Domestic Security perimeter: companies focus on infrastructure and training

(By Ing. Carlo Mauceli)

The recent decree law on the cyber security perimeter is the result of new reflection on the evolution of the cyber threat, of the technological context and of the national and international regulatory framework, and the fact that the perimeter is composed of different actors, public and private, is in itself a positive element. The criteria for identifying those actors are also a point in favor of the decree, since they establish that:

  • The subject exercises an essential function of the State, that is, it ensures an essential service for the maintenance of civil, social or economic activities fundamental to the interests of the State;
  • The exercise of this function or the provision of this service depends on networks, information systems and IT services whose failure, interruption (even partial) or improper use may result in prejudice to national security.

On the other hand, there is still strong doubt about the timing for defining who will become part of the perimeter, given that the DL delegates their identification to a subsequent decree of the President of the Council (art. 1 paragraph 2 letter a), to be issued within 4 months from the entry into force of the conversion law. By default, a delegated decree postpones everything to subsequent provisions, which must be issued an unspecified number of months after the conversion law of the DL comes into force. It would therefore be important that these deadlines were actually respected.

Moreover, the decree is strongly unbalanced towards two elements:

  1. Communication networks and the theme of 5G
  2. The CVCN, which:
    • Absorbs half of the already scarce financial resources;
    • Risks becoming a bottleneck and, above all, it is not clear how it will operate with respect to the evaluation of cloud providers. In particular, paragraph 7 point c speaks of the "elaboration and adoption of cybernetic certification schemes, where, for national security reasons and on conventions of the technical CISR, the existing certification schemes are not considered adequate for the protection requirements of the cyber national security perimeter". What does this mean? That even solutions, whether HW or SW, that comply with international standards must in any case pass the CVCN certification and validation examination? This is a source of concern because it would be a further tightening as well as a disproportionate lengthening of time.

While appreciating the effort to define a significant organizational structure, the decree does not go to the root of the problems that plague our country, which arise from a very specific question: "How is it that our country is among the most attacked in the world, and that our companies suffer attacks, as never before, with techniques that are not necessarily modern but capable, nonetheless, of striking just as hard?"

The data from the latest Clusit report are merciless. The study is based on a sample that, at 31 December 2018, consists of 8.417 known attacks of particular gravity, i.e. attacks that have had a significant impact on the victims in terms of economic losses, reputational damage or the dissemination of sensitive data (personal or otherwise), or that in any case foreshadow particularly worrying scenarios, which occurred worldwide (therefore including Italy) from January 1st 2011, of which 1.552 in 2018 (+77,8% compared to 2014, +37,7% compared to 2017) and 5.614 registered between 2014 and 2018.

Overall, compared to 2017, the number of serious attacks collected from public sources for 2018 grows by 37,7%. In absolute terms, in 2018 the categories "Cybercrime" and "Cyber Espionage" record the highest number of attacks of the last 8 years. The sample clearly shows that, excluding the activities attributable to attacks in the "Hacktivism" category, which again decrease significantly (-22,8%) compared to 2017, in 2018 serious attacks carried out for the purpose of "Cybercrime" (+43,8%) are increasing, as are those attributable to "Cyber Espionage" activities (+57,4%). It should be emphasized that, compared to the past, today it is more difficult to clearly distinguish between "Cyber Espionage" and "Information Warfare": adding the attacks of both categories, in 2018 there is an increase of 35,6% compared to the previous year (259 against 191).

Therefore, in light of all this, we think that the decree should also cover the areas where our country suffers, which I would summarize in these points:

  • Security enhancement based on cloud-driven solutions. Advanced, targeted and evasive attacks of a different nature make it extremely difficult for companies to effectively prevent computer breaches:
  1. Cybercriminals use advanced attacks to bypass anti-virus, IPS and next-generation firewalls and hide inside companies for months (320 days on average in 2015, when notified externally)
  2. Over 68% of malware is specific to a company and 80% of that malware is used only once, so signature-based defenses are ineffective against targeted attacks
  3. Over 80% of alerts generated by security systems based on rules and signatures are unreliable and divert resources from the analysis of critical reports

Today's IT business transformation, which expands the company's attack surface, makes this challenge even more complex:

  1. By 2020, public cloud applications will account for over two-thirds of business spending. Cloud-based operations increase corporate Internet traffic (and potential threats) in and out by 40%. All this traffic must be controlled
  2. Nowadays, the non-Windows devices supported by 96% of companies have usually not been well protected
  3. The adoption of direct Internet connections by 40% of branches increases their exposure to attacks outside the high protection of the central office

