Oireachtas Joint and Select Committees
Wednesday, 29 May 2024
Joint Oireachtas Committee on Transport, Tourism and Sport
National Cyber Security Centre: Discussion
Dr. Michael Browne:
In my opening remarks, I’m going to cover three issues. I will open with a brief analysis of the state of play and the risks facing the State in the cyber domain. Then I am going to provide an outline of recent developments in the NCSC, and close with a number of points on the coming challenges.
First on the state of play, events over the past few months show an ongoing worsening of the global cybersecurity environment, both in terms of new vulnerabilities and in the nature and extent of activity by threat actors. We have seen a number of very significant vulnerabilities in widely used applications, including some very serious ones in edge devices such as firewalls and VPN systems used to enable remote working. These vulnerabilities have been rapidly and extensively exploited by threat actors. The ongoing Russian war of aggression against Ukraine continues to result in a degradation of the cybersecurity environment in Europe. While cyber tools are still heavily used by Russian forces in Ukraine, and in close co-ordination with traditional military tools, there are indications that the restraint previously shown around the use of these tools more broadly in Europe is fading. In particular, so-called hacktivist attacks are becoming more co-ordinated and effective and far larger in scale. Espionage also remains a key risk, as the recent attribution of incidents by the German and Czech governments against the group APT28, associated with Russian military intelligence, shows. There have also been a number of notable developments associated with China-based threat actors, including the recent UK attribution of an incident affecting its electoral system. Notably also, the so-called Volt Typhoon incident in the US marks a very substantial development. This involved prepositioning by a China-based threat actor on US critical infrastructure, including energy and telecoms. Quite aside from the seriousness of the incident itself, this has also given rise to a very fundamental reassessment by the United States Government of the likelihood of destructive attack against critical infrastructure in the short to medium term.
Of course, the risks associated with ransomware remain probably the most immediate risk to critical infrastructure and services in most of the world, with the number of estimated attacks rising by 73% in 2023. In recent months, the ongoing pattern of ransomware has been punctuated by a significant number of incidents affecting large healthcare providers in the United States and elsewhere. In fact, there is now sufficient evidence to conclude that a combination of relatively poor cybersecurity practice and a demonstrated willingness to pay has resulted in somewhat of a feeding frenzy against some healthcare providers.
There have been some marked successes against some of these groups, with the ongoing disruption of the “LockBit” group, called Operation Cronos, being one of the most effective in history.
However, these ransomware groups are underpinned by two things. The first of these is a diverse and robust marketplace for tools, investment and skilled personnel, which provides a fertile growth medium for new groups. The second is the fact that, by some estimates, global ransom payments last year exceeded $1 billion. This provides an obvious incentive for these groups to keep redeveloping and going.
These trends are reflected in the work of the NCSC. Last year, we received more than 5,200 reports, which gave rise to 721 confirmed incidents and a total of 309 investigations by the centre. Over the year, we also initiated 1,365 threat hunts and issued more than 8,000 vulnerability notifications. Already this year, we have launched 211 investigations, which is substantially up on this time last year.
All of this means that the cyber domain is an increasingly contested space and threat actors continue to find new ways to compromise data and systems, and are willing and capable of putting these abilities into use to a variety of different ends. States are faced with a complex and rapidly evolving threat landscape and policy and operational responses need to be similarly agile and co-ordinated to manage these risks.
I will turn briefly to developments in the NCSC. The primary role of the centre is to monitor, detect and respond to cyber security incidents in the State. In the past year or so, the investment in additional threat intelligence and analytical capabilities has seen a shift in the incident response flow in the organisation. Prior to that time, the majority of incidents we responded to were reported to us. However, we have seen that reversed. Now, the vast majority of incidents we respond to are detected directly by the NCSC and we bring them to the attention of the victim, rather than the other way around. This is direct evidence of the value of this investment in protecting the State. Key to this process is the ongoing co-operation and sharing relationship we have with a range of partners, domestically and internationally. These partnerships are essential for us to understand the precise nature of the threats that face us but also to allow us to share what we know about incidents in other jurisdictions.
The NCSC also has responsibility for large scale incident response co-ordination in the State. To that end, we have drafted and have continually revised a national cybersecurity emergency plan, which we have exercised in two full annual national exercises. The second of these, held late last year, involved a simulated incident in Dublin Port and involved almost 200 personnel from across the public and private sector.
The NCSC also has a very considerable series of resilience building measures in operation. Perhaps the most significant aspect of this flows from the implementation of the first EU network and information security, NIS, directive, which has seen critical infrastructure operators across seven sectors designated as so-called operators of essential services, and they have been subject to a rolling annual programme of assessments and audits since 2018. Later this year, the second iteration of that directive will come into effect across the European Union. This will bring with it a dramatic expansion in both the number of entities covered by the legislation and in the requirements placed on them. NIS2, as this second iteration is generally termed, will see that the number of entities designated here will grow from just over 100 to at least 3,000, and across a larger range of types of entities.
Following on from a Government decision last year, sectoral regulators will be taking on the national competent authority, NCA, roles in respect of most of the critical infrastructure in the State, with the NCSC taking on the NCA role for government entities and for a large number of so-called "important" entities, which is the lower tier of entities under the terms of the directive. This process has drawn in resources from across the NCSC and will give rise to a requirement for further staffing and investment in years to come, quite aside from other areas of work.
At present, the NCSC has 58 staff with sanction in place for growth to 75 staff this year. All of those additional staff have been called from panels we established in the past few months, and subject to security clearance and processes within the Public Appointments Service, will be with us over the summer.
The next few months will be very significant for the NCSC. In the coming weeks the draft legislation to transpose NIS2 will be brought to Government for decision. These heads of Bill will include a series of measures to enhance the ability of the NCSC to detect and properly respond to incidents, as well as a formal assignment of roles. The work to transpose NIS2 is very much under way, however, including a very substantial set of information technology, IT, projects to support the increased number of subject entities, that is, entities subject to the directive. Part of this work involves supporting the new NCAs and the NCSC has established and chairs an NCA forum to that end. The National Cyber Security Centre is also developing a new national cybersecurity framework based on experience in implementing the first iteration of the network and information security directive, NIS1, and premised on recent developments in international best practice. This will be a set of binding security measures that entities must take to secure their organisations from security threats.
Work is also under way to develop a national cybersecurity certification process and to transpose the relevant EU legislation in this case. The first national scheme will convert the previously mentioned cybersecurity framework into a certification scheme which can be used by organisations of all kinds to demonstrate compliance with NIS2, and to assure their customers of their cybersecurity.
The NCSC is also home to the national coordination centre, NCC, for the wider cybersecurity sector in the State. This is a formal designation under the European cyber competence centre regulation. This unit is focussed on enhancing Ireland's national cybersecurity capacity and will be hosting a meeting of the European network in late June, alongside our national conference. The organisation is also in the process of moving into new premises and has a significant number of IT projects in train to support and enable that.
In addition to NIS2, we also have two further European cyber Bills that have recently received political agreement in Brussels and that will likely be published in the Official Journal of the European Union, OJEU, later this year: the Cyber Resilience Act and the Cyber Solidarity Act. The first of these will be very significant and, because of the main establishment basis of the regulation, will also have additional responsibilities and challenges for Ireland as opposed to every other member state.
Lastly and obviously, the NCSC has at all times sought to retain the capability to fulfil its primary mission which is to respond to cyber security incidents of all kinds in the State. If recent experience is anything to go by, this is unlikely to be straightforward.