Oireachtas Joint and Select Committees

Wednesday, 30 March 2022

Joint Oireachtas Committee on Transport, Tourism and Sport

Cybersecurity and Hybrid Threats Following the Russian Invasion of Ukraine: Discussion

Dr. Michael Scott:

I will dive straight in. In 2012, I retired at the rank of associate professor as head of the School of Computing in DCU. My research area is cryptography. Immediately after leaving DCU, I co-founded a start-up, Miracl.com, based on this research in the area of cybersecurity. I am currently employed full-time working in a cybersecurity role in Abu Dhabi. I was a contributor to the report from the Commission on Electronic Voting that led to the scrapping of insecure electronic voting machines in Ireland back in 2006. While in DCU, I shared responsibility for pioneering a master's degree in security and forensic computing, one of the first cybersecurity master's degrees in either Ireland or the UK, and which has been running for at least the last 20 years. I have been keenly following cybersecurity-related developments in Ireland.

There can be no doubt that the Russian invasion of Ukraine has heightened the global concern around issues of cybersecurity and their potential impact on our sovereignty. There is no Geneva Convention in cyberspace; anything goes. Attackers can be hard to trace, and they often maintain a plausible deniability relationship with their governments. Critical systems depend on computers that can be hacked. The ransomware attack on the HSE demonstrated the real-world damage that can be done. Incurring the displeasure of physically distant foreign governments can now have serious local consequences.

On our response to date, fortunately, due to our intervention back in 2006, the Irish electoral system is secure, based as it is on complete transparency and the non-use of Internet-connectable devices or "stupid old pencils", as members will recall them being called. Thus, our electoral system is beyond the reach of cyberattackers. However, that was a close-run thing. There was a lot of naivety back then, but as luck would have it we avoided a trap that many other countries have stepped into in the supposed interests of modernising their electoral systems, while completely ignoring the complex security issues that can arise. Therefore, more by accident than design, we got off to a good start in the cybersecurity stakes.

Academia was not slow either. In academic circles, the growing importance of cybersecurity as a discipline was realised early on. Indeed, since the turn of the millennium, universities have maintained a steady stream of cybersecurity graduates to satisfy a growing demand from the private sector. There was a lot of awareness that cybersecurity was going to be a big thing.

However, in 2012, six years after the voting machine controversy, the European Network and Information Security Agency, ENISA, published a report which described the evolution of cybersecurity strategies of each of the EU member states. The report is still available online. Even Luxembourg gets a mention, but Ireland is not mentioned at all. Clearly, we were right at the back of the European pack, literally doing nothing at a national level that the EU could detect, back in 2012. Thus, 2012 is year zero for Ireland's national efforts in cybersecurity. Probably as a consequence of the ENISA report, the NCSC was established. However, I suspect that we were just doing the minimum necessary to placate the EU. Investment was minimal. As far as I could make out at the time, the NCSC was a kind of two-men-and-a-dog operation working out of a couple of rooms in UCD.

Fast forward, then, to the Government’s completely inadequate response to more nudging from the EU, with the launch of the National Cyber Security Strategy 2019-2024, which I interpreted as a can-kicking exercise. The NCSC was to be expanded and provided with more resources. When the HSE hack happened in May 2021, it was certainly a wake-up call. The response was not at all impressive. While I was following the media coverage, I was unaware of any expert response from the NCSC, and I could not name the equivalent of the Tony Holohan figure who might have provided some reassurance to the public that we had this under control. In fact, despite closely following the media coverage, I was unaware of any NCSC response whatsoever to the crisis. The NCSC itself is shrouded in secrecy, so I can only make a few observations about it. It appears to have been under the same leadership since its foundation. Its website contains no names. There is not a single name of an individual on the website. All the articles are anonymous. The Irish Examiner published an interview with the centre's director in 2021. Such an interview was described, in the article, as being rare, and no photograph of the director was allowed to appear next to the article. I can conclude, therefore, that a culture of secrecy exists within the NCSC. Personally, I have seen no job advertisements for the NCSC. My suspicion is that it is, in fact, largely staffed by secondments from other services.

At a meeting of this committee in September 2021, the Minister of State, Deputy Ossian Smyth, said "Most of what is being done is not secret and does not need to be hidden from people". However, in reality, it is secret and it is hidden. At the same meeting, an independently commissioned report, which was heavily redacted, nonetheless concluded that the NCSC was not fit for purpose as it was under-resourced and overtasked and its structural legislative foundations were totally inadequate. In short, the NCSC is secretive to the point of being invisible. Based on the redacted report and the HSE debacle, it seems reasonable to conclude that it is also largely ineffectual.

Here we are, facing into a deteriorating cybersecurity landscape, a situation made worse by the crisis in Ukraine. We are woefully unprepared, while being an attractive target for attack. We are, after all, a member of the UN Security Council. Expelling Russian diplomats can almost be guaranteed to provoke a dangerous response. We really need to start taking this seriously. Given our generally high standing in the world of IT, it is all rather embarrassing. As stated, I am currently working in the United Arab Emirates, a country comparable in size to Ireland, where they take cybersecurity very seriously and have shown themselves willing to make the necessary investment to build a strong centre of excellence in the area of cybersecurity to defend their national interests. This stands in stark contrast to the situation in Ireland.

I wish to make one last point. As I said in my introduction, there is no Geneva Convention in cyberspace. Therefore, the ability to counterpunch is an absolute necessity. It may go against the grain and against our traditions to develop an offensive capability, but as a means of deterrence, I believe it to be absolutely necessary.
