Denis Naughten TD: cyber security priorities

Communications Minister Denis Naughten provides an update on Ireland’s cyber security priorities and the work of the National Cyber Security Centre.

Since taking up my present role as Minister for Communications, Climate Action and Environment in 2016, I have been responsible for a number of large, complex and dynamic policy areas. However, of all of these, cyber security has proven to be particularly challenging, not just in terms of the range and breadth of the issues arising but because of the speed of developments and the rapidly diversifying nature of the threat.

Technically, the term ‘cyber security’ refers to the ‘confidentiality, integrity, authenticity and availability’ of IT systems and the data they manage. In practical terms, this means nothing less than ensuring the safe and secure functioning of the IT systems upon which much of modern life depends. This is proving to be a huge challenge for governments globally due to the complexity of the systems themselves, the fact that ownership is widely spread, and the existence of a wide range of threat actors.

The first National Cyber Security Strategy (2015-2017) followed on from the establishment of the National Cyber Security Centre (NCSC) in 2011 in seeking to address these issues, and focused on the protection of critical national information infrastructure in key sectors such as energy, healthcare, and digital infrastructure, along with a series of measures aimed at protecting Government information and data. The NCSC also has a number of roles in terms of incident response, including collation and analysis of data from incidents, both national and international, and sharing that with key partners.

Minister Naughten attending the launch of Ireland 2040.

“For 2018, however, we have two main priorities to deliver. The first of these relates to the full implementation of an EU Directive on Network and Information Security (NISD), the second to the drafting of a new National Cyber Security Strategy.”

This work has proven to be extremely valuable, and has provided the Government with a useful basis from which to expand policy in this area. For 2018, however, we have two main priorities to deliver. The first of these relates to the full implementation of an EU Directive on Network and Information Security (NISD), the second to the drafting of a new National Cyber Security Strategy.

The European Union Network and Information Security Directive places a number of significant responsibilities on the State and on businesses in respect of cyber security. This Directive marks a step change in how cyber security is dealt with at a national level in the EU in that it moves towards a quasi-regulatory model, placing binding responsibilities on a range of actors. These responsibilities are wide ranging, but essentially involve the State identifying Operators of Essential Service (OES) across a range of critical national infrastructure sectors, including energy, financial services, and digital infrastructure and compelling these entities to meet a set of binding security obligations and incident reporting requirements. The State will also be required to apply and police a new regulatory regime on Digital Service Providers (DSPs). These will include cloud computing providers, search engines providers and providers of online market places. The first elements of this Directive come into effect in May, with full implementation due in November.

The next strategy will be able to build on the operational experience of the NCSC and the transposition of the NIS Directive, and set out a broader set of measures to be taken across Government and society in general. A key element of the next strategy will be reaching out, into workplaces and communities, with information on good practices and in with more robust measures in some cases. While the challenges to be faced in this space are not to be underestimated, we have made a good start. We must continue to build on this, and must act, as a Government and as a country, to meet these challenges head on, and to secure our data, our infrastructure and our services against the threats that we know are out there.