On Wednesday, Italy’s intelligence community presented its 2026 Annual Report, highlighting the need to change how security threats are addressed. The shift is driven by the increasingly central role of technology, which now underpins multiple dimensions of national security. The key priorities emerging from the report are identifying and preventing threats.
Decode39 discussed these developments with Stefano Mele, lawyer and partner at Gianni & Origoni, where he leads the Cybersecurity & Space Economy Law department and co-heads the Data Privacy department.
Q: The report suggests changing the approach. Technology is innovation, but also a driver transforming our world. What does this mean for intelligence?
A: The report starts with a clear premise: the technological revolution is simultaneously transforming the social, economic, political, and military dimensions of contemporary societies, and doing so at a pace that often renders traditional analytical tools inadequate for understanding reality.
- In this context, the role of intelligence is also evolving. It is no longer just about gathering information on events that have already occurred or on immediately visible threats. The objective is increasingly to understand the trajectories of technological transformation and anticipate their effects, since many emerging threats originate precisely from the strategic use of new technologies.
- This requires strengthening forward-looking analytical capabilities. Intelligence services are called upon not only to understand what is happening, but also to assess who might exploit specific technologies, for what purposes, and with what geopolitical, economic, or social consequences. In other words, national security today increasingly depends on the ability to anticipate technological change and the new power balances it generates.
Q: The report also introduces the concept of “cyber-physical systems.” What does that refer to?
A: It describes a concrete transformation in how modern infrastructure operates. Increasingly, digital systems and physical systems are integrated into a single operational ecosystem.
- This is evident across energy networks, transportation systems, industrial processes, healthcare, and telecommunications infrastructure. In these contexts, software, sensors, digital networks, and physical machines operate together to ensure the functioning of essential services.
- The consequence is that a cyberattack is no longer confined to the digital domain. It can produce real-world effects, disrupt services, halt industrial processes, or compromise strategic infrastructure.
- For this reason, the report emphasises that the resilience of cyber-physical ecosystems depends on both the security of their digital components and the quality of their integration with the physical domain. This makes cybersecurity an increasingly central component of overall national security.
Q: What are currently the most significant cyber threats, and who is behind them?
A: According to the report, the most sophisticated cyber threats originate from highly specialised groups often linked to foreign government structures. These are the so-called Advanced Persistent Threats (APTs), which operate with advanced technical capabilities and long-term objectives, particularly in the field of technological and industrial espionage.
- Alongside these state-linked activities, there is a rapidly expanding, increasingly structured cybercriminal ecosystem. The report highlights, for example, the growth of identity and credential theft, with stolen data often resold on illegal marketplaces in the deep and dark web.
- Another major phenomenon is ransomware, where criminal groups encrypt victims’ data and demand payment to restore access. The report notes that this has become a highly profitable criminal market.
- Completing the picture are hacktivist groups and actors operating as proxies for foreign governments, often used to conduct disruptive actions or exert political pressure.
Q: Do we have the right defences in place?
A: The report shows that cyber defence relies on a combination of technological tools, intelligence capabilities, and international cooperation.
- One particularly important aspect concerns the attribution of cyberattacks. Identifying the perpetrator of a cyber operation with sufficient certainty is essential to counter hostile activities and develop coordinated international responses.
- In this regard, it is significant that the Italian intelligence community, together with major Western partners, participated in a joint report publicly attributing a cyber espionage campaign to the People’s Republic of China, conducted by the APT group known as “Salt Typhoon.”
- This demonstrates how cybersecurity today is not only a matter of national technical and defensive capabilities but also a field of strategic cooperation among allied countries.
Q: The report suggests there may be an “inadequate perception—especially within public administration—of the actual infrastructure perimeter that deserves protection.” Do you agree?
A: The report suggests that the range of infrastructures requiring protection is often perceived too narrowly. Today, there are no longer completely isolated systems; rather, there are interconnected digital ecosystems where the entry point for an attack may be a peripheral component.
- Hostile actors often attempt to access networks through devices used by personnel or through ICT services connected to public organisations. In some cases, the objective is to steal access credentials, which are then used for further operations or sold on the dark web.
Q: So where should attention be focused?
A: Not only on the most visible critical infrastructures, but on the entire digital ecosystem that supports them.
- In addition to traditionally strategic sectors, such as energy, telecommunications, and finance, the report highlights growing interest from hostile actors in the digital infrastructures of public administration and the healthcare sector.
- In an increasingly interconnected system, security does not depend solely on protecting central nodes but on the overall resilience of the digital infrastructure network on which the country’s functioning depends.



