Ireland has the potential to become a global cyber-security hub. Nine of the top ten global software companies, all of the top ten global ICT companies and the top ten "born on the Internet" companies have major operations here. If any of these companies, or indeed any other international company that has found a home here, falls victim to a significant cyber-attack, there may be a serious risk of damage to Ireland's reputation abroad as a great place to do business.
The National Cyber Security Strategy 2015-2017, published by the Department of Communications, Energy and Natural Resources on 3 July, recognises this. It also recognises that, given the large number of data-centric international companies here, Ireland faces a more complex set of risks than many other countries. Yet information security and securing the long-term future of the tech sector are of crucial importance to the Irish economy.
The Strategy sets out the Government's vision of a safe and reliable cyberspace and the measures proposed to achieve this vision. These measures are as follows:
- National Cyber Security Centre (NCSC): the formal establishment of the NCSC, the primary focus of which will be to:
  i. secure government networks;
  ii. assist industry and individuals in protecting their own systems; and
  iii. secure critical national infrastructure.
- Public bodies: the introduction of a series of measures to improve the network and information security used by Government departments and agencies.
- Legislative measures: the introduction of legislation to transpose the proposed EU Directive on network and information security and legislation to give effect to the provisions of the Budapest Convention on Cybercrime and Directive 2013/40/EU on attacks against information systems.
- Information sharing and cooperation:
  - continued participation in EU and global discussions on network and information security, and engagement with key partners in delivering policy measures to improve cyber security.
  - the expansion by the NCSC of its information sharing arrangements with national and international stakeholders; and the development, in conjunction with the internet service providers, of a protocol to help identify threats to customer data and devices.
  - formalising existing arrangements between the NCSC and the Defence Forces in areas such as technical skill sets and technical information sharing. This will be achieved by means of a Service Level Agreement with the Department of Defence.
- National security and policing: putting An Garda Síochána (the Irish police) in a position to advise on preventative and investigative strategies. An Garda Síochána will also draw on relationships with other security services to identify emerging threats, vulnerabilities and best practice preventative measures.
- Critical infrastructure: continuing the central role played by the Department of Communications, Energy and Natural Resources in the protection of critical national infrastructure (electricity, water, transportation, telecommunications, commerce and health). The Department will also operate as Lead Government Department for emergency situations relating to failures of, or attacks on, ICTs.
- Education and training:
  - the development of a programme of structured exercises for critical national infrastructure owners and for public sector bodies, and revamping the 'Make IT Secure' website to help citizens and SMEs better protect themselves online.
  - fostering a culture of cyber security across society.
  - the continued development of partnerships with third level institutions through the use of Memoranda of Understanding to aid the sharing of knowledge, experience and best practice, and to support the developing research agenda in this sector.
The Strategy places an emphasis on task-sharing and building trust relationships between the State, public and private partners, academia and civil society. These principles were considered at a recent discussion on 'Understanding Cyber Risk', which we were privileged to moderate. The speakers emphasised the importance, not just to businesses and organisations, but to the Irish economy in general, of the public and private sectors sharing information which might help to mitigate cyber risk.
They urged businesses and organisations to involve Government and An Garda Síochána both when planning for a breach and when dealing with the consequences of a breach. Raising awareness of the responsibilities of personnel in the fight against cyber threat also featured high on the agenda. You can read our 'Key Takeaways' from the discussion here.
Don't wait for the breach to happen.
Devise a strategy now.
Have a plan in place and test it.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.