Oireachtas Joint and Select Committees
Wednesday, 22 September 2021
Joint Oireachtas Committee on Transport, Tourism and Sport
National Cyber Security Centre Review: Discussion
I have had a chance to digest the executive summary and wish to make a couple of comments. I think it would be a fair observation that the FireEye review is very much summarised. On the last page of the executive summary the review states:
In terms of wider engagement with Critical National Infrastructure (CNI), NCSC is currently under-resourced and over-taxed providing advice to c.120 Operators of Essential Services (OES) or Digital Service Providers (DSP), albeit the staff we spoke to were well-informed and highly motivated.
FireEye was generally complimentary of the staff in the current NCSC but the overall view that I got from the report is that the centre is not fit for purpose. The main reason for my comment is that one of the recommendations is the establishment of a cross-government task force with representatives. Has it been formed? Another recommendation is to develop a strategy for NCSC and provide it with a properly established and appropriately scoped mandate. In my view, FireEye basically states that the current strategy may not be fit for purpose. In fairness, the Minister of State stated, of his own volition, that the centre needs to be put on a statutory footing.
The Department will seek to bring in changes over the next year plus. Are we at a point where this work needs to be fast-tracked? I accept that there are issues about drafting legislation. Another recommendation is to provide the NCSC with a single headquarters facility. I am not certain that one floor within the Department can be categorised as such and ask the Minister of State to comment.
The report further states:
We recommended consideration is given to separating the Technical Authority and Competent Authority roles as part of this process ... A significant burden rests on NCSC to deliver against the strategy and, based on our review, it does not currently have the organisational design or capacity to achieve all of the objectives. A dedicated budget should also be assigned to achieve the NCSS's objectives.
Finally, the report recommends that the NCSC reduce its reliance on external capabilities and very much prioritise its internal capacity. Has the NCSC lost staff? The Minister of State mentioned boosting retention. Is the NCSC losing top-level staff?
A sum of €100 million was lost due to the cyberattack on the HSE and there was also a cost in terms of the impact on appointments. There is a report in one of today's newspapers that 30,000 of the computers in the HSE still use Windows 7 yet Microsoft came forward and declared that it did not provide security support for Windows 7 from 2015. When will there be a swap over to using more modern software?
I welcome the fact that the post of Director is being advertised now and has a salary of €184,000, which is very much in keeping with the views of experts in the area who have come before us. The recruitment campaign is being run by the Public Appointments Service. Does the service have the expertise to interview such a person? The cyberattack on the HSE took place in the middle of Covid and, let us be honest, there was a period when things got very hairy. Now that we have reached calm waters do we not need more based on this report?
The report was interesting and never criticised the staff and declared that they are very competent and very good. However, the report is highly critical, stating that the NCSC is not fit for purpose and that it needs its own dedicated budget. How big will the budget be?
The report refers to separating the regulator's post from the advisory one, and having a stand-alone headquarters. What I have in mind is that over the next two years we would see a fit-for-purpose NCSC and have stand-alone legislation in place. To bring the legislation forward would very much concentrate the minds on what should be in the centre.
The executive summary is pretty direct because it says: "However, legislation that gives 'statutory legal vires' to the full operation of cyber security capability ... is critical for an effective future operational posture." In fairness, the Minister of State has stated that and I would like him to address my points. The devil is always in the detail and the detail in the report, from what I can see, states that the current NCSC is not fit for purpose structurally. The staff are very good and performed exceptionally well under difficult circumstances. There appears to be an indication that the NCSC is losing staff. Is that the case? Is it possible, given this work is so important, to make this a two-year plan rather than a five-year plan?