Cyber security unit has no strategic plan, C&AG finds

National Cyber Security Centre also needs review of funding

A report into the operations  of the National Cyber Security Centre by the C&AG has said  an oversight body set up to monitor the centre’s  performance had not met since 2015.

A report into the operations of the National Cyber Security Centre by the C&AG has said an oversight body set up to monitor the centre’s performance had not met since 2015.

 

A dedicated cyber security unit, established to protect government and industry networks, has no strategic plan and requires a review of its funding, the Comptroller and Auditor General (C&AG) has said.

The National Cyber Security Centre (NCSC), based in UCD, was established in 2011 with a view to “securing critical national infrastructure”.

However, a report into its operations by the C&AG said an oversight body set up to monitor its performance had not met since 2015.

The report notes that cyber attacks are an ongoing global threat and cited several examples, including the “WannaCry2” worm in 2017 which hit a HSE funded facility in Wexford among its worldwide casualties.

Faced with the new age of digital threats, the Department of Communications published a National Cyber Security Strategy in 2015.

However, the C&AG has focused on developments of the NCSC and has flagged several issues regarding oversight and funding.

It noted that at its inception, it was financed to the tune of €800,000 but that between 2012 and 2015 cyber security funding fell to less than one third of that amount. In 2017, it was increased to €1.95 million.

EU services

As well as domestic considerations, Ireland is responsible for the security of services provided across the EU by multinational companies who have their European headquarters located here.

When setting up the NCSC, the Government also approved an interdepartmental committee tasked with setting security policy.

However, while the group met in 2013, minutes of only one meeting, dated February 2014, were available to the C&AG. The Department said the group has met five times.

“The Department stated that its management board considers cyber security from time to time,” the report said.

“The National Cyber Security Strategy implementation plan commits to publishing an annual report and to conducting a formal impact assessment of their work in late 2017. These are outstanding.”

The C&AG said while it requested an assessment of the NCSC’s performance, “no evidence” of one having been carried out was provided.

The report also said the level of funding to the centre, which performs a “whole of government” function, was significantly less in its first four years than initially envisaged, and recommended a review be conducted to ensure it was “adequate”.

“The overall strategic direction of the National Cyber Security Centre is not clear. There is no strategic plan currently in place,” the report said.