Cyber threats, rogue states and why Ireland needs a dedicated intelligence agency

Recently one of my former colleagues kindly sent me a link to a public consultation submission page on the development of a National Security Strategy.

The Irish Government is basically looking for suggestions from the public on what to include and what to focus on the most in their National Security Strategy 2020-2025.

As per their website, “the formal Consultation process will run from 5 to 31 December 2019 and feedback is welcome from any interested parties. You are invited to respond by email to the questions below”.

This is an opportunity I simply could not overlook.

Especially now, when I no longer work for the government and when as a private individual I can freely opine on any matters without having to look for an official permission.

I’m by no means an expert in the field of state security but I decided to throw in my twopence worth on this topic, because:

  1. I have experience working within State security specialist sections of An Garda Siochana – you can check out my background here.
  2. I currently work in information security and I have witnessed first hand at least some of the emerging threats within the cyber security landscape.

 

I fully accept that my opinions are subjective and could be flawed and based on incomplete information. I am open to being corrected on anything I say below – feel free to criticise or disagree in the comments below or by email.

To get back to the point – the questions asked by the National Security Analysis Centre are as follows:

  • Question 1 – In a rapidly changing world what in your view will be the principal threats to Ireland’s national security from 2020 – 2025?
  • Question 2 – In your opinion, what strategic goals should Ireland adopt for national security?
  • Question 3 – In your view, will the traditional national security policies and approaches remain relevant for Ireland over the coming decade?
  • Question 4 – What strategic capabilities will the State need to develop in order to enhance its capacity to protect the State and the people from current and emerging threats?

You can send your own answers to these questions by email or by post:

National Security Strategy Consultation
Email: Contact@nsac.gov.ie
Address: National Security Analysis Centre, Department of the Taoiseach, Merrion Street Upper, Dublin 2, D02 R583

 

So let me get down to business!

Question 1 – In a rapidly changing world what in your view will be the principal threats to Ireland’s national security from 2020 – 2025?

In short – cyber attacks, cyber espionage & cyber warfare.

To be clear, I’m not just talking about hackers targeting companies in Ireland for monetary gain. I’m talking about hostile, premeditated actions by foreign states or advanced persistent threat actors sponsored by foreign governments. Like the infamous cyber attacks on the Ukrainian power grid conducted by Russian cyber operatives in December 2015 (more details here).

Another example of such a cyber threat is the WannaCry ransomware attack, attributed to the North Korean state-sponsored Lazarus Group. This attack caused havoc within the UK, with their NHS being one of the most prominent and badly affected targets.

Irish political neutrality is a convenient stance in some cases, but it’s obvious from any non-Western perspective that Ireland is very closely aligned with NATO and indeed with the US. During the recent Middle East conflicts, US military planes were given access to Shannon airport, which sparked a number of domestic protests and controversies.

Moreover, Ireland is home to over 1000 multinational companies, mainly American ones. Many of these companies have chosen Ireland as their headquarters for all of their European operations. The list includes tech giants such as Google, Apple, IBM, Intel, Hewlett Packard, Facebook, Linkedin and Twitter. These entities use and rely on the Irish power grid and telecoms infrastructure. They are potential targets of hostile actions in the Irish cyberspace.

The US has always had a special diplomatic and socio-political relationship with Ireland. This special status is unlike any bond Ireland has with countries like Russia, China, Iran or North Korea – all of which are by the way perceived by the US as adversaries. And their relationship with Ireland is, well, non-existent at best.

It’s only natural to consider a certain threat vector posed by the above states who will think nothing of targeting US interests indirectly. This includes US interests in Ireland.

While no conventional adversarial action is likely against Ireland, an isolated act of cyber warfare or a sustained campaign of cyber attacks against the national infrastructure is very possible over the next 5 years. The state must be able to defend its cyberspace and all that is contained within it.

Of course, if one was to adopt a cynical viewpoint, it’s hard to give the Irish government any credit when it comes to judging their cyber defence capabilities – after all, they can’t even get the rural broadband scheme right.

Question 2 – In your opinion, what strategic goals should Ireland adopt for national security?

The answer to this one will be short and sweet.

