Oireachtas Joint and Select Committees
Wednesday, 31 May 2023
Joint Oireachtas Committee on Transport, Tourism and Sport
A Common Vision for Cybersecurity: Discussion
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
The purpose of today's meeting is to discuss a common provision for cybersecurity. We are joined today by representatives from 4Securitas, Cyber Ireland and Cyber Skills Training, and by people from academia. On behalf of the committee I am very pleased to welcome Mr. Stefan Umit Uygur, chief executive officer, 4Securitas; and Mr. Pat Larkin, chief executive officer of Cyber Ireland. Joining us remotely are Professor Donna O'Shea from Munster Technological University, with advisers Dr. Paul Miller, deputy director of the Centre for Secure Information Technologies at MTU; Professor Thomas Acton, professor in business and administration systems; Dr. Sean McSweeney, head of department, MTU; and Dr. Brian Lee. We are also joined by Mr. Colm Hyland from the CJH network and Cyber Skills Training. The witnesses are all very welcome.
Witnesses are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable or otherwise engage in speech that might be regarded as damaging to the good name of the person or entity. If the witnesses' statements are potentially defamatory in respect of an identifiable person or entity, they will be directed to discontinue their remarks. It is imperative that they comply with any such directions.
Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official either by name or in such a way as to make him or her identifiable. I remind Members of the constitutional requirement that Members must be physically present within the confines of the Leinster House complex in order to participate in public meetings. I will not permit a Member to participate when they are not adhering to this constitutional requirement. Therefore, any Member who attempts to participate from outside the precinct will be asked to leave the meeting. In this regard, I ask any Member partaking by MS Teams that prior to making his or her contribution to the meeting to confirm that he or she is on the grounds of the Leinster House campus.
Gerard Craughwell (Independent)
Link to this: Individually | In context | Oireachtas source
In attendance we also have Mr. Adrian Kelly from the Advanced Manufacturing Training Centre at Dundalk Institute of Technology.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
I thank Senator Craughwell. I welcome Mr. Kelly. I now invite Mr. Stefan Umit Uygur to make his opening statement on behalf of 4Securitas, and then we will go to the other witnesses.
Mr. Stefan Umit Uygur:
I thank the Chair and the committee members. It is my pleasure to speak at this committee and give an opening statement in relation to preparing Ireland as a country to be more cyber-ready and resilient. I will gladly answer any questions that members may have at the end of my statement.
There should be only one common vision and a single agenda for Ireland with regard to cybersecurity. My statement is about the role played by SMEs and, in particular, indigenous organisations, as detailed in the paper Cyber Security Vision for Ireland 2022, published by Senator Craughwell. The paper sets out a vision to make the island of Ireland a global cybersecurity leader in skilled talent, technological innovation and research. Ireland can provide a safer digital environment by starting with tomorrow’s skills today for the benefit of all. This is the primary objective of my speech and is the outcome of the Cyber Security Vision for Ireland 2022 paper for strengthening Ireland’s position in cybersecurity.
Globally, the lack of cybersecurity continually presents huge concerns as to how the future will look if government, public and private entities continue to be inadequately prepared for cyberattacks. Global organisations such as NATO have added cybersecurity as a fifth domain. The fear is that cybersecurity will become the primary problem globally and cybersecurity will dominate the other four domains of land, air, sea and space.
It is now clearly evident that if a country is not prepared for cybersecurity and cyberattacks, the future prospects of that country will be greatly challenged. Today’s ransomware attacks, with which we are so familiar, are a training ground for tomorrow’s more devastating attacks and a more serious proliferation of same. The fear is that if criminals move from the training ground towards nation states, the targeted area increases and represents one of the biggest threats the world will ever deal with. Cybersecurity will be the next pandemic. To tackle the problem, nations must prepare.
There must be a greater focus on indigenous cybersecurity companies of all types, including start-ups, scale-ups and consolidated organisations. Investing more in sovereign technologies, supporting them and connecting into the national ecosystem, the public, private, academic and international collaborations take place, will be most beneficial. Collaboration is at the heart of the vision I am presenting, where we see Ireland being among the most cyber-ready countries and transformed into a global cybersecurity hub. To give a simple example, the public tendering and procurement process needs to be reviewed generally for all SMEs. There needs to be local software working for local organisations. Changes need to be made to success criteria and insurance levels. Appointing Irish companies to do local work is critical for medium and long-term success in the cyber sector. We need to be more creative in the tendering process. For instance, to give another simple example, Enterprise Ireland clients should be given special consideration to support their development and scalability. Public procurement people generally need to be more strategic and encouraging of Irish companies. Cybersecurity is too important and critical to be treated like other topics. Supporting sovereign cybersecurity companies will help Irish SMEs to position themselves for expansion and growth, therefore creating jobs. This will also facilitate improvements in the cyberskills gap. Strengthening local industry will strengthen the country. Collaboration between private, public and government bodies and academia in an ecosystem will ultimately transform Ireland into a cyber-ready and resilient country. As a country, we must believe in our own technologies, use them, support them, provide feedback and continually improve them by investing in them. Supporting sovereign technologies will generate a strong cybersecurity industry in Ireland and these companies will expand their services to all SMEs. Ireland can assist SMEs that are not in a position to secure their digital assets. This will make the nation even more resilient and strong. To summarise in one sentence, by adopting and supporting sovereign solutions, we will be investing in them, helping their growth, increasing staff numbers, creating skills and creating more jobs. Irish SMEs can compete with big players by strengthening their solutions and creating solid enterprises that directly act towards creating a better economy, ultimately resulting in having a future-ready, cyber-resilient country.
I will try to wrap up in a mix of English and Gaeilge. Is lá deas é inniu agus tomorrow can be brighter than today. I look forward to any questions committee members may have. Gabhaim buíochas leis an gcoiste.
Mr. Pat Larkin:
It is my pleasure to attend this committee again. This is my third time, but this time I am here in my role as chairperson of Cyber Ireland. Cyber Ireland's raison d'êtreis collaboration, co-ordination and leadership to develop our sector. We are delighted to be here with this wide and diverse group, a number of whom are Cyber Ireland members. Our common purpose is to articulate and execute a common vision for cybersecurity for Ireland. Cyber Ireland, as an already established and functioning resource, is best placed as the tip of the arrow to help to develop, co-ordinate and lead on this common vision. I will give an overview for members who are not familiar with Cyber Ireland. It is a national cybersecurity cluster organisation and an industry representative body launched in 2019 to bring together industry, academia and the Government to represent the needs of the cybersecurity sector in Ireland and support its growth. The cluster is industry-led, hosted at MTU, and is supported by the Government through the National Cyber Security Centre, NCSC, with funding from the IDA and Enterprise Ireland. We have more than 160 members, of which 50 are multinational companies, 90 are SMEs and indigenous companies, and ten are universities. The NCSC, IDA and Enterprise Ireland are also on our board. Our cluster vision is to be a driving force to support world-class talent, innovation and solutions for Ireland’s cybersecurity cluster. We have four different workstreams we have been working on since we were established: building the community; developing a sustainable talent pipeline; enhancing collaborative research and development; and supporting the growth of the domestic sector and foreign direct investment, FDI. There is further detail on workstreams in our submission but in the interests of time I do not propose to go into them now.
Cybersecurity is a rapidly growing industry internationally, for which there are a number of opportunities and challenges. The market size of the industry is currently $250 billion worldwide and is growing at a compound annual growth rate of 12% per annum. The annual global cost of cybercrime has exceeded $10.5 trillion annually. I apologise that there was a mistake on the original version of the opening statement I submitted yesterday. The correct figure is $10.5 trillion annually. It is the third largest economy in the world and is growing at 15% compound growth. There is 0% unemployment in the cybersecurity sector. In fact, it is estimated that approximately 3.5 million roles are unfilled worldwide and that is forecast to grow to 4.2 million in the next two years. Increasingly, because of the size of the opportunity and the challenge, there is increasing global competition for talent and investment.
I will move on to the risks and challenges for Ireland. Ireland is the data centre of Europe with its multinational presence of social media and cloud-based companies. There is increased cybercriminal activity globally and in Ireland. The economic impacts of cybercrime put our indigenous SME sector at risk and have knock-on effects on our FDI brand. Ireland is a digital leader and security laggard. The European Commission publishes the Digital Economy and Society Index, DESI, which ranks member states according to their level of digitalisation and digital transformation. Ireland is a digital front-runner in Europe, ranking fifth of the 27 EU member states in the 2022 edition. However, a similar cybersecurity industry index benchmarks Ireland as a laggard internationally. The International Telecommunication Union's global cybersecurity index, GCI, measures the commitment of countries to cybersecurity at a global level. In the 2020 version of the GCI, Ireland ranked 46th globally and 28th of 36 European regions. We have significant strengths with respect to cybersecurity. We have a significant base of international technology and security companies. According to Cyber Ireland's report, the inaugural State of the Cyber Security Sector, which was published in 2022 and mapped the size and make-up of the cybersecurity sector for the first time, six out of the top ten software security companies are based here; 160 pure-play cybersecurity companies and 300 companies with cyberoperations are located in Ireland; the sector employs 7,500 people, with revenues in excess of €2 billion per annum; and it currently contributes approximately €1.1 billion in gross value added, GVA, to the economy. We have a strong talent pool, a highly skilled multilingual workforce and talent development programmes to which Cyber Ireland is participating and contributing. We are a digital leader, attracting FDI, and we host much of the EU’s data. Dublin is Europe's largest data hosting market.
Ireland is uniquely placed to benefit from increased global investment. It has an opportunity to position itself as a global leader for cybersecurity talent, innovation and investment. Cyber Ireland aims to facilitate the cybersecurity ecosystem to capitalise upon this opportunity. The report highlights the potential growth of the sector to 2030 to support 17,000 jobs and €2 billion in GVA.
