Ireland and Europe at risk of cyber attacks from Russia and China, Dáil committee told

Ireland’s cyber agency has launched 211 investigations so far this year, compared to 309 for all of last year, it has emerged.

The National Cyber Security Centre (NCSC) said the cyber landscape had been “worsening” in the last number of months, with Russia’s continuing aggression in Ukraine resulting in a “degradation” of cyber security across Europe.

NCSC director Richard Browne said this had been compounded by espionage, with Germany recently attributing cyber attacks to a group associated with Russian military intelligence.

He told the Oireachtas communications committee China was also heavily involved in cyber security threats, with Britain's Electoral Commission recently attributing a breach of its system to a group linked to Chinese authorities and an attack on US critical infrastructure also being blamed on a China-based group.

Mr Browne said the strength of NCSC had grown from 25 to 57 and should hit 75 by the end of the year, much of it due to obligations stemming from the European Union.

He said continuing obligations from the EU, including a new directive this year, and two more directives soon after, may mean NCSC staffing will need to reach 120-130 staff within three years, adding “it could be a lot more”.

He said ransomware — where a gang targets and cripples a company’s IT system and demands payment to release its control — is still the biggest threat, saying the number of estimated incidents rose by 75% globally in 2023.

He said this included a significant number of incidents in the US targeting the health sector. 

He said evidence suggests relatively poor cyber security and a willingness to pay ransoms has created a bit of a “feeding frenzy”.

He said global estimates suggest ransomware payments exceeded €1bn in 2023.

Mr Browne said the NCSC, an executive office inside the Department of Communications, received 5,200 reports last year, with 721 confirmed cyber incidents and 309 investigations.

He said there were 211 investigations so far in 2023, which was “substantially up” on the same time last year.

Mr Browne said a major EU directive, called NIS 2, will see a “dramatic increase” in both the number of entities and companies covered in Ireland and the requirements on these entities regarding cyber security.

He said the number of entities will go from over 100 “to at least 3,000”.

He said the directive will create national competent authorities for various sectors — such as telecoms and energy — which the NCSC will provide guidance to and oversight.

The NCSC will keep a direct brief over the government and key entities.

He said the NIS2 will be followed by the EU Cyber Resilience Act and the EU Cyber Solidarity Act.

Mr Browne said while Ireland may be small, it has “twice the number of IP [internet] addresses per head than the UK” because of the number of high-tech companies, and related economic activity, here.

“We have a substantial cyber security real estate and we have collective responsibility to everybody else that our estate isn’t used for attacks on other jurisdictions,” he said. 

It’s a question of our neutrality — we can’t be used as a base of an attack on other jurisdictions.

Mr Browne said the figure of €100m had been put on “some of the costs” caused by the cyber attack on the HSE in 2021.

He said: “The HSE [attack], in many ways, is one of the largest cyber security incidents in history, globally — not just the scale of it, but the implications for individuals and their lives was particularly egregious, and just for criminal gain.”