Oireachtas Joint and Select Committees
Tuesday, 25 May 2021
Joint Oireachtas Committee on Transport, Tourism and Sport
National Cybersecurity: Discussion
Apologies have been received from Deputy Matthews and Senator Buttimer.
The purpose of today's meeting is to discuss national cybersecurity in light of the recent cyberattacks on the HSE and the Department of Health. The meeting brings together international experts in this area. We thank them for accommodating the committee on such short notice. This is an issue which requires detailed and careful attention.
The committee is very conscious of how delicate the situation is. Nevertheless, as a committee we want to deal with it and contribute in real time. That is the purpose of today's meeting.
I welcome the expert witnesses: Mr. Pat Larkin, CEO of Ward Solutions; Mr. Padraic O'Reilly, co-founder and chief product officer with CyberSaint; Ms Bláthnaid Carolan, cybersecurity recruitment expert; Mr. Paul Walsh, chairman of Cyber Ireland; and Dr. Eoin Byrne of Cyber Ireland. All the witnesses are most welcome.
All witnesses are reminded of the longstanding parliamentary practice that they should not criticise or make charges against any person, persons or entity by name or in such a way as to make him, her or it identifiable, or otherwise engage in speech that might be regarded as damaging to the good name of the person or entity. If the statements are defamatory, therefore, in respect of an identifiable person or entity, witnesses will be directed to discontinue their remarks. It is imperative that they comply with all such directions. For witnesses attending remotely, outside of the Leinster House campus, there are some limitations to parliamentary privilege. As such, they may not benefit from the same level of immunity from legal proceedings as a witness physically present does. Witnesses participating in this committee session from a jurisdiction outside the State are advised that they should also be mindful of their domestic law and how it may apply to the evidence they give.
Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official either by name or in such a way as to make him or her identifiable. I remind members of the constitutional requirement that in order to participate in public meetings members must be physically present within the confines of the place the Parliament has chosen to sit, namely Leinster House or in the convention centre in Dublin. Regrettably, I will not permit a member to participate where he or she is not adhering to this constitutional requirement. Any committee member who attempts to participate from outside of the precincts will, reluctantly, be asked to leave the meeting. Any other Members who attempt to participate from outside the precincts will be asked to leave the meeting. In this regard, I ask any members who are participating via Teams to confirm, prior to making their contributions, that they are on the grounds of the Leinster House campus.
For the information of anyone watching this meeting online, Oireachtas Members and witnesses are accessing the meeting remotely, with committee members being in the precincts of Leinster House or the convention centre in Dublin. Only I, as Chairman, and the staff essential to the running of the meeting are physically present in the committee room. Due to the unprecedented circumstances of Covid and the large number of people attending the meeting remotely, I ask everyone to bear with us should any technical issues arise. I believe, however, that we are in good hands with Anthony here.
I now call on Mr. Pat Larkin, CEO of Ward Solutions, to make his opening statement. I thank him and all the witnesses for making themselves available.
Mr. Pat Larkin:
It is my pleasure to be welcomed here today by the Cathaoirleach and members. I am the chief executive and co-founder of Ward Solutions, one of the largest indigenous, dedicated cybersecurity companies in Ireland. We spend our time helping a wide range of commercial, public sector, government and other organisations from a wide variety of sectors on the island of Ireland to secure their people, data and systems from malicious and inadvertent threat. Prior to this I had the privilege to serve my country as an officer of the Irish Defence Forces at home and overseas with the UN.
Since our foundation in 1999, Ward Solutions has witnessed a number of things that are relevant to the committee's purpose here today. Ireland's citizens, organisations and society have transformed to a sophisticated and prosperous digital economy, with a very significant digital dependency. Significant technology and born-in-the-cloud sectors have emerged indigenously and through foreign direct investment to a point where Ireland now holds upwards of 30% of European cloud data in data centres located on the island.
The dramatic digital transformation of traditional bricks and mortar organisations, including government, led to a very high digital dependency based on accessing and servicing the markets via digital channels. A lot of business and wealth now located in Ireland has digital roots and is, therefore, much more portable as distinct from less portable legacy business. This portable business and wealth can easily relocate to countries that are in a position to appropriately secure it.
In the field of cybersecurity we have witnessed the emergence of cybersecurity on global, national and corporate risk registers, consistently as one of the top three risks, along with climate change and global pandemic, and the increasing occurrence of all three risks. We have witnessed the relentless increase in the scale, sophistication, and effectiveness of attacks directed against individuals, organisations and the State from criminals, hacktivists and militia to a point where the financial scale of cyber crime at €6 trillion annually has overtaken the global illicit narcotics trade.
Organisations are increasingly challenged to protect themselves from inadvertent or non-malicious cyber events that similarly threaten their survival or prosperity. There is a global shortage of cybersecurity talent, estimated to be about 3.2 million professionals by 2022. The cybersecurity market emerged as a massive opportunity for Irish companies, conservatively estimated to be worth $173 billion in 2020, and growing to $270 billion by 2026. There is an emergence of a vibrant cybersecurity ecosystem in the Republic of Ireland and in Northern Ireland.
We work with our clients through the full cybersecurity lifecycle of assess, protect, detect and respond. There is one absolute observable trend that we and our industry generally notice. Clients who invest and adopt a systemic approach to their cybersecurity posture, who work to move from an immature approach to a fully optimised approach, suffer from the same hostile environment but are typically breached less. When breached, optimised clients respond quicker and better and thus suffer less impact and cost to their business. Cyber-optimised organisations treat cybersecurity as a journey, not a destination.
Ireland now needs a fundamental acceleration of our approach to national cybersecurity. We have a society worth defending and we need politically and societally to move towards a national defence mindset with our national cybersecurity as one of the key pillars of our defence. We need to move to leading and developing national and global consensus, to collaboration on cyber law, norms, ethics and behaviour, and to the global enforcement of same. We need a full-blooded, joined-up, coherent and committed strategy for our defence, encompassing all government, national security and intelligence, industry, academic and research resources, to outgun the cyber bad actors. We need to adopt a ten-year goal of making Ireland the cybersecurity capital of Europe. We can do this by developing a world-class cybersecurity ecosystem in Ireland so we have the resources in country to secure ourselves. In doing so, Ireland also stands the possibility of benefiting from a rapidly growing cyber marketplace, estimated to be worth $270 billion by 2026. We need to raise our game nationally from an immature to an optimised approach to cybersecurity, to protect our citizens, our government and our economy.
I thank Mr. Larkin. I now invite Mr. Padraic O'Reilly, co-founder and chief product officer with CyberSaint, who comes to us from the US. We thank Mr. O'Reilly for taking the time to be with us today. We look forward to Mr. O'Reilly's contribution.
Mr. Padraic O'Reilly:
It is a pleasure to be here today and I thank the Chairman for the invite. The Colonial pipeline attack, which may have been in the news in Ireland, shook up a large portion of American society. It really hits individuals where they live and is escalating prices for gas. It has had a direct impact on the citizenry. Over here we also have health services getting attacked. We do not have a national health service but we have prescription and hospital concerns. A hospital in San Diego is currently struggling with ransomware. We had more than 200 attacks on hospital chains last year also.
I will talk a little about my background and my perspective. I started the company five years ago with the chief information security officer of Schneider Electric. His expertise was primarily in cyber and operational technology. My expertise was in financial modelling. I bulked out a software product that operationalises regulation standards, like the NIS directive. From what I have seen on the inside, my concern across many sectors is in accordance with what I have just heard, which is that there is some variance with regard to maturity and work in depth with the energy industry, the finance industry and across almost every sector. We see the increase in frequency of ransomware and the increase in ransoms, which is quite alarming. Maturity levels vary greatly. With the pipeline Colonial tech we are dealing with the learnings here in the US. The Administration here came out immediately with an executive order that sought to address some of the gaps that remain.
We have a sprawling regulatory regime here so when I work with the energy industry it is under something we call NERC CIP, which is a legacy set of standards that relate to the grid. The pipeline industry is under a voluntary set of standards, so there is real variance between practitioners and companies within the energy industry. One can see the results quite clearly. We do not see that the organisations under strictly voluntary standards do a great deal of adoption. That is not the case for all of them, of course, but we have learned over here, with the threat of going from cyber to physical in the pipeline industry hack, that the government and the Department of Energy are now re-evaluating whether to actively police or regulate the pipelines. It is always a question. The question comes down to the fact that 85% of our public infrastructure is in private hands. Private infrastructure companies tend to live quarter to quarter. They do not always put into practice some of the standards that are quite clear.
When I was speaking on television last week, there was quite a gap in understanding about what one does with respect to cyber. People tend to think it is extremely expensive because these are complicated systems. Many things done in cyber that are practice and policy oriented and employment oriented are not overwhelmingly expensive. Best practices are not always terribly expensive. The pipeline attack looked like a remote desktop protocol, RDP, attack. In an RDP attack, one can do two-factor authentication and do some other things with RDP that make it much harder for brute force attacks. There is no way to know, however, if one does not have metrics. We can talk about standards and best practices, but there must also be metrics. When the network and information systems, NIS, directive came into play, there was a colloquium in Washington DC on metrics. It was essentially taking the cybersecurity framework we operationalise in our software and driving metrics over it. It was very controversial. Many industries do not want metrics. They do not want to be measured. If one cannot measure it, one cannot improve it.
