Oireachtas Joint and Select Committees
Wednesday, 29 May 2024
Joint Oireachtas Committee on Transport, Tourism and Sport
National Cyber Security Centre: Discussion
Gerry Horkan (Fianna Fail)
Apologies have been received from Deputy Cathal Crowe.
The purpose of the meeting is to meet with representatives of the National Cyber Security Centre, NCSC, to discuss its activities and operations. I am pleased to welcome on behalf of the committee its director, Dr. Richard Browne; Ms Kerri-Ann Woods, the programme management office lead, who is joining us remotely; and Mr. Joseph Stephens, engagement team lead. They are all very welcome.
On privilege, witnesses are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable or otherwise engage in speech that might be regarded as damaging to the good name of the person or entity. Therefore, if their statements are potentially defamatory in respect of an identifiable person or entity, they will be directed to discontinue their remarks. It is imperative they comply with any such direction.
Members are reminded of the long-standing parliamentary practice to the effect they should not comment on, criticise or make charges against a person outside the Houses or an official either by name or in such a way as to make him or her identifiable. I remind members of the constitutional requirement that they must be physically present within the confines of the Leinster House complex in order to participate in public meetings. I will not be able to permit any member to participate where he or she is not adhering to this constitutional requirement. Therefore, any member who attempts to participate from outside of the precincts will be asked to leave the meeting. In this regard, I ask any members participating via Microsoft Teams to confirm, prior to making their contribution to the meeting, that they are on the grounds of the Leinster House campus.
I invite Dr. Browne to make his opening statement.
Dr. Richard Browne:
In my opening remarks, I’m going to cover three issues. I will open with a brief analysis of the state of play and the risks facing the State in the cyber domain. Then I am going to provide an outline of recent developments in the NCSC, and close with a number of points on the coming challenges.
First on the state of play, events over the past few months show an ongoing worsening of the global cybersecurity environment, both in terms of new vulnerabilities and in the nature and extent of activity by threat actors. We have seen a number of very significant vulnerabilities in widely used applications, including some very serious ones in edge devices such as firewalls and VPN systems used to enable remote working. These vulnerabilities have been rapidly and extensively exploited by threat actors. The ongoing Russian war of aggression against Ukraine continues to result in a degradation of the cybersecurity environment in Europe. While cyber tools are still heavily used by Russian forces in Ukraine, and in close co-ordination with traditional military tools, there are indications that the restraint previously shown around the use of these tools more broadly in Europe is fading. In particular, so-called hacktivist attacks are becoming more co-ordinated and effective and far larger in scale. Espionage also remains a key risk, as the recent attribution of incidents by the German and Czech governments against the group APT28, associated with Russian military intelligence, shows. There have also been a number of notable developments associated with China-based threat actors, including the recent UK attribution of an incident affecting its electoral system. Notably also, the so-called Volt Typhoon incident in the US marks a very substantial development. This involved prepositioning by a China-based threat actor on US critical infrastructure, including energy and telecoms. Quite aside from the seriousness of the incident itself, this has also given rise to a very fundamental reassessment by the United States Government of the likelihood of destructive attack against critical infrastructure in the short to medium term.
Of course, the risks associated with ransomware remain probably the most immediate risk to critical infrastructure and services in most of the world, with the number of estimated attacks rising by 73% in 2023. In recent months, the ongoing pattern of ransomware has been punctuated by a significant number of incidents affecting large health care providers in the United States and elsewhere. In fact, there is now sufficient evidence to conclude that a combination of relatively poor cybersecurity practice and a demonstrated willingness to pay has resulted in somewhat of a feeding frenzy against some healthcare providers.
There have been some marked successes against some of these groups, with the ongoing disruption of the “Lockbit” group, called Operation Cronos, being one of the most effective in history.
However, these ransomware groups are underpinned by two things. The first of these is a diverse and robust marketplace for tools, investment and skilled personnel, which provides a fertile growth medium for new groups. The second is the fact that, by some estimates, global ransom payments last year exceeded $1 billion. This provides an obvious incentive for these groups to keep redeveloping and going.
These trends are reflected in the work of the NCSC. Last year, we received more than 5,200 reports, which gave rise to 721 confirmed incidents and a total of 309 investigations by the centre. Over the year, we also initiated 1,365 threat hunts and issued more than 8,000 vulnerability notifications. Already this year, we have launched 211 investigations, which is substantially up on this time last year.
All of this means that the cyber domain is an increasingly contested space and threat actors continue to find new ways to compromise data and systems, and are willing and capable of putting these abilities into use to a variety of different ends. States are faced with a complex and rapidly evolving threat landscape and policy and operational responses need to be similarly agile and co-ordinated to manage these risks.
I will turn briefly to developments in the NCSC. The primary role of the centre is to monitor, detect and respond to cyber security incidents in the State. In the past year or so, the investment in additional threat intelligence and analytical capabilities has seen a shift in the incident response flow in the organisation. Prior to that time, the majority of incidents we responded to were reported to us. However, we have seen that reversed. Now, the vast majority of incidents we respond to are detected directly by the NCSC and we bring them to the attention of the victim, rather than the other way around. This is direct evidence of the value of this investment in protecting the State. Key to this process is the ongoing co-operation and sharing relationship we have with a range of partners, domestically and internationally. These partnerships are essential for us to understand the precise nature of the threats that face us but also to allow us to share what we know about incidents in other jurisdictions.
The NCSC also has responsibility for large scale incident response co-ordination in the State. To that end, we have drafted and have continually revised a national cybersecurity emergency plan, which we have exercised in two full annual national exercises. The second of these, held late last year, involved a simulated incident in Dublin Port and involved almost 200 personnel from across the public and private sector.
The NCSC also has a very considerable series of resilience building measures in operation. Perhaps the most significant aspect of this flows from the implementation of the first EU network and information security, NIS, directive, which has seen critical infrastructure operators across seven sectors designated as so-called operators of essential services, which have been subject to a rolling annual programme of assessments and audits since 2018. Later this year, the second iteration of that directive will come into effect across the European Union. This will bring with it a dramatic expansion in both the number of entities covered by the legislation and in the requirements placed on them. NIS2, as this second iteration is generally termed, will see that the number of entities designated here will grow from just over 100 to at least 3,000, and across a larger range of types of entities.
Following on from a Government decision last year, sectoral regulators will be taking on the national competent authority, NCA, roles in respect of most of the critical infrastructure in the State, with the NCSC taking on the NCA role for government entities and for a large number of so-called "important" entities, which is the lower tier of entities under the terms of the directive. This process has drawn in resources from across the NCSC and will give rise to a requirement for further staffing and investment in years to come, quite aside from other areas of work.
At present, the NCSC has 58 staff with sanction in place for growth to 75 staff this year. All of those additional staff have been called from panels we established in the past few months, and subject to security clearance and processes within the Public Appointments Service, will be with us over the summer.
