Dáil debates

Wednesday, 2 July 2025

Saincheisteanna Tráthúla - Topical Issue Debate

Cybersecurity Policy

2:00 am

Malcolm Byrne (Wicklow-Wexford, Fianna Fáil)

I thank the Minister for taking this critical issue. As he knows, we all live in a digital world. It is one where computing in general has made our lives better and easier and we are far more interconnected. Artificial intelligence, quantum computing and other technologies have the potential to deliver ever more effective and efficient public services. However, as cyberspace becomes more critical to all of our lives, the risks and threats are also increasing exponentially.

Our society depends on a free, open and secure cyberspace. Ireland should do everything to support those values at a global level. In our engagement in multilateral efforts, we need to ensure international law applies in cyberspace as much as it does on the ground. In that regard, we have to support the work of the United Nations, the European Union and others in this field. Like other countries, there are challenges to Ireland in the cyberattacks we face, including those from other states or malign actors aligned to those states, as well as those who want to hack State infrastructure systems for financial, political or ideological reasons.

I commend the work of the National Cyber Security Centre, NCSC. As the Minister knows, it needs to continue to expand. In one of its most recent reports, it talked about 2023 as being its busiest year. At that time, it received 5,200 cyber reports and while many were minor, it identified 721 cyber incidents that represented a threat to a network and required a response. The National Cyber Security Centre has now found there is enough evidence and information in a number of those cases to attribute activity to specific foreign intelligence and security agencies.

We know that businesses are regularly hit by cyberattacks, but I want to talk about the potential impact on critical State infrastructure. Everyone will remember May 2021, when the HSE faced a major ransomware attack. We know that the costs to date have been more than €150 million, not to mention the many lives that were undoubtedly lost as a result of the attack, as well as delayed appointments and the impact on people's health outcomes.

For security reasons, we often cannot discuss cyberattacks. When I put a question to every Department as to how many cyberattacks they faced in recent years and how much they were spending on cybersecurity, a lot of them replied that they could not answer for security reasons. Interestingly, some of them were able to provide details on how much they were spending on cybersecurity. Given the amounts involved, it shows most are taking it quite seriously.

It is important that we know the State has a plan in place to combat any major cyberattack we face in the future and to address situations where critical infrastructure may be brought down. This could be in health, transport, financial services, Government payments or energy. We need to have an all hands on deck approach if this is to happen, similar to what we have seen with major weather events. I hope we have learned from the experiences of the HSE attack and that we are constantly learning from efforts to attack critical State infrastructure.

The Minister will also be aware of the risk of destabilisation to the State when there is a malicious cyberattack. The spread of misinformation and disinformation represents a threat to democracy. Trust in Government and our provision of services can also be damaged when critical infrastructure is brought down. Our sense of freedom to enjoy certain rights can also be under threat. This issue needs to be taken seriously and I am glad the Minister is here today to take the question.

Jim O'Callaghan (Dublin Bay South, Fianna Fáil)

I thank Deputy Byrne for raising this important issue. The reason I am here is because of the importance of it.

Deputy Byrne is well aware that cybersecurity threats pose a major risk to essential services and critical sectors in Ireland and throughout the world. One of the consequences of being a modern, successful economy is that this is the type of threat to which the country is exposed, I regret to say. I therefore welcome that Deputy Byrne has raised this issue. It is important for me to outline, not just to Deputy Byrne, but to the House, the measures taken by my Department to ensure the State’s cybersecurity resilience and preparedness are where they should be.

Deputy Byrne referred to the 2021 ransomware attack on the HSE. That was a very significant event from the point of view of the country and our preparedness for such cyberattacks. Since then, the National Cyber Security Centre has had a significant increase in its resources. It is essential that those resources have increased very significantly. Back in 2011, the NCSC only had four staff. At the end of 2024, it had 75 staff and an annual budget of €12 million. There is also a commitment in budget 2025 that the number of staff will increase by a further 30, bringing it to more than 100 people working in the NCSC. The continued growth of the NCSC reflects the constantly evolving threat landscape and the importance of a resilient national network.

It is appropriate, and I welcome the fact, that the NCSC has come within the jurisdictional control of the Department of justice. Considering the threat posed to the country, it is appropriate that the Department of justice should have departmental and ministerial responsibility for issues concerning cyber threat attacks.

