Oireachtas Joint and Select Committees
Wednesday, 22 September 2021
Joint Oireachtas Committee on Transport, Tourism and Sport
National Cyber Security Centre Review: Discussion
A European directive tells us that we must have a list of critical infrastructure organisations or operators of essential services and keep track of what is included on it. It is not always that obvious. Electricity and water service providers are included, but we might not think about many other essential parts of the economy in the same way. What we do is to provide those organisations with information. We get them to do risk assessments and we can audit those organisations as well. In addition, we have the legal power to request information from those organisations, and we have done that. We can also issue orders for compliance or enter their facilities. Generally, we do not need to invoke those powers. We have a co-operative relationship with those critical infrastructure providers because it is in their interest to ensure that they do not get attacked. The NCSC is there in a supportive capacity to help those providers to protect themselves.
As the Deputy said, 90% to 95% of this work is concerned with prevention. The glamorous end of activity in this area arises when there has been an attack and people come in to help. Situations like that are similar to when there has been a fire and then the fire brigade arrives. To continue the analogy with fire protection, however, the majority of the work must be done at the preventative stage. It is much more effective to spend money on preventing an attack happening than on trying to resolve an attack after it happens. Who is responsible for doing that work? It is the infrastructure providers themselves. In the same way that the fire brigade does not stop people having fires in their houses, it is useful-----