation on cyber security and resilience while applying the NIS Directive [2]; 2) the new measures drafted in the proposal for the NIS 2 Directive (to be adopted in the coming months), which ask Member States to guarantee an effective and common higher level of cybersecurity [3]; and 3) compliance with the EU’s Cyber Posture (delivered on May 23rd 2022 by the European Council), which underlines the necessity of including cybersecurity considerations in all EU public and sectorial policies [4].
The implementation plan document is important; however, it has two main flaws: 1) it does not deal with the missing strategy blocks as I presented above, and 2) it is way too detailed and, in my view, should not have been part of the high-level Strategy document; it should rather have referred to the big blocks of the strategy. This looks like a case of “biting off more than one can chew”.
In light of the above, I would recommend that the Italian Cyber Strategy be completed to fill in the missing parts, so that the document may be a comprehensive and effective Strategic Compass for the reinforcement of Italy’s cyber security, especially during these troubled times. And we should always keep in mind that putting in place the Strategy (any strategy) is only the first stage; the actual implementation of the strategy will be the real challenge.
[1] See the proposal for a Cyber Resilience Act (2022), aimed at setting out horizontal cybersecurity requirements: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13410-Cyber-resilience-act-new-cybersecurity-rules-for-digital-products-and-ancillary-services_en
[2] https://www.enisa.europa.eu/topics/nis-directive
[3] https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333
[4] https://www.consilium.europa.eu//media/56358/st09364-en22.pdf