National Cybersecurity: Discussion (Resumed)

We are continuing our discussion of national cybersecurity. The specific purpose of this meeting is to discuss national cybersecurity in light of the recent cyberattacks on the HSE and the Department of Health. I welcome the Minister of State at the Department of the Environment, Climate and Communications, Deputy Ossian Smyth.

All witnesses are again reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person, persons or entity by name or in such a way as to make him, her or it identifiable, or otherwise engage in speech that might be regarded as damaging to the good name of the person or entity. If statements are potentially defamatory in respect of an identifiable person or entity, witnesses will be directed to discontinue their remarks. It is imperative that they comply with all such directions. For witnesses attending remotely, outside of the Leinster House campus, there are some limitations to parliamentary privilege. As such, they may not benefit from the same level of immunity from legal proceedings as a witness physically present does. Witnesses participating in this committee session from a jurisdiction outside the State are advised that they should also be mindful of their domestic law and how it may apply to the evidence they give.

Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official either by name or in such a way as to make him or her identifiable. I remind members of the constitutional requirement that to participate in public meetings members must be physically present within the confines of the place the Parliament has chosen to sit, namely, Leinster House or the Convention Centre Dublin. Reluctantly, I will not permit a member to participate where he or she is not adhering to this constitutional requirement. Any committee member who attempts to participate from outside of the precincts will, reluctantly, be asked to leave the meeting. In this regard, I ask members participating via Teams to confirm, prior to making their contributions, that they are on the grounds of the Leinster House campus.

For the information of anyone watching this meeting online, Oireachtas Members and witnesses are accessing the meeting remotely, with committee members being in the precincts of Leinster House or the Convention Centre Dublin. Only I, as Chairman, and the staff essential to the running of the meeting are physically present in the committee room. Due to the unprecedented circumstances of Covid-19 and the large number of people attending the meeting remotely, I ask everyone to bear with us should any technical issues arise.

I call the Minister of State, Deputy Ossian Smyth, to make his opening statement. He has approximately five minutes.

I thank the Chair. We meet against the backdrop of the significant ransomware attack on the HSE that has seriously impacted on the ability of our hospitals and wider health services to provide essential services to our citizens and on the front-line staff in the health service who have been working under extraordinary pressure over the last 14 months since the start of the pandemic.

The National Cyber Security Centre, NCSC, has been supporting the HSE in dealing with the ransomware attack since the NCSC was notified of the incident early on the morning of Friday, 14 May. Following this notification, the NCSC immediately activated its national critical cyberincident response plan. Since that initial contact, the NCSC has been working intensively to support the HSE and external contractors in the response to the incident and to restore essential services as quickly as possible. From the outset, the NCSC has liaised with European Union and other international partners to share information and to ensure that the HSE had immediate access to international cyber supports.

While steady progress is being made in bringing systems and services back online, the HSE is best placed to provide updates on the restoration of services and it is doing so on an ongoing basis. The NCSC has also worked with the HSE and external experts to identify the technical details of the malware used in this incident, so that it can share these details with both its constituent bodies and more broadly through advisories. The NCSC has issued public advice concerning the cyberattack on the HSE and general guidance on ransomware attacks. This information is available on the NCSC's website and will be updated as required. A dedicated team in the NCSC has also been providing specific guidance to its constituents, including Departments and Government agencies, together with operators of essential services, on appropriate measures they can take to reduce the risk of further ransomware incidents on their networks. Staff at the NCSC have been in direct contact with the operators of essential services and this will continue throughout the coming days.

I will now provide the committee with some information on the role and functions of the NCSC, including how it supports hundreds of organisations across the Irish public and private sectors as they seek to mitigate the risk of a cyberattack. The NCSC was established by a Government decision and it has a broad remit encompassing the cybersecurity of Government ICT and critical national infrastructure. It acts as a central contact point in the event of a Government or nationwide cybersecurity incident that affects the State. The NCSC also co-ordinates and supports the response to significant incidents, with the lead role being taken by the entity affected by the incident. The computer security incident response team, CSIRT, is the team within the NCSC that leads in responding to cybersecurity incidents. The CSIRT has achieved international accreditation, and it is this team that engages with the affected body to support it in addressing a threat.

Information sharing is a key component of the work of the NCSC, and it acts as a source of expert advice and guidance, as well as a clearing house for information. It takes in threat intelligence data and trends and risks data from national, global and local sources and then analyses the information. Subsequently, the centre ensures that the people and organisations that need those data get them to protect their own systems or to assist them in carrying out their statutory roles. The NCSC is in regular and frequent communication with international counterparts and the exchange of information is a two-way street. The NCSC also supports public bodies, operators of essential services and digital service providers to improve their cybersecurity posture and fulfil their obligations under the European Union's network and information security, NIS, directive. The NCSC takes a proactive role in supporting these important bodies to continually build their cybersecurity resilience through a range of initiatives, including by hosting seminars and workshops.

A great deal of commentary has addressed the level of funding and resources allocated to the NCSC and to cybersecurity across Government. When considering the overall resources available to the State in preventing, mitigating and managing cyberattacks, it is important to recall that the principal investment made by the State is the substantial investment made by individual Departments and public sector bodies in their own IT security infrastructure and IT security staff. In the case of Departments and non-commercial State bodies, this money is funded from the Exchequer and is many times the figure of €5 million which has been quoted in commentary in the last fortnight.

The NCSC team comprises highly skilled, specialist technical civilian staff, with skill sets in areas such as computer science, software engineering, malware analysis, information technology forensics, cryptography, software development, and cybersecurity compliance, as well as general cybersecurity skills.

The expertise and competence of the NCSC team has been very much in evidence over these past 13 days in how the team has supported the HSE in dealing with the attack.

