Market and security in the era of cyber risk. Standards and certifications for ICT security assets between the needs of free trade and national security in the European Union context

Federico Serini (University of Rome La Sapienza)

Abstract

Computer resources are essential elements for democracies. These tools not only serve as a means for individuals to freely express their personalities in new forms and ways through the network, and play a crucial role in facilitating communication, information sharing, and participation in democratic processes; at a technical level, they also make up the configuration and operational parameters of many infrastructures that provide essential services and functions for society and the economy (known as critical infrastructures). Consider the computer systems used by operators in the banking and financial, energy, transportation, communications, and healthcare sectors, as well as those used by public administrations and various government institutions.
These tools have become indispensable not only for the State itself but also for its components, primarily individuals and businesses. They play a vital role in the functioning of various sectors, enabling efficient operations, data management, and communication, and ultimately contribute to the overall functioning of society and the economy. At the same time, however, they are also responsible for transferring the risks of cyberspace into the real world. The intention to create a "global network" characterised by the principles of free access and interoperability led to the development of a system not designed to adhere to security criteria but rather to principles of open access and information exchange. These principles now clash with the possibilities of dual use of the network and information services, to the point that it has been warned that today «every society is as vulnerable as the information technology it uses» and therefore «the more advanced societies are, the more vulnerable they are».
This condition, according to which "cyber risk = social risk", highlights how the protection and guarantee of rights and freedoms in today's technological society also depend on the security of networks and computer systems. Ensuring the security of networks and systems is crucial for safeguarding the privacy, integrity, and availability of information, as well as for maintaining trust in digital interactions and transactions. It is an integral part of ensuring the overall well-being and functioning of individuals and society in the digital age. Public authorities have only recently turned their attention to this phenomenon (more or less starting from the late 1990s), following the increasing dependence of States and infrastructures on information technology.
The demand for security in cyberspace by States now clashes with the effects of this delay. Cyberspace is, in fact, an originally public phenomenon: born with the Arpanet project, it was subsequently developed and disseminated by private entities, beyond the control of States.
It is not a coincidence that the initial definitions of cybersecurity, computer security, and information security were formulated within the domain of "private law", specifically within technical sector regulations.
However, if in the digital environment it seems that there is no longer a State, territory, sovereignty, or even a people, but rather primarily private production of law, it is not solely because public authorities arrived "later," but mainly because the object of regulatory pretension, cyberspace, is a global phenomenon devoid of territoriality. Cyberspace represents a limitation on the action of public power, which, on the other hand, boasts an «original need for places».
In reality, as noted in the literature on this matter, cyberspace is a dimension characterised by the coexistence of immaterial components, such as connections, the electromagnetic spectrum, and operating protocols, which are not inherently tied to any physical space, and of material components, namely physical technologies like cables, routers, and switches, located within the boundaries of States and typically produced by private actors active in the telecommunications market.
The outlined morphology demonstrates that, in both realms, public action for cyberspace security requires cooperation with private entities. Regarding the immaterial profile, this cooperation aims to regulate what occurs "in" cyberspace, including the conduct and behaviours of users, among which cybersecurity threats can be identified. Concerning the material aspect, the aim is to ensure the security "of" cyberspace through the creation and development of market products and solutions designed with cybersecurity in mind, so as to progressively secure the digital environment.

This proposal is part of the Author's PhD thesis, recently defended in May (available in open access here: https://iris.uniroma1.it/handle/11573/1711004), and aims to reflect on the use of technical standards, from economic to social and political aims, in light of the regulatory framework outlined by the European Union regarding cybersecurity.

The high level of expertise required to regulate the subject matter and the rapid pace of technological change have led legislators to increasingly delegate regulatory competence to standardisation bodies responsible for developing standards in areas heavily influenced by technical and scientific factors. Among these standardisation bodies, those focusing on the security of computer resources and information have gained increasing importance due to the close correlation between cyber risk and social risk. The growing significance of computer infrastructures, not limited to critical infrastructures alone, has led these regulatory instruments, originally developed within the private context to contribute to the smooth functioning of the market, to intersect with political and social objectives such as public order and the national security of States.
The occasion is thus to reflect on the entry of these non-legal norms, as tools, into the field of (European) cybersecurity, a new branch of security that arises from the private sector and now engages public law scholars.

©2024 Italian Society of Law and Economics. All rights reserved.