Oireachtas Joint and Select Committees

Wednesday, 30 March 2022

Joint Oireachtas Committee on Transport, Tourism and Sport

Cybersecurity and Hybrid Threats Following the Russian Invasion of Ukraine: Discussion

Dr. Richard Browne:

On the Defence Forces question, I can quote from the 2015 White Paper that the role of the Defence Forces with regard to cybersecurity is to protect their own networks. We work closely with the Communications and Information Services, CIS, Corps which is the part of the Defence Forces that does this and they have a security incident response team, SIRT, of their own. They are equipped and trained to deal with that. In some ways they operate like any other constituent of the NCSC because we give them threat intelligence information and provide them with guidance and, like the Oireachtas or any other entity, that is their role. Clearly, the Defence Forces have a broader set of roles also but obviously some of those roles are in a space that is not usually discussed, or ever discussed, in public which, of course, also poses limitations for us to talk about them.

On a hierarchy, we all have our roles. The hierarchy is flat in that the Government has sovereignty and that is the way it has to work. There is obviously a question as to why cyber is being dealt with in a separate organisation and we have military, law enforcement and national security functions in both, and yet we have an entirely separate National Cyber Security Centre. That is entirely normal in a European context. Everybody, including in the US, has exactly the same thing. There is a civilian resilience response information provision body. It is the Cybersecurity and Infrastructure Security Agency, CISA, in the US and it is the National Cyber Security Centre, NCSC, in the UK, and so on, and "NCSC" is, in fact, a term used in most of Europe.

The term I tend to use is that cybersecurity is a confounding policy problem. It is in everything and everything is in it. Everybody carries around a computing device in his or her pocket and some of us carry more than one. These devices are privately owned, the networks that serve them are privately owned, the technology they run on is privately owned and yet they can be the subject of a national security incident and, in fact, anybody in this room could be the subject of one immediately. One ends up with organisations like ours that have this cross-cutting and sometimes confusing set of remits but which remain utterly essential. As we look at this, and we have been in the context of our legislation, this model is not waning. The model of an NCSC as a separate civilian organisation is, if anything, becoming more robust. Sweden and others are moving more in this direction also. This is a kind of new normal.
