State cyber security body understaffed and overworked, report finds

The report said internal National Cyber Security Centre capability was the “most urgent” issue in terms of its technology strategy and said there needed to be an “urgent review” of its internal structures to provide a career path and “boost retention”.

The country’s cyber security body is understaffed and overworked and lacks the structures and laws to do its job, a Government-commissioned report has said.

Cyber minister Ossian Smyth said all the report’s recommendations would be implemented but flagged that it “will be a challenge” to fulfil the Government’s own promises to boost staff at the National Cyber Security Centre (NCSC) from 25 to 45 by the end of 2022.

The capacity review of the NCSC, conducted by external consultants, said that the necessary increase in staff was against the background of the centre's workloads having “increased significantly” since it was set up in 2011.

It further said that forthcoming EU cyber security measures will “add considerable strain” to the centre in the coming years.

In a heavily redacted three-page summary provided by Minister of State Smyth to the Oireachtas communications committee, US-based FireEye consultants recommended:

  • Increase NCSC staff from 25 to 41 “at a minimum” within the next 18 months;

  • Provide the centre with a single HQ facility;
  • The centre’s Operations team should be increased “as a priority” and have a dedicated intelligence team;
  • Regulatory functions of the centre be transferred to a separate body;
  • New laws to formally and fully make the centre a national security and intelligence body, with the ability to detect and disrupt sophisticated cyber attacks.

The report said laws setting up the centre on a statutory basis, with full cyber capabilities, were “critical” for its operational future.

It said legislation should set the centre up as an “independent organisation”, define its national security remit, provide it with a dedicated budget and enable it to “properly monitor” cyber threats.

The report said the NCSC had three functions — an advisor to external bodies, a manager of cyber incidents and a regulator of cyber laws, with potential for conflict between the roles.

It said its workloads “have increased significantly” since it was set up and said a “significant burden” rests on the centre to deliver on the National Cyber Security Strategy 2019.

It said the centre “does not currently have the organisational design or capacity” to achieve all the strategy’s objectives.

It said recent and forthcoming measures and directives from the European Commission “will add considerable strain” to the NCSC in the coming years.

Defence stretched

The report said the centre is “currently under-resourced and over-tasked” in having to provide advice to around 120 bodies, agencies, and institutions deemed part of the country’s critical national infrastructure.

The report said internal NCSC capability was the “most urgent” issue in terms of its technology strategy and said there needed to be an “urgent review” of its internal structures to provide a career path and “boost retention”.

Committee chairman, Fine Gael TD Kieran O’Donnell, said that while the report’s summary was “generally complimentary” of the centre’s staff, it suggested the structures of the NCSC were “not fit for purpose”.

Sinn Féin’s Darren O’Rourke echoed that and said the summary was a “very damning indictment”.

He said the summary left him in no doubt that the State “could have been better prepared and should have been better prepared” for the HSE attack last May, given the report said that the centre was “underresourced” and “overtasked”.

Mr Smyth disagreed that the report said the centre was “unfit for purpose” but said that it needed more resources.

He said the Government announced last July that staff at the centre would increase from 25 to 45 within 18 months, and to 70 within five years, but accepted it “will be a challenge”.

He said around €2m was provided in current spending this year and €5m in capital spending, representing a significant increase.

Mr O’Donnell said experts had told the committee that current funding should be around €50m, based on a per capita comparison with the UK.

Joke spending

Independent senator Gerard Craughwell said €13.8m was provided to the centre between 2017 and 2021 and described that as “a joke”, adding that Malta was due to spend €1.9bn on cyber security over the next six years.

Mr Smyth said that the NCSC funding was only a “very small” portion of total State cyber spend, estimating the total cost was in the “hundreds of millions of euro”.

He pointed out that the US and the UK had been hard hit by cyber attacks — including to hospitals and pipelines — adding that they “haven’t been protected by enormous spend”.

He also said that the NCSC has contracts with international cyber security consultants.

He said that none of the tech giants in Ireland had contacted him about the HSE attack or “expressed concerns in any way” about Ireland’s cyber security capabilities.

Asked by the committee chair, he said he would provide the full redacted report in the coming weeks.

In relation to reports that 30,000 computers in the HSE were operating off Windows 7, Mr Smyth said that around half of them were linked to machinery, such as MRI scanners, that could not take updated software.

He said there was “too much focus” on these computers and suggested that HSE plans to restore networks would include updating computers.

Mr Smyth said the NCSC warned last October about ransomware attacks on the health sector.

He said the HSE were “well aware of the risks and took steps to mitigate risks” and firewalled the computers with Windows 7.

Mr Smyth said the NCSC’s new offices, which he said would be “world class”, would be on one floor of the department’s new building, which he said was “expected to be completed in 2023”.

He said the centre would be provided with temporary accommodation in the meantime.

He said his officials were conducting a consultation regarding drafting new legislation for the centre, which he hoped would be completed by the end of the year.

Next year a draft heads of bill would be published, which he hoped to progress through the Oireachtas “before the end of 2022”.

He said the new legislation would give the centre a legal basis to conduct “intelligence gathering” and engage in “cyber defence”, the latter involving the ability to “disrupt” cyber attacks.

He could not provide the committee with information in relation to any proposed increase in NCSC funding in next year’s budget.

Budget increases

NCSC resource and funding issues were revealed back in September 2018 by the Comptroller and Auditor General, which found that while the centre received a budget of €800,000 in 2011, it was given annual funding of just €250,000 by the Department of Communications between 2012 and 2015.

Describing the centre as providing a “critical function”, the State’s auditor said its staff grew from just five staff in 2012 to eight staff in 2016.

It was only when its budget increased to €1.95m in 2017 that staff reached 14.


© Examiner Echo Group Limited