Dáil debates

Tuesday, 13 December 2016

Ceisteanna - Questions - Priority Questions

Cyber Security Policy

4:00 pm

Micheál Martin (Cork South Central, Fianna Fáil)

3. To ask the Taoiseach if his Department has a policy on the use of unofficial e-mail accounts for official purposes; and if not, if his Department plans to have such an e-mail policy in the future. [38480/16]

Gerry Adams (Louth, Sinn Féin)

4. To ask the Taoiseach the protocols his Department has in place for the use of unofficial e-mail accounts for official purposes by him and Ministers of State in his Department. [39814/16]

Enda Kenny (Mayo, Fine Gael)

I propose to take Questions Nos. 3 and 4 together.

My Department has detailed ICT policies relating to the use of e-mail and the Internet which are provided to all staff. These policies also deal with software downloads, media device usage, remote access and the security responsibility of users. The existing policies do not explicitly ban the use of unofficial e-mail accounts for official purposes but they do stipulate that individuals using the Department's electronic media should handle their communications with the same care as with any other type of business communication.

These policies are being reviewed and consolidated, and text dealing explicitly with the use of unofficial e-mail accounts for official purposes will be included in the consolidated policy.

Micheál Martin (Cork South Central, Fianna Fáil)

I thank the Taoiseach for his reply. There appear to be conflicting accounts from his office on this matter. My understanding is that, as he said, the practice has been that he and the political staff of his Department are given access to encrypted communications on a limited range of devices, including laptop computers. The objective has been to control tightly how official documents and information are handled. The Taoiseach might indicate why he thinks there is a need to operate a separate account. Is this for personal matters? What steps have been taken to ensure that all documentation is preserved in accordance with the requirements of freedom of information legislation? Has the Taoiseach submitted his e-mails to any security review? Have the arrangements of his staff been reviewed?

The backdrop to this is the very strong, conclusive evidence of hacking against democratic Governments and political parties across the globe. We are in a new era. The core question is whether the existing system in the Taoiseach's Department and across Government is adequate to cope with the present challenges. Is there a need for people to be fundamentally brought up to speed on the present dangers or the capacity of other states and organisations not only to hack into and disrupt our systems, but also to obtain vital information to undermine aspects of State policy, for example, or to create political mischief? This is a very real situation and a new avenue for espionage and cyber-warfare. I endeavour to ascertain from the Taoiseach whether he is satisfied that our system is fit for purpose in the context of the challenges democratic Governments now face regarding the security of their IT systems, in particular in respect of e-mail accounts and so on. There is the official route of encryption of official documents and so on but also the separate matter of the use of unofficial e-mails. What is the Taoiseach's perspective on this?

Gerry Adams (Louth, Sinn Féin)

As the Taoiseach knows, the issue of hacking has hit the news recently as a result of allegations that the Russian Government has in some way hacked into the American Democratic Party computer system. The outgoing President has initiated an investigation into this. We read that more recently, in the past few months, there was a theft of millions from Tesco Bank in Britain, so there are a number of issues of concern in this regard. As I understand it, websites of different Government Departments have come under cyber-attacks in the past 12 months and there has been disruption of services, both for workers in the public service and for citizens who avail of online services. We now live in a world in which citizens rely on online services to apply for grants and medical cards, to complete tax returns and to do much more besides, so there is a possibility of personal information being accessed as this continues. As I understand it, the HSE, the CSO, the Department of Justice and Equality, the Courts Service and the Taoiseach's other Department, the Department of Defence, have all been targeted. I read that the Oireachtas network has been targeted as well. I tend not to pay an awful lot of heed to what the media reports, but it was reported that the Taoiseach used Gmail for official correspondence and that this was under review. It is also reported that he and five other Cabinet Ministers had personal information, including passwords, stolen by hackers who targeted the LinkedIn website. I do not know whether the Taoiseach wants to clarify any of these issues for the Dáil. Is he satisfied that enough is being done to ensure that Government IT systems are protected? Government policy does not, I understand, ban office holders and staff in the Taoiseach's Department from using non-departmental e-mail services.

Is that the case throughout all other Departments? The Taoiseach said this is being reviewed. If so, will the Taoiseach indicate the status of the review and when it will be concluded? Will we get a report on it in the House?

4:10 pm

Brendan Howlin (Wexford, Labour)

Obviously, all e-mails generated within the official systems within Departments sent to any e-mail address whatsoever are retained on the central servers and are amenable to being accessed for freedom of information purposes or any other purpose. There have always been concerns over the vulnerability of communications. Back 20 or 25 years ago the concerns would have related to telephones, mobile telephones and the hacking of mobile telephones and so on. I do not believe we are ever going to have a fool-proof system.

It was believed 20 or 25 years ago that any communication between Ministers here was always subject to oversight by GCHQ in Britain and the CIA. That was always a view. Whether that was true, I do not know, but it would be naive to think that sophisticated external intelligence agencies throughout the world would be unable to listen to any communication if they so wished.

The question of cyber-attacks and cyber manipulation represents a new dimension. Does the degree of priority or urgency correspond to the implications of revelations in the United States? I am not suggesting that those of us in this jurisdiction would be subject to the same focus applied by the Russian Government or any other government to the United States. Anyway, we need to take measures to ensure that, as far as is practicable, we have the best defences that technology can provide.

