You have to feel sorry for the National Cyber Security Centre (NCSC), and not just because the “S” on its logo is so truncated it looks like it ran out of money before it could finish it off.
This is not an easy time to warn about things that might happen or are even likely to happen at some point over the next two years, as opposed to, say, on Saturday night in a city near you.
When the news is a string of hate crimes, smashed glass and riot shields, when people are tracking the cross-border movements of water cannon almost as closely as they are the dire utterings of Elon Musk, there doesn’t tend to be much spare bandwidth for the intricacies of the National Cyber Emergency Plan.
The fun part can be found in the appendices, which is where the NCSC outlines a taxonomy of cyber incidents ranging from the ‘localised’ to the ‘highly significant’
Maybe it’s never a good time. When the State was hit by a big ransomware attack on the HSE in May 2021, the seriousness of the incident competed with the pandemic for attention. From the outside, it was hard to tell where general Covid chaos ended and chronic cybercriminal-inflicted damage began.
It’s reassuring, of course, to know that as of this week, we have a publicly available National Cyber Emergency Plan and that the relevant officials from Government agencies and departments have probably read it.
The fun part can be found in the appendices, which is where the NCSC outlines a taxonomy of cyber incidents ranging from the “localised” to the “highly significant”, above which sits a full-blown national cyber emergency involving “sustained disruption of essential services” or the kind of security breach that leads to “severe economic or social consequences or to loss of life”.
But when stories about cybersecurity threats are illustrated with images of abstract data points — a nexus of meaningless neon — it’s tough to really grasp the gravity of NCSC director Richard Browne’s caution that there is now a “far greater” risk of cyberattacks in Ireland than there was before.
I left home that morning knowing Sky News had fallen off air, but when I discovered minutes later that the Transport for Ireland app was down, I’ll be honest, it didn’t occur to me that these two things might be linked
July’s surreal CrowdStrike outage — not a cyberattack, but the ironic result of a botched update to software designed to defend against cyberattacks — exemplified how broad and diverse cyber incidents can be.
I left home that morning knowing Sky News had fallen off air, but when I discovered minutes later that the Transport for Ireland app was down, I’ll be honest, it didn’t occur to me that these two things might be linked, like the plot and sub-plot of a crime drama. My first thought was not, “oh, I’ve no idea when my bus is coming, this must be part of a global pattern of technology failures”.
Actual cyberattacks can be fuzzier still. Organisations are not always keen to declare they have been the victim of one because the confession itself can hurt their reputation — though not as much as a head-in-sand reaction inevitably will.
To this day, the extent of what happened at and to the Health Service Executive in 2021 is not widely understood. When Browne told the Oireachtas communications committee in May that it was “in many ways, probably one of the largest cybersecurity incidents in history”, he was asked, “in Ireland?” No, he replied, “globally”, eliciting a “wow!”
‘A matter of days’ from insolvency: How an Irish company came back from the brink
Still, if critical infrastructure is taken out, we can expect to hear about it. Fallout from another type of cyberattack has a grim tendency to just rumble on in the background, rarely troubling front pages even as recovery bills spiral.
The October 2023 attack on the British Library triggered one such costly, discombobulating mess. Media coverage of this ransomware attack, which mostly affected authors and the academic community, has been muted, yet the “painstaking” restoration of its services remains ongoing.
The British Library is not the only cultural institution to be targeted. The Metropolitan Opera in New York, Toronto Public Library and, most recently, the Grand Palais in Paris have all been subject to cyberattacks. In January, the Arts Council of Ireland was unable to display its art collection online for a spell after museum software provider Gallery Systems was hit.
The gradual sense of becoming inured to technological s**tshows instigated by malicious actors should feel like a concession
Some incidents can be classed as near misses. Some are peripheral, their consequences esoteric. They lack the visual drama of a flip-chart departures board at a delay-stricken airport. They have none of the urgency of a power grid sabotaged by a propaganda-spewing hostile nation — an event simulated in April in a Nato-led cyber wargame in which NCSC personnel took part.
But there is a quiet insidiousness to each and every attack. The gradual sense of becoming inured to technological s**tshows instigated by malicious actors should feel like a concession. Someone else is winning, and it’s not us.
Simple opportunism is likely at play. If governments insist on underfunding public bodies — including cultural ones — to the point where they cannot invest in their crumbling IT systems, they leave them exposed.
The rise across Europe in cyber espionage attributed to Russia and China is important context here, not least because the theft of data may be accompanied by another form of dismally familiar cyber warfare
As for the NCSC’s budget, it has climbed from €5.1 million in 2021 to the still modest sum of €10.7 million in 2024, with its headcount set to reach 75 people this year. It has a “substantial ask” in for Budget 2025 so it can continue hiring.
The rise across Europe in cyber espionage attributed to Russia and China is important context here, not least because the theft of data may be accompanied by another form of dismally familiar cyber warfare: the spread of disinformation to sow discord. It’s often the same bad guys.
That foreign bot armies have the capacity to ramp up social unrest and incite ugly scenes on our streets should be enough to convince the Government that the NCSC’s warnings must be heeded, its funding not skimped on. It would be nice to think so.
But there’s always the wishing-and-hoping approach, I suppose.