My Department hosts the National Cyber Security Centre, NCSC, which was established by Government decision. It is the central cybersecurity incident response unit for the State, with a broad remit across the cybersecurity of government ICT and critical national infrastructure. The NCSC acts as a central contact point in the event of a government or nationwide cybersecurity incident affecting the State. It also provides expert advice and analysis on cybersecurity issues and is involved in co-ordinating and supporting the response to significant incidents, with a lead role being taken by the entity affected by the incident.
Information sharing is a key component of the work of the NCSC, whereby it acts as a source of expert advice and guidance, but also as a clearing house for information. That is to say, it takes in threat intelligence data, trends and risks data from national, global and local sources, analyses them and makes sure those people who need those data get them, either to protect their systems or to assist them in carrying out their statutory roles.
The NCSC team comprises highly skilled specialist technical civilian staff, with skill sets in areas such as computer science, software engineering, malware analysis, information technology forensics, cryptography, software development and cybersecurity compliance, as well as general cybersecurity skills. The computer security incident response team, CSIRT, is the team within the NCSC that leads in response to cybersecurity incidents. The CSIRT of the NCSC is designated as the national CSIRT by Government decision and under the EU network and information security directive. The CSIRT has international accreditation and is the team that is notified by constituent organisations of an incident or a suspected incident. It is this team that engages with the affected body to support it in addressing the threat.
Early on the morning of Friday, 14 May, the NCSC became aware of a significant incident affecting the HSE network. Initial reports indicated a human-operated Conti ransomware incident that had severely disabled a number of systems and necessitated the shutdown of the majority of other HSE systems. The NCSC activated its crisis response procedures and made contact with a major international cyber incident response company which was engaged by the HSE early on Friday morning and began immediately to determine the nature and extent of the incident.
Throughout the past four days, the Minister of State, Deputy Ossian Smyth, and I have been in daily contact with my officials in the NCSC. I was also in regular contact throughout the weekend with the Taoiseach, the Tánaiste, the Minister for Health, Deputy Donnelly, and the Minister for Justice, Deputy Humphreys, as well as Mr. Paul Reid, chief executive officer of the HSE.
In addition, yesterday afternoon An Taoiseach, the Tánaiste, the Ministers for Justice and Health, the Minister of State, Deputy Smyth, and I met to be briefed by the NCSC and the HSE and to discuss the ongoing impact of the cyber incident on the HSE. The NCSC provided a detailed briefing on the incident, technical responses that have been deployed and the ongoing work to recover the IT systems of the HSE, prevent further damage and, very importantly, support the restoration of healthcare services.
A determined and methodical approach has been adopted to resolving the impact of this incident. I understand that all necessary resources and personnel are engaged in support of the HSE. In the coming days, the NCSC will continue to work in close co-operation with the HSE, An Garda Síochána, the Government chief information officer and a specialist cybersecurity contractor. The Minister for Health has already provided information on the measures being implemented to ensure continuity of services during this period.
The NCSC is also supporting the Department of Health in implementing its response plan to a cyberattack late last week, including the suspension of some functions of the IT system of the Department as a precautionary measure. As regards the incident in the Department of Health, the NCSC was notified by the information security team in the Department on the afternoon of Thursday, 13 May, of suspected malicious activity on its network. The NCSC engaged immediately with the Department and, recognising there were indicators of an attempted cyberattack, advised the Department to implement its crisis response plan and to engage a specialist incident response team, which it did on Thursday evening. Throughout Thursday night, the NCSC and the third-party contractors worked closely with the Department to investigate the incident and begin the recovery process.
The NCSC has provided specific advice and guidance to its constituents throughout the weekend based on its analysis of the incident in the health sector.
The NCSC has more than 160 constituents, which includes Departments and operators of essential services. An initial advisory notice was circulated on Friday and an updated advisory was issued by the NCSC on Sunday. In addition, on Sunday, staff at the NCSE were in direct contact with operators of critical national infrastructure, including other bodies within the health sector, to ensure they had received the advisory notices and were implementing appropriate measures to protect their systems.
Yesterday, the NCSC hosted online briefing sessions to answer questions from all its constituents. The feedback from these sessions has been very positive. The NCSC will continue to provide advice and guidance throughout the coming days and its advice will be updated when the malware deployed in the cyber incidents on the HSE and the Department of Health has been further analysed. In addition to the specific guidance issued to its constituents, the NCSC has published on its website general information about these cyber incidents with some limited detail on the malware.
As Deputies will appreciate this is very much a live incident, so it is necessary to limit the circulation of sensitive operational information at this time. I encourage IT managers in all businesses and voluntary organisations to review this guidance and consider what steps might need to be implemented to further enhance the security of their systems.
In conclusion, I assure the House that my Department, through the National Cyber Security Centre, will continue to exert its considerable technical capacity in support of the HSE at this time. It will continue to share any learning from this incident with the constituent organisations across the public and private sector to assist those organisations in ensuring the resilience of their cybersecurity.