Oireachtas Joint and Select Committees
Wednesday, 29 May 2024
Joint Oireachtas Committee on Transport, Tourism and Sport
National Cyber Security Centre: Discussion
Dr. Richard Browne:
There are six points there and I will respond quickly, as I know the Senator is under time pressure. The first one on visibility is really important and it goes to our shared responsibility in terms of our position in the global cybersecurity ecosystem. The reason Ms Woods is not in the room is because she was stuck in Frankfurt late last night getting back from another trip abroad, so this is an ongoing piece. It is a huge workload but we have to do it because the State has to be represented in those multiple forums. On visibility and access, it is immediate. I can be in Government Buildings in a single phone call. There is no barrier to access, if required. On the cybersecurity reserve question, this is one that has been around the European construct for a very long time. I think we both have mutual contact in the Baltic states who have explored components of this over the years. There are three things to note. The first is that cybersecurity reserves have been varied in effectiveness in operational use because very often, one goes to war with the army one has, not somebody else's army that has been borrowed on Saturday morning. This in and of itself sounds very obtuse but that is generally how it works. If there is a crisis, employers will have first call, which is fair enough. There is, as I have mentioned already, under the new EU Cyber Solidarity Act, a European-level reserve, that is, a mobile reserve that can go from a member state to other member states in times of crisis. That is one which, when it comes into effect several years from now, will have some utility.
The second thing is that the Defence Forces have a substantial number of reservists with a foot in this space and that is a construct that works well for them. I suspect we will see more of that happening in the short and medium term. They have access to some really excellent staff from across the private sector who work in uniform, in the Defence Forces, in various different cases. My last piece refers to Locked Shields, which is the major European NATO exercise held every year. This year, we played for the first time with a full team. We had people from across the private sector playing as well, exactly as we would in a real-world incident. We had people from some of the cybersecurity firms involved in front-line defence of infrastructure, Defence Forces personnel in uniform and Defence Forces personnel who were from the private sector but were in uniform that day. In a real-world case, like with the HSE, that is exactly how we have to play it. That is the way it works.
I will address the last three items quickly. On the question about the CEOs, it is important to note that under NIS2, under Article 20 of the directive, the CEOs and managing bodies of organisations will be directly responsible for cybersecurity. For those 3,000 plus organisations, they will be directly responsible under the legislation. We have worked with the Institute of Directors and other management organisations to try to frame some work in that space. It is very challenging. There remains (we are not unique and this is a global problem) a disjunct between the boards of organisations and the IT function, as the Senator noted. Elevating IT risk into the boardroom agenda has been a concern of ours for many years. It is happening but it is happening far too slowly and NIS2 will help with that. Regarding the second last item on schools, it is a very challenging area. We have had a junior cycle short course on cybersecurity in place in ten to 12 schools a year for quite some time now. Going from that to a mainstream deployment is very challenging. Finding the teachers who can do it is a challenge. I know there are a number of other initiatives under way as well in primary schools and elsewhere. We have looked at it in our cyber industrial strategy. If we can get anything material going, the outcome will be in that formal version of that strategy.
The last item I will come to is the use of scanning tools. First, there is a large number of scanning tools out there. There are two difficulties upfront. The first one is that threat actors use the same tools. If you are a bad guy or a white hat, it is the same tools and in some cases, it is deliberately so. When we see people doing it, it triggers alarms on our end as well because we see those scanning attempts. The second piece is that, as people will probably be aware, aspects of the criminal justice Acts also impinge on the types of scanning people do. People consequently have to be extremely careful that they do not inadvertently cut across and commit a crime, which is in and of itself unlikely, but it is a problem. We use some scanning tools ourselves and have done so for many years. We will have much greater scanning powers once our NIS2 legislation is in train.
It is much better that this stuff is done using a co-ordinated vulnerability disclosure process, which we will also be establishing under NIS2. This will allow these types of white-hat entities to engage with us. We will act as the interlocutor between them and the victim.