Fraud committed with the credit card a customer provides for a payment, or identity theft using data stolen after registration on an e-commerce site, is increasingly frequent and erodes, day after day, customer trust and the reputation of a company that comes to be regarded as unsafe. In a period of rapid digital transformation like the one we are experiencing, a successful cyberattack on a restaurant, supermarket or retailer has cascading effects on the final consumer.

The risk grows exponentially when dealing with more complex organizations such as the public administration, with which one is often forced to interact remotely because the offices cannot be accessed in person. The European Union Agency for Cybersecurity (ENISA) reports that, between April 2020 and July 2021, the five sectors most affected according to the complaints received by the authority were led by public administration sites (198 incidents reported), followed by digital service providers (152 incidents), healthcare professionals (143 incidents) and financial/banking companies (97 incidents).

Vulnerable security systems are a gold mine for cybercrime perpetrators. In the UK alone, for example, reports of ransomware attacks have increased by more than 3,000%, from 171,000 in 2019/20 to 5.5 million in 2020/21 (source: ActionFraud).

The report of the Italian Postal Police on computer fraud, updated to 2022, records a 98% increase in arrests compared to 2020 and a 17% increase in the number of people reported, but with attacks numbering in the millions every day, there is no reason to rest assured.

Untargeted cyberattacks such as phishing and ransomware are driving the rampant growth of crime, while the opportunities open to cybercriminals grow every day. Not only the personal data of individual users are at risk, but also the complex systems of large companies, as the sensational news of famous brands that have recently had their security breached shows.

These premises show that no one is safe and that a series of common defense initiatives is needed, with a centralized authority that sets precise standards.

Initiatives in Italy

The establishment of the National Cybersecurity Agency (ACN) demonstrates the commitment to make up for the time Italy lost in the past, and helps to provide a clear legislative framework in the area of cyber security.

The current national legislative framework is being completed through the publication of the fourth accreditation decree for laboratories: structures based in Italy and equipped with instrumentation and test methodologies which, by guaranteeing the authority of their results, essentially ensure a so-called digital sovereignty for our country.

Standardized tools and procedures that respect the Time-To-Market are also a concrete step towards coordination with the discussions at the European tables on a “European Common Criteria” (CC) approach to cyber security certifications. But can these actions make us feel reassured?

“Only a standardized and recognized test methodology – declares Luca Piccinelli, Cybersecurity and Privacy Officer of Huawei Italy – will be able to allow, in the field of cyber security, safety and quality for companies and end users, as it was, for example, in the telecommunications sector, the international standardization of GSM, UMTS, LTE and 5G technologies which for over 20 years has allowed the development of cellular systems and the widespread use of smartphones by all users. Now the new step to take is to make communications and networks more secure. Standardization therefore remains central to this process, as a final guarantee for the industry and the consumer.”

Work tables in Europe

The standard Common Criteria approach is already consolidated at the European and global level, with different levels of certification responding to different degrees of complexity but consistent with the context in which the device is deployed. While respecting national sovereignty in the field of controls, in the European panorama and in a logic of competitiveness it would be desirable that tests on the same products do not have to be repeated, and that certificates issued in Italy are recognized in Europe and vice versa. If anything, it is legitimate to ask whether, in this way, the bar of the security level is lowered.

«For each context, a so-called ‘security target’ must be defined – continues Piccinelli – to which different security profiles correspond. The current discussion in Europe on the various work tables, also with the contribution of our partners and customers, is leading to the consolidation of the so-called European Common Criteria, which represent a test methodology recognized at European level. It will probably not be possible to complete the work in a short time, but we hope that, as soon as the activity is completed, the certification methodologies of the Italian National Certification and Evaluation Center (CVCN) at the National Cybersecurity Agency will be able to connect with the European scheme. For our part, we can say that Huawei is already investing through voluntary Common Criteria certifications at ACN, bringing some of the certifications, previously carried out in other laboratories at the European and global level, here to Italy.»

Simplify safely

In the context of a productive fabric such as the Italian one, based on SMEs and on the relationship of trust between them and millions of customers, the doubt arises that compliance with the European Common Criteria could weigh on an already complex regulatory framework, which for the small entrepreneur represents a further source of concern regarding possible delays to the Time-To-Market.

«In the various European countries, and specifically also in Italy – explains Luca Piccinelli in this regard – possible simplified Common Criteria approaches are under discussion at the working tables of cyber security stakeholders, both institutional and non-institutional. These are reduced procedures which would allow, especially for small companies, limited certification times and costs. This approach would benefit Time-To-Market, but would carry the risk of a localization of test methodology potentially conflicting with the standardization of procedures and the re-use of certifications across multiple European countries.»

It is in this context that Italy’s involvement in the Community’s working groups represents a decisive contribution in proposing a simplified but effective Common Criteria methodology, capable of responding simultaneously to the industrial requirements of speed and resilience. There is no shortage of solutions in this area, as Piccinelli himself suggests: «a preliminary analysis of the Common Criteria certificates already in the product portfolio of ICT companies could avoid unnecessary repetitions of tests and checks already carried out on the same and/or similar software versions, perhaps intervening “ad hoc” only on the differences. Finally, it could be useful in the future to compose a timely “White List” of CC and/or EU CC certified products and to structure timely checks only in the “live” network ecosystem of the project in which the product is inserted.»