State cybersecurity centre ‘underresourced and overtasked’, warns report

NCSC does not have ‘capacity’ to meet goals and faces ‘strain’ over planned EU initiatives

A ransomware attack in May on the Health Service Executive’s IT systems wreaked havoc across the health service. Photograph: iStock


The State’s cybersecurity centre is “underresourced and overtasked” and does not have the “organisational design or capacity” to meet its goals, a confidential report has found.

A capacity review into the National Cyber Security Centre (NCSC) was carried out between January and March by consultants who compared the centre to other organisations of a similar scope internationally.

A ransomware attack in May on the Health Service Executive’s IT systems wreaked havoc across the health service.

The confidential report from the consultants found that a “significant burden” rests on the cybersecurity centre to deliver against the national strategy but “based on our review, it does not currently have the organisational design or capacity to achieve all of the objectives”.

It also anticipated a “considerable strain” being added to the centre in the coming years with forthcoming cyber initiatives planned in the European Union.

At the Oireachtas communications committee on Wednesday, Sinn Féin communications spokesman Darren O’Rourke said a capacity review of the NCSC – a redacted version of which was shared with the committee – was a “very damning indictment” of its capacities.

Mr O’Rourke said it found the centre was “under-resourced and overtasked”. He also questioned whether it could recruit 20 new staff in 18 months.

Minister of State Ossian Smyth conceded it would be challenging to compete against other states and organisations seeking similarly skilled workers.

He said new legislation providing for “intelligence gathering” for the NCSC was to be brought forward.

Requirements

“To empower the NCSC to carry out its necessary functions, it is inevitable that the proposed legislation will provide for intelligence gathering, which will bring with it certain governance requirements as well as requirements on the legislative process,” he told the committee.

Mr Smyth said that new powers for the NCSC were unlikely to include “offensive capacity” – or the capacity to carry out cyberattacks – but rather the ability to act defensively and disrupt attacks.

He said there had been a sixfold increase in cyberattacks during the pandemic and, rejecting the suggestion the NCSC was unfit for purpose, he accepted that any organisation facing such an increase in its workload “is going to be challenged”.

He said the new people needed to work in the NCSC could not be pulled out of thin air and that existing staff at the organisation had not reported low morale to him.

Mr Smyth said the HSE was in a “uniquely vulnerable position” at the time of the cyberattack as it dealt with the combined workloads associated with the pandemic and the vaccine rollout.

The committee heard that large healthcare systems, which are under the pressure of life and death situations, are often vulnerable to attack and the HSE had made improvements in its cybersecurity in the lead-in to the attack.

He said two consultants’ reports are under way into the hacking, and that these would be published “shortly”. A Garda investigation, he said, has established when and how the network was compromised.