Ireland’s latest cybersecurity strategy is expected later this year: This time, it’s too important to get wrong

An student issue analysis for MIS41240 at University College Dublin.

Written by Anonymous, Summer 2019. Dublin.

Earlier this year, the Irish government opened a public consultation on the future direction of the national cybersecurity strategy. The declaration, which Minister Richard Bruton described as an issue of national importance, was made with little fanfare and is seen as an implicit reflection of the government’s list of cybersecurity priorities. Only 30 days for public contributions were offered, which is not enough time to debate a document that will define how our state manages cybersecurity long into the future.

Only 50% of medium to large businesses in Ireland are actively building defensive measures against cyber-attacks

To some, the most recent cybersecurity strategy document (published in 2015) did not appear to have a clear plan of action. The tone and rhetoric of the document is descriptive, with little statement of intent. In hindsight, we also now know that the execution of the key objectives/measures contained in the document have been underwhelming at best. A report from the Comptroller and Auditor General, who oversee the public auditing process in Ireland, noted that four of the objectives were partially implemented, while four others were not implemented at all.

The performance of the National Cyber Security Centre, which is responsible for securing government networks and critical national infrastructure while assisting industry and individuals in protecting their own systems, has also faced questions. The aforementioned report from the Comptroller and Auditor General discovered that the committee that evaluates the performance of the NCSC had last convened in 2015. The unit, the report concluded, is completely devoid of any strategic plan. Furthermore, the NCSC’s initial budget allocation of €800,000, which had been decided upon at launch, had been reduced to €250,000 during the period between 2012 and 2015. Thankfully, and commendably, this figure has since risen to €1.95 million as of 2017.

It is hoped that the government begins to take a far more proactive approach to empowering the security of Irish businesses and citizens, which I believe has become a necessity.  A recent report from PwC Ireland noted that only 50% of medium to large businesses in Ireland are actively building defensive measures against cyber-attacks.

There are also reasons to buttress Irish cybersecurity beyond the protection of Irish businesses and citizens. The continued emergence of Dublin as the nucleus of technological innovation in Europe adds a critical economic—and global—dimension to this discussion. Ireland is home to a plethora of multinational technology companies, and many prospective ones, that rely on the state to create a safe and secure environment for business operations. Moreover, the state has a responsibility to ensure the security of services provided to European companies located here.

Since the government released the most recent iteration of its cybersecurity strategy, much has changed with how we interact with and perceive the digital world. We have observed significant regulatory changes in the European Union, a dramatic lowering of public trust in the ability of companies to manage data, high profile cyber-attacks on national critical infrastructure (e.g., Luas ransomware attack, Tullamore Hospital, Wexford ransomware attack) and the emergence of more sophisticated offensive techniques for hackers.

The development of future strategy should generate renewed debate about the exact role and responsibility the state has in protecting cyberspace and the rights of citizens online – does the state wish to assume greater responsibility, or does the burden lie in the self-regulation of citizens and businesses themselves?

In a historical sense, the internet has proven to be one of the most liberating technologies of our time. Despite being in the best interests of national security, however, most would balk at the idea of the government assuming too much control in this area. This, understandably, could be for good reason. The direct alternative to this, however – minimal government interference – is something we have already attempted and, I would argue, resulted in failure. As is the case with complex issues, the answer typically lies somewhere in the middle—between free markets and restrictive regulations. I argue that there is a strong case to be made for governments to assume the level of responsibility which is bestowed upon them in other areas of public life, such as food safety or worker’s rights.

The volume of public information companies manage is continuing to grow. As a result, they are also becoming increasingly attractive targets for hackers and cyber-attacks. So, considering many of these companies provide what are considered crucial public services,  is it unfair or irresponsible to leave the management and secure storage of this data solely with companies? The recent views from Silicon Valley—formerly strongly free market—are nothing short of a remarkable turnaround. Some of the most notable technology leaders, such as Tim Cook and Mark Zuckerberg, have publicly called for governments to assume a greater responsibility in shaping both the security and operation of key information and communication technologies. Coming from a political hotspot for libertarianism, this is significant and suggests a turning point in corporate views about responsibility.

I believe that the time is now for Ireland to begin delivering on the potential it wants (see notable views by Deloitte Ireland and Irish Tech News). Despite the issues with our previous strategy, there is much to be positive about. There are plans for the announcement of cyber safety guidelines, as well as the establishment of a cyber safety commissioner.

To help this transition to a safer Ireland and more responsible corporate environment, we should look to other European countries, such as Estonia, which has become known for its strong commitment to a truly digital economy, particularly in cybersecurity. Estonia could serve as an example of what we can achieve. For instance, the 2018 National Cyber Security Index placed Estonia third overall, a remarkable achievement for a country with a population of just 1.3 million, which shares demographic similarities and economic ambitions with Ireland.