I'll explain all the defects of the Cybersecurity dl. Rapetto's hearing

Here is the text of the parliamentary hearing held on 1 July by the general of the Guardia di Finanza (r), Umberto Rapetto, on the Cybersecurity dl

It is not easy to condense in 7 minutes the contribution of those who started dealing with computer crime in 1987 and cyberdefense in 1995. The only desperate attempt is to read a text after having timed its duration.

The standard, perhaps due to reduced knowledge of the scenario, was drafted without taking into account the real objective to be pursued. The creation of a burosaurus is destined to produce conflicts between the already existing joints that it does not necessarily manage to harmonize, it triggers administrative dynamics, generates a dangerous sense of false security.

This approach to the cybernetic emergency conflicts with common sense and forgets the foreign experiences where governments have preferred a cyber-czar or a small handful of true connoisseurs of the subject to quickly make decisions and move the pieces already operational to face digital attacks, manage the counter-offensive, restore the current situation and – in periods of apparent calm – coordinate all initiatives to raise the level of preparation and reactive capacity of those who manage critical infrastructures and public and private organizations that provide essential services.

The provision of a general manager and his deputy doubles the chances of satisfying the promoters of the candidates. Their choice on the one hand excludes that role being played by a brilliant and competent young man who perhaps has a rank or a non-top position (you are told by those who as lieutenant colonel have captured the hackers who entered the Pentagon and NASA systems) and privileges high dignitaries of a generation far from these issues, on the other hand it opens up to anyone coming from outside the Public Administration.

If it is true that 95% of computer systems are not secure, as Minister Colao says, it is right to keep out of this game those who in the PA or the Prime Minister's office for years have had and continue to have responsibilities in the cyber area, because they probably do not have the necessary technical and organizational skills or have not been able to do their job.

But don't you want me to believe that you are convinced that the situation is better in industry, banks or businesses?

Think of the humiliations suffered by Leonardo, ENEL, INPS, Vodafone and TIM, Ho.mobile, Unicredit, SAIPEM, CINECA, SNAI, Geox, Luxottica, Campari, ANIA, the University of Tor Vergata, the San Raffaele Hospital and the other thousand realities which – in certain contexts – should be deprived of the word.

Summit aside, difficult situations must be resolved with streamlined structures, quick to intervene, surgical in acting. We need close-knit teams, of a few people with extraordinary professional skills and able to play without protagonism. The hypothesized structure envisages the involvement of too many subjects whose inclusion must only be executive.

The “Core for cyber security”, for example, evokes leather heads and SWATs ready to swoop into the field, to duel against the enemy on duty, to solve the problem. Instead it translates into a conclave of ministerial representatives that meets periodically, with the slowness of the convocations and the uncertainty of the respective agendas. Its members respect the rules of good institutional coexistence but trample on those of the need to counter moments of extreme drama with speed and effective proactive ability.

The "contingent of experts", in which 50 luminaries are expected to be employed part-time, proves the understandable desire not to upset anyone and at the same time is a clumsy attempt to dilute possible responsibilities in the event of an accident.

The "National Evaluation and Certification Center", which is absorbed by the Agency, is a reality that – launched in 2019, Di Maio Minister – still has to become fully operational, testifying that obsolescence does not seem to be scary, forgetting that two years are a geological era.

The Computer Security Incident Response Team (CSIRT), established in 2018 and revisited the following year, survives not to harm anyone but is weakened …

Some mutilation also affects the Agency for Digital Italy and, last but not least, the migration of the valuable resources hitherto in charge of the DIS is expected.

The fog that clouds the panorama is evident, and it favors the launch of other clumsy initiatives that foresee, however, the recruitment of 300 super-specialists to whom to entrust our destiny. If it is difficult to understand how to proceed with their selection (and there are not so many "warriors" really up to it), it is curious who should provide them. The same as Colao's 95%?

Imagining that no one will have questions to ask me, the questions for once I ask them.

Has anyone ever met a hacker, given that it is not only the quisque de populo but the government that envisions this? Do you know the level of real reliability of the cyber pirates, or are you convinced you can organize battalions of virtual askari for an impromptu war performance?

Do you really believe that a Rocambole of the bit is willing to play as a team? How much time do you imagine can pass before any such thug begins to get bored at seeing himself turned into a pen-pusher? And who should embody the iron sergeant who keeps so many prima donnas at bay?

Above all, for what reason is there no trace of a training course (which should and could have started thirty years ago) or of a school that sensitizes public and private management, creates client capacity (instead of leaving a free hand to suppliers), and educates anyone who is part of the system so as to avoid those trivial recklessnesses at the origin of too many disasters?

Why don't we proceed to rationalize existing resources, forcing them to function and transforming harmful superimpositions into useful complementarities?

Why don't we account for the time lost in gossip and conferences, and sum up the "not done so far", from the Monti decree of 2013 to today?

Why are you thinking of allocating 429 million euros if you do not even imagine where and how they will be spent and today instead you should know it to the penny?

For what damned reason do you not copy the US model without being afraid of recognizing its limitations and defects?

Why don't you try to calculate the time needed for a decision that should be instantaneous thanks to a direct link between the leader and his cyber-centurion, when instead an exhausting and interminable sequence of steps is foreseen in which everyone struggles to take on the responsibilities that fall to them?

If someone, in his vocational flattery, tells you that the provision is perfect, be sure that he aspires only to a placement in the saddle or in the belly of the nascent creature.

This is a machine translation from Italian language of a post published on Start Magazine at the URL https://www.startmag.it/innovazione/dl-cybersicurezza-rapetto/ on Thu, 01 Jul 2021 09:08:12 +0000.