Joint Committee on Transport and Communications debate -
Thursday, 17 Oct 2024

Good afternoon everyone. Apologies have been received from Senator Craughwelll and Deputy Duncan Smith. The purpose of today's meeting of the joint committee is to discuss pre-legislative scrutiny of the National Cyber Security Bill 2024. I am very pleased to welcome Mr. Brian Honan, chairman of Cyber Ireland. I thank him for his attendance.

I remind witnesses of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable or otherwise engage in speech which might be regarded as damaging to the good name of the person or entity. Therefore, if their statements are potentially defamatory in relation to an identifiable person or entity, they will be directed to discontinue their remarks and it is imperative that they comply with any such direction.

I remind members of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against any person outside the House or an official either by name or in such a way as to make him or her identifiable. I would also like to remind members of the constitutional requirement that members must be physically present within the confines of the Leinster House complex in order to participate in public meetings. I will not permit a member to participate if they are not adhering to this constitutional requirement. Therefore, if any member attempts to participate from outside the precincts, they will be asked to leave the meeting. In this regard, I ask that any member participating on MS Teams to the meeting to confirm prior to making their contribution that they are on the grounds of the Leinster House complex.

We will commence with the opening statement of Mr. Honan.

I thank the Chair. Cyber Ireland is the national cybersecurity cluster organisation, an industry-represented body launched in 2019 to bring together industry, academia and government to represent the needs of the cybersecurity sector in Ireland and support its growth. The cluster is industry-led, hosted at Munster Technological University and is supported by the Government through Enterprise Ireland, IDA Ireland and the National Cyber Security Centre. Cyber Ireland represents over 180 companies and organisations nationwide, including 100 Irish start-ups and SMEs, 50 multinational companies and 15 universities and training providers, as well as Government agencies, not-for-profit organisations and investors across the cybersecurity ecosystem.

The cluster brings together all the relevant stakeholders under one umbrella organisation with a clear strategy to drive the growth of the cybersecurity sector in Ireland through collaboration, talent development and innovation. Our aim is to position Ireland to become the leading location for cybersecurity in Europe. We have all the ingredients to achieve this but there are significant barriers that need to be addressed by both the private and public sectors.

In January 2024, Cyber Ireland launched its new cluster strategy 2024-27. The strategy steers the cluster’s activities across four focus areas. First, building the community, to bring together the people in the cybersecurity sector, to connect organisations, facilitate information sharing and drive collaboration. Second, business growth, where we support companies from Irish start-ups, SMEs and multinational companies to grow their operations, realise collaborative business opportunities and support innovation. Third is developing the workforce. Our job is to understand the skills and training needs of industry at a national level and work with the education and training providers to ensure we have a sustainable supply of cybersecurity skills to meet industry needs. Fourth is promotion and advocacy. The Cyber Ireland cluster is now the collective voice for the cybersecurity industry in Ireland. We aim to understand the barriers to growth for industry and address these with partners in the private and public sectors. We also champion the importance of the cybersecurity sector to Ireland’s digital economy, with the recent publication of an updated report on the size and economic contribution of the sector to Ireland.

The Ireland Cyber Security Sector Snapshot 2024 report launched in September this year provides an update on the baseline report from 2022 on the size, operations and economic contribution of the cybersecurity sector in Ireland.

On the sector's firms and employment growth, over the past two years, Ireland’s cybersecurity sector has shown significant resilience and robust growth during a global technology sector downturn that particularly impacted Ireland. The number of firms in the sector grew to 535, an increase of 9%. These firms employ almost 8,000 individuals, an increase of 8% since 2022.

On economic contribution, cybersecurity-related revenue from firms in the sector is approximately €2.7 billion, which is up by €600 million, or 29%, in two years. Gross value added, GVA, a measure of productivity, for 2023 is estimated at €1.2 billion, an increase of €120 million, or 11%, over two years.

On office locations, we now have over 750 cybersecurity offices nationwide. The geographical spread of cybersecurity firms across Ireland is a testament to the sector’s nationwide impact and promotes both regional economic development and strengthens the cybersecurity resilience of organisations nationwide.

On diverse firm composition, of the 535 firms in the sector, 47% are Irish businesses and 53% are from outside Ireland. Approximately 60% of firms are small companies with under 50 employees and these firms are primarily Irish-owned. Conversely, 27% of firms are large, with over 250 employees globally, and the majority of these are US firms. Ireland continues to be an international hub for multinational companies' cybersecurity operations. The majority of these are from the US, at 33%, with 8% from the UK and 7% from the rest of Europe. This points to the need for a twin-track approach. First, to support Irish companies to scale to become internationally competitive, and, second, to continue to support foreign direct investment as a key driver of the sector for both dedicated and diversified firms. Developing distinctive supports for each cohort of firms, along with broader sectoral supports, is critical in driving growth across the sector.

