Oireachtas Joint and Select Committees

Wednesday, 3 November 2021

Joint Oireachtas Committee on European Union Affairs

EU Cybersecurity Strategy: Discussion

Photo of Brendan HowlinBrendan Howlin (Wexford, Labour)
Link to this: Individually | In context | Oireachtas source

On behalf of the committee, I welcome, from the European Commission, Ms Lorena Boix Alonso, and from the European Parliament, Mr. Ciarán Cuffe MEP. Before we begin, I will read a note on privilege and housekeeping matters.

All witnesses are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person, persons or entity by name or in such a way as to make him, her or it identifiable, or to engage otherwise in speech that might be regarded as damaging to the good name of the person or entity. Therefore, if the statement of a witness is potentially defamatory in respect of an identifiable person or entity, the witness will be directed to discontinue these remarks. It is imperative to comply with any such direction.

For witnesses attending remotely outside the Leinster House campus, there are some limitations to parliamentary privilege and, as such, they may not benefit from the same level of immunity from legal proceedings as a witness who is physically present does. Witnesses participating in this committee session from a jurisdiction outside the State are advised that they should also be mindful of their domestic law that would impact on their evidence.

Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official either by name or in such a way as to make that person identifiable.

For anyone watching the meeting, Members of the Oireachtas and witnesses now have the option of being physically present in the committee room or of joining the meeting remotely via Microsoft Teams. I remind members of the constitutional requirement that members must be physically present within the confines of the Leinster House complex in order to participate in public meetings. I will not permit members to participate where they are not adhering to this constitutional requirement. Therefore, any member who attempts to participate from outside the precincts will be asked to leave the meeting. In this regard, I ask any members participating via Teams to indicate and confirm that they are on the Leinster House campus. If members are attending in the committee room, they are asked to exercise personal responsibility to protect themselves and others from the risk of contracting Covid-19. They are advised of the good practices in terms of using masks and sanitisers.

With the formalities over, I am pleased to invite Ms Boix Alonso to make her opening statement.

Ms Lorena Boix Alonso:

A chairde - although I cannot pronounce it correctly, I am trying anyhow - I thank the Members of the Houses of the Oireachtas for inviting the Commission. I am very honoured to join the members in this meeting of the Joint Committee on European Union Affairs, in particular, to speak about this very important subject of cybersecurity.

The Commission President, Dr. von der Leyen expressed it well in her state of the Union address on 15 September when she said that "If everything is connected, everything can be hacked." In recent times, unfortunately, we have witnessed the hacking of the Colonial Pipeline in the US, the Solarwinds incident, the ransomware attack on the IT supplier, Kaseya, and, of course, one that the members are all very well aware of, the massive cyberattack on the Irish Health Service Executive precisely at a very bad moment which was in the middle of fighting a worldwide pandemic. This, unfortunately, according to our figures, will not diminish. According to the European Union Agency for Cyber Security, ENISA, so-called "supply-chain attacks", which are very difficult to fight regardless of how many measures you are taking in your own company or administration because they come from someone else in the supply chain, will multiply by four this year and attacks on cloud infrastructure have increased fivefold in one year. You have seen also the increase of ransomware attacks. Some studies state that they have increased by 60%. Others give a higher figure. This is the reason the status quois not an option. Basically, what we have been doing until now is clearly not sufficient because the attacks keep on increasing, and the impact keeps on increasing as well. Sometimes you would believe there are no limits for the hackers. They just attack everything.

This is why the Commission, in December of last year, came with a strategy to reinforce what we have now and to make sure that citizens and business are protected, both online and offline. This strategy, which was adopted by the Commission and the High Representative of the Union for Foreign Affairs and Security Policy together, was presented at the same time because it is part of the Network and Information Security Directive, a reform of our NIS directive. The strategy provides, from our point of view, a fresh vision and plan for cybersecurity to deal with the challenges we are facing. The idea is to build resilience and ensure we can all benefit from digital technologies because digital technologies promise a lot of things. Of course, if they are not cybersecure, none of the benefits of digital technologies will be available to citizens and businesses. Building upon what we already have in place, the strategy focuses on three main angles. The first angle is to build resilience, so-called "technological sovereignty" and leadership. The second angle is to build operational capacity so that it is not only about making sure we are protected and are resilient, but that we have a capacity to act, whether it is to prevent, to deter or to respond to large-scale cyberattacks, in particular. Lastly, of course, the international dimension is extremely important and advancing a global and open cyberspace through increased co-operation is also important.

For each of these pillars, there are concrete actions. I will not go through all of them because there is no time. As I mentioned already, an important pillar of building resilience is the NIS 2 directive, which is currently being negotiated in the Parliament and the Council of the EU.

We hope that the trilogues will start as soon as possible. The main objective was to build on the success of the NIS directive and go beyond that by enlarging the scope in order that more sectors can be covered by or subject to the obligations of this directive, ensuring that the rules are clear and that there are stronger supervision tools. That is the main objective behind the NIS directive reform.

