Thursday, 8 October 2020

Ceisteanna (7)

Sorca Clarke

Ceist:

7. Deputy Sorca Clarke asked the Minister for Defence the number of Defence Forces personnel with expertise in security, process development and threat intelligence assessment seconded to the national security analysis centre, NASC, in view of the recognised potential and important role of the Defence Forces in the national cybersecurity strategy as outlined in the programme for Government. [28525/20]

Amharc ar fhreagra

Freagraí ó Béal (6 píosaí cainte) (Ceist ar Defence)

The current national cybersecurity strategy, which was published in December last and runs until 2025, refers to the need to improve the ability of the State to respond to and to manage cybersecurity incidents, including those with a national security component, and to identify and protect critical national infrastructure by increasing resilience to cyber attack. Given some of the most skilled and qualified cyberdefence experts are in our Defence Forces, how many of them are seconded to the NASC?

I thank the Deputy for raising this question because it is an important one. Arising from the recommendations in the report of the Commission on the Future of Policing, a new national security analysis centre was established during 2019 under the aegis of the Department of the Taoiseach. The purpose of the new centre is to co-ordinate between the various State bodies with national security functions and to provide strategic analysis for the Government on security threats.

Defence policy and operations form a centrally important aspect of this work, given the nature of the threat environment. In this regard, NSAC commenced work on the development of a national security strategy in 2019. The strategy will aim to set out a whole-of-government approach for how the State can protect its national security and vital interests from current and emerging threats. An expert policy forum and a public consultation process have provided significant inputs for this process. While further consultation has been constrained by the restrictions necessitated by Covid-19, the centre has continued its research activity in this regard over the recent months.

A director has been appointed to lead the NSAC and a number of support staff have been appointed. A number of personnel with a range of expertise have been assigned from the partner bodies to the centre, including two experienced personnel from the defence organisation, one civil and one military, who were seconded in 2019.

The national cybersecurity centre, NCSC, which is part of the Department with responsibility for the environment, climate and communications, is the primary authority responsible for cybersecurity in the State, including incident response, cyber resilience and information provision. The NCSC maintains a significant threat intelligence capability and this is a key tool in the work of the NCSC in mitigating risks to the State and its people from cybersecurity threats. The NCSC works closely with the Defence Forces in this regard. While the primary role of the Defence Forces with regard to cybersecurity relates to the defence and security of its own networks and systems, the defence organisation is committed to participating in the delivery of measures to improve the cybersecurity of the State. This is being done in line with the programme for Government commitment to implement the national cybersecurity strategy.

Additional information not given on the floor of the House

Ireland’s current national cybersecurity strategy was published in December 2019 and follows on from the country's first strategy, which issued in 2015. There is a particular emphasis in the strategy on improving the protection of government ICT and other critical national infrastructure; on education, research and training, and on enhancing Ireland’s international engagement. My Department and the Defence Forces have inputted to the development of this strategy. Department officials and the Defence Forces are also actively involved in the implementation of the new strategy which, in conjunction with the White Paper on Defence 2015, will continue to inform our engagement in this critical area. This includes work to develop an updated and detailed risk assessment of the current vulnerability of all critical national infrastructure and services to cyberattacks and the provision of a member of the Defence Forces for secondment to the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia. In addition, my Department actively participates on the interdepartmental committee overseeing implementation of the strategy, which is chaired by the Department with responsibility for the Environment, Climate and Communications.

The White Paper on Defence, produced in 2015 and amended in 2019, identified hybrid attacks or cyberattacks and threats to the cyber domain and from espionage have been assessed as increasing since 2015, while the wider political and global environment is more complex and uncertain. We have seen similar attacks in Britain on the UK National Health Service, which was a specific and targeted attack. Organised crime is seen as on a par with terrorism by the UN office on terrorism and terrorism prevention in terms of threats. Why then does the NCSC fall under the remit of the Department of environment, climate and communications, and not under the Departments of Justice and Equality or Defence? The Minister has referred to security and An Garda Síochána as having been a key tool. It seems to be a piece of a jigsaw that is slightly misaligned with where the NCSC is sitting.

I can understand that concern and I have asked that question because it was when I was last in the Department of Defence that we put together the White Paper. At that time, there was a discussion within government on national security infrastructure, how the Defence Forces interact with An Garda Síochána and how we can respond to an emerging cybersecurity threat. There is significant expertise in the Department with responsibility for the environment, climate and communications from a communications perspective, which is essentially the platform for cybersecurity attacks. One could argue for the NCSC to come under the Department of Justice and Equality, the Department of Defence or the Department with responsibility for the environment, climate and communications or for central co-ordination from the Taoiseach. The decision was made, after a lot of discussion, that the national cybersecurity centre should come under the Department with responsibility for the environment, climate and communications because we are talking about communications networks being intercepted and compromised by security threats.

I understand the argument the Deputy is making but there is significant expertise in that Department. Most important, the message is that the NCSC is about pulling together all of the expertise from different Departments, including the Defence Forces as well as the Department of Defence, to make sure we have a central office that is using all of the expertise available to make sure we are protecting the interests of the State from cybersecurity attacks, which are a significant threat internationally. Ireland rates well internationally and we are learning from others. There is a European centre of excellence in Tallinn, Estonia, which we are interacting with to make sure we are fully up to speed with the kind of response that is needed.

The Minister mentioned State infrastructure there but it is more than State infrastructure. It includes State assets as well. I recognise, however, that he referenced the continual learning because that is critical when it comes to issues such as this.

Ireland has a high level of foreign direct investment. We have multinational corporations here that are household names. The investment they have made here is colossal.

However, in terms of State protection that can be offered to them, it seems like very little to none. Foreign direct investment alone, as one entity, needs assurance that at the very least, our national electricity grid is protected from a cyberattack. Is this an assurance the Minister can reasonably give and reasonably stand over? Foreign direct investors also assume that our national technical means are of a standard that is fit for purpose in the current environment in 2020 and that we properly monitor our cyberdomain and our digital space. Is that a reassurance the Minister can give to them and stand over?

I think "Yes" is the answer to that question. I do not believe there is a country in the world, even the superpowers of the world, that can give an absolute 100% guarantee against the threat of cybersecurity challenges. There is not. We have seen such attacks on the United States of America and in China. Even the countries that spend hundreds of billions on this issue are not absolutist in the guarantees they can give. Having said that, the Deputy has asked if we can assume a reasonable level of assurance and I think we can. In our cybersecurity strategy, we recognise that Ireland has a significant international presence in this area. A lot of data are managed and held in Ireland in very large data centres. Many communications and IT companies are based in Ireland managing sensitive and confidential data from all over the world. We have focused on this area in a way that prioritises it significantly. We can give a reasonable level of reassurance on the policy response in that regard.