The decree on the State-retaliation to cyber attacks is now a law, but its criticalities have not been resolved during the conversion phase. A ruling from the Supreme Court indirectly highlights them and makes it urgent that the government remedy this paradoxical situation. The analysis by Andrea Monti, adjunct professor of Digital Law in the Digital Marketing degree course at the University of Chieti-Pescara – Initially pubished in Italian by Formiche.net
Law no. 142 of 21 September 2022 converted into law the ‘Aiuti-bis’ decree, which in Article 37 provided for the attribution to the government of the power of retaliation in the event of cyber attacks, even if not state-sponsored. Critical affected this provision, that the conversion law have not addressed. The result is a sketchy egislative framework, hardly improvable by the implementing measures.
IT retaliation and right of defence
One of the icebergs on which the power of cyber retaliation could break emerges from a ruling of the Italian Court of Cassation published on 7 September 2022, holding that it is an infringement of the right of defence not to make technical information on how the information used for the investigations was acquired. In such general terms, this principle of law does not seem connected to cyber retaliation; however, a deeper analysis shows the opposite.
The decision concerned the technological investigation activities that led to the dismantling of a hyper-secure messaging system known as SkyECC used by criminal groups from the most diverse origins. Law enforcement agencies of various country were given the intercepted messages, that fueled a significant number of domestic trials.
In a nutshell, the dismantling of SkyECC resulted from an international Franco-Belgian-Dutch investigation that also involved the Canadian and North American authorities, Europol and Eurojust. The details of the collaboration have not been disclosed to the media; however, it is less acceptable that they have been kept out of court files, hampering the right of defence. Hence, the sentence of the Italian Supreme Court, which stigmatized the refusal opposed by the Public Prosecutor’s Office to disclose technical information on how the messages exchanged between the defendants was acquired, including the contributions provided by entities not belonging to the prosecution offices running the investigation.
Encrochat, Sky ECC, REvil and the mixing of the roles of state apparatuses and states as such
To understand the impact of this ruling on legal cyber retaliation, it is necessary to address the issue of the relationship between technology and inter and transnational crime in more general terms, referring to other leading cases: Encrochat (predecessor of SkyECC) and REvil .
Investigations on Encrochat and those on the Russian-speaking criminal group that ran the REvil ransomware platform show common traits: a mixture of state powers, political interventions, involvement of community ‘agencies’ and co-optation of the ‘private sector’. For example, in the former, a significant contribution was provided by the French Direction Générale de la Sécurité Intérieure. However, under the rule on the secret de la défense nationale, the details of this cooperation has been kept away from the scrutiny of the counsels. In the latter, the FBI (i.e. a police body), together with other entities, went to the counterattack of the criminal group that managed the platform through which particularly aggressive ransomware was commanded. At the same time – in the European Union – essential parts of the investigations were carried out with the contribution of ‘agencies’. Formally, these entities act as mere ‘information pivots’; however they participate fully in the police investigations.
The confusion between means and ends and the uselessness of the legislation on cyber retaliation in light of the sentence of the Supreme Court
It is beyond question that, regardless of the motivations that motivate it, the international crime must be taken down. The point, therefore, is not the ‘if’ but the ‘how’. In other words, it is irrelevant whether cross-border actions are ‘purely’ criminal or favoured, if not sponsored, by States. When these produce immediate effects that go beyond the ‘simple’ criminal relevance and attack critical infrastructures, they must be stopped quickly and with methods that do not belong to the times and rules of the judicial trial. The judgments will arrive later, in due course.
However, the cases highlighted above demonstrated that the activities of information gathering, interdiction and reaction ended up in criminal proceedings. Therfeore it is unthinkable that a democratic system based on the rule of law can accept that criminal liability be based on the impossibility of verifying the (also) technical basis of the accusations. This means, in other words, that of information on the modus operandi of the involved security and intelligence agencies must be disclosed to the defence counsel.
We are light years away from when, in the early 90s, the Italian Guardia di Finanza, in an ‘excess of zeal’, inserted information on the existence of the ‘Telemonitor TM40’ in a trial file, thus letting ‘everyone’ know of being able to intercept the early communications between modems, until then considered ‘safe’ in the hacker underground. In general terms, however, the core of the problem remains the same and concerns the risk of the methods and tools used by the armed forces and intelligence being made public.
One might bet on a ‘forgiving’ jurisprudence such as the German one formed on the use of information collected by foreign authorities in the Encrochat investigation to limit the right of defence; however, the remedy – as they say – would be worse than the disease. It would affirm the principle that the administration of justice is subject to the needs of the executive powers well beyond the limits set by the legislation on state secrets. It would also imply that these needs can be satisfied by involving State actors doing ‘other jobs’. It would also make it legal to hide them from the judicial overview.
The unresolved issue of short-term strategies, covert/clandestine operations and the crucial role of attribution
The Aiuti-bis decree and the conversion law did not take on these (and other) complexities and favoured an approach based on achieving short-term results, neglecting the consequences on a more extended time scale. Moreover, given the chain of command built by this provision, it is improbable that the retaliatory order will be issued with the speed necessary to counter an ongoing attack. This again places attribution’s problem at the centre of the analysis.
Suppose an attack is not immediately qualified as State-sponsored. In that case, it remains the responsibility of the public security structures (and, therefore, the Ministry of the Interior) and the judicial authority (and therefore, the Ministry of Justice). Nothing prevents intelligence agencies such AISE and AISI from ‘discreetly’ collecting information related to the attack, nor that the Defense raises alert levels. However, without an explicit qualification as a hostile act, the formal involvement of these entities in criminal investigations would not have grounds.
If, on the other hand, the attack is attributable to a state actor or somebody explicitly supported by a foreign government, the judicial investigation that will necessarily be launched must step back. It should be coordinated with the political assessments of the public decision-maker and subordinated to Defence and Intelligence. It should be protected by the State Secret or another form of secret that, at the moment, our legal system does not provide.
The policy choice of the Aiuti-bis decree-law is not a viable option. Cyber retaliation carried out on foreign soil, especially if it concerns criminal groups not connected to state activities, is still a violation of the sovereignty of another country. It would be conceptually identical to sending an expeditionary force to protect the national interest regardless directly and, possibly, even without the knowledge of the ‘receiving’ nation. It would trigger an escalation with unpredictable consequences.
Recent history is full of such actions, as taught by the targeted assassinations practised by various countries on both sides of the Iron Curtain. Therefore there would be nothing conceptually inconceivable in foreseeing, even in the Italian legal system, a power of similar intervention, although certainly less lethal. The point is that this should be done by acknowledging once and for all the possibility of clandestine or covert offensive operations on the model adopted by France, the United Kingdom, the United States and Israel.
Still, the question of how to manage high-tech judicial investigations remains on the table. Even in this case, however, the solutions cannot be built upon shortcuts or by the empty and formal respect of the procedural rules, which must be modified but, equally certainly, not torn to pieces in the name of a ‘whatever it takes’ principle.