On the labour market, there is an international shortage of cybersecurity skills, impacting organisations both large and small. However, in Ireland, we saw a 10% drop in cybersecurity vacancies between 2022 and 2023. Median salaries are €75,000, demonstrating these roles and the sector are highly skilled and high value.

On the future, from our baseline study in 2022 we see the potential for the cybersecurity sector to grow to 17,000 jobs by 2030, more than doubling today’s figure of almost 8,000, and the potential for €2.5 billion GVA.

Given the sector growth over the past two years, the opportunity still exists for Ireland to capitalise on its strengths to develop a leading cybersecurity sector in Europe, and globally. This will have a threefold impact: providing national cyber resilience to our country and organisations, making companies across all sectors more internationally competitive through improved cybersecurity, and the significant economic growth of the cybersecurity sector and digital economy

On EU regulations and market opportunities, the European Union is taking an increasingly central role in cybersecurity with new regulations including the Network and Information Security Directive, NIS2 and the Digital Operational Resilience Act, DORA, among others. Across the EU, it is estimated that more than 180,000 companies will become regulated entities under NIS2. In Ireland alone, it will expand from approximately 70 under the current version, NIS1, to more than 4,000 regulated entities under NIS2 according to initial estimates. Furthermore, it will impact third-party suppliers, potentially impacting millions of companies, not just large enterprises but small and medium-sized enterprises, which are the backbone of Europe’s digital economy. The cost of these regulations to business will be significant, with research predicting the estimated cost of NIS2 at €32 billion per annum across the EU.

The regulations aim to improve the EU’s cyber resilience, safeguarding our communications and data and keeping the online society and economy secure.

It will require increased investment, resources and prioritisation of cybersecurity across sectors and regulated entities. This will require innovative cybersecurity solutions and even more people with cybersecurity skills. Therefore, we believe that cybersecurity companies have a critical role to play in proactively supporting the adoption and implementation of these regulations, supporting skills development and providing the solutions required.

Cybersecurity companies in Ireland can not only support regulated companies across Ireland but also have the opportunity to assist companies across EU countries. It should be noted these regulations will bring increased competition from cybersecurity providers in Europe targeting the Irish market, which we have already seen where EU companies have won tenders to provide cybersecurity solutions and services to the Irish Government. A significant challenge we have identified is the European Union’s focus on technological sovereignty, resulting in restrictions on EU public funding, research and development and tenders being provided to non-EU entities, such as those from the UK or USA. This poses a challenge for Ireland where our sector relies on foreign companies, which make up 50% of firms in the cybersecurity sector here, the majority of which are US-headquartered and employ over 70% of professionals. In addition, indigenous Irish cybersecurity firms looking to grow and expand internationally often require funding, which mostly comes from US or UK-based investors. We must prepare companies in Ireland to proactively adapt to these regulations to be able to secure their organisations and customers. Our people are highly skilled and our cybersecurity companies provide effective and high-quality solutions. As a nimble and adaptable country with a great legacy of tech success, Ireland can take the lead in responding to the impact of EU regulation through adequate strategy, preparation, investment and execution. We can make Ireland a global leader in cybersecurity, exporting secure solutions and protecting organisations across the EU.

On challenges and requests, a mature and diverse cybersecurity industry will play a significant role in supporting Ireland’s national cyber resilience and adopting to these new regulations. What we require is Government prioritisation of cyber security. The Government needs to further prioritise cybersecurity as a key technology and sector to Ireland’s economy and society, similar to other European leaders such as the UK, Netherlands, Finland, and Estonia. A whole-of-government approach is required with significant investment to ensure Ireland addresses significant cybersecurity risks and delivers on the national cybersecurity strategy vision of "an Irish society that can continue to safely enjoy the benefits of the digital revolution and can play a full part in shaping the future of the internet". We need to train up 10,000 new professionals with cybersecurity skills to create a sustainable pipeline of talent for the private and public sectors. Funding for a national cyber education and career programme for young people, that is, for 11 to 18-year-olds, is urgently required, as is a broader cyber awareness and literacy programme for all citizens.

Ireland’s small and medium-sized enterprises, SMEs, are the backbone of our economy and can be the forefront of national cyber resilience. However, they are time-poor, underresourced and lack the skills to ensure their organisations are secure online. While NIS2 primarily focuses on large enterprise and SMEs in critical sectors, we must also support SMEs across all sectors of our economy. Cybersecurity grants to improve Irish SMEs' cybersecurity standards can make a significant impact and funding is required on a long-term basis. However we also need dedicated supports for microenterprises, especially in traditional sectors.

To become a true leader in Europe for cybersecurity, Ireland needs to invest in a cybersecurity research and development centre. The centre would provide a centre of gravity for cybersecurity in the State by co-ordinating Departments and Government agencies, supporting enterprise development from start-ups and SMEs to multinational corporations and providing training and enhancing technological innovation in, most likely, some form of hub-and-spoke model. It should also engage with the public, supporting cybersecurity awareness and education, thereby strengthening a digital society. International examples already exist such as in France, the Netherlands and Sweden and, across the Border, in the centre for secure information technologies, CSIT, at Queen’s University Belfast, the UK's innovation and knowledge centre for secure information technologies.