I will end by saying that-----
Mr. Padraic O'Reilly:
Yes. A very simple one that I discussed with Adam Sedgwick, who was the head of the National Institute of Standards and Technology, NIST, at the time, is just scoring how one is doing. The first guest referred to a metric. Maturity is a metric. Maturity usually has several stages. If one does something for the first time, that is called ad hoc. One can assign it a number, for example, 0.25. If it is a process that is documented, it could be 0.5. If the process is then reviewed and re-documented, that would be 0.75 and so on.
Mr. Padraic O'Reilly:
What Ireland is going through with the health service has our attention and sympathy. That is why I wanted to join the meeting today. We are dealing with this in our hospitals as well. They are obviously more distributed than those in Ireland, but the hospital chains and the health maintenance organisations, HMOs, are all very vulnerable to ransomware, as are our states and local municipalities. The Washington DC police are undergoing this at present. I have been quite busy just talking in general to individuals about these issues. I wanted to make sure to attend today, and I appreciate the opportunity.
We look forward to putting questions to you, Mr. O'Reilly.
Ms Carolan is an expert in cybersecurity, particularly on the recruitment of experts. We will hear her opening statement in the context of the director position that is currently vacant in the NCSC and what that role involves. I thank her for joining us. She has approximately five minutes.
Ms Bláthnaid Carolan:
I thank the committee for inviting me to attend the meeting. I am attending in an advisory capacity, as mentioned, to support with the recruitment of the extremely important new position of director of cyber security, DCS, with the National Cyber Security Centre. It is worth mentioning that this role will be recognised nationally as chief information officer, which is relevant for what I will discuss next. I have been invited here in my capacity as a professional and seasoned human resources director, bringing more than 15 years of expertise in recruitment, particularly for senior and executive roles spanning technology, high tech and blue-chip companies both in Ireland and internationally.
We all acknowledge that the role of director of cybersecurity must be on the executive level team and board where business decisions among the executive team will be discussed and agreed together when they are decided. This is a new critical hire for the NCSC. The seniority and accountability of this role cannot be understated. The director of cybersecurity will be at the forefront of the centre to drive and influence right decisions on security, strategy, infrastructure, programmes, people, behaviours and so forth in developing a sustainable and scalable secure model. The gravitas and accountability that come with this role define the calibre of candidate that we need. This role demands the best-in-class hire. We must provide every opportunity to the NCSC to hire the best, most qualified, proven candidate, and one who is capable of delivering on an international level.
If we are to hire for success, we must hire expertise in this field, most likely attracting from the public sector and, therefore, the remuneration of this role must be competitive. If we are to fill this role, we must apply the salary range and benchmarking of the private market sector. We recognise that this is a time when the job market is extremely competitive. We see a great deal of movement at senior level roles, particularly this year where there has been a huge lift in confidence in people moving. With all this in mind, the benchmarking on current market data for this role of director of cybersecurity, or chief information officer, provides for a basic salary ranging between €220,000 and €290,000 per annum, plus benefits including bonus, long-term incentive plans and stock options combined with a benefits package ranging between €150,000 and €200,000 per annum. It is worth mentioning, also, that we are seeing other varied and flexible benefits, for example, a one-time sign-on bonus for executive hires ranging up to €20,000.
Everything hinges on getting this hire right to ensure the sustainable and secure success of the National Cyber Security Centre. We need to get the package right to ensure we hire the right calibre for this role. Once we have the package defined, we must ensure the process is immediately defined and runs smoothly. That will include branding the role, driving positive branding through social media, newspapers and other such channels, using our networks to reach out to and attract candidates of suitable calibre, and ensuring the interview process is defined and clear from the outset so that it runs smoothly and efficiently through a thoughtful process, bearing in mind that we are competing against a very fast external market in which candidates are hired and move quickly through processes. I recommend that we meet this head-on to ensure we hire the best-in-class candidate.
Thank you, Ms Carolan. You have certainly given us food for thought. The range of €220,000 to €290,000 is far off the €89,000 being mentioned and reported in the media. We look forward to questioning you in that regard.
We will move to Mr. Walsh, the chair of Cyber Ireland. I thank Mr. Walsh and his colleague, Mr. Byrne, again for coming at such short notice. We deem that we are at a critical time in cybersecurity and more particularly, the State itself in its protection.
Mr. Paul Walsh:
It is my pleasure to be here today along with my colleague, Mr. Eoin Byrne, our cluster manager. I am the chairperson of Cyber Ireland, the national cybersecurity cluster organisation. Cyber Ireland brings together industry, academia and Government to represent the needs of the cybersecurity ecosystem in Ireland and to address key challenges for industry. We aim to enhance the innovation, growth and competitiveness of the companies and organisations which are part of the cluster. Today we have over 120 members nationwide, comprising 40 multinationals, 60 Irish SMEs and 12 of the leading academic institutes, with our partners in government including the National Cyber Security Centre, NCSC, IDA Ireland and Enterprise Ireland. Our aim is to move forward Ireland's cybersecurity agenda and advocate for industry needs. Now more than ever there is a need for a collaborative approach across industry, academia and Government to address Ireland's cybersecurity challenges.
Cybersecurity is a rapidly growing industry internationally for which there are a number of opportunities and challenges. It is estimated that cybersecurity spending will reach €240 billion worldwide by 2023. The annual global cost of cybercrime has exceeded €1 trillion. The number of unfilled cybersecurity jobs is predicted to hit 3.2 million by 2022 and current unemployment levels are low. There is increased global competition for talent and investment and there is increased cybercrime globally and in Ireland. The economic impacts of cybercrime put our indigenous SME sector at risk and this has knock-on effects for our foreign direct investment, FDI, brand. There are skill shortages globally and locally and there is a low level of collaborative security research and development between industry and academia.
Ireland has become a significant base of international technology and security companies. Some six of the top ten software security companies are here. There are over 40 multinationals with cybersecurity operations in Ireland and there are over 60 Irish cybersecurity companies and start-ups. Over 6,000 people are working in our cybersecurity industry and 30,000 professionals have cybersecurity related skills. We have a strong talent pool with a highly skilled and multilingual workforce. We are a digital leader, attracting foreign direct investment and hosting much of Europe's data. We have a dedicated workforce with talent development programmes. Ireland is uniquely placed to benefit from increased global investment in cybersecurity. It has an opportunity to position itself as a global leader for cybersecurity talent and innovation.
Cyber Ireland aims to facilitate the cybersecurity ecosystem to capitalise on this opportunity. We have a strong focus on talent and skills to ensure a sustainable pipeline of cybersecurity talent. Our Cyber Ireland skills report was published in February and its key findings clearly highlight the opportunity and challenges facing the industry. Our findings tell us that: in Ireland, 62% of companies will hire in 2021; our cyber workforce is highly skilled; 48% of organisations have open or unfilled cybersecurity roles; 46% of cybersecurity teams are understaffed; 19% of cybersecurity teams require six months or more to fill a role; 42% of new hires are from outside of Ireland; and 27% of cybersecurity teams have difficulty in retaining female talent.
A sustained long-term strategy is needed to address these gaps and Cyber Ireland is focused on building a strong pipeline of talent from schools and universities to industry with our partners. We have programmes in place that promote career opportunities in cyber to students through the cybersecurity academy for secondary schools and career talks in cyber summer camps that we have planned for June. We welcome the skills initiatives that are focused on upskilling our existing workforce and attracting talent to cross train in cybersecurity.
We strongly believe we have an opportunity to be at the centre of a growing global cybersecurity market, support indigenous cybersecurity SMEs and start-ups, be a leader in cybersecurity policy and the response to ransomware, influence Europe's investment and prioritisation of cybersecurity, and create a national research and development centre along with the NCSC with a strong national security perspective.
If the witnesses have prepared statements they might provide them to the clerk so that we can distribute them among members. Mr. Walsh quoted figures and percentages that would be interesting to us. If he has compiled those figures together we can deal with them as we go along.
I thank all the witnesses for that useful information. I might not get to question all of the guests due to time constraints but I am sure other members of the committee will. I thank them all for their contributions. I might ask Mr. Larkin and Mr. O'Reilly about their experience of working with companies and what the difference is between a mature and an immature organisation in terms of the mindset, the commitment, the governance structures or the regulatory structures that separate them? What should the two or three priorities be for Government in ensuring that more companies and State bodies move from being immature organisations to mature organisations? I ask Mr. Larkin to address that first.
Mr. Pat Larkin:
I thank the Deputy for the question. There are a number of key principles that differ. I would call it a defence mindset rather than a compliance mindset. If one focuses on compliance one is just trying to achieve compliance but if one focuses on defence and protecting what is important to the organisation, then one is much more centred on the robustness and resilience of the organisation. Board level involvement, top-down engagement from the top level of the organisation and a commitment to cyber resilience and cybersecurity are important to the business. That involves communication upwards from stakeholders in the business to make the board aware of that and to be transparent with it on the exposure it faces, the maturity the organisation is at and the work programme it needs to undertake to achieve that resilience. It is important to point out that it is a journey and not a destination. There is no point at which an organisation is entirely resilient or mature. It has to commit to the ongoing journey.
