Oireachtas Joint and Select Committees
Wednesday, 29 May 2024
Joint Oireachtas Committee on Transport, Tourism and Sport
National Cyber Security Centre: Discussion
Dr. Richard Browne:
I thank the Deputy. There are three questions implicitly in that piece. The answer to the first two is yes, and I will come back to AI in a second.
On the first two, in terms of our role versus the roles of the NCAs, the NCAs' roles will not be technical in the sense of them looking at whether they have the right firewall or the right piece of infrastructure or software. It is a controls-based environment and an audit-based process. It is much higher level than that, which essentially means it is primarily a paper-based exercise. It does not usually involve rooting through people's offices or their hardware, although aspects of that can be done under the powers in the directive.
NCAs will sit in that kind of compliance space without worrying about the ones and zeroes essentially. Our role, as the Deputy suggests, will continue to evolve along the path we are already on. We will garner much more technical capability and powers to access information and to understand what the risks are before they actually happen. Much of the work we are doing right now is managing the national attack surface. We can see what systems are deployed across the State, in the public sector and private sector. We have some powers in some cases to engage with vulnerabilities and say to people they need to fix that specific problem or, even worse, we can tell people they already have an active incident under way and they need to take specific steps to stop that.
The legislation for NIS2 will contain powers to allow us to do a lot more of that. That is a really important step for us and for everybody else as well. At the same time, as the Deputy suggests, we also will have a substantial role in assisting the NCAs and ensuring they know what good looks like. We will be running a number of different software systems to allow NCAs essentially to log in to a central register and exchange and share information with us, as well as with subject entities, in a secure way. We essentially are trying to lift as much of the burden from NCAs as we can to allow them to get on with the critical work of going out and doing compliance.
On AI really briefly, in the past 12 months or even just during 2023, we published a blog post on the use of generative AI from a cybersecurity perspective. We provided guidance for public sector bodies on the cybersecurity risks associated with the use of generative AI and we are active members of the working group on trustworthy AI, which is led by the Departments of Enterprise, Trade and Employment and Public Expenditure, National Development Plan Delivery and Reform. We are fully involved across the public sector on the use of AI. It is undeniable that AI has a huge number of advantages for both attackers and defenders. The general consensus in the cybersecurity community is that over time, the advantage will float to the defender more because defenders tend to be larger in scale. They can use AI in a more coherent fashion. That is not to say there are not risks associated with it, of course there are. There is some evidence on the fringes that some actor groups are using generative AI to be better and faster at exploiting vulnerabilities.
The key point is that we have yet to see, and this is borne out by a lot of international experience, any attack with an AI component that could not be defeated by traditional cybersecurity practice. In other words, the world has changed but it has not changed that much just yet.