Rome. On the top floor of the former headquarters of the Italian secret services, which now houses the National Cybersecurity Agency (NCA), Director Roberto Baldoni is scrolling through a slide deck on his PC. “We cannot miss the Recovery Fund train. And we don’t intend to,” he says, sitting behind his desk.
There’s a reason why the helmsman of Italian cybersecurity is known as “the professor”. And to think that a lot of time has passed since his years as a teacher at La Sapienza University, when he was a pioneers of the subject in Italy.
Before the NCA, he spent four years as deputy director of DIS, the agency that coordinates the intelligence services, building the national cybersecurity perimeter for the State’s strategic assets, both public and private.
Then, exactly one year ago, he was called by the Draghi government to lead the NCA. In this exclusive interview with Decode39, Mr Baldoni retraces the road travelled so far and anticipates what’s to come, from grounding the European funds to building antibodies against hackers and cybercriminals.
Professor, what do you make of this first year?
We have an excellent balance sheet. We started with a small nucleus; today, we have exceeded the threshold of one hundred people. By the end of 2023, we will be three hundred; we are looking for a new office. I think the Agency has already started giving some signals about the importance of its mission. On the one hand, by preventing and mitigating cyberattacks. On the other hand, by supporting two bastions of the national interest: the perimeter and the Golden power (the State’s screening and intervention over foreign direct investments to protect the nation’s strategic assets, ed).
As well as the Recovery Fund. The NCA is the Italian hub for the European Cybersecurity Competence Centre, based in Bucharest. Meaning it’s the chute to ground European funds on digital and cybersecurity.
A key mission. On this front, we have worked well with Vittorio Colao’s Ministry for Digital Transition and achieved significant results, starting with the national cloud infrastructure. We have already classified the data of 17 thousand public administrations (PAs), and the goal is to reach 22 thousand.
Let’s take a step backwards. The birth of the NCA was the epicentre of a major reorganisation of the intelligence sector. Previously, cyber resilience was outsourced to the DIS; now it’s up to an external body. In hindsight, was the change necessary?
I think so. This is how it works abroad. It would have been complex to create a department focused solely on cybersecurity within the DIS, which has a different mission. Moreover, through the NCA we can talk to citizens openly about the risks in the cyber world and the private sector, and we can provide training: a great cultural challenge. The DIS, instead, requires the appropriate guarantees of confidentiality to fulfil its mission.
A year of operation, a year of hunting for talent to make up the team. Is Italy still a talent forge?
Italy still produces good talent. There are where we are weaker, such as hardware – this is the case with microchips – and others in which we excel. Educational qualifications don’t always make a difference. In the new recruitment campaign, for instance, we will call not only graduates but also self-taught technicians, graduates who have developed skills on their own, along the lines of what happens in the US or Israel. Moreover, the campaign also includes seats for technology analysts, international relations and new technology law experts, and technology project management.
Should we call back people from abroad?
Another mission we cannot fail to fulfil. The reason is simple: many technologies are developed outside Italy. And Italy, like other European countries, has often dozed off in recent years.
Among the milestones cut in this first year is the Cyber Perimeter, which fences off strategic assets. You started planning that three years ago. Where are we now?
The network of test laboratories is finally taking shape. It’s made up of centres that will have to test technologies employed in various sectors now radically transformed by IT, from aerospace to energy to transport. In addition to performing quality control on the devices that will enter the cyber perimeter, the network will become a hotbed of expertise that – according to our goal – will partly make up for the deficit caused by the flight of experts abroad. Something that’s useful to the entire country, from the PA to the private system that will draw on it.
What is the timetable?
The laboratory network goes hand in hand with the grounding of the NRRP (National Recovery and Resilience Plan, ed). Creating one laboratory by the end of the year, and about 20 by the end of 2024, is one of the plan’s objectives. In the autumn, we will issue a call for tenders, open to the public and private sectors, to finance the construction of the labs.
In September 2019, the first cabinet meeting of the second Conte government greenlit the cyber perimeter. At the time, it was interpreted as a political gesture: a response to US concerns about the infiltration of foreign states, namely China, into Italian technology.
I am convinced that the message got through. The perimeter inaugurated a virtuous path for Italian cybersecurity, which continued with the creation of the Agency, embedded in a harmonious national architecture. I do not doubt that allies and non-allies, friends and foes have noticed this path.
In the meantime, the National Evaluation and Certification Centre (CVCN), another pillar of the perimeter, has been operational since July 1.
The mission is always the same: to manage technological risk. We must decrease technological dependence on other countries. On the one hand, we must develop Italian and European technology, from microchips to AI and the cloud. On the other hand, since we won’t be able to produce every kind of tech, we must be able to analyse foreign equipment so as to import quality technologies that minimise technological risk, including from a geopolitical point of view. The CVCN system and test laboratories will be the technical engine of this analysis work.
Since May, Italy has had a new National Cybersecurity Strategy. There is a long history of Italian strategies remaining in the drawer…
As Undersecretary [Franco] Gabrielli noted, this one is different. Because alongside the strategy is an implementation plan that indicates the actors responsible for the individual measures and the timeframe for implementing them. We are defining the KPIs (key performance indicators, ed) with some PAs: we will evaluate each step and provide a yearly report to Parliament.
Let us return to the Recovery Plan and the role of the NCA. Here too, all the more so with a political crisis, Italy risks missing the target. How will you stay on the European tracks?
We cannot afford to abandon them. We are working to put the cybersecurity funds allocated by the NRRP to good use. That’s €620 million, divided between national cyber services and strategy-related projects, scrutiny laboratories and technology certification, and strengthening the cyber resilience of the PA.
What are the next steps?
There are 77 interventions to strengthen the security posture of the central PA and constitutionally important bodies for a total of €28 million. These are either approved or directly identified and financed by us. In September, there will be a second call for local PA interventions worth €45 million. Other calls for tenders will follow in 2023 and 2024, up to a total of €150 million.
How do you proceed?
We send the necessary documentation to the Ministry of the Economy, which in turn has a continuous dialogue with the EU. To keep up with the NRRP, we have developed a tomography of interventions to direct spending on cybersecurity and maximise efficiency. An evaluation grid that measures the ease of implementation and resolving capacity of each intervention.
Is the PA side receptive?
It’s a dedicated mission that requires preparation. This is also why we organised a training school with PA Minister [Renato] Brunetta and the Director of the National School of Administration to explain to PA managers how to intervene and what funds to draw on.
Professor, the Agency’s first year was far from ordinary: beyond the escalation of cybercrimes such as ransomware, there has also been a campaign of Russian-backed cyberattacks against Italy, linked to the Ukraine crisis, since mid-January. Is the alert level still high?
It remains very high on both fronts, the war in Eastern Europe and the escalation of cybercrimes, which includes the recent incident at the Internal Revenue Service. We cannot afford a moment’s pause.
Are we talking about lone wolves, or is there a more sophisticated direction?
As far as the structuring of the gangs is concerned, it is the Postal Police that deals with it. For our part, we recently suffered a DDoS attack by Russian hackers. It lasted sixteen hours: they did not manage to take our systems offline for even a second. It was a coordinated, structured attack, which we did not underestimate.
Among insiders, that attack has already become famous. Once it was over, the Russian hackers asked in a note to increase your salaries. Do tell the truth: are you on the same side?
Someone had the same suspicion (he laughs). But I can swear we weren’t in agreement.
