Seanad debates

Thursday, 22 June 2023

Cybersecurity and Data Protection: Statements

 

9:30 am

Ossian Smyth (Dún Laoghaire, Green Party)

I thank the Chair, Senator Davitt and those in the Gallery.

During the pandemic, there was an acceleration in the pace of digitisation in Ireland. Because people could not travel around and many facilities, businesses and Government facilities were shut down, they were forced to go online. As people were worried about becoming infected, they were doing things like visiting their doctors online. Many facilities that were not previously available were opened up to be accessed online and, therefore, the pace of digitisation in Ireland accelerated. People ended up doing things online they never expected, for instance, a lot of shopping and so on.

The result of more online activity and more people spending time and money and transacting online meant that was where criminals started to move as well. There is an attraction to carrying out crimes online. Because criminals are carrying out their crimes remotely, they hope they are going to be at a remove from law enforcement. There is also the hope that it will be harder to detect that type of crime and criminals will be able to escape because perhaps they will be in another jurisdiction and will be able to cover up or plausibly deny that they carried out the crime. They will be able to point and say it was not them sitting at that computer at that time.

The result of this is that our State has to defend itself from cybercriminals, which come in different varieties. We have the type of cybercriminal who is just in it for the money. This is the type of gang that carried out an attack on our health service in 2021. They were carrying out a form of crime involving ransomware where they break into the computers in an organisation, take the data, lock it up and encrypt it and charge a ransom to have the information returned. They have two forms of threat in a ransomware attack. One threat is that they will never give the data back and will delete it and the other is that they will take the data and publish it on the Internet to embarrass people. In the case of a hospital, the threat is that the medical records would be published and that people would be ashamed by what was shown. The other type of cyberattack comes from a nation state. This is the type of attack involving either gathering information for espionage or to carry out an influence operation, which is where one country seeks to influence the politics in another country by manipulating perhaps their social networks or by carrying out psychological operations.

We have to defend ourselves against these different threats. The division in Government I look after is a cybersecurity division called the National Cyber Security Centre, NCSC. Its role is to protect Ireland from civilian cybersecurity threats. We have two other divisions that really provide cybersecurity in Ireland, one of which is the Garda National Cyber Crime Bureau, which is tasked with law enforcement and intelligence gathering. There is also a division within the Defence Forces that provides cyber defence and protects Ireland's military installations from being attacked.

Those three organisations, namely, the civilian NCSC, the military cyber defence division and the Garda National Cyber Crime Bureau are all co-ordinated under the National Security Analysis Centre in the Department of the Taoiseach. It is timely that we are talking about this today because as Members know, there is a consultative forum on national security going on around Ireland. Today, they are meeting in County Cork and our cyber security director, Mr. Richard Browne, is discussing the cyber threat to Ireland.

Traditionally, with the military, we could think of three domains. There are air, sea and land wars but now we have the additional domain of cyber war, which is another area that can be used to attack from one country to another. The attraction of using a cyberattack is, of course, that it can be done remotely and that its provenance can be hidden. There is a big downside to it, however, which is that it does not always work. It is not very dispatchable or deployable. We expected at the start of the Ukraine war that there would be a large cyberattack from Russia on Ukraine, but it turned out that did not really happen. There were attempts at it, but it is much easier to fire a missile at a particular location and expect it to connect and for something to happen. A cyberattack might take months to prepare and might not actually work at the end of that time. We are learning in an active war situation about the effectiveness of cyberattacks.

I will briefly run over where the country is in terms of laws, policies, strategies and skills. The National Cyber Security Centre, NCSC, has two purposes. The first is to educate the public, and to provide the information to people so they can protect themselves from a cyberattack. The second is to provide an emergency service, so it provides a similar service to the fire brigade or the ambulance service, in that if one is the victim of a cyberattack or one is hacked, it will come out to one's facility and provide assistance. It has got those twin responsibilities of education and emergency incident response.

Our laws on cybersecurity have to line up with what is happening in the rest of Europe and the rest of the world. The reason for that is that a cyberattack typically happens because of a group of people who are certainly in another jurisdiction, but often in a number of different jurisdictions. Those gangs tend to attack a number of different countries. In order to protect ourselves from cyberattack, we need to co-operate with other jurisdictions and countries. There is a lot of co-operation at European level. To give an example of that, when the HSE was attacked in 2021, we immediately went to our European partners and asked if they had any information about the particular gang that was carrying out the attack, what their methods of operation were, and how we could defend ourselves. We got co-operation right away, particularly from the Polish Government, which had been attacked by the same gang known as the Conti gang.