The NCSC had a staff complement of 29 at the start of 2021. In addition to payroll costs, the NCSC has funding of €5.1 million available to it this year, compared with €1.7 million in 2020. I stress again, however, that the principal investment in cybersecurity is in the form of the collective investment made by individual organisations.

Recognising that the environment in which the NCSC operates is extremely dynamic, a detailed capacity review of the NCSC is being undertaken to inform Government as to how the NCSC needs to evolve going forward. This capacity review is being carried out by an expert international consultancy. It is due to report in the coming weeks, in line with the timeline for completion of this work of the second quarter of 2021, set out in the 2019 national cybersecurity strategy.

I will consider the report of the capacity review and its recommendations, together with the Minister for the Environment, Climate and Communications, Deputy Eamon Ryan. Government consideration may also be required, having regard to the focus of the report. It will inform the future developments of the NCSC and it will indicate the extent of any additional resources required to deliver its mandate, the objectives under the 2019 strategy and other emerging obligations arising at EU level.

As I have outlined, the NCSC is working with stakeholders to strengthen cybersecurity across Government networks and critical national infrastructure. Ireland’s national cybersecurity strategy for the period of 2019 to 2024 sets out an ambitious programme of measures to further develop Ireland’s cybersecurity capacity. The key themes of the strategy are to protect, to develop and to engage. That involves the protection of the State, its people, and its critical national infrastructure from threats in the cybersecurity realm; the development of the capacity of the State, of research institutions, of businesses and of citizens; and the engagement by the State, nationally and internationally, in a strategic manner, supporting a free, open, peaceful and secure cyberspace.

An interdepartmental committee, chaired by my Department, oversees the implementation of the national cybersecurity strategy. The committee meets quarterly to review progress. To date, good progress has been made in delivering the 20 measures in the five-year strategy. The capacity review will feed into decisions to be taken, to ensure that this ambitious strategy is delivered in full.

Finally, I want to put on record my gratitude to the HSE staff, the NCSC, external contractors, An Garda Síochána, staff from the Office of the Government Chief Information Officer, international partners and others who have been engaged 24-7 in dealing with this appalling criminal attack.

I would be happy to take questions from this committee on the role and functions of the NCSC, although there may be questions that it would not be possible or appropriate to address in a public forum and particularly where doing so could disclose information which might assist criminals to identify potential vulnerabilities in IT security arrangements.

I thank the Minister of State. I will now call members. The first slot is a Fianna Fáil one. Senator Dooley, you have approximately four minutes.

I thank the Minister of State for his presentation. He will rightly understand that, as politicians, we all share the same objective. It is, in the first instance, to try to understand insofar as we can, what vulnerabilities existed that we might have protected against and then what we can do, from a legislative perspective, to put ourselves front and centre in the defence against the next wave of cyberattacks. I have watched the Minister of State's television and media appearances in recent days and it is clear that he is far better versed in this area than I am, or perhaps others are. He is well suited to the job at hand.

From my perspective, I want to understand what gaps he has identified. Is it possible that we could have been better protected or that our overall defence architecture could have been better? This is not about blaming anybody. It is about an iterative approach to the learnings towards finding a solution. It would be remiss if we were to dive in and attempt to find a solution without first taking a careful approach to understanding what happened and what needs to be put in place.

We had some discussions last week about a review that was already under way. Is there some report or perhaps a draft report in place? Maybe the Minister of State could confirm that and whether he would be in a position to share that with the committee on a confidential basis, if necessary. We all recognise what happened here. There are committees in other jurisdictions that are briefed in a very detailed way about matters of national security, and this is certainly one. It is the case that documents circulate from committees but in an issue like this, it might be worth, on a pilot basis, briefing the committee and, if necessary, having people sign the Official Secrets Act, to see if we can develop some kind of an approach towards an ongoing process in terms of an input into the defence.

I do not know if the Minister of State had the opportunity to hear some of the briefings yesterday but one of the contractors made it clear that cybersecurity is not a destination; it is a journey. That would seem to suggest that we need to be engaged on an ongoing basis. I will leave it at that and will listen to what the Minister of State has to say.

I thank Senator Dooley. He is absolutely right that cybersecurity is a journey, and not a destination. I will start with the Senator's question on what vulnerabilities might have shown up that we might have protected against. That question will be analysed as a result of the three inquiries that will go on. Clearly, the focus right now is on resolving the problems with the HSE's network and getting its services working again. However, the Garda investigation is going on. There will be a data protection investigation. The HSE will have to report back to us. It is doing its IT investigation to see how this happened. It will report back to the NCSC and we will analyse and strengthen as a result of that. We do not know the result of this yet.

In terms of the report of the capacity review, which was commissioned at the start of the year, this was envisaged in the programme for Government, that we should review the capacity of the National Cyber Security Centre to see whether it is capable of carrying out its functions and how it compares with other cybersecurity centres of similar size with similar challenges around the world. Are there any skills that we do not have? Does it need additional resources? It is not just a question of what we do this year, but of how that plays out for the next five years. How should the National Cyber Security Centre develop over the coming five years to address increasing challenges? Obviously, every year more services go online, more people go online, and the threats become larger, as these cybercriminals collect ransoms from companies which pay up. They are becoming stronger and there is an arms race, then, between them and the cybersecurity professionals in protecting themselves.

In terms of whether I can publish the report that comes out, I do not have the report yet. A draft has been done. I have been briefed about it by my officials. Of course, it will be reviewed in the light of this most recent incident. However, it will recommend what the staffing should be over the coming five years and whether we are lacking any resources.

