Micheál Martin (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

1. To ask the Taoiseach if he has changed the protocol in his Department regarding the use of private e-mail accounts (details supplied) for Government business. [7362/17]

Gerry Adams (Louth, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

2. To ask the Taoiseach if he has changed the protocols in respect of the use of private e-mail accounts within his Department. [8551/17]

Enda Kenny (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The Department of the Taoiseach has detailed information and communications technology policies relating to the use of e-mail and the Internet. These policies, which are provided to all staff, also deal with software downloads, media device usage, remote access and the security responsibility of users. While the existing policies do not explicitly ban the use of unofficial e-mail accounts for official purposes, they stipulate that individuals using the Department's electronic media should handle their communications with the same care as any other type of business communications. I informed the House in December 2016 that the Department's information and communications technology policies were being reviewed and that a process of consolidation would be undertaken following the review. The review has now been completed and the consolidation process is under way. Text dealing explicitly with the use of unofficial e-mail accounts for official purposes will be included in the consolidated policy.

For the information of Deputy Micheál Martin, the consolidation process involves bringing together multiple individual policies dealing with various aspects of information and communications technology security, such as e-mail and Internet usage, remote access, mobile device usage and software downloads. These policies have been reviewed and updated and are being consolidated into a single overarching policy that will be a single point of reference for all staff in the Department. When the consolidated policy has been approved by senior management, it will be circulated to all staff.

That new protocol will contain specific guidance relating to the use of private e-mail accounts and other forms of electronic communications. Although there has not been a particular formal protocol, that will now become part of the process with which all staff will be fully acquainted.

Micheál Martin (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

I thank the Taoiseach for his reply. Many people would have been surprised by the way the Minister for Social Protection had enough time on his hands to set up and administer a discussion group for the Fine Gael Parliamentary Party. Clearly he did not spend enough time showing them how to use the application properly and it has been confirmed that the old group has now been shut down and replaced by a service where messages cannot be recorded through screen grabs and they disappear once read. Does the Taoiseach remember the "Mission: Impossible" series some time back?

Enda Kenny (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I do. The message would self-destruct in five seconds.

Micheál Martin (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

Yes. That is the new order within Fine Gael.

Joan Burton (Dublin West, Labour)
Link to this: Individually | In context | Oireachtas source

It is more like "Get Smart".

Brendan Howlin (Wexford, Labour)
Link to this: Individually | In context | Oireachtas source

A code of silence.

Micheál Martin (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

There is a serious point to all of this because of the growing concern that efforts may be made by Ministers to discuss public business without recording this in accordance with the law. There is an obvious difference between party political business and public business but what protection do we have to know that private e-mails and non-recorded chat groups are not being used for official business?

I do not know if the Taoiseach saw Mr. John Mooney's article in The Sunday Times, where he stated the Taoiseach and the Tánaiste and Minister for Justice and Equality, Deputy Frances Fitzgerald, broke e-mail protocol by using "personal email accounts for sensitive government-related business". It was reported the Taoiseach has used his personal e-mail 161 times since 2011 in this regard and the information came from the freedom of information process. Will the Taoiseach confirm it is true that he has used that account 161 times? Is it appropriate that the Tánaiste and Minister for Justice and Equality would use her personal Gmail account for correspondence to and from the Attorney General, the Garda Síochána Ombudsman Commission and for issues relating to immigration, asylum-seeking cases and judicial investigations?

The Taoiseach has indicated a review and consolidation is afoot but will he state if there has been any vulnerability in this regard? Have any of the private accounts of the Taoiseach or the Tánaiste and Minister for Justice and Equality been compromised in any way by hacking or whatever? Is the Taoiseach concerned about this? There are sensitive issues in the justice sector relating to judicial investigations, Attorney General communications and so on. Mr. Mooney was able to read these e-mails and I was stunned, to a certain extent, when I read the front page of the newspaper and the level of material that got out.

Enda Kenny (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I have seen headlines indicating matters were so sensitive, people were not allowed to see them. Clearly, some items are available under the freedom of information process and some are not. My private office uses a number of secure corporate e-mail accounts for conducting day-to-day business on my behalf, such as dealing with correspondence from the public or arranging events to be attended. My constituency office also has a secure corporate e-mail account and these accounts are managed by my staff in my office. They are only accessible on the Department's network. I use a secure corporate e-mail account to enable officials to send me priority e-mails and when I am out of the office, I can only access this e-mail account on mobile devices approved by my Department. No corporate data other than e-mail and calendar data are accessible from these devices. All data on the devices are encrypted and the devices are protected through specialised mobile device management products.

I have a private e-mail account that predates my time as Taoiseach and which I use for personal correspondence or party political correspondence that would not be appropriate for transmission on the official e-mail account of the Department. I generally use my corporate e-mail account for official purposes but I have, on occasion, used my personal e-mail account for official purposes for operational reasons. As far as I am aware, no particularly sensitive information has been used with that account. I do not know the number of times referred to in the article that mentions me and the Tánaiste and Minister for Justice and Equality.

Micheál Martin (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

It is 161.

Enda Kenny (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Official e-mail accounts are only accessible on my Department's secure network at Government Buildings and remotely using official laptops and mobile devices. Those laptops issued to staff for remote access are fully encrypted and remote access to the network is only permitted from sanctioned devices using strong authentication protocols. The Deputy and I discussed this before and we can see what happened internationally, with hundreds of millions of e-mails that were supposed to be safe and secure being publicised all over the world.