Cyber Ireland published a position paper, Achieving Our Cyber Potential 2030, in addition to our market survey, with recommendations on how to realise our cyberpotential and growth targets by addressing key challenges and calling for a collaborative approach from stakeholders across industry, academia and government. The challenges are that we need to have better Government co-ordination on cybersecurity across Departments led by the NCSC; to scale and mature the indigenous cybersecurity sector; to address the cybersecurity skills shortages in industry and the public sector; and to address the fragmented and under-supported research and development landscape, and the low level of collaborative security research and development between industry and academia in Ireland.
What are our suggestions? A mature and diverse cybersecurity industry will play a significant role in supporting Ireland’s national cyber-resilience. This has been demonstrated internationally across leading cybersecurity nations that have supported and developed strong cybersecurity industry sectors, such as the United States of America, the United Kingdom, Australia, Netherlands and Israel.
A whole-of-government approach is required to ensure that Ireland improves its cybersecurity commitment and delivers on the national cybersecurity strategy vision of a society that can continue to safely enjoy the benefits of the digital revolution and play a full part in shaping the future of the Internet. This highlights the need for better co-ordination in Government regarding cybersecurity. This should be led by the NCSC within the Department of Communications, with buy-in from the Departments of Further and Higher Education, Research, Innovation and Skills; Enterprise, Trade and Employment; Public Expenditure, National Development Delivery Plan and Reform; Justice; and Defence, and relevant agencies including, among others, Science Foundation Ireland, SFI; Enterprise Ireland; IDA Ireland; An Garda Síochána; the Defence Forces; and the Office of Government Procurement.
To address current challenges, support co-ordination and ensure future cyber resilience, Ireland should invest in a cybersecurity campus that would bring together the key stakeholders across Government, industry and academia to contribute to our national cyber resilience under one branded entity. The campus would provide a centre of gravity for cybersecurity in the State, coordinating government Departments and agencies across the NCSC, An Garda Síochána and the Defence Forces, supporting enterprise development, from start-ups to SMEs to multinationals, providing training and enhancing technological innovation in most likely some form of hub-and-spoke model. It should also engage with the public, supporting cybersecurity awareness and education and strengthening a digital society. International examples already exist, such as the French Campus Cyber, The Hague Security Delta, the Netherlands' National Cyber Security Centre, Sweden's RISE Centre for Cybersecurity , and the Centre for Secure Information Technology, CSIT, in Belfast, the UK's innovation and knowledge centre for information technology.
A minimum investment of €40 million a year would be required for a cybersecurity campus in order to ensure that the gap between Ireland's digital index and cybersecurity preparedness is addressed. To ensure that Ireland maintains its competitive advantage as a safe place for doing business and to establish national trust needed for future inward investment, greater investment of up to €80 million per year is required. We need to train up 10,000 new professionals with cybersecurity skills to create a sustainable pipeline of talent for the private and public sectors. Funding for a national cyber education and career programme for young people between the ages of 11 and 18 is also required.
We need to deliver a cybersecurity baseline certification for all companies in Ireland, for example, Cyber Essentials or CI4, which Cyber Ireland has been working on, and a requirement for companies supplying public sector bodies. There are three goals. The first is improved cybersecurity protection to support all organisations to mitigate their cybersecurity risks, with the priority that it is an effective means for SMEs to protect themselves. The second is to demonstrate supply chain security to be an effective tool for large organisations and the Government to help manage third-party cybersecurity risks. The third goal is to reduce cyber insurance premiums, which are increasingly problematic, through a certified cybersecurity baseline.
Cybersecurity should be designated as one of five national clusters under the Department of Enterprise, Trade and Employment’s national clustering programme by 2025. We need to ensure that cybersecurity is incorporated into strategic Government funding mechanisms to support our cyber ambition, such as Enterprise Ireland, enterprise supports, PEACEPLUS, which is a €1.1 billion programme, and SFI's research centre programme. European funding should also be increasingly targeted.
Investing in cybersecurity is unique among national security spending. If we can move our national cybersecurity capabilities to European and global leadership status, we will secure our digital economy, our digital society and our citizens. In doing so we will project Ireland as a leader in cybersecurity practice and innovation, with a very real opportunity to generate five to ten times order of magnitude return on this national investment.
Professor Donna O'Shea:
It is my pleasure to be here to contribute to this important discussion. I hold the position of chair of cybersecurity at MTU. I am accompanied by Dr. McSweeney, Dr. Miller, Professor Acton and Dr. Lee.
Cybersecurity has been growing in importance over the past decade as the rate, frequency, scale and sophistication of cyberattacks has increased. This importance is reflected in the growing number of EU policies and directives, such as the EU network and information security, NIS, 2 directive, the Digital Operation and Resilience Act, DORA, and the critical entities resilience, CER, directive, and national policies such as Ireland's smart specialisation strategy and the digital Ireland framework. These policies correctly detail the risk associated with digitalisation. The more we digitalise, the greater the risk of cybercrime and the need to take cybersecurity precautions to prevent the financial loss, business disruption of a successful cyberattack.
As the rate of Ireland’s digitalisation continues to increase, so too do the risks. The World Economic Forum defines cybersecurity as one of its highest likelihood risks over the next ten years, along with climate action failure, digital power concentration and digital inequality. Cybersecurity is now considered the linchpin in building the digital resilience necessary to future-proof our businesses, society and economy. This resilience, according to the World Economic Forum, will become the defining mandate of our time. It will mean the difference in being able to detect, respond and recover from future digital shocks in the form of inevitable cyberattacks of increasing frequency, scale and sophistication.
The reality is that, to date, Ireland has lagged in prioritising cybersecurity, and there is now a gap between our digital development and our cybersecurity readiness. Over the past number of years, we have witnessed first-hand the impact of this gap. While most fraud incidents in Ireland cost less than €80,000, the cost can be much greater. For example, the clean-up from the cyberattack on the HSE has cost the Irish taxpayer €80 million to date, with the cost of the remediation programme likely to be approximately €300 million over the next two to five years
When benchmarked against their counterparts in other countries, we can see that Irish companies are falling victim to cyberattacks at double the rate of reported global levels. The cost and clean up of cyber incidents also costs Irish businesses more. While the current cost of a cybercrime incident can be significant, the societal impact can be much greater, with impact on critical services and loss of personal data. For example, in the cyberattack on the HSE, 113,000 individual medical records were illegally accessed and copied.
The challenge and opportunity for the future is to ensure that Ireland has the capacity and capability to respond to the risk associated with digitalisation and bridge the gap between our digital development and our cyber readiness. One way to achieve this is by ensuring advances in cybersecurity research can be applied to improve the resilience and security of Ireland’s critical infrastructure, public sector and digital economy. In Ireland, this is providing ineffective, however, because the landscape in cybersecurity research is highly fragmented. This has led to a slow and limited impact response that follows from individual academic institutions and SFI research centres trying to address national-scale research challenges in cybersecurity with disconnected and small-scale responses. This fragmented and incoherent approach needs to be resolved if we wish to develop cybersecurity research solutions in sectoral applications where Ireland is leader, with the aim of increasing its market position.
We have a number of recommendations. The first is to establish an SFI research centre in cybersecurity that would together higher education institutions with industry, business, public sector and security forces partners. The second is to ensure a fixed percentage of all national funding for digitalisation to be specifically ring-fenced for cybersecurity. Our third recommendation is to invest in our cybersecurity infrastructure to support collaborative research and development and skills training.
Ireland also lacks a mechanism to engage its highly skilled workforce to participate in the innovation economy, ensuring that, as a country, we can develop cyber capabilities within our own borders, enabling the rapid and agile development of indigenous innovation solutions to cybersecurity and digitalisation challenges. This is important as research has proven that even though talent can often be evenly distributed throughout the world, the opportunity for engaging talent in the innovation economy is not equal, and innovation-driven entrepreneurship clusters develop at high concentrations in certain places around the world. In the cybersecurity sector, this clustering is particularly evident, with cybersecurity innovation highly localised to specific regions supported by government funded innovation ecosystems. Be'er Sheva in Israel, Tallin in Estonia and Belfast in Northern Ireland are well known examples of established innovation ecosystems in cybersecurity.
Within this research, development and innovation ecosystem, we have a lot to learn from our partners in Belfast. We have the potential to build a shared digital island that would present enormous opportunities for economic and social advancement as physical and political borders become increasingly insignificant. To realise the full potential of our digital island, we cannot replace the Border with a digital border that would mean standards, policies and strategies would be different. A common approach is needed.
As part of the approach, we need to explicitly include cybersecurity in an all-Ireland collaborative research innovation programme. We also need to establish an all-island co-ordination of national cyberdefences by developing cybersecurity infrastructure and cyberdefences to protect the nation as a whole, as a firewalled island.
Our success in building a strong research, development and innovation ecosystem is highly dependent on a skilled talent pool and workforce. Last year, for the first time, the International Information System Security Certification Consortium, ISC 2, reported that Ireland closed its cybersecurity skills gap to 19.5%, while the global gap grew by 26.2%. This success can in part be attributed to investments made by the Government in specialised initiatives, such as the Higher Education Authority, HEA, human capital initiative, HCI, pillar 3 cyberskills initiative, growth in apprenticeship offerings, Springboard and other HCI pillar 1 funding.
Many challenges remain, however, if Ireland wants to achieve its ambition of growing its cybersecurity workforce from 7,300 today to 20,000 by 2030. We need to deliver highly skilled graduates to the sector at a faster rate by investing in cybersecurity training at all levels. We need to achieve this goal in a way that does not compromise on the quality of education delivered. As part of this, we recommend that Ireland establish a baseline in cybersecurity education and agree key knowledge, skills and abilities that courses should teach. We also recommend that 50% of all cybersecurity courses should be dedicated to practical activities and the funding of initiatives and academic programmes that focus on collaboration in the higher education institution, HEI, sector. This is required as cybersecurity as a discipline is constantly evolving and training and education need to adapt at a faster rate.
