Richard Browne tells Cormac O’Keeffe the National Cyber Security Centre is growing to face down the threat from hostile states and cybercriminals, often using artificial intelligence
At a time when resourcing and staffing are key problems for public services in Ireland — including security agencies — the State’s cybersecurity body continues to expand. That’s not to say that the National Cyber Security Centre (NCSC) has not suffered neglect; it was not until 2020 that its future began to look brighter.
A capacity review conducted in that year, and published in July 2021, came just a few months after the crippling cyberattack on the HSE.
“That capacity review suggested a significant increase to at least 70 staff [in NCSC] by the end of 2024,” said NCSC director Richard Browne.
“We’ve gone from 24-25 [in July 2021] and we now have 57 and we have sanction to go to 62 this year.
“Now, whether we get to the 62 or not depends on how fast the clearance process is going to be.”
The most recent competition for NCSC posts was “vastly oversubscribed”, reflecting a huge interest, he said. “We have a real high-quality field,” he said.
“Those panels are in place and we are starting to draw down on those now and those panels have a life of two years.” It is due to launch another competition for the centre soon.
Security observers, including experts and commentators on the Defence Forces, have remarked on the ability of one arm of the State to attract expert staff — in part because of high salaries — compared to the Defence Forces, where salaries are much lower and where there is a serious retention crisis.
This is despite ambitious targets under the Commission on Defence Forces, published in February 2022 and accepted by the Government, to expand its cyberdefence capabilities.
The NCSC capacity review was published by the Department of Environment, Climate and Communications.
Its implementation plan said there would be a new facility for the NCSC (they are moving into it in January), an expanded operations team, new legislation for the body, with expanded powers, and a formal, legal role in the cybersecurity of the State.
In an interview two years ago with the Irish Examiner, Mr Browne particularly welcomed the expanded operations team, both in terms of numbers and roles.
Getting into people’s faces
At the time he said: “Until you can proactively chase down [cyberattackers] you are always going to be responsive. So you have to get out there and into people’s faces.”
Two years on, he tells this newspaper that, after that, the centre conducted a technology strategy and an internal strategy.
“Back in 2020, I was the only principal officer in the centre,” he said. “Now we have 12 principal officers.
“The operations team was set up about 14 months ago [replacing the old C-SIRT team] and we now have a director leading it and we have four principal officers and one more hopefully on the way in the next couple of weeks.
“The organisation has gone from having a very much operational incident response to a much more strategic risk management, threat intelligence gathering and threat hunting focus.
“Basically, we’ve gone from being very much reactive to being much more proactive.” He said they have “dramatically increased” the amount of intelligence-gathering they do and now have a “much better picture” of what is happening.
He said this year they have stopped 60 cyber incidents as they were underway, rather than after the event.
“These are incidents where the bad guys had their hands on keyboards inside the organisation,” Mr Browne said.
They have also dealt with more than 500 cases where there were “active vulnerabilities” in organisations, where they prevented them even becoming incidents.
He said a new team they set up on September 1, Strategic Risk Management, deals with future technologies such as artificial intelligence (AI), quantum computing, quantum crypto and other emerging disruptive technologies. This group, he said, also deals with 5G mobile phone security and supply chain issues.
In terms of getting into the faces of attackers, Mr Browne said: “We’ve extended dramatically into that space.”
He said that, because of the substantial expansion of their operations team, they have created sub-teams specialising in threat intelligence and threat hunting. This has meant actively engaging in organisations that are potential victims.
“They’re in organisations on a fairly regular basis now, sitting and going through their systems,” he said.
He said the Department of Communications is combining the additional powers and statutory provisions envisaged in the 2021 capacity review and a new EU directive — NIS2 — into a single piece of legislation. NIS2 aims to increase the overall level of cybersecurity in the EU in light of increasing and evolving cyberthreats.
Among other things, it imposes more strict obligations on organisations designated as critical national infrastructure and gives more powers to supervisory authorities. With those powers are expanded obligations on national authorities, such as the NCSC.
The global threats the NIS2 directive is aimed at tackling are detailed in the threat landscape report published last month by the European Union Agency for Cybersecurity (ENISA).
This reported a “significant increase in both the variety and quantity of cyberattacks and their consequences”.
In relation to hostile states, it said that their attacks, referred to as advanced persistent threats, are generally “well-funded, resourced, and display advanced capabilities”. It said:
Their objective is primarily espionage and revenue generation, sometimes directed by the military, intelligence agencies or state control apparatus of their country.
The report said their motivation and planning allows them to execute “large-scale, advanced, targeted and long-term operations” and their aim is to “remain undetected” for as long as possible.
