Chapter 5

Moving Toward an Italian Cyber Defense and Security Strategy¹


5.1. Information warfare and cyber warfare: what are they?

Nowadays armed forces are much more dependent on information networks and systems for command, control, intelligence, logistics and weapon technologies. At the same time, civilian infrastructures rely on information networks and technologies for their functioning. If we take into consideration the number of information systems and networks and their widespread vulnerabilities, it is not surprising that they have become targets for adversaries bent upon disrupting society, the economy and welfare of a nation. If we also consider the availability on the Internet of tools that allow everybody – not only those with IT skills – to automatically take advantage of security flaws for espionage and criminal or military purposes, we can gather a clear picture of the current situation. Sometimes, software security flaws are not even voluntarily exploited.

I wish to recall a personal experience of mine to enable you to see the full picture. One day, while surfing on the net looking for a scientific article, by clicking on a link in Google search I was redirected, quite oddly, to a United States (US) Navy Intranet webpage. This was strange because to get to the same page from the Navy website you need to log in. This page contained a list of high-ranking senior officers with their social security numbers – which are confidential for every US citizen. I was redirected to that page because the name of the article’s author was in that list – even if it was a case of homonymy – but what could apparently look like an innocuous webpage index-linked mistake, was instead a breathtaking vulnerability. It can easily be imagined what would happen if these names were to fall into the hands of criminal gangs, terrorist organizations, cyber warriors or non-allied intelligence services. New identities could be exploited for network-centric warfare to gather additional information since social security numbers are usually used for common identification throughout the military.

In Italy, the theme of cyber-security has been recently dealt with by military research centers¹ as well as by the Italian Parliamentary Intelligence Oversight Committee (Co.Pa.Si.R. – Comitato Parlamentare per la Sicurezza della Repubblica) [COP 10]. The purpose is clear: Italy needs to elaborate a comprehensive cyber-defense and cyber-security strategy in order to prevent and react in an efficient and coordinated manner to possible cases of information and cyber warfare.

However, apart from a comprehensive strategy, it seems that we first of all need a clear definition of the terms ‘information warfare’ and, especially, ‘cyberwarfare’. Too often concepts such as cyber-terrorism and cyber-warfare are ill-used or are used as synonyms. This is also true for cyber-espionage. With respect to the first dichotomy, the danger of assimilating cyber-terrorism to an act of cyber warfare, which is an act of war carried out within the fifth domain, is quite evident². Cyber warfare can be defined as “the unauthorized penetration by, on behalf of, or in support of, a government into another nation’s computer or network, or any other activity affecting a computer system, in which the purpose is to add, alter, or falsify data, or cause the disruption of or damage to a computer, or network device, or the objects a computer system controls” [CLA 10].

Cyber warfare may be symmetric while terrorism, also in its cyber form, is asymmetric by definition. Moreover, assimilating cyber-terrorism with cyber warfare would mean that cyber-terrorists are ‘legitimate combatants’ – an assimilation that is firmly denied by the international community in the physical world. It is also interesting to note how cyber warfare is clearly not governed by the Hague Regulations of 1899 and 1907, or by the four Geneva Conventions of 1949, regulating jus in bello³. This aspect is not secondary, if we consider that cyber operations are often carried out in support of acts of conventional warfare – e.g. the Georgian case – and that they may have indiscriminate effects on the civilian population.

At the same time cyber-espionage is something totally different from cyber warfare, even if the former is aimed at stealing military information, such as new weapon systems.

It should also be noted that the techniques (tools and modus operandi) usually used for cyber-attacks are not univocal. For instance, those normally used in criminal activities are similar to those used for cyber-espionage, cyber-terrorism or cyber warfare. This leads us to another consideration: in most cases these attacks are carried out by private hackers, thus allowing plausible denial by the sponsoring State. This happened in the second half of the 1980s. An example is the cyber-espionage case involving the Chaos Computer Club hacker group and the KGB, described by Clifford Stoll in his book The Cuckoo’s Egg [STO 00].

Cyber warfare attacks are not necessarily perpetrated by military hackers wearing a uniform. This sheds light on the difficulties related to the attribution of the attack source – not only the nature of warfare – especially when the attacker uses “triangulation” (a method where the attacker can disguise the origin of the attack), a technique very familiar to the intelligence community and relatively easy to use within the shadow domain of computer networks. This aspect poses another problem when State A engages private hackers to hack into the information and communication technology (ICT) systems of another country B – possibly an adversary of A – to use them as launch pads for cyber-attacks against an additional country that is its final target C – an adversary of country B and/or A. In the case where B and C are both adversaries of A, this technique permits A to gain a double advantage since it will be able to defeat two adversary countries with a single coordinated attack without being recognized as the originator of the cyber-aggression. It will also trigger a possible reprisal by C against B, giving rise to an escalation of the cyber-conflict between the two enemies. This may have been the scenario in which the Stuxnet cyber weapon was used.

Finally, while defining the notion of cyber warfare, we should also consider the effects of an attack against national stock exchange markets, which could produce an even more damaging outcome than those of conventional warfare.

China and Russia are currently trying to define and shape a legal framework and rules of engagement for cyber warfare [FRI 08]. What we need at the moment at a national and international level is a clear definition of what is meant by cyberspace and information warfare – especially cyber warfare – and, then, the identification of which actions are allowed or banned by the international community. The fact that the same attack techniques are used for criminal, military or intelligence purposes does not mean that these three areas should be treated equally (from a law-enforcement perspective), even if overlapping among the aforementioned areas is common, and considering that there could be State-sponsored attacks carried out by private attackers. This issue has been recognized by the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security (UN General Assembly, Resolution A/65/201 of July 30, 2010). This group is concerned about the involvement of individuals, groups or organizations, including criminal organizations, in “disruptive online activities on behalf of others” [UNG 10], both State and non-State actors. The above-mentioned document contains recommendations – formulated by Italian experts⁴ together with a group of experts from other nations⁵ – aimed at reducing the threat of attacks on each other’s computer networks⁶. The group stated that “there is increased reporting that States are developing ICTs [information and communication technologies] as instruments of warfare and intelligence, and for political purposes. […] Non-criminal areas of transnational concern should receive appropriate attention” [UNG 10]. Indeed, during the past decade, national efforts to work with global partners in cyberspace have centered on combating crimes online. This set aside the more sensitive issues of State involvement in, or responsibility for, cyber intrusions into critical computer systems. This requires a political rather than a judicial solution.