Enda Kenny (Mayo, Fine Gael)

I am advised that the situation is secure. However, given what we read internationally about what happens with WikiLeaks or whatever, is anything secure that is put in electronically? I note from correspondence in America that there were over 60,000 cyber-related attacks on the US Government last year. I have spoken to representatives of some of the companies in California and the United States generally. Cyber-attacks take place on their systems every day of the week. Many of these companies have continuously to employ people with a real interest who can look ahead at the challenges that will arise.

Deputy Adams asked when the review would be complete. I am assured that these things are fireproofed or fire-walled and safe. I am assured that the review and the consolidation process are almost complete. I expect that that new consolidated process will be completed by the end of January.

I have a private e-mail account that pre-dates my time as Taoiseach and which I use for personal correspondence or for party political correspondence that would not be appropriate to transmit on an official e-mail account from the Department. The Department has an official account for my constituency office for receipt of matters relevant to the Cabinet or the agenda in that sense. Sometimes I receive correspondence through that official e-mail address. If it is a matter that should be addressed to the Department or the Minister who might be concerned with it in an official capacity, I will send it off to the person concerned.

The private office uses a number of secure corporate e-mail accounts for conducting day-to-day business on my behalf, such as dealing with correspondence from the public or arranging events to be attended. My constituency office also has a secure corporate e-mail account. These accounts are managed by staff in my office and are only accessible on the Department's network. I also use a secure corporate e-mail account to enable officials to send me priority e-mails when I am out of the office. I can access this e-mail account on my mobile telephone or iPad. No corporate data, other than e-mail and calendar data, is accessible from these devices. All corporate data on the devices is encrypted. Both devices are protected through specialised mobile device management products.

The official e-mail accounts are only accessible by the Department's network in Government Buildings and remotely using official laptops and mobile devices. All devices issued to staff for remote access are fully encrypted and remote access to the network is only permitted from sanctioned devices using strong authentication protocols. Corporate e-mail is deployed on some telephones and tablets, but my Department's mobile security policy has to be deployed on the devices first. This policy controls a number of device settings, including enforcing the use of a complex passcode. Apart from e-mail and calendar data, no other corporate data is accessible from these devices. All mobile devices are managed using a leading mobile device managing product. In the event that a device is reported lost or stolen, a device-wipe signal is sent to the device to remotely remove all access to e-mail. My information technology unit also has the capacity to render the devices completely unusable.

The Department of the Minister for Communications, Climate Action and Environment, Deputy Naughten, has a unit dealing with security encryption and this particular area. The unit is being expanded for obvious reasons. It is going to be located in UCD separate from the Department. This initiative is already paying dividends by way of warning individual entities or institutions of a cyber-attack. Clearly, this is a specialised area. The issue is being addressed through the Department of Communications, Climate Action and Environment. The Department will have a unit removed from the Houses of the Oireachtas area and located independently in UCD, operated by personnel who are specifically focused on working on this area. The Department intends to expand those numbers again next year.

Micheál Martin (Cork South Central, Fianna Fáil)

The Taoiseach has confirmed that he has his own separate personal e-mail account. Is that correct?

Enda Kenny (Mayo, Fine Gael)

I have had it since before I became Taoiseach.

Micheál Martin (Cork South Central, Fianna Fáil)

Can the Taoiseach guarantee that it is the case that no Government business or material or material pertaining to Cabinet ends up in that e-mail system? Presumably, less security is attached to the Taoiseach's personal e-mail account than would attach to his Government related e-mail account. Can the Taoiseach clarify that? Is material that may go from one to the other sufficiently secure in the Taoiseach's private e-mail account? I presume the service is owned by a private company. Can the Taoiseach clarify that for us?

Penetration by hackers and other states has been acknowledged as has the ease with which they can penetrate people's accounts and so on. In parallel, there has been a headlong rush to move everything online and to put all manner of crucial information online, including financial information. Increasingly, Revenue operates online, banking transactions are going online and so on. It is somewhat paradoxical. We are telling everyone to do this while the security situation is not sorted. Gaping holes exist in terms of people's security. It is a wider issue of policy. We need to be more cautious in forcing Seán Citizen down a certain line when the security for Seán Citizen is not sorted in terms of either the privacy he can expect or phishing relating to banking and so on.

Enda Kenny (Mayo, Fine Gael)

I have had an e-mail address since long before I became Taoiseach. Obviously, I generally use the corporate e-mail for official purposes. In the past, there have been occasions when I have used that personal e-mail because of operational reasons. However, information does not go there from the secured encrypted e-mails. Government agenda or business comes to me via encrypted e-mail addresses.

I have seen what happens internationally. Irrespective of the firewalls put in place, I have a healthy scepticism of the ability of people to be able to breach them. Let us consider the extraordinary extent of e-mail production throughout the world.

Hundreds of thousands of e-mail messages that apparently were deemed to be encrypted are being published. I have to say I have a scepticism about things that are put on the cloud electronically. There is somebody out there with a capacity to breach that unless the walls are absolutely fireproofed. My Department has assured me that these e-mails are completely encrypted and encoded in a complex manner. The Minister for Communications, Climate Action and Environment is expanding the unit of people who are dealing with this. The unit will be in a stand-alone position to advise and inform companies and institutions regarding cyber attacks. As I have mentioned, I learned last week that there are thousands of attempted hits and attacks on the systems of American companies every day. In addition, there were many thousands of attacks on the systems of the American Government last year.