Key takeaways from the Cyber 4.0 Forum 2024
About 400 institutional representatives, professionals from the private sector, representatives of industry organizations, SMEs, start-ups and students attended the second edition of the Cyber 4.0 Forum on June 3 and 4, 2024.
The event, which this year received the patronage of the European Commission and the Ministry of Business and Made in Italy, was held at The Dome at Luiss University and featured more than 60 speakers in more than 20 sessions on the topics of greatest relevance to the Center’s work.
These are the main takeaways from the event:
- The national regulatory and policy framework for cybersecurity is evolving rapidly. This is driven both by the European Union’s numerous regulatory provisions (the adoption of the NIS 2 Directive, effective October 17 next; the finalization of the Cyber Resilience Act; the adoption of the Cyber Solidarity Act and the DORA Regulation; and the finalization and forthcoming adoption of the AI Act) and by an increasingly structured national cybersecurity framework, which, under the leadership of the National Cybersecurity Agency, is involving an increasing number of institutions and sector entities in the implementation of the National Strategy 2022-2026.
- Of particular note, due to the direct involvement of the Cyber 4.0 Competence Center, are the actions under the responsibility of the Ministry of Business and Made in Italy:
- the strengthening of national cybersecurity skills, for the benefit of Public Administration (through training of top levels) and a general increase of public awareness (through a plan of seminars on topical issues);
- the National Cyber Industry Plan, aimed at fostering direct collaboration between research and industry, the development of innovative start-ups and SMEs in the country, and the strengthening of skills and professionalism in the sector, including through the action of technology transfer centers established by the Ministry – including Cyber 4.0.
(For more information, see the talk by Dr. Eva Spina, Head of the Department of Digital, Connectivity and New Technologies at MIMIT: https://www.cyber40.it/wp-content/uploads/2024/06/Eva-Spina.pdf)
- National reference institutions are working closely with the EU bodies that the European Commission has established to manage the coming years’ investments in cybersecurity. Crucial in this regard is the role of the European Cybersecurity Competence Center, based in Bucharest, in implementing the Digital Europe and Horizon programs aimed at strengthening the capacity and competitiveness of the cyber industry in Europe. Special attention will be paid to calls currently being awarded and those in the launch phase, with allocations of more than EUR 100 Mln (https://cybersecurity-centre.europa.eu/news/new-call-proposals-under-digital-europe-programme-eur-102m-support-deployment-actions-area-2024-06-17_en).
- On the subject of funds, the NRP, and more specifically the activities under Mission 4, Component 2, Investment 2.3, “Strengthening and thematic and spatial extension of Technology Transfer Centers by industry segments”, offers enterprises of all sizes a unique opportunity for grant co-funding to support the safe digital transition and the promotion of innovation through industrial research and experimental development. MIMIT, the holder of the measure, has created an ecosystem of more than 50 Technology Transfer Centers, including: a significant enhancement of the work of the 8 Competence Centers, the European Digital Innovation Hubs and Seals of Excellence (EDIHs), the European Testing Facilities, the European Digital Infrastructure Consortium, and the Emerging Technology Houses. The network of Competence Centers, in particular, encompasses 318 private companies, 59 universities and research institutions and 32 public bodies; about one-third of the total measure is allocated to it, and the Centers are entrusted with the role of guiding and training companies on the 5.0 transition and supporting innovation for the realization of new products, processes and services through advanced technologies. The post-NRP challenge remains open: a new interinstitutional governance of investment and business support policies will have to be established.
(For more details, see this talk by Dr. Donatella Proto, MIMIT’s PNRR UdM Director: https://www.cyber40.it/wp-content/uploads/2024/06/Sfida_innovazione_digitale_PNRR_Silvestri_Proto.pdf)
- The threat picture is constantly evolving and progressively worsening, both in terms of impact and in the number of events affecting public and private organizations operating in the country. Clusit notes a 65 percent increase in the number of attacks in 2023, compared with a global increase of no more than +12 percent. Victims are distributed across almost all commodity sectors, with a prevalence in Healthcare, Government, Finance and ICT, and about 40 percent of attacks had critical impacts.
