Oireachtas Joint and Select Committees

Wednesday, 30 March 2022

Joint Oireachtas Committee on Transport, Tourism and Sport

Cybersecurity and Hybrid Threats Following the Russian Invasion of Ukraine: Discussion

Dr. Richard Browne:

I thank the committee for the very timely invitation. I have a prepared statement, which I will read. I am joined by three colleagues. We will be more than happy to take any questions members may have following my presentation.

I stress that there are limitations to what I can say for reasons of national security and the security and privilege of our clients. Let me start with the cybersecurity implications of Russia’s ongoing invasion of Ukraine both in general and for Ireland. Ukraine has been victim of a series of cyberattacks over the last decade and has been in many ways patient zero for the more serious and sometimes destructive attacks and incidents we have heard so much about.

Similarly, it is clear that the Russian state possesses and is willing to use very advanced offensive cybersecurity capabilities, and has sought to deploy at least some of these in the run-up to and during its most recent invasion of Ukrainian territory. However, at least as far as can be determined, the effect on target of these has been minimal so far. The precise reasons for this may not be known for some time. However, it appears that a combination of Ukrainian preparedness and targeted assistance from elsewhere has helped reduce the effectiveness of cyber tools in this case, rendering them a less effective complement to conventional weapons.

There are of course manifold implications for national and international security flowing from the war on Ukraine by Russia, including the creation of profound uncertainty about the immediate future. On that basis, threat levels and risks may change, rapidly and seriously. However, at present, the NCSC’s assessment of the risks to this State - in general and not just limited to Russian activity in Europe - is as follows. The threat from cybercrime against the State, including Government and private sector, continues to be high, particularly from ransomware. We have not seen any change to the rate or seriousness of these types of incidents since the onset of the war and expect to continue to see attempts to extort money from entities here.

The threat from destructive cyberattacks conducted directly against the State or entities here continues to be low. The NCSC has not observed any evidence to suggest that there has been significant preparatory work under way. However, there have been some reports of increased scanning activity both in Ireland and across the European Union and US. The NCSC assessment is that there is no evident intent by any party to launch attacks against the State. Similarly, there is no evidence of this type of activity being launched against other EU states either. However, the NCSC assessment is that the risks of an incident affecting a service operating at a European or global scale, and of a second or third order effect on services here is moderate.

The threat from cyber activism against Ireland continues to be low. There has been a very pronounced increase in this type of activity in Russia and Ukraine, but there is little evidence of this type of activity outside of this limited environment.

The threat from cyberespionage against the public and private sector in Ireland continues to be high. The NCSC assesses that the State continues to face a persistent, active and serious threat of cyberespionage against both public and private entities, and that this risk remains unaffected by events in eastern Europe. I stress again that this assessment and analysis may change, and change quickly.

The NCSC has been operating at a heightened state of preparedness since late last year in response to the tensions in eastern Europe and ongoing discussions at a European and international level on cybersecurity risks. We have contingency plans in place, in case of escalation of malicious cyberactivity impacting networks and services here. We are working with sectoral regulators and Departments to further develop these plans in key areas. We have arrangements in place to avail of external expert support, as required, including a number of third-party incident-response services which can be immediately made available to support Government or critical national infrastructure.

We have also issued a number of guidance and support documents, including most pertinently our NCSC Cyber Vitals Checklist on 1 February and a detailed advisory note on 17 February. This advisory detailed a risk assessment and appropriate advice regarding the ongoing situation in Ukraine. These documents and much more are publicly available on our website ncsc.gov.ie.

We are in ongoing contact with our counterparts across the European Union, as well as the UK, US and other countries to share information and monitor possible threats. We continue to work closely with the Defence Forces and An Garda Síochána and are in frequent contact with operators of critical infrastructure and services to monitor for possible malicious cyberactivity.

The message to organisations and operators at this time is very simple: we urge everyone to take the time to ensure that their cybersecurity risk assessments are updated and that their mitigating measures and response plans match the current situation. The NCSC Cyber Vitals Checklist remains a simple effective place to start for entities of any scale.

As members know, the NCSC is undergoing a period of expansion and development as a result of the Government decision in July 2021 to implement the recommendations of a capacity review which was initiated in the previous year. Since then, we have taken significant steps to expand the resources and capabilities of the organisation. We are in the process of filling 20 new permanent posts, most of which are at a senior level and the fit-out of a temporary facility for the NCSC is in progress with a view to occupation before midyear.

In addition to implementing the recommendations of the capacity review we continue to work on the measures set out in the National Cyber Security Strategy 2019-2024 with a number of measures fully achieved or at an advanced stage. This year we will carry out a midpoint review of the strategy to reassess priorities and incorporate developments and lessons learned since its inception. One critical area to be addressed as part of this review is the ongoing negotiations for a revised network and information security, NIS, directive, which supersedes some aspects of the 2019 strategy. The revised directive, NIS2, is expected to cover a broader range of sectors within a more stringent compliance framework. It is currently the subject of EU Council trilogue negotiations. It is in the latter stages of negotiations.

In the interests of time, I will skip briefly through our future planning. The NCSC headcount will grow to 45 at least by year-end and to 70 by 2024. The Government has committed to bringing forth a general scheme of a Bill to increase the powers of the NCSC by providing the legal authority to properly conduct monitoring and to gather and store intelligence on cyberthreats relating to national security.

The capacity review also recommended that the NCSC cease its compliance role under the NIS directive as it detracts from our core mission to defend cyberspace and act as trusted adviser to critical infrastructure. We are reviewing the options for devolving these functions to existing sectoral regulators in advance of the introduction of NIS2.

I remind the committee and interested parties that our website, ncsc.gov.ie, and our Twitter feed remain valuable and up-to-date sources for information on cybersecurity risks and threats. I would be happy to take any questions.
