Cyber Strategy and public-private cooperation for effective defense of critical infrastructures

(By Andrea Puligheddu)

That cyber attacks and related threats are on the rise is now a well-known fact.

A quick look at the CLUSIT 2016 Report on ICT security is more than enough to see a disproportionate increase in attacks on industries and multinationals that make extensive use of digitization as a tool for internal development; the report gives a rather worrying picture of the state of the art of information security.

These attacks are therefore extremely numerous, uncontrolled and not necessarily coordinated in advance. In a more global framework, they are single pieces of a puzzle with much broader outlines, that is, a threat focused on the critical and sensitive infrastructures present on the national territory and operating in the European context, both those related to the circulation of information flows (telecommunications, for example) and those that are more strictly economic or financial (banks, energy companies, transport, health). Their malfunction or failure following a massive attack could bring the development of the entire nation that hosts them to a substantial halt in a relatively short time.

Even the defense and public order sectors are no exception: it takes little imagination to picture the scenario that would arise if defensive IT infrastructures were damaged, or if sensitive information related to national security were stolen by hostile actors, be they members of terrorist organizations or operators of countries militarily hostile to the Western world.

Specific risk management procedures, strategic preventive analysis of threat environments, securing infrastructures and responding to incidents are just some of the operations to be performed to deal with the so-called cyber threats. To summarize in the extreme, we need to ask ourselves: what remedies exist, and how should they be implemented from an organizational and regulatory point of view?

In Europe, the issue is not new at all. In 2013, continuing a course begun twelve years earlier, the Union adopted a common cyber strategy for the first time, requiring member countries to implement and develop it, and to draw up national response strategies according to the cyber security criteria and elements identified at Community level. To date, all Member States have responded positively by completing the implementation procedure, with the exception of Sweden and Greece, which are in the process of developing their own cyber strategic line.

A further development is the Union's formulation in 2013 of a draft directive on Network and Information Security (NIS). The proposed Directive contains various procedural and organizational requirements aimed at implementing a preventive cooperation strategy against cyber threats. These include the preparation of common security standards, notification of incidents to a specifically designated Authority, and the obligation to establish a national Computer Emergency Response Team (CERT) that carries out activities to make critical infrastructures secure. The proposal is currently being examined by the European Council to acquire enforceability, after having passed the scrutiny of Parliament, the Council, the European Commission and the Internal Market Commission of Parliament.

One of the priority points identified in both these Community documents (which for reasons of brevity cannot be dealt with in this contribution) is to create a model of cooperation between the competent institutions and private operators in the sector, broadly understood (computer security, defense, providers of risk management services, providers of services for the protection of communication infrastructures, etc.), in order to build a consolidated structure on several levels that involves actors from different thematic and organizational backgrounds.

Italy, for its part, has responded positively to these stimuli, adopting a special Decree of the President of the Council of Ministers in January 2013, called "Directive setting guidelines for cyber protection and national IT security". It constitutes a necessary starting point, since it indicates the need for precise collaborative operations that private operators who manage significant critical infrastructures must put in place (for example, communicating any significant breach of their IT systems to the cyber security nucleus, adopting specific policies and instrumental measures adequate to the provisions of the Ministry of Economic Development and the Permanent Collegial Body, and generally providing the security and intelligence apparatus and other dedicated bodies with the information necessary to access the databases of interest). This legislative provision was followed by further intelligence documents, recently released from institutional secrecy: the Strategic Framework for National Security and the National plan for cyber protection and computer security. Both contribute to designing the long-term perspective of cyber security and to developing specific short-term operational lines, namely for the 2014-2015 two-year period.

Although the project outlined above is far from complete, it should be noted that in this period a shared path of awareness has at least been embarked upon. One example is the establishment of new CERTs and the reinforcement of those previously established, also at Defense level, which act as the sole interlocutors for security information sharing activities with institutions. The allocation of government resources to cyber security, although still not sufficiently large, likewise follows the strengthening of the strategic line in defense of cyber space described by the European indications.

An innovative element worth watching from the perspective of the cooperation described is certainly the cyber security intelligence plan prepared by Accenture. At the Italian and European level, a platform has been developed that helps organizations predict, identify and combat cyber attacks through a combination of technological factors (AI, cloud, analytics, etc.) and organizational factors; its first operational developments are expected.

Such a service is in some ways similar to what has just begun experimentally in the United States, where a comparable procedure for exchanging information between the public and private sectors is already fully active. It operates in the context of large-scale data processing, using a jointly managed public-private data platform, in order to verify whether this method is effective for predicting cyber attacks.

(photo: US Army)