Oireachtas Joint and Select Committees

Wednesday, 1 December 2021

Joint Oireachtas Committee on European Union Affairs

EU Cybersecurity: Discussion (Resumed)

Ossian Smyth (Dún Laoghaire, Green Party)

We have discussed cybersecurity in a number of different contexts before and also on the floor of the Dáil. Deputy Ó Murchú asked about the capacity review. We published the executive summary and we will publish the entire report in a redacted form before the year end. I will share it with this committee as well. I commit to that for a start.

The question about other member states having a much larger number of operators of essential services, OESs, is a reasonable one to ask. We have chosen as a national strategy to focus on a smaller number of OESs and to do that in more depth. The NIS 2 directive is coming and I expect to be in Brussels on Friday negotiating this with other Ministers. Part of the NIS 2 directive is to extend the number of OESs to a much broader sector. Basically, everybody within the sector that is above a certain size will be included. A set number of sectors are included and defined as being OES sectors and every company in that sector will be considered an OES if it is above a certain size. As I understand, that is the proposal at the moment. That would lead to a much larger number.

Deputy Ó Murchú mentioned a secure by design approach for software developers. It is true that we need to design security in from the start. It is not something that should be retrofitted afterwards, or it is much more expensive to do it that way and less effective. I agree with that point. It comes down to there being an education part and a standards part to that as well. In fact, the Deputy may have noticed that yesterday the National Cyber Security Centre published its baseline security standards for public sector bodies and that provides very clear guidelines and a checklist they should all be doing already. This is a very clear and accessible guide for anyone who is running a public sector body and wants to know that the IT security manager is doing what he or she should be doing. Managers can ask if they have identified the key assets to protect, if they are being correctly protected with firewalls or other virus protection, if an intrusion detection system is in place, and if there is a plan for how to respond and how to recover based on disaster recovery. It is very clear and straightforward and is based on the National Institute of Standards and Technology, NIST, in America. Did I miss something the Deputy asked me about?