Roberto Baldoni welcomes us in his office in Rome with a tired smile. There hasn’t been much time to relax since Prime Minister Mario Draghi appointed him as the Director of the new National Cybersecurity Agency (NCA).
Before that he spent four years as Deputy Director of the Department of Information and Security (DIS, the organisation overseeing Italy’s domestic and foreign intelligence agencies), and was devoted to building the country’s digital defence system, dubbed “National Cybersecurity Perimeter.”
Mr Baldoni is known to all as “the Professor” because of the long and uninterrupted academic career that made him a leading Italian cybersecurity expert. Now, as he tells Decode39, Italy is ready to secure its critical infrastructure. The Recovery Plan – mostly bankrolled by the EU – is the chance for the Italian and European digital industry to leap ahead, and it can’t be missed.
Mr Baldoni, how was the transition from university teaching to working in the secret services?
It was an exciting experience. In these four years at DIS I had a privileged observatory within [the Presidency of the Council of Ministers’] structures that made me grow further. The foundations of Italy’s cyber resilience and the birth of the Agency were made possible thanks to the work at DIS. Without the Department’s variety and quality of skills, it would have been impossible.
Now on to a new job at the helm of the NCA, which is split from intelligence operations. Is it wise to detach the two endeavours?
This is a different mission. For the cyber-resilience of national infrastructures to take root, we need a strong awareness campaign in the open world. We must also foster the skills needed to defend Italian strategic structures – from hospitals to the public administration – from cyberattacks.
Hence, it cannot be clouded in secrecy.
That’s right, it must enter society. It is intrinsically different from intelligence-related endeavours, where confidentiality is fundamental. On the other hand, this path has already been taken by other European countries and their cyber agencies: France’s ANSSI branched out of the secret services, and the UK’s NCSC is closely linked to the GCHQ.
The last government tried to bring order among the secret services by establishing the Italian Cybersecurity Institute (ICI), but the idea of a public-private foundation was criticised and eventually abandoned. What went wrong?
I believe that the NCA is in continuity with the ICI, now a part of it. The mission for which the ICI was born – that is, to coordinate European funds for technological, scientific and industrial development in cybersecurity – is also the NCA’s mission. But there are substantial differences.
Which are?
The NCA is a public institute. And it will have a broader mission. It will also handle ICT equipment certification through the CVCN (National Assessment and Certification Center, editor’s note), the Assessment Centres of the Interior and Defence Ministries, and the network of testing labs. Moreover, it will oversee operations, such as incident prevention and management, through the CSIRT (Computer Incident Response Team). And it will also act as the national cybersecurity authority.
Cybersecurity-wise, is Italy running late?
Yes, no point in hiding it. Germany inaugurated its cybersecurity agency in 1991, Israel in 2002, France in 2006. But we have come a long way, thanks to the work done within the DIS, the launch of CSIRT, the construction of the National Cybersecurity Perimeter and now the NCA.
How many people will work at the NCA?
We will finish transferring 90 professionals from DIS, the Ministry for Economic Development and AgID (the Agency for Digital Italy) within the first months of 2022. Then, starting that year, we will launch competitive exams with the aim of expanding the staff to 300 employees by the end of 2023. The goal is to reach roughly 800 by 2027.
You are the architect of the National Cybersecurity Perimeter, the oversight network that will guarantee the security of those entities – both public and private – that provide essential services to the State. How close to completion is it?
We’re at the final stretch. The Perimeter is built on three pillars, two of which – security measures and the incident notification system on which incident management through the CSIRT is based – are already in place. The third, technological scrutiny (to be undertaken through a CVCN-centered system), will be online by June 30th, 2022. Still, the two operational pillars are already crucial reference points for those who provide the State with essential services, allowing them to raise their security level.
Italy’s main ally, the United States, calls for a choice of sides that entails excluding suppliers deemed at risk, especially certain Chinese companies, from the 5G network and other critical infrastructures. Have we done enough?
We have done a lot. We moved in alignment with the European Commission. Let’s not forget that Italy was among the countries that led the work to shape the EU’s Toolbox, i.e. the set of European guidelines that introduced the concept of “high risk vendor” and earned the applause of our allies.
Is it really enough to raise the safety bar?
We must reason on two distinct levels. The first is the IT security of the devices we use within our strategic ICT assets. We have to check what we bring in our house, regardless of the supplier.
And the second level?
It concerns the level of technological risk, where the problem of the supplier’s “trust” comes into play. The two levels are contiguous, but it’s best they remain separate. The NCA will deal with IT security. To mitigate the technological risk we’ll have to initiate a debate between several institutional actors.
Meanwhile, the EU and the US are looking for a common strategy. Operations at the Trade and Technology Council have begun. Can we be allies on the digital front, too?
Of course, as long as mutual needs are taken into account. Europe is dealing with a twenty-year-plus problem: its limited strategic autonomy in the ICT sector.
Where are we at?
The market speaks for itself. We do not have competitive European companies in cloud technology or artificial intelligence, and we have few in the Internet of Things. Quantum computing could be an exception, but that sector still belongs to the world of research and actual industrial developments have yet to take place. A symptom of another typically European problem.
Which is to say?
Europe, unlike America, struggles to transform research into business. We have to do our homework: without creating the conditions for the birth of major European players, or without reaching a higher level of autonomy in ICT, it becomes harder to lay the foundations for a full technological alliance with the US.
The global microchip crisis stands out among other dossiers at the TTC. Should we blame the pandemic?
The pandemic dealt the final blow, as the demand for computers and portable devices with multiple microchips has increased significantly. But this crisis has deeper roots; it also depends on export restrictions and bans imposed over time that have caused an imbalance in the market. We’ve witnessed two reactions in the face of these shocks: some hoarded microchips, and some chose to continue production at full speed. Today, the latter are in trouble.
How do we come out of it?
It’s not easy. The economies of certain countries, such as Taiwan, are built to favour semiconductor development. One company is not enough to manufacture microchips, those require an entire ecosystem that’s difficult to replicate.
And that ecosystem is extremely expensive. Hence, European states must deploy public funds, but they also reject State economy – such as that of certain Asian countries…
It is a very complex balance, it will take time. Strategic technological autonomy is a pillar of the von der Leyen Commission’s mandate. Unfortunately, the EU – which is bogged down by competition and internal vetoes – often concentrates more of its efforts at the scientific and social cooperation level instead of the development of a true European industrial policy.
Some international companies are looking to Europe to build new semiconductor foundries. Does Italy have what it takes?
Of course, this is one of the missions of the Italian Recovery Plan. The European funds have brought in the occasion for a new digital industrial policy. The national cloud strategy I presented together with [Digital Transition] Minister Vittorio Colao and Undersecretary Franco Gabrielli (who oversees the Intelligence Department, editor’s note) is a first, important step.
Regulating Big Tech is another tense front between the EU and the US. Is Europe’s pressing approach at risk of turning against it?
On the legislative level, EU regulations (starting with the GDPR) are a global standard, and they’re even upheld by other non-European countries. But they are not enough. Digital transformation is not governed by acts and directives only; we need a strategy for the development of the European industry. In addition to values and norms, we need to export technology.