Investing in cybersecurity is unique amongst industry support as it will not only support the growth of the industry but also will deliver national cyber resilience and secure our digital economy, our digital society and our citizens. With the headquarters of so many international technology companies based in Ireland and as a hub for data centres, we have an economic obligation to invest in cybersecurity and secure our country for organisations and all our people.

I thank Mr. Honan for a comprehensive and informative opening statement. It is very much appreciated by the committee as it gives us a good steer on what is at the moment only the heads of a Bill. That gives us an idea but we have to flesh out this process to ensure that we capture as many third-party views as possible, such as those of Cyber Ireland and the organisations it represents, as well as our own views with regard to what is an important Bill governing a very important institution within the State, the National Cyber Security Centre.

I have a few observations regarding Mr. Honan’s opening statement. He mentioned NIS2 and how the regulation of entities is to be carried out in the State. Separately, as committee Chair, I have written to the NCSC to ask it to outline how it is that it proposes to do that. Mr. Honan has put it in such a way in his paragraph that 180,000 companies will be regulated entities under NIS2. In Ireland, the number will be approximately 4,000. Fundamentally, my question is how is the NCSC to do that? In Mr. Honan’s opinion as a professional in the sphere, does it have the resources and competence to do that? I am not casting any aspersions on the NCSC but I appreciate we need to build up this resource. This is one of the many stepping stones in that process. I have a number of other questions and then the other members will come in. How does Mr. Honan envisage the NCSC regulating that very large number of companies?

To be fair, I cannot comment on the capacity and capabilities of individual agencies. From my own experience and as we highlighted in the statement, there is a skills shortage; not only in Ireland but worldwide. The World Economic Forum estimates that there are 4 million vacancies worldwide in cybersecurity.

I will jump back to the previous question, if the Chair does not mind. The agencies will need to get the adequate resources. That may be a combination of using existing resources and skills within their own teams or may mean diverting those resources from their current jobs and then having to backfill those roles. It may mean having to outsource to third parties. One of the things we have been pushing for in Cyber Ireland and we have worked with the NSAI, is the creation of a cybersecurity standard called CI4. This would be a standard that companies could achieve that gives them a stamp and shows they have met the minimum requirements for the national cyber security Bill and NIS2. That could be a way to take the burden from each of those entities of having to audit every single one of these companies.

I believe there is one in Belgium and one in Germany. I cannot recall the name of it. Within the United Kingdom, there is a scheme called the cyber essentials scheme and cyber essentials plus. Indeed the UK has a system whereby a company that is going to do business with any public body in the UK, must be at least cyber essentials certified. We do not have an equivalent here in Ireland for that. There is an international standard called ISO 27001. That is viewed as a gold standard from a cybersecurity point of view and is potentially quite difficult for SMEs, which are a big concern for us in respect of NIS2.

While they will not be directly regulated by NIS2 and the national cyber security Bill, they will have to be managed by their customers, who are regulated, to make sure they have adequate security in place.

In Mr. Honan's opinion, is there any mechanism to mitigate those costs for businesses? I do not think we are talking about small firms but, that being said, 25% of a firm's IT-related budget is still a very significant cost and would be quite something for the accountants to swallow. In the Irish context, most of these firms are going to be very significant players in the market and they probably will have share outside of our jurisdiction as well. Is there something we can do, either through this Bill or secondary legislation, to somehow mitigate such costs, or are they unavoidable?

As with any journey, how long it takes to get there depends on where you start from. Any firms that have not prepared for NIS2 are going to get a shock. They are going to struggle to meet the requirements. Those that have already been prepared for NIS2 and are getting there will, hopefully, have had those costs spread out already. We are going to see an increase in costs on firms to meet the requirements.

The Government could look at providing grants or some sort of supports for firms to improve their cybersecurity. We provide our personal data and we rely on so many organisations to keep the lights on, keep our communications going and keep our society and economy going. If those firms do not have the appropriate security, it could interrupt the benefits that we have. It is appropriate to give them the supports they need to get there. It is perhaps similar to the climate action plans where homeowners and businesses were given SEAI grants to meet certain levels. A similar scheme could be devised from a cybersecurity point of view.

I am from the west so I am very familiar with the clouds. There are concerns at EU level and member state level as to how secure our stored data is in these organisations outside of the EU. Many of those organisations based in countries outside the EU look at our regulations as being anti-competitive and as trying to create a barrier for them to sell into the EU. We have the yin and yang of regulation to ensure appropriate and good cybersecurity and the protection of citizens' rights versus firms trying to make money.

Yes, I understand that. I will go back to the educational side, and the pathway into the sector to provide the level of expertise we will require on an ongoing basis, not just as a result of this proposal but because of the growth within the sector. It is very easy for me to say it is likely that we have yet to do enough, but we probably have proposals to expand capacity. Is that Mr. Honan's view?

