by Andrea Monti – originally published by Infosec.News
A note for the non-Italian readers: Leonardo is the biggest Italian defence contractor. Recently the company has discovered a massive information theft related to critical pieces of defence equipment, allegedly committed by two insiders. According to the prosecution, the exfiltration went on undisturbed for about two years before being discovered.
A great deal has already been said about the massive illegal exfiltration of data suffered by Leonardo, about the difference between the institutional narrative of cybersecurity and the dramatic situation of the Italian infosec, and about the regulatory superfetation burdening national security. However, something still lasts to be discussed: the less-than-proportional relationship between the members’ quantity of a structure and their “loyalty” to the structure itself.
It is quite intuitive to understand that as a structure grows and its organization becomes vertical, moving from peer-based management to a hierarchical pyramid, the widening of the base implies a lowering of fidelity to the structure. So, if at the top it is (relatively) more probable to expect a commitment that goes beyond pay and prestige, in a Fordist perspective, as one descends towards more “menial” positions the sense of belonging diminishes and purely economic interest prevails. It does not matter “who” is the employer or “what” the duties are, as long as the salary is adequate and, above all, arrives on time.
It does not mean that all managers are enlightened executives who care only about the well being of the company (or institution) and those who depend on them are mercenaries who are only interested in a selfish defence of the workplace. The history of the workers’ movement in Italy and the commitment to protect factories in the tensest moments of political and industrial relations speak for themselves and exclude such a simplistic reading of events.
It is true, instead, that it is precisely the highest levels of management and leadership that have the least “loyalty” to the company. Just look at the professional profiles on Linkedin to realize how high the mobility of executives and managers is. A situation that is light years away from the Olivetti of the golden age, the one that taught Americans and of which people were proud to be part.
What does all this have to do with the “Leonardo case” and the information security sector?
The security and defence sectors share a common trait: you cannot be part of them only because —simplistically— a work is available, because the salary is good and it is possible to get important duties and institutional awards. Competence should be, of course, non-negotiable. However, it is also necessary to own, at any level, a solid sense of the Institutions. It is the only barrier against corruption, industrial espionage and “intelligence with the enemy”. Therefore, still thinking that an entity can counter an insider threat by way of official background checks and, perhaps, by some “discreet” investigation is quite naive and, as a matter of fact, insufficient.
The conclusions are easy to guess, but at the same time objectively unpleasant.
Should we start to select who works in these areas considering, in addition to technical skills, the level of “impermeability” to external stress or living conditions?
Should we adopt a generalized control system such as the one that allows Apple to maintain practically absolute internal security?
Can we still consider that the outsourcing (that is translated often in sub-sub-sub contracts) is an acceptable practice in the world of the security, instead of exercising a direct and exclusive control on who comes in contact with critical information for the security of the State?
Moreover, if also we wanted to abandon this model, how would we suppose to operate in the security domain using technologies that we do not control neither juridically nor operatively?
Out of all hypocrisy, the ghost that nobody wants to evoke or exorcise is that of technological independence.
As the “cybernetic perimeter” legislation shows, national security has got out of the control of the institutions. It has turned into a dual system, with private (and non-EU) subjects taking on a role far beyond that traditionally reserved to defence contractors.
In this context, therefore, three things are clear: firstly the “Leonardo case” is not particularly scandalous or incredible. Secondly, it will certainly not be the last one. Thirdly, it is impossible to prevent it from happening again in some other equally critical area.