Ireland just released its cybersecurity strategy. It is a very interesting document because, considering the size of the country, Ireland is a crucial backbone of the EU digital economy.
Ireland knows this and it mentioned in the strategy very prominently: around 30% of “data” are based in Ireland. Big global companies have their headquarters there. The reasoning is as follows: if Ireland becomes a target of a high-impact cyberattack, the whole of Europe will feel this, therefore Ireland is a potentially Europe’s critical point. Saying this aloud means taking a lot of responsibility. While I would say it is fortunate that all of the big companies have strong cybersecurity posture, let’s not forget there are many other, smaller players as well.
Cybersecurity strategy and... great power politics?
Ireland framed its cybersecurity strategy in the theme of “the changing of the global security environment”, specifically the return to "great power politics”. This is interesting in itself, although no concrete implications (or aima) are mentioned. It is, therefore, a remark, rather than an actionable diagnosis. While such remarks are usually not included in documents like that, you would, therefore, expect extraordinary elements includes in a strategy put forward in such a context. I am rather familiar with the landscape (look for my previous takes: Luxembourg’s civilian strategy, French doctrine of offensive cyberattacks, French application of international law to cyberwarfare, Dutch application of international law to cyberattacks, ICRC position on cyberwarfare [...]). Whether the Irish strategy is delivering on such an ambitious challenge (“return to power politics”) is anyone’s guess. It’s not like there are any metrics for "appropriateness of cybersecurity in situation of a global rerturn to power politics" (unless you know of some, in that case please let me know). What is clear, however, is that the strategy does not speak of allocated funds in any form.
Critical Infrastructure
Ireland makes it clear that the emerging risks of ‘hybrid threats’ usually contain a ‘cyber component’, and as a liberal democracy Ireland is particularly vulnerable. Ireland identified its relative vulnerability to cyberattacks on critical infrastructure (who didn’t), which in their words are enabled by the years of development and spread of offensive tools (“the development and use of tools to compromise, disrupt and even destroy these systems...”). There is nothing particularly surprising in this part of the strategy, except perhaps the inclusion of threats like “web site defacement” and government-sponsored advanced persistent threats… To improve this landscape, Ireland will engage actors such as the army and the police, probably by improving their cybersecurity competences (details unspecified).
NIS Directive is not enough
It is interesting that Ireland speaks about the introduction of more (and broad) cybersecurity regulations in the sector. It even sounds like going beyond NIS Directive, including also the electoral system in the scope of protection. Limitations of NIS Directive are overtly highlighted (is NIS not good enough?). This amendment of the Critical National Infrastructure regulations is to start in late 2021 and run in 2022. The good question is if there will be a synchronized update of the respective directive on the European level.
GDPR as cybersecurity regulation
Ireland is probably the only country that states the obvious, so I am rather happy here. Currently, the major motivator behind significant and general cybersecurity improvement is the General Data Protection Regulation. It is this regulation that is comprehensive, actionable, and enforceable (with the risk of fines). I always found it clear: Europe’s cybersecurity was/is being driven by GDPR to a far greater extent than any other regulation (I think this message still did not reach the general public to a sufficient extent). We can speak about specialized regulations or whatnots. But in the end what we have is GDPR and the fact that it applies, more or less, to almost every private business. GDPR is usually framed as a privacy regulation, and this is fine. But the practical aspect of building data privacy is the need to improve data security, as well as the appropriate processes.
Lastly, the Irish strategy itself identified a number of goals to pursue (such as the expansion of the National Cyber Security Center). It presented as actionable, with deadlines specified, though with no mention of allocated funds, and this is perhaps the biggest shortcoming of the strategy. But there are two key aspects: the will, and the resources.
Summary
This document joins many other countries that currently either publish or work on their own strategic refinements. Ireland is a significant place when it comes to digital aspects (including vulnerabilities). While there are limits to what the State can do on defence side (most of infrastructure or devices are private, for example), and the documents did not look to particular local vulnerability in context of hybrid threats (why would you imagine these be similar to, say, those in East Europe?), the strategy offers a sound insight of Ireland being a (digital) point of vulnerability.
Did you like this writeup? Do you have a comment or remark? Feel free to get in touch (me@lukaszolejnik.com)