I mentioned operational capacity and the need to react together in order to help each other. The incident that happened in Ireland is a good example of the potential of this operational capacity. At the time that happened, the co-ordination system at EU level was triggered. The Irish authorities triggered it. They sought to receive support from the European computer security incident response team, CSIRT, network of all the member states. The idea of going beyond being operational was put in the strategy by a proposal to create what we call a joint cyber unit, namely, a hub that would potentially allow all communities, not only civil but international communities and law enforcement communities, to share information and co-ordinate potential collective responses to major crisis and incidents. That idea is being discussed with the member states.

Another element of the strategy being pushed by the Commission President is the cyber resilience Act. In the strategy, we set out the need to have horizontal rules that would set common cybersecurity standards for connected products and services in the Internal Market in order that we ensure cybersecurity by design whenever a product or service is put on the market and that a whole-life cycle of that product or service will be done. President von der Leyen, in her state of the Union speech, announced a cyber resilience Act, and this will be a follow-up of that announced initiative.

I will not continue further. I will stick to the five minutes allocated in order that we can have a debate. I believe cybersecurity is one of those challenges that is impossible to face alone. No member state alone can face it. That is clear by now. The attacks will increasingly have an impact across borders. We are here to be in solidarity and to support each other. I thank Ireland in particular for the constructive and co-operative role it always plays in discussions on cybersecurity. That is very much appreciated. We will continue to listen to members' views. I am happy to answer any questions they may have and to engage in a debate.

Photo of Brendan HowlinBrendan Howlin (Wexford, Labour)
Link to this: Individually | In context | Oireachtas source

I thank Ms Boix Alonso for her contribution. I invite Mr. Ciarán Cuffe to make his contribution before I open the meeting to members of the committee to put questions to both our guests. Ciarán, welcome back.

Mr. Ciarán Cuffe:

I thank the Vice Chairman for that. I have a certain sense of déjà vubeing back here. On a personal level, it is nice to be back and in a committee room again. To introduce why I am here, I sit on one of the 20 committees of the European Parliament, the Committee on Industry, Research and Energy, ITRE, which deals with cybersecurity. I want to give members a brief overview of the EU's cybersecurity strategy as well as touch on some other topics that might be relevant. We have just come to the end of European Cybersecurity Month, the European Union's annual campaign dedicated to promoting cybersecurity among EU citizens and organisations, therefore, it is an appropriate time to be here.

The European Commission published a joint communication on the EU's cybersecurity strategy for the digital decade last December, just under a year ago. The latter aims to bolster Europe's collective resistance against cyberattacks and threats and ensure citizens and businesses can fully benefit from trustworthy and reliable services and digital tools. The strategy includes a proposal for the revision of the directive on measures for high common levels of cybersecurity across the Union, which is the network and information security directive or NIS 2, and a proposal for a new directive on the resilience of critical entities.

The original directive dating from 2016 has three parts, national capabilities, cross-border collaboration and national supervision of critical sectors. First, EU member states must have certain national cybersecurity capabilities and they must have a national cybersecurity incident response team and perform cyber exercises, etc. Second, we need to collaborate across borders. The strategy provides for that also. Third, member states have to supervise the cybersecurity of critical market operators in their country such as in transport, water, and health sectors. Obviously, the focus has been on health, but it must also be on the energy sector, as we saw from the recent incident in the US, and in the finance sector to ensure we have good measures in place. However, member states were quite slow to fully implement this directive and, therefore, the Commission proposed this new directive, a revision of the directive last year. That has just come through committee last week and I voted on it. Therefore, a new directive is in the offing. The question is: will it change things?

NIS 2 aims to strengthen cybersecurity capabilities and to have better information sharing and co-operation on cybersecurity crisis management at national and EU level. It provides for an all-hazards framework to support member states to prevent, resist and recover from disruptive attacks wherever their source may be. My group has strongly pushed for the need to develop those cybersecurity skills we all need, particularly to get better gender representation in the industry.

From January 2019 to April 2020, the EU Agency for Cybersecurity reported approximately a quarter of a million malware infections every day within the Union. Europol highlighted a notable increase during the pandemic in the number of ransomware attacks on public institutions and large companies. Europol’s Internet organised crime threat unit stated that targeting such institutions allows cybercriminals to increase the ransom amount and has noted a significant increase in attacks on governments such as healthcare and education, energy and transport systems. EU institutions and bodies as well as member states have been targeted. We are all aware of the attack six months ago on the HSE but in the same month there were two large-scale cyberattacks against public service organisations in Belgium. The first concerned Belnet, the network which serves third level institutions and research centres as well as hospitals and federal ministries. The federal internal affairs department was subjected to a cyberattack of such a scale that it raised suspicions of the involvement of a foreign state. Given the Vice Chairman's caveats at the start of this meeting, I am reluctant to name names but it is commonly known certain states outside the EU would appear to be the focus for our attention on these attacks.

