Oireachtas Joint and Select Committees

Tuesday, 23 May 2023

Joint Oireachtas Committee on Foreign Affairs and Trade, and Defence

Engagement with the National Cyber Security Centre

Barry Cowen (Laois-Offaly, Fianna Fail):

Apologies have been received from the Cathaoirleach, Deputy Flanagan, and Senators Joe O'Reilly and Ardagh regarding their unavailability. This meeting is a continuation of a series we have been having on the issue of cybersecurity. Today, we will discuss the work of the National Cyber Security Centre, NCSC. With us from the organisation are Dr. Richard Browne, director, and Ms Kerry-Ann Woods, head of the project management team. They are both very welcome.

The format for the meeting is in the usual manner. We will hear an opening statement followed by a question-and-answer session with members of the committee. Members will have the opportunity to participate thereafter. We also have Brendan Ring from the engagement team within the National Cyber Security Centre online.

I remind witnesses and members of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable, or otherwise engage in speech that might be regarded as damaging to the good name of the person or entity. Therefore, those making any statements that may be potentially defamatory with regard to any identifiable person or entity will be directed by the Chair to discontinue their remarks. It is imperative that they comply with those directions.

For witnesses attending remotely outside the Leinster House campus, there are some limitations to parliamentary privilege and, as such, they may not benefit from the same level of immunity from legal proceedings as witnesses physically present do.

I call Dr. Browne to make his opening statement please.

Dr. Richard Browne:

Good afternoon. I am the director of the NCSC and I am accompanied by my colleague, Kerri-Ann Woods, who is the head of the project management team in the NCSC.

The mission of the NCSC is to lead in enhancing the security of essential network and information security systems in the State against cyber threats, facilitating a free, open, secure and stable digital ecosystem for the people of Ireland. We achieve this mission by a number of means, including by actively detecting and defeating cyber threats targeting critical infrastructure and critical networks in the State, leading the national cybersecurity incident response process and reducing risks to the State's critical infrastructure by strengthening its resilience. The NCSC also has a series of new roles around capacity building in the cybersecurity sector in Ireland and in setting certification standards.

I wish to speak about three things. I will talk about current global state of affairs in cybersecurity and the risk level that it presents to this State. Then, I will talk about the work of the NCSC and how our capability is continuing to develop and our evolving role in defending the State against risks and threats in the cyber domain. Lastly, I will talk about the future, including future European legislation and the future political, economic and security challenges that we will almost certainly face.

To begin with, and reflecting on more than a year of the most recent Russian invasion of Ukraine, a number of things have become evident. The first, as was widely predicted before the event, is that cyber remains a key tool in the armoury of any state wishing to conduct offensive military action. The second thing is that, in this case, these attacks have been largely inconsequential in respect of the overall Russian military effort. There are three primary reasons for this. The first of these relates to an innate characteristic of cyber as a means of force projection. It is simply less effective as a destructive tool than many commentators have allowed for in recent years. The second reason is that Ukrainians were ready because they had endured years of similar offensive actions and because they already expected an attack. They have also taken and continue to take significant measures to protect themselves from the consequences of these activities. Lastly, Ukrainians have also benefited from massive external support from public and private organisations on a global basis, including the NCSC.

There have been some notable implications for cybersecurity in the rest of Europe as a consequence of the conflict in Ukraine also, of course. Some of this relates to the ongoing risk of spillover in the cybersecurity domain, as has already happened to a limited extent in the Viasat incident. There has also been an ongoing and persistent series of so-called "hacktivist" attacks, which have extended over the vast majority of EU member states, including Ireland. These attacks have primarily been distributed denial of service, DDoS, type attacks and have caused little to no disruption to services. They do, however, indicate the existence of an organised campaign to harass service providers in Europe and a willingness to at least tacitly threaten further action against European infrastructure operators.

As ever, of course, the most pressing risk to services, businesses and infrastructure remains ransomware. This is now a highly-evolved, vertically-integrated industry with a significant number of well-capitalised and well-organised criminal groups conducting attacks on an ongoing global basis. Furthermore, this criminal ecosystem, which also includes a vast amount of cyber-enabled fraud, is evolving extremely quickly, developing and sharing new tools and techniques very rapidly.

There are, however, some reasons for guarded optimism at this point. Better international co-operation, particularly around intercepting these groups' revenue and targeting their core infrastructure, has seen some of the major groups fracture in the past few months. Also, it appears that the percentage of victims who were paying ransom continues to fall, at least partially due to the fact that victims are now more resilient. Critically, and this cannot be overstated, none of these groups, despite their capabilities, are unbeatable. Sensible resilience measures can dramatically reduce the likelihood of being targeted and can reduce the seriousness of impact if you are targeted or make it far easier to recover even if you are hit.

Moving on to the work of the NCSC, it is worth reflecting on the July 2021 Government decision on the future of the NCSC, which was based on a very detailed capacity review of the organisation, including setting a trajectory on staffing and technology development. The contents of that decision continue to be delivered, and in fact exceeded, with a technology strategy developed last year and the very significant evolution of the outputs of the organisation in the period since.

Regarding people, in the past 12 months, the NCSC has gone from 25 staff to 52 staff today, with sanction to grow to 62 staff this year. The organisation now has three directorates, each led by a director-level post and each with a team led by staff at principal officer grade. Furthermore, this far more robust management structure has allowed for a far greater specialisation of function within the organisation and the addition of entirely new functions, including the national co-ordination centre role and the certification team.

The operations team is responsible for incident response and detecting and defeating incidents before they occur. Previously led by a principal officer, it now has three principal officer-led teams, overseen by a director. The organisation now has a dramatically increased ability to defend against incidents at a national level and collect, manage and analyse cyber-intelligence material.

The resilience directorate has five teams, covering engagement, compliance, capacity building, certification and project management, each also led by a director. The range of work accomplished includes ensuring the compliance of critical infrastructure with binding security requirements, building and maintaining information sharing networks and working with industry and academia to support the development of the cybersecurity sector here.

The new technology directorate is awaiting the appointment of our new chief technology officer, CTO, which will happen later this year, but this team also already builds and maintains the systems, networks and tools we use, and is instrumental to the process of building our new permanent headquarters.

Quite aside from our capability developments, we have also made significant strides in both the operational and resilience realms. For example, we fully revised the national cyber emergency response plan on the basis of after-action reviews of previous experiences and conducted a full-scale national exercise to test this, using the energy sector as a basis. We also commenced the process of revising and deepening our long-standing information sharing structures, starting with a new Government cybersecurity co-ordination and response network called GovCORE, which also acts as our point of contact for the baseline standard. This is being followed by augmented cybersecurity information sharing, co-ordination and response networks, or COREs, in the local government, energy and digital infrastructure sectors.

The NCSC is now housed in an interim facility that is secured to international best practice and has the appropriate infrastructure for full international sharing of cybersecurity intelligence, as well as a full incident response suite. In turn, this has augmented our ability to conduct faster and more complete analysis and response to cybersecurity incidents and risks, and allows us to share information with colleagues globally on a real-time basis. Our permanent facility in Beggars Bush is on track for handover to us at the start of quarter 4 of this year. We are in the process of procuring the hardware and equipment for that facility at the moment. That new facility will allow us the space to continue to grow and develop and, perhaps most importantly, allow us to build out our new national-level security operations centre, SOC.

Lastly, I look to the future. By 18 October next year, the revised network and information security directive, NIS2, for short, will come into effect in Ireland. This will result in a dramatic expansion of the number of entities subject to the directive here, from just over 100 to at least 2,000. Unsurprisingly, this will have some dramatic implications for the NCSC and a great number of other entities in this State. It will take up a very significant amount of effort in the next 18 months. Also, in the coming weeks, a mid-term review of the national cybersecurity strategy will be brought to Government for approval. This will contain a series of new roles of the NCSC, which will be framed, in turn, in new primary legislation, with the general scheme of that Bill to be published by year end. This same legislation will also reframe the roles and powers of the NCSC as well as make provision for the transposition of several other pieces of EU legislation.

In addition to all of this, the technological underpinnings of the world we live in are beginning to change very significantly. Were I sitting here a year ago, I would have spoken about the shift to cloud computing, the challenges associated with post-quantum cryptography or perhaps the need for security by design to be implemented at every level of the supply chain. All of these are still factors today but are entirely overshadowed by the first public outings of generally available artificial intelligence.