Yes, I would have a similar view on that. When it comes to cybersecurity skills, the focus is on post-secondary. When you go into third level, you may have the choice of doing something on cybersecurity. We have nothing here in Ireland at primary or secondary level to encourage not just the development of cybersecurity skills but to create awareness and the ability to be safe and secure online citizens so that young people can identify misinformation and disinformation. We have seen lots of examples of how that has caused disruption not just online but also in the real world and lately here in Ireland as well. In Finland, for example, it is part of the primary and secondary curriculum to teach people how to identify and spot misinformation. In Luxembourg, cybersecurity awareness is also part of primary education. As a country, if we want to become a recognised leader in cybersecurity, we must start at the very beginning and not try and catch people at 18, 19 or later to educate them on cybersecurity.

That is very interesting. As a committee, we might write to the National Council for Curriculum and Assessment and ask for its opinion on that. It would be interesting to hear from it, and it would certainly be helpful for the committee in compiling its report to the Houses.

I promise members that I have just two more questions. I am sorry. A cybersecurity campus is a nice idea. It sounds interesting. I have just scribbled down "where, how and what is the net benefit?". The questions are self-explanatory. That being said, I understand the benefit of it. Is there potential here for it or are we already addressing it through research and development, taxation, etc., and the support we offer businesses through the tax code to develop the technological side of this? If so, is there a specific location? Are we talking about a centre in the style of the International Financial Services Centre, IFSC? What does Mr. Honan envisage?

It would be something similar to the Centre for Secure Information Technologies, CSIT, in Queen's University in Belfast. CSIT is a unit on the campus which focuses on cybersecurity research. Our vision is that it would be a cross-sectoral initiative between the Government, the education sector and the private sector. Private sector research and development is very different to societal or educational research and development because it is focused more on how quickly it can get something to the market. If it is not going to make money, it will not do any more research on it. That is on the product and technical side. We must be able to focus on more than just the technology here.

A problem we have had, historically, with cybersecurity is that people see it as being a technical or IT problem. We cannot think that way any more. This is a national security risk because our society, personal lives and business lives rely so much on the Internet, cloud computing, computers, etc. It is an economic risk for businesses. It should be treated as a business risk not an IT risk. Therefore, our research and development should look at educational awareness programmes and how we make citizens more aware and better at staying safe online. If an individual citizen is safer online, then employees will be safer in those businesses as well. There is a net benefit across the board.

The academic environment traditionally takes a more long-term view than the research and development sector.

It may look at areas that technical firms would not look at because they would not see a quick return on it. Academic research can also lead to new technology and other benefits. This is where I see the benefit coming from.

As we know, because they got themselves into a bit of hot water about it, some of our third level constituents have, to be fair, developed technology which has been quite competitive. There certainly is an option for this. It is an interesting area and I welcome the discussion on it.

My next point is on governance and oversight, on which Mr. Honan might have a view. I am a member of the committees on justice and climate action. In recent months the committees of the Houses of the Oireachtas have had discussions on sea cables. I tabled a question on this to the Minister for Defence this morning with regard to investment in the protection of these cables and undersea sonar. From a parliamentary perspective, governance and oversight of the national security sphere, in which I include cybersecurity, is sadly lacking in this jurisdiction. We do not have any. We literally do not have oversight in the Houses of the Oireachtas, other than the Minister and, presumably, the Cabinet. I am not sure it is in the best interests of the Irish people for it to be known to only certain souls in the State. I do not know who these people are. It is probably not a place we should be as developed advanced democracy. Does Mr Honan have a view on this? I am not speaking about a special committee with eyes only where the door gets locked but there should be an oversight function outside of the ordinary committee structure, whereby the NCSE comes before this committee or the relevant committee and speaks about its budgetary expenditure. There needs to be another layer of oversight for such organisations. Does Mr Honan have an opinion on this?

This is something we should definitely explore. As I said earlier, cybersecurity is not just an IT problem. It is now also a national security problem. The Cathaoirleach mentioned the subsea cables. Ireland is particularly at risk because we host so many data centres. We host one third of the EU's data. We can become a collateral target if somebody, either a nation state, cyber criminal or politically motivated person, decides to attack an entity based in Ireland. This would not necessarily be an Irish entity or an Irish Government body. It could be a foreign company hosting its data here. If a party tried to attack that, it could lead to collateral damage to us. The issue of cybersecurity spreads across a number of areas, including defence, justice and industry. We need similar oversight in all of these areas. The fact that we lack national security strategy is a big weakness. How can we align a national cybersecurity strategy with a national security strategy if no national security strategy is in place?

My interest in and curiosity about the oversight were sparked by an article in The Sunday Times a few weeks ago. I thought it would be an interesting question to Mr. Honan as an industry representative. On reflection for later, do any of the firms which Mr. Honan represents have a particular view on this? Mr. Honan might ask, as we are interested in this feedback if it is possible. I thank him for his answers. I will now open the discussion to the floor.

