“We mustn’t do it soon, we must prioritise it,” he says several times. National security isn’t a dead-ended speed race, but rather an ever-shifting horizon that requires the right combination of vision and realism. Franco Gabrielli, the Undersecretary of State who oversees Intelligence and Security, former Head of Police and of the Civil Protection, as well as Prefect of Rome, welcomes us in his office.
The first six months of Mario Draghi’s government were anything but routine. The new National Cybersecurity Agency (NCA), the structure that will monitor Italy’s cyber resilience, was built one piece at a time under Mr Gabrielli’s direction. As he explains to Decode39, this reform is a response to an emergency, i.e. the wave of cyber attacks brought about by the pandemic – but it also carries the signs of a wide-ranging project to rearrange crucial skills and enhance the professionalism of Italy’s Intelligence.
Why is the NCA needed right now?
In truth, this need has been felt for at least a decade. Our country’s cyber resilience requires a specifically devoted structure. The birth of the NCA serves to clarify [the division of resposibilities] and restore order between the different skills.
Starting with the Department of Information for Security (DIS) – the entity that coordinates domestic and foreign intelligence agencies – which was entrusted with the responsibility of the country’s cyber defense back in 2017. Was that a mistake?
Not a mistake, but rather a choice that resulted from the circumstances and the EU’s directives. When I accepted my current assignment, I noticed that DIS was in a bit of a frenzy; many thought that its cyber defence responsibilities were conflicting with the agencies’ missions.
So, what happened?
Following the crucial impulse given by the Prime Minister, and taking stock of the collaboration of COPASIR ( Parliament’s intelligence watchdog, editor’s note) and other parliamentary committees, we decided to enact a reform to rationalise the governance. We also set out to stop what you might call institutional bulimia: just think that 23 different national Network and Information Systems were established in 2018 alone. Starting today we’ll have only one NIS, within the NCA.
What else went wrong?
The excessive overlap between different institutions inevitably created a two-speed road. For instance, I recall the 2019 legislative decree that set up the country’s Cybersecurity Perimeter and established a control centre located at the Ministry for Economic Development. This centre was supposed to hire seventy IT engineers, but it never did. The Computer Incident Response Team, which instead was under DIS’s supervision, experienced a much faster evolution.
In the last year, the number of cyber attacks has grown exponentially in Italy. The most recent one targeted the medical data of six million people. How do you explain this escalation?
The pandemic expanded the digital audience exponentially, and consequently it increased exposure to cyber risk. Ransomware attacks, which are worrying because of their skyrocketing increase over the past year, are only one side of the coin. According to data from an independent observatory, the turnover of these web-based blackmailing gangs has gone from $11 billion in 2020 to $20 billion in the first six months of 2021 alone.
What will the Agency do to defend Italian infrastructures?
It will deal with the cyber resilience of those entities, both public and private, that are essential to the State’s security. The need for the NCA becomes clear when we look at the numbers. [Technological Innovation and Digital Transition] Minister Vittorio Colao, who has a successful professional background in the private sector, pointed out that 95% of the Italian public administration’s servers are exposed. He raises an alarm that must be taken seriously. And here I’ll have to make a further premise.
The NCA will not be a silver bullet for all evils nor the cure-all solution to all problems. The country’s resistance to cyberattacks cannot be built in a few months or even a few years; it is a path that will require fundamental contributions from other apparatuses, such as police forces, who carry out cyber investigations, as well as DIS’s cyber-intelligence division. On this matter, a parliamentary “servicing” check-up is expected in October 2022. At the moment we are working on the implementing regulation.
Will the NCA be located outside DIS?
Yes, but it will still reside within the framework of national security. Making the system resilient to cyberattacks is the precondition for security, as one would reinforce an apartment’s alarm system – and make sure that whoever programs it is a trusted person – in order to prevent burglaries.
Last year the former government wanted to establish an Italian Cybersecurity Institute. How does the NCA differ from it?
The difference is substantial. That Institute looked like a spin-off of DIS tasked with managing the European funds for cybersecurity and it had a very convoluted structure, halfway between public and private, with several operational complexities weighing down the governance system. Within the foreign and domestic intelligence agencies, there was no lack of misunderstandings – even intolerance – towards a tool that further strengthened DIS’s role in the field of cybersecurity.
Let’s get into details: how many people will work in the NCA?
About seventy professionals are ready to move in from DIS, the Ministry for Economic Development and [another public-private agency]. We will employ three hundred people in the short term. But in the medium term the goal is to get close to a thousand, that is, as many as are found in the comparable agencies of France and Germany.
Salaries will be equated to those of the Bank of Italy. Why?
It is the right salary to attract professionals who would otherwise make their skills available to the private sector. If we manage to recall even one talented engineer from abroad, it will be a victory. There will be high turnover, we will create a specialized workforce that can then move into other branches of the public administration.
The NCA will have to complete the National Cybersecurity Perimeter, which is being built under the direction of DIS. Two years ago, a COPASIR report warned about the presence of Chinese suppliers in the Italian 5G network, which allies such as the United States and the United Kingdom have banned from their network. Is the Perimeter good enough?
Arranging a ban is not easy because in Europe there is no unitary position between those who advocate for a crackdown, those who want laxer measures and those who would rather postpone the problem. But most importantly, a ban is not enough: we must indicate an alternative. This is one of the NCA’s crucial missions: to work towards technological autonomy, which is necessarily a European end goal. The Cybersecurity Perimeter will be tasked not only with defending, but also with helping to grow the nation’s small and medium-sized companies in the digital sector.
If the NCA will take care of cyber defence, the responsibility for cyberattacks will remain within DIS. Do you think we need to set up a third agency, in addition to domestic and foreign intelligence services, to handle cyber-intelligence?
Absolutely not. In 2007, when the sector’s reform was completed with Law 124, I already believed that the creation of a single Italian intelligence agency would be the most obvious final goal. In the cyber world, as well as in Ecofin, the distinction between internal and external does not exist.
Talks of reforming Law 124 have re-emerged recently. Do we need to get back to work on that?
We need to update it. First off, this was a parliamentary law, approved by a unanimous coalition, and therefore it will be up to today’s Parliament to rekindle talks. Law 124 had an important task, to rebalance the system created with Law 801 (passed in 1977) that featured a generalist intelligence service, SISMI (the former foreign intelligence agency, editor’s note), and a slightly less performing one, SISDE (the former domestic intelligence agency, editor’s note).
Why was the hypothesis of a single service discarded?
I believe that back then, as now, it was difficult to accept the idea of a single agency for fear that it could centralise power in its hands and become a sort of “Spectre”. But these are unfounded fears if such a structure is complemented with a more rigid system of checks and balances. I am convinced that we will increasingly need a strong, performing intelligence apparatus, one that’s not shackled to other apparatuses that have nothing to do with intelligence.
Like the American National Security Agency?
It’s difficult to import a model from abroad without considering historical and regulatory conditions. For example, we often (and rightly) look at the Israeli agencies, while forgetting that Israel has been a nation at war for seventy years. Excellence for them is not an option, it’s a necessity. This should also be true for Italy.