Oireachtas Joint and Select Committees

Tuesday, 23 May 2023

Joint Oireachtas Committee on Foreign Affairs and Trade, and Defence

Engagement with the National Cyber Security Centre

Dr. Richard Browne:

Good afternoon. I am the director of the NCSC and I am accompanied by my colleague, Kerri-Ann Woods, who is the head of the project management team in the NCSC.

The mission of the NCSC is to lead in enhancing the security of essential network and information security systems in the State against cyber threats, facilitating a free, open, secure and stable digital ecosystem for the people of Ireland. We achieve this mission by a number of means, including by actively detecting and defeating cyber threats targeting critical infrastructure and critical networks in the State, leading the national cybersecurity incident response process and reducing risks to the State's critical infrastructure by strengthening its resilience. The NCSC also has a series of new roles around capacity building in the cybersecurity sector in Ireland and in setting certification standards.

I wish to speak about three things. I will talk about the current global state of affairs in cybersecurity and the risk level that it presents to this State. Then, I will talk about the work of the NCSC and how our capability is continuing to develop and our evolving role in defending the State against risks and threats in the cyber domain. Lastly, I will talk about the future, including future European legislation and the future political, economic and security challenges that we will almost certainly face.

To begin with, and reflecting on more than a year of the most recent Russian invasion of Ukraine, a number of things have become evident. The first, as was widely predicted before the event, is that cyber remains a key tool in the armoury of any state wishing to conduct offensive military action. The second thing is that, in this case, these attacks have been largely inconsequential in respect of the overall Russian military effort. There are three primary reasons for this. The first of these relates to an innate characteristic of cyber as a means of force projection. It is simply less effective as a destructive tool than many commentators have allowed for in recent years. The second reason is that Ukrainians were ready because they had endured years of similar offensive actions and because they already expected an attack. They have also taken and continue to take significant measures to protect themselves from the consequences of these activities. Lastly, Ukrainians have also benefited from massive external support from public and private organisations on a global basis, including the NCSC.

There have been some notable implications for cybersecurity in the rest of Europe as a consequence of the conflict in Ukraine also of course. Some of this relates to the ongoing risk of spillover in the cybersecurity domain, as has already happened to a limited extent in the Viasat incident. There has also been an ongoing and persistent series of so-called "hacktivist" attacks, which have extended over the vast majority of EU member states, including Ireland. These attacks have primarily been distributed denial of service, DDOS, type attacks and have caused little to no disruption to services. They do, however, indicate the existence of an organised campaign to harass service providers in Europe and a willingness to at least tacitly threaten further action against European infrastructure operators.

As ever, of course, the most pressing risk to services, businesses and infrastructure remains ransomware. This is now a highly-evolved, vertically-integrated industry with a significant number of well-capitalised and well-organised criminal groups conducting attacks on an ongoing global basis. Furthermore, this criminal ecosystem, which also includes a vast amount of cyber-enabled fraud, is evolving extremely quickly, developing and sharing new tools and techniques very rapidly.

There are, however, some reasons for guarded optimism at this point. Better international co-operation, particularly around intercepting these groups' revenue and targeting their core infrastructure, has seen some of the major groups fracture in the past few months. Also, it appears that the percentage of victims who were paying ransom continues to fall, at least partially due to the fact that victims are now more resilient. Critically, and this cannot be overstated, none of these groups, despite their capabilities, are unbeatable. Sensible resilience measures can dramatically reduce the likelihood of being targeted and can reduce the seriousness of impact if you are targeted or make it far easier to recover even if you are hit.

Moving on to the work of the NCSC, it is worth reflecting on the July 2021 Government decision on the future of the NCSC, which was based on a very detailed capacity review of the organisation, including setting a trajectory on staffing and technology development. The contents of that decision continue to be delivered, and in fact exceeded, with a technology strategy developed last year and the very significant evolution of the outputs of the organisation in the period since.

Regarding people, in the past 12 months, the NCSC has gone from 25 staff to 52 staff today, with sanction to grow to 62 staff this year. The organisation now has three directorates, each led by a director-level post and each with a team led by staff at principal officer grade. Furthermore, this far more robust management structure has allowed for a far greater specialisation of function within the organisation and the addition of entirely new functions, including the national co-ordination centre role and the certification team.

The operations team is responsible for incident response and detecting and defeating incidents before they occur. Previously led by a principal officer, it now has three principal officer-led teams, overseen by a director. The organisation now has a dramatically increased ability to defend against incidents at a national level and collect, manage and analyse cyber-intelligence material.

The resilience directorate has five teams, covering engagement, compliance, capacity building, certification and project management, each also led by a director. The range of work accomplished includes ensuring the compliance of critical infrastructure with binding security requirements, building and maintaining information sharing networks and working with industry and academia to support the development of the cybersecurity sector here.

The new technology directorate is awaiting the appointment of our new chief technology officer, CTO, which will happen later this year, but this team also already builds and maintains the systems, networks and tools we use, and is instrumental to the process of building our new permanent headquarters.

Quite aside from our capability developments, we have also made significant strides in both operational and resilience realms. For example, we fully revised the national cyber emergency response plan on the basis of after action reviews of previous experiences and conducted a full-scale national exercise to test this, using the energy sector as a basis. We also commenced the process of revising and deepening our long-standing information sharing structures, starting with a new Government cybersecurity co-ordination and response network called GovCORE, which also acts as our point of contact for the baseline standard. This is being followed by augmented cybersecurity information sharing, co-ordination and response networks, or COREs, in the local government, energy and digital infrastructure sectors.

The NCSC is now housed in an interim facility that is secured to international best practice and has the appropriate infrastructure for full international sharing of cybersecurity intelligence, as well as a full incident response suite. In turn, this has augmented our ability to conduct faster and more complete analysis and response to cybersecurity incidents and risks, and allows us to share information with colleagues globally on a real-time basis. Our permanent facility in Beggars Bush is on track for handover to us at the start of quarter 4 of this year. We are in the process of procuring the hardware and equipment for that facility at the moment. That new facility will allow us the space to continue to grow and develop and, perhaps most importantly, allow us to build out our new national-level security operations centre, SOC.

Lastly, I look to the future. By 18 October next year, the revised network and information security directive, NIS2, for short, will come into effect in Ireland. This will result in a dramatic expansion of the number of entities subject to the directive here, from just over 100 to at least 2,000. Unsurprisingly, this will have some dramatic implications for the NCSC and a great number of other entities in this State. It will take up a very significant amount of effort in the next 18 months. Also, in the coming weeks, a mid-term review of the national cybersecurity strategy will be brought to Government for approval. This will contain a series of new roles of the NCSC, which will be framed, in turn, in new primary legislation, with the general scheme of that Bill to be published by year end. This same legislation will also reframe the roles and powers of the NCSC as well as make provision for the transposition of several other pieces of EU legislation.

In addition to all of this, the technological underpinnings of the world we live in are beginning to change very significantly. Were I sitting here a year ago, I would have spoken about the shift to cloud computing, the challenges associated with post-quantum cryptography or perhaps the need for security by design to be implemented at every level of the supply chain. All of these are still factors today but are entirely overshadowed by the first public outings of generally available artificial intelligence.

This technology has been much-heralded and has seen a vast amount of investment in the last decade. It is not an overstatement to suggest that this is at least the single most important technological development since the Internet, and it may well turn out to be more important than that. Like any such technological revolution, the full effects of this will take years to play out, and perhaps even longer than that. Already, it is clear that these tools will be extremely powerful, with applications and implications across the full range of human behaviour and activity, including in security. We have already published a blog on the matter and will have a piece of guidance available for public servants in the coming weeks.