Back to the second speaker's point, organisations need to bring standards and measurement into play to assess matters. There are standards so we do not need to reinvent the wheel. There are standards like ISO/IEC 27001, which is a well recognised standard. It puts in place an information security management system and governance in an organisation. It is objectively measured and assessed periodically by an auditor and then that builds a structure by which an organisation can then layer in the people, process and technology controls that make it mature and resilient.
Mr. Padraic O'Reilly:
I would agree with what the first speaker said but I would add to it. What I have seen across a lot of different sectors, including the defence sector in the United States for example, is that we have hundreds of thousands of companies that supply up the chain to the primary contractors. Often when one goes into a defence industrial base company that is trying to baseline itself on a cyber standard, it might have two or three people, if that, who are responsible for this. On top of the IT management work that they are already doing, they are having to report out on a standard. Sometimes, if they have a little bit of a budget they will contract with a managed service provider or the like and that will put a process in place but I generally see that such a move might be a one-off and it does not then become a continuous practice.
There is a role for governments, even at the lowest levels. Some of the best companies we have worked with on the smaller end have direct mandates from the top to spend a budget to baseline themselves and then some continuous improvement on the cyber standard. The EU's NIS directive is in alliance with the cybersecurity framework, CFF, and ISO, the information security management framework and other control frameworks are informative references. There are many good standards out there.
With larger companies, we get into big-time governance issues. In larger companies there are many different departments, including those that deal with compliance, risk, information technology and operational technology. They often talk to each other but when we get them on calls together, sometimes the right hand does not know what the left hand is doing. This is an issue. They must also justify spend when it comes to fixing things. They might have alarming gaps in a programme and have to take it upstairs but to take it upstairs, they must make a risk-based argument.
The governance structures are not always interested. There has been much talk about cyber being central to governance in larger organisations but at times over here, to be frank, governance structures have been asleep at the wheel. It takes events like this to shake them up and they do but then, sometimes, the hype cycle ends and they move on. Education is a good element of what we are discussing and that also applies to governance structures as well.
There must be teeth behind this as well. In larger sectors I see results if executive pay is sometimes tied to cyber. My company has seen that. It is a complicated challenge as there are resource-constrained companies on the smaller end. Many of the ransomware hacks hit smaller organisations, which can be difficult, as it leads to a scramble. They might not have had time or resources to back up things. That is why they are such a juicy target for attackers. In larger companies there is sprawl and there are antiquated practices. Much cyber is still drawn on spreadsheets, which is a problem, as there must be central visibility for the practice of cyber inside a company. Spreadsheets do not get the job done. Many large service organisations deliver on the back of spreadsheets. When Mr. George Wrenn and I founded our company, we created software that makes a central repository for the practice of cyber.
I thank Mr. O'Reilly. I have some questions on the recruitment and retention environment. There has been considerable discussion about the comparatively small number of staff in the NCSC and the lack of a director. Does Mr. Walsh share that concern or have any sense of the type of staff that such services require? What is the rate of retention or attrition? Is pay a factor or does it also take in the level of supports and overall governance and commitment to the sector? Does Ms Carolan have any comments on staff at the director and other levels of cybersecurity as a priority for the Government and the State?
Mr. Paul Walsh:
It is an excellent question. I do not have any information or data on attrition elements in the NCSC or how it is structured. Within the industry in general in Ireland, there is growth at a rapid pace. Many additional organisations are setting up in Ireland and it is becoming a strong hub for cybersecurity activity. That creates much opportunity and brings some very critical roles to the country but it also creates competition within organisations operating here, both on a multinational and SME level.
The real opportunity or challenge is to create more awareness in the school systems and university sector to create graduates with the necessary skills to fill these roles. There are also opportunities for cross-training of people who are working and may have an interest in cybersecurity to bolster the general need in the economy.
Ms Bláthnaid Carolan:
I thank the Deputy for an excellent question. It is pertinent as we are seeing a very competitive market that has been going in this direction for quite a while. I do not have direct experience of the NCSC but nonetheless in the nation and right across Europe we have seen much activity and movement in the area. This is partly because of last year's pandemic, which we are still in the throes of, and we would normally see between 12,000 and 15,000 people moving to Ireland from other countries but that has not happened. The market is that bit tighter as a result, which is certainly throwing up much more movement across companies. It is becoming much more competitive and we are seeing many headquarters setting up in Dublin. It is really competitive.
With regard to factors relating to retention, on a human resource element we are looking at hygiene and wellness factors and job satisfaction. We are considering whether people are growing their skill sets and ensuring those skill sets and career opportunities are being made available. That is really important to individuals. There is also the question of pay and the additional benefits around it, which are important. It is a combination of many elements of the employee experience and there is not just one piece.
It is important not to lose sight of accountability. People appreciate the recognition in their role and the accountability that comes with it. They want to grow in the role within their organisations. There is a combination of elements.
I will not use my full slot because I must speak in the Seanad. I thank all guests for their presentations, particularly our guest from the US. I was trying to work out which part of the US he is in and I recognise it is probably well past his bedtime. This is really helpful as the witnesses have identified that our IT infrastructure, particularly in the health service, is under attack. To some extent we seem to know where we are going with but the concern we have as a committee is to understand how vulnerable we are in other institutions of the State and fundamental service providers, or even the wider public sector. If my comments are incorrect, the witnesses might correct me but it seems larger private companies have taken this more seriously, perhaps investing more money than State institutions or semi-State organisations. It is something we must look at.
Mr. Larkin is a contractor in the State. Does he have any views on the state of readiness or protection that exists? He has indicated he does some State work. What is the level of protection of State institutions and Departments, where key data are stored? How does it compare with the experience in the private sector? This is not about being critical but rather to give us some understanding of the challenge we face.
Ms Carolan addressed a point that I raised with the committee previously relating to the concerns about the position of director of the NCSC. It seems the proposed payment was far too low. She has clarified that matter for us so will Mr. Larkin respond to my question?
Mr. Pat Larkin:
I thank Senator Dooley for his question. In general terms, the commercial sector has a slightly different mandate from the public sector and it comes back to the aspect of mindset. In most cases, there is a very clear imperative. We were shouting into the wind five years ago when we were trying to educate boards about the importance of cybersecurity and the need to do something about it. The frequency and degree of crime and the resulting cost to organisations has ensured that data awareness now definitely exists. Boards are bringing in businesses like ours to do cybermaturity assessments and assess organisations' readiness because they are interested in protecting shareholder value. Customers vote with their feet if there are breaches. Therefore, apart from the direct cost of an incident like a ransomware attack, or something like that, the tail cost is far more significant. The clean-up costs, regulatory fines and related loss of customer confidence and revenue are huge factors. This has ensured that boards are now intimately aware of the risks of cyber infrastructure and they are giving a mandate to their organisation to protect their revenue and customers. The mindset now is a defensive one, namely to protect the business and shareholder value. A clear mandate is coming from many boards to do that, and, therefore, there is a matching resource commitment from the top and a budget to do that.
I suggest that mandate is probably less clear in the public sector and in the Government. There is more of a compliance mindset. The National Cyber Security Centre, NCSC, is also a regulatory authority for the European Union's network and information security, NIS, directive. While it is a good framework and a step in the right direction, we must return to the fact that these are critical State services, such as health, telecommunications and power, etc. First and foremost, we need to secure those services. If we do not do that, then the State and its people will suffer and so too will prosperity, because foreign direct investment, FDI, companies will vote with their feet. That portable wealth and capital which exists in Ireland will simply move abroad. If we are below par in cybersecurity, such wealth will move. I refer to the State adopting a mindset which regards cybersecurity as critical to societal progress and prosperity and the protection of those aspects and not some notional compliance in respect of the EU concerning GDPR or NIS. Do not get me wrong, compliance is important. However, if we approach this issue from a mindset which views it as critical to our prosperity, services, economy and people, then that is a different mindset. It is a mindset which leads to carrying out risk assessments and maturity capability assessments to protect against threats and putting programmes in place to secure the cyber infrastructure. That mindset may not be as obvious in the Government and public sector, but it needs to be.
I thank Mr. Larkin for that contribution. That is what I suspected and I thank him for his clarity. Mr. Larkin's contribution helps this committee in respect of our report and in trying to change that mindset. I do not think it is necessarily a negative reflection on anybody in the State sector, it is just the culture which has existed. Ms Carolan certainly identified that in respect of trying to fit within specific pay scales. We must look at the threat and examine a way to model a solution which does not fit within the Civil Service box. I thank all the witnesses for their presentations. I have to leave the call now.
I move to my own spot now. I thank all the witnesses for being here. This is a critical time for cybersecurity, and especially in Ireland. I have questions for Mr. O'Reilly and Mr. Larkin. Why were the systems of the HSE and Department of Health attacked? Is there any particular reason for that to have happened? How is Ireland perceived in respect of its level of cybersecurity? Equally, is this a world-wide practice? I ask Mr. O'Reilly to put this situation in context. Are we talking about many lone wolves operating out there, or are there seriously organised groups? Why was the HSE database and the Department of Health system attacked and why did that happen now? I call Mr. O'Reilly first for a comment on the context, and then Mr. Larkin.
I compliment Mr. O'Reilly on his choice of reading, because I can see volumes by Samuel Beckett and James Joyce in his background. I had a quick look at the time, and Mr. O'Reilly was probably up at an ungodly hour. It is probably 4 a.m. in the US, so I thank him for contributing to this committee.