I need to strike a balance between transparency, democracy and being able to share with the committee what the conclusions are, while at the same time being able to protect the national interests and make sure they do not expose weaknesses to attackers that they could potentially use to their benefit. I am happy to engage with both the Chair and the committee members to find how we do that. I will look at how other cybersecurity centres find that balance between transparency, democracy, and national security.

I thank the Minister of State-----

Can the Senator be very brief? We are very short on time.

I will be very brief. Yesterday we probed with one of our guests, who has an expertise in recruitment, the concern the committee had, and I am sure the Minister of State has too, that the office was without a director for a considerable period of time. The recruitment process seemed to be taking too long. I am sure the Minister of State has read, like others, in our national media suggestions that-----

Please get on with your question.

I know Stephen Rae was writing about it a number of months ago. It would be difficult to find the appropriate person with the salary scale set as it was. We understand that it was at about €89,000 or €90,000, something like the payscale of a principal officer. The evidence that we deduced yesterday was that we need to be looking at somewhere between €200,000 and €300,000, when we take in salary, package and all of that. Is that something that the Minister of State has had any thoughts or views on, or where he might be hoping to go with this particular issue?

I will start by saying that the salary offered originally was not €89,000. To correct the record, it was in the range of €106,000 to €127,000. Second, the figures discussed at the committee yesterday are far in excess of the salaries paid to any other national cybersecurity centre of comparable size across Europe. We discussed that with our partners yesterday. Certainly, I will be recommending an increase in the salary, but it is not a directly comparable role with somebody who is in charge of security in a commercial operation.

They face a different set of challenges. This job will involve aspects of diplomacy, internal Government oversight, management and so on. It is not a purely technical role. We have a chief technical officer. The jobs are not directly equivalent but I take on board what is being said. I will be recommending a higher salary for it.

Does the chief technical officer role attract a higher remuneration package than that of the director?

No. I am happy that the people who are doing those jobs are extremely skilled and well able to do them. The jobs are not directly comparable. The set of obligations and the compensation one gets in a commercial company are very different to what happens in the context of the Government. There will be no penny-pinching here. It is not the case that we will underpay or try to get a bargain. Everybody understands how absolutely critical this role is.

I will take up that point. The Minister of State referred to the job offer being €106,000 to €127,000. Did the Department get people applying and were the applicants deemed not suitable? What does the Minister of State regard as a comparable salary for a similar position elsewhere? What range of salary are we looking at? What will the process be to recruit such a person now?

We did receive applications. The person who was selected and who went through the process knowing what the salary was eventually decided, for personal reasons, not to proceed with taking up the job.

How long ago was that?

Approximately three months ago. It is a new position. The idea of having a director of the National Cyber Security Centre was a new position created at the end of last year. The initial candidate who went for it decided not to take up the offer. We will go back out to the market. We will be looking for somebody and will be offering a higher salary. I have not decided on that yet and will not give the range, but it certainly will be considerably higher than what was offered before.

So it will be higher than the €106,000-€127,000 scale.

Exactly, it will be a higher grade.

What is paid for comparable positions elsewhere, such as in the UK, or countries of a similar size to Ireland such as Estonia? Does the Minister of State know what salaries are being paid for similar roles?

I do not have those figures to hand but I would be very happy to provide the committee with a list. I presume the positions have openly known salaries that are a matter of public record.

The Minister of State is looking at a salary well in excess of €127,000.

I am, but the decision will not be mine alone. I will go back to discuss it with the Minister for Public Expenditure and Reform, Deputy Michael McGrath. He will certainly want to know about it. Then it must go to the Government. A memo will go to Cabinet asking it to agree to the appointment. It is not solely at my discretion but I will make a recommendation on it. I will take into account that it will be in the context of what a person would be paid to do the job in a country of similar size for a similar national cybersecurity centre.

That is to be welcomed. When is it expected to advertise the position?

In the next few weeks.

Mr. Pat Larkin was a witness before the committee yesterday. He said that he measured Ireland versus the UK spending in cybersecurity per capita. Mr. Larkin expected that we should be spending in the order of €50 million per annum, but we are spending about €5 million per annum. Does the Minister of State believe that the National Cyber Security Centre is under-resourced? Does he agree with Mr. Larkin's figure of €50 million? What is the Minister of State's view on this, as the person in charge of the area?

Our current funding is approximately €7 million, including pay and non-pay for this year. This is a considerable increase on last year. The €50 million figure quoted is, I believe, based on a per capita comparison with the UK. Clearly, the UK is in a completely different situation. It is a nuclear power, it has a different type of security apparatus, it has the Government Communications Headquarters, GCHQ, it carries out mass intelligence surveillance and there is a different relationship between its service and the public. Ireland has a very different set-up. Our cybersecurity function has different roles and responsibilities compared with what is relevant in the UK.

What level of funding would the Minister of State like to see in place for cybersecurity for the State in the context of policy, advice and structures?

This is exactly why we carried out a capacity review beginning at the start of the year. An external consultancy looked at what we are spending, to compare it with other countries and to tell us how much we should be spending ongoing over the next five years. I have not seen the report yet and I will have a lot more information about that when I do see it.

Does the Minister of State expect that we will see a substantial increase in cybersecurity funding from the Government and the State?

Yes. The cybersecurity budget was tripled last year and I would imagine that it will go up again next year. This reflects increasing threats and increasing numbers of people going online. It also reflects the increasing difficulty in trying to deal with cybercriminals. It is an increase in budget and it is an evolving market. Certainly, we will see an increase in this year's budget. Of course we will.

I thank the Minister of State.

I thank the Minister of State for the update. I will pick up on some of the points already made, but I will come at it from the perspective of the increase in budget that happened last year. I have raised this previously with the Minister of State and with the Minister for Transport. What prompted the tripling of the budget then? Is it the case that flags were raised and the Government responded? Was that response too late and not significant enough? Should we have increased the budget more and earlier?

