Cybersecurity Policy

I propose to take Questions Nos. 132 and 133 together.

Cyber-crime and cyber terrorism is an ever-present and growing threat to all sectors of society.

Following the significant IT breach in Munster Technological University (MTU), the Department of Further and Higher Education, Research, Innovation and Science is engaging with relevant stakeholders to understand the extent of the breach and its impacts on MTU students and staff.

It is important that there is clarity about the respective roles of different institutions, agencies and Departments when it comes to the critical matter of cyber security.

- As autonomous bodies, higher education institutions have governance and legal responsibility for their own administrative and corporate affairs, including in their management of ICT infrastructures, risk management - including cyber risk, business resilience and contingency planning.

- At Government level, the National Cyber Security Centre, which is part of the Department of Environment, Climate and Communications, has lead responsibility for cyber security in the State, with inputs from An Garda Síochána and the Defence Forces. Their role covers incident response, cyber resilience and information provision, including to the tertiary education sector.

Therefore, in cases such as the incident in MTU, the primary engagement in responding to the cyber incident is between the institution and the National Cyber Security Centre, with regular updates also being provided by the institution to the Department of Further and Higher Education, Research, Innovation and Science and the Higher Education Authority. There should also be clear communications by the institution to students and stakeholders.

MTU is working closely with the National Cyber Security Centre in relation to the breach, which has resulted in data from MTU’s systems being released on the dark web. MTU Students and Staff that may have been affected, will receive specific communications from MTU and all have been advised to remain extra vigilant to potential phishing attacks by email or SMS or other unsolicited communications.

My Department, in close collaboration with the Department of Education, has an important role in resourcing and supporting the work of HEAnet, the education sector’s ICT shared services provider. Last year, my Department confirmed significant multi-annual funding for cyber-security resources to HEAnet. These resources will equip HEAnet to expand the reach of its ICT Security Services offering to all eligible HEAnet client members, including institutions across the tertiary education sector. This service encompasses provision of advice and training to end users with the objective of reducing the risk of user-initiated cyber security events.

The Department is also providing funding to mobilise a sectoral Security Operations Centre and Security Incident Event Management (SOC/SIEM) service via HEAnet for the education sector, to mitigate the risks associated with cyber-attacks, through consistent and comprehensive 24/7 detection and response capabilities. These two services combined will better position HEAnet clients in mitigating the risk associated with cyber-attack. This allocation followed engagement between the HEA and the higher education sector, and a high level proposal put forward by the Irish Universities Association, in cooperation with HEAnet. HEAnet subsequently submitted a detailed business case for funding of the SOC/SIEM service.

Additionally, my Department allocates recurrent funding to the Higher Education Authority (HEA) for direct disbursement to HEA designated higher education institutions. The HEA provides grant funding to the Higher Education Sector through the Recurrent Grant Allocation Model (RGAM) as a block grant to cover teaching, research and supporting activities; the internal allocation of funds is a matter for each institution. HEIs must consider their local requirements and contexts in determining their priorities for funding, including in relation to enhancing the security of their IT systems.