Oireachtas Joint and Select Committees
Tuesday, 23 May 2023
Joint Oireachtas Committee on Foreign Affairs and Trade, and Defence
Engagement with the National Cyber Security Centre
Dr. Richard Browne:
I thank the Deputy for her questions. Defence or resilience has never been a solely military question anywhere. I could speak at length about how hybrid works at a governmental scale. Having civilian agencies or entities like ours engage in resilience and security matters is the norm globally. This is an important realisation.
Regarding the HSE specifically, this is a complex area for reasons everyone will understand, but I will be brief. The HSE is an operator of essential services, or OES, which is the legal term, under the first NIS directive. As such, we have been regulating and auditing the HSE's cybersecurity, including prior to the incident. Its technology was not unsafe. There was some speculation in the media that, for example, the fact it had some older operating systems and older computers was a source of some risk. It was not ideal, but it was nowhere near instrumental in the incident. Bizarrely, older infrastructure survived this incident better than newer infrastructure did for the simple reason that the older infrastructure could not run the malware. That itself is a complicated story.
Compliance is not the same as security and security is contingent on human decision-making. The PricewaterhouseCoopers, PwC, report that was published at the end of 2021 made clear some of the issues that had arisen within the HSE, largely as a consequence of 18 months of pandemic, which made the issue particularly complex. How any state pursues cybersecurity compliance is extremely complex. I sat for several hours with the White House director of cybersecurity, Ms Kemba Walden, recently in Belfast and we had the same discussion about how the US had been dealing with compliance. Their most recent national cybersecurity strategy – our 2018 strategy is one of the strategies it is based on – wrestles with exactly the same problems we have. It is not easy to compel large organisations to deal with a complex, nebulous and changing issue like cybersecurity. The powers we are seeking in the context of the legislation and NIS2 are designed to allow us to do that better, but there is no complete solution. The bad guys are always looking for a way in, vulnerabilities, one person to make a mistake or an organisation to not be fully prepared, and then there are problems. The price of security in this case is eternal resilience – not just stopping the incident from occurring, but detecting it as it occurs. To use an air accident model of risk, what happened in the HSE saw a whole series of vulnerabilities lined up in the Swiss cheese model in exactly the wrong way and it had a very serious incident. Stopping that requires a cultural organisational response. I could speak at great length about that, but I will not, as I do not want to take up too much of the committee's time.
By the way, we were centrally involved in the HSE response process, but the scale of it – again, there were hundreds of thousands of end points – was such that it took a long time to clean out that network.
As for timing and staffing and our sanction, we have ten staff either in security clearance, that is, we are waiting for them to come through, or to come to us off panels. That is happening. We have another person starting the week after next. It is happening over time. We have a substantial staffing bid in for next year. The number will not surprise anybody in terms of our ambition. My ready reckoning is that we will need to grow to a similar scale in at least the next three years. Our building in Beggar's Bush has room for well more than a hundred people, and we do not plan to have those seats empty for too long. What will happen beyond that, beyond three to five years? It depends ultimately on the roles we have and how many additional roles come to the NCSC, but I cannot see a situation emerge where we will ever reduce the number, to put it to the Deputy like that.
Senator Craughwell asked a question about location. My view essentially has not changed. The Senator referred to colleagues in Israel and Poland. I know all those gentlemen very well. I sit next to my colleague from Israel on the International Counter Ransomware Task Force. We all have our own challenges. Part of the issue in some jurisdictions is that cyber is Balkanised, that is, broken up between different organisations across government. The reason there are cyberdirectors in prime ministers' offices is that that person co-ordinates cybersecurity functions. We do not have that. Our cybersecurity function is centralised in the NCSC, so I can be a single point of contact across Government and can go directly to the Department of the Taoiseach myself.