To summarise, the challenge and opportunity for the future is to ensure that Ireland has the capacity and capability to develop research, development and innovation solutions that deal with the increasingly complex and expanding threat landscape that is a consequence of digitalisation. To realise this opportunity, greater investment is required to ensure that we develop a more cohesive and responsive research, development and innovation ecosystem supported by a highly skilled workforce of professionals. If we achieve this, then in the future we will ensure that Ireland can meet the demands of industry for cybersecurity products and services, which will maximise our retention of existing industries and also ensure that Ireland becomes a nexus for the growth of industries where cybersecurity is an absolute necessity.
Mr. Colm Hyland:
I will reinforce some of the points made in the previous presentations. One of the key things coming through is that we have a problem when it comes skills shortages and, related to that, the notion of skills gaps. That is probably one of the single biggest challenges we have as an economy, which has a knock-on effect for anybody involved in any form of digitalisation. We have a problem that transcends the private and public sectors. The easiest way to summarise that is to say that everybody is at risk. Therefore, we need to ensure that every citizen has some basic knowledge of cybersecurity and a select group of people have the skills appropriate to their organisations to try to defend this difficult situation.
As suggested by Mr. Larkin, the cybersecurity sector is growing rapidly within the country. Numerous reports suggest that we have approximately 7,500 professionals and the potential for 17,000 jobs by about 2030. That is all to be encouraged, but one of the issues we are very interested is the idea that cybersecurity skills need to work across the entire economy, not just exclusively within higher education in particular. We have done a good job, especially Professor O'Sullivan and her colleagues, as regards the number of accredited courses within the country. The issue is that this does not meet the demand. The demand is so large that we need to ensure we have skills-based programmes that actually meet the demands of smaller organisations, in particular, manufacturing organisations.
We know we have a shortage of people. There are significant shortages as regards understaffing. As cybersecurity jobs are well paid, we also have a problem with attrition. Even if you manage to hire some cyber people, one of the difficulties is other people want them as well. There are serious problems with the recruitment process, even when it comes to longevity, in filling a particular job, and the pricing has become slightly outrageous.
When we go into organisations to see what their cyberneeds are, the other bigger issue is that sometimes people do not know they have a problem. One of the most fundamental aspects of this is there is such a level of a skills gap, people do not know a problem is actually knocking on their door or sitting on their systems today. Part of this process we are engaging in is about trying to ensure that more people understand problems are out there, which are happening every day. The issues is not just that managers do not know in their organisations. Sometimes, their IT people do not know either. There is a real difference between IT people and cyber people. One of the significant things we need to bring home here today is to suggest very clearly that IT departments need to be upskilled in cyber, just like everybody else. One of our real interests, and Mr. Kelly will back me up on this later on, is that we have not paid enough attention to SMEs in the country. We still have a very strong manufacturing base, much of which are indigenous companies that we need to support. We have issues in making sure that we identify these skills gaps and that we really pay attention to SMEs and manufacturing companies in particular.
These problems will not go away. A plethora of legislation is coming through from Europe. All the members know about the general data protection regulation, GDPR, but DORA is now knocking on the door in the context of financial companies. The network and information security, NIS 2, directive is coming through as well. There are a whole bunch of other things, including the, DMA, the, DSA, and a consolidation Act, primarily around cybersecurity, which will hit us in 2025. As if things were not bad enough, we now have to be compliant with a rake of EU directives and regulations that will be transposed into Irish legislation. It is difficult for an SME to keep in tune with what is going on, but the fact that we have a serious legislative requirement coming through makes it even more difficult. One of the good things coming out of the Cybersecurity Act is the notion of having cybersecurity skills academies, which we are very interested in. These academies will bring the training and education down to a level for the ordinary guys on the shop floor, including the technicians and engineers, who need this. It is not just about the graduates but the people who actually do the work on the factory floors or within small businesses, whether they are retailers or whatever.
We know there is a solution out there; it just requires a huge amount of work. Very good work has been done in defining what the skills requirements are, particularly through the national initiative for cybersecurity education, NICE, the National Institute for Standards and Technology, NIST, and the European Union Agency for Cybersecurity, ENISA, frameworks, which are very beneficial. We also need to concentrate on things such as leadership. One of the obvious things is that our managers do not know enough about this stuff. We need to start to look at additional, what we call, transversal competencies that will fit into this particular profile. A lot of good work has been done throughout the country but it is not co-ordinated, intensive or impactful enough. We have a lot of work to do in this area. Some good work has been done in schools but it is a little hit or miss. As usual, there has been a series of pilots and initiatives, but nothing comprehensive in getting down to five- and six-year-olds, never mind the 18- and 19-year-olds. A real piece of work is to be done in that regard.
Various organisations have been working away on this stuff but it has not been full of impact at all. Our friends in what used to be called Blanchardstown Institute of Technology, which is now part of the Technological University, TU, Dublin, do a wonderful event, Capture the Flag, for secondary and third level students. Those sorts of things are very helpful in assisting people to understand there is a problem and acquiring some skills in that regard. Again, we have great programmes that fit people. Mr. George Ryan and his team work particularly well on apprenticeships. We have digital and cyberapprenticeship schemes. In fact, the Advanced Manufacturing Training Centre of Excellence, AMTCE, in Dundalk runs one such scheme in collaboration with other things it does in the cyberspace. Cybersecurity apprenticeships are critical and are a key component in filtering the skills levels down.
We have been very lucky in doing some work with the AMTCE in Dundalk. It will be reopening in September. If members have not yet visited it, they should because it is exceptional. We have been working with the guys there on a full curriculum of skills-based accelerated learning for cybersecurity. We take the view that it is great to have multiple degree programmes working for us within the country, but the fastest way to get people up to speed is through accelerated learning processes, and taking advantage of the web and digital learning platforms, of which there are an abundance in this space.
We have an opportunity within the AMTCE, in particular through the good offices of Mr. Adrian Kelly, Mr. Martin O'Brien and Mr. Denis Rowan, who are really supporting this activity at the moment. It is exceptional work and it really will hit the nail right on the head. It has a big interest in SMEs and in operational technology. As the name indicates, it is an advanced manufacturing centre. There is some really good work starting within that, including some work which we could potentially emulate across all of the education and training boards, ETBs. We have to get the young people in fast on this stuff and the ETBs provide this through the secondary and the tertiary education they provide. They are a wonderful vehicle for delivering a lot of this stuff and that is something we need to encourage. There is lots of good work being done in the cybersecurity area generally, but not enough. We need to get faster, smarter and brighter about the whole thing. We need projects like those in Dundalk, which are going to be exceptional in terms of what we can do and are underpinning the whole advanced manufacturing piece. How much is this going to cost us? Over about four years, I estimate about €60 million. It is an investment that is necessary but we have to do it right away.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
I thank Mr. Hyland and will now go to Members who will each have ten minutes. Senator Craughwell is first on the rota.
Gerard Craughwell (Independent)
Link to this: Individually | In context | Oireachtas source
I thank all of the presenters. It really is great to have the entire spectrum of the education and training section before the committee. I will direct specific questions to the witnesses, starting with Professor O'Shea. I have been to MTU, and the committee should visit to see what is going on there. There is great work going on. Professor O'Shea mentioned to me the need for a standard qualification or curriculum that would meet the needs of cybersecurity in Ireland. She has expressed some concern that people tag the word "cyber" onto a degree or postgraduate programme without really hitting the nail on the head and getting into the work that she does down in Cork with respect to postgraduate programmes. I ask Professor O'Shea to give us something on that in a moment. I will move on but Professor O'Shea or her colleague might answer that question.
Due to being limited in time, I have to ask all my questions upfront and then we call the witnesses in for answers. Previously at the University of Galway, I met Professor Acton who has a very interesting programme coming up in the area of crisis management and the like. I ask him to give us some insight into what is going on there.
Dr. Lee from Athlone is also here from the software side and I would be interested in getting his insight. The reason I am asking for this is that this is a one-time opportunity for the committee to hear what is going on in these sectors, particularly around the asks they will have.
I move on now to Mr. Larkin. Cyber Ireland does tremendous work and there is no getting away from it. As he is the chairman of the organisation, I am delighted to see him before the committee again. He will also have concerns about the qualifications and streams that are coming through. More importantly, he has some great insights into the benefits to our economy of putting strong cyberprogrammes in place. Will he quantify where he sees the likely returns on investment that there would be from there?
I move on to Mr. Kelly. I apologise to him for not getting things right in having him listed as one of the speakers. He is the top man in the AMTCE in Dundalk and he has some very ambitious ideas there, particularly in delivering programmes in association with Mr. Hyland in the area of information technology-operational technology, IT-OT. A lot of work has been done by Mr. Kelly, Mr. Hyland and Mr. Umit Uygur in putting a programme together which is going to be most interesting and should be replicated around the county. It delivers skills so that the people with the skills can feed into programmes like that being run by Professor O'Shea in MTU. We should have a constant stream of people going through to Professor O'Shea, Professor Acton, Dr. Lee and people like that to build the skill set in the country.
The last part of my questioning is directed at Mr. Umit Uygur. He spoke about public procurement. It is a matter of some concern to me that the tendency in public procurement is always to go for the big name. This means that small indigenous companies that are developing really interesting software are not recognised. To quote a civil servant who answered a question for me one time about trying out something new, "We do not do pilot projects in this country". Does Mr. Umit Uygur think that is something the small SME start-ups are suffering under? Are we afraid to take the chance in case it goes wrong? Organisations have to be proven before they can feature in the public sector. I have asked those questions. We will start with Professor O'Shea and we will work our way around the academic group and then work down the list.
