Ireland’s neutrality does not stop it from being eyed as a cyber target
Richard Browne, left, director of the National Cyber Security Centre said the HSE attack was 'one of the largest cybersecurity incidents in history, globally — not just the scale of it, but the implications for individuals and their lives was particularly egregious'. Picture: Larry Cummins
Three years ago this month, all of the HSE computer systems that had been crippled by a cyberattack the previous May were decrypted and back working.
It was the biggest — and most damaging — cyber security incident ever in the State and brought home how Ireland was no different than any other country in the threat posed to its security by cyberattacks and the need to invest in protecting our critical infrastructure.
The financial cost of the ransomware attack on the HSE — in terms of the technical recovery — is estimated to be around the €200m mark, so far.
Estimates from the Comptroller and Auditor General in September 2022 said about €660m will need to be spent over seven years to implement the necessary cybersecurity improvements identified by the HSE.
In addition, 470 legal cases have been lodged against the HSE by people whose personal data was compromised in the attack.
The financial and legal bills could be substantial.
Almost 100,000 staff and patients had their personal data accessed and stolen by the Conti cybercrime gang.
This is not to mention the incalculable human costs for patients — including children and their parents — whose medical treatment and mental health care were disrupted and delayed by the shutdown, which also happened during covid-19.
Richard Browne, director of the National Cyber Security Centre (NCSC), said the HSE attack was “one of the largest cybersecurity incidents in history, globally — not just the scale of it, but the implications for individuals and their lives was particularly egregious”.
The gang responsible, Conti, was based in Russia and was one of the biggest cyber gangs at the time.
Much has been said that it was acting as a 'proxy' for the Russian state and its intelligence services.
A study by the Stanford University Cyber Policy Centre in July 2023 examined 55 Russia-based ransomware groups on the dark web.
It found an increase in their attacks leading up to elections in several major democracies and on companies that withdrew from Russia following its invasion of Ukraine in February 2022.
The study specifically looked at 60,000 leaked messages from Conti and found it “generally acted independently” from the Russian state.
But it added: “However, they also reveal connections between Conti leaders and Russian government contacts and show cooperation on at least one state-backed cyber operations.
The study concluded: “Our data is consistent with a model where the Russian government maintains decentralised yet cooperative relations with Russia-based ransomware groups.
"The government offers safe harbour from prosecution in exchange for plausible deniability for attacks and access to skilled cyber actors. The Kremlin also benefits indirectly as groups primarily target victims in Western countries. Our findings suggest ransomware presents an international security threat in addition to functioning as a form of crime.”
The attack, along with other reviews and obligations from EU Cyber Directive NIS 2, has seen a significant increase in the resources of the NCSC, in contrast to investment in Garda Security and Intelligence and Military Intelligence.
The NCSC is also set to get increased powers in its ability to scan and detect threats in relation to essential State and non-State bodies and ensure those institutions are complying with new EU standards.
While Ireland does have a National Cyber Security Strategy and another is being developed, the country still does not have, after many years waiting, a national security strategy, and a maritime security strategy is only now being developed.
In their absence, other steps have been taken in identifying our interests, threats and capabilities.
In recognition that partnerships with like-minded countries are crucial to combating cyber security threats, NCSC is part of a plethora of EU networks working to improve cybersecurity.
Ireland has also signed up to voluntary programmes with both the EU and Nato to join networks, and share expertise and knowledge to protect essential services from cyberattack — whether the motive is money or malice.
In the EU, Ireland has joined two European Defence Agency (EDA) projects, including Cyber Defence Exercises, in addition to two under Pesco (Permanent Structured Cooperation Projects), including one protecting critical infrastructure.
Commenting on this last July, Tánaiste Micheál Martin said: “This [cyber] project allows our Defence Forces experts to gain insight into cyber threats experienced by other members states and, importantly, learn from these in an effort to mitigate any national attacks. The main aim is to strengthen cooperation of cyber defence education, training and exercises.”
He said the NCSC could also take part in some of the programme.
Ireland has also signed up to several Partnership for Peace (PfP) projects with Nato, including one on cyber.
Again, like with the EU programmes and in line with our policy of military non-alignment, Ireland has been a voluntary participant in PfP since 1999.
