Ireland's cybersecurity body to get power to scan the networks of State institutions

The centre will also the power to “block or suspend” websites where they have been compromised with the intent of causing harmful action against the State or other states.

The general scheme of the National Cyber Security Bill, just published, will give the NCSC a statutory role in protecting the national security of the country.

'Foreign or domestic interference' 

This specifically includes preventing “foreign or domestic interference” in key information and network systems, including in the area of information manipulation, such as disinformation.

The bill also places significant legal obligations on essential and important entities in reporting cyber security incidents to the NCSC, as well as conducting their own risk assessments and security plans.

The proposals give the NCSC legal powers in terms of supervision of compliance, including inspection powers and the ability to conduct searches on foot of court warrants.

It will also have powers to sanction CEOs and directors of essential and important services and even suspend a State business licence.

EU obligations including NIS2

The bill is in the context of mounting EU obligations in the area of cybersecurity including the implementation of the EU Network and Information Security Directive (NIS2).

The bill, published by the Department of Environment, Climate and Communications, will see the NCSC become an executive office of the department, giving it greater independence.

However, as the centre has “a number of national security roles” the proposals said it cannot be fully independent of the minister, to whom it will report. 

On its enhanced role, the proposals say: “The General Scheme sets out roles for the NCSC including national cyber security monitoring, resilience building, information sharing (national and international) and the national incident response.

Proposed NCSC scanning powers 

“It also gives the NCSC specific powers to engage in a range of scanning type activities to identify systems vulnerable to specific exploits. This type of activity is also required of the State under Article 11 of the NIS2 Directive.” 

It said this type of scanning — which can also include assessments — is conducted by similar national cyber security bodies abroad with the aim of identifying system vulnerabilities.

“It is possible, albeit unlikely, that this type of scanning would also identify infrastructure in the State that was in use by a threat actor, without the knowledge of the owner,” an explanatory note to the bill said.

It said that with the consent of entities, the NCSC can place sensors — either physical devices or software — on the systems to collect data to help detect and manage threats.

The NCSC has been operating a sensor system on Government entities, but a bill note said there was “a longstanding requirement” to offer this capability to other entities in order to manage “national security risks to key infrastructure and services”.

Power to act on DNS abuses 

The bill also gives the NCSC powers to take measures where the DNS (domain name system) — described as a ‘phone book’ of the internet — is being abused or compromised by state or criminal actors looking to inflict harm against systems in Ireland or elsewhere.

“The State has seen a significant number of these incidents in the period since February 2022,” an explanatory note said.

It said these incidents can have “complex international elements” whereby the origin of the incident and the target may be in different jurisdictions.

“As such, these powers are necessary to ensure that the territory of this State is not used as a base for offensive action against other states,” said a note to the bill.

“These powers include basic powers to block or suspend certain domains where abuse is determined to have occurred, along with restrictions on their use.”

While the NCSC is the national competent authority under NIS2, the bill sets out sectoral competent authorities in essential areas.

They include the Commission for the Regulation of Utilities, the Commission for Communications Regulation, the Central Bank of Ireland, the Irish Aviation Authority, the Commission for Rail Regulation, the Minister for Transport (for the maritime sector), the National Transport Authority, and health agencies.