Ladies and gentlemen, good morning.
I want to begin by thanking ISC squared for the invitation to be here today and for giving me the opportunity to address this important Conference. I hope those of you who have travelled from across the globe get the opportunity to experience Irish hospitality.
Ireland has a good story to tell when it comes to the Digital Economy. It employs approximately 100,000 people of which well over 6,000 are working in cyber security.
Vice President Ansip of the European Commission, on a visit to Dublin last month confirmed we rank 8th place among the 28 member States according to the Commissions’ Digital Economy and Society Index and in terms of e-commerce and small and medium-sized enterprises, Ireland ranks first in the European Union.
Ireland is also home to 9 of the top 10 global software companies;
9 of the top 10 global ICT companies are here;
the top 10 "born on the internet companies" all have significant operations here in Ireland;
and the top 5 cyber security software firms in the world are based here too.
Security, of devices and of data, is perennially under threat.
We live in a digital world where everything is becoming interconnected, bringing huge opportunities for business and society. Our homes are becoming smarter, from TVs, to fridges, alarms, baby monitors, heating and air conditioning. All of these are being networked and accessible for personal convenience and enhanced control as well as for energy efficiency.
The Strategy
Last year my Department published Ireland’s first National Cyber Security Strategy, which built on the long standing recognition of the State’s own role in facilitating improved security in the on-line world. The Strategy set out how we would protect our digital assets, including personal data and infrastructure. Following on from this, I will be bringing a memo to Cabinet next week to establish a National Cyber Security Centre (NCSC). The Centre will have a primary focus on securing Government networks and assisting industry and individuals in protecting their own digital assets. It will also cover the security of critical national infrastructure. This will build on the existing Computer Security Incident Response Team that has been in place in my Department since 2011, providing incident response services to Government Departments and core State Agencies.
The Directive
Earlier this year, the institutions of the European Union agreed, after three years of negotiations, a Directive on the security of network and information systems. For many of you, I suspect, this will be the first time that an EU Directive has landed in your industry. At the moment, we are engaged with the European Union institutions and public bodies on the precise details of implementation, but either way, this will be law in May 2018. It will have very significant implications for many companies who want to do business in the EU.
The Directive represents a step change in how countries in Europe approach cyber security, and involves a shift in approach towards a more formal type of regulatory relationship in certain key industries.
In some essential services, we will be required to identify critical infrastructure operators, and to require them to report incidents on a mandatory basis and to meet certain security standards. In practical terms, this means that across the energy, transport, finance, health, water supply and digital infrastructure sectors, we will be actively identifying which physical infrastructure we regard as critical. We will be compelling owners or operators to take measures to secure these against attack. Critically, of course, security is always contingent, so we will be taking a risk focussed approach from the outset, and building a legislative and technical system that can be updated as the threat landscape evolves.
For Ireland though, that’s the easy bit, relatively speaking.
The other core component of the Directive covers so called ‘Digital Service Providers’ – those search engines, sales platforms and cloud providers that power and underpin the global internet economy. We won’t be designating these, but in Ireland the list of eligible companies suggests itself. More to the point, given that many of these companies have their EU headquarters here, we will be required to manage their compliance with the Directive on a pan European level. That will be challenging, to say the least.
More to the point, all of this will need to be completed and in place within the next 2 years.
I will be launching a public consultation on implementing this Directive in the coming days. I invite those of you with suggestions on the approach Ireland should take to make those suggestions known. We will be looking carefully at the responses before making our next move.
Our likely approach is to incorporate both regulatory and operational functions within the National Cyber Security Centre, folding the existing Computer Security Incident Response Team into this new Office.
Effective and acceptable cyber security involves a balance of individual rights, particularly in regard to privacy and data protection with the public safety interests of protection of life, property and national security. In line with the Directive, it is envisaged that personal data such as Internet Protocol (IP) addresses will be exchanged with competent third parties for the purpose of network and information security so that the property of individuals and of businesses can be protected.
The Directive provides for the European Commission to set out via EU secondary legislation known as implementing acts - security requirements and the parameters for reporting in the case of digital service providers. In practise the minimal acceptable security and reporting requirements for operators of essential services in Ireland will need to be more onerous than those set by the Commission for digital service providers.
My Department is considering whether a documented ‘risk assessment’ approach based on Health and Safety law will facilitate in ensuring that due diligence is followed on a top down basis. It is essential that Chief Executives and Boards ensure that risk management processes fully account for cyber security risks by having appropriate controls in place.
Just last month, the Central Bank of Ireland published its guidance in respect of information technology and cyber security risks. In welcoming this in a world becoming ever more reliant on digital, I echo the need for appropriate governance and risk management processes to be in place. Our banks, hospitals, airports, airlines, shipping, rail and road vehicles together with our utilities providers need to be safe from cyber attacks.
A regime of mandatory reporting of all incidents impacting significantly on the confidentiality, integrity and availability of the digital data and systems underpinning the essential services is envisaged. Data breaches, malfunctioning smart sensors as well as disruption to delivery of the essential services, such as electricity, will need to be reported. There will also be provision for significant regulatory powers encompassing information security audits including penetration testing.
Awareness
I recognise that regulation alone will not be sufficient. There has to be trust and mutual support in circumstances where the operators of essential services and digital service providers are doing more than the minimum legal requirements. Operational support will be available encompassing incident response and secure information sharing arrangements will be further developed.
I am committed to a programme of education and training so that our people as well as businesses are better able to protect themselves in the digital world.
Stronger public awareness of the value of their digital assets will help reduce the impacts and effectiveness of cyber crime on our children, on all of us and on our businesses.
Across Government and in the Oireachtas, I will advocate for the timely enactment of the Criminal Justice (Offences Relating to Information Systems) Bill 2016, led by the Minister for Justice Frances Fitzgerald T.D. This Bill makes provision for a series of explicit offences around hacking, the use of malware, intrusion and theft of data.
Raising standards and having appropriately certified staff in information security in the public as well as the private sector is becoming ever more essential today.
Finally, keeping pace with the ever increasing sophistication of cyber-incidents is a challenge for us all, and I am pleased therefore that ISC squared has chosen Ireland to host this important event.
I thank you again for the opportunity to make this short contribution and I look forward to hearing the outputs of your deliberations.
Thank you.