Oireachtas Joint and Select Committees

Wednesday, 24 November 2021

Joint Oireachtas Committee on European Union Affairs

Engagement on Cybersecurity: European Defence Agency (Resumed)

Joe McHugh (Donegal, Fine Gael)

On behalf of the joint committee, I would like to welcome Mr. Olli Ruutu, chief executive, European Defence Agency. First of all, I have a few lines to say on the question of privilege and other matters.

Before we begin, I wish to deal with the issue of privilege and with some housekeeping matters. I welcome Mr. Olli Ruutu, deputy chief executive of the European Defence Agency. In Irish, I gave Mr. Ruutu a promotion and called him the príomhfheidhmeannach, and he should be called the leas-phríomhfheidhmeannach, which is deputy chief executive.

All witnesses are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable or to otherwise engage in speech that might be regarded as damaging to the good name of the person or entity. Therefore, if the witnesses’ statements are potentially defamatory of an identifiable person or entity, they will be directed to discontinue their remarks. It is imperative that they comply with such direction. For witnesses attending remotely outside of the Leinster House campus, there are some limitations to parliamentary privilege and as such they may not benefit from the same level of immunity from legal proceedings as a witness physically present does. Witnesses participating in this committee session from a jurisdiction outside of the State are advised that they should also be mindful of the domestic law and how it may apply to the evidence that they give. Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside of the Houses or an official either by name or in such a way as to make him or her identifiable.

For anyone watching this meeting, Oireachtas Members and witnesses now have the option of being physically present in the committee room or to join the meeting remotely by MS Teams. I remind members of the constitutional requirement that members must be physically present within the confines of the Leinster House complex in order to participate in public meetings. I will not permit a member to participate where they are not adhering to this constitutional requirement. Therefore, any member who attempts to participate from outside of the precincts will be asked to leave the meeting. In this regard, I will ask any member participating by MS Teams that prior to making their contribution to the meeting they confirm that they are on the grounds of the Leinster House campus.

If members are attending within the committee room, they are asked to exercise personal responsibility to protect themselves and others from the risk of contracting Covid-19. They are strongly advised to practise good hand hygiene and have at least one vacant seat between themselves and others attending. I believe that everybody knows the drill in this regard at this stage. Without further ado, I call Mr. Ruutu to make his opening statement.

Good morning to the Chairman and the distinguished members of the joint committee. It is a real pleasure to speak to them today about the EU's cybersecurity strategy, which was released last December as a joint communication of the Commission and the high representative. I am joined by Mr. Wolfgang Roehrig, who is our head of unit for information security at the European Defence Agency, EDA, and who will be very glad to take questions from members after my introduction.

Given my position as deputy chief executive of the EDA, and in line with the agency’s mandate, I will address today’s topic from a defence capability development perspective. It is from that perspective that EDA was involved in preparing the strategy, given the responsibility of Mr. Josep Borrell as head of the agency. We worked closely with the European External Action Service on the defence-related parts of the strategy.

My message today is clear: achieving greater EU digital sovereignty will require a joint endeavour across the EU, bringing together civilian and defence efforts and leveraging synergies where relevant. I will address three dimensions where this will be necessary: policy; capabilities and technologies; and resilience.

On the policy perspective, building on the EU global strategy and the Council’s strategic agenda on the one hand, and on the security union cybersecurity strategies on the other, there would be clear benefits to defining a common approach to digital sovereignty at EU level. I have no doubt the strategic compass, which is currently being prepared, will contribute to this wider objective. At the same time, it will be a long-term endeavour, given, notably, the specificities of the defence community.

After the introduction of the strategic compass, the revision of the 2018 cyber defence policy framework, CDPF, is an opportunity for the defence community to contribute to shaping the ambition on digital sovereignty so an EU approach encompasses the perspective of the military and responds to specific defence needs.

Turning to the second dimension - capabilities and technologies - there is a clear need for more investment in cyber capabilities in the EU in view of the fast-evolving nature of the cyber-threat landscape. With the multi-annual financial framework and Next Generation Europe, the EU will be investing heavily in the digital field. This is very much welcome. In view of the increasing investments by the military on digitalisation of forces, we should leverage all possible synergies in this area. Let me welcome the Commission action plan on synergies between the civil, defence and space industries as an important step in this direction. To foster civil and military synergies, the EDA is working closely with the European Union Agency for Cybersecurity, ENISA, the Computer Emergency Response Team for the EU institutions, bodies and agencies, CERT-EU, and the European Cybercrime Centre, EC3.

When it comes to cyber defence capability development, we are surely not starting from scratch because, in the EDA framework, we have established EU-level priorities to guide the development of cyber defence capabilities and to focus our effort on cyber defence technological priorities.

Given the sensitivities associated with cyber defence, as well as the different levels of expertise and approaches among member states, a co-ordinated approach will, of course, take time. The EU defence initiatives offer a comprehensive framework to foster more collaborative capability development between member states.

The co-ordinated annual review on defence, CARD, for instance, offered a comprehensive defence review. The 2020 report, which was issued last autumn, identified more than 100 collaborative opportunities to develop next-generation systems. Ensuring the cyber resilience of the systems to be developed is a key requirement.

Permanent structured co-operation, PESCO, provides a dedicated framework to develop these collaborative opportunities. Already we can see that a great number of projects in the cyber and C4ISR area, with highly visible projects such as European Secure Software-defined Radio, ESSOR, the cyber rapid-response teams or the Cyber and Information Domain Coordination Centre, are paving the way. Member states have proposed, in the fourth wave of projects of PESCO, a cyber-ranges project that should build on the existing EDA Cyber Ranges Federation operation. The European Defence Fund, EDF, building on the European Defence Industrial Development Programme, EDIDP, will provide a powerful financial incentive to develop these capabilities, bringing together large industries, SMEs and mid-caps.

To avoid losing our technological edge, it is critical to invest in the right technologies. There is a clear convergence of civilian and military needs to master disruptive technologies, from artificial intelligence to quantum technologies. As cyber technologies are by and large dual-use in nature, we see clear added value in the defence community continuing to contribute to the research effort financed by Horizon Europe.

The last dimension I would like to address is resilience. The EDA has taken an important initiative, the EU MilCERT Interoperability Conference, MIC, to foster operational co-operation among EU military computer emergency response teams, CERTs. In fact, today co-operation among military CERTs still remains very limited, unlike in the civilian domain. This is also due to different national approaches - for example, on deterrence or attribution. This is why we have developed the MIC, combining an innovative type of live-fire exercise and strategic discussions. The first edition was successful, with participation from 17 EU member states in addition to Switzerland. We are now preparing the second edition, which is to take place in 2022.

To finish, let me mention two additional areas where, in parallel with the Commission’s agenda on the civilian side, the agency is actively supporting EU defence ministries in increasing our collective resilience, namely supply chain security and the further development of secure networks, which is required from an agency perspective as member states are sharing more sensitive data, including in relation to capability development projects. This is a natural outcome or requirement of deepening European co-operation on defence capabilities.

To keep to the timeline, I will conclude my presentation here, but, together with Mr. Wolfgang Roehrig, I am ready to go into more detail during the questions and answers.
