Last month the Department of Communications, Energy and Natural Resources published the Government's National Cyber Security Strategy 2015-2017 (the Strategy).
In 2013 the World Economic Forum classified cyber-related threats as one of the highest of all global risks from the perspective of impact and likelihood. This assessment was echoed at a national level in the Government's 2014 National Risk Assessment. The development and proliferation of Information and Communications Technology (ICT) has transformed the way in which society operates. There are few sectors of either society or the economy which do not rely on some form of ICT for their continued operation. This increased dependence has led to increased risk, with threats such as hacking, cyber-crime, hacktivism, cyber espionage, software failures and even human error posing a direct threat not only to the daily lives of Irish citizens but also to the economy and the State.
The Strategy recognises that the potential for reputational damage in the event of a cyber attack should not be underestimated, given the huge number of technology-dependent international companies and data centres currently located in Ireland. The Strategy refers to the fact that nine of the top ten global software companies, all of the top ten global ICT companies and all of the top ten "Born on the Internet" companies have a significant presence in Ireland.
The Strategy is based on three key principles: the rule of law, subsidiarity and proportionality. In accordance with these principles, the objectives that the Government aims to achieve through the implementation of the Strategy are as follows:
- to improve the resilience of critical information infrastructure in crucial economic sectors, particularly in the public sectors;
- to continue to engage with international partners and international organisations to ensure that cyber space remains open, secure, unitary and free and able to facilitate economic and social development;
- to raise awareness of the responsibilities of businesses and of private individuals around securing their networks, devices and information and to support them in this by means of information, training and voluntary codes of practice;
- to ensure that the State has a comprehensive and flexible legal and regulatory framework to enable An Garda Síochána to combat cyber crime. This framework must also be robust, proportionate and fair. It is crucial that this framework accords due regard to the protection of sensitive or personal data;
- to ensure that the regulatory framework that applies to the holders of data, personal or otherwise, is also robust, proportionate and fair; and
- to build capacity across public administration and the private sector to engage fully in the emergency management of cyber incidents.
Key measures include:
- formally establishing the National Cyber Security Centre (NCSC). The NCSC already exists within the Department of Communications, Energy and Natural Resources and incorporates the State’s National/Governmental Computer Security Incident Response Team. The NCSC will focus on securing government networks, critical national infrastructure and assisting individuals and industry in protecting their own systems;
- improving the network and information security used by Government Departments and Agencies;
- introducing primary legislation to formalise arrangements in law and to comply with EU requirements on capabilities, co-operation and reporting;
- transposing the Network and Information Security Directive and bringing forward legislation to give effect to the Budapest Convention on Cybercrime and Directive 2013/40/EU on attacks against information systems;
- engaging with key partners on an international level with a view to delivering policy measures to improve cyber security; and
- developing a programme of education and training for citizens and SMEs and fostering general awareness.