ineedeuro wrote: » We are funding cyber defences. Otherwise the ransomware would have taken out the whole government, do you honestly think the hackers just went after the HSE and didn't bother with any other government department? They will go after all of them to have max exposure and max reward to bring systems back.
sparky42 wrote: » The EU is to create a joint cyber security unit by this time next year to counter major cyber attacks like the HSE one. Course since it’s likely we still won’t be funding cyber defences we’ll just have to hope they can handle things.https://www.independent.ie/business/world/eu-proposes-new-security-unit-to-counter-increasing-number-of-cyber-attacks-40574244.html
fly_agaric wrote: » On being "over the top", I don't think so. That HSE were the target might suggest they were particularly weak (vs some other area of public sector), but maybe that should be a wake up call that more needs to be done generally? Also, a better resourced/more capable/larger govt. body auditing them for cybersecurity and getting on their case about their weaknesses might have led the HSE to protect itself better and avoided this.
ineedeuro wrote: » We are going over the top here, the HSE got attacked and yet we had another government agency easily stop the attack. Would that not suggest the problem is the HSE and not everythign in Ireland?
fly_agaric wrote: » It was articles like this:https://www.irishtimes.com/news/politics/cyber-security-centre-director-salary-should-be-up-to-185-000-higher-tds-told-1.4574677 I'd read since HSE attack where the low budget was pointed out in addition to that vacant post. Thanks for explaning rationale (it is part of Communications) but as per post above maybe Defense or the Guards need to become far more involved. I know, not easy especially if they are not very proactive as regards IT themselves (!), but you have to start somewhere. Ireland is both "neutral" (generally on side of the US/West) and geographically/geopolitically fortunate enough to have been able to completely neglect defense/the military here, but alot of that does not really apply when it comes to cybersecurity. Anyone can reach out to attack you from anywhere on Earth if they have a mind once your networks have external connections to the internet & as we've seen the non state actors often don't care about how innoffensive/harmless/neutral you are and are well able to inflict serious damage.
ineedeuro wrote: » The NSCS is part of Dept of Communication, Climate & Environment. The communications part if why it is aligned to this.I haven't heard it is poorly resourced, people seemed to have jumped on one specific role which was open but I can't find any others. This was also mentioned that the HSE can't hire Cyber Security people yet they have zero vacancies in the HSE at the moment for those roles. i can't find any for the NSCS either apart from the one discussed. It is strange now that people might apply for that role are saying they need 200k+ plus bonus of over 100+. If they offer those crazy wages of course you will have a flood of people, they would be better getting a proper view of what the wages need to be. The NSCS supposed to link directly with the Gardai & Army. Both of which are not Cyber organisations so I don't see why they would be included in that sector. Depart of communications seems the correct location for me.
The committee also heard that the budget for the NCSC should be “at least 10 times” its current funding of €5.1 million.
fly_agaric wrote: » I wonder what the reasoning was for it being put in Environment?
fly_agaric wrote: » Posted this idea on the larger "HSE ransomware" thread in Current Affairs forum but may as well stick it here (where I never post...) to see if there's any other thoughts given this is the Military forum. According to the various media reports the "National Cyber Security Centre" (which I'd never heard of prior to last week) is very poorly resourced. One thing that struck me as odd was that it was located in Dept. of Environment I think. As shown by impact of the HSE attack, I think such things are really a national security/defence task (given importance of IT to so much critical infrastructure & the running of a developed country) So seems the role fits more in Defense, the army or perhaps the gards (?) I mean "security" is in the name which should be a pointer I would have thought. I wonder what the reasoning was for it being put in Environment?
Larbre34 wrote: » That level of resourcing is not in the gift of HSE managers. The Social Welfare system, the Education and Examinations systems, Agri subsidies etc etc are all likely as vulnerable. This is about the Government setting a very high standard of protection and security for all State systems.
Larbre34 wrote: » That level of resourcing is not in the gift of HSE managers.
