Two days after Christmas day, the Department of Communications, Climate Action and the Environment published the National Cyber Security Strategy that outlined how the government plans to protect the state against cyber crime.
In case you were doing something else that day and didn’t get the chance to read it, here’s what you may need to know.
1. In September 2018 the Comptroller and Auditor General reported that “The overall strategic direction of the National Cyber Security Centre is not clear. There is no strategic plan currently in place.” The C&AG also questioned whether the body was sufficiently funded. Fast forward to the final days of 2019 and the publication of the strategy covering 2019-2024.
2. The report identifies 20 measures intended to “to protect our nation, to develop our cyber security sector, and to deepen our international engagement on the future of the internet.” These measures cover the areas of National Capacity Development, Critical National Infrastructure Protection, Public Sector Data and Networks, Skills, Enterprise Development, Engagement and Citizens.
3. The measures will impact all government departments and requires specific input from a further eight as well as all of the following stakeholders; the National Cyber Security Centre, the National Security Analysis Centre, the Office of the Government Chief Information Officer, the Office of Public Works, An Garda Siochana, the Defense Forces, the Central Bank, COMREG, the Commission for Regulation of Utilities, the Irish Aviation Authority, the Office of the Attorney General, the Office of Emergency Planning, the Centre for the Protection of National Infrastructure UK, Telecoms Operators, Skillnets, SOLAS, the Government IT Security Forum, Science Foundation Ireland, Cyber Ireland and Enterprise Ireland. They’ve totally got this, we’ll be fine.
4. Four types of cyber risks are identified. (i) Strategic Risks that include threats from rogue actors and the risk that comes from hosting over 30% of all Europe’s data. This risk extends beyond just the data centres to include the infrastructure that supports them, both public and private. (ii) Hybrid Threats, which are defined by the EU as “combining coercive and subversive measures, using both conventional and unconventional tools and tactics (diplomatic, military, economic, and technological) to destabilise the adversary.” (iii) Risks to Critical National Infrastructure and Public Sector Systems and Data (see point 5). (iv) Risk to Citizens and Business including phishing scams and cyber crime.
5. The report gives special credence to Critical National Infrastructure (CNI) across seven named sectors (energy, transport, drinking water, banking, financial markets, healthcare and digital infrastructure). Seventy ‘Operators of Essential Services’ have been identified and are subject to a formal set of security requirements and are obliged to follow a predefined reporting process when in the event of a security breach. The NCSC has enforcement powers and can conduct security assessments and audits in 5 of the 7 identified sectors.
6. One thing the report does well is to break down each of the 20 measures into their component parts, identify each component’s owner and stakeholders and put a timeframe on each task’s completion. There are 50 tasks scheduled for completion this year, 12 of them due to be completed by the end of March. Time will tell.
Kieran’s verdict: The report, much like all cyber security, feels reactionary. It will always be a barn door closing industry, but the target of training a 5000 strong army of security personnel over the next three years should help to keep a few horses in their stables.