Jack Chambers (Dublin West, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

49. To ask the Taoiseach and Minister for Defence the role his Department plays in national cybersecurity; and if he will make a statement on the matter. [40000/18]

Jack Chambers (Dublin West, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

What role does the Department of Defence play in national cybersecurity? Will he make a statement on the matter?

Paul Kehoe (Wexford, Fine Gael)
Link to this: Individually | In context | Oireachtas source

As outlined in the Government's White Paper on Defence 2015, the issue of cybersecurity has very significant implications for governmental administration, industry, economic well-being and the security and safety of citizens. Cybersecurity is a standing item on the agenda of the Government task force on emergency planning which I chair.

The response to cyber threats remains a whole-of-Government challenge, with the Department of Communications, Climate Action and Environment taking the lead role and with inputs in the security domain from An Garda Síochána and the Defence Forces. The Department of Defence and the Defence Forces are committed to participating, under the leadership of the Department of Communications, Climate Action and Environment, in the delivery of measures to improve the cybersecurity of the State.

Ireland’s national cyber security centre, NCSC, which is located in the Department of Communications, Climate Action and Environment, provides a range of cybersecurity services to owners of Government IT infrastructure and critical national infrastructure. The NCSC is also home to the national computer security incident response team, which acts as a national point of contact involving entities within Ireland, and as the point of contact for international discussions on issues of cybersecurity.

The scope of activities of the computer security incident response team, CSIRT, covers prevention, detection, response and mitigation services to Departments and State agencies and critical national infrastructure providers. The Defence Forces provide seconded specialists to assist with the work of this team when resources allow.

The national cybersecurity strategy, published in 2015, is a high-level policy statement from the Government acknowledging the challenges in facilitating and enabling the digital economy and society. The strategy is based on key principles, such as the rule of law, subsidiarity, and proportionality in response to key risks and threats facing Ireland. Work is ongoing on the development of a revised strategy, which is anticipated to be published by the end of the year. This revised strategy, in conjunction with the White Paper on defence, will continue to inform our engagement in this critical area.

Jack Chambers (Dublin West, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

As the Minister of State said, cybersecurity is the protection of Internet-connected systems, hardware, software and data from cyberattacks. The risks are growing in presence and destructive potential. The World Economic Forum's top ten risks lists cybersecurity after natural disasters and extreme weather. In recent days, we have learned from the Comptroller and Auditor General that the overall strategic direction of the national cybersecurity centre is not clear. No strategic plan is in place and not all objectives in the previous strategy were achieved.

Despite the high-level objectives in the White Paper, there are clearly issues with regard to cybersecurity. The fact it is in the Department of Communications, Climate Action and Environment means it is seen more as an IT management issue rather than an issue of national security. I suggest, respectfully, that the Minister of State with responsibility for defence should try to have the unit removed from the Department of Communications, Climate Action and Environment and brought into the Department of Defence so he can lead policy on cybersecurity as it grows in the coming years. The report of the Comptroller and Auditor General shows a clear need for this to become functional again. The oversight body set up to monitor its performance has not even met since 2015. We need action on this and it is the responsibility of the Minister of State to get a departmental change.

Paul Kehoe (Wexford, Fine Gael)
Link to this: Individually | In context | Oireachtas source

I must admit I have not seen the report of the Comptroller and Auditor General so I cannot comment on its contents. In budget 2018 additional funding was secured for additional personnel and technology in the national cybersecurity centre. A significant programme of recruitment will commence shortly.

I take on board the Deputy's points but this is a whole-of-Government approach led by my colleague, the Minister, Deputy Naughten. He retains overall responsibility for cybersecurity at national level. The Government task force on emergency planning, which I chair, maintains cybersecurity as a standing agenda item whereby regular updates are provided and issues of common interest may be raised and addressed. It also serves to reiterate the necessity for all Departments and agencies to address these risks when conducting risk assessments and assessing their risk management capabilities. I agree this is a huge issue but we have a whole-of-Government approach led by my colleague, the Minister, Deputy Naughten. He has a dedicated team working on this specific issue.

Jack Chambers (Dublin West, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

He might have a dedicated team, but if we want a whole-of-Government approach, it is important it comes from the Department of Defence because to have it in the Department of Communications, Climate Action and Environment means the focus is more on addressing a technology issue rather than a national security issue. With regard to proactive cyberprotection, deterrents and cyberthreats, Ireland's development remains immature or non-existent. The Defence Forces should develop a cyberdefence team to protect the Irish economy and society. Cybersecurity is not being taken seriously by the Government because it is in the wrong Department. The Minister of State should look at the departmental structure and have it taken into the Department of Defence.

The Department of Defence has seconded people to the Department of Communications, Climate Action and Environment but the report of the Comptroller and Auditor General revealed serious difficulties with this. We are at an immature level of development with regard to cybersecurity. The Minister for Communications, Climate Action and Environment has many responsibilities. The report of the Comptroller and Auditor General makes clear there is no strategic direction. The oversight body does not meet and the Government's objectives are not being driven with regard to performance in this area. The Department of Defence should take ownership and control of this so it can develop a proper whole-of-Government response to the area of cybersecurity as it becomes a serious national threat. It would compromise foreign direct investment if our national infrastructure were to be seriously undermined and there were to be an attack. Then we would have proper accountability as to why this was not progressed in the previous months.

Paul Kehoe (Wexford, Fine Gael)
Link to this: Individually | In context | Oireachtas source

There is proper accountability at present in the Department of the Minister, Deputy Naughten. The question raised by the Deputy about the report of the Comptroller and Auditor General would be more appropriately addressed to the Minister, Deputy Naughten. Within the Defence Forces on the security side, we have people dedicated to working on cybersecurity. It would be a matter for the Government to assign the role to a different Department. The Minister, Deputy Naughten, is doing an excellent job. The previous budget provided additional staff and funding regarding cybersecurity. Of course, it is a priority for the Government to make sure the appropriate levels of security are available to the team there.