In March, the European Council adopted a cybersecurity strategy. It states we need to have a network of security operational centres across the EU to both monitor and anticipate signals of attacks on member states and a common cyber unit to provide clear focus to the crisis management framework at EU level. It also promotes strong encryption standards while permitting law enforcement and judicial authorities to exercise their powers online and offline to prevent such cyberattacks.

To touch briefly on the new legislation, it insists that member states have national cybersecurity strategies, establish computer security incident response teams and appoint national competent authorities for cybersecurity.

We need to strengthen the security requirements of member states, address the security of supply chains, streamline reporting and introduce more stringent supervisory measures. We have an awful lot on paper but really it comes down to the individual member state to implement not only the first directive from five years ago but the new directive when it comes into force. This is where the critical weakness is. It is about the implementation of the directives at member state level.

It is not just about the EU or the member state. It is also about ourselves. We need to be cyberaware. We tell our children not to get into a car with a stranger but all too often we click on the wrong link on our device and that opens up the pathway for a security breach. We are all guilty of simplifying things. In a world where half a dozen passwords are often needed in the course of a day we often take shortcuts. We need to practice better security awareness in our own operations. We are only as strong as the weakest link. We need to improve our own security. We need to do exercises at a member state level in the same way as our Defence Forces do physical exercises to prepare for attacks on us as a member state. At a cybersecurity level we need to prepare and share information and be ready for the next attack. It might not be on our health system. It might be on our energy networks. We are only as vulnerable as the weakest link and we have to take action to prepare for the next attack.

Photo of Ruairi Ó MurchúRuairi Ó Murchú (Louth, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I thank Ms Boix Alonso and Mr. Cuffe for coming before the committee. I hope I have pronounced the name correctly. I am fairly sure I got Mr. Cuffe's name right.

We all accept the reality of the world we live in and the dangers as regards cybersecurity. The ransomware attack on the HSE brought it absolutely home to us. My question breaks into a number parts and, in fairness, the witnesses have dealt with some of them. I am looking for a greater amount of information. We all accept it is down to capacity and, of course, we all work better together. However, it fails miserably if nobody follows through on implementation, particularly as regards where the directives are at this point in time.

There is capacity at State and EU level. There is international engagement. We have had enough people and experts throw out commentary on certain states where there may be operations that almost operate on a subcontractor basis. While they are not necessarily within the employ of the state, they can be brought into action. We even heard commentary that they were generally given operational rules not to touch anything infrastructural on the east coast of the United States or anything that brings too much heat. I assume the ransomware attack on the HSE might have been one of those things where they bit off more than they could chew and could be the reason keys were handed over.

We suddenly became aware of the number of companies paying off money, including to avoid reputational damage. There was a report out a while ago that stated €22,712 was the average payment made. For small and medium enterprises this is not nothing. In many cases I do not think people got all of their information back. I suppose it was a case of mitigating harm from their point of view.

We have the capacity at localised level. We have had the National Cyber Security Centre, NCSC, review here. We were not up to scratch. We would like to think that in future we will have a greater element of capacity. This is accepting that it will always come down to the best level of digital hygiene that can be employed, whether at an individual level or a group level. This is an absolute no-brainer.

What do the witnesses see as regards the joint cyberunit? What will be its remit? I have a slight fear. We all accept the necessity to secure ourselves from cyberattack. The problem with this is that it has become conflated with general defence, a European army and these wider questions. This is something that has to be separated. This is not taking away from the absolute danger.

We have experts in the State who said the NCSC should probably have made greater use of the expertise we have in third level institutions. People have been running courses on cybersecurity over many years and have much more expertise than an awful lot of others. My question is on long-term proposals for what the unit will do and how we ensure we have and maintain best practice and capacity at a localised level. Some experts have spoken about an ability to disrupt. I will use the term "counterstrike". This would be in the middle of an attack.

There is also the issue of what we intend to do on an international basis from a legislative point of view or in conversations with certain states and certain players. We have all heard anecdotal stories on members of certain elements of the US Administration that may have made their voices clear to certain of these players. This is not something I would anticipate happening at European level. I apologise for the circular way I have asked these questions. It is about the unit and state and international capacity. It is what we do on an international basis. I would like a bit more detail. I thank the witnesses for their commentary.

