Derek Mooney: Doing National Cyber Defence On The Cheap Costs More

at

From top: HSE CEO Paul Reid. The HSE was hit on Friday by a ransomware attack, while the Department of Health shut down its systems after finding a similar digital threat; Derek Mooney

Though I have related this Jeffrey Bernard anecdote here before, it still bears repeating. When Jeffrey Bernard was too “tired and emotional” to submit his weekly column to The Spectator, the editor would place an apologetic line explaining that there was no column that week as: “Jeffrey Bernard is unwell”.

There was also another one. It was longer, but less apologetic and appeared when the editor was feeling less charitable. It read:

“Mr Bernard’s column does not appear this week as it remarkably resembles the one he wrote last week”.

Broadsheet’s editor could be forgiven for posting a similar renunciation here, as the discourse on the HSE cyber-attack I propose to put to you is effectively a re-statement of arguments and commentaries I’ve made many times over the past few years.

I have been warning about our failure to take national cyber-security seriously since late 2019. I highlighted it as a sub-plot in this column from Sept 2019 and then expanded on the problem in a column entitled: Pleading No Defence On Cyber Security.

I could quote chunks from both pieces today, because the arguments made then are even more relevant as we count the cost of the sophisticated cyberattacks which hit the Department of Health over the weekend and shut down the HSE’s IT systems since last Thursday.

Similarly, I could quote large elements of what I said in my July 2020 column: No Ministering On Data Or Cyber Defence when I critiqued the glaring gaps in this government’s approach to data protection and national cyber security.

In all these articles, and some others, I did more than highlight the problems, I tried to offer proposals that would address them. These included assigning responsibility for the co-ordination of national cyber security and the protection of key elements of national infrastructure – included our communications, power, transport, and health IT systems to the Defence Forces.

Some in the political sphere get this, including the people who wrote the defence and cyber security portions of the Fianna Fáil 2020 manifesto.

It recognised that cyber security is a matter of national defence, not just because of the importance of the digital sector to our own economy but due to Ireland’s strategic importance to the EU’s digital economy.

The manifesto said that “Ireland needs to recommit to its Defence Forces and its defence capability” identifying cybersecurity as a vital element of national defence and committed to “…transferring this important function to the Defence Forces/Department of Defence”.

Sadly, the enthusiasm and commitment of the Fianna Fáil manifesto never made it through to the joint Programme for Government. In place of the specific commitments came this empty promise to:

“Implement the National Cyber Security Strategy, recognising the potential and important role of the Defence Forces”.

How did that happen? How did an active commitment turn into a barely passive suggestion? It can hardly be due to Fine Gael and the Greens being so opposed to the very notion of taking cyber-security seriously that they blocked Fianna Fáil’s efforts in the talks?

Or, is it not more likely that the inner civil servant mentality of many around that negotiating table – not to mention the cache of Dept of Finance bean counters outside the room, totting up the costs – won out. It was decided to do nothing, as doing nothing, costs nothing. The Irish Department of Finance’s secret mission statement is: proudly saying No for over 100 years, after all.

Not that the Merrion Street bookkeepers are wrong on costs. Having a robust national cyber defence capacity will cost a lot of money, particularly if we hope to attract and retain people with the highly specialised and transferable skillsets required.

Doing that would mean reversing the flow of qualified personnel out from the defence forces and towards the private sector, attracted by higher salaries and better career prospects.

It will also mean making tough decisions on co-operating with our European partners on cyber defence. Ireland is only involved in one of PESCO’s 46 projects – it is a very important one on upgrading maritime surveillance, but we have opted not to participate on any of PESCO’s four cyber defence projects, including the Cyber Rapid Response Teams (CRRTs) project that enables member states to help each other to ensure a higher level of cyber resilience and collectively respond to cyber incidents.

We do have a choice – having a modern cyber defence capacity costs money but, as the HSE and Department of Health attacks show, not having one also costs. Remember, the two attacks I am talking about here are only the latest of an increasing series of attacks.

Up to now, the Irish state has followed Homer Simpson’s “Can’t someone else do it?”  slogan from his stint as Sanitation Commissioner, and effectively relied on private militias, in the form of  security firms protecting the digital assets of IT giants like Google, Apple, Facebook etc.

Government has assumed that these big tech companies would more likely be the targets of malevolent cyberattacks, than it would.

But it forgot that those behind these attacks, be they criminal gangs or hostile foreign governments will attack out the weak spots, not the strong ones. (See this Reuters report on how Russian intelligence agency and Chinese spies were behind cyberattacks on the European Medicines Agency (EMA) last year)

Irish government policy over the past few years has effectively turned our critical national infrastructure into a soft target for bad actors. But Ireland is home to more than its own vital infrastructure. Around three quarters of all transatlantic cables* in the northern hemisphere pass through or near Irish waters, mainly along the South West coastline.