Swindled wrote: » That's what you think Irish IT cyber security staff working for multinationals in Ireland do all day ? Then you know nothing. What has to do with it, is the expertise and capability is here, the HSE just have to recruit it/pay for it, which they won't, and even if they recruit all the professionals in the world, their dysfunctional management will make it pointless. Once the cyberhacking community has worked out what a soft touch the Irish public service is, what a mess their systems are in, and how dysfunctional its management is, they are going to keep hitting it. Current Industry standard cyber security practices in the Irish public sector are almost non existent. Easy pickings.
View wrote: » Somehow I don’t see NATO launching a nuclear counter strike against persons unknown because the HSE didn’t have its software up to date.
hmmm wrote: » Can we stop with this chest-thumping stuff? There are a couple of foreign security companies located here, some doing good stuff but most doing basic sales and marketing functions. We do not have an army of cyber-defenders ready to go into battle, or whatever other walter-mittyish idea people have. The state of the Irish security "industry" is shocking. Most companies involved in security just want to sell you some gadget. The people you hear interviewed in the media (with 1 or 2 exceptions) wouldn't be let near a local newspaper in the US. The reality we face is that security has not been a focus for Irish business. Our investments and practices are years behind where our peers are. We have a small number of specialists who are qualified, and they are largely not on the government payroll. You can't manufacture cyber-security people and their skills overnight, this is something which takes decades to cultivate. As a nation we are woefully unprepared to protect both our national infrastructure and the companies and organisations who operate on the island, and we have little to no capability to respond or give assistance when attacks occur.
hmmm wrote: » What has any of this got to do with protecting the Irish State? An IT specialist making kitten videos for Facebook isn't going to be much use when GRU decide they need to pressure the Irish state over something by demonstrating their ability to cause a power or water outage.
Swindled wrote: » Again the majority of very capable Irish IT specialists are not working in Ireland for Irish firms, that's a very small pond.
hmmm wrote: » Can we stop with this chest-thumping bull****?
hmmm wrote: » Can we stop with this chest-thumping bull****? There are a couple of security companies located here, some doing good stuff but most doing basic sales and marketing functions. We do not have an army of cyber-defenders ready to go into battle, or whatever other walter-mittyish idea people have. The state of the Irish security "industry" is shocking. Most companies involved in security just want to sell you some gadget. The people you hear interviewed in the media (with 1 or 2 exceptions) wouldn't be let near a local newspaper in the US.
hmmm wrote: » The reality we face is that security has not been a focus for Irish business. Our investments and practices are years behind where our peers are. We have a small number of specialists who are qualified, and they are largely not on the government payroll. You can't manufacture cyber-security people and their skills overnight, this is something which takes decades to cultivate. We are as a nation are woefully unprepared to protect both our national infrastructure and the companies and organisations who operate on the island, and we have little to no capability to respond or give assistance when attacks occur.
Swindled wrote: » Ireland has one of the best private sector cyber security industries in the world.
sparky42 wrote: » As opposed to the Leap card project, or Eircode? Look the HSE is a steaming pile of ****e that could only be improved by nuking it from orbit and starting over but all the interest groups from managers to consultants to Unions will never allow the problems to get fixed.
sparky42 wrote: » So basically the same stance of defence we’ve taken since the founding of the state.
Swindled wrote: » I would agree, the management in any other dept. is not any better, but the HSE is particularly notorious. As usual everyone has forgotten PPARS already, despite the fact you're all still paying it off.https://www.independent.ie/irish-news/ppars-fiasco-as-costs-hit-220m-26567284.html
sparky42 wrote: » It’s got little directly to do with the HSE and it’s internal problems, no government department in Ireland has the cyber protections they need I’d bet.
hmmm wrote: » It was instructive that during the last 4 years, US cybercommand has tried to protect election integrity in the US (despite the at best apathy of the administration). One of the most valuable contributions was from their Dutch allies who hacked their way into the physical location of the Russian military hackers responsible for hacking the DNC, and captured them on CCTV. Allies - that's what they do. We are facing a wave of cyberattacks on this nation as we are now perceived as a soft & wealthy target. I think we still haven't quite processed the threat we are facing from well resourced and skilled attackers who are protected by a nation state, some extra funding and sending civil servants off to attend conferences isn't going to (literally) keep the lights on.