The Italian State has decided to protect its critical operators, both public and private, by virtue of the "national cybernetic security". The computer wars fought in cybernetic space indeed represent one of the greatest risks for Western democracies, which often find themselves unprepared, compared to traditional conflicts of a military or commercial nature. For this reason, on 13 November 2019, the text relating to Decree-Law No. 105/2019 was approved. The Law designs the architecture of skills and bureaucracy, the "defence front" of computer wars, both for public and private subjects. The Law even provides that, in the presence of serious and imminent risk to national security related to the vulnerability of networks, systems or services, the Italian President of the Council of Ministers has the power to eliminate the specific risk factor «where necessary and for the time strictly necessary».

[What are the threats that require the "cybernetic security perimeter"? Let's find out in the interview below]

Here are the deadlines provided by the Converted Decree, the competent Ministries, other responsible agencies and relative penalties. Let's understand who will be included in the security perimeter and according to which criteria contracts will be stipulated for the supply of goods, services and ICT systems.

Deadlines

4 months after the issuance of Decree-Law 105/2019

" to identify the realities included in the security perimeter, identified by the President of the Council of Ministers.

" to prepare the criteria for the list of networks, information systems and sensitive information services pertaining to the realities concerned – by the Italian DIS (Security Intelligence Department), in collaboration with a representative of the Presidency of the Council of Ministers.

6 months after the issuance of Decree-Law 105/2019

" to forward the above lists – those of public bodies – to the Presidency of the Council of Ministers and private bodies to the MISE (Ministry of Economic Development) – which will be forwarded to the DIS, and also to the Ministry of the Interior's agency for the security and regularity of telecommunications services (deputed by the Ministry of the Interior).

10 months after the issuance of Decree-Law 105/2019

" for the notification by the subjects present in the lists of eventual computer accidents to the CSIR (Interministerial Committee for the Security of the Republic), which will forward them to the DIS. The latter will forward them to the Ministry of the Interior's agency for the security and regularity of telecommunications services, as well as to the Presidency of the Council of Ministers (if public bodies) or to the Ministry of Economic Development (if private bodies). The Presidency of the Council and the MISE will also carry out inspections on to the list and notification activities.

[What is meant by "computer accidents"? Let's find out in the interview below]

" to define the security measures, decided by the MISE and the Presidency of the Council, together with the Ministries of Defence, Interior, Economy and DIS.

" to define the procedures, modalities and terms with which the subjects falling within the "perimeter of cybernetic security" will proceed to the entrusting of goods, services and ICT systems – with the following communication to the CVCN, the National Evaluation and Certification Centre established at the MISE.

It should be remembered that the "security measures" decided within 10 months must also be guaranteed by the organizations that are part of the list of subjects identified by the NIS Directive, which is the first piece of cybersecurity legislation passed by the European Union (EU). The Directive was adopted on July 6, 2016 and its aim is to achieve a high common standard of network and information security across all EU Member States. (provided by the regulatory framework of Italian Legislative Decree 65/2018). These are operators of essential services and providers of digital services, taken into account in a perspective of implementation and continuous improvement of the national cybernetic space.

In addition, it is envisaged that additional measures will be implemented, aimed at ensuring equivalent levels of security to those provided for by the recent Decree, for contracts already authorized by decree of the President of the Council of Ministers, using the "Golden Power" – contracts adopted before the entry into force of the current legislation, that are related to networks, information systems and computer services and included within the perimeter of national cybernetic security.

[What is Golden Power? Let's find out in the interview below]

Ratings

The CVCN (National Assessment and Certification Centre) will carry out the risk assessment, in relation to the field of use, for the entrusting of goods, services and ICT systems. On the basis of this evaluation, the CVCN may impose conditions and tests on the hardware and software supplied within a period of 45 days – which may be extended by 15 days only once in the event of particular complexity – from the communication to the said Centre. The suppliers will be required to cooperate fully with the evaluation centre of the MISE (Economic Development) and the MID (Defence), as well as the cost of the control activities.

[An estimate of the costs? Let's find out in the interview below]

Possible sanctions

In case of non-compliance with the required safety conditions or in the absence of the favorable outcome of the tests ordered by the CVCN, the supply contracts, even if already signed, will not produce any effects or will cease to produce them. An administrative sanction is provided for the executors of such contracts, id est the impossibility of taking on management, administration and control positions in legal persons and companies, for a period of 3 years from the date of ascertainment of the violation. If false information, incorrect data or factual elements do not correspond to the truth are provided (as regards the updating of lists, inspection activities or in general compliance with the deadline for providing data), imprisonment from one to five years for natural persons, in addition to a sanction of four hundred shares for the entity is foreseen. Penalties are provided in the event of failure to comply with the obligations set out in the Decree-Law, which can range from € 200,000 to € 1,800,000.

The 5G network problem

A further element that the CVCN will have to evaluate under the Law will be the presence of vulnerability factors, which could compromise the integrity and security of the networks and the data passing through them. On the basis of this assessment, the special powers referred to in Article 1-bis of Decree-Law 21/2012 will be exercised, better known as the "Golden Power".

This is a crucial issue given by the advancement of 5G infrastructures in Italy, as in other European countries. These will lead to an exponential increase in data "on the move" and consequent problems of national security, linked to the guarantees offered by those who build and manage the infrastructures.

nterview with Francesco Capparelli

Chief Cyber Security Advisor – ICT Cyber Consulting SRL

  1. What are the major threats for which a private or public entity should be within the "security perimeter"? Cyber threats affect every business today. It is said that there are only two types of organizations: those that have been violated and those that do not know that they have been violated. Security is not a process that can be easily purchased, but it is about continuous improvement, updating and training. A regulation that obliges to implement technical and organizational security measures, therefore, makes the citizen safer, who can count on the availability of services offered by the companies subject to the measure and can allow the same organizations to plan in advance the management of risks related to information security. Planning is fundamental in this context, as often the company budget dedicated to information security increases only after accidents that, many times, have irremediable consequences in terms of penalties and especially loss of reputation.
  1. What is meant by "computer accidents" or "cyber accidents" – that has to be communicated within 10 months of the issuance of the Decree converted into Law, once the realities to be attached to the perimeter and lists of public and private subjects have been identified? The definition of a cyber incident varies according to the regulatory environment and the legal scope. From a technical point of view, the following definitions need to be developed:
  • An event is an observable change within the usual behaviour of a system or process.
  • An alert is the notification of the occurrence of a particular event or series of events, generated by systems and/or persons responsible for reporting suspicious events.
  • An Incident is an event that has negative effects on the confidentiality, integrity or availability of data within an organisation and/or has negative impacts on the organisation's own processes.In the context of the European Regulation 679/2016 better known as the GDPR, it is important to highlight a particular category of cyber incident, i.e. the Data Breach: it is an Incident, which affects or involves, accidentally or unlawfully, the destruction, loss, modification, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed by the organization.
  1. What is "Golden Power" – present in the article 1-bis of Decree-Law 21/2012? This is the right of the State to exercise control over transactions of particular importance, in this case relating to technologies related to 5G. Control may take the form of setting parameters for certain purchase conditions or even through the possibility of vetoing the adoption of technologies and products.
  1. The costs of control tests – which the National Assessment and Certification Centre (CVCN) could carry out on the supply of hardware and software – will be carry by the providers of these services. Is it possible to make a cost estimate at the moment? It is not possible to make a cost estimate at the moment. What is important to note is that the ex-ante verification processes will certainly have a particularly lower cost than the management of ex-post incidents.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.