This week’s column first appeared on Broadsheet.ie on Monday May 17th. I look at the massive ransomware attack on the HSE and the Dept of Health and remind us that experts have been warning for years that government is not taking cyber defence seriously enough.
We risk being the EU’s weakest link on cyber security despite our dependence on the digital economy.
Though I have related this Jeffrey Bernard anecdote here before, it still bears repeating. When Jeffrey Bernard was too “tired and emotional” to submit his weekly column to The Spectator, the editor would place an apologetic line explaining that there was no column that week as: “Jeffrey Bernard is unwell”.
There was also another one. It was longer, but less apologetic and appeared when the editor was feeling less charitable. It read: “Mr Bernard’s column does not appear this week as it remarkably resembles the one he wrote last week”.
Broadsheet’s editor could be forgiven for posting a similar renunciation here, as the discourse on the HSE cyber-attack I propose to put to you is effectively a re-statement of arguments and commentaries I’ve made many times over the past few years.
I have been warning about our failure to take national cyber-security seriously since late 2019. I highlighted it as a sub-plot in this column from Sept 2019 and then expanded on the problem in a column entitled: Pleading No Defence On Cyber Security.
I could quote chunks from both pieces today, because the arguments made then are even more relevant as we count the cost of the sophisticated cyberattacks which hit the Department of Health over the weekend and shut down the HSE’s IT systems since last Thursday.
Similarly, I could quote large elements of what I said in my July 2020 column: No Ministering On Data Or Cyber Defence when I critiqued the glaring gaps in this government’s approach to data protection and national cyber security.
In all these articles, and some others, I did more than highlight the problems, I tried offer proposals that would address them. These included assigning responsibility for the co-ordination of national cyber security and the protection of key elements of national infrastructure – included our communications, power, transport, and health IT systems to the Defence Forces.
Some in the political sphere get this, including the people who wrote the defence and cyber security portions of the Fianna Fáil 2020 manifesto.
It recognised that cyber security is a matter of national defence, not just because of the importance of the digital sector to our own economy but due to Ireland’s strategic importance to the EU’s digital economy.
The manifesto said that “Ireland needs to recommit to its Defence Forces and its defence capability” identifying cybersecurity as a vital element of national defence and committed to “…transferring this important function to the Defence Forces/Department of Defence”.
Sadly, the enthusiasm and commitment of the Fianna Fáil manifesto never made it through to the joint Programme for Government. In place of the specific commitments came this empty promise to: “Implement the National Cyber Security Strategy, recognising the potential and important role of the Defence Forces”.
How did that happen? How did an active commitment turn into a barely passive suggestion? It can hardly be due to Fine Gael and the Greens being so opposed to the very notion of taking cyber-security seriously that they blocked Fianna Fáil’s efforts in the talks?
Or, is it not more likely that the inner civil servant mentality of many around that negotiating table – not to mention the cache of Dept of Finance bean counters outside the room, totting up the costs – won out. It was decided to do nothing, as doing nothing, costs nothing. The Irish Department of Finance’s secret mission statement is: proudly saying No for over 100 years, after all.
Not that the Merrion St bookkeepers are wrong on costs. Having a robust national cyber defence capacity will cost a lot of money, particularly if we hope to attract and retain people with the highly specialised and transferable skillsets required.
Doing that would mean reversing the flow of qualified personnel out from the defence forces and towards the private sector, attracted by higher salaries and better career prospects.
It will also mean making tough decisions on co-operating with our European partners on cyber defence. Ireland is only involved in one of PESCO’s 46 projects – it is a very important one on upgrading maritime surveillance, but we have opted not to participate on any of PESCO’s four cyber defence projects, including the Cyber Rapid Response Teams (CRRTs) project that enables member states to help each other to ensure a higher level of cyber resilience and collectively respond to cyber incidents.
We do have a choice – having a modern cyber defence capacity costs money but, as the HSE and Department of Health attacks show, not having one also costs. Remember, the two attacks I am talking about here are only the latest of an increasing series of attacks.
Up to now, the Irish state has followed Homer Simpson’s “Can’t someone else do it?” slogan from his stint as Sanitation Commissioner, and effectively relied on private militias, in the form of private security firms protecting the digital assets of IT giants like Google, Apple, Facebook etc.
Government has assumed that these big tech companies would more likely be the targets of malevolent cyberattacks, than it would.
But it forgot that those behind these attacks, be they criminal gangs or hostile foreign governments will attack our weakest spots, not the stronger ones. (See this Reuters report on how Russian intelligence agency and Chinese spies were behind cyberattacks on the European Medicines Agency (EMA) last year)
Irish government policy over the past few years has effectively turned our critical national infrastructure into a soft target for bad actors. But Ireland is home to more than its own vital infrastructure. Around three quarters of all transatlantic cables* in the northern hemisphere pass through or near Irish waters, mainly along the South West coastline.
This matters as over 95% of all global data still passes along cables laid on the ocean floor. Despite all our talk of the “cloud” satellites still only account for a tiny percentage of global data transmission. This leaves Ireland, an Island that has successfully grown a digital economy, with the most to lose if those cables are attacked or damaged.
Fixing Ireland’s cyber defence problem is going to cost money – not fixing it will cost a lot more.
* For a better explanation of their critical importance please read the Chapter entitled: Patrolling Below The Horizon: by the Irish Naval Operations Command’s Lt (NS) Shane Mulcahy, in the 2019 Defence Forces Review. Indeed, check out the Defence Force Review archive for several more detailed articles on how Ireland could deliver an effective cyber defence capacity.