This matters as over 95% of all global data still passes along cables laid on the ocean floor. Despite all our talk of the “cloud” satellites still only account for a tiny percentage of global data transmission. This leaves Ireland, an Island that has successfully grown a digital economy, with the most to lose if those cables are attacked or damaged.

Fixing Ireland’s cyber defence problem is going to cost money – not fixing it will cost a lot more.

* For a better explanation of their critical importance please read the Chapter entitled: Patrolling Below The Horizon: by the Irish Naval Operations Command’s Lt (NS) Shane Mulcahy, in the 2019 Defence Forces Review. Indeed, check out the Defence Force Review archive for several more detailed articles on how Ireland could deliver an effective cyber defence capacity.

Derek Mooney is a communications and public affairs consultant. He previously served as a Ministerial Adviser to the Fianna Fáil-led government 2004 – 2010. His column appears here every Monday. Follow Derek on Twitter: @dsmooney

RollingNews

Sponsored Link

19 thoughts on “Derek Mooney: Doing National Cyber Defence On The Cheap Costs More

    1. goldenbrown

      €120-150k is the going rate for senior people in this space locally afaik….even more if it’s something prominent

      there’s massive risk in it for the individual who takes it on…you’re only as good as your last day’s work, you can’t have a bad day at the office, fail once and your name is dirt and you’d be lucky to get a job in helpdesk

      career-wise the “peter principle” doesn’t apply at all to this line of work

      1. Janet, dreams of an alternate universe

        plus let’s face it most people really qualified in this field….aren’t Irish

        1. Janet, dreams of an alternate universe

          top ten countries investing in their cyber security
          1. United Kingdom
          2. United States of America
          3. France
          4. Lithuania
          5. Estonia
          6. Singapore
          7. Spain
          8. Malaysia
          9. Norway
          10. Canada

          1. Papi

            19yo will be doing his national service this year and it’s straight to cyber/computer skills, with the navy. They’re using gamers and computer savvy kids straight away for defence.

        2. goldenbrown

          ah see that’s one of the interesting things about that world Janet, there’s actually a good few out there but you just don’t get to hear or see much about them, for the serious operators stealth is an important aspect….I know some fellas that have zero social media footprint for example. Some of them don’t even mix with their “normal” IT colleagues much instead preferring to stick to their own kind networking at weirdo spook conferences. Just different. Like IT Crowd Richmond lol

      2. Janet, dreams of an alternate universe

        plus the certification you need to be country level cyber security, blat hat hacker level, well it can cost a bomb just to get there, 89.000 is just piss taking,
        sure a bug bounty freelance you can hit 100,000

          1. goldenbrown

            yep it’s Masters territory or getting a commercial pilots licence even, I looked at it a long time ago but couldn’t afford it at the time. But the other vital thing is you have to be wired for it brainwise, naturally good at maths, that expert fella I know just “sees” numbers plus is also very street smart, good combo. I prefer the pilot route myself lol

          2. Janet, dreams of an alternate universe

            50.000 some certs,
            himself has a toe in those waters, it makes my eyes bleed,
            Do you ever fly out of Weston Golden !

  1. scottser

    thanks for the ‘i told you so’ derek.
    so are we all enjoying darragh o’brien getting it in the neck for years of FG’s investor buddies profiteering off the taxpayer’s dime? now there’s an ‘i told you so’ ye should have listened to.

  2. Dr.Fart

    they’re hacking something today. lots of peoples phones aren’t working, when they make or take phone calls they get a weird sound, and lots of peoples internets not working.

  3. ReproBertie

    It’s always enlightening when the media dips its toes into an area that you have some knowledge of as it very quickly exposes their ignorance of the subject. This realisation should then colour all future interactions with the media. After all, if they are so out of their depth in this area then it’s likely they are equally out of their depth in all other areas. RTÉ’s use of the results of a DIR command scrolling up a screen to try and illustrate some arcane IT witchcraft cracks me up.

    The language being used in the media to discuss the “cyberattack” is incredibly overblown. This is not a DDOS attack or some first strike by a foreign government. The HSE have confirmed that this is a version of the CONTI virus which, 9 times out of 10, means some sucker opened an email attachment and, in this case, a bunch of criminals got extremely lucky. All the cyber defence budgets in the world can’t protect your systems from a staff member who gormlessly ignores policy and opens an attachment.

  4. Johnny

    Lost me-these cables are privately owned privately financed by Google which has oh 14,Microsoft and Amazon,who charge to use them-but the irish state is in charge security for free ?

    Absolute nonsense,outdated…. out of touch.

  5. Janet, dreams of an alternate universe

    peals tape of camera to sneak a peak at goldenbrown,
    funny how that sentence sounds kinky, I blame your name

    1. goldenbrown

      borrowed from The Stranglers in my case Janet

      but kink away by all means! we need more of it in this overly ordered world of ours I say

Comments are closed.

Sponsored Link
Broadsheet.ie