The next few months will be very significant for the NCSC. In the coming weeks the draft legislation to transpose NIS2 will be brought to Government for decision. These heads of Bill will include a series of measures to enhance the ability of the NCSC to detect and properly respond to incidents, as well as a formal assignment of roles. The work to transpose NIS2 is very much under way, however, including a very substantial set of information technology, IT, projects to support the increased number of subject entities, that is, entities subject to the directive. Part of this work involves supporting the new NCAs and the NCSC has established and chairs an NCA forum to that end. The National Cyber Security Centre is also developing a new national cybersecurity framework based on experience in implementing the first iteration of the network and information security directive, NIS1, and premised on recent developments in international best practice. This will be a set of binding security measures that entities must take to secure their organisations from security threats.
Work is also under way to develop a national cybersecurity certification process and to transpose the relevant EU legislation in this case. The first national scheme will convert the previously mentioned cybersecurity framework into a certification scheme which can be used by organisations of all kinds to demonstrate compliance with NIS2, and to assure their customers of their cybersecurity.
The NCSC is also home to the national coordination centre, NCC, for the wider cybersecurity sector in the State. This is a formal designation under the European cyber competence centre regulation. This unit is focussed on enhancing Ireland's national cybersecurity capacity and will be hosting a meeting of the European network in late June, alongside our national conference. The organisation is also in the process of moving into new premises and has a significant number of IT projects in train to support and enable that.
In addition to NIS2, we also have two further European cyber Bills that have recently received political agreement in Brussels and that will likely be published in the Official Journal of the European Union, OJEU, later this year: the Cyber Resilience Act and the Cyber Solidarity Act. The first of these will be very significant and, because of the main establishment basis of the regulation, will also have additional responsibilities and challenges for Ireland as opposed to every other member state.
Lastly and obviously, the NCSC has at all times sought to retain the capability to fulfil its primary mission which is to respond to cyber security incidents of all kinds in the State. If recent experience is anything to go by, this is unlikely to be straightforward.
Joe Carey (Clare, Fine Gael)
I thank Dr. Browne very much and I will bring in our first committee member, Deputy O'Rourke, who I think is online. As he has gone offline, I invite Deputy Kenny to take that slot now, please.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
I thank the Chair very much and I thank Dr. Browne for his opening remarks. For many of us, we are all very conscious of the situation, particularly with what happened with the HSE and other entities that have also been under threat in recent years. Dr. Browne mentioned the expanded role the NCSC must have and that more companies and entities must deal with this. He also mentioned that the designated entities will grow from just over 100 to at least 3,000. With a larger range of entities, that will put greater pressure on. He also mentioned that an NCA would be put in place sectorally for this. How much work has been done on that and where are we at in seeing that happen? While obviously there is a very high level of expertise in his organisation, how can that be expanded and extended into all of these other groups and organisations to ensure that they will be able to perform the role efficiently and effectively?
Dr. Richard Browne:
The directive is very complex. I will not bore everybody with all of the detail of it but in very simple terms, the national competent authorities under the directive were designated by Government decision last year. We will have at least ten competent authorities covering telecoms, energy, and so on. It will be a broad set. The NCA forum has met once and it will meet again in person next week. All of the competent authorities are in the room and understand what their roles will be. It is important to stress that the actual role competent authorities will have is quite narrow. It is just assurance and to ensure that security measures which will be provided to them by us, or by the European Union in one case, will be applied to the entities in their sector.
The rationale for doing this is very important to explore. The first reason is that in many cases there are sector-specific Acts with a cyber component either in place or coming. That means in practical terms that, for example, in aviation, there is aviation legislation with a cybersecurity component. That is the case in electricity supply, healthcare and a number of other areas. Sectoral regulators are already in the cybersecurity regulation space. This Government decision essentially streamlines or mainstreams cybersecurity regulation by making the sectoral experts the cybersecurity regulators in those specific cases. In many cases, that means that the regulators have some expertise and are well embarked on that process.
Moving to the Deputy's second point, and I will come back to the state of play thereafter, the NCA forum has a number of different roles. The first is to ensure consistency of application of the directive, that is to say that every single sector gets the same level of attention and has the security measures applied in the same coherent way. As I said in my opening address, we are well embarked in drawing up and establishing those security measures and that will be done at later stages with the NCAs in the room. They will see these as they evolve and they will learn this process as it goes on.
There are a number of other things in train that I will not go into right now.
They will allow us to help these NCAs in the area of staffing and procurement, for example. We can procure things on their behalf that they can then draw down for use in their own piece.
On the state of play, it is important to point out one thing in particular, which I believe we inevitably will come back to in future meetings. Part of the NIS2 has a substantial main establishment component, which is to say that for digital infrastructure under the directive for large entities, cloud computing and other similar entities, the site of the European headquarters of those companies will dictate from where they are regulated. That means that for large multinationals with a European headquarters in Ireland, the regulatory locus for NIS2 will be in Ireland. This means the telecoms regulator, ComReg, will have a substantial role in upscaling, quite significantly I suspect, to meet a substantial pan-European challenge.
Gerry Horkan (Fianna Fail)
We actually had them here last week talking about that part of their role.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
To get clarity, each sector will deal with its own security but that is really about compliance to ensure they have the correct firewalls and security measures in place to keep everything safe. The National Cyber Security Centre is an overarching body that is keeping an eye on everything and Dr. Browne mentioned that more people or entities are coming after the centre has detected the problem, rather than them coming to report the problem. That suggests there is proactive work going on. Does that mean the NCSC will have more of a role in trying to foresee the potential of an attack or perhaps will be able to point to the beginning of a problem where it may be opening up? I imagine in all of this, artificial intelligence and technology is moving to our benefit as well as to our disadvantage. It has the two sides of that coin. How much of that is done from a perspective of using AI and systems in place to detect the kind of operations some of these players engage in?
Dr. Richard Browne:
I thank the Deputy. There are three questions implicitly in that piece. The answer to the first two is yes, and I will come back to AI in a second.
On the first two, in terms of our role versus the roles of the NCAs, the NCAs' roles will not be technical in the sense of them looking at whether they have the right firewall or the right piece of infrastructure or software. It is a controls-based environment and an audit-based process. It is much higher level than that, which essentially means it is primarily a paper-based exercise. It does not usually involve rooting through people's offices or their hardware, although aspects of that can be done under the powers in the directive.
NCAs will sit in that kind of compliance space without worrying about the ones and zeroes essentially. Our role, as the Deputy suggests, will continue to evolve along the path we are already on. We will garner much more technical capability and powers to access information and to understand what the risks are before they actually happen. Much of the work we are doing right now is managing the national attack surface. We can see what systems are deployed across the State, in the public sector and private sector. We have some powers in some cases to engage with vulnerabilities and say to people they need to fix that specific problem or, even worse, we can tell people they already have an active incident under way and they need to take specific steps to stop that.
The legislation for NIS2 will contain powers to allow us to do a lot more of that. That is a really important step for us and for everybody else as well. At the same time, as the Deputy suggests, we also will have a substantial role in assisting the NCAs and ensuring they know what good looks like. We will be running a number of different software systems to allow NCAs essentially to log in to a central register and exchange and share information with us, as well as with subject entities, in a secure way. We essentially are trying to lift as much of the burden from NCAs as we can to allow them to get on with the critical work of going out and doing compliance.