To minimize the risk of costly IT breaches, companies of all sizes need to protect themselves effectively from attacks. What needs to be done can be summarized in these four points:

  1. Detect and block threats that traditional security products do not detect
  2. Respond quickly and contain the impact of incidents
  3. Constantly adapt to the evolution of threats
  4. Scale and remain flexible when the company grows or the IT service delivery mode changes

The technologies that can guarantee the required level of security cannot, logically, be based on old-style on-premises architectures, but on Machine Learning systems and Artificial Intelligence algorithms that inspect suspicious objects to identify targeted, evasive and unknown threats, rather than on signatures.

  • Investments in training. Back in 2015, Prof. Baldoni wrote the following in the White Book of Cybersecurity: "The professional figures related to security have a world market and often in Italy we find ourselves competing with realities that, on the other side, offer far better salary conditions. The number of professional figures related to cybersecurity produced by our universities is still too low, also due to the few teachers present in Italy in this specific sector. This is one of the causes that, in fact, prevents the activation of new three-year and master's degree courses in many Italian universities: degree courses that at this moment unfortunately can be counted on the fingers of one hand. Due to the combined effect of an escape from Italy to seize important salary opportunities and a scarce creation of professional figures adequate to the need, it is necessary and urgent to develop brain retention strategies that make working on IT security issues more attractive in our country. Israel, for example, has succeeded in curbing the bleeding through the creation of an Industry-University-Government ecosystem based on technology parks and incentive policies for spin-offs, succeeding in this way in transforming an endemic weakness into a growth factor. In addition to these programs, we need to create the conditions to bring our best brains in science and entrepreneurship in the security sector back to Italy. The mobility of the labor market is an endemic problem in this sector that does not grip only Italy: some large countries are moving, on the one hand, to have available, in a few years, the necessary workforce and, on the other hand, to create the conditions to keep it within their borders.
This extends, by way of example, to policies of loans of honor to students: policies already pursued by France and Germany and which could also be taken into consideration in our country to keep new graduates in our governmental structures, in the PA and in the national industrial system. If adequate policies are not put in place, the situation will deteriorate significantly in the coming years. Note, in this regard, that countries like Germany are pursuing very aggressive policies to attract not only scientists and entrepreneurs, but also simple foreign students to degree courses within their universities." Four years have passed and little has changed, except that in some universities, such as Politecnico di Milano, La Sapienza, Tor Vergata and Cagliari, master's degree courses in cybersecurity have been established; but there is still no national plan to create adequate professional figures and, consequently, the culture needed to change the sensitivity towards a problem that has become one of the most important on the planet is still lacking.
  • Investments for the removal of technological obsolescence. The attacks that Italy suffers depend not so much on the attackers' ability to use new techniques, which happens in specific cases and with targeted campaigns (APT), but on obsolete infrastructures and applications which, precisely because of the lack of tax relief for private companies, mostly SMEs, and of investment for public ones, cannot be updated and secured.
  • Strengthening of the CERT. If we look at the international scene in terms of how security units are organized, we find several models. Precisely because of our experience and our collaboration with the governments of other countries (United Kingdom, Denmark, France, Germany, Czech Republic, just to name a few), we believe it is necessary to establish a permanent Crisis Unit at the National CERT or the Presidency of the Council, composed of technicians from the private and public sector who work in the interests of the country: a central Cybersecurity unit that functions as an always-active cell to respond in a unified manner to attacks on the Public Administration and critical infrastructures of national interest, charged with training and awareness within the State and, finally, capable of responding promptly to a cyber threat in full synergy with the DIS and the police and postal departments in charge of countering and suppressing the phenomenon. In short, a central cell whose strength lies in combining the investigative skills that come from the police with the more strictly technical ones that characterize those who work in companies that make security a distinctive element. This initiative is in line with the sense of emergency and effective response required by the EU directive on Cybersecurity (NIS), which will soon be approved by the European Parliament and which, consequently, we in Italy will have to transpose into our national legislation. All this must necessarily pass through an increase in the knowledge and related skills of the cybersecurity unit, as mentioned, through the inclusion of specialists who really have more direct experience of the market and who can work alongside those who have the more "military / governmental" knowledge and experience.

I believe that if our decision makers followed this path, we could finally get out of these quicksands and look with renewed enthusiasm at a real digital revolution.