Cybersecurity Policy

I thank Deputy McAuliffe for this timely question. The threat of attack by cyber criminals is increasing across the world.  Ireland is recognised by the global cybersecurity index as one of the countries that are ranked highly in terms of our commitment to cybersecurity. Addressing the growing threat requires a combination of responses, including actions by the State, by individual organisations and by all of us, as citizens. While ensuring the security of the networks and information systems of organisations is a matter for each individual organisation, the National Cyber Security Centre, NCSC, plays an important role in this area.

The NCSC was established by Government decision with a broad remit across the cybersecurity of Government ICT and critical national infrastructure. It acts as a central contact point in the event of a Government-wide or nationwide cybersecurity incident affecting the State. The NCSC also co-ordinates and supports the response to significant incidents, with the lead role being taken by the entity affected by the incident.

Information sharing is a key component of the work of the NCSC, whereby it acts as a source of expert advice and guidance. The NCSC gathers threat intelligence data, trends and risks from national, global and local sources, and it then shares that information with the people and organisations who need those data to protect their own systems. It supports public bodies, operators of essential services and digital service providers to improve their cybersecurity posture and to fulfil their obligations under the European network and information security directive. The NCSC takes a very proactive role by supporting these organisations to build their cybersecurity resilience continually through a range of initiatives, including by publishing advisories based on the most recent threat intelligence and by hosting seminars and workshops.

Going forward, it is important that every organisation, public and private, continues to invest in strengthening its cybersecurity resilience. Recognising the need to evolve continually, a capacity review of the NCSC is being undertaken. The review, which is due to report shortly, will inform the future development of the NCSC and the extent of any additional resources required for the NCSC to continue to deliver on its important mandate.

I thank the Minister of State. It is an incredibly difficult time for all those in the HSE. They managed to continue to provide services during what can be only described as an unimaginably difficult 12 months and then faced the difficulties of the cyberattack. My heart goes out to everybody in the HSE who has had to deal with that situation.

We are lucky. I pay tribute to the Minister of State in terms of his experience outside of politics. Having somebody in government who knows this area and brings expertise to it is important. In addition to the 29 staff of the NCSC, the increase in the budget from €1.7 million to €5.1 million has been very welcome. Is it sufficient? What will the review bring?

I cannot say what the review will bring, but I can say what it is meant to determine. Under the terms of reference, the review is to establish if the NCSC is fit for purpose, if it is lacking anything, if it needs any additional skills or staff and how it compares with other similar organisations across Europe and the world. That is the purpose of the review. The review is due in quarter 2 of this year and will report in the coming weeks. I will need to consider it carefully in light of the recent events. It cannot be taken in isolation and considered as if the recent attack on the HSE had never happened. The review will make recommendations. I will publish as much of the review as possible without endangering national defence while at the same time trying to make sure we are preserving transparency and democracy as we consider our cybersecurity.

I acknowledge the work that is being done. In particular, the review will be important because it will ask question whether the NCSC is fit for purpose and what we need to do to ensure it is. In many ways, the cyberattack gives the Minister of State the opportunity to engage with other Ministers on the need for investment in this area. I would support the Minister of State in that regard. The incidents over recent weeks demonstrate we must continue to invest in this area. We need to do it primarily because of the reputational risk it poses to Ireland's foreign direct investment policy as well. I would like to know if the Minister of State intends to engage with the FDI sector in Ireland that has expertise in this area and equally with international defence experts. As I said, I appreciate the work that is being done.

I would agree with an awful of what was said in some of the interactions the Minister of State and I have had on the need for the NCSC review to take into account the shameful ransomware attack carried out on this State. We need to ensure we are up to spec. The general conversation is that 29 staff, no director and a €5 million budget is not going to cut it, but I assume we will get that answer from the NCSC review, which we will need to implement as soon as possible.

I would also like to know the status of the risk assessments that are being carried out. We need to make sure they are completed. Do we need to look to having a great level of capacity? I heard the term "counterstrike capacity" being referenced by a number of experts. Do we need to consider the establishment of another agency, which might fall within the remit of the Department of the Taoiseach or somewhere equivalent to that?

I thank the Deputies. The budget for the NCSC was trebled last year. The review was initiated more than six months ago and so it is not that we are reacting to this incident suddenly. I was asked about co-operation with FDI companies and international law enforcement and intelligence agencies. That is critical and it goes on all of the time. We have been interacting with those agencies and companies and they have been raising this issue with us over many years. There is nothing new there.

Deputy Ó Murchú asked about our offensive capability, which does not fall within the remit of the Department of the Environment, Climate and Communications or the NCSC. The question is one for the Minister for Defence. On the risk assessments, they are carried out by all critical infrastructure providers. They are required to do that and to address any shortcomings that arise as a result of those risk assessments. It is a legal requirement under the NIS directive.