The ACN case and ‘cyber-dignity’


If you want, you can call it that, because in recent years it can be said that anything has become ‘cyber’; with the help of market opportunities and the ‘fashion’ of the moment, we have exchanged a critical sector for an opportunistic one, and that is what we have to talk about.

In these hours, the Agency for National Cybersecurity (ACN) is at the centre of yet another controversy, and to understand the seriousness of the situation, it is necessary to reconstruct the facts a little.

Communication problems

The ACN has never particularly excelled at ‘institutional communication’, and this is evidenced by the calibre of some of the responses that the agency has provided over time, some of which have also been documented on this blog. The most exceptional case was the one related to the scandal of the telephone numbers of public subjects that we wrote about in the article ‘Between data breaches and embarrassing communications’. I think it is clear to everyone that a government agency cannot respond in a tone that is not institutional and that, for every ignored and unverified response, one takes responsibility for one’s actions. The institutional response is not just a ‘formal’ matter but is due to the citizens who, through their taxes, pay salaries and fund the structure.

Transparency issues

In an interesting article published by ‘Il Fatto Quotidiano’ and entitled ‘ACN, away with the communication manager and trade union protests’, journalists Bisbiglia and Proietti report that CISAL (Confederazione Italiana Sindacati Autonomi Lavoratori) ‘configures anti-union conduct’ and that CISAL itself states that it is unclear how ACN personnel are hired and selected, in addition to the fact that:

Many of these [author’s note: hires], who initially arrived on secondment often without any cybersecurity expertise, were then stabilised in positions hierarchically and economically superior to the CSIRT Italy personnel.

This fact, if it were proven, would be particularly serious: firstly, because of the inequality of expertise to which Italians are now accustomed, and secondly, because of the dangerous use of this agency. It is now clear that the cyber danger, so much advertised on the web, in the newspapers, and in magazines, is becoming yet another ‘mantra’ ridden by self-styled experts and by a state that has no clear ideas of what cybersecurity is on a geopolitical level. The CSIRT, which plays an essential role in the country’s cybersecurity, both for the P.A. and for private companies, cannot be subjected to imbalances and unjustified pressures, with the risk of compromising its functioning.

The CSIRT Italia (Computer Security Incident Response Team) is the national body responsible for managing cybersecurity incidents at state level. It operates under the Agency for National Cybersecurity (ACN). It coordinates responses to cyber incidents involving critical infrastructure, government agencies and operators of essential services. It receives reports, analyses threats, provides technical support and disseminates alerts and good security practices. It cooperates with other European and international CSIRTs. It supports prevention by sharing information on vulnerabilities and attacks. It is a central point of contact for significant incidents at national level. It helps strengthen the country’s cyber resilience. It constantly monitors the national network to identify potential risks. It promotes a digital security culture among public and private entities.

Problems of culture

Thomas Mann used to end a sentence with the famous expression ‘everything is politics’, but this is not necessarily a good thing, especially when it is a ‘technical’ agency that needs stability, clarity and transparency in order to operate efficiently. The problem, however, is more extensive, and we have been coming back to it for years as if in a spiral: the cybersecurity culture in Italy is poor. Most of the political class talks about it constantly but hardly knows the risks, just as the knowledge of many of the top managers appointed to make strategic decisions on the subject is scarce. One thinks of the great controversy over Frattasi, the current head of ACN, deemed unsuitable for this role due to both age and knowledge. In an article called ‘The Culture of Data Management’, an excerpt from an interview with Senator Matteo Renzi was quoted, stating:

It is clear that we do not have the technical capacity to handle such a vital matter as our security and privacy. Frattasi is a prefect, what are we talking about?

The age issue can be considered relative: a top management structure needs to have up-to-date knowledge in the field, but also valuable experience in decision-making. This means that reducing the issue to the slogan ‘In high countries, cybersecurity is done by 20-year-olds’ is not exactly the best approach. This is also demonstrated by the case of the US government agency CISA, which is currently headed by people who are not twentysomethings.

The complete list can be seen here and shows that it is possible to have a competent and heterogeneous government agency in its workforce.

What it means for Italy

An important fact is often overlooked: what happens in our country does not stay within it. Although Italy speaks little about foreign affairs (except for the most common and widespread news), in other countries it is customary to read about what happens abroad. Controversies and issues concerning ACN easily cross Italian borders and reach allied and non-allied countries. Italy’s credibility at technical tables is often guaranteed by competent people who know how to make their mark in strategic conversations, but if these people were replaced by incompetent ones, what would happen?

One must always keep in mind that we are watched from the outside, we are observed from the outside, we are studied from the outside, and what one learns may be a ‘spectacle’ that is not as dignified as one thinks.

Conclusions

A government agency is, by its very nature, intertwined with the concept of ‘institution’: everything must be institutional and therefore everything must be subject to a decorum that is not debatable but due. Owed to citizens, owed to allies, owed to the goals it is meant to pursue. A government agency that loses institutional sense in its activities will inevitably be less credible because it is deemed incapable of adequately representing its country. The worrying thing about this is that skills can be passed on and notions can be learnt, but the sense of state cannot: that is innate in the person. What is happening with ACN should make us reflect on the sense of state present in many public and private Italian realities and on the real capabilities to manage such a complex field as cybersecurity.