Professor Donna O'Shea:

It is my pleasure to be here to contribute to this important discussion. I hold the position of chair of cybersecurity at MTU. I am accompanied by Dr. McSweeney, Dr. Miller, Professor Acton and Dr. Lee.

Cybersecurity has been growing in importance over the past decade as the rate, frequency, scale and sophistication of cyberattacks has increased. This importance is reflected in the growing number of EU policies and directives, such as the EU network and information security, NIS, 2 directive, the Digital Operation and Resilience Act, DORA, and the critical entities resilience, CER, directive, and national policies such as Ireland's smart specialisation strategy and the digital Ireland framework. These policies correctly detail the risk associated with digitalisation. The more we digitalise, the greater the risk of cybercrime and the need to take cybersecurity precautions to prevent the financial loss, business disruption of a successful cyberattack.

As the rate of Ireland’s digitalisation continues to increase, so too do the risks. The World Economic Forum defines cybersecurity as one of its highest likelihood risks over the next ten years, along with climate action failure, digital power concentration and digital inequality. Cybersecurity is now considered the linchpin in building the digital resilience necessary to future-proof our businesses, society and economy. This resilience, according to the World Economic Forum, will become the defining mandate of our time. It will mean the difference in being able to detect, respond and recover from future digital shocks in the form of inevitable cyberattacks of increasing frequency, scale and sophistication.

The reality is that, to date, Ireland has lagged in prioritising cybersecurity, and there is now a gap between our digital development and our cybersecurity readiness. Over the past number of years, we have witnessed first-hand the impact of this gap. While most fraud incidents in Ireland cost less than €80,000, the cost can be much greater. For example, the clean-up from the cyberattack on the HSE has cost the Irish taxpayer €80 million to date, with the cost of the remediation programme likely to be approximately €300 million over the next two to five years

When benchmarked against their counterparts in other countries, we can see that Irish companies are falling victim to cyberattacks at double the rate of reported global levels. The cost and clean up of cyber incidents also costs Irish businesses more. While the current cost of a cybercrime incident can be significant, the societal impact can be much greater, with impact on critical services and loss of personal data. For example, in the cyberattack on the HSE, 113,000 individual medical records were illegally accessed and copied.

The challenge and opportunity for the future is to ensure that Ireland has the capacity and capability to respond to the risk associated with digitalisation and bridge the gap between our digital development and our cyber readiness. One way to achieve this is by ensuring advances in cybersecurity research can be applied to improve the resilience and security of Ireland’s critical infrastructure, public sector and digital economy. In Ireland, this is providing ineffective, however, because the landscape in cybersecurity research is highly fragmented. This has led to a slow and limited impact response that follows from individual academic institutions and SFI research centres trying to address national-scale research challenges in cybersecurity with disconnected and small-scale responses. This fragmented and incoherent approach needs to be resolved if we wish to develop cybersecurity research solutions in sectoral applications where Ireland is leader, with the aim of increasing its market position.

We have a number of recommendations. The first is to establish an SFI research centre in cybersecurity that would together higher education institutions with industry, business, public sector and security forces partners. The second is to ensure a fixed percentage of all national funding for digitalisation to be specifically ring-fenced for cybersecurity. Our third recommendation is to invest in our cybersecurity infrastructure to support collaborative research and development and skills training.

Ireland also lacks a mechanism to engage its highly skilled workforce to participate in the innovation economy, ensuring that, as a country, we can develop cyber capabilities within our own borders, enabling the rapid and agile development of indigenous innovation solutions to cybersecurity and digitalisation challenges. This is important as research has proven that even though talent can often be evenly distributed throughout the world, the opportunity for engaging talent in the innovation economy is not equal, and innovation-driven entrepreneurship clusters develop at high concentrations in certain places around the world. In the cybersecurity sector, this clustering is particularly evident, with cybersecurity innovation highly localised to specific regions supported by government funded innovation ecosystems. Be'er Sheva in Israel, Tallin in Estonia and Belfast in Northern Ireland are well known examples of established innovation ecosystems in cybersecurity.

Within this research, development and innovation ecosystem, we have a lot to learn from our partners in Belfast. We have the potential to build a shared digital island that would present enormous opportunities for economic and social advancement as physical and political borders become increasingly insignificant. To realise the full potential of our digital island, we cannot replace the Border with a digital border that would mean standards, policies and strategies would be different. A common approach is needed.

As part of the approach, we need to explicitly include cybersecurity in an all-Ireland collaborative research innovation programme. We also need to establish an all-island co-ordination of national cyberdefences by developing cybersecurity infrastructure and cyberdefences to protect the nation as a whole, as a firewalled island.

Our success in building a strong research, development and innovation ecosystem is highly dependent on a skilled talent pool and workforce. Last year, for the first time, the International Information System Security Certification Consortium, ISC 2, reported that Ireland closed its cybersecurity skills gap to 19.5%, while the global gap grew by 26.2%. This success can in part be attributed to investments made by the Government in specialised initiatives, such as the Higher Education Authority, HEA, human capital initiative, HCI, pillar 3 cyberskills initiative, growth in apprenticeship offerings, Springboard and other HCI pillar 1 funding.

Many challenges remain, however, if Ireland wants to achieve its ambition of growing its cybersecurity workforce from 7,300 today to 20,000 by 2030. We need to deliver highly skilled graduates to the sector at a faster rate by investing in cybersecurity training at all levels. We need to achieve this goal in a way that does not compromise on the quality of education delivered. As part of this, we recommend that Ireland establish a baseline in cybersecurity education and agree key knowledge, skills and abilities that courses should teach. We also recommend that 50% of all cybersecurity courses should be dedicated to practical activities and the funding of initiatives and academic programmes that focus on collaboration in the higher education institution, HEI, sector. This is required as cybersecurity as a discipline is constantly evolving and training and education need to adapt at a faster rate.

To summarise, the challenge and opportunity for the future is to ensure that Ireland has the capacity and capability to develop research, development and innovation solutions that deal with the increasingly complex and expanding threat landscape that is a consequence of digitalisation. To realise this opportunity, greater investment is required to ensure that we develop a more cohesive and responsive research, development and innovation ecosystem supported by a highly skilled workforce of professionals. If we achieve this, then in the future we will ensure that Ireland can meet the demands of industry for cybersecurity products and services, which will maximise our retention of existing industries and also ensure that Ireland becomes a nexus for the growth of industries where cybersecurity is an absolute necessity.