I thank the Chair. We meet against the backdrop of the significant ransomware attack on the HSE that has seriously impacted on the ability of our hospitals and wider health services to provide essential services to our citizens and on the front-line staff in the health service who have been working under extraordinary pressure over the last 14 months since the start of the pandemic.
The National Cyber Security Centre, NCSC, has been supporting the HSE in dealing with the ransomware attack since the NCSC was notified of the incident early on the morning of Friday, 14 May. Following this notification, the NCSC immediately activated its national critical cyberincident response plan. Since that initial contact, the NCSC has been working intensively to support the HSE and external contractors in the response to the incident and to restore essential services as quickly as possible. From the outset, the NCSC has liaised with European Union and other international partners to share information and to ensure that the HSE had immediate access to international cyber supports.
While steady progress is being made in bringing systems and services back online, the HSE is best placed to provide updates on the restoration of services and it is doing so on an ongoing basis. The NCSC has also worked with the HSE and external experts to identify the technical details of the malware used in this incident, so that it can share these details with both its constituent bodies and more broadly through advisories. The NCSC has issued public advice concerning the cyberattack on the HSE and general guidance on ransomware attacks. This information is available on the NCSC's website and will be updated as required. A dedicated team in the NCSC has also been providing specific guidance to its constituents, including Departments and Government agencies, together with operators of essential services, on appropriate measures they can take to reduce the risk of further ransomware incidents on their networks. Staff at the NCSC have been in direct contact with the operators of essential services and this will continue throughout the coming days.
I will now provide the committee with some information on the role and functions of the NCSC, including how it supports hundreds of organisations across the Irish public and private sectors as they seek to mitigate the risk of a cyberattack. The NCSC was established by a Government decision and it has a broad remit encompassing the cybersecurity of Government ICT and critical national infrastructure. It acts as a central contact point in the event of a Government or nationwide cybersecurity incident that affects the State. The NCSC also co-ordinates and supports the response to significant incidents, with the lead role being taken by the entity affected by the incident. The computer security incident response team, CSIRT, is the team within the NCSC that leads in responding to cybersecurity incidents. The CSIRT has achieved international accreditation, and it is this team that engages with the affected body to support it in addressing a threat.
Information sharing is a key component of the work of the NCSC, and it acts as a source of expert advice and guidance, as well as a clearing house for information. It takes in threat intelligence data and trends and risks data from national, global and local sources and then analyses the information. Subsequently, the centre ensures that the people and organisations that need those data get them to protect their own systems or to assist them in carrying out their statutory roles. The NCSC is in regular and frequent communication with international counterparts and the exchange of information is a two-way street. The NCSC also supports public bodies, operators of essential services and digital service providers to improve their cybersecurity posture and fulfil their obligations under the European Union's network and information security, NIS, directive. The NCSC takes a proactive role in supporting these important bodies to continually build their cybersecurity resilience through a range of initiatives, including by hosting seminars and workshops.
A great deal of commentary has addressed the level of funding and resources allocated to the NCSC and to cybersecurity across Government. When considering the overall resources available to the State in preventing, mitigating and managing cyberattacks, it is important to recall that the principal investment made by the State is the substantial investment made by individual Departments and public sector bodies in their own IT security infrastructure and IT security staff. In the case of Departments and non-commercial State bodies, this money is funded from the Exchequer and is many times the figure of €5 million which has been quoted in commentary in the last fortnight.
The NCSC team comprises highly skilled, specialist technical civilian staff, with skill sets in areas such as computer science, software engineering, malware analysis, information technology forensics, cryptography, software development, and cybersecurity compliance, as well as general cybersecurity skills.
The expertise and competence of the NCSC team have been very much in evidence over these past 13 days in how the team has supported the HSE in dealing with the attack.
The NCSC had a staff complement of 29 at the start of 2021. In addition to payroll costs, the NCSC has funding of €5.1 million available to it this year, compared with €1.7 million in 2020. I stress again, however, that the principal investment in cybersecurity is in the form of the collective investment made by individual organisations.
Recognising that the environment in which the NCSC operates is extremely dynamic, a detailed capacity review of the NCSC is being undertaken to inform Government as to how the NCSC needs to evolve going forward. This capacity review is being carried out by an expert international consultancy. It is due to report in the coming weeks, in line with the timeline for completion of this work of the second quarter of 2021, set out in the 2019 national cybersecurity strategy.
I will consider the report of the capacity review and its recommendations, together with the Minister for the Environment, Climate and Communications, Deputy Eamon Ryan. Government consideration may also be required, having regard to the focus of the report. It will inform the future developments of the NCSC and it will indicate the extent of any additional resources required to deliver its mandate, the objectives under the 2019 strategy and other emerging obligations arising at EU level.
As I have outlined, the NCSC is working with stakeholders to strengthen cybersecurity across Government networks and critical national infrastructure. Ireland’s national cybersecurity strategy for the period of 2019 to 2024 sets out an ambitious programme of measures to further develop Ireland’s cybersecurity capacity. The key themes of the strategy are to protect, to develop and to engage. That involves the protection of the State, its people, and its critical national infrastructure from threats in the cybersecurity realm; the development of the capacity of the State, of research institutions, of businesses and of citizens; and the engagement by the State, nationally and internationally, in a strategic manner, supporting a free, open, peaceful and secure cyberspace.
An interdepartmental committee, chaired by my Department, oversees the implementation of the national cybersecurity strategy. The committee meets quarterly to review progress. To date, good progress has been made in delivering the 20 measures in the five-year strategy. The capacity review will feed into decisions to be taken, to ensure that this ambitious strategy is delivered in full.
Finally, I want to put on record my gratitude to the HSE staff, the NCSC, external contractors, An Garda Síochána, staff from the Office of the Government Chief Information Officer, international partners and others who have been engaged 24-7 in dealing with this appalling criminal attack.
I would be happy to take questions from this committee on the role and functions of the NCSC, although there may be questions that it would not be possible or appropriate to address in a public forum and particularly where doing so could disclose information which might assist criminals to identify potential vulnerabilities in IT security arrangements.