Late into the festive period of 2019, Ireland’s National Cyber Security Centre (NCSC) published its National Cyber Security Strategy 2019-2024, setting out a plan of action for the next five years. It positions the NCSC for a more proactive role in ensuring the resilience of the nation’s Critical National Infrastructure (CNI).
The NCSC provides assistance to Government bodies and Critical National Infrastructure providers across Ireland and so this strategy will be of particular interest to those groups.
The strategy is an important document, as it recognises Ireland’s increasing significance in the digital economy, estimating that the country is home to over a third of EU data. This reality illuminates the NCSC’s role as a key player in realising the EU’s cyber security objective of ensuring a high common level of cyber security across Member States. The EU Network and Information Systems Directive (NIS Directive), which the NCSC is tasked with implementing, is the legal instrument designed to achieve this objective.
The strategy highlights the measures needed to proactively improve the resilience of key infrastructure and services.
The Irish NCSC was established in 2011, operating as an arm of the Department of Communications, Climate Action and Environment (DCCAE). The organisation includes the nation’s Computer Security Incident Response Team (CSIRT-IE) and is charged with providing assistance to Government bodies and Critical National Infrastructure providers across Ireland in responding to cyber security incidents at a national level, an example being the 2017 hacking attempt of the ESB by adversaries with possible links to Russia.
Other incidents that have spurred the evolution of the NCSC in recent years include the handling of events such as WannaCry2 and NotPetya which, it has been alluded to, were significant learning events for the organisation.
The organisation periodically updates the National Cyber Security Strategy, taking into account the evolving threat landscape. This is the first update since the first such strategy in 2015 and takes account of the need to comply with the NIS Directive, which came into force when implemented into Irish national law in 2018. The UK NCSC also periodically releases a National Cyber Security Strategy, with the current one in place until 2021.
The updated strategy sets out twenty measures to develop Ireland’s cyber security sector and deepen its international engagement on the future of the internet. They can be summarised as:
Increasing Monitoring & Analysis Capability
The strategy’s primary purpose is to ensure that the NCSC can meet the nation’s cyber security goals and recognises its role in achieving this through measures such as expanding its ability to monitor and respond to cyber security incidents and developing threats in the State. This includes working with partners to enhance threat intelligence and analysis and carry out updated risk assessments of the vulnerability of all Critical National Infrastructure and services to cyber-attack.
Expansion of Scope of Critical National Infrastructure
The existing Critical National Infrastructure protection system will be expanded and deepened over the life of the strategy to cover a broader range of Critical National Infrastructure, including aspects of the electoral system. This will involve enhancing cooperation between relevant groups such as the existing Threat Sharing Group, a new Government IT Security forum and interdepartmental group (IDG) on internet governance and international cyber policy.
Sectoral Guidance & Setting Minimum Standard
The NCSC, similarly to other National Cyber Security bodies, will continue to be a source of relevant guidance regarding measures to enhance the cyber security of organisations. The strategy commits the centre to releasing sectoral guidance (regarding security of telecommunications infrastructure) and the development of a baseline security standard to be applied by all Government Departments and key agencies.
Training, Education & Research
The Government has committed in this strategy to developing second and third-level training in computer science and cyber security, and supporting the work of organisations such as Skillnet Ireland, SOLAS and Science Foundation Ireland in developing training, research programmes and further career options. The centre will engage with the Industrial Development Authority (IDA) and Enterprise Ireland to facilitate collaborative links between enterprise and the research community with the goal of supporting the practical application of cyber security research in business.
The strategy commits to reinforcing Ireland’s diplomatic commitment to cyber security, including by stationing cyber attachés in key diplomatic missions and by engaging in sustainable capacity building in third countries. In addition, the centre plans to deepen its existing engagement in international organisations, including by joining the Cyber Security Centre of Excellence (CCD-COE) in Tallinn, Estonia.
The Government will develop a national cyber security information campaign using information provided by the NCSC and the Garda National Cyber Crime Bureau.
While the strategy is broad and addresses a number of problem domains, it is light on the details of what is needed to realise the measures set out in it, and ambitious in terms of the timeline set out to achieve them, given the strategy’s already delayed publication.
The strategy would be well served by placing greater emphasis on bringing the private sector under the umbrella of the National Cyber Security Strategy, particularly as there is often a dependence on private sector operators for the provision of state services.
The planned measures incur a cost, and the strategy does not address the budget that is necessary to achieve them. We have seen with the Data Protection Commission that as its mandate has grown, its budget has not kept pace. The NCSC faces a similar challenge to ensure that its capability matches its mandate. The creation of a Joint Security Operations Centre (JSOC), targeted for the end of 2020, will require an increase in the availability of expertise and peoplepower. It is worth noting that it is estimated that demand for cyber security graduates will continue to outstrip supply.
There are positives to be taken from the National Cyber Security Strategy. It is a key component of meeting the requirements of the NIS Directive, highlighting what needs to be achieved to proactively improve the resilience of key infrastructure and services through measures aimed at increasing co-operation, preparedness, and incident response capabilities. It is clear that significant consideration has been given to identifying the problem domain and that there is a vision for what the NCSC needs to achieve. The execution of that vision will require sufficient availability of expertise, time and appropriate budget, all of which pose their own challenges.
At Trilateral, we work with public and private sector organisations to evolve their cyber security strategy. Feel free to get in touch with our Data Governance and Cyber-Risk Team, who would be happy to assist you with your data protection and cyber security needs.