One of the reasons the budget was increased was a projected increased capital spend, which is to provide a new headquarters for the National Cyber Security Centre. They have identified a location for that and are working with the OPW in that regard. This will provide a joint security operations centre, which is where the CSIRT-IE incident response team can be gathered together when there is an incident that needs to be managed and monitored. That budget increase is so we have that best possible world-class facility. To this end, senior members of staff toured other cybersecurity operations centres in other countries to see how they work. That was part of the reason for the increase in the budget.

The increase in threats and the increase in numbers of services being offered online means that cybersecurity needs more money. This is why we agreed to increase the budget last year, and this is why the budget will be increased again next year.

I thank the Minister of State. Based on what we heard yesterday and at previous committee meetings, we will all be very interested in that review, and especially in the scale of investment needed. We can also see what comes out with regard to the suggestion that the sector and the National Cyber Security Centre is possibly under-resourced to a significant degree.

More broadly, I want to know about the governance structure, and the regulatory and legislative basis of the National Cyber Security Centre's relationship with its up to 150 partners. Is the Minister of State satisfied that this structure is robust enough? Does the Minister of State intend to bring forward legislation, or is there legislation coming from an EU level that needs to be implemented more rigorously here?

How does the Minister of State envisage the governance and regulatory framework changing in the time ahead?

That is a good question. On EU legislation there is the directive on security of network and information systems, NIS, which has been transposed into Irish law. There is a new NIS directive, NIS 2, coming. That is part of the legislative agenda. We also planned in the 2019 strategy to have primary legislation to deal with cybersecurity. That is being developed at the moment. That is on the legislative agenda as well, just to give the Deputy an idea of what is coming.

Of the 150 organisations that are helped in their cybersecurity by the NCSC, approximately 70 are categorised as operators of essential services. The HSE is one of those. Then there are Departments and, for example, large commercial facilities that also work with us and get advice, the research we share and information about threats. If there is an incident, the incident response team can come in and help them, just as they have done with the HSE.

There is an analogy here with the fire service. The fire service is there, they come out when someone has a fire and then offer information about fire protection. However, every organisation is responsible for doing its own protection, taking due caution and making sure that it has protected itself.

I thank the Minister of State. I call Senator Gerry Horkan from Fianna Fáil who has four minutes.

I thank the Minister of State for his opening statement. It was useful and helpful for us to get his take on exactly what the NCSC does. According to the previous couple of committee meetings and in general commentary, it seems that the NCSC is responsible for everything on its own. It is almost, as the Minister of State referenced, a GCHQ kind of scenario, but the analogy of the fire service is quite useful. Ideally, one does not need them at all, but they need to be there because if there is an incident, they can get involved.

I asked some of the experts before us yesterday what countries are best at addressing and getting involved with these particular scenarios. They mentioned Estonia, the UK and Israel - somewhat controversially I suppose in the context of other events going on - but they did say that they are particularly good at it. Is there an EU role for this particular office? Could or should there be? Clearly, a threat to one member state is a threat to all of us. Equally, has there been any contact with experts in the field, whether they be Israeli, British or equally any member state, particularly the likes of Estonia, which had a very digital economy when it was set up in 1991?

We have also talked a great deal about funding, salary scales and so on. The Minister of State clarified some of that for us. I suppose his point is that it is every organisation's responsibility, whether it is the Revenue Commissioners or the Department of Social Protection. They have large databases. Almost every family in the country has a link to the Department of Social Protection and to Revenue.

What is the Senator's question?

They are the organisations I am very worried about, because they have so much very private personal data on people, as much as the HSE does.

I thank the Senator. One of the things the capacity review does is that it benchmarks Ireland against other countries, particularly against those of similar size, to see how we stack up. That is going to be of interest. Second, every country obviously has different needs. They are protecting different things. I understand approximately one third of European data is stored in Ireland. We have all these large headquarters of global IT firms and pharmaceutical companies. We have, therefore, different needs. We have a different type of military apparatus and so on, compared to other countries. Every country is different.

As the Senator said, Estonia is often mentioned as one of the most advanced technological countries in the world and certainly in Europe. Scandinavian countries are, of course, as well. I know that from my responsibilities with eGovernment. Certainly, Estonia is a country that is very much online and one that we should talk to and communicate with.

The European Council meeting on communications is coming up on 3 June 2021. Ministers from every member state will discuss cybersecurity. That will be on the agenda. I will certainly take the time to talk to my counterparts from the countries from whom I think we could learn the most.

I wish the Minister of State well in this regard. There is no point in us trying to reinvent the wheel. I accept that different countries have different priorities. However, I was interested to hear yesterday that some countries are proactive. They have their own team of hackers trying to hack into their own systems. I am not sure that we have anybody doing that. Maybe the Minister of State is not in a position to tell us. No more than people check their windows and doors at night to make sure that they are locked, we need to have people testing these systems. We need to have -----

I thank Senator Horkan.

We do. It is a normal part of security practice to, for example, send an email to everybody in an organisation and see what proportion of them click on the link in an email that is trying to phish or store information. Typically the results of that, even in software companies that are very advanced, are that between 5% and 10% of staff members still click on the link. One's security team has to accept that this will happen and that, once somebody is in the network, they cannot progress all the way through. That is the idea of defence in depth. That advice comes from the NCSC and is available to any organisation that wants it.

I thank the Minister of State. A number of members want to come in so I am conscious of time.

I call Senator Buttimer in the Fine Gael slot. He has four minutes.

I thank the Chair. I want to commend the Minister of State on his excellent handling of this.

