
Joint Committee on European Union Affairs debate -
Wednesday, 1 Dec 2021

EU Cybersecurity: Discussion (Resumed)

Apologies have been received from the Chair, Deputy McHugh, Deputy Calleary and Senator Keogan. In accordance with current guidelines, all documentation for the meeting has been circulated to members using the Microsoft Teams platform. I remind members that our work this morning will be in two separate sessions and we will subsequently have a private session briefly to discuss internal matters. I ask members to bear with us.

We resume our consideration of cybersecurity, and on behalf of the committee, I wish to welcome to our deliberations Mr. Juhan Lepassaar, executive director of the European Union Agency for Cybersecurity, ENISA.

Before we begin, I have to do the tedious task of reading a note on privilege. All witnesses are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him or her identifiable or to otherwise engage in speech that might be regarded as damaging to the good name of any person or entity. Therefore, if the witnesses’ statements are potentially defamatory of an identifiable person or entity, they will be directed to discontinue their remarks. It is imperative that they comply with such direction. For witnesses attending remotely outside of the Leinster House campus, there are limitations to parliamentary privilege and as such they may not benefit from the same level of immunity from legal proceedings as a witness who is physically present. Witnesses participating in this committee session from a jurisdiction outside of the State are advised that they should be also mindful of the domestic law as they give evidence.

Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside of the Houses of the Oireachtas or an official either by name or in such a way as to make him or her identifiable. Again, I remind members that they must be within the Leinster House complex to participate and anybody outside might identify themselves as such.

The tedious bit is done. I invite Mr. Lepassaar to make his opening statement to the committee.

Mr. Juhan Lepassaar

I thank the honourable Chair and Members of the Oireachtas for inviting ENISA to give the committee input to its valuable work and evidence. I will say a few words on the agency. The mandate of the agency is to assist member states in the Union in their pursuit of establishing a high common level of cybersecurity across the Union. Of course, we mainly focus our work on ensuring that cybersecurity, a critical service, and the providers of this service, are of a high level. Under the network information security, NIS, directive, approximately 70 entities in Ireland were designated as essential service providers. I am not saying it is too low a number, but it is clear that across the Union we seem to have a different understanding of what "critical" means. For example, in Finland, 10,000 entities have been designated as operators of essential services. Cyber threats are cross-border and as long as we seem to have differences in defining what is critical and what is not critical, there always will be an issue regarding how to set a common standard across the Union. We need a revision of the network information security directive so that we have a more common understanding of what critical means and how to protect critical service providers.

Ireland has recently experienced an attack on its health service providers, and members know the consequences of it; obviously, we should draw our own conclusions as well. From the cybersecurity point of view, the Irish National Cyber Security Centre does an excellent job, not only in responding to the crisis, but also in making sure that entities are well prepared. It rolled out procedural guidelines, manuals, training and exercises. It responded in an agile and prompt fashion and it shared information with other member states through the computer security incident response teams, CSIRT, network so that other member states were knowledgeable about what was going on and could prepare as well. It was an exemplary response.

One might ask, of course, why the attack was successful. At the EU level, most entities of essential service providers fail normally because, perhaps somewhat naturally, cybersecurity is not seen as part of their core mandates or core missions. Guidelines and trainings are not picked up because organisations have not invested in their human resources to make them work. They lack a dedicated and sufficient number of experts to make things work and they do not invest in cybersecurity. Some 67% of operators of essential service providers across the EU have told us they need more investments to make the network information security directive work for them.

In Ireland, we surveyed 36 operators of essential service providers in 2021 and 22 of them said they need more investments. Overall, EU entities invest 41% less in cybersecurity than their counterparts in the United States. On average, the budget that goes to cybersecurity is around 10% of the IT investments that these entities make. Money will not do the trick and service providers need to invest in their staff, and not only into their IT and cybersecurity experts.

Perhaps following the lessons learned, Irish entities are showing the way. The median number of new hires for cybersecurity functions is highest among all the EU member states. Also, 50% of the surveyed operators of essential service providers in Ireland have cyber insurance, whereas the EU average is 43%.

For the benefit of the common level of cybersecurity across the EU, I call on this committee to do two things. First, I call on it to express its support for the quick and swift adoption of the review of the network information security directive that should bring a better common understanding on which critical entities need to be protected across the Union.

Second, I call on it to find ways to support an increase of cybersecurity investments by the entities that operate in critical sectors and ring-fence these investments in cybersecurity. Member states have different practices. For example in Germany, by law, all health service providers must invest at least 15% of their total digital investments into cybersecurity. We hope that in the long term this will make these entities more resilient.

I thank Mr. Lepassaar for that contribution. I now open the meeting to members who may wish to pose questions. I call Deputy Ó Murchú.