This technology has been much-heralded and has seen a vast amount of investment in the last decade. It is not an overstatement to suggest that this is at least the single most important technological development since the Internet, and it may well turn out to be more important than that. Like any such technological revolution, the full effects of this will take years to play out, and perhaps even longer than that. Already, it is clear that these tools will be extremely powerful, with applications and implications across the full range of human behaviour and activity, including in security. We have already published a blog on the matter and will have a piece of guidance available for public servants in the coming weeks.

Barry Cowen (Laois-Offaly, Fianna Fail):

We move to questions from members. I call Deputy Carthy.

Matt Carthy (Cavan-Monaghan, Sinn Fein):

I thank Dr. Browne. When the IAEA was before us, it highlighted what it called a cybersecurity data gap and I think it was specifically talking about information sharing, or the lack of it, between the private and public sectors. Dr. Browne referenced the expanded scope of sectors that will be required to comply with the new directive. Does he consider that that gap is now closed or is there a need to be more ambitious still?

Dr. Richard Browne:

The IAEA does great work. I was delighted to see the publication of this piece, which is a very valuable contribution to the discussion and debate. I note also that the piece references the 2019 national cybersecurity strategy in the bibliography. However, I would point out that that same strategy outlined on page 20 the existing - at that point in 2019 - information sharing roles that the NCSC had. In fact, if we go through the remainder of that IAEA report, several other aspects of the recommendations were implemented five years ago, so much of what is in here is already in place and has been in place for a long time.

To answer the question directly, the extent of the gap that the IAEA report suggests has not existed in five or six years, particularly since the transposition into law here of the network and information systems directive, NIS 1, in September 2018, so, by law, this was done five years ago, or very nearly. However, and this has been instrumental in what we have done in government to begin with, the depth and utility of that sharing can always be improved. In talking to colleagues all around the world on this, everybody has had the same problems and the same discussions. What we have done in the CORE model means it is a deliberately different model; it is much more involved and labour-intensive, and involves much more than us just showing up with information. We have been issuing advisories, alerts and notifications to entities in the State on cybersecurity for more than a decade now, so we have been sharing this information for ten years. We have at least three times, if not four, completely revised how we do that. The GovCORE and the ensuing and coming COREs in local government, energy and digital infrastructure - we have plans for more beyond that - are far deeper than that.

To answer the question directly, I do not fully agree with what is in the IAEA report. Using just public domain information, we can very readily show that we were doing this a long time ago. There is always a case for us to continually assess and improve what we do, and this is what we are doing.

Matt Carthy (Cavan-Monaghan, Sinn Fein):

One of the things that has been obvious, and that has been mentioned in this committee and in the Chamber, is the different bodies that have responsibility. There is the Garda National Cyber Crime Bureau and the Communications and Information Services, CIS, Corps. Maybe Dr. Browne could describe what interaction there is between those. Are those bodies, in particular the Garda bureau, represented on and embedded within the NCSC?

One of the areas that strikes me is that we have an office of procurement and we have various other offices where making the wrong decision could effectively make Dr. Browne's job much harder. Is there liaison between the NCSC and Government procurement bodies, particularly around IT systems?

On a final point with regard to this part of the question, the HSE attack has been very well rehearsed and discussed in public fora. I do not expect Dr. Browne to name them or point them out, but are there other public bodies that he would have a concern about in terms of vulnerabilities to a similar type of attack at this point?

Dr. Richard Browne:

Those are three really useful questions. I will go in reverse order. To start with the last one, first, we obviously keep a very close eye on vulnerabilities, risks and issues as they arise, looking outwards. It is not merely that people come to us to tell us they have a problem. We look at what systems and processes people are using and actively seek to determine if there are risks in advance. That allows us, by whatever means, either by picking up the phone or going and sitting in someone's office, to tell people that they have a problem. There are always going to be risks out there and part of our role, and our evolving role, particularly in the next couple of months, will be to manage that risk in a much more coherent fashion. We are limited now by legislation, particularly in regard to how we share some of that information, so that is one challenge.

To answer the question specifically, if we had a particular risk or a particular challenge, we would have moved to address it as quickly as we could. Right now, there is nothing that would worry us to that level. There are always risks and there will always be incidents. It is how we move through that process that really counts.

The procurement one is a really important question. I wish we were a week later because we are about to publish something on procurement in the next couple of days. The nature of supply chain risks and how organisations of any scale, public, private or otherwise, manage procurement and supply chain are becoming increasingly important. Anybody who has watched developments in cybersecurity will have seen things like the SolarWinds attack a couple of years ago, which had profound implications for the United States Government, and will also have seen other supply chain attacks in other jurisdictions, including one last week on a supplier to the energy industry. These are really significant challenges, as well as the more passive issues when you buy infrastructure that is not suited or services that do not do quite what they said they would. These are entirely serious questions.

We are about to publish a piece of guidance for public sector bodies on procurement, particularly around procuring services, for example, how do you contract for and procure services that will ensure you limit your risk associated with that service provision. The mid-term review, which we publish in the next couple of weeks, will also have further measures, including a lot of further measures on supply chain security, which is one of those very challenging issues for us. One of the new teams we hope to establish in the next couple of months is on exactly this question, so it is a fundamental one for all of us.

It is also, by the way, international in nature. Supply chains are global and people buy from all over the world, as you would hope and expect. It is also a challenge that everybody in Europe and globally is wrestling with. It ranges from bad actors and from poorly aligned and poorly configured devices and equipment to cloud computing services, so it is a vast challenge. That is the second question.

Matt Carthy (Cavan-Monaghan, Sinn Fein):

Before Dr. Browne moves on from that, he mentioned that the NCSC will be publishing guidance. The difficulty with guidance generally is that it can be ignored. We see again with the HSE experience that the ramifications of getting this wrong can be much further-reaching than the entity itself. Where does the guidance and instruction lie and where is the line between the two?

Dr. Richard Browne:

We do not have any statutory power to compel anybody to do anything in this space. In practical terms, it would be difficult to do it because, given procurement law, each entity has to make its own procurement decisions, so you cannot actually tell people what to buy or not to buy, although there are measures you can take to help people make better decisions. We have work ongoing with the Office of Government Procurement, OGP, on some other future-facing challenges, which I will not go into right now, whereby we can ensure that when they contract for framework contracts in IT or cybersecurity, they do so in a way that is secure, risk-appropriate and manages the broader challenges in this area properly. There are further powers that we will be looking at in the context of the mid-term review, which will be made public in due course.

To move on, the last question was on the interaction. I always say in public that cyber is a confounding policy area in the sense that it is in everything, so cyber is in every part of all of our daily lives right now, whether we know it or not - in services, in government, in whatever we touch or use - but also, because of its embedded nature, it is in every single part of Government policy. We have ongoing and very wide interaction across all parts of government, including many different parts of the Defence Forces - in the CIS Corps, in military intelligence, in the operations branch and in other parts of the Defence Forces. The same thing applies to the Garda. We have close co-operation with cybercrime and with the fraud elements of the Garda, with security intelligence and with Garda headquarters. This interaction is ongoing, structured and coherent. Again, there will be more on aspects of that, particularly in the context of ransomware, in the mid-term review.

Matt Carthy (Cavan-Monaghan, Sinn Fein):

I will keep going until the Chair asks me to stop, if that is okay.

We have had much discussion about social media apps. In March, the Minister of State with oversight in this area said that Government advice in relation to mobile phones, for example, does not pertain to specific companies. That has clearly changed in respect of TikTok. How does the NCSC decide that there are particular issues with an app and how does it arrive at that point? Is it possible that similar advice will follow for other social media apps and platforms? We have seen the fine levied against what is probably the most widely used social media company in respect of data protection. When do data protection concerns become wider cybersecurity concerns?

Dr. Richard Browne:

We issue advice and guidance to Departments and Government agencies on an ongoing basis. We have had advice on mobile phone use and device use for many years. We reissued and revised some of that advice in March of this year to be more specific on certain aspects of app use. That is primarily aimed at a wide range of social media, gaming and leisure applications. Much of that advice is in the public domain. Essentially, it suggests that people should not have any applications of any kind on their device that they do not need for business. This is simply because every single application has some degree of risk. If one removes an application, one removes some of that risk, at least.

We were subsequently asked by the Taoiseach to do a risk assessment of a particular social media company. That company had been the subject of similar risk assessments across Europe. We spoke to a number of European colleagues about this process but nobody outside of Europe. We conducted our own risk assessment and issued a piece of guidance across Government at that point. The nature of the analysis was very straightforward and much of it is in the public domain. It is a challenge for us to keep an eye on every single device, application, software and hardware element that is on sale right now. We do not even seek to do so. However, when we are asked to conduct a particular risk assessment, we will produce a report. Is it possible that more will follow? The answer is "Yes". We keep all our advice under constant review. There are particular issues with some applications around permissions and around the way in which data are accessed and used that cause particular concerns. However, we have no immediate advice coming on any other application or any other area.

