Inside the Defence Forces response against the HSE ransomware hack
An officer in the Irish military’s response to cyber threats said the State must maintain momentum to prevent future online attacks.
Commandant Frank Hickey is a senior officer in the Irish Defence Forces’ Communications Information Services Corps (CIS).
Hickey said that attacks such as the HSE ransomware incident show the importance of continuous growth in Ireland’s cyber defences.
The CIS and the wider Defence Forces are not the primary agency – the responsibility for running the response to threats is owned by the National Cyber Security Centre (NCSC).
The Defence Forces, and their expertise in the area, were called upon during the health service crisis.
Hickey spoke to The Journal this week to reveal how the State’s response to cyber threats has changed since the HSE hack, the threats currently faced and how the Commission on the Defence Forces could see his team grow to better confront future attacks.
The military’s cyber defence capability is contained within the CIS Corps, and Hickey also spoke about the behind-the-scenes efforts of dozens of CIS teams.
CIS are tasked with many jobs in the Defence Forces, including the operation of radio systems and IT networks, and have a number of cyber defence specialists. The soldiers and technicians in the unit were key to getting HSE systems back online after the hack.
Hickey was eager to stress that the primary agency is the National Cyber Security Centre, and that CIS only becomes involved when called upon to assist in the response.
In any incident, Hickey said, his unit’s primary role is to ensure that the Defence Forces’ systems are secure. The Commandant explained that the role for the Defence Forces during the HSE hack was to participate in the “recovery process” of HSE data and to get computers back working.
He said one key to the response was that there already was a very good link between the HSE and the Defence Forces as both responded to Covid-19. He said this helped to make the response a much more rapid deployment.
The task force dealing with the pandemic was not the correct command and control structure to deal with the cyber attack, so that was changed and CIS specialists developed a strategy to deal with the problem.
Some in CIS were advising while other members were dispatched to begin the process of getting the HSE computer systems back online. Hickey said that there were an estimated 12,000 HSE centres affected across the State, with a list of 49 critical locations that needed an immediate response.
To achieve that, Hickey and his team devised a strategy which saw their core response team within the CIS augmented by other teams from the various Defence Forces elements across the country.
The specialists pivoted from managing the internal communications of the Defence Forces to the frontline of a fight to save the HSE in a very short period of time – travelling across the State to find the locations to help.
“I think it was a great source of pride to be honest. A number of people would have commented it was probably one of the highlights of their career,” he said of that urgent time.
It had real world consequences beyond just an IT system, it meant that people’s health care was delayed, maybe didn’t go ahead, maybe they got sicker because of this.
You could see when the teams went down to the various hospitals, the relief on people’s faces when they have somebody coming in to support them.
“Then from our own perspective people were jumping into vehicles to go down to support these locations. It was a great sense of pride, because everybody just wanted to help.” He said they even had people coming from Galway to Dublin “because their family members were treated in a particular location that we were supporting. And they felt obliged, it was a sense of duty”.
Hickey said that the CIS Corps’ experience in the HSE cyber attack was a major learning opportunity for the unit. It was a huge opportunity to test their skills in a real world major incident.
Away from the HSE, Hickey said that recent cyber attacks on Okta and Microsoft show the level of activity of criminals and bad State actors across the internet.
Okta is a US-based company specialising in managing secure access – it was hit in March. The same South American group of hackers thought to have targeted Okta were also suspected of being behind a cyber infiltration of Microsoft.
While Russian hackers were suspected of the HSE ransomware shutdown, Hickey said that the threat is multi-dimensional, with many groups operating in states where they are enabled by rogue Governments.
“It is a mix of state actors and just criminals. But there is a grey area in the middle and there are actors who are operating within nation states, known to the governments of the states and allowed to conduct their business within the state uninterrupted,” he explained.
“(The state-backed actors) are the ones that have the most resources behind them; are the ones most persistent; and most coordinated. So from that perspective they will be one of the biggest worries, but I’d say the most realistic and most common type would be criminals that are just looking to get a payday.
“They are then targeting organisations’ networks and using ransomware and flipping their network, ransoming them looking for payments – they would be the most widespread, but then state actors would be, from a world perspective, the most persistent and most likely to do major damage,” he went on.
Hickey said that generally the method for cyber criminals is the same as that used in the HSE incident – they infiltrate the system, hijack it and then hold the victim to ransom.
“There are certainly victims who would be the private networks as opposed to State infrastructure but I’m sure State infrastructure is always under attack via our networks that are connected to the wider internet.
“So [the hackers] are all the time looking for loopholes and weaknesses – they’ll be going after all sorts of networks, including space infrastructure,” he added.
Ireland has been directly involved in international efforts, liaising with other countries and taking part in large-scale exercises such as the Locked Shields event, said Hickey.
This event is organised by NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Estonia and sees the world’s cyber response teams, including Ireland, come together to practise and develop ways to fight a live hacker attack.
The CIS also has an officer seconded and working at the CCDCOE based in the Estonian capital of Tallinn.
For Hickey the next most important issue to solve is the retention crisis, and also the implementation of the recommendations by the Commission on the Defence Forces to grow CIS.
The Defence Forces has been suffering a major difficulty in retaining talented and highly skilled staff, with bodies such as the Representative Association of Commissioned Officers stating that better pay in the private sector was a major draw for members.
“To be able to retain people that we have, those that are coming through, that’s the number one thing I think, because our numbers are reducing all the time. People are leaving all of the time,” he explained.
“Recruitment is a big challenge, we’re never increasing our numbers, we’re not getting back to where we should be in terms of our current establishments.
“If we could retain our staff, it would make things an awful lot easier, it would take the pressure off people, those who are left behind are doing more and more of the work on their own, as opposed to spreading the load evenly among a number of people,” he said.
Hickey believes that the recommendations contained in the Commission on the Defence Forces would see the CIS Corps increased in strength by 100 specialists.
There are also calls to bring in a direct-entry capability for civilian experts to help to protect the State.
But Hickey ends on a positive note about the cyber threat: “I don’t think people should be overly concerned.
“However, it always remains a significant threat to Ireland. We saw how quickly it happened with the HSE and if that was to happen again, and to replicate across other services, it could be quite significant.
“However, I think there’s a lot of improvements in different areas. There’s the Commission on the Defence Forces report, a number of key positions being filled in the NCSC, and as long as momentum is retained I think that Ireland will be in a much stronger position into the future,” he said.