Mr. Padraic O'Reilly:
It is a pleasure and I thank the committee for asking me to contribute. Turning to the queries, the why aspect is complex. The simplest answer though is that data are valuable. Hospitals are being hit over here as well. I refer to reputational concern. The last time I was over in Ireland was in 2017. I met with the Minister who then had responsibility for communications, and he told me that he wanted Ireland to be the primary cybersecurity centre for all of the EU. Therefore, I can understand reputational concerns in that context, but everyone is getting hit. This is a global problem and these criminal actors are inside states which often do not police their activities. These are criminal organisations, but they punch a clock. Their members show up in the morning and work. They are professionals and are criminals. They are very disciplined at what they do and they know what they are after, and that is data. Health data are very valuable, and the organisations concerned are inclined to negotiate if their data are stolen. Such a theft exposes private information and those are valuable data, and there are now even double ransom strategies.
The criminal organisations are growing in capability and the aspects of why this is happening are also connected to the technical level. There are software vulnerabilities, remote desktop protocol vulnerabilities and all manner of things that hackers can do. Hackers can log on to a website to look for Internet protocol, IP, addresses and do any number of things to breach systems and they will continue to do that. We have a national ransomware task force over here which produced recommendations. Ireland's firm stance on non-payment of the ransom is very impressive. I state that because many of the companies here that are compromised get into quick negotiations and often publicly say they are not going to pay the ransom, when they have already paid it. Those are some of the elements explaining why this type of attack happens.
Mr. Padraic O'Reilly:
Yes. The Federal Bureau of Investigation, FBI, and 60 key industry leaders here recommended that ransoms not be paid, but they are frequently. Regarding state organisations, that information is a little bit secret over here and we do not see it. We do see private organisations paying ransoms all the time, however.
Mr. Pat Larkin:
-----so I must be circumspect because we are in the middle of an investigation. Taking up the general point made by the previous speaker, however, healthcare is attractive because the data is valuable. In addition, both private and public systems are incredibly complex. They have what is called a large attack surface area because of the complexity of the environment, the spread of the network and the range of different users of the system, including doctors, nurses, students and vendors as well.
Therefore, it is an incredibly complex environment, which means that it is relatively easy to target from an attack perspective. Even robust health systems, because of that complexity, are also vulnerable. Equally, there is the ability to monetise the situation. I agree with the previous speaker in this regard as well, in that I think that it is the principled and correct decision to not pay a ransom. The reality, however, is that more than 56% of organisations pay a ransom. It is usually because they have no choice, but it could also be because organisations may not have the same resources that enable a state to go through a complex, lengthy and costly rebuild of its systems. Most organisations, and especially those which are private, are therefore faced with a simple balance-sheet choice.
Do we spend tens of millions of euro rebuilding or do we spend €1 million getting the keys to unlock the system and get back to core business? It does not help to speculate, but I do not know that Ireland or Ireland's health system has been consciously targeted. It is another health system that is vulnerable. They have carried out a targeted attack that has been successful from their perspective. It is very difficult for us, as a State. The challenge is that today the health system could be attacked, tomorrow it could be the power grid, the day after that it could be the transportation grid.
In respect of a national security mindset, we should be cognisant of the fact that traditionally, when we think about national security, we think about state actors carrying out targeted attacks from a foreign policy perspective to influence a government. In this case we are also seeing criminals attacking from a financial crime perspective, with a similar attack profile and causing similar national damage as state actors, potentially. The mindset must be that criminal cartels can in some respects cause as much consequential damage to a state as nation state actors carrying out deliberate foreign policy based attacks. From a mindset perspective, it is necessary to take the position that, defensively, we must secure ourselves against the attacks of criminals almost as much as we need to be secure against nation state attacks, because either is of similar consequence and catastrophe to the State.
In his opening statement, Mr. Larkin stated that politically and socially, we need to move to a national defence mindset, with our national cybersecurity as one of the key pillars of our defence. What do we need to do differently? Mr. Larkin spoke about the terrible Covid-19 virus which has quietly been attacking the world. We are now facing this other form of a virus. What do we need to do differently in Ireland? In what direction does Mr. Larkin see cybercrime moving over the next three to four years?
Mr. Pat Larkin:
In respect of what we need to do differently, we have had a wake-up call. The original point about the cyber, environmental and global pandemic being on the risk registers was that all of us, myself included, silently hoped that these events would never occur. Therefore, we have been adopting the mindset of these events being a risk, but wondering if we should do anything about them. These risks now have materialised and are materialising as we speak. We must recognise that reality and change our mindset.
The national mindset and psyche is based on Ireland being a neutral country that is not in an alliance. It is thought that we do not follow an aggressive foreign policy so therefore we do not need a large defence organisation or national security infrastructure or apparatus. However, we do now, from a cybersecurity perspective. We need to adopt that mindset. It is not about projecting foreign policy or insidious foreign policy; it is about protecting the societal and economic benefits that we have. Therefore, we must invest. Historically, we have underinvested in national security.
The threat is no longer a geographical one. Any of these organisations, whether they are nation state or criminal organisations, can simply project themselves across the Internet at Ireland. For example, Ireland is a member of the UN Security Council. If we set out our policy on the Israeli-Palestinian conflict or another issue on which we are entitled to set out our policy, it is possible that perhaps not even a nation state but a militia group within a nation state, may object to that and inflict collateral damage on national security by simply objecting to it. It is about recognising that reality and making the philosophical mindset shift towards the idea that we need to protect our national State, resources and sovereignty and then investing accordingly.
The biggest issue is the shift in the societal and political mindset towards the idea that national security is important and we have something worth protecting. Everything else flows from there. We have a national risk assessment which is updated regularly. We must look at that, because the risks were set out on that assessment. We need commitment from Government. It requires a whole-of-society commitment that is made collaboratively. Government, industry and citizenry need to do their bit. Once that mindset has been adopted and it is recognised that we must secure ourselves nationally, we need collaboration and alliances. If an attacker is projecting themselves from a nation state in eastern Europe, Asia or wherever it is, we will not solve that problem from Ireland. We will solve it through alliances with international governments, UN member states and international law enforcement, policing and intelligence. We need to try to build that consensus.
We have an awful street credibility now because we are suffering a catastrophic attack on our national health system. Looking at other countries that have suffered attacks, Estonia, for example, suffered a similar catastrophic attack against a wider set of its critical services in 2007. It came back from it stronger. It took the attack as a wake-up call. Now, it is one of the leading actors in the area of international law on cybersecurity. It built alliances, albeit typically with NATO member states, around protection. In respect of resilience, it has developed a clear strategy around delivering digital government to ensure that it is secure in the face of an attack by a nation state or criminals.
We should heed the wake-up call. We must make the shift in the mindset towards the need to ensure security and to do it right. We must adopt a very coherent and well-resourced strategy to deliver it and we must stick at it. We cannot just let this moment pass and move on with business as usual once the health system has recovered. We need to heed the wake-up call.
Mr. Pat Larkin:
I did a projection on a per capita basis against the UK, which has spent about €1.9 billion on its national security for the period 2018 to 2023. On a simple per capita basis, I would suggest that we need to be spending around €50+ million, just as an order of magnitude. It is the second or third time that the UK has made such an investment.
Mr. Pat Larkin:
Yes. The solution does not just reside with the National Cyber Security Centre. It is a point of focus and takes the lead, but it is way beyond that. The collaboration of society and organisations is required to fix it. In respect of magnitude, at least ten times the current spend would be required.
I have a brief question for Ms Carolan. She estimated that the salary for the vacant post of director of the National Cyber Security Centre should be in the order of €220,000 to €290,000, with benefits. It has been speculated in the media that the current salary for the post is around €89,000. Can Ms Carolan explain why she has recommended the salary of €220,000 to €290,000? That is a very high salary. Why does it need to be at that level? I also ask her to outline the type of candidate they are seeking to recruit.
Ms Bláthnaid Carolan:
That is an excellent question. All of the speakers today have set out the complexity of the situation, the challenge we face and the opportunity we now have to address and resource upwards with an expert in the cybersecurity field. The figures that I have quoted are based on my expertise of 15 years in hiring and recruiting in the technical space. I have built very strong partnerships with Ireland's top headhunters and business consultants, who run salary benchmarking and benefit data every year right across Ireland and at an international level, as needed. It is about keeping on top of what the market is telling us in terms of where we need to be at to draw the calibre of candidate to the roles that we are seeking to fill. There will be a huge span of responsibility for this role and that must be recognised. The person will be coming into a most complex situation. As the contributors have stated in respect of their vision for the role, it is about building something extremely solid. The role really requires a highly-qualified expert who can come in with the gravitas that is required to support the National Cyber Security Centre and to bring the accountability that is needed. It is a very high-level role. There is a lot of responsibility involved. It is about comparing what is out there and what other companies are doing. It is about looking at the private sector salary and benchmarking range.
Ms Carolan, I will let other members follow up on that.
I thank the speakers. I agree with what has been said. We have fairly conclusive proof, to the narrative that is out there, that we have insufficient capacity to deal with the situation we are in. Will Mr. O'Reilly and Mr. Larkin put starkly what exactly we are facing in terms of ransomware? I am talking about the number of attacks and the number of criminals we believe are operating in this situation.