To summarise, this is a very complex area. Some of the risks will be very apparent to people. Some others will not be. An aspect of our role is to take information that is very varied in its origins. Some of it will be in the public domain and some of it will not. This means that we have to closely guard the analysis and the information we use to create that risk assessment because we will burn sources and capability. We are not keeping things secret for the hell of it. We are keeping things secret because to release that information would compromise our ability to do our job in four or eight weeks' time or six months' time.

Barry Cowen (Laois-Offaly, Fianna Fail):

I am mindful of what some people say: that if you are using an application for free as a product, then you are the product. That is how this has evolved and is evolving. We are chasing it, so to speak. I thank Dr. Browne for his detailed answers to those questions.

Cathal Berry (Kildare South, Independent):

I agree on the point about the products. I welcome Dr. Browne and Ms Woods and thank them for the NCSC's opening statement. From the opening statement, it seems that the witnesses have transformed things over the last 12 months. The big takeaway for me - and I think for most people on the committee - is that if we actually resourced our State agencies properly, there would be a profound effect on output. Most areas of the public sector are struggling with recruitment and retention at the moment. In the past 12 months, the NCSC has doubled its headcount and has plans for further expansion. How was this achieved? I have a fairly good idea but it would be great to get it on the record because other public sector organisations could learn from it.

In relation to the permanent premises in Beggar's Bush, is that leased or is that going to be purchased and State owned? If the security operations centre, SOC, is to be established when is it hoped to be fully operational? How has the budget of the organisation changed in the past 12 months and what is the current budget for the year? The opening statement mentioned that the NCSC gave some assistance to Ukraine. What was the level of that support? Ireland recently joined the European Centre of Excellence for Countering Hybrid Threats, Hybrid CoE, in Helsinki, and obviously the cyber centre of excellence in Estonia as well. Was that positive or negative from the perspective of the NCSC? What kind of an impact did that have?

Echoing what Deputy Carthy said, it is my understanding that the NCSC is a multidisciplinary outfit and that there are military and Garda seats at the table there. Are those seats manned? Do the Garda and the Defence Forces have the capacity to contribute to the multidisciplinary nature of the organisation?

In summary, while all present can speak for themselves, the NCSC has the full support of the committee. We have been tracking its progress over the last three years. I hear Dr. Browne on the dangers of AI. I very much look forward to the mid-term review of the national cybersecurity strategy. We can certainly contribute to that, where appropriate.

Dr. Richard Browne:

I thank Deputy Berry for the questions. I will begin with the changes in the NCSC. Many of those changes, while they have become very obvious in the last 12 months, owe their origins to deeper processes that go back to the 2019 strategy, in many ways. If we look at the capacity review that was conducted in 2021, much of the structure and staffing roadmap was created in that process. The figure of 70 came out of that and we hope to substantially surpass that figure next year. That is the longer-term process. This was a structured, coherent process, building on a series of reports going back to 2009 when the original report that led to the creation of the NCSC was drafted. It might look dramatic but it is really the realisation of something that has been happening for a very long time.

Regarding staffing, we have had significant success in recruitment. In many ways, we have been the victim of our own success. The Deputy may have heard this from his own contacts: many people who have tried to get in have been frustrated at the length of time processes take. First of all, that has changed because we have managed to accelerate the process quite a bit. One of the real challenges we have is that we have so many people applying that interviewing people takes weeks. To run through a full recruitment process for a CSS grade, for example, takes many weeks. I will give a case in point. We closed a new recruitment competition last week. Previously, we thought that 90 applicants would have been a good haul for a CSS competition. That was the figure the previous year. It has very substantially surpassed 90 this time around. We are going to have to trawl through and interview a significant proportion of that much larger figure. That means the process will take longer but it also means, as we have seen throughout this process, that we are getting really good staff out of it.

Cathal Berry (Kildare South, Independent):

It seems to be unique to the public service. I have not detected that level of interest in working in a particular entity in the public service in my time in the Oireachtas. The NCSC must be doing something right.

Dr. Richard Browne:

Some of this is due to the work we are doing. We are getting people who are really interested in the subject matter. Many applicants have worked in the private sector and elsewhere for a long time. They want to come and work with the NCSC because they know what it is we do. They know the risks and the issues involved. They know, over time, what we are actually doing. We have a certain pull that other organisations do not have. To be frank, we have also been lucky with salaries. We can be, if not entirely, then somewhat competitive with the private sector, which helps as well. Another point is that in real terms we are not looking for vast numbers of staff. From the CSS panel that we are looking to create for this year - we had one last year as well - we will probably take ten or 12 from it. That allows us to be very selective. Those people who are unsuccessful will roll on and will look to apply next year and the year after and that is fine too.

Regarding Beggar's Bush and the SOC, the State owns the property. We were based there for many years in the NCSC. We have come out of there to allow it to be fully refurbished. The refurbishment is nearing completion. We hope to take possession of the building in October. We think it will take us three to four months to build in the security facilities, IT infrastructure, our own fibre connectivity and all the usual things one would expect.

We expect to be fully in place in January or February of next year. We have had a security operations centre, SOC, up and running in the NCSC for six years. We are essentially building a next generation SOC. It will be physically present in February or March next year. The real challenge for us is the legislation to allow us to use it properly. The usual way an organisation like ours is measured is in people, process and things. The people situation is resolving itself with a lot of work. The process is evolving quickly and the mid-term review will help that and make some of it clear. The things piece is the last part of the puzzle, as it often is. That is happening now with Beggar's Bush. The issue is that we will run into a legislative barrier, in that we can go no further in terms of accessing information. That involves legislation to be brought through the Houses of the Oireachtas, which will happen shortly. That covers the SOC and Beggar's Bush.

Our budget has doubled in the past year because we can now say we can genuinely spend it properly, effectively and proportionately. We have also spent more so far this year than we did in the whole of last year. We have a much larger budget and we are spending our larger budget. That system is really starting to hum now, which is useful. I will not go into all of the details of what we have been doing on Ukraine. Along with a large number of European colleagues, we have provided numerous different types of assistance to our colleagues. I have met my counterpart from the Ukrainian computer emergency response team on a number of occasions. Like a number of European states we have provided aid - in our case non-lethal - in significant volumes to Ukraine across the full range of governmental functions. We will continue to do that. It is also obviously of great interest to us, leaving aside our moral responsibility, that we learn with great fidelity what is happening in Ukraine. We get the details. We get the indicators of compromise. We get to understand exactly what tactics are being used now with rapidity. If it happens in Ukraine on any given day, we will know on the following day exactly what happened. That is really useful. It is part of a cybersecurity response process, which we are very much a part of. I will rehearse that quickly. We rebuilt our national cyber emergency plan last year, and rehearsed it in the energy sector going back to our colleagues in the Institute of International and European Affairs, IIEA. That rehearsal was a full-scale national exercise starting with information sharing processes that we exercise on a day-to-day basis, building to a full national meeting in the Department of Agriculture and leading to a full political process. Embedded in that was the EU-CyCLONe - the European cybersecurity incident response process. We practised an exercise from the ground level up to the European incident response process as part of what we do.
This has been ongoing since the outset of the Ukrainian conflict, and in fact since a couple of weeks beforehand. We are fully plugged into that process. Helping Ukraine helps us better protect the people of Ireland. That is at least part of the reason we do it.

The Hybrid centre of excellence is a huge advance. We have been part of the group across Government that has been pushing for the State to join it for some time. We have heavily used the Hybrid centre's training and material in the production of national strategies. It was in some ways central to our work on the 2019 strategy. However, to my mind the single best and clearest explanation of the hybrid domain is a 2021 report produced by the Hybrid centre on the conceptualisation of hybrid. It is worth reading for anybody with an interest in the area. It is a hugely positive development for the State. Similarly, we have led from the outset on the NATO centre of excellence for cyber. Ms Woods represented us at the flag raising ceremony in Tallinn. I have been on the steering committee of that group for four years at this point. It is a really valuable source of training, not just for the NCSC, but for colleagues across Government - in the Defence Forces, An Garda Síochána, the Department of Foreign Affairs and our parent Department, the Department of Justice. It allows us to upskill not just on the operational aspects of cybersecurity, but on the policy and geopolitical aspects too. These centres of excellence are valuable, especially for small states. I have done a couple of courses myself, and they have been among the best I have ever done. It is not a bad place to start.

