Italy Proposes Cybersecurity Agency to Boost Data SecurityAgency to Defend Critical National Infrastructure, Decree Says
The Italian government is planning to launch a national cybersecurity agency, the Agenzia per la Cybersicurezza Nazionale, or ACN, to fight the growing cybersecurity threat, according to a draft decree seen by Reuters. The decree also includes plans to create a unified cloud infrastructure to boost security of data stored by individual public administrations, the decree says.
Italy’s cabinet is expected to approve the decree this week, Reuters reports, adding that under the Parliamentary Committee for the Security of the Republic, or COPASIR, the government will then implement rules and regulations to allocate resources to tackle cyber-related threats.
Currently, various aspects of digital security are divided among different ministers and state bodies, and this decree aims to unify them under the prime minister's authority.
ACN Makeup and Role
The new Italian governmental cybersecurity agency will be responsible for coordinating public entities involved in cybersecurity.
The decree states a general director and his deputy will be appointed for four year, with a mandate that can be renewed once, according to Reuters. The new agency will have six departments and is expected to hire around 300 staff members and eventually grow to around 800 by 2027.
In addition, the prime minister will be directly responsible for management and responsibility for cybersecurity policies and adoption of the national cybersecurity strategy. Innovation Minister Vittorio Colao said last month that a total of around 900 million euros ($1.10 billion) will be invested in the project, which would involve overseas tech companies, Reuters reports.
"The ACN will manage the funds destined for cybersecurity stemming from the EU-funded National Recovery and Resilience Plan. Most importantly, the ACN will operate as the liaison between the European Union Agency for Cybersecurity and the relevant national bodies to ensure a coherent cybersecurity strategy," Stefano De Blasi, an Italy-based threat researcher at Digital Shadows, tells Information Security Media Group.
The agency will work as a frontline desk and especially in crisis situations, it will ensure support for the premier and the Interministerial Committee for the Security of the Republic, or CISR, according to a report by Rai News, a local news publication.
A committee will consist of the prime minister's military adviser; representatives from the Ministry of Education, University and Research; the delegated minister for technological innovation and digital transition; and a representative of the Civil Protection Department of Palazzo Chigi and others, the report says.
De Blasi says the reform has come at an exceptionally topical moment, as Italian Prime Minister Mario Draghi is set to meet U.S. President Joe Biden and Russian President Vladimir Putin over the coming two weeks to discuss a broad array of crucial topics, including international cyber governance.
"In this sense, this Italian cybersecurity body and legislation reform sends a critical message of cohesion and unity of purpose with its European and Western allies," De Blasi states.
"Having a centralized approach to cybersecurity is a critical component of responding quickly to any threats faced or actionable intelligence either from cybercriminals or rogue states. The approach Italy is taking aligns closely with other European and North American nations," says Peter Nailer, head of operations at CloudCoCo, a cybersecurity firm. "The approach can be further strengthened by sharing identified threats between allies to promote a joint approach to threats faced."
Steve Forbes, a government cybersecurity expert at Nominet, says "to enact real change, a centralized approach can make a huge difference in protecting citizens and businesses from cyberthreats, from having visibility across many different organizations that allow analysts to see trends, map vulnerabilities and share intelligence, to having the ability to deploy scalable solutions.
"The impact of this type of coordinated cyber defense can happen at pace and will enable Italy’s cybersecurity agency to take a firm grip when any threats arise - protecting on a local, nationwide and international level."
Marco Rottigni, chief technology security officer for EMEA at cybersecurity firm Qualys, says, "The formulation of this agency is one of three key initiatives by the Italian government announced in recent years, which also include a focus on how data and critical infrastructure owned by public administrations can be better managed and controlled at a national level. This will involve collaborating with private technology vendors and consultants outside of Italy to source the required technological expertise. The third initiative centers around digitization, where the Agency for Digital Italy will form the key guidelines and processes to assist public administrations during their cloud migration and adoption of new technologies."
Public/Private Cloud Infrastructure Planned
Slightly out of step with the emphasis on Western unity, the Italian government is also planning to set up a new cloud infrastructure through a public-private partnership, which will be implemented by a European tender, according to the Reuters report. Reuters attributes the move to growing concerns about U.S. dominance of cloud data storage and the risk of U.S. surveillance in the wake of the adoption of the U.S. CLOUD Act of 2018.