Cybersecurity scandal: Netherlands-Italy 300-3

(By Andrea Cucco)
18/02/19

Have you ever imagined that one of the main cyber threats affecting our country is a 2008 worm? It is like hearing, in Italy today, about smallpox!

The terms "cyber" and "cybersecurity" have been overused for too long. They are overused by those who treat the field as an opportunity for public statements that can compensate for or hide very serious personal political shortcomings, and by those who comment on signs of imminent danger as if they were "successes".

Increasingly concerned about cyber risks in our country, we spoke with Microsoft, represented by the engineer Carlo Mauceli, to try to understand what he thinks.

How does Microsoft evaluate the cyber situation in Italy?

I'll speak for Microsoft, but without forgetting that I am Italian, and therefore I say immediately that the comparison between Italy and many of the countries we generally use as terms of comparison goes against us and does not seem to be improving.

I will give you an example to be clear. A few days ago at ITASEC, some colleagues and I analyzed the main infections that Italian companies are fighting. Incredibly, we realized that it is Conficker, a worm from 2008, about which everything is known and which, given its age, should have practically disappeared. Indeed it has in most other countries, but not in ours.

What does this mean? It means a lot of things: obsolescence, lack of sensitivity, misinformation, little inclination to collaboration (especially as regards partnerships between public and private) and lack of investment in the IT sector. Both in public administrations and in the private sector, especially in small and medium-sized companies, we still see computers more than ten years old, obsolete systems, and dated applications. But not only that. What is striking is that it is necessary to change attitude and posture if you really want to cope with this situation.

Not to mention the application software ... developed in the past without any attention to security and, unfortunately, still present and, therefore, extremely risky.

You do not have to look too far to learn and improve. If you know the risk and the enemy, you can fight, but if you pretend that the problem is always someone else's and that we are the best and do not run any risk ... well, in this case what comes to us is nothing other than what we deserve.

One of the problems I see in Italy is its isolation. We cannot continue to remain isolated; we need to join the others and work together. Just look, for example, at the Netherlands and Great Britain, and also France and Germany, which through substantial investments, organization, public-private partnerships and seriousness have managed to create a national system able to help public administrations, businesses and private citizens alike.

The Italian industrial fabric is made up 95% of small and medium enterprises. If the State does not deal with them, through investments and tax breaks for those who make technological upgrades, who should take care of them?

What is needed for Italy to become competitive?

Let's start from some examples of other countries to understand how they faced one of the most important problems of the moment. The Netherlands estimates that 25% of their gross domestic product (GDP) will be made up of the digital economy by 2020 and that economic well-being will increasingly depend on a functioning, safe and reliable digital economy. Therefore, the Dutch government has set itself as a fundamental objective to protect and strengthen the ICT sector and is investing in the cyber security of the country by allocating €300 million in four years for cybersecurity and implementing structural reforms to facilitate the achievement of its objectives.

In 2015, the UK set itself the ambitious goal of becoming "the safest place in the world to conduct online business" and of being a world leader in the field of cybersecurity. To achieve these goals, the United Kingdom launched a new National Cyber Security Strategy in 2016, earmarked nearly 2 billion pounds over five years for cybersecurity and inaugurated the new National Cyber Security Center as a national cybersecurity authority, responsible for the response to cyber attacks with national impact, the exchange of information between the actors involved, the reduction of general risks to the IT security of the country system, assistance to bodies and organizations that need it, the dissemination of pertinent information and the management of the Cyber Security Information Sharing Partnership (CiSP), a tool that allows information exchange between organizations and provides specific support whenever needed. In addition, the Cyber Essentials program has been launched, a set of criteria and standards that guarantee basic IT security and a cost-benefit ratio for organizations of all sizes and in all sectors, to help them protect themselves from the most common cyber risks and increase their resilience to cyber attacks.

What did we do in Italy?

The national security framework has been defined, the Security Information Department (DIS) has been appointed as the single point of contact and we are awaiting the formation of the Computer Security Incident Response Team (CSIRT) for the notification of incidents with significant impact, in addition to having allocated, during the Renzi government, 150 million euros of which no trace has been lost.

The "government of change" in charge?

With the new budget law: one million euros a year for three years!

The lack of investment and the impossibility of accessing an open market is a problem, not only for Microsoft, but for everyone, and ultimately for the country. As for Microsoft's position, it is clear that it is a company that has to deal with doing business; however, faced with incomprehensible choices for the development of the country, we too, as a company, find it difficult to create the conditions to be able to collaborate proactively.

As an example, I can tell you that Microsoft has a free government program, known as the Government Security Program, signed by 70 countries in the world, that could help a lot to prevent potential incidents, share technical information and develop products in line with the requests of the countries. Here, we have not yet managed to sign this agreement despite our efforts and stakeholder interest.

Why?

Honestly, I do not have an answer. And it's a shame, because on closer inspection it is not only in Microsoft's interest but also in that of all those who would benefit from it in Italy ... it must be in everyone's interest.

The issue of investments is important: helping the development of small and medium-sized businesses serves to spread the cyber culture, to train industry experts and to lay the foundations for ever-better market competitiveness.

What are the main obstacles that have hitherto prevented the development of the sector?

One of the main problems concerns the exchange of information.

Information exchange should be encouraged at all levels, both among technicians and between managers and managers. If I know the enemy I can use prevention ... but if I have no idea of what is happening around me ... what am I doing?

