The pervasive use of new technologies in sensitive contexts (e.g. management of critical infrastructures) is leading nation states to protect the cyber domain through the creation of governmental bodies with this specific responsibility. This requires the definition of specific protocols to manage diferent attack scenarios, rules, guidelines, and behaviors. Public administrations must follow such protocols to develop an appropriate cyber defence capability. The aim of this paper is to introduce a new high-level framework to improve proactive cyber defence in the current Italian Public Administration. The general objective is to promote the reuse of information coming from security tests in order to optimise local resources while meeting global (national level) normative requirements and cybersecurity good practices. Protocols for diferent scenarios are described and expected micro-/macro-economic efects are discussed.
The use of ICTs in sensitive public contexts (e.g. public health care, management of power plants, etc.), in combination with private citizens’ communication, is leading Public Organizations to consider compliance with law and defence against malicious cyber attacks as a matter of vital importance.
Due to the level of connectivity entailed by digital transformation, information management,
which has always been an important but cross-sectoral factor related to specific domains, is
now an asset with its own characteristics. In this framework we now refer to cyberwarfare [
As a consequence, nation states are actively protecting this new domain through the creation
of governmental bodies with such specific responsibility, defining specific protocols for given
circumstances and attack scenarios, rules, guidelines [
In this contribution, we present a new proposal to improve proactive cyber defence in a specific scenario, that is the current Italian Public Administration (hereafter PA). This objective relies on operational and organisational adaption of processes in PA to already existing technologies, which motivates us in focusing on high-level, non-technical descriptions of the phases characterising proactive defence through security test reuse.
We start with a brief introduction to the current Italian context, highlighting the strengths as well as organizational challenges related to cyber defence in the PA. Then, we provide a description of our proposal, which aims at improving the resilience of the country system and developing an “active” (i.e. proactively defensive) cyber defence capability.
Specifically, we propose a variation of code reuse, namely, the reuse of results of Security Testing performed locally (e.g. Penetration Testing performed by local PA nodes present on the national territory) through a nation-level centralization. The main goal of this new framework is to enhance the protection of the most vulnerable links (local PAs) of a complex system (the National PA) while optimizing public resources.
The context where the present proposal has been conceived is the current state of cybersecurity in Italian PA. Starting from the need to protect the Information domain, the notion of Information defence has been recently defined by the Italian law (2013, subsequently revised and adapted in 2017) with the aim of defining protocols to manage critical situations.
The current definition of the national cyber defence system involves several actors, among which the Prime Minister, the Interministerial Committee for the Security of the Republic (CISR), the Department of Information for Security (DIS), the External Information and Security Agency (AISE), and the Internal Information and Security Agency (AISI). More recently (2019) regulators have provided a clearer definition of national cyber security standards with regard to prevention and response to cyber events, with the aim of ensuring a high level of security of the networks, ICTs and IT services for PAs and public or private entities operating in the national territory.
Beside the reaction to ongoing attacks, a fundamental approach to avoid damages in the
Information domain is to prevent cyber attacks (“Prevention for Mitigation”). With regard to
proactive defence, AgID defined the guidelines for the acquisition and reuse of software for
public administrations (May 9, 2019) with the aim of reducing costs of PAs. These guidelines
require that the source code of the software produced by PAs (either on commission or through
internal resources) be released as an open source project, so that other PAs can reuse the
software. However, a PA node is not forced to use the software produced by other PAs. In fact,
the guidelines describe the selection process in three steps [
Each phase is preliminary and mandatory for the following ones. The third phase is divided into two sub-phases, where both the feasibility of the implementation of a new solution and the adoption of current proprietary ones are studied; the administrations are required to carry out both analyses, which will be compared during the choice phase (“make or buy” evaluation).
In particular, the solutions taken into consideration during the research phase must meet a series of constraints and criteria; in any case, if even one of the constraints is not met, the solution cannot be eligible. However, external constraints (time constraints, specificity of the issue raised by the PA node, etc.) may lead PAs to find and adopt proprietary software meeting all the constraints more likely than software-reusing solutions.