Professor Donna O'Shea:
I thank the Senator for that very insightful question. The reality is that there are a large number of cybersecurity courses in Ireland at the moment. Of our 52 cybersecurity programmes, 50% of these programmes are at level 9 and most exist in Munster and Leinster. There is a concern that some of these programmes may only contain one module on cybersecurity yet they have "cybersecurity" as part of their programme titles, giving the impression that they contain a much larger concentration of cybersecurity content. There is a fundamental problem in actually training cybersecurity professionals for the industry which needs to be explored as part of this session. There is a global lack of cybersecurity talent but qualification typically requires an undergraduate degree and a postgraduate specialisation. A postgraduate specialisation is mainly focused on MSc and MEng awards. I will pass over to Dr. McSweeney in a minute to talk about the ones we have on offer in MTU. Due to it being very long and extended, inflexible and expensive to actually get into the career of cybersecurity, there has been a market saturation of companies trying to fill this gap through industry certifications. The barrier is high. Then there is a market saturation of certifications, which is different from education, and is focused on an all-or-nothing approach. This is a problem.
As we go forward, we need to look at all of these courses to try to establish a baseline and to agree key knowledge, skills and abilities that should be taught across courses that have "cybersecurity" in their title. These baselines already exist. The committee members have heard colleagues mentioning the National Institute for Standards and Technology and the national initiative for cybersecurity education, NIST- NICE framework but there is also a very similar one, namely, the UK National Cyber Security Centre baseline standard. This would allow education providers that are training a cybersecurity professional to say that they know what kind of knowledge, skills and abilities are needed and these can be built into their programme structure and module content. I mentioned to the Senator previously that training a cybersecurity professional is like training a nurse. It is more or less the same thing. When one trains a nurse, on completion of their graduation they are actually expected to be able to perform their job to a baseline standard. A nurse or doctor cannot go out into a ward to administer drugs and do their job without being able to do it properly. It is the same with a cybersecurity professional. There is less opportunity for actually being able to learn on the job. On graduation, they have to be able to do this to a baseline level. That is why it is so important that there is a high degree of practical content in cybersecurity courses in order to reinforce their learning and to make sure that when they are graduated and working on the job, they have the necessary skills to actually perform that job. I invite my colleague, Dr. McSweeney, to contribute also to that point.
Dr. Sean McSweeney:
I thank Professor O'Shea. One of the specific challenges that Professor O'Shea has mentioned multiple times - the committee will have heard it coming across in the opening statements - is consistency in terms of programmes and ensuring there is consistent mapping. A number of mechanisms could be used. An analogue to this is the Institute of Engineers Ireland where programmes could be validated to ensure they meet the set requirements for knowledge, skills and abilities. Within MTU and a number of other academic institutions, we have a tradition of producing skills-based programmes so we are naturally aligned to some of these frameworks.
It is imperative we come up with a consistent approach across the country for this because it is a risk for us in terms of maximising our economic capacity for a number of the emerging technologies.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
I call Professor Acton.
Professor Thomas Acton:
I thank the Chair and Senator Craughwell. I am with the University of Galway. I agree with everything Professor O'Shea and Dr. McSweeney have just said. If there was ever a topic where we are all on the same hymn sheet, this is certainly one. We need to take a national view of this, and in fact an all-Ireland view.
Coming on stream for us in Galway are two new masters programmes in cybersecurity and the content is cybersecurity-focused. We have the horse blinkers on it. We have a highly technical master's programme in adaptive cybersecurity and we have a business risk management perspective - Senator Craughwell mentioned the crisis management perspective - coming from our business school on cybersecurity. We can take numbers into these programmes and they typically tend to be people coming out of graduate degrees seeking employment pathways in a particular area with a technical background. They tend to be people who will then go out into industry and find themselves taking a number of years to creep up the ladder into positions where they can have significant managerial impact. In that sense, therefore, it is too slow. We produce really capable graduates but we need what Mr. Hyland mentioned as well, namely, the faster-track, skills-based delivery. That feeds into an holistic approach to skills development.
It is almost as if we are back in the 1970s and somebody is asking whether we want to hire the computer person. We are sort of at that point. If we look back now we might say that would have been a good idea and we should have hired as many as possible. This area in cybersecurity needs to become the default thinking for our management, company organisations and behaviours. We have little time in which to do it because the threats are becoming more magnified and far cheaper. That is the key thing. They are so cheap. Ransomware is so cheap, so available and is increasing in frequency. When we look at what some nefarious groups seek to do around cyber, it is incredibly fundamental and basic. All they do is try to pin down three different things. They will try to pin organisations that deal with sensitive information and this helps explains why our health and education systems get hacked. The second one is organisations that have computing systems constructed over decades, such that there are different systems there with some weaknesses in them. Again, we see this across our health services, organisations like our schools, third level education and Government. The third bit that forms a good target is organisations that operate with tight operational budgets. In a sense, that is very worrying because these are the three common denominators that draw attacks like a magnet.
We have our programmes coming on stream and Professor O'Shea has programmes on stream. A core point she made with which I strongly agree is that we are seeing the proliferation of content around cyber that is pretending to be cyber, but actually is not. It is not core cybersecurity skills development, which is what we need to focus on. We need to do it holistically across Ireland and beyond just Ireland as a nation.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Dr. Lee may want to come in as well.
Dr. Brian Lee:
I would like to reiterate what most of the other people have said. Professor O'Shea brought up two points I would like to refer to. One is the need for a standardised set of qualifications. Some years ago, when we were setting up our cyberprogramme, we did a canvass of industry to get a list of job descriptions. Depending on which company we talked to, we found something like 40 job descriptions, most of which seemed to be covering the same things, or certainly there was lots of overlap between them. Thus, there is a need for a standardised approach across the setting of the research qualifications and looking at the content and looking at the whole area around the skills and educational side.
The second point to reiterate is the need not just for more collaboration, but also for something that has been identified by at least three of the witnesses; namely, a unified, co-ordinated centre. Professor O'Shea focused on SFI whereas one of the other speakers was addressing the need for a cybersecurity campus. I do not know which model is best or if both are different sides of the same coin, but there is definitely a need for co-ordination to harmonise all the contributions. Those two points seemed to be particularly pertinent. All the others were good as well, of course. Mr. Umit Uygur's point about the need for the involvement of SMEs and taking things down to a national level is well made.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
I thank Dr. Lee. I am moving on to our next contributor, but if there is time afterwards we will let people back in again. I thank Senator Craughwell and all our contributors so far. Deputy Dillon is next.
Alan Dillon (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source
I thank the Chair and all our guests. It has been insightful so far and we appreciate their time. Following on from Senator Craughwell's questioning, are there examples out there of successful initiatives or programmes in other countries that have effectively improved cyber-education and cybertraining? How can Ireland learn from them to enhance its cybersecurity workforce? I would be interested in more information on the proposed cybersecurity campus, including its potential structure, services and the expected outcomes of such an initiative. From listening to our guests, we can only get so far on the educational journey, be it graduate or postgraduate, as it is about skills and experience gained in the field dealing with ransomware attacks and the like. I would like to get a better understanding around collaboration between industry, academia and Government to provide and strengthen cybersecurity training or educational programme in this area. Mr. Larkin might begin, if that is okay.
Mr. Pat Larkin:
On the cybersecurity campus, one of the factors in successful cybersecurity is collaboration. That could be threat intelligence sharing or collaboration on research and development. There are some good models, especially the Centre for Secure Information Technologies, CSIT, in Belfast, which is a kind of one-stop shop for research, development and innovation, but also the full collaboration and co-ordination of all the key stakeholders under one branded entity. It may have geographic outreach like a hub-and-spoke model to all the stakeholders and participants in it. This has been the subject of a proposal for funding from some of our members and they have estimated the cost of constructing and running such a campus at about €40 million a year. We see it as key to the acceleration of the co-ordination and collaboration on the development of the sector in Ireland to address such a centre. It would address issues my colleague, Professor O'Shea, has raised with regard to research and innovation. It would also deal with educational issues and even some of the problems articulated by our members. It is the talent pool, it is research, development and innovation and then it is scale. It is the opportunity also to scale our indigenous organisations and bring in FDI at scale. This campus is key to that as well. If the Deputy looks at the first point we raised, the challenge for the sector and even Cyber Ireland in trying to move forward the cybersecurity agenda here is the fragmented nature of how cyber is dealt with at a government and societal level. This is the opportunity to bring this kind of co-ordination at an industry level under one umbrella branded-entity organisation.
Alan Dillon (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source
Again, who would fund the cost associated with this centre?
Mr. Pat Larkin:
Who would fund it is probably a bigger question. As cyber has a societal impact, the challenge is if it sits within the Department of Education or the Department with responsibility for communications, etc., we are reinforcing the fragmented nature of the approach.
More generally, because cybersecurity is a national security question as much as it is a national economic opportunity, there is possibly an argument that it should sit at an overall co-ordinated Government level, such as under the Department of the Taoiseach. It impacts on all facets of government and all facets of society. There might then be a consolidation of funding streams under one such role. Our argument would be that although there are a number of discrete asks, such as €40 million for this and that, we have to think really big in terms of the scale of both the challenge and the opportunity we are facing. The threat is to Ireland Inc. We need to consider ring-fencing perhaps €1 billion over the next seven years for all these programmes. Again, that might be delivered by way of the Department of the Taoiseach co-ordinating various funding streams.