I welcome Mr. Lepassaar and apologise for the mispronunciation of his name. It is an issue I have faced for many years. I welcome what Mr. Lepassaar said. Obviously, there is a huge disparity between what people believe is a critical service and what is not. That was put in a very straightforward fashion by Mr. Lepassaar in the sense that Finland has it down as 10,000 and this State has it as 70. It is vital that, to get the correct answers, we ask the correct questions. Would Mr. Lepassaar foresee that the update of this and the review will take all these factors into account? He no doubt has a number of proposals he is putting forward in regard to what needs to happen to ensure that NIS or NIS 2 does the business it is meant to. Can Mr. Lepassaar answer that?

Mr. Juhan Lepassaar

I thank the Deputy for his question. I would not dare to pronounce his name, and I am sorry about that. On the issue of where the threshold is, where we say that something is critical or not critical, what the Network Information Security, NIS, directive revision does is that it establishes a common minimum threshold across the European Union which captures entities above a certain size. Given that the negotiations at EU level, among member states and the Parliament, are still ongoing, I do not want to step into this, but the proposal of the directive also foresees an option for member states to include entities which are below this threshold. That is a good provision because member states have very different economic and social frameworks in place. Big entities in some member states might be small entities in others. The country I know best is a very small one. Critical entities in this country also may have an employee count of only 50, which would not even be considered a start-up in some other member states. There is flexibility but at the same time the NIS directive foresees certain common thresholds. It is important that we establish this common threshold because if we do not protect critical service providers in a similar fashion across borders, then we establish loopholes. As is common in cybersecurity, the strength of the chain is determined by the weakest link. That is why it is important that we have a certain harmony in establishing what these entities are and where the threshold is.

That makes complete sense and there is obviously the need for flexibility because all member states are coming from a different place in regard to this. I get the fact that there has been a huge uptake in regard to cybersecurity defences among many businesses across Ireland because of the ransomware attack on the HSE. If ever there was a lesson that needed to be learned, that is the lesson. It shows the dangers we live with. Following the review of the NCSC here, we saw that there was a requirement seriously to ramp up investment and capacity within it. I welcome what Mr. Lepassaar said in regard to the actions that were taken and on the collaborative approach that was taken around CSIRT and the transfer of necessary peer learnings and knowledge in regard to the attack. It has been said that there has been perhaps a failure to take on board some of the expert knowledge out there, even within this State, that is, among people who have been involved in academia and have been dealing with these subjects for possibly 20 years. We probably failed to avail of that. That is one thing.

We had dealings with the European Defence Agency, EDA, in regard to its role and remit and what it terms cyberdefence. There is considerable talk in regard to the European cybersecurity unit. I asked a question last week on who has the most use or who is going to be the lead in regard to that. How does Mr. Lepassaar's outfit fit into that diagram? Can he explain that to me?

Mr. Juhan Lepassaar

I need to emphasise that the EU Agency for Cybersecurity is an Internal Market agency. We do not deal with national security directly. Of course, in the domain of cyberspace civilian security and defence matters overlap to a certain extent. That was also the premise of the Commission's proposal to establish a joint cyber unit. The name is a bit misleading because no structured unit will be established. Rather it is foreseen as a collaboration platform or a co-ordination framework so that different actors who deal with cybersecurity at the EU level, first and foremost, co-ordinate their activities for the benefit of the member states. For example, ENISA has a mandate to establish synergies when it comes to operational co-operation in cybersecurity at EU level between different EU actors. Let us imagine the situation whereby there is a crisis that involves a certain sector which is deemed a critical sector at EU level. Of course it is the member states which are in charge of the response but they may need assistance. The EU will then co-ordinate assistance to member states. It could be the agency I am in, it could be Europol or it could be a specific agency in the sector such as the European Union Agency for Railways for the railway sector or the European Maritime Safety Agency for the maritime sector, or the European Banking Authority for the financial services. We all have one bit of cybersecurity in our mandates. To be useful for the member states in these terms, and not only to respond to crises but to prepare for crises and understand the situation and create a common situational awareness, these different bodies of the EU need to collaborate and co-ordinate their activities better so that one plus one plus one does not equal only three, but five. That is the premise of the joint cyber unit.

Of course the European Defence Agency has a very important role to play when it comes to raising the capacity of member states in terms of defence and cybersecurity capacities. Again, as I said at the beginning, we also need to respect each other's domain of action and ENISA is, first and foremost, the cybersecurity agency for the Internal Market.

I appreciate all that and I will finish by asking a short question.

I imagine that Mr. Lepassaar's answer will be that he foresees that the review will deal with the due diligence that will be required in this field. What sort of structure is needed? What sort of lead operation do we need that would make sure that we covered all of the bases? I get the idea of a framework that respects individual states and their wants, needs and requirements. Obviously one is going to have digital hygiene. That is absolutely necessary and would stop this before it happens, particularly if we consider the ransomware attack. Obviously there is a wider issue. On the defence end, people are in great fear of a cyberattack, which is almost like a physical attack, and I do not know how one could get collaborative results. Where defence meets disruption, and I have heard it said and I used the term before, everyone needs a counter strike capacity. I do not mean that one engages a huge number of hackers to attack but more to disrupt in the middle of a chain of attacks. We must make sure that collaboration happens and is useful and, as Mr. Lepassaar said, that it is greater than the sum of all its parts.