Under the most recent version, Individually Tailored Partnership Programme (ITPP), Ireland is taking part in four-year-long projects on cyber, hybrid, resilience and maritime/critical undersea infrastructure (CUI).
The took part in a visit, organised by the US Embassy in Dublin, to Nato headquarters in Brussels and the Supreme Headquarters Allied Powers Europe.
Hybrid attacks are a category of hostile state activity below open warfare and can include disinformation and political interference, espionage, sabotage, attacks on critical infrastructure and provocative military displays of power.
Any or all of the above hybrid measures can be undertaken to undermine the resilience of a democratic state, its cohesion and its ability to govern.
The Nato analysis — one shared by the EU diplomatic service — is pretty clear: the scale and severity of hybrid attacks by Russia on the West have increased considerably since the invasion of Ukraine and through the summer’s European elections and general and local elections in member states.
This is now continuing in the US, which has its presidential election in November, with disclosures only yesterday from the US Department of Justice on recent Russian hybrid activities in the country.
Odds are shortening on an Irish general election in November, followed by a presidential election next year, both of which may attract hostile state hybrid attacks.
Ireland is one of four countries in the Nato Western European Partners, along with Austria, Switzerland and Malta — all of which are militarily neutral.
In relation to hybrid attacks, Nato countries have seen Russia use ‘middlemen’ in Europe to carry out acts of sabotage, including fires in Poland affecting supply routes to Ukraine as well as companies and military installations and, in Poland and Baltic States, violations of airspace.
The feature of hybrid attacks is that it is very difficult to prove attribution (who was behind it) meaning they are easy to deny.
Experts say they are noticing a pattern of criminal cyber gangs being used by the Russian state to conduct sophisticated espionage campaigns and disinformation, with artificial intelligence and so-called ‘deep fakes’ set the “turbocharge” this area.
Those tasked with tracking hybrid measures say Russia does not create divisions in Western societies but is very experienced at identifying the faultlines and exploiting them.
This is to undermine support for Ukraine, undermining trust in democratic governments and institutions, as well as the free press, and heightening polarisation in societies.
“It’s like money laundering, but is information laundering,” one expert said, “and AI is becoming a huge problem and is only beginning.”
Ireland was at the centre of a particularly provocative hybrid attack in February 2022 — just before the Russian invasion of Ukraine — when the Russian navy conducted military manoeuvres just off the edge of Irish-controlled waters – the Exclusive Economic Zone (EEZ).
This area of activity was also above a massive cluster of transatlantic undersea cables, most of which pass near and through the EEZ.
The suspected attacks on gas pipelines in the Baltic and Nordic countries have resulted in increased Nato activity in the Baltic Sea and the North Sea.
The Tánaiste said in July those attacks by hostile powers “force us to confront vulnerabilities in our offshore infrastructure”.
The Russian fleet is back off Irish waters this month as part of its annual global ‘Ocean’ exercise.
The naval exercise in February 2022 happened just before Russia’s invasion of Ukraine and took place shortly after Russia announced in late January that its exercise would take place well inside the EEZ.
It became international news when Irish fishing vessels protested at the exercise over fears of damage to fishing and Russia said it would move the exercise back to the borders of the EEZ.
The lack of visible strength by the Irish Naval Service drew a lot of criticism both within the Oireachtas and among military experts.
Sources have said they expect the Russian exercise to be “much smaller” this year.
Military experts point out there are two purposes to these Russian exercises in the North Atlantic.
The first is strategic, to be visibly present in the so-called GIUK gap, between Greenland, Iceland, Britain and Ireland, a major sea supply route.
The second purpose was to conduct manoeuvres around the cluster of cables off the southwest coast of Ireland, mapping the location of cables.
Imagery posted just yesterday by maritime experts showed Russian naval exercises that morning off the southwest coast of Britain and northwest coast of France.
Sources say that the Russian navy is “struggling”, with maintenance and refuelling a major problem given the war in Ukraine and international sanctions.
However, its submarine patrols are thought to be largely continuing.
A recent paper by the Centre for Strategic & International Studies said Russia has several advanced submarines, including the Losharik, which are capable of operating “at extreme depths” and equipped with “manipulator arms” for interacting with undersea infrastructure.
