Dáil debates

Wednesday, 16 November 2016

Ceisteanna - Questions

Cyber Security Policy

1:45 pm

Micheál Martin (Cork South Central, Fianna Fail)

3. To ask the Taoiseach the position regarding IT security in his Department. [33803/16]

Enda Kenny (Mayo, Fine Gael)

My Department depends on its information and communications technology, ICT, systems to perform virtually all of its functions. It is vital, therefore, that those systems are securely managed. To that end my Department has developed security policies and procedures and put in place safeguards to mitigate the threats and risks as far as possible. Policies and procedures cover a wide range of issues, including access to the Internet, e-mail usage, mobile device and remote access arrangements and password and other user authentication requirements.

IT security is taken very seriously in the Department not only in the IT unit, but across the organisation. A new security awareness training programme has recently been piloted and it is planned to roll out this training to all staff in the Department in the coming months.

My Department uses industry-leading security products to filter e-mail and web traffic to automatically stop spam, viruses and other malicious agents from infecting the network.

My Department maintains ongoing contact with the computer security incident response team, CSIRT-IE, in the national cyber security centre, which provides regular guidance and advice relating to current Internet security alerts and threats. Prevention and mitigation measures recommended by the CSIRT-IE are reviewed as soon as they are received and, where appropriate in our IT environment, implemented.

The Deputy will appreciate that many IT security measures are quite technical in nature and officials in my Department with the necessary skills, knowledge and expertise provide ongoing appropriate support to me and the staff in the Department in this regard.

Micheál Martin (Cork South Central, Fianna Fail)

I thank the Taoiseach for his comprehensive reply. This is a very serious issue. For some years other member states of the European Union have been subject to ongoing cyber intimidation. In the case of Latvia, a Russian-based attack brought down the country's Internet and paralysed official business. This year, we have seen a serious escalation in the use of cyber intimidation between countries. There was a time, perhaps, when leaks were justified on the basis that they involved whistleblowing or the revelation of hidden illegal activity, but now it appears to be about intimidation. Even Edward Snowden has condemned the approach of publishing anything and everything, including outing people in countries where to be outed might threaten one's life.

It is striking that all of the attacks have been directed against countries with free elections and high levels of personal freedom. It appears that the online crusaders have no interest in tackling authoritarian states, which has been evident over the past 12 months or so. Given that, we cannot expect to be isolated from such developments. The Taoiseach indicated that his Department has a strong awareness of this and that it is using the highest industrial standard to ensure IT security, given how much essential Government business is now done online. I take it that applies across the Government. At European Union level, is the Government sharing and engaging with other member states on experiences with breaches of IT security? Has there been engagement with the United States in this regard? During the recent presidential election there were extraordinary assertions and allegations about, for example, the hacking of Democratic Party headquarters by other countries. I cannot validate or confirm the veracity of who did what but, nonetheless, there appears to have been an unprecedented involvement or engagement by others through the IT networks to undermine people's reputations.

The volume of e-mails between personnel in Democratic Party headquarters that was put into the public domain is quite striking. People were having what they thought were bona fide honest, thinking conversations and every item was subsequently hacked and made available. The act of the revelation, as it were, became secondary to the revelations because the content was considered juicy or interesting enough not to worry about how it had got into the public domain. What was important was the content, despite the fact that, in life, people have conversations in which they think things through. Before such technology ever existed, one might be in a room with three or four other people to talk through an issue with them. One might ask: "Should we do X, Y or Z?" That is an important human process. The degree to which privacy is out the window in that respect is retrograde in my view. However, it shows what can happen. In the context of elections and free democracies, the democracies are the most vulnerable in these scenarios. Authoritarian states can suppress the Internet in some aspects and can take steps to protect the citadel, so to speak. Democracies are far more vulnerable.

Cyber warfare is now a new part of engagement. It can wreak huge economic damage, as entire systems can be shut down. That happened recently with various services. Without any use of conventional warfare, it can do enormous damage to economic life and the quality of life of many citizens.