There is the wider question of making sure that we have the legislation or policing part. Then we need diplomacy, and even hardline diplomacy. I say that because we are talking, at some stage, of dealing with some of these actors where they are almost subcontractors that have a relationship with certain states that are beyond the borders of the European Union.

A question, please.

I have always hoped that the persons responsible for the ransomware attack had bitten off more than they could chew and that we had learned lessons. I hope that Mr. Lepassaar can answer all of that in the next two minutes. I would be delighted if he could assure me that everything is going to be sorted from a European point of view in terms of cybersecurity and defence into the future.

I must tell Mr. Lepassaar that what the Deputy asked is an example of a short question from him.

Mr. Juhan Lepassaar

I will try to provide a short answer. Let me consider preparedness and raising resilience. What we have at the European level in terms of framework is the network information security directive and the Cybersecurity Act. There is a lot of collaboration taking place among the member states in the NIS Cooperation Group, which is a group of experts that deals with exchanging best practices when it comes to implementing the NIS directive in different sectors. The good work they have done is something we should also appreciate.

The second level is operational response and co-ordination. We have two levels. First, we have the technical level, which is the Computer Security Incident Response Teams, CSIRTs, network, which are national CSIRTs that collaborate in a cross-border manner. This is a network that was instrumental during the attack against the Irish health sector providers. It enabled the Irish authorities to share information so that all other member states were knowledgeable about what was happening and shared the technical details about it so that everybody was aware of the attack. Also, they could rely on the network to extract expertise and member states could, in practice, require assistance from experts.

Second, there is the operational level which is relatively new. It is built on the blueprint, which is a political framework that foresees co-ordination and collaboration between the heads of the EU cybersecurity agencies. This is the part where the network information security directive really institutionalises this kind of collaboration. Of course there is a diplomatic toolbox at EU level to co-ordinate a potential joint response by member states, where it is non-EU actors, when it is necessary and required. At EU level we seem to have all the boxes but now the question is to make them more resilient, stronger and more effective.

So the message is they must be tweaked and ramped up. I appreciate the interaction.

I thank Mr. Lepassaar for his presentation and answers. I wish to ask relatively short follow-up questions on his presentation. I do not know to what extent he can provide the information but I hope that we can discuss the matter.

Based on the statistics provided, there has obviously been a huge increase in attacks and a specific increase in the healthcare sector. Has Mr. Lepassaar found either through his own work or in co-operation with others an explanation for the increase? There are lots of theories on that. Why has there been an increase in attacks on the healthcare sector and the healthcare systems of members states?

Mr. Juhan Lepassaar

ENISA has just released its annual threat landscape report on cyber threats. What we have seen, which is not a surprise, is that ransomware is a rising and increasing threat to different sectors. It has become increasingly easy because ransomware is used as a service by some malicious actors. Of course that means it has become easier for an attacker not only to attack but monetise an attack. However, we need to defend ourselves from any possible attacking actor, which is always costly and requires more money. There is a dichotomy or imbalance from the point of view of the defender and that of the attacker. That is difficult to manage if these organisations that need to defend themselves do not prioritise cybersecurity investments, if they do not have incentives built into their own policies to tackle these issues or if their boards and stakeholders do not want them to invest in cybersecurity. We need to find ways to incentivise these organisations to ring-fence cybersecurity investments but also make the managers and boards of these organisations more responsible for cybersecurity.

I see Senator Richmond is content with the answer. I call Senator Chambers.

I thank Mr. Lepassaar for his presentation. My first set of questions is on the annual budget for ENISA. What is the annual budget for this year and next year? Does he envisage the budget increasing over the next five years? Are discussions taking place on that?

Where does Mr. Lepassaar see his organisation going in the next five to ten years? What are the long-term plans? Is there a plan to expand? What priorities and services would ENISA wish to provide or engage in?

ENISA has a set agenda, role and remit in terms of the European Union. Does ENISA face significant obstacles at an EU level or in any member state in terms of doing its job to the best of its ability and achieving the goals that have been outlined?

Mr. Juhan Lepassaar

I thank the Senator for her good questions. Unfortunately, I do not have a day to give a full brief.

I will address the questions one by one. The budget of the agency for this year is €24 million. It will increase slightly again next year. There has been a huge increase in the budget over the past three years, which was due to the adoption of the Cybersecurity Act. If the Senator is asking me whether these funds are sufficient, my response would be sufficient for what purpose?

On the objectives, under the strategic objectives of the ENISA, there are seven clear objectives in terms of what we want to achieve. The first is that all policy domains in the Union take cybersecurity as one of their core missions. Cybersecurity should not be regarded as an annex or an afterthought. When we build new policies, we should try to make them cyber secure by nature and design.