Ireland’s strategic goals should be universal, clearly defined and long-term:

  1. Maintain the political stability on the island in anticipation of the very likely reunification of Northern Ireland with the Republic.
  2. Align the state security objectives and tighten cooperation with the European Union partner states while suppressing extremist movements, sectarian and subversive groups, populists and right wing organisations that might attempt to gain power and collapse the democratic system.
  3. Monitor the corporate landscape in Ireland with the view of not allowing any corporation to grow in power to such an extent that it could overshadow the state’s capability to regulate it.
  4. Effectively combat the domestic narco-terrorist organised crime by implementing a widespread legalisation, regulation and taxation of supply of herbal cannabis and other “soft” drugs.

Question 3 – In your view, will the traditional national security policies and approaches remain relevant for Ireland over the coming decade?

The traditional approach to national security in Ireland is the one based on a largely unarmed police service, which is simultaneously responsible for border integrity, immigration, state security, counter-terrorism, intelligence, international liaison, cyber crime, regular and organised crime, road safety, and several other domains.

In the 21st century world of rapidly growing complexities in every sphere of life, this jack of all trades and master of none approach is destined to fail.

And failing it is.

The key component of proficiency, no matter where or in what, is specialisation. While being a generalist who is good at a number of things at the same time is a desired trait, being a specialist in a narrow field of expertise is really what enables cutting edge excellence and makes all the difference.

Whether we’re talking about politics, sports, science or business, a team made up of generalists will never be as successful or as effective as a team of specialised individuals, each an absolute expert in their own line of work.

An Garda Siochana has traditionally adopted the generalist approach and it continues to do so, while structurally it remains embedded in the mid-20th century (which could as well be the equivalent of the Medieval Age).

The organisation has literally no flexibility when it comes to recruiting individuals with a very particular set of skills.

If for example an experienced Arabic linguist wants to join the ranks of An Garda Siochana with the view of serving in a section responsible for monitoring Islamist extremists, he/she is first typically looking at spending 3 – 5 years as a regular Garda dealing with street crime anywhere in the country.

Same goes for an experienced private sector fraud investigator who suddenly would like to work in the Garda National Economic Crime Bureau. There is no mechanism or prospect of transitioning into a specialist unit, regardless of your experience and potential.

If a skilled network engineer suddenly wants a career change and desires to become a sworn cop, then guess what, he/she must walk the beat first for a couple of years before even dreaming of working in cyber crime.

This approach results not only in negating nearly every benefit gained by hiring individuals from diverse backgrounds, but it also prevents effective professional development. One can spend 4 years studying Middle Eastern linguistics at a leading Dublin university with the view of serving at the Middle Eastern intelligence desk in An Garda Siochana. Instead of honing their relevant skills further in the initial stages of their to-be intelligence career, that person might spend a number of years enforcing the public order legislation in Temple Bar.

Obviously, this highly hypothetical, very artificial scenario is unlikely to happen, because there is currently absolutely no incentive for a logically-thinking person with that sort of background and education to even contemplate joining the police service in Ireland.

During my time spent in the ranks of An Garda Siochana, did I become the best cybercrime cop ever?

No. Quite the opposite. I would say I was one of the worst ones. And all the prior years I spent working as a uniformed cop hardly added any value to my subsequent role in the Garda National Cyber Crime Bureau.

There are hundreds of similar examples out there, where decent, hard working, talented cops, some with a great aptitude for intelligence work, spend years slogging away as street cops for the lack of a better alternative.

The story would be totally different if we had a dedicated, professional intelligence agency free to focus on key elements of state security as opposed to being a generalist police service. 

I think it is time for An Garda Siochana to let go of the intelligence portfolio and to hand it over to another government body. This includes digital intelligence as well as the traditional, old school intel, other than the strictly criminal stuff.

Question 4 – What strategic capabilities will the State need to develop in order to enhance its capacity to protect the State and the people from current and emerging threats?

An advanced cyber defence system, incorporating elements of cyber offensive approach when necessary.

Currently, the main entity responsible for cyber defence in Ireland is The National Cyber Security Centre (NCSC). On its website it describes itself as “an operational arm of the Department of Communications, Climate Action and Environment”. There is no doubt that inter-agency cooperation is in place and that the NCSC regularly liaises with other relevant state security organs, like the Garda and the Irish military.

