Strengthening Ireland’s cyber resilience

Brendan Ring, Digital Engagement Lead in the National Cyber Security Centre, outlines the challenges of strengthening Ireland’s cyber resilience.

In meeting the challenge of strengthening Ireland’s cyber resilience, Ring cites three key challenges:

1. the changing cyber threat landscape;

2. implementing the NIS2 Directive; and

3. meeting the findings of the National Cyber Risk Assessment.

Cyber threat landscape

Ring states that the cyber threat landscape has “changed significantly in a few short years”.

“We have had Covid, the HSE cyberattack, Russia’s invasion of Ukraine and subsequent supply chain attacks highlighting new and unpredictable threats.”

With the coming of the NIS2 Directive, the specific role and remit of the National Cyber Security Centre (NCSC) will be altered. The NCSC was formally created by government in 2015, with a mandate which includes:

• reducing the vulnerability of critical systems and networks within the State to incidents and cyber-attacks;
• effectively responding when such attacks occur;
• responsibility for the protection of critical information infrastructure; and
• establishing and maintaining cooperative relationships with national and international partners.

Ring describes the role as “leading Ireland’s response to cyber risks”. “We are defending today, responding to incidents, taking down actors, and building networks. We build these networks nationally, globally, and regionally,” he explains.

NIS2 Directive

The “comprehensive” NIS2 Directive – which replaces the 2018 NIS Directive – will create national competent authorities for various sectors — such as telecoms and energy — which the NCSC will provide guidance to and oversight, while keeping a direct brief over the Government and key entities.

NIS2 provides that: “Member states shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities… oversee its implementation and can be held liable for infringements by the entities of that Article.”

With Ring citing the cost of implementation as “very significant”, he asserts that meeting the Directive’s obligations will be a challenge as it applies to all businesses classified as medium or above in scope, In other words, those with over 50 employees or a turnover of €10 million.”

National Cyber Risk Assessment 2022

The National Cyber Risk Assessment 2022 report, concluded in May 2022, examined the systemic cyber risks faced by the State’s critical services from a range of threats. It examined espionage, destructive cyberattacks from nation states, and criminal actors.

In terms of the main lessons being drawn from the National Cyber Risk Assessment, Ring lists off the introduction of a suite of legal measures such as the Network and Information Systems (NIS) Directive and its upcoming replacement NIS2, the Cyber Security Act for certifying products and services, and the upcoming Cyber Resilience Act which seeks to embed security into products.

All of these initiatives, he asserts, will “place an emphasis on organisations to ensure services and products are created and delivered with embedded security from the outset”.

The Digital Engagement Lead further outlines that, as a result of the findings of the assessment, “risk profiles of individual suppliers can be assessed on the basis of several factors, notably, the likelihood of the supplier being subject to interference from a non-EU country”.

Such interference may be facilitated by, but not limited to, the presence of the following factors:

• a strong link between the supplier and a government of a given third country, the third country’s legislation, especially where there are no legislative or democratic checks and balances in place, or in the absence of security or data protection agreements between the EU and the given third country;
• the characteristics of the supplier’s corporate ownership, the ability for the third country to exercise any form of pressure, including in relation to the place of manufacturing of the equipment;
• the supplier’s ability to assure supply; and
• the overall quality of products and cybersecurity practices of the supplier, including the degree of control over its own supply chain and whether adequate prioritisation is given to security practices.

More broadly, Ring states that a trend in recent years is a “blurring of the lines between the three categories of threat actors”. Threat actors can be categorised as: cybercriminals, nation states, and hacktivists.

On this blurring of lines, Ring explains: “The Russian invasion of Ukraine has accelerated this trend; you have the coopting of cybercrime groups with state-sponsored actors featuring strongly, along with hacktivists.

“The rise in the use of indiscriminate ransomware in recent years by cybercriminals is motivated by financial gain and continues to leave a trail of destruction and devastation and has elevated the threat from this group to nation state actors across all our target types from operators of critical national infrastructure, to large and small businesses, to individual citizens.”

He continues: “State-backed actors are expected to continue to pursue their strategic objectives via cyber operations for intelligence gathering for advantages in decision-making, stealing intellectual property, and pre-positioning of military and critical infrastructure [preparation of the operational environment] for future conflicts.”

Ring suggests that it is “very likely” that hacktivism will continue to encompass a variety of political ideals, particularly in countries experiencing civil unrest or war.

“Some of these groups will remain active for a longer period of time,” he states, “where others will dissolve, and their members will continue operations under the umbrella of other groups”.

Concluding, Ring states that while there is an increased understanding of the cyber risk landscape, boosting resilience by raising the cybersecurity ‘bar’ across all elements of the technology ecosystem remains the most effective means of reducing risk to critical services.