The second big objective is to make sure that the products that are in the EU Internal Market are cyber secure and that there is trust from the end-user in these products. At the same time, we also try to raise capacities of the member states of the organisation so that they become more cyber resilient. We try to help member states in times of crisis, but also to prepare for crisis. We do not look at everything; we concentrate on potential cross-border large-scale cyber events. The organisation cannot do all of these things alone and so one of our biggest cybersecurity strategic objectives is to ensure that we have communities that work with us. These communities are well-organised, they know what to do and they feed their own desires into the agency. These are the five big objectives. We have an understanding as well that we need to be knowledgeable of the future threats and risks. We should have foresight of what is coming around the corner, but while doing that we should not forget that the majority of cybersecurity incidents happen because of existing vulnerabilities in legacy systems. The future is important, but the past is as important.

On the final question with regard to the obstacles, one of the biggest obstacles I see at EU level is how we deal with the past, not only in terms of how we deal with legacy systems in technical terms because they include technical vulnerabilities - the Internet was not built for cybersecurity; it was built for free flow of information - but how we deal with the past in policy terms and how we deal with the fact that the majority of software providers do not have the same level of responsibility or liability when it comes to the cybersecurity of their products as, for example, do manufacturers of physical objects or products in the Internal Market. Cybersecurity was not a mature policy domain, but it is becoming gradually more mature. With this, we need to reassess whether the rights and obligations that were put in place or existed within the policy framework need to be reviewed now and whether it is now time to make the products and services that circulate within our Internal Market more cyber secure by putting more obligations on manufacturers of these services and products so that the end-users do not have to bear the responsibility of always worrying about whether the service or the software they use is cyber secure, but so too do the producers of this software.

I thank Mr. Lepassaar for his very comprehensive reply. I appreciate his straightforwardness. On the final point with regard to the producers of software, that is, the big corporates, what type of interaction does the agency have with them? Does it deal directly with big producers such as Intel, Microsoft and so on? What type of interaction does the agency have with them? If the agency finds - I am not trying to implicate any of those companies - that a product or software is not meeting a certain standard, what steps does it take? Is there a reporting line or are there sanctions? If a standard is not being met, what is the next step?

I would like to ask another question not related to my previous line of questioning. In terms of the agency's work, what are the top three threats in the EU? What are the three areas it is monitoring the most? Has the Covid-19 pandemic impacted the agency's work? Has it looked at other areas, changed its approach or identified any new or different threats to assess because of the pandemic?

Mr. Juhan Lepassaar

I do not want to create an impression that the companies that produce software do not care about cybersecurity. That is not an issue. They care and they reach out. We have good collaboration and contact with them. The issue is the balance. Where is the balance in terms of obligations? Is it tilted more towards the consumer or the provider? We need to assess whether the balance is right for the current environment.

When it comes to threats, it is difficult to say what are the top three. I will start with the critical sectors because this is where the focus still is. We have critical sectors that are more mature and critical sectors that are less mature. There are other sectors which we now think are critical but they are not covered by the network and information security directive. We found that out because of the pandemic. There is a second category. Cyber threats are becoming more hybrid and more linked to other threats. Whenever a certain sector or domain is under attack, we see an uptake of cyber attacks against this sector. It happened during the pandemic when it came to health service providers. Vaccine makers were also targeted. Research and innovation is not currently covered under the network and information security directive, and neither are higher education and food service providers. The hybrid nature of the cyber attack means it is becoming more ingrained into the overall threats landscape. That worries me. The fact that most products and services that are circulating in the market are not resilient or as high-level in terms of their cybersecurity as they could or should be and that the security by design and default approach is not ingrained into the product design worries me a lot as well.

I thank Mr. Lepassaar. If I may, I would like to pose a couple of questions. We are looking at the impact of the cyberattack on our health system, which literally not only cost enormous sums of money, but cost lives, and at how we can make ourselves more resilient. I am taken by Mr. Lepassaar's observation that Germany has a legal obligation on some actors to invest a percentage of its IT budget in cybersecurity. In Mr. Lepassaar's view, is that a model that should have general application across all states and public agencies and is 10%, which is the figure mentioned by him in regard to Germany, the optimum or what other figure should we be looking at for legislation?

My second question relates to a response to external actors, non-EU actors, in that regard. Mr. Lepassaar said there is a capacity for response. Bluntly, it is not very visible. We have suffered a major attack. Is it possible to identify the location of the attacker in these matters? What sort of response is available to dissuade future attacks?

Mr. Juhan Lepassaar

I apologise if I gave the wrong number. The German figure is 15%.

Mr. Juhan Lepassaar

As to whether it is enough, every member state needs to define the needs of the sector in its economic structure. The average percentage of investments across the almost 1,000 entities of essential service providers we surveyed this year is 10%. When I say on average, they also seem to invest 41% less than their US counterparts. If we put those two together, we arrive more or less at the 15% category. I would say 15% is a good number from which to start but I am a cybersecurity expert.