I thank Mr. Honan for his attendance. This is a very complex area that has developed incredibly quickly and continues to develop. I have no expertise in this area. Sometimes I struggle to comprehend the risks that exist in cybersecurity and the challenges for us to try to counter these risks. When somebody speaks about cybersecurity I tend to think of very high-level national security. Cybersecurity sounds very high level but does it also encompass the everyday use all of us experience online in performing our functions personally and for business?

Absolutely. It covers a wide-ranging sphere. Small accounting firms, businesses and shops all now rely on the Internet. If we look at how we interact with shops, it is all touch and go. We use our mobile phones to pay. Very few people carry cash. Businesses now rely on the ability to be able to process these payments online. We see more and more businesses moving to sell products online and not through traditional shops. Solicitors' firms and accountancy firms must provide security. It is a big area.

This is my view and I just wanted it clarified. We are doing pre-legislative scrutiny on the heads of a Bill that has been presented to us. We will produce a Bill and legislation on this. Mr. Honan has made points on the prioritisation of national cybersecurity. Does he believe that what is contained in the general scheme meets this and that we are prioritising national cybersecurity?

It is getting there. Historically, we have not been good as a nation when it comes to cybersecurity. I can give a personal example. I set up the first computer emergency response team in 2008 due to a lack of movement by the Government to do so. It is a not-for-profit voluntary organisation. Thankfully, the NCSC has been established and has taken away a lot of what we do. The NCSC's remit is still very much for the critical sector and public sector. SMEs in Ireland are left largely exposed with regard to where they can get trusted independent advice on cybersecurity. The Bill will help to raise awareness of cybersecurity. Not only the regulated bodies will be impacted as their supply chains will also have to meet cybersecurity standards under the Bill. Under the NIS2 directive, regulated entities have to manage the cyber risk in their supply chain. They have to be satisfied they have managed cyber risk. This means a regulated entity will probably ask its suppliers questions about what they are doing on cybersecurity and whether they are doing enough for it to be happy with their level of security.

I get the point on our energy transmission systems, telemetry systems and transport. These are our very high-level cyber networks that are at risk. The supply chains go on and on, down to small businesses. Should we apply a cyber safety integrity level system, considering where a company is in a supply chain or what type of SME it is?

This is something that will be coming. We see the EU doing a lot in this regard. Next January, the EU Digital Operation Resilience Act will come into play. This will ensure entities in the financial sector, such as credit unions and banks, will all have to meet cybersecurity standards and their supply chains will also be included. The cyber resilience Act, known as the CRA, will come into effect in approximately three years' time. Under this legislation, any digital device will have to meet a minimum level of standard from a cybersecurity point of view to be sold in the EU. If I want to develop a new digital product and sell it in the EU, it will have to meet certain minimum level of cybersecurity.

It is very similar to the safety standards we see on the products we buy. There is going to be a cyber equivalent of that three years from now. As the National Cyber Security Bill, the Digital Operational Resilience Act and other Bills comes through, the tide will gradually rise and all firms will have to comply with these measures to improve cybersecurity generally. I wonder how many companies would take cybersecurity seriously without this regulation coming in.

I suppose it is only when you are hit by something that you take it seriously. It is something that happens somewhere else and then you think "God, were we not lucky that it was not us?". A lot of the time it probably is luck. On the cyber-resilience rating for equipment, the equipment remains vulnerable to the actual user. You can design a system that is very safe but issues can arise when a human interacts with or uses it. The Chair talked about further and higher education and Mr. Honan talked about the need to develop that skill set. Because it interacts with every part of our life, is it the case that nearly all third level courses should include a module on cybersecurity? It does not matter what course you are doing. If you are studying healthcare, you are dealing with medical records. If you are studying transport engineering, you are dealing with transmission systems. Even at second level, nearly all secondary school students have smartphones now. The Chair suggested asking someone - I cannot remember who - about the third level curriculum. Because it is so prevalent in society, it would make sense to bring in a cybersecurity module for all secondary and third level students.

It is really about building resilience, is it not? Mr. Honan has talked about the strata of Bills and arrangements made to bring this up. Education is clearly one of these. I refer to the provision of courses at third level and also, as I have said, writing to the National Council for Curriculum and Assessment to ask what it is doing in this sphere. That would be very helpful to us. We could also talk to the Department of Further and Higher Education, Research, Innovation and Science about the number of courses on offer and whether individual third level institutes are planning or being asked to expand in that area. We could ask all of those questions. As Mr. Honan has rightly said, this is a very complex area. The heads of the Bill alone run to 179 pages so I can only imagine what the actual Bill is going to be like when it is published at some point early next year. I am sorry; I interrupted Deputy Matthews.