It is also stressed that proprietary software is often designed for a specific context, therefore
its characteristics and configuration strongly depend on the laws and organization of the state
(Italy in the present discussion). This also leads to consider such proprietary solutions as “niche
products” since software produced for Italian PA is often not under the eye of the ethical hacker
community and software houses rarely organize bug bounty programs[
The development of national cybersecurity strategies has received interest because they have the potential to align the needs of national security with those of economic growth: the latter promote proactive security for the design of all digital policies. Indeed, proactive defence can increase the ability to prevent, deter, and detect cyber attacks response in a coordinated manner, including the diferent institutions involved in the cybersecurity framework.
There are diferent approaches regarding the countermeasures that a private company or
a public body can adopt to prevent possible attacks to its infrastructures. Among them we
mention:
1. Vulnerability assessment (VA) and Penetration testing (PT) [
While such approaches are well suited for anticipating possible consequences in the event
of cyber attacks, in practice they present issues that cannot be ignored. Taking up some of
the challenges presented in “The future of Cybersecurity in Italy: Strategic focus areas” white
paper [
Based on the previous discussion, we introduce a proposal to promote proactive security and increase the ability to prevent, deter, and detect cyber attacks in a coordinated manner with the various institutions involved in order to meet some of the challenges highlighted in the White Paper.
The proposal consists in the high-level design of a new class of processes to manage information content regarding security tests as a resource. The expected efect of this design is to introduce a new observable criterion, i.e. the useful information content regarding security test, to formalise and enhance the concrete implementation of secure connections among nodes of the PA. This criterion not only can integrate the efective approaches and in-use recommendations with active cyber defence capability, but also represents an explicit discrimination among diferent nodes of the PA: the information content can be shared and accessed only based on the actual security needs of the diferent nodes of the PA, beyond their functionalities. In addition, our solution encompasses in a natural way the guidelines issued by AgID regarding code reuse for PAs: specifically, it solves several limitations of the current organization also highlighted in the White Paper, directly addressing the code reuse paradigm.
In order to clarify the points addressed by our proposal, we start from cost reduction for verification, which represents a major limitation for some institutions (such as small PAs). Then, software solutions adopted in distinct nodes with similar needs may take advantage from the reuse of security tests and the information on bug fixing: this can result in a larger set of in-use solutions to evaluate and update before moving to other proprietary software, which prompts cost reduction and enhances the adoption of certified and verified solutions. Finally, it is worth stressing that this approach could also solve the limitation introduced by automated tools, since the time saved in the analysis phase allows to transfer resources for additional, in-depth analyses. In this regard, multiple tests on software assets may be needed in order to explore vulnerabilities arising in diferent configuration settings: we stress that these tests do not represent redundancy, instead they improve the accuracy of PT/VA exploring potential vulnerabilities in diferent environments.
As well as for software, behind the concept of “reuse” there is the observation that diferent PAs acting in a common context often share the same solutions, either from AgID-promoted reuse or from proprietary solutions. As a consequence, in the case of VA/PT, the same components could be analyzed. The first implication is the violation of one of the main desiderata we want to satisfy, that is, cost minimization. An approach to solve this issue is to avoid redundant double-checks through the sharing of reports from VAs and/or PTs carried out by PAs. In particular, this allows to: 1. minimize costs: it is the obvious consequence of sharing. In this way, it is possible to analyze in detail only those solutions that are not yet equipped with security test results or with specific configurations; 2. support small PAs in the protection of their assets: shared results should be available to all PAs (limited to those concerned, for obvious security reasons). In this way, even PAs that are not capable of in-depth analysis can provide an appropriate level of security. At a deeper level of detail, the results could be accessible only to a given set of PA nodes, e.g. those nodes that have adopted the same software (nominal approach) or those that perform similar functions (functional approach); 3. notifying new vulnerabilities: the technical manager of a PA can be directly notified about new vulnerabilities in the assets he is in charge of. Furthermore, these communications can certify that updates have been notified, so the manager is required to update the system accordingly.
