Something interesting has happened in the past year: the term ‘cybersecurity’ has finally entered the mainstream. Due to a period of global instability and numerous cyberattacks by actors eager to take advantage of the uncertainty wrought by Brexit and Trump, the issue of cybersecurity has never ranked so highly or been as topical as it is right now. In Ireland, the last month has seen sustained attacks against a number of well-known companies, and news has also emerged that North Korean state-sponsored cybercriminals are involved in launching sophisticated attacks against Irish companies, banks and utilities on an almost daily basis.
At the same time, the information security sector is booming, with new jobs and investment being announced every month. Many of the international leaders in the cybersecurity sector, including Trend Micro, McAfee (Intel Security), Symantec and IBM Security, have significant operations here in Ireland, and a growing number of indigenous firms specialise in the area.
Ireland is a perfect place for information security companies to locate their operations. We have a young, well-educated, English-speaking and upwardly mobile workforce, and we are excellently located on the periphery of Europe, providing easy access to many of the key population centres. Taken together, these factors illustrate Ireland’s potential to become a leading light for cybersecurity innovation within Europe—a European cybersecurity hub. However, before we can achieve this goal, we must address the lack of a cohesive national cybersecurity strategy which is holding us back from achieving our potential.
Currently, Ireland’s strategy is reactive and compliance-based, focused on meeting the guidelines laid out under the European Directive on security of network and information systems (EU NIS directive). To fulfil our potential we need to implement a new strategy—one that seeks to protect Ireland’s interests first, but sustains and benefits this protection strategy by building a parallel platform for innovation.
Ireland currently ranks high on indices measuring our vulnerability to cyberattack, and low on those benchmarking levels of cybersecurity maturity. This means that the country is potentially open to attacks on critical infrastructure that could result in sustained loss or diminution of services such as health, connectivity, power, water or transport. Any successful attack that resulted in loss of service, theft of data, or financial loss could do significant brand damage to Ireland Inc. The potential for this to have a knock-on effect on foreign direct investment (FDI) is clear.
The time is now for Ireland to make it clear to cybercriminals, both state-sponsored and independent, and to multinational organisations looking to invest here, that we are a state that takes cybersecurity seriously and performs it effectively. This necessitates a new and informed approach.
I would suggest that we start by splitting cybersecurity policy into two distinct but integrated areas: cybersecurity operational policy and cybersecurity economic policy. Ideally, the former would focus on protecting Ireland Inc., while the latter would seek to nurture a successful strategy to foster the indigenous cybersecurity industry, promote research and development and attract continued FDI.
Ireland has historically underspent in this area, but spending 0.2% of our GDP (roughly €50 million per annum) could help to raise our ambitions and capabilities way beyond our current compliance-based status. This is also less than what other contenders for the title of ‘information-security-hub’ are currently spending; the UK, for example, will pump approximately £1.9 billion into its own cybersecurity strategy over the next five years.
In order to be truly successful, this approach will need cross-agency buy-in and drive from a number of public and semi-state organisations, including Enterprise Ireland, the Irish Development Authority (IDA) and Science Foundation Ireland (SFI), to name just a few. If the amount that these organisations are currently spending in a non-joined-up fashion is assessed, it is possible to see how €50 million per annum could be redirected if the right combination of protection plus economic innovation is identified.
Some will baulk at the idea of spending this amount of money, but only those who have not considered the potential return on this level of spend. The global cybersecurity market is currently estimated to be worth $90 billion, and it is thought that by 2020 this will have grown to $113 billion (Gartner, 2017). If Ireland can succeed in capturing just 5% of this market, this would represent a value of $5.65 billion. With an investment of €150 million over the next three years, this could represent a massive return. With the right approach, the cybersecurity sector could become the next Medtech, an industry that accounts for annual exports from Ireland of €12.6 billion (Irish Medtech Association, 2017).
The potential to become a cybersecurity hub presents a golden opportunity for Ireland, but in order to make it a reality we need to act now.