5.2. Understanding the current Italian geopolitical context

Even if a comprehensive cyber threat assessment has not been elaborated in Italy to date, either at an official or unofficial level, we can entertain some considerations beginning with the fact that Italy is a United Nations (UN), OSCE (Organisation for Security and Co-operation in Europe), North Atlantic Treaty Organization (NATO), Council of Europe and European Union (EU) member and that it takes part in several peacekeeping support operations. The Italian armed forces are currently employing 7,811 soldiers in 30 missions in 22 countries and two geographical areas, including the Balkans (NATO), India-Pakistan (UN Nations Military Observer Group in India and Pakistan), Sudan (UN African Union-United Mission in Darfur), Lebanon (UN Interim Force in Lebanon), Israel (UN Truce Supervision Organization), Gaza (EU), Iraq, and Afghanistan (International Security Assistance Force, EU Police Mission in Afghanistan or EUPOL) [MDD 10]. According to a Ministry of Foreign Affairs report [MAE 09], Italy is the first ‘blue helmet’ contributing country among the European G8 partners, the second EU country for the number of personnel engaged in missions abroad, and the ninth largest contributor – out of 117 countries – to UN military and police operations with its 2,864 peacekeepers. These facts and figures are indicative of Italy’s well-defined role in the maintenance and enhancement of international governability with related burdens and risks. In this regard, Italy’s alliance with the US⁷ – which is one of the cyber-power nations together with China, France, Germany, Israel, Russia and the United Kingdom [CLA 10, AGY 09] – requires the protection of the nation from both State and non-State adversaries. In this connection, some important exercises were held in 2010 that were aimed at assessing the cooperation capabilities of participating organizations and improving the procedures for exchanging information within the national, pan-European and NATO scenario through “Cyber Shot 2010”, “Cyber Europe 2010” and NATO “Cyber Coalition 2010”, respectively [ANA 10, ENI 10a]. Moreover, the Italian armed forces, as in other developed nations, strongly rely on commercial off-the-shelf technologies rather than on government off-the-shelf ones, and this presents some vulnerabilities due to private foreign manufacturing of electronic components (hardware and software) that may contain security flaws, embedded malware, or loggers for stealing sensitive information.

Products produced for the defense market can be altered throughout the product lifecycle, “from the inception of the design concept, to product delivery, and to product updates and support” [USA 10]. Undoubtedly, the possibility of rogue microchips from China, for example, which is considered one of the main countries with information warfare capabilities [KRE 09], represents an important counterintelligence problem. Nowadays, computer chips and software are produced globally and an adversary can infect high-tech military equipment with computer bugs. This is particularly true for current military technologies: the more technological they are, the more vulnerable they will be, even if countermeasures are built up. This is why doctrines, policies and strategies on information and electronic warfare should be elaborated on and kept constantly updated to keep pace with ICT developments. From this perspective, Italy – together with France – is currently involved in the FREMM (FRegate Europee Multi Missione, i.e. the Multi-mission European Frigates) program and will acquire at least six of the 10 frigates initially envisaged, which will also be equipped with electronic warfare devices. Another example is given by the technologically-advanced stealth fighter F-35B Lightning II with which the Italian Navy and Air Force would like to renew their fleet, whose plans were stolen by hackers who could have implanted logic bombs in the code that manages the aircraft’s wired brain [CLA 10].

However, cyber warfare attacks may have indiscriminate targets and effects. They can – either directly or indirectly – destroy or disrupt civilian infrastructures on which military networks and systems also depend. The more digitalized a country is, the more vulnerable it is to cyber attacks, as the Estonian case clearly shows. Many highly computerized nations are working on devising their own defense mechanisms. If we look at the 2010 UN e-Government Readiness Index, we can see that Italy is ranked 38th in the list of the top 50 countries in e-government development⁸. From this standpoint, Italy is less vulnerable to cyber attacks against governmental ICTs than other European countries that ranked higher in the above-mentioned index, e.g. the United Kingdom (4th), the Netherlands (5th), Norway (6th), Denmark (7th), Spain (9th), France (10th), Sweden (12th), Germany (15th), Belgium (16th), Switzerland (18th) and Estonia (20th) [UNI 10, pp. 114].

It is extremely difficult to find reliable and complete data on cyber-attacks against a specific country, considering that not all attacks are easily detectable if they do not show their effects in the physical world. However, as far as Italy is concerned, we can mention two recent cases that have had tangible repercussions. On January 26, 2007, the Italian Air Force website was successfully defaced by four Turkish hackers claiming that it was “a protest against those who support the war”. More recently, in November 2009, the Air Force and Ministry of Defense websites were infected by malware that automatically and stealthily reproduced itself by downloading onto visitors’ machines without them noticing.

In the case of war, either kinetic or cyber, critical national infrastructures (CNIs) may be the first to be hit, together with traditional military targets. As the cyber incident at Iran’s Bushehr nuclear plant demonstrates, this kind of cyber-attack has increased to an unprecedented level of sophistication. The criticality is reflected by the fact that SCADA (supervisory control and data acquisition) systems that manage CNIs are connected to internet protocol (IP) networks or to the Internet⁹, as reported in a recent survey conducted by McAfee interviewing 600 managers from 14 advanced countries, including Italy [MCA 10]. According to this report, around 45% of Italian managers interviewed think that foreign governments are involved in attacks against CNIs [MCA 10] and the countries that generate primary concern are China (around 40%), the US (21%) and Russia (5%) [MCA 10]. Nowadays information and communication infrastructures (ICIs) govern CNIs and are themselves critical infrastructures on which defense and national security agencies also rely. Italy hosts the main exchange point between Central and Southern Italian internet service providers (ISPs) – the Nautilus Mediterranean eXchange point (NaMeX) in Rome – on which Southern European and Mediterranean carriers converge. Apart from ICIs, those that provide electric energy are the most sensitive among CNIs.

In this regard, two major challenges have been identified by the EU.

First, we are all increasingly dependent on ICTs in all areas of our daily life. Indeed, ICTs govern energy-critical infrastructures – normally managed by privately-owned companies – on which other critical infrastructures are in turn interdependent:

– ICTs themselves;

– other energy supply services (natural gas and oil);

– food and water supply;

– waste disposal;

– hazardous materials storage;

– government and public agencies in general;

– finance and insurance companies;

– healthcare, emergency and rescue services;

– transport, traffic and logistic services;

– postal services;

– mass media; and

– cultural and research institutions.

Such interdependence and the great complexity of CNIs mean that even small outages, failures and disruptions can produce dramatic consequences (the so-called “vulnerability paradox”).

Second, the creation of a common and liberalized energy market in the EU has driven the development of regional networks that extend across national and even EU boundaries. This is true for both electricity and gas supplies provided through long distance pipelines. The gas supply system is considered the ‘Achilles’ heel’ of the European energy supply security, since the supply chains start in other States – often situated in difficult regions, such as the North Sea and the Maghreb and, in the future, also in the Arctic area, Caspian Basin, Persian Gulf, Middle East, and Central Africa. These pipes transport natural gas across several transit States before reaching their final destination [NER 09]. The growing EU dependence on gas and other energy imports from countries outside Europe – including unstable regions – determines an expansion of network interconnections that increase vulnerability to cyber-attacks. It is, however, outside the remit of this chapter to analyze Italian strategy for energy policies. In this framework it is sufficient to know that, according to the 2010 ENEA¹⁰ report on energy and the environment, in 2009 the Italian level of foreign energy dependence remained virtually unchanged at around 85%, compared to the average of about 53% across the 27 EU Member States. There is a growing dependence on foreign markets for natural gas compared to a basic stable dependence on imported oil [ENE 10]. A comparison between Italy and some major EU countries – France, Germany, Spain, and the UK – shows that, as opposed to different levels of dependence on total energy, for all these countries there is a constant dependence on oil (close to 100%) required by the transport sector – except for the UK, which has a significant domestic production. The Italian case, however, is unusual considering its total dependence on the importation of solid fuels (like France) – in the absence of a significant domestic production – and of electric energy, which is historically constant [ENE 10].