Mr. O'Reilly spoke about the Colonial Pipeline situation. The big fear beyond even what has happened is the cyber to physical attack and us being wide open. As brutal and heinous as the attack on the HSE was and, similarly, the Colonial Pipeline attack, they were both high profile and some of these gangs may have bitten off more than they can chew. We all know there is a certain narrative that some of them might even be, as it were, semi-state operators, so there would be communications between states and these criminals, and maybe they have been told to rein themselves in. The fact is there is a threat and it needs to be dealt with. What exactly needs to be done regarding the threat facing us?
I would also like if Mr. Larkin could give a bit more information on the risk assessments. My fear is the NCSC, when it has a concentration on compliance, does not have the capacity to carry out that compliance and risk assessment, and then enforcement related to risk assessment is carried out on organisations that are of critical importance to this State. It is what we need from a point of view of protecting this State, as Mr. Larkin said, and then I have even heard a narrative in the past while that as we build that sort of capacity, we also need there to be an element of offensive capacity.
Mr. Padraic O'Reilly:
The Deputy has asked very good questions and I understand his concerns. Over 2020, the incidence of ransomware attacks increased by 311% and upwards of 350 million was paid out in ransoms, and that is just the disclosed stuff. The gangs are going nowhere and ransomware continues to be developed.
In terms of semi-state actors, when I was on television I was repeatedly asked, in terms of the states they are acting out of, who is responsible for this. It is something as a private citizen I am a little careful about but I think we all know they may be semi-state operators and, in that case, that means there is more will behind it. When it gets to cyber to physical, you would want to be very careful about the political terms you speak in, obviously. Cyber to physical keeps cyber professionals up at night. There was a lot of great research around it done in 2010 and they were looking at attacks that propagate over the generator systems and the like. Then, 2015 happened when we actually saw a grid go down in Ukraine. Those types of attacks are truly scary because they hit the national infrastructure.
In the States, we have a unique situation that 85% of our public infrastructure is in private hands. This is a very difficult situation to be in, largely because it is hard to impel some of those holders of that infrastructure to do the right things. We have some regulations in place to force that but we are struggling and scrambling at the moment. The Government has said all the right things after the Colonial Pipeline attack. We are now evaluating whether pipeline security should be the responsibility of the Department of Transportation, and we have six individuals in oversight there, so there is an analogue to some of what Ireland might be dealing with at the NCSC.
My company makes software. We benchmark organisations on cyber. We work across a large set of organisations. My perspective is we need standards. Compliance is important but it is just one aspect of the overall approach to cyber. I love the term "risk assessment" because it is the way forward. You have to identify and prioritise, and risk assessments do that. They also take probabilities into account. That is why information sharing is so important here in the States because we have to have better ideas of what the probabilities are. C-suites and boards will not invest if they cannot financialise the actual risk, but to financialise risk you have to have good data. These are important things to understand in the practice of cyber. Risk has to be understood. Compliance and risk are related. Talking about it more is getting the private and public partnerships going that will help to solve this long term.
Mr. Pat Larkin:
At an operational level in an Irish context, we have a security operations centre. Three years ago, ransomware for our clients, either the clients we have or inbound clients, would typically have been a once a week or once a fortnight event. It is now a daily event, so we are dealing with ransomware incidents and outbreaks daily.
Coming back to the previous speaker's point, it matches exactly with the profile of increase. Why? Because it is so easy to execute and it is so lucrative. It is industrialised now from a cybercriminal's perspective. There is a whole cybercriminal ecosystem. When we talk about one group perpetrating this attack, actually it is not one group. It is a whole layer of contractors and subcontractors who provide different ranges of services in perpetrating the attack and then liberating and washing the finances associated with it.
It is absolutely the case that, at an individual organisational level and at a national level, we all have to improve our cyberhygiene and beat the odds. It is like the physical security in your home. If you put a burglar alarm in, if you put gates and locks in, then typically the criminal passes by because it is more difficult to break into your house than your neighbour's. Unfortunately, you are trying to secure yourself so that you are at the smaller end of the probability scale.
I agree with the previous speaker's point: it is all about risk and mitigating risk. You can spend an infinite amount of money, resources and time delivering security and security technology, but the majority of it is inefficient if you are not deploying it against identified risk and mitigating that risk.
It comes back then to the broader agenda, where we need to lead as well, which is we have to change the game here. Internationally, you have to make the organisations perpetrating this type of activity pariahs. You have to make any nation states that are facilitating it or are ambivalent towards it pariahs and there have to be sanctions. You have to enforce it. At the moment at the UN there are still debates on whether cyber law is adequate and how we are going to deploy it and enforce it. Because this is a global problem, however, while we can secure our critical services, our organisations etc., infinite defence in its own right is not a strategy. The principle of defence, from my military days, is you defend and protect yourself long enough that you can launch a counter-attack. That is the argument for defence. If you are not in a position to launch a counterstrike against the people perpetrating this, then at some point they are going to get in. You can defend repeatedly but at some point they are going to get in, so we need a global consensus to say this activity is a higher order of crime, particularly when it attacks critical national infrastructure or health systems. It is not a financial crime; this is a higher order of crime.
Without being dramatic about it, there are adverse patient outcomes to what has happened in the health system leading to increased mortality. This is not a financial crime. This is a crime against society and a crime against people. You have to look at it as that higher order of crime and we have to mobilise the United Nations and people like that to say this is unacceptable, the people perpetrating this are pariahs, and we have to go after them, their assets and their infrastructure like they were narcoterrorists or international criminals. We also have to go after states that are ambivalent or are facilitating or perpetrating this as international pariahs.
I very much appreciate that. The witnesses got the point around pariahs. What we are talking about is illegal, international and technological capacity and the ability within even the State, while dealing with other people, to counterstrike.
I will ask a quick question about the FBI ransomware task force. We obviously need a greater level of capacity than that which exists in the NCSC. We need to look at the likes of this task force. What does Mr. Walsh think we need to do from the point of view of ensuring we have throughput of the skill sets that are required to do battle in this arena?
Mr. Padraic O'Reilly:
The FBI, in co-operation with 60 industry leaders, recently came out with a set of recommendations around ransomware. The main recommendation was not to pay the ransom. This is a long-term strategy to starve criminal organisations. I am in full agreement with the previous speaker that they need to be made pariahs. Their infrastructure was targeted during the Colonial Pipeline attack here. Our Government was not specific about that but it did not deny it and retweeted some of the stories about the service being taken down. There was a bit of a scramble then from the criminal organisation with respect to what it had done and the consequences.
The ransomware task force is coming out with a framework to deal with ransomware. The framework is going to be modelled on the cybersecurity framework. I am a big believer in gold standards and best practices. I heartily support such a task force. Public-private partnerships are how progress has been made in the cyber area of late.
Mr. Paul Walsh:
I thank the Deputy. The challenge is that we have seen an explosive growth in this sector. Ireland has positioned itself as a world leader, in a sense, with all the top technological companies, including multinationals, based here. We are now augmenting our hiring needs by bringing in people from outside Ireland to fill some roles. That is working but we also need to focus on the pipeline. That starts at primary and secondary school levels through creating awareness around security. That has a twofold benefit. It helps to attract people into the industry and makes students more aware of protecting themselves from online security risks. That, in turn, can benefit society in general.
We must create more interest in this area in schools and call out the opportunities that exist in cybersecurity because it is a broad sector with many different aspects. This rewarding and challenging area offers young people tremendous opportunities to have fulfilling careers. We should create more graduates with cybersecurity expertise, more masters programmes and more research and development. There are some top-class research teams in the country, both in industry and academia. We should try to connect these organisations to focus on research projects that create more security for companies, organisations and the State. The situation is not going to change quickly but we must put a focused effort on making it more attractive. Computer science as a subject in the leaving certificate is critical, as is creating modules around cybersecurity in all software development courses in universities. That will help. However, there needs to be more of a focus on creating more opportunities and programmes in addition to what we have today.
We will be following up on both of those matters. The capacity review is under way and we will consider the public-private element. We look on this as a body of work so we will obviously be coming back to this particular issue. The witnesses have been great.
I thank all our guests for being here. We consider this to be a relatively new area but, realistically, I am of an age that I remember movies such as "War Games" and "Die Hard", in which air traffic control systems were being taken down and nuclear missiles were going to be launched by ten- and 12-year-olds. This topic is not that new even though it is now on our doorstep to the extent that we are unable to find out the number of Covid-19 cases per day or get updates on the level of vaccination. We are not able to e-mail the HSE or the Department of Health in the way we normally would. Technology is everything to us now, as demonstrated by how this meeting is being conducted.
I am aware that Estonia became a very digital society when it became an independent state in the early 1990s. I do not know if it is an example of best practice in terms of combating cybercrime. Are there any examples we can follow? We will probably not hear about companies that do badly but are there companies or countries from which we can learn, that can tell us the way we should be going?
The conversation today has been useful in raising and outlining the expectations of these roles. The market is the market but the idea that somebody is going to be paid more than the Taoiseach in this role is probably something that Irish society in general will find a little difficult to process initially. However, the cost of tens of millions in lost revenue because of hijacking and the need to rebuild systems is much greater. However, one individual is not going to change this situation. Is there a roadmap? We can hire somebody and spend three, four or six months getting the best person in the world and paying them €250,000 a year or whatever it is, but what is the roadmap? The situation changes all the time and these criminals only have to be lucky once. We have brought our expert guests here today and I thank them for their statements. Where do we as a country need to go from here? It is obvious we need more people and training. There are 60,000 people involved in dealing with cybercrime on a daily basis in Ireland, a figure that surprised me. I am looking to our guests, as experts in the area, to tell me what we as a country need to do in the next month, the next six months and the next five years. We can spend and recruit more but what is the roadmap?