The key factor behind any kind of collaborative or co-operative response is trust. We see a rise in trust at the technical level among CSIRT network members, which is very encouraging because, essentially, that enables member states to reach out in times of crisis both to share information and to find more collaborative ways to respond to potential crisis, and during a crisis to reach out to seek assistance if it is needed. The determining factor in that instance is the will of the member state. The Union cannot and should not impose any kind of collaboration. It should come from member states and they can only probably do that if they have a sufficient level of trust among themselves. We need to find ways to make these collaborative platforms more trustworthy and to ingrain mechanisms to ensure the different actors involved have a certain level of maturity and that maturity is maintained in order that the trust will not diminish. This is something ENISA is in charge of and it should help these platforms to achieve. Whether the capacities or capabilities are there depends very much on this level of trust. I repeat the very good approach of the Irish National Cyber Security Centre. It has invested in building this trust not only within Ireland but across the EU, for which I am very thankful.

I have one supplementary question. Is there such a thing as safe operating areas for cyber attackers? To be specific, should we be doing more to address that net issue?

Mr. Juhan Lepassaar

I may not have correctly understood the Vice Chairman's question. He asked are there safe operating areas in terms of-----

Mr. Juhan Lepassaar

Are we dealing with certain sectors or domains that make it easy for the cyber attackers to misuse the situation? That is how I would define it. If we consider the overall economy of the EU, the agency focuses only on the critical sectors, not on everybody who operates in those critical sectors, only on the most important actors, namely, the essential service providers. The majority of the entities across the Internal Market are not essential service providers of the critical sectors. There is a major issue when it comes to the cybersecurity of small and medium-sized enterprises or entities that fall outside the scope of the network information systems directive. That raises the question of how we ensure the level of resilience of not only the critical service providers is high but that the overall resilience of all entities that operate in the Internal Market will be increased.

I thank Mr. Lepassaar for that response. The Minister of State is waiting outside. I will move on to the next session unless anybody has another urgent question to put to Mr. Lepassaar? I call Deputy Ó Murchú.

I will be brief. I wish to follow up on Senator Chambers's point on software providers. Mr. Lepassaar spoke about them having an obligation. We have a sense down the years, perhaps unfairly, that many operating system providers, in particular, not to name anyone, produced something rather badly and then worked on the basis that a company would pay to make sure it got the updates. Mr. Lepassaar spoke of the problem of using legacy technology. We are all aware of pre-Windows 10 operating systems that were used in the HSE. I have two questions. What would be a best case scenario with respect to the obligation those providers should be under? Is there a difficulty if a sector is literally only using one operating system provider and would it need to build in some sort of redundancy? Could Mr. Lepassaar answer those questions initially.

Mr. Lepassaar has the floor.

Mr. Juhan Lepassaar

I thank the Deputy for his first question. It helps me to tackle one important domain I neglected, which is the supply chain. The dominance of certain actors in our supply chain, either supplying services or products we use, is another critical issue because it increases the risk that one single vulnerability could affect very many entities across borders. The nature of how we build our supply chains and the way in which we ensure our supply chains are competitive but also secure is another big problem we need to deal with at EU level. The agency's toolbox has helped member states to build as we pass on to 5G and offers one potential model of how it can be done, but what fits for one sector or one particular technology might not be the best approach to be replicated across the board. In the context of supply chains, whether we are too dependent on single providers is also an issue in cybersecurity.

When Mr. Lepassaar spoke about the NIS review and NIS 2 and essential or critical service providers, he spoke of, not to put words in his mouth, a weakness in the sense that it does not take into account research, innovation or the third level sector. He spoke specifically about those who were involved in innovation around vaccines. I imagine he is proposing that it be revisited. He is obviously involved in those discussions around the worst case scenario. I accept some of that drifts into what people would term "defence", the fear of, say, cyber to physical attack, particularly in the set-up we have in Europe as regards the hybrid migration weapon being used by Lukashenko.

We are in a world where anything goes with regard to what weapon will be used by state or non-state actors in the future.

Mr. Juhan Lepassaar

I take the honourable member's contribution as a comment rather than a question. He summed up quite neatly what is now being observed and what we can see across the board. It is important the honourable members of this committee pick up that it is not so much about the different sectors and whether we should include this or that sector as critical or non-critical, rather we should be agile enough to understand that any sector which could have a significant impact on the functioning of the society and on the wealth and well-being of our citizens is critical.

Mr. Lepassaar's contribution has been most helpful to our ongoing discussions and deliberations. I thank him for attending and wish him well in all the work he has before him.

Sitting suspended at 10.21 a.m. and resumed at 10.22 a.m.

On behalf of the committee, I welcome the Minister of State, Deputy Smyth.