On AI really briefly, in the past 12 months or even just during 2023, we published a blog post on the use of generative AI from a cybersecurity perspective. We provided guidance for public sector bodies on the cybersecurity risks associated with the use of generative AI and we are active members of the working group on trustworthy AI, which is led by the Departments of Enterprise, Trade and Employment and Public Expenditure, National Development Plan Delivery and Reform. We are fully involved across the public sector on the use of AI. It is undeniable that AI has a huge number of advantages for both attackers and defenders. The general consensus in the cybersecurity community is that over time, the advantage will float to the defender more because defenders tend to be larger in scale. They can use AI in a more coherent fashion. That is not to say there are not risks associated with it; of course there are. There is some evidence on the fringes that some actor groups are using generative AI to be better and faster at exploiting vulnerabilities.
The key point is that we have yet to see, and this is borne out by a lot of international experience, any attack with an AI component that could not be defeated by traditional cybersecurity practice. In other words, the world has changed but it has not changed that much just yet.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
I have two more short points. At what level is international co-operation? How many of the attacks the NCSC is able to see are something that is reported to the centre from other jurisdictions or other parts of the world?
The other one is in regard to the availability of skilled staff with the necessary technological skills to work in the sector. Is that something we have in Ireland? When we walk around most of the parts of the country where we see the major corporations such as Google, Facebook and all of those, we see a lot of international people there. We see people from other countries who are obviously coming here to work because they have the skills. Are those skills available here? Will we need to see more people come from abroad to take up those skills? How much of that work can be done remotely? How much of that work is something whereby staff can work anywhere in the world to assess it and evaluate such threats and risks and report them back to the centre? While I ask that question, I also note that in his opening remarks Dr. Browne mentioned the dangers of people working remotely and how doing that could be leaving a door slightly ajar.
Dr. Richard Browne:
I thank the Deputy. There is a lot in all of that. On the partnerships first, cybersecurity is a global team sport. Because the domain is essentially global in nature and interconnected, no one state can do this by themselves. They have to be able to share information and share threat intelligence. They have to be able to share knowledge of new risks and we have been heavily involved through the European Union and other processes for quite some time on all of that. More recently, obviously, we have been heavily engaged through the NATO individual tailored partnership programme, ITPP, and other partnerships on sharing information up to the very highest classification levels on risks, threats and actual incidents.
There is also an important point on partnership in respect of the obligations on this state. We might be a small state in generic terms but in cybersecurity terms, we have almost twice the number of IP addresses per head as the UK, for example. We have a substantial cybersecurity real estate. Because we have that and we host all that economic activity, we have a collective responsibility to everybody else that our estate is not used for attacks on other jurisdictions. It is also a question in terms of neutrality. We cannot be used as a base for an attack on other jurisdictions. We work closely with lots of international partners, through the European Union and other fora, to ensure that if people have an issue with something that is emanating from here, we can stop it. We see it in advance and we can stop it.
There is also a more general question about the use of large-scale command and control networks for malware. These are called C2, command and control nodes, and because of our large IP address space, we tend to see a lot of that kind of activity here. We work closely to ensure that we can continually monitor and take down things that might be affecting any other country in the world, frankly. That is the first point.
On the second point, on staffing, there are two points under staffing. One is the NCSC's own staffing question and the other is the generic point. I will come back to a question on VPNs as well. First, we have recruited very heavily over the last number of years. We have gone from 25 to 60 as of the week after next, and to 75 in a couple of weeks. That has given us a huge amount of exposure to what is happening in the marketplace. The simple answer to the Deputy's question is that it is entirely possible to get staff. It is very possible to get highly qualified staff but the place is not awash with them. There is a relatively limited marketplace. We find that if we go back regularly to the market we tend to do better, rather than going for very large panels in one big go. Our modus operandi has been to go regularly to market and recruit regularly to see what is out there.
At the same time, we have been very successful in getting very well qualified staff. A lot of our staff have joined us from the private sector, from consultancy houses and other commercial companies. We are in that space. The work we do is in and of itself an incentive. Many of our staff are readily employable elsewhere for a lot more money but they choose to work with us which in and of itself tells you a lot about the nature of our work as well.
On the national picture, we have just concluded a consultation on a national cyber industrial strategy, which looks at all of the questions that would be asked around the future and present cybersecurity workforce. Globally, we have a huge challenge in this regard. We are in a period that in the US is referred to as the valley of death. We have identified a huge problem but it probably will be about four to six years before the new graduates and new skilled personnel will come through the cycle. As the Deputy has pointed out, we have a significant international workforce who have come into the country because of the jobs that are here and this has been hugely valuable for the State. It is something that we, SFI, Enterprise Ireland and the Department of Enterprise, Trade and Employment are heavily seised of. It is an area where we have a huge economic opportunity as well because of all the data and cybersecurity companies and connectivity here. This is an area where, hopefully, we can take significant advantage in years to come. The point on the VPNs is not that working from home is necessarily risky but that some of the VPN solutions that have been used have been found to have vulnerabilities. The extent of the exploitation of those vulnerabilities here has been limited because when someone has a global vulnerability of that kind, it will go after the big targets first and the big targets usually mean large governmental organisations in large countries. The timeline from the detection of the vulnerability to the vulnerability being exploited, however, is falling dramatically. We have been lucky in the recent past but we will not be lucky forever.
Gerry Horkan (Fianna Fail)
While I am next on the roster, I will allow Senator Craughwell, who is under some time pressure, to go ahead of me. Senator Craughwell may go ahead, conscious of the fact that we may have to go and vote in the middle of all of this.
Gerard Craughwell (Independent)
I welcome Dr. Browne and Mr. Stephens. First and foremost, I must compliment the witnesses. When we first mentioned cybersecurity in this House, at that stage we were struggling to get proper terms and conditions for the organisation but I believe the NCSC is happy with that now. It has moved quite a distance there. Certainly, internationally, as I travel around Europe, I am aware of the liaisons the NCSC has across Europe and I compliment it on that and on its proactivity in that area. Many people speak to me about the fact that Dr. Browne is very much a seen person in Europe and that is an important thing for the Irish National Cyber Security Centre.
I have a couple of issues. The first one is that the NCSC is located in the Department of communications. We both know that I have always thought it should be somewhere else. How many tiers does the NCSC have to get through if it wants to speak to the Taoiseach? If there is a major crisis in which the NCSC needs to talk to the Taoiseach, does the centre have direct access and can it get that? That is the first question.
The second issue is that we floated an idea some time ago - I do not know if we ever got it into the centre - on the notion of a cyber fianna in Ireland, if you will. That is, there would be the National Cyber Security Centre, the people involved in cyber for consultancies and the like and then a third line of reserve, which might be the Civil Defence or the Reserve Defence Force or somebody like that. Generally speaking, I mean people who could help to reinstall software and to get things up and running fairly quickly.