Mr. Pat Larkin:
In response to the Senator's initial question, there are three countries that are notable. Estonia, as the Senator pointed out, had a compelling event and responded appropriately, as he has outlined. Estonia has become a recognised centre of excellence. It has adopted the strategy that it must survive particularly malevolent state action, and maintain society and the delivery of digital government in the event of a significant attack or influence. Estonia is a base model.
The UK has probably come back to its national cybersecurity strategy two or three times but has made considerable progress this time around. The cyber tsar it has put in is a recognisable individual, Mr. Ciaran Martin, who has added an awful lot of coherence. He has added coherence in overall policy. The UK has engaged in things such as active cyber defence whereby not only is it sitting in defence but it is targeting and taking down malicious domains and sites within its organisation in order to improve the cyber hygiene of government across the board. The UK offers services that various public bodies would use, etc., and provides a significant level of investment. There are lessons to be learned from how the UK has approached this matter the second or third time around.
I appreciate there may be reservations about other aspects of its society but Israel has done well from a cyber perspective and we should look at that. Israel has imperatives around foreign policy and national security and it has, therefore, delivered a collaborative approach between the military and society. I accept it is a militarised society and there is, therefore, an acceptance that cyber is an important pillar. From a government perspective, Israel has led initiatives such as thinking outside the cyber box, etc. There have been huge levels of innovation.
I was part of a buying mission when I was in the Defence Forces back in the late 1990s and I saw that level of collaboration between industry, users and military where literally some industry players had co-resident development ongoing with the military and the military was consuming their development of technology and then using that to export internationally. In terms of a security imperative and a collaborative national approach, Israel is an example, appreciating all the other reservations about policy and everything else that is going on there. Those are three examples we could look to build a collaboration, to create the cyber tsar and the leadership and from a national imperative to digital society to survive malign foreign intervention.
On the roadmap, Mr. Larkin was talking about the best countries we can learn from. I do not mind whether Mr. Walsh, Mr. O'Reilly or Mr. Larkin answers this. Let us say as a country we recruit a chief cybercrime guru, tsar or whatever we want to call him and he gets a budget of even ten times the €5 million we have currently. Where do we go from there? Mr. O'Reilly might give us an American perspective.
Mr. Padraic O'Reilly:
Certainly. The Colonial Pipeline attack expedited some things already under way in our government. I would second all the things the previous speaker said with respect to best practices. We still have challenges in the States. We spend quite a bit more on cyber, something like €20 billion per year. We have a lot of very good standards and organisations which generate such standards. The National Institute of Standards and Technology, NIST, does a fine job and the federal government does baseline itself regularly. That said, many challenges remain.
With respect to best practices, the committee could certainly look at the executive order just released from the White House. It is pretty comprehensive. The emphasis is really on information-sharing, to some extent, and on changing the acquisition contracts around companies that do business with the federal government. That emphasis is really around information-sharing as well. One of the big problems in cyber in the States is visibility into true risk. Frequently there are these informational problems; companies are not reporting what is happening to them as there is an incentive not to. However, fresh air is the best disinfectant. When I was asked about this issue recently, I basically said it is hard to do risk assessment if one does not have complete data sets. I hope to see from our government more emphasis on actually generating quality data sets with respect to risk because that will help governance structures make the improvements they need to make. I re-emphasise that the executive order is a real fount for best practice. I revisit it every day. Newspapers call me every day to talk about it. Its first recommendation is an interesting one; it suggests organisations should ensure logging practices are being done properly. There is a set of maybe ten things that can be done across the board, that are not prohibitively expensive, that can be measured, around which metrics can be put, and can get the critical infrastructure or the essential services sector on the right path.
I thank all the witnesses. This is a very valuable meeting and I thank the Chairman for organising it. Regarding our own State's response to this whole cyberattack and our cyber ecosystem in this country, what type of investment is required where personnel and infrastructure are concerned? What should it look like in Ireland? I noted Mr. Larkin said the UK is spending ten times more per head of population on a similar system. Therefore, what should it look like here? What type of form should it take? I noted Mr. O'Reilly said big wins have been made when there is collaboration between public and private and we can see in this attack that basically what is happening behind the scenes is that there is a collaboration between public and private to try to come up with a response to deal with this.
Ultimately, there must be a very strong global response to cybersecurity because when all the different countries are doing their own things, these criminals are preying on countries and their weaknesses and we have been exposed in this. It is desperate to see the fallout of these criminals preying on vulnerable sick people in our health system and to see the impact that is having on the ground is truly shocking.
Mr. Pat Larkin:
I thank the Deputy. Very quickly, first and foremost, I suggest a very clear commitment from Government to say national security, cybersecurity is important and therefore we must move nationally from immature to optimised. A very clear statement around that would be good. There is a national risk register which I think is conducted by the Department of Defence. Taking the risk-based approach is looking at the risk register and then building strategic, tactical and operational mitigation of that risk with a commitment to it. While we are talking about budget and spend, it is wasted unless it is mapped and used in terms of strategically-planned risk mitigation approaches. Therefore I recommend a commitment from the Executive to say national cybersecurity is important and that we are really going to focus on improving it. That feeds down to co-ordination at a central level. What we do not want is turf wars and silos within Government so somewhere, maybe under the National Cyber Security Committee, NCSC, or under the Taoiseach, it needs to be co-ordinated from a national security perspective, with the cybersecurity pillar underneath that to drive it. One then uses resources like the NCSC to provide leadership and governance, particularly of critical national infrastructure services, and one uses the standards and frameworks that are there, namely, those of ENISA, the International Organization for Standardization, ISO, the NIST, etc.
The genesis of the collaboration piece has already been started. Cyber Ireland, which I should declare I am a board member of, along with Mr. Walsh and Dr. Byrne, is perhaps the genesis of this. I say so because it has an economic agenda, which is about creating the ecosystem of industry, academia, research and Government, so it is further support for that. The IDA and Enterprise Ireland are already supporting that and it will, in some respects, create the talent pool, industry imperatives, etc. Out of the national security plan, all of that is key but then we must build indigenous capability. It is then about bringing all the resources of the State and their tasking up to date, by which I mean mandating police to police cybercrime and State security, and mandating the Defence Forces to build capability. On that, I know, just colloquially that in some respect the Defence Forces have been restrained and contained in terms of the cyber role. There is an opportunity there for every soldier to be a cyber-soldier, for argument's sake, from an innovation perspective, because they have a training mandate and then they would bring huge national resources in aid to the civil power to all the rest of the authorities on a crisis basis. Thus it is about innovation, about taking the imperative from the top down to say this is really important, we need to solve it, we need to improve it and then all the strategy and resources flowing from there.
Dr. Eoin Byrne:
I thank the Chairman. To respond to the Deputy's question and build on Mr. Larkin's previous point, there is an opportunity here to build on public-private partnership and we have started that already with Cyber Ireland, the national cybersecurity cluster organisation which is aiming to bring industry, academia and Government together to address specific challenges for industry but also for national security as well. It developed out of addressing the talent and skills shortage and a lot of the challenges have been clearly identified there already so I will not go through them again. It is also important to say there is a huge amount of work already being done in growing home-grown cybersecurity talent in Ireland. We have programmes there supported by Government, which are training up 5,000 professionals in cybersecurity skills all across different areas of the economy.
Fourteen new courses in cybersecurity were funded by the Government last year in our higher education sector. A cybersecurity apprenticeship programme is producing entry-level graduates for the sector, and just last year an €8 million project was funded under the Higher Education Authority human capital initiative, which aims to produce hundreds of new cybersecurity graduates. That is being led out of Munster Technological University and four other academic institutes. Cyber Women Ireland is addressing gender diversity, while other groups are looking at career promotion for secondary school students. We are involved in the cybersecurity academy and have summer camps for internships. A lot is being done but there is a lot more we can do. In the UK, for example, there is the CyberFirst programme for secondary school students and the US has cyber ranges, or virtual training facilities, to provide cybersecurity training and education to secondary school students, third level students and citizens.
Another key point is that one of the reasons for developing Cyber Ireland was the current low level of collaborative research and development between industry and academia. This is a severe challenge because there is currently a fragmented approach to cybersecurity research in Ireland, whereby academic and research entities are trying to address these urgent national scale cybersecurity challenges through a disconnected or small-scale response. We need to look at developing a national cybersecurity research centre to address this challenge. There would be potential to develop cybersecurity research solutions that could have sectoral applications for areas in which Ireland is already a leader, such as manufacturing, processing, the biopharmaceutical sector, industry 4.0 and so on. There is also-----
We are caught for time. That national cybersecurity centre is something in which we would be very interested so I ask Dr. Byrne to provide the committee with a submission on that topic. Three or four members are indicating, and with Covid restrictions we have to be out of here at a certain time. I apologise. We will come back to it at a later time.
