Oireachtas Joint and Select Committees

Thursday, 6 December 2018

Public Accounts Committee

2017 Annual Report of the Comptroller and Auditor General and Appropriation Accounts
Vote 29 - Department of Communications, Climate Action and Environment
Chapter 8 - Measures relating to Cyber Security
Chapter 9 - Energy Efficiency National Fund

9:00 am

Mr. Seamus McCarthy:

Disruption to critical information infrastructure and networks has been recognised globally as a key strategic risk for all states. Critical systems and infrastructure at risk include those owned and managed by both public and private bodies.

The Department is responsible for the development of cybersecurity policy in Ireland, and for co-ordinating emergency responses to any national-level cybersecurity incidents. The national cybersecurity centre was established within the Department in 2011 to address those responsibilities. The examination was undertaken to review the progress made since the establishment of the centre.

The examination notes that the centre’s level of resourcing in its first four years of operation was significantly less than envisaged when the Government was asked to approve the establishment of the centre. The overall cost attributed to cybersecurity functions is not reported separately in the Department’s appropriation account. As a result, there is a lack of transparency around the availability and use of resources.

In 2015, the Department published a national cybersecurity strategy covering the period 2015 to 2017. Not all of the measures in that strategy were achieved. There is no national cybersecurity strategic plan currently in place.

At the time the strategy was published, it was planned that the overarching governance structure of the centre would be a high-level interdepartmental steering group that would oversee its work. The Department stated during the examination that the steering group had not met since the strategy was published in 2015.

In July 2016, the European Union adopted the directive on security of network and information systems with a view to achieving a common high level of cybersecurity within the EU. Transposition of the directive into Irish law was achieved in September 2018. However, a requirement of the directive is to adopt a national strategy that contains elements such as a risk assessment plan, a listing of various stakeholders and a governance framework. In the absence of a strategy, the Department is not meeting its requirements under the directive.

A number of recommendations relating to resourcing, transparency of costs, governance and strategic direction were included in the chapter. All the recommendations were agreed by the Accounting Officer who will be able to give the committee an update on their implementation.
