National Security

Who is looking after Ireland’s Cyber-Security?

Apparently, nobody. If a multi-national or an SME suffers a devastating cyber attack, who do they call? If a government or public service like Revenue or the HSE gets attacked, who do they turn to?

Most other EU countries have an information security agency, or at least an information security strategy. We apparently do not have either. I am just back from doing some work with the National Knowledge Centre in Abu Dhabi which takes on this role for the UAE (United Arab Emirates), which is roughly the same size as Ireland. It is full of bright young graduates tasked with protecting their country’s cyber borders. We seem to have no equivalent organisation.

Now I think I understand in part the reason for this. In many countries such agencies grew out of already established military signals organisations which have expanded to take on a civilian role. In the UK it’s GCHQ that does the job. In Germany it’s the long-established BSI, aka the Federal Office for Information Security. However, although the Irish army has a small signals corps, as far as I know they have no civilian responsibilities. So our lack of a national cyber security agency might in part be down to our history of having a small neutral military.

But wait – there is, needless to say, a European agency with overall responsibility for the EU. It’s called ENISA – the European Network and Information Security Agency http://www.enisa.europa.eu/, based in Greece. However, this is a small umbrella organization with a coordinating role, which depends on national agencies to do the actual work. They have produced this useful document which lists each country’s National Cyber Security Strategy.

http://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber...

But no mention of Ireland there, unlike, say, Estonia. The good news is that this proposal

http://europa.eu/rapid/press-release_IP-13-94_en.htm?locale=en

has been accepted by the European parliament in a vote on 16th April of this year.

http://www.enisa.europa.eu/media/press-releases/green-light-for-new-regu...

which states that

“Member States must adopt a NIS (Network and Information Security) strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents”

But Ireland apparently has not as yet acted on this. It is not as if we don’t have the expertise – our MSSF postgraduate program has for many years been generating graduates with all the necessary skills.

http://www.dcu.ie/prospective/deginfo.php?classname=MSSF

Maybe the government is about to act. Or maybe they will long finger it as they don’t have the money. But that would be a risky, short-sighted strategy. Remember the e-voting fiasco, which was largely a result of a naive, ill-informed and cavalier attitude to IT security.

I would suggest that it might take just one major headline-grabbing security breach to result in a serious loss of confidence in Ireland as a safe place to do business. We really can’t afford that. After all, the IT industry is probably more important to us than it is to most other EU countries.