In today’s interconnected world, cybersecurity stands as a paramount concern, with its implications spanning from individual privacy to the stability of nations. It is a field that continually evolves, adapting to new threats and challenges that emerge with each technological advancement. To delve into the heart of this dynamic landscape and explore the innovative work being done, we recently had the privilege of interviewing Annaleda Mazzucato and Marco Montironi from Fondazione Mondo Digitale.

In our conversation, Annaleda and Marco shared their perspectives on a wide range of topics, from the role of their organisation in collaboration with TRUST aWARE, to the global challenges and trends shaping cybersecurity research. We delved into the future of cybersecurity, the objectives behind their upcoming awareness campaign, and the impact of digital engagement with citizens on building stronger cyber protections.

• How would you describe your organisation’s role working with TRUST aWARE? 

Annaleda Mazzucato (AM): Fondazione Mondo Digitale is a non-profit, third-sector organisation that operates throughout Italy and collaborates with organisations at an international level to promote inclusive innovation through the use of new technologies, in education and training, work, and social settings. In order to ensure that technological innovation is at the service of all citizens, even and especially the most disadvantaged, Fondazione Mondo Digitale proposes initiatives to support digital literacy and citizenship, the upskilling and reskilling of skills for employability and work; and contributes to numerous research and experiments related to the development and use of technologies that put the citizen at the centre of the process. In line with these objectives, the Foundation participates in the project by engaging citizens of all ages in the co-design of the TRUST aWARE solution in order to ensure its responsiveness to specific needs so that it can transform the way they use devices and navigate the web, while respecting data and of safety. By applying consolidated methodologies over the course of experience in this area, the Foundation not only ensures the active participation of users in the pilot phases of the research project to bring them consciously closer to the development of technologies at their service, but also and above all develops around this process real training activities, for empowerment and capacity building.

• Let’s talk about a topic that has been gaining worldwide importance in recent months and that now generates a very strong impact on national economies and policies: cybersecurity. In your opinion, what are the greatest challenges facing cybersecurity research today?

Marco Montironi (MM): I believe that the biggest challenge is the exponential growth of the effects of cybercrime in everyday life, in practice the blocking of essential services often accompanied by the theft and disclosure of data, especially in the health sector. This is because the software used for this purpose is now within the reach of anyone, not just professional hackers, thanks both to the availability of generative tools (so-called artificial intelligence, but also simple automatic programme generation) and to the presence of real paid services that easily allow anyone to carry out an attack aimed at a specific target.

The second, and probably even greater, challenge is to overcome the belief held by most citizens, namely that cyber security is something that only concerns insiders, thanks to very sophisticated and incomprehensible tools; instead, cyber security involves everyone, willingly or unwillingly, by the mere fact of having a smartphone connected to the Internet in their hands, and that a great deal depends on their own behaviour. Finally, I cannot fail to mention the problem of the extreme ease of falsification of news, which is matched by an assimilated difficulty in recognising such falsification.

• How do you see the field of cybersecurity evolving over the next few years? What emerging technologies or trends are you most excited about?

MM: Being primarily concerned with privacy, I am very focused on solutions that can increase the protection and security of personal data. Amongst these, I have recently become very interested in the issue of age verification for access to online services that require it; it is a question of having legal certainty of a user’s age while guaranteeing the confidentiality of what he or she does on the web, and recently methods are appearing and being tested that should achieve this result, which could also be replicated for the verification of other individual characteristics. This is just one example of a discipline that is little practised at the moment, privacy engineering, i.e. the development of new solutions that can be easily used by anyone and that solve problems related to personal data legislation and indirectly to cybersecurity.

More generally, I am interested in the evolution of cryptography (an indispensable tool whenever we talk about data security) with respect to the advent of quantum computers, which will revolutionise computing as we know it today. On the one hand, these new computers will make even the most secure of cryptographic methods based on traditional computers obsolete, simply due to issues of computing speed; but on the other hand, they will make new algorithms possible, and we will see how efficient and secure these will be.

• Considering the work that TRUST aWARE does, in assisting with social media sharing of your upcoming awareness campaign; what are your main aims of this campaign?

AM: During the phases of piloting the TRUST aWARE solution, a gap in terms of understanding and knowledge of citizens of all ages and levels of expertise in the use of the digital was highlighted regarding security and privacy and the associated risks. Hence, the need to support citizens increasing awareness and skills in this area, implementing within the project not only training activities but also awareness-raising initiatives that could reach as large a number of people as possible, providing practical advices. The campaign, which was implemented during 2023 and will continue in 2024, reached over 20,000 citizens from 16 to 80 years of age, providing information useful for recognising risks, and practical advice on how to counter them, while giving free access to materials and in-depth training courses available both on the TRUST aWARE platform and on the FMD Academy. Like the previous edition, the new campaign will target citizens of all ages and digital skills, and will have the dual purpose of informing and training so that they become aware users and are able to activate strategies to protect their security and privacy, while promoting citizens activate engagement in the TRUST aWARE solution co-designing process. The campaign will be active on the main social media channels of Fondazione Mondo Digitale and TRUST aWARE, and thanks to the collaboration with the project partners it will be extended beyond Italy to other European countries.

