In Italy, very little is ever known about cyber attacks


On Wednesday afternoon, the websites of the Ministry of Defense, the Senate, the Higher Institute of Health and the Automobile Club of Italy, the ACI, were unreachable for several hours due to a cyber attack claimed by two groups of cyber activists, Killnet and Legion, who support Russia in the war on Ukraine.

From initial information it seems that Italy has been identified as a target due to its support for Ukraine: if the reasons are confirmed, it would be the first cyber attack in Italy directly linked to the war. But although the websites of very important institutions, such as the Senate, have been hit, very little is known about the attacks. One of the few official notes was released by the Defense Staff which specified that the inaccessibility of the website was due to “a maintenance activity planned for some time”. The explanation seems to be implausible: firstly because the attack on the Defense site has been claimed and above all because such a significant maintenance activity should be announced well in advance.

The lack of information and, as in this case, denial are part of a communication strategy that in recent months has also been followed by other organizations, ministries and large companies affected by cyber attacks. However, managing crises in this way is a choice that entails various risks, not only in the short term but also for the general perception that people have of cyber attacks.

One of the recent attack cases of which very little information has been given involved the Ministry of Ecological Transition. On April 6, the ministry’s website was taken offline “for prudence”, as Minister Roberto Cingolani had said, following an attack which was later confirmed. Cingolani had spoken of “external threats detected on the computer network”, without clarifying what type of attack it was and who was responsible.

The consequences have not been negligible: in recent weeks the ministry has been forced, on at least two occasions, to postpone the deadline for submitting applications related to the PNRR, the national recovery and resilience plan, precisely because of the malfunctioning of the ministry’s platform. Furthermore, until 6 May the portal for consulting environmental authorizations was inaccessible. “With the measures taken to contain the risk and the precautionary extension of the deadlines, the time schedule of the National Recovery and Resilience Plan has not been affected in any way”, clarified the ministry in a note, without however specifying what the risk containment measures were and what concrete problems there have been in the last month and a half.

Denying the incident, as the Ministry of Defense did, or giving little information, can be risky especially when the attack has a direct impact on people, such as the inaccessibility of a website, disruptions in transport (as happened to Trenitalia) or even worse the interruption of health care after an attack on a hospital. There is a consensus among cybersecurity experts that communication should be fast, clear and continuously updated.


One of the most common problems in Italy, says Carola Frediani, founder of the newsletter and the site Network Wars, is that unclear indications are given regarding the nature of the incident. “The simple definition ‘cyber attack’ explains little and lends itself to several possible interpretations,” she says. “The accuracy allows you to better understand what is happening and have a greater perception of the risk. Instead often, due to the lack of transparency, actually trivial and limited attacks are magnified. But there is also the opposite risk, that is to perceive accidents as all the same, even when in reality they show security and vulnerability problems.”

Another fairly common mistake is to immediately name a party responsible for an attack, when responsibility cannot always be attributed with certainty: the claims should be checked carefully. In recent months there have been several cases in which purely criminal attacks, organized with the aim of extorting money from affected organizations, have been attributed to Russian hacker groups siding with Vladimir Putin’s government. This happened, for example, after the attack against Trenitalia, whose political motivations were later denied. “There are Russian criminal groups that appear to have intelligence links and therefore there may be an alignment of objectives,” explains Frediani. “But it is information that is very difficult to verify and that in any case must be contextualized.”

The cyber attack on the Lazio Region that took place last year is one of the examples of how an emergency should not be managed. Initially the Region did not provide information, despite evident disruptions for people who could not book vaccinations and appointments, and later provided fragmentary and inaccurate information, in some cases contradictory. The management of communication, then, had been entrusted to politicians who, without basic technical knowledge, had created further confusion. The president of the Region Nicola Zingaretti, for example, decided to deny receipt of a ransom request, declaring that the attack was of a terrorist nature. In reality it was a ransomware attack, organized with the aim of extorting money.

According to Corrado Giustozzi, cybersecurity expert and former head of the development of CERT-PA (Computer Emergency Response Team Public Administration), the government structure that until the advent of the National Cybersecurity Agency had the task of preventing and responding to IT security incidents in public administrations, it is necessary to distinguish between two levels of communication. On the one hand, the information relating to the investigations of the authorities dealing with IT security must be protected; on the other hand, it is essential to be prepared for the communicative management of an attack, especially when its consequences affect people. “The best attitude is to maintain constant contact with users, people,” says Giustozzi. “Instead, it is often decided to hide everything, deny, say nothing in order not to make a bad impression, in order not to create alarmism. But the information filters and ends up generating a lot of suspicion.”

In Italy, as in many other countries, all companies have for a few years been obliged to report to the Guarantor for Personal Data any attack that involves the unavailability, loss or theft of personal data; moreover, companies that are “critical infrastructures” must report any relevant incident to the National Cybersecurity Agency. But there are no official government-level rules or guidelines on how to handle external communication during or following a cyber attack. “Institutions and companies improvise, at best with a little common sense,” explains Giustozzi. “In general, there is a lack of a culture of managing cyber crises, both for how to deal with them internally and for how to communicate them externally.”