Five megatrends stand out in the short term:
- Impact of geopolitics: The threat from ongoing and potential conflicts will lead to both state-sponsored and collateral cyber attacks, requiring strengthened cybersecurity measures.
- Emerging technologies: There is widespread concern that the use of emerging technologies such as generative artificial intelligence, quantum computing, and edge computing will rapidly advance cyber attack capabilities.
- Regulatory evolution: Evolving regulations such as DORA, CRA, NIS 2, the AI Act and post-quantum cryptography will lead to increasingly complex compliance challenges for organizations.
- Skill Gap: The shortage of qualified professionals results in greater vulnerability to cyber attacks and slower response times to security incidents.
- Cost Policies: What has been highlighted in the previous points leads to a continuous increase in required investments, which will have to be balanced against the needs for consolidation and efficiency, thus leading to the need to redefine corporate cost policies.
(For more details, see these talks by Alessio Pennasilico (Clusit): https://www.cyber40.it/wp-content/uploads/2024/06/Alessio-Pennasilico.pdf, and Nicola Vanin (Cassa Depositi e Prestiti): https://www.cyber40.it/wp-content/uploads/2024/06/Nicola-Vanin.pdf)
- In the medium to long term, ENISA’s 2030 forecast sees the following prevailing cybersecurity challenges, in order of criticality:
- ATTACKS ON THE SUPPLY CHAIN OF SOFTWARE DEPENDENCIES
- LACK OF COMPETENCES, which will continue to be a serious problem despite the initiatives launched and underway;
- HUMAN ERROR AND EXPLOITATION OF LEGACY SYSTEMS WITHIN CYBER-PHYSICAL ECOSYSTEMS
- EXPLOITATION OF OUTDATED AND OBSOLETE SYSTEMS WITHIN THE CROSS-SECTOR TECHNOLOGY ECOSYSTEM
- INCREASE IN DIGITAL SURVEILLANCE IN AUTHORITARIAN REGIMES / LOSS OF PRIVACY
- CROSS BORDER ICT SERVICE PROVIDERS AS SINGLE POINT OF FAILURE
- ADVANCED DISINFORMATION CAMPAIGNS, for geopolitical purposes, but also for mere economic return
- INCREASE IN ADVANCED HYBRID THREATS
- ABUSE OF AI, understood primarily as manipulation of algorithms and applications
- PHYSICAL IMPACT OF NATURAL/ENVIRONMENTAL INTERRUPTIONS ON CRITICAL DIGITAL INFRASTRUCTURES, including and especially due to climate change
(For more details, see this talk by Rossella Mattioli (ENISA): https://www.cyber40.it/wp-content/uploads/2024/06/Rossella-Mattioli.pdf)
- SMEs appear to be the entities at greatest risk of cyber attack, both because of generally lower technical and organizational defense measures and because of an average level of threat awareness that is lower than in more structured entities. The opportunities offered by the NRP are supporting an increasing number of small and medium-sized businesses in their actions to adapt and strengthen their defenses, but the ongoing action must be given continuity and made a permanent and systemic initiative. Moreover, the regulations being implemented risk finding many SMEs that operate in the supply chain of essential and important players largely unprepared, creating a stalemate in the national production system, with the consequent risk of loss of market share even at the international level.
- In the 2010-22 period, China registered 61 percent of AI patents, the United States 21 percent, the rest of the world 16 percent, and the European Union and the United Kingdom combined only 2 percent (2024 AI Index report). This scenario raises relevant questions about the effort that the European Union will have to put in place in the short term to support research on the topic with strategic actions and appropriate aid. In January 2024, the European Commission launched the AI innovation package to support start-ups and SMEs in this field (https://digital-strategy.ec.europa.eu/en/library/communication-boosting-startups-and-innovation-trustworthy-artificial-intelligence). On the regulatory side, much has been done, including at the national level, and Europe is the first region in the world to have a broad and all-encompassing instrument (EU AI Act) that directs AI development along a path of fundamental rights protection and clear and timely governance. A great effort awaits all so that the tools outlined can produce results in the shortest possible time. There is no doubt that this represents a great opportunity for Italian companies.
