Cyber attacks on EU presidency designed to have a reputational impact
Draft laws published in August 2024 envisages setting the National Cyber Security Centre as a formal state agency with far greater powers. File picture
Just over two weeks ago, Ireland’s presidency of the EU suffered “a national cyber crisis”.
It started small, but escalated over two days into a full blown emergency.
Fortunately, it was an exercise — one testing the success, or otherwise, of cyber security systems.
“We had a national exercise two weeks ago (called Exercise Eriu) – a two-day exercise on the Presidency,” Richard Browne said.
As Ireland’s top cyber boss, his agency took the lead: “It was a broad national exercise, a whole simulation of a national cyber crisis run in the Government Task Force facility.”
The first day was run from inside the National Cyber Security Centre — a secure, state-of-the-art facility in Dublin.
“The focus was on telecoms and technology — so we had senior people from both sectors in our [operations] room on the Wednesday,” Mr Browne said.
“Then on Thursday, in the National Emergency Coordination Centre, we had the Defence Forces, the gardaí and representatives across government, conducting a full operational national cyber crisis.”
The National Emergency Coordination Centre (NECC) is located on a special floor of the Department of Agriculture, behind Government Buildings, where the Government monitors and responds to varying national emergencies.
Mr Browne, director of the National Cyber Security Centre (NCSC), said it provided an opportunity to train and test his own staff and his agency and also to put into practice the coordinated response on a national level.
Mr Browne said the exercise went through a “rolling series of incidents” around the presidency, starting at a low level and developing up “to a national crisis, involving either hacktivist groups, non-state actor, or state actor”.
To provide an independent analysis of how the NCSC and the Government performed, the Council of Europe Hybrid Centre — an expert body on hybrid threats — observed proceedings.
Mr Browne said it is due to provide a written report in the coming weeks — giving both his agency and departments, an up to date insight into how Ireland is prepared for cyber threats during the EU presidency, staring on July 1.
He said the two-day simulation starts with something very small that is not unlikely to happen, but which “very quickly” escalates to crisis scenarios, which he said are “very unlikely to happen”, but need to be put through tests to see how systems respond.
“Most incidents, the vast majority are hacktivism, we see it almost daily and it’s all managed,” he said.
“In June 2024, during the European Parliament election, we saw it. We had very significant hacktivism from the usual Russia-based hacktivist groups.”
He said the NCSC has conducted a presidency threat assessment and that as part of this they carried out a “detailed analysis” of the last 10 years of EU presidencies and the type of cyber incidents that occurred.
Mr Browne said incidents during the current Cyprus presidency centred on its airports but that was more likely to be linked to Iran, but added that the previous presidency, held by Denmark, experienced disruption caused by drone activity — the deterrence of which in Irish territory primarily falls to An Garda Síochána.
Last September, Danish military intelligence said they did not have information as to who was behind the incidents, but did add there was a “high” risk of Russian sabotage.
While Irish intelligence services are not thought to have evidence of who was behind the drone activity at the time of Ukraine president Volodymyr Zelenskyy’s flight to Dublin last December, the initial suspicion pointed to actors backed by Russia.
Mr Browne said: “We are in a heightened environment now,” he said.
“It’s entirely likely we’ll have incidents during the presidency — it’s also very likely we’ll have incidents that are nothing to do with the presidency.”
The NCSC director said: “Attacks on presidency are not designed to affect the infrastructure here — they are designed to have a reputational impact, they are designed to have a political impact — that is the most likely means of targeting.
“It’s not that they will go after a target here for the sake of a target, they’ll go after a target here to affect the reputation of the presidency or the reputation of the State.”
He said meetings around political events is where Ireland is likely to see cyber incidents.
“The most pressing issues are around three to four large political events. We have significant European summits in Dublin and in Cork, so if you have a website that goes down, people can’t get their accreditation — that’s the kind of thing that could happen.
"It’s not dramatic, no one gets hurt, but it disrupts the presidency, so that’s where we are focusing our attention.”
He said critical infrastructure in Ireland — such as electricity and telecoms — that could have a major impact if successfully targeted in cyber attacks are “well protected”.
He said espionage activity, primarily the remit of Garda Security & Intelligence and Military Intelligence, was different: “That’s an ongoing issue —
and the risk of that remains high — but disruption of critical services [from a cyber attack] is much more difficult. It’s not impossible, but much more difficult and less likely.”
In terms of the relative security of critical infrastructure he did point out that Poland was subject to a “very large” cyber threat last December, but added that some of the private energy companies were not well protected.
He said: “We are in a different situation here.”
A report by the Polish cyber agency said 30 wind and other energy farms were targeted in a coordinated attack, affecting IT systems and physical industrial devices.
It said it was the result of “long-term infiltration and theft of sensitive operational information”.
The Polish government blamed Russian government hackers.
Last April, Sweden said Russian hackers attempted to breach one of its thermal power plants, but was repelled by its cyber defences.
Ireland is taking part in another major cyber event, early in June — the annual #CyberEurope exercise, which this year is focusing on railway and maritime sectors and run from the headquarters of the EU cyber agency, ENISA, in Greece.
Mr Browne said they are working with the Department of Transport and relevant agencies and private companies on this exercise.
He said no one knows what it will involve: “We won’t know until the day of the exercise, which is the whole point — ut’s not rehearsed.”
He said cyber attacks could hit areas like signalling on a train network and the exercise is about how the sector responds to this, including manual alternatives to get services going.
Mr Browne said the country saw the reality of disruption to the operation of key ports last April with the fuel protest blockades.
“That was not a surprise to us at all or the State, as ports are critical and that’s why in 2024 we did an exercise at Dublin Port and the national implications of a shutdown. We had gardaí involved, the NCSC UK, colleagues from Belfast, also Rosslare, Cork and Foynes.”
Draft laws published in August 2024 envisages setting the NCSC as a formal state agency with far greater powers.
The National Cyber Security Bill — which implements the recent EU NIS2 cyber directive — will also give the agency a statutory role in protecting the national security of the country, joining gardaí and the Defence Forces.
The bill includes “emergency powers” to conduct surveillance on all Irish web traffic where there is a “pressing national security threat”.
This includes the power to seek court approval to place devices on public communication networks and data centres for an emergency period.
The agency could also “block or suspend” websites that have been compromised with the intent of causing harm against the State or other states.
The Department of Justice said the final bill is “very advanced”, with the expectation that the minister will bring a memo to Government shortly seeking approval to publish the bill.
Asked whether the bill will be published, enacted and commenced, before the summer recess — and before the presidency — the department said the progress of the legislation was solely a matter for the Oireachtas.
Mr Browne said the bill has been out of the hands of the NCSC for a “substantial period of time” and that he understood its publication was “imminent — but how imminent we don’t know”.
He said: “Do we need the powers — yes, absolutely, some of the powers are [related to] NIS2, some are around exactly the types of incidents we are talking about here.”
He added that in relation to what are called the Frontier AI models — the likes of Mythos announced last April, which can beat humans in identifying, and potentially attacking, system vulnerabilities — there are provisions in the bill that “would be very useful for us in dealing with those”.
“On 7 April, Mythos announced publicly that it can autonomously conduct cyber-attacks — far better at identifying vulnerabilities than before — and there are a number of other models pending, you’ll hear about them very shortly, that are even better again.
“It means it is now really possible for bad guys to use these models to penetrate systems that were previously thought to be secure — that’s a big deal.”
CONNECT WITH US TODAY
Be the first to know the latest news and updates