On the seats specifically, we have traditionally had one officer and one non-commissioned officer from the Defence Forces, as well as one or two members of An Garda Síochána. Right now, one officer from the Defence Forces is seconded to us and then seconded onwards to Tallinn. The Defence Forces officer in Tallinn is nominally ours. We do not have anybody else from the Defence Forces with us now. That will change in the short term. We had a conversation about this in McKee Barracks recently. We have one member of An Garda Síochána seconded to us - not from cybercrime, but a different part. We are waiting for another secondee. We had one recently, but she was promoted. We know that seat will be filled again in the short term.

Barry Cowen (Laois-Offaly, Fianna Fail):

On that specific point, it is obviously crucial that both the Defence Forces and An Garda Síochána play a central role working with the NCSC to ensure our defences are as they should be. That applies to those bodies in particular because of the onus of responsibility they have as knock-on responsibilities with regard to everything and everyone else. Is Dr. Browne happy and secure in his own mind that this is being dealt with properly?

Dr. Richard Browne:

That is a really good question. Yes, I am, is the simple answer. What the Chair has said goes to the heart of the hybrid question as much as anything else, and to the role of the NCSC in particular. I referred to the Hybrid centre's landscape of hybrid threats conceptual model. It outlines 13 different domains of hybrid activity. As the Chair correctly points out, those domains cut across all of government. At least part of what we do flows from aspects of various parts of An Garda Síochána, and the same thing applies to various parts of the Defence Forces. What really matters is how we all interact and share with each other, and what is shared with the centre. The centre can issue policy advice, and guidance and support that covers all of these issues. That is what happens. We interact with An Garda Síochána and the Defence Forces in a variety of ways and at a variety of levels. I meet with colleagues from Garda Headquarters and the headquarters of the Defence Forces, including the Chief of Staff and the Garda Commissioner, on a relatively regular basis. Colleagues at different levels within all of the organisations meet as well. We meet on criminal matters, national security issues, co-ordination issues and information sharing issues. We are happy with it. There are some structural things we want to change. That will be in the mid-term review, and they will become apparent at that point.

Barry Cowen (Laois-Offaly, Fianna Fail):

The biggest wake-up call both the country and the people received was probably the HSE attack. There is responsibility, onus and duty of care to everything and everybody thereafter. Thankfully we hear the NCSC staff has been doubled. The budget has been doubled. There is a property now in place and new expertise on board. Another thing Dr. Browne has consistently mentioned since he began is the issue of the sharing of information between the private sector and the State sector and the manner in which NCSC works with its partners across Europe and so forth. He said there is an onus, responsibility and obligation, but there is not authoritative legislation in place to ensure the information that has to be shared is shared. He mentioned new legislation that will flow from and be recommended from the mid-term review. He said there is EU legislation also coming down the track and both should align by the end of the year. Has he been given a commitment and guarantee on the part of Government that there is a gap in the programme to accommodate the primary legislation? As I have said, if the impact and effect of the HSE attack were replicated across other Departments, we would be badly exposed. However, as a committee, it is heartening to hear that the budgets, personnel and staff have been doubled. This is the greatest threat to us as a nation. We naively use applications and think they are great value, but they are great value because we are the product. Governments are a product. Nations are a product. The manner in which warfare is now conducted is far different from what it was previously. The way in which the laws are touted within this area is a very fine line. I do not envy Dr. Browne. We have a lot of catching up and chasing to do. Technology is moving at such a pace. However, from his statements and responses it is clear progress is being made as it should be. I am glad to hear that is the case.

Cathal Berry (Kildare South, Independent):

I want to finish with one small point. I agree with the Chair, and my big takeaway is a broader point that public sector entities can be transformed in a four-year period if the political will is there and if the resources are provided.

That is the formula. The living proof is sitting right in front of us.

Barry Cowen (Laois-Offaly, Fianna Fail):

The mid-term review and the Government's response to it will determine its success or otherwise and its potential to continue.

Gerard Craughwell (Independent):

It is 18 months since the Oireachtas Committee on Transport and Communications fought hard to have Dr. Browne's role properly recognised and remunerated. Speaking of recruitment, has Dr. Browne been given sufficient leeway regarding salaries to attract the type of person with the type of skills he requires or is he limited by public sector?

Regarding the secondment of the Army officer to the Tallinn centre, the officer spent roughly two years there and came back highly skilled. I have been to the place. It is an amazing entity and I am delighted. I hear that the centre has very strong links with Estonia, which I am delighted to hear. Is it not a terrible pity that when this officer returns, he is not sent straight back into Dr. Browne's office rather than off to somewhere else in the Defence Forces? Is this something Dr. Browne would look for?

I have contacted Dr. Browne through my office for a private meeting and I thank him for his availability on these matters. I am fully aware of the job he does. Security issues are better discussed elsewhere instead of here. That is something we will talk about again.

I am sure that in Dr. Browne's world, legislation moves forward at a snail's pace. He needs far more powers than he has. Is there anything we can do to accelerate the legislation that is important to him?

The issue of certification is in the middle of Dr. Browne's presentation. Recently I attended a lecture on cybersecurity given by the head of cyber at Ernst & Young. He made the point that college graduates with a degree in Ancient Greek and Roman Studies with cyber are hardly cybersecurity experts and certainly not worth the sort of money they think they are worth. The notion that you are moving towards certification and certification recognition is a major milestone. Looking at Dr. Browne's presentation, it has been one year since I met him at a meeting of the Oireachtas Committee on Transport and Communications. Progress has been phenomenal for which he is to be congratulated.

I think he is aware of the fact we are working with the National Advanced Manufacturing Training Centre of Excellence in Dundalk and a number of other manufacturing centres or advanced centres around the country on skills-based programmes. I want to bounce one or two things off Dr. Browne. Would he agree with me that one of the problems in the private sector and maybe in the public sector to a certain degree is the fact that our chief executive officers or chief financial officers do not exactly speak the language of cyber so the tendency is to leave that to the IT department and hope for the best? One of the programmes we hope to deliver through the National Advanced Manufacturing Training Centre of Excellence is a cyber-awareness programme for CEOs right down to a programme for 12 to 18-year-olds. Dr. Browne's staff have been very supportive and very available in that area. I hope skills certification would lead to a much better level of skills. I would be interested in hearing Dr. Browne's view on what specific skills he sees as important. I am not so sure that everybody has to have an academic qualification. I think we can go the further education and training route and move up the skills pot from there.

The other thing we have been slow on is public information. It is there but I often wonder why we do not have one slot per week on the news at 6 p.m. or 9 p.m. where we openly discuss cyber and all things surrounding it.

Regarding cyber attacks, I am conscious that Munster Technological University, MTU, was another entity in the country that was attacked. As Dr. Browne rightly pointed out, no entity is safe. Everybody has their vulnerabilities. It strikes me that every time we have a major attack, we go to the Big Five, who do not necessarily have cyber professionals on their staff. Does Dr. Browne have a team of indigenous companies to which he can turn to support him in the work he is trying to do? I will leave it at that for a few minutes. I might come back with one or two other things. I acknowledge that in his short time in office, Dr. Browne has certainly moved the organisation way further than I would have expected in that period of time.

Dr. Richard Browne:

It may feel like a short period of time but it does not feel short to me unfortunately. In many ways, we are really only getting warmed up. We have a lot of work in the bank, which is invisible but will become apparent in the next while. I make that about 11 questions but I will answer the Cathaoirleach's very reasonable question as well.

From the outset and going back to 2017, we discussed and got the consent of the Department of Public Expenditure and Reform to create specific grades for the NCSC. Those grades are linked to Civil Service salary grades so they are the normal Civil Service grades but they are specifically designed to be slightly more remunerative than general Civil Service grades. We have also had some flexibility in the past on salary bands so we have been equipped with a lot of flexibility and some baked-in generosity, which is at least partly the reason for our success.

On secondees and the potential for the Defence Forces officer to come back, only one officer has come back so far. He went out with very significant skills in the area and he came back with even more. He has come back into the centre of the CIS Corps where, without giving away anything unduly secret, he is centrally involved in its work around cyber defence and implementing the report of the Commission on the Defence Forces, so it is working exactly the way it should. Remember that we had access to this individual all the time he was there. We interacted with him and shared information and he was able to help us with various things. His successor is equally good and is already centrally involved in that. Ms Woods was out there last week for the flag raising and is going next week for a steering committee meeting, so we are very heavily involved with the Estonian process.

