Cyber security role is vacant because of low salary, TD says

Position of NCSC director, which has a salary of €89,000, has been vacant for a year

Dr Cathal Berry TD said the State did not have the capacity to strike back at those who hacked the HSE IT system. Photograph: Michael Donnelly

Dr Cathal Berry TD said the State did not have the capacity to strike back at those who hacked the HSE IT system. Photograph: Michael Donnelly

 

The position of director of the National Cyber Security Centre (NCSC) has been empty for over a year because the salary offered is €89,000, far below a rate appropriate to the responsibilities, a former senior Defence Forces officer has said.

Independent TD and former member of the Army Ranger Wing Cathal Berry said “you’re looking at the head of IT security for Ireland being paid €89,000 so they couldn’t get someone to take a job”.

He said the NCSC was “supposed to be kicking ass when it comes to all the other Government departments so you’d expect someone to have the appropriate status so they can interact with secretaries general across the Government service”.

But whoever was appointed would only be the equivalent of a principal officer level. “They’d be laughed out of the room which is one of the reasons why the cyber security centre isn’t being taken seriously,” Dr Berry told The Irish Times.

He said the security centre had no permanent premises and while based in a temporary abode it had “no way of customising that building to their own specifications”.

Dr Berry said the HSE cyber attack was the “canary in the coalmine” and he warned that as Ireland became more active internationally such as with the seat on the UN Security Council “we become much more vulnerable. People will be take a lot more interest in us. And if you want to pressurise a country into not voting one way or to punish it having voting another way, it’s very easy to launch a cyber attack”.

Speaking earlier on RTÉ’s The Week in Politics, he noted the NCSC had a budget of just €5 million and a staff of 25 as well as no dedicated premises and no director.

Dr Berry said said the centre was meant to be a multiagency entity with members of An Garda Síochána and Defence Forces embedded in the NCSC but because of the staff-retention crisis in the Defence Forces the two seats for them were empty at the moment “and that’s not good enough”.

He said this was a criminal attack from a small criminal entity. “If this was a full-on military-grade state-on-state attack we’d be looking at much more serious consequences downstream.”

Minister of State Jack Chambers said the Commission on the Future of the Defence Forces was considering cyber security.

“The State has to strengthen cyber security,” he said, describing it as “a serious 21st century” issue for both State and private organisations.

Mr Chambers would not comment on the amount being sought but stressed the State would not pay a ransom.

Sinn Féin enterprise spokeswoman Louise O’Reilly said that under no circumstances should a ransom be paid.

She added that people needed assurances from the Government and the HSE about what they were going to do to prevent such an attack as she pointed to a recent RTÉ report that “there are tens of thousands of HSE computers operating off Windows 7”.

The HSE’s chief operations officer, Anne O’Connor, said the NCSC was in charge of responding to the attack but the centre would “have to take into account” the views of the HSE if the attack continued for a long period of time.

“Our position is that the longer this goes on from a health service perspective, the greater the risk,” she said.

Ms O’Connor said radiology services had been particularly badly hit across the country and that the radiation oncology system for patients with cancer has been compromised across the board.

Speaking on Newstalk’s On the Record with Gavan Reilly, Ms O’Connor said the HSE did have some clean back-up data from which it could rebuild its servers, but that this would be a slow process.

As a result of the cyberattack, a number of HSE hospitals have cancelled all outpatient appointments. However, the country’s large voluntary hospitals, which operate a slightly different computer system, have not been as badly affected.

These include Beaumont, the Mater, St James’s, Tallaght and St Vincent’s in Dublin as well as Mercy University Hospital and Cork University Hospital, she said. “They have not had the same effect on the patient management system but they are impacted on radiology.”