Oireachtas Joint and Select Committees

Wednesday, 3 November 2021

Joint Oireachtas Committee on European Union Affairs

EU Cybersecurity Strategy: Discussion

Ruairi Ó Murchú (Louth, Sinn Fein)

I thank Ms Boix Alonso and Mr. Cuffe for coming before the committee. I hope I have pronounced the name correctly. I am fairly sure I got Mr. Cuffe's name right.

We all accept the reality of the world we live in and the dangers as regards cybersecurity. The ransomware attack on the HSE brought it absolutely home to us. My question breaks into a number of parts and, in fairness, the witnesses have dealt with some of them. I am looking for a greater amount of information. We all accept it is down to capacity and, of course, we all work better together. However, it fails miserably if nobody follows through on implementation, particularly as regards where the directives are at this point in time.

There is capacity at State and EU level. There is international engagement. We have had enough people and experts throw out commentary on certain states where there may be operations that almost operate on a subcontractor basis. While they are not necessarily within the employ of the state, they can be brought into action. We even heard commentary that they were generally given operational rules not to touch anything infrastructural on the east coast of the United States or anything that brings too much heat. I assume the ransomware attack on the HSE might have been one of those things where they bit off more than they could chew and could be the reason keys were handed over.

We suddenly became aware of the number of companies paying off money, including to avoid reputational damage. There was a report out a while ago that stated €22,712 was the average payment made. For small and medium enterprises this is not nothing. In many cases I do not think people got all of their information back. I suppose it was a case of mitigating harm from their point of view.

We have the capacity at localised level. We have had the National Cyber Security Centre, NCSC, review here. We were not up to scratch. We would like to think that in future we will have a greater element of capacity. This is accepting that it will always come down to the best level of digital hygiene that can be employed, whether at an individual level or a group level. This is an absolute no-brainer.

What do the witnesses see as regards the joint cyberunit? What will be its remit? I have a slight fear. We all accept the necessity to secure ourselves from cyberattack. The problem with this is that it has become conflated with general defence, a European army and these wider questions. This is something that has to be separated. This is not taking away from the absolute danger.

We have experts in the State who said the NCSC should probably have made greater use of the expertise we have in third level institutions. People have been running courses on cybersecurity over many years and have much more expertise than an awful lot of others. My question is on long-term proposals for what the unit will do and how we ensure we have and maintain best practice and capacity at a localised level. Some experts have spoken about an ability to disrupt. I will use the term "counterstrike". This would be in the middle of an attack.

There is also the issue of what we intend to do on an international basis from a legislative point of view or in conversations with certain states and certain players. We have all heard anecdotal stories on members of certain elements of the US Administration that may have made their voices clear to certain of these players. This is not something I would anticipate happening at European level. I apologise for the circular way I have asked these questions. It is about the unit and state and international capacity. It is what we do on an international basis. I would like a bit more detail. I thank the witnesses for their commentary.

