Mr. Padraic O'Reilly:

On the previous occasion I appeared before the committee, we spoke about the response to the health service attack and about the infrastructure the State had in place to address it. The analogue for me, when I was thinking it through, was the Colonial Pipeline attack and how a small number of staff at the US Transportation Security Administration, TSA, were looking at it and being supervisory. That was woefully inadequate and it was directly analogous to what Ireland was dealing with at the time, in respect of the size of both the staff and the problem. The essential services sector here is large, as is the critical infrastructure sector. A small group, therefore, of five or six employees at TSA with oversight for pipeline security was not going to get the job done. Immediately, therefore, our legislators put more regulatory heft behind it and it is now being moved from being voluntary to more direct requirements and regulation. We are transitioning that.

As for the recent Act that has emerged, I do not think there is any analogue in Ireland, as far as I know. That said, while we have an entire agency - the Cybersecurity and Infrastructure Security Agency, CISA - with a very large budget that is in charge of critical infrastructure, we still have problems.

The Russians have still infiltrated the government and energy sector here. We recently had an alert and unsealed some indictments around Russian actors from 2011 to 2018 who were doing espionage and basically exfiltrating data. While it is obvious that Ireland needs to devote more resources to it, the story is maybe not as dark as it could look. We are finally getting our act together here in the United States with respect to risk management and we are maturing a programme.