The National Cyber Security Centre (NCSC) has it tough, not simply because its logo’s “S” appears financially unfinished due to its extreme abbreviation.
Forewarning about potential future events, especially those that are predicted to occur within the coming two years, presents challenges in this day and age, compared to, let’s say, foretelling something about to happen near you on a Saturday evening.
During the times when hate crimes, broken glass, and riot shields dominate the news, and individuals are observing cross-border water cannon movements almost as much as they follow Elon Musk’s ominous declarations, there isn’t enough capacity to fully comprehend the National Cyber Emergency Plan’s complexities.
The amusing part is located in the appendices, where the NCSC classifies cyber incidents from ‘local’ to ‘extremely significant’ incidents within its scope.
Perhaps there’s never an ideal time. In May 2021, a major ransomware attack on the State coincided with the ongoing pandemic, making it difficult to discern where the COVID-19 turmoil ceased and the severe damage caused by cybercriminals began.
Of course, it is comforting to know that we now have the National Cyber Emergency Plan available to the public. It’s highly likely that relevant officials from governmental agencies and departments have perused it.
Within the appendices of the plan, one can find the enjoyable section, where the NCSC classifies a variety of cyber incidents from ‘localised’ to ‘highly significant’. Above this level, we face a full-fledged national cyber emergency, denoted by a “sustained disruption of essential services” or a security breach causing “severe economic or social consequences, or even loss of life.”
Cybersecurity threats might seem unimportant when depicted with fluorescent, abstract data points, which makes it hard to fully comprehend NCSC Director Richard Browne’s warning of a significantly heightened risk of cyberattacks in Ireland now compared to before. Heading out one morning, aware of Sky News’ broadcast disruption, the connection between this and the unresponsive Transport for Ireland app didn’t immediately dawn on me.
The bewildering instance when CrowdStrike failed— not from a cyberattack, but due to a mishandled software update that was intended to guard against just such risks— demonstrates just how wide-ranging and varied cyber incidents can be. Admittedly, even when the Irish transport app wasn’t working, the thought of joining the dots between the varied technology glitches as though it was a crime storyline didn’t cross my mind.
The nature of actual cyberattacks is even more complex. Organisations are often hesitant to confess having been attacked as it may tarnish their image – though burying their head in the sand is bound to do even more damage. The magnitude of the 2021 Health Service Executive incident is yet not comprehended by many. Upon mentioning to the Oireachtas communication committee in May that it was “one of the biggest cybersecurity incidents in history,” Browne received a stunned “wow!” when he clarified that was the case globally, not just in Ireland.
On the other hand, if crucial infrastructure fails, it’s likely to make news. Yet another type of cyberattack often silently causes havoc in the background, seldom making headlines while the costs of recovery escalate. The October 2023 ransomware assault on the British Library led to one such expensive and confusing debacle. Though this assault mainly affected writers and academics, it has received little media attention; meanwhile, efforts to meticulously restore the library’s services are still in progress.
Several cultural entities have fallen victim to cyber attacks, including the British Library, New York’s Metropolitan Opera, Toronto Public Library, and most recently, the Grand Palais in Paris. The Arts Council of Ireland was also compromised early in the year, with their art display online halted due to a subsequent attack on their museum software provider, Gallery Systems.
These experiences, though not as visually dramatic as a disrupted power grid or delay-laden airport, have a subtly destructive undertone. Their occurrence results in a gradual acceptance of these technological disturbances incited by ill-willed individuals. It implies conceding that we are losing the battle against these individuals driven by pure opportunism.
The lack of adequate public funds, including those meant for the cultural sector, renders these institutions vulnerable, unable to update their deteriorating IT infrastructures. The escalating cyber espionage incidents across Europe, mainly linked to Russia and China, paint a grim picture. As well as data theft, these cyber warfare elements also spread misinformation aiming to create disharmony and discord, usually perpetrated by the same culprits.
There exists a worrying potential that these foreign cyber militias can intensify societal tension and trigger violent demonstrations. Consequently, there’s a pressing need for the government to pay heed to the warnings issued by the National Cyber Security Centre (NCSC) and adequately fund it. Since 2021, the NCSC has seen a budget escalation from €5.1 million to €10.7 million in 2024 and is projected to employ 75 staff this year. They have requested a significant endorsement for Budget 2025 to facilitate continued recruitment.
Pinning hopes for a better situation without concrete actions is wishful thinking at its highest level.