Given the time I will not take the full seven minutes. I thank the participants for sharing their expertise and insight. Everything we have heard this morning highlights the magnitude and complexity of the problem. When it comes to cybersecurity it is quite obvious at this stage that Ireland left the front door and the back door open. We are now reacting to fix the damage. The damage is done and I have no doubt that our complacency will cost us dearly. Dr. Byrne spoke about what has been done in recent years. The HSE is the biggest organisation in the country and handles billions of euro of taxpayers' money. Why was it so complacent and so outdated? Why were its defences so weak? The reason it was attacked is that it was obvious it was vulnerable and open to an attack. From a technical perspective, why were the Department of Health and the HSE so vulnerable?
What would be involved in putting in place a defence mechanism? We have heard we should be spending in the region of €50 million, but if we had the budget and the personnel to put the infrastructure in place, what timescale would be involved in bringing it up to an acceptable standard?
Data are valuable and very personal to every individual. There is an opportunity here for a double ransom, that is, one ransom from the HSE or the service provider and another from the individual. What has happened in the United States as regards GDPR and the duty of care of the provider? Has that not left states and their agencies open not alone to ransom but also to legal actions?
Mr. Padraic O'Reilly:
GDPR has not quite taken the same foothold in the States as it has in the EU. Jurisdictionally it is not something a lot of American companies would concern themselves with and certainly not as regards localised health concerns. We have a very distributed healthcare delivery system so it is quite different from Ireland's institution at the moment. Some states have been frustrated by federal inaction on privacy regulations and have put their own standards into place, such as the California Consumer Privacy Act, CCPA, and other states have followed suit. As a means of enforcement, fine delivering bodies have taken a bit of a hold here in the States but I do not know that I have seen the impact across the healthcare delivery system in the States as of yet. We have a very distributed, privatised system.
The Colonial Pipeline attack is a unique case study in how having public infrastructure in private hands goes quarter to quarter in terms of investment. A longer term capex is required with respect to mandating standards and the like and tying the performance around measuring risks and standards to actual numbers and analytics in order that organisations can make decisions about how they go about remediating. If there is no way to measure it and if companies are just doing one-off risk assessments yearly, the data will be a year old when they revisit the issue and do the analytics, and in some respects they will be useless.
Our private sector has done brilliant things in cyber. Like Israel, for example, we have many tech start-ups that do incredible things such as endpoint detection. I have a partner company and some of our investment group has invested in Virsec, which does ring-0 malware detection and looks at memory protocols, effectively killing around 100% of attacks. There are brilliant solutions in the private space but there has just not been enough co-operation to date between the public and private sectors. That company was founded around the cybersecurity framework, which was a consortium of 3,000 industry experts in co-operation with NIST. It is initiatives like that that drive more and more co-operation between the private and public sectors. The public sector is great at certain things and the private sector is great at certain other things. That co-operation is needed to get the synergies and efficiencies going forward.
Mr. Pat Larkin:
On average, to rebuild from a ransomware attack in totality takes weeks and months. Critical systems will be back up quite quickly but our experience is that, for six or nine months, people will still be dealing with the fallout of a significant attack, whether that is ransomware or other types. Expectations should be set around that. The cost associated with it is ongoing.
It is important to take the lessons learned here. As part of any systemic review we should be focusing on the lessons learned and then building those in as improved controls and governance structures to try to prevent such things. We should also be sharing that intelligence. Some of these lessons would apply across healthcare but there are also lessons that would apply across the whole country and globally. I have long advocated that we take an aviation approach to cybersecurity, which means disclosing, investigating, systemically taking the learnings, re-engineering them back into the impacted systems and standardising. That is the approach I would advocate.
As regards building a strategy and defences, this must be looked at collectively and not in a manner specific to the HSE or any other organisation. Collectively, we are trying to move from an immature system to an optimised one and that programme of work will take five to ten years. That is a strategy we need to adopt as well.
I thank the Chair. Based on what is being said today, I would be interested in Mr. Larkin's, Dr. Byrne's and Mr. Walsh’s comments on Ireland’s significant lack of a security culture and awareness. It may well be based on an insular and naive belief in goodness and the lack of interest in security and defence issues. The lack of interest leads on to an ostrich-type smugness, which has led us to the dangerous situation that Ireland finds itself in today. Security and defence are one and the same thing. I know that Mr. Larkin was a member of the Defence Forces. The Defence Forces provide 40-odd security outputs for the State, of which most politicians and civilians are totally unaware. On the running down of the Defence Forces and particularly of the two absent seats on the National Cyber Security Centre, NCSC, is that something that we need to address fairly quickly?
I thank Ms Carolan for her submission this morning. She has sent shockwaves through the entire committee, with salaries ranging from €220,000 to €290,000 and bonus payments, with benefits. However, if we take it the head of the-----
I thank the Chair. The head of the HSE is paid €420,000 so the €290,000, which Ms Carolan is suggesting, is not extraordinary by any means. However, it is Ms Carolan’s view that we in the public sector have to compete with the private sector for the people we are looking for. We do not pay bonuses in the public sector. Does this mean that the base salary will have to be even higher than what she is suggesting?
I thank Mr. Walsh and Dr. Byrne from Cyber Ireland. On the development of cyber at junior certificate level, it has always been a regret of mine that Ruairí Quinn's programme was not embraced when he brought it forward to develop education, even though I was the president of the union that stopped it. I believe that we need to develop this. I am interested in what Dr. Byrne has to say about the apprenticeships, but I think we are going to find ourselves tight on time.
Some countries in Europe, particularly some of the Nordic countries, moved to open source software in the late 1990s and early 2000s, as far as I am aware. If we had open source software that was bespoke for the purposes of each Department, would it be a safer type of platform, rather than purchasing what is commercially available?
Finally, I have some quick points. I assume the National Cyber Security Centre would be probing organisations throughout the country all the time. Mr. O’Reilly and Mr. Larkin might want to come in on this. Should there be sanctions against a company that fails, particularly against a semi-State or State organisation? There are stories coming out of the HSE about computer monitors with passwords taped to the monitor, so that people can have quick access. It is not just about sitting in an office on cybersecurity; I would think it is a pro-active move throughout an organisation.
I think Mr. Larkin mentioned foreign direct investment, FDI, risks. Would he care to quantify the type of risk we are exposing ourselves to? We have so many organisations here.
Finally, with respect to a cybersecurity centre, which Department should it be under? Should it be under the Department of Defence or the Department of Justice? Is it fine where it is, under the Department of the Environment, Climate and Communications?
Mr. Pat Larkin:
I thank the Chair. In terms of the FDI risk, we need to be aware that as organisations look to locate in a country, they assess the good business environment, the access to talent and resource pools and then the security of their investment. That is the kind of criteria that they use.
We brief boards regularly. On the foot of this event, I have had a number of requests for briefing, including from one large natural resources company. The nature of the briefing is such that they are looking to assess whether this was, in our opinion, a nation state attack and what is the state of national cyber defence, etc. I think that there is a heightened awareness. I do not know that there is any imminent, per se, or immediate risk. We have to look at it as a long game. The long game is that we have to build strong, mature, optimised cybersecurity capability, to protect all the resources in the State. If we do that, then we will continue to attract FDI and retain it. That is why Cyber Ireland is so intrinsically important to this whole strategy.
In terms of the location of the NCSC, in some respects, it is as appropriate where it resides as anything else, provided that the national security governance and commitment is joined up. That needs to come from the centre of Government, somebody who can drive that strategy into all parts of Government organisation.
In terms of sanctions, blaming the victim is perhaps unhelpful here. We do not blame homeowners when their houses are burgled. We point to them where they could improve their security, etc. Blaming the victim, in some respects, creates a perverse incentive for the ransomware attackers because, if we blame the victim, then there is an increased incentive not to disclose and pay. I think we have got to move to a mindset of supporting and getting the victim to improve their security. There will not be a healthcare professional working in the health system who will not be traumatised by what has happened, between Covid-19 and ransomware. I think we will get goodwill. A compelling event like what has happened - disastrous as it is – is quite often, if used positively, a good spur to drive improvement and to gain buy-in to improvement. If it is a stick-only approach, one will achieve very little progress.
Ms Bláthnaid Carolan:
I thank Senator Craughwell for an excellent question. This is an exceptional role and I have no doubt that from time to time in the public sector, as in the private sector, there are exceptions. In my language, there is an exception to every rule. We really need to make it attractive in order to attract and retain the right person in this role. Maybe we might look to the National Treasury Management Agency, NTMA, which applied private sector packaging towards hiring particular key talent, albeit within the public sector, and possibly apply a model akin to that.
Dr. Eoin Byrne:
I thank the Chair. The Senator’s question on a security awareness programme on a national level is an incredibly important point. It is being used throughout Europe and internationally to raise awareness of cybersecurity. I think it is important that we tell a story of the impact of cybersecurity on society and start a national conversation around cybersecurity. That needs to be funded appropriately. The NCSC has a national cybersecurity awareness programme that runs in October, in line with the European cybersecurity month, which is run by the European Union Agency for Cybersecurity, ENISA.
There is also a role for Ireland to play within Europe for cybersecurity. Just this morning, there was a European Commission workshop on the establishment of the European cybersecurity competency centre, which is looking at supporting indigenous European small and medium-sized enterprises, SMEs, to develop, to innovate, to grow and to compete internationally, while also building Europe’s cybersecurity posture and strategies. There will be national cybersecurity co-ordination centres set up as part of this European competency centre, so Ireland would be setting up one of these. That needs to be set up within six months of the European competency centre, which is being set up in Bucharest in the coming months. There is a decision there on whether Ireland wants to lead the way in setting up its national co-ordination centre or whether it wants to wait and see what other organisations and member states are doing.