Given the sensitive context, results cannot be publicly shared and access must be granted only to certain specific entities. In addition, results should be made available without providing information about the PA that performed the test in order not to disclose its technological infrastructure. In any case, information can be shared only after the security bugs found have been fixed (case zero).
Operationally, this proposal requires both a dedicated platform, which establishes an oficial communication channel for notifications and information exchange encompassing the whole network, and an active participation of the technical staf in charge of its management. For each PA node, the technical managers should be involved whether the PA receives a report after a security test, or after a modification of the assets. In detail: 1. The PA that has carried out the security test first verifies that the discovered vulnerabilities have been resolved by the vendor; then, the PA uploads the results on the platform specifying vendor, product, version, and impact of the vulnerability (CVSS score [19]) with a description of such vulnerability. It is also possible to indicate who carried out the test. 2. The PA that modifies its technological infrastructure, in terms of both hardware and software assets, updates these changes on the platform. In this way it can be notified for any already known problem, or for future ones.
Organisations such as CSIRTs are natural candidates to manage the platform, but the proposed framework introduces a bottom-up approach beyond the scope of CSIRTs: information and queries on security tests come from PA nodes and actively involve the whole PA network, including small PAs.
The logical flow of interactions to enable Security Tests reuse is mainly determined by requirements. We start from the constraint coming from the current AgID guidelines and good practices in PT/VA.
• Security Test execution (e.g. PT) must be conducted by a third party vendor and must not be performed by the PA or the vendor that developed the software. • There are standard scenarios that should be considered by any PA: information acquisition associated to new software introduced in the PA node; information retrieval and update regarding existing software in the PA node; information retrieval and update regarding new software in the PA node. • there exists non-standard, context-based scenarios that may generate new process schemes.
This eventuality has to be considered by default, in order to trace, assess, and possibly accept the process or correct it.
In order to contextualize the following process schemes in the same scenario while complying with the previous requirement regardless of the software being analyzed, we will adopt the convention of two distinct actors, associated respectively to software sales and to PT/VA services. Actors: • PA (1, 2, 3, . . . ): public administration; • SW-1: Software vendor. This actor develops, customizes, and sells the software to PAs; • PT-1: Security test vendor. This actor sells security tests to public administrations; • PLATFORM: the platform. 3.2.1. Process scheme 1 1. PA1 buys software from SW-V1 2. SW-V1 provides the software to PA1 (e.g. sw_calcoloImu v1.0) 3. PA1 requires a security testing service from PT-V2 4. PT-V2 executes the security test and provides the report regarding security bugs and 0day to PA1 5. PA1 sends the security bugs and 0days found during the security test to SW-V1 and requests the bug fixing of the software (e.g. sw1_calcoloImu v1.0) 6. SW-V1 executes bug fixing on the software according to the agreement between all parts (e.g. sw_calcoloImu v1.0) 7. SW-V1 releases the fixed version of the software (e.g. sw1_calcoloImu v2.0) 8. PA1 uploads on the platform the security bugs found during the security testing (e.g. security bug and/or 0day) for software version 1 (e.g. sw1_calcoloImu v1.0) developed by SW-V1 9. PLATFORM notifies all PAs that have registered the software on the platform for vulnerabilities that have been added on the specific software version 10. Every single PA checks the software for which a vulnerability has been reported. At this point there are two possibilities: a) the PA has the vulnerable software b) the PA no longer has the software among its assets 11. PA2 requires the latest version of the software to SW-V1 12. SW-V1 releases to PA2 the latest version of software the (e.g. sw1_calcoloImu v2.0) 3.2.2. Process scheme 2 1. PA1 requires to PLATFORM an updated list of vulnerabilities regarding their software assets 2. PLATFORM provides the vulnerability list to PA1 for every single software owned by PA1 3. PA1 analyzes the vulnerability list from PLATFORM. The list can be made as follows: a) it contains recent information for some components owned by PA1 i. PA1 contacts SW-V1 for bug fixing of information that meets 3.(a) ii. SW-V1 provides the fixed version b) it contains outdated information (e.g. the date of the last security test performed on a single software version is older than 6 months) or does not contain information (e.g. some security test has never been performed on that specific software version) for some components owned by PA1 i. PA1 requires a security test to PT-V2 regarding the assets that satisfy point 3.(b) ii. PT-V2 executes the security test and provides the report regarding security bugs and 0day to PA1 iii. PA1 updates its assets based on the report provided by PT-V2 iv. PA1 uploads the results of the security test on PLATFORM