Ms Lorena Boix Alonso:

I thank the Deputy for the very good questions and analysis. I will begin with the question on whether there is an issue with implementation. There is an issue with the nature of the NIS directive. A number of sectors are included and it is up to member states to decide which companies to identify. We are in the hands of member states. This is why we decided to propose a revision of the directive. We were facing situations where some member states, including Ireland, had identified, for example, a huge number of hospitals in the health sector. Other member states had not identified any. This was not ideal for merging. This is what we are now trying to fix with the new NIS directive. All of the sectors identified will be extended and companies will be covered automatically and, therefore, subject to these obligations. The nature of the legislative technique will make a difference. That being said, what is clear and what has to be acknowledged is that we constantly receive input, including in the context of the negotiations, from member states complaining they do not have sufficient resources. This is not something I can evaluate because I do not have the exact picture. The solution we propose is to have an overview in the new directive. It is very valuable to know the amount of money, and let us hope it is only money, that is being lost due to cyberattacks.

Are we putting the right resources into cybersecurity at all levels? That may include ourselves in the European Union in that. This is a very valid idea which probably goes beyond purely implementing legislative acts.

On ransomware I do not have much to add. Of course, under the NIS directive if there is an incident there is an obligation to notify if one is covered. A different thing is the whole debate about communicating payment or non-payment. Again, that is also a very valid debate.

The Deputy's main question was about the joint cyber unit. What is the joint cyber unit? My first answer is that the joint cyber unit will be what member states decide they want it to be. The European Commission is perfectly aware that this is a subject where there is a lot of sovereign power of member states, which is why the Commission came with our recommendation on a process to set up the joint cyber unit. This would then go to the Council to be blessed. In a way we said this is our proposal and left it up to the member states to decide.

The idea that we have is basically to set up something that to date has not existed. There is a gap. The gap is that right now there are a number of different communities, including the international community with the cyber toolbox, the law enforcement community and the civil community. Very often large-scale incidents happen together because it is not only a civil attack but a criminal attack. As the MEP correctly said, very often it comes from third countries so there is an international angle and sometimes a different angle. What we are missing today is a structure, a network, a one-stop shop, that is, a single point of contact. It can be defined in many different ways but it is a way to co-ordinate all of these communities when something big happens.

What are the advantages of having a joint cyber unit? Of course, the idea is to have well-defined roles and responsibilities so that if something happens, everybody knows who does what and whom to call. There would be a crisis response plan to a cybersecurity incident. There would also be constantly updated information and situational reports because the entire community would have the same information. The Deputy rightly asked about these cybersecurity rapid-reaction teams that we propose. The idea is not at all to create an army. The idea was very much like what we have today in the civil protection mechanism, the civil reaction teams. For example, during the summer there were fires in many member states and those member states that had capacity available helped member states that were in trouble if they so wished. The request for help is voluntary. That is basically what we had in mind and these are the types of ideas that are currently being discussed with member states.

Mr. Ciarán Cuffe:

As a committee charged with the oversight of European Union affairs, it might be worthwhile to look at the process of implementation of directives by member states. It seems clear that the weakest link is the implementation of the directive. I am not familiar with the operation of the computer security incident response team here in Ireland. I do not know how many people are employed in this area. However, as a test case it might be useful to quiz those people on the staffing they have and what exercises they perform. We could even look closer to home to the Houses of the Oireachtas Commission, which has charge of the IT systems in these buildings. We could use it as a test case for what kind of readiness or exercises are in place.

I am mindful that cybersecurity in Ireland also has a non-EU component. Our energy grid is managed by EirGrid, which manages the electricity grid in the North of Ireland as well as in the South. It is important to think about the challenges that emerge from these issues of semi-State agencies having joint jurisdiction over this member state and over part of a foreign state. That might also be worth dwelling on.

In Brussels, we are providing the framework for member states to fill with the staffing, finance and oversight that is required. Perhaps it is a good exercise for the committee to interrogate that in the Irish context to see if we are ready.

Photo of Ruairi Ó MurchúRuairi Ó Murchú (Louth, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

May I-----

Photo of Brendan HowlinBrendan Howlin (Wexford, Labour)
Link to this: Individually | In context | Oireachtas source

We will try to get everybody in first and then we will come back for a second round.

Photo of Neale RichmondNeale Richmond (Dublin Rathdown, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I thank both the witnesses for their very enlightening opening remarks. I want to drill down on two areas, one a bit more parochial than the first. Ms Boix Alonso alluded to the first one, which relates to working with partners throughout the world. Cybersecurity strategy includes a programme of action in the UN. What form has that engagement taken? Where is the discussion at? What sorts of insights are there for enhanced engagement?

My second issue is a bit more practical and relates to the cyber resilience Act planned for late next year. I understand the purpose of the legislation is to introduce common cybersecurity standards for connected devices. How will it address any gaps left by the Council's and Parliament's NIS 2 proposals? Will it come soon enough to address these gaps?

Ms Lorena Boix Alonso:

What Mr. Cuffe said on making sure the resources are in place was very interesting. A system of peer reviews would help. I am comfortable with the negotiations with member states, but it is something that would help.

