Italy adopted its national cybersecurity strategy in 2013. Its cybersecurity framework was published in February 2016.
Objectives of the national strategy are:
Obj. 1 - Enhancing the technical, operational and analytic expertise of all concerned stakeholders and institutions through a joint effort and a coordinated approach.
Obj. 2 - Strengthening capabilities to protect national critical infrastructures, strategic assets and stakeholders.
Obj. 3 - Facilitating public-private partnerships.
Obj. 4 - Promoting and encouraging a culture of cybersecurity.
Obj. 5 - Reinforcing capabilities to counteract online criminal, malicious and illegal activities.
Obj. 6 - Strengthening international cooperation.
To achieve the above objectives, the Italian Government has identified eleven operational guidelines:
Act. 1 - Enhance the expertise of the intelligence community.
Act. 2 - Identify the Network and Information Security (NIS) Authority that will engage at the European level.
Act. 3 - Develop a widely shared cyber taxonomy and promote a common understanding of cybersecurity terms and concepts.
Act. 4 - Foster Italy’s participation in international initiatives to enhance cybersecurity.
Act. 5 - Attaining the full operational capability of the National Computer Emergency Response Team.
Act. 6 - Legislation and compliance with international obligations.
Act. 7 - Compliance with standards and security protocols.
Act. 8 - Support for industrial and technological development.
Act. 9 - Strategic communication.
Act. 10 - Allocation of adequate human, financial, technological and logistic resources to the strategic sectors of the Public Administration.
Act. 11 - Implementation of a national system of information risk management.
Adequate definition of critical infrastructure protection: yes.
Investments: In 2015 the Italian government announced that two billion euros would be allocated for national security and education in 2016. The 2016 budget will include 150 million euros for cyber security and another 50 million for better tools for law enforcement.
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
Year of adoption: 2013 (national strategy); February 2016 (National Framework).
Updates and revisions:
The Prime Minister's Decree of 24 January 2013 sets out guidelines for national cyberspace protection and IT security. It led to the definition of a National Plan, which provides a roadmap for adopting the priority measures for implementing the National Strategic Framework in the public and private sectors (www.gazzettaufficiale.it/eli/id/2013/03/19/13A02504/sg).
The 2016 national cybersecurity report paved the way for the establishment and evolution of the national framework. The report was jointly authored by CIS Sapienza (Research Center of Cyber Intelligence and Information Security, Sapienza Università di Roma) and CINI (Cyber Security National Laboratory), drawing on input from various public and private organisations such as AON, Deloitte, AGID (Agenzia per l'Italia digitale) and the Italian Government Agency for Economic Development.
Implementation and monitoring:
The Presidency of the Council of Ministers is the officially recognised organisation responsible for implementing the national cybersecurity strategy, policy and roadmap.
Operational capacity building:
Italy has several Computer Emergency Response Teams (CERTs) covering the public and private sectors as well as citizens.
The Italian national CERT, CERT Nazionale (Italian; https://www.certnazionale.it/chi-siamo/), is based on a public-private collaboration on cybersecurity for citizens and companies. It is responsible for raising awareness, helping to prevent cyber incidents and coordinating the response to large-scale ones.
GARR-CERT provides support for the Italian Academic and Research Network, working to reduce the risk of computer security incidents. (Italian: https://www.cert.garr.it/; English: https://www.cert.garr.it/en/).
CERT Posteitaliane is a private structure within the Poste Italiane Group, providing services for security specialists, large organisations, clients, and consumers. (Italian: https://www.picert.it/; English: https://www.picert.it/en/).
Policy requirements:
Policy requirements for an inventory of systems and classification of data.
Policy requirements for security practices mapped against risk levels.
Policy requirement for an annual cybersecurity audit.
Requirement for a public report on government capacity.
Requirement for public and private procurement of cybersecurity solutions based on international accreditation/certification schemes, without additional local requirements.
Business and Public Private partnerships
There are no official public-private partnership initiatives, though several independent associations deal with cybersecurity.
CLUSIT (Italian) is an association of IT security organisations and professionals tasked with helping to spread a cybersecurity culture among companies, public administrations and citizens. It also contributes to formulating laws and regulations on cybersecurity at local and national level, provides input to training programmes and ICT professional certifications, and promotes the use of technologies and methodologies that improve cybersecurity at all levels of society. Its annual report covering 2016, Il Rapporto Clusit 2017 sulla sicurezza ICT in Italia (Italian), is the outcome of a collaboration between representatives of the public and private sectors sharing data, insights and experience. IDC is a research partner of the report.
Italy has officially recognised national and sector-specific educational and professional training programmes for raising awareness among the general public, promoting cybersecurity courses in higher education, and promoting certification of professionals through the National CERT and CNAIPIC (National Anti-Crime Computer Centre for Critical Infrastructure Protection).
Overall assessment/best practices:
Italy has introduced an innovative reference model that acts as an accelerator of the National Strategic Plan for Cyber Security, which all companies and government agencies are invited to adopt. The reference model draws on the US NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cybersecurity.
The current model is not, however, exhaustive: it does not emphasise preventive measures and countermeasures against dynamic attacks in industrial espionage contexts affecting companies and research centres. What is required is a communication and research process involving the civil and military intelligence structures (DIS, AISI, AISE) on both national and transnational scenarios. This involvement needs reference standards to support specific protocols between public and private organisations and the intelligence structures in the event of terrorist attacks or industrial espionage, or simply of crisis scenarios induced by the redrawing of geopolitical boundaries in Italian strategic sectors such as research, defence, energy, telecommunications, agribusiness, tourism and high fashion. It is also necessary to create suitable operating centres for security and intelligence (Cyber Security Operational Centres, CSOC) dealing with security issues at the strategic, tactical and operational levels, nationally and transnationally, where millions of data points will be analysed and correlated using dynamic data mining techniques.
Date of last analysis: August 2017.
Compliance with the GDPR and NIS Directive: Report a cyber incident
Report a cyber incident to the national CERT/CSIRT:
CERT Posteitaliane (security specialists, large organisations, clients, and consumers).
Guidance and updates:
The Italian National CERT provides updates on:
The website also provides access to publications: https://www.certnazionale.it/documenti/.
GARR-CERT provides a cyber alert service (https://www.cert.garr.it/en/alert-en/security-alerts). GARR-CERT also publishes technical articles, e.g. on honeypots, advanced network security, secure router configurations, Distributed Denial of Service attacks via DNS servers and antivirus installation (https://www.cert.garr.it/en/documents/technical-articles). It provides annual statistics on cyber incidents (2012-2017; https://www.cert.garr.it/en/documents/statistics), which are not particularly detailed.
CERT Posteitaliane publishes alerts (https://www.picert.it/category/alerts/), practical technical notes (https://www.picert.it/category/alerts/note-tecniche/), and related news and events.
Date inserted: July 2017.