5G networks are one of the key elements on which the future digital transformation of every nation, at both the economic and the social level, will be based. Indeed, the potential of these networks will go well beyond the supply of telecommunications services between users. They will also allow a more efficient and dynamic allocation of services in other strategic and sensitive sectors of the State, whether public or private, such as finance and banking, energy, public health, transport, digital infrastructure, supply chains and so on.
Consequently, the security of 5G networks, as well as their capability to constantly guarantee the use of essential services by citizens, will be not just the main economic driver of the near future but, above all, a fundamental element of national security for every country, including Italy.
In this context, although the Italian government has not yet tackled the issue of 5G network security in a strategic way, it is worth highlighting that the new regulation on the ‘National Cybersecurity Perimeter’ and the changes introduced to the rules on the so-called ‘Golden Power’ will also have a positive impact on this sector.
In particular, through the provisions of the ‘National Cybersecurity Perimeter’, the Italian legislator aims to ensure a high level of security for the networks, information systems and IT services of public administrations and of public and private entities and operators that have an office within the national territory, where the exercise of an essential State function, or the supply of services essential to maintaining civil, social or economic activities fundamental to the State’s interests, depends on them, and where their malfunctioning, interruption (even partial) or improper use may harm national security.
This goal – which is as essential as it is ambitious – will also affect the security of 5G networks. This will be achieved, on the one hand, by obliging all private and public operators included in the ‘National Cybersecurity Perimeter’ to adopt the security measures developed, depending on their respective area of competence, by the Presidency of the Council of Ministers or by the Ministry of Economic Development and, on the other hand, through the verification activities of the National Evaluation and Certification Center (Centro di Valutazione e Certificazione Nazionale – CVCN). Indeed, this body, among the various tasks assigned to it by the provision, will also have to carry out risk assessments and verify security conditions and the absence of known computer vulnerabilities whenever a public or private operator decides to procure goods, systems and ICT services to be used on the networks, information systems and IT services covered by the ‘National Cybersecurity Perimeter’.
At the same time, the recent changes to the so-called ‘Golden Power’ will also indirectly have a significant impact on the security of 5G networks. As is well known, this regulation gives the government the possibility to exercise – in some sectors considered strategic and of national interest – a power of veto over the adoption of corporate resolutions or the purchase of shareholdings, as well as to impose specific requirements or conditions on any contract or agreement from which serious harm to public interests may arise.
The latest updates to this legislation have extended the power of veto and the power to impose specific requirements and conditions to the conclusion of contracts or agreements concerning the purchase of goods or services related to the design, construction, maintenance and management of networks for electronic telecommunications services with 5G broadband technology, or concerning the acquisition, for any reason, of technology-intensive components functional to that implementation or management, when concluded with parties outside the European Union. To this end, the legislation further specifies that elements indicating the presence of vulnerabilities that could compromise the integrity and security of the networks and of the data passing through them, including those identified on the basis of principles and guidelines developed at international level and by the European Union, are also subject to assessment.
Therefore, it is evident that, even in the absence of a specific strategy for the security of 5G networks, the Italian government is using the ‘Golden Power’ and the activities of the CVCN jointly to address the urgent need for a careful selection of suppliers of goods and services for the design, construction, maintenance and management of 5G networks, including at the stage of acquiring, for any reason, the technology-intensive components functional to these activities. Furthermore, through the ‘National Cybersecurity Perimeter’, the government aims to ensure a high level of security for these networks, as well as for the information systems and services linked to them.
Italy therefore places the careful selection of suppliers at the centre of its security system, rather than an approach based on geographical origin such as the one that, for instance, the United States, Australia or India have adopted towards the technology of Chinese companies. Nevertheless, in order to obtain a result similar to theirs, and being unable to exclude non-European companies tout court from the national market through a mere political decision, the Italian government has chosen the only effective approach available: to provide by law that national companies wishing to use the 5G technologies of non-European suppliers considered unsafe are subject to a series of strict requirements, which go so far as obtaining from the supplier the possibility to carry out, even through third parties, verification and control of the source code and hardware designs of the equipment. National companies will need to be able to prove this information to the government upon request.
In conclusion, although Italy has so far put useful tools in place, a broader, strategic approach to supporting the security of future 5G networks still seems to be missing. In this sense, even just fully implementing, as quickly as possible, what the European Union has recently provided in its “Toolbox on 5G Cybersecurity” would represent a decisive step forward for what can already be defined as the single most important global man-made critical infrastructure of the past thirty years.