
Seanad Éireann debate - Thursday, 22 Jun 2023

Vol. 295 No. 4

Cybersecurity and Data Protection: Statements

The Minister of State is very welcome to the Seanad. I also welcome Deputy Naughten and his guest to the Gallery.

I will hand over to the Minister of State. Senator Davitt and I are in the Chamber and we are listening.

I thank the Chair, Senator Davitt and those in the Gallery.

During the pandemic, there was an acceleration in the pace of digitisation in Ireland. Because people could not travel around and many facilities, businesses and Government facilities were shut down, they were forced to go online. As people were worried about becoming infected, they were doing things like visiting their doctors online. Many facilities that were not previously available were opened up to be accessed online and, therefore, the pace of digitisation in Ireland accelerated. People ended up doing things online they never expected, for instance, a lot of shopping and so on.

The result of more online activity and more people spending time and money and transacting online meant that was where criminals started to move as well. There is an attraction to carrying out crimes online. Because criminals are carrying out their crimes remotely, they hope they are going to be at a remove from law enforcement. There is also the hope that it will be harder to detect that type of crime and criminals will be able to escape because perhaps they will be in another jurisdiction and will be able to cover up or plausibly deny that they carried out the crime. They will be able to point and say it was not them sitting at that computer at that time.

The result of this is that our State has to defend itself from cybercriminals, which come in different varieties. We have the type of cybercriminal who is just in it for the money. This is the type of gang that carried out an attack on our health service in 2021. They were carrying out a form of crime involving ransomware where they break into the computers in an organisation, take the data, lock it up and encrypt it and charge a ransom to have the information returned. They have two forms of threat in a ransomware attack. One threat is that they will never give the data back and will delete it and the other is that they will take the data and publish it on the Internet to embarrass people. In the case of a hospital, the threat is that the medical records would be published and that people would be ashamed by what was shown. The other type of cyberattack comes from a nation state. This is the type of attack involving either gathering information for espionage or to carry out an influence operation, which is where one country seeks to influence the politics in another country by manipulating perhaps their social networks or by carrying out psychological operations.

We have to defend ourselves against these different threats. The division in Government I look after is a cybersecurity division called the National Cyber Security Centre, NCSC. Its role is to protect Ireland from civilian cybersecurity threats. We have two other divisions that really provide cybersecurity in Ireland, one of which is the Garda National Cyber Crime Bureau, which is tasked with law enforcement and intelligence gathering. There is also a division within the Defence Forces that provides cyber defence and protects Ireland's military installations from being attacked.

Those three organisations, namely, the civilian NCSC, the military cyber defence division and the Garda National Cyber Crime Bureau are all co-ordinated under the National Security Analysis Centre in the Department of the Taoiseach. It is timely that we are talking about this today because as Members know, there is a consultative forum on national security going on around Ireland. Today, they are meeting in County Cork and our cyber security director, Mr. Richard Browne, is discussing the cyber threat to Ireland.

Traditionally, with the military, we could think of three domains. There are air, sea and land wars but now we have the additional domain of cyber war, which is another area that can be used to attack from one country to another. The attraction of using a cyberattack is, of course, that it can be done remotely and that its provenance can be hidden. There is a big downside to it, however, which is that it does not always work. It is not very dispatchable or deployable. We expected at the start of the Ukraine war that there would be a large cyberattack from Russia on Ukraine, but it turned out that did not really happen. There were attempts at it, but it is much easier to fire a missile at a particular location and expect it to connect and for something to happen. A cyberattack might take months to prepare and might not actually work at the end of that time. We are learning in an active war situation about the effectiveness of cyberattacks.

I will briefly run over where the country is in terms of laws, policies, strategies and skills.

The National Cyber Security Centre, NCSC, has two purposes. The first is to educate the public, and to provide the information to people so they can protect themselves from a cyberattack. The second is to provide an emergency service, so it provides a similar service to the fire brigade or the ambulance service, in that if one is the victim of a cyberattack or one is hacked, it will come out to one's facility and provide assistance. It has got those twin responsibilities of education and emergency incident response.