Both ICIs’ and CNIs’ network security and resilience can be ensured through supranational coordinated strategies. Since the bulk of critical infrastructures, as we have just seen, are transnational, an international approach is required.

5.3. The Italian legal and organizational framework

The importance and strategic value of public information systems was first recognized by the Minister for Innovation and Technologies Directive in the January 16, 2002 document Information and Telecommunications Security in the Public Sector. However, the legal basis for the protection of CNIs from cyber-attacks can be found in Article 7bis (electronic security) of law no. 155 from July 31, 2005, which contains urgent measures for countering international terrorism. CNIs are those processes the destruction, disruption, or partial unavailability of which significantly weakens the efficiency and functioning of the vital services of a nation. Specifically [COP 10]:

– production and distribution of energy;

– communications;

– transport;

– management of water resources;

– production and food distribution;

– health (hospitals, networks and interconnection services);

– banks and financial systems;

– security and civil protection;

– supporting networks of institutions and constitutional bodies;

– special services provided by some strategic organizations and companies.

A dedicated State police unit, the National Computer Crime Center for Critical Infrastructure Protection (CNAIPIC or Centro Nazionale Anticrimine Informatico per la Protezione delle Infrastrutture Critiche)¹¹, was established in order to apply law no. 155. It has been in operation since June 23, 2009, on a 24 hours a day, seven days a week basis, and supports the security efforts of the operators of computerized information infrastructures, listed in the Minister of the Interior’s decree of January 9, 2008¹². To ensure CNI security, agreements have been entered into by the Ministry of the Interior’s Department of Public Security and public/private companies providing critical services [VUL 10]:

– the Italian mail service (Poste Italiane);

– the national agency for air-traffic control (Ente Nazionale Assistenza al Volo or ENAV);

– telecommunications companies (Telecom Italia, Vodafone, Fastweb, Wind, H3G);

– energy producer and provider companies (Terna, Enel, ENI, ACEA);

– banks and financial institutions (CONSOB¹³, ABI¹⁴, Bank of Italy, and private banks);

– the Italian Railway Company (Ferrovie dello Stato);

– Alitalia; and

– mass media such as RAI¹⁵, ANSA¹⁶ and Mediaset.

It should be noted, however, that the mission of CNAIPIC is to prevent and prosecute computer crimes of a common, organized or terrorist nature through intelligence capabilities and judicial police tasks. Therefore, cyber-attacks for information and cyber warfare purposes lie outside the mandate of the above-mentioned agency.

The Italian intelligence services are also actively involved in cyber-security activities. Within the Information Department for Security (or Dipartimento Informazioni per la Sicurezza) of the Presidency of the Council of Ministers, which is the coordinating body of the two intelligence agencies AISI (Agenzia Informazioni e Sicurezza Interna – Internal Information and Security Agency) and AISE (Agenzia Informazioni e Sicurezza Esterna – External Information and Security Agency), there is the UCSe (Central Office for Secrecy – Ufficio Centrale per la Segretezza). This office has expertise concerning the security of classified communications (COMSEC) and the physical security of facilities that handle classified information. UCSe also takes part in the work of the UN Group of Governmental Experts to study the consequences of cyber-attacks and evaluate possible countermeasures to protect critical information systems. Furthermore, an ICT counterintelligence section has recently been created within the counterintelligence department of the Internal Information and Security Agency, in accordance with Law No. 124/2007 that transferred internal counterintelligence tasks from the former SISMi (now the AISE) to AISI. This section operates in close cooperation with police forces and with strategic public and private national organizations. Its technical personnel participate in multilateral forums, such as the Working Groups on Electronic Attacks and the Working Group on Interceptions. AISE has an INFOSEC Division instead, which is responsible for identifying and neutralizing ICT attacks on the Agency’s and country’s information resources. It also achieves this through timely cyber-intelligence information-sharing with international partners.

In 2007, a board for the protection of CNIs (Tavolo PIC – Protezione Infrastrutture Critiche) was established within the Office of the Military Advisor of the Prime Minister to study and analyze CNIs. Representatives from major interested ministries are assigned to the board.

Moreover, pursuant to an EU Directive¹⁷, in order to identify and list Italy’s crucial infrastructures beginning with the energy and transportation sectors, a technical secretariat – functionally subordinate to the Military Advisor of the Prime Minister and inclusive of computing facilities – was formed in January 2010¹⁸ to protect CNIs. It also fosters interdepartmental coordination of national activities, including within international forums. This list is classified, since a well-coordinated attack against those infrastructures could seriously jeopardize the national security of Italy, even if their protection is mainly focused on accidents, such as natural disasters, rather than attacks¹⁹. This is confirmed by the creation of the above-mentioned secretariat within the Centre of Civil Protection/CBRN (chemical, biological, radiological and nuclear) of the Civil Protection Department.

In addition, the e-government 2012 information technology security plan foresees the stabilization and strengthening of the Computer Emergency Response Team (CERT) of the Public Connectivity Service created within the National Center for Information Technology in Public Administration (CNIPA or Centro Nazionale per l’Informatica nella Pubblica Amministrazione) – now called “DigitPA” – under Article 21, paragraph 5(a) of the President of the Council of Ministers Decree of January 4, 2008. In this context, a stronger integration between the central component (CERT-SPC, the CERT for Connectivity Public System) and Public Administration structures that are locally distributed is felt necessary. These bodies have the task of implementing measures to prevent and manage accidents that may occur on systems inherent to their domain, and follow the instructions and support provided by CERT-SPC²⁰. The consolidation of the CERT-SPC provides the central government with the capability to:

– have an information network that is primarily focused on collecting data and information necessary for coordination in their frame of reference;

– use advanced tools for monitoring vulnerabilities and observing hostile behaviors on the network;

– develop a complex system of communication through alerts and reports of emergencies, addressed to personnel and facilities involved in the operational management of government information technology systems;

– use standardized procedures for response and coordination in the event of computer accidents;

– interact with a variety of analogous bodies to ensure proper verification and correlation of information and data obtained; and

– improve the mechanisms and protection measures based on incident analysis.

Between 2002 and 2003, well before such major developments, two groups were created within the Department of Innovation and Technology of the Presidency of the Council of Ministers [ENI 10b]. The first was a National Technical Committee on Informatics Security, which is responsible for improving the information technology security of public bodies and for defining their nationwide ICT security plan. The second is a Working Group on Critical Information Infrastructure Protection, which is composed of representatives from government departments and agencies, as well as private sector actors involved in the management and control of CNIs.

