Thursday, 12 May 2022
Nithe i dtosach suíonna - Commencement Matters
I thank the Minister. We now move to to the third Commencement matter of the morning which has been tabled by Senator Craughwell. This refers to the need for the Minister for the Environment, Climate and Communications to make a statement on the consultations undertaken with industry experts and other stakeholders ahead of the publication of cybersecurity legislation. I notice that the Minister of State, Deputy Burke, is in the hot seat once again. Senator Craughwell now has four minutes in which to make his case.
I thank the Acting Chairperson. I am sorry that the Minister of State, Deputy Burke, has been thrown into this issue as it is not his area of responsibility. It is regrettable that the Minister who is responsible for cybersecurity is not here.
Legislation on cybersecurity is scheduled to come before the Oireachtas in the summer of 2022, as the cybercrime Bill is due shortly. I have attended a number of conferences and have engaged with quite a number of cybersecurity companies operating in the State. The first I heard of this legislation was when it was announced at the Joint Committee on Transport and Communications last week. It is simply not good enough that legislation on a matter as important as cybersecurity would arrive without the opportunity for fair engagement right across the industry.
As the Minister of State will be aware, the HSE cybersecurity attack will have cost this country in excess of €100 million and probably a great deal more by the time it is finished. We have also had a cyberattack on the Rehab Group and cyberattacks are part and parcel of every day life now. The ambition set out by the newly appointed director of the National Cyber Security Centre is appallingly weak with respect to the number of people it expects to employ in that centre by 2023.
The industry wants to engage with Government. We want to be the best country, the most cyber-aware country, and the most cyber-protected country in the world. As the Minister of State knows, we are never totally protected because the criminals are always one step ahead of us. I ask, as I have in the committee, that the Minister of State relay this message back to the Government. I have written to the Taoiseach on this issue and have made a number of points.
First, I do not know why cybersecurity is located in the Department of the Environment, Climate and Communications when it should be in either the Department of Defence or the Department of Justice, or, more properly, directly under the Department of the Taoiseach. This makes absolutely no sense to me. This is the primary defence of the nation. A cyberattack could bring this economy down in a nanosecond. The last time cybersecurity was discussed in either House was in June 2021 and that is simply not good enough.It should be discussed on a regular basis. The National Cyber Security Centre, NCSC, should be educating people all the time rather than hiding in the background. The strategy for 2019-2024 is a work of fiction because it has not delivered on its claims.
The bottom line is that we have attracted the greatest companies in the world from an IT perspective. We have Google, Twitter, Facebook, etc. Not only that but we also have very large chemical and pharma industries. We have a massive amount of research and development going on here. All we need is one successful attack on one of these companies and the likelihood is that we will see a flight from this country. Cybersecurity has to become the most important thing in this country because it is a battle we are fighting all day and every day.
It would be better to stall the legislation, although we do not know what is in it, and to engage with the industry. Let us have the experts in here. We are lucky in that because of the organisations we have in this country, we have some of the greatest minds in the world in regard to cybersecurity. We should be tapping into those minds to make sure we have the best possible cyberdefence in the world.
I ask the Minister of State to go back to Government and ask it to stall this legislation and give the Oireachtas Joint Committee on Transport and Communications an opportunity to engage with these people to inform the legislation that will come before both Houses, even if that is in the autumn of this year, rather than rushing it through in the summer.
I have heard Senator Craughwell raise this issue a number of times in the past. I want to apologise for the absence of a Minister from the Department of the Environment, Climate and Communications.
Officials in the Department of the Environment, Climate and Communications are in ongoing consultations with cybersecurity industries. That is obviously at variance with what the Senator said. We will probably have to square that circle in regard to what is stated in the reply. Cyber Ireland is a national industry cluster headquartered in Munster Technical University in Cork. Cyber Ireland’s board membership indigenous and multinational firms as well as third level institutions engaged in cyber education and research. Ministers and officials are in regular contact with Cyber Ireland and its members and the Minister of State, Deputy Ossian Smyth, will tomorrow participate in the launch of Cyber Ireland’s Cybersecurity Sector in Ireland report. The Minister of State will also soon be travelling to the US with the Industrial Development Authority, IDA, to promote Ireland as a destination for foreign direct investment. During that visit he will meet with the multinational cybersecurity and digital services firms, which have a base here. The Government will continue to consult with Cyber Ireland and relevant stakeholders in industry and in the academic community to inform the drafting of legislation and the forthcoming review of the national cybersecurity strategy later this year.
I would like to highlight on behalf of the Minister that a large proportion of legislation covering cybersecurity in Ireland has its origins in the EU and officials are in frequent contact with Cyber Ireland and other industry stakeholders both in Ireland and Brussels to ensure Ireland’s national positions are informed by the perspective of industry. The Department of the Environment, Climate and Communications has conducted an extensive industry consultation following the publication of the European Commission’s proposal for a review of the network and information security directive in December 2020. Officials have continued to engage with industry stakeholders during the Council negotiations last year and the ongoingtrialogue negotiations. Most recently officials have engaged with stakeholders about the Commission’s industry consultation and forthcoming Cyber Resilience Act, which closes later this month.
In respect of other key stakeholders I can assure the Senator that the officials in the Department are in regular and ongoing contact with relevant Departments and agencies in the drafting of legislation for the NCSC. The Government has agreed that legislation will delineate the NCSC’s role in relation to other actors in the cyber area. The NCSC has long-standing co-operation with An Garda Síochána and the Defence Forces, including secondments of personnel. To address this ever-growing threat of cybercrime and malicious cyberactivity by state and non-state actors, it is essential that the co-operation can be expanded and deepened into the future.
Two years before the HSE was hit the NHS in the UK was taken down and nothing was done in this country to check our systems to make sure we would be robust enough in the event of an attack. The document given to the Minister of State by the Department today reads well. It reads as well as the strategy document but I am afraid the Department should read what was said at the last meeting we had with people in the cyberindustry to see what they had to say. They condemned everything about our cybersecurity. I ask the Minister of State to bring this back to the Taoiseach and the Government. We need to move the area of cybersecurity into the Department of the Taoiseach, the Department of Defence or the Department of Justice where it will get the proper support, and we need to do it urgently. We need to engage with the industry and listen to what it has to say. Those in the industry are the experts out there fighting crime every day. The cost to this economy of cybercrime runs to billions of euro. It is now more profitable than the drugs industry, and that is frightening.
Senator Craughwell raised this issue before and he made a very valid point. I will raise it with the Minister and do a note for the Taoiseach on foot of this Commencement matter. It is not an area in which I have great expertise but I will provide the Senator with what was in the reply in regard to the interactions with industry.