Mr. Honan mentioned the data centres. Ireland is a data centre hub. Some people are very much against that. Others are not as concerned about it. However, one third of EU data is stored in Ireland. It is obviously in private companies' interests to ensure that we have the highest level of cybersecurity but it is also in the interests of the EU in general. Mr. Honan mentioned cloud-based systems and fibre connectivity. It is hard to draw a border on a cloud or a fibre cable. There is no doubt but that this will cost money. What sort of cost-sharing is proposed at EU level? Will it be done on the level of data risk in a given state or will it just be a national-----

I am not sure what way it is going to be done. My understanding is that the European Union Agency for Cybersecurity is being tasked with providing and managing funding throughout the EU to help organisations to meet the requirements of NIS2 and so on. There will be funding at the EU level to enable organisations and countries to improve their cybersecurity.

That will obviously require risk assessment. You have to carry out a risk assessment to know where the weaknesses are and where needs the most investment. When speaking in public meetings, I am always very conscious of the danger of discussing risks in Ireland and potential gaps in our cyber network but these risks need to be assessed. Is there a national risk assessment?

That brings me on to my next point, which is on the expertise and training required to do this. When you are an expert and a very experienced and competent person, you can do good with that or you can do bad with it. How do we certify cyber professionals? What is the certification process? How are safety management systems and so on assessed for quality and safety? How do we certify a cybersecurity professional?

Deputy Matthews probably saw me smile when he asked that question. This has been one of my campaigns or high horses for many years now. I wrote an article about the issue for a magazine in 2013. There are industry certifications that individuals can achieve. There are institutions such as ISC2 where you can study, do exams and pass to become a certified cybersecurity professional. ISACA is another organisation with which you can do similar. However, in many of these cases, there is no accountability. I often use the analogy that if I have to get wiring done in my house, I have to hire a qualified, certified and registered electrician. Otherwise, I could be in trouble if I want to sell the house in the future. The onus is on me, as a purchaser, to make sure I get a qualified electrician, plumber or whatever to provide these services. However, if I am a business owner and I am looking for a cybersecurity expert, how do I know if a given person is an expert? What accountability is there? In other professions and trades, if you are found to be unprofessional or not to meet the required standards, you can be struck off. We do not have that in the cybersecurity industry. As an individual, rather than as the chair of Cyber Ireland, I have been advocating for some sort of scheme to certify individual professionals and to hold them accountable should they act inappropriately or incorrectly leading to costs for organisations.

I absolutely agree. There is a whole layer of stuff. Coming back to the Deputy's comment about introducing cybersecurity as part of a module in all third level institutions, I am familiar with many institutions that provide training to students who wish to be software developers but I question whether they are being trained to develop software in a secure way, thereby building security systems. These are the tenets we are now bringing in. Under GDPR, you must have privacy by design and by default in every system you set up and design. What level of competence do the individuals the Deputy mentioned, who are designing, developing, installing and maintaining those systems, have? What level of training do they have? What assurances do we have that they are doing things in accordance with those provisions? That is a big problem at the moment. Cybersecurity is a small niche in the overall IT industry. The industry is really only 20 to 25 years old whereas IT is decades older. In many ways, we are still trying to find our feet, which is why it is important that we have these research areas and so on to ensure we are doing things in the most secure way. This is particularly relevant in the context of new technologies coming in. How do we ensure that AI and everything else that is coming on board is being deployed in a way that is not going to introduce insecurities, whether accidentally or deliberately, or-----

I will not even go into AI because I have not even attempted to try to understand it. Sometimes I reach a point where I ask if I really need to know a technology as I have enough in my life at this stage.

I know I am taking up a bit of time but I want to expand on one point. We talk about designers, installers and so on, and we could certify them and have a level and a standard for that. However, the users can be very much the weak point. I did a survey recently on how cybersecure I am. It was one of these multiple-choice surveys where two of the answers are obviously wrong, one is partially right and the other is dead right. It mentioned a cybersecurity bulletin that we get sent every quarter and it asked whether you read it or skim-read it. Obviously, I skim-read it, if I read it at all. I am putting this in the context of something like a fire drill in a building, which is a practical application of what we do in a fire situation and although it is controlled, we can see how people react. Is it possible to randomly test people or, in other words, have a controlled cybertest?

I get a lot of emails and I am very conscious of opening attachments. I sometimes get emails with attachments from constituents who I do not know and I do not open the attachment or am cautious about that. I will open attachments from trusted people who I have received attachments from before, such as those in Departments and so on. Within industry, in order to test people, would it be possible to send them some sort of cyber-risk scenario, see how they react to it and then tell them the risk they had run? Rather than sending someone a bulletin saying “Don't do this” or “Don't do that”, putting them in a scenario where they get caught out might mean they are glad they had the test. Is there something like that out there?

