With almost three years having passed since the Italian Prime Ministerial Decree of January 24, 2013, which set out “Strategic guidelines for national cyberspace protection and ICT security”, this national roundtable event afforded an opportunity to take stock of what has been accomplished so far to implement that directive.
It was noted that the so-called “Monti Decree” was essentially aimed at achieving standards of cybersecurity more in keeping with those being urgently demanded by the international community, which were based on an indisputable fact, namely: that in an increasingly joined-up world, the chain of interconnectedness is as vulnerable as its weakest link – and Italy presented as such.
It was therefore necessary to extricate the country from this awkward position. The first objective was to get Italy’s main public players in cyberspace to “pull together”. This in itself was no simple undertaking, and made even more complicated primarily by the fact that, in this particular “domain”, the boundaries between the public and private are often very blurred.
Compounding this were certain “rules of engagement” clearly laid down in the Prime Minister’s directive, and which, in a nutshell, can be summed up as requiring measures taken to be in line with existing laws, with the responsibilities already assigned to each respective ministry, and with the financial resources available.
Working within these constraints, two Computer Emergency Response Teams (CERTs) – one at the national level and one dedicated to the country’s public authorities – were established, as well as a coordinating body within the Prime Minister’s Office for managing cyber crises. The work carried out thus far has essentially relied on the willingness of the main stakeholders to “submit to coordination”, based on the shared goals incorporated within the National Strategic Framework for Cyberspace Security. The Framework was described as one of the few strategy documents to have ever been adopted in Italy, aimed at reducing the cyber threat-related risks that loom large both over Italy’s heavily-exposed small and medium-sized firms, as well as over the country’s major corporations.
Indeed, the crucial area on which it was felt efforts need to be focused is that of raising awareness of cyber threats in all their manifestations, in the sense that such knowledge must become an essential part of the professional stock-in-trade of entrepreneurs and managers, and be considered a key element in the design of corporate security plans and, even more generally, of “doing business”. It was suggested that a failure to achieve this would result in increasingly severe damage both in terms of know-how and reputation, which are the recurring targets of the vast majority of cyber attacks.
In addition, it was stressed that in order to make progress in this area, it is essential to expand, strengthen, and hone a genuine and inclusive partnership between businesses, universities, and public authorities. In this regard, it was acknowledged that the earmarking of new financial resources for cyber security – announced recently by the Italian Prime Minister – could give a real boost to the very active “efforts in progress”.
Lastly, it was observed that certain systemic regulatory reforms advanced during the discussions could also make a tangible contribution on this front.