Gavan Reilly: Better late than never: time to beef up our cyber security
One of the first things to turn my head on the UCD campus when I arrived there in 2004 was a quiet looking door on the fringes of the Belfield science block. Opposite the building from which computer science was taught, was a plain white door: ‘National Cybercrime Laboratory’. Cool, I thought, as any passing 17-year-old would. That laboratory remains in use today, as the temporary headquarters of the National Cyber Security Centre - an agency about which you’ll have seen a lot in the last few days.
If you look up mentions of the NCSC on the Dáil record you’d come away with a sense that it’s being invested in all the time. Eamon Ryan (who carries overall responsibility for it, as the Minister for Communications) told TDs in March that staffing at the agency increased from just 8 roles in 2017 to 26 today. That’s all fine and dandy, but in fact the increase to 26 occurred in 2019, and the numbers have remained static since then - Ryan’s language isn’t incorrect, nor wholly misleading, but it doesn’t tell the whole story.
And when you consider the breadth of duties that the NCSC has, you’d wonder why it doesn’t have multiples of that number. Its remit concerns protecting the cybersecurity of all of Government – all of it! – and of critical national infrastructure, like the electricity grid, as well as sharing intelligence threats which could amount to threats to the State itself. Moreover, the NCSC itself is said to have 160 ‘constituents’ to whom it offers advice, monitors threats, and generally oversees. In 2021, that’s a lot of duties to fall upon a team of 26 who are presumably required to keep 24-hour watch.
Moreover, one of those 26 roles has been vacant for a while, and it’s an important one: that of director. Purportedly this is because of the salary on offer: €89,000 is hardly to be sniffed at, but contemplate for a moment exactly how much responsibility is carried by the NCSC and those who run it - and the speciality of the expertise you’d need to do the job properly. How many Chief Technology Officers would leave a major technology firm to provide that service for a salary of €89,000? You’d need to think about doubling it before many top-quality candidates could have their heads turned. Ossian Smyth, the junior minister for e-government, has at least acknowledged the need to do so.
But there’s also a fair amount of finger-pointing within government over whether the NCSC is supposed to do the job alone. “We also have a large quantity of people in the gardaí, in military intelligence and in all of the different government departments” who also share the load, Smyth told Newstalk yesterday. That would be fair enough if it were consistent, but when Helen McEntee was asked about cybercrime preparedness in a Dáil question in March - in her capacity as the minister responsible for the Gardaí - she said it was first and foremost the NCSC’s area.
And then there’s the fact that the temporary lab being used in UCD in 2004 is still the NCSC’s interim headquarters; NCSC was founded in 2011 but nobody will invest in the infrastructure they ought to have until they have a permanent home to live in.
Ironically Eamon Ryan ordered a review of its staffing and capacity only a few months ago, but I’m told that given the previous sense of disinterest, there wasn’t much expectation of new staff for the unit. That report is already on Ryan’s desk: one wonders what it says, and how quickly it might be acted upon. now.