While it is no secret that the IT industry in Ireland was uniformly dismayed and disappointed by the decision to appoint a CIO council instead of a government CIO, a consensus is now emerging among IT security professionals of an even more pressing need.
Now, given that the current Government has seen fit not to appoint a government CIO, one person through whom the Government speaks on all aspects of technology and information strategy, it seems highly unlikely that it would see the need for an even more niche appointment. So, why would a group of intelligent, respected and worldly people be asking for such a thing?
Well, it all goes back to that dreaded E word again: economy. As everyone from the local grocer and bank CEO to the dogs in the street now knows, Ireland has a two-tier economy. We have the domestic economy, which is, depending on which metaphor you want to use, on its knees, in the toilet, hanging by a thread (delete as appropriate). Then we have the multinationals and the economy in which they operate, which is booming to say the least.
But, imagine for a moment that someone should take umbrage, and consequently take aim, at one of those multinationals. How does one take down such a behemoth and give it a good bloody nose, or better yet, create a sufficient diversion to allow its intellectual property pockets to be picked? One finds a soft spot of course.
Such a soft spot might be unprotected underlying infrastructure, such as a power grid or other critical utility. As we reported here earlier this week, Ireland is very highly rated for the intelligence of its national grid; this is a good thing. However, little is said about its security.
Were a group of criminals, terrorists or hacktivists to decide to take on one of the many multinationals that are based in this country, for whatever reason, an attack on national critical infrastructure would not be out of the question. In fact, it is an area of increasing concern.
Among the IT security professionals here, such an attack is not even necessarily seen as part of an attack on the multinationals specifically. Taking them offline may actually be a mere consequence of such an attack: collateral damage, if you will.
However, the point is the same. As attacks on critical infrastructure have been shown to be effective through cyberweapons such as Flame, Stuxnet and more, it is a threat that must be addressed. How best is that to be accomplished? By appointing a government CISO, say our IT security experts.
Imagine the scene, if you will: you wake one morning to the news that a cyberattack has taken place that has not only compromised but severely damaged water processing plants that feed the data centres of several multinationals. Unlike electricity, few would have back-up systems that can meet demand for more than a short while. If, coupled with this, there were also electricity disruption, then operations could be severely impacted.
Who would coordinate the efforts to speak to the public, law enforcement and the multinational community on the extent of the damage, the efforts being undertaken to rectify the situation and the hunt for the perpetrators? A minister? A minister of state? The Gardaí? Or someone who is knowledgeable, experienced and respected by the industry?
Even stepping back from the disaster scenario, if the realisation is made that greater effort must be made to protect critical infrastructure from cyberattack, who better to coordinate such work than a single, focused individual who knows the industry, the methodologies and the issues involved?
Well, I think the answer is obvious, as are the consequences of failing to recognise the need for such a post.