Note that the attributes “recent information” and “outdated information” in Point 3 of Process scheme 2 are related to implementation aspects that are independent of the proposed logical structure. That is, the attributes may depend on factors such as the addition of new functionalities to the software under consideration, individual assessments by the PA, or criteria related to the periodicity of testing based on safe software management guidelines (e.g., “to be performed preferably every 6 months”). 3.2.3. Process scheme 3 1. PA1 buys new software assets from SW-V1 2. SW-V1 provides the assets to PA1 3. PA1 updates its inventory by adding newly acquired assets 4. PA1 adds newly acquired assets to PLATFORM 5. PLATFORM provides a list of known vulnerabilities regarding the latest assets added based on the information provided to the platform 6. PA1 analyzes the report to check that all new assets are up-to-date and have no known vulnerabilities
The implementation of the reuse of results of PTs described above could bring efective advantages both from a microeconomic and a macroeconomic point of view. These advantages represent a tangible, i.e. measurable efects, since the economic indicators can be assessed to evaluate the efectiveness of the proposed approach at diferent scales: • improved evaluation of public spending policies: if the description of some vulnerabilities has emerged during the execution of a PT and the information regarding the patched version of the same software under test is available, public spending can be reallocated on diferent investments; • competitive advantage for territorial ecosystems: the whole country system would gain competitive advantage, for example through the empowerment of PAs that are unable to execute PT in a regular and constant manner due to budget issues or dificulties in ifnding specialized personnel; • support to policy makers in the spending review, based on secure information from a trusted network; • choice of the diferent sectors where to intervene: saving in a sector enables potential reinvestments in other ones (e.g. cultural goods, environment, health, etc.).
We can identify some advantages from the microeconomic point of view using the concept of economies of scope: with this term we refer to the savings resulting from the joint production of diferent products, or the pursuit of diferent objectives through the use of the same production factors. In this way, one can reach the production of diferent types of goods with the same class of resources. Using this notion, it is easy to identify the efects of the reuse of PTs results as the benefits of the investments made by an individual entity of the PA for all the other entities sharing the same need.
On the other hand, the proposal would also have a macroeconomic efect due to the considerable savings by the PA. In order to quantify them, we start from the public savings in formula = − : a lowering of the public expenditure () would mean greater public savings, which could allow a lowering of taxes ( ). It is also worth recalling that overall savings are given by = + . Therefore, greater public savings would lead to greater overall savings. In the Keynesian theory, the macroeconomic identity = applies. Then it is evident that the increment of the overall savings corresponds to increased investment () and, therefore, prompts an overall improvement in national GDP.
Macroeconomic advantage emerges not only from greater economic-financial resources that may cover diferent needs, but also in terms of redefinition of strategies shared among diferent local nodes of the PA. A modification of the structure of information sharing entails a corresponding change in the set of feasible solutions or policies for resource allocation; in particular, the present approach does not exclude possible strategies, but it introduces new ones. A practical example is the reuse of useful information from VA/PT carried out on some specific components of a given asset: if a PA node does not have suficient resources to ensure the fulfillment of all the criteria required by national guidelines, it can limit to recover missing information, assuming that complementary information is already available after testing and sharing actions by other nodes. In principle, this knowledge can support the strategic administrative planning of individual nodes, bringing possible reciprocal benefits.
