In an era where e-payments and cloud services are key elements of our lives and businesses, Network Information Security (“NIS”) has become the essential precondition for a reliable online environment for worldwide trade.
As a matter of fact, with the proliferation of remotely operated connected devices and a more pervasive use of data, increasingly sophisticated cyber-attacks, such as malware, phishing, denial-of-service (DoS) attacks and the so-called “Man in the Middle” (MITM) attack, may expose businesses to commercial losses, negligence claims and public relations problems with customers and suppliers, and are able to compromise vital services that depend on the integrity of network and information systems.
We have just seen the consequences of the first global cyber-attack this week: the “WannaCry” malware, which spread to more than 100 countries across the world, including the UK, Russia, India, China and Italy, forced some hospitals of England’s National Health Service (NHS) to divert patients due to the breakdown of their patient administration systems.
Cybersecurity threats have thus led to increasing regulation, fostering cybersecurity best practices.
The Italian cybersecurity scheme
At the Italian national level, the cybersecurity scheme was established by PM Decree no. 66 of 24 January 2013 (the “PM Decree 2013”), which outlined its organizational and functional structure.
The Prime Minister carries out a supervisory activity, which is reflected in his power to adopt the act that defines objectives and lines of action (the National Plan for cyber protection and security in informatics) and the directives for its implementation.
Under the PM, the cybersecurity architecture is based on strict cooperation between the existing ministerial bodies set up for cybersecurity, namely the so-called “DIS” (the Department of Information for Security) and “CISR” (the Ministerial Committee for the Security of the Republic), and the Ministry of Economic Development, the Digital Agency for Italy and the Ministries of Defense and the Interior.
Undoubtedly the central role is that of CISR, which is entitled to propose regulatory and/or legislative acts, issue opinions, draft guidelines and carry out advisory activity in crisis situations. In performing all such activities, as said, CISR is supported by DIS and by specific structures of the mentioned Ministries.
The PM Decree 2013 also provided for the establishment of: (I) a Scientific Committee of experts in information technology and cybersecurity from universities and research organizations, in order to improve the existing cybersecurity measures (and search for new ones), and (II) a permanent cybersecurity Task Force at the Office of the Military Adviser, composed of members of DIS, AISE (External Intelligence and Security Agency), AISI (Internal Intelligence and Security Agency), the Ministries of the Interior, Defense and Economic Development, the Digital Agency for Italy and the Department of Civil Protection.
The Task Force supervises, provides and ensures the measures to prevent or deal with cyber-attacks that take the form of a crisis, and is also the Italian point of reference for international bodies in these subject matters, for cooperation purposes. Where a cyber-attack reaches a scale that cannot be handled locally and causes severe damage to national security, the Task Force shall convene the Cyber Security Inter-ministerial Table (“NISP”), which coordinates and develops the measures required by the situation.
The EU Cybersecurity Strategy
Since 2013 the European Union has developed a comprehensive strategic framework to protect its citizens and businesses from cyber-attacks.
The EU purpose underlying this strategy is articulated in five strategic priorities: (i) achieve cyber resilience; (ii) drastically reduce cybercrime; (iii) develop cyber-defense policies; (iv) promote the industrial and technological resources for cybersecurity; (v) promote core EU values.
The most recent result of the EU Cybersecurity Strategy is the Directive on Security of Network and Information Systems (the “NIS Directive”) which was adopted by the European Parliament on 6 July 2016 and is to be transposed into national law by July 2018.
The NIS Directive is the first piece of EU-level legislation on cybersecurity and aims at boosting the overall level of cybersecurity in the EU by providing legal measures along three different directions:
– Firstly, Member States are required to set up a competent national NIS authority and Computer Security Incident Response Teams (“CSIRTs”) to gather information on cyber-attacks, handle incidents and risks, discuss cross-border security issues and identify coordinated responses, in order to provide a faster and more efficient answer to cyber-attacks.
– Secondly, the NIS Directive provides for the establishment of a ‘Cooperation Group’ to assist Member States in cybersecurity capacity-building, and of a ‘CSIRT Network’ that supports the Cooperation Group with the purpose of sharing information about cyber risks and guaranteeing effective operational cooperation with regard to specific cybersecurity attacks or incidents.
– Thirdly, Member States are required to identify “operators of essential services” in sectors such as energy, transport, health, banking and drinking water supply. Two obligations lie on businesses identified as such: first, they have to take appropriate security measures to prevent cyber-attacks, and second, they must notify serious incidents to the competent national authority or to the CSIRT. Key digital service providers (search engines, cloud computing services and online marketplaces) are also subject to these obligations, although the security and notification requirements are lighter for them. Micro digital companies, instead, are exempted from these requirements.