Yesterday, the Mercy University Hospital, Cork, which is a voluntary public and private hospital, went before the High Court where they sought an injunction to prevent the publication of personal medical and private data of patients of the hospital. They should not have had to go alone. They should have been conjoined with the HSE. What is the status of other private and voluntary hospitals? First, have any random messages been left for them? Second, where do they stand in terms of the sensitive data of patients in their care? Third, is the Minister of State aware of the status of the HSE regarding other voluntary or public hospitals, particularly in Cork, but across the country?

I thank the Senator for his question. As I understand it, a voluntary hospital is an independent body, separate from the HSE, although greatly funded by the HSE.

The Mercy University Hospital Cork had some systems that were tightly integrated with the HSE systems and the attack spread into their systems as a result. I do not think they were specifically targeted. There was no indication that the ransom note was any different from that left on all the other HSE systems. The reason that they took a separate legal case is they are a separate legal entity from the HSE. Legally, they were advised that they had to get their own injunction to protect their own data. There is no suggestion that they are in any way more at risk than any other parts of the HSE. There is certainly no information yet that any of their data have been leaked or are at risk.

As I understand it, the process that the HSE is going through at the moment started with restoring their central services in their core network, their radiology system and their patient administration, and it then went out to all the different regional hospitals to make sure that they all came back online. As the service was restored and the hospital was restored, the two things work together. They are making great progress in that regard. I do not know if Mercy University Hospital Cork is entirely back online. What I do know is that the HSE is publishing regular reports on its website, where people can go to their own county, look at a particular hospital and find out which of its services are back. There is, therefore, an indication of that.

Given the model of healthcare that we have, what is the status of other voluntary and community hospitals? Hospitals are intertwined with the HSE. This is not just about funding but about the provision of services. We have outsourced, as the Minister of State knows quite well, many different aspects of our health service. Where do other organisations stand? Will they have to seek an injunction? Are they conjoined and included with the HSE? It is important to give comfort to people who are concerned about their own privacy and information being put in the public domain.

Some hospitals were almost untouched. From talking to the IT staff in St. Vincent’s University Hospital, they never had to stop any of their systems. They managed to continue. I cannot imagine that they are going to be joining into any future injunctions.

It is really a legal question for those hospitals. If the hospital is a separate, independent legal body and finds ransom notes on systems within the physical hospital building, then it may be advised by its lawyers that it needs to seek a separate injunction. It is a legal question for the hospitals to discuss with their counsel.

That applies to all service providers that are section 38 or 39 organisations and that have interactions with the HSE.

I thank the Minister of State for his work.

I welcome the Minister of State's presentation. To put it starkly, Mr. Padraic O'Reilly stated yesterday that ransomware attacks have gone up by 311% in the past number of years. Mr. Pat Larkin told us that where they once dealt with one ransomware attack a week it is now happening every day. We all get that this is incredibly serious. I think we would all accept that, due to the ad hoc nature of the HSE and the historical way the network architecture and whatever else was designed, it was probably susceptible to such an attack. We need the results of the review to be communicated to us in whatever way so we can play a part in that. That review will deal with staffing and any capacity requirements.

Can the Minister of State provide any information on the primary legislation being suggested and what gaps it would be designed to try to plug? Obviously there is a need to deal with this problem in a technological, legal and international way. We want these people to become pariahs and we want it to become uncomfortable for states that have allowed some of this activity to continue. As regards the critical organisations with which the Minister of State is dealing, it is hoped that the NCSC has sufficient capacity to ensure compliance and enforcement. What is the state of play in that regard? I accept that the Minister of State is not going to give specifics. Some of the speakers yesterday talked about the fact that the budget is insufficient. They also said we need a greater level of maturity and a defensive ecosystem, and that we not only need defensive capacity but also counterstrike capacity.

I believe Deputy Ó Murchú has experience in the HSE and in IT so this is an area about which he knows something. He asked if the HSE is particularly at risk. It is a very large body. Whole hospital groups are at risk and part of the reason is that, by their nature, there are life-and-death situations going on all the time. There is a pandemic going on, staff are running around and IT security may not be top of their priority list. That is especially true when they are being asked to rapidly develop new systems to cope with the pandemic and bring them online within a couple of weeks. All the staff were working hard to enable the clinical staff to work from home. They were under pressure but the HSE was in a much stronger position this year than it would have been two years ago, for example. Since then, its IT staff and budget have been doubled to €203 million. It is a much more resilient organisation and when this episode is over it will be more resilient still.

As regards the primary legislation, at the moment the NCSC does not have a statutory footing, although the CSIRT does. The NCSC is not defined in law and giving it statutory powers and roles and so on would strengthen it. It would also enable it to co-operate with other national cybersecurity centres across Europe and tell them it is actually legally empowered to do these things. In other words, we can get enhanced co-operation.

I obviously cannot comment on the ongoing Garda investigation, what the source of the problem was or how the Garda is getting on in pursuing the criminals. Was there anything else the Deputy wanted to ask me?

I referred to protective or defensive capacity but also-----

Offensive capability.

The NCSC has no mission to carry out offensive counterstrikes. That is not part of its function. It is there to provide advice, research, risk assessments and incident response. It is not going to hack the hackers back, if that is what the Deputy is asking. That would not come under my remit.

I accept that. That is one of the things that needs to be looked at. Maybe it is beyond the NCSC.

Briefly, Deputy.

We are talking about the organisations with which the NCSC is dealing. We need to make sure it has the capacity to carry out the risk assessments. Where are the risk assessments for some of these critical organisations? Without getting into a huge amount of detail, are the Defence Forces and the Garda sufficiently connected with the NCSC and are they resourced to be as fit for purpose as they need to be?

