How ready is Italy for cyber-security and cyber defence?
How ready is Italy for cyber-security and cyber defence?

Italy is lagging behind many of its peers in Europe and around the world in preparations for cyber-crime and defence, according to an internationally recognised report on cyber preparedness.

The latest country report to be issued as part of the Cyber Readiness Index (CRI) gives Italy low marks for defence and crisis response, cyber R&D, information sharing and diplomacy and trade. The country gets higher marks for law enforcement, incident response and its national strategy.

However, even the national strategy is not where it should be, as the document noted the resources that need to be allocated but failed to pledge funding.

Italy took positive steps in 2015 to form its first national computer emergency response team (CERT) to help contain and respond to large scale cyber incidents.

In the area of e-crime and law enforcement, Italy received its highest score. It is a signatory to the Budapest Convention and has a raft of legislation in place to regulate internet crime. The Italian Postal Service, which provides internet services to millions of Italians, has developed monitoring and filtering systems under its own police service, making it the primary law enforcement agency for the internet.

The country also has several mechanisms for information sharing including the postal service police, various CERTs and the Security Intelligence Department.

However, research and development is not well supported, the CRI report said, and the country lacks a clear strategy for addressing this. Its approach to international trade and negotiations as they pertain to cyber-security are not robust and tend to be handled on a bilateral basis.

Defence and crisis response is still an area in need of development. While the government has acknowledged the need for a comprehensive approach, it is only in the past couple of years that the country has recognised cyber as a new domain of warfare and its Joint Command for Cyberspace Operations is only expected to be operational in 2017.

The CRI, now in its second edition, sets out seven criteria for measuring how well countries have prepared themselves for defending attacks against their information infrastructure.

It was created by Melissa Hathaway (pictured right), a senior fellow at the Potomac Institute in Washington, DC, who has served in the administrations of two presidents as an adviser on cyber-security policy.

Following the publication of the overarching report entitled “Cyber Readiness Index 2.0”, the Potomac Institute began publishing individual country reports, starting with the United States. Since then it has added to the collection with Japan, France, Germany, the UK and the soon-to-be-published Italy report.

“The CRI 2.0 offers a comprehensive—and yet easily employable—methodology to identify the essential elements of a stronger cyber-security posture to defend against economic losses caused by cyber insecurity, and encourages countries to align their national economic vision with their national security priorities,” Hathaway told SCMagazineUK.com. “It is also a tool to assess where a country is on a maturity curve from all-of-government and all-of-nation perspectives.”

However, Hathaway doesn't want the CRI to be seen strictly as a ‘national security' tool. “The CRI 2.0 challenges the conventional wisdom that cyber-security is predominantly a national security issue,” she said. “It demonstrates how national security is closely intertwined with Internet connectivity and the rapid adoption of ICT, which—when secure and resilient—can lead to economic growth and prosperity.”

By benchmarking countries against other countries, she hopes to highlight shortcomings in cyber-security preparations and encourage countries to find their own solutions to the problems. “The reports are not meant to be prescriptive or tell a country how they should fix their shortcomings,” she said.

The United States received a low mark for its national strategy, while receiving high marks in the six other categories, because as a country it has a well developed military strategy but it has not articulated a strategy that addresses its economic and innovation goals. It has also failed to follow through with initiatives and lacks leadership focus on the issue, she said.

Countries with strong ratings include Germany and South Korea. Germany and South Korea, for instance, have “developed incident response exercises with a focus on critical infrastructure and nuclear power”.

The UK rates well in her report. While not perfect, it scores consistently high in all seven categories, especially law enforcement.