The national cybersecurity strategy: protection, resilience and digital autonomy for Italy

On May 18, the National Cybersecurity Strategy (2022-2026) was approved by the ACN (National Cybersecurity Agency) during a meeting of the Interministerial Cybersecurity Committee chaired by Prime Minister Mario Draghi. This decision was taken at a time of emergency for the cyber attacks that have hit Italy, also due to the Russian-Ukrainian conflict. The approval of the strategy was accompanied by the approval of the scheme of the latest DPCM, which defines the criteria for the accreditation of the testing laboratories of the National Evaluation and Certification Center (CVCN), responsible for cyber security. The new National Cybersecurity Strategy is based on the analysis of the current context, in which the majority of human activities depend on interconnected and digital services. Technological evolution has made the migration to digital more convenient, but at the same time has increased the complexity and interdependence of systems, requiring greater security and resilience to ensure community protection, economic development and state defense. The strategy focuses on 4 main aspects:

1. Cybersecurity is a state duty and must be an integral part of the country's digitization process, aiming at national strategic autonomy in the sector.
2. Cybersecurity must not be considered as a cost, but as an investment that favors the development of the national economy and industry, increasing its competitiveness.
3. The security of infrastructures, systems and information must be accompanied by cultural progress that is widespread at all levels of society, promoting a "security-oriented" approach.
4. The strategy addresses three macro-categories of systemic risks: cyber attacks, interference in the supply chain of ICT technologies and the spread of fake news and disinformation.

The strategy aims to address the following challenges:

1. Ensure a resilient digital transition for the Public Administration and the country's productive fabric.
2. Achieve strategic autonomy in the digital sector at national and European level.
3. Anticipate the evolution of cyber threats and adopt active defense tactics to increase the costs of offensive activities.
4. Manage cyber crises through an efficient and graduated crisis management mechanism.
5. Tackling online disinformation in the broader context of the hybrid threat.

To implement the strategy, programs of investments and financial leverage are foreseen, including national funds, specific funding managed by the ACN and resources from the National Recovery and Resilience Plan. The main objectives concern the protection of national strategic assets, the response to cyber threats and incidents, the development of digital technologies, research and industrial competitiveness.

The strategy also includes the strengthening of the National Assessment and Certification Center (CVCN), the integration with accredited testing laboratories and the definition of a coherent legal framework on cybersecurity. Actions are identified for the management of cyber crises, the fight against cyber crime and the strengthening of cyber deterrence capabilities.

Training, promotion of cyber security culture and cooperation are considered essential enablers for the implementation of the strategy. Furthermore, the public-private partnership (PPP) is a cross-cutting element that actively involves the public, private, academic, research and media sectors to strengthen the cyber resilience of the country and society as a whole.

However, the main challenge will be to implement all the objectives set, as history has shown that cyber attacks can become more and more devastating. It is necessary to actively involve the relevant actors and define strategic objectives, roadmaps and indicators to measure the evolution of the implementation of the strategy.