Yes, there are various things like that. I come back to one of the comments made by the Deputy, which was that users are the weakest link. I would argue that should not be the case. I am giving a talk next week at a conference in Croatia and I am going to use the analogy of the car industry and how, over the years, it became more and more regulated. The car manufacturers did not put airbags or seatbelts into cars for the good of our health but because they were forced to by regulation and because Governments got worried about the cost to the economy of the road deaths and accidents that were happening. We have now built into our automobile environment better roads and better cars, which has been driven by regulation and design, and drivers have to be trained. My son is currently preparing for his driving test. When I did my driving test, I did not have to have any lessons whereas he will need a minimum of 12 lessons. We are improving those things. However, we do not have the same level of architecture and design throughout the whole IT and cybersecurity ecosystem.

My argument is this: if somebody clicks on an attachment in an email, why is he or she the one getting the blame for all the security defences that did not stop an email getting in there in the first place? If I crash my car, I may have gone over a white line, been speeding or tried to run a red light, and that is the human factor, but the car is designed to protect me and others if I make those mistakes. That is the way we should be looking at our infrastructure from an IT and cyber point of view. We need to protect people from making mistakes and not rely on the person at the end to not click on the attachment. Email was designed to share links and attachments, so it is kind of counterintuitive.

The car and road safety scenario is fine, and it is a set of circumstances that we are all familiar with. The villains out there in the cyberworld try to trap people. It is like putting in a traffic light that never existed before or putting a bend in the road that someone was not expecting. We are told not to open attachments from untrusted sources but people are doing so much that they make that mistake from time to time. That is where the weakness is. If somebody was tested on that randomly, it would keep them much more alert.

It would. There are various different options available. Organisations can purchase different products and use them to send simulated phishing emails to their staff. If people click on the link or attachment, it reports back to the person who ran the test to say, for example, that 10% of the user base fell for this, and the organisation will need to target them with more training. Organisations need to be very careful how they run those programmes. They do not want to be seen to be targeting certain individuals or people might think they are being harassed. Organisations also need to be careful with the lures they use. I have heard of companies using emails with attachment titles like “Job Cuts”, “Next Year's Bonuses” or “Free Covid Vaccines” when vaccines were short during Covid, which means everybody is going to click on that. It should not be a competition to catch somebody out. It should be an educational tool.

From a corporate point of view, and stepping into my role as CEO of BH Consulting, we test security for our clients. We try to hack into their systems, similar to the way criminals would do. Both physically and virtually, we have broken into client environments to try to identify weaknesses and improve them.

I thank Mr. Honan. We are doing pre-legislative scrutiny of the National Cyber Security Bill. As Deputy Farrell outlined, it is 183 pages of a PDF and that is just the heads of the Bill, so there is a lot in it. We have all admitted that none of us are cyberexperts. I think we will be going from 70 regulated entities to approximately 4,000 but all of those 4,000 have suppliers and customers, and the Bill touches on 18 industries, so it may affect a lot more people than many appreciate or realise. I presume many cyberexperts are looking in today but many others are not cyberexperts. We know the Bill is transposing NIS 2 but, for an ordinary person, what is it really about or what is the crux of it?

The crux of the Bill is that it is trying to ensure the organisations that will be regulated are meeting a minimal level of cybersecurity requirements. Deputy Matthews mentioned risk. It is to ensure organisations are taking a risk-based approach to their security. There is no such thing as 100% security either in the cyberworld or the real world, so people have to take a risk-based approach. That is what the Bill is proposing that organisations will do. They will take a risk-based approach, look at their environment, understand the risks they face as a business or organisation, and then put in the appropriate security controls to manage those risks.

The Bill will directly impact the regulated entities. They have to manage the cyber-risk in their supply chain and their focus will probably be on the first or second-tier entities in their supply chain. Those entities may, in turn, go down the chain further. As to whether it will impact the corner shop or the one-person solicitor’s office, unless that one-person solicitor is providing services to a regulated entity, it probably will not be hitting such organisations. “Hope” is probably the wrong word to use with regard to security, but I hope this uptake of and focus on cybersecurity will have a ripple effect throughout the economy and businesses and that people will realise that cybersecurity is central.

We saw the impact of the HSE attack and how the smallest thing, such as somebody clicking on something or using an old computer with the passwords left on screens or on desks, could have an effect. All of a sudden, it was seismic, given the hassle it caused, the cost of recovery and the slowing down of productivity.

We are here using phones and laptops. All that stuff is everywhere. People get complacent. When everything is working fine, everything is working fine. They have ten passwords, and they are all the same until one gets hacked. I am not saying I do it, but I know people do it. They do not have different passwords for everything. One site gets hacked. I think SuperValu at one stage had the breaks scheme and credit card details were found. It is something we all need to be more conscious of. Data is out their in the cloud and so on, and it is accessible.

Mr. Honan is coming from the industry perspective. His members are in industry, academia and so on. I was looking at IBEC’s submission, particularly in the context of its concerns. Has Cyber Ireland got concerns about what is in the general scheme. Is there too much in it? Is there not enough in it? Have any of its members flagged concerns about what is in the general scheme?

