Cybersecurity’s Decree Law 82/2021: how it is (and how it can be improved)

The Parliamentary procedure to confirm the decree-law establishing the Agency for Cybersecurity also intervenes in broader areas. It is an opportunity to establish a legal definition of national interests and security. The analysis of Andrea Monti, Professor of Digital Law, University of Chieti-Pescara – Initially published in Italian by Formiche.net

Much has been said about the political importance of Decree-Law 82/2021, much less about its legal contents and what could be improved.

If, on the one hand, the attributions of the Agency are clear, there are still some parts that should be harmonised: the regulatory taxonomy, the status of the personnel and their powers in acquiring information on incidents, and the role of the Personal Data Protection Authority in a matter —national security— which, not even in the EU context, is among the attributions of the Data Protection Authorities.

THE LEGAL DEFINITION OF NATIONAL SECURITY

Like Law 124/07, this decree-law does not define the concept of national interest or national security in a normative way. Although the choice could be understandable, since it concerns categories that pertain more to international relations than to law, to insert a concept and not define it is dangerous. It allows a breadth of interpretation that a formal definition would have avoided. It would therefore be appropriate (as also noted by the Defence Commission in its opinion on the decree) to introduce a letter a-bis into Article 1, defining national security as

the Government’s duty to protect and realise national interests while respecting constitutional principles and the prerogatives of Parliament.

HARMONISATION OF THE PREROGATIVES OF THE PRESIDENT OF THE COUNCIL

Article 2 of the Decree-Law defines the prerogatives of the President of the Council of Ministers, already partially identified by Article 1 of Law 124/07. It would be opportune to coordinate the norms by modifying paragraph I of the article with a premise:

1. In addition to the prerogatives of article 1 of Law 3rd August 2007, no. 124, the President of the Council of Ministers…

PROTECTION OF NATIONAL TECHNOLOGICAL SOVEREIGNTY AND THE CYBERSECURITY MARKET

Article 7 of the Decree is particularly articulated and complex. It can indeed be said to be the heart of the regulation of the modus operandi of the Agency.

Paragraph 1, letter e) number 1 gives the Agency the role of certifier of cybersecurity products. However, it makes no reference to the need to favour products, software and services based on so-called ‘open source’ or ‘free’ intellectual property models, which allow direct access to the functioning of the tools used and reduce the risk of hidden functionalities or unknown vulnerabilities. The issue is not new, since it was precisely the fear of hidden code in Chinese 5G devices that accelerated the establishment of the national cybersecurity perimeter and raised the issue of the analysis of foreign technological products. Indeed, it is not always possible to use these models of intellectual property management, but it would be appropriate at least to state the principle.

Moreover, an indication of a preference for IP management models in the terms set out above would prevent a situation like the US Executive Order that in 2019 led to the remote blocking (later revoked) of Adobe software used in Venezuela or that which led to the revocation of access to Google services to the detriment of Huawei. Regardless of the merits, these facts indicate what can happen when relying on technologies over which the Italian Government does not have complete and absolute control.

Finally, Italian companies should be guaranteed the possibility of competing in the cybersecurity market and developing their products and services independently. Indicating a preference for the proposed model of intellectual property management would go in this direction.

One way to achieve this would be to amend Article 1(VII)(e) by adding a number 1a) and a number 1b):

1-bis Without prejudice to documented needs, in the exercise of certification activities of products, computer programs and services used by administrations, providers of essential services and entities, including private ones, included in the national cybersecurity perimeter, the Agency shall give preference to those based on licences of use and/or conditions of service that allow access to, modification and redistribution of the computer code used, without financial consideration.

1-ter Except for documented needs, in the certification referred to in paragraph 1-bis above, the Agency shall adopt choices that do not alter the national cybersecurity market.

THE INVESTIGATIVE POWER OF THE AGENCY AND ITS STAFF

The current text of Article 7, paragraph I, letter f) does not clarify the legal limit of the power attributed to the Agency’s staff to request information from private subjects outside the perimeter. In order to avoid possible interference with incidents that have been the subject of a complaint and therefore covered by investigation secrecy, it would be necessary to establish that Agency staff do not have judicial police powers.

A solution could be to amend paragraph I, letter f) by establishing that

the Agency assumes – in compliance with the rules on preliminary investigations and preventive interceptions – all the functions in the field of cybersecurity…

THE EXTENSION OF THE AGENCY’S JURISDICTION

Article 7(I)(n) deals with preventing attacks, but it is not clear whether the rule applies only within the national cybersecurity perimeter or outside it. The clarification could come by amending paragraph I letter n):

In compliance with the rules of the Royal Decree 18 June 1931 No. 773 and the Code of Criminal Procedure develops national capabilities …

This formally preserves the public security activity of the State Police by establishing regulatory coordination with crime prevention activities.

INVOLVEMENT OF THE PERSONAL DATA PROTECTION AUTHORITY

As in the case of the transposition of the NIS Directive, Decree 82 also involves the DPA in areas that are the exclusive responsibility of the executive and removed from the supervision of the independent Authority. To submit, as Article 7, paragraph V of Decree 82 does, the work of the Agency to the interaction with the Data Protection Authority for the  is a non-compulsory and counter-productive choice because it subjects national security to a control that is not provided for by a superior norm, is not necessary and is potentially a source of delays and operative inertia. Instead, it would be opportune to guarantee the autonomy of the Agency by replacing paragraph 5 with the following text:

The processing of personal data carried out by the Agency in the exercise of its powers is declared to be of fundamental public interest, and when it concerns national security it is covered by State secrecy.

THE LEGAL STATUS OF THE AGENCY’S STAFF

Article 12 of Decree 82 deals with the personnel of the Agency but does not indicate their legal status. By analogy with what happens with AISE and AISI, it would be appropriate for the personnel of the Agency to lose their qualifications as judicial police officers, public security officers and military personnel, while retaining their seniority in the role in case of return to their offices. This would avoid the obligation to denounce or report offences and allow the Agency to manage the prevention and counteraction of cyber attacks efficiently. The solution would be to add a paragraph 7-bis that applies to the Agency’s staff the prerogatives of Article 23 of Law 124/07:

7-bis. Article 23 of Law 3 August 2007, n. 124 applies to the Agency staff.

CONCLUSIONS

The law converting decree 82 has the opportunity to reinforce the legal framework and the political function of the national strategy on cybersecurity. Building a solid regulatory foundation is the best way to ensure the resilience of the complex legal infrastructure that in part already exists but in another part will need to be developed. The clearer and more consistent the premises, the more effective and immediately applicable the consequences will be.

If one had to choose which point to reinforce if only one were available, the choice would necessarily fall on providing a legal definition of national security. It is an essential prerequisite for the practical defence of our electronic borders.
