Mr. Cian FitzGerald:

I will begin by responding to Deputy Cronin's remarks on where these capabilities could lie. As Dr. Colfer stated, we are relatively ambivalent with regard to who oversees it. I will focus on the Defence Forces. The Commission on the Defence Forces has proposed the creation of a joint cyber defence command. At present, the Defence Forces generally focus on maintaining their communications internally. It is about operating within theatre and being able to have their communications operating properly. As the report stated, the joint cyber defence command would be a step up in the level of ambition in order that the Defence Forces would be able to play a role in the national cyber defence of the State, rather than just seconding people to the National Cyber Security Centre. Our recommendations in the paper focus on that aspect primarily. It is about levelling up the capabilities of the Defence Forces to be a player within the State's cyber defence.

On the question regarding intelligence, an additional matter we should consider is the role of open source intelligence. It is not just classified intelligence. Open source intelligence is playing an extraordinarily large role in the war in Ukraine. With pictures being posted on social media, it is quite easy to follow what is happening on the front lines. These images often raise questions but the ambiguity within these sources can also be used to construct information or disinformation. A good example is the questions relating to the presence of a drone over the Kremlin. It has yet to be identified but that is an example of open source intelligence with an ambiguous interpretation that could be used by both sides. I hope we will eventually find out who is behind that.

On the question regarding how we build our cyber force, there is a significant amount of expertise in Europe and the United States. We are already a member of groups on which we could draw. Deputy Stanton referred to the hybrid centre of excellence in Finland. There is also the NATO Cooperative Cyber Defence Centre of Excellence in Estonia. We are already a member of that centre. If we decide to enhance or level up the capabilities of the Defence Forces to be in cyber defence, we could draw on the expertise of those centres to help us in that regard. In the context of staffing in that regard, many armed forces in Europe have direct entry models. That is potentially something on which we could draw. We could draw on universities and recruit people directly in. Ideally, however, we would, in time, be able to train people internally within the Defence Forces to be part of the State cyber defence.

As regarding Russia's overall lack of progress in Ukraine and the potential expansion of the theatre towards Europe, members may remember that in February 2022, Russia's campaign was expected to last three days. It probably had systems in place for a two-week campaign at best but there has now been well over a year of fighting. As Russia continues to face repeated setbacks and fails to make progress and as Europe continues to provide support for Ukraine, we could see an increase in the level of threatening behaviour, such as the cable and the suspicious manoeuvres of boats, not just in Irish waters but also in the waters of our European neighbours.

I will jump to Deputy Stanton's questions regarding whether we are in a war. To echo the remarks of Dr. Colfer, war is normally declared. An additional element is that it depends on how we conceptualise this. Some analysts believe that Russia considers itself to be in a confrontation with the West. As Dr. Colfer stated, it is important for us to focus on and understand the fact that we are under attack and there are deliberate efforts to undermine the stability of our democracy and states and to limit our ability to act and make choices for ourselves. It is not just Ireland facing this threat; Sweden has also identified it in its national security strategy. This is not unique to Ireland but it creates an impetus for us to respond effectively. I hope that implementing some of the recommendations in my paper would constitute a very small part of that effective response.

As regards the request for examples, there are good examples. Estonia recently managed to thwart a large-scale attack on its institutions. Another example relates to the ongoing attacks on Ukrainian critical infrastructure as part of Russia's hybrid warfare against Ukraine. Its power systems are still being targeted but Ukraine has built resilience into its system. The first time the system was attacked, it was very disruptive, with a quarter of a million people losing power, for example. By the third or fourth such attack, however, Ukraine had reverted to analogue systems, such as using walkie-talkies to communicate, rather than digital systems. In addition, it has good backups on which it can draw. Much of this is about having the decisions made in advance rather than worrying about what happens if we are under a cyberattack. It is about having protocols in place to ensure that, in the event of a cyberattack, disruption is minimised.

As regards the use of offensive cyber, this is based entirely off recommendations from the Commission on the Defence Forces. The key word in this regard is "limited". I cannot comment on what that would mean. What it looks like is a question for policymakers. The commission recommends that the joint cyber defence command should have the capacity to carry out strategic reconnaissance, that is, to see inside other people's networks, or to conduct limited offensive cyber operations for defensive purposes.

As regards the deterrence playbook, which is from the European Centre of Excellence for Countering Hybrid Threats, Hybrid CoE, overall this paper tries to encapsulate some of the ideas that come from the cyber deterrence playbook. In general, the way I have conceptualised the paper is that we arguably have two parts to this deterrence. The first section is deterrence by denial, that is, making sure society is prepared. It is the equivalent to building a castle. The second part is exploring the use of deterrence by punishment, which is the use of limited offensive cyber operations to change the cost-benefit calculation. Ultimately, this is to try to make Ireland sufficiently resilient that we would not be targeted in the first place. It is about deterring attacks, rather than just being resilient in the case of an attack. It is also about trying to make sure we minimise the risk of an attack occurring. As Dr. Colfer stated in the context of the risk of a cyberattack against the energy grid, it is about pointing out what the vulnerabilities are. Of course, there are other vulnerabilities that exist in that regard. Making society resilient and ensuring all the boxes are ticked minimises the risk of those other vulnerabilities, not just the energy grid, being targeted.

As regards co-operation between the civilian and military , this is the overall impetus of the paper. What we have seen in states, including Ireland, other European states and other, much bigger states, is that, in general, running the whole spectrum of grey zone threats, modern militaries are struggling to deter or respond to these threats adequately because the threats target societies, not military installations. Ultimately, militaries are drawn from society but they are only one small part of this. In general, grey zone threats or grey zone antagonist activity is designed to circumvent the ability of the military to respond. The military has a role to play in countering disinformation, as well as in cyber defence and, for example, in ensuring Russia is not able to sabotage our cables. We are arguing, through this whole-of-society approach, that it is not just about the military. This also relates to other elements of the State security services, as well as to private businesses, which are often the targets of these cyberattacks. Universities are targets of cyberattacks, as are the multinational tech companies that operate here. There is an enormous amount of expertise and knowledge here already and a whole-of-society approach enables us to harness it to protect the State, rather than relying on a single section of society, namely, militaries, to do a job they are not best equipped to do.

Their best job is protecting the State against kinetic threats.