2 March 2020
Caitríona Heinl, ‘Developing an effective security strategy in Ireland: Lessons from the cyber domain’, Commentary for the Nortia/IIEA seminar series on ‘Strategy building for small states in European security and defence
Ireland has a unique global brand as a smaller, even-handed state with balanced foreign policy approaches, strong moral and soft power. Irish interests include support for multilateralism and the international rules-based order, the pursuit of a militarily neutral/non-aligned defence policy and a strong track record of cooperation with like-minded partners. It is imperative, therefore, that our approaches to national security, whether relayed by way of a new national security strategy or through the reform of existing security structures, work to complement, align and support Irish interests and values. The original commentary published as part of the series on ‘The security and defence of small states: Nortia Blogs @IIEA’ is available here.
EFFECTIVE SECURITY STRATEGY IN IRELAND: LESSONS FROM THE CYBER DOMAIN
Ireland has a unique global brand as a smaller, even-handed state with balanced foreign policy approaches, strong moral and soft power. Irish interests include support for multilateralism and the international rules-based order, the pursuit of a militarily neutral/non-aligned defence policy and a strong track record of cooperation with like-minded partners. It is imperative, therefore, that our approaches to national security, whether relayed by way of a new national security strategy or through the reform of existing security structures, work to complement, align and support Irish interests and values.
Modern threats challenge traditional approaches
Dual-use technologies, modern cyber-related threats and malicious peacetime state activity can challenge traditional approaches to national security, including in Ireland. Nonetheless, while new risks like cyber threats are sometimes hijacked to argue for radical change, a healthy approach would include the retention of those established practices and structures that function while working to adapt, reform and adopt new practices to effectively tackle such new challenges.
Modern cyber threats: Where change is likely needed
Several aspects of modern cyber threats clearly challenge traditional approaches to national security in the Irish context. First, global trends and threats such as traditional espionage, cyber-enabled commercial state espionage, the use of offensive cyber capabilities, peacetime influence tactics and strategic technology investments are increasingly prevalent in the Irish theatre. This has come about for several reasons that include the increasing irrelevance of physical border protection and Ireland’s exceptionally high global interconnectedness.
Moreover, the line between criminal and state activity in cyberspace is blurring, and states are becoming increasingly proficient at integrating malicious activities across different threat vectors. This means that the State’s security agencies must be able to counteract this proficiency, by strengthening security capabilities and appropriate human resources. The clarity provided by a new national security strategy as well as the increased coordination that is expected from the National Security Analysis Centre (NSAC) should be helpful in this regard.
Many modern risks, and especially cyber risks, require strong public-private partnerships and collaboration with civil society, research institutes and academia – even where government will lead decision-making. Such a partnership must be concrete and substantial, and not simply a talking point or a ‘tick the box’ exercise. While the second Irish cybersecurity strategy for the period 2019 to 2024 outlines the importance of R&D and the importance of partnerships, the level of investment thus far in cybersecurity is widely criticised by non-governmental stakeholders as being insufficient. A critical good practice evident in other jurisdictions is the ability of government to leverage key national experts effectively to supplement, complement and support government efforts in their efforts to mitigate new risks such as cyber threats. In the Irish context, the state hosts many leading researchers in key disciplines such as artificial intelligence or machine learning. These experts are often regarded as best in their class among their European or foreign counterparts, but there is often a sense that the state’s agencies overlook these resources.
Irish national cybersecurity strategies have thus far drawn on a disparate range of foreign policy and defence documents, without the benefit of engaging with broader national security thinking. They also lack the clarity provided by a national security strategy dealing with key strategic questions. Other national security strategies often provide this type of strategic clarity, helping to guide aspects of how sub-fields such as cyber should be approached. A key question, therefore, is how – in addition to the National Cyber Security Centre’s provision of threat intelligence and analysis to NSAC – that this relationship would be sufficiently bi-directional to allow overarching strategic thinking to guide cybersecurity thinking in the near future and within the next national cybersecurity strategy.
In order to facilitate sustainable national security strategy development and possible capabilities’ enhancement, these steps must naturally be reasonable and acceptable to the Irish public. This may require a more in-depth discussion between the traditionally closed community of security experts and the public on the nature of modern risks such as climate disruption or cybersecurity, as well as 21st century security and defence questions that have implications for Ireland and the state’s economic security.
There is also a related trend beyond Ireland’s borders for the need to open up and be more transparent to effectively address some modern risks where security agencies have naturally had to operate in a more secretive manner. For some modern risks, such as cyber threats, there is an argument that the fear factor and the mystique often associated with cyber threats may not be useful for sound public policy making. This could signal a shift in how these security questions might be addressed. For instance, the United Kingdom’s National Cyber Security Centre is a global thought leader in this regard, by taking steps to publish and declassify more information, to provide tools and advisories for public consumption, and to publish more statistics through its highly active Twitter account. These steps aim to provide practical steps for citizens to be better informed, more resilient on an individual basis, and by extension, on a national level.
There are big questions to address in relation to new foreign direct investment. While Ireland is home to many cybersecurity companies and multinational technology giants, a cybersecurity strategy alone is not enough. It is necessary to have the clarity of a national security strategy and the comfort that additional steps are being taken by the state to address national security and cybersecurity gaps. So far, the state has developed a reasonable approach to key related subjects that are in line with Irish interests and values, and acceptable to Irish citizens as well as many foreign citizens or customers of global corporations.
The state’s good reputation on proportionate surveillance, which became particularly apparent following the Snowden revelations, as well as its solid track record on data protection offers some evidence of an ‘Irish way,’ respected at home and abroad. The third aspect of this cyber or ‘data triangle’ is the way in which the state approaches both national security and cybersecurity questions. Unfortunately, here, it does not have a strong international reputation. Concrete steps to address this gap will be one factor in ensuring that Ireland will be a truly attractive and competitive global destination for foreign direct investment.
However, to achieve these ends, it will be important to strike the right balance between the clear need for significant structural changes on security questions alongside a well-defined Irish approach to values, interests and economic needs. In other words, new risks like cyber threats will likely act to bring about structural changes in how Ireland approaches national security. Technical attribution, for example, should not be the sole basis for the state’s sovereign decision-making on nefarious state activity. All sources of intelligence are likely to continue to be needed, but with less reliance on foreign sources so that the political legitimacy of government decisions is not undermined due to over-reliance on these external sources. Alternatively, the State’s approach to such partnerships may have to be revisited, bringing with it a host of challenging foreign policy and defence questions.
With the above in mind, procedure should still not be a substitute for substance. This is especially important at a point when the newly published national cybersecurity strategy is in the implementation phase, when the first ever national security strategy is about to be published and when a new NSAC is just beginning to find its feet.
ABOUT THE AUTHOR
Caitríona Heinl is Executive Director at The Azure Forum for Contemporary Security Strategy, Ireland and Adjunct Research Fellow at the School of Politics and International Relations (SPIRe) at University College Dublin (UCD).