Finally, it is interesting to note that last year Italy’s Prime Minister issued a decree on the national organization for crisis management²¹, which led to a reorganization of the crisis management system by creating a Political-Strategic Committee (Comitato Politico-Strategico or CoPS) and an Inter-ministry Unit for Situation and Planning (Nucleo Interministeriale di Situazione e Pianificazione or NISP). The CoPS is charged with addressing and managing national crises. It is chaired by the Prime Minister and its members are the Ministers of Foreign Affairs, Defense, Internal Affairs, Economy and Finance. The NISP, on the other hand, is a permanent body chaired by the Under-Secretary of the Presidency of the Council of Ministers-Secretary of the Council of Ministers. It aims to support the CoPS and the Prime Minister in the case of a current or potential crisis, as well as preventing damage, planning countermeasures and preparing the country in case a crisis should arise. The NISP, which replaces the Political-Military Unit (Nucleo Politico-Militare), a non-permanent body providing the CoPS with consultancies in times of crisis, systematically monitors the national and international security situation to foresee and prevent possible crises. It relies on the early-warning system provided by the bodies represented within the NISP, namely the interested ministries and the intelligence community²². A common Secretariat for the CoPS and the NISP is foreseen within the Prime Minister’s Military Consultancy Office [GER 10]. It is worthwhile noting that the above-mentioned bodies would play a strategic role in the event that an information- and cyber warfare-related crisis should arise.

This multiplication and proliferation of actors within the Presidency of the Council of Ministers creates a problem in the case of a real and not simulated cyber warfare attack or, more generally, information warfare activity, since it would be difficult to establish who should do what. This also represents a vulnerability of the system.

5.4. The need for a national cyber-defense and -security strategy

To date, Italy has successfully built up infrastructures to tackle cyber-crime and protect intellectual property, including trademarks and industrial patents. However, as stated in the Co.Pa.Si.R. report on the possible implications to national security of cyber threats [COP 10], what is lacking is a strategic plan to counteract the cyber-threat – as part of a national security strategy – that dictates the guidelines to all stakeholders, coordinating efforts and planning actions for security implementation of CNIs. The Italian Parliamentary Intelligence Oversight Committee, moreover, recognizes that appropriate countermeasures have to be adopted before the attack occurs, since success is directly proportional to the speed of implementation of countermeasures.

It is also evident that, considering the global dimension of the cyber-threat, intervention strategies involving all security bodies are necessary, including those beyond national boundaries. In this regard, the Parliamentary Committee has registered an absence of unique coordinated planning at a political level. To overcome this shortage in planning, Co.Pa.Si.R. recommends that the government adopt a strategic-organizational system to ensure appropriate leadership and clear policies for tackling the threat and coordinating stakeholders. The report stresses the fact that this could be achieved through a coordinating structure within the Presidency of the Council of Ministers, without the need to grant additional funds, but simply redefining the activities of existing facilities. This structure should perform specific tasks, such as:

– define the threat and provide a draft of a national security document dedicated to the protection of critical infrastructures;

– prepare an action plan outlining the perimeter of Italian cyber-security, defining the roles and responsibilities of those responsible for national cyber-security;

– draft strategic policies for cyber protection, resilience and security, in close coordination with public and private partners, starting with our intelligence services;

– promote public awareness-raising campaigns and common specialized training among various stakeholders at national and international level;

– prepare disaster recovery plans for data of strategic value for the security of the Republic; and

– coordinate the participation of Italian delegations to international cooperation boards, bilateral and multilateral, at EU and NATO level.

The Committee also recommends an insight, from a technical, legal and regulatory perspective, on the emerging practices of acquisition and retention of computerized data. This is particularly important with regard to phenomena such as cloud computing and the proliferation of virtual servers, as well as on the delicate profiles related to deep packet inspection operations, which has an undoubted effect on the protection of national security but requires proper regulation to ensure privacy and confidentiality. The delicate balance between privacy and national security requires the constant updating of laws in compliance with the constitutional right to privacy.

The same Co.Pa.Si.R. report highlights that the transnational nature of the threat requires a wider participation of Italian intelligence services in international coordination initiatives. This applies, in particular, to the need to identify a national focal point for the Network Security Incident Alert Mechanism established upon the decision of the EU Council Secretary General following the protracted cyber-attack against the unclassified IOLAN (intranet office local area network) network of the EU. This was before the establishment of the envisaged European bodies (including an EU-CERT) dedicated to the protection of critical information technology infrastructures. The above also applies to the process underway within NATO – and particularly within the Working Group on Information Assurance of NATO Security Committee, in which UCSe participates. This is probably intended to urge Member States to identify a national authority of reference on the matter. On both fronts, Co.Pa.Si.R. suggests to the government that the Information Department for Security, which already strategically and operationally participates in the coordination of activities to prevent and combat cyber-threats to national security, is the most appropriate institutional reference.

Specifically referring to information warfare, the report then concludes that Italy should promote consensus-building in multilateral forums, leading to the drafting of a treaty to counter State-originated cyber threats, such as the use of information and network technologies as unconventional military tools. It states that this could be achieved through the creation of an International Centre for the Repression and Control of the proliferation of offensive cyber tools. Indeed, the current militarization of the scenario by major geopolitical players is liable to degrade political and strategic relations and undermine the search for a world order based as much as possible on stability and cooperation. In this context, Italy is called on to participate, politically and diplomatically, in NATO’s joint action plan to respond to the threat posed by the military use of networks. It is also involved in the expansion of the scope of ‘collective security’ envisaged by Article 5 of the North Atlantic Alliance Treaty to cases of ‘computer attack’23.

In order to counter cyber-threats, policy-makers are currently discussing the creation of a cyber-defense command. In this regard, the Italian Parliamentary Intelligence Oversight Committee has consulted many experts from both the public and private sector on the best way to counter cyber-attacks on Italian national security, in order to deliver a package of proposals to the Parliament. Currently, Italian cyber-security is managed by the armed and police forces and government departments but, as noted by one of the experts heard, there should be a common definition and vision of those threats. Decision makers are discussing whether to create one or two controlling structures, in the latter case one military with links to intelligence agencies and the other civilian. Italy has many cyber-crime units, some also dealing with cyber-terrorism, but what is missing is a structure that is able to tackle information warfare and, specifically, cyber-war-type attacks. To prevent and react to this kind of cyber-attack, a 2008 report commissioned by the Center for Military Strategic Studies [IOV 08] proposed the creation of a Centre of Excellence (CoE), which should be coordinated by a director who reports, and is directly subordinate, to the director of the intelligence apparatus, or other equivalent defense structure. Other than managing CoE activities, the director should coordinate CoE relationships with analogous centers of Italian and foreign intelligence services, as well as with other bodies such as research centers, universities, national and international companies. The CoE shall be composed of four units: information systems; data analysis and processing systems; telecommunication systems; and identification and recognition systems24.

The report also suggests that, together with the CoE, a defense information infrastructure should be established and implemented, which should incorporate all defense networks – both classified and unclassified – since such an effort would allow resource optimization at networking, security and core services level. It would also ensure interoperability with NATO, the EU and other international organizations’ systems and services, through the Information Exchange Gateway.

Interoperability and coordination are also essential from a policy and strategic perspective. At the moment many EU countries have their own policies for critical information infrastructure protection, which are fragmented and not coordinated, and a coordinated emergency response between national governments and EU institutions is still lacking [REN 10]. Therefore, while thinking about a possible cyber-defense and -security strategy for Italy, we cannot leave the EU internal security strategy [EUC 10] out of consideration. Although this document is focused on cyber-crime, some considerations also apply to cyber warfare attacks, such as those contained in “Action 3: Improve capability for dealing with cyber attacks” of “Objective 3: Raise levels of security for citizens and businesses in cyberspace”, and in “Objective 5: Increase Europe’s resilience to crises and disasters”. In Objective 5, the document expressly recognizes how the EU is exposed to an array of potential crises and disasters, such as those caused by cyber-attacks on critical infrastructures:

“These […] threats call for improvements to long-standing crisis and disaster management practices in terms of efficiency and coherence. They require both solidarity in response, and responsibility in prevention and preparedness with an emphasis on better risk assessment and risk management at EU level of all potential hazards” [EUC 10].

