Information communications technologies (ICTs) are the backbone of Europe's economy. They fuel new opportunities for citizens to connect, for governments to provide increased access to public services, for utilities to deliver critical services, and for businesses to serve as an engine of economic growth. The remarkable opportunities associated with being connected and participating in the Internet economy are enticing countries and corporations to further expand their digital footprint. They are embedding ICTs into their networked environments and infrastructures, and accelerating access to Internet, broadband networks, mobile applications, IT services, software, and hardware. In the European Union (EU), these goals were codified in the 2015 EU Digital Single Market Strategy and reiterated during the recent Tallinn Digital Summit – a new platform to further plans for digital innovation enabling Europe to stay ahead of the technological curve and become a digital leader in the world. If successfully implemented, the Digital Single Market Strategy promises to contribute €415 billion per year to Europe's economy, provide better access to the free flow of digital goods, data, services, and capital across borders, create new jobs, and transform public services.
Yet, the economic opportunity of the Internet is at risk today. The same open, reliable Internet that has helped countries prosper, improve government operations, and facilitate the dissemination of information, has also exposed our society to very costly cybercrime, hacktivism, service disruption, and destruction of critical digital property. Malicious cyber activities degrade economic progress and threaten national security by undermining the availability, integrity, and resilience of the Internet infrastructure. In 2016, the EU was victim of more than 4,000 ransomware attacks per day and 80% of European companies experienced at least one cybersecurity incident. The economic impact of cybercrime in the EU has risen five-fold over the past four years alone.
Protecting the Internet is both an economic and national security imperative. European countries must wrestle with the fact that their Internet infrastructure, services, and delivery of information – and potentially disinformation – to citizens are vulnerable to interference and manipulation. Their economic innovation, modernization, and security depend on protecting the Internet and its underlying value proposition. Balancing the need for national security with the need for economic prosperity, and investing equally in the security and resilience of their core infrastructure and systems must be a priority.
No country is cyber ready for the level of threats to their economic wellbeing and national security. According to the internationally recognized Cyber Readiness Index 2.0 (CRI 2.0), few countries have aligned their national economic vision (digital agenda) with their national security agenda. National leaders need to map and call attention to each country’s Internet-infrastructure dependencies and vulnerabilities, and the national economic erosion caused by cyber insecurity. Given the costs of failure, it is essential that countries move now on a framework for cyber-resilient digital societies with security, privacy, and resilience at its core.
Adopting a national cybersecurity strategy is one of the most important first steps in securing the national cyber infrastructure and services upon which the digital future and economic wellbeing of a modern nation depend. The 2013 EU Cybersecurity Strategy – that was followed by the 2016 EU Directive on Network and Information Security (NIS) and the most recent 2017 EU Cybersecurity Package – require each EU member state to create their own “network and information security strategy.” However, European strategies differ in terms of the competent authority tasked with executing the strategy, the roles and responsibilities of the different entities involved in national cybersecurity, the specific objectives set forth in their implementation plans, and the resources allocated to achieve those goals.
As an EU Member State, Italy has adopted a national cybersecurity strategy.
The 2013 “National Strategic Framework for Cyberspace Security” includes a description of the national security and economic risks of cyber insecurity, an assessment of Italy’s cybersecurity capacity, a clear delineation of the roles and tasks of public and private stakeholders involved in cybersecurity, and tasks the Cyber Security Unit (Nucleo per la Sicurezza Cibernetica) – a permanent body within the Prime Minister’s Office – with coordinating the activities of the various institutions that compose the national cybersecurity architecture. The accompanying implementation plan – the “National Plan for Cyberspace Protection and ICT Security” – sets specific strategic and operational objectives, most of which have already been initiated, if not fully implemented, including strengthening intelligence services, police, civil protection, and military defense capabilities; establishing a national Computer Emergency Response Team (CERT-IT); conducting international exercises; and promoting ad hoc legislation and compliance with international obligations.
Implementation efforts take time; many are still fragmented. Despite the publication of its national cybersecurity strategy, a restructuring of the relevant national cybersecurity architecture, and the development of cyber-related policies and capacity, there is still a considerable gap between Italy and comparable EU member states in terms of both Internet uptake (only 61% of Italians are connected to the Internet versus an average 81% in the EU) and national-level preparedness for cyber risks. Italy is now working on a second national cybersecurity strategy to reflect its commitment to being cyber ready. The new draft strategy focuses on straightening and streamlining governance, institutional leadership, legal frameworks, preparedness for increasing security threats from cyberspace, protection of national critical infrastructures, interoperability for IoT and emerging technologies, and increasing public cyber awareness, accurate cross-sector statistics, and society-wide integrated defenses. Various independent studies estimate that the economic losses due to cybercrime, hacktivism, and cyber espionage activities have grown exponentially. Italy continues to suffer as one of the most botnet-infected countries across the European and Middle Eastern (EMEA) region.
