Plan to establish beefed-up cyber defence body sanctioned by government

The report of the CDF – and its second investment model or level of ambition 2 (LOA2) – was accepted in principle by the Government, which signed off on a High-Level Action Plan in July 2022. The Implementation Plan is still awaited.

A key recommendation under LOA2 is a massive investment in the resources and staffing of the Defence Forces cyber sections and a significantly expanded role.

Traditionally, and currently, the cyber remit of the Defence Forces is the security and protection of its own IT systems, although it does have members seconded to the National Cyber Security Centre (NCSC) as well.

LOA2 sees the establishment of a new Joint Cyber Defence Command, with an additional 100 personnel. This ambitious recruitment target would take 5-10 years, the report said.

The CDF said that under LOA2 the Defence Forces would have the capacity to defend the State from a military cyber attack and deter aggressive acts.

The commission said the ultimate objective would be that the command would be able to identify and intercept cyberattacks or other hybrid aggression “in order to defend Ireland’s sovereignty, its sovereign rights, its national interests and resources”.

It said the command would conduct three main types of operations: defensive operations; intelligence operations and “offensive operations for defensive purposes”.

The report said the Defence Forces needed to “radically alter” the way it sources personnel to work in its cyber sections and said the traditional approach of recruiting military personnel first and then training them “must be set aside” or supplemented.

It said “large” numbers of civilians would need to be directly recruited, but the report was silent on how the Defence Forces could offer a sufficiently attractive package, particularly at a time when both the NCSC and the Garda Cyber Crime Bureau were also recruiting from the same pool.

In the Dáil, Tánaiste Micheál Martin, who is Minister for Defence and Minister for Foreign Affairs, said the Defence Forces' role in cybersecurity was being developed under the High Level Action Plan.

He said the importance of this role would grow as threats in the cyber realm increase.

In reply to a question from Sinn Féin’s defence spokesman Matt Carthy, Mr Martin said the recommendation to create a Joint Cyber Defence Command was accepted in principle by the Government, which meant that it required further consideration on the best way to implement it.

He said: “Sanction has been given for the Defence Forces to create a new Cyber Development Planning Office which will start the planning needed to enhance Defence Forces structures across the cyber domain required by a new Joint Cyber Defence Command, including the management of Defence Forces IT Services, CIS Services and Cyber Defence.

The Tánaiste added: “This Cyber Development Planning Office will also progress other cyber-related recommendations identified in the High Level Action Plan, including updating and publishing a cyber defence strategy in line with best international practice and standards as well as incorporating practical lessons identified from comparator countries and EU Member States’ maturing cyber commands.” 

Mr Carthy also asked Mr Martin about the 130 recommendations in the CDF and when the implementation plan would be published.

The Tánaiste said 103 of the 130 recommendations were accepted by Government for implementation, or accepted in principle, with 17 requiring further evaluation and a further 10 to revert to Government.

“The High Level Action Plan set out a total of 38 early actions to be completed within 6 months of the Government decision,” he said.

“A comprehensive written update on all 38 early actions was published on 23 March of this year and includes the status of each of the 38 early actions in tabular form. At that time over 80% of the early actions had been achieved.” 

He said progress continued on the remaining early actions, and that approximately 90% have been achieved, with the remainder at an advanced stage and due to be completed shortly.

“The development of a detailed implementation plan is at an advanced stage and is expected to be published in Q2 of 2023," he said. "When published, it will set out the approach to implementation for each of the 130 recommendations.

“Effective reporting mechanisms were put in place for the 38 early actions, and once the detailed implementation plan has been published similar reporting mechanisms will track the progress of all the Commission’s recommendations.”