• How does working with citizens through digital and physical events, as well as workshops, have a positive impact on new digital protections?

MM: Security and privacy (S&P) threats are the most critical risks exposing citizens when using digital services and they are the combined result of numerus factors, such as inappropriate software engineering practices, bad user habits, and lack of regulatory enforcement and certification mechanisms. TRUST aWARE tool solution is developed following a user centric co-creation approach, based on a participatory process of assessment actively engaging citizens from all ages and background skills. In the context phase, Fondazione Mondo Digitale turned this research phase, corresponding to the piloting of the tool components, in an opportunity to develop a novel approach to cyber literacy training. Applying methodologies such as scenario maps, contextual inquiries, and walkthrough, the participants’ suggestions for implementations were collected, but most of all the components were used as a mean to educating and informing users about their cyber threats. In practical terms, as the tool provides users a score ranging from “no sufficient security and privacy guarantees” to “perfect security and privacy”, despite the complexity and multi-dimensional nature of this information, the feedback supports the opportunity to make the risks explainable and allows users to identify, and most of all learn about the specific threats and issues, such as a large number of SDKs, lack of sufficient information in their privacy policy, lack of encryption to upload sensitive data to the cloud, etc. TRUST aWARE solution became in this way a cyber literacy and empowering tool, or as one of the users said: “The possibility to test hands on an example of risk, helped me understanding the risks itself in practical and less technical terms…I can say the tool explain me what is all about in the context of my daily life and habits on the Internet or using a device”. Certainly, working with citizens through digital and physical events, as well as workshops, improved their confidence to use technology for work, learning and daily life and furthermore enhanced their trust in software, so how a software application determines and implements safeguards for instance shown users that software can provide safety, privacy, security, reliability, and data ethics with their online programs or devices, and this is the foundation to create a secure digital world.

• How does cyber security research and policy in Europe compare to what is being done in the rest of the world?

MM: From a technological point of view, Europe has always been significantly behind the American giants, and the few other realities that have established themselves on the cybersecurity market mostly come from Asia; making up this gap is extremely difficult. Slightly better is the situation of research and skills, which are not lacking, but which are not always exploited and succeed in giving rise to European players that are competitive at world level. A virtuous example, I believe, is the TRUST aWARE project, financed by the EU and in which the Fondazione Mondo Digitale also participates, for which I had the opportunity to test the prototype of some tools and for which I found interesting potential.

Instead, where Europe leads the world is on the regulatory side. The last few years have seen the entry into force of the first regulations, and with others to follow shortly, they will form a homogeneous package of standards for regulating digital technologies and data. The important thing is that the driving principle of these regulations is that any tool or service that is available in Europe, thus also those managed by both public and private actors from outside Europe, must first and foremost guarantee the protection of the rights and freedoms recognised to individuals by the EU legal system; and secondly, that the security (understood in a broad sense) of essential services, both digital and non-digital, is guaranteed. These regulations are setting the standard in the sense that many other countries, including even China, are adapting with similar regulations.

• Let’s talk about network security in a more general sense. What, in your opinion, are the tools that secure network users today?

Marco Montironi: The tools we have been accustomed to in years past (such as antivirus and antispam, backups, firewalls, end-to-end encryption) remain indispensable, but the evolution of the threats to which we are all subject as network users make them absolutely insufficient. In this sense, the most important ‘tool’ of all is awareness: only by knowing, and keeping up to date on, what threats are involved in using the network is it possible to find a way to defend oneself. There can be no cyber security without training all users.

Wanting to get more concrete, the first tool I can recommend is to take the time to set the options that devices and online services make available to us; within the limits of the possible choices, this guarantees our control over the data we generate or have to use.

The second tool is the safekeeping of our digital identity, i.e. all that information that guarantees ‘that it is really us’ in the immaterial world of the Net; I am referring to the hated passwords, for which a change of approach is indispensable: either relying on the new ‘password-less’ methods, but which have the great defect of delegating a third party to the aforementioned safekeeping, or using password managers, i.e. those systems that store passwords in a protected manner (through encryption), enabling us to avoid remembering them by heart and thus setting them difficult to set at will and above all different for each individual case.

There is also a great flourishing of so-called privacy enhancing technologies, i.e. applications that complement or replace the better known ones, and which allow one to significantly increase the security and control of one’s own data; just to give one example, in the category of web browsers there are many, which with the same features and performance as the others prevent tracking and hidden installations. These tools are within everyone’s reach, but they do require some time, which unfortunately many often refuse to do.