Oireachtas Joint and Select Committees

Tuesday, 23 May 2023

Joint Oireachtas Committee on Foreign Affairs and Trade, and Defence

Engagement with the National Cyber Security Centre

Dr. Richard Browne:

There is a lot in those questions. I will try to be as brief as I can.

The first question about hybrid was really well put. It is important to stress that when we talk about hybrid in this context we are in many cases talking about two linked and related but actually fundamentally quite different conceptualisations of hybrid. Hybrid warfare ultimately owes its origins to, latterly, the beginning of the idea of the three-block war in the 1990s, that is, that militaries in the future would have to fight a three-block war, and, later, thanks to General Mattis and Colonel Hoffman, the idea of a four-block war in the 2000s.

The conceptualisation of hybrid that we use in a civilian space, the one I referred to in terms of the hybrid centre of excellence, frankly flows more from the Russian concept of active measures, the idea of a purely civilian means of influencing, compromising and pressurising democratic governments. It is more in the latter space that we find ourselves. In that regard, and to go back to the centre of excellence's model of 13 domains, the key point is that those domains are all separate and independent. This is why hybrid works in the way that it does. In many cases, the domains are politically or legally separated. The courts and the Houses of the Oireachtas are separate from Government so no one entity can dictate or compel other entities to do things. In talking about how we are funded to deal with hybrid, a more fundamental question is that of how the State as a whole ensures that all of these domains are properly resilient to hybrid activity. As I will come to in a second, that is something the State has already made significant strides in. In that context, our role is really to lead on the cyber domain, but also across related domains in other areas to ensure they are all up to scratch or up to the same level. That is why our mission statement has that "lead" piece in it.

On the specific question of what the State does on hybrid, while it gets very little press, it is worth pointing out that, under the new legislation, the Electoral Commission has an express role in dealing with disinformation. In the last while, in conjunction with the NCSC, the Parliament, the Dáil - I am sorry, I am too used to speaking abroad - has passed primary legislation on how to deal with high-risk vendors in telecommunications. There is a significant amount of legislation being passed that deals explicitly with hybrid threats. Colleagues across Government are working on a national counter-disinformation strategy. The State is taking very significant steps to deal with hybrid threats and is doing so in the right way. Rather than relying on one area to lead on it, there is a whole-of-government response to these kinds of challenges. That is the first question.

The second question is in some ways related. It relates to the skill mix in the NCSC. The vast majority of our staff arrived with a technical background. They were recruited from technical competitions. They come from the private sector, the public sector, the Defence Forces and, in some cases, An Garda Síochána and have experience in dealing with these kinds of issues. It will not be much of a surprise to the Chair to learn that we now have some of the most experienced cybersecurity operators as regards dealing with live incidents that you will find anywhere in the State. Without a shadow of a doubt, in some cases, they are the most experienced. We have ten years of operational experience in dealing with the full range of cybersecurity incidents from criminal issues to national cybersecurity incidents. That gives us a very significant capability not just to deal with future incidents, but also to bring in and train new staff as these incidents occur. One of the reasons we have waited this long to do a mid-term review is that we wanted to bring in new staff and to spend the six or 12 months needed to bring staff up to where they need to be. To put it bluntly, the types of skill sets we need do not exist anywhere else in the State. We can get people who are close to the required standard and train them to the point we need. That addresses the skill mix piece.

On assets, the cloud and the types of issues faced in that regard, as the Deputy has pointed out, I obviously cannot and will not talk about operational issues but we see the full range of issues that would be seen on a global basis. Very few are in the public domain but, if you look hard enough, you will see that aspects of one or two have crept in. These details do not come from us but from other sources. Across the various different issues, we have seen very limited activity by way of destructive attacks. It happens but it is extremely rare. Espionage is an ongoing challenge for everybody in Europe. We talk to colleagues and know that everybody classifies the risk of espionage as high and remaining high. That remains our assessment.

Another issue we see, which goes back to the Deputy's comment on the amount of infrastructure we have here, is the prevalence of C2 and C3 infrastructure, that is, command, control and communications infrastructure. To put it very bluntly and very simply, if country A wants to extract information from country B, it will very often hack a device in country C. Because of the sheer amount of infrastructure and IP address space here, we are a very obvious target with regard to that kind of command and control infrastructure. A lot of our work involves mapping and taking down these kinds of C2 and C3 nodes.

On the very specific question on the NATO centre of excellence, we are publicly involved in the hybrid centre. We are formally a member. We are also involved in a number of other NATO information-sharing projects, including the NATO malware information sharing platform, MISP. We have full access to that NATO project and its malware information sharing platform. We also have access to a number of others. Of course, it is very important to say that we do not know what we do not have access to. We can only assume that, as a non-member, there are aspects of NATO infrastructure that we do not have access to. That is just the way it goes. However, I can confirm that we do have very significant access right now to real-world threat and risk information sharing with partners across NATO. Most of these countries are EU member states so we have this intervention anyway. It is important to point out that the EU does not have an operational cybersecurity role. The EU does not deal with national security issues in cyberspace. NATO does, which is why our having access to those feeds is really important. It allows us to deal with the full spectrum of cybersecurity issues.