Together, past and continuing challenges have imposed limitations on Italy’s cyber capacities. Italian participation in e-government, e-banking, and e-commerce still lags behind much of Europe – ranging around 20% compared to an EU average of 40-50% – and the country ranked only 25th out of the 28 EU Member States in the 2017 Digital Economy and Society Index. The adoption of digital business models and the supply of a digitally skilled workforce are still among the EU’s lowest and inadequate to the needs of a large and advanced economy like Italy. These lower figures are due in part to infrastructure limitations and lower availability of Next Generation Access (NGA) networks. Other challenges are structural, including an aging population, stagnant GDP growth, low productivity rates, a shortage of financial resources, a banking sector burdened with “bad” debt, and a high unemployment rate. Specifically, digital societal issues include lower levels of digital skills, mistrust of online transactions, and a persistent digital, educational, and income divide between northern and southern Italian regions.
Different policy initiatives undertaken in the course of 2015-2017 are finally starting to show real improvements to the Internet infrastructure and in NGA coverage, integration of digital technology by businesses, and expansion of e-government services. To more rapidly reach EU targets of Internet speed and accessibility, digital literacy, and network modernization, Italy has adopted a €6 billion Digital Growth Strategy 2014-2020, launched a €13 billion Italian Industry 4.0 plan, and pursued the implementation of an ultra-fast broadband plan and compulsory e-invoicing for contracts with the public administration. Taken together, these policies and strategies aim to advance ICT-related skills and curricula, promote the adoption of digital technologies, create digital innovation hubs and competence centers, and offer a mix of tax breaks and other incentives to ensure all startups and businesses have access to Internet and broadband technology. Ultimately, the success of the Industry 4.0 plan will rely on its effective implementation and the successful coordination between the various stakeholders: government, industry, and higher education.
Other steps are necessary to strengthen Italian national cyber readiness, including establishing and maintaining an effective national incident response capability, a strong, well-funded commitment to protect its society against cybercrime, a secured and widely employed information/intelligence sharing mechanism between government and industry sectors, a well-funded program of cybersecurity research and development and broader ICT initiatives; continuous and agile engagement with cyber issues in foreign policy and trade negotiations; and finally, advanced abilities in cyber-competent national armed forces and/or related defense agencies able to defend their country kinetically, in cyberspace, and both as needed.
Italy has made significant progress on many of these aspects, despite all its challenges. It has signed and ratified the Council of Europe Convention on Cybercrime (commonly known as the ‘Budapest Convention’) and has been actively working to harmonize its national legislation to EU standards to more effectively combat cybercrime and strengthen data protection. It has already adopted many of the prescriptions contained in the 1995 EU Data Protection Directive and the 2016 NIS Directive, such as establishing a Data Protection Authority (Garante per la Protezione dei Dati Personali) and adopting detailed data breach notification requirements for specific entities. Moreover, all its law enforcement entities – from the Italian Postal and Communications Police to the Carabinieri to the Financial Guard – have established special units dedicated to combating cybercrime, preventing and mitigating cyber threats to critical infrastructure, conducting computer forensics and scientific investigations, and work alongside other international law enforcement agencies to increase transnational cooperation on cybersecurity, information sharing, border security, and surveillance.
In addition, Italy regularly participates in international diplomatic negotiations and dialogues aimed at fostering international cooperation on cybersecurity, promoting responsible state behavior in cyberspace, supporting the respect of human rights and democratic principles online, and championing an open and free Internet. Finally, the 2015 “White Paper for International Security and Defense” (Libro Bianco per la Sicurezza Internazionale e la Difesa) strategically prioritized cyber defense and defensive military operations in cyberspace as one of the main investment programs for 2016-2018.
With the decision to create a Cyber Command (Comando Interforze per le Operazioni Cibernetiche) within the Ministry of Defense, the Italian government appears to be gaining ground in defending itself and its economy in and through cyberspace.