The Garda and the Defence Forces both have a position within the NCSC. They have staff seconded into the NCSC so there is a connection between those organisations, which is very useful. I understand the Garda National Cyber Crime Bureau has doubled its numbers and now has around 140 staff. A huge amount of cybercrime goes on. As everything is moving online, because life is moving online, a lot of crimes are being committed online. There are good connections there.

What is the lay of the land as regards the risk assessments for these organisations?

All of these organisations are required to carry out risk assessments, although not all of them were complete. Some organisations were engaging with the NCSC and explaining how far they had gotten. It is a co-operative thing. It is not about catching them out and clamping down on them; it is about us helping them to fill in those holes. All of those organisations would have been involved in risk assessments.

I thank the Minister of State for his opening statement and contributions, as well as for filling in the gaps about the NCSC's capacity and how it works over the last few days. He mentioned that the NCSC's work involves cybersecurity resilience through a range of initiatives, including hosting seminars and workshops, and working with Government agencies and Departments in that regard. Does the NCSC perform audits on Government agencies? Does it have that power? Is it within its remit to go to an agency and say it is going to do a rundown of its system and if it sees any issues they can work through them? Would that all have to come to the NCSC from the agencies? If a systemic flaw or weakness is found, does the NCSC have any powers to compel an agency to fix it? Obviously one would imagine it is in an agency's best interests to fix any weaknesses that are found but has there ever been a case where an agency said it did not have the funding to fix any structural issues, against NCSC advice? How does that dynamic work? What powers does the NCSC have in that regard?

The Deputy's first question was about whether the NCSC audits Government agencies. It does not. It also does not issue compliance orders against other Government agencies, on the basis that one Minister does not tell another Minister what to do. However, that does happen for organisations providing essential services, such as gas or electricity services. The operators of essential services can be, and are, audited by the NCSC and it can issue compliance orders against them. It is empowered by the NIS directive if there is something the operator has not done. That is the balance. There is a difference between risk assessments and audits. Several audits have been ordered by the NCSC. Does that answer the Deputy's questions?

It does. The other questions I had planned to ask have already been asked so I am happy to surrender the remainder of my time, particularly as we are running out of time. I thank the Minister of State.

I thank the Deputy for his generosity. I call Deputy Lowry.

I thank the Minister of State for his frank and clear outline of where we are and, more important, where we need to go.

We have discussed the leadership role within the cybersecurity centre. Obviously, there is a need for that to be dealt with. However, there is also a need for backup support and new architecture to be put in place. In relation to technicians and recruitment, do we have sufficient numbers of people with the necessary skills, qualifications and expertise? At the moment, everyone is on alert. The private sector will also be seeking to recruit these people. Is the Minister of State satisfied that the State can recruit and that the terms and conditions of the offers that we are making will be sufficient to attract people into our cybersecurity centre?

Second, I wish to ask the Minister of State about indications from the private sector on the payment of ransoms. The State, the Minister of State and Government have taken the correct decision to refuse to pay a ransom. If we pay it once, we will be paying it forever. I am getting a fair indication from the private sector that many companies have already succumbed to the pressure and have paid ransoms. What indications are the Minister of State and his Department receiving to that effect? In respect of the HSE and the other State agencies that have a duty of care to protect information, where does the Data Protection Commissioner sit in this? Is there an open line of discussion between the Government and the Data Protection Commissioner?

I thank the Deputy for his questions. I know that he has experience in this Ministry.

The first point I would make is that in respect of recruitment, the NCSC has told me that it has not had any difficulty in the past. It is recruiting both from the private and public sectors. There is an attraction to working in such an important and key role in defending the country in that way and defending our critical infrastructure. My impression, from working very closely with the staff over the last few weeks, is that they are very engaged, highly motivated, have good morale, are extremely skilled, and that we are not in a position of being under-resourced. However, demand for additional resources will, of course, increase over the coming years as the threat increases.

The Deputy also asked about private sector companies paying ransoms. That is what the criminals describe as their business model, but it is really an extortion racket. The idea is that a company is put in a position where it is faced with a choice of paying a ransom or going out of business because its reputation will be so badly damaged, it will not be able to find its customers or how much its customers owe it. It is an existential choice. It is not the same for a non-profit organisation or a Government. We will not go out of business if we do not pay the ransom. Therefore, it is a different situation. If people do not pay the ransom, then the criminals cannot continue and it is the end of their business. Of course, we want to find ways to ensure that people do not pay ransoms. However, I do understand that when a company is put in that position it is do or die. That is the situation with that issue. We have taken the right decision. Other Governments and private companies are supporting us in this and agree that if we were to pay the ransom it would attract more of the same.

On the data protection question, data protection comes under the remit of the Department of Justice. I cannot comment on what the Data Protection Commission will do. It has a statutory function and investigates when a data protection breach occurs. There has clearly been a huge breach in this case. I cannot comment on what the commission will do. However, I think we can all expect what is going to happen.

I thank the Minister of State for joining us today. I am aware that he has plenty of other things to be doing at this time.

I stated yesterday that Ireland lacks security awareness and a culture of security. It may well be based on some sort of belief in the goodness of people, which, I might say, is misguided. Does the Minister of State believe that we should increase the budget for national cybersecurity to the €50 million that was projected by Mr. Pat Larkin yesterday?

I circulated a paper last night which the Minister of State will have received. Every Member of the Houses of the Oireachtas received a copy of a paper written by Mr. Pat Larkin in 2018 in which much of what has happened was predicted. I know that the Minister of State is not long in the Ministry, so I am not pointing any fingers at him. However, it would suggest a lack of awareness.

