Tuesday, 1 June 2021
Ceisteanna - Questions (Resumed) - Ceisteanna ar Sonraíodh Uain Dóibh - Priority Questions
63. To ask the Minister for Communications, Climate Action and Environment his plans to increase funding and resourcing for the National Cyber Security Centre, NCSC; when the capacity review of the centre will be published; and if he will make a statement on the matter. [29408/21]
I thank the Deputy. The NCSC budget allocation for 2021 is €6.9 million, of which the provisional allocation for salaries is €1.8 million. The Government has trebled the capital and programme funding for the NCSC from €1.7 million in 2020 to €5.1 million in 2021. The funding and resourcing of the NCSC have increased substantially over the past five years. Staff resources at the NCSC have been increased from seven persons at the end of 2016 to 29 persons in 2021.
Recognising that the environment in which the NCSC operates is extremely dynamic, the programme for Government included a commitment to undertake a capacity review of the NCSC to expand the centre's ability to monitor and respond to cybersecurity incidents and developing threats. This detailed capacity review of the NCSC will inform the Government as to how the centre needs to continue to evolve. The capacity review is being carried out by an expert international consultancy and it is due to report in the coming weeks in line with the deadline for the completion of this work, quarter 2 of 2021, as set out in the 2019 national cybersecurity strategy.
The Minister and I will consider the report and its recommendations and, having regard to the focus of the report, it is likely to require wider Government consideration. As I have stated previously in this House, the Government will ensure that the NCSC is properly resourced to meet not only the needs of today, and it will also invest further to ensure the centre is equipped to fulfil its vital role over the next five years.
May I ask about the position of director? What moneys are available to fund that role? When will it be filled? There is considerable interest in that. At what stage are the risk analyses of critical infrastructure that are under way or that have been conducted? When will they be reported on?
Is the Minister of State satisfied the review is comprehensive enough in scope? The remit extends beyond the NCSC. There are some indications from expert witnesses that we need a new regulatory structure, the equivalent of the likes of the Irish National Accreditation Board or HIQA, which set and enforce standards. We do not have that. Does the Minister of State believe we need it?
The Deputy started by asking about the position of director. It is a new position. We sought a new director for the NCSC at the end of last year. We advertised a salary of €106,000 to €127,000 and we identified a candidate but that candidate decided a couple of months later not to proceed. We are going to recruit again. The Minister, Deputy Ryan, and I will suggest a new salary for the position. I will discuss it with the Minister for Public Expenditure and Reform to seek approval for it and then it will have to be approved by the Government. That will be in the next few weeks.
Risk assessments, which the Deputy asked about, are being carried out by every critical infrastructure body in the country, as required by the , the network and information security, NIS, directive. Part 2 of the directive is coming out and I will be discussing it with other communications ministers at the Council of Europe meeting on Friday.
I thank the Minister of State. I ask him to revert to me on the regulatory framework that cybersecurity operates within. The NCSC has an important role and needs to be resourced and equipped but it is one piece in an overall jigsaw. Is the Minister of State satisfied? It was suggested by experts that the system is of a type that needs to be taken within the Department of the Taoiseach. Is the Minister of State satisfied that the overarching systems are being reviewed and assessed?
On a related matter, bearing in mind critical infrastructure such as gas interconnectors, there was a major incident in the United States that had a significant impact. Is the Minister of State satisfied this type of critical infrastructure has the necessary systems in place to minimise the risk of the type of attack that the HSE and Department of Health suffered?
The role of the NCSC is to advise critical infrastructure providers on how to protect themselves. It carries out research and training and when an incident occurs, it provides the incident response, which is exactly what it did for the HSE. It does so under the auspices or framework of the NIS directive. That is the overarching, regulatory framework. We are producing new cybercrime legislation to put the NCSC on a statutory footing. At present, CSIRT-IE is on a statutory footing but not the NCSC. With my European partners, we are developing a new NIS directive, the NIS 2 directive, which will go further than the existing one and will probably extend to more critical infrastructure providers. I am happy with the current position but I remind all Deputies it is the responsibility of all critical infrastructure providers to provide their own cybersecurity and to protect their own networks.