The implementation of the NIS Directive in Italy
EU Member States are obliged to transpose the NIS Directive into their domestic laws within 21 months, with 6 more months to identify operators of essential services.
As regards Italy, on 17 February 2017 the Italian Prime Minister issued the “Directive setting out guidelines for national cyber protection and information technology security” (the “PM Decree 2017”), which repeals and replaces the PM Decree 2013 in order to rationalize the functioning of the national cybersecurity structure described above.
In brief, the novelties can be summed up as follows:
- the CISR now actively participates in the resolution of crisis events that involve national security, and can thus advise the PM, make proposals and adopt resolutions;
- DIS has a strengthened role and becomes the very central body of the national cybersecurity structure. In fact, the General Director of DIS sets out the lines of action to guarantee national information security against cyber-attacks, by improving the security standards of information technology systems and the instruments suitable to prevent, face and block cyber-threats. The General Director of DIS also connects the public and the private sector, having the power to enter into agreements with private parties on behalf of public administrations;
- the Task Force becomes an official body of DIS, whose Vice Director acts as President of the Task Force; as a consequence, the competence of the Office of the Military Adviser is now excluded. When facing a crisis, the PM Decree 2017 also states that the Task Force must cooperate with the Italian CERT (Computer Emergency Response Team), established within the Ministry of Economic Development;
- finally, the Minister of Economic Development is entrusted with the task of promoting the creation of a national center of evaluation and certification to verify the security level of products, assets and systems developed and provided by private operators that provide public services or deal with critical infrastructures.
As can be seen, the PM Decree 2017 has not profoundly reformed the tasks of the ministerial bodies or the structure of the national cybersecurity system as outlined by the previous PM Decree.
The vulnerability of Italian businesses
Despite the legislative interventions described above, at European and national level, which foster the adoption of suitable cybersecurity measures for the technological progress connected with the use of the internet or of intranets, the Italian private sector is still not ready to face all the consequences that the development of information technologies brings with it, in particular cyber-threats.
As a matter of fact, most Italian companies are not yet aware of the full breadth of the cybercrime phenomenon, while “intelligence”, or at least “awareness”, will have to be shared at all levels, including among employees. Even highly secured environments have in fact been affected by employees who were not aware of the consequences of certain behaviors (see, for instance, the risks of data breaches incurred by using personal email accounts for business purposes). Unfortunately, the same goes for the public sector, whose economic resources actually intended for the development of such tools and measures, even where required by law, are always too few to be really effective against a hacker attack.
From the perspective of cybersecurity within the public sector, important issues concern in particular the health services. On the one hand, following the international Big Data trend, Public Administrations are going to digitize all the health data of individuals, with the purpose of creating databases capable of cross-referencing all the data collected, which allows almost instantaneous diagnosis that, through the implementation of so-called “Smart Hospitals”, might also be made remotely. On the other hand, as said above, Public Administrations do not devote enough resources, neither economic nor human, to the security of their IT systems.
Such lack of means dedicated to the implementation of suitable safety measures generates a very vulnerable and dangerous situation: in healthcare, cyber-attacks can have ramifications beyond financial loss and breach of privacy, involving life-critical services. And this will be true a fortiori after the full implementation of a “Smart Healthcare System”, where all data concerning the health of individuals will exist only in digital form and will no longer be available in writing on paper. Precisely the sensitivity and importance of health data are the reason why cyber-attacks affect the health services in particular: on the data market, health data are worth more than fifty times as much as, for instance, banking data.
In the light of the global cyber-attack that spread this week, the inadequacy of the safety measures adopted by States has become dramatically clear, and with it the importance of the issue and the need to urgently improve cybersecurity systems.
The recent adoption of the NIS Directive represents an important step to tackle cyber-threats that are increasingly sophisticated and harm the European digital economy.
Now the resilience and stability of network and information systems across the EU rely on how the Member States will implement the principles of the NIS Directive.
In this respect, with the PM Decree 2017, Italy has already taken steps to upgrade its cybersecurity scheme, also with the aim of raising awareness among businesses.
Therefore it now becomes a precise task of companies to act proactively by revisiting their existing NIS practices, or by putting in place a cyber breach response plan for the first time.
Cyber protection is in fact no longer optional in the light of new online dangers.
A man-in-the-middle (MITM) attack is a form of eavesdropping where communication between two users is monitored and modified by an unauthorized party. Generally, the attacker actively eavesdrops by intercepting a public key message exchange and retransmits the message while replacing the requested key with his own.
According to the Annual Cybersecurity Report (ACR) 2017 drafted by Cisco, one third of the respondent companies had experienced at least one cybersecurity incident in 2016 that had a serious negative impact on their activities.
The text of the NIS Directive is available at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC