The HSE cyberattack should prompt us to join NATO

hmmm

It was instructive that during the last 4 years, US cybercommand has tried to protect election integrity in the US (despite the at best apathy of the administration). One of the most valuable contributions was from their Dutch allies who hacked their way into the physical location of the Russian military hackers responsible for hacking the DNC, and captured them on CCTV.

Allies - that's what they do.

We are facing a wave of cyberattacks on this nation as we are now perceived as a soft & wealthy target. I think we still haven't quite processed the threat we are facing from well resourced and skilled attackers who are protected by a nation state, some extra funding and sending civil servants off to attend conferences isn't going to (literally) keep the lights on.

Swindled

The HSE is a toxic dysfunctional workplace, managed by incompetent management types.
Ireland has one of the best private sector cyber security industries in the world.
No amount of NATO cyber security or expertise can protect the HSE from its incompetent management.

sparky42

Swindled wrote: »

The HSE is a toxic dysfunctional workplace, managed by incompetent management types.
No amount of NATO cyber security can protect the HSE from its incompetent management.

It’s got little directly to do with the HSE and it’s internal problems, no government department in Ireland has the cyber protections they need I’d bet.

sparky42

hmmm wrote: »

It was instructive that during the last 4 years, US cybercommand has tried to protect election integrity in the US (despite the at best apathy of the administration). One of the most valuable contributions was from their Dutch allies who hacked their way into the physical location of the Russian military hackers responsible for hacking the DNC, and captured them on CCTV.

Allies - that's what they do.

We are facing a wave of cyberattacks on this nation as we are now perceived as a soft & wealthy target. I think we still haven't quite processed the threat we are facing from well resourced and skilled attackers who are protected by a nation state, some extra funding and sending civil servants off to attend conferences isn't going to (literally) keep the lights on.

It will however allow the minister of the day and the SG of which ever department is being asked to cover their asses while doing nothing to fix the issue... So basically the same stance of defence we’ve taken since the founding of the state.

Swindled

sparky42 wrote: »

It’s got little directly to do with the HSE and it’s internal problems, no government department in Ireland has the cyber protections they need I’d bet.

I would agree, the management in any other dept. is not any better, but the HSE is particularly notorious.

As usual everyone has forgotten PPARS already, despite the fact you're all still paying it off.

https://www.independent.ie/irish-news/ppars-fiasco-as-costs-hit-220m-26567284.html

Dohvolle

Larbre34 wrote: »

So, it seems the nation of Belarus has committed, prima facie, an act of air piracy on an Irish/EU registered aircraft.

An EU internal Ryanair flight from Athens, Greece to Vilnius, Lithuania received a warning from air traffic control in Minsk, Belarus, while transiting the airspace of that jurisdiction, that they had information of some sort of security compromise on board and that the aircraft should land as an emergency, which it did in Minsk.

It turns out a Belarusian dissident was on board and was taken into custody, suggesting the security message was a ruse to interfere with the flight, aka piracy.

Another act of aggression against this State from a totalitarian Country in eastern Europe, although much more serious because it seems to have been perpetrated by the State authorities.

When is our Government growing to grow some balls in my question?

It's a Polish registered aircraft (once on the Irish register, like many leased aircraft around the world).
While Ryanair may be in theory an Irish Company, its operating bases are all over Europe. Its Head office is in Dublin though.

This is not an Irish Problem. It's an international one.

sparky42

Swindled wrote: »

I would agree, the management in any other dept. is not any better, but the HSE is particularly notorious.

As usual everyone has forgotten PPARS already, despite the fact you're all still paying it off.

https://www.independent.ie/irish-news/ppars-fiasco-as-costs-hit-220m-26567284.html

As opposed to the Leap card project, or Eircode? Look the HSE is a steaming pile of ****e that could only be improved by nuking it from orbit and starting over but all the interest groups from managers to consultants to Unions will never allow the problems to get fixed.

donvito99

sparky42 wrote: »

So basically the same stance of defence we’ve taken since the founding of the state.

In the past you would have been forgiven for the lack of funding for conventional, peer adversary defence - we continue to be of no strategic importance and we are sandwiched between two nuclear powers, with another to our south east, meaning that no conventional assault can be made against us unless the entire continent is in flames.

But technology now places us on the front line and as a member of the EU, if we continue to be a weak link our energy, transport, communications and financial services systems will be attacked even if we have no dog in the fight. We are too small for the larger nations to intervene if we are attacked (lest the circumstances escalate against their interests) and if we are not careful, we will be the only victim of a Tete a Tete between the remaining powers. And that's before you get into non-state or criminals acting unilaterally (although that remains to be seen in this case) again.

Neither the DoD nor any political party has indicated that they have any interest in funding the DF conventionally, but a proper cyber capability (unlikely to sit in whole in the DF) may crop up now that our health service has been sent back to the 70s minus the clerical staff.

Swindled

sparky42 wrote: »

As opposed to the Leap card project, or Eircode? Look the HSE is a steaming pile of ****e that could only be improved by nuking it from orbit and starting over but all the interest groups from managers to consultants to Unions will never allow the problems to get fixed.

I agree, but the claim that NATO can fix their incompetence / protect such an incompetent dysfunctional management from Cyber attack is utterly ridiculous.
It starts with the management, not NATO.
Irish private sector cyber security staff in Ireland, protect multinational organisations, far larger than the HSE.

hmmm

Swindled wrote: »

Ireland has one of the best private sector cyber security industries in the world.

Can we stop with this chest-thumping stuff?

There are a couple of foreign security companies located here, some doing good stuff but most doing basic sales and marketing functions. We do not have an army of cyber-defenders ready to go into battle, or whatever other walter-mittyish idea people have.

The state of the Irish security "industry" is shocking. Most companies involved in security just want to sell you some gadget. The people you hear interviewed in the media (with 1 or 2 exceptions) wouldn't be let near a local newspaper in the US.

The reality we face is that security has not been a focus for Irish business. Our investments and practices are years behind where our peers are. We have a small number of specialists who are qualified, and they are largely not on the government payroll. You can't manufacture cyber-security people and their skills overnight, this is something which takes decades to cultivate. As a nation we are woefully unprepared to protect both our national infrastructure and the companies and organisations who operate on the island, and we have little to no capability to respond or give assistance when attacks occur.

Swindled

hmmm wrote: »

Can we stop with this chest-thumping bull****?

It's nothing to do with chest thumping, we have thousands of specialist IT staff, working for multinationals in Ireland, a significant proportion of whom are devoted to cyber security from monitoring and prevention to pen testing. This is not a "boast", just a fact of the Irish IT industry.
Cyber security is long hard boring detailed work, just like any other job. Nothing glamourous about it whatsoever.

hmmm wrote: »

Can we stop with this chest-thumping bull****?

There are a couple of security companies located here, some doing good stuff but most doing basic sales and marketing functions. We do not have an army of cyber-defenders ready to go into battle, or whatever other walter-mittyish idea people have.

The state of the Irish security "industry" is shocking. Most companies involved in security just want to sell you some gadget. The people you hear interviewed in the media (with 1 or 2 exceptions) wouldn't be let near a local newspaper in the US.

The only walter mitties here are the ones that don't know anything about the Irish IT industry. We're not talking about small little Irish firms, serving small Irish clients.

hmmm wrote: »

The reality we face is that security has not been a focus for Irish business. Our investments and practices are years behind where our peers are. We have a small number of specialists who are qualified, and they are largely not on the government payroll. You can't manufacture cyber-security people and their skills overnight, this is something which takes decades to cultivate. We are as a nation are woefully unprepared to protect both our national infrastructure and the companies and organisations who operate on the island, and we have little to no capability to respond or give assistance when attacks occur.

Again the majority of very capable Irish IT specialists are not working in Ireland for Irish firms, that's a very small pond. They are working in Ireland for multinationals that dwarf the Irish public service by many times.

hmmm

Swindled wrote: »

Again the majority of very capable Irish IT specialists are not working in Ireland for Irish firms, that's a very small pond.

What has any of this got to do with protecting the Irish State? An IT specialist making kitten videos for Facebook isn't going to be much use when some government decides they need to pressure the Irish state over something by demonstrating their ability to cause a power or water outage.

Swindled

hmmm wrote: »

What has any of this got to do with protecting the Irish State? An IT specialist making kitten videos for Facebook isn't going to be much use when GRU decide they need to pressure the Irish state over something by demonstrating their ability to cause a power or water outage.

That's what you think Irish IT cyber security staff working for multinationals in Ireland do all day ? Then you know nothing. What has to do with it, is the expertise and capability is here, the HSE just have to recruit it/pay for it, which they won't, and even if they recruit all the professionals in the world, their dysfunctional management will make it pointless. Once the cyberhacking community has worked out what a soft touch the Irish public service is, what a mess their systems are in, and how dysfunctional its management is, they are going to keep hitting it. Current Industry standard cyber security practices in the Irish public sector are almost non existent. Easy pickings.

ineedeuro

hmmm wrote: »

Can we stop with this chest-thumping stuff?

There are a couple of foreign security companies located here, some doing good stuff but most doing basic sales and marketing functions. We do not have an army of cyber-defenders ready to go into battle, or whatever other walter-mittyish idea people have.

The state of the Irish security "industry" is shocking. Most companies involved in security just want to sell you some gadget. The people you hear interviewed in the media (with 1 or 2 exceptions) wouldn't be let near a local newspaper in the US.

The reality we face is that security has not been a focus for Irish business. Our investments and practices are years behind where our peers are. We have a small number of specialists who are qualified, and they are largely not on the government payroll. You can't manufacture cyber-security people and their skills overnight, this is something which takes decades to cultivate. As a nation we are woefully unprepared to protect both our national infrastructure and the companies and organisations who operate on the island, and we have little to no capability to respond or give assistance when attacks occur.

You don’t need cyber security people in ireland, you just need access to them and ireland has one of the best portfolios of companies in the world

Remote services can provide everything companies need, they just need to stop buying off mick who buys them a few pints at Chrismas

Swindled

Well at least we have our priorities right . . .

Ireland’s Cyber Attack: budget for Security Centre is a THIRD of Taoiseach’s PR Department's budget
€16.9 million spent on PR for the Taoiseach last year.

https://gript.ie/irelands-cyber-attack-budget-for-security-centre-is-a-third-of-taoiseachs-pr-department-says-td/

View

Somehow I don’t see NATO launching a nuclear counter strike against persons unknown because the HSE didn’t have its software up to date.

Sonic the Shaghog

View wrote: »

Somehow I don’t see NATO launching a nuclear counter strike against persons unknown because the HSE didn’t have its software up to date.

Will you stop it's laughable. It reminds me of the anti DVD piracy ad in the IT Crowd with the FBI bursting in and shooting a young one in the head for downloading a film illegally :pac:

hmmm

View wrote: »

Somehow I don’t see NATO launching a nuclear counter strike against persons unknown because the HSE didn’t have its software up to date.

We're talking about cyber-security resources here, not nuclear strikes.

We're at a turning point in warfare where cyber capabilities are allowing attackers to reach out and strike with no geographical restrictions. We're seeing similar technological advances with drone warfare which is bypassing what would be seen as traditional military strengths (the Bayraktar effectively routing the Armenian army recently).

It won't be long I'd say before a war is won without a physical bullet being fired.

Dohvolle

hmmm wrote: »

We're talking about cyber-security resources here, not nuclear strikes.

We're at a turning point in warfare where cyber capabilities are allowing attackers to reach out and strike with no geographical restrictions. We're seeing similar technological advances with drone warfare which is bypassing what would be seen as traditional military strengths (the Bayraktar effectively routing the Armenian army recently).

It won't be long I'd say before a war is won without a physical bullet being fired.

In the last week alone we have seen it is capable of shutting down fuel supplies to one region, and shutting down the health system of another.
Imagine what a coordinated attack on all fronts could achieve?
An attack on the state IT systems of Health, Finance, Social welfare and Internal revenue could shut down a state in less than 24 hours.

Swindled

One EMP can do in an instant, what it would take years and an army to do with a cyber attack.
No amount of Cyber-security expertise and systems are of use, when the HSE managers are not convinced of the need to put resources into keeping their software / using secure procedures.
Systems and technology are not the weak link of cyber-security . . incompetent management and human beings are.
No amount of money and Cyber expertise / systems matters if management are not suffiecntly interested, and don't apply and enforce it correctly.
Cyber security just means additional daily inconvenience to them.

Larbre34

That level of resourcing is not in the gift of HSE managers.

The Social Welfare system, the Education and Examinations systems, Agri subsidies etc etc are all likely as vulnerable. This is about the Government setting a very high standard of protection and security for all State systems.

MikeSoys

Swindled wrote: »

That's what you think Irish IT cyber security staff working for multinationals in Ireland do all day ? Then you know nothing. What has to do with it, is the expertise and capability is here, the HSE just have to recruit it/pay for it, which they won't, and even if they recruit all the professionals in the world, their dysfunctional management will make it pointless. Once the cyberhacking community has worked out what a soft touch the Irish public service is, what a mess their systems are in, and how dysfunctional its management is, they are going to keep hitting it. Current Industry standard cyber security practices in the Irish public sector are almost non existent. Easy pickings.

HSE will recruit people to fit THEIR Culture ..clearly that's the problem, we need to organise against this failed leadership environment

Swindled

Larbre34 wrote: »

That level of resourcing is not in the gift of HSE managers.

Competence in the basics is. They don't even have that. They're not even interested in knowledge of the fundamental principles of cyber security. To them it's just tech geek nonsense. Doctors are treated with same attitude in the HSE, you're just smart arse Doctors, what would you know about management of healthcare, we are your public sector managers betters, but were not smart and hard enough working to be Doctors, so we know better. Same way Dept. of Defence managers look at Officers in the DF, and Dept. of Justice mangers look at Gardaí. Totally dysfunctional and toxic outlook.

No amount of resources can cure that attitude.

ineedeuro

Larbre34 wrote: »

That level of resourcing is not in the gift of HSE managers.

The Social Welfare system, the Education and Examinations systems, Agri subsidies etc etc are all likely as vulnerable. This is about the Government setting a very high standard of protection and security for all State systems.

It doesn't matter what the government does.

All government department are the same. The old saying of "it's not what you know it is who you know"

If you done a review of the security team in HSE and who was interviewed I would expect you will find the best qualified person is sitting in a private company but the gobs**t who knows Mary in accounts is currently running the security for one of the hospital.

fly_agaric

Posted this idea on the larger "HSE ransomware" thread in Current Affairs forum but may as well stick it here (where I never post...) to see if there's any other thoughts given this is the Military forum.

According to the various media reports the "National Cyber Security Centre" (which I'd never heard of prior to last week) is very poorly resourced. One thing that struck me as odd was that it was located in Dept. of Environment I think.

As shown by impact of the HSE attack, I think such things are really a national security/defence task (given importance of IT to so much critical infrastructure & the running of a developed country)

So seems the role fits more in Defense, the army or perhaps the gards (?)
I mean "security" is in the name which should be a pointer I would have thought.
I wonder what the reasoning was for it being put in Environment?

ineedeuro

fly_agaric wrote: »

Posted this idea on the larger "HSE ransomware" thread in Current Affairs forum but may as well stick it here (where I never post...) to see if there's any other thoughts given this is the Military forum.

According to the various media reports the "National Cyber Security Centre" (which I'd never heard of prior to last week) is very poorly resourced. One thing that struck me as odd was that it was located in Dept. of Environment I think.

As shown by impact of the HSE attack, I think such things are really a national security/defence task (given importance of IT to so much critical infrastructure & the running of a developed country)

So seems the role fits more in Defense, the army or perhaps the gards (?)
I mean "security" is in the name which should be a pointer I would have thought.
I wonder what the reasoning was for it being put in Environment?

The NSCS is part of Dept of Communication, Climate & Environment. The communications part if why it is aligned to this.

I haven't heard it is poorly resourced, people seemed to have jumped on one specific role which was open but I can't find any others.

This was also mentioned that the HSE can't hire Cyber Security people yet they have zero vacancies in the HSE at the moment for those roles. i can't find any for the NSCS either apart from the one discussed. It is strange now that people might apply for that role are saying they need 200k+ plus bonus of over 100+. If they offer those crazy wages of course you will have a flood of people, they would be better getting a proper view of what the wages need to be.

The NSCS supposed to link directly with the Gardai & Army. Both of which are not Cyber organisations so I don't see why they would be included in that sector. Depart of communications seems the correct location for me.

hmmm

fly_agaric wrote: »

I wonder what the reasoning was for it being put in Environment?

I think there is a general worldwide drift away from CyberSecurity being seen as a "Technical" issue which the geeks look after, and coming much more under the national defense angle. Environment & Communications makes sense if you're thinking about this in the way we thought about this in the 1970s and 80s, but I think it will eventually end up split between there and Defense.

Military planners with a bit of forward thinking are recognising the importance - as was mentioned above if you end up losing your hospitals, power & industry/banking infrastructure on day 1 of a war it doesn't really matter how good your conventional forces are (ref notpetya).

There's also some suggestion in the US that the US government will start to provide a certain level of cybersecurity protection for private companies. That has implications for us - it may make the US more attractive place to run your business, but also it potentially pushes the attackers onto softer targets like us.

fly_agaric

ineedeuro wrote: »

The NSCS is part of Dept of Communication, Climate & Environment. The communications part if why it is aligned to this.

I haven't heard it is poorly resourced, people seemed to have jumped on one specific role which was open but I can't find any others.

This was also mentioned that the HSE can't hire Cyber Security people yet they have zero vacancies in the HSE at the moment for those roles. i can't find any for the NSCS either apart from the one discussed. It is strange now that people might apply for that role are saying they need 200k+ plus bonus of over 100+. If they offer those crazy wages of course you will have a flood of people, they would be better getting a proper view of what the wages need to be.

The NSCS supposed to link directly with the Gardai & Army. Both of which are not Cyber organisations so I don't see why they would be included in that sector. Depart of communications seems the correct location for me.

It was articles like this:

https://www.irishtimes.com/news/politics/cyber-security-centre-director-salary-should-be-up-to-185-000-higher-tds-told-1.4574677

I'd read since HSE attack where the low budget was pointed out in addition to that vacant post.

The committee also heard that the budget for the NCSC should be “at least 10 times” its current funding of €5.1 million.

Thanks for explaning rationale (it is part of Communications) but as per post above maybe Defense or the Guards need to become far more involved.
I know, not easy especially if they are not very proactive as regards IT themselves (!), but you have to start somewhere.

Ireland is both "neutral" (generally on side of the US/West) and geographically/geopolitically fortunate enough to have been able to completely neglect defense/the military here - surrounded by fairly / very friendly nuclear powers on UN security council who are armed to the teeth.
Alot of that does not really apply when it comes to cybersecurity.

Anyone can reach out to attack you from anywhere on Earth if they have a mind once your networks have external connections to the internet & as we've seen the non state actors often don't care about how inoffensive/harmless/neutral you are and are well able to inflict serious damage.

ineedeuro

fly_agaric wrote: »

It was articles like this:

https://www.irishtimes.com/news/politics/cyber-security-centre-director-salary-should-be-up-to-185-000-higher-tds-told-1.4574677

I'd read since HSE attack where the low budget was pointed out in addition to that vacant post.



Thanks for explaning rationale (it is part of Communications) but as per post above maybe Defense or the Guards need to become far more involved.
I know, not easy especially if they are not very proactive as regards IT themselves (!), but you have to start somewhere.

Ireland is both "neutral" (generally on side of the US/West) and geographically/geopolitically fortunate enough to have been able to completely neglect defense/the military here, but alot of that does not really apply when it comes to cybersecurity.

Anyone can reach out to attack you from anywhere on Earth if they have a mind once your networks have external connections to the internet & as we've seen the non state actors often don't care about how innoffensive/harmless/neutral you are and are well able to inflict serious damage.

I seen this. Ok first off they ask a recruitment consultant who is never going to make a low figure, she names off a figure and then says she can get someone while taking a 10% cut of the wages.

They also asked a number of small Cyber companies in Ireland who job it is to sell services/product to the Irish government agencies. They are never going to low ball it. You are asking a salesman should they buy more or less. Guess what answer you will always get?

We are going over the top here, the HSE got attacked and yet we had another government agency easily stop the attack. Would that not suggest the problem is the HSE and not everythign in Ireland?
With the amount of work that went into this do you not think these hackers also tried to get into other goverment departments but didn't find a big barn door open like they found in the HSE?

The Gardai and the Army are not cyber security specialist. They might as well go and ask social welfare department for assistance

fly_agaric

ineedeuro wrote: »

We are going over the top here, the HSE got attacked and yet we had another government agency easily stop the attack. Would that not suggest the problem is the HSE and not everythign in Ireland?

On being "over the top", I don't think so.
That HSE were the target might suggest they were particularly weak (vs some other area of public sector), but maybe that should be a wake up call that more needs to be done generally?
Also, a better resourced/more capable/larger govt. body auditing them for cybersecurity and getting on their case about their weaknesses might have led the HSE to protect itself better and avoided this.