My colleague, Senator Horkan, referred to ethical hacking. In one of the Minister of State's responses, he mentioned working across other Ministers' areas of responsibility. If I may say to the Minister of State, to hell with the niceties. We are in a war. Cybersecurity is now the fourth realm of national security and we are at war. As we were told yesterday, we are on a journey to which there is no end. Would the Minister of State agree that it is time that we set aside the niceties and started using ethical hacking and finding the weaknesses right across State and semi-State bodies? If we step on somebody's toes in the meantime, sorry about it, but that is what it takes.

Next, I wish to raise the issue of software. We have heard that some of the HSE computers were running Windows XP and Windows 7. If that is true, it is outrageous that it would be allowed to go on. Is the Minister of State going to take steps to ensure that every Government agency updates its software to the most modern version available and has the most modern security software?

Finally, I wish to raise an issue that is perhaps a little out of left field and which the Minister of State may not have expected. He may not wish to respond and I accept that. I have been contacted by a significant number of people who registered on the HSE website for Covid-19 vaccination appointments and all of a sudden started to receive spurious calls asking them for money. I have had a number of the calls-----

I propose to suspend the meeting for a few minutes to resolve the technical difficulties.

Sitting suspended at 1.26 p.m. and resumed at 1.28 p.m.

I am sorry that the Minister of State is being dragged through this again. There is no need for me to go over my questions again. The Minister of State was doing a good job in responding to them. I am a little concerned about the Minister of State's point that we are not at war. Even if they are criminals, I do think that we are at war with them. We must be proactive as well as reactive in cybersecurity.

In my 25 years of teaching computer networks, I have seen what happens when one is forced to use a piece of legacy software.

I recall the National Gallery once had a piece of software dealing with temperature that was not compatible with Windows. It was taken out of the network so it could continue to work. If we have legacy software running big MRI machines it should not be live on the same network as machines that are properly secure. I hope the Minister of State will agree with me on this.

The Senator asked whether the data collected as part of vaccination was at risk, and he named some of the various data fields collected. To put the Senator's mind at rest, my understanding is they are collected by a system in the cloud developed very recently by IBM and they have not been affected by the hack and all of those data are safe.

On the question as to whether we are at war, I believe the Constitution defines when Ireland goes to war. It is a particular state and we are not in that state at present, unless it is a metaphorical war such as the war on drugs or the war on poverty. All institutions of the State are working. I am seeing a lot of harmonious connections between the Departments. Everyone recognises this is a threat to all of the patients and users of the HSE, which constitutes everybody in Ireland. Everybody is working on this at maximum capacity. There is no problem about parts of the Government not co-operating with each other. I meet the Ministers for Health and Justice every day to make sure our response to this is co-ordinated and there really is no problem in this regard.

I am conscious we have another group coming before the committee and I want to allow everyone in so I ask members to be brief.

I will be brief. I welcome the Minister of State, Deputy Smyth. There has been a lot of talk about the salaries and payments required to recruit specialists. Does the Minister of State believe other factors are at play in recruiting such specialists to our NCSC?

Certainly people consider more than money. We do have to pay good and adequate salaries but people are proud to work in the NCSC. They are protecting their country and their vital infrastructure, and they are co-operating with the security apparatus of other countries throughout the world. It is a high-status job and a job people are proud to do. There are more factors than just money involved.

Has the headcount been increased in recent years in the National Cyber Security Centre?

It has. It was at a dozen four years ago and we now have a headcount of 29. It will increase over the coming years. In 2017 it was 12 people, in 2019 it was 22 people and it is 29 in 2021. The capacity review projects an increasing number of staff over the coming four years. We must remember they are a very small number of the staff involved in cybersecurity in Ireland. Throughout the various Departments, for example Revenue and the Department of Social Protection, there are extensive security teams, each of which could be larger than the NCSC itself. Bodies such as Irish Water also have their own cybersecurity teams. It is not the case that, as described in the media, there is €5 million for all of Ireland's cybersecurity and 29 people are doing it. This is simply not the situation.

I get that it is a much more complex situation and that other organisations have their own responsibilities and roles to play. With regard to the incident response by the NCSC, does the Minister of State believe it demonstrated the required capacity in responding to attacks?

The response was exemplary. It was immediately on site and connecting into the network and advising people. I had no sense at all there was an inadequate response or that it was unavailable to do it. I really felt it was very professional. It immediately brought in FireEye, the security consultancy from California with which it has an existing relationship. It is the organisation that carried out the capacity review in the first place. It had offers of support from security consultants who are academics, from the Garda and from the Defence Forces. Many people were on site within a short period of time. That day, there were 300 people available to work on it. Really, the key people to carry out the work were the HSE's own IT staff because they are the people who know their own systems. They have been critical to this. They worked through the first few nights and it was day and night work to get the systems back. I am very happy with how it has gone but there will be a review of how the attack happened and how the response went. Once the systems are back online and the patients are getting all their services again that will be the time to carry out an investigation.

I thank the Minister of State and ask him to pass on our thanks to the team and our ongoing support for what is required to continue on this cybersecurity war, as it has been referred to.

One of the take-home points from yesterday was that it could take five to ten years for Ireland to have indigenous domestic capacity to fully fight off cybercrime and yet, in that timescale the whole world will change entirely and there will be new forms of attack and software. We will set ourselves a goal but by the time we get to that goal, it may have passed us out again. A point I made yesterday was if this is what the next decade will look like and if the past fortnight has proved that Ireland may be the soft underbelly of Europe in some ways and we may be open for more attacks, it may be prudent to look beyond our shores to other countries that have a high budgetary spend on cybersecurity and that are allies of ours within the European Union and to lean on them for a bit of support. Senator Craughwell called this a war. It is not a war but it is a conflict of sorts. By leaning on a European neighbour with a well-developed capacity to do this, we would not compromise our neutrality, to call it that, in any shape or form. We would be doing something smart, which would be to view this as an immediate problem that needs immediate redress.

