3,496 research outputs found

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management

    Technological Threat Attribution, Trust and Confidence, and the Contestability of National Security Policy

    The world has been asked to believe that China is a source of cyberthreat and that Russia is meddling in U.S. elections. Western populations are being asked to trust the words of intelligence agencies and world leaders that these unspecified technological threats are real. The often-classified nature of the threat results in governments not being able to provide the public with an evidence base for the threat attribution. This presents a social scientific crisis where without substantive evidence the public is asked to trust and have confidence in a particular technological threat attribution claim without any further assurance. It is sensible for the public to ask whose security claim should be believed and why? Likewise, it seems a critical social responsibility for security policy makers and academia to first acknowledge this conundrum and then strive to develop frameworks to better understand the trust and confidence challenges around technological threat attribution. This talk draws on New Zealand as a sociological case study to illustrate where and if a technological threat attribution and trust and confidence challenge might be evident in the Department of Prime Minister and Cabinet’s 2018 National Cyber Strategy refresh and the New Zealand Defence Force’s 2018 Strategic Defense Policy Statement. This case study is used to sketch out a broader project focusing on how the contestability of national security strategy and government security discourse can present specific trust and confidence challenges for both the public and government, and how we might begin to address these challenges

    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

    A Comparative Analysis of the National Cyber Security Strategies of Leading Nations

    The rapid pace of technological developments in the area of information and communications technologies caused nations and peoples to be more reliant on cyber infrastructure to survive. Besides opportunities, the widespread use of information technology introduces new threats as well. Risks related to cyber security have started to threaten critical infrastructures, which are defined as assets that are essential for the functioning of a society and its economy. Cyber security has become one of the most serious national security concerns. In 2003 the United States was the first nation to prepare and publish a national cyber security strategy. In the last ten years, 35 other nations have subsequently published their national cyber security strategy document. There are several aspects for national cyber security strategies. According to Luiijf and Healey (2012), there are five mandates of national cyber security: 1) Military cyber operations, 2) Counter cybercrime, 3) Intelligence/Counter intelligence, 4) Cyber security crisis management and critical infrastructure protection and 5) Internet governance and cyber diplomacy. In this study, the national cyber security strategies of France, Germany, The Netherlands, United Kingdom, United States and Turkey are examined and compared. Correlations between specific properties of the nation (economic power and political situation etc.) and focus and content of its cyber strategy were examined. The results of the study will provide guidance for nations that plan to prepare or update a national cyber security strategy

    Cybersecurity for Infrastructure: A Critical Analysis

    Nations and their citizens rely on infrastructures. Their incapacitation or destruction could prevent nations from protecting themselves from threats, cause substantial economic harm, and even result in the loss of life. Therefore, safeguarding these infrastructures is an obvious strategic task for any sovereign state. While the need to protect critical infrastructures (CIs) is far from novel, digitization brings new challenges as well as increased cyber-risks. This need is self-evident; yet, the optimal policy regime is debatable. The United States and other nations have thus far opted for very light regulation, merely encouraging voluntary steps while choosing to intervene only in a handful of sectors. Over the past few years, several novel laws and regulations addressing this emerging issue have been legislated. Yet, the overall trajectory of limited regulatory intervention has not changed. With that, the wisdom of such a limited regulatory framework must be revisited and possibly reconsidered. This Article fills an important gap in the legal literature by contributing to and promoting this debate on cyber-risk regulation of CIs, while mapping out the relevant rights, options, and interests this ‘critical’ debate entails and setting forth a regulatory blueprint that balances the relevant factors and considerations. The Article begins in Part II by defining CIs and cyber risks and explaining why cyber risk requires a reassessment of CI protection strategies. Part III describes the means used by the United States and several other nations to address cyber risks of CIs. Part IV examines a market-based approach with minimal governmental intervention to critical infrastructure cyber-regulation, along with the various market failures, highlighting assorted minimal measures to correct these problems. 
It further examines these limited forms of regulation, which merely strive to bridge information and expertise barriers, assign ex post liability for security-related harms, or provide other specific incentives—and finds them all insufficient. Part V continues the normative evaluation of CI cyber-protection models, focusing on ex ante approaches, which require more intrusive government involvement in terms of setting and enforcing standards. It discusses several concerns with this regulatory strategy, including the lack of governmental expertise, regulatory capture, compromised rights, lack of transparency, and the centralization of authority. Finally, in Part VI, the Article proposes a blueprint for CI cyber protection that goes beyond the mere voluntary regulatory strategy applied today

    An Assessment Model to Improve National Cyber Security Governance

    Today, cyber space has been embraced by individuals, organizations and nations as an indispensable instrument of daily life. Accordingly, impact of cyber threats has continuously been increasing. Critical infrastructure protection and fighting against cyber threats are crucial elements of national security agendas of governments. In this regard, governments need to assess the roles and responsibilities of public and private organizations to address the problems of current cyber protection postures and to respond with reorganization and reauthorization of these postures. A risk management approach is critical in placing these efforts in an ongoing lifecycle process. In this paper, a model is proposed to be used in national cyber security risk management processes. We argue that this model simplifies and streamlines national risk management processes. For this purpose, a matrix is created to partition the problem space. Cyber threat detection and response activities constitute one dimension of the matrix. The second dimension divides the timeline of cyber incidents into three: before, during and after incidents. The resulting matrix is then populated with responsible bodies which need to address each case. As a result, a national cyber security responsibility model is proposed for policy/decision makers and academics. We believe that the proposed model would be useful for governments in analyzing their national responsibility distribution to address gaps and conflicts in their current cyber security postures and for academics in analyzing natural cyber security systems and comparative studies

    Cyber Risks and Costs for the Company.