We must think big. All the input we have provided today reflects what we have seen over the past three to five years. We have yet to see the impact of artificial intelligence on the threat landscape, and it is going to be phenomenal. There is a gap right now. Already, the cybercrime economy is larger than the illicit drugs economy. Cybercrime is the third largest economy in the world. Its growth is outstripping the growth of the cybersecurity industry response. It is growing compound at approximately 15%, whereas the cybersecurity market is growing at 12%. There is a huge dichotomy there. If we consider the potential impact of something like artificial intelligence on the attacker side, there is potential for the cybercrime economy to become the largest economy in the world over time. We have to think really big and really bold in terms of the co-ordination and funding needed to deal with it.
Alan Dillon (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source
What specific benefits, if any, does Mr. Larkin see from designating cybersecurity as one of the national clusters under the Department of Enterprise, Trade and Employment's national clustering programme?
Mr. Pat Larkin:
Again, the idea here is that bets are being picked by way of the five clusters. The Cyber Ireland cluster is already seen as a kind of marquee cluster in terms of innovation. We have only been in existence since 2019. I do not wish to sound ungrateful but we have been existing off relatively meagre funding streams. We have been living hand to mouth. The funding has been gratefully accepted and it has allowed what we have established to date. However, we have very big ambitions for what we want to accomplish. That is going to need more funding streams. If we are established as one of the five designated cluster organisations, it will provide us with much more security of tenure and much more targeted funding streams. It would mean being designated as one of the priorities in terms of both national security and the economic opportunity.
We have had a really good start from quite meagre resources. As I have outlined, we have a significant degree of catch-up to play. As a global ranking, we are seen very much as a laggard on the cybersecurity indices. This causes two problems. First, it is a problem for security. Second is the fact the cybersecurity sector enables the digital sector. Microsoft, Facebook, Google and the various fintech companies all come here on the assumption that the lights wills stay on and they can deliver their services from the data centre that is Ireland. If that does not happen, this very portable capital asset will flee in the coming months and years. If we cannot keep the lights on, we cannot keep these organisations secure. They invest significantly in their own security but they depend on national infrastructure in order to exist and function here. If we suffer a national security setback and high levels of crime, or if we cannot provide the talent pool needed and we do not have the research and innovation, not only will the cybersecurity sector be unsuccessful, but our digital economy will flee as well.
Alan Dillon (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source
What are the successful initiatives and programmes in other countries that are delivering cyber education and training?
Professor Donna O'Shea:
One of the leading initiatives we work with regularly is the Commonwealth Cyber Initiative at Virginia Tech. It takes a holistic approach, which involves teaching cybersecurity to secondary school students. We can see the impact of that as they go on to third level. The National Cyber Security Centre in the UK has been working to establish a baseline and ensure the quality of the cybersecurity education it provides. The graduates need to be able to perform a function and role on graduation. The UK National Cyber Security Centre manages that process, with academic institutions submitting documentation to show they have designed their programmes bearing in mind the baseline standard. A very good framework has been established in this regard.
Across the EU, the process is less mature. The European Cybersecurity Skills Framework, ECSF, published by ENISA, identifies 14 job roles, the competencies for which are not yet defined. Within the EU, Ireland is leading on the implementation of a baseline framework through initiatives such as the HCI cyberskills programme run by the HEA, which leverages the ENISA framework. There needs to be an overall authority governing this work, which is currently lacking in Ireland. That is the significant landscape across the globe.
Mr. Stefan Umit Uygur:
The Deputy asked about the models functioning in other countries. There are more than a few functioning countries, including Israel, the US and Russia. Their models are very well functioning and also very holistic. They are not focused solely on education and the different parts feed into each other. There is an ecosystem functioning from education to industry to public administration, with the different aspects working together.
As I mentioned in my statement, over the past six to eight months, working with Senator Craughwell, we drafted Cyber Security Vision for Ireland 2022, which sets out the common vision we are here to discuss. The proposal is similar to the Israeli and US models. We have recently been invited, along with Senator Craughwell, to Poland to talk about that vision and what we propose to develop and implement. Mr. Kelly is here representing the AMTCE, which is the industry part we are involving, alongside the academia part. Taking a public-private approach allows us to elaborate a prototype. We are proposing a functioning model similar to the Israeli model. Estonia, which is one of the countries that is quite well prepared and advanced from a cybersecurity perspective, is applying a very similar model. In the past two decades of my career, I have worked with all of these nations, including Israel , the US and UK. I assisted and played a part in developing this model. It is what I would recommend.
Mr. Adrian Kelly:
The AMTCE was set up by Martin O'Brien, CEO, in 2019. A large part of what we were about was to do with industry 4.0. As we talked to people around the country, including owners of both SMEs and large organisations, we were approaching this from a different angle, which was about connecting all their machines, gathering data and making good use of those data. However, in doing so, we were potentially exposing people to cyberattacks by connecting entire factories to the web. In working with Mr. Umit Uygur and others, we have committed to what might be summed up as the old adage that what gets measures gets managed. We want to work with the likes of SMEs to assist them in carrying out cyber-risk assessments. Most of them do not know they have problems. What we are doing is very similar to a model that has just been rolled out in Estonia.
Second, we are looking at several training programmes covering a whole host of IT-operational technology qualifications, to be funded under SOLAS's skills to advance initiative. As a centre, because of our connection to industry and our work in assisting SMEs, we are looking at doing the operational technology side out of Dundalk. We want to lead the way on that. It is about getting down to the programmable logic controllers and the nuts and bolts that make a factory operate. We also continue with our cybersecurity apprenticeship programme, which is very successful. However, one of the issues that has arisen in this regard, again from the academia side, is that we found it difficult to put apprentices in because industry does not have mentors who are qualified in cybersecurity. There is a bit of a chicken-and-egg situation going on there.
As Mr. Hyland mentioned, we intend to work closely with and assist primary and post-primary school students and teachers. When we visited Estonia last year, it was apparent that children as young as five or six are already very tech savvy.
They were using their touchpads in class and everything else. The whole economy is based on the digital side. They are a very trusting group of people, and they take to things very quickly. If we can get in at the grassroots level, we will hopefully fill the gap from the schools up to further education and training. Then, people will hopefully go forward and apply their talents in cybersecurity, and some of them will go on to university and elsewhere.
Alan Dillon (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source
In my previous life, I worked in medtech as a software validation engineer and a computer systems validation engineer. I refer to the installation and operational qualifications relating to software packages, whether they are bespoke or belong to another category. It is a matter of trying to identify the differences between normal qualifications versus what is required by a cybersecurity analyst and what their role entails. Does Mr. Hyland want to comment in that regard?
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Briefly, because we want to move on.
Mr. Colm Hyland:
For us, that is one of the key areas. If we are going to go for a skills-based curriculum, which is what we are trying to do within the advanced manufacturing centre, then there are worthy bodies out there such as CompTIA. These are well known within the space of software and cyber. There are qualifications systems out there, but we are trying to get to curricula that will drive people towards practical skills.
We have spoken at length with the Estonians, who have been incredibly helpful. We have had conversations with the Israelis. Again, these have been very helpful. Within the programmes that we have available to the trainees who will come through, it is really about trying to provide them with the knowledge upon which they can build the skills. We are talking about cyber-ranges. We are talking about a training security operations centre, SOC, which will probably be the third of its kind in the country. This will be a place where people can go and apply the skills. All those plans are in process and will be available to trainees as soon as Mr. Kelly opens the door in September.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
I thank members and witnesses. The next slot is mine. I am conscious that we are not the education committee of the Oireachtas. This committee deals with matters relating to transport and communications. As such, it has responsibility for how we deal with cybercrime. I was struck by the figures that were referenced in terms of the size of cybercrime in economic terms. From a regulatory and legislative perspective, I am looking at where we are and where we need to be. We need academia. We need to train people. However, we also need to educate people. In particular, I refer to the non-digital natives, such as older people, who now have smartphones. They see a text and think they must respond to it. They are of a time when you saw a missed call you would ring back. If you got a text, you would click on the link. I do not think they are naive, but they are more trusting than people who are younger and who just know it is a scam. They will say, "Why would they send me that?" It is because they want people's money. How do we educate those to whom I refer?
There are people who are taking courses. Obviously, we need a lot more people to do so. We also need more people to become involved in the industry. It is not so much a matter of whether we can afford to spend the money; it is a matter of whether we can afford not to spend the money. That is my takeaway from today. We would love not to. It is a bit like the area of defence. We do not really want to have to spend loads of money on it, but the alternative can be an awful lot worse.
This matter may be for Mr. Larkin, as opposed to the overall, overarching organisation. Where are we as a country? Where do we need to go? We had discussions around the time of the cyberattack on the HSE regarding where we were with even the salaries of people who were going into the sector and how competitive or not public sector salaries were vis-à-vis the private sector. I am sure Microsoft, Vodafone, Facebook, eBay, PayPal and all the other companies are paying enormous amounts of money because they cannot afford not to. A breakdown in their services would give rise to major losses of revenue, etc. We as a country will be spending money on training people up, and that is fair enough. However, I am more interested in knowing about what the State needs to do to ramp up educating the entire population to be familiar with and cognisant of this. I just got an email from WeTransfer. I think it is completely legitimate, but it contains an .mp4 file. I am wondering whether I want to download it. There are probably all kinds of filters in the Oireachtas that will mean it will be okay, but I would have thought that the HSE had those filters. In that case, clearly something happened and somebody got in somehow. Obviously, there is so much money to be made if you get it right with the ransomware stuff. Equally, I do not think anybody factors in how much of the 113,000 people who might start suing because their medical records are online, as well as the cost of that.
What does the State need to do to educate everybody? I am interested in Mr. Larkin's perspective initially, as well as those of the representatives from academia and Mr. Umit Ugyur. Where do we need to go?
