State seeks to protect IT networks

A CONSULTANT TO protect State assets and important infrastructure from cyber attacks will shortly be appointed by the Department of Communications, Energy and Natural Resources.

Following a tender process the winning firm will create the State’s first computer emergency response unit.

The unit’s remit is to protect IT networks used by Government departments, agencies and critical infrastructure operators from cyber attacks. The consultant’s role will be to organise structured exercises, manage incidents involving malicious software attacks and share information about computer vulnerabilities.

“We have taken some people on board and we are building capacity. The process is not finished,” said Aidan Ryan, technical adviser with the Department of Communications.

Similar work has been carried out by a voluntary group, the Irish Reporting and Information Security Service computer emergency response team (IRISS-Cert), which was set up in 2008.

It distributes free security advice and alerts about information security threats to about 450 organisations in Ireland. It is accredited by the Europe-wide body TF-CSIRT and is part of the International Cyber Security Protection Alliance, a global non-profit group that provides technical expertise and resources to law enforcement agencies investigating cyber crime.

Mr Ryan said the Government unit would have access to information that might not be disclosed to a private-sector forum.

“What’s happening across Europe and the world is that government Certs are being set up and the level of information that they share is probably more advanced than the voluntary sharing of information,” he said.

The Irish information security community reacted positively to the news but called on the Government Cert to work with a wide range of stakeholders.

“We would obviously welcome the fact that the Government is looking at having a formal Cert presence,” said Mathieu Gorge, chairman of InfoSecurity Ireland, a local industry body. “If we don’t even have a Government Cert it wouldn’t look good for Ireland Inc.”

However, he questioned whether the tender terms were too narrow. “You have to remember a Cert is about protecting critical national infrastructure from attacks, but that infrastructure is largely owned by commercial entities.”

The department has not disclosed the budget being allocated to its unit, but some believe it’s significant that the tender document put a 45 per cent weighting on the price of bids.

Colman Morrissey, managing director of the security consultancy Espion, said: “The department is doing the right thing given the economic circumstances, assuming the person they appoint is liaising with groups like the high-tech crime forum and other Certs around the EU, in line with recommendations from Europe.”

The EU’s Digital Agenda for Europe document stresses the need for member states to have “a well-functioning network for Certs” at national level by 2012.