Extradition of Russian hackers implausible, Oireachtas committee told

HSE cybersecurity improved to extent that another attack would fail, says State agency

Internet threat: Russia is responsible for 65 per cent of all state cyberattacks globally, according to the National Cyber Security Centre. Photograph: Getty
Internet threat: Russia is responsible for 65 per cent of all state cyberattacks globally, according to the National Cyber Security Centre. Photograph: Getty

The extradition of the criminals who carried out the the HSE cyberattack last year would be difficult because of the attitude of the Russian government, an Oireachtas committee has heard.

The head of the State's cybersecurity agency has confirmed it was hackers based in Russia who were responsible for the HSE data breach in May last year.

However, Dr Robert Browne, the director of the National Cyber Security Centre (NCSC), said the agency "cannot substantiate" if the Russian government itself was involved.

He saw little chance of Russia ever extraditing the criminals that took down the HSE system even if they could be identified by gardaí.

READ SOME MORE

“If the host nation is not willing to play ball on a law enforcement basis, and in this case the Russian state does not have a very good history in terms of engaging in criminal investigations, you are relatively limited in what you can do in that regard,” he said.

Dr Browne told the committee that Ireland has never attributed any cyberattack to another state.

“The widely promulgated responsible actor for the HSE attack is in Russia and is largely regarded as being based in a Russian city. We would not demure from that analysis,” he said. The “threat actor” involved in the HSE attack has not been named.

Russia is responsible for 65 per cent of all state cyberattacks globally followed by China, North Korea and Iraq, he told the committee.

When asked why Ireland had never attributed a cyberattack to another country, he responded: “It is a much vexed question. You would have to be extremely sure you can substantiate that in a public way.”

In order to attribute a cyberattack to another state, it is not enough to say that the state was complicit in the attack, it had to be proved it was actively involved. Finding individuals is “extremely difficult”, he explained.

“Attribution is challenging because once you tell the world that you found an incident, you also tell the world how you found the incident. You give away capability.”

Former DCU academic Mike Scott described the NCSC as a secretive organisation which never advertises externally

He also stated that the HSE had strengthened its cybersecurity to the extent that such an attack would not succeed again.

In relation to the cyber threat from Russia arising out of the invasion of Ukraine, he stated there has been a "very pronounced increase in this type of activity in Russia and Ukraine, but there is little evidence of this type of activity outside of this environment".

Cybersecurity spending

The NCSC came in for criticism at the committee which was examining the cyber threat posed by Russia.

Pat Larkin, chief executive of information security consultancy Ward Solutions, said the State only spent between €8 and €9 million last year on resourcing the NCSC.

It is “nowhere near the levels of protection needed” to deal with the cyber threats which are developing internationally, he warned.

He suggested the State should be spending €50 million a year on cybersecurity to bring spending into line with what the UK spends on its internet protection agencies.

Mr Larkin told the Joint Committee on Transport and Communications that cyber crime has become in the last two-three years more lucrative than the trade in illicit drugs.

Former Dublin City University academic Mike Scott described the NCSC as a secretive organisation which never advertises externally for positions nor states who works for it.

Mr Scott said he could not name a single of the 70 people employed by the NCSC other than the director who had appeared in front of the committee earlier. “They are invisible. Are they afraid? Is this how other people do it.”

He said it behaved more like a secretive organisation like MI5. “It is not appropriate. It is not how an organisation like that should behave.”

He described the HSE hack as a “wake-up call” and there appeared to be no expert response from the NCSC.

“Given our generally high standing in the world of IT, it is all rather embarrassing.”

Ronan McGreevy

Ronan McGreevy

Ronan McGreevy is a news reporter with The Irish Times