Has there been an international engagement by the country, by the Taoiseach's Department or others in government, with the American experience with other democracies in Europe and further afield across the globe? The evolution of it has the potential to do untold damage and hold countries to ransom if it continues at the current pace.

1:55 pm

Enda Kenny (Mayo, Fine Gael)

The Deputy has raised an issue that is probably beyond the competence of most people to deal with, unless they are experienced in electronics, IT and security systems. I take the view that anything that is put into the cloud is retrievable. Most governments and companies, when they put their information on the Internet and the cloud, find that the problem is how to protect themselves. The Deputy is correct that governments and many major security elements of governments have been attacked. It happens mostly in democracies. There has been evidence of attacks in certain places in Ireland. Regarding security in the Department of the Taoiseach, information is never released in respect of any attacks, given that it would lead to those who conduct such business. There are only two websites that provide information from the Department of the Taoiseach, namely gov.ie and merrionstreet.ie.

The Minister of State, Deputy Dara Murphy, looks after questions on EU data protection regulations and implications for IT security. In my time at European Council meetings there has never been a discussion about governments being attacked, although officials may be in contact with each other. The new general data protection regulation comes into effect on 25 May 2018, with the aims of strengthening citizens' data protection rights, harmonising data protection legislation across the EU and updating the law in line with advances in digital technologies. It brings obligations on public sector data controllers, including in the area of security. The interdepartmental committee on data issues, which is chaired by the Minister of State, Deputy Dara Murphy, is supported by my Department and the Department of Justice and Equality. It is an important part of Government Departments in preparing for the implementation of the new data general regulation.

The computer security incident response team is the operational role of the Department of Communications, Climate Action and Environment, and it encompasses the State's national governmental computer security incident response team. It seeks international recognition with peers in respect of Government and national CSIRT communities so it can effectively undertake its work on situational awareness and incident response. It focuses initially on the State sector and acts as a national point of contact. The National Cybersecurity Strategy 2015-2017, published in 2015, is a high-level policy statement from the Government announcing and acknowledging the challenges with facilitating and enabling the digital economy and strategy.

While I can manage the fundamentals of the iPhone, I could very quickly get lost in many of these fields. There are those who would be able to give so much more information about firewalls and how attacks can be presented. One of those security people told me it is like breaking into a house, in that if a person gets in the front door, the entire house is open. Many companies have to block off each room individually, so if the firewall is breached, there are other security elements in place. This is way beyond my knowledge or understanding. I am a mere citizen with a scope that is appropriate to myself to write and send messages and receive phone calls and so on. I am not an expert in this field, and I admit it.

Micheál Martin (Cork South Central, Fianna Fail)

I commend the Taoiseach's humility and I join him in saying that I am not an expert either. We do not need to know the detail. It is a very big issue. Years ago, when I was the Minister with responsibility for enterprise, McAfee came to Ireland and the McAfee view was that it was protecting against viruses. The managing director told me he thanked God that there were people out there creating viruses, given that he would not be in business otherwise. It was a very striking comment. Most of us would not have a clue about how people penetrate firewalls, and this is one of the great problems with modern technology. People who are interested have the wherewithal, capacity and knowledge. The problem is serious regarding energy systems and the operation of society in that a country could be closed down by a concentrated cyber attack. This is modern warfare. If a person does not like us or a country does not like what we are saying, we could get a wallop without even realising it. This is the sinister dimension. The Taoiseach said it had not been discussed among EU member states. I presume we should be open to international collaboration and discussions on it, given that we could learn from others whose security has been breached.

Enda Kenny (Mayo, Fine Gael)

The Deputy is correct. There must be international collaboration at government level on these matters. Given the Internet of things, the way the car industry has moved and the advances being made here digitally, if a car is stolen, the company can disable it from anywhere around the world. All these changes bring advantages and challenges. We need to apply the same to the aviation industry. The Deputy can understand the necessity of having secure methods of transmitting information and seeing that systems are not attacked; otherwise there could be catastrophic consequences. The point is valid.