Tackling the challenge of cybersecurity
Paul Duffy, Director of the newly renamed Digital, Security and Finance Shared Services within the Department of Finance speaks to agendaNi about the restructuring and how AI will change cybersecurity.
Having originally been named Enterprise Shared Services, Duffy’s directorate was restructured and renamed to better reflect its role in providing digital security and finance shared services to the nine Executive departments and a range of other public sector bodies in Northern Ireland.
“The reason for the change in the name is to be clear on the services we provide across government and to raise the profile and prominence of security as a shared service,” Duffy explains.
The change comes at a time when the world is still dealing with the shockwaves of the Covid-19 pandemic and its associated changes to working and living patterns, with life lived more online in both the professional and personal senses than ever before. “We must be able to trust the systems that connect us and enrich our lives economically and socially,” Duffy says.
“Recent global events have reminded us that this can have a direct impact locally, with data showing that the UK is the third most targeted country for cyberattacks, behind only the US and Ukraine. In 2022, the UK was the target of 30 per cent of all cyberattacks across Europe.”
Highlighting the disruption caused by interruptions to networks and communications systems, Duffy recalls a day in 2023 when the Northern Ireland Civil Service experienced an outage and was left without access to its digital network on a Monday morning. “Evidence clearly shows that Monday is the most popular day for working from home in the public and private sectors, meaning that there were, at that time, thousands of public servants with no connection to our digital network.
“In addition, as many of our public services are now delivered and accessed digitally, we saw a widespread impact on many diverse public services, ranging from cattle sales to criminal cases in our courts, and while there was a timely and successful resolution to the issue, it clearly highlights how reliant we are on our digital infrastructure.”
This reliance creates a landscape that is challenging to protect and an attractive target for malicious actors. To tackle these challenges, the UK Government launched its National Cyber Security Strategy in 2022, with the aim of significantly strengthening all critical government functions by 2025 and making all government and public sector organisations fully cyber resilient by 2030. Central to this will be the Cyber Assurance Scheme, known as GovAssure, a five-stage process underpinned by the National Cyber Security Centre Cyber Assessment Framework that aligns critical national infrastructure best practice and uses a comprehensive approach to ensure government is constantly assessing cyber resilience.
Locally, the framework is currently being piloted against three critical systems within the Department of Finance.
“The intention is that this will be rolled out to all Northern Ireland government departments in 2024, incorporating any of the lessons learned through the pilots currently underway,” Duffy says. “Across the NICS, a cross-departmental GovAssure Implementation Board has been established and is responsible for overseeing implementation by all departments.”
Along with this work on public infrastructure, Duffy acknowledges that much of Northern Ireland’s critical cyber infrastructure is in private hands. “This means that the involvement of the private sector is essential for any national cybersecurity strategy to be effective. The Government must find a way to share intelligence about cyberattacks safely and encourage the private sector to feel confident about revealing security concerns and problems to government.
“Transparency and early visibility of potential and actual cyberattacks on private organisations remains a challenge. Early engagement with statutory organisations can assist in the response to an incident, it can limit its potential impact on other organisations, and this early engagement is likely to be viewed positively in the event of legal consequences that an organisation may face. It is important that we learn from each other’s experiences. Cyber is an ever-evolving threat and we must work together to minimise its impact.”
“Recent global events have reminded us that this can have a direct impact locally, with data showing that the UK is the third most targeted country for cyberattacks, behind only the US and Ukraine.”
With 95 per cent of cybersecurity breaches said to be a product of human error, Duffy also stresses the importance of open and encouraging cultures within both the private and public sectors that would allow employees to be unafraid to promptly report mistakes that could leave an organisation vulnerable to attack. To complement this, he states that expertise must be present at board level in order to provide direction, policies, standards, and the ability to make informed decisions.
Turning towards the technological topic of the moment, AI, Duffy says that it will “almost certainly increase the volume and impact of cyberattacks”. “The impact on the cyberthreat will be uneven in terms of utility, type of actor, and level of sophistication,” he says. “Regardless of whether the original cyberattack was conducted using AI, it will almost certainly make cyberattacks on the UK more impactful.
“Using AI, threat actors will be able to analyse extracted data faster and more effectively and use it to train AI models. AI’s utility in social engineering, password cracking, and phishing lowers the bar for novice criminals, hackers for hire, and hacktivists to effective access and information gathering operations. While there are clearly opportunities to use AI to strengthen cyber resilience, it is highly likely to intensify UK cyber challenges for government and the private sector.”
Concluding, Duffy states that Northern Ireland is “widely recognised globally for its cybersecurity innovation, with a thriving tech and cyber industry playing an important part in creating a secure digital environment for society”.
“Our digital world is continually evolving, and the pace of change will only quicken to embrace new and emerging technologies. This growth in digital and technological advancement brings many benefits to society but it also creates challenges that we can only tackle collectively. It is this partnership between the public sector, industry, the voluntary community sector, and academia that is our greatest strength.”