While waiting for the meeting with the US Secretary of State Pompeo, the Italian Premier Conte talks about European technological independence. It will take time, but the government can do a lot right now for independent national security. The analysis by Andrea Monti, adjunct professor of law and order at the University of Chieti-Pescara – initially published in Italian by Formiche.net.
After more than twenty years, the idea that national security passes through technological independence, not only of Italy but of Europe, has finally made its way into government. Translating this new political awareness into legislation and then into action will require time and investment, and it will be interesting to see how much of the Recovery fund will support the rebuilding of an industrial sector at the forefront of technology on a par with Olivetti’s never-quite-repented level. In the meantime, however, much can already be done with the regulations in force. Some specific measures may not even require a parliamentary passage. Let us see which ones.
Generalisation and extension of the Conte-Huawei Decree
The Conte-Huawei decree that makes negotiating with Chinese big-tech more difficult is politically wrong, legally questionable and useless in practical terms to protect national security. However, regardless of the problematic aspects of the measure, its extension to all technology suppliers would avoid accusations of altering market dynamics, but above all, it would create a harmonised and cohesive regulatory framework for security. Pending the European National Security Independence Day, therefore, non-EU suppliers could be forced by the Presidency of the Council to offer Italy effectively secure products.
A Prime Minister Decree (since it has already been used as an exception to the Civil Code, amending contract law in the relationship between TIM and Huawei) could also eliminate the legal impenetrability of big tech equipment, software and firmware (belonging to the USA and beyond). These, in fact, unlike patents which are public by law, are rendered legally obscure by copyright law. As a result, states that purchase security products can only “trust” them, giving up the possibility of actually verifying “what” they are buying. The Crypto AG scandal makes the terms of the matter very clear.
Issue of ministerial decrees by the Ministry of economic development
Article 16bis of the Electronic Communications Code establishes the obligation for telecommunications operators to protect public electronic communications networks. There is nothing to prevent the MISE from issuing decrees and other acts of a regulatory nature to prescribe to operators the design of their infrastructure, the criteria for selecting suppliers and the “state of health” of the security of their networks.
Sweeping checks on the application of data protection by design
Article 25 of EU Regulation 679/16 (the GDPR) requires that all systems processing personal data be designed and used considering the protection of personal data as a structural element of the product. The Italian Data Protection Authority could start an investigation into technology and software suppliers of the Italian public administration to verify effective compliance with this rule.
Extension of Agency for Digital Italy rules on information systems security
The Agency for Digital Italy has long since established a list of security measures for Public Administration software platforms. Nothing prohibits extending their scope to specific aspects of national security.
Verification of compliance with the principles of fairness in competition
The Antitrust Authority could launch an investigation into business practices relating to security equipment and software. Placing an inadequately designed and tested product on the market gives an unfair competitive advantage over other players who have to invest more and arrive on the market late. Moreover, if all manufacturers followed the same (irresponsible) approach, then we would be facing an agreement or cartel.
The process of building such products is long and expensive, and the temptation to take shortcuts on software components in terms of test development is powerful. The most tragic case – but certainly not the only one – is that of the software that controls the Boeing 737 Max.
Conclusions
Coordinated action between government, departments, guarantors and public agencies would make it possible to create, in a short space of time, a uniform legal framework for the regulation of public-private relations concerning national security.
By squaring the circle in this way, it would be possible to strongly orient the development of the market in the sector without, however, taking on a managerial and anti-competitive role.
Finally, moving first, the government could offer Europe a concrete example of regulation, becoming a promoter and not a mere follower of decisions taken in other contexts.