But the role of the NCSC seems to be mainly passive and reactive, as opposed to focusing on active cyber recon efforts that many other European countries engage in.

Ireland should prioritise setting up a dedicated national cyber defence and digital intelligence agency, perhaps by building up and expanding the existing structures which could over time evolve into a separate entity.

This new entity however should not just be an ad hoc amalgam of civil servants from various government Departments, but a dedicated, professional structure with authority to conduct defensive and offensive cyber operations when and where needed.

Over two years ago, the Irish government brought in a piece of legislation – Criminal Justice (Offences Relating to Information Systems) Act 2017 – aimed at playing catch-up with the rapidly increasing complexities of information systems and criminal offences against them. Section 10 of that Act allows for criminal prosecution of “the person outside the State in relation to an information system in the State”. This allows the government to seek criminal charges against foreign-based hackers or persons responsible for organising cyber attacks who reside abroad.

In my opinion, this section of the Act is completely redundant – the Irish government currently has no powers or technical capabilities within the current cyber security structures to conduct digital intelligence operations that would allow them to identify foreign hackers (and put them on a wanted list!), the way the US or the UK agencies do.

I certainly have not heard of any prosecution efforts under Section 10 of the above Act – but if you did, please let me know.

This state of affairs should change and the only way to change it is to enable cyber operations that extend beyond the state borders. How to do this?

The best solution I can think of is to create a separate, non-military state security intelligence agency, adequately resourced and authorised to conduct intelligence gathering missions abroad. I have already expanded enough on the intelligence agency topic, as this matter goes beyond the cyber threats and cyber intelligence angles. It certainly does include traditionally understood intelligence acquisition methods.

But without any doubt, cyber operations and pro-active response to cyber attacks and cyber espionage conducted by other states should be a key responsibility of this new intelligence agency.

Ireland already has an army intelligence apparatus – the D J2 branch, based in the McKee Barracks in Dublin. I have no first hand knowledge of the Irish army, but I like to think that this branch has some decent cyber defence capabilities, but obviously not as good as if it were a dedicated cyber warfare branch.

Besides, the army intelligence directorate has an overall responsibility for gathering intel regarding military or quasi-military threats to the state. Such threats from within the cyber sphere are, I dare assume, only a fraction of what the army intelligence section must deal with. Besides, it does not focus on the civilian threat actors, such as organised cyber criminals often funded by rogue states.

I would also hazard an educated guess that there is an imbalance within the D J2 in terms of active intelligence gathering vs counter-intelligence. This is mainly due to the politically declared neutrality of the Irish state and is understandable to some degree. The army rarely deploys its intel personnel, including cyber specialists, on missions overseas and at that, this usually happens under the auspices of the UN.

So in contrast to the Irish approach, I would like to lean on the example of Switzerland. Also a traditionally neutral country, Switzerland has a military intelligence branch as well as its civil counterpart (called NDB). Moreover, the Swiss rely on an advanced signals interception system called Onyx, which is a big part of their cyber security strategy. The country’s intelligence services maintain active interest in monitoring “regions of interest” – from North Africa and Middle East, to Russia. And somehow, their political neutrality remains intact…

Summary:

Adverse actions in cyberspace against Ireland will continue and will intensify in the next decade. The government should prioritise cyber defence capabilities while also developing and equipping state bodies with offensive options.

As aggressive as it might sound, foreign signals interception, offensive actions in cyber security or foreign human assets acquisition are often “active defence” preventative measures.

I don’t believe that the state’s neutrality is jeopardised by conducting operations like remotely disabling hostile servers located overseas that are conducting denial of service attacks or deploying ransomware to targets within Ireland.

Likewise, I don’t think that recruiting sources of information outside the state for state defence purposes is a violation of neutrality.

One of the conclusions of my lengthy submission is that the Irish government should remove the intelligence gathering and processing functions from An Garda Siochana (both cyber and traditional intel) and place them in the remit of a dedicated, professional and specialised intelligence agency.

I posit that actions normally reserved to dedicated intelligence bodies in Europe and worldwide, as well as activities related to hunting for digital intelligence, cyber threats and other types of threats outside the state, should not be left within the remit of a national police service like An Garda Siochana or civil servants from the Department of Communication.

Thank you for reading and please do leave a comment below.