This is in addition to ‘research’ vessels, like the Yantar, which has been seen off Irish waters in 2021.
“Yantar has been observed loitering near undersea cable routes, equipped with submersibles capable of cutting or tapping into these cables, signalling a clear intent to exploit these vulnerabilities in a potential conflict scenario,” it said.
The paper said data cables were “critical” for almost all aspects of commerce and business, responsible for 95% of international data.
It said the need for cable capacity is increasing to allow for the operation of data centres and cloud storage, and the coming AI revolution.
In Ireland, the report of the Consultative Forum on International Security Policy, published last October, said data cables were of “critical strategic importance” and were “vulnerable to attack” and urged investment in this sector.
The National Risk Assessment 2024 said threats to critical infrastructure and maritime security “from acts of sabotage have become more pressing” and the concentration of communication and cloud infrastructure in Ireland exposed Ireland to “an additional degree of risk”.
This view was echoed by the Department of Defence’s Defence Policy Review 2024, which also linked threats to critical infrastructure to espionage.
“Enhanced counter-intelligence and cyber capabilities and cooperation with international partners will therefore be essential,” it said
The sharing of intelligence through partnership in the Nato cyber project is not part of the agenda and any such sharing, say between the British Royal Navy and the Naval Service, would have to be done on a bilateral basis.
The projects on cyber, hybrid and CUI are in their early stages and run for four years.
The first meeting of the CUI network was only held in the spring, with a second meeting towards the end of the year.
The initial phase is described as “dialogue and understanding”, to establish what individual countries are doing in this area and what the threat assessment is.
It is thought it will take a couple of years before pragmatic cooperation begins.
A crucial area of critical undersea infrastructure (CUI) — and one area only beginning to attract attention in Ireland — is the security of energy infrastructure in Irish waters.
Various wind energy and enterprise strategies and reports in Ireland in recent years are sparse on any reference to security threats in Irish and EEZ waters.
But they are cited in both the National Risk Assessment 2024 and the Defence Policy Review 2024.
The risk assessment said a reliable supply of electricity and gas was “critical” to the economy and society. It said one estimate, albeit from 2011, said the loss of gas-fired electricity would cost the state up to €1bn per working day.
An expert focus group for the assessment concluded the loss of gas connection to the UK, coinciding with a period of high demand, represented a “reasonable worst-case scenario” and the impact on electricity generation was deemed “critical”.
The defence review said Ireland was “one of the most energy import-dependent countries” in the EU, with the risks heightened by our geographical position and limited supply lines.
The planned, massive increase in offshore wind energy — including ambitions to see Ireland producing excess energy for export — will significantly increase those risks, given the significant infrastructure investments in energy storage systems and interconnectors, all of which rely on cyber-infrastructure.
Nato set up an Undersea Infrastructure Coordination Cell in Britain in February 2023, to “map vulnerabilities” and coordinate efforts between members.
This operational unit is not part of the ITPP, so partner countries like Ireland are not included as it is only for members.
However, it is thought the next four-year version of the ITPP could see that change, depending on the views of partners and the agreement of the 32 Nato states.
As a North Atlantic military and political alliance — crossing North America and Europe — Ireland is the “missing piece”, as one source said, “sitting right there in the middle” of the Nato network.
Some experts point out Russian agencies are always “looking around for weak spots” and that is what they focus on, not on whether the country is a member of Nato, knowing the interconnection of European energy and digital infrastructure.
Security experts believe countries “must demonstrate advantage” to deter hostile acts, requiring both investment and a willingness to act — otherwise authoritarian states will see that as weakness.
There seems to be a general acceptance on almost all sides that, whatever the rational pros and cons of joining a military alliance, Nato membership is simply not on the agenda in Ireland.
The alternative path — of gradually increasing voluntary partnership with Nato and deepening EU security cooperation, along with sustained and significant increases in Irish defence and security budgets and a functioning national security infrastructure — seems to be the best path ahead for Ireland.
Whether that approach will be enough to prevent a HSE Mark II or a ‘Cable Cut’ Mark 1 is in the balance.
CONNECT WITH US TODAY
Be the first to know the latest news and updates