I am extremely concerned about the lack of awareness amongst CEOs and CFOs. If asked about their state of cybersecurity, they will refer one to their IT department. We both know that IT departments might be great at making machines talk to one another but they do not always have a security lens. The course run by Professor Tom Acton in Galway, which is going to lead to cyber officers in organisations in the future, is a good move and I would be interested in Dr. Browne's view on that.
I am not going to hog the day. On national schools, the National Cyber Security Centre was very good to endorse the idea of bringing in cybersecurity training and awareness to national school kids from the age of nine and upwards. We are currently trying to get a national geographic project off the ground with the Department of education and I thank the NCSC for its assistance and its staff in that regard.
I have one last point and that is that we have discussed the issue of critical risk analysis tools before and Dr. Browne and I have seen the output from one of those. Is the NCSC going to license the users of these CRAs? It strikes me, and I am aware that Dr. Browne had some concerns about the amount of information that could be gleaned from a CRA, that it is great when dealing with somebody that can be trusted and who will do the right thing but bad actors come in all shapes and sizes. Is the NCSC going to start or does it already have a register of what CRAs are in use in the country, and who has access to them? I will leave it at that and I appreciate the Chair letting me in on the time.
Dr. Richard Browne:
There are six points there and I will respond quickly, as I know the Senator is under time pressure. The first one on visibility is really important and it goes to our shared responsibility in terms of our position in the global cybersecurity ecosystem. The reason Ms Woods is not in the room is because she was stuck in Frankfurt late last night getting back from another trip abroad, so this is an ongoing piece. It is a huge workload but we have to do it because the State has to be represented in those multiple forums. On visibility and access, it is immediate. I can be in Government Buildings in a single phone call. There is no barrier to access, if required. On the cybersecurity reserve question, this is one that has been around the European construct for a very long time. I think we both have mutual contact in the Baltic states who have explored components of this over the years. There are three things to note. The first is that cybersecurity reserves have been varied in effectiveness in operational use because very often, one goes to war with the army one has, not somebody else's army that has been borrowed on Saturday morning. This in and of itself sounds very obtuse but that is generally how it works. If there is a crisis, employers will have first call, which is fair enough. There is, as I have mentioned already, under the new EU Cyber Solidarity Act, a European-level reserve, that is, a mobile reserve that can go from a member state to other member states in times of crisis. That is one which, when it comes into effect several years from now, will have some utility.
The second thing is that the Defence Forces have a substantial number of reservists with a foot in this space and that is a construct that works well for them. I suspect we will see more of that happening in the short and medium term. They have access to some really excellent staff from across the private sector who work in uniform, in the Defence Forces, in various different cases. My last piece refers to Locked Shields, which is the major European NATO exercise held every year. This year, we played for the first time with a full team. We had people from across the private sector playing as well, exactly as we would in a real-world incident. We had people from some of the cybersecurity firms involved in front-line defence of infrastructure, Defence Forces personnel in uniform and Defence Forces personnel who were from the private sector but were in uniform that day. In a real-world case, like with the HSE, that is exactly how we have to play it. That is the way it works.
I will address the last three items quickly. On the question about the CEOs, it is important to note that under NIS2, under Article 20 of the directive, the CEOs and managing bodies of organisations will be directly responsible for cybersecurity. For those 3,000 plus organisations, they will be directly responsible under the legislation. We have worked with the Institute of Directors and other management organisations to try to frame some work in that space. It is very challenging. There remains, we are not unique and this is a global problem, a disjunct between the boards of organisations and the IT function, as the Senator noted. Elevating IT risk into the boardroom agenda has been a concern of ours for many years. It is happening but it is happening far too slowly and NIS2 will help with that. Regarding the second last item on schools, it is a very challenging area. We have had a junior cycle short course on cybersecurity in place in ten to 12 schools a year for quite some time now. Going from that to a mainstream deployment is very challenging. Finding the teachers who can do it is a challenge. I know there are a number of other initiatives under way as well in primary schools and elsewhere. We have looked at it in our cyber industrial strategy. If we can get anything material going, the outcome will be in that formal version of that strategy.
The last item I will come to is the use of scanning tools. First, there is a large number of scanning tools out there. There are two difficulties upfront. The first one is that threat actors use the same tools. If you are a bad guy or a white hat, it is the same tools and in some cases, it is deliberately so. When we see people doing it, it triggers alarms on our end as well because we see those scanning attempts. The second piece is that, as people will probably be aware, aspects of the criminal justice Acts also impinge on the types of scanning people do. People consequently have to be extremely careful that they do not inadvertently cut across and commit a crime, which is in and of itself unlikely, but it is a problem. We use some scanning tools ourselves and have done so for many years. We will have much greater scanning powers once our NIS2 legislation is in train.
It is much better that this stuff is done using a co-ordinated vulnerability disclosure process, which we will also be establishing under NIS2. This will allow these types of white-hat entities to engage with us. We will act as the interlocutor between them and the victim.
Gerard Craughwell (Independent)
That is excellent. I will not push Dr. Browne anymore. I thank the Chair for allowing me the time. I thank Dr. Browne for his ongoing drive and support in this area. Anything we can do in this House for him, we should be doing but I think he is well capable of doing everything he needs himself.
Gerry Horkan (Fianna Fail)
I am going to start my questioning now but I am conscious that, as there is a vote upcoming in the Seanad, we may need to suspend for a short while. I will start anyway.
First, I thank the witnesses for being here. This is an important and timely meeting. There is quite a bit of jargon which the witnesses are all very familiar with. I will try to get familiar with it but not all of it is as familiar to me as it might be to the witnesses. I had not heard the phrase "edge devices" before. Maybe that is my own fault. What are edge devices, as such?
Gerry Horkan (Fianna Fail)
Okay, so it is kind of the border of an existence or whatever. Clearly it is going to be the bit that is most vulnerable because it is the bit at the edge. Is it fair to say that Russian aggression in terms of cybersecurity is at a level never seen before?
Dr. Richard Browne:
It is more complex than that. The details of much of this are not in the public domain but it is safe to say that across Europe last year, and even to an extent in 2022, things were relatively quiet in this regard because the war in Ukraine was pulling in a lot of resources. It is clear from what is in the public domain in the past six to eight months that this has changed quite a bit. If we leave the cyber domain slightly aside for a moment and look at what is happening in terms of hacktivism and in other domains such as maritime, there seems to be a change in the tenor of activity.