Mr. Pat Larkin:
The challenge from a national security perspective is always seen as a spend. It is perceived as a must-have spend that involves no return and is just about securing citizens, organisations or the Government. However, the Government has a unique opportunity here. With every euro that is spent in this area, there is a potential fivefold economic return.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
I do not doubt him, but can Mr. Larkin explain why that is the case?
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Is it the case that the alternative is that one does not do this, and then companies will leave?
Mr. Pat Larkin:
They will go to Israel, the United States, the United Kingdom or Estonia. We also have an opportunity in the sense of awareness. The cyberattack on the HSE was a seminal moment. Estonia and countries like that had their seminal moments in 2008, 2010 and 2014. We have a high level of political and societal awareness. People saw the direct impact on the health service-----
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Have we identified where the cyberattack on the HSE came from?
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Where are they based?
Mr. Pat Larkin:
They are in Russia. Apparently, they were a cybercrime group, but, as soon as the Ukraine war emerged, these guys swore allegiance to the Russian state. Cybercriminals exist hand in glove in a very nefarious relationship, as perhaps independent or non-attributable entities, generating revenue and return for the actors in that case. Yet, in many cases, they are closely aligned with national security and geopolitical agendas. Unquestionably, there is a close relationship between Conti and the Russian state. There is a published report that identified the timelines, what occurred, etc., in the HSE. Again, that is being amplified by what is happening in Ukraine and the geopolitical-----
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
We do not want to spend money if we do not have to, particularly as the country has scarce resources.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
We might be richer than we ever were, but we could still spend more money on hospitals, housing or whatever.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
There will be employment from corporation tax and all the rest. What do we need to do as a State?
Mr. Pat Larkin:
We need to make it a national economic and security priority. We need to co-ordinate it and think really big. We need to ring-fence a significant amount of money to enhance our national security. This should cover everything from Joe Citizen to every Department to every commercial organisation and NGO. We need to have a strategic approach to the dual strand of securing our national security and our national digital realm. Simultaneously, we need to capture the opportunity. I refer to the Israeli model and the Estonian model. There is naked collaboration. I am a former member of the Defence Forces. I was bilateral missions within Israelis forces. The hand-in-glove relationship between the Israeli Government and commercialising its output is incredible. We will have a unique value proposition in Ireland if we build the same collaborative relationship. In states where there are large military-industrial complexes and national security agendas, there is always a suspicion of national security interference in the technologies and products originating from those states. There is no such military-industrial complex or national security agenda in Ireland. As a result, anything we produce here is unquestionably pure and will contain no backdoors. We have a trust-----
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
There is no hidden agenda.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
I could ask Mr. Larkin to keep going for ages, but I am conscious that even though I am the Chair, I will still have to stick to my time to a certain extent. I want to bring in Professor O'Shea and Professor Acton, who had their hands raised. Professor O'Shea can come in, and then I will bring in Mr. Umit Uyghur.
Professor Donna O'Shea:
I will highlight that we have been working on cyber-resilience of citizens for a number of years. We obtained funding through the SFI discover programme. We call our programme "Cyber Futures", and it is to increase and improve the cyber-resilience of citizens.
I want to let the Chair and the committee know that it is very difficult. Developing a cybersecurity awareness programme for our citizens to improve their cyber-resilience means having to look at the various demographics in society. National schools, secondary schools, third level students and senior citizens who want to know about their banking information will have different awareness programmes. College students need to be given information about money mule scams and Tinder swindling. It is a different campaign for each group. This is very difficult for us to manage. There is also the longitudinal impact of these types of programmes. We are all funded through public funding. Cyber Futures is funded through SFI. It is dedicated to education and public engagement on cybersecurity. The impact of this programme will not be seen for a decade. This is a problem because it is difficult to track and measure it. It is longitudinal in nature.
I want to highlight a national initiative we led out last Christmas. It is check.cyberskills.ie. It specifically addresses the scam links received in emails and text messages. The link can be typed into check.cyberskills.ieand, with a high degree of accuracy, it states whether the link is most likely authentic or legitimate. We have developed this in collaboration with An Garda Síochána, Trend Micro and CONNECT and CONFIRM which are two SFI research centres. A lot of work is being done but it is difficult and challenging and the impact will not be seen now, tomorrow or the day after and this is a problem.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Covid showed us how much of a move we made towards digital with tap-and-go and less cash. For most of us if the battery dies in our phone or we leave it behind it is like we have our hand chopped off. We are very dependent on it in everything we do, from reading the newspaper to checking our emails to tapping to pay for almost anything.
Professor Thomas Acton:
There was a great example earlier with regard to whether a person clicks on a link. This is a particular vulnerability and weakness. One of the things we have been trying to do at the University of Galway is to liaise with industry to see what skills are needed when we put together new programmes. Clearly we want to create good pathways for students. It is of mutual benefit. Something we notice in this is there is a massive gap about awareness, which Mr. Hyland mentioned early in our discussion today. We see this gap in SMEs. While larger technological companies have a high level of awareness of cybersecurity it is not necessarily tied to a high level of preparedness and resilience. Nevertheless there is a high level of awareness. We see a huge gap in SMEs. Small companies see this as being nothing to do with them. This is incredibly worrying. Because of this gap among businesses in the sector, we need bodies such as Enterprise Ireland to be involved. It makes sense that we try to inform SMEs, pull in their skills, mix them with bigger companies and get them together in various forums to spread their knowledge because it benefits everybody. Weaknesses in this regard are like a leaking bath. They create a message external to Ireland that perhaps we are not robust. This is a significant danger in terms of continued direct investment, as was mentioned earlier.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Even by being here we are raising consciousness. On "Drivetime" on Monday afternoon somebody was speaking about being scammed and how they believe the voice used was probably artificial intelligence. We have not mentioned artificial intelligence, chatbots or ChatGPT. To people of a certain age, what is capable of being done is absolutely frightening. Even the sharpest minds seem to be getting caught and are willing to say it and we all need to do so. Someone's email being hacked can be significant depending on the data in there, particularly in a work scenario where people are being asked to pay money to a different organisation that looks like the one they want to pay but is not.
Professor Thomas Acton:
Mr. Larkin mentioned the Conti group earlier. It is almost a year to the day, unless I have the month wrong and it was April, since a Conti group attack cost Costa Rica's Government the equivalent of revenue.ie. It was disastrous for that Government and the country. Its systems were as robust as ours in many ways. The guys who are state-sponsored are unscrupulous. They do not care. They will chance their arm if there is any weakness. The perception of weakness is a danger and this has been spoken about.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Effectively they are cyberterrorists. It is the old adage that they have to be lucky only once and we have to be lucky every time.
Mr. Stefan Umit Uygur:
As we can see, all opinions can be concentrated and boiled down to the model and where to start. There is no single opinion on where to start in industry, academia or the public. Israel has been mentioned. Mr. Larkin touched on which are the best countries. Israel invests in its local start-ups and scale-ups. Start-up and scale-ups are where we can start with awareness and innovation. Awareness and innovation go together and I will give an example. In 2010 nobody knew what a smartphone was. Two years later, in 2012, everyone in the world was able to use such a phone. This is the model we need to follow. We need to begin by investing in-house.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Three years ago nobody knew what Zoom was.
Mr. Stefan Umit Uygur:
Absolutely. We should start investing locally. We do not do this. I have been to Israel many times. It has Start-up Nation Finder, which raises unicorns and creates start-ups and multinationals which can export. Here we do it the other way around. Start-ups barely survive and they get bought and acquired. This is our gold mine and where we should start.
Most importantly, as everyone has mentioned, collaboration is at the heart of all of this. We have to stop working in silos with everyone having their own agenda. As I said earlier, we have to unify the agendas in industry, the public sector, the private sector and academia. No one alone can make the future brighter. We have to start somewhere and this is why we have drafted a cybervision for Ireland.
Mr. Colm Hyland:
I would like to add a completely different angle. I will recount a story I heard yesterday from someone in Limerick. We were speaking about children. His view is that we need to begin at junior infant level not only for cybersecurity but also for sustainability and coding. There are certain skill sets we will need over the next 30 years. Our education system is still somewhat traditional, to say the least. If we are serious about trying to win the cyberbattle, the educational system needs to address it specifically.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
It needs a whole-of-government approach.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
It is everything and everywhere.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
I certainly could keep going but I want to bring in Deputy Kenny. There will be an opportunity to have a second round of questions. I thank all of the witnesses for their statements and for all they are doing. It is a pity we have to do all of this but we must do so. The consequences of not doing it are far worse than doing it.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
Link to this: Individually | In context | Oireachtas source
I thank the witnesses for their contributions. The big danger people fear is a similar situation to what happened with the HSE. We have vulnerabilities in our big infrastructure companies that can be dangerous. We also have scams that affect individuals. While all of these dangers exist the witnesses have all pointed out in their contributions that there are also great opportunities to be able to develop an industry to work against them and put up a barrier.
There are several sides to this. We need to have security guards who will monitor every company to find out where the weaknesses are and to work on them. We also need alarm systems so that when an attack happens an alarm goes off so everyone knows to shut down everything and do what is needed. Some of this is software based.
I was interested in the development with regard to that too. I think software development and its opportunities is one of the sectors in which Ireland has fallen back in recent years. I was also interested to hear Belfast mentioned and would like to hear more about what has happened there. Obviously, it is close to us. What opportunities might there be in cross-border collaboration? There is clearly an issue here. The tone of the contributions is that as a nation, or an island, we need to work together to build an indigenous industry around all of this. The industry we are trying to combat is a multinational and international industry. There will also have to be a lot of collaboration across all states including Estonia, Israel or wherever else. I would like to understand what level of co-operation there is. How do we ensure we can leverage that to our best potential? I am not sure who can contribute to that. Mr. Larkin might have a comment.