- Blockchain technology, after a peak of interest in the last two years, seems to have reached the expected level of maturity, and its application to concrete cases allows its distinctive features to be exploited, both in the production sector and in Public Administration. In terms of cybersecurity, of particular note are: the decentralization of data, which makes it more difficult for cybercriminals to access entire databases from a single access point; the immutability of data, which reduces the risk of fraud and manipulation; the characteristics of traceability and transparency, which make it ideal for increasing the level of trust in production processes (e.g., in the agrifood supply chain); and the possibility of integration into complex scenarios to improve their security (e.g., in the automotive sector).
- Quantum computing presents opportunities in the medium to long term, but it also poses new challenges for cybersecurity that need to be addressed on a shorter time frame. The level of technological maturity is growing, but practical applications are still limited and mainly experimental. Much of the research is focused on developing algorithms that can accelerate the solution of highly complex problems. Practical applications are also planned for industrial process optimization, in such contexts as materials simulation and financial modeling. A more mature field is Quantum Key Distribution (QKD), for which stable demonstrators already exist, some also developed in the context of Cyber 4.0 co-funded projects.
- Post-quantum cryptography then represents a very current area of interest, partly in view of the increasingly pressing need for cryptographic algorithms that can withstand attacks from future quantum computers. Indeed, these are expected to have the potential to crack many of the current cryptographic algorithms, such as RSA and ECC, putting data security at risk. Companies must therefore become “crypto-agile,” meaning they must be able to quickly adapt to new cryptographic standards as they are developed.
- The central theme and common thread of the interventions dedicated to training and awareness in cybersecurity first of all concerned the approaches pursued at the national and European level to deal with the “skill shortage” problem. Skill shortages and gaps in cybersecurity, and more generally throughout the ICT area, in fact characterize the national landscape both at the academic level and at the level of the business fabric and public administrations. Although endemic, the lack of professional figures and experts in the field finds possible solutions in the adoption of wide-ranging teaching programs that can involve students and teachers starting from elementary school, up to universities and Higher Technical Institutes.
- In addition to interventions in schools, whose effects can be appreciated in the long term, the organizations most directly affected by the skills shortage turn out to be businesses and public administrations. With this in mind, Cyber 4.0, partly due to its nature as a public-private partnership, is able to intervene directly on several fronts through its initiatives, with lines of action that can involve and provide aid and incentives to businesses, PAs and schools.
- As far as businesses are concerned, however, such activities cannot be separated from the adoption of an effective, long-term and context-appropriate teaching approach. It is precisely in this regard that it is essential to facilitate the gradual adoption of innovative approaches to corporate training, including gamification and learn-by-doing activities through the use of emerging technologies.
- Finally, with regard to upskilling in PA, in addition to planning training activities that prefer top-down approaches, primarily involving senior management, a topic of strong interest is the dissemination of a culture that puts shared responsibilities in cybersecurity at the center. Taking initiatives aimed at national cloud deployment as an example, in environments where technology procurement almost always goes through external providers and supply chains, a winning approach is to identify matrices of responsibility that ensure, on the one hand, that the service provided is secure and, on the other, that the service is managed securely by properly trained internal managers.
- The most effective and radical course of action to counter the “skill shortage” problem in ICT and cyber is initiatives and programs aimed at students, starting with elementary school. The goal is to enable the entry of new professionals into the world of work, who, regardless of their field of interest, accompany a strong competence in technology with a solid culture of information security.
- The specific session dedicated to students featured talks by those who have had the opportunity to benefit from the Center’s initiatives. The first testimony was from Mhackeroni, an Italian CTF (Capture The Flag) team founded in 2018 by a group of students passionate about cybersecurity from different academic institutions, united to combine their forces and achieve the ultimate goal of qualifying for the DEFCON CTF finals. Next, CyberX Mind4Future, an advanced cybersecurity training project organized by Cyber 4.0 in collaboration with Leonardo, was presented. Then it was the turn of the “Let’s Cyber Game” contest launched for students of Higher Technical Institutes (ITS), offering a hands-on learning opportunity through a competition aimed at developing a training video game in cybersecurity and cybercrime. Finally, the “At School Connected” project was presented, an educational program for middle and high schools aimed at raising students’ awareness of cyber threats and online security practices.