Oireachtas Joint and Select Committees

Wednesday, 30 March 2022

Joint Oireachtas Committee on Transport, Tourism and Sport

Cybersecurity and Hybrid Threats Following the Russian Invasion of Ukraine: Discussion

Dr. Richard Browne:

There are quite a few questions, some I will address in more detail and others very quickly. Taking the staffing and skill sets questions together, first of all I think having 45 staff members is achievable and with a tail wind we will go beyond 45 this year. We do not have a limitation in regard to resourcing. The limitation is finding people as fast as we can.

When I say “advanced stage”, it means we are interviewing at the moment. I am obviously limited in what I can say about that but I am interviewing on Friday and on Monday and multiple times throughout April. It will likely be into June by the time we start to see numbers arriving in force. At that point quite a few people will arrive. We had four separate competitions open, and closed. The closing date has passed. We are in the interviewing process for four separate competitions. There are two more to launch. That is the situation we are in. Four of six are well under way.

In regard to skill sets – this is an important point – it is important to note that we have a very advanced cybersecurity industry here by dint of the fact that we have a large technology sector, which has brought its own cybersecurity services. That has led to the creation of significant offices here working in very advanced cybersecurity fields. It is a huge bonus for us because we have direct access to companies here doing leading-edge cybersecurity research and providing leading-edge global services and skills. It also means of course that there is huge competition for those skill sets. That is a challenge.

The NCSC has focused in particular on incident response and forensics. Historically our primary role has been incident response. Over the next few years the committee will see it become much more diverse in terms of its functions because of European legislation and other things we know we should be doing. We are strong on incident response. We have a significant and deep skill set. The challenge may arise in those other areas as we go on.

In regard to its new strategy, a number of individual programmes are under way via Skillnet, the universities themselves and the universities working with industry to create new masters and degree level programmes, as well as diploma programmes in cybersecurity, but this is still a relatively young industry in that context. The supply chain of talent is becoming an issue globally. We are not unique in that regard.

As for facilities, we have secured a long-term facility. Our permanent facility will be in Dublin 4. It will be built to the full NATO security specification. As that process is also under way, our temporary facility only has to do us from mid-year this year until towards the end of next year. It is a relatively short-term facility. That does not mean it cannot be secure. It is being secured to a very high level. Of course that will be left to somebody else as a secure facility after we leave.

Regarding the compliance role, I will not go into detail on the types of regulators but, as a general point of principle, in most European countries the NIS compliance functions were devolved out at the outset. For example, the telecoms regulator – and we will talk about nuisance calls in a moment – took telecoms security as part of its general remit. The energy regulator did the same and so on. That is the general pattern we expect to see happen here. On the nuisance calls issue, this is a good example of why that has been the case. Telecoms is a matter for the telecoms regulator, the Commission for Communications Regulation, ComReg, and it has a particular role. It has a series of measures in place including a new nuisance calls committee, which is bringing together An Garda Síochána, people from the NCSC and people from across the telecoms sector to drive a series of measures. We have already taken some measures with it on particular types of nuisance calls, that is, those involving hyperlinks or Internet-facing services essentially. We are seeking to exploit that dichotomy where we make the telecoms and other regulators more directly responsible for regulating their industries and we deal with incident response and the higher level technological challenges.

Lastly, there are two things. The HSE incident is resolved. It was an extremely serious criminal incident which affected not just the HSE but also the medical staff, patients and the families of patients on a national level for several weeks. This is an extremely serious example of what can go wrong in a ransomware incident. It was, as is nearly always the case, a preventable incident. It could have been prevented, which is the really material challenge from our perspective. In terms of the lessons learned, the HSE took the brave and proper approach late last year of publishing a detailed analysis by PwC as to what exactly happened and what went wrong. That provides a very useful baseline for the HSE going forward. We continue to work with it, as recently as this morning, on the steps it should be taking to move that along.

The insurance issue is relatively new. I am not familiar with this act of war concept. Clearly under international law, cyberattack can be an act of war but usually for an insurance company or a commercial contract to reflect that, it would have to be declared as such by a state. That is something we might pursue offline, if the Chairman does not mind.
