CYBER Minister Ossian Smyth was grilled by a Dail Committee today over why the HSE is still running nearly 30,000 computers on antiquated operating systems six months after the hack hell.
IT security experts have branded the out-of-date PCs “potentially vulnerable”.
But Smyth claimed that the ongoing use of outdated software, including obsolete Windows 7, was not the reason the devastating cyber attack was successful.
The Minister told the Oireachtas communications committee it “didn’t help” but “definitely” didn’t cause the hack to take place.
He said: “It (the cyber attack) would not have been prevented if they had all been upgraded.”
Instead Smyth stressed the HSE was stretched amid the Covid-19 crisis in the lead-up to the cyberhackers hit.
CYBER ATTACK INCREASE
The Minister of State flagged up the workloads associated with the pandemic and the vaccine rollout for putting the HSE “in a uniquely vulnerable position at the time”.
He said: “You can’t say to someone who is trying to save a patient’s life, you need to have a better password to go and look up a patient’s file.”
Smyth also said that there had been a sixfold increase in cyber attacks during the pandemic.
And while rejecting the suggestion the NCSC was unfit for purpose, he conceded that any organisation undergoing such an increase in workload “is going to be challenged”.
The Minister told how two reports by consultants into the HSE hack were underway and pledged they will be published “shortly”.
But he faced fierce fire over the resourcing of the National Cyber Security Centre after a redacted capacity review of the organisation was shared with the committee.
The hearing heard the report laid bare the shortcomings in the capacities and resources of the NCSC.
Sinn Fein communications spokesman Darren O’Rourke branded the capacity review a “very damning indictment”.
O’Rourke declared the report found the NCSC was “under resourced and overtasked”.
And the TD said it underlined Ireland should have been better resourced prior to the HSE cyber attack.
He rapped: “We could have better prepared and, not only that, we should have been better prepared.”
Smyth vowed to ramp up cyber defences, telling the committee that a new multi-million-euro headquarters for the NCSC was on the way.
The Oireachtas committee heard that new legislation providing for “intelligence gathering” for the NCSC is to be brought forward.
Smyth told the committee that an inter-departmental committee met to consider new legislation that might be needed to strengthen the NCSC.
He said: “To empower the NCSC to carry out its necessary functions, it is inevitable that the proposed legislation will provide for intelligence gathering, which will bring with it certain governance requirements as well as requirements on the legislative process.”
A recruitment hunt is being launched this week for a new head of the State’s National Cyber Security Centre NCSC, with a bumped-up salary of €184,000.
The Minister also insisted “good progress” was being made bolstering staff numbers for the NCSC, with headcount to rise to “at least” 70 within five years.
MORE STAFF NEEDED
In July, just 25 staff were employed full time at the NCSC. But Deputy O’Rourke questioned whether it could recruit 20 new staff in 18 months.
In response, Smyth admitted it would be “challenging” to compete against other states and organisations seeking similarly skilled workers.
O’Rourke today called for the National Cyber Security Centre to be immediately provided with more resources needed to combat the threat of cyberattacks.
He said: “What is evident from this partial, redacted copy of the capacity review, is that the National Cyber Security Centre was not provided with the necessary funding, staffing or resources to meet the growing challenge of cyberattacks.
‘ASLEEP AT THE WHEEL’
“The NCSC has been and still is under-resourced and over-tasked.
“The government has been caught asleep at the wheel when it comes to cybersecurity, and they need to acknowledge their failings in this area.
“This report also begs the question as to whether the recent cyberattack could have been prevented or mitigated had the NCSC been fully equipped.
“It’s beyond any doubt that more could have been done to better prepare for cyberattacks.”
He added: “A single headquarters for the NCSC and considerably more staffing are cited as key areas that need to now be addressed, in addition to underpinning legislation, a new strategy and taskforce.
“While I cautiously welcome the Minister’s commitment to this, the upcoming budget will tell if the government is serious about investing in cybersecurity.
“The damage from the cyberattack on HSE back in May was enormous, both in financial terms and on the provision of healthcare, and it’s imperative the government move now, albeit belatedly, to address the deficits identified.
“This cannot be another report that sits on a shelf and gathers dust. The government must move with urgency, as the potential damage further cyberattacks could have on other vital IT systems, such as the electricity grid or banking system would be disastrous.”