Italy has faced a barrage of cyberattacks in recent weeks. On August 1, the main datacenter of the Lazio region was hit by a ransomware attack, which made many of its online services, including the COVID-19 vaccination-booking platform, inaccessible. All data was encrypted, and attackers requested a bitcoin ransom to allow authorities to recover them. Luckily, technicians were able to restore the stolen data from a backup copy.
Less than three weeks later, on August 18, the healthcare agency of the Tuscany region was also targeted by criminals who were able to penetrate its online defenses and destroy some statistical and epidemiological data.
Previously, ransomware campaigns had hit big corporations such as the energy company Enel Group, Campari, Geox, Tiscali, Luxottica, and hospitals such as the Spallanzani in Rome and the San Raffaele in Milan – albeit with limited results.
These, and other episodes, have been a wake-up call for Italian politicians and common citizens alike on the necessity to improve the country's cyber defenses, despite the Minister of Technological Innovation, Vittorio Colao, having already warned in June that "more than 90% of public administration servers are not secure."
"There's a legacy issue with local and central public administrations, as they work with very old servers and do not have budgets strong enough to update their network infrastructure," Luisa Franchina, the president of the Italian Association for Critical Infrastructures, tells ZDNet.
Buying newer and more up-to-date hardware and software will certainly help make life more difficult for attackers; the recently established Agenzia per la Cybersicurezza Nazionale (ACN), which will operate under the direct control of the Prime Minister, should also play a key role.
The agency will centralize competencies that were previously scattered among several government bodies and the intelligence services, and will help define and coordinate the Italian cybersecurity strategy.
A key component of this strategy will be raising awareness of the issues at stake, and making sure both public and private actors performing functions critical to the safety of the so-called "national cybersecurity perimeter" take appropriate measures to address them.
"The problem is not the tool, but the way it is used," Corrado Giustozzi, a well-known cybersecurity expert in Italy, tells ZDNet. "A great car is useless, if badly driven. We need to focus on improving the processes and the culture."
Giustozzi knows what he is talking about. From 2015 to 2020, he was part of the Computer Emergency Response Team of the Agency for Digital Italy, one of the bodies whose competencies will now partly be taken over by the ACN. In that role, he helped design the minimum cybersecurity guidelines that all Italian public bodies, big and small, need to follow.
Those measures contributed to improving a deeply concerning situation: a 2014 report found that only three central public authorities, out of dozens, took data protection seriously enough.
Not following the guidelines
Unfortunately, the guidelines are not always implemented. In the Lazio-region attack, for instance, the rule not to keep the backup data on the same network as the source was apparently disregarded. The hackers were thus able to delete the backup, which was later recovered, although they could not encrypt it.
"We move fast when there's an emergency, but we do not focus enough on prevention and maintenance," Giustozzi says.
"This is typically an issue where politics is involved: cybersecurity improvements are not prioritized because, unlike inaugurating a bridge, they are not immediately visible."
A more widespread issue, which concerns both the public and the private sector, is a skills shortage. In the 2021 Healthcare Security study by cybersecurity company Bitdefender, 74% of respondents said that the number of cybersecurity specialists in the Italian healthcare sector was inadequate.
De Zan found that 60% of them could not find even one candidate for the cybersecurity vacancies that they had opened, or had otherwise hired candidates that were not qualified. The problem might lie in part in the so-called "experience trap", which occurs when employers offer jobs requiring many years of professional experience, but no entry-level opportunities.
"In the last few years, Italian universities have started to offer cybersecurity master's degrees. However, graduates find it difficult to be hired, since there are very few junior positions on offer," De Zan says.
It also does not help that there is little official data available. "The first thing to do is to produce a snapshot of the current cybersecurity skills shortage in Italy. Once done, an improvement strategy must be put into place, and the achieved results monitored on an ongoing basis," he adds.
This work falls into the domain of the ACN, which is also tasked with promoting public/private partnerships to train professionals and develop know-how and innovations in the cybersecurity sector.
This will happen both in the 'competence centers' that are being supported by the Ministry of Economic Development and in new 'cyber parks', which will be modeled on the famous Israeli CyberSpark center of Beer-Sheva.
"The competence centers will combine and promote the pre-existing knowledge of private and public stakeholders; the cyber parks will focus on research and training, developing new expertise in the process," Franchina says.
The first cyber park could be created in Sicily, in the area of the former CARA of Mineo, once Europe's biggest camp for migrants and asylum seekers.
Although some improvements had already been made in the past few years, the money inflow coming from the EU, combined with the increased awareness of politicians and industry stakeholders, means Italy is finally ready to make a quality leap in terms of cybersecurity skills and defenses.
The challenge is now seizing the momentum without delay. Cybercriminals are also stepping up the attacks, and they've already shown that they can be devastating.