With the aim of enhancing prevention, detection and fast reaction in the event of cyber-attacks or cyber-disruption, by 2012 all EU Member States and EU institutions themselves should have established a “well-functioning CERT”, which will be supported by ENISA. These CERTs should cooperate with law-enforcement agencies to prevent and react to cyber threats. By the same deadline, “Member States should network together their national/governmental CERTs […] to enhance Europe’s preparedness” [EUC 10]. Together with ENISA, Member States should develop national contingency plans and undertake regular national and European exercises in incident response and disaster recovery. Moreover, by 2013, with the support of the European Commission and ENISA, a European Information Sharing and Alert System and a network of contact points between relevant bodies and Member States will be established [EUC 10].

In the framework of the European Program for Critical Infrastructure Protection (EPCIP), Council Directive 2008/114/EC of December 8, 2008, which identifies the ICT sector as a future priority sector (Section 5)25, foresees that a security liaison officer should be established in every EU country who acts as a point of contact for security-related issues between the owner/operator of the European critical infrastructure and the relevant Member State authority (Article 6). Each Member State shall conduct a threat assessment and shall report to the Commission every two years (Article 7). They shall appoint a European Critical Infrastructure Protection focal point that shall coordinate European critical infrastructure protection issues within the Member State, with other Member States and with the Commission (Article 10)26. The EPCIP also includes a Critical Infrastructure Warning Information Network, created in 2005 by the Commission, which brings together the critical infrastructure protection specialists of Member States assisting the Commission in drawing up a program to facilitate the exchange of information on shared threats and vulnerabilities and appropriate countermeasures and strategies27.

Of course, a cyber defense and security strategy should also take into account the new NATO Strategic Concept, adopted in Lisbon on November 20, 2010, which replaces the old one approved in Washington in 1999. During the discussion about the strategic concept, there had been divergences between the US and allied European countries. Among them, the US stressed the necessity to enhance the protection of the Internet and other networks and envisaged collective defensive and offensive cyber warfare operations. However, while allied European countries agree on the necessity of having collective defensive cyber warfare capacities, they do not support the proposal for establishing a corresponding offensive apparatus [CER 11].

Section 19 of NATO’s new Strategic Concept clearly states that NATO has to develop further its “ability to prevent, detect, defend against and recover from cyber-attacks, including the use of the NATO planning process to enhance and coordinate national cyber-defence capabilities, bringing all NATO bodies under centralized cyber protection, and better integrating NATO cyber awareness, warning and response with member nations” [NAT 10]. In this regard, Italy is one of the sponsoring countries28 that contributed to the creation of the Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, on May 14, 2008. This Centre conducts research and training on cyber warfare in order to enhance NATO’s cyber-defense capabilities. This body, which is responsible for further developing NATO cyber-defense doctrine and strategy, together with the Cyber Defence Management Board, which is the main consultation body for the North Atlantic Council on this subject and provides advice to Member States, should be kept in consideration while developing a national cyber-defense policy and strategy that is truly coordinated and consistent with the Alliance approach.

Since a clear, coordinated and coherent national strategy is still missing, we are going to consider a possible cyber-defense and security strategy for Italy. We aim for a proactive rather than a reactive approach, one that ensures operational flexibility and adaptability, taking into consideration what has been developed to date on this subject in other countries and by supranational organizations such as NATO and the European Commission. Even if, for obvious reasons, information and cyber warfare policies and strategies are not publicly available, with some exceptions like the US where doctrines are publicly discussed, we can make reference to national cyber-security strategies, which are all too often general. Most probably, this is currently due to policy-makers not having a full comprehension of this phenomenon. Starting from the assumption that there are no valid solutions for every country, and that national policies, strategies, theories and doctrines reflect the political background and organizational culture of interested agencies, we can draw some conclusions.

After having established who should participate in the drafting of a cyber defense and security strategy, it is important to consider the issues that such a strategic document must address. There is no doubt that, since the bulk of potential targets are owned by private entities – for example ISPs, telephone companies, electricity, water and gas suppliers, and nuclear power plant owners – they should be actively involved in the design and development of national doctrines, strategies and policies on cyber security and defense. They should work together with relevant institutional stakeholders – thus envisaging the necessity of public-private partnerships29. The aspects that this multidisciplinary team should address are several and varied, ranging from technical to geopolitical, from organizational to legal ones. Let us observe the main points.

First, a clear chain of command and control seems to be needed. A possible solution is a one-stop coordination center for national cyber-security that deals with cyber-related threats whatever their nature: hacker, criminal, terrorist, military and so on. The coordination center should be established within the Presidency of the Council of Ministers – absorbing all the existing uncoordinated and dispersed structures – and should encompass three clusters: a political board, a research and development unit and a technical-operative body. These should be directed by a responsible individual, preferably an Under-Secretary of State, who must have deep knowledge of the subject – thus encompassing the political and technical stance in a single person. This person needs to mediate between the coordination center and the Prime Minister. Naturally, the Under-Secretary of State should rely on a secretariat that has the required personnel and capabilities to support the several and complex tasks required. The political board should represent all interested ministries – defense, internal and foreign affairs, economy and finances, infrastructure and transport. The order of business and the calendar of the sessions should be established by the Under-Secretary of State responsible for the coordination center and the chair of the political board. He/she should also be responsible, including upon the suggestion of the ministries’ representatives, for inviting audit experts and authorities from relevant public institutions, such as CNAIPIC, Information Department for Security and the Civil Protection Department, and from private companies, such as administrators or technicians from CNIs, to the sessions. The board should have the task of developing national strategies and policies, with the support of the other two components of the coordination center.

The research and development unit should merge the knowledge coming from national intelligence services – civilian and military – and from university departments and think tanks, to draft studies, reports and analyses. The unit should act as an early-warning system, should draft strategic analyses and should foster technical solutions for enhancing resilience, cyber-defense and security.

Finally, the technical-operative body, exclusively composed of highly-skilled technicians, should keep the national networks and systems constantly monitored – keeping contacts and sharing information with national CERTs. Together with the research and development unit and the political board, it should provide a full picture of the strengths and vulnerabilities of our networks. The technical body can also act as an advisor for CNIs.

Both the research and development unit and the technical-operative body should be partly composed of personnel seconded from relevant national ministries, agencies and departments to ease information-sharing. The coordination center shall also play a fundamental role in the international arena, since it can act as the single point of reference for the NATO Cyber Defence Management Board and ENISA. Moreover, the research and development unit can be in charge of drafting the threat assessment to be submitted to the European Commission every two years, while the technical-operative body can encompass the security liaison officer and the European Critical Infrastructure Protection contact point envisaged by the Council Directive 2008/114/EC, as well as the national focal point for the Network Security Incident Alert Mechanism.

