Technological screening and startups: what the National Cybersecurity Agency has in the pipeline
The last formal step is a matter of days away. According to its director general Roberto Baldoni, the National Cybersecurity Agency (ACN) will be officially entrusted on 28 June with the task of starting and managing the National Assessment and Certification Center (CVCN), the team of experts called on to verify the reliability of technological devices. Envisaged in 2017 in the decree on cybersecurity launched by then Prime Minister Paolo Gentiloni, and officially established for two years now at the Ministry of Economic Development (Mise), the Center has so far remained a dead letter. Although considered a fundamental piece of the cyber perimeter strategy, which is designed to secure Italian critical infrastructures (from telecommunications networks to financial services), the CVCN is struggling. The call to hire the 77 reinforcements at Mise came only in August 2020, well behind schedule.
Now the ball passes to the ACN, as Baldoni explained at Itasec, the Italian computer security conference organized by the National Cybersecurity Laboratory. On June 30, as required by the last passages of the law, "we will open the shutters of the CVCN", said Baldoni. "We took this responsibility because the CVCN did not start, but we believe that a modern country must be able to understand if the technologies I am putting in my stomach are reliable and can enter our essential services", he added. Activation will be progressive. "We will arrive at the end of the year with about 60 people in the CVCN," said Baldoni, who expects to have enrolled 180 by October with the conclusion of the first recruitment campaign (today the ACN has 85 people). Then there will be at least three other hiring blocks, with a target of 300 people by 2023 and 800 by 2028. So, "about 200 will be in the CVCN", the director calculated.
Technology under examination
The center under the direction of the ACN will not be the only one to deal with the screening of sensitive technology. The ministries of the Interior and Defense will have their own, and funds will come from the National Recovery and Resilience Plan (PNRR) to create a network of accredited private laboratories so that requests can be handled quickly. The 5G case is emblematic. Having ended up inside the cyber perimeter, fifth generation networks were also the first to have to pass cyber security examinations within the golden power scheme (the special powers of the government over strategic companies). The result was a barrage of red lights from Palazzo Chigi on the contracts between the telephone operators and the suppliers that ended up in the crosshairs, the Chinese companies Huawei and ZTE.
In March, however, the Ukraine decree-law changed the architecture of the controls. Golden power now also concerns companies from the Old Continent. Rather than notify every single purchase, the telephone companies are required to "present an annual investment plan", explained Andrea Billet, director of the ACN certification and surveillance service (so far only one has done so for 2023). They must then submit the technologies to the CVCN for checking, to verify that what has been purchased corresponds to what has been declared.
But there are new tasks in sight for those who have to "stamp" the technology. Roberto Viola, head of the European Commission's Directorate-General Connect (which deals with networks and technology), explained at Itasec that in September Brussels wants to put down on paper a general certification scheme for the IT security of technological products. "Without creating new infrastructures, in the production cycles we foresee cyber validation, which will add to the existing standards, for example on toxicity, and will apply to all products", from connected refrigerators to toys, Viola specified, up "to standalone software. In these weeks we are finalizing the proposal that will see the light after the summer".
Investing in startups
At the community level, the new directive on IT security, NIS2, is in the pipeline: it has just been approved by the Committee of Permanent Representatives of the Council of the Union and is ready for a vote in the European Parliament. It will dramatically enlarge the number of companies and entities required to comply with precise cybersecurity deadlines. NIS2 is also needed to create the basis for the national policy on coordinated vulnerability disclosure (CVD), one of the 82 implementation measures of the recently approved National Cybersecurity Strategy 2022-26. "We are strong supporters of the CVD," said Baldoni. "As soon as the transposition of NIS2 starts, we will understand with the ministries of justice and the interior how to implement this type of regulation, which is slightly in conflict with our penal code".
The strategy also includes an investment plan to develop cyber spinoffs and startups. "At the end of July I think we will be able to have a plan", Baldoni anticipated. The strategy includes support for small businesses, tax relief for those who adopt technologies or training programs, and investments to increase international patents. According to Luca Nicoletti, who directs the ACN's area for industrial, technological, research and training programs, there are channels open with the National Innovation Fund of Cassa Depositi e Prestiti to help innovative companies grow.
Together with Confindustria and Generali, a cyber risk index is also being studied, along the lines of the European one developed by the Community Agency for IT Security (Enisa), with the further aim of developing the market for insurance policies against cyber risks. "We deal with resilience, we must manage and introduce a culture of cyber risk management within our country in all its aspects," said Baldoni. "In this we do something different from those who fight against cybercrime. In case of accidents, the Postal Police has the objective of prosecuting those who have carried out that type of operations, while our task is to understand the technical point of view, to alert those who may suffer consequences, to help the victims to recover".
The PNRR will bring 623 million to develop the agency's projects. These include Hypersoc, a security operations center able to automatically collect the event signals recorded by all connected parties and correlate them, giving a complete and general view of the current situation. "We aim to make it to the end of the year with a prototype," explained Gianluca Galasso, director of the ACN's Operations/CSIRT service. Meanwhile, 30 million, Nicoletti said, will go to supercomputing projects.