Gerry Horkan (Fianna Fail)
Not everybody is as much into this as Dr. Browne is. There are people watching the broadcast of these proceedings. I ask him to explain what hacktivism is. These are anarchist types or something who are-----
Dr. Richard Browne:
In theory, yes. "Hacktivism" is a portmanteau of "hacker" and "activism". We can go back 20 years and more to groups like Anonymous. These groups were random, often anarchic, online collectives and individuals who conducted destructive or nuisance-type attacks for political gain. Very often, it was just to make a name for themselves and sometimes it was with other political motives in mind. One of the things that has been characteristic of European experience in the past 18 to 24 months but particularly in the past 12 months has been the rise of much more orchestrated hacktivist groups that are clearly focused and have set targets. They operate much more advanced tooling than they did previously and are becoming much more effective. It is important not to overstate the effectiveness of what they are doing. I apologise for the jargon, but it is mostly to do with distributed denial-of-service attacks. They point a huge volume of traffic at a website, hoping that it will fall over and, in turn, that will draw attention to the political cause. In many cases, the hacktivist groups we are talking about are pro-Russia. They include groups like NoName and a series of others, which I will not go into. On a European basis, it is possible to track the targeting of individual sectors by groups. For example, a group might go after ports in eight or ten European countries over the course of a week. They will publish on a website that they are going after port facilities in certain countries. Ireland might be included on that list. They do that and then move on. It may never come to the attention of the public that this has happened but they are trying continuously to do this. It is important to note that colleagues in the Baltic states and elsewhere have seen a huge number of these incidents. We have seen some, but nowhere near the same level.
Gerry Horkan (Fianna Fail)
We will suspend the sitting for a vote in the Seanad. Once the vote is over, we will come straight back.
Gerry Horkan (Fianna Fail)
Apologies for that slight delay. In his opening statement, Dr. Browne stated that the NCSC is now much more proactive than it was originally, when it was more reacting to what was fed into it. Without giving away the game to all of these hacker-type people, what is it doing now that was not being done before?
Dr. Richard Browne:
In a binary sense there is very little we are doing that we were not doing previously. What is more important is the extent to which we can do it. This gets very complex but in simple terms, a lot of what we do is take threat intelligence from private entities, partners, neighbours and friends which would say that-----
Gerry Horkan (Fianna Fail)
When Dr. Browne says neighbours and friends does he mean other countries and cybersecurity agencies in other countries?
Dr. Richard Browne:
In some cases it is private sector companies or even some NGOs in a global sense that scan or look for particular vulnerabilities. An organisation might come to us and say that six particular IP addresses in Ireland have a problem and it thinks that problem is a certain actor group. We will then sometimes visit the entities involved, conduct checks and assessments and if there is an intelligence product from this that is of national security importance, we will take that through the proper channels. We will clean up the mess, as is required, or get someone else in to do it.
More of the broad spectrum, large-scale stuff relates to the ability of the NCSC to consume much larger threat intelligence feeds. In other words, we can take much larger datasets now, analyse them ourselves and then output a product that says these 16 IP addresses may have a problem and we should conduct an investigation, as we have. If it is a significant incident, we can chase down to a granular detail within an IT system to look for a problem.
There is another issue here and it is a challenge facing every European jurisdiction. Very often when the NCSC finds a vulnerability with an IP address, sometimes we cannot identify the owner of that. Legally, we cannot work out who the owner is. Home IP addresses, where there is a home router sitting on a hall table or wherever it might be, are connected to an Internet service provider, ISP. That ISP owns an IP address block and randomly reassigns within that block to different customers. In some cases, thanks to something called IPv4 carrier grade NAT, which is a long story, the ISP might have 20 or 30 houses hanging off one IP address. If we find that one IP address has a problem, we have no legal means of compelling the ISP to tell us who is using that IP address-----
Gerry Horkan (Fianna Fail)
Should the NCSC have that means?
Dr. Richard Browne:
Most jurisdictions either have or are working on legislation to allow them to do that. That would allow the NCSC to go directly to victims and say to them, "Here is your very specific problem." Up to this point there was something called a botnet, a robot network. These are often very large collections of compromised devices. Some of these devices are things such as home routers, the digital video recorder that sits under a television, a security camera or whatever. Those devices are often joined together in a botnet on a global basis which can be used then for all kinds of malicious activities. The so-called Mirai botnet was responsible for a substantial Internet outage on the east coast of the United States two or three years ago. These botnets are mainly a nuisance but sometimes they are very serious. Our ability to police the national IP address base and have those removed is really important.
Gerry Horkan (Fianna Fail)
Is the NCSC getting those powers?
Gerry Horkan (Fianna Fail)
With every answer I am probably thinking of ten more questions. I am conscious I do not have all day and that, equally, the witnesses cannot tell us everything. From a consumer perspective, what can any or all of us do in our daily lives? We have laptops and phones and I am sure some people have game stations and various gaming devices that are linked to the Internet. Maybe people have security cameras and other devices such as televisions that can be linked in and all that kind of stuff. How can we all play our part? I know we are only a small part but in most of these situations, once the hackers get in, they are in. There has to be a way in. The HSE attack was due to things like very old computers being used and people leaving passwords on screens and information available. How can we make sure we are as compliant as possible while being conscious of the fact that everybody gets tired of trying to remember 50 different passwords and all the rest?
I thank Dr. Browne for the email we received today with the NCSC's guide to political activity and various things. I do not know when the guide was published but it was sent to us today. I thank Dr. Browne for the work the centre is doing in that sphere.
Gerry Horkan (Fianna Fail)
I thought it was an obvious question for us all.
Dr. Richard Browne:
It is obvious and critical. There is a piece of European legislation which will resolve many of these issues. Upfront, as consumers there are a few simple things we should all be doing as a matter of course. Changing default passwords on devices is really important. Every IP-connected piece of equipment in a home or business has a default password. It is usually "0000" or "1234". Threat actors know what these passwords are and can hack the devices readily from a distance. We have seen some destructive attacks here that used that kind of technique.
Gerry Horkan (Fianna Fail)
These are attacks on devices such as modems.
Dr. Richard Browne:
Precisely, or even attacks on group water schemes, in one specific case. A group water scheme had its supply stopped because somebody managed to access a device remotely and, in essence, disable it. That is one thing.
There are a couple of other basic things. First, people should ensure devices are continually updated and they have the latest version of the working software. Multi-factor authentication, MFA, should be used at all times. Every single service or device should have MFA and people should use it. If MFA was properly applied and people had devices patched to the latest standard, from the assessments I have seen - I have heard from CEOs of some of the leading IT companies in the world who will tell you the same thing - that would stop 90% of attacks. It is as simple as that. The basic things still work and those two basic things really matter.
Complex passwords are another thing. These are long, complex passwords. I know it is difficult. People should use a password manager. Using difficult passwords that are difficult to guess will save a lot of trouble.
While that remains the case, no matter how many people we can persuade to do the right thing, there will always be some people who will not be able to, will forget or will not be sufficiently interested to do it. Collectively, we all bear the risk of that issue. There is a piece of EU legislation called the cyber resilience Act, CRA, which has been agreed and will be published formally later this year.
That in turn will put binding obligations on manufacturers of all these kinds of devices to ensure that this is done by default and to support these devices for a fixed period of time. This will again take this vast constellation of often very cheap connected devices and make them much more secure.
