National Cyber Security Centre Director Richard Browne on risks and threats
National Cyber Security Centre Director Richard Browne: Managing resilience
Having been with the National Cyber Security Centre (NCSC) since 2014 and led each of the State’s two national cybersecurity strategies to date, Richard Browne was appointed as NCSC Director in January 2022. He speaks with Ciarán Galway about his current priorities and emerging trends in cyber risks and threats.
What are your reflections on your time as a Director of the National Cyber Security Centre?
While I was nominally appointed full time in January 2022, I had been in the role as Acting Director since July 2021, having previously held roles in the NCSC between the end of 2014 and late 2020.
Two or three things have changed in that time. First is the much more public character of the challenges, not least since the ransomware attack on the HSE, as well as other high-profile incidents in the UK and the US.
Second is that the cybersecurity industry in the State has grown significantly, both in terms of international and domestic companies. We have 7,500 cybersecurity employees in the private sector alone, which gives you an idea of the scale of the industry here.
Third is the geopolitical tension; we cannot overstate the implications of the Russian invasion of Ukraine and the widespread use of cyber-enabled tools in that conflict, which just goes to show how dramatic and kinetic a situation can get.
What are the main functions of the NCSC?
Typically, we describe the NCSC as having three primary functions:
The first function is that it undertakes full spectrum cybersecurity incident response. Anything from relatively small-scale incidents to coordinating the response to major national cybersecurity incidents. This involves an amount of national security work along with cooperation with other entities in their jurisdictions, exercises in training and planning, and resourcing those activities.
The second function the NCSC performs is building resilience across the State’s public and private sectors through a variety of different actions. These include supporting skills development, supporting companies in their development, sharing information on best practice, and publishing guidance and supporting documentation on an ongoing basis.
The third function is that we have a very significant role in the regulation of critical infrastructure in the State with regard to cybersecurity. We have designated a substantial number of entities as critical infrastructure; as operators of an essential service. Through a series of assessments and audits, we ensure an ongoing programme of compliance with a designated standard for cybersecurity.
How has the NCSC led national cybersecurity policy, including coordinating the National Cyber Security Strategy 2019-2024, to date?
Until 2020, I held a dual policy and operation role, so the 2015 and 2019 strategies happened under my remit. Now, however, policy is dealt with by a separate part of the Department. Regardless, the NCSC still has an active role in contributing to the policy discussion, both within the Department and across government, not just within cybersecurity either, but also into defence, justice, foreign affairs, and related spheres.
What progress has been made on implementation of the 2019 strategy?
The 2019 strategy contains 20 deliverables. Under each of those is a series of individual stepping stones. The vast majority of those are either delivered or well underway. Some of them have been passed out by time in the sense that the EU legislation has leapfrogged them. This will be dealt with in the upcoming mid-term review.
I think that the NCSC itself has moved on beyond that which was explicitly identified in the strategy. The strategy pointed out that the NCSC would need to be substantially reinforced, and the Government’s decision last year, made on foot of the capacity review of the organisation, set out that the organisation needed to expand to 45 staff by the end of 2022 and to at least 70 by year-end 2024. That is well underway. We will surpass 45 in 2022 and hopefully grow to 62 in 2023.
The mid-term review is underway now and the NCSC is fully participating in it. To an extent, this review will have to call out the things that we have achieved, that we need to do more on, and particularly call out the areas from the 2019 strategy that have been surpassed at the European level.
One of those obvious requirements is the need to expand our existing Network and Information Security [NIS] compliance regime. That regime is built upon the 2016 EU Network and Information Security Directive. We were seeking to expand our existing application of that directive. However, the EU has published and agreed a revised NIS2 Directive, so that supersedes our existing plans.
What do the Cyber Security Baseline Standards mean for public service bodies?
Last year, under the 2019 strategy, the Cyber Security Baseline Standards were established to build cyber resilience across all public service bodies. This was undertaken by a group of ICT experts from across Government and led by the NCSC and the Department of Social Protection. In other words, it is a standard which everyone in the public sector should meet.
Following on from that we established an operational group of IT security professionals – the Government Cyber Security Coordination and Response Network (Gov CORE). The Gov CORE is now tasked with implementation of that standard, alongside information-sharing, incident response, and capacity building across the public sector. In turn, the Gov CORE will develop that standard further, using its own certification tools, which will receive a legislative basis in the next couple of years.
By the end of 2024, thanks to NIS2, the Civil Service will become legally obliged to meet those standards and there will be a compliance system in place for public administration bodies. In practical terms, that means we have a very tight timeline. This will be very challenging for many different types of organisations and structural changes will be required.
However, in many ways, the intervening period is a fantastic opportunity to reconfigure and reconsider the role of public sector ICT, assessing legacy systems, and preparing for what will be a significant challenge between now and 2025.
What are some of the emerging trends in cyber risks and threats that the NCSC is observing?
The geopolitical environment is very fraught, as everyone understands, but we have not yet seen direct manifestations of the kinds of attacks experienced in the rest of Europe. We have seen some in parts of Europe that are not necessarily direct, rather they are accidental overflows of less aggressive emanations. At the same time, the likelihood and consequences of this kind of thing happening are high. It is something that we cannot ignore.
The risk of ransomware and cybercriminal activity remains extremely high. We have observed daily incidents of this type, not just here but across Europe. We are now starting to see the actors targeting smaller entities for several reasons. This is partially due to the fragmentation of the actor groups responsible for this activity, including because security forces, police, and intelligence services have had a lot of success against these groups recently and they have been disrupted.
Others have gone underground for other reasons.
Primarily, larger entities have become better at protecting themselves and are much less likely to pay ransoms because they have backups. They can afford to turn around and rebuild from scratch. Smaller entities may not have that luxury and may be more likely to pay, which is what we are seeing.
Another trend we have noted is the rise, once again, of hacktivism whereby website defacement, small scale DDoS, and other low level, small-scale cyber activity is undertaken with political or personal motivation. In recent months, we have started to observe an increase again, sometimes in association with events in eastern Europe. Fundamentally, the consequences of these attacks are minimal; they are small scale nuisance attacks, but they tend to get press, which is the intention.
“It is fundamental to the corporate governance of any organisation in 2022 and you should not be treating safety as something distinct from cybersecurity because they are both on the same page.” Richard Browne, Director, National Cyber Security Centre
Can you discuss how your response to the HSE ransomware attack manifested? How did that materialise?
The initial incident response process lasted between 10 and 14 days, depending on your perspective, by which point the majority of HSE services were back up and running again. There is still some ongoing clean-up and rebuilding of networks one year on, but that is quite normal with a case like this.
In some ways, it was quite remarkable how quickly the HSE was able to get its network back up and functioning even though core elements of it had been damaged. The HSE itself, as well as people from several other private sector companies throughout the State, stepped in and helped us in rebuilding individual networks in the hospitals.
It was an entirely preventable incident. A significant number of similar incidents never got through the system. Either we were able to stop them, or the network operators managed to stop them themselves.
There were at least three occasions referenced in the independent report on the attack commissioned and published by the HSE. This is partially because the HSE was so badly stressed as a consequence of the Covid crisis. It is also down to the fact that they were reliant on private sector operators who missed obvious signs that there was something very badly amiss.
For example, the Department of Health had a very serious incident the day before and they spotted it immediately, called us and they never had the incident. So we were able to help them stop the incident before it ever came to anything. That is the model we try to pursue.
Cybersecurity, when it is done right, should be boring. It should be dealt with before there is any media coverage or flashing lights or drama. If you are in a large-scale incident response process, something has gone wrong somewhere.
What are the lessons of the single most significant cyberattack in the history of the State to date?
Ultimately, the lessons are very straightforward. Firstly, this was a preventable incident. As such, there is the need to proactively manage risks and manage networks. Having a coherent system of operations for monitoring threats is important, particularly for a large-scale network. Secondly, we need to have a proper incident response plan in place. In any network, cyberattack must be treated as a ‘when’ rather than an ‘if’ and work on the basis that it will occur.
Finally, there is a serious question as to how we manage resilience more generally. We were very lucky with the HSE incident in many ways because most of our larger hospitals remained operational. Next time, that might not necessarily be the case. There is a real question as to how we build redundancy into systems and how we can fall back onto other older segregated systems, not just in healthcare, but across the State’s critical infrastructure.
What is your vision for the future of the NCSC?
The NCSC’s long-term strength has always been that it has led on a technical basis. We have led on our reverse engineering and our cybersecurity incident response capability. We need to continue to consolidate that.
In the first instance, we need to have a single pane of glass for end-to-end visibility of incidents in the State and an ability to respond quickly and proportionately. We have a significant capability already and we need to continue to develop that. There are many lessons we can learn from our colleagues throughout Europe and in the US. It will never stop; there will never be a point where we are finished or done.
To ensure this, we must have an evolving, best-in-class national strategy involving coherent, continually amended legislation, a skills base, and technology; this is an ongoing project. The short-term goal is that, when we move into our new facility next year, we will have that security operations centre that gives us that ability, backed by legislation that allows us access in a transparent, open, non-intrusive way. We need to be able to see what is happening in the world and to respond.
Furthermore, I think we have significant work ahead of us in terms of developing the cybersecurity sector in the State for public sector and national security goals, but also economic development. This is a slightly arcane point, but because of the State’s history and our relatively benign foreign policy context, we have not developed some of the technology that some other states have in terms of information security, and around cybersecurity more generally. We are having to develop those now ourselves, quite late in the day. This is an opportunity to do so in a best-in-class way by learning from other states.
Digital adoption is crucial for SME survival
With the ever-increasing digitalisation of personal and work life, it has become increasingly evident that cyber threats, be they from criminals or nation-state actors, pose an evolving risk to the everyday working of society, writes Mick Begley, Chief Information Officer of .IE.
The Network and Information Security Directive (NIS 1) set the precedent for EU legislation when it came to cybersecurity. Its goal was to achieve a high common level of cybersecurity across EU member states. It resulted in member states designating key “entities” as “operators of essential services” (OES) and led to regulations being put in place in national law around the area of cybersecurity, including incident notification by such entities.
Revised directive
Since the NIS 1 Directive was adopted, the threat landscape has moved on. As a result, the European Commission (EC) proposed a revised directive, NIS 2, which would widen the scope of the application to more entities in the sectors of the economy already within scope, as well as adding new sectors. The EC, when framing the proposed directive, also had the objective to create a high level of harmonisation with regard to security requirements and reporting obligations across the Union.
The new directive does away with the NIS 1 terms of OES and digital service provider (DSP) and instead replaces them with “important entities” and “essential entities”. The classification of organisations is determined by Annex I and II of the directive. By default, all entities belonging to a sector are automatically allocated to that category. Sectors that are deemed “essential entities” include:
• energy (electricity, energy storage, district heating, oil, gas, and hydrogen);
• transport (air, rail, water, and road);
• banking and financial market infrastructures;
• health (including research and manufacturing of pharmaceuticals and medical devices, EU reference labs);
• drinking water and wastewater;
• digital infrastructure (IXP, DNS, top level domain (TLD) registries, cloud, data centre service providers, CDN, trust service providers, and electronic communications);
• public administrations; and
• space.
Sectors under “important entities” include digital providers such as online marketplaces, search engines, and social networks.
There is a size-cap provision in place which should exclude certain SMEs (under 50 employees, turnover ceilings) from the scope of the directive. However, some small organisations may not qualify for this size exception if the entity comes within the scope of Article 2 of the revised directive.
Article 18 provides that the entities covered by the Directive will need to carry out “an all-hazards approach when it comes to protecting network and information systems and their physical environment from incidents and shall include at least the following”:
a) risk analysis and information system security policies;
b) incident handling;
c) business continuity, such as backup management and disaster recovery, and crisis management;
d) supply chain security;
e) security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure; and
f) policies and procedures to assess the effectiveness of cybersecurity risk management measures, and policies regarding the use of cryptography and of multi-factor authentication.
.IE’s position
As a country code top level domain (ccTLD) registry we are designated as an “essential entity” under the new NIS 2 Directive. Accordingly, it is essential that we continue to provide a trusted pathway to the internet for Irish people, communities, and businesses. As part of maintaining that trust we have recently completed a programme of work to achieve ISO 27001 security certification.
ISO 27001 is the internationally recognised certifiable standard for managing and mitigating an organisation’s information security risks. It mandates a systematic approach to cyber security risk management, covering processes, technology and people, that helps us protect and manage all our data. By seeking and achieving ISO certification, .IE has shown its commitment to taking cyber security seriously and to ensuring we fully meet our obligations, including those within the NIS 2 Directive. ISO 27001 is rapidly becoming the de facto best-practice certification for national ccTLDs, as a way to demonstrate their cyber security credentials to national policymakers and legislators.
Collectively and individually, the challenge for business, government and citizens is to continue to improve cybersecurity practices and processes.
“The speedy digital transformation of our society has expanded the threat landscape and is bringing about new challenges, which require adapted and innovative responses… such responses should aim to increase preparedness… and the EU’s capabilities to prevent, detect, respond to and mitigate cyber threats and be prepared to act in crisis.” - European Commission, NIS 2 inception impact assessment document
Also new within the NIS 2 regulatory regime are rules with regard to the accountability and responsibilities of management bodies when it comes to compliance with security requirements. In the event of a security incident where an entity is found to be in breach of its NIS 2 obligations, management bodies may be subjected to the following:
• the issuing of fines;
• being held liable for breach of their duties laid down in the directive;
• the levying of a professional ban on members of the management team by the relevant regulatory authority; and
• the imposition of a Monitoring Officer for a set period of time to ensure that the organisation meets its compliance requirements.
The revised directive sets out strict rules with regard to the reporting of significant security incidents. Entities are obliged to issue an initial early warning within 24 hours of becoming aware of the incident and a fuller incident notification within 72 hours to the relevant competent authority or CSIRT. A final report on the incident must then be submitted within one month of the incident notification.
Current status
The Commission’s proposal went to both the European Parliament and the Council of Ministers for review. Each body issued a draft with its proposed revisions to the original text. These went through inter-institutional negotiations (“trilogue”), from which a political agreement on the final text of the NIS 2 Directive was reached in May 2022. The agreed text is expected to be put to the plenary of the European Parliament in the autumn; once formally adopted and published, EU member states will have 21 months to transpose the requirements of the Directive into national law.
E: security@weare.ie W: www.weare.ie Twitter: @dot_IE_Tech
The Internet needs Guardians, Guides and Stewards – and .IE is an active participant in multi-stakeholder forums dedicated to meeting these needs.
The Irish cybersecurity sector: An overview
The Irish cybersecurity sector is growing at a rate of over 10 per cent per annum and could, if such growth continues, employ over 17,000 people and create €2.5 billion of gross value added by 2030.
The 489 cybersecurity firms operating in Ireland have 734 offices, according to the State of the Cyber Security Sector in Ireland report, with 73 per cent of these offices in Dublin, Cork, Galway, or Limerick. While Dublin has the most overall offices, Cork and Galway retain the largest number of firms per capita.
The main products offered by cybersecurity firms in Ireland include managed security service provision and advisory services, offered by 36 per cent of firms, securing applications, networks, and cloud environments services, provided by 31 per cent, and risk, compliance, and fraud services, provided by 28 per cent. Threat intelligence, monitoring, detection, and analysis is served by 26 per cent of firms, with operational technology security and connected devices served by 13 per cent and identification, authentication, and access control by 11 per cent.
The cybersecurity sector is an anomaly in the Irish context due to the makeup of the types of businesses that populate it. While the Central Statistics Office’s (CSO) Business Demography 2019 found that over 99 per cent of Ireland’s businesses were SMEs, 44 per cent of the businesses involved in cybersecurity in Ireland are classified as large enterprises, meaning that they have at least 250 employees and €50 million of annual turnover. This is perhaps not surprising given the prevalence of foreign direct investment in the sector: 71 per cent of employment in the sector is supported by FDI, 28 per cent of firms are headquartered in the United States, and 55 per cent of employees work for those US-headquartered firms.
The Department of Enterprise, Trade and Employment’s 2022 report Attracting Tech Talent to Ireland estimated there to be circa 80,000 professionals engaged in technological sectors in Ireland, meaning that the 7,351 engaged in cybersecurity work account for 9.2 per cent of the total technological workforce.
CSO statistics record Ireland’s gross value added (GVA) as €393.788 billion for the year 2021; the €1.1 billion GVA recorded by the cybersecurity sector in the same year means that it accounted for 0.28 per cent of the national GVA. While broad sectoral figures for the year 2021 have yet to be released, the sector in which the CSO places cybersecurity – information and communication – is now the second largest sector in terms of GVA, behind only manufacturing. The information and communication sector accounted for 17.4 per cent of national GVA in 2020 and has recorded steady growth from €18.166 billion in 2013 to €58.574 billion in 2020.
2020 saw the sector record a growth rate of 13.8 per cent in GVA, from €51.472 billion in 2019. If such a level of growth were to have been recorded again in 2021, this would mean a GVA of €67,377,212,000, meaning that cybersecurity’s €1.1 billion would account for 1.63 per cent of total sectoral GVA. GVA per employee stands at €150,000 in Ireland’s cybersecurity sector, comparing favourably to the UK rate of £100,000 (roughly €120,000) per employee.
As part of Cyber Ireland’s State of the Cyber Security Sector in Ireland report, a survey found 83 per cent of businesses expecting to grow their cybersecurity teams in the year 2022, with half of the businesses expecting growth of over 25 per cent. Findings such as this led the report’s authors to conclude that the 10 per cent plus annual growth rate experienced by the sector in recent years is sustainable in the short term to 2030, whereby the sector could have as many as 17,000 employees and €2.5 billion GVA. However, four in 10 employers attested to a lack of appropriately skilled candidates; 33 per cent noted high competition from other cybersecurity businesses, 22 per cent noted a lack of non-technical skills in the labour pool, and 21 per cent said salaries are unaffordable.
With such growth having been experienced in the sector since 2013, and further growth expected, the enhanced commitments to cybersecurity seen in the wake of the HSE cyberattack will be music to the ears of those invested in the sector, but a significant challenge lies in store: ISC2 estimates an annual shortfall of 10,000 people in cybersecurity roles across the broader economy. Research by people such as Leslie Kesselring has pointed to this being a global problem, with skills shortages impacting 70 per cent of businesses. The challenge for the cybersecurity sector is clear; the same can be said of the opportunity.
Irish cybersecurity in numbers
• 489 firms offering cybersecurity products or services to the market
• One-third offering dedicated cybersecurity services
• 7,351 professionals employed by the sector
• 71% of employment in the sector supported by foreign direct investment
• 28% of firms and 55% of employees from firms headquartered in the United States
• €2.1 billion cybersecurity-related revenue generated in 2021
• €1.1 billion gross value added in 2021
Source: Cyber Ireland
Every minute, there are 35,000 instances of password attacks and seven phishing attempts by cyber-criminals across the globe. These statistics highlighted in the latest Microsoft Security Insider briefing show the unparalleled scale and cost of cybercrime, with a new cyber threat detected by Microsoft every 35 minutes globally, writes Frank O’Donnell, Public Sector Lead of Microsoft Ireland.
The worldwide economic impact of cybercrime is $1,141,553 per minute. For public services in particular, the threat environment is only becoming more sophisticated, and the stakes are getting higher. According to Microsoft’s Digital Defence Report released last year, public sector organisations accounted for almost 52 per cent of the total organisations affected by nation-state threats. The report also shows that nearly 80 per cent of those targeted were in government, NGOs, or think tanks, which often serve as policy incubators and implementers, with strong ties to current and former government officials and programmes.
The pandemic has acted as a catalyst for increasing digitalisation across local and central government, and in specific areas such as healthcare, education, and community outreach in Ireland. Online public services have become more vital than ever to communities, and exposure to new technologies has created a desire for sustained digital transformation by leaders of public sector organisations to be able to engage with citizens and keep their workforce connected.
If our ambition is to continue to meet the growing expectations of an increasingly digital economy and society, then it is clear that establishing secure and resilient IT infrastructure for workers and citizens has become the new frontier for public sector organisations.
The burning question is, how can organisations with such large and unwieldy operations and with such a varied workforce and citizenship achieve this?
Public and private sector collaboration
Closer collaboration with experts and partners both in Ireland and across the globe can provide leaders with new knowledge and access to global efforts to manage the threat of cybersecurity.
The recent announcement that Ireland has now joined over 45 other countries and international organisations as a member of the Microsoft Government Security Program marks a significant milestone for the public sector and the Irish Government in the defence of critical national infrastructure against cyberattacks. This is part of a broader statement of intent to invest and bolster our national critical infrastructure by the Irish Government.
Ireland's participation in the programme will enable controlled access to source code, exchange of threat and early warning vulnerability information, and the ability to engage on confidential technical content about Microsoft’s products and services.
Cloud adoption and a zero-trust approach
Fast-tracking cloud migration and adopting a zero-trust approach provides greater security coverage, particularly for large organisations working across multiple geographies, embracing hybrid working models and delivering varied workstreams. Microsoft adopts a zero-trust-first approach, which refers to a proactive, integrated approach to security across all layers of the digital estate that explicitly and continuously verifies every transaction, asserts least privilege, and relies on intelligence, advanced detection, and real-time response to threats. This model starts with strong identity authentication everywhere. Multi-factor authentication (MFA), which we know prevents 99 per cent of credential theft, makes accessing apps easier and more secure than traditional passwords.
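The verify-explicitly and least-privilege principles described above, shown as an added example that is not part of this article and is not Microsoft’s code: a per-request policy check written in Python. The resource catalogue, sensitivity tiers, scope names and freshness thresholds are assumptions chosen for illustration. The point it demonstrates is that a password alone, a stale verification, a non-compliant device or an over-broad scope each fail independently, and that the decision is made again on every request rather than once at login.

```python
"""Added example (not Microsoft's code): a per-request zero-trust policy check.

Each request is evaluated on its own merits: how strongly the caller was
authenticated and how recently, whether the device passed a posture check,
and whether the caller holds the exact scope the resource needs. A valid
password, or having been allowed a moment ago, grants nothing by itself.
Resource names, tiers and thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed resource catalogue (hypothetical names): sensitivity tier and the
# one scope that grants access to it.
RESOURCES = {
    "intranet-wiki":  {"tier": "low",    "scope": "wiki:read"},
    "citizen-portal": {"tier": "medium", "scope": "portal:read"},
    "payroll-db":     {"tier": "high",   "scope": "payroll:write"},
}

# Authentication strength ladder. "phishing-resistant" stands for a
# FIDO2/WebAuthn-style factor; "otp" for an app or SMS code.
MFA_RANK = {"password": 0, "otp": 1, "phishing-resistant": 2}

# Per-tier policy (assumed values): minimum factor, device posture, and how
# fresh the verification must be before the caller must re-authenticate.
TIER_POLICY = {
    "low":    {"min_mfa": "password", "compliant_device": False, "max_age": timedelta(hours=8)},
    "medium": {"min_mfa": "otp", "compliant_device": True, "max_age": timedelta(hours=1)},
    "high":   {"min_mfa": "phishing-resistant", "compliant_device": True, "max_age": timedelta(minutes=15)},
}


@dataclass
class Request:
    subject: str
    mfa_method: str          # strongest factor verified in this session
    auth_time: datetime      # when that factor was last verified
    device_compliant: bool   # posture attestation from device management
    scopes: frozenset        # scopes carried by the session token
    resource: str
    now: datetime            # evaluation time, passed in so the check is deterministic


def evaluate(req: Request) -> tuple:
    """Return (allowed, reason). Deny by default: every check must pass."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return False, "unknown resource"
    policy = TIER_POLICY[res["tier"]]
    if MFA_RANK.get(req.mfa_method, -1) < MFA_RANK[policy["min_mfa"]]:
        return False, f"{res['tier']} tier requires {policy['min_mfa']} authentication"
    if req.now - req.auth_time > policy["max_age"]:
        return False, "verification too old for this tier; re-authenticate"
    if policy["compliant_device"] and not req.device_compliant:
        return False, "device not compliant"
    if res["scope"] not in req.scopes:
        # Least privilege: the token must carry exactly this scope, no wildcards.
        return False, f"missing scope {res['scope']}"
    return True, "ok"


def demo() -> list:
    """Constructed requests showing that each check can fail independently."""
    t0 = datetime(2022, 9, 1, 9, 0, tzinfo=timezone.utc)
    cases = [
        # password-only session is enough for the low tier ...
        Request("alice", "password", t0, False, frozenset({"wiki:read"}), "intranet-wiki", t0 + timedelta(hours=2)),
        # ... but the same session is refused at the high tier even with the right scope
        Request("alice", "password", t0, False, frozenset({"payroll:write"}), "payroll-db", t0 + timedelta(hours=2)),
        # strong factor, compliant device, fresh verification, exact scope: allowed
        Request("bob", "phishing-resistant", t0, True, frozenset({"payroll:write"}), "payroll-db", t0 + timedelta(minutes=10)),
        # identical request five minutes later: verification has aged out for the high tier
        Request("bob", "phishing-resistant", t0, True, frozenset({"payroll:write"}), "payroll-db", t0 + timedelta(minutes=20)),
        # correct factor and scope, but device posture fails
        Request("carol", "otp", t0, False, frozenset({"portal:read"}), "citizen-portal", t0 + timedelta(minutes=5)),
        # everything strong, but the token carries the wrong scope
        Request("dave", "phishing-resistant", t0, True, frozenset({"payroll:read"}), "payroll-db", t0 + timedelta(minutes=1)),
    ]
    return [(r.subject, r.resource, *evaluate(r)) for r in cases]


if __name__ == "__main__":
    for subject, resource, allowed, reason in demo():
        print(f"{subject:6} -> {resource:15} {'ALLOW' if allowed else 'DENY':5} {reason}")
```

Two design choices matter more than the tier numbers. The evaluation time is an explicit input rather than `datetime.now()`, so the decision is reproducible in tests and in an audit log; and the function is deny-by-default with a reason string for every refusal, which is what a detection team needs when they later ask why a request was blocked or, more importantly, why one was allowed.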
At Microsoft, we have helped thousands of organisations to evolve their zero-trust deployments to respond to transitions to remote and now hybrid work in parallel with a growing intensity and sophistication of cyberattacks. In the last two years, we witnessed an increase in the adoption of cloud technologies across many government departments and government bodies, which ultimately creates a more secure working environment. This journey is set to continue and accelerate as cybersecurity becomes more and more of an imperative, not only in the realm of the IT function, but also at board and executive level across the Irish public sector.
A cultural imperative: Cybersecurity is an issue for the entire organisation
Cybersecurity should no longer be viewed as a specialised risk that falls only within the purview of the IT department. Technology expertise sits in the IT department, just as expertise in financial risk management generally resides in the finance department, but ultimate responsibility and accountability for the risks lie within the wider leadership team. We cannot afford to treat technology and cyber risk as something separate and contained that IT and security teams are left to manage on their own.
This is a fundamental paradigm shift for leaders in the public sector and is perhaps the biggest challenge in building and implementing a resilient cybersecurity model and to the digitisation of public services. This will require a standardised approach to security culture across different teams in an organisation, and systems to ensure it is embedded from board level across all employees and operations.
Cyberattacks are increasing in frequency and sophistication and are deliberately targeting core systems to maximise the impact of the attack or likelihood of a ransomware pay-out. Within this context, we know a comprehensive approach to operational resilience must include cyber resilience if we are to truly unlock the digital potential of our economy and society, and it is critical that public sector organisations are at the vanguard of this digital evolution.
E: frank.odonnell@microsoft.com S: https://www.linkedin.com/in/frankodonnell/