On the United Nations, our colleagues in the European External Action Service are dealing with it. We are very much engaging with the United Nations. We consider that this is extremely important. These things are delicate. The engagement and co-operation with like-minded countries is always easier and there is a lot of engagement, as the Deputy knows. Recently the United States in particular regarding ransomware launched a big call to work together and we are basically working with all like-minded countries. We have a number of cyber dialogues with them. Of course, it is more delicate with other non-like-minded countries. Voila. In particular on the UN convention, we are engaged in the push for norms of behaviour in cyberspace and also on the Budapest Convention where we are quite advanced. It is going well there.

On the cyber resilience Act and what would be the complementarity with the NIS directive, basically we are dealing with two different things. The NIS directive is about the obligations on companies to report, notify and take certain security measures on incidents, and the monitoring and enforcement tools. We are at the exploratory phase of the cyber resilience Act.

What we are exploring at this stage is the gap that exists in the current legislative framework in respect of products and services that are put on the market. Right now, what we have are very scattered sectoral pieces of legislation that deal with specific products and very often deal with security without necessarily having cybersecurity in mind. We have launched a study that we are closing now that has performed this exercise of identifying the current gaps. Those gaps are that we do not have anything general that would cover those products and services that are connected and, therefore, as the President of the Commission has stated, are subject to being hacked. That relates specifically to their cybersecurity. This is the analysis we are doing now. We will see whether these Acts should cover more or less than that but, right now, this is the analysis we are doing.

Photo of Lisa ChambersLisa Chambers (Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank Ms Boix Alonso and Mr. Cuffe. It is good to see Mr. Cuffe back in again. This is my second day in a row of engaging with him. Both our guests referred to the level of attacks that are currently being experienced. Ms Alonso stated that there is an expectation that we will see a fourfold increase in 2021, as reported by the European Union Agency for Cybersecurity. Mr. Cuffe pointed to the highlighting by Europol of a notable increase in attacks on public institutions. That is quite alarming. It sounds as though a degree of urgency is required on this matter. The revised or updated directive is very welcome, but it seems to be more a medium-term plan. What is being done right now at European Union level to deal with what appear to be attacks that are happening today and will happen tomorrow and the day after that? What is being done to increase supports for member states and in terms of co-ordination at EU level to deal with these ongoing attacks? I genuinely was not aware how large-scale the problem was and is, or the rate at which it is increasing. That is quite alarming. We certainly need to get that information out to citizens in member states because it will generate broader supports for what our guests are trying to achieve in terms of the directive.

Mr. Cuffe referred to the original directive and what was required of member states. I am not sure if he has this information to hand. He referred to the requirement for member states to have certain capabilities at a national level. I ask our guests to comment on that. Where is Ireland at in that regard? How well did we do in transposing the directive and meeting the minimum requirements for member state capabilities under the original directive? I am trying to figure out what gap we need to close in order to get to where we need to be. Ms Boix Alonso and Mr. Cuffe both referred to the HSE attack. It has focused minds here and brought home to every household how important this issue is and how much it impacts on all our daily lives. It is tangible. If we can take any positive from what happened, it is that it will allow us to respond better to future attacks.

Mr. Ciarán Cuffe:

The dreadful thing about being a Member of the European Parliament is that we pass the directives but we do not receive sufficient feedback on their implementation within member states. That is certainly the situation in the case of the committees on which I sit. However, I note that, anecdotally, several State agencies draw attention to the risk of cyberattacks. Each year, Irish Water drew attention to the critical risks to its infrastructure in delivering drinking water to the public, industrial users and the IT sector. All it would take is for one or two pumps to be taken over to dramatically damage the resilience of our entities. There may be a role with regard to quizzing the institutions in Ireland that have responsibility for implementing those directives.

In addition, we are seeing an extraordinary increase in the number of connected devices. The Internet of things is taking over the world, from washing machines to teddy bears, and we need to educate citizens on good practice in the context of cybersecurity. As I was leaving Brussels last week, I noticed a big billboard advertising cybersecurity month, but I do not know whether that permeated through to national campaigns or campaigns within organisations such as this one or State bodies. In a world that is increasingly connected and where, due to the pandemic, many people are working remotely, the IT links we have are crucial to carrying out our daily work, so it is important that the committee ensures the resources are available at a national level to make sure that we are cyber vigilant, that exercises are carried out and that there is in the public domain a report on the main bodies in Ireland and how well they are performing. Just like the generals fighting the last war, next time it probably will not be the HSE that is under attack, but it could be the energy networks that keep the lights on or the water coming out of taps or the infrastructure that allows us to appear in committee rooms. There is a need to hold public bodies in particular up to scrutiny.

Ms Lorena Boix Alonso:

I agree with the Senator that it is worrying. I am not going to hide the fact that it is a worrying situation. A significant number of actions are already being taken under the current legislative framework. For example, I mentioned what happened in the case of the Irish incident. We have the sister network of all these entities at national level, which did act in that case. Whenever there is an incident, the network exchanges information and, if requested, provides support. We have the cyber crises liaison organisation network, CyCLONe, which is more at a political level or between political and operational levels. It is already active and compiles reports on incidents so that lessons can be learned. At the level of the current directive, we have the network and information systems, NIS, co-operation network, through which there are many discussions ongoing to learn from each other and strengthen implementation.