Gerry Adams (Louth, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

I am not clear from the Taoiseach's initial answer as to whether there is a protocol for the use of private accounts for official business. One presumes official accounts would have more security built in and it would make sense, I presume, for Ministers not to use private accounts for official business. The Taoiseach mentioned what has happened internationally with the amount of hacking ongoing and people accessing information. The Sunday Timeshas indicated that seven senior Ministers admitted to receiving e-mails for official Government business in their personal e-mail accounts and the Taoiseach used his personal account at least 161 times since 2011, with the material on 23 such occasions too sensitive to be released under the freedom of information process. That contradicts the assurance given by the Taoiseach in the Dáil last December. The newspaper claims the e-mails include information on corporation tax. The Tánaiste and Minister for Justice and Equality also allegedly used a personal Gmail account to deal with matters relating to An Garda Síochána, judicial investigations, the Attorney General and so on.

Will the Government put in place a protocol that prevents a Minister or someone in the Department using private accounts for official business? Is that now the case? Is it the Taoiseach's view that if it is not now the case, it should be the case?

Enda Kenny (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source

What was the last question?

Gerry Adams (Louth, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

Is it the case that personal accounts will not be used for official business? If that is not the case, does the Taoiseach believe it should be the case?

Enda Kenny (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source

There has not been a formal protocol but this matter came to light and the review is complete. What has been referred to as a consolidation process is being put in place. That takes into account the issues I mentioned, including e-mail and Internet usage, remote access, mobile device usage, software downloads etc. All of that has been put into a single overarching policy, protocols will apply and everybody will understand clearly what that means. There was nothing to breach before but when this consolidation process is made available to everybody, people will have a clear set of rules they can all understand.

Brendan Howlin (Wexford, Labour)
Link to this: Individually | In context | Oireachtas source

I wish to broaden the question a bit if I can. The Taoiseach will recall that in our time we established the national cyber security centre to deal with the revelations that virtually any system is subject to hacking. What are the results of establishing that centre and has it completed a risk assessment of our vulnerability? Has it made any recommendations to strengthen the systems of communication within the Government? It is a matter of fact that even the most sensitive of documentation controlled by the National Security Agency in the United States is subject to hacking and release. Nothing can be foolproof in such matters but we should use the best technology. What risk assessment has been completed and have we taken any action on foot of that?

Joan Burton (Dublin West, Labour)
Link to this: Individually | In context | Oireachtas source

I will give more context to the question. Will the Taoiseach tell us how many cases of hacking in his Department have been recorded? If there have been cases, did the Taoiseach receive warnings about his own devices? Has malware been a problem for his Department? I hope his forthcoming visit to the United States will be enjoyable but what special precautions will be made in that regard?

There are many recorded instances of people's devices being hacked when they go to the US. Have any special arrangements been put in place to ensure the Taoiseach, who seems determined to meet President Trump, will not be hacked and bugged? It could be done by people from here, anxious to know how the Taoiseach is getting on. Equally, it could be people with bad intent.

Micheál Martin (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

We are not as overly exercised about e-mails.

Enda Kenny (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The German Chancellor's phone was hacked and she was very upset about it.

Joan Burton (Dublin West, Labour)
Link to this: Individually | In context | Oireachtas source

I recall it.

Enda Kenny (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Other countries might also listen in.

Brendan Howlin (Wexford, Labour)
Link to this: Individually | In context | Oireachtas source

We can depend on it.

Enda Kenny (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source

We must be cognisant of the issue. I do not know whether any special arrangements have been made. My old mobile phone is still working and maybe they listen to everything. I do not know. I will be very careful. Deputy Howlin's point is very serious. I will not have time to read out all my notes.

Brendan Howlin (Wexford, Labour)
Link to this: Individually | In context | Oireachtas source

The Taoiseach might circulate them.

Enda Kenny (Mayo, Fine Gael)
Link to this: Individually | In context | Oireachtas source

Cybersecurity is operated through the Department of Communications, Climate Action and Environment and operates out of University College Dublin, separate from here. My Department maintains contact with the computer security incident response team, CSIRT, in the National Cyber Security Centre which provides regular guidance and advice relating to Internet security alerts and threats. Prevention and mitigation measures recommended by the CSIRT are reviewed as soon as they are received and, where appropriate in our IT environment, implemented. We never release information on the number of attacks on the Department. The release by any organisation of any details relating to cyberattacks or specific measures taken to counter such attacks could expose vulnerabilities in their defences that could be exploited and provide potential attackers with useful information that would enable them to design more effective attacks.

In Austria, a hotel came under a cyberattack in which all the doors were locked and a ransom demanded. People could not get out. People who apparently know these things tell me the issue of the terrorist bomb will be surpassed by the ability to hack into driverless cars and use them for whatever purpose. Two years ago in America, attackers took over a driverless car and controlled its speed and direction remotely. One can imagine the implications. It is an issue for everybody. We have billions of digital content and technology assets, and they must be protected and safeguarded. Electromagnetic bursts can destroy and close down sections very quickly. How it works is beyond my understanding. However, I am informed by those who know that we should take these issues very seriously. The new president of University College Cork is an acknowledged expert in physics and has a great to deal of advice to offer in these matters.