The new frontiers of Cyber Security

(By Alexandra Javarone)

Could companies, public institutions and even individual citizens pay dearly for the information technology revolution that awaits us? How can the resulting dangers be countered?

We talk about it with Germano Matteuzzi of the Cyber Security Division of Leonardo SpA.

Cybersecurity could appear to be a remote concern to users of PCs, phones, GPS devices, e-mail, social networks and networks in general. Yet our daily life, our renewed, easy and fast computerized sociality, exposes us to new and more complex vulnerabilities. What are the major risks of the hyper-connected society?

Unfortunately, the cyber security of our data is by no means a remote concern but a very current problem. This is precisely the awareness that is missing in order to tackle the problem at its root, obviously starting from the institutions. The instant dissemination of information on the network means that dangers are also instantaneous, and this causes systemic unpreparedness among the users of the network, who are unable to defend themselves. It is just like riding a motorcycle when you are young: driving is reckless at first, then awareness of the risks forces us to change our attitude.

Many modern companies base their business on information and knowledge. These allow them to create products and services, compete on the market and remain technologically advanced enough to maintain their presence on the global market. The substantial difference is that, since we have experienced the wave of digital transformation, it is no longer clear where this information, whether patents, projects, intellectual property or other, is stored. Or rather, it is stored and available in more places and to more people, and is therefore less protected. Many companies, in riding digitalization, arrive at this change unprepared (because the pace is very tight) and often make mistakes that irreversibly compromise their ability to compete.
Just think of how many companies, for example, have migrated their infrastructures to the cloud thinking they would save money, and have then lost their knowledge base due to simple technical mistakes.

The same goes for public institutions, except that this information mainly concerns us citizens, so the strategic and tactical errors in the digitization of institutions mainly affect us, who already have our own problems managing our private information.

It seems trivial, but the most effective protection is to understand the real value that information has for its owners and to simulate what could happen in the event of its loss, disclosure or compromise. So the first rule is to understand what happens if the information is at risk and if this risk materializes, counting regulatory compliance among the risks. This is why the security market is mainly divided into two large areas of activity, one technical/legal and one mainly operational.

Referring to fraud, data theft and ransomware attacks, but also cyber espionage and attacks on critical infrastructures, what indicators should we observe to understand whether we are under attack? Does the country have the ability to analyze, respond to and manage cyber attacks? What role does penetration testing play?

It is really difficult to understand if and how our information is under attack, especially when the attacker has a vested interest in not letting us know. The most important cases of cyber espionage have been detected not so much because of the defense capabilities of the victims as because of errors in the management of cyber weapons and the loss of control over them by the attackers; Stuxnet is the example for all of them. Ransomware attacks immediately manifest themselves in their destructive capacity but are the least dangerous in an espionage scenario. The actors in play determine the purpose of the attack, so a destructive attack is quick and shows no obvious signs, while espionage attacks last over time and tend to be silent. It is also true that, sooner or later, in a spying scenario the data must be exfiltrated, and keeping communications to external entities under control can give the right indications, as can detecting weak anomalies in the performance data of the machines, in network traffic or elsewhere. All targets are at risk, primarily critical infrastructures, which generally also have other problems related to the obsolescence of their ICT systems, which amplifies the risks in a hyper-connected scenario.

In the last 5 years, thanks also to the push of the European institutions, the country has made many steps forward towards awareness of cyber risks and towards countering and responding to attacks. Just think of the National Framework, the government organization for cyber protection, CSIRT Italy, the implementation of the NIS directive, the GDPR, the national cyber perimeter, the AgID minimum security measures and much more. We are on the right path but we must hurry up, because in cyberspace the time factor is fundamental and the time scales are drastically shortened.

In all this, however, being aware that our infrastructures are vulnerable, and therefore at risk, but also actually compromisable, is important, because it puts us in front of the evidence of knowing with certainty that a possible attack would be successful. This is the main reason why the market for penetration testers is still thriving: they provide evidence of vulnerabilities that would otherwise remain substantially on paper in reports. And, more importantly, they allow us to highlight a whole set of vulnerabilities that often do not even end up in reports, namely human and social ones.

Cataloging threats, malevolent actors and motives of every kind: how can artificial intelligence be used? Is artificial intelligence capable of aggregating this data according to the analyst's needs?

The application of mathematical models that allow phenomena and behaviors to be learned, and all AI models, derive from the application of human intelligence. Without wishing to bother Asimov and robotics (which happens very often when we talk about cyber; the name itself derives from the use of the term in cyberpunk novels), one thing is AI applied to a huge amount of data and based on mathematical models for the predictive search for phenomena and patterns; another is the self-awareness of machines as we see it in films and find it in novels, the search for humanity in every sense.

On the first we are already working, and surely mathematics will help us to visualize, aggregate and present data analyses so that the relationships we cannot see at first sight appear among them; for the second, even if in the field of cyber security there are already reactive and artificial behavior models, we will probably have to wait a long time.