Italy also has an opportunity to learn from other European countries that have developed effective mechanisms to achieve cyber readiness. For example, the United Kingdom and the Netherlands, among others, have created well-funded National Cyber Security Centers to help public and private organizations better defend against and respond to cyber threats, foster information sharing, and promote closer collaboration across their country.
In order to advance Italy’s cyber readiness, the Italian government should put forward a more balanced approach that aligns the country’s national economic vision with its national security priorities, avoids duplication of efforts, and identifies a centralized coordination mechanism to ensure those priorities are met. It should also increase public awareness about the threats that are aimed at and succeeding against Italian critical infrastructures and services and the role that everybody plays in countering cyber threats; strengthen public-private partnerships; reinforce criminal law response to better protect its citizens, businesses, and public institutions; accelerate civil-military cooperation; and adequately fund its proposed programs. A shift in public mindset will also be needed, from knowing the risks and opportunities afforded by ICT innovation and Internet uptake to managing those risks and investing in their security appropriately, so that Italy can fully reap the benefit associated with the digital economy and reach the ambitious goals set in its strategies. With all these steps completed, Italy will be on a path to becoming a cyber-resilient nation able to prosper and be secure in the digital age.
Francesca Spidalieri, Senior Fellow for Cyber Leadership, Pell Center, Salve Regina University
European Commission, “Shaping the Digital Single Market,” https://ec.europa.eu/digital-single-market/en/policies/shaping-digital-single-market.
European Commission, “Tallinn Digital Summit – Factsheets,” 28 September 2017, https://ec.europa.eu/commission/publications/tallinn-digital-summit-factsheets_en.
European Commission, “State of the Union 2017 – Cybersecurity: Commission scales up EU’s response to cyber-attacks,” 19 September 2017, http://europa.eu/rapid/press-release_IP-17-3193_en.htm.
Since its creation in 2011, the CRI has set a standard for what national cyber readiness means – directly influencing governments still developing their cybersecurity practices and policies. The CRI 2.0 offers a comprehensive methodology to identify the essential elements of a stronger security posture to defend against GDP erosion caused by cyber insecurity. Melissa Hathaway et al., “Cyber Readiness Index 2.0,” Potomac Institute for Policy Studies, (November 2015) http://www.potomacinstitute.org/images/CRIndex2.0.pdf.
For the full assessment of Italy’s cyber readiness levels, see: Melissa Hathaway & Francesca Spidalieri, “Italy Cyber Readiness at a Glance,” Potomac Institute for Policy Studies, (November 2016), http://www.potomacinstitute.org/images/CRI/PIPS_CRI_Italy.pdf.
Presidenza del Consiglio dei Ministri, “National Strategic Framework for Cyberspace Security,” http://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/uploads/2014/02/italian-national-strategic-framework-for-cyberspace-security.pdf, and “National Plan for Cyberspace Protection and ICT Security,” December 2013, https://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/uploads/2014/02/italian-national-cyber-security-plan.pdf.
World Bank, “Individuals using the Internet (% of population),” (2016) https://data.worldbank.org/indicator/IT.NET.USER.ZS.
European Commission, “Digital Single Market – Italy,” (2017) https://ec.europa.eu/digital-single-market/en/scoreboard/italy.
Presidenza del Consiglio dei Ministri, “Strategia per la Crescita Digitale 2014-2020,” 3 March 2015, http://www.agid.gov.it/sites/default/files/documentazione/strat_crescita_digit_3marzo_0.pdf.
Ministero dello Sviluppo Economico, “Piano nazionale Industria 4.0,” 21 September 2016, http://www.sviluppoeconomico.gov.it/index.php/it/per-i-media/comunicati-stampa/2035187-il-ministro-dello-sviluppo-economico-carlo-calenda-illustra-il-piano-nazionale-industria-4-0.
Agenzia per l’Italia Digitale, “Agenda Digitale Italiana,” 26 February 2016, http://www.agid.gov.it/agenda-digitale/agenda-digitale-italiana.
These are all components of becoming cyber ready and showing a real commitment to closing the gap between a country’s current cybersecurity posture and the national cyber capabilities needed to support its digital future. For more see: Melissa Hathaway et al., “Cyber Readiness Index 2.0,” Potomac Institute for Policy Studies, (November 2015) http://www.potomacinstitute.org/images/CRIndex2.0.pdf.
Ministero della Difesa, “Libro Bianco per la Sicurezza Internazionale e la Difesa,” July 2015, http://www.difesa.it/Primo_Piano/Documents/2015/04_Aprile/LB_2015.pdf.