Deputy Byrne will also be aware that the European NIS2 directive also provides a major step forward for overall European cybersecurity and resilience. It will enhance cyber risk management in Ireland, including generating significant improvements in our capacity to protect against and respond to major incidents. Last July, the Government gave its approval to the priority drafting of the national cybersecurity Bill, which is currently being undertaken by my Department. That Bill will transpose the NIS2 directive into Irish law. It will also enhance the role of the NCSC, which will include national cybersecurity monitoring, resilience building, information sharing and the national incident response. It will give the NCSC specific powers to engage in a range of scanning-type activities to identify systems vulnerable to specific exploits.

The national cyber emergency plan was published in May 2024, and it sets out the national approach for responding to serious cybersecurity incidents that affect the confidentiality, integrity and availability of nationally important information technology and operational technology systems and networks. The NCSC is currently working on the national cyber risk assessment for 2025, which will take into account the changing international threat landscape.

As Deputy Byrne mentioned, it is regrettably the case that some of the attacks taking place on national cybersecurity networks are emanating from malign state actors. It is important that we be prepared in order to respond to and deter that.

Deputy Byrne referred to a number of international agreements. I am pleased to say that Ireland is an active participant in a number of UN and other international processes where issues of cybersecurity arise. Among these is the UN open-ended working group on security of and in the use of information and communication technologies, which was established to develop norms, rules, and principles for responsible state behaviour in cyberspace.

Ireland also participates in the Organization for Security and Co-operation in Europe, in particular as regards cybersecurity, conflict prevention and crisis management.

It is important to emphasise that we are prepared, but this is a constant risk and it is inevitable that we will be subject to further attacks in the future.

2:10 am

Malcolm Byrne (Wicklow-Wexford, Fianna Fáil)

Like the Minister, I welcome the fact that the NCSC is now within the remit of the Department of justice. I welcome the fact that he is giving priority to the cybersecurity Bill, but he might provide an outline as to when he envisages it coming before the House. While I welcome the fact that the NCSC regularly carries out assessments of cyber risk, I wonder if an assessment has been carried out as to exactly how vulnerable some of our critical infrastructure happens to be. For instance, how easy might it be for a malign actor to knock out the traffic lights in Dublin, with the ensuing chaos that would result, or stop all bank payments to public servants or social welfare recipients? What systems do we have in place to seek assistance from or offer assistance to like-minded states if a cyberattack were to happen here? We need to co-operate, particularly with our EU partners. Similar to Storm Éowyn, where we sought assistance from overseas, I believe we will need to seek and offer assistance where like-minded countries are attacked.

This is a global issue and, therefore, when it comes to overseas aid, we should be offering to help developing countries to build their cyber resilience, given the expertise in this country. They are often subject to attacks by some of the rogue states in this area. We need at an international level to start demanding accountability, particularly from the four states most responsible for cyberattacks around the world: Russia, China, Iran and North Korea. They are engaged in or sponsor cyberterrorism, cyberespionage and the spreading of misinformation and disinformation, which represent threats not just to this State, but to others that share our values. In the same way we rightly hold countries to account for actions in wars on the ground, we need to hold them to account where they act in a malign way in cyberspace.

Jim O'Callaghan (Dublin Bay South, Fianna Fáil)

I have had frequent meetings with the Garda Commissioner and the head of the NCSC in respect of the threats to which this country is exposed as a result of malign actors seeking to attack our cyber technology. It is important that I am updated on a continuing basis.

I regret to say that the Deputy is correct, in that the threat does exist. It is a threat not just to our national State-owned infrastructure, as he has indicated, but also to private enterprise within the country. The NCSC is to the forefront in this matter, as am I. There is an obligation on State agencies to ensure that each State agency has measures in place to ensure that it can withstand whatever form of cyberattack is forthcoming. I know it will be impossible for all cyberattacks to be withstood, but if we have preparedness and measures in place in State agencies, that at least will increase and strengthen our resilience.

The Deputy also indicated issues in respect of private sector companies. They all have an obligation to ensure, particularly if they are providing services to the public at large, that they have measures and protections in place so that, be they banks, communications providers or other agencies, their customers are protected in this respect. One of the reasons Ireland is an attractive location for malign State actors or persons who are involved in trying to extract data from private and public enterprises via ransomware is the important link between Europe and the United States. That is a very significant role, one that is now more apparent because of the success of the Irish economy, and we really need to defend it.

The cybersecurity Bill was approved for priority drafting and I hope it will be introduced in the not-too-distant future, but I will get back to the Deputy specifically on that.