I did not mention it in my opening statement, but there is certainly a need to increase and improve the capabilities at member state level. Unfortunately, the level of investment in Europe in cybersecurity is not yet comparable with that of certain third countries. The first calls will be launched next year under a new digital EU programme that is devoting approximately €3 million to support capability. It is not research; it is really going to the deployment of technologies. We will launch the first calls next year. We are doing what we can to help and support member states. In the context of the resilience fund, we strongly insisted that member states dedicate part of that money to reinforcing capabilities. Many of them have gone in that direction. As regards international co-operation, as I mentioned, several dialogues are taking place with third countries and we are co-operating. A lot is being done now and more will be done in the medium to long term.

As regards the level of implementation by Ireland, as I stated, the current directive has been implemented, but to say whether Ireland has implemented it well or poorly is not so easy because it is very much left in the hands of member states. That is what we are trying to fix. I know that when the incident happened, the health authorities were covered and had been identified by Ireland.

I know that in Ireland a lot of exercises are taking place. Therefore, I would not say that Ireland is not implementing the strategy well. As I said before, a particular country can do a lot of exercises. For example, in hospitals, we do cybersecurity exercises. However, if the investments are not there and as a result, the capabilities are not there or if the relevant authorities do not take the responsibility, things do not happen. It is another issue that we are trying to fix in the new directive. We are trying to ensure that the management of companies and institutions take responsibility for adopting measures. A country can do a lot of exercises, but when the moment arrives, things do not happen. That is not for Ireland but generally, certainly, every member state can do much more.

Photo of John BradyJohn Brady (Wicklow, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I welcome the guests to the committee today. This area is fascinating and is one that needs serious attention and focus, given our recent experience of cyberattacks. We have seen how it has decimated Ireland and our health service. There is a fear that it could be replicated very easily in other areas. I listened with interest to the opening statements and the responses to some good questions. Certainly, Ireland has a responsibility to develop a cybersecurity strategy alongside all of our EU counterparts, but it is only as good as the resources available to back up that strategy. Indeed, looking at the capabilities and responsibilities at a national level, I have some concerns around our responsibilities. I want to hone in on one area in particular, and concerns I have with regard to one of the key pillars in terms of us as a country and a State living up to our responsibilities, namely, the Defence Forces.

There are serious difficulties with the recruitment and retention of Defence Forces personnel. Looking specifically at the Naval Service, there are massive issues there in terms of recruitment and retention of. I also sit on the Oireachtas Joint Committee on Foreign Affairs and Defence and we recently visited the naval base at Haulbowline, County Cork. We listened to the concerns raised by members in all ranks within the Irish navy in respect of the recruitment and retention of staff and how it is impacting on their role and responsibilities. Obviously, they are tasked with a number of responsibilities in policing Irish waters, not just in terms of fishing, but also in policing the multitude of transatlantic data cables that pass through Irish waters off the southern coast, serving all of Europe. I imagine that Ireland must be the first line of defence for those cables that serve not only Europe, but Ireland as well. We have a domestic responsibility and a European responsibility to police those cables.

The concern is that currently, out of a fleet of nine ships designated for policing what is a massive maritime area that is ten times the size of the landmass of Ireland, only one is at sea due to a multitude of reasons and ongoing issues within the Naval Service, including the retention of members of the service. Looking at the fleet of nine ships of which only one is at sea, they have a responsibility to police not just what is at water level, but everything that is above that and, probably more importantly in this case, everything that is below the water level. We do not have sonar capabilities in our fleet, so we are absolutely blind as to what is going on under the water. Concerns were highlighted last August when what was described as a foreign spy ship was alleged to be monitoring some of these critical cables off the west coast of Ireland. All we could do was to monitor that ship; we could not see exactly what it was doing under the water, or whether it was attaching any devices to any of the cables. I imagine that is quite concerning. When we talk about capabilities and responsibilities at a national level, do the witnesses view that as a concern? For me, it is a very serious concern, given that in my mind, we are the first line of defence. We can talk about all of the other issues further down the line, but if we cannot police at that very basic level, it is of serious concern.

