Ossian Smyth (Dún Laoghaire, Green Party) | Oireachtas source

I thank the Chairman and members for inviting me to attend before the committee today and answer questions. I am joined today by Mr. Richard Browne, acting director of the NCSC, and Mr. Peter Hogan, principal officer in the Department's cybersecurity and Internet policy division.

I am delighted to have this opportunity to present to the committee on the capacity review of the NCSC, which was completed last June. When we last met, the Minister for the Environment, Climate and Communications, Deputy Eamon Ryan, and I were awaiting the outcome of the review. I am pleased to report that the review was completed within the intended timeframe. I know that the committee was keen to hear the recommendations of the capacity review and ensure that the Government took appropriate steps to implement these as early as possible.

As members will be aware, in July the Minister obtained Government agreement to a substantial expansion in the staffing of the NCSC from 25 to 45 staff over the next 18 months, and to at least 70 within five years. The associated budgetary increase for the centre for 2022 is estimated at €2.5 million. The Government also agreed a significant package of other measures to further strengthen the capacity of the NCSC, including the development of legislation to establish the NCSC on a statutory basis with a set of formal powers and a legal mandate. These measures include: that the role of director of the NCSC should be re-advertised at a salary of €184,000, which is the deputy secretary general scale, to reflect the scale and importance of the role, and to attract experienced candidates; that the director will have responsibility for building and leading the NCSC, further developing the operational capacity and expertise of the NCSC and supporting the development of the policy and legislative framework relating to cybersecurity in the State; that a single headquarters for the NCSC will provide the required security infrastructure and capacity, and that the centre will be accommodated within the Department's new headquarters in Beggar's Bush; that we will develop a five-year technology strategy for the NCSC which scopes its internal requirements and its relationship with academia and industry; that there is a measure to recruit people to 20 additional full-time roles; and that a cybersecurity graduate training programme will be initiated by the NCSC in 2021, with four computer science graduates recruited each year on contracts of three years' duration.

I have already shared with committee a redacted version of the executive summary of the capacity review. In respect of the findings of the review and the benchmarking exercise, there are some details that I cannot share due to national security considerations both in Ireland and in those countries with which comparisons were made. I will endeavour to be as open and transparent as possible with the committee, however. Where necessary, I will ask my officials to follow up with written replies to questions.

The capacity review recognises that the NCSC has grown considerably since its establishment in 2011. The consultants acknowledged that the NCSC team had developed significant expertise and capability in a relatively brief timeframe. The consultants found that staff at all levels of the NCSC are knowledgeable and highly motivated and have a clear understanding of the NCSC’s role and purpose. The consultants also remarked positively on the progress of implementation of the national cybersecurity strategy and the role that the interdepartmental committee has played in driving this work.

The consultants were tasked with charting a five-year course for the continued development of the NCSC taking into account the evolving threat landscape and the growing body of EU legislation on cybersecurity. The consultants proposed a new organisational structure for the NCSC and recommended that an incremental expansion be pursued over the coming five years. The capacity review recommends, as an initial step, that the headcount of the NCSC’s operational team should increase from 25 to 41 full-time equivalent staff, with numbers continuing to grow to in the region of 50 in year 3 and approximately 70 in year 5. In that context, the Government has decided to go further in the initial expansion of the staffing complement.

The capacity review includes more than 40 recommendations which have been categorised as high, medium and low priority and which cover issues from governance to technology to skills development. The capacity review recommendations will not be fully completed for some years and there are many interdependencies within them. For example, much of the recommended technology development requires a suitably equipped headquarters facility. A clear legislative mandate is necessary for the NCSC's functions to be expanded further.

