The blacklist is out. As anticipated by Decode39, the months-old Italian National Cybersecurity Agency has taken steps to root out potentially unsafe Russian software from the Public Administration’s devices.
- NCA Director Roberto Baldoni signed a directive ordering the PA to diversify its IT cybersecurity and exclude Russia-related products and services.
- The document’s order is already in force and will impact over 2,700 PA nodes.
It’s not just Kaspersky Lab. Italy’s PA widely employed cybersecurity software from the famous Russian company, and the NCA had already signalled its intention to exclude it from the country’s public servers. Two other Russian companies made the list:
- Group-IB, whose CEO Ilya Sachkov was arrested in September by the Russian authorities on charges of high treason;
- Positive Technologies, whose clients include UniCredit, Lukoil, Kaspersky Lab itself and even the French NCA equivalent.
It’s about national security. The directive states that in choosing to do away with Russian software, the government had considered “the extraordinary necessity and urgency of ensuring the strengthening of security, national defence, electronic communication networks and raw material supplies.”
- Companies that sell cybersecurity products and services linked to the Russian Federation won’t be able to provide services and updates to their products, the directive adds.
Which software? PA bodies and companies that wish to mirror them should eradicate these Russian cyber products:
- endpoint security (that’s device-securing software, including antivirus, anti-malware, endpoint detection and response applications), provided by Kaspersky Lab and Group-IB.
- web application firewalls provided by Positive Technologies.
Obtaining the prohibited software through indirect channels or resale, under framework agreements or contracts, either on-premise or remotely, won’t cut it either.
“We must free ourselves from dependence on Russian technology,” said Franco Gabrielli, the government’s undersecretary who oversees security and cybersecurity, a few weeks after the outbreak of the Russian war in Ukraine (read his interview with Decode39).
- The National Cybersecurity Strategy 2022-2026 is expected to be published in May.
- It will consist of 85 bullet points with instructions on how to secure companies and the public administration from attacks and cyber intrusions, which have soared since the war in Ukraine.
Not just ones and zeroes. Cybersecurity is also “a social investment, an investment in the country’s productivity and prosperity, [and in] democratic independence,” said Director Baldoni recently. He emphasised the importance of achieving digital sovereignty “at least” at the European level.