Finally, the reuse of security tests or, more precisely, of the useful information they provide, can also lead to advantages at supranational, e.g. European level. This aspect concerns the adherence of the policies adopted by the EU with regard to open data. Moreover, the reuse of information coming from security tests can be configured as a secure-by-design channel of communication between two types of actors, namely, the purely national level (PA) and the international level (vendors).
This contribution proposes a new framework that aims at supporting national PA in meeting the requirements posed by digital transformation in compliance with European recommendations. In turn, this framework also paves the way for new savings and business opportunities for public and private Organizations.
There are several research directions to refine this proposal: first, information coming from the reuse of security tests assumes new value, which can become a new asset for Organizations. The added value brought by information sharing can be exploited to explore new organization reward models with the goal of enhancing transparency in PA-oriented cybersecurity. Such a perspective is set up as a form of circular economy with immaterial resources, which is strategically important not only for individual PA nodes, but also for the country system and, more generally, for the EU. Also Vendors could get benefits from such an framework: increased transparency in the security testing requirements for a specific node of the network may integrate partial information already available to the PAs, both in terms of reduction of fallacies in the testing process (for instance, violations of the condition in the Guidelines) and market access beyond the local scale (i.e. countrywide).
In this work we have presented a high-level structure without providing a specific real-case context: this approach is motivated by the possibilities ofered by this level of abstraction, since the proposed scheme may be adapted to several distinct contexts. There may be situations where diferent security needs and conflicting requirements (e.g. confidentiality vs. accessibility) lead to ad hoc implementations of this framework. For instance, new security layers may be introduced, where diferent ofices or Entities within the stratified PA structure have their own security requirements and associated counteractions. The opportunity to adapt the logical structure to the contextual characteristics of nodes fits well with the complexity of Italian PA and may enhance secure information sharing between central and local/periferic levels. On the other hand, the context-dependent implementation of the present framework, which is typical of large-scale technological systems, requires specific validation procedures for each context.
In this way, the proposed framework: • introduces data separation in the access to information, making information exchange asymmetric between these layers as formally defined by the Principle of Least Privilege [20]: local layers cannot access to central information preventing vertical privilege escalation access; • may support the definition of communication layers (e.g. alerts) based on specific security qualification levels that are expected or required at each node. This enhancement may stimulate a clearer definition of fields of competence and responsibilities related to cybersecurity in the PA, in order to send relevant information to target Entities that are able to interpret it and counteract cyber-risks; • allows to share information without getting access to the original data (e.g. original reports), which may be confidential. We can get the access to information without disclosure providing only confirmation for specific queries by a node of the PA regarding its software assets, which promote the required counteractions and enhance, rather than compromise, the security of the PA network. [17] T. Ball, The concept of dynamic analysis, in: Software Engineering—ESEC/FSE’99, Springer, 1999, pp. 216–234. [18] Y. Stefinko, A. Piskozub, R. Banakh, misc and automated penetration testing. benefits and drawbacks. modern tendency, in: 2016 13th International Conference on Modern Problems of Radio Engineering, Telecommunications and Computer Science (TCSET), IEEE, 2016, pp. 488–491. [19] P. Mell, K. Scarfone, S. Romanosky, A complete guide to the common vulnerability scoring system version 2.0, in: Published by FIRST-forum of incident response and security teams, volume 1, 2007, p. 23. [20] F. B. Schneider, Least privilege and more, in: Monographs in Computer Science, SpringerVerlag, 2003, pp. 253–258. URL: https://doi.org/10.1007%2F0-387-21821-1_38. doi:10.1007/ 0-387-21821-1_38.