The other issue I wish to raise, which was touched upon quite extensively by Mr. Cuffe, concerns cybersecurity for consumers. It is a key area of concern. Mr. Cuffe outlined all of the activity that consumers and children do online etc. I certainly believe that there needs to be a massive campaign in this area, both nationally and across Europe. Mr. Cuffe spoke about cybersecurity week at a European level. I do not think that was picked up here in Ireland. I imagine that very few people know about that awareness campaign here in Ireland. I am aware of the Webwise initiative that is rolled out by the Department of Education, which is tasked with giving parents, teachers and children the tools around cybersecurity. I am not sure how well that initiative is resonating with people. I am probably showing my age but I refer to the campaigns on road safety and the green cross code. Perhaps some of the other committee members will be aware of those campaigns. I am sure some of them will remember the song that went along with the campaign. The campaigns resonated and stuck with people in respect of safety issues around roads and how to cross roads etc. There is no campaign that delivers that powerful message not just to young people, but to people right across the board in terms of the security, their responsibilities as consumers and how to use the online world safely. Serious focus within our own national strategy must be placed on how we are going to get that message across. Going back to the core point, there needs to be national campaign with the resources behind it to promote it and ensure that when people go online, the message of "security, security, security" is there. The areas that I wanted to touch upon are the national responsibility of the Irish State, the failures, as I see them, around its primary responsibilities in cybersecurity, and at the other end, the consumers and the need for a comprehensive campaign around cybersecurity.

Mr. Ciarán Cuffe:

I thank the Deputy. Certainly, in my own submission to the Defence Forces public consultation on the future of the Defence Forces, I mentioned cybersecurity and stated that it will be a core competency of the Defence Forces in years to come. In fairness to Vice Admiral Mark Mellett, the former head of the Defence Forces, he has spoken at length about cybersecurity threats. The Defence Forces are aware of the issue and I am sure they would like to have more resources to address it.

I am aware of the incidents to which the Deputy referred. There have been incidents where foreign submarines have been located beside undersea cables with aircraft circling overhead. It is like something from James Bond movie. The worry is that foreign powers are stealing data from these cables. We do not have the capability to have complete oversight, particularly when these cables are in international waters.

Whatever about international ICT cables, we will be more dependent on energy networks connecting us to other EU member states. We are already connected to the UK but the Celtic interconnector will connect Ireland to France. A Norway-UK cable opened within the past month. This interconnectivity is happening at an increasing rate and it is hugely dependent on ICT to ensure that these entities operate correctly.

Even closer to home, I remember when a water pipe broke in Dublin and I asked the team repairing it what happened. They told me somebody clicked the wrong button on a pump and the pressure built up. We are really dependent on a secure ICT system to deliver the day-to-day services on which we depend. Every branch of Government must focus on ensuring it is ready for the most severe threats that are out there and that will increase.

Ms Boix Alonso alluded to the need for umbrella legislation at European level to cover all consumer items that are connected and I see a gap there which may be addressed within the European institutions in future years to ensure that any new device has certain levels of protection that are easy to understand for the consumer and that will stop unwanted intrusions into connected devices elsewhere.

Ms Lorena Boix Alonso:

There is not much I can add. Technically, submarine cables are covered by the NIS directive. Is it enough? That is a different question. I am perfectly aware of the issue and debate around it. Defence considerations are beyond my remit because I am dealing with civil matters, but our president is very aware of these issues. She insisted on them in her state of the union speech. We are very much in contact with our colleagues in the Directorate-General for Defence, Industry and Space, DG DEFIS, dealing with defence, on the need to push a cyber defence strategy. We are certainly discussing those issues with the colleagues in DG DEFIS because there are clear synergies in these fields.

The Deputy mentioned the issue of skills. I reassure him that things are being done on the issue of skills on two different fronts. Two types of skills are needed in the cyber area. One is the basic cyber skills whereby people know and are aware where attacks could come from or how to identify phishing and things like that. Those are the basic cyber skills. There is also the extremely worrying subject of specialist cybersecurity. We have a huge shortage of those skills, not only in Europe but in the world. There are not enough specialists. We need to keep up our knowledge because the nasty guys and girls are becoming extremely sophisticated. Those are the two types of skills we need to deal with, and the Commission is doing so now, at least from the point of view of funding. In the digital EU programme that I mentioned before, there is money available for universities and workforces to help in specialisation and providing specialist courses on cybersecurity. We are acting to try to cope with the gap. We must also act on basic cyber skills. As was mentioned before, we had cybersecurity month. Within the competence and education we have, we try to take action but there is certainly an issue around both basic cyber skills and specialist cyber skills to cope with the level of sophistication we are facing right now.

Photo of Sharon KeoganSharon Keogan (Independent)
Link to this: Individually | In context | Oireachtas source

I thank our guests for their presentations. I have a couple of questions, one of which has been addressed by Ms Boix Alonso in her consideration of the skills shortage and how we are going to combat that. That will be one of the biggest challenges we will face in cybersecurity. We must find the brightest and the best for our teams both nationally and at a European level. One of the projects on which we worked together is the EU digital Covid certificate. It has been a large, collaborative project and more than 800 million people have Covid certificates. What measures has the EU taken to avoid cybersecurity attacks on the management of that particular system? Perhaps our guests can reassure us in that regard. If we cannot get that right, we will not be able to get any other critical infrastructure right, whether that is to do with water, health or finance, including the mooted digital euro project which is due in the next number of years. The Covid certificate project is a pilot project for the digital sphere and I am wondering what cybersecurity measures have been taken to ensure the system does not get hacked.

