Cyber Security in the PA: risks, planned interventions, solutions
June 6 , 2022
Cyber security concerns everyone and involves both private entities and public bodies. Within the public administration the issue has become urgent: in recent years the vulnerability of the PA's IT systems, which collect and store sensitive data, has caused considerable damage.
The digital evolution of the bodies that guarantee the essential functions of the state, whether economic, social or civil, must rest on a fundamental prerequisite: secure computer networks within the PA.
With regard to cyber security, the situation of the Italian PAs is anything but positive: among the G7 countries, Italy ranks last in the ratio of cyber security spending to Gross Domestic Product. Over the last few years the threat to cyber security in the public administration has grown substantially. One example is the cyber-attack launched in the summer of 2021 against the Lazio Region, whose data centre and IT systems, including the health portal and the vaccine-booking platform, were taken down by ransomware.
The question of cyber security in the PA had already emerged strongly in 2019 with the "Exodus case". Exodus was spyware hidden inside ordinary apps downloadable from the Google Play Store and used by the Italian Police and Prosecutors for lawful interception in organized-crime and terrorism investigations. Because the software did not restrict its activity to the devices of the intended targets, it ended up illegally monitoring the data of hundreds of users unrelated to any criminal proceedings.
Following this episode, the founder of BooleBox, Valerio Pastore, also spoke out; in an interview with the CorCom newspaper at the time, he pointed out that IT security in the PA (and not only there) must be proactive, and how fundamental it is to stimulate greater awareness among web users. In the case of "Exodus", in his view, the problem was caused not only by the lack of control over the app used, but above all by the failure to put in place preventive systems that allow data to be encrypted and protected.
In 2021 the IT security market in Italy reached a value of 1.55 billion euros and is still growing; unfortunately, digitization processes have so far not been accompanied by adequate training, especially in data security within the public administration.
Cyber risk management: how to manage the risk of hacking in the PA
The management of cyber security in the public administration must cover the confidentiality, integrity and availability of the information stored and, to do so, must take into account the constant threat of malware attacks.
The risk of hacking is, in fact, constantly increasing, even in the public sector, where ransomware represents a huge danger. Ransomware is malicious software that gains a foothold on a system (typically through phishing, exposed remote-access services or unpatched vulnerabilities), spreads across the network and encrypts the files it reaches, rendering them unreadable until a ransom is paid; increasingly, the data is also copied out before it is encrypted, so that restoring from backup alone does not end the extortion. Because it strikes institutions responsible for public and governmental functions, including the collection and storage of classified data related to defence and national security, the danger of hacker attacks on the PA is even more serious.
This is also the case for supranational bodies such as the EU, where preventing and mitigating threats to public security has become a primary objective, as the management of more and more activities depends on digital technologies. In terms of cyber security awareness the European Union has made great strides, has developed a real strategy aimed at autonomy and is adopting various measures to address this challenge. Among these is the strengthening of ENISA, the EU agency for cyber security, which is tasked with supporting the Member States and the Union institutions.
What do the AgID guidelines on IT security provide?
Coming back to Italy, in order to stimulate and support the adoption of cyber security procedures in the public administration, the AgID (Agency for Digital Italy) has issued specific guidelines on the formation, management and storage of IT documents, which came into force this year. These directives apply to all public bodies, as well as to private organizations that are obliged to keep electronic records whose originals must be archived in accordance with fiscal and civil obligations.
The AgID directives therefore concern all public administrations in our country and have replaced the Prime Minister’s Decree of 3 December 2012 relating to the technical rules for IT protocols and the conservation system. They have also substituted the Technical Rules regarding the formation, transmission, copying, duplication, reproduction and time validation of the IT documents included in the Prime Ministerial Decree of 13 November 2014.
What, then, do the AgID guidelines require? PAs must identify and appoint a conservation manager, who prepares and keeps up to date the Conservation Manual. The manual must describe in detail the operating model, the infrastructure, the security measures adopted and the parties involved. Another area of intervention is the drafting and updating of the Document Management Manual for the IT document management system, which also sets out how the IT protocol (the electronic register of incoming and outgoing documents), document flows and archives are to be administered.
The Three-Year ICT Plan for Information Security
The current situation regarding ICT security measures for public administrations is set out in the Three-Year Plan for Information Technology in the Public Administration 2020-2022, which contains directives to promote the digital transformation of the country and IT security guidelines for the PA.
The Plan aims to foster ethical, sustainable and inclusive development through digitization and innovation, which must have data security as a fundamental prerequisite in order to earn trust in the services provided and in institutional platforms.
The minimum ICT security measures for institutions and public administrations are thus referenced in the three-year ICT plan and are designed to establish a consistent baseline level of security across all digital portals for accessing public services.
Cyber security in public administration – what the PNRR (National Recovery and Resilience Plan) provides
With the PNRR (National Recovery and Resilience Plan), Italy has allocated substantial resources to the reform and modernization of the Public Administration. More than 40 billion euros of funding will be used to promote the country's infrastructure and digital innovation, of which 620 million euros are specifically earmarked for the cyber security of PAs: an opportunity for the development and digital transformation of public and local entities that need resources and personnel to strengthen IT security and cope with the increasingly numerous and sophisticated attacks of cybercrime.
Boolebox and IT security tools in the PA
To prevent threats and protect their systems, public administrations must be able to rely on a reliable, versatile and innovative supplier. This is the case for BooleBox, which uses military-grade encryption to share and store sensitive information and confidential documents, in compliance with the GDPR, guaranteeing the highest standards of security and privacy.
Encryption with keys known only to the users is the tool through which BooleBox protects data from internal theft and external attacks: whoever operates the storage, whether an insider or an intruder, holds only ciphertext. A practitioner should note that this protects data at rest and in transit, not a device that has already been compromised, and that losing the key means losing the data. The product is available in an on-premises version, in cloud mode or in hybrid form.
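The following Go program is an added illustration of the model just described (client-held keys, server holds only ciphertext); it is not BooleBox's code and does not reflect how BooleBox is implemented. The file is encrypted on the user's side with AES-256-GCM under a key derived from a passphrase via PBKDF2-HMAC-SHA256 (implemented inline so only the standard library is needed); the function names, the blob layout (salt || nonce || ciphertext+tag), the iteration count and the sample record are all hypothetical choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

const (
	saltLen   = 16
	nonceLen  = 12
	keyLen    = 32      // AES-256
	pbkdfIter = 100_000 // hypothetical work factor; tune per deployment
)

// pbkdf2SHA256 is a minimal PBKDF2-HMAC-SHA256 (RFC 8018) so that the
// example depends on nothing outside the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, size int) []byte {
	var out []byte
	for block := uint32(1); len(out) < size; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset() // back to the keyed state
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:size]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientSeal runs on the user's device. The passphrase never leaves it; what
// is handed to the server is salt || nonce || AES-256-GCM ciphertext+tag.
// The salt is bound as associated data so the header cannot be swapped.
func ClientSeal(passphrase, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(pbkdf2SHA256(passphrase, salt, pbkdfIter, keyLen))
	if err != nil {
		return nil, err
	}
	blob := append(append([]byte{}, salt...), nonce...)
	return aead.Seal(blob, nonce, plaintext, salt), nil
}

// ClientOpen reverses ClientSeal. A wrong passphrase or any modification of
// the stored blob is rejected by the GCM tag instead of yielding garbage.
func ClientOpen(passphrase, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(pbkdf2SHA256(passphrase, salt, pbkdfIter, keyLen))
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("decryption failed: wrong passphrase or tampered data")
	}
	return pt, nil
}

func main() {
	// Constructed sample: a record a PA user wants kept on a shared server.
	passphrase := []byte("correct horse battery staple")
	record := []byte("Protocol 2022/0417 - constructed sample record")
	blob, err := ClientSeal(passphrase, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("server stores %d opaque bytes and no key\n", len(blob))
	if _, err := ClientOpen([]byte("operator-guess"), blob); err != nil {
		fmt.Println("operator without the passphrase:", err)
	}
	pt, err := ClientOpen(passphrase, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("user recovers: %q\n", pt)
}
```

The point a reviewer would check is in ClientOpen: the tag verification means an administrator or attacker who edits the stored blob, or guesses the wrong passphrase, gets an error rather than corrupted plaintext. In a real deployment the per-file key would normally be wrapped by a user master key rather than re-derived from the passphrase for every file, and the derivation cost would be set by measuring the target devices.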
BooleBox offers, for example, Secure File Manager, a web app for secure file sharing that gives access to a protected environment in which folders and files can be uploaded, shared, modified and organized. Secure E-Mail, on the other hand, gives users the certainty of exchanging protected e-mail messages within the Boole Suite, complete with encrypted attachments thanks to advanced protection features. With Secure Password you have a virtual safe in which to store not only access passwords but also any other type of sensitive information tied to important documents, such as credit cards or insurance policies. Lastly, Secure Transfer lets you transfer encrypted files of any size quickly and securely, keeping an audit trail of every operation performed on the files transferred.
Boolebox ensures the encryption of sensitive data also thanks to File Encryptor for Windows (to protect files in network and computer folders), File Encryptor for OneDrive and SharePoint, File Encryptor for Google Drive and File Encryptor for Dropbox; the protection of emails and attachments, on the other hand, is possible with E-Mail Encryptor for Gmail and with E-Mail Encryptor for Outlook.
To find out more about all the data protection tools and increase IT security in public administration, contact BooleBox and we will provide you with all the relevant information.