The HSE ransomware attack showed that we need to rethink how we view cyber security and the public investment required to make the state and citizens safe and secure online. This was the nation’s most serious cyber-attack, shutting down much of the HSE’s IT system and thereby compromising patient care and confidentiality. Luckily, the restoration of the HSE IT system is progressing well, with 95% of servers back online[i]. The IT costs of the attack are estimated to be at least €100 million, with longer-term re-investment costs perhaps reaching half a billion[ii], and the cost to patient health and wellbeing has yet to be calculated.
At the moment the government’s cyber security policy team resides in the Department of the Environment, Climate and Communications, with the National Cyber Security Centre (NCSC) as its main operational arm. The NCSC was established in 2011, with its prime focus being intelligence, education, inter-departmental co-ordination and incident response. It works in partnership with An Garda Síochána’s cybercrime unit (established in 1991), which is responsible for cyber investigations. The NCSC strategic plan (2019) includes the goals:
“To identify and protect critical national infrastructure by increasing its resilience to cyber-attack and by ensuring that operators of essential services have appropriate incident response plans in place to reduce and manage any disruption to services.
To improve the resilience and security of public sector IT systems to better protect services that our people rely upon, and their data.”
However, the budget for the NCSC at the time of the HSE attack was €50 million covering just 25 staff, and the NCSC Director post has been vacant for about one year now.
Looking at the rapid developments in technology, e.g. the deployment of AI into applications, the connection of a broad range of computerised products and devices (IoT), the rapid move to Cloud, the growth of e-commerce, 5G telecommunications, and globalised supply chains, one might wonder how we can actually defend against cyber hackers (many of whom have state support, ‘ransomware as a service’ and AI-based phishing and hacking tools).
Consider that we have the Central Bank for financial regulation and the EPA for environmental regulation. Do we need an equally resourced agency focused on the safety and security of our online environment? It could bring together the different cyber security strands from the NCSC with the departments and agencies covering cybercrime, defence, enterprise, trade, commerce, communications, consumer protection, media and much more, all in one comprehensive agency with strong regulatory powers. This agency could be tasked with keeping pace with technological developments and building a strong regulatory framework within which all online product and service providers must operate.
Is it time our government put cyber security into one place to better manage all these technological developments? Should it significantly ramp up the resources needed to police these policies? Alarm bells are ringing, and the penny is dropping for many leaders across the globe[iii]. The US government recently made a number of big announcements involving big tech to enhance cyber security, e.g. Microsoft’s $20 billion for improved cyber security design and Google’s $10 billion for securing supply chains. There is now an urgent imperative to do much more to secure the government, the economy and citizens from cyber-attacks. We don’t need to wait for the next EU directive or the next big hack to act. Let’s start asking for a fully integrated, fully funded department for cyber security. Let’s take the lead in creating a proactive and joined-up approach that makes Ireland a safe and secure place to live and do business.