The coordination center should have the power to reorganize the bodies currently operating within the Presidency of the Council of Ministers – rationalizing resources and avoiding useless duplications and redundancies – without changing the organization and mandate of external existing organizations, such as CNAIPIC and intelligence agencies’ sub-units.

This reorganization will respond to two necessities. First, since cyber war happens swiftly, the effects of a cyber-attack can be immediate and unforeseeable. This leaves decision-makers with no time to think and take decisions, and stresses the importance of sharing almost real-time intelligence (within the research and development unit) and post-mortem forensic data (eased by the technical body) among relevant stakeholders, e.g. military and law-enforcement authorities. Second, this will allow the attribution problem to be dealt with properly and determine what action is needed and justified, proportionate and appropriate according to national and international law. This is because when enough confidence on the motives for an attack/incident is gained, the coordination center will be able to switch the case to the competent agency – civil protection, military, intelligence or law enforcement – or to a group of them according to the nature and complexity of the case. The attribution problem can be overcome through strong computer forensics capabilities and conventional intelligence: capacities that come from different agencies.

Many attacks are blurred, considering that cyber criminals can become “rental cyber warriors” and potential targets are often non-military but are indirectly involved in military infrastructure. As stated in the White House’s 2010 Cyberspace Policy Review, “[…] this issue transcends the jurisdictional purview of individual departments and agencies because, although each agency has a unique contribution to make, no single agency has a broad enough perspective or authority to match the sweep of the problem” [WHI 10]. The US cyberspace policy envisages the appointment of a cyber security policy official responsible for coordinating the US’s cyber security policies and activities. This official would chair the already established Information and Communications Infrastructure Interagency Policy Committee. The US Comprehensive National Cybersecurity Initiative is to put together law enforcement, intelligence, counterintelligence and military capabilities to address the full spectrum of cyber threats. Thus, an “integrated approach” is the most suitable solution.

As for the defense sector, since many nations – such as China, France, Russia, and the US, to name but a few – have already established cyber commands and cyber warfare units with offensive and defensive capabilities, Italy should develop a cyber command within the Ministry of Defense. The command should be able to integrate the capabilities of existing units, namely Unit II – Information and Security (the military intelligence service), Unit VI – C4I Systems and Transformation, and the Defense C4 Command, with information and cyber warfare capacities. While the protection of military networks and systems is ensured by the Defense’s CERT, which is a component of Unit II, the armed forces should also protect civil networks and CNIs, not only during conventional war but also in the case of cyber warfare. Otherwise, such infrastructures would remain without the State’s protection, given that CNAIPIC is a police entity and the task would be outside its mandate. Therefore, close cooperation between the cyber command, CNAIPIC and CNIs – directed and eased by the coordination center – should be taken into consideration. In this regard, the Cyber Shot 2010 exercise organized by the CERT-Technical Defense Centre saw the participation of CNAIPIC and ENAV, among others, and it is desirable that future drills also involve other main CNIs to improve joint incident response and disaster recovery.

It is also important to note that, according to the Italian Constitution, “Italy repudiates war as an instrument of offence to other people’s liberties and as a means to resolve international controversies […]” (Article 11, see section 1). Therefore, an Italian cyber warfare strategy can only be framed from a cyber-defense perspective, excluding Italy being the first to use cyber weapons in the framework of a pre-emptive attack. This does not exclude cyber-offence capabilities, especially those to be used as force multipliers, in the case of conventional or unconventional warfare. Rather, Italy should develop its own cyber war capabilities like other NATO Member States. The sole fact that every developed nation has its own information and cyber warfare capabilities should urge Italy to improve its own.

As already mentioned, public-private partnerships are also essential for designing and implementing a cyber-defense and -security strategy – since the private sector runs and manages most of the network and critical infrastructures used by government and private users. The PPP should establish the roles and responsibilities for each partner, such as industry, financial institutions and academia. Operators of critical infrastructures should engage with government officials and set up procedures and protocols in case of an attack. Thus, the chief executive officers and chief technology officers of major information technology/defense companies and critical infrastructures should meet regularly with the security liaison officer envisaged by the Council Directive 2008/114/EC. They should also meet with other officers from relevant ministries and agencies/departments within the proposed coordination center.

Public-private partnerships also facilitate trusted information-sharing among relevant EU stakeholders [REN 10]. Indeed, as urged by the European Commission, within the EU, Italy should share information through the European Public-Private Partnership for Resilience (EP3R) [EUC 10]. Cooperation with international partners through a structured exchange of information and good practices could considerably facilitate the fight against cross-border threats. A report by NATO’s Parliamentary Assembly [NPA 09] encourages the cooperation and exchange of information between State authorities and crucial NATO cyber defense bodies, such as the CDMA30.

It is also necessary to coordinate national strategies, integrating them in a global dimension within the EU Common Security and Defense Policy, as envisaged in the Lisbon Treaty, which entered into force on December 1, 2009. Moreover, “the security strategies of the EU and NATO should not only be complementary but also convergent, each giving due weight to the potential of the other” [EUP 09: Section 10]. To this should be added the fact that Italy has recently supported the project for a common European defense within the EU through the renewed European Defense Agency [SEN 10].

National policies should also be in compliance with an international framework on information and cyber warfare that will establish which acts are lawful and which are not, in order to develop compliant rules of engagement. The purpose is to minimize collateral damage and to be in compliance with the fundamental customary International Humanitarian Law, including the principles of humanity, proportionality and distinction. Indeed, according to US Senator Carl Levin, Chairman of the Senate Committee on Armed Services, “cyber weapons are approaching weapons of mass destruction in their effect” [SIN 10]. Current international law does not explicitly address information and cyber warfare, and the possibility of an international treaty on cyber warfare was discussed at the 2010 World Economic Forum in Davos, Switzerland [HUG 10]. The main challenges that have to be faced are:

– finding a shared definition of what constitutes an act of cyber warfare;

– attack attribution;

– dual-use weapons; and

– proxy attacks.

However, an international treaty on war in this fifth dimension appears to be unfeasible due to several issues. Even if States reach an agreement on what constitutes an act of cyber warfare and sign and ratify an international convention on it, international law cannot – by definition – keep pace with technological developments, and the convention would quickly become obsolete. Moreover, it does not apply to non-state actors and the verification of its implementation seems to be impossible with regard to limiting – and even monitoring – the proliferation of banned cyber weapons. In this regard, the idea proposed in the Co.Pa.Si.R. report to establish an International Centre for the Repression and Control of the proliferation of offensive cyber tools seems unfeasible due to the volatile and easily concealable nature of cyber arms. To overcome this issue and that of attribution, the more viable path seems to be that proposed in the US where States are considered accountable for malicious cyber activity generated in or passing through their cyber space, whether State-sponsored or not [ZET 10].

Another issue is the great importance of developing cyber-security higher education in order to prepare talented ICT experts for employment by institutions such as the defense and intelligence services, and to retain them through career incentives to prevent their leaving the public service for the private sector [WHI 10]. Directly linked with this aspect is the enhancement of awareness and skills to reduce vulnerabilities and counter threats in the cyber domain, from users to system and network administrators. One of the most successful and most frequently used attack tools should not be forgotten: ‘social engineering’. The human factor continues to be the main point of vulnerability; therefore, administrators must be held accountable for the security of systems and networks. Moreover, ICT security experts and system/network administrators in the public and private sectors should be trained in ‘ethical hacking’, which will allow them to identify computer flaws and vulnerabilities before they are exploited by an adversary31. At the same time, security controls over CNIs’ employees are needed in order to prevent or at least to manage the threat from insiders.

