Oireachtas Joint and Select Committees
Wednesday, 29 May 2024
Joint Oireachtas Committee on Transport, Tourism and Sport
National Cyber Security Centre: Discussion
Dr. Richard Browne:
I thank the Deputy. There is a lot in all of that. On the partnerships first, cybersecurity is a global team sport. Because the domain is essentially global in nature and interconnected, no one state can do this by themselves. They have to be able to share information and share threat intelligence. They have to be able to share knowledge of new risks and we have been heavily involved through the European Union and other processes for quite some time on all of that. More recently, obviously, we have been heavily engaged through the NATO individual tailored partnership programme, ITPP, and other partnerships on sharing information up to the very highest classification levels on risks, threats and actual incidents.
There is also an important point on partnership in respect of the obligations on this state. We might be a small state in generic terms but in cybersecurity terms, we have almost twice the number of IP addresses per head as the UK, for example. We have a substantial cybersecurity real estate. Because we have that and we host all that economic activity, we have a collective responsibility to everybody else that our estate is not used for attacks on other jurisdictions. It is also a question in terms of neutrality. We cannot be used as a base for an attack on other jurisdictions. We work closely with lots of international partners, through the European Union and other fora, to ensure that if people have an issue with something that is emanating from here, we can stop it. We see it in advance and we can stop it.
There is also a more general question about the use of large-scale command and control networks for malware. These are called C2, command and control nodes, and because of our large IP address space, we tend to see a lot of that kind of activity here. We work closely to ensure that we can continually monitor and take down things that might be affecting any other country in the world, frankly. That is the first point.
On the second point, on staffing, there are two points under staffing. One is the NCSC's own staffing question and the other is the generic point. I will come back to a question on VPNs as well. First, we have recruited very heavily over the last number of years. We have gone from 25 to 60 as of the week after next, and to 75 in a couple of weeks. That has given us a huge amount of exposure to what is happening in the marketplace. The simple answer to the Deputy's question is that it is entirely possible to get staff. It is very possible to get highly qualified staff but the place is not awash with them. There is a relatively limited marketplace. We find that if we go back regularly to the market we tend to do better, rather than going for very large panels in one big go. Our modus operandi has been to go regularly to market and recruit regularly to see what is out there.
At the same time, we have been very successful in getting very well qualified staff. A lot of our staff have joined us from the private sector, from consultancy houses and other commercial companies. We are in that space. The work we do is in and of itself an incentive. Many of our staff are readily employable elsewhere for a lot more money but they choose to work with us which in and of itself tells you a lot about the nature of our work as well.
On the national picture, we have just concluded a consultation on a national cyber industrial strategy, which looks at all of the questions that would be asked around the future and present cybersecurity workforce. Globally, we have a huge challenge in this regard. We are in a period that in the US is referred to as the valley of death. We have identified a huge problem but it probably will be about four to six years before the new graduates and new skilled personnel will come through the cycle. As the Deputy has pointed out, we have a significant international workforce who have come into the country because of the jobs that are here and this has been hugely valuable for the State. It is something that we, SFI, Enterprise Ireland and the Department of Enterprise, Trade and Employment are heavily seised of. It is an area where we have a huge economic opportunity as well because of all the data and cybersecurity companies and connectivity here. This is an area where, hopefully, we can take significant advantage in years to come.
The point on the VPNs is not that working from home is necessarily risky but that some of the VPN solutions that have been used have been found to have vulnerabilities. The extent of the exploitation of those vulnerabilities here has been limited because when someone has a global vulnerability of that kind, it will go after the big targets first and the big targets usually mean large governmental organisations in large countries. The timeline from the detection of the vulnerability to the vulnerability being exploited, however, is falling dramatically. We have been lucky in the recent past but we will not be lucky forever.