Cybersecurity, Critical Infrastructures and States Behaviour

Cyber space is a complex environment with many factors and dimensions that make it unstable and, at the same time, fascinating and interesting. The threats, the threat agents, the tools used, the actors, the targets, the exact geographical location where the attack started and the one where the most devastating effects occurred, the assessment of the damage produced but above all the real assignment of responsibilities: these are some of the main elements that make the cyber space arduous, multiform and articulated and, on the other hand, legitimize the interest of the states - but not only.

Take, for example, a classical case study. A particular worm, ransomware type, is spread through e-mail and, after the user unknowingly installs it on the PC, it starts infecting all the other devices connected to the network. Additionally, while infecting a PC, the worm encrypts files by blocking access until the user pays a certain release - perhaps in bitcoin crypto-value. Among the targets of the attack there are telephone companies, government ministries, banks, hospitals, universities, research centres and critical infrastructures related to the energy and transport sectors.

This brief case study shows the complexity of an attack in the cybernetic environment where threats, enemies, their intentions and goals, their resources, and their stakes are not immediately clear.

Reflecting on the attackers, very often the only fact of being connected to the Internet and having a PC with some vulnerabilities represent a hazard to the transmission of malware that can therefore spread by producing a chain reaction across multiple sectors, particularly those considered "critical", that is the country's critical infrastructures. Food, transport, health services, telecommunications, aqueducts, banking network, financial services, political institutions, public and private security [1]: each state must provide its citizens with basic services - from which the welfare of society depends - trying to avoid interruption. Such interruptions could affect the entire supply chain of essential services, creating a lot of damage (tangible and intangible) to end users and therefore to citizens.

Based on this background – welfare community, critical infrastructures and cyber security - we could answer a fundamental question: is cyber security a prerogative of critical infrastructures/private companies or is it a national security problem? Is it the responsibility of a particular "critical" sector or does the theme require a major effort from public institutions and the state? The state's role, which is a primary role, can be identified because:

1. Considering that the prosperity of a country and the well-being of a whole community depends on the security of cyber space, then it becomes clearer that the state plays a fundamental role not only in terms of responsibility but also in coordination and control in the dynamics that affect the cyber space that today becomes a general strategic interest;
2. The security of cyber space is a prerequisite for the prosperity of the country also in economic terms. A state that protects cyber borders includes its own subjects within territorially and politically established boundaries; it is clear what the risks and opportunities of the cyber arena are and is thus necessary to be aware that to be "cybersecure" means creating the essential conditions to attract business and create a solid economy and to ensure economic and financial prosperity throughout the country [2];
3. Although the cyber space looks like an abstract and intangible environment, its security is still a problem of "space." Everything that gravitates within this space deserves to be protected as if it were “the weaker ring of the chain” that, if it is attacked, may affect the entire security system. The actors that gravitate within the cyber space are many: from critical infrastructures to their supply chains, from smaller companies to the complex social and entrepreneurial ones that - above all in Italy - represent the framework of the entire economic and productive system.

The behaviour of states in the cyber environment, in a cooperative and non-conflicting approach, deserves more attention by monitoring some of the elements that will be briefly described below.

Sharing information, using a common and well-defined language, is necessary to configure a first cyber-risk line. The concept is quite broad and should be more detailed in order to understand both “how” to share and “what” to share. Firstly, for example, the experience of Information Sharing and Analysis Centres (ISAC) [3] is interesting, which, born in the United States, are structures built to share information in critical infrastructure contexts or within one specific sector (finance, transport, industry, water, health, energy). The main activities of a “sectorial” ISAC are: establishing specific information sharing and intelligence requirements for accidents, threats and vulnerabilities; collecting, analysing and disseminating incidents related alerts to its members, based on industry-specific analytical expertise; providing a "trusted" electronic communication medium for the sharing of threat information and partners that make it, even with guaranteed anonymization mechanisms; finally, sharing and providing support to the Government or to other ISACs. In other words, within an ISAC, it is possible to bring together companies in the same manufacturing sector or with a very similar cyber risk exposure in the tables to prevent the cyber threat through appropriate intelligence activities.

Secondly, with regard to the information to be shared, it is necessary to make clear the "rules of engagement" in order to guarantee the sharing of the information needed to know but also the anonymity; in addition, it is crucial that there is a system that welcomes “third parties” in a non-competitive environment animated by trust; that IT channels and physical places where the actors can meet are universally and unanimously recognized; that the transmission and contact points are able to handle the information and consequently assign any liability for potential damages that may occur.

Thirdly, the identification of standards and policies is important, thanks also to the contribution of numerous commissions that have been established at global, NATO, EU and national levels and provide guidelines that, often not binding, would be preferably taken.

In addition, in recent years, the role of Computer Emergency Response Teams (CERTs) is growing and specializing in the task of responding to computer security incidents. Not only do they have operational and response capability – unlike ISACs – but satisfy other security needs through three types of services [4]:

- Proactive services: Cyber ​​Threat Intelligence, Web Monitoring, Web Intelligence, Trend Monitoring, Security Test, Vulnerability Management, Vulnerability Communication and Attacks, BIA, Risk Analysis, Audit, Cooperation with Other CERTs;
- Reactive Services: assessment of current IT accidents, malware and reverse engineering, digital forensic;
- Training services: programming of specialized courses and organizing events aimed at raising awareness and raising awareness on safety issues.

The last aspect to be considered, equally important to others, concerns the awareness and development of a "cybersecurity culture", backed up already in the international context also by Resolution 58/199 of the UN General Assembly on “The creation of a global culture of cybersecurity and the protection of critical information infrastructures”. These are key concepts – awareness and development of a culture of security – where the latter is the natural consequence of the first: only if there is widespread awareness it is possible to achieve the goal of a shared security culture. There are many ways to achieve these goals, but in the context of interstate relationships, technical tables, forums, roundtables, meetings, conferences are preferred. "Awareness" in this work is understood in its broadest sense – such as “the knowledge and attitude of members of an organization regarding the protection of its assets, characterized by a specific level of risk” – both in the perspective of a “situational” and actionable awareness, – preferably in real time – thus guaranteeing an immediate and effective response.

Luisa Franchina, Engineer and President AIIC (Associazione Italiana esperti in Infrastrutture Critiche)

Andrea Lucariello, University of Perugia