Investment in national cybersecurity centre less than €14m over 10 years

Minister defends figure as a ‘drop in the ocean’ of overall State spend on cybersecurity

Department of Health, along with the HSE, was subject of cyberattack. Photograph: Dara Mac Dónaill


Less than €14 million, excluding pay, has been invested over a decade in the agency tasked with leading the State’s response to the cyberattacks on the health service.

The National Cyber Security Centre (NCSC) also has fewer than 30 staff, despite having sanction for more as far back as 2018.

The €5.1 million allocated to the NCSC this year has been criticised by Opposition TDs, with Aontú TD Peadar Tóibín claiming in the Dáil on Tuesday that it is “paltry” in the context of the responsibilities the agency has.

In response, Taoiseach Micheál Martin defended the current funding, saying it had been “trebled” over what was provided in 2020, while Minister of State for eGovernment Ossian Smyth said the NCSC budget represents just a part of State spending on cybersecurity.

Figures previously published in a Public Accounts Committee (PAC) report show just €1.37 million in expenditure for the NCSC, excluding pay, between 2012 and 2016.

The Department of Communications on Tuesday evening provided figures for non-pay allocation totalling €12,450,000 for 2017-2021. This includes both current and capital funding. The figures show that the total investment in the NCSC amounted to €13,820,000 over the past 10 years.

The department also provided figures showing that the spending on pay for the NCSC’s staff came to €6,050,000 in 2017-2020, with a further €1.8 million estimated to be spent on salaries this year. 

A report published by the Comptroller and Auditor General shows spending was much lower than expected for the first four years of the NCSC’s existence.

A chapter in the C&AG’s annual report for 2017 says a government decision approved the establishment of the NCSC with an initial resource allocation of €800,000 a year. It says the funding allocation for cybersecurity in the period 2012-2015 was less than a third of the amount that had been approved.

A Department of Communications official told the PAC in 2018 that the NCSC had 22 staff at the time but a “full complement” would be “substantially more than that figure”. The PAC was told that the organisation had sanction for 34 staff at the time. It currently has 29 staff members.

Asked about the levels of funding for the NCSC over the past decade, Mr Smyth told The Irish Times it is just a “drop in the ocean” of the overall State spending on cybersecurity.

He said the agency is principally involved in risk assessment, in helping “critical infrastructure” bodies to audit their preparedness for cyberattack and in offering advice on what actions they need to take to secure their facilities as well as providing an incident response team.

Mr Smyth said there are hundreds of people working in cybersecurity across the Government and in State companies.

He said Minister for Communications Eamon Ryan “did the right thing” in tripling the budget this year and added that he expects there will be an increase in the number of NCSC staff to “match the escalating professionalism and threats from cybercriminal gangs”.

The Government has faced criticism from Opposition TDs that the role of director of the NCSC remains vacant amid suggestions that the salary on offer had been €89,000 and was not attractive to those working in the private sector.

Mr Smyth said the salary scale that had been offered in a public appointments service competition actually ranged from €106,000 to €127,000.

He said someone was selected for the job but had decided not to go ahead with it.

Mr Smyth said he would be recommending a higher salary for the role but the sum has not yet been determined and would have to be approved by Government. He said the Government is trying to recruit someone who would normally have a cybersecurity role in a multinational company “so we have to take into account what they would be paid if they had a job in one of those companies”.