Gerry Horkan (Fianna Fail)
I could probably go on for another half an hour but I will not. Does Deputy Farrell wish to come in at this point? He is on mute and could be on another meeting. I will bring Deputy Kenny back in.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
To expand on the discussion about the companies, Dr. Browne mentioned a group water scheme, which is usually a voluntary organisation set up to try to bring water to a rural area where it would not have had it before. It is certainly not something you would think anybody in St. Petersburg would try to hack but there you go. The issue is the responsibility of the owners of businesses or charities or whatever to have adequate measures in place. Where there is responsibility, there is also a certain liability. Are there commercial providers working in the field to assist people to ensure they have the level of capacity they need and are properly and well enough protected? Are they expensive? Is that whole cyber-protection area something we can envisage opening up as a potential market? Is that something that is going to become a part of the consultancy firms we have had down the years? They have done a certain amount of work on it. Is it a field they are moving into? What is happening in respect of that space?
Dr. Richard Browne:
That is a good question. First, this point goes to the very heart of the Cyber Resilience Act, CRA, process at a European level. The US policy in the current White House has moved towards exactly the same issue. We have a risk asymmetry here and a capability asymmetry. Those who run charities, sporting clubs, websites or a small piece of infrastructure cannot ever hope to be fully secure because they will never have the capacity or capability to do that. The aim of European policy and elsewhere in the world is to shift the burden of responsibility up the chain to the companies that can actually do that, to the people who make the equipment. Of course, there is always a risk that link would make it more expensive but that is a separate conversation. That is one thing. The solution here is to make everything more secure and take it out of the hands of individuals who will never be able to fully do that. Having said that, we do have a very expansive and quite capable domestic cybersecurity sector here. There is lots of advice, guidance and support out there, even on our website, to allow people to secure stuff like that. For the most part, however, and this is really important, the same guidance will apply to sporting clubs, charities and those running social media accounts and so on as will apply to politicians in the democratic process. This advice is to use multi-factor authentication, complex passwords and to ensure that access control is fully enabled. Once one has done this, that is quite a lot of what can be done because it is only really when dealing with much larger and much more complex pieces of infrastructure that more complex cybersecurity rule sets will become a thing. For the small scale, the simple things still work.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
And what of the availability of assistance of companies that are providing services for organisations? As for the big organisations as well, we talked about a group water scheme but were Irish Water to be taken out, we would have a huge problem across the State, as we would in the case of one of the other big utility providers like telecommunications or electricity, for example. What level of preparation have these providers got?
Dr. Richard Browne:
There are two different elements to all of this. The first one is that for smaller entities, the risk they pose to society is much smaller. In the case of the group water scheme to which the Deputy referred, 85 families were affected. That was significant for them, given that they were 12 or 13 hours without water. At the same time, however, it was a manageable risk. For much larger entities, as the Deputy noted, the real question is on the consequences for the State as a whole and for much larger numbers of people. The network and information security directive, NIS2, process is the first and most important way of dealing with that. We have binding requirements on large critical infrastructure operators to make sure they do their things properly. They then go out and deal with private sector operators in cybersecurity for consultancy and other vendors to ensure that they have the right controls, systems and processes in place. The audits and assessments that we do on an ongoing basis are key to driving all of that on. There is a market out there for that.
The second order piece is the work we do in the operation space, in the scanning, in the threat intelligence sharing and through something called CORE, which I will come to in a second. All the work we do is to build resilience across the system. I will explain CORE very quickly, and then Mr. Stephens who is sitting next to me and who is responsible for all that project will come in. We have, like many of the member states, had a series of different attempts to share information across sectors in order that we could bring in the key people from key critical infrastructure sectors on a regular basis. We have done this for ten years in various different ways. Over the past three years, we have evolved the new model which we call the CORE model, co-operation and response, which is essentially sectoral groups that are chaired by sectoral chairs from the area. The first one was Gov Core, which is the Government CORE. We have a series of others, which Mr. Stephens can speak on in detail in a moment. Each of those COREs is designed to share information, training and best practice and allows us to speak to, for example, the energy sector and the heads of all the major energy sector operators on a regular basis and say these are the issues they should be aware of and these are the things they should be doing. Mr. Stephens might give some more details on the next plans for the COREs.
Mr. Joseph Stephens:
Building on what Dr. Browne has said, that model has been really successful in government and we have actively stopped a number of attacks by everyone working together. One person will see one aspect of a cybersecurity incident, which then can protect other people when they share that information. We are expanding it into multiple other sectors such as energy, telecommunications, health and education. We are also setting up a bespoke one for small and medium enterprises because of the issues both Deputies raised in terms of the imbalance there to try to help such businesses. There has been great value seen in this in Europe, which is co-funding this. It has given us 50% of the funding. It is a €3 million project and half of the money has been provided by the European Union. It kicked off at the start of this year and it is a three-year project, so by the end of the three years, it will be fully operational and will have a technical infrastructure to share cyber-indicators with one another, as well as a community where people know one another and can build capacity within the sector. It has been highly successful so far and we probably will expand further at the end of the project.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
I have one other small point which goes back to something I mentioned in the beginning about artificial intelligence, AI, and how that can monitor patterns of behaviour. Is that part of what can be done here? If for instance, there was a pattern of behaviour in attacks seen in Latin America and something similar then started in another country, which could then be picked up. Is there a worldwide network where this can be picked up on to ensure that we can get ahead of, or at least be up to date with, the various nuances of changes and adoptions the actors will have?
Mr. Joseph Stephens:
Artificial intelligence is already built into a lot of the products and services and has been for a number of years. There has been an explosion in the last 18 months since the launch of ChatGPT when it came into the public domain in large language models. AI has been around for many years and is in products. It is the way patterns can be detected with those huge amounts of data that no human could ingest. That is something we have done for a long time and will continue to do. As an aspect of the CORE project I was just speaking about, we are going to partner with a research institute to look at how large language models and artificial intelligence can be used for precisely that purpose that the Deputy mentioned, where it can draw out those patterns and perhaps provide a human-readable report to set out its understanding. It is an active area of research that we are funding and hopefully we will have results and a working prototype for that in the coming years.
Dr. Richard Browne:
To follow up on that, on the operational perspective, we have a very large amount of threat intelligence data going back more than a decade now on "stuff that has happened". The scale of some of that threat intelligence is vast. It is hundreds of millions of data points. The only way of assessing all of that in a material sense, is by using some form of language-based or rules-based process, like AI or something else.
We have done aspects of that for many years, to assist in our analysis. This ensures that we determine exactly what we are seeing in all of our data. As part of the move into our new premises, we are building all of our IT infrastructure again from scratch, to enable us to use much more processing power to get into both our existing data sets and those we are onboarding. This allows us to ensure we can do all of this analysis across everything. There is not much point having the information, in paying public money for the information, unless we can use it properly.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
When will the organisation be in the new premises?
Martin Kenny (Sligo-Leitrim, Sinn Fein)
By the end of the year, anyway.
Gerry Horkan (Fianna Fail)
I thank Deputy Kenny and call Deputy Farrell.