Regarding legislation, about which the Cathaoirleach asked a very sensible question as well, legislation in our space is particularly complex because it touches on everything. It touches on issues like data protection, human rights, access to information and privacy - all those very significant, complex and important issues - which means that in our case, legislation takes longer. We have a firm commitment in the 2019 strategy for primary legislation. The reason it has taken so long is that NIS2 has come and now we have to do the two together. We then have to do a piece of certification flowing from the EU Cybersecurity Act 2019, which is not an Act and is not really about cybersecurity, but we have to do that too, so we are putting a lot in one piece of legislation, which is why it will take a little bit of time. Much of the work on our area is done, so we are waiting for the NIS2 stuff to come together in the background.

The 2019 EU regulation requires member states to have a new system in place to deal with certification. Much of this is around things like 5G and cloud. A really significant piece of European work on cloud computing is coming that we will be centrally involved in implementing. We have a newly established team to do that.

There is a question about the type of skills we need in cyber. Two issues flow from the Senator's next question. One is the role of boards while the other is the type of skills we would like to see. We work with a number of entities, including the Institute of Directors, which has a piece coming with our assistance on what boards need to know about cyber. We also have some more public-facing work coming in the next while that will frame aspects of this. I would also point out that NIS2 explicitly requires boards of management - boards in a commercial sense of organisations - to be directly responsible for the cybersecurity of their organisation. That will cover more than 2,000 entities in the State, so those that really matter will be captured by this. To be very blunt, there is nothing like a binding legal requirement to really focus people's attention on the subject.

Regarding skills, I am very much aware of the work Senator Craughwell is doing with a number of different educational entities. We have developed, rolled out and tested a junior cycle short course on cyber and we are now in the process of finding a feature that will become public in the next while.

Skills present a very challenging issue in cybersecurity because the field is so diverse. Cybersecurity is not just about ones and zeros or the hoodie-wearing geeks who can do that binary stuff. It is a much broader set of issues. Leaving aside the ops team, our resilience team has people with backgrounds in compliance. They are essentially IT auditors, for want of a better term. We have people whose focus is on risk management. We have people whose focus is on managing and engaging with entities that may be at risk and working with them to help their systems get better. We have people who perform exercises for a living. It is a much more diverse field than just ones and zeros, but if you do not have those, you cannot do anything. We started with our ops team for that reason. If you cannot do the math, you are at nothing in cybersecurity. You need a diverse set of skills. I agree entirely with the Senator that expecting everyone to arrive in cybersecurity with a master's degree in software engineering, networking or whatever it might be is unwise and unnecessary. We did some work with Skillnet. Its programme has the full range of skills and courses available, from diploma certificates all the way up to PhDs. That is the answer. You do not go after everyone in the world at 18 years of age and try to get them to do science degrees. You go after everyone from 15 or, ideally, 12 years of age all the way up to people in their 60s to ensure that everyone in the workplace has access to the appropriate level of skills and challenges.

Barry Cowen (Laois-Offaly, Fianna Fail):

Did Dr. Browne say that the NCSC's success in attracting workers was down to innovation and generosity on the part of the Department of Public Expenditure, National Development Plan Delivery and Reform, in recognition of the importance and significance of the NCSC in securing the State and its services?

Dr. Richard Browne:

Yes. It is a start.

Barry Cowen (Laois-Offaly, Fianna Fail):

It might be a template for other areas in the Civil Service.

Dr. Richard Browne:

I am not sure our colleagues in the Department would thank me for saying that, but it did-----

Barry Cowen (Laois-Offaly, Fianna Fail):

I picked up on it. It has been noted.

Dr. Richard Browne:

Something else that is worth keeping in mind is that there are approximately 8,000 people in Ireland working in cybersecurity in the private sector with a large number of very large and small cybersecurity companies. This means that we have a substantial ecosystem of people who are capable at a global level. They operate in a global ecosystem. We have access to a pool of people who are well trained and many of whom have good experience. We bring people in from the Defence Forces, the banks and other parts of the private sector, which means we have access to a well-informed and well-trained group of people.

Barry Cowen (Laois-Offaly, Fianna Fail):

Rightly so, given the grave threat to the private and public sectors.

Dr. Richard Browne:

I did not answer one of Senator Craughwell's questions, so I will finish with that, if the Leas-Chathaoirleach does not mind.

Barry Cowen (Laois-Offaly, Fianna Fail):

Please, but I wish to invite Deputy Cronin to contribute as well.

Dr. Richard Browne:

The Senator referred to MTU and the types of incident we see. I was at MTU last week to discuss with it the incident's aftermath and the process. That incident was a good example of the types of issues we all face in dealing with a complex legal, political and technical challenge. We have learned a great deal from the incident and a range of others in the recent past. We continue to review incidents and build into our process what we need to learn from each.

The risks and challenges vary, but the costs of these incidents are what people often miss. Leaving MTU aside, the cost of dealing with even a moderate incident can run into the millions of euro in a great number of cases. Organisations need to bake that into their processes.

Regarding indigenous companies, we do not tend to rely on the large consultancy companies, by and large. We procure some of our services from them, but most of our services are cybersecurity specific. We do not tend to point victims towards particular companies, but in some cases, very large incidents can only be dealt with by a small global pool of companies. The attack on the HSE is a case in point. We put the HSE in contact with what we believed was the only company in the world that could deal with an incident of that scale. The HSE had hundreds of thousands of endpoints. If you are looking for an incident response, that narrows it down to one or two companies globally. The same team that handled the HSE incident handled the Colonial Pipeline in the US – not the same company, but the same people. When playing at this game, you play internationally or you do not play at all. There is a space for indigenous companies and we have some very gifted niche individual players. I was at the RSA conference in San Francisco in the past two weeks picking up stickers from Irish companies that sell internationally. Our ecosystem is not just about acting as a home for foreign direct investment. We have innovative Irish companies that are out there selling globally.

Gerard Craughwell (Independent):

I have one further question.

Barry Cowen (Laois-Offaly, Fianna Fail):

Briefly.

Gerard Craughwell (Independent):

In every country I have visited, the national cybersecurity director is directly under the prime minister. I was in Poland last week and Poland has opened a new cyber centre in the Chancellery of the Prime Minister. I have always said that the NCSC is in the wrong place and Dr. Browne has always told me it is fine where it is. Has he reviewed his opinion or is he still happy enough with where the NCSC is?

Barry Cowen (Laois-Offaly, Fianna Fail):

Will Dr. Browne hold his reply for a moment while I ask Deputy Cronin to make her contribution?

Dr. Richard Browne:

Of course.

Réada Cronin (Kildare North, Sinn Fein):

I thank Dr. Browne for his presentation. There is no doubt that defence and security are no longer questions for just the military and An Garda Síochána and that a whole-of-government approach is required. How was the HSE allowed to persist with obviously unsafe technology? The HSE deals with sensitive personal information and it took time for everything to get back on track after the disruption. In that respect, does the NCSC have a role in overseeing the cybersecurity technologies used by Departments and, if not, should it?

In the past 12 months, the NCSC has increased from 25 staff to 52, with sanction to grow to 62. Obviously, people have realised how important it is. Would Dr. Browne be satisfied with 62? Will the number of staff double each year? What will be his organisation's needs over the next five or ten years?

Dr. Richard Browne:

I thank the Deputy for her questions. Defence or resilience has never been a solely military question anywhere. I could speak at length about how hybrid works at a governmental scale. Having civilian agencies or entities like ours engage in resilience and security matters is the norm globally. This is an important realisation.

Regarding the HSE specifically, this is a complex area for reasons everyone will understand, but I will be brief. The HSE is an operator of essential services, or OES, which is the legal term, under the first NIS directive. As such, we have been regulating and auditing the HSE's cybersecurity, including prior to the incident. Its technology was not unsafe. There was some speculation in the media that, for example, the fact it had some older operating systems and older computers was a source of some risk. It was not ideal, but it was nowhere near instrumental in the incident. Bizarrely, older infrastructure survived this incident better than newer infrastructure did for the simple reason that the older infrastructure could not run the malware. That itself is a complicated story.