Mr. Pat Larkin:
There is emerging co-operation and collaboration. Cyber Ireland is reaching out internationally. We are focused on Ireland but we are reaching out to managers engaged internationally at a clustering level to look at best practice. By its nature the industry is collaborative. The only success you have is through collaboration and sharing threats and ideas. I am aware, as the Cyber Ireland board member on the NCSC, that it is collaborating with national cybersecurity centres across Europe and the world. We have a cluster around An Garda Síochána. There is emerging policing co-operation across Interpol and globally. The challenge of a defence-only mentality is that you cannot have infinite defence infinitely. You defend either to counterattack or solve the problem. You are starting to see the idea of active cyberdefence. That is offensive cyber, which involves going after threats. Rather than waiting for the attack, defending and trying to remediate and recover, you see that you also need a much more aggressive response at the political, policing, intelligence and national security level. You need to go after the bad actors, and take them out along with their infrastructure. You see that in some of the cryptocurrency payment chains. Some of that is now traceable, and money is being chased across cybercriminals internationally. You can see the emergence of various collaborations and consortia. It is fair to say it is the world against what are called the CRINKs - China, Russia, Iran and North Korea. They are typically the malevolent states with the most relationships to criminal activity. North Korea is responsible for more than 60% of crypto-heists, which is hijacking cryptocurrency and placing it in its national reserves. You can start to see the emergence of strong collaboration and active cyberdefence. The challenge for an organisation in Ireland being attacked is that in a lot of cases the response is still not fast enough. You are dependant on industry and your own resources to combat that. For most of these organisations it is an existential threat. If you have a ransomware attack, whether you pay or not, your ability to recover revenue streams and normal business operations is time critical. Even if you do recover, it does not mean that your business will survive. Even though there are national resources available, quite often the response capability and timelines are not nearly adequate enough. Survival depends on an organisation's own capability, and the ability for organisations in industry to assist and respond. National police and security then need to roll in and do the big picture stuff.
Mr. Stefan Umit Uygur:
I come from an industry background. I am purely technical. I only entered entrepreneurship in the past five years. Based on personal experience of what I have seen globally, you cannot jump into international collaboration if you are not ready or prepared. If you are not prepared, you cannot level with those. You cannot even understand them. You cannot respond or give them feedback. What are you going to exchange with them? It first boils down to in-house preparation. The Deputy referred to a piece of software and compared it to an alarm. Before buying a piece of software or an alarm, you first have to create doors and windows, and make sure they are closed and so on. Technically, we call it cyberhygiene and cyberawareness. Believe it or not, 70% of cybersecurity and cyberdefence coverage can be done without a piece of software or anything else, but simply by making small tweaks. Simple things like a complex password or multi-factor authentication will make it difficult for a criminal to break into your system.
We have to start from the basics. Everyone has to take civic action. As the Chair mentioned earlier, every citizen has to be involved, informed and trained to a high level. I am not saying that everyone has to become a cybersecurity expert. Doing cyberhygiene means you have covered up to 70% of defence and have left a gap of only 30%. You then know where the gap is and where you are exposed. You then speak to industry and tell them what you need. It is based on need. That is why Israel is good. They do not just create a product out of the blue and say it is the best product. Why is it the best product? Israel is surrounded by 19 enemy nations and has to defend itself every day. It is based on need. That is what I learned when I visited the Yitzhak Rabin Center. They told me they are good because they have the necessity. We have to do the same, based on necessity.
Everyone should start from the basics. Anyone can secure their phone. We know how to use it. Simple things will help industry. We have to make a huge jump. You can then start to support local organisations and strengthen local start-ups. That will also create an economy. We talk about competing with FDI and multinationals. Nobody wants to compete with them. They are not the enemy. There is a just an imbalance there. Ireland today relies on multinationals by between 65% and 70%. Only 30% to 35% of its reliance is on local companies. That is why the country is so fragile. When multinationals lay people off, their strategies are completely different from the government or local agenda. The idea is to balance that. That comes after cyberhygiene and after everyone has done their part in their house and on their phone through basic tweaks and configuration. Following that, the common objective should be balancing the nation's reliance on multinationals and local organisations 50:50. We are not targeting multinationals as evil. They are not evil. They are welcome to join. However, we have to balance it. Right now there is no balance, and that is why the State is so fragile. It is frightened every time there are lay-offs and they plug out stuff.
Dr. Paul Miller:
I will respond to the Senator's question about what happened in Belfast and about CSIT. It was founded in 2009 through a combination of funding from UK Research and Innovation, UKRI, which is equivalent to SFI; and Invest Northern Ireland, which is equivalent to Enterprise Ireland. There was also some industry funding. It was clear from the beginning that Invest Northern Ireland wanted to use CSIT as an vehicle for attracting FDI around cybersecurity. To help us to do that, and to incubate a Northern Ireland cybersecurity cluster, they funded an engineering group. That was in addition to funding academics and researchers and so on. They also funded a dedicated commercial team. The commercial team was to help us to engage with industry, both local and multinational. The engineering team can also help us to translate our research higher up, at technology readiness level, TRL, so companies can take that to market. When CSIT started in 2009 there were no cybersecurity jobs in Belfast. There are now 2,700. There are 124 companies and we are the largest location for US-based FDI in cybersecurity. I think the same thing can happen in the South with the cybercampus. We have been making links with various academic groups in the South.
They know our model very well. If a combination of funding from, say, SFI, Enterprise Ireland and industry could be brought together, the same thing could essentially be created. There is a very good ecosystem already. There are many companies around both Cork and Dublin. Obviously, there are other models to look at, but, certainly, we want to be part of that as a sort of island cybersecurity capability. We are very keen to work with colleagues to help establish that. It would not take a lot of effort, but what is key is that something like Enterprise Ireland does invest in an engineering team and commercial team and helps them engage with local companies and with FDI and multinational companies. That is maybe some context.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
Link to this: Individually | In context | Oireachtas source
Mr. Kelly is indicating to speak and then I will come back in with one point.
Mr. Adrian Kelly:
I will make one point. SMEs are extremely important to the Irish economy. The problem is that utilising software like Mr. Umit Uygur's is critical. Most SMEs today assume that they were not hacked yesterday so they will be okay today. That is the kind of process they are going through. Using the likes of the cyber-risk assessment tool, however, they can be shown very quickly that they have usernames and passwords that have been leaked and are out there, and that just because someone has not used them yet does not mean they will in the future. Unfortunately, however, most of the SMEs do not even know that has happened. They are blissfully unaware. Shining a spotlight on that and showing them how advanced this is, the threat actors that are out there and how things can go very wrong very quickly is critical. When I speak at various conferences and so on, it could be the woodwork industry or something like that, these guys maybe set up their businesses at the back of a house and they become extremely large. The have machinery sitting in their warehouses that is worth maybe €5 million or €6 million. When I ask them about how they fix these machines when they break down, they say that they are connected and that a company in Germany or wherever comes in and programmes them and does it for them. They have no IT person on site and no real IT awareness. They are convinced because they are maybe at the back end of somewhere that they are safe and that nobody knows them. They are blissfully unaware. It is critical, using the likes of Mr. Umit Uygur's software, that we shine a light on that and show them some of the gaps and things that are there and close those front doors we talk about. Obviously, it us much easier to walk in a front door than it is to get in a window. We need to start closing those doors.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
Link to this: Individually | In context | Oireachtas source
The minor point I want to make is that there was much emphasis on developing courses and an academic programme for people to be trained up in all of this. One of the questions I have is about where we are going to find the people to train up. That seems to be one of the problems. Many of our universities were taking a lot of people from other countries to come here to study. They are very welcome and we need to do that. As we also have pressure in terms of getting people to go into healthcare and the various other sectors in which we need them, we will have a difficulty in that while there are great advances in training, actually finding people to train is one of the obstacles into which we may run.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
That is a valid point. I will ask Mr. Larkin a question on salaries in this industry before I bring in Senator Craughwell. I know it is like asking "How long is a piece of string?", but what are the entry-level and base salaries? What is a typical salary? I am not talking about the salary of the chief information officer of Microsoft or Google or somebody like that. What would people who do the various courses and are coming out of college expect to be starting on and expect to be on after five or ten years?
Mr. Pat Larkin:
The salary is very robust. Obviously, it has been a little muted in the past year or so but it is very robust. We have seen scenarios where third year students' work placements were being kept by their work placement organisation at salaries that were perhaps greater than the lecturers they were returning to as a starting point.
We are typically seeing salaries in the range of entry points typically being around €30,000 to €50,000 depending on skill sets. There is very quick progression to medium salaries of €75,000, €85,000 and €90,000. Then, for highly specialist roles like scientists or artificial intelligence, AI, specialists, etc., the sky is the limit in some respects, which comes back to the Deputy's question. We have done a very poor job. One of the opportunities for us is reaching into the very early stage talent pipeline and attracting far more female participation into the industry. Like the tech industry and probably worse, we have very low female participation. There is not good awareness. If we do the basics right, which is to educate our digital natives at a very foundational level from infant level education and upwards about good cybersecurity, cyberhygiene and cyberpractice then, ultimately, we educate them. We have not couched the language. Apart from it being a very technical skill set, there is actually much societal good. In some respects, cybersecurity people are the modern fire people. There is much societal good to what they do. We have not couched that language to perhaps a more female audience to say that apart from this being a highly technical, well-paying job, etc., it involves much societal good. We have not used the language to attract, for example, greater female participation. We view reaching into the ten-year-plus talent pipeline and going back down to primary level and getting some education as key. Where would the €1 billion I was talking about committing to this go? Some of it would go to reaching down into that talent pipeline. There are a number of really good programmes being run in UCD around being cyberwise. These are short courses for transition year and primary schools to make that workforce aware of cybersecurity and encourage good cybersecurity digital natives, but also encourage possible candidates for work in the industry.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Does Senator Craughwell want to come back in?
