Dr. Richard Browne:

In some cases it is private sector companies or even some NGOs on a global sense that scan or look for particular vulnerabilities. An organisation might come to us and say that six particular IP addresses in Ireland have a problem and it thinks that problem is a certain actor group. We will then sometimes visit the entities involved, conduct checks and assessments and if there is an intelligence product from this that is of national security importance, we will take that through the proper channels. We will clean up the mess, as is required, or get someone else in to do it.

More of the broad spectrum, large-scale stuff relates to the ability of the NCSC to consume much larger threat intelligence feeds. In other words, we can take much larger datasets now, analyse them ourselves and then output a product that says these 16 IP addresses may have a problem and we should conduct an investigation, as we have. If it is a significant incident, we can chase down to a granular detail within an IT system to look for a problem.

There is another issue here and it is a challenge facing every European jurisdiction. Very often when the NCSC finds a vulnerability with an IP address, sometimes we cannot identify the owner of that. Legally, we cannot work out who the owner is. Home IP addresses, where there is a home router sitting on a hall table or wherever it might be, are connected to an Internet service provider, ISP. That ISP owns an IP address block and randomly reassigns within that block to different customers. In some cases, thanks to something called IPv4 carrier grade NAT, which is a long story, the ISP might have 20 or 30 houses hanging off one IP address. If we find that one IP address has a problem, we have no legal means of compelling the ISP to tell us who is using that IP address-----