Hope is no protection.
Ireland suffered the most serious cyber-attack in its history on Friday May 14th with the HSE ransomware attack. This attack has seriously impacted the HSE IT system and consequently many patient services. Since the attack, Ireland’s National Cyber Security Centre (NCSC) has been leading the incident response to manage this situation and help get the HSE’s IT system up and running again. The Government reports that a task force is responding to this attack while ensuring no ransom is paid.
However, questions are now being raised as to how prepared we were for such an event that we all knew was coming. We now know that the NCSC has just 29 staff and that the Director’s post, which attracts a salary of somewhere between 89k and 127k (around the Principal salary scale range), has been vacant for almost a year. An Oireachtas Committee on Communications recently heard from cyber experts that this salary really needs to be doubled to attract the right calibre of candidate. Naturally one wonders what priority was given to this strategically important post.
Leaving the vacant post aside, how prepared was Ireland overall for this sort of attack? One consideration might be to look at how much we are spending on our national cyber security centre. Let’s look at a few benchmarks starting with our usual comparator the UK. One source indicates that the UK’s NCSC has a budget of about €375 million. Ireland’s NCSC budget for 2021 is €5.1 million, up from €3.4 million in the previous year. The UK’s budget is 75 times larger than Ireland’s while their economy is just seven times larger.
Let’s look at a more similar sized country, Singapore. With a similar sized population, Singapore’s economy is about 50% larger in terms of GDP; however, the budget allocated to their national cyber centre (the CSA) is about €200 million a year against Ireland’s €5.1 million. Consider also the latest ISC2 report, which estimates Singapore’s total cyber related workforce to be 57,765 compared with 14,212 for Ireland. The picture is stark: we have been under-investing in cyber security, ‘hoping’ that the cyber criminals would not notice. They have.
Cyber-attacks are not going to go away after the HSE attack; in fact they may increase. We need to spend a lot more if we want to protect our open economy and society and ensure multinationals continue to invest here. With a capacity review underway for the NCSC we can safely anticipate a further increase to the NCSC’s budget, but we must also look at the cyber and IT investment across all government IT departments. We can’t wait and hope any longer.
https://www.irishexaminer.com/news/arid-40298483.html
https://www.nao.org.uk/press-release/progress-of-the-2016-2021-national-cyber-security-programme/
https://www.techradar.com/uk/news/national-cyber-security-centre-what-is-it
https://www.straitstimes.com/singapore/singapore-budget-2020-1b-over-next-3-years-to-shore-up-cyber-and-data-security
ISC2 CyberSecurity Workforce Study 2020