Our laws on cybersecurity have to line up with what is happening in the rest of Europe and the rest of the world. The reason for that is that a cyberattack typically happens because of a group of people who are certainly in another jurisdiction, but often in a number of different jurisdictions. Those gangs tend to attack a number of different countries. In order to protect ourselves from cyberattack, we need to co-operate with other jurisdictions and countries. There is a lot of co-operation at European level. To give an example of that, when the HSE was attacked in 2021, we immediately went to our European partners and asked if they had any information about the particular gang that was carrying out the attack, what their methods of operation were, and how we could defend ourselves. We got co-operation right away, particularly from the Polish Government, which had been attacked by the same gang known as the Conti gang.

The overarching law is the information and security directive called the network and information systems directive, NIS 1. That has served its purpose until now, but, of course, the world changes rapidly, and particularly in the technology area. Now, the European Commission has proposed a revised directive called NIS 2. This will require that more organisations in the country are designated as being critical infrastructure, that those organisations protect themselves, that they make sure that the equipment they use is certified for cybersecurity, and that they make sure their suppliers are safe. What we are finding now is that when a cyberattacker goes out to attack critical infrastructure, instead of attacking the organisation itself, they attack their suppliers because they see them as a weaker link in the chain. This is a direct recognition of the extent to which we are interconnected, and how our essential services and important entities are interdependent.

My Department is going to lead on the transposition of this new NIS 2 directive, but it will be a whole-of-government effort to ensure that Ireland fulfils its obligations. We cannot underestimate the scale of the challenge posed by implementing this directive. Of course, the NIS 2 directive is just one of a range of EU interventions aimed at strengthening cyber-resilience and incident response throughout the Union.

Recently, I welcomed the establishment of a new national cybersecurity co-ordination and development centre. This project sits within the National Cyber Security Centre, and its aim is to co-ordinate with industry, academia, research and other stakeholders to develop awareness, and promote funding supports and associated networking opportunities. It will also distribute EU and national funds to industry and societal stakeholders, notably, small- and medium-sized enterprises, with the aim of strengthening the uptake of state-of-the-art cybersecurity solutions. It will also contribute to policy and strategy formation on cybersecurity funding.

This project will run for two years. It is being funded by an EU contribution of €2 million, and another €2.2 million from the Department of the Environment, Climate and Communications. The funding is in line with similar investments in other EU member states. It will resource the National Cyber Security Centre's capacity-building function, and it will finance a support programme for industry and societal stakeholders to facilitate cybersecurity innovation and resilience. This project will start in the autumn. It will help to meet our national obligations under EU law, and will have a focus on creating a vibrant national cybersecurity ecosystem that is engaged with communities in other EU member states. It is an exciting new development for the NCSC, and it is important that we play our part, as a member of the EU, in seizing the cybersecurity opportunities in research, innovation, technical development and commercial exploitation as part of the green deal and digital transformation agendas.

I will mention skills. The best way that we can protect ourselves against cyberattack is through the development of our skills. This applies not just to the high-tech skills - in other words, making sure that university-level people have cybersecurity qualifications - but aims to have everybody, starting from primary school up to secondary school, skilled up in this area. I am very impressed by the work of Professor Rachel Farrell in University College Dublin, UCD, who has been going out to primary schools and developing a programme whereby primary school students can learn to protect themselves online. They have to do that, because we know that children in primary school are on their iPads already, and are the subject of scams, frauds and worse.

At second level, UCD's programme is trying to encourage girls and people from non-traditional Irish backgrounds to get involved in cybersecurity and take it as a career. The reason for that is not political correctness. The reason we want more women involved in cybersecurity and more people from non-Irish or non-white backgrounds is that when one has a diverse team of people who come from different backgrounds, a diverse team, that team is better at solving problems. They have different perspectives. They are in a situation of conflict, and they are competing against a criminal gang that often comes from different countries and different cultural backgrounds. If one has a team of people that comprises all male, middle-aged white people with the same kind of education and background, they cannot solve problems as well as a diverse team. We are bringing female role models into schools and saying to young women and girls to please take this as a career. It is an exciting career. It is extremely well-paid, and it is high-status. One gets to deal with foreign intelligence agencies and so on, and one's work is meaningful and Government-level. We are really trying to encourage people to do that. We are having success in that area, and I am very proud of the work that Professor Rachel Farrell has done.

Cybersecurity is not something that merely affects large companies and organisations like the HSE. It is also something that affects every one of us every time we get scammed, or get scam texts and calls. There are constant attempts to persuade us to share our identities or bank account details. I am impressed by the work ComReg has done, and I believe we have done all the right things in the last two years since the HSE attack to strengthen the defences of our country.