I would like to provide the committee with an update on the progress of implementing the measures that were agreed by Government in July. Working with the Public Appointments Service, good progress is being made by the Department in progressing the delivery of the increase in headcount that was recommended in the capacity review. I understand that in the coming weeks a number of open recruitment competitions will commence to recruit new staff with cybersecurity skills and experience to complement the existing team. In addition, we are availing of the Civil Service mobility scheme to redeploy staff from across the civil and public service who have an interest in the NCSC’s work. We are taking a broad perspective on the skill sets necessary for the NCSC’s range of functions, including stakeholder engagement, project management and compliance. The process has already begun and we are currently seeking expressions of interest.

The competition for the NCSC director, run by the Public Appointments Service, will be advertised this Friday. As was the case for the previous recruitment campaign, this will be an open process carried out in line with the established principles for senior recruitment to the civil and public service. I expect to see this competition concluded before year-end and a permanent director appointed as early as possible thereafter. The Public Appointments Service is using the services of an executive search company to assist in identifying suitable candidates. In the interim, we took the decision to appoint Mr. Browne as acting director in order to ensure that the NCSC has a full leadership team in place during this important period of transition. Mr. Browne has previously served in this area since 2014 so he was able to hit the ground running when he returned in July. His focus is in implementing the measures agreed by Government in July, and he and his team are already making good progress.

The development of the NCSC's headquarters will be managed as part of the redevelopment of the Department’s offices at Beggar's Bush, Dublin 4, which are expected to be completed in 2023. The acting director and chief technology officer, CTO, have worked closely with the corporate services area of the Department and the Office of Public Works, OPW, over the past two months with a focus on the design and layout of the new headquarters. This will be an important facility for the national response to a major cybersecurity incident and, as a result, we need to ensure that it is fully equipped. There are also international standards for the security of accredited computer security incident response team, CSIRT, which will need to be factored into the design, construction and fit-out of the new facility.

While the new headquarters are being developed, temporary accommodation will be required for the NCSC and the OPW has identified a suitable location for this temporary facility. Under the supervision of the acting director, the NCSC administration and CTO teams are currently working on the design and procurement for the fit-out of this facility.

Appropriate measures will be taken to ensure that this temporary facility can accommodate the NCSC as its staffing complement grows through 2022 and 2023. We will ensure that it meets the exacting international security standards for the CSIRT.

The development of a technology strategy for the NCSC is closely linked to the new headquarter project. The acting director and CTO have completed a review of the capacity review’s recommendations in respect of technology to inform the development of the new strategy. The CTO has also identified a number of priority investments which are part of the Department’s submission for the 2022 Estimates process.

Work has also commenced on the cybersecurity internship scheme which will complement the existing actions in the national cybersecurity strategy on cyber careers and skills. This scheme will be a priority action following the imminent recruitment rounds I referred to earlier.

Finally, in respect of the proposed legislation for the NCSC recognising the need to work in partnership with other Departments and agencies, at the recent meeting of the interdepartmental committee on the national cyber security strategy, a way forward was agreed by all members. To empower the NCSC to carry out its necessary functions, it is inevitable that the proposed legislation will provide for intelligence gathering, which will bring with it certain governance requirements as well as requirements on the legislative process. Officials in my Department are leading a consultation with relevant stakeholders which it is intended to complete before the end of this year. Thereafter, work will begin on drafting heads of a Bill which I hope to see progress through the Oireachtas before the end of 2022.

I recently attended the Estonian Digital Summit, where there was much interest in the Government’s response to the HSE cyber incident and the development of our NCSC. The conference theme was trusted connectivity. I was pleased to have the opportunity to engage in constructive conversations with peer Ministers from a number of EU countries, as well as Singapore and the UK, and I also had the opportunity to meet the Estonian Prime Minister. It was clear from the conference and discussions with other Ministers that the global landscape of cyber threats is at the top of the political agenda and that concerted international co-operation will be necessary to secure essential services in the face of these threats. During my visit to Tallinn, I also met with Ireland’s secondee to the Cooperative Cyber Defence Centre of Excellence, CCDCOE, and paid the centre a visit. There are great resources in the CCDCOE that we can draw on to inform the further development of our own cyber capacity, both within the NCSC and across Government. I thank the Chairman.