Compliance is not the same as security and security is contingent on human decision-making. The PricewaterhouseCoopers, PwC, report that was published at the end of 2021 made clear some of the issues that had arisen within the HSE, largely as a consequence of 18 months of pandemic, which made the issue particularly complex. How any state pursues cybersecurity compliance is extremely complex. I sat for several hours with the White House director of cybersecurity, Ms Kemba Walden, recently in Belfast and we had the same discussion about how the US had been dealing with compliance. Their most recent national cybersecurity strategy – our 2018 strategy is one of the strategies it is based on – wrestles with exactly the same problems we have. It is not easy to compel large organisations to deal with a complex, nebulous and changing issue like cybersecurity. The powers we are seeking in the context of the legislation and NIS2 are designed to allow us to do that better, but there is no complete solution. The bad guys are always looking for a way in, vulnerabilities, one person to make a mistake or an organisation to not be fully prepared, and then there are problems. The price of security in this case is eternal resilience – not just stopping the incident from occurring, but detecting it as it occurs. To use an air accident model of risk, what happened in the HSE saw a whole series of vulnerabilities lined up in the Swiss cheese model in exactly the wrong way and it had a very serious incident. Stopping that requires a cultural organisational response. I could speak at great length about that, but I will not, as I do not want to take up too much of the committee's time.

By the way, we were centrally involved in the HSE response process, but the scale of it - again, there were hundreds of thousands of endpoints - was such that it took a long time to clean out that network.

As for timing and staffing and our sanction, we have ten staff either in security clearance, that is, we are waiting for them to come through, or to come to us off panels. That is happening. We have another person starting the week after next. It is happening over time. We have a substantial staffing bid in for next year. The number will not surprise anybody in terms of our ambition. My ready reckoning is that we will need to grow to a similar scale in at least the next three years. Our building in Beggar's Bush has room for well more than a hundred people, and we do not plan to have those seats empty for too long. What will happen beyond that, beyond three to five years? It depends ultimately on the roles we have and how many additional roles come to the NCSC, but I cannot see a situation emerge where we will ever reduce the number, to put it to the Deputy like that.

Senator Craughwell asked a question about location. My view essentially has not changed. The Senator referred to colleagues in Israel and Poland. I know all those gentlemen very well. I sit next to my colleague from Israel on the International Counter Ransomware Task Force. We all have our own challenges. Part of the issue in some jurisdictions is that cyber is Balkanised, that is, broken up between different organisations across government. The reason there are cyberdirectors in prime ministers' offices is that that person co-ordinates cybersecurity functions. We do not have that. Our cybersecurity function is centralised in the NCSC, so I can be a single point of contact across Government and can go directly to the Department of the Taoiseach myself.

Barry Cowen (Laois-Offaly, Fianna Fail):

Deputy Cronin, are you okay with that?

Réada Cronin (Kildare North, Sinn Fein):

Dr. Browne mentioned that the technology directorate is still awaiting a chief technology officer. There is a scale and an urgency to filling that position. I am sure the staff are highly skilled and expert in their job. The CTO really sets the tone. Is that position almost filled?

Dr. Richard Browne:

We have, as we would put it, a steady drumbeat of recruitment processes. We do not want to go with all our recruitment processes at the one time. We advertised for and filled a director of resilience earlier this year. That post has been filled. We have run and closed a new CSS competition, which was a bulk competition. There will be, as I said, 50, 60 or 70 people interviewed down to ten or 12 successful candidates, maybe 15. Who knows? It depends on the numbers. The CTO competition is scheduled for quarter 3, so the advertisement will go in the papers in quarter 3. It will be a public competition like all the rest of them and it will be filled by year end. These competitions are scheduled well in advance and they run on that basis. We also do not want to be going back to industry all the time and having the same people apply. We want to go back to the market as it refreshes itself.

Barry Cowen (Laois-Offaly, Fianna Fail):

We have another member online, Deputy Lawless, who is Chair of the Committee on Justice. I know that his committee has done some work in this area too. He might be able to share with the witnesses some input further to that engagement.

James Lawless (Kildare North, Fianna Fail):

Thank you, Chair, for that. I welcome our witnesses to the committee. To Dr. Browne I say "well done" on what he has done to date. I heard him in a broadcast media interview a few months ago and thought, "Great, we have someone who knows what he is talking about at the top of this important organisation." Kudos for that. He has made a good impression early. I listened with interest to the earlier comments from other members and his answers to various questions. He talked about how the organisation has been ramped up, effectively, in recent times. Again, that is good to hear. One of the issues that was historically a concern regarding our cyber-readiness and cyber-preparedness, including the centre and just more widely, was the degree of resourcing from which the centre was benefiting - or not, as the case may be. It seems from Dr. Browne's earlier comments in his opening statement that that has been largely addressed, but he should feel free to put us on notice if he still feels there is a gap that needs to be plugged there or if the NCSC needs additional supports.

The first question I have is about the budget the NCSC enjoys. Conventional warfare is quite rare these days. We see it on the battlefront in Ukraine, but outside of certain pockets of the world it is really becoming the exception, while hybrid warfare is becoming the norm. In this country I think we have been subject to it on many occasions, probably a lot more than we realise, in terms of cyber, disinformation, hybrid, interceptions of our vital services and utilities and the submarine cable interceptions. There is a huge variation of attacks to which we can be subject, so cyber and hybrid are probably to the forefront of modern defence. Does the NCSC's budget reflect that, that is, the budget to the conventional services as opposed to the budget to the NCSC's department? How do they compare? What percentage is the NCSC of the overall budget? We may need to address that if it is not sufficient.

I will ask a number of questions and the witnesses will probably want to come in on them as a block rather than going in and out as I go through them.

I think some members might have touched on my next question already. As regards the NCSC's staff, one of the issues I heard raised in the past with the centre was that there was not a huge degree of operational expertise. That may be fair or unfair. I do not know. That is why I ask the question. What is the ratio between academic expertise, that is, people who are very knowledgeable in the areas of cybersecurity and hybrid warfare, and people who have had operational experience in the field, be it in this country or in other countries, actually combating advanced operations and attacks? To what degree is that balance achieved among the NCSC's staff and workforce? To what degree do other law and order associations such as the Garda, the conventional Defence Forces and other agencies feed into and co-operate with the NCSC in that regard? What is the NCSC's composition in that regard?

I mentioned that we have a huge variety of important assets here, not least the data sets for many multinational companies headquartered in Ireland. By virtue of that, we hold, I think, 40% or more of the EU's data sets in totality. We have, as I mentioned, the submarine cables which transmit data from Europe to North America. We are at the coalface of that, being on the western shores of Europe. Disinformation campaigns are a concern. There is energy and utilities. I think the NCSC did a study towards the end of last year, which, again, I am pleased to see. It performed a mock energy attack and saw what defences and what preparedness we had for that. Again, it was very encouraging to see that. There are all kinds of threats. A couple of members have mentioned the HSE attack, and of course it is of concern, but I would be probably more concerned about the ones we do not know about, that do not really make the newspapers, that are not well documented. How many systems or agencies have been intercepted, back doors created or Trojans put into networks that we do not even know exist and that could be there, dormant and ready to be activated at particular times or perhaps gathering data? Perhaps there is international property theft etc. going on. I would be interested in any views on our preparedness for that or to what degree that is happening. I appreciate that the witnesses cannot talk about operational issues in any detail whatsoever, but they might give us a flavour as to what kind of activity goes on and what kinds of threats are we subject to regularly.

Finally, I think we recently joined the Tallinn centre of excellence for cybersecurity. That was mentioned earlier as well. I have often been impressed by what it does, and if I ever get the opportunity to visit, I will. I know that Estonia is very advanced in many ways on activity and eGovernment as a whole. I met Estonia's former Prime Minister a while ago, and I think because of the Cold War he had a clean slate to start with, so he managed to go digital from the get-go as opposed to a lot of other countries that are getting there very slowly after decades of paper-based administration. I have one question about that. I understand that that is a NATO-type centre. Certainly, NATO has a leading role in it. I was delighted we were able to join it, but were we in any way compromised or limited in our engagement because we were not a member of NATO? On the same theme, there is the intelligence sharing that goes on. We often hear about the Five Eyes, for example. I am sure that other intelligence sharing takes place through other agencies. Are we able to benefit from that sharing to the greatest extent? Are we limited in any way because we are not a member of certain international alliances? Do we suffer in any regard from that?

There were a couple of questions there. Keep up the good work.

Dr. Richard Browne:

There is a lot in those questions. I will try to be as brief as I can.

The first question about hybrid was really well put. It is important to stress that when we talk about hybrid in this context we are in many cases talking about two linked and related but actually fundamentally quite different conceptualisations of hybrid. Hybrid warfare ultimately owes its origins to, latterly, the beginning of the idea of the three-block war in the 1990s, that is, that militaries in the future would have to fight a three-block war, and, later, thanks to General Mattis and Colonel Hoffman, the idea of a four-block war in the 2000s.