Ms Lorena Boix Alonso:

I thank the Senator for the question. I appreciate it because from the technical side, the EU Covid certificate was done by my team. The beauty of being the director of a directorate that deals with cybersecurity and e-health is that you can put the two teams together. Privacy was very much taken into account when designing the system. The fact that the EU Covid certificate is the only certificate today that is available in the world across borders is precisely because it was conceived from the outset to take into account security and data protection. It was decided together and that is why it has been such a big success. We did not even wait for the legislative proposal to be on the table, even less to wait for the close of negotiations, to put the system in force. It was a beautiful joint project.

It was, from the beginning, foreseen with a gateway. The gateway, which is managed by a contractor, is centralised by the European Commission. The certificates are done with a digital and electronic signature so that it cannot be faked. It is not like a PDF, which can be faked from home. The certificates need a digital signature. It is done in a way which requires a private key and a public key, to be a bit technical. If a person does not have both keys, he or she cannot create or read a certificate. That is the secure way we did it. I assure the Senator it is working. She will have seen fake certificates in the press. There are certificates in the name of Adolf Hitler or Bob l'Éponge. There are all types of unpleasant jokes. In those cases, it was not a result of a hack or an attack. Those cases are, unfortunately, because somebody who had the right to validly issue certificates made fake certificates. It has, fortunately, only happened in a few countries, but it is a criminal act. It has, in some cases, been a doctor with the power to issue a valid certificate who has issued these fakes. The system has not been hacked, for the moment. It is working. It has been, unfortunately, at member state level where some unpleasant people have abused the system. We are now working on a centralised system for revoking those certificates.

What is done in those cases, and what has been done, is revoke the certificates. We are working to see whether we can make the revocation system even more efficient. This system aside, we have weekly meetings with the contractors to analyse every possible incident and act accordingly. I reassure members of that. Could something worse happen? I do not know. I cannot commit to saying it will not but every measure is being taken and, for the moment, it has not been cyberattacked.

Photo of Brendan HowlinBrendan Howlin (Wexford, Labour)
Link to this: Individually | In context | Oireachtas source

I thank Ms Boix Alonso for that strong reassurance. As no member is indicating, I will ask a question. It concerns parliamentarians, democrats and civil society across Europe and the integrity of our democratic system. We have seen interference and hacking in various elections internationally. There are a lot of data and we have seen inquiries into the matter in the United States. There are grave suspicions of interference in referendums in the United Kingdom. How focused is the European Union at Parliament and Commission level on protecting the integrity of our electoral systems and democracy? What measures are in play to ensure upcoming elections across the European Union are safe from external or internal interference?

Mr. Ciarán Cuffe:

From the parliamentary representative perspective, Members of the Parliament monitor elections mainly beyond the EU's borders. I have done a training exercise for that. Increasingly, the focus of election monitoring is on the electronic side. There is monitoring of social media and the integrity of the ballot box. As some elections move more online than is our experience here, we increasingly need IT skills to understand what is going on and safeguard the process. It will require a new set of skills for those of us interested in the monitoring process. I imagine the European Commission is also moving with the times and ensuring its skill set changes on this. I will leave it up to Ms Boix Alonso to answer on that side of it.

Ms Lorena Boix Alonso:

It is an important question. We have, as was mentioned, our CSIRT for the institutions that works on the cybersecurity of EU institutions. I can give that reassurance. As was mentioned, we do exercises and a cyber exercise was done in 2019 for the European elections which was a success and went well. We also have a compendium on election cybersecurity which is a practical tool for national election authorities. For the European Parliament and national parliaments, we are trying to invite help and support.

Photo of Brendan HowlinBrendan Howlin (Wexford, Labour)
Link to this: Individually | In context | Oireachtas source

I thank both witnesses for their interesting and wide-ranging contributions and answers to a broad spectrum of questions. This is the first engagement on this important topic for the committee. The witnesses have indicated avenues of further scrutiny in which we will be involved. It is our intention to produce a report at the end of our discussions and deliberations. I thank the witnesses for helping in that process.

Mr. Ciarán Cuffe:

Thank you, Chair.

Ms Lorena Boix Alonso:

Thank you very much.

Photo of Brendan HowlinBrendan Howlin (Wexford, Labour)
Link to this: Individually | In context | Oireachtas source

As I indicated, the visit, in person, by Members of the House of Lords next week has been deferred but we will have an online virtual meeting with the House of Lords committee. That will take place next Wednesday at our normal time of 9.30 a.m.

The joint committee adjourned at 10.56 a.m. until 9.30 a.m. on Wednesday, 10 November 2021.