Oireachtas Joint and Select Committees

Wednesday, 3 November 2021

Joint Oireachtas Committee on European Union Affairs

EU Cybersecurity Strategy: Discussion

Ms Lorena Boix Alonso:

I thank the Senator for the question. I appreciate it because from the technical side, the EU Covid certificate was done by my team. The beauty of being the director of a directorate that deals with cybersecurity and e-health is that you can put the two teams together. Privacy was very much taken into account when designing the system. The fact that the EU Covid certificate is the only certificate today that is available in the world across borders is precisely because it was conceived from the outset to take into account security and data protection. It was decided together and that is why it has been such a big success. We did not even wait for the legislative proposal to be on the table, even less to wait for the close of negotiations, to put the system in force. It was a beautiful joint project.

It was, from the beginning, foreseen with a gateway. The gateway, which is managed by a contractor, is centralised by the European Commission. The certificates are done with a digital and electronic signature so that it cannot be faked. It is not like a PDF, which can be faked from home. The certificates need a digital signature. It is done in a way which requires a private key and a public key, to be a bit technical. If a person does not have both keys, he or she cannot create or read a certificate. That is the secure way we did it. I assure the Senator it is working. She will have seen fake certificates in the press. There are certificates in the name of Adolf Hitler or Bob l'Éponge. There are all types of unpleasant jokes. In those cases, it was not a result of a hack or an attack. Those cases are, unfortunately, because somebody who had the right to validly issue certificates made fake certificates. It has, fortunately, only happened in a few countries, but it is a criminal act. It has, in some cases, been a doctor with the power to issue a valid certificate who has issued these fakes. The system has not been hacked, for the moment. It is working. It has been, unfortunately, at member state level where some unpleasant people have abused the system. We are now working on a centralised system for revoking those certificates.

What is done in those cases, and what has been done, is revoke the certificates. We are working to see whether we can make the revocation system even more efficient. This system aside, we have weekly meetings with the contractors to analyse every possible incident and act accordingly. I reassure members of that. Could something worse happen? I do not know. I cannot commit to saying it will not but every measure is being taken and, for the moment, it has not been cyberattacked.