The National Cyber Security Strategy 2015-2017 for Ireland sets out how the country will engage with a dynamic and challenging aspect of developments in digital technology, defining the government's approach to facilitating the resilient, safe and secure operation of comput networks and associated infrastructure used by Irish citizens and businesses.
Obj. 1 - Improve the resilience and robustness of critical information infrastructure in crucial economic sectors, and particularly in the public sector.
Obj. 2 - Continue to engage with international partners and international organisations to ensure that cyber space remains open, secure, unitary and free and able to facilitate economic and social development.
Obj. 3 - Raise awareness of the responsibilities of businesses and of private individuals around securing their networks, devices and information and to support them in this by means of information, training and voluntary codes of practice.
Obj. 4 - Ensure that the State has a comprehensive and flexible legal and regulatory framework to combat cyber crime by an An Garda Siochana (Ireland's national police service) that is robust, proportionate and fair, and that accords due regard to the protection of sensitive and personal data.
Obj. 5 - Ensure that the regulatory framework that applies to the holders of data, personal or otherwise, is robust, proportionate and fair.
Obj. 6 - Build capacity across public administration and the private sector to engage fully in the emergency management of cyber incidents.
Appropriate definition of critical infrastructure? Yes, the development of a national emergency management system to better protect Ireland’s critical infrastructure is regarded as a key measure. The measure covers infrastructures such as energy, water, social welfare, telecommunications, banking and healthcare. The strategy also makes a specific reference to telecommunications and the EU Telecommunications Framework Directive (2009/140/EC), which provides for mandatory and security requirements for telecoms operators.
NATIONAL CYBERSECURITY STRATEGY - NIS Capacities
|Year of adoption||December 2014 for the period 2015-2017.|
|Updates and revisions||
This is the first NCSS for Ireland. An external assessment was published in May 2016, which is incorporated in this analysis.
A related document is the National Risk Assessment for Ireland (2015) published by the Department of An Taoiseach (department of the office of the Prime Minister), which notes that cyber-attacks could potentially threaten Ireland’s key national infrastructure (such as energy, transport and telecoms systems). It also identifies the specific risk for the public service in respect of theft or compromising of data collected by the public service.
It remains to be seen what steps will be taken for the new national cybersecurity strategy.
|Implementation and monitoring||
The Department of Communications, Energy and Natural Resources is responsible for implementation, including the establishment of the National Cyber Security Centre. The Minister for Communications is expected to bring a memorandum to Government in early September proposing the formal establishment a National Cyber Security Centre.
Implementation is dependent on effective interDepartmental co-operation. The strategy places an emphasis on task-sharing and building trust relationships between the State, public and private partners, academia and civil society. However, at the current time there is no evidence that protocols to facilitate the flow of information have been implemented.
|Operational capacity building||
A key element of the 2015-2017 NCSS is the establishment of the National Cyber Security Centre (NCSC), whose primary focus is on the protection of government networks, personal and business systems, protection of critical national infrastructure but not yet established.
The objective for 2015-2017, the skillset and constituency base of the NCSC will be developed to:
The NCSC's mandate includes:
The NCSC will expand its information sharing arrangements with national and international stakeholders with timely public notification.
Legal foundations will aim to fully implement the EU NIS Directive by means of primary legislation. This legislation will give effect to national cyber security arrangements and transpose the NIS Directive. The process will involve regulatory impact analysis and legislative scrutiny by parliament (Oireachtas). The strategy does not make explicit references to specific legal foundations and therefore requires future investigations.
To date, the Criminal Justice (Offences relating to Information Systems) Bill has been introduced. The Bill will enable ratification of the Council of Europe Convention on Cybercrime and the transposition of the EU Directive 2013/40 on attacks against Information Systems.
|Businesses and Public Private Partnerships||
Cork is Ireland's most prominent Cybersecurity Hub with a mix of indigenous start-ups and multi-nationals, which have chosen Ireland as their EU HQ or set up a centre there. A critical factor underpinning this growth is Cork’s strong ecosystem, which can deliver the technical talent required to support the cybersecurity sector.
Cork’s higher education institutions are also playing a key role in the development of the cybersecurity cluster, such as the Cork Institute of Technology (CIT) and the University of Cork. Security for embedded systems and the Internet of Things is a rapidly growing area of focus for us currently through CIT's NIMBUS Research Centre. Deep engagement with industry partners and advanced programmes are part of the capacity-building measures being taken. Programmes cover security management and law, digital forensics, malware analysis, applied cryptography, offensive security, and network security and forensics.
Cork’s local authorities and Ireland’s national development agencies are strategically committed to providing the supports that advanced IT organisations require to compete globally. Access to decision makers, a favourable tax environment and a willingness to engage strategically while adopting a joined-up-thinking approach all combine to make the Cork cybersecurity value proposition exceptionally strong.
|Other capacity-building measures: research and education||
Programme of education and training, with a revamped "Make IT Secure" website to help citizens and SMEs better protect themsleves online.
Ireland has become a significant base of international technology and security companies stemming from a growing, well educated and flexible workforce with a rapidly increasing graduate output.
The NCSS is a mix of compliance with international and EU developments, alongside national initiatives with a strong focus on legislative and policy aspects. In 2017 the NCSS has embarked on a major recruitment campaign for experts who will help protect critical national infrastructure such as electricity, water, ports, airports and hospitals from potentially crippling cyber attacks.
|Date of last WISER analysis||July 2017|
Compliance with the GDPR and NIS Directive: Report a cyber incident
|Report a cyber incident to national CERT/CSIRT||
Irish Reporting and Information Security Service IRISS-CERT, Ireland's first CERT (Computer Emergency Response Team) to provide services to all users within Ireland. It provides clients with incident reporting, alerts and warnings, sanitised attack notifications, guidelines and advice, surveys and research into information security matters in Ireland. Accredited by Trusted Introducer.
|Guidance and Updates||
Services provided by IRISS-CERT to its clients include:
|Date of last WISER analysis||July 2017|