How the Italian government’s new offensive power in the cyber sector works

Italy, too, is equipped with a regulatory instrument that allows offensive operations on foreign soil, even without a formally declared state of war. The new normality of international arrangements also requires Italy to speed up the adoption of a comprehensive regulatory framework. The analysis by Andrea Monti, Adjunct Professor of Digital Law at the University of Chieti-Pescara, initially published in Italian by Formiche.net

On 9 August 2022, Decree Law No. 115 on ‘Urgent measures on energy, water emergency, social and industrial policies’ was published in the Official Gazette. The decree contains a provision (Article 37) that gives the Council Presidency powers to react to cyberattack’s. A previous article contains a broader analysis of the matter. This one, by contrast, enters into the merits of the specific regulatory framework adopted by the legislature.

The name of the provision —Dispositions on cyber intelligence— dictates the operational perimeter of the rule:  the enhancement of the collection of information to be made available to institutional structures competent in the management of attacks on critical infrastructures. The wording of the text, however, highlights several aspects to be considered.

The strengthening of the Presidency of Ministers’ Council Decree (DPCM)

Firstly, the decree takes a further step towards changing the nature of the Prime Minister’s powers already started during the first phase of the pandemic and chastised by the administrative jurisdiction.

Article 37 gives the Presidency of the Council the power to adopt ‘counter-intelligence measures in the cyber environment, in crisis or emergencies in the face of threats that involve aspects of national security and cannot be dealt with only through resilience actions, also in the implementation of obligations undertaken at the international level. Palazzo Chigi, is close to gaining power analogous to the US executive order.

The expansion of the operational perimeter of intelligence agencies

Article 37, although limited to computer systems and telecommunications networks, expands the operational perimeter of the agencies to allow actions aimed at objectives other than information gathering. We are therefore facing a change in the role of Italian intelligence that represents an epoch-making turning point and brings it closer to its Five Eyes counterparts.

Until the issuance of the ‘Aiuti’ decree, the rules for intelligence activity for the protection of the Republic did not allow offensive actions, but only the possibility of committing certain crimes within the legal cover offered by the functional guarantees to acquire information of interest to the Republic.

According to the decree, qualified operators (i.e. belonging to the AISE and the AISI) can carry out acts that, in the jurisdiction of the country of destination (the one from which the attack originates —at least apparently— could be much more severe offences than a home invasion, a theft of documents or the management of information resources. The subject is far from new and far from being limited to domestic spheres, as the heated debate in the US and Israel on the legal admissibility of targeted assassinations in the absence of declared conflict or on the non-liability for crimes committed abroad by the British services under the Intelligence Service Act of 1994 shows.

A further critical aspect to consider is that, unlike the attack, whose attribution to a hostile state might not be immediate, the reaction would be a ‘State-sponsored attack’, thus implying the Republic directly. This could cause inevitable and instrumental diplomatic tensions of no minor significance.

The Jurisdictionisation of National Security

At first, sight, establishing by law the power to attack foreign telecommunications platforms and networks to protect domestic ones could constitute a severe act political responsibility. However, having regulated by law the executive powers of intervention has the effect of activating control of the judiciary and thus removing national security decisions from pure arbitrariness. Moreover, the rather vague wording of the text —a fairly common provision-drafting technique in matters of this kind— leaves much room for legal interpretation. This means that case law will play a central role in delimiting the operational scope of the executive powers of reaction.

The role of secrecy and the French option

The increased, inevitable and justified involvement of the Italian judiciary in the management of the consequences of external attacks (which are an ex officio punishable offence) poses the problem of the possibility for agencies to resort to secrecy to protect the identity of the operatives and the methods they used in their fighting-back activities.

Article 37 does not contain a similar rule to the one that, in French law, regulates the involvement of intelligence in judicial investigations based on the secret de la défense national. Again, unless the conversion law intervenes, untangling this knot will be a matter for the courts.

Conclusions

Article 37 open challenging issues, but it would make little sense to consider this rule intrinsically non-compatible with the Italian legal system.

The point is to ask whether, in the light of the changed technological and geopolitical scenario, we can still consider sufficient principles and rules designed for contexts profoundly different from those in which the decision-maker must operate today.

Rules such as those contained in Article 37 overcome a static conception of the relationship between law and politics and formalise the fact (well known and well ‘forgotten’) that the Italian national interest can be protected even by violating the prerogatives of other states.

They represent the first step in a long and arduous journey, but one that, one way or another, had to be started.

Leave a Reply

Your email address will not be published.