Securing Ireland's Digital Future

Ireland’s economy is now more dependent than ever on information technology and the Internet. Both have enabled consumers and businesses alike to better access and deliver services, create new markets, exchange information rapidly and process information more efficiently. Technology and the “knowledge economy” are now seen by the Government as a strategic path to get Ireland’s economy back on track. Indeed, the Minister for Communications, Energy and Natural Resources, Eamon Ryan TD, recently unveiled the Government’s smart economy strategy to create Digital Ireland. The plan, titled “Technology Actions to Support the Smart Economy”, looks to develop over 30,000 jobs in areas such as ICT, green technology, cloud computing and energy efficient datacentres.

However, this increasing reliance on information technology brings with it numerous risks and threats that, if not properly addressed, could have a significant negative impact on Ireland’s economy and potentially on the country’s national security.

The recent Eircom outages resulting from attacks by unknown hackers highlight the very risks posed to the Irish Internet space. Eircom have admitted that these attacks were the result of DNS poisoning, but we still have no further details as to the vulnerabilities exploited by the attacker(s). Nor do we have any insight into the motivation behind the attacks. Speculation has ranged from the same hackers that attacked US and South Korean sites, to Russian mafia gangs, to disgruntled Eircom customers.

Eircom is the largest ISP in the country, providing Internet services not only for their own customers but also for many other telcos and ISPs that piggyback on the Eircom infrastructure. By default, then, Eircom can be classified as being part of our Critical Network Infrastructure.

Eircom admit in their own press release that they had to patch some of their systems to deal with the attack. They even acknowledge that some of their remediation steps may have caused additional outages for their customers. This to me is extremely worrying and raises questions such as:

  • Why is a key provider of our Critical Network Infrastructure not applying patches in a proactive manner?
  • Why did it take an attack to ensure that the appropriate patches and fixes were applied? 
  • What incident response capabilities and pre-planning were in place to ensure that the source of the attacks and systems affected were quickly identified, remediated with minimum impact and systems fully recovered?

The main concern I have is what is being done to ensure that the organisations who make up our Critical Network Infrastructure, whether they be private or government entities, are properly securing those systems?  What reassurances do we have that all ISPs have applied the appropriate security patches to their DNS servers and indeed other key elements of their infrastructure?

Industrial and state espionage is not a new thing, and with the introduction of information technology it has become even more prevalent. Countries like the US, UK, France, Belgium and India have all raised concerns about foreign nation states targeting high tech resources in their respective countries. As recently as late July a German counter intelligence official claimed that Germany is losing an estimated €50 billion and 30,000 jobs a year as a result of industrial espionage. Some of the key industries included renewable energy and communications, the very industries outlined in the Irish Government’s smart economy strategy to create a Digital Ireland.

A number of the countries, such as the US and the UK, have learned from their experiences and are quickly appointing people to ensure their nations’ digital assets are protected. 

Indeed in the United States this whole issue has even gotten the attention of the President.

 

Listen to the above speech and see how the U.S. is taking this issue seriously, and then compare it with the below answer given by our Minister of Defence to a question posed to him on what steps Ireland has taken against the “cyber risks and threats”:

Cyber security, cyber crime and internet security represent challenges that are constantly evolving and require vigilance and appropriate responses. Cyber security is multi facetted. The nature of the threat and the potential impact also varies considerably depending on the approach and objective of those with malicious intent.

In the first instance, each State agency, business and individual should take every precaution with regard to their security. Awareness of security, the risks and available safeguards, can be seen as the first line of defence for the security of information systems and networks. I am aware of considerable activity in this regard. My colleague the Minister for Communications, Energy and Natural Resources has undertaken a number of awareness campaigns aimed at individuals, SMEs, the education sector, the public Sector and business. My colleague the Minister for Justice and the Garda Siochana are also active in areas such as cyber crime and cyber bullying. The legislative programme includes the Criminal Justice (Cybercrime) Bill, being prepared by the Department of Justice. This Bill gives effect to the Council of Europe Convention on Cybercrime as well as to the EU Framework Decision on attacks against Information Systems.

My Department and the Defence Forces focus on the risks and threats arising in the context of the roles laid down by Government for the Defence Forces. My Department and the Defence Forces implement a programme of continuous review in relation to ICT security in order to keep up to date with current threat levels. This risk assessment is carried out by a high-level Board comprising civil and military personnel and is supported by sub-groups who carry out specific reviews where a security risk is identified. Detailed policies and guidelines are provided to all users of ICT systems and considerable resources are invested in assessing weaknesses and protecting systems against cyber attack and malicious security breaches.

I would also point out that the Defence Forces take comprehensive measures with regard to the security of their information and communications systems when deployed, in Ireland and overseas. Details of measures taken are not publicised for security reasons, but given the levels of upgrading and increased protection put in place in recent years, the vulnerability to such attacks has been greatly minimised.

via Kildarestreet.com

I think the fact that Ireland’s CERT (IRISS) is a not-for-profit organisation run by a number of volunteers and depends on sponsorship to survive is another indicator of how seriously the Government appears to view cyber security.

If we as a nation seriously want to become a knowledge economy then we need to take a strategic view on how we protect the digital assets that we are trying to develop. We need to develop a cyber security strategy and ensure that someone is given the responsibility, and most importantly the authority, to ensure that all organisations that make up our Critical Network Infrastructure, and upon whom we rely to create the new Digital Ireland, do so in a secure manner.

2 Comments

  1. pat mckenna says:

    Hi Brian.
    We live in a proverbial ‘if it isn’t broken then don’t fix it’ bubble that has expanded in the current climate. I read recently that hackers are becoming the equivalent of investigative journalists in the cyber domain, and it would appear that such unethical pen testing gets results – the Eircom patching being a case in point.

    There is a difference between a data protection or security policy, and its implementation. Assuming that an organisation has such a policy in the first place, they tend to exist somewhere between the policy aspirations and what exists in reality, and use the policy as a shield in the event of something going wrong.

    Non regulated organisations implement all the security they can afford run by a ‘real’ IT Security Officer IF they can afford one. Add to this the mantra that orgs don’t want security measures that impact on staff doing their work efficiently, and most of all, customers interacting with them: online banking and 2 Factor Authentication come to mind.

    The Minister has great aspirations, and we have enough people and groups such as IRISS in the IT Security Industry in Ireland to assist him.

    The question is this: what’s he going to do about it? Speeches are great, aspirations are great, policies are great, so maybe invite him to have an open Q&A session at the next ISSA meeting and he might get a sense of the gap between policy and implementation in the real world.

    Or maybe I just fell out the wrong side of the bed this morning.

    Pat

    • Brian Honan says:

      Pat

      You are right in the difference between policy and implementation. My concern is that we do not have a cyber security strategy in Ireland and that we are depending on concerned individuals and organisations to plug the gap.

      Interestingly though I saw last night that the Department for Communications has put out a tender for the development of a national cyber security strategy, http://www.etenders.gov.ie/search/show/Search_View.aspx?ID=AUG125013

      It would be nice to think this post had some bearing on that but I doubt it very much
