It should come as no surprise that Richard Browne is grasping a phone in each hand before our chat gets going.
He gives the impression of a man with a lot to do and little time, which may be why he talks so quickly.
In the world of cyber security — a land impenetrable to most and dull to many — you have to concentrate hard to keep up.
That’s not helped by the fact that the cyber world is swirling with acronyms, terminology, and buzzwords.
Mr Browne is the Government’s ‘cyber man’, who formerly ran the National Cyber Security Centre (NCSC) and led the Department of Communications’ internet policy up to the end of 2020.
He then landed a prestigious role as deputy director of the new National Security Analysis Centre (NSAC) in the Department of the Taoiseach, but was then sucked back into his old job as “acting director”, pending a new appointment.
But unlike, say, An Garda Síochána, or the Defence Forces, the NCSC does not have a presence in the public’s mind.
It rarely engages with the media and its parent department, the Department of Communications, does not often put the body out there.
Hence, this interview is rare and does not include an opportunity to photograph the interviewee.
Given the year that was, the obvious place to start is the HSE cyber-attack of May.
“The HSE spotted it,” Mr Browne says.
“At some point in the middle of the night, we know the exact time the system shut down. They spotted it, because everything was encrypted. That’s the nightmare scenario. I can’t go into detail, because we are still in the statutory process, but that’s as bad as it gets.”
Someone at the HSE picked up the phone and said, “We’ve got a problem.” Mr Browne was, at the time, in NSAC.
He spoke to the head of Computer Security Incident Response Team (CSIRT), the unit within NCSC that responds to incidents.
“I said, ‘Clearly, we are setting up the critical national infrastructure response plan?’ That was already effectively in train and that has an escalation procedure.” This plan sits within the Government’s emergency management process.
The system moved quickly: “The HSE had malware samples immediately and we took the sample and pinged it across a system called Malware Information Sharing Platforms (MISPS) globally, so everyone knows what we have. That’s all by 8am, so at 9am in Brussels, when they log in, they have the sample.” The mechanism of these digital attacks — the malware, or malicious software — is not unknown to cyber authorities.
“We are dealing with these issues all the time,” Mr Browne says.
“It’s not like, ‘Oh my God, what is this?’ We can say, ‘This is the one that landed in country X last week, this is the one that landed the week before.’ We can tell what it is and what’s changed.” The NCSC took the lead in the response, which brought other departments and agencies, such as the Garda National Cyber Crime Bureau (GNCCB), as well as the Defence Forces, into assisting the HSE recover and restore systems.
The attack paralysed not just HSE systems for months, but systems linked to it, such as the email systems of GPs, Tusla, and others, affecting tens of thousands of patients and clients.
“The HSE attack was clearly a crime, but we led in the response for the first six weeks or so,” Mr Browne says. “The priority was to get the system back, rather than prosecute the crime. We then step off. Right now, gardaí have the lead on the HSE process. The gardaí role will continue on, depending on when they get to a criminal prosecution.”
The GNCCB investigation led to a disruption operation in September, in which the bureau, with the assistance of foreign law-enforcement agencies, targeted and seized the “technical infrastructure” of the Contigang suspected of being behind the attack.
In an interview with thea month ago, bureau boss, Detective Chief Superintendent Paul Cleary, said they had also gained an insight into the workings of the group and their finances.
He said there was “more to come”, but declined to go into specifics.
Shortly after the GNCCB disruption operation, the NCSC reported on estimates from the US Cybersecurity and Infrastructure Agency that 400 US and international organisations had been hit with a ransomware attack similar to the one that had hit the HSE.
“Health systems are uniquely vulnerable,” Mr Browne says.
“It’s a function of distributed ownership and the pressing needs of clients.”
“In this office, if someone wants a software package and IT thinks it’s not exactly secure, it doesn’t happen, but if a person is keeping someone alive and needs access to clinical data faster, then the balance shifts in favour of the user rather than security. That happening once, that’s an issue; it happening over a long period, decades, it’s a challenge.” Some countries have been repeatedly hit in the healthcare sector by this cyber group and NCSC spoke, after the cyberhack on our systems, to sister bodies in those countries.
“The only difference with the HSE is that the centre of the system was the victim,” Mr Browne says, “not individual hospitals or healthcare provider.”
Mr Browne says the HSE is a tangled web of services, with its own hospitals, voluntary hospitals, and private hospitals.
“A lot of these hospitals, or all of them, have some instances — and instances is the correct term — of HSE systems on their systems.”
For hospital systems to be able to access files from each other, they “have to be able to talk to each other” with an open flow of information.
