Oireachtas Joint and Select Committees
Tuesday, 25 May 2021
Joint Oireachtas Committee on Transport, Tourism and Sport
National Cybersecurity: Discussion
Mr. Padraic O'Reilly:
Certainly. The Colonial Pipeline attack expedited some things already under way in our government. I would second all the things the previous speaker said with respect to best practices. We still have challenges in the States. We spend quite a bit more on cyber, something like €20 billion per year. We have a lot of very good standards and organisations which generate such standards. The National Institute of Standards and Technology, NIST, does a fine job and the federal government does baseline itself regularly. That said, many challenges remain.
With respect to best practices, the committee could certainly look at the executive order just released from the White House. It is pretty comprehensive. The emphasis is really on information-sharing, to some extent, and on changing the acquisition contracts around companies that do business with the federal government. That emphasis is really around information-sharing as well. One of the big problems in cyber in the States is visibility into true risk. Frequently there are these informational problems; companies are not reporting what is happening to them as there is an incentive not to. However, fresh air is the best disinfectant. When I was asked about this issue recently, I basically said it is hard to do risk assessment if one does not have complete data sets. I hope to see from our government more emphasis on actually generating quality data sets with respect to risk because that will help governance structures make the improvements they need to make. I re-emphasise that the executive order is a real fount for best practice. I revisit it every day. Newspapers call me every day to talk about it. Its first recommendation is an interesting one; it suggests organisations should ensure logging practices are being done properly. There is a set of maybe ten things that can be done across the board, that are not prohibitively expensive, that can be measured, around which metrics can be put, and can get the critical infrastructure or the essential services sector on the right path.