Observing the Ukraine – Russia crisis offers a valuable opportunity to learn lessons about our own national security in general, and about national cyber security in particular. This is not a war confined to a remote country: the cyber conflict may spill over into EU states, including Italy, and we had better be prepared as well as we can.
It is my assessment that as the armed conflict continues and sanctions against Russia become harsher, we will see more cyberattacks on the EU, including Italy: not only more politically motivated criminal-style attacks such as ransomware, but also direct retaliatory cyberattacks on the critical infrastructures of Western states.
There are many cyber defense readiness measures we need to take; in this article I would like to address the question of national responsibility in the case of a nationwide cyber crisis. Such a crisis can be caused by a single large cyberattack on our critical infrastructures, such as the energy system, transportation, water supply and critical services like the healthcare system. It can also be the cumulative result of many small, synchronized cyberattacks that together affect our national security. In both cases we must develop a concrete and effective command-and-control methodology that addresses these attacks and prioritizes the defensive response. In this article I will not address the offensive response or the command responsibility for it.
When we address our national-level defensive activities in cyberspace, we must consider the response to each threat and make sure those responses are organized in a synchronized, operational way. We must define the principles of defensive operations in response to the various threats, determine the principles of national cyber defense in all sectors in relation to the threat clusters, and derive our intelligence-gathering requirements in cyberspace from those threats. We must also determine the role of the private sector (if any) in the national defensive effort. And finally, we must determine the division of responsibilities between government agencies and organizations during a cyber crisis.
The first step should be the definition of thresholds for a cyber crisis. I propose that we define three levels of operations at the national level. Each operational level should trigger a set of actions and define the consequent responsibilities in terms of “who is doing what”, and what the national echelon of command responsibilities and authorities is during each operational threshold.
The first is Routine-time. This refers to the normal “peacetime”, day-to-day situation. During this time there are continuous cyber incidents and attacks that are managed by the government and the business sector. Normally the effect on national security is minimal and easily managed.
The second threshold is Emergency-time. This refers to a situation of high alert in our nation, either because nationwide cyberattacks are expected, or because we have already been subject to cyberattacks with a severe impact on our national security. We need to define the threshold that triggers the declaration of a national cyber emergency, define who has the authority to declare that situation, and define who should declare the return to Routine-time.
The third national situation is Wartime. This is easy to explain, as we now have a live demonstration in Ukraine. It is a situation of war, or of expecting to be at war, which triggers a set of nationwide, synchronized defensive activities. Again, we need to define, technically and legally, the threshold that triggers the declaration of a cyber-war situation, and define who has the authority to declare it and who should declare the return to Routine-time.
In this article I will not pretend to have all the answers; however, I strongly recommend that we start a deep dialogue among all our national security stakeholders (such as C4, COVI, COR) and define responsibilities during each of the thresholds described above, in cooperation with the EU and NATO.
The Italian Cybersecurity Agency should initiate this discussion, bringing together the relevant government authorities and the intelligence and security agencies. The discussion should also include the relevant civilian authorities.
The result should be a detailed document forming an integral part of our national cyber strategy. It should include the formal definition of our operational situation at each of the threshold levels described above (routine, emergency, war), and define the authority of, and the interactions between, all parties in each operational situation. From this we derive the division of authorities and powers of action with respect to all sectors: security, state, government, the business sector and citizens. Consequently, we will need to train and exercise the above to make sure we do not only have a written doctrine, but are able to implement it when needed.
The war in Ukraine should serve as a wake-up call to all EU states, and to Italy specifically. We may find ourselves in a nationwide cyber crisis, and we must do our best to be prepared. The process described above should be part of the development of our national cyber strategy, which should include the definition of our national cyberspace goals; the cyber threat assessment; our operational defensive (and offensive) guidelines; our command-and-control principles; and the cyber capacity-building guidelines for Italy. There is a lot of work to do, and we do not have the luxury of waiting.