The conceptualisation of hybrid that we use in a civilian space, the one I referred to in terms of the hybrid centre of excellence, frankly flows more from the Russian concept of active measures, the idea of a purely civilian means of influencing, compromising and pressurising democratic governments. It is more in the latter space that we find ourselves. In that regard, and to go back to the centre of excellence's model of 13 domains, the key point is that those domains are all separate and independent. This is why hybrid works in the way that it does. In many cases, the domains are politically or legally separated. The courts and the Houses of the Oireachtas are separate from Government so no one entity can dictate or compel other entities to do things. In talking about how we are funded to deal with hybrid, a more fundamental question is that of how the State as a whole ensures that all of these domains are properly resilient to hybrid activity. As I will come to in a second, that is something the State has already made significant strides in. In that context, our role is really to lead on the cyber domain, but also across related domains in other areas to ensure they are all up to scratch or up to the same level. That is why our mission statement has that "lead" piece in it.

On the specific question of what the State does on hybrid, while it gets very little press, it is worth pointing out that, under the new legislation, the Electoral Commission has an express role in dealing with disinformation. In the last while, in conjunction with the NCSC, the Parliament, the Dáil - I am sorry, I am too used to speaking abroad - has passed primary legislation on how to deal with high-risk vendors in telecommunications. There is a significant amount of legislation being passed that deals explicitly with hybrid threats. Colleagues across Government are working on a national counter-disinformation strategy. The State is taking very significant steps to deal with hybrid threats and is doing so in the right way. Rather than relying on one area to lead on it, there is a whole-of-government response to these kinds of challenges. That is the first question.

The second question is in some ways related. It relates to the skill mix in the NCSC. The vast majority of our staff arrived with a technical background. They were recruited from technical competitions. They come from the private sector, the public sector, the Defence Forces and, in some cases, An Garda Síochána and have experience in dealing with these kinds of issues. It will not be much of a surprise to the Chair to learn that we now have some of the most experienced cybersecurity operators as regards dealing with live incidents that you will find anywhere in the State. Without a shadow of a doubt, in some cases, they are the most experienced. We have ten years of operational experience in dealing with the full range of cybersecurity incidents from criminal issues to national cybersecurity incidents. That gives us a very significant capability not just to deal with future incidents, but also to bring in and train new staff as these incidents occur. One of the reasons we have waited this long to do a mid-term review is that we wanted to bring in new staff and to spend the six or 12 months needed to bring staff up to where they need to be. To put it bluntly, the types of skill sets we need do not exist anywhere else in the State. We can get people who are close to the required standard and train them to the point we need. That addresses the skill mix piece.

On assets, the cloud and the types of issues faced in that regard, as the Deputy has pointed out, I obviously cannot and will not talk about operational issues but we see the full range of issues that would be seen on a global basis. Very few are in the public domain but, if you look hard enough, you will see that aspects of one or two have crept in. These details do not come from us but from other sources. Across the various different issues, we have seen very limited activity by way of destructive attacks. It happens but it is extremely rare. Espionage is an ongoing challenge for everybody in Europe. We talk to colleagues and know that everybody classifies the risk of espionage as high and remaining high. That remains our assessment.

Another issue we see, which goes back to the Deputy's comment on the amount of infrastructure we have here, is the prevalence of C2 and C3 infrastructure, that is, command, control and communications infrastructure. To put it very bluntly and very simply, if country A wants to extract information from country B, it will very often hack a device in country C. Because of the sheer amount of infrastructure and IP address space here, we are a very obvious target with regard to that kind of command and control infrastructure. A lot of our work involves mapping and taking down these kinds of C2 and C3 nodes.

On the very specific question on the NATO centre of excellence, we are publicly involved in the hybrid centre. We are formally a member. We are also involved in a number of other NATO information-sharing projects, including the NATO malware information sharing platform, MISP. We have full access to that NATO project and its malware information sharing platform. We also have access to a number of others. Of course, it is very important to say that we do not know what we do not have access to. We can only assume that, as a non-member, there are aspects of NATO infrastructure that we do not have access to. That is just the way it goes. However, I can confirm that we do have very significant access right now to real-world threat and risk information sharing with partners across NATO. Most of these countries are EU member states so we have this intervention anyway. It is important to point out that the EU does not have an operational cybersecurity role. The EU does not deal with national security issues in cyberspace. NATO does, which is why our having access to those feeds is really important. It allows us to deal with the full spectrum of cybersecurity issues.

Barry Cowen (Laois-Offaly, Fianna Fail):

Two members wish to come back in with supplementary questions. I will call on Deputy Carthy first.

Matt Carthy (Cavan-Monaghan, Sinn Fein):

I just have one question. In the closing part of his opening statement, Dr. Browne touched on the challenges that artificial intelligence, AI, technology is going to present. He rightly mentioned that there has been an awakening to the full potential of AI technology through the increased presence of ChatGPT. In that regard, does Dr. Browne share my view that it is concerning that there are virtually as many different responses as there are Departments that have been asked about the protocols currently in place? For example, we are told that the Department of Foreign Affairs is assessing the risk presented by ChatGPT while the Department of Defence has not used it. The Department of the Environment, Climate and Communications has restricted access to it while the Department of Transport has used it. The Department of Finance made no comment on the grounds that it is a security matter. The Department of Public Expenditure, National Development Plan Delivery and Reform does not use ChatGPT but has used other AI technology. The Department of Enterprise, Trade and Employment has used it but has advised staff to use caution. The Department of Agriculture, Food and the Marine has used ChatGPT and other AI. The Department of Education has not used it. The Department of Justice has no specific departmental policy. Others have said that they are carrying out risk assessments.

Surely, that is a red flag if this is something that has the potential to be used in a way that affects cybersecurity, which is not to say that it creates a cybersecurity threat in and of itself. In the first instance, should it not be the case that we have a uniform approach across Departments? We have not even gone into what State bodies and agencies are doing in this regard but, based on the responses from Departments, I take it that there is likely a myriad of other responses and approaches to this technology within those agencies. Does Dr. Browne see the NCSC as having a role in providing direction and setting out a uniform policy and protocol with regard to the use of this type of technology among State bodies?

Barry Cowen (Laois-Offaly, Fianna Fail):

I do not expect Dr. Browne to comment on policy. He did mention that, in addition to the progress made in the last year, the NCSC has a mid-term review in which it will be making recommendations to Government in the hope and expectation that it will honour its commitments under the programme for Government and so forth. I do not know if he can expand any more on that matter.

Dr. Richard Browne:

I absolutely can. The question of AI is one for the whole of society. In many ways, it is going to be the defining issue of our age. That has been clear for a long time. It is also worth briefly genuflecting in front of the idea that all of us, conscious or subconsciously, have been reading, hearing and watching films about AI for all of our existence. "2001: A Space Odyssey" is 60 years old and it is about an AI so, in that context, it is not a new concept to any of us.

Matt Carthy (Cavan-Monaghan, Sinn Fein):

There is also "The Terminator".

Dr. Richard Browne:

There is "The Terminator" and "The Matrix". Fritz Lang's "Metropolis" was made in 1927.

Barry Cowen (Laois-Offaly, Fianna Fail):

Let us not go down that road now.

Dr. Richard Browne:

Fritz Lang's "Metropolis" was made in 1927 and it is essentially about AI. The idea of thinking machines is not new but there are implications for society from the latest developments. ChatGPT is a very public example but there are much more interesting and much larger issues happening in the background, some of which will become public in the next three or four months. To begin with and to answer the question directly, we cannot ban anything. We do not have the power to prohibit anything. We provide guidance and support, which is what we have done in respect of social media, which was raised in previous questions.

In this case, and this has crept into the media to some extent, it is not true that the use of ChatGPT by a Department poses a cybersecurity risk to that Department. The primary issue is whether the data that is being applied to it or any data being released to it was sensitive in any way, shape or form. That is already covered by Departments' data protection policies. From a cybersecurity perspective, there is no dramatic risk from the use of ChatGPT right now. We published a blog on this recently that pointed out that threat actors, as distinct from civil servants, using ChatGPT or other generative AI models could pose a risk. That is very different from the Civil Service using it and posing a risk. From our perspective, the real risks in this are because threat actors, criminals and states can become much more productive and effective in developing their tool sets, be that writing code, writing malware or generating much more believable and coherent narratives for phishing. Those are the real risks from ChatGPT. Individual Departments and agencies bear their own risk; they write their own IT policies. We will publish a piece of guidance on the use of generative AI models in the next little while. It is also important to point out that many of the challenges here are for other entities. Data protection is for individual Departments and the Data Protection Commission, DPC. The DPC is involved in a European-wide project right now looking at the risks of these kinds of issues. There are other questions, such as the types of intellectual property used to inform and build these models.

