Cybersecurity is law, strict on cybercrimes


By John

More IT security to defend against cyber attacks and heavier sanctions for online crimes, especially scams: these are the cornerstones of the cybersecurity bill given final approval in the Senate. The text – wanted by the government, modified in the Chamber and effectively locked down in Palazzo Madama – received only 80 votes in favour, those from the centre-right. The opposition abstained almost en masse (57 between Pd, M5s, Italia viva and Action), highlighting the lack of funds, while 3 Avs senators voted against. The provision has 24 articles and also introduces the obligation for public administrations to report cyber attacks to the Cybersecurity Agency within 24 hours and to appoint a security contact. Iv’s proposal to establish an Agency against disinformation did not pass (for the Renzian Ivan Scalfarotto, “the cyber phenomenon and disinformation are two sides of the same coin”). However, an agenda was accepted (signed by Scalfarotto) which commits the government to specifying that central public administrations, in terms of cybersecurity, involve the person responsible for the digital transition and the data protection officer.

On the initiative of Fratelli d’Italia, the bill introduces the crime of online fraud, with aggravating circumstances for those who commit crimes using sites and platforms, and the mandatory confiscation of IT tools, from which money can be drawn to compensate the victims. But Ilaria Cucchi of Avs says the increase in administrative and criminal sanctions is not enough and complains that “they often arrive too late when the damage has already been done”. The Undersecretary of State Alfredo Mantovano, who has responsibility for the security of the Republic, was satisfied. In a note he appreciates the contribution made by the opposition with the amendments and underlines: “From today the entire national security system, and in particular the cyber system which has become the main front for attacks by hostile state entities, is finally equipped with more adequate operational tools to reject them”. The composition of the Interministerial Committee for Security also changes: it will include the Minister of Agriculture, that of Infrastructure and that of the University. The rules on former directors, deputies and department heads of Dis, Aisi and Aise, the main intelligence bodies in Italy, are more stringent: unless authorized by the Presidency of the Council, in the three years following the end of the assignment they will not be able to work for foreign or Italian private entities in the defense, national security, energy, transport and communications sectors.

For the rest, the opposition denounces in chorus that there are “zero investments” for new products. For Walter Verini of the Democratic Party, faced with “new burdens for central administrations, Regions, metropolitan cities, Provinces and Municipalities, public transport companies, there will not be the resources necessary to face the new tasks”. Harsher is Roberto Scarpinato of the M5s, convinced that the law is “an empty box” and that “this way of legislating is a method for political salesmen”. The Dem Anna Rossomando focuses on inspections: “An inspection power is provided for a body that depends directly on the Ministry of Justice, which will be able to exercise a very delicate power, entering directly into the secrecy of ongoing investigations”.

The main measures

More tools for public administrations to prevent and combat cyber attacks and limit the damage as much as possible, new measures on the competences of the National Cybersecurity Agency, but also changes to the criminal code and the criminal procedure code to make the fight more stringent against crimes committed online. The Senate has definitively approved the bill on Cybersecurity. The text is divided into 24 articles. These are some of the new measures introduced:
AMENDMENTS TO THE PENAL CODE AND CRIMINAL PROCEDURE. Increases in sentences for crimes such as unauthorized access to a computer system (if committed by a public official, imprisonment ranges from two to ten years); damaging information, data and computer programs (imprisonment from two to six years and, if aggravated, from three to eight years). A new provision is added to the penal code (article 629) with the discipline regarding extortion carried out through the “consummation of computer crimes”. Anyone who “forces someone to do or omit something, obtaining for himself or others an unfair profit to the detriment of others, is punished with imprisonment from six to twelve years and with a fine of between 5,000 and 10,000 euros. The penalty is imprisonment from eight to twenty-two years and a fine from 6,000 to 18,000 euros, if any of the circumstances indicated in the third paragraph of article 628 occur, as well as in the event that the act is committed against a person incompetent for age or infirmity”.
THE COMPOSITION OF THE CISR IS EXPANDING. The committee will include the Minister of Business and Made in Italy, the Minister of the Environment and Energy Security, the Minister of Agriculture, Food Sovereignty and Forestry, the Minister of Infrastructure and Transport and the Minister of University and Research. The CISR is currently chaired by the President of the Council of Ministers and composed of the Delegated Authority, where established, the Minister of Foreign Affairs, the Minister of the Interior, the Minister of Defence, the Minister of Justice, the Minister of Economy and Finance, the Minister of Economic Development and the Minister of Ecological Transition.
The committee has consultancy, proposal and deliberation functions on the general directions and objectives of the information policy for security.
SQUEEZE ON ACCESS TO DATABASES. To “ensure adequate protection and protection from the risks of abusive access to data contained in public administration information systems, access to public databases by technical staff and data processors” takes place “after using specific computer authentication based on the combined use of at least two different authentication technologies, one of which must be based on the processing of biometric characteristics”. Technical workers should be identified as “technical operators with the functions of system, network or data archive administrators”. Access to public databases is permitted “only in cases linked to non-deferrable interventions relating to malfunctions, failures, hardware and software installations, updating and reconfiguration of the systems, which may determine the need for IT access to the IT systems even in the absence of two different authentication technologies or in the absence of biometric authentication for operations that involve the physical presence of the employee carrying out the intervention near the processing system”.
Those who “have held the position of general director and deputy general director of the Dis and of director and deputy director of Aise or Aisi, or have held first level managerial positions in charge of organizational structures of general managerial level cannot, unless authorized by the President of the Council of Ministers or by the Delegated Authority where established, in the three years following the termination of the office carry out work, professional or consultancy activities, or hold positions with foreign, public or private entities”.
ACN AND DATA COLLECTION ON CYBER ATTACKS. The National Cybersecurity Agency (Acn) will provide for the “collection, processing and classification of data relating to incident notifications received from subjects who are required to do so” by law. An account of the data is given in the report on the activity carried out by the Agency in the previous year “as official reference data of the cyber attacks carried out on subjects operating in the sectors relevant to national interests in the field of cybersecurity”.
It is established for the public administrations “indicated in article 1, paragraph 1, where it is not already present, the structure responsible for cybersecurity activities”.
CRYPTOGRAPHY. Article 10 of the bill establishes the promotion of the use of cryptography as a cyber defense tool and establishes the National Cryptography Center at the National Cybersecurity Agency.
The bill extends the rules of wiretapping provided for organized crime events to computer crimes, under the coordination of the national Anti-Mafia and Anti-terrorism prosecutor. Article 21 of the text modifies the procedure for applying the special protection measures for witnesses of justice and for the other protected persons, providing that the Central Commission must ask the opinion of the national Anti-Mafia and Anti-terrorism prosecutor on the proposal for admission to the special measures. The relationship between the National Cybersecurity Agency, the National Anti-Mafia and Anti-Terrorism Prosecutor, the Judicial Police and the Public Prosecutor is therefore regulated.