The cyber national security perimeter: a new challenge for general counsel and compliance officers

(By Fabrizio DeFeo)
03/03/21

In the difficult moment of reconstruction that will follow the great economic crisis caused by the pandemic, one of the most precious assets that a country holds is information, which must be defended as much as national borders are defended in the event of a war. That's what it's all about when it comes to cyber security, and for some months now our country has been making great strides to protect our "internal program" of security that runs on the web.

This was discussed on Friday 26 February at a webinar organized by Lexout, a company that offers outsourced legal and professional services, and The Skill, a communication firm specializing in legal communication. The protagonists were Aigi, the Italian Association of Corporate Jurists, and Aitra, the Italian Transparency and Anti-Corruption Association.

The panel of guests was large and competent. The "honors" were done by the lawyer Giuseppe Catalano, president of Aigi (company secretary and head of corporate affairs at Assicurazioni Generali Spa), the lawyer Giorgio Martellino (president of Aitra, head of the Aigi Center Section as well as general counsel of Avio Spa) and Professor Francesco Bruno (founding partner of B - Partnership between lawyers and member of the advisory board of Lexout).

The round table, moderated by Pietro Galizzi (head of legal and regulatory affairs of Eni Gas and Luce Spa and Aigi partner), was attended by the lawyer Gianluca Cattani (Lexout advisory board), Professor Roberto Baldoni (Deputy Director General of the Dis with responsibility for Cybersecurity), Doctor Fabio Mulazzani (business and continuity officer of the European Food Safety Authority), the engineer Massimiliano Vegni (CEO of It systems Srl) and the lawyer Antonio Enrico Agovino (member of the Aitra board and head of compliance at Inwit spa).

Professor Baldoni provided the regulatory framework, including the recent measures introduced by the government on the subject of security. He explained how a national campaign was launched in December to update the "ICT assets": in essence, it is a matter of securing all networks that support information of an exclusive nature and that are decisive for the country. While on the one hand Legislative Decree 231/2001, on the liability of entities for crimes that occur within the company due to omitted supervision, forces public and private companies to comply also with respect to possible cyber attacks, on the other it was necessary to go into the specifics of cybersecurity with four Dpcm and a Dpr that contribute to the identification of those networks that are particularly exposed and that must be protected because they contain sensitive information.

Last December, many companies that interface with various parts of the state received a letter inviting them to submit within six months, so by June, a complete map of the networks that support potentially sensitive information. Immediately afterwards, the Security Department will impose a security system that guarantees that this information is locked down. "The world in front of us is complex; if we want to navigate it we have to do complex things. The cyber national security perimeter was created to secure the country's essential functions, those that, if they were to be blocked, would lead to national security problems," explains Baldoni. "To regulate this risk study there are 4 Dpcm and a Dpr; it is the work of about 200 people, including technicians and regulatory experts. There is an intergovernmental agreement on all the decrees, then we move on to the opinions of the Chambers, the Court of Auditors and the Council of State, and some of these are in the pipeline," he continues. "For IT security, inspections of security measures, measurement and management of the response to incidents are crucial, and finally the National Certification Assessment Center is being implemented at the Mise," explained Professor Baldoni. "This is an opportunity for us to build a skill base on which geopolitical balances will play."

Some of the companies that have been called on by the Security Department to take a series of actions to protect their sensitive information are companies that are part of the country's procurement system. The letter they received may in many respects be unclear: is a clarification to be expected? "There is still no public version of the Dpr," replies Baldoni. "We have tried to take into account all the problems related to tenders for both private and public entities, such as Consip; however, we should be able to manage some problems. We are trying to build a system that works and brings value to the country system. We will try to solve the problems; there will be immediate repercussions also on the economic level."

From words to deeds: how is a correct and effective cyber security system built? "The first step in implementing a security plan is a 'holistic' approach to convergent security," explains Fabio Mulazzani. "Companies must increase their skills and knowledge on cybersecurity; the method must be understood as multidisciplinary and not focus only on technical areas," the expert continues. "There are many sectors that must be considered when it comes to convergent security: in this framework of the national cybersecurity perimeter, which refers to a European plan, each company must do its part by increasing its skills. One of the greatest difficulties we all have is to make communication simpler and more efficient: we must communicate clearly and precisely, abolishing technical jargon as much as possible. Our organization is like a castle that must be defended, and defending your castle means thinking about the foundations, putting in place reengineering systems. You don't have to look only at the networks, but at the whole business plan," adds Fabio Mulazzani.

"There are many security aspects that we know little about and that we should apply to businesses," underlined Gianluca Cattani. "Italy is at the forefront of cyber security, and let's not forget that on this level, tenders, whose security legislation is of Community origin, also have an important value. Furthermore," adds Cattani, "companies must already start preparing for change: in six months, ICT assets will be mapped, i.e. networks or IT services that interact with the essential functions of the State."

But which are these companies that need to organize their cyber security from scratch? The answer again comes from Cattani: "We are talking about companies that serve the Interior, Defense, Energy, Telecommunications, Finance: in the case of a cyber attack, the entire country pays the costs and even a single attack can be very dangerous. Think of the health sector, the supply and distribution of drinking water or energy: these are essential services and today it is all electronic ... maybe the dam was once moved by a crank, now everything works with IT access."

Finally, the focus shifted to costs, as the engineer Massimo Vegni explained: "The national cyber security perimeter is perceived with some anxiety because it leads us to new rules. It all stems from the fact that there are 'bad guys' who target our strategic infrastructures and our strategic companies, both to steal data and to manipulate it. The mapping of sensitive networks is not a simple job and we often deal with devices whose security terms we do not know. But the risk of cyber disruption involves other aspects: the attacks do not come only from private individuals, but also from foreign states that have the ability to spy on us and that benefit from having sensitive information. Top management must be involved in these challenges, because addressing them means having to employ substantial resources, and it must understand how that investment is an opportunity to secure our businesses," Vegni stressed again.

Let's not forget the criminal and civil procedural aspects, as regards both the 231 models and the cyber security perimeter, as was well explained by the lawyer Antonio Enrico Agovino: "With the conception of this new cyber security perimeter, computer crimes take on new relevance; these, as the experts have well noted, have always been seen as being on the lowest step among the crimes included in Legislative Decree 231/2001 and are, among other things, the subject of scarce jurisprudence."