HSE ransomware attack: Government’s cybersecurity policy priorities

August 2021

Following the ransomware attack on the HSE and amid a growing threat to Ireland’s critical national infrastructure, the Government has sought to strengthen the capacity of the National Cyber Security Centre (NCSC). Minister of State with responsibility for Public Procurement and eGovernment, Ossian Smyth TD writes.

The recent cybersecurity incidents in the Health Service Executive (HSE) and the Department of Health are the most serious cyberattacks we have ever faced in Ireland. These attacks, which were likely carried out by an international cybercriminal gang, caused major damage to IT systems that continues to impact on the delivery of services throughout the country.

This heinous attack on our health services in the midst of a global pandemic shocked the world but is just the latest in a series of major ransomware attacks which have targeted critical industries such as health, energy and agriculture. The whole-of-government response to the HSE incident was led by the NCSC, a division within my department which plays an important role in defending Ireland from the global threat of cyberattacks.

The NCSC was established by government decision in 2011, with a very broad remit covering government ICT and critical national infrastructure. The role of the NCSC is to monitor and to respond to cybersecurity incidents in the State, to manage and share intelligence relating to threats to network and information security in the State including during incidents, and to lead efforts to improve the resilience and preparedness of the State in cybersecurity terms, including government, critical national infrastructure, and business.

Recognising that cyber threats present a significant threat to life and livelihoods, in 2016 the European Union (EU) adopted the Network and Information Security Directive. The Directive sought to ensure member states are prepared to respond to cybersecurity incidents and to develop a culture of cybersecurity in the delivery of services essential to human life, or in key social or economic functions.

In accordance with the Directive, the NCSC works closely with stakeholders in five critical sectors – digital infrastructure, energy, healthcare, transport, and drinking water – while the Central Bank of Ireland oversees cybersecurity in the banking and financial services sectors. NCSC staff engage on a regular basis with designated operators of essential services to support them to improve their cybersecurity.

Within the NCSC, the Government has established a dedicated incident response unit called the Computer Security Incident Response Team (CSIRT). Ireland’s CSIRT is internationally accredited and engages with its counterparts in the EU and globally to share information on vulnerabilities and threats. The CSIRT team led the initial response to the incidents in the HSE and the Department of Health and continues to support these bodies in recovering their systems. I have been very impressed by the knowledge and technical skills of the CSIRT team, but moreover their hard work and commitment in the face of a major crisis for the health service.

In common with similar bodies in other EU member states, the NCSC has also developed a more proactive approach to cybersecurity within the State. The NCSC engages with a broad range of stakeholders in both the public and private sectors, for instance sharing information on vulnerabilities and threats by way of advisory notices. In the days after the HSE incident, the NCSC engaged with all of its constituents to share information on the malware deployed by the cybercriminals to reduce the risk of successful attacks on other vital services. In the weeks since then, the NCSC staff have had extensive engagement with organisations across the public sector to provide advice and support to enhance their cybersecurity and resilience.

“Against the backdrop of a growing threat, the Government has recently agreed to an expansion of the NCSC from 25 to 45 staff over the next 18 months, and to 70 within five years.”

Minister of State Ossian Smyth TD

The nature of the digital transformation in our lives is such that no country or organisation can be 100 per cent protected from the threat of a significant cyberattack. As the digital landscape evolves so too does the level of threat from cyber attackers. So far this year, Ireland has been affected by the SolarWinds supply chain attack, the malicious exploitation of Microsoft Exchange Server vulnerabilities and the destructive ransomware attack on the health sector, as well as many other localised cyber incidents. This trend is reflected across the globe with high profile ransomware attacks such as the Colonial Pipeline, JBS and most recently Kaseya which all had severe impact on individuals and businesses.

Against the backdrop of a growing threat, the Government has recently agreed to an expansion of the NCSC from 25 to 45 staff over the next 18 months, and to 70 within five years. A significant package of other measures to further strengthen the capacity of the NCSC to respond to the growing threat from cyber criminals was also agreed by government, including the development of legislation to establish the NCSC on a statutory basis with a set of formal powers and a legal mandate. A five-year technology strategy for the NCSC that scopes its internal requirements and its relationship with academia and industry will also be developed.

In addition to the recruitment of 20 additional fulltime roles, a cybersecurity graduate training programme will be initiated by the NCSC in 2021, with four computer science graduates recruited each year on contracts of three years duration. Staff in my department are already progressing these measures and will work closely with the departments of Defence, Foreign Affairs and Justice, the Office of the Government Chief Information Officer, An Garda Síochána and the Defence Forces, and with all relevant partners to further enhance cybersecurity and resilience in the public sector.

Cybersecurity is a global challenge which can only be addressed through collective action. I was heartened by the significant assistance the NCSC received from partners in the EU, the UK, and the US in response to the HSE incident, for which we are very appreciative. I also welcome that the European Council has condemned the recent malicious cyber activities against member states including Ireland.

Ireland also spoke recently at the UN Security Council about the damaging impact of malicious cyber activities which can threaten international peace and security. Ireland is working closely and proactively at UN level to promote a secure, safe, open, and free internet, firmly grounded in the application of international law in cyber space and norms of responsible state behaviour. It is also important that States take appropriate actions against actors conducting such activities from their territory.

The Government is also working with EU partners on the timely review of the Network and Information Security Directive, recognising that the threat landscape has evolved considerably since 2016, to ensure an appropriate regulatory framework is in place across the EU to safeguard essential services and digital platforms from cyber threats. This reflects Ireland’s long-standing support for the EU vision of cyberspace grounded in the rule of law, human rights, fundamental freedoms, and democratic values. International cooperation between states, with international organisations and involving industry is essential to keeping cyberspace global, open, stable, and secure.

Related Articles

Government departments’ AI approaches

Public procurement buyers should act now to retain past competition data

Innovation in public services

National Data Infrastructure: Data as a strategic asset to the public service