Cybersecurity Policy

As this is my first opportunity to address the Minister in this forum, I extend my very best wishes to him and his family on his recent appointment. Specifically in regard to his role as Minister with responsibility for communications, I would be grateful if he can update the House on his initial assessment in regard to the ability of this country to prevent and protect itself against cyberattack.

I thank the Deputy for his good wishes and look forward to working with him in this Thirty-third Dáil.

First and foremost, our preparation for cyberattacks has improved. I have returned to the same Ministry where I was ten years ago. At that time, a single individual was working on an informal basis, as much as anything else, to protect our systems. That has now been replaced with the new National Cyber Security Centre, NCSC, which is located within my Department. It is the primary cybersecurity authority in the State and has a number of roles, including leading on cybersecurity incident response and on the resilience and security of critical infrastructure.

The NCSC contains the State’s computer security incident response team, CSIRT. This is the body that responds to the full range of cybersecurity incidents in the State. The CSIRT has international accreditations and operates its own, purpose-built, secure incident response software environment. Since its foundation in 2011, the CSIRT has developed significant expertise in managing cybersecurity incidents and now handles in excess of 2,000 incidents each year. The CSIRT has also developed and deployed the Sensor platform across Departments, and deployed malware information sharing platforms, MISPs, across a range of critical infrastructure operators.

The NCSC has a set of statutory powers to ensure critical infrastructure operators maintain and operate critical infrastructure in a secure manner. To date, 67 operators of essential services have been designated. The compliance team in the NCSC has been working with these entities to improve their security since 2018, and formal audits will start before the end of the current quarter.

The programme for Government commits to the implementation of the 2019 national cybersecurity strategy in full. This strategy includes a number of measures designed to ensure our level of preparedness remains appropriate to deal with likely future threats.

I thank the Minister for that informative response. I commend his Department on publishing the national cybersecurity strategy in December of last year. It is a very good document. I am heartened that there is a significant reference to cybersecurity in the programme for Government. It is important considering the number of international technology firms based in the country and the increase in the move towards digitalisation and remote working as a result of the crisis we are going through.

I am encouraged by the fact that a capacity review is taking place in the NCSC. This is vital, particularly considering how small the centre is. It has only 24 staff approximately, and it is operating on a shoestring budget of only €4 million per year, which is very small considering the major strategic risks the centre is attempting to protect this country against.

I have three questions. Is there any indication when the capacity review is likely to be completed? Will the Government commit to publishing it? Will it commit to implementing its recommendations?

It is true that the importance of this work cannot be understated but I am confident, from my initial briefings from departmental officials, that the scale and expertise are sufficient in the office. The Deputy will be aware that there are other areas of expertise in the State, including in the Garda and Defence Forces, where there are additional resources. Bringing those resources together is often what is needed.

I do not have a completion time for the review but I will ask the Department to revert directly to the Deputy on that.

My philosophy in general, even on cybersecurity, is that openness and transparency are often among the best protections in terms of security in that people can see what our structures are and, if there are weaknesses, help us to address them. I will certainly be compelled to follow the advice in the recommendations once received. I would like to implement them as soon as I can.

That is great. I thank the Minister for clarifying that the programme for Government commits to the full implementation of the national cybersecurity strategy, which is good.

The programme for Government has a specific reference to utilising the potential and important role of the Defence Forces in this regard. How does the Minister envisage the relationship between his Department and the Defence Forces evolving over the lifetime of the Government?

I see the relationship as one of co-operation. Primary responsibility will lie with the NCSC. That is proper and it mirrors best practice throughout the EU, where it is in the civil authorities that overall control and cybersecurity management rest. That will involve a lot of collaboration and personnel moving from the Defence Forces into this area. That provides for a healthy level of operational cohesion. The Defence Forces have specific responsibilities, including in managing their own security and systems. That expertise feeds into the NCSC but primary responsibility rightly lies within our Department. That, however, does not preclude the provision of further resources to the Defence Forces. In the programme for Government talks, we discussed the Defence Forces Reserve and the possibility of building up cybersecurity capabilities through it that might assist with the Defence Forces' work and the wider work of the NCSC.