In relation to the junior certificate programme, there is already work being done by the NCSC in developing a junior cycle programme in cybersecurity. I think it is piloting that next September for transition year students. Definitely, as part of the leaving certificate curriculum, it would be important that the computer science module would have a cybersecurity element to it.
The apprenticeship programme is providing entry-level graduates to the sector. There are a number of conversion courses as well that have been taking people who have become unemployed-----
I thank Dr. Byrne. We have to be out of here just after 11.35 a.m. and we have one more contributor. I apologise for curtailing your contribution.
Deputy Crowe, I am going to give you seven minutes. I am going slightly over the time, but I think it is only appropriate.
Not yet, anyway.
One of the take-home points I took from the presentation this morning was that cybercrime has now overtaken the illicit drugs trade worldwide. I thought that was very alarming. It gives some context to where everything is at. This is a form of attack. Our country has been under attack for the last week and a half. It is a new form of warfare, where a country is laid siege to by another entity. I want to ask a question that has not come up so far. It concerns me that it is going to take us, as a nation, five to ten years to get to full capacity to fight back against cyberattacks. In that time, things will have shifted hugely. We may get to the finish point and yet find that the whole world has changed in that interim period.
The other thing that struck me was that this form of attack is, as I said, a form of warfare, but we are a neutral country, militarily. However, when it comes to cyberattacks, this is a global problem. I put the following question to the panel. Do we really need to go so far to create our own competency to fight cybercrime, knowing that other countries spend far more than us and knowing that their systems are far more advanced than ours? Is this something where we should cede some of our cyberneutrality and ask another country or entity that has a greater capacity to fight this off to support us in that regard?
This happens very often in the military sense, where countries build alliances. Ireland is small. Our capacity will take five to ten years to build. Our neighbours in Britain spend ten times more than us per head of population fighting cybercrime. I would like to ask Mr. Larkin whether there is a logic and any precedent in terms of other countries leading in respect of the fight back in this regard.
Mr. Pat Larkin:
I thank the Deputy. There is a need for collaboration and for not reinventing the wheel. We need to have indigenous capability. We may use tools, resources, etc., from collaborative alliances, allegiances or whatever one wants to term them. We are not going to fight this on our own, but we need indigenous capability, first and foremost. I do not think we could depend on others because alliances will change. We need indigenous capability. However, in order to be successful, we will have to partner and have alliances. Those alliances may not necessarily compromise our neutrality. It is collaboration that will happen between police forces, defence agencies, intelligence agencies, peer-to-peer, the National Cyber Security Centre, industry and academia.
In terms of staying current and the Deputy’s point about the investment we are making, it is a very agile approach. Something like the National Cyber Research Centre and the drawing together of the research and development strands is absolutely critical to leading and to staying current. Integrating that into the whole approach is very important.
I understand this does not come under the realm of Interpol. This does not fall properly into the realm of military alliances. While we may be militarily neutral, we are certainly not neutral in this regard. I would say that in a five to ten-year period, as we try to build up an indigenous capacity, we should be leaning on all supports. I do not care where we go in that regard. Once they are nations that have a capacity to help support us and have a system superior to ours, we should lean on them as much as we can.
Some 14 months ago, before being elected to the Dáil, I was a primary school teacher. In every primary school, there is a vertical axis in the principal’s office. There is a computer that is networked all the way up to the Department. It would hold a lot of sensitive data. However, if one goes into all the classrooms, one could have a Windows 95 or Windows 97 laptop, which is linked back to the principal’s office. This would be typical of every school in Ireland. There is a real chink in the armour there. If one were to get into a teacher’s laptop at any time, there would be everything from tests to assessment data. There could also be very sensitive information. That is just in education. It is probably replicated in the small two- or three-garda Garda stations in rural Ireland or in the local health centre run by the HSE. We probably have fairly robust systems in the central vertical axis of organisations, but it is far weaker as one moves out. I would like to ask Mr. Larkin whether the chink in the armour is those outposts of State organisations and Government agencies.
Mr. Pat Larkin:
I do not think so. The chink is perhaps everywhere. The Deputy is right that we need an approach that secures the citadel, the critical parts of the network and where the data resides. Realistically, and without being alarmist, the reality is that in every part of infrastructure, power, utilities, etc., one will find laptops and operational technology, OT, devices that are perhaps not appropriately controlled or secured. That relentless risk assessment and information security management is trying to identify those points on highly secure, highly critical networks as much as less-secure peripheral networks, to find those vulnerability points and those weaknesses and either secure or remove them. Our experience would be that at the centre of some of the most sensitive and eye-rollingly scary environments, we will find the same weaknesses that the Deputy just outlined. There will be relatively insecure or uncontrolled devices creeping onto those networks, producing a vulnerable point by which those networks can be compromised.
Mr. Pat Larkin:
In our experience, when the ransom is paid, they give the keys. The keys, as we see from what is going on in the Health Service at the moment, are just the beginning of a journey of pain to recover data and systems. It is not necessarily always instantaneous to recover those. The ransomware business model, in general, depends on the ransomware providers doing what they say they will do. It is a business model, in inverted terms. Therefore, if they do not release the systems, they do not get paid. The model usually is that they do what they say they will do, because if they do not, then they do not have a business model.
Mr. Pat Larkin:
I would suspect – and this is speculation in general points – that these guys typically do it for a business reason. The reason that one could speculate more generally as to why they would do this is perhaps political pressure. If they are operating from environments where there is ambivalence towards them, perhaps they have broken a norm. In general terms, if they were attacking a non-aligned, more neutral state, with whom perhaps the state in which they operate might not necessarily have an axe to grind, it may be that they are taking the heat off themselves. It may be that they have made a decision to say that, for argument’s sake, the extorted is not going to pay and, therefore, they still can monetise this by virtue of selling the records on the dark web. That is still quite lucrative. There is much data out there that the price of these records is dropping in the marketplace, but in general, it is still quite a lucrative form of additional pay to the business model.
I will take a general posture and say they do it for a business reason. The business reason, generally, may be expediency. It may be that they transgressed a line. Many of these ransomware providers make sure that their software does not attack the states in which they operate. Quite specifically built into the engineering of the software is to look and see before they attack, just in case there is inadvertent deployment or collateral damage deployments, and that they do not attack the environments that are ambivalent to them or in which they operate because obviously that brings heat on them.
That is general speculation but I have no knowledge as to why they would have-----
Mr. Pat Larkin:
It is still slow; it is not instantaneous. It would definitely assist if there were data compromised for which there is no viable backup. If the keys are not a trick or duplicitous, there is potentially a model by which data that are not otherwise accessible can be recovered. With regard to the restoration process, the technology that these guys provide is slow by default, particularly where the operation is at scale. A recovery-and-rebuild process has to be undergone anyway. It is a question of whether restoring the data from backup, assuming the HSE has viable and accessible backups, is more efficient than decrypting the systems in play. In most cases, it will not be a job of simply decrypting restore systems.
To be cynical, is it a way for the cyberpirates to let the HSE know the amount of data they have secured? Would the HSE know from the key how much data the criminals have been able to take from its system?
Mr. Pat Larkin:
To speak in general, I do not believe that would be a motivation. At this stage, most organisations with good investigative powers would have determined what was left and probably would assume the crown jewels are gone. That is a good general assumption, particularly if criminal organisations have been in a long time and have done the appropriate surveillance. In general, they would probably have what they want. I am not talking specifically about the HSE. I do not believe providing keys would do as the Chairman described. Providing the keys, in general terms and not specific to the case in question, may be a business decision to take-----
Mr. Pat Larkin:
Or maybe one could refer to the goodness of humankind and say crippling a national health system was an unintended consequence and that the criminals are trying to row back from that. That assumes these guys have a conscience but it is better to operate on the basis that they do not and that their activity is strictly based on a business model.
Mr. Pat Larkin:
In general terms, it would not be the business model. The business model might be to try to take heat off the operation in the sense of its being seen to have goodwill, although its model is still monetised. They still have to deliver on what they say they are doing. The threat still has to stand in general terms for the business model to work. The threat of the data being inaccessible or of leaking needs to exist. For the business model to be credible, they have got to deliver on their threat; otherwise, it is a false threat.
Mr. Pat Larkin:
In general, if healthcare data are liberated, they are valuable to the criminals who use them. In general, if a ransom is paid and the business model does not stand up owing to data being liberated subsequently, it is an issue for them. In general, if a ransom is not paid, an organisation will not deliver the encryption keys. In this case, it seems that they have. Again, I say that with caution. Again, in general terms, if there is a threat to leak data, it needs to be delivered on for the criminals' business model to stand up.
I thank the witnesses attending today's engagement, namely Mr. Larkin, Mr. O'Reilly, Ms Carolan, Mr. Walsh and Dr. Byrne. No doubt, this is a subject on which we will follow up with them and their colleagues. The issue of cybercrime is probably one of the greatest threats to Ireland at State and business levels that we have seen in our lifetime. As a committee, we are going to do a body of work on it and feed into Government policy. For every man, woman and child, there is a worry. We need to have absolute security, and that is a matter of investment and collaboration at public, private and international levels. I thank everybody.