At least one of the possible insider threats can be defeated by ensuring that SCADA systems cannot be accessed through USB ports or other connections through which malware can be transmitted, as happened in the Stuxnet case. The problem of external memory devices should be borne in mind when designing hardware and software components for critical infrastructures. Controls over the hardware and software supply chain for military and other critical infrastructure networks and systems should also be envisaged in order to prevent sabotage and the injection of malicious instructions into the source code.

Moreover, CNIs should remain disconnected from the Internet, and unencrypted command and control radio transmissions should be avoided. Intranets should be kept distinct and not linked to the Internet through web-portals. Access to critical information systems should only be granted through the satisfaction of multiple key authentication requirements. Furthermore, resiliency should be ensured through secret intrusion prevention systems, deep packet inspection and a back-up of the command and control network. Since these practices may violate users’ privacy and civil liberties, those rights should be safeguarded by the Privacy Warrantor.

5.5. Conclusion

Italy needs a Cyber Security National Strategic Plan that envisages an integrated and coordinated approach among key stakeholders, which should be ensured through the establishment of a one-stop coordination center for national cyber security. To date, different official policy documents have been produced for each sector – defense, foreign affairs, internal security, intelligence – but never a common strategic document in which these different instances are represented, discussed and integrated in a synergic way. From the perspective of a center, redundancies of bodies and functions should be overcome and a clear chain of command and control should be established, according to the principles of rationalization, efficiency, efficacy and economy that inform Italian public administration. We also need to overcome a merely judicial and law-enforcement approach to the problem, and become aware that information and cyber warfare are first and foremost national security problems or, in other terms, political matters. At the same time, the old post-Cold War and conventional warfare mindset of counter proliferation and disarmament does not make any sense if applied to the fifth domain. This realm of unconventional weapons and emerging threats requires the formulation of new solutions, rather than an adjustment of doctrines and policies that already exist.

5.6. Bibliography

[AGY 09] AGYEMANG F., “On the imminent cyber warfare, what’s Ghana’s preparedness?”, GhanaWeb, December 2, 2009.

[ANA 10] ANALISI DIFESA, “Esercitazioni di cyber defence per la difesa”, Analisi Difesa, vol. 11, no. 113, 2010. http://cca.analisidifesa.it/it/magazine_8034243544/numero113/article_756277855521088703734640406506_2683573816_0.jsp

[ANT 11] ANTINORI A., “Sviluppo nell’ambito Nazionale del Concetto di ‘Information Assurance’”, Relativo alla Protezione delle Informazioni nella loro Globalità, Rome, Centro Militare Studi Strategici (CeMiSS), 2011.

[CER 11] CERVONE G., “La sicurezza internazionale e il nuovo concetto strategico della NATO”, Specchio Economico, no. 2, February 2011.

[CLA 10] CLARKE R.A., KNAKE R.K., Cyber War. The Next Threat to National Security and What to Do About It, Harper Collins, New York, 2010.

[COP 10] COPASIR, Relazione. Possibili Implicazioni e Minacce per la Sicurezza Nazionale Derivanti dall’utilizzo dello Spazio Cibernetico, Co.Pa.Si.R Rome, 2010.

[ENE 10] ENEA, Rapporto energia e ambiente. Analisi e scenari 2009, ENEA, November 2010.

[ENI 10a] ENISA, Cyber Europe 2010 Exercise has Started, ENISA, November 4, 2010.

[ENI 10b] ENISA, Italy Country Report, ENISA, January 2010.

[EUC 10] EUROPEAN COMMISSION, Communication from the Commission to the European Parliament and the Council. The EU Internal Security Strategy in Action: Five Steps Towards a More Secure Europe, COM(2010) 673 final, EC, November 2010.

[EUP 09] EUROPEAN PARLIAMENT, European Parliament Resolution of 19 February 2009 on The Role of NATO in The Security Architecture of the EU, (2008/2197(INI)), European Parliament, 2009.

[FRI 08] FRITZ J., “How China will use cyber warfare to leapfrog in military competitiveness”, Culture Mandala, vol. 8, no. 1, pp. 43, October 2008.

[GER 10] GERMANI L.S., GORI U., Verso un Nuovo Sistema di Gestione delle Crisi di Sicurezza Nazionale, 2010.

[HUG 10] HUGHES R., “A treaty for cyberspace”, International Affairs, vol. 86, no. 2, pp. 523–541, March 2010.

[IOV 08] IOVANE G., Cyberwarfare e Cyberspace: Aspetti Concettuali, fasi ed Applicazione allo Scenario Nazionale ed all’ambito Militare, Centro Militare Studi Strategici (CeMiSS), Rome, 2008.

[IOV 11] IOVANE G., I Rischi per l’Infrastruttura Informatica della Difesa. Individuazione delle risorse organizzative necessarie al contrasto dell’attacco informatico per l’attivazione di strutture dedicate all’anti-hacker intelligence, Centro Militare Studi Strategici (CeMiSS), Rome, 2011.

[ISA 11] ISAF, International Security Assistance Force (ISAF): Key Facts and Figures, ISAF, March 4, 2011.

[KIN 10] KINGTON T., “Italy weighs cyber-defense command”, Defense News, May 31, 2010.

[KRE 09] KREKEL B., Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, Northrop Grumman, October 9, 2009.

[LIB 09] LIBICKI M.C., Cyberdeterrence and Cyberwar, RAND Corporation, 2009.

[LYN 10] LYNN W.J. III, “Defending a new domain. The Pentagon’s cyberstrategy”, Foreign Affairs Magazine, September/October 2010 issue.

[MAE 09] MINISTERO DEGLI AFFARI ESTERI, Winning Italy. Almanacco dell’eccellenza italiana, December 2009.

[MCA 10] MCAFEE, Nel Mirino. Le Infrastrutture Critiche nell’era Digitale, McAfee, 2010.

[MDD 10] MINISTERO DELLA DIFESA, Missioni/attività Internazionali – Situazione, Ministero Della Difesa, 2010.

[NAT 10] NATO, Strategic Concept for the Defence and Security of the Members of the North Atlantic Treaty Organisation, NATO, 2010.

[NAT] NATO, CCDCOE - Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia, NATO, 2008.

[NPA 09] NATO PARLIAMENTARY ASSEMBLY, NATO and Cyber Defence, 173 DSCFC 09 E bis, NATO, 2009.

[NER 09] NERLICH U., UMBACH F., “European energy infrastructure protection: addressing the cyber-warfare threat”, Journal of Energy Security, October 2009, http://www.ensec.org/index.php?option=com_content&view=article&id=219:european-energy-infrastructure-protectionaddressing-the-cyber-warfare-threat&catid=100:issuecontent&Itemid=352.

[RAU 11] RAUSCHER K.F., KOROTKOV A., Working Towards Rules for Governing Cyber Conflict: Rendering the Geneva and Hague Conventions in Cyberspace, EastWest Institute, January 2011.