The overarching law is the information and security directive called the network and information systems directive, NIS 1. That has served its purpose until now, but, of course, the world changes rapidly, and particularly in the technology area. Now, the European Commission has proposed a revised directive called NIS 2. This will require that more organisations in the country are designated as being critical infrastructure, that those organisations protect themselves, that they make sure that the equipment they use is certified for cybersecurity, and that they make sure their suppliers are safe. What we are finding now is that when a cyberattacker goes out to attack critical infrastructure, instead of attacking the organisation itself, they attack their suppliers because they see them as a weaker link in the chain. This is a direct recognition of the extent to which we are interconnected, and how our essential services and important entities are interdependent.

My Department is going to lead on the transposition of this new NIS 2 directive, but it will be a whole-of-government effort to ensure that Ireland fulfils its obligations. We cannot underestimate the scale of the challenge posed by implementing this directive. Of course, the NIS 2 directive is just one of a range of EU interventions aimed at strengthening cyber-resilience and incident response throughout the Union.

Recently, I welcomed the establishment of a new national cybersecurity co-ordination and development centre. This project sits within the National Cyber Security Centre, and its aim is to co-ordinate with industry, academia, research and other stakeholders to develop awareness, and promote funding supports and associated networking opportunities. It will also distribute EU and national funds to industry and societal stakeholders, notably, small- and medium-sized enterprises, with the aim of strengthening the uptake of state-of-the-art cybersecurity solutions. It will also contribute to policy and strategy formation on cybersecurity funding.

This project will run for two years. It is being funded by an EU contribution of €2 million, and another €2.2 million from the Department of the Environment, Climate and Communications. The funding is in line with similar investments in other EU member states. It will resource the National Cyber Security Centre's capacity-building function, and it will finance a support programme for industry and societal stakeholders to facilitate cybersecurity innovation and resilience. This project will start in the autumn. It will help to meet our national obligations under EU law, and will have a focus on creating a vibrant national cybersecurity ecosystem that is engaged with communities in other EU member states. It is an exciting new development for the NCSC, and it is important that we play our part, as a member of the EU, in seizing the cybersecurity opportunities in research, innovation, technical development and commercial exploitation as part of the green deal and digital transformation agendas.

I will mention skills. The best way that we can protect ourselves against cyberattack is through the development of our skills. This applies not just to the high-tech skills - in other words, making sure that university-level people have cybersecurity qualifications - but aims to have everybody, starting from primary school up to secondary school, skilled up in this area. I am very impressed by the work of Professor Rachel Farrell in University College Dublin, UCD, who has been going out to primary schools and developing a programme whereby primary school students can learn to protect themselves online. They have to do that, because we know that children in primary school are on their iPads already, and are the subject of scams, frauds and worse.

At second level, UCD's programme is trying to encourage girls and people from non-traditional Irish backgrounds to get involved in cybersecurity and take it as a career. The reason for that is not political correctness. The reason we want more women involved in cybersecurity and more people from non-Irish or non-white backgrounds is that when one has a diverse team of people who come from different backgrounds, a diverse team, that team is better at solving problems. They have different perspectives. They are in a situation of conflict, and they are competing against a criminal gang that often comes from different countries and different cultural backgrounds. If one has a team of people that comprises all male, middle-aged white people with the same kind of education and background, they cannot solve problems as well as a diverse team. We are bringing female role models into schools and saying to young women and girls to please take this as a career. It is an exciting career. It is extremely well-paid, and it is high-status. One gets to deal with foreign intelligence agencies and so on, and one's work is meaningful and Government-level. We are really trying to encourage people to do that. We are having success in that area, and I am very proud of the work that Professor Rachel Farrell has done.

Cybersecurity is not something that merely affects large companies and organisations like the HSE. It is also something that affects every one of us every time we get scammed, or get scam texts and calls. There are constant attempts to persuade us to share our identities or bank account details. I am impressed by the work ComReg has done, and I believe we have done all the right things in the last two years since the HSE attack to strengthen the defences of our country.