Alan Farrell (Dublin Fingal, Fine Gael)
I thank the Leas-Chathaoirleach and our witnesses. I apologise for having missed the opening statement as I was pulled away to another committee. I have read it. I do not have any operational questions other than to ask where does the organisation sit in the hierarchy of security within the State, if I can call it that, that is, within its security services. Am I right in suggesting the organisation is funded by the Department of communications? Dr. Browne might clarify that for me. He mentioned the staffing levels the organisation would like to attain by the summer. Has the organisation had any difficulty with the recruitment of the specialisations it requires? I was informed recently that this is an issue within the cybersecurity sphere. Does Dr. Browne expect that this will curtail any of the roles or responsibilities the organisation is taking on in relation to its appointment as a designated organisation? Finally, expectation and desire are two different things. Does Dr. Browne expect to be able to fulfil the role with the present level of funding, staffing and expertise within the organisation into 2025?
Dr. Richard Browne:
I thank the Deputy for the three questions. I can be relatively brief in terms of the hierarchy. The NCSC is an executive office, a part of the Department of communications. The reason for that, historically, is that EU cyberpolicy comes through the telecoms working parties. Our policy stream is in the telecoms policy area. Aside from that, I am on the managing board of the Department and sit in that way. The future of that obviously remains to be seen but right now it is a very effective way of working, in the sense that we have direct linear access to policymaking and they to us. In terms of hierarchy, we have responsibility for the cybersecurity domain. So we are the State's primary cyber defence entity. The Defence Forces have four domains, we have one. That is the first question.
On staffing, this was partially covered already. It is important to say that the rate at which we can grow is curtailed. We cannot readily add 50 staff in the morning if we want to. What we can do is progressively grow by recruiting on a steady basis and always going to the market twice a year for different panels. We pull people from the market as time goes on and we are growing in that way. Right now, today, we have extended two panels. We are drawing from panels at CSS and CSR and at those two grades, we have at least 20 more on each. We have staff there we can draw from when we get the sanction for additional staffing. It is not easy, but by going regularly to market we find there are always people with the right skills who want to come and work for us. There are not 500 of them, but there are enough to meet our needs in the short term.
To the Deputy's last question, it was in my statement, we will be going back and looking for further staffing, particularly for NIS2. If we look across the operational domain and elsewhere, we have a substantial requirement for additional growth. That will be put into a multi-annual plan. The work is under way at the moment. We will be bringing that up the line in our Department in the next little while. We are looking at a three-year growth plan for the organisation. To answer the Deputy's question, no, not right now with what we have. We need to grow more.
Alan Farrell (Dublin Fingal, Fine Gael)
I thank Dr. Browne for his reply. I hope he will forgive me if he has already covered this but Tuesdays and Wednesdays are very busy for committee business for me and I also was chairing the Dáil at the beginning of this meeting. My question regarding interagency co-operation is whether the organisation deals with the Defence Forces if a matter overlaps, for instance. Does it deal with An Garda Síochána or the national emergency co-ordination group or both with regard to exercises to ensure the State is ready for any such matters that might arise or actual events or both?
Dr. Richard Browne:
I thank the Deputy. In simple terms, yes. That is the answer to all of those questions. We deal extensively, as we have for many years, with various different parts of the Garda and of the Defence Forces at both a senior management level and working level. We have strong information-sharing relationships across all those organisations and these are in various ways that are required to meet particular needs at different parts of those organisations.
On the Government task force and emergency planning, we are a lead Government agency in respect of cybersafety, so we are the State's cyber emergency response planning entity. We have a national cyber emergency plan, which has been exercised twice in recent years and hopefully will be published in the next while in the present draft. That document is not a simple one in many ways, given the complexity of cybersecurity. It impinges on literally every part of society at the moment. It is very important to point out that the GTF process, the Government task force and emergency planning process and the SEM, that is, the strategic emergency management process that sits under that, gives us a whole-of-government template for its response. It is very rare that we would have a cyber incident that is just a cyber incident. It will be a cybersecurity incident in healthcare or in drinking water supply or in something else. We have to work with another entity to help manage an incident in its area. The GTF process gives us the framework to do that in a very open, transparent way, together with the facility to do it.
Alan Farrell (Dublin Fingal, Fine Gael)
I thank Dr. Browne. My last question relates to whether the National Cyber Security Centre is responsible for either co-ordinating, working with or carrying out any work that relates, for instance, to Cabinet, senior public servants or civil servants, that is, those who might be carrying out sensitive work on behalf of the State. Does that purely fall to An Garda Síochána or another group? I mean on the cybersecurity side, I should say.
Dr. Richard Browne:
We have a number of different roles with regard to the security of Government communications. The details of those are what they are. The physical security and the larger national security questions fall to the Garda as the internal security arm of the State but we do have some roles around all of that, yes.
Gerry Horkan (Fianna Fail)
I thank Deputy Farrell. Just briefly, in terms of the global industry, there are certain countries from which more of the cyber threats seem to be coming.
Can you tell me where they are mostly coming from or-----
Gerry Horkan (Fianna Fail)
Yes and equally, does the NCSC believe them to be state-backed or do they happen to be in these particular countries without necessarily being state-backed?
Gerry Horkan (Fianna Fail)
We knew the origin of the HSE attack but we have never said the state was directly responsible for it, which is a diplomatic distinction. I obviously will not be doing that now. It is very safe to say that the international assessments are that the majority of offensive cyber actions can be associated with groups in four countries, namely, Russia, China, Iran and North Korea, DPRK. That has not really changed; that has been the case for a very long time. The extent to which these are state-backed or state-funded or even where the state is aware of them varies by incident and by the period. It is safe to say that the ransomware industry is, by and large, heavily premised on activity in Russia. Is that not the case? It does not necessarily mean always based in Russia or in any way working under the auspices of the Russian state. There is, however, a heavy emphasis on the Russian criminal ecosystem in that world.
Beyond that, it is important to note that offensive cyber tools are in use broadly across the world but the manner in which they are used and the ends to which they are used differ. There is a clear distinction that can be drawn between different actor types. If members are looking for a more detailed outline of this, in the middle of last year we published a national cyber risk assessment. It called out both the major sources of these kinds of activities and the effects. I think the effects really matter as well. Calling something an attack is all well and good but some incidents have very low impact and some incidents have very high impact. That should be taken into account in all of this too. The assessment was published in July of last year.
Gerry Horkan (Fianna Fail)
Dr. Browne might circulate that to us or maybe send it to the secretariat so we can have access to it without having to Google all over the place. I know Deputy Farrell made a reference to it as well, but in terms of the staffing levels, it was 25 not that long ago and it is at 75 now. Where does Dr. Browne anticipate being in the medium term? It is a moveable feast, I take that point, and when this stuff happens there could probably be thousands of people and still not have enough. Where would the National Cyber Security Centre like to be in terms of staff numbers in the medium term?
Dr. Richard Browne:
I think the Leas-Chathaoirleach has covered the two most important points already in his question. One, it is a moveable feast. It depends on what else we are asked to do in the period. Second, essentially an infinite number of staff could be added and the centre could still be struggling with aspects of all of this. There are a number of elements coming up including the CRA and the EU Cyber Solidarity Act that will have other questions for us. To do NIS2, we will need quite a few more staff to make NIS2 really work over the next couple of years.
Gerry Horkan (Fianna Fail)
Just for people watching, NIS2 has been referred to but what will it mean?