Gerard Craughwell (Independent)
Link to this: Individually | In context | Oireachtas source
I thank all the participants. It has been really engaging. I have two questions, one of which is for Dr. Miller who spoke about what is going on in Northern Ireland. I know there is huge collaboration between him and Professor O'Shea and various other academic institutions in the Republic. With Ireland being an island - North and South, it really does not matter - we either stick together or hang separately. Would Dr. Miller think that is a fair assessment?
Dr. Paul Miller:
Yes, to stick together would be my view on it. As other speakers said, we share a common infrastructure. We have been talking for the past couple of years about how we can combine the various academic research institutes, North and South, into a coherent cybersecurity centre. As Professor O'Shea said, it is a bit fragmented. There are pockets of accidents all across the island. To try to centralise that and get a more coherent thing going forward, certainly, from a Centre for Secure Information Technologies perspective, anything we can do to help with that we are very keen to do. We will continue to seek funding for collaborating with colleagues. I would see an all-island network with a central hub in Dublin or Cork and another in Belfast.
Gerard Craughwell (Independent)
Link to this: Individually | In context | Oireachtas source
I thank Dr. Miller very much. My final question is for anybody who wants to take it . Mr. Larkin mentioned the sum of €1 billion, which is bound to raise eyebrows around here in Leinster House. The State is looking at a surplus of €11 billion this year and €16 billion next year. Mr. Larkin said €1 billion over seven years would be his target. He would want that administered centrally from the office or Department of the Taoiseach. Would he also then fall in line with Professor O'Shea's view that we need to have a recognisable set of qualifications or a curriculum that is common right across all third level sectors, which would ensure that we were actually training people for cyber? I am being somewhat facetious when I say there are programmes out there such as ancient Greek and Roman studies with cyber, which is not really a cyberprogramme. Anybody who wishes to do so may come in here but I will start with Mr. Larkin. He threw the figure of €1 billion out there. It slipped off his tongue as if it were loose change in his pocket. Maybe he would like to expand on that just a little if he can and anybody else can come in after that.
Mr. Pat Larkin:
I am not suggesting we spend that carelessly. There are many really good homes for it. Much thinking has already been done around, for example, the campus, all-island collaboration and the various education programmes that have been talked about. There are really good homes for that with really good outcomes. It is really important to focus and say that based on the current norms we have seen, five times that would be returned in the medium term in terms of the opportunity.
If the State spends it, it will get it back, unlike other demands on Government spending. From an industry perspective, it is absolutely key that we separate the wheat from the chaff in respect of accredited programmes that employers and specialists can lean on and say they are high-quality programmes. It is also important for our international credibility that we do not simply articulate that we have generated X number of cybergraduates with the quality diverging greatly across them. We must be able to stand over who we call industry graduates. The broader point that has been well rehearsed here is that there is an opportunity or need to build cyber into every programme, including law, medicine or whatever, but that is different. It means enabling professionals with cybercapability while recognising that is not cyberaccreditation. It is just cyber-enabling and securing each of the professions and educational streams which is a distinct activity. I wholeheartedly endorse Professor O'Shea's view that, from an industry perspective, we definitely need quality assurance about the quality of education for cyberindustry graduates, apprentices or those coming through further education. We must have it in all the channels. It is important from the perspective of the talent pipeline that we exploit all channels of education, including higher education, further education and apprenticeships. The industry needs them all and there is a use and purpose in the industry for all those skills to come in. It is important that they are all quality assured.
Mr. Stefan Umit Uygur:
I totally agree with what Mr. Larkin and Professor O'Shea have stated. The only point I would like to make is about the €1 billion. If we look at any organisation today, an average expenditure, or the budget reserve, for cybersecurity is identified from the market as 3% of the turnover of the organisation. What is 3% of the GDP of the State? Is it €1 billion? No. That figure of €1 billion is peanuts. Much more money needs to be freed up for cyber. This is what other nations do that are able to keep pace with technology, digital transformation and cyber because they experiment a lot and they get the return. Cyber is not a cost. It is the future.
Gerard Craughwell (Independent)
Link to this: Individually | In context | Oireachtas source
I bet the Department of Public Expenditure, National Development Plan Delivery and Reform has just switched on all the terminals to look in here right now.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Its committee meeting is on next door. Today, there is a headline in the Irish Independent, "16,000 victims of an i-spoof site had €40 million taken from them". I was just looking at a text I received at the weekend that stated there were difficulties with my delivery address and asked me to click on a link. It is pervasive. Sarah McInerney stated on the radio that she was caught by an e-flow text scam. I have certainly received text messages stating that I had not paid toll charges. I was not there so I knew I did not have an issue but people are vulnerable. They feel if the messages look like their banks and sound like their banks, it must be their banks but 99 times out of 100 it is not their banks.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
The training for people going into the industry is something that is not totally in the remit of this committee but we need to know about it because cybercrime is pervasive. This is the committee dealing with cybercrime, but not with training people in cybersecurity. The Joint Committee on Education, Further and Higher Education, Research, Innovation and Science will get annoyed with us if we start taking on issues in its remit. I will bring Professor O'Shea in as she has indicated, but first I thank all the witnesses for what they are doing. It is important to raise awareness, as we have done today, and to encourage everyone to be vigilant in all activities, whether working in the industry, in tech, in the HSE using computers, in a bank, in a shop or in some other retail unit. Data are valuable. Everything we do, including going to shops and using various supermarket loyalty cards, all that data is-----
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
Exactly. It is.
Professor Donna O'Shea:
We need more spending on cybersecurity. There is a request for that. We also need to be able to track spending in cybersecurity by developing a standard classification system for cybersecurity in Ireland and across the EU. There is a challenge in that because cybersecurity is never considered its own discipline. It is considered to be part of the ICT domain. When organisations track spending on cybersecurity it is grouped into a category of information, communication and technology investment. It is hard to track. At a country or government level, it is also hard to track because sometimes a spend in cybersecurity is tracked as a percentage of GDP on defence. Ireland does not do that but some countries use the ITU index and other countries use other indexes to track spending on cybersecurity. There is no common framework for tracking spending. However, if we are serious about spending, we should track it. That is the point I wanted to add to Mr. Larkin's request.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
It is also important and the point is well made. We should probably also be tracking the cost of all the scams and of cybercrime - the preventive side is one thing - as well as all the outlay cost that is needed. At one point, we could not get answers from the Department of Health because no one was able to talk to anyone else. There were blocks on questions because staff did not have the ability to talk to one another or access information they would have previously been able to access. The person hours are lost all day every day when staff are not able to do what they normally do, get locked out of or lose their data or have to pay a ransom to get their data back.
Gerard Craughwell (Independent)
Link to this: Individually | In context | Oireachtas source
We need to realise that cybercrime is now more lucrative than the drugs industry. It is a cleaner industry for the criminal and the risk of getting caught is probably lower. From that point of view, Mr. Umit Uygur talks about 3% of GDP. In Ireland GDP is a risky figure to be talking about.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
We can do gross national income, GNI*, perhaps.
Gerard Craughwell (Independent)
Link to this: Individually | In context | Oireachtas source
Yes, today all the sectors involved in cybersecurity are present and I understand we are verging on the edge of the education committee, but-----
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
We are well over the edge.
Gerard Craughwell (Independent)
Link to this: Individually | In context | Oireachtas source
-----this is cybersecurity. This is a risk to the State and the people who are here have a unified vision of what the country needs in cybersecurity. The request for €1 billion is a small request at the end of the day, even if it slipped off Mr. Larkin's tongue.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
To make the point, can we afford it and can we afford not to do it Again, I thank all the witnesses for all they are doing. If they want, they can send the committee or individual members submissions about where we need to go as State. I am conscious that companies such as Microsoft are handling their own stuff. Equally as a State, it is the-----
Gerard Craughwell (Independent)
Link to this: Individually | In context | Oireachtas source
We should go to MTU.
Mr. Pat Larkin:
On behalf of Cyber Ireland, I complement and thank Senator Craughwell for his engagement with us. We collaborate with the Government. He is not on our board and there is no political dimension but it is important we collaborate and Senator Craughwell has provided a lot of leadership and access for Cyber Ireland and other players here for us to be able to make our point and get access to committees such as this one. I acknowledge the work he has done in furthering the cyberagenda and thank him for it. I also thank the Chair for the access today.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
It is something we need to keep under constant review because, as Mr. Larkin stated, technology is there. No one had smartphones and then everyone had them. No one was using tap-and-go to buy a bar of chocolate or some ice-cream and many are using it now. Everything we do is driven by technology and is influenced by it. When it goes down, we know instantaneously how much of a problem it is, not only for our personal convenience but for all the businesses that rely on it. We saw that when the cash payment system went down in the Aviva Stadium, everyone had to be given free food and drink because it was a cashless venue and there was no other way to deal with it. It is clearly a threat in every way, including to businesses, to consumers, to individuals and ultimately to people's mental health because there is nothing worse than not being able to access and use everything and to conduct our lives the way we are used to.
I thank all the witnesses.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
We have enough of thanking Senator Craughwell. We are fine with that. There is only so much of that I can listen to.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
He got his honorary doctorate from somewhere now at this stage. Go on.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
It was very useful to hear what the witnesses are doing-----
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
The witnesses might end up also talking to the education committee about what it is there and what needs to be there. I am not on that committee, so they can deal with other members on that.
Gerry Horkan (Fianna Fail)
Link to this: Individually | In context | Oireachtas source
I thank all our witnesses in the room and online. I will not list them all as there are so many of them. The meeting is now adjourned. The next meeting will be a private meeting on MS Teams on Tuesday, 13 June at 4 p.m.