When they call us to respond to an incident, we provide our know-how and expertise in the field, both with human resources, an Incident Response Team, and with solutions that allow us to provide customers with the state of the art and thus be able to intervene. Microsoft has several of these teams in action at the same time around the world, and this allows us to gather useful information, information that with due attention can be shared. The same thing is expected of an organization that takes charge of this kind of problem. These activities of connection and coordination must be borne by the state, with the right participation of industry, national or otherwise.

France and Germany are ahead of us, like the Netherlands and Great Britain, so we look at what they do and how they do it and we learn ... with modesty.

We must also respect the rules, both the GDPR and the NIS directive, but we cannot think that the law has solved the problem. The rule is necessary, but then it takes someone who gets their hands dirty and does the work in the field and this, for now, is not seen.

What do you think about the announced reorganization of the sector that would see the Ministry of Defense at the forefront of the country's cyber development?

I heard this news during the Pisa convention. Generally speaking, there are separate organizations in the other countries: a state one that supports everyone and regulates the subject, and a separate organization for the Armed Forces, also because the tasks of the Armed Forces are different. In my opinion, I do not think it could be a correct solution, if I interpreted the words of Minister Trenta correctly. Certainly, the national framework is increasingly complex, characterized by too many levels of responsibility that make a coherent approach difficult.

As I think I have already said, it is better to stop for a moment and reflect, to look at what others do. From others, from our neighbors, we can always learn without copying, perhaps asking with humility. Using tools and analysis already done by others you can find something that will give us a hand, maybe without waiting too long!

So I understand that you think the armed forces do not have the strength to do a job like this for everyone?

Well, I rely on what I see. At the moment I only see the CIOC (Interforces Command for Cybernetic Operations, ed).

Now, the CIOC has little to do with the private world. It should take care to prepare for interventions in which national security is at risk, according to military logics.

Unless one wants to say that we are at war with the whole world and, even in this case, the CIOC does not seem sufficient.

Does Microsoft intend to invest in Italy? If not, why?

In Italy it is very difficult to work in the security sector, especially in the public sector, because security passes through the suppliers who won the SPC tender (Public Connectivity System, ed). This means that if a public administration needs suppliers like Microsoft, Mandiant, FireEye, etc., because they employ specific technologies or simply because it trusts these organizations, it cannot engage them directly. I believe that this does not help, above all from the point of view of capacity building and competitiveness.

Is it reasonable to think that the Defense takes charge of the development of the sector? Don't you run the risk of a lack of stimulus to society? I take the example of high-level athletes ...

Of course, it's exactly like that too. Civil society should develop its capabilities, which must serve to operate in normal cases. The Defense must enter in cases of emergency, of war, not always, otherwise it "drugs" the market.

The goal of Defense Online is to inform a large and non-niche audience (perhaps desired), hoping that those with responsibilities will make the necessary corrections ...

I follow you, share and appreciate your efforts. Unfortunately the Italian situation is this: municipalities and metropolitan cities, to give an example, are completely left to themselves.

Most of the systems that we see daily during our interventions are absolutely insecure, both due to lack of funds and lack of trained technical personnel, but mainly due to the failure of management to consider security as a key element of both infrastructures and applications.

What to do? Firstly, we organize the organization, we create more and more sensitivity, we train people and reason according to a state logic that supports the private world as well as the public one.

Otherwise we will never go on ...

This situation leads to a deadlock.

It is necessary to create a national cybernetic nucleus that can move freely, even by calling suitable companies according to the case.

We need to simplify administrative rules, not complicate them and make them incomprehensible.

What would you do to get the military prepared in the cyber sector?

Preparing staff is a difficult thing, keeping it in the organization is very difficult.

We need to create sensitivity and train people from school onward, starting from high school. Security should be seen and taught comprehensively, from standards to technology and risk analysis.

The necessary courses must then be included in all the universities of Italy; in this field some progress has been made but we are still far from what is needed.

For the military, then, you need to create "masters", if you will pardon the term, of various types that increase awareness and especially all-round, 360-degree preparation.

The problem in Italy is that for years, unfortunately, rivers of words have been wasted, but it has not been possible to put the right initiatives on the ground.

The president of Microsoft, Brad Smith, in recent days was received by the Pope. Can you tell us something more?

Yes, the topic of the visit is Artificial Intelligence. Even in the Vatican we are concerned with technological innovations and all that they entail, especially in terms of ethics. During the private interview our president of the Legal Division illustrated the perspectives related to Artificial Intelligence and to the ethical problems connected to it but also the great benefits for humanity that it can bring. Microsoft together with the Pontifical Academy for Life will promote an international award on ethics in artificial intelligence, which will be the main theme of the 2020 Plenary Assembly.

Brad Smith also talked about the new Microsoft investment in Italy, "Ambition Italy". An ambitious project that aims to bring 200,000 young people closer to the digital world, hoping that one day they will become professionals in the sector.

In fact, let us not forget that Italy is a very particular country in which there is high unemployment, but in the cyber sector and in the digital sector there is a chronic shortage of trained personnel.

In Italy, choices are often postponed until it is too late. Faced with a new technology you can choose whether to manage it or fight it; unfortunately we have not yet decided which side to take.

I want to be confident and believe that the light comes on soon so as not to disperse the baggage of excellence that our country has.

Photo: web / NCSC Netherlands / Ministry of Defense