Dr. Richard Browne:
For us it means, first, that we will have a much expanded role as a national competent authority in our own right and in supporting other national competent authorities, NCAs. That is a whole other programme of work. We will also have a substantial IT project, which is well established and well under way now, on building resources for other NCAs to access. That is a huge piece of work. Of course, the operational side will have more powers. The deeper question will be-----
Gerry Horkan (Fianna Fail)
NIS2 is doing what? What is it doing?
Gerry Horkan (Fianna Fail)
This is telecoms, electricity, water, healthcare and education. Every system will be told to step up to the plate, if it has not been already, to bring itself to a new level?
Dr. Richard Browne:
Precisely. We are also going down several levels where much smaller entities are now being brought in. We have to look at ways of delivering compliance that do not make their costs unbearable. We have to find a compliance model that is effective and meets the requirements of the directive.
Gerry Horkan (Fianna Fail)
And this is both public and private sector?
Dr. Richard Browne:
Yes. Again, we are trying to do this in a way that uses open, interoperable global standards in order that people do not have to reinvent the wheel. There is no point in us making companies incredibly secure but driving half of them out of business, for example. This is something we have to modulate carefully. To go back to the original question, the implications for us are that we will have a much heavier operational workload and a huge additional compliance, governance and administrative workload. I cannot see us being able to do that with less than 120 or 130 staff three years from now at least. Depending on everything else, it could be a lot more. This is the question that will ultimately be for the Government to decide.
Gerry Horkan (Fianna Fail)
We all have to ask the question, as legislators and as public representatives, in that it is not what the cost is but what the cost would be were things to go wrong. Do we have an estimated final figure of the level of inconvenience and cost that the HSE attack cost us?
Dr. Richard Browne:
Different figures can be seen going around. Some of those figures relate to something we call technical debt or in other words, things that should have been done before but were not and are now being done as a consequence of the incident. I think it is safe to say around €100 million seems to be a safe bet for some of the costs.
Gerry Horkan (Fianna Fail)
That is not even taking into account the sheer inconvenience and lack of efficiency that was there because all of a sudden things had to be typed, photocopied or were unable to be emailed. People could not access records. The increased length of time things would have taken because they could not do the things they normally did.
Dr. Richard Browne:
Absolutely, and I think importantly as well, the disruption to critical healthcare services for a large number of very sick people. The cost of that is very difficult to put a number on. The HSE example is in many ways probably one of the largest cybersecurity incidents in history.
Gerry Horkan (Fianna Fail)
Okay. On that very sobering note, I thank the witnesses present and Ms Woods for joining us online. We will have them back again for sure. On a last point, is there anything else they need from the Oireachtas or any of us, other than for us all to be vigilant with our devices, our phones, our laptops and all the rest, and password security? Is there anything else the witnesses want us to do?
Dr. Richard Browne:
I will ask Mr. Stephens to give a very brief outline of what is in that recently published note. Just before members go into the detail of the guidance to the political system, it is important to point out we have done a huge amount of work for many years on electoral security with the Oireachtas and with partners across the Government. It is important to note that in the first instance, this is a serious issue. It is often the case that politicians themselves and political parties are the primary targets. They are the ones in the public domain; we are not, for the most part.
I think it is also important to note that I would not overestimate the extent to which this is really a cybersecurity issue. Very often, it is a cognitive issue. The people who are seeking to disrupt elections very seldom do that by cyber means. They do it by changing what people think about elections. If we panic and overstate the risks, we are actually playing into the hands of those who would seek to do this. Democracy can be protected in lots of different ways. Being calm about the risks is one of the ways that can happen. Would Mr. Stephens like to give a brief high-level outline of the recently published note?
Mr. Joseph Stephens:
I think Dr. Browne has touched on the key point in the advice we have given to political organisations like political parties, as well as parliamentary staff and politicians. While the most talked-about risks might be things like deepfakes, artificial intelligence and so on, our experience of elections throughout the globe has been that it has really been smaller-scale, individual hacks on people's Gmail accounts, social media accounts and personal devices.
It is really important, as politicians, electoral candidates or prospective politicians, that people are taking those basic security measures that Dr. Browne talked about earlier on. Is multi-factor authentication turned on? When logging into Twitter, does a code have to be approved somewhere else or can I log straight in with a password? If Twitter can be logged straight into with a password, a malicious actor could guess the password and get into the account and spread malicious information from the account, which could have an effect on the election. The idea is not, as Dr. Browne said, to steal information, it is to affect people's perception and make them think something malicious has occurred in respect of the election.
We also have provided advice directly to the local authorities who are running the elections. That is not public advice; it is being provided directly to them. We see the risk as being much more on the candidate side rather than in respect of the systems. In Ireland, as our approach is very much paper-based, cyber is not as much of a concern there. That is really it. The advice is very straightforward and we have tried to keep it as simple as possible. We have linked in with the Electoral Commission and Coimisiún na Meán has also given advice on wider issues in terms of security. We are at the disposal of Deputies and electoral candidates and we are open to providing additional advice if anyone has any questions.
Gerry Horkan (Fianna Fail)
The concept of a password manager seems slightly counterintuitive to me, in that one is putting all one's trust in somebody not being able to hack into the password manager. Could Mr. Stephens develop that concept?
Gerry Horkan (Fianna Fail)
Does it not make it very vulnerable if somebody manages to hack that?
Gerry Horkan (Fianna Fail)
The corollary would be if it is really simple, it is a gateway into many other things.
Mr. Joseph Stephens:
Exactly. We do not push password managers very strongly because they are a little inconvenient. For high-risk individuals, I would say they definitely need to be used. For the average person on the street, I think the penetration of password managers is less than 5% of people. I would recommend focusing much more on having good passwords. What people do not know about passwords is-----
Gerry Horkan (Fianna Fail)
Not having the same common password for lots of different things.
Mr. Joseph Stephens:
Not having the same common password. People struggle with trying to remember multiple passwords but it can be made a little bit simple. It does not have to be some code that you cannot remember. It can be three words separated by spaces that will create a very long password that is hard to guess for a hacker. It could be three unrelated words like ball, Clare and something else.
That length is difficult for a brute-force attack. Day to day that is why I advise people to make sure their passwords are very long. There are easy ways to do that. As I said, high-risk individuals need to take additional measures and I would very much consider a password manager.
Martin Kenny (Sligo-Leitrim, Sinn Fein)
In regard to facial recognition on phones or devices, is that foolproof?
Gerry Horkan (Fianna Fail)
It could be that the person falls asleep or is drunk.
Gerry Horkan (Fianna Fail)
I thank the witnesses for being here and our members who participated. I thank them for all the work they are doing. It is crucial, in all our lives. There are days when I chair in the Seanad and sometimes there are debates complaining about data centres but I look down and every person in the room, except myself, is on his or her phone. We are all dependent on cyber, data and access to the Internet all the time, and probably more than we should be. That is the way of the world and I do not see it being reversed. What the witnesses do is becoming more important every day.
I thank Dr. Browne and his colleagues, Mr. Stephens and Ms Woods, for coming before the committee today to discuss this important matter.