State offensive cybersecurity requires an organized regulatory framework

The upcoming Decree Law ‘Aiuti’ seeks to equip Italy with the capacity to react to cyber attacks. Nevertheless, “Article 37” is only the first step. An analysis by Andrea Monti, professor of Digital Law in the Digital Marketing degree program at the University of Chieti-Pescara. Originally published in Italian on Formiche.net.

Article 37 of the ‘Aiuti’ decree-law allows Italy to react to cyber attacks, even those launched from abroad, by involving the military structures of the Defense. Leaving analysis of the provision until its final version is available, it is useful here to make a general assessment of a choice that normatively aligns Italy with other countries such as the U.S. and France.

International precedents

On November 8, 2021, the U.S. Department of Justice announced the dismantlement of a Ukrainian criminal group accused of being behind countless ransomware attacks. The few publicly known details about the investigation show that the prosecution qualified the case as a national security matter, allowing the involvement of the Secret Service and the Department of Defense. It also appears that the FBI used offensive security techniques to locate the servers that carried the ransomware and to implant the computer code needed to identify the suspects.

French authorities used a similar procedure in the Encrochat case. The investigation began in 2017 and involved a company that provided customized versions of Android smartphones turned into crypto phones for exchanging communications via an infrastructure of secure servers. As in the REvil case, French authorities invoked national security to enlist the Direction Générale de la Sécurité Intérieure and used malware ‘planted’ on Encrochat’s servers hosted in a French data centre.

Foreign judicial decisions

As was to be expected, once the affair went to trial, it prompted a series of challenges by defence lawyers to the regularity of the methods used by the French authorities. In a decision delivered on April 8, 2022, the Conseil Constitutionnel declared legitimate the rule allowing the public prosecutor’s office to invoke the secret de la défense nationale to use state apparatuses other than the judiciary.

Italy’s future regulatory framework

These two cases provide valuable leads to the Italian legislature for what will be the law converting the Aiuti decree and for enacting further measures needed to make Italy’s active cybersecurity apparatus effective.

Provide a normative definition of national security

Taking a cue from French legislation, the first thing to do is to define clearly, in normative terms, the operational perimeter of national security. Unlike Italy, which continues to use the notion of national security vaguely and ambiguously, France is adamant on the point. If the aim is to move toward a harmonized regulatory framework that enables immediate response to attacks, this is an unavoidable step. Indeed, once national security is normatively defined, it becomes possible to make the balancing judgment between state interests and the right of defence by assessing individual situations on a case-by-case basis.

Coordinate reactive capabilities with the Code of Criminal Procedure

Defining the operational perimeter of national security would allow coordination between criminal investigations and the involvement of entities other than law enforcement.

Cyber attacks, even from abroad, are in fact crimes that domestic authorities can investigate under the doctrine of the ubiquity of prosecution. If they involve critical infrastructures, they are even prosecutable ex officio. Consequently, in the case of such criminal actions, the immediate response activity should include immediate reporting to the prosecutor and analytical documentation of the activities carried out, to be made available to the magistrate.

Respect the right of defence

In parallel, amended regulations on investigative secrecy should ensure that information about the operatives involved in the activities and the methods adopted is not immediately available. This goal is challenging because it must also take into account the guarantee of the right of defence. Respecting due process prevents criminal proceedings from being essentially removed from any form of control by the judiciary.

Protect operators

Another aspect to consider is the protection of the field operators. While responding to an attack could be considered lawful and therefore not prosecutable, as provided for by law, this would not automatically be the case if the target of the action is in another country. An undeniable attribution of the attack to a state-sponsored actor (a virtually unrealizable hypothesis) could justify retaliation. By contrast, the lack of attribution allows labelling the attack as a criminal offence. Thus, Italian operatives who, in turn, attack foreign criminals could find themselves committing a prosecutable offence in the jurisdiction of the country where the retaliating servers are.

Strengthen agreements for judicial and preventive cooperation

How information was exchanged between the various investigative and supporting authorities, such as Europol, in the Encrochat investigation has been the subject of judicial review. From a German Federal Court ruling, it appears that information on investigative results was exchanged before a European Investigation Order was issued and that the order in question was only issued later, almost as a formality. Although the German Federal Court found this way of operating correct, there is some doubt as to whether such an approach would work in Italian law. Accordingly, rules of cooperation should be established for the preventive stages.

Conclusions

Providing by law the possibility of responding to cyber attacks from other jurisdictions aligns Italy with a trend already manifested in other E.U. countries and the U.S.

Article 37 of the ‘Aiuti’ Decree goes in this direction. However, it must be supplemented with a series of legislative and regulatory measures that allow for its operational effectiveness and jurisdictional tightness.

The risk of leaving this rule abandoned to its own devices is that, even with the geologic timescales of justice, results obtained in the immediate term will be thwarted by national judicial decisions or international courts. In other words, a victory in the tactical sphere risks translating into strategic failure and, therefore, total defeat.
