Are US Hunt Forward operations the Trojan horse for spying on EU networks?

by Andrea Monti – Initially published in Italian on Strategikon – an Italian Tech blog.

On 15th January, the French newspaper Le Monde published an article highlighting the French confusion about the “Hunt Forward Operation” (HFO), i.e. the active search (and therefore “hunt”) for persons or software that have infiltrated a network to commit illegal actions or “cause damage”. Initially launched in Ukraine in early 2022 to counter hostile actions attributed to Russia, HFOs have also been carried out in EU countries such as Lithuania and Croatia.

As such, these activities are not particularly worrying, as they are part of the complex security offering that private companies provide to the market. However, when the people involved are not employees of a commercial company but soldiers of another country with a history of espionage, even against allies, as in the case of Crypto AG and Merkel, not to mention the revelations of Edward Snowden, it is easier to understand the perplexity of Paris.

As early as 9th December 2022, during a hearing at the Assemblée Nationale, the commander of the transalpine cyber defence had declared: “I will not dwell on the American policy of hunting forward, except to say that it is relatively aggressive because it opens the networks of the countries that request its intervention. … By allowing a kind of access to the networks involved, the HFOs protect them, but with a marked presence at the service of diplomacy, something that General Nakasone does not hide”. A few months earlier, in a statement reported by the BBC that sounds very much like an excusatio non petita, General Hartman, Commander of the Cyber National Mission Force – United States Cyber Command, said of the way the HFOs are run: “If you are the host country, this is a somewhat worrying situation. It immediately raises some doubts as to whether we might be doing something bad or whether this is a super covert operation to install backdoors”.
So are we facing a new front in the complex chess game between the US and the EU, allies against Russia but historically adversaries on the economic and political fronts of technological sovereignty (including Italy)?

A pragmatic and sensible approach advises against venturing into analyses based on mainstream narratives or conspiracies of various kinds and political sides, also because in subjects such as national security, the only people who can speak with full knowledge of the facts – and they don’t do so publicly – are those directly involved. Therefore, unless there is evidence of inappropriate or blatantly aggressive behaviour by the US towards the countries that have requested its intervention, we must assume that the reality matches the appearance. Consequently, we have no way of knowing whether the French alarm results from their traditional anti-Americanism, the need to extend the powers of some internal military structure or other domestic disputes. Instead, it is worth looking at home and asking whether, in similar cases, Italian national security policy makes it necessary, in the abstract, to resort to foreign aid or whether Italian defence is technologically self-sufficient.

The ubiquitous presence of foreign (not only US) technologies in the critical infrastructures and essential services that make up the “national cyber security perimeter” and, in the future, the Civil Service centralised cloud also poses a structural problem that goes far beyond the issue of HFOs.

Military operations have their own rules, and in the context of cooperation pacts, it is unthinkable that games can be played on several levels, risking undermining the indispensable total trust that must be placed in those who may be called to fight on the same side of the fence. On the contrary, information activities take place in areas with much less defined contours. It is enough to read the documents published by Wikileaks to realise that when it comes to playing with intelligence, the rule of the game is essentially “no holds barred” – anything goes. For example, it is still largely unknown whether and how the American Clarifying Lawful Overseas Use of Data Act, which allows US authorities to access data held by US companies on European territory, has been applied in Italy. On 4th August, the Italian Association of Internet Service Providers asked the personal data protection authority to investigate this issue further. Still, to date, no investigation has even been launched.

The Data Protection Authority’s inertia on such an important issue is, archetypically, the weak point of the new national security framework, conditioned by the elevation of the (foreign) private sector to a direct and equal interlocutor of the state. Even before worrying about military matters, public control over the private sector constitutes a preventive remedy against “evil thoughts”.

In other words, “trust but verify”, the Russian proverb that President Reagan adopted as a mantra, is the approach that could allow a balance between the apparent need for interaction, including commercial, with allied countries and the protection of national interests. In fact, an effective and timely enforced system of controls prevents friends and foes from taking advantage of the opportunities that arise when draconian rules remain little more than ink in the Official Gazette pages.