[REN 10] RENDA A., Protecting Critical Infrastructure in the EU, CEPS Task Force Report, Centre for European Policy Studies, 2010.

[SEN 10] SENATO DELLA REPUBBLICA, Risoluzione Approvata dalla Commissione sull’affare Assegnato n. 502, Doc. XXIV no. 14, 16a Legislatura, 4a Commissione permanente, Resoconto sommario no. 175, December 2010.

[SIN 10] SINGEL R., “Cyberwar commander survives senate hearing”, Wired News, April 15, 2010.

[STO 00] STOLL C., The Cuckoo’s Egg. Tracking a Spy through the Maze of Computer Espionage, New York, Pocket Books, 2000.

[TIK 11] TIKK E., “Ten Rules for Cyber Security”, Survival, vol. 53, no. 3, pp. 119–132, June-July 2011.

[UNI 10] UNITED NATIONS, United Nations e-Government Survey 2010. Leveraging e-Government at a Time of Financial and Economic Crisis, United Nations, New York, USA, 2010.

[UNG 10] UN GENERAL ASSEMBLY, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, Resolution A/65/201, United Nations, July 30, 2010.

[USA 10] US ARMY, Cyberspace Operations Concept Capability Plan 2016–2028, TRADOC Pamphlet 525-7-8, February 22, 2010.

[VUL 10] VULPIANI D., “La cyber threat alle infrastrutture critiche in Italia: punto di situazione ed azione di contrasto”, Convegno ICSA – La Protezione delle Infrastrutture Critiche in Italia, Rome, 5 May 2010.

[WHI 10] WHITE HOUSE, Cyberspace Policy Review. Assuring a Trusted and Resilient Information and Communication Infrastructure, The White House, 2010.

[ZET 10] ZETTER K., “Countries should be held responsible for cyber attacks”, Wired News, July 30, 2010.

 

 

1 Chapter written by Stefania DUCCI.

1 See, for example, the Center for Military Strategic Studies (CeMiSS), which published a paper on cyber warfare in 2008 [IOV 08] and, in 2011, a study on the risks to the Defense’s IT infrastructures [IOV 11] and another on the development of a national concept of “Information Assurance” [ANT 11].

2 The other dimensions are land, sea, air and space [LIB 09].

3 For the debate about rendering the Geneva and Hague Conventions for governing cyber conflict, see [RAU 11].

4 These experts were from the Communication Security Sector of the Presidency of the Council of Ministers.

5 Namely, Belarus, Brazil, China, Estonia, France, Germany, India, Israel, Qatar, Russia, South Africa, South Korea, the United Kingdom and the United States.

6 The group of governmental experts recommended: further dialogue among States to discuss norms pertaining to State use of ICTs; confidence-building, stability and risk-reduction measures to address the implications of State use of ICTs, including exchanges of national views on the use of ICTs in conflict; information exchanges on national legislation and national ICT security strategies and technologies, policies and best practices; identification of measures to support capacity-building in less developed countries; and elaboration of common terms and definitions.

7 Italy participates in NATO’s International Security Assistance Force with 3,815 soldiers, leading the mission in the western sector of the country – including the provinces of Ghor, Badghis, Herat and Farah [ISA 11].

8 Scoring 0.5800 – compared to an average European score of 0.6227 and world average of 0.4406 – of which 0.0982 were online service components, 0.1622 were telecommunication infrastructure components, and 0.3196 were human capital components [UNI 10, pp. 114].

9 Precisely, they are connected to the company’s Intranet, which is in turn connected to the Internet.

10 ENEA stands for Agenzia Nazionale per le Nuove Tecnologie, l’Energia e lo Sviluppo Economico Sostenibile and is the national agency for new technologies in the energy sector, facilitating a sustainable economic development.

11 Foreseen by the State Police Chief Directive of August 7, 2008.

12 According to Article 1, section 1, computerized information infrastructures should be considered of national interest, as well as those systems and services that support the institutional functions of:
a) ministries, agencies and institutions that they supervise, that are active in the fields of international relations, security, justice, defense, finance, communications, transport, energy, environment or health;
b) Bank of Italy and independent authorities;
c) companies owned by the State, regions and metropolitan areas by municipalities with not less than 500,000 inhabitants, engaged in the communication, transport, energy, health and water sectors;
d) any other institution, administration, organization, public or private legal person whose activities, for reasons of law enforcement and public security, are recognized to be of national interest by the Minister of the Interior or the provincial public security authorities.

13 CONSOB is the National Commission for Companies and the Stock Exchange Market.

14 ABI is the Italian Banks Association.

15 Italian public radio-television company.

16 The main Italian press agency.

17 Council Directive 2008/114/EC of December 8, 2008, on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.

18 With Civil Protection Ordinance No. 3836 of December 30, 2009.

19 As noted by the academic Salvatore Tucci, professor of computer engineering and co-founder of an Italian think tank promoting infrastructure protection [KIN 10].

20 The Defense has its own, independent CERT.

21 DPCM “Organizzazione nazionale per la gestione delle crisi”, Gazzetta Ufficiale, vol. 151, no. 139, June 17, 2010.

22 The NISP is composed of:
a) two representatives designated by the Ministry of Foreign Affairs, Internal Affairs and Defense, respectively;
b) a representative designated by the Ministry of Economy and Finances, Health, the Department of Civil Protection, DIS, AISE and AISI, the fire department and the public medical emergency service;
c) an officer from the Prime Minister’s press office and spokesperson, and an officer from the Prime Minister’s Diplomatic and Military Consultancy Office.

23 In this sense, see [TIK 11, pp. 7].

24 Each unit should be further divided into sub-units. Specifically, Unit 1 is composed as follows: operating systems; protection technologies for attacks against critical information infrastructures; technologies and methodologies for rapid system recovery and rapid system management in information crisis management activities. Unit 2: monitoring, control and acquisition systems; data mining and harmonization; software engineering; bio-informatics. Unit 3: web methodologies and technologies; mobile, wireless, satellite and radiofrequency identification technologies; modeling systems and simulation of complex systems; advanced systems for pervasive computing. Unit 4: science and biometric technologies; methodologies and tracking technologies; multimedia technologies; advanced computing; artificial intelligence; advanced signal processing and analysis.

25 In 2011, the European Commission reviewed the Council Directive to include the ICT sector.

26 The provisions of the Directive have only recently been implemented in Italy with the Legislative Decree of April 11, 2011, No. 61, which assigns a central role to the NISP. It is responsible for the identification of Italian European critical infrastructures, the draft of the initial threat assessment and the biennial report to the Commission. Finally, it serves as the European Critical Infrastructure Protection contact point.

27 This system is similar to the US Critical Infrastructure Warning Information Network, which has been operational since 2003.

28 Together with Estonia, Germany, Latvia, Lithuania, the Slovak Republic and Spain [NAT 10, pp. 4].

29 A necessity that had been stressed in the White House’s Cyberspace Policy Review [WHI 10, pp. i].

30 CDMA stands for Cyber Defence Management Authority, which is managed by the Cyber Defence Management Board, and is responsible for coordinating cyber defense throughout the Alliance.

31 This practice is already a reality for the Pentagon’s network administrators [LYN 10].