It scares me to think it could take five or ten years. Yesterday, we had a debate about the cost of hiring the helmsman or helmswoman for this organisation. I believe we are getting very caught up in that issue and are not looking at where the next attack could happen. As a former primary schoolteacher, I fear for the sensitive data of many schools on Windows XP and Windows 7. Tusla files could potentially get out there. Worst of all would be if the Garda PULSE system was hacked in some way. Imagine how atrocious it would be, were sensitive files from the local Garda station to be circulating online. Will the Minister of State take on the point there should be some leaning on our European neighbours?

I do not accept Deputy Cathal Crowe's contention or premise that Ireland has proved to be the soft underbelly of European cybersecurity. Yes, we have sustained a significant attack and the attack is far worse than anything that has happened previously in Ireland but these type of attacks are happening throughout the world in countries that have an extensive security apparatus. For example, in the United States there have been 300 very large-scale ransomware attacks on major corporations, including 16 hospitals or emergency departments, in the past year alone. It was revealed last week that an insurance company in Chicago paid out a $40 million ransom. This is in the country that has the National Security Agency, the Department of Homeland Security, the CIA and the FBI. Despite all of this, these organisations have been penetrated and attacked and there has been an attempt to collect ransom. The single incident that has happened in Ireland is not proof there is something fundamentally wrong with Ireland's cybersecurity. Of course it will be a lesson, and it means we will be stronger and more resilient afterwards. We are looking at what the next threat is.

The Deputy spoke about co-operation with our European neighbours and this is absolutely essential. We are a small country. We are 1% of Europe's population. We rely on information sharing and co-operation sharing with our European partners and we are well regarded in this way. We are heavily engaged not just with European countries and members of the EU but also with the UK and the US, and they have been very helpful throughout the incident. As the Deputy knows, there was an attack on a regional health board in New Zealand.

Within hours, my Department was sharing information with them about their experience with the ransomware. That type of co-operation at policing level and computer security incident response team, CSIRT, level is critical. It is the way we can defeat these criminals. The criminals are going around attacking people in whichever country they want. If all the police forces and cybersecurity teams combine, they can track the criminals eventually. It just takes surveillance.

I thank the Minister of State for his response. This gives him a mandate to seek significant funding. In years heretofore, there has been a bit of a Craggy Island approach to computers, including passwords taped onto the covers of laptops, etc. We are at a crossroads from which we either go whole hog, invest heavily and show the world we are cyber safe or we go the other way and say we are going to lean on our European neighbours and concede that we will not have the capacity to build a big system but rely on the fact that we have neighbours and good allies who have that capacity.

It is not a choice. We are going to do both. We are going to continue to increase funding, as we did last year, and we will co-operate with our European neighbours, the UK and the US.

I want to return to the issue of the budget. The committee heard yesterday from Mr. Pat Larkin who is concerned that we are spending one tenth of the amount being spent across the water in the UK in this critical area. Will the Minister of State outline his plans to increase the budget and capacity to deal with this issue on behalf of the State?

I thank the Deputy. I will say again that a capacity review was launched in January. Over the past five months, analysis has been performed by external people to see in what ways we need to increase our budget, in which areas we need additional skills, where we need more staff, whether we need more resources and in which of the coming five years we will need more resources. We have commissioned that review. A draft report is being prepared and will be looked at in the context of the recent attack. The result will be a recommendation about budgets and staffing levels for next year, the year after and the year after that. I have no doubt that the requests for those budgets will be met and I am sure the State fully understands the importance of protecting its data, essential services and critical infrastructure.

I have two quick questions, the first of which relates to HSE patients and will be a concern for members of the public watching this meeting. When does the Minister of State anticipate the HSE will be back to normal and seeing patients, those who are now waiting for appointments? Does the Minister of State think the National Cyber Security Centre, NCSC, needs to be put on a statutory footing to strengthen its capacity to deal with cybersecurity? What message does the Minister of State have for the HSE patients, the public out there, as to when the HSE, hospitals and the Department will be back to normal practice? Will the Minister of State be putting the NCSC on a statutory footing?

The HSE is bringing back services as quickly as it can. It has prioritised its services, starting with its most important ones, its core services, and then it will bring back hospitals. HSE CEO Paul Reid has said it will take a number of weeks but I can say the most important services will come back first. I understand the core systems are all working again and it is a matter of ensuring that all the machines that connect to them will come back. I cannot give a clearer statement than that because cybersecurity is my area, rather than HSE services. The HSE is best positioned to make recommendations. The HSE website has a county-by-county breakdown, down to the level of each hospital, stating what is available and what is not. That is available on a daily basis.

The Chairman asked about putting the NCSC on a statutory basis and whether I want that to happen. I do. Primary legislation is coming. The NCSC is not defined in statute at the moment and does not have a statutory role or the power and authority that would arise from that. The incident response team has that authority. I am looking forward to the NCSC being put on a statutory footing.

I thank the Minister of State.

On the basis of the Chairman's last question, it is important that we invite Paul Reid before the committee to continue this discussion. I am not convinced that other hospitals or agencies are protected. I trust the bona fides of the Minister of State but we need to get Paul Reid in.

We will issue an invite to the CEO of the HSE, Paul Reid, and ask him to come in and work with us in this area. I take that suggestion on board. I compliment the Minister of State on his performance. One must give him credit. He has come before the committee in public session. It has been important for us as a committee and for the public. We acknowledge that. We are here to act constructively as a committee but to do that, we need the public to be able to see what is happening. I thank the Minister of State.

I thank the Chair. It is important that questions are asked in an open way because this is an issue that affects everybody.

We look forward to working with the Minister of State in this area.

Sitting suspended at 1.46 p.m. and resumed at 1.49 p.m.