By Andrea Monti – Originally published in Italian by Infosec.News
Italian Prime Minister Decree 131/2020 is one of the acts resulting from the enactment of Law Decree 105/19, later converted into Law 133/09 establishing the national cyber perimeter, a concept also relevant for the application of Legislative Decree 65/18, transposing EU Directive 1148/16 (NIS Directive). While this sentence appears to be illegible and incomprehensible, the choices and content of the Prime Ministerial Decree are even more so because they increase the level of the contradiction of a body of legislation which, by regulating national security, should instead be easy to understand and agile to apply.
However, first things first.
The creation of the perimeter National Cybernetic Security Perimeter
In full fear of the “yellow danger” – the seizure of control of our (still non-existent) 5G infrastructure by Huawei – the government issued and Parliament ratified emergency legislation: the Decree-Law 105/19 converted into Law 133/09. In short, this regulation does two things: it gives the Prime Minister the power to “shut down” the Italian network and establishes a complex bureaucratic system at the centre of which is the “CVCN” (National Evaluation and Certification Centre).
This structure, at least on paper, should be the one that “certifies” the security of the equipment and software used in the “cybernetic perimeter”. It is an enormous task that CVCN (which is not yet operational) will hardly able to manage because of the quantity, complexity and legal limits linked to the analysis of projects, source codes and implementations of an enormous quantity of products. It is reasonable to expect, therefore, that the verifications will, in reality, and quite often, a “self-certification” issued by suppliers, based on those provided for by the Conte-Huawei Prime Minister’s Decree.
The lack of coordination with the NIS regulation and the Penal Code
In addition to the CVCN, Law no. 133/09 imposes obligations and sanctions for telecommunication operators and service providers, and places alongside the critical infrastructures regulated by Legislative Decree no. 65/18, the “essential functions” for the State, whose regular course of action is guaranteed by the “essential service providers”.
There are macroscopic contradictions between the regulation of critical infrastructure and that of the protection of essential functions. For example, although not required by the NIS Directive, and notwithstanding national security is out of the scope of the GDPR, critical infrastructure’s management is subjected to the jurisdiction of the Data Protection Authority, while “essential functions” are (rightly) not.
Secondly, Law 133/19 also applies to entities other than those identified by Legislative Decree 65/18. A detailed analysis of the relationship between these two laws is out of scope; however, it is sufficient to point out a few quirks: Law 133/19 applies to “entities and operators, public and private, based in the national territory on which the exercise of an essential function of the State depends” and concerns “the provision of a service essential for the maintenance of civil, social or economic activities that are fundamental to the interests of the State and whose malfunctioning … may result in a prejudice to national security”. By contrast, the Legislative Decree 65/18, on the other hand, deals only with operators of essential services as entities providing “a service that is essential for the maintenance of fundamental social and/or economic activities”.
Furthermore, the definitions contained in Law 133/09 are not in sync with the provisions of the Penal Code on computer crime, which already punishes damage, unauthorised access and interruption of operation to the detriment of systems “of military interest or relating to public order or public security or health or civil protection or in any case of public interest”. The result is the difficulty of punishing actions to the detriment of essential functions and services which will force the police and judicial authorities to carry out intricate interpretative work to support the accusations in court.
Finally, Law 133/09 makes improper and potentially unconstitutional use of administrative sanctions which, as in the case of the COVID-19 sanctions, have such an affliction that they are, absolutely, part of “criminal matters”. To understand the implications, it is enough to read the Engel and Grande-Stevens judgements issued by the European Court of Human Rights on the abuse of administrative sanctions as “criminal offences in disguise”.
As a side matter, a question arises about the requirements for the use of the Decree-Law (an exceptional legislative power the government can use in case of emergency). One might wonder where was the emergency condition if, after almost a year, the cyber-security perimeter is not yet in place because of the lack of implementing decrees such as precisely, the Prime Minister Decree 131/20.
Having made this long but inevitable introduction, we come to the merits of the decree, which inherits the same problems as the regulations that generated it.
The criticalities of Prime Minister Decree 131/20
First of all, but it is a “curiosity” for law scholars, Article 4 of the Prime Minister’s Decree, which sets out the rules for identifying the persons forming part of the cyber perimeter, begins with this statement:
Without prejudice to the provisions for security intelligence bodies in Article 1(2)(a) of the Decree-Law…
as if a decree of the Prime Minister could affect a Parliamentary-issued law.
Secondly, confusion over definitions increases. A few examples:
- Article 1 c. I(i) confuses “network” and “data”.
- Subparagraph (l) below, which speaks of computer service, uses the term “information” instead of “data”.
- Letter m) introduces the concept of “ICT asset” which is a further (and different) definition compared to the one provided by the Penal Code.
- Letter n) which defines architecture and components, makes a total confusion between hardware, software and procedures.
Thirdly, it establishes a complex system of obligations and controls managed by various ministries. The telecommunications sector is negatively affected by this provision because of the possible alteration of competition in the internal market. Small operators might not bear the costs of the technological and organisational adjustments necessary to continue providing services to customers included in the “essential functions” list.
Finally, it settles an “interministerial table”, whose meetings, according to article 6, paragraph V, “may be attended by … representatives of other public administrations, as well as public and private bodies and operators”.
The overall gut feeling of the rules on national security, of which Prime Ministerial Decree 131/20 is the last (but not least) component, is that of a system that is so confused and bureaucratic that it would be substantially inapplicable if an emergency were to occur that require rapid and decisive decisions.
The situation is similar to the one we are experiencing in Italy with the pandemic, where – to use a hyperbolic – in case of emergency, emergency legislation does not apply because we have an emergency to manage.