Nothing major has been flagged to us. What has been flagged, as I mentioned earlier, relates to the territorial requirement whereby if a supplier of cybersecurity services is more than 50% owned by an entity outside the EU, that supplier cannot bid for cybersecurity projects that will be funded by the Government, ENISA, or the EU. From the point of view of our members it means that some of us who have gotten funding from investors based outside Ireland or the EU cannot provide the services.

I am trying to get my head around why that is in the proposal. Are we limiting our scope to access the best technology from wherever it comes? When I was growing up, it was historically Sony. It is more Samsung now. Places like Korea, Japan and China do a lot of tech, and probably do it well. Are we limiting our ability to access the best stuff by saying it must all be owned by certain entities or is there an opportunity for these companies to set up European divisions and then the stuff comes in from wherever in any event?

I do not think the extraterritorial thing is in the proposed Bill. It is more an EU approach to encourage and enable indigenous EU firms to get a chance to grow. The default is maybe to go for the big names. However, this is potentially being brought in to enable European companies to have a fighting chance.

My concern is that we are not able to access the best technology wherever it is from. I get the risk and concern, but I am not sure it makes sense until the infrastructure is in the EU. Maybe it is, but if it is not, are we going a bit too far too fast in saying that we better start setting up stuff when we do not have the best technology? Cybercrime does not respect borders. Those involved do not necessarily worry about whether we are in the EU. Is that a concern?

The concern would be if we are a member company that might be developing a product and that has opted for investment that has come from outside the EU. We are still looking for clarification as to whether that would rule those organisations out of bidding for particular work. I understand the motivation behind it. From a national security point of view, you may want to ensure that EU entities are providing services, and you are not at risk of outside state interference.

The EU comprises 27 member states. We would have historically traded a lot with Britain. The latter would be out of the loop if the company involved were based there. If this were applied, such companies would be in trouble. In its submission, IBEC submission states that it agrees with the vast majority of what is in the general scheme, but there are certain elements that it believes need to be further considered in order to ensure consistency across member states and at European level. The first issue it believes will benefit from further consideration and amendment relates to head 3, which outlines the scope and functions of the NCSC. Although not contained in the NIS2 directive, IBEC states that most of these functions are straightforward and sensible. It also states that head 3(1)d, which would empower the NCSC to deny the use of the network and information systems to acts of foreign or domestic interference that are intended to be detrimental to the interests of the State or its international relations or are clandestine or deceptive or involve a threat to any person, and head 3(1)k, which empowers the NCSC to monitor and identify foreign information manipulation, are disproportionate in their breadth and therefore inappropriate for inclusion in the final Bill. Has Mr. Honan been made aware of that concern? What does he think of the point IBEC makes?

IBEC's concern is that if this is not amended, there is a risk that functions will be applied arbitrarily and unfairly and that sweeping powers will be granted. The concern is that some individual in the NCSC will be able make all the decisions themselves. The Chair may have alluded earlier to there being no real oversight.

I am no expert, but organisations like Cyber Ireland and IBEC are raising concerns. That is what we are here for. It is to tease out whether the concerns raised are valid and whether they have been allayed or addressed. Mr. Honan thinks that there is a greater level of protection and that there would not really be as much of a problem as IBEC thinks.

I believe so. IBEC raises a good point about the transposition of NIS2 into member states' domestic law. We will potentially end up with many different laws in different countries. If an Irish business is operating across multiple member states, it will have to be aware of the different laws in different countries. That is unlike the GDPR, which is a consistent regulation across all of the member states. A directive can be transposed into domestic law in whatever way the relevant member state wants it to be.

The law in Belgium was a straight cut and paste from the directive. IBEC states that head 3 goes further and that the NCSC should be the adviser rather than the entity that pushes the button to say "No" or "Yes". There should ministerial or political oversight or oversight by a particular body in order that there would not just be an individual, a particular civil servant, or head of something who has all the power in his or her hands.

I understand the concern. I am taking my Cyber Ireland and CEO of BH Consulting hats off and putting my CERT hat on. From a national security point of view, you need to act quickly, particularly in the cyber realm. The HSE ransomware attack was mentioned. These things can happen in seconds or minutes. If have to go to a committee or an oversight body and get its members out of bed to make a decision, vital time could be lost in protecting-----

Everybody would want that. None of us wants to see what happened to the HSE happen again, either to the HSE or any other entity. We are reliant on technology for everything - payment systems, Google Maps and so on. We use our phones all the time for everything. If your phone's battery dies, you feel like your right arm has fallen off. What we are discussing is important. The concern is that experts like those in the NCSC and IBEC, who are doing this for a living all day every day, have not had their concerns taken on board. Is Mr. Honan of the view the experts are being listened to?

If the committee is making recommendations, we should make sure we talk to the people who have to implement the stuff about whether it is workable and what the challenges and problems are. I do not mean that we should bow down and accept everything they say as the right way forward, but we should tease matters out with them in order to ensure that the eventual Bill will be workable and will what it is supposed to do as opposed to having unintended consequences, which can happen with some legislation.