In this first scenario, AI in its Machine Learning and Deep Learning applications, using algorithms based on neural networks, is able to analyze this large amount of data and present it in a readable format to an analyst, who can then make decisions by working on a reduced set of information that is analysable by a human mind. AI can also suggest to humans actions derived from its knowledge base, linked to its learning algorithms and the available data, actions that must be analyzed before being evaluated for their applicability. And the goodness or applicability of these actions is always linked to the quality and quantity of the data we provide. I would not like to give too anthropocentric a view of the issue, but for now AI is still a support to human intelligence.

Alongside diplomacy and intelligence, the need to develop cyber defense and attack capabilities has become decisive. Various international actors carry out real cyber attacks to obtain information and avoid reprisals, also thanks to the known difficulties of attribution. At times the evidence of such attacks seems to all point to one country, but is it possible that the clues are left with the intent of placing the blame on an enemy country?

The attribution of responsibility for attacks in cyberspace is in fact very complicated, if not almost always impossible. Everything happens in a very short time, there are no natural barriers that inhibit certain actions, there are no effective defenses for digital assets, and there are often no warning signs.

Precisely for this reason, cyberspace is the new frontier of warfare, where different types of actors face each other every day, ranging from national governments or pro-government organizations to cyber criminals acting for profit or for destabilization; attack scenarios radically change their face compared to traditional ones, and cyber operations can be conducted and activated abruptly and with very few warning signs. There are no more armies gathering, no evidence of operations or mobilizations at the borders of states, no missile trajectories to be identified, no aircraft taking off or ships leaving; all preparation and reconnaissance activities are carried out in the shadow and anonymity of cyberspace, and the attack is impossible to detect.

There are cyber wars on this operational theater that have been going on for years: for example, India and Pakistan have been facing each other in cyberspace for over 20 years; Russia and Ukraine have also faced each other on that front; the United States, Israel and Saudi Arabia are using cyber weapons against Iran (and vice versa); and recently we have seen Chinese operations against other countries, Russia, Australia, etc.

In the lists of the countries best prepared to face cyber attacks we always find the United States and Israel, but also countries of the Pacific area, in addition to Russia and China.

Assigning responsibility for a cyber attack is a complex process that goes beyond the mere identification of the source systems of the attack, also because these systems, perhaps belonging to one country, may in turn have been the object of attack and compromise by another country, and so on. It is mainly attack tools and techniques that are analyzed, which can often lead to a few or a single threat agent; therefore, however uncertain, an attribution of operations can be at least risky. And of course yes: since these techniques and tools are known, it is possible that some attacks are carried out by simulating that they originate from threat agents linked to other countries, for the sole purpose of placing responsibility for the attack on them, in a scenario of cyber diplomacy that is added to the traditional one.

The Army Studies Center (CSE) launched a study on the cyber capabilities of the Italian army some time ago and has involved institutions and companies in its work. Leonardo is an integral part of the group. What role could Leonardo play in the global model of detection and response desired by the CSE?

Leonardo is a historic partner of defense in all sectors, not least Cyber Security. I remember the first Cyber programs, the CERT of the Army and the Cyber Defense Capabilities based on the NATO framework of the then C4D, dating back to 2010, so we are now talking about almost 10 years ago, with which the first detection & response capabilities were implemented, with all the subsequent evolutions up to the realization of a full operational capability and the implementation of capabilities within the CIOC to plan and conduct operations in the new cyber domain. The Cyber Security division has also collaborated with the armed forces, especially the Army and Navy, on the creation of important cyber capabilities. Leonardo has also achieved NATO's Full Operational Capability by implementing the NCIRC, the Computer Incident Response Center for all NATO offices and countries.

Leonardo is also present in an important way in the Italian cyber security market in the civil sector, mainly the government one, where it holds the CONSIP SPC Cloud Lot 2 - Security framework agreement, through which managed security services and professional services are provided to all central and local public administrations that request them. It is also present in the private sector of Critical Infrastructures and Large Enterprises, where Leonardo provides services to large companies in the Oil & Gas, Energy, Utilities and Transport sectors.

In recent years, Leonardo has invested heavily in developments related to threat intelligence in the cyber field, equipping itself with its own internally developed technological tools for research and analysis on the web using the OSINT (Open Source Intelligence) paradigm. Furthermore, the Leonardo Security Operations Center, active since 2007 and one of the first Italian Managed Security Service Providers on the market, provides intelligence services through this platform in full synergy with the more traditional Cyber Security ones. In the field of communications security, Leonardo has a historical presence, having worked on and provided products and services both in the cipher domain for classified information and in the field of professional secure communications used by law enforcement and emergency services. Last but not least, Leonardo is a wholly Italian company owned by the state, which places it in a particularly privileged position to be the reference actor of Italian cyber security on the military and civilian markets.

If, for operations within the cyber domain, the prevalent role should be played by the recently established COR, it is also true that each armed force, following the concept of Network Enabled Capability (NEC), must extend its capabilities using cyber tools to support traditional operations. Therefore, not purely cyber operations, but cyber technologies to support operations in traditional domains.

Leonardo can therefore make available to the Army, but also to the other armed forces, all the capabilities and knowledge relating to security gained in recent years in the military and civil fields, and support them in the acquisition of those cyber capabilities not yet fully implemented.