“So, if you patch a system, it has to be patched everywhere at the same time, so that creates a huge number of problems for any entity to manage that IT estate, not least because they own this bit, but they don’t own the ICT system over there,” Mr Browne says. “This is a global phenomenon and they are very, very difficult to secure.”
In recent weeks, the Canadian provinces of Newfoundland and Labrador suffered a cyber-attack that severely disrupted healthcare providers and hospitals, while, in Israel, which has a sophisticated cyber-security set-up, hospitals experienced a series of cyber-attacks.
The NCSC statutory duties are now beginning to kick back in with the HSE.
“We now have a process to go through around the resilience of the HSE,” Mr Browne says. “Under the European Information Network Security (NIS) Directive, we have statutory powers around resilience of critical national infrastructure.”
70 or so entities in Ireland were designated OES (Operators of Essential Services).
They include entities in energy, transport, banking, financial infrastructure, health, water, and digital infrastructure.
“The directive says this service is essential to the economic and social life of the country and you must protect it,” Mr Browne says.
“Their responsibility is to secure their own system. Our responsibility — and the way the directive is worded is messy — is to check on them that they are doing it, rather than police it per se.” In 2018, the NCSC started recruiting cyber-security compliance officers and took on four or five of them.
They provided information to the bodies concerned, which, in turn, had to carry out a self-assessment process and correct any shortcomings.
“We audit against that,” the NCSC chief says. “We’ve done a number and more are on the way.”
This is “boring” compliance work that involves “chasing people down”, but a crucial part of the overall jigsaw.
The HSE crisis “absolutely helped” to focus minds in companies and agencies and ensure that everyone — the IT teams, middle management, and the board — is on the “same page” on cyber security and “aware of the risks” and the importance of treating it seriously, he says.
Speaking of realising the importance of cyber security, the NCSC is at last — way past time, many experts believe — getting proper recognition of its crucial work.
This includes government plans to set the body up on a proper legal foundation, give it greater powers, and increase its staffing levels and funding.
In September 2018, the Comptroller and Auditor General revealed the lack of funding to the centre.
While it received an initial budget of €800,000, in 2011, it got just €250,000 from the Department of Communications between 2012 and 2015.
Describing the centre as providing a “critical function”, the State’s auditor said its staff grew from just five in 2012 to eight in 2016.
It was only when its budget increased to €1.95m, in 2017, that staff reached 14.
Three years later, a heavily redacted summary of a review of the NCSC, commissioned prior to the HSE attack, said the centre was understaffed and overworked.
The review, published last September, furthermore, said the centre lacked the laws and structures to do its job.
It recommended staffing be brought from 25 to 41, “at a minimum”, by the end of 2022.
Cyber minister Ossian Smyth — who himself has a background in IT — has said all the report’s recommendations would be implemented.
But he said it “will be a challenge” to fulfil the Government’s own promises, made last July, to boost staff to 45 by the end of next year, with targets to reach 70 staff within five years.
The capacity review said the necessary increase in staff was against the background of the centre’s workloads having “increased significantly”.
It said forthcoming EU cyber-security measures will “add considerable strain” to the centre in the coming years.
- Providing the centre with a single HQ facility;
- That the centre’s operations team be increased “as a priority” and have a dedicated intelligence team;
- Regulatory functions of the centre be transferred to separate body;
- New laws to formally and fully make the centre a national security and intelligence body, with the ability to detect and disrupt sophisticated cyber attacks. The report said laws setting up the centre on a statutory basis, with full cyber capabilities, were “critical” for its operational future.
It said legislation should set the centre up as an “independent organisation”, define its national security remit, provide it with a dedicated budget, and enable it to “properly monitor” cyber threats.
On this, Mr Browne says: “We have a number of legislative shortcomings right now, which prevent us from doing the things that we need to do.” He says the Government’s decision committed to a legal instrument for NCSC, establishing it, and giving it formal legal roles.
He says the EU GDPR law in 2018 “imposed restrictions” on what they can do with data.
“We have a lot of powers regarding critical infrastructure under European legislation, but we ran out of road quickly in some cases on the Government, so that’s the first thing: The primary legislation will give us a formal set of roles and powers,” Mr Browne says. Some of those powers are in relation to threat intelligence and collection. He says the centre was constrained with the handling of some IOCs (indicators of compromise), where they are considered personal data.
“In terms of the broader question — what does the NCSC need to be? — the capacity review is very clear that we are fit for purpose on the basis of the limited functions we are doing right now, but it needs to expand significantly to deal with things that are coming.” Cyber attacks are “getting messier and more complicated”.
