I was interviewed by the Irish Times on why “Ireland (is) Vulnerable to Cybersecurity Attack” During my chat with Charlie Taylor I mentioned a number of concerns I have regarding how Ireland is dealing with cybersecurity at a national level and that in many areas it is disjointed with no one department or function taking overall responsibility. The article mentions my calls for a cybersecurity tsar, but this is not the only area we need to work on.
October is known as the European Cybersecurity Awareness Month and countries throughout the EU, and indeed globally, have put together awareness campaigns aimed at their citizens and businesses alike. The whole purpose of these campaigns is to help people become more aware of the cybersecurity risks they face and to take the appropriate steps to protect themselves and others. A good awareness campaign is critical to support an effective cybersecurity strategy. However, when you go to the website for the European Agency for Network and Information Security to see which countries have government sponsored campaigns it is notable that, as per the picture below, Ireland has no such campaign.
This lack of support brought back to me the need for us as a nation to have an effective cybersecurity strategy to better protect our economy, infrastructure, businesses, and citizens.
I wrote about the need for a national cybersecurity strategy in a post back in 2009 “Securing Ireland’s Digital Future”. Since then we have had a strategy published in 2015 and the National Centre for Cybersecurity has been established.
The Government set up the National Cyber Security Centre in 2011 to protect critical national infrastructure. But according to a recent article in the Irish Times, a report by the public spending watchdog found that the unit has no strategic plan and needs a funding review. For anyone keen to establish Ireland as a centre for cybersecurity, then the Comptroller and Auditor General’s review of the National Cyber Security Centre made for disappointing reading.
That’s not to criticise the NCSC: it can only make do with the budget and resources it has. But the story suggests that the Government doesn’t take cybersecurity seriously. In year one, it allocated €800,000 in funding to the unit, but the following year, its funding fell below €266,000 and stayed at that level over the next three years.
The C&AG report also found that the oversight body that’s supposed to review the NCSC’s performance hasn’t met since 2015. That also happens to be the same year when the Government last published a cybersecurity strategy.
You only have to glance at the headlines to see how much of a prominent issue cybersecurity has become. Think of data breaches, DDoS attacks, online financial scams and state-sponsored activity to name just four. Ransomware infections like WannaCry and NotPetya are cost businesses and public agencies significant sums of money, not to mention disrupted operations.
The C&AG also noted that in 2017, the NCSC’s funding rose again to €1.95 million. We know from reports that the Data Protection Commissioner and the Garda’s Computer Crime Investigation Unit also had their funding increased recently. But is that funding enough for that they need?
I would argue the Government needs to go further. We need a coherent and centralised approach to protecting our nation, rather than having responsibilities for various aspects for cybersecurity spread throughout different government departments and agencies.
Given how critical cybersecurity is to our ambitions as a nation to grow as a technical hub for Europe the government should look to;
- Establish a cysecurity tsar with the autonomy and authority to drive a cybersecurity agenda at all levels of the public service, and to engage with the private sector.
- Engage with key stakeholders to ensure all needs are met. The Citizens’ Assembly could be an excellent model or indeed forum to adopt to identify all the relevant needs.
- Based on the above engagement develop a revised cybersecurity strategy with a concrete action plan to achieve the goals of the strategy. Earlier this month at CyberConf in Dublin, Minister Sean Kyne said that a new cybersecurity strategy is due in 2019. That’s not a moment too soon. We’ll await that document with interest.
While cybersecurity is everyone’s responsibility it is now too critical for us as a nation, both from an economic and national security point of view, for it to be left to individual government departments or businesses to look after.
As a small nation we have the unique advantage of being able to quickly engage with all key stakeholders and to implement initiatives to make us more secure. It is time for us to ensure the security of our nation includes the realm of cyberspace and that Ireland can become a leading light in how to create a safe online space on the internet for its citizens and businesses alike.