The Irish Government has published its five-year plan for ensuring its infrastructure and computer networks are “resilient, safe and secure”. The new National Cyber Security Strategy 2019-2024 is an update to the first strategy which was published in 2015. Here’s our analysis of the plan.

The 60-page strategy paper [PDF] sets out 20 measures under seven headings: developing national capacity to handle cyber security incidents; protecting critical national infrastructure; securing public sector data and networks; skills; enterprise development; engagement; and citizens.

All the right moves

The measures include further developing the Government’s National Cyber Security Centre (NCSC) and expanding its ability to monitor and respond to incidents and threats. The NCSC will work with the Defence Forces and the Gardaí to carry out a risk assessment of the current vulnerability of all critical national infrastructure (CNI) and the services it supports.

The NCSC will develop a baseline security standard for all Government departments and key agencies. There will also be a public awareness campaign, due to start later this year. The strategy also sets out a detailed implementation plan with actions against each of the 20 high-level measures.

The strategy recognises Ireland’s role in hosting data centres for many world-leading tech companies. “Ireland is home, according to some estimates, to over 30% of all EU data, and to the European Headquarters of many of the world’s largest technology companies. Our economic success is therefore closely bound up with our ongoing ability to provide a secure environment for these companies to operate here,” the document states. In covering the launch, the Irish Times led with the risk of a possible attack on Ireland’s many data centres.

Risky business

The strategy notes some of the changes that have taken place since the first version was published in 2015. For example, the NCSC itself has grown significantly in scale and capacity. The EU Network and Information Security (NIS) Directive, the first piece of EU-wide legislation on cybersecurity, was adopted in 2016 and transposed into Irish law in 2018, and has given Government departments and agencies a framework for managing the security of their systems.

The plan notes that there are approximately 70 designated operators of critical national infrastructure and these “have been made subject to binding security requirements and to a binding incident notification requirement”. These developments mean that national infrastructure operators are “far better prepared to deal with cyber security related risks than before”, the document says.

The new strategy comes at a time when cybersecurity incidents and attacks are an increasingly common occurrence. The Journal’s story about the launch of the strategy noted that the Government’s recent white paper on defence also found that cyber threats were increasing.

Interestingly, the strategy itself reveals that “the NCSC was involved in a number of serious cyber security incidents in 2016 and 2017”. The Irish Times report suggested that these events pointed to weaknesses in the previous strategy. It also noted that an official from the Department “declined to provide more detail”.

Without knowing what happened, it’s possible there are sound operational reasons for not saying more. But in the broader security field it has become accepted good practice to share information about incidents, including the attacker’s techniques and the indicators defenders can look for, so that the wider community can understand the threats and learn from the experience. This feels like a missed opportunity: the strategy would have been an ideal forum to show how the NCSC or a Government agency detected a particular attack or mitigated a particular threat.

Omission possible

Reacting to the plan, BH Consulting CEO Brian Honan said it was an improvement on the previous version. Speaking to the Daily Swig, Brian said he was disappointed the strategy makes no reference to the indigenous private sector. “Instead, the focus of the strategy is primarily geared towards the public sector, those organisations covered by the EU Network Information Security (NIS) Directive, and the larger data providers located in Ireland,” he said.

“Given the reliance the Irish economy has on the indigenous private sector, and in particular the SME organisations within that sector, I had hoped to see more focus on what supports and initiatives would be introduced for that sector,” Honan said.

By that omission, the strategy also seems to ignore supply-chain security. In the broader industry, organisations have been spending more time not only protecting themselves directly, but also putting checks in place to ensure that their suppliers take security seriously. Many small businesses sell into Government departments and public sector agencies, which makes their security part of the public sector’s security: a weakness in a supplier is a potential route into the department that buys from it.

Show me the money

As Brian noted when the strategy came out, “what we need is commitment from the government in properly funding and resourcing the NCSC, otherwise this strategy will fail”. Yet the strategy contains no mention of specific investment figures over the five-year lifetime of the plan. The word ‘budget’ appears nowhere among its 60 pages.

Notably, when the NCSC director Richard Browne spoke at the Irisscon cybercrime conference in 2018, he referred to the strategy that was still in development at the time. He told the assembled delegates “if I wanted more money in the morning, we could get it”, saying it was “effectively a blank cheque.”

But it’s not an encouraging sign when another arm of the State’s information protection machinery, the Data Protection Commission, only got a third of the extra funding it had asked for in the most recent Budget.

It might be a minor point, but the launch date also deserves comment. The strategy went public on 27 December. If a fanfare is something you desperately want to avoid, the Christmas lull is a good time to launch something. True, some media outlets picked up on the story, but when public awareness is one of the aims, it’s an odd time to choose.