A delay in hiring a new director for the State’s National Cyber Security Centre (NCSC) has been criticised at the Dáil’s Public Accounts Committee (PAC)
A two-month period between a higher salary being approved for the role and the job being readvertised was described as “not good enough” given the cyberattack against the health service earlier this year.
The NCSC led the State’s response to that attack.
The committee heard that the agency dealt with more than 3,000 cybersecurity incidents in 2020 a number that was said to be a “significant increase”.
The PAC was told by Department of Communications secretary general Mark Griffin that a “particular vulnerability” arose that year due to the “massive shift” from office to home working during the Covid-19 pandemic and the “very significant degree of disruption caused in how businesses functioned.”
The PAC was told that that an offer for the job of NCSC director is not expected to be made until December – about seven months after the ransomware attack on the HSE in May.
The issue was raised by Fianna Fáil TD Cormac Devlin who asked Mr Griffin about the recruitment progress.
Mr Griffin outlined how it had been expected that a person would be appointed early in 2021 but the individual declined the offer “for a number of reasons”.
He said: “We’ve gone back out to the market at a higher salary level.”
The Government approved the new €184,000 salary in July and Mr Griffin said the job was readvertised a number of weeks ago with the Public Appointments Service handling the process. An executive search company is assisting in looking for a suitable candidate internationally.
The closing date was Thursday and he expects final interviews and an offer to be made in December.
Mr Devlin suggested that given the number of cybersecurity incidents last year – and an expectation that they are increasing – the recruitment process should have begun again the day after the position was declined by the original candidate. He also said a plan to increase staff numbers at the NCSC to 45 should have started earlier too.
Mr Griffin said that at the time a capacity review of the organisation was being conducted and was not completed until the end of June.
The PAC was later told that an extra 20 staff are to be hired by the NCSC by the end of 2022.
He also said: “these processes take time” but offered an assurance that a “very competent” person is working as acting NCSC director at present.
Mr Griffin said: “If you cut corners you’re at risk of not having a competition that is as robust as it needs to be.”
Mr Devlin said he accepted that but added that it took until mid-September – after the new salary was approved in July – to readvertise for a job that had previously been on offer earlier in the year.
“I think it’s not good enough given the sensitivity and the scale of the attack that took place on arguably our most important department and potentially others.”
Mr Griffin said: “I accept your point of view but you’ve heard what I said in terms of importance of the integrity of the process.”
Mr Devlin said he had and “I accept that too”.
Separately the PAC was told that the target for the delivery of broadband to rural homes by the end of 2022 could be reduced to between 130,000 and 150,000 premises passed by the new network – down from the original goal of more than 200,000.
The rollout has been hit by the Covid-19 pandemic which Mr Griffin said caused a “whole swath of problems” for National Broadband Ireland (NBI), the company tasked with delivering the network.
Staff working on the National Broadband Plan (NBP) caught Covid-19 or were close contacts during the surge in the virus at the start of the year, there were supply chain and logistical delays, a UK company that was due to work on the project postponed the setting up of its Irish operation and there were difficulties in recruiting staff.
The rollout target of 115,000 premises passed this year will be missed with that figure expected to be down to 60,000, of which 27,000 premises have been passed with 2½ months left in 2021.