Eurispes, databases and security
PRESS NOTE*
Databases and security
Public administrations and private companies administer or collect in their databases an extraordinary and growing amount of information of very high sensitivity and criticality: information concerning the most sensitive aspects of the lives of citizens and businesses, such as health, judicial, economic-financial, banking and credit data, police data relating to personal life, and administrative data for access to public services and disbursements.
And while, over time, the ability to defend (technically and behaviorally) against attacks from outside the organization's perimeter has grown and is still growing, the same cannot be said of the risk of information being compromised and leaked from within, by an employee or collaborator who holds access privileges and diverts them to illegitimate or even illicit ends.
Where the pathology concerns internal conduct, numerous cases demonstrate the weakness of preventive alerts and the lack of timely discovery, as well as a low propensity for immediate reporting to supervisors and judicial authorities (what holds organizations back is sometimes the fear of reputational harm, other times the fear of potential sanctions for organizational and managerial dysfunction).
But the macroscopic fact is the still structural lack of automated, fine-grained monitoring of database accesses: monitoring that, through algorithms, constructs behavioral risk indices and thereby allows controls to be targeted selectively at specific accesses and specific employee conduct. This lack does not stem from technical complexity, but from a culpable underestimation of risk, a “proprietary” idea of the data collected and a presumption that their “internal” use is beyond question.
In the face of increasingly frequent breaches of important public and private databases, do citizens know what data pertaining to their personal lives are being collected and processed?
For example, do they know that every time they stay at a hotel or b&b their presence is recorded permanently and indelibly in police databases, on the basis of an obligation dating back to 1978, which exposes their personal and emotional lives without evidently adequate protection?
And what other data, such as sexual, political and religious orientation, are retained? What effective control is exercised by the Data Protection Authority?
The recent affair of Lgt. Striano at the DNA tells us that our economic-financial life is layered in a mass of data capable of irreparably affecting our reputation, combining information known to us with other information that even we do not know: positive, negative, assessments of mere suspicion, often without effective verification, outside our control but accessible to others and also used for political, family or industrial espionage, or even mere voyeurism.
In recent years, data have grown by leaps and bounds: public and private databases have not only poured an infinite wealth of information, previously analogue, into digital archives, but have also seen its quantity and detail increase thanks to the digital revolution. Databases are increasingly interoperable, with multiplatform and remote access and a greater dependence on a plurality of applications and software, leading to a permanent and very high risk of information dispersion and less control over its dissemination.
All this complexity has been matched by no corresponding awareness, culture or sense of responsibility, still less by fear of the consequences, nor by any effective and concerted planning and implementation of prevention measures (preventive alerts, need-to-know verification, monitoring of access patterns, etc.).
The latest cases (Striano at the DNA, Intesa Sanpaolo in Bisceglie, Equalize in Milan) demonstrate not so much, or not only, the number of malicious actors, public and private, that can endanger people's lives and data, but how the preventive safeguards are sometimes nonexistent, sometimes failing.
While the news media these days sketch even gloomier pictures involving organized crime and foreign intelligence, the most relevant question is lost sight of: what tools and methods are actually adopted by database managers, beyond the regulatory requirement, to prevent and contain risks that are physiological and plainly evident.
In the face of claims that access is controlled, it is now clear that this is not true. The control measures are there, but in practice they are not implemented: in fact, proceedings rarely arise from internal reports.
At the same time, while public administrations and private companies embark on much-publicized and admirable exercises in the application of Artificial Intelligence in the most disparate spheres, the effective safeguarding of critically important databases always seems to be entrusted to the analog intervention of the Judicial Authority, which, in the absence of automated prevention, uncovers “by chance” what has probably long been an established and widespread system.
While it can be expected that public and politically exposed figures will be spied on (a fact that is in any case very serious, but one that depends directly on their level of exposure), it is also true that this makes them easier to monitor and protect. By contrast, the market for abusive access and the deviant use of data for blackmail, unfair competition or the exercise of control over women, from what emerges, affects not a few but potentially everyone, and no alert is triggered for accesses to the records of an ordinary citizen.
Faced with such a serious emergency, the answer cannot be sought either in analogue-era rules, which remain abstract principles left to the virtue of a few, or in fiduciary reliance on database administrations. The European Union has long equipped itself with instruments that also, and especially, regulate public databases (the main one being the GDPR), giving the Data Protection Authority effective and powerful tools.
In parallel, on the digital security dimension, we now have the National Cybersecurity Agency.
In the face of what is happening, it is time for the Garante (the Data Protection Authority) and the Agency, regardless of the offenses the Judicial Authority is dealing with, to undertake an in-depth fact-finding investigation of all public databases, to understand what data they collect and process, on which people, for what purpose, and what technical and organizational methods are adopted to protect the information from internal and external risks.
At the same time, they should specifically state how data subjects can have access to the data referable to them, to check its integrity, timeliness and completeness.
In relation to what has happened so far, the organizational shortcomings, managerial omissions and management responsibilities that allowed illicit conduct to be carried on clandestinely and for a prolonged period, even in the face of enormous amounts of exfiltrated data, should then be identified.
The concrete evaluation of database prevention and integrity systems must be entrusted to university research centers, with consequent certification and accountability with respect to the suitability of the technical measures adopted; the analytical and predictive policing tools used, for example, in anti-money laundering must also be applied with respect to all those who have access to the information, in order to be able to identify systemic and behavioral anomalies according to statistical criteria (effective legitimacy, excessive amount or repetition of access, deviation from bands of statistical normality, etc.).
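The behavioral risk indices called for above, and the statistical criteria just listed (effective legitimacy, repetition, deviation from bands of normality), can be sketched in code. The following is an added illustration, not part of the Eurispes note and not any agency's real tooling; the audit trail, the need-to-know assignment map and the operator names are constructed for the example.

```python
import statistics
from collections import Counter, defaultdict

# Constructed sample of one day's audit trail (not real data): (operator, record consulted).
ACCESSES = [
    ("op1", "R100"), ("op1", "R101"), ("op2", "R200"), ("op2", "R201"),
    ("op3", "R300"), ("op4", "R400"), ("op4", "R401"), ("op5", "R500"),
    ("op6", "R600"), ("op6", "R601"),
    # op7: high volume, the same record consulted three times, records outside assignment
    ("op7", "R900"), ("op7", "R900"), ("op7", "R900"), ("op7", "R901"),
    ("op7", "R902"), ("op7", "R903"), ("op7", "R904"), ("op7", "R905"),
]

# Hypothetical need-to-know map: the records each operator is assigned to work on.
ASSIGNED = {
    "op1": {"R100", "R101"}, "op2": {"R200", "R201"}, "op3": {"R300"},
    "op4": {"R400", "R401"}, "op5": {"R500"}, "op6": {"R600", "R601"},
    "op7": {"R900", "R901"},
}

def risk_indicators(accesses, assigned, z_threshold=2.0, repeat_threshold=3):
    """Return {operator: [indicator, ...]} for operators whose conduct deviates."""
    per_user = defaultdict(list)
    for user, rec in accesses:
        per_user[user].append(rec)
    counts = {u: len(r) for u, r in per_user.items()}
    mean = statistics.mean(counts.values())
    stdev = statistics.pstdev(counts.values())
    findings = defaultdict(list)
    for user, recs in per_user.items():
        # excessive volume: distance from the population's band of statistical normality
        z = (counts[user] - mean) / stdev if stdev else 0.0
        if z > z_threshold:
            findings[user].append(("volume", round(z, 2)))
        # repetition: the same record consulted again and again
        for rec, n in Counter(recs).items():
            if n >= repeat_threshold:
                findings[user].append(("repeat", rec, n))
        # effective legitimacy: consulted records the operator is not assigned to
        outside = sorted(set(recs) - assigned.get(user, set()))
        if outside:
            findings[user].append(("outside_assignment", tuple(outside)))
    return dict(findings)

if __name__ == "__main__":
    for user, indicators in risk_indicators(ACCESSES, ASSIGNED).items():
        print(user, indicators)
```

In a real deployment the baseline would be each operator's own history and peer group rather than a single day's population, and every flagged access would go to a supervisor for review rather than being treated as proof of abuse.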
It is then imperative to overcome the “proprietary” perspective on data, which carries with it the unquestionability of the choices that public administrations (PAs), police forces above all, make when they allow the efficiency needs of their institutional activities to prevail over data security. The latter has equal, if not higher, rank and dignity than the former.
If PAs are unable to protect data, those that are not absolutely essential should not be collected and stored at all. In any case, technical-organizational inadequacy in data protection is a criterion that should directly hold accountable those on whom management, services and administration depend.
With equal candor, another issue should be addressed: the continuous outsourcing of technological supplies and services, coupled with the lack of adequate oversight of administrator privileges for access to platforms in use by the PA, represents one of the most serious alarms for the exfiltration of judicial and security data, which has still remained largely unheeded.
Currently, malicious accesses to the detriment of Prosecutors' Offices and Police Forces, even before penetrating databases, take place through the jungle of networks and devices, which lack adequate and conscious oversight owing to the vision of pure machine efficiency that prevails among PAs, where it is notoriously believed that security is the enemy of efficiency and an avoidable cost and, above all, where there is blind faith in technologies and suppliers.
Hence the remote management and control of applications and equipment, even of devices as simple as printers and scanners, combined with the mechanisms for acquiring and sub-contracting external resources (including and especially human resources) that are unverified and not subjected to the rigor of controls that should be demanded, result in a permanent vulnerability to organized crime, foreign entities and other hostile actors.
In relation to this, too, the model of cost-saving and technical objective pursued from the perspective of “functional efficiency” represents the failure of public safety. Prevention is a cost to be borne that nevertheless returns an extraordinary double value: protecting citizens and national interests, on the one hand, and ensuring trust in institutions, on the other.
This reasoning must also become a guide and a warning to guide companies and private entities that collect health, judicial, credit, utilities, and travel data, and that must ensure identical transparency in representing what data is collected (even apart from that conferred by data subjects), where it is stored and protected, and what preventive measures are in place to enable early alerts.
In this sense, the case of Intesa Sanpaolo (among the largest and most trusted institutions in the world) is a demonstration of the failure of prevention even in banking.
Since it is often precisely costs that hold back prevention, there must be specific spending obligations tied to the institutional value of the data or to the companies' turnover. Given that remedial action is often driven only by fear of reputational harm or of sanctions for managerial responsibility (two aspects that become almost preponderant once pathologies are discovered and established), new sanctions, or the aggravation of existing ones, should not only concern the occurrence of abusive accesses (for which rules and penalties already exist) but must concern first and foremost the responsibility of those who have the duty of guarantee and prevention, following the model that already exists (as regards data security) in the GDPR, which in our country seems to remain, unfortunately, only a paper tiger.
* Edited by Prof. Avv. Roberto De Vita, President of Eurispes Cybersecurity Observatory.