Oireachtas Joint and Select Committees
Wednesday, 22 September 2021
Joint Oireachtas Committee on Transport, Tourism and Sport
National Cyber Security Centre Review: Discussion
I do not think that it is fair at all. I have read the report and really do not see it saying that the centre is structurally unfit for purpose but certain recommendations were made. We knew that the NCSC needed more resources in response to an escalating threat and escalating workload. That is why we commissioned the report to see where should the money be spent and where should the resources be directed. I absolutely agree that the centre needs a new headquarter building and new physical facilities to accommodate all of the new staff.
The Chairman asked whether a floor of the Department would be sufficient; he did not say that it is not sufficient. In fact, the space will accommodate 100 staff. We have examined in great detail what a security operations centre for a NCSC looks like in a number of different countries and specified that we wanted the best in class. So there was not a constraint about saying let us get something that is mid-market. We wanted to get the best that we could get and the long-term future is the headquarters facility.
In the near future, we will redeploy staff who are there at the moment to a temporary building. I have talked directly to the staff. I have asked them if they feel they are getting what they need, that there is a problem with morale, or there are any issues they wish to address with me. They are saying "No".
The Chair mentioned lost capacity and losing staff. Every organisation has a certain degree of churn, of people who come and go. Sometimes that is an indication of success within an organisation. If you go into an organisation and you develop great skills, you then have that option to move into the private sector or towards some other organisation. You have on your CV that you are somebody who was involved in national security and in protecting your own country at the highest level. Because the centre has such a good reputation, that is something very positive, and it is one of the reasons people want to work at the NCSC and that it does not have difficulty attracting quality staff. Again, from talking directly to the staff, that is the feedback I get from them. The fact some people come and some people go is normal within any organisation. Having fresh people coming in is a good thing. Having the perspectives of people coming from the Army, the Defence Forces, or An Garda Síochána are all positive things that help out.
The Chair also mentioned Windows 7 and the fact there are thousands of computers in the HSE that are still running Windows 7. If possible, one of the things you should do as part of your security hygiene is to have the most up-to-date patches on your operating system, all the updates that should be on your phone, and, where possible, you should not be using bits of software that are out of date. However, that is just one line of defence. That is part of what you should do. Like with the coronavirus where you should wear a mask, wash your hands, and stay two metres away, none of these things on its own is enough to protect you from an attack, and none of those things on its own is the reason you got attacked. The HSE was not attacked because some computers were running Windows 7, and it would not have been prevented if the computers had all been upgraded. That was not the problem alone. It did not help, but it certainly would not have prevented the attack from taking place. I can tell the Chair that definitively. I can also say the HSE was well aware that this was a risk. Richard Corbet, who was the chief information officer, took useful steps to minimise and mitigate the risk of running Windows 7. For example, he firewalled off those computers to one section of the network and added virus protection software. We do have a-----