Lazio Region, ransomware and Italian technology policy

by admin

The ransomware that has blocked the IT systems of the Lazio Region is nothing new for either the public or the private sector; with a certain frequency, in fact, the media report on this or that organization hit by attacks of various kinds.

At the same time, this story is proof of the distance between the statements of principle, the “memoranda of understanding” and the “working groups” on information security (the results of which are not publicized) and actual reality.

Central and local public administrations have always been exposed to attacks of various types, such as defacement, unauthorized access, theft and loss of data, and virus infections, but also to service outages and the dissemination of citizens’ personal data caused by the errors and carelessness of those who administer them.

When an incident occurs, the approach to crisis management is always the same: focus on the proximate cause and avoid dealing with the less immediate, but more relevant, ones.

So, “It’s the fault of the hackers” and not of the infrastructure’s design choices. Or “the system crashed”, as if a machine had a life of its own. Or again, “we are the victim of a very sophisticated attack” and not of neglect in the management of the systems. After all, in the face of criminals with extraordinary abilities, how can we defend ourselves?

Isn’t it strange that the attitude of the “victims” and that of the media is based on considerations of this type, the result of the desire – not too unconscious – to inflate the opponent’s abilities in order to reinforce the perception that the event was inevitable and, therefore, that there are no institutional or individual responsibilities?

Speaking of responsibility, and to get to the point, we can no longer allow ourselves to ignore huge issues such as the quality of the software that runs the platforms and equipment used by the public administration, the outsourcing (cloudsourcing) of services to citizens and, in summary, the control that the digital public administration has over the tools it uses.

At the dawn of digitization, between the late 1980s and early 1990s, the major issues of security, software control and access to information were already known and theorized. We had already arrived at the crossroads and, like Robert Johnson, we made the deal with the devil: he to play the blues, we to create a digital colossus with feet of clay, made even more fragile by the logic of an industrial sector that favors planned obsolescence and “release early, release often” without too much attention to the rest. One cannot generalize, but it is a fact that too many large international companies in the IT sector, which should give guarantees of reliability, have proved not to be up to their promises.

The situation appears hopeless, yet there is a solution at hand, and it is called reuse of software for the Public Administration. For some time now, the Digital Administration Code has provided that administrations should mainly use open source software, and AgID plays an essential role in this process.

Setting aside radical views that demonize other ways of managing intellectual property in software, making room for the free circulation of software is a way to increase its quality and security.

The point, to be clear, is not to oust the private sector from its interaction with the State, but to ensure that in this relationship the needs of the State receive more attention than the (albeit legitimate) private interests aimed at profit.

What does all this have to do with the ransomware that hit the Lazio Region? In the very short term, practically nothing; in the medium to long term, a great deal.

The public digital ecosystem has become so complex that it is difficult to think of continuing to manage it with approaches based on today’s industrial models, both in terms of products and of their use.

We can no longer delegate to Big Tech the decision about when to release updates or fix vulnerabilities, just as we can no longer hope that some bug hunter decides to make a zero-day public instead of selling it on the black market. Recovering digital sovereignty also depends on choices of this type.

What is needed is the political will to give a vigorous push in this direction, also involving universities in an effort that is certainly titanic but fundamental for the country. Involving universities in the development and improvement of software for the Public Administration would allow an almost constant verification of its security. Having people who, upon entering the world of work, already have knowledge of and expertise in the platforms used by large and small offices makes it easier to manage those platforms securely. Knowing how the programs are made allows the private sector to compete on quality and efficiency rather than on discounts and payment terms.

It is easy to criticize such a proposal claiming that it is not feasible, that universities are unable to take up the challenge (and why?) or that it is a radical utopia with no concrete value. Much more difficult is to roll up your sleeves and try to make it a reality.