The two main countries it mentions are Russia and China, while also referencing the activities of Iran and North Korea.
It said state-sponsored cyberattackers “increasingly had, in their crosshairs, employees in key positions, politicians, government officials, journalists, security researchers or activists”.
It said the attackers can impersonate recruiters or journalists and use LinkedIn to set up initial contact, and added that disinformation campaigns associated with the Russian war in Ukraine were “high in volume and low in quality”.
ENISA said they expected Russian disinformation campaigns, sometimes in parallel with cyberattacks, to “further increase” in volume, through fake news outlets and social media.
It added that “campaigns associated with China will have an impact in the sphere of European media”.
The report said it was “very likely” that espionage campaigns associated with Russia would persist, possibly moving to support domestic production capabilities or increasing retaliation against those that express solidarity with Ukraine.
It said China was mostly involved in “espionage and information theft” from a range of sectors, including finance, telecommunications, government agencies, critical infrastructure and military.
It said that outspoken statements from British and US security and cybersecurity agencies consider China “as an immense threat”. The report said that, given the elevation of key security officials into top leadership bodies (such as the Politburo) in China, it was very likely that the volume of espionage campaigns run by groups associated with China was “only going to increase”.
Mr Browne said it was “very interesting” that, for the most part, Ukraine has been “highly successful” in defending itself against Russian cyberattacks.
Asked whether the NCSC was involved in Ireland’s efforts to combat disinformation campaigns from hostile states, Mr Browne said: “The simple answer is we do, and we always have. And it’s for a couple of reasons, but the most obvious one is that very often the same people who conduct cyberattacks also conduct in that part of the same organisation or some broader organisation the disinformation or other type of active measure type campaigns.”
He added: “It’s something that has happened more and more in the recent past — this increasing correlation between cyber and disinformation/hybrid activity.”
He mentioned that social media companies have called out specifically disinformation campaigns targeting Irish citizens and said the NCSC has been involved in this area.
Last September, TikTok said it had taken action against a “covert influence operation”, comprising 72 inauthentic accounts in Ireland with just over 94,000 followers.
Mr Browne said Ireland was now developing a national counter-disinformation strategy under the Department of Tourism, Culture, Arts, Gaeltacht, Sport and Media and that the NCSC was involved in that.
He also said the Electoral Commission established last February had “quite extensive powers” in relation to disinformation under the Electoral Reform Act 2022. He said:
We’re working closely with the Electoral Commission, and have been for a while, as they develop their own capabilities.
“Our role [in the area of disinformation] and their role will evolve.”
He pointed out that, last January, Ireland joined the European Centre of Excellence for Countering Hybrid Threats in Helsinki, with disinformation among the hybrid threats.
One of the areas that is being targeted in hybrid attacks is the maritime area, both on-sea and sub-sea, with the threat posed to sub-sea internet cables and pipelines in Irish-controlled waters a top concern.
The report of the Consultative Forum on International Security Policy, published in October, said these cables were of “critical strategic importance” and were “vulnerable to attack”.
It called for greater investment in this sector.
Mr Browne said there was a “huge amount of activity” happening in relation to this area at the moment in Ireland and that developments were forthcoming.
He said the NCSC has “an interest and a role” in this area, not least because of its “national security” function but also because it sits within the Department of Environment, Climate and Communications.
He said the NCSC currently does have a role in relation to telecoms infrastructure, and worked with ComReg in relation to this.
He said that, under the EU telecoms code, states are obliged to have a set of electronic communication security measures, which telecom operators are bound to comply with.
The cyber chief said this doesn’t just involve sub-sea but also involves shore facilities and points of presence on land.
Coming back to another threat identified in the ENISA report — on spies posing as recruiters or journalists in making contact with people — Mr Browne raised a deeper concern, to do with “deepfakes using AI (artificial intelligence) tools”.
He said: “It’s not impossible now, with a little bit of patience and a little bit of resources, to create a workable, meaningful, fake of somebody.
“So, you could be having an interview with somebody, and that somebody could be pretending to be someone else entirely — and you may not be readily able to tell.”
He said that currently, for the most part, there are no technical means of detecting this, and that people are best taking precautions before the actual live communication, by checking if the other person’s email is authenticated, checking that their mobile phone number belongs to the person concerned, and relying on physical knowledge of the person.
“There’s a diversification and proliferation of these readily-available AI tools and we are only at the start of it,” Mr Browne said.
“We’re still at the foothills of this mountain and things are happening quickly.
“In turn, we’re going to have to evolve and develop responses at a technical level, societal level, and procedural level.”
He added: “We’re beyond the point where there’s a choice to make here. This is now where we are — this is happening.”
Source: Irish Examiner