The ransomware that hit the Regione Lazio infrastructure exposes once again the decades-old problem of the Italian public policy on technology. There has been a time when the Country had the chance to decide for the best. It did not by Andrea Monti – Initially published in Italian by Strategikon – an Italian Tech Blog.
The ransomware that paralysed the Lazio Region’s IT infrastructure is nothing new for either the public or the private sector. Media frequently report on this or that structure being victims of similar attacks. At the same time, this incident is proof of the distance between declarations of principle, ‘memoranda of understanding’ and ‘working groups’ on IT security (the results of which are never disclosed) and the reality.
Central and local public administrations have constantly been exposed to attacks of various kinds, such as defacement, unauthorised access, data theft and loss, virus infections, but also functional blocks and the dissemination of citizens’ personal data caused by mistakes and recklessness on the part of those who manage them. When an incident occurs, however, the approach to crisis management is always the same: focus on the near cause and avoid dealing with the less immediate but more relevant ones.
So, ‘it is hackers’ fault’ and not the infrastructure design choices. Alternatively, ‘the system has crashed’ as if a machine were living a life of its own. Or again, ‘we are the victim of a very sophisticated attack’ and not carelessness in systems management. On the other hand, how can one defend oneself against criminals with such extraordinary capabilities?
This attitude of victims and media is the outcome of the desire – not even too unconscious – to exalt the attacker’s capacity, thus reinforcing the delusion of the inevitability of the fact and, therefore, the absence of institutional and individual liability.
Speaking of responsibility, and here we come to the point, we can no longer afford to ignore huge issues such as the quality of the software that runs the platforms and hardware used by the public administration, the outsourcing -cloud sourcing- of services to citizens, and, in short, the control of the digital public administration over the tools it uses.
At the dawn of the digital era, between the late 1980s and the early 1990s, essential issues such as the importance of computer security, control over software and access to information were already known and theorised. We had already reached the crossroads, and, like Robert Johnson, we stroke a deal with the devil. He did it to play the blues, we to create a digital colossus with feet of clay, made even more fragile by the logic of an industrial sector that favours programmed obsolescence and ‘release early, release often’ models, without paying too much attention to the rest. It is impossible to generalise, but it is a fact that even large international companies in the IT sector, which are supposed to provide guarantees of reliability, have turned out not to live up to their promises.
The situation seems hopeless, yet there is a solution at hand, and it is called software reuse for the Public Administration. The Italian Digital Administration Code has already required civil services to use open-source software mainly, and AgID (the Italian agency for digitisation) plays an essential role in this process.
Despite radical views that demonise other forms of software intellectual property management, making room for the free circulation of software increases its quality and security. It is not a claim, to be clear, to ban the private sector from interacting with the State, but of ensuring that in this relationship, the needs of the State receive more attention than (legitimate) private profit-oriented interests.
What does all this have to do with the ransomware that has hit the Lazio Region? In the short term, practically nothing; in the medium to long term, a great deal.
The public digital ecosystem has become so complex that it is difficult to keep managing it in the way of today’s industrial models, both in terms of products and their use. One can no longer delegate to Big Tech the decision to release updates or fix vulnerabilities, just as one can no longer hope that some bug hunter will decide to make a zero-day public instead of selling it on the black market.
Taking back digital sovereignty also means making choices of this kind.
What is needed is the political will to give a vigorous impetus in this direction, also involving universities in an effort that is undoubtedly titanic but fundamental for the country.
Involving universities in developing and improving the software for the civil service would allow an almost continuous security check. On entering the world of work, having people who already have knowledge and expertise on the platforms used by offices large and small, makes it easier to manage them safely. Knowing what the programmes look like enables the private sector to develop a competition based on quality and efficiency rather than discounts and payment times.
It is easy to criticise such a proposal because it is not feasible, because universities cannot meet the challenge (and why shouldn’t they?) or that it is a radical utopia with no practical value.
Much more difficult is to roll up one’s sleeves and try to make it happen.