I thank the committee for inviting me to participate in this morning’s meeting to consider the EU cybersecurity strategy and the alignment of Ireland’s national strategy for cybersecurity. I am joined by Mr. Richard Browne, acting director of the National Cyber Security Centre, NCSC, my adviser, Mr. David Clarke, and Mr. Peter Hogan, principal officer in the cybersecurity and Internet policy division of my Department.

I welcome the committee’s interest in this important issue. Cybersecurity has correctly been identified as a strategic priority for the European Union to safeguard the benefits of the digital transformation happening throughout Europe. In addition to the growing interconnectedness of digital services, we must recognise that cyber criminals do not respect national borders. Thus, it is essential that the member states of the EU work together to strengthen co-operation and information sharing across borders.

The EU’s cybersecurity strategy for the digital decade sets out an ambitious agenda to meet the growing challenge of cyber threats. The EU has, correctly, seized the opportunity to be a global leader in promoting and protecting an open, free, stable and secure cyberspace grounded in human rights, democracy and the rule of law. The strategy includes an ambition for the EU to achieve technological sovereignty in response to emerging supply chain risks. This will involve strengthening cybersecurity capabilities within the Union through the EU’s industrial strategy, as well as funding cybersecurity skills development and research.

The strategy includes some novel and interesting proposals to enhance co-operation and information exchange between member states and with relevant EU bodies, including a proposal for a secure connectivity system, utilising quantum computing and satellite communications infrastructure. The strategy also details the range of cybersecurity legal instruments the EU has published and will follow, such as the review of the network and information security, NIS, directive; the implementation of common cybersecurity standards for EU institutions, bodies and agencies; and the proposal for horizontal legislation on security standards for connected devices.

I share the ambition of technological sovereignty and supporting indigenous enterprises and academic institutions to deliver Irish and European solutions to strengthen the security of data and critical services. However, as the European Council has emphasised, this must be balanced with the Union’s key objective of preserving an open economy. I am also conscious of the rapid increase in the number of cyber attacks and the crippling impact they can have, as we saw earlier this year with the ransomware attack on the HSE. While it is important to develop the European cybersecurity ecosystem, we cannot lose sight of the need to take positive steps, today and tomorrow, to deploy best-in-class hardware and software to defend networks and systems, whether these come from Europe, the US or elsewhere.

I also highlight the importance of global co-operation to combat cyber criminals. When Ireland suffered its most serious cybersecurity incident last March, we shared information with partners in Europe and received great assistance from the cyber incident response teams in a number of member states. We also received assistance from agencies in the UK, the US and further afield. I am convinced of the need to enhance information sharing and co-operation throughout the Union and with like-minded third countries.

I welcome the leadership shown by President Biden and his administration in building a global alliance to combat the ransomware gangs who have caused havoc in recent years. In the Irish context, co-operation and information-sharing with the UK Government is vital and there is excellent engagement between the NCSC and its counterparts, both on a North-South and east-west basis.

The NIS 2 proposal will be the key implementing Act for the EU’s cybersecurity strategy. Ireland is playing an active role in the ongoing negotiations in the European Council. We welcome the Commission’s initiative and it is timely to review the NIS directive, in light of the massive shifts in the global cyber threat landscape. Our focus in the negotiations is to ensure the directive, when finalised, provides a solid basis for practical measures at national and Union level to strengthen the cyber resilience of critical services and important industry sectors; to facilitate information sharing and exchange of best practices; and to strengthen our capacity to respond to major cybersecurity incidents. This is a considerably important legislative file and it is vital we get this right.

I will speak briefly about Ireland’s second national cybersecurity strategy, which was published in 2019. The vision behind the 2019 strategy is to allow Ireland to continue to safely enjoy the benefits of the digital revolution and to play a full part in shaping the future of the Internet. This involves the protection of the State and its people and critical national infrastructure from threats in the cybersecurity realm; the development of the capacity of the State, research institutions, businesses and people to better understand and manage the nature of the challenges we face in this space; and engagement by the State, nationally and internationally, in a strategic manner, to support a free, open, peaceful and secure cyberspace.

Under the NIS directive, we are required to review the strategy next year. This was also a recommendation of the NCSC capacity review which we commissioned earlier this year. I welcome the committee’s consideration of the EU cyber strategy and look forward to its report. I have no doubt that report will be a valuable resource to inform the review of our national strategy.

I welcome the Minister of State to the committee to deal with this vital issue. We have had previous interactions on this, in particular at the Joint Committee on Transport and Communications. We have also had the NCSC review, the full report of which I request for this committee, excepting the redactions. It would be useful for what we are talking about. We all welcomed the increase in funding and capacity. I have previously said some of the experts said they believed there had been a failure to use the expert knowledge base we had in this State, especially in third level institutions, that had made a detailed study of this. However, we are where we are.

Mr. Lepassaar spoke about critical sectors or critical service providers, of which we have 70.

