
Cyber threats on the rise in 2022: what to expect in 2023

From regulatory strengthening to certifications, here are the challenges and preventive measures to protect public bodies, businesses and citizens from growing cyber attacks


During 2022, public and private bodies, businesses and individual citizens have faced increasingly complex cyber threats. In order to counter these cyber threats to the country's system, measures have been taken to strengthen the regulatory framework both at national and European level. But what can be expected for 2023 in terms of cyber security?

The year will open with the launch of the first Accredited Test Laboratories (LAP), which will support the assessments and certifications of the National Assessment and Certification Center (CVCN). The passage through the CVCN will become mandatory for the purchases of ICT networks, systems and services by 5G operators, the cloud and all operators belonging to the National Cyber Security Perimeter (PSNC) for services within the perimeter itself. The companies are awaiting the publication of the evaluation and certification schemes that will be selected by the Agency for Digital Italy (AGID), pending the adoption of the European certification schemes launched by the Cyber Security Act and still in the processing stage.

Europe has already proposed a general certification scheme based on the Common Criteria, one scheme for 5G and one for the cloud. However, the expected adoption date has not yet been announced. According to ENISA's tenth threat report, published last October, cyber-attacks have been steadily increasing since 2022. Ransomware ranks first among the threats that have hit public and private entities, businesses and citizens over the year, followed by malware, social engineering techniques (in particular phishing) and data breaches. DDoS attacks are also widespread, with one large attack reaching peak traffic of 853.7 Gbps and 659.6 Mpps in 14 hours.

The ENISA report highlights that almost 50% of threats are concentrated on public administrations, governments, digital service providers and citizens in general. The other 50% is aimed at the various sectors of the economy in a generalized way. Throughout 2022, efforts have been made to strengthen the regulatory framework at both national and European levels. Among the most significant initiatives, there is the adoption of the National Cybersecurity Strategy 2022-2026 and the operation of the CVCN. These interventions aim to respond to the increase in cyber threats, with particular attention to the healthcare sector.

During the year, the healthcare sector was subject to various attacks, such as the hacking of the ASL Napoli 3 Sud by the Sabbath group and the dissemination of sensitive data of the ULSS 6 Euganea di Padova by the Lockbit 2.0 group. Even the Fatebenefratelli Sacco in Milan was hit by a ransomware attack conducted by the Vice Society group. The energy sector has also been affected by cyber attacks involving leading companies in the energy services sector, such as GSE and ENI.

Public entities were also the target of cyber attacks during 2022. For example, ENIT was the subject of an attack by the Lockbit 2.0 group which interrupted the functioning of the servers and disseminated the data collected. The Ferrovie dello Stato network, Poste Italiane and the websites of various ministries, including those of the Ecological Transition, Defense and the Senate, have been hit by various hacker campaigns. In order to address these threats, the National Cybersecurity Strategy 2022-2026 was adopted and the National Cyber Security Perimeter was established with a regulation defining the procedures and requirements for the validation of Accredited Test Laboratories (LAP) to support the CVCN.

Measures have also been taken to ensure the security of digital infrastructures and cloud services. A classification model for public administration data and services has been introduced, together with requirements for digital infrastructures and cloud services dealing with strategic, critical and ordinary data and services. The obligation has been established for the administrations to complete the data and service classification process through the digital PA platform. Furthermore, the Aiuti bis Decree was adopted, which introduced provisions on cyber intelligence to protect the IT systems of public administrations from potential risks associated with the Russian-Ukrainian crisis.

At European level, the new legislation relating to network and information security (NIS 2) was approved, which establishes cyber risk management measures and communication obligations in all critical sectors. The Cyber Resilience Act was also introduced, which would impose mandatory cybersecurity requirements on all digital products in the European Union. In addition, the provisional agreement on the Digital Operational Resilience Act (DORA) was approved, which aims to ensure operational resilience in the European financial sector.

In summary, 2023 is expected to bring the launch of the first Accredited Test Laboratories (LAP) and further developments in the certification and assessment of IT security at national and European level, as well as an increased focus on the protection of the health, energy and public services sectors. Measures and regulations have been introduced to address cyber threats, ensure the security of digital infrastructures and promote the resilience of national and European IT systems.


05/04/2023 22:00

Editorial AI