The centre is completing its national incident response plan, including lessons from the HSE attack.
“We learned a lot in that, so we need a much more expanded operations team in the NCSC.” The important part of the 20 new staff, for him, is that it includes an “entirely new senior management team”, including a director, two deputy directors, and six more principal officers.
There are currently only two principal officers, so the expansion will bring that to eight, three of whom will be assigned to the operations team.
“The operations team is going to get far larger and much more capable, particularly in dealing with these rolling, technologically complicated attacks,” Mr Browne says.
In addition, a government monitoring platform needs to be expanded.
“Sensor sits on government networks and watches for certain types of activity, primarily at APTs [advance persistent threats], serious persistent threats to IT departments,” Mr Browne says. “That system needs to expand to cover a lot more of critical infrastructure.”
The centre also wants to put in its own structure to look at key parts of the internet, something that will also require a legal basis.
“This is not surveilling people, it’s not picking someone’s email,” Mr Browne says. “We are looking for signatures associated with known threat actors, so if actor X, who has just attacked somebody in the UK, who is known to everyone in Europe because we have the IOCs, we need a means to pick that up, that’s what Sensor is.”
Mr Browne says the staff increase will also boost the centre’s Engagement Team, which has currently five or six staff.
“That will need to grow significantly and become segmented to cover particular industry types.”
The public-sector group, which currently has two staff, will need to “expand dramatically” to roll out the public-sector baseline standard that they had built and which will be published soon.
“There’s a decision to be taken how that is implemented: That is pending,” Mr Browne says. “But that engagement team will be much larger and engage with entities in a much more forceful way. That, in itself, is a whole challenge.”
The EU cyber legislation already in existence, and coming down the tracks, is “much larger and more intrusive” than people realise. It has “real implications” for the NCSC and the State, with the centre involved in implementing or overseeing the laws.
Much of this, Mr Browne says, is due to the ‘Anglocentric’ nature of the industry in Ireland.
Many of the major cyber vendors are either US or UK companies, with many having their European headquarters in Ireland.
And there is a growing complexity to cyber-attacks: “Cyber is changing very dramatically: We are having much more dynamic incidents. It’s always been dynamic, but they are getting more messy.”
All this, he says, is pointing to the need for a more assertive NCSC: “We are seeing a requirement for much more intervention by us into industry, not just hand holding, but getting into people’s faces and saying, ‘These vulnerabilities that you have, they need to be fixed’.”
Catching the attackers is the next step: “Underpinning all of this is finding the bad guys, watch what’s happening. If you can’t see it, you can’t prevent it and that’s an issue we’ve always faced.” Some countries have “extremely expansive means” of overseeing what’s happening. Mr Browne picks up his mug, which has GCHQ — the British signals intelligence agency — emblazoned across it.
Other countries don’t have such agencies, and, he says: “Until you can proactively chase down, you are always going to be responsive, so you have to get out there and into people’s faces.” But outstanding obstacles remain over data protection and GDPR.
“There has been a vast series of consequences, intended and unintended, particularly with the gardaí, from data protection, that complicated things, so there are changes needed in our legislation to bring it up to speed for post GDPR. That’s a given,” Mr Browne says. There are other implications: “I think some of it is the private sector now realising when they share a vast amount of threat intelligence data, there might be intelligence that is personal data and that’s a challenge.
“We spent quite a lot of time on the new privacy directive to try and ensure that the upcoming European legislation didn’t make the same mistakes.” They are now working on rewriting the heads of bill that will form the draft laws on the NCSC, updating them on lessons from the HSE attack and other developments.
Mr Browne finishes by commenting on a dramatic term recently raised at an Irish cyber seminar: ‘Cybergeddon’.
Essentially, it’s the digital version of Armageddon, with Hollywood bells on.
“It’s very dramatic,” Mr Browne says. “This is a trope, particularly coming out of the US, the ‘doomsday scenario’. Basically, if all the computers stopped working: Thescenario, which is essentially what it is. In the US, you see arm-waving hysteria about the ‘cyber Pearl Harbour’ or the ‘cyber Hiroshima’, or whatever.
“The term means lots of different things to different people: It’s usually a traumatic, dramatic cyber-security event that cripples the internet or large amounts of computers. It’s not impossible, it’s just an extremely low probability event,” Mr Browne says. He says the fragmented nature of the internet protects against this, that it was designed to survive a nuclear war.
So, a cyber superbomb is possible in theory, but low in probability?
“It’s not impossible,” he says, “but we have more pressing problems right now.”