However, Finland has approximately 10,000. I accept that every state is not the same. I put it to the Minister of State that there is possibly a requirement for a reassessment in regard to that. He also spoke about investment across the board by American companies in cybersecurity being at 15%. While there has been an increase across Europe, it has possibly been insufficient. Perhaps it is something of an obligation that has been put in. This would probably need to be addressed more at a European level. I refer to operating systems built with a different business model at a different time. Software is not necessarily always suited from a cybersecurity point of view. Is there a possibility that there would be a requirement to put an obligation in that regard?

Regarding his own baseline standards for cybersecurity that have been released recently that go into that, it comes back to the scenario of where we are and what our plan is to ensure that we have all the due diligence done and as best we can. That is accepting that we have to be able to disrupt and avoid attacks for hygiene reasons and to have whatever defensive or counter-strike capacity that is required, to which I previously referred, but I accept does not fall within the remit of the NCSC.

We have discussed cybersecurity in a number of different contexts before and also on the floor of the Dáil. Deputy Ó Murchú asked about the capacity review. We published the executive summary and we will publish the entire report in a redacted form before the year end. I will share it with this committee as well. I commit to that for a start.

The question about other member states having a much larger number of operators of essential services, OESs, is a reasonable one to ask. We have chosen as a national strategy to focus on a smaller number of OESs and to do that in more depth. The NIS 2 directive is coming and I expect to be in Brussels on Friday negotiating this with other Ministers. Part of the NIS 2 directive is to extend the number of OESs to a much broader sector. Basically, everybody within the sector that is above a certain size will be included. A set number of sectors are included and defined as being OES sectors and every company in that sector will be considered an OES if it is above a certain size. As I understand, that is the proposal at the moment. That would lead to a much larger number.

Deputy Ó Murchú mentioned a secure by design approach for software developers. It is true that we need to design security in from the start. It is not something that should be retrofitted afterwards, or it is much more expensive to do it that way and less effective. I agree with that point. It comes down to there being an education part and a standards part to that as well. In fact, the Deputy may have noticed that yesterday the National Cyber Security Centre published its baseline security standards for public sector bodies and that provides very clear guidelines and a checklist they should all be doing already. This is a very clear and accessible guide for anyone who is running a public sector body and wants to know that the IT security manager is doing what he or she should be doing. Managers can ask if they have identified the key assets to protect, if they are being correctly protected with firewalls or other virus protection, if an intrusion detection system is in place, if there is a plan for how to respond and how to recover based on disaster recovery. It is very clear and straightforward and is based on the National Institute of Standards and Technology, NIST, in America. Did I miss something the Deputy asked me about?

There was a question about the investment in security from the point of view of companies and whether there is a requirement for us to look at having a certain baseline. I gave the American example, which could be based on the fact that they have been under attack for longer, so it has just been built into their psyche and planning from the point of view of companies. I ask the Minister of State to deal with that and whether we are now engaging with third level and the expert knowledge base that we have within the State and beyond it. Is he happy that the joint cyber unit framework will be sufficient for whatever collaborative processes we need to be involved in?

Could the Minister of State also provide a little information on the proposal for a secure connectivity system utilising quantum computing and satellite communications infrastructure? We will probably be the only two people interested in this issue, but I would appreciate hearing about it. Beyond that, the baseline standards are welcome. It is about ensuring there are sufficient powers of enforcement or sufficient capacity to deliver on that within these outfits, accepting the difficulties in the likes of the HSE and the number of ways in that there are in a system like that.

The first question is about OES standards for private cybersecurity industry outside of the public sector. Many of the OESs that are defined already are in the private sector and that is going to be a much larger number than when the NIS 2 directive comes in. They will be subject to a much stricter enforcement regime than has been in place before, although there is already power to force compliance. That does apply to the private sector.

The second question was on whether we are working with academia. The answer is that we always have. It is a very important part of our defence. When the HSE attack happened, a number of academics volunteered to help us and came in and provided assistance. They were on site as well. I thank them for that as it is vital. A lot of cyberdefence is based around education – user education, education at primary and secondary levels, but also the advanced third level element as well. Cyber Ireland is encouraging co-operation between the Government level, academic level and industry level. Those links are strong and growing.

On the question about the quantum computing aspect, I would prefer to do that another time, as I do not think I have the-----

I do not think it is the right context for such a discussion, but I am happy to provide a separate briefing. It is not a secret, but it is a very technical and in-depth issue.

I accept that. The Minister of State made the right call on that. We will revisit it at a later stage. Does he see the joint cyber unit framework and NIS as being sufficient for what needs to be done from a collaborative point of view on a European basis and that we have the capacity to deal with the baseline standards, in particular within the public sector? Beyond that, I am interested in hearing the plan for what we need to do on an international basis and on a state basis.

I thank Deputy Ó Murchú very much. What I can do is arrange for a briefing from the acting director of the National Cyber Security Centre on that area in detail. That might be a better way to answer the question if that is all right.

That is brilliant. I must apologise as I need to go and speak on ventilation, on which I am also an expert.

