Ossian Smyth (Dún Laoghaire, Green Party) | Oireachtas source

I thank the committee for inviting me to participate in this morning’s meeting to consider the EU cybersecurity strategy and the alignment of Ireland’s national strategy for cybersecurity. I am joined by Mr. Richard Browne, acting director of the National Cyber Security Centre, NCSC, my adviser, Mr. David Clarke, and Mr. Peter Hogan, principal officer in the cybersecurity and Internet policy division of my Department.

I welcome the committee’s interest in this important issue. Cybersecurity has correctly been identified as a strategic priority for the European Union to safeguard the benefits of the digital transformation happening throughout Europe. In addition to the growing interconnectedness of digital services, we must recognise that cyber criminals do not respect national borders. Thus, it is essential that the member states of the EU work together to strengthen co-operation and information sharing across borders.

The EU’s cybersecurity strategy for the digital decade sets out an ambitious agenda to meet the growing challenge of cyber threats. The EU has, correctly, seized the opportunity to be a global leader in promoting and protecting an open, free, stable and secure cyberspace grounded in human rights, democracy and the rule of law. The strategy includes an ambition for the EU to achieve technological sovereignty in response to emerging supply chain risks. This will involve strengthening cybersecurity capabilities within the Union through the EU’s industrial strategy, as well as funding cybersecurity skills development and research.

The strategy includes some novel and interesting proposals to enhance co-operation and information exchange between member states and with relevant EU bodies, including a proposal for a secure connectivity system, utilising quantum computing and satellite communications infrastructure. The strategy also details the range of cybersecurity legal instruments the EU has published and will follow, such as the review of the network and information security, NIS, directive; the implementation of common cybersecurity standards for EU institutions, bodies and agencies; and the proposal for horizontal legislation on security standards for connected devices.

I share the ambition of technological sovereignty and supporting indigenous enterprises and academic institutions to deliver Irish and European solutions to strengthen the security of data and critical services. However, as the European Council has emphasised, this must be balanced with the Union’s key objective of preserving an open economy. I am also conscious of the rapid increase in the number of cyber attacks and the crippling impact they can have, as we saw earlier this year with the ransomware attack on the HSE. While it is important to develop the European cybersecurity ecosystem, we cannot lose sight of the need to take positive steps, today and tomorrow, to deploy best-in-class hardware and software to defend networks and systems, whether these come from Europe, the US or elsewhere.

I also highlight the importance of global co-operation to combat cyber criminals. When Ireland suffered its most serious cybersecurity incident last March, we shared information with partners in Europe and received great assistance from the cyber incident response teams in a number of member states. We also received assistance from agencies in the UK, the US and further afield. I am convinced of the need to enhance information sharing and co-operation throughout the Union and with like-minded third countries.

I welcome the leadership shown by President Biden and his administration in building a global alliance to combat the ransomware gangs who have caused havoc in recent years. In the Irish context, co-operation and information-sharing with the UK Government is vital and there is excellent engagement between the NCSC and its counterparts, both on a North-South and east-west basis.

The NIS 2 proposal will be the key implementing Act for the EU’s cybersecurity strategy. Ireland is playing an active role in the ongoing negotiations in the European Council. We welcome the Commission’s initiative and it is timely to review the NIS directive, in light of the massive shifts in the global cyber threat landscape. Our focus in the negotiations is to ensure the directive, when finalised, provides a solid basis for practical measures at national and Union level to strengthen the cyber resilience of critical services and important industry sectors; to facilitate information sharing and exchange of best practices; and to strengthen our capacity to respond to major cybersecurity incidents. This is a considerably important legislative file and it is vital we get this right.

I will speak briefly about Ireland’s second national cybersecurity strategy, which was published in 2019. The vision behind the 2019 strategy is to allow Ireland to continue to safely enjoy the benefits of the digital revolution and to play a full part in shaping the future of the Internet. This involves the protection of the State and its people and critical national infrastructure from threats in the cybersecurity realm; the development of the capacity of the State, research institutions, businesses and people to better understand and manage the nature of the challenges we face in this space; and engagement by the State, nationally and internationally, in a strategic manner, to support a free, open, peaceful and secure cyberspace.

Under the NIS directive, we are required to review the strategy next year. This was also a recommendation of the NCSC capacity review which we commissioned earlier this year. I welcome the committee’s consideration of the EU cyber strategy and look forward to its report. I have no doubt that report will be a valuable resource to inform the review of our national strategy.