    The interest in the security of IT systems has grown in recent years, proportionally to their diffusion and to the role they play in the community. With the spread of computerization of society and services (public and private) the risk of cyber-attacks and accidents has increased. From the results of the analysis of the present study it is noted that only in Europe, more than 4 thousand computer attacks per day have occurred and also in Italy the phenomenon has recorded increasingly heavy consequences to the detriment of businesses. From the analyzes reported in the present study, the causes of the problem are multiple but in particular they are due to the scarce training of the personnel, which does not allow to notice in time of possible threats and intrusions in the control systems, to a cultural problem and to the inadequacy of the investments to face the problem, in fact, despite, a general concern of the companies about the risks of cyber security. The present study examines the main sector reports, including those in the international context of the World Economic Forum, Kaspersky, McAfee, Norton Cybercrime Report and at a European level, the recent Euro barometer research to investigate the risks of company and identify the tools that allow to improve the degree of knowledge of the real threats, to know the business costs in order to activate a series of measures able to guarantee the security of company data

    Beyond Physical Threats: Cyber-attacks on Critical Infrastructure as a Challenge of Changing Security Environment – Overview of Cyber-security legislation and implementation in SEE Countries

    States, organizations and individuals are becoming targets of both individual and state-sponsored cyber-attacks, by those who recognize the impact of disrupting security systems and effect to people and governments. The energy sector is seen as one of the main targets of cyber-attacks against critical infrastructure, but transport, public sector services, telecommunications and critical (manufacturing) industries are also very vulnerable. One of most used example of cyber-attack is the Ukraine power grid attack in 2015 that left 230,000 people without power for up to 6 hours. Another most high profile example of a cyber-attack against critical infrastructure is the Stuxnet computer virus (first used on Iranian nuclear facility) which could be adapted to attack the SCADA systems (industrial control systems) used by many critical infrastructures in Europe. Wide range of critical infrastructure sectors are reliant on industrial control systems for monitoring processes and controlling physical devices (sensors, pumps, etc.) and for that reason, physical connected devices that support industrial processes are becoming more vulnerable. Not all critical infrastructure operators in all sectors are adequately prepared to manage protection (and raise resilience) effectively across both cyber and physical environments. Additionally there are few challenges in implementation of protection measures, such as lack of collaboration between private and public sector and low levels of awareness on existence of national key legislation. From supranational aspect, in relation to this paper's topic, the European Union has taken first step in defense to cyber threats in 2016 with „Directive on security of network and information systems“ (NIS Directive) by prescribing member states to adopt more rigid cyber-security standards. 
The aim of directive is to improve the deterrent and increase the EU’s defenses and reactions to cyber attacks by expanding the cyber security capacity, increasing collaboration at an EU level and introducing measures to prevent risk and handle cyber incidents. There are lot of other „supporting tools“ for Member States countries, such as European Union Agency for Network and Information Security – ENISA (which organize regular cyber security exercises at an EU level, including a large and comprehensive exercise every two years, raising preparedness of EU states); Network of National Coordination Centers and the European Cybersecurity Industrial, Technology and Research Competence Centre; and Coordinated response to major cyber security incidents and crises (Blueprint) with aim to ensure a rapid and coordinated response to large-scale cyber attacks by setting out suitable processes within the EU. Yet, not all Member States share the same capacities for achieving the highest level of cyber-security. They need to continuously work on enhancing the capability of defense against cyber threats as increased risk to state institutions information and communication systems but also the critical infrastructure objects. In Southeast Europe there are few additional challenges – some countries even don't have designated critical infrastructures (lower level of protection; lack of „clear vision“ of criticality) and critical infrastructures are only perceived through physical prism; non-EU countries are not obligated to follow requirements of European Union and its legislation, and there are interdependencies and transboundary cross-sector effects that needs to be taken in consideration. 
Critical infrastructure Protection (CIP) is the primary area of action, and for some of SEE countries (like the Republic of Croatia) the implementation of cyber security provisions just complements comprehensive activities which are focused on physical protection. This paper will analyze few segments of how SEE countries cope with new security challenges and on which level are they prepared for cyber-attacks and threats: 1. Which security mechanisms they use; 2. The existing legislation (Acts, Strategies, Plan of Action, etc.) related to cyber threats in correlation with strategic critical infrastructure protection documents. Analysis will have two perspectives: from EU member states and from non-EU member states point of view. Additionally, for EU member states it will be analyzed if there were any cyber security legislation before NIS directive that meets same aims. The aim of research is to have an overall picture of efforts in region regarding cyber-security as possibility for improvement thorough cooperation, organizational measures, etc. providing also some recommendations to reduce the gap in the level of cyber-security development with other regions of EU.