The State’s cyber security centre is “under-resourced and over-tasked” and does not have the “organisational design or capacity” to meet its goals, a confidential report has found.
A capacity review into the National Cyber Security Centre (NCSC), carried out by consultants between January and March of this year, compared the centre to other organisations of a similar scope internationally.
In May of this year, a ransomware attack on the Health Service Executive’s IT systems wreaked havoc across the health service.
The confidential report from the consultants found that a “significant burden” rests on the cyber centre to deliver against the national strategy but “based on our review, it does not currently have the organisational design or capacity to achieve all of the objectives.”
It also anticipated a “considerable strain” being added to the centre in the coming years with forthcoming cyber initiatives planned in the EU.
The report found that in terms of wider engagement with national infrastructure, the NCSC is “under-resourced and over-tasked” when providing advice to around 120 operators of essential services.
The review has made 45 recommendations, including to develop a cross-Government taskforce; to develop a strategy for the NCSC; and to ensure legislation allows for the detection and disruption of “sophisticated threat actors” and to enhance the technical monitoring capabilities.
The consultants found the workload in the centre has increased significantly since its inception and they also raised concerns about the fact it acts as an advisor and regulator in some sectors.
The report called for an increased headcount and said the operations team should be augmented “as a priority” to include a dedicated intelligence team.
It also called for the development of a five-year strategy that would outline the role of the NCSC as the clear lead authority in cyber security within the State.
Overall, the report found that leadership in the centre have a “clear understanding of the organisation’s role and purpose, as well as a good understanding of how they would like it to develop.”
“However, legislation that gives ‘statutory legal vires’ to the full operation of cyber security capability required by NCSC is critical for an effective future operational posture.”
“Future legislation should provide an explicit mandate for NCSC to properly monitor for cyber threats; establish its status as an independent organisation; define its remit within the national security framework of which cyber security is a critical domain and secure a defined single budget to enable longer term planning and capability development.”