On March 19th, 2013 the long-awaited Cybersecurity Decree (the "Decree") was published in the Italian Official Gazette (http://bit.ly/16HMQuO).
The Decree sets forth the new government architecture entrusted with the task of addressing cyber security threats in Italy.
The Prime Minister sits at the top of the organisational structure set forth by the Decree, together with the "Committee for the Security of the Italian Republic" (CISR), which has the task of defining the national security strategy (the so-called "National Cybersecurity Plan"). A "collegial co-ordination body" supports this first level of the organisational structure. The collegial co-ordination body is presided over by the Director General of the Department for Information Security (DIS), and the Military Adviser assisting the Prime Minister attends its meetings.
Notably, the collegial co-ordination body also has the task, inter alia, of identifying potential threats to and vulnerabilities of national systems (both private and public) and of defining best practices, with the help of a scientific committee set up at the Training School of the Intelligence System ("Scuola di formazione del Sistema di Intelligence"). Representatives of the public sector (e.g. government, universities) and of the private sector (e.g. research, industry) shall be members of the scientific committee.
Alongside these bodies, there are two bodies supporting the Prime Minister: the Internal Information and Security Agency and the External Information and Security Agency.
In addition to the above, it is definitely worth mentioning the setting up of a so-called "Nucleus for cybersecurity" within the Military Adviser's Office. Members of the National Intelligence, the Ministries of Internal Affairs and Foreign Affairs, the Ministry of Defence, the Ministry of Economic Development, the Ministry of Economy and Finance, the Civil Protection and the Digital Agency are part of the Nucleus.
Last but not least, the Decree also mentions the so-called "Interministerial Cybernetics Crisis Table" (NISP), which shall ensure that "the reaction and the assignment of the various Departments' and Agencies' responsibilities in relation to cybernetic crises are performed in a co-ordinated manner".
Without further discussion of the aforementioned institutional architecture - about which doubts remain, especially concerning its complexity and the branching of duties and functions - the appointment of a permanent crisis task force within the Nucleus for cybersecurity, dealing with all large-scale cyber-attacks, is worth noting.
What about private operators?
Only one article in the Decree refers to private operators, namely Article 11, "Private Operators":
"Those Private Operators supplying public communication networks or electronic communication services of public access, and those Private Operators who manage critical infrastructure at national and European levels and whose working order is based on software and electronic systems, including those identified pursuant to Article 1, paragraph 1, letter d) of the Decree of the Ministry of Internal Affairs dated 9th January 2008, as required by the law in force or prior to special agreement:
a) they send communication to the Nucleus for cybersecurity - also via institutionally authorised subjects as per Article 16-bis, paragraph 2, letter b) of Legislative Decree n. 259/2003 - of each and every security or integrity breach of their software systems, using protected broadcast channels;
b) they use the best practices as well as cybersecurity measures as defined in Article 16-bis, paragraph 1, letter a), of Legislative Decree n. 259/2003 and Article 5, paragraph 3, letter d) of this Decree;
c) they supply information to security information bodies and grant access to the data bank for the purposes of the respective cybersecurity, in the cases provided by Law n. 124/2007;
d) they assist in managing the cybernetic crisis by helping to restore the working order of systems and networks that they manage" (emphasis added).
Firstly, the text makes clear that the Decree obliges telecommunication operators (e.g. ISPs, telephone companies) as well as the other subjects covered by the Decree (especially state-owned companies) to notify the Nucleus for cybersecurity of any and all significant breaches of the security of their software systems. Such communication must be sent through "protected channels".
This is a new notification obligation which private operators under the Decree must bear in mind now that the Decree has entered into force. It is therefore very important that such private operators (i) are aware of their obligations under the Decree and (ii) decide on a procedure to follow in order to comply with this requirement.
Secondly, private operators under the Decree shall adopt the best practices to be decided by the collegial co-ordination body. Here too, operators shall pay the utmost attention, since they are obliged to adopt such best practices.