What do the anti-American, allegedly-Chinese espionage actions have in common with the death in Germany of a woman who would not receive prompt treatment because a ransomware attack paralysed the German hospital where her ambulance was heading? The analysis of Andrea Monti, adjunct professor of law and order and public security law, University of Chieti-Pescara – published initially in Italian by Formiche.net
What do the anti-American espionage actions attributed to China (recently, a massive attack made public on 14 September) and the death in Germany of a woman who would not receive prompt treatment because a ransomware attack paralysed the German hospital where she was directed have in common?
The answer is in a three-letter word: “bug” (monster), the nickname that, since Thomas Edison’s time, has identified design and construction errors that escape the attention of technicians and surface months later, causing annoyances and, sometimes, very substantial damage.
According to US security entities, vulnerabilities in platforms produced by Citrix, Microsoft and Pulse Secure enabled the attackers to compromise the systems of federal agencies and private sector players. In the case of the German hospital, the attackers used a known vulnerability in Citrix equipment to inject ransomware into the healthcare facility’s network.
THE CHAIN OF RESPONSIBILITY IN CYBER ATTACKS
Facts like this, in reality, do not even make the news anymore. They have become ‘business as usual’, and it is precisely the frequency with which they happen that has generated the conviction that there are no real countermeasures and that, apart from “plugging” the computer holes with “patches” (the fixes that ICT multinationals make available from time to time), there is not much else to do. Ultimately, therefore, the consensus is that the responsibility for ransomware contagions, abusive access or theft of information lies with those who have poorly designed or mismanaged their IT infrastructure.
In some ways, and to some extent, this conclusion is correct but only solves half the problem. It is undoubtedly true that, in terms of causa proxima, the mismanagement of technological infrastructure is the Trojan horse that facilitates the attack. However, it is also true, maintaining the philosophical metaphor, that the use of poorly designed and implemented platforms and devices is the root cause in the sense that the presence of vulnerabilities is what makes it possible to launch an otherwise impossible attack.
It would therefore be natural to assume that those who produce such systems are bound to guarantee their security and are subject to sanctions when this obligation is not respected. This is not the case in the IT sector because historically, unlike in other industries, software manufacturers are mostly immune to such legal action, despite the number of zero-days (the vulnerabilities discovered by the expert and criminal communities) that are unknown even to those who build these platforms.
If we consider two more factors, the interconnection between public and private systems and the stratification, decade after decade, of increasingly vulnerable technologies over time, it is easy to see that we have built a computer Colossus of Rhodes.
SECURITY BY DESIGN AND NATIONAL SECURITY
The fact that even US security authorities recognise that US products are also the vehicle for hostile action should suggest something to the political approach to national security and technological public order. To worry (rightly so) about the consequences of using Huawei’s technology in Italy’s 5G infrastructure without simultaneously tackling the certified fact that the vulnerabilities of American technologies also allow attacks on Italy’s critical infrastructure means imitating the character in a 1980s advertisement for a well-known brand of taps. Desperately trying to plug water leaks, he ends up with water coming out of his ears, having plugged the last hole with his own body because no other means were available.
The choice made by the Italian Government with Law Decree 105/2019 to set up the National Evaluation and Certification Centre (Cvcn) went precisely in this direction but, even disregarding the fact that almost a year after the decree was issued the structure is not yet active, there are severe doubts about its actual effectiveness. Perhaps it is for these reasons that, aware of these intrinsic difficulties, the Conte-Huawei decree went in a different direction from that established by decree 105/19 and transferred to Telecom Italia (a private subject) the task of carrying out the controls that would have been due to the Cvcn.
Looking for vulnerabilities in the source code of firmware, operating systems and platforms; verifying that hardware components are what they claim to be instead of hiding non-public functionality; checking that no components are added during production to be used to the detriment of users: these tasks are too challenging even for the Titans. Therefore, it is unlikely that the Cvcn or Tim will succeed, regardless of the budget and staff that may be entrusted to them. Moreover, even if the resources existed, the Government would have to contend with the protection of (mainly) US intellectual and industrial property, under which the manufacturers will impose confidentiality commitments and hefty penalties for their violation. In conclusion, therefore, the use of technologies (regardless of geopolitical origin) for which there is no obligation of secure design and production implies that Italian critical infrastructure will continue to be vulnerable regardless of the presence of Chinese technology.
In strictly legal terms, some solutions already exist (e.g. the obligation imposed by EU Reg. 679/16 to guarantee the secure design of computer systems to protect personal data). Others could be quickly adopted (recognising that software is a product and not a “creative act”, thus allowing the application of obligations and responsibilities similar to those provided for, for example, in Directive 2006/42/EC, the so-called Machinery Directive, transposed in Italy with Legislative Decree 17/2010). Moreover, taking up an approach used by the US in the 1960s with the release into the public domain of TCP/IP (the protocol that makes the internet work), the Government would need to establish some essential principles for the use of software platforms in critical infrastructures and beyond: the issue has been on the table, but largely ignored, since 1999.
A structural solution, however, can only be political and must start from the acquisition of awareness: it is simply impossible to guarantee national security and public order without a European ICT industry that spans everything from the design and implementation of components to the development of equipment, software and cryptographic algorithms for (not only) critical infrastructures. It is clear that such a project takes a long time, but merely structuring and launching it would give the national security vector both a direction and an orientation, clarifying the roles, duties and responsibilities of the actors involved. Moreover, in the meantime, relations with technology suppliers will have to be managed by applying Michael Corleone’s rule in The Godfather Part II: keep your friends close, but your enemies closer.