I thank the Minister of State for his very detailed presentation and responses heretofore. I want to dig into a couple of his earlier comments on EU co-operation and information sharing and the scope for pooling resources and increased co-operation. He referred to novel proposals. Could he possibly detail that a bit more and flesh out what they contain? He also discussed legal instruments. We are going into the realm of information sharing and cybersecurity, but this is a clear aspect of defence as well. Are there any current arrangements in force or proposed areas where Ireland simply cannot or will not participate due to various opt-outs?

Does that need to be remedied at a domestic level?

Regarding the novel approaches, I am talking about novel platforms for information sharing, such as the joint cyber unit, JCU, and so on. As for whether there are any areas we are excluded from, was the Deputy referring to those at a military level?

It is where the line is blurred between military level and co-ordinated security response, research and defence.

The short answer is "No". We are not excluded from any of them.

On our interaction with the European Union Agency for Cybersecurity, a number of points were made, one of which relates to the state obligation in some jurisdictions for a minimum investment of their ICT budget in cybersecurity. In Germany, for public bodies, the figure is 15%. Does the Minister of State envisage that should be replicated, whereby all state agencies would have a mandatory percentage of their ICT budget allocated to cybersecurity, particularly in light of our experience with the attack on the HSE?

On the other point made, which the Minister of State touched on in response to Deputy Ó Murchú, relating to the reliability of software providers to build in security ab initio, as opposed to having to bolt on solutions subsequently, where exactly is the European Union discussion in that regard and what does the Minister of State envisage emerging?

The Vice Chairman asked about the minimum investment in cybersecurity of ICT budgets throughout the EU.

I refer to it being made a legal obligation for state agencies in the public realm.

As I understand it, the idea is a state agency would have to allocate a certain percentage of its ICT budget to cybersecurity. This is similar to the rule whereby NATO countries have to put 2% of their budget into defence. It is being promoted by Estonia, which sought and supported it when I visited, and it also supports the NATO approach. The downside is that it is an input measure, which means there is a target that is all about what is put into the system rather than what is got out of it. Our opinion is that we want to see measures of performance, that is, what is being done and achieved and what standards are being reached, rather than how much money is being put into the system. As a result, we do not support that approach.

On security by design and what could be done to ensure companies have secure products, work is being done at EU level on a cyber resilience directive. Members will see in the 5G toolbox produced by the European Commission that there is concern about and interest in whether products are safe to use, whether they have security designed into them and whether they come from trustworthy companies, that is, whether the suppliers can be relied on to supply software that can be used in our critical infrastructure. A framework for that is being developed at an EU level. No one country is going to produce very different policies on the reliability or trustworthiness of various suppliers' software.

On the first issue, relating to there being a designated portion of expenditure for security, I expect that, as a Minister of State at the Department of Public Expenditure and Reform, Deputy Smyth is trained to expect outcomes for outputs. If money is being expended, there will presumably be targeted outcomes for that. Nevertheless, it seems that if Germany is doing this, and if state actors are already spending enormous sums, we should ensure the infrastructure on which we are spending these enormous sums is as secure as it can be from attack. In the presentation from the European Union Agency for Cybersecurity, it indicated the average security spend within the ICT budget in Europe amounts to 10%, while in the US, the average is 15%. Should we learn from that experience?

Yesterday's announcement of the baseline security standards is a first step. After that, there will be a compliance framework to ensure all the public sector bodies comply with those rules and meet all those standards. Cybersecurity is not an optional area to invest in for any public sector body or something that is just nice to have. It is critical that every public sector body protect its digital State assets, in the same way it would protect its physical or financial assets, and that is now laid down in our policy. It will be supported by matters such as OGP frameworks, and the Chief Procurement Officer is working with the head of the Office of the Government Chief Information Officer, OGCIO, to ensure that when the State enters into contracts, cybersecurity will be one of the specifications and an underlying theme of those purchases. The Vice Chairman indicated that in Germany, a minimum level or measure of how much money is being allocated to cybersecurity is being introduced. I will examine that and talk to my German counterpart to see what that country is trying to achieve from that.

I thank the Minister of State. Is there a final remark he wishes to make before we conclude the session?

I thank the committee for taking an interest in this. I am dealing with my European counterparts at a ministers' Council meeting. I also met digital ministers in Luxembourg last month and travelled to Estonia to meet people from outside the EU. While it is important we work closely with our European partners, we need also to co-operate with countries outside the EU that share our values. Some of those countries employ many people in Ireland and have very advanced ICT defence systems. We cannot retreat to a fortress Europe, but it is important that we have a degree of independence and sovereignty, that we can provide for ourselves digitally and that we continue to co-operate with other countries that share our values.

I thank the Minister of State for sharing his views with us on this important issue. No doubt we will talk to him again.

I propose we go into private session to deal with housekeeping matters. Is that agreed? Agreed.

The joint committee went into private session at 10.50 a.m. and adjourned at 10.56 a.m. until 9.30 a.m. on Wednesday, 8 December 2021.