Cyber News: DPCM 17 February 2017 released

(by Alessandro Rugolo)
24/06/17

The new "Directive laying down guidelines for national cyber protection and information security" has recently come out.

Was a new rule needed?

I would say yes.

Let's see what is new and make some personal considerations of a general nature.

The "Directive on national cyber protection and information security" is now a Decree of the President of the Council of Ministers (DPCM), issued on 17 February 2017 and published in the Official Gazette, General Series no. 87 of 13 April 2017.

What is its purpose?

First, to update the previous rules, which date back four years (DPCM 24 January 2013); second, "to bring into a unified system the various competences involved in managing crisis situations ..." in the cyber field, the lack of which (of unity!) is obviously the source of the difficulty in responding to a possible cyber attack on one or more critical national infrastructures.

Article 1 introduces the subject, stating the object of the Directive (the institutional architecture dedicated to protecting national security with respect to critical material and immaterial infrastructures ...) and the main actors involved (chiefly the Ministry of Economic Development, the Agency for Digital Italy, the Ministry of Defence and the Ministry of the Interior).

Article 2 is interesting because it is where the most important definitions for the cyber field are collected. They are necessary, without doubt, even if I do not personally agree with all of them. I refer in particular to the definition of "cyber space" and the consequences it can have for cyber risk analysis.

Let's start with the definition of the DPCM. 

"Cyber space: the set of interconnected IT infrastructures, including hardware, software, data and users, as well as the logical relations, however established, between them".

Now let's look at the cyberspace definitions adopted by two of the most advanced nations in the field: the USA and Russia.

- USA: The notional environment in which communication over computer networks occurs;

- Russia: The sphere of activity within the information space, formed by a set of communication channels of the Internet and other telecommunication networks, the technological infrastructure to ensure their functioning, and any form of human activity on them (individual, organizational, state);

These definitions are taken from the site of the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia (https://ccdcoe.org/cyber-definitions.html).

Now consider the Russian definition: it is easy to see that, besides the Internet and communication channels, it refers to the "technological infrastructure to ensure their functioning", infrastructure that is mentioned neither in the US definition nor in the Italian one.

In my opinion the absence of this reference could mislead those who have to carry out the cyber risk analysis of a critical infrastructure, for example by leaving out the power plant that feeds a critical data centre.

This is certainly a trivial example, but sometimes trivial things make the difference!

Another definition that is in my opinion incomplete is that of "cyber event".

According to the Directive, a cyber event is a "voluntary or accidental event, consisting of the undue acquisition and transfer of data, their unlawful modification or destruction, or the undue control, damage, destruction or blocking of the normal functioning of networks and information systems or their constituent elements".

Here too, in my opinion, something is missing: how would we frame an event such as the one known as "Stuxnet", with which the United States and Israel (as far as is known) sabotaged the Iranian uranium enrichment facility at Natanz?

In that case the malware damaged the centrifuges, that is, it acted (through the controllers driving them) against physical equipment that is not itself part of any computer network, and yet it can hardly not be considered a cyber attack.

These are two examples that show how important it is to adopt suitable legislation and correct definitions. Clearly these are points of view, and highlighting them serves only to raise awareness and spread knowledge.

So the DPCM, which in any case brings some clarity, is welcome!

But let's go further.

Article 3 sets out the tasks assigned to the President of the Council of Ministers, "responsible for the general policy of the Government and head of the Information System for the Security of the Republic, for the purpose of protecting national security in cyber space as well".

The President of the Council relies on the Interministerial Committee for the Security of the Republic (CISR) to define the national strategic framework for the security of cyber space.

It is interesting in this context to note that the national strategic framework contains "the evolving trends of threats and vulnerabilities of national systems and networks, the definition of the roles and tasks of the various public and private actors, including national entities operating outside the country, [..] tools and procedures to pursue the growth of the country's ability to prevent and respond to events in cyber space, also with a view to spreading a culture of security in the country".

It is again the President of the Council (on the basis of a CISR resolution) who adopts the "National Plan for cyber protection and information security", containing objectives and lines of action consistent with the national strategic framework.

Article 4 deals with the CISR; in particular, letter f) reads: "exercises high-level supervision over the implementation of the National Plan for the security of cyber space".

Article 5 introduces the technical CISR as a support body of the CISR, chaired by the Director General of the Security Intelligence Department (DIS), and here the DIS finally comes into play! This is in fact where the big news lies.

The specific powers of the DIS are detailed in Article 6. It is indeed the DIS, in the person of its Director General, that the DPCM identifies as the body that "adopts appropriate initiatives to define the necessary lines of action of general interest".

The purpose of these lines of action is "to raise and improve the security levels of systems and networks ..." in preparation for the necessary actions to counter and respond to a possible "cyber crisis, by public administrations and bodies and by private operators ...".

In practice, the DIS is given a mandate to coordinate actions to counter and respond to cyber attacks in Italy. The concept is expressed clearly in Article 7, paragraph 2, which states that the Director General of the DIS coordinates the intelligence-gathering activities aimed at strengthening cyber protection and information security in Italy.

Article 8 introduces the Cyber Security Unit (the "Nucleo per la sicurezza cibernetica"), permanently established within the DIS for the prevention of and preparation for crisis situations and "for the activation of alert procedures". The Unit is chaired by a Deputy Director General of the DIS and is composed of the Military Advisor and representatives of:

- DIS;

- AISE;

- AISI;

- Ministry of Foreign Affairs;

- Ministry of the Interior;

- Ministry of Defence;

- Ministry of Justice;

- Ministry of Economic Development;

- Ministry of Economy and Finance;

- Department of Civil Protection;

- Agency for Digital Italy;

- Central Office for Secrecy.

The Unit, under Article 9, performs the function of "linking the various components of the institutional architecture that intervene in various capacities in the field of cyber security"; in particular, it keeps the alert and crisis response unit operational 24 hours a day, 7 days a week.

Article 10 establishes the composition and tasks of the Unit in the event of a cyber crisis, with particular reference to the coordination it has to put in place for response and stabilisation. Paragraph 3 states that, for its technical activities, it relies on the national CERT of the Ministry of Economic Development and on CERT-PA of the Agency for Digital Italy. Here I fully agree on the need to join forces (and resources!).

Article 11 imposes a series of obligations on private operators. Among these is the obligation to report "any significant breach of the security and integrity of their IT systems" and the obligation to cooperate in cyber crisis management, including by helping to restore the functionality of the systems and networks they manage. Breach notifications will probably not amount to much, since the "significance" of a cyber event is not defined in any way, which means that everyone will judge it as they see fit; but it is very important that private operators cooperate, even by making their own Security Operations Centre available.

Article 11, paragraph 2, also indicates that the Ministry of Economic Development is responsible for promoting "the establishment of a national evaluation and certification centre to verify the security conditions and the absence of vulnerabilities ...". I think this would be more appropriate for the Ministry of University and Research, under the supervision of the DIS.

Finally, let's look at Article 13, transitional and final provisions.

Paragraph 1 gives a clear idea of how seriously the cyber problem is taken at government level; in fact, it reads: "This decree does not give rise to new charges on the state budget".

I have a doubt: is it all a joke?

I do not believe, in fact, that Article 13, paragraph 1, is compatible with everything described above!