Like I said, this is a whole-of-government challenge. AI is explicitly referenced in our 2019 strategy. The Government has had an AI strategy for three years at this point. This is not the first time Government has thought about these issues. This one has happened to all of us suddenly, but we have been working on it for a long time.

Barry Cowen (Laois-Offaly, Fianna Fail):

We are coming to a conclusion. I call Senator Craughwell for a supplementary to his previous supplementary questions, to be followed by Deputy Ó Murchú.

Gerard Craughwell (Independent):

Dr. Browne will be aware that a forum on the future of Ireland’s security neutrality will be held at University College Cork, UCC, University of Galway and Dublin Castle. I was at the Tallinn 2022 conference. There are no borders in cyberspace. There is a conversation going on in Ireland about our neutrality or lack thereof and the future position in foreign affairs. The truth of the matter is that there are four pillars. I cannot ever see us being involved in a NATO army, navy or air force. We simply would not meet the criteria. However, from what I understand and am hearing internationally on the NCSC, it is pure equals to anybody out there. The question arises whether Dr. Browne or the NCSC have been invited to give an overview of the importance of working with like-minded countries in the field of cyberspace, AI and all things tied up with that. I will leave it at that.

Ruairi Ó Murchú (Louth, Sinn Fein):

Obviously, I missed a considerable amount of the discussion as I was attending other meetings. In fairness, AI has been dealt with. We all accept that AI is not necessarily what is discussed in the public domain. There are dangers but we have also seen where AI can aid and abet everything from medicine right through. When people look at the fake video and the possibilities there, no more than people have to be circumspect regarding kids handing in homework from here on in, they also have to be aware of the possibilities for somebody playing around with the stuff from a political point of view.

AI can also be the means by which social media companies could find the stuff that we are not particularly happy that they are allowing. We have had the issue in the past number of days of content being left up that should not have been. We have a long history in respect of particular social media companies. They have particular algorithms that are all ready to use nearly weaponised, whether that is for state actors or non-state actors. We have seen the difficulty with disinformation and we know how suggestible we all are, but some are more so than others. We saw huge issues where Covid hit social media and the rabbit holes people have been put down. That has to be dealt with. We have seen the worst-case scenarios as regards Facebook and the issue in Burma and Myanmar relating to the Rohingya. We have most of these companies before us. I assume there has to be interaction with Government. I imagine even at a European level we have to get to a point where we see a greater level of responsibility from them. We are in the age of hybrid and cyber. We know what happened with the HSE.

I will ask a question around Predator and Pegasus and where there are personalised attacks, where somebody goes after Gerry Craughwell or Barry Cowen. Obviously, they would not go after me. I would not be worth it.

Gerard Craughwell (Independent):

They would be wasting their time.

Ruairi Ó Murchú (Louth, Sinn Fein):

Exactly.

(Interruptions).

Barry Cowen (Laois-Offaly, Fianna Fail):

They are finished with many of us.

Ruairi Ó Murchú (Louth, Sinn Fein):

I am throwing this out there because Predator is connected to a company that is based here and has connections with the Israeli security sphere, for want of a better term. This State has to get a proper handle on it.

The NCSC is engaging constantly with companies that have importance in critical infrastructure and all the rest of it. In this State, we have a huge number of educational institutes and so on that have been involved in the whole area of cybersecurity for many years. To a degree, are we sweating those? Does the NCSC have a huge involvement with them? Beyond that, what engagements does the centre have at an EU or European level regarding bodies that are all about pooling cybersecurity resources?

I said that was the last question, but with Dr. Browne being appointed and the increase in funding and resources to the NCSC, are we now in the place we need to be regarding being fit for purpose for the threats we are dealing with? I asked 17.5 questions and if he could answer them in the next two minutes, I would be delighted.

Barry Cowen (Laois-Offaly, Fianna Fail):

Dr. Browne dealt with much of that. Perhaps he could synopsise for the benefit of all the members, apart from one particular question.

I will let Deputy Cronin in as well. It is not that elongated, is it?

Réada Cronin (Kildare North, Sinn Fein):

No. It is on the European Centre of Excellence for Countering Hybrid Threats in Helsinki. Last week, we talked about how it has been up and running for around seven years. I think we only sent a letter to join in January of this year. Is Ireland a member of that? If we are, who do we send? Will Dr. Browne or NCSC representatives go there or have input into that?

Dr. Richard Browne:

I will run through these questions quickly. I am conscious of time.

On the consultative forum on national security in June, I will be centrally involved on the first day in UCC for the cyber element of it and I suspect some of the hybrid piece as well. We are centrally involved in that process.

On AI, I have rehearsed the issue, but bluntly, this is a whole-of-government challenge. Aspects or elements of government that deal with issues relating to electoral security, for example, will very quickly, I suspect, find themselves dealing with AI-related questions. It is not just Photoshop; AI is more than just that. As the Deputy correctly pointed out, it also offers significant opportunities for productivity improvements in government and completely new ways of approaching issues in our world, for example. It is a technology that cuts both ways.

Forgive me if I am skipping over some of these. The Deputy also asked about mobile malware, particularly the use of so-called spyware on mobile devices. Right now, we are limited by legislation in what we can do with that. We have access to a lot of threat intelligence and we, as is public domain information, conduct assessments of official devices and hardware to check for the presence or otherwise of said malware. Some of the legislative tools we are looking to build in the new legislation will allow us to engage in tracking this type of activity much more coherently nationally. Again, GDPR limits us from handling personal information in many circumstances and rightly so.

We need to have proper legal authority to deal with these kinds of issues.

On educational institutions, we are sweating and have continued to sweat a lot of the assets. Some of the people who work with us came from the staff of the institutions. I am calling out in particular the UCD centre for cybercrime. A great number of our staff have done the master's there. It was the original master's course in the State. Some have lectured in other institutions in Dublin, such as DCU, Trinity and so on. It is very much a core part of our process. The reason the NCSC CSIRT-IE was originally founded in UCD was so it was proximate to the computer science department there.

On the European piece, we have engaged widely across Europe, not just with member states but also third level institutions. In the UK, we have engaged with Queen's and the London Office for Rapid Cybersecurity Advancement, LORCA, as well as ENISA, the European Network Information Security Agency. We have two people on the board of ENISA. We are fully engaged on a lot of its processes, in particular on risk assessment. We have another very public announcement coming on risk assessments in the next while.

Deputy Cronin asked about the hybrid centre. The Department of Foreign Affairs leads on that. We have engaged with the centre for three or four years. A lot of the work we have done on the 2019 strategy and other aspects has leveraged heavily on the work of the centre in cyber and other parts of the national security apparatus of the State.

Barry Cowen (Laois-Offaly, Fianna Fail):

I thank Dr. Browne and Ms Woods for attending the meeting and their opening presentations, as well as the engagement they partook in thereafter and the volume of information they relayed to committee members. I thank committee members for their input and extracting the sort of information that leads us to the belief, contention and summary that we are glad to see the budget is being met and their demands in that regard have been met. They now have a home and a property and their workforce has doubled. The relevant expertise is being taken on board in that sphere and the Department of Public Expenditure, National Development Plan Delivery and Reform has been innovative in the way in which it has assisted them to ensure they have the personnel.

The centre's technology is up to speed and it is developing partnerships across Europe and further afield. Its mid-term review is imminent. We expect that will contain recommendations along the lines of policy initiatives and, more particularly, legislation. That will now be aligned with similar moves afoot across Europe and the EU. We are glad to get that update, as Deputy Berry said. We will keep a close watch on the brief, which is our duty on behalf of those who give us the privilege to do so. It is a very important sphere and aspect of governance that greatly impacts on our ability to provide the sort of security that we expect, not only in government but also in the private sector, which the centre is working with. That will ensure all of the services are delivered in a manner that is not open to the sort of intervention that has become all too prevalent in recent times.

Dr. Richard Browne:

I thank the Chair for his time.

The joint committee went into private session at 4.54 p.m. and adjourned at 5 p.m. until 3.15 p.m. on Tuesday, 30 May 2023.