We are delighted to welcome the Minister of State back to the Seanad. He is quite a frequent visitor here. I would like to start by saying that I was in Estonia quite recently. I was over with CybExer, the company that was to the fore in dealing with the attack on the Estonian state in 2007. It was attacked by Russians of some sort, or whatever. The identity of the attackers is still a bit in the air. From then on, the Estonians have become very aware of these problems. They are at the cutting edge of it. Estonia is one of the best-placed countries to deal with it, and it has some of the biggest companies in the world that deal with it.

Many of these companies will come in, and will look at one's business. They will attack it to see its vulnerabilities and weaknesses, and do a sort of role-play scenario on it. It is a very successful model. It seems to be a bit weaker in Ireland. These guys are coming to Dundalk, in conjunction with Dundalk Institute of Technology. I think the Minister of State is aware of this, and his Department has been involved in it. They are coming to run one of these exercises, which is a type of war game. They will try to hack a business, and play out a whole role-play scenario. That is very exciting. We have started to up our game over the last couple of years on this.

To follow on from that, Estonia has a type of national security card. People's bank details and pharmaceutical drugs are on it. If they have a gun or driving licence, they are all tied to this particular card. It is a very modern way of looking at things, and they have found it very secure and are certainly big advocates for it.

I refer to something the Minister of State mentioned, namely, the number of these scam text messages being sent, particularly to older people, and he might touch on it again in his summation. The telecommunications companies have a greater responsibility to act on behalf of their customers. To have a sort of a laissez-faire attitude to this is wrong. I know the Minister of State feels strongly about this, and it is something he might touch on in his summation.

I thank the Minister of State for a comprehensive assessment of where we are and of what has been done. Much of the time, we do not realise how much the State is doing in this area. Obviously, the Minister of State is not in a position to declare and share everything but, from conversations with people in the area of defence and so on, I know that we actually have an extraordinary wealth of knowledge, ability and competence in cybersecurity at a national level and at the level of critical infrastructure. The Minister of State has done well. A great deal of work is being done.

While cybersecurity and data protection are inextricably linked, it is the area of data protection that I will talk about a little. I am not sure that we understand data in the way that we should. On my personal knowledge of what now constitutes data about me, what I own and what I do not and what I have control over, there was a time when you owned pieces of paper. They were in your handbag, your pocket or whatever. We do not have that now. Unbeknownst to us, there has been a cultural shift over the last ten years in particular. People give away their data all the time without any real understanding of just how much organisations are intruding into their lives. We see that when we download an app and then, all of a sudden, the ads on our social media mirror what is in our phones or what we have searched on our phones in a completely different app. There is a lack of understanding there. I am not sure what we can do about it. In a way, the horse has bolted and we are trying to close the door.

As we are running advertising campaigns on Coco's Law and the fact that it is now illegal to threaten to publish a photograph of someone else, it is interesting to note that this legislation brings a piece of ownership home. Who owns an image? Where a couple is in a relationship and one gives an image of an intimate nature to the other, who then owns that image? If that image is of me and you threaten to publish it, I own it. Ownership is of the essence. A threat to publish an image is then a threat to property, as well as to the personal autonomy of an individual.

That is very clear-cut in the case of a couple exchanging images. Where the ownership of an image is not clear-cut is where artificial intelligence, AI, is able to manipulate images, perhaps showing Ossian Smyth making a speech that is the complete antithesis of anything he would ever say. We have seen examples of that at the political level in other countries and it may potentially arise in our own country, especially as we move towards a general election. I worry about what could possibly happen there. On the potential use of AI-generated imagery, do we have the intellectual property piece of that issue nailed down? Is it the case that an image of me cannot be manipulated? How do we allow for freedom of expression? It is very complicated. When I try to get my head around these things, I think that we cannot legislate as quickly as these technologies are emerging.

It is the same with ChatGPT. We see the possibility of producing an essay for university. We need to be able to impose markers on such generated content, for example, for journalism purposes. Journalists have credentials that are accepted and believed in to allow them to carry out their investigative role. Generated content may be attributed to an individual and it does not have the same credentials. We need to embed a marker that denotes where content is from, who generated it and how it was generated in order to preserve the integrity of journalism. As to the integrity of our colleges, if I do an essay, it is put through a system by the university to be checked for plagiarism. We need a similar system to be imposed on all of these AI generation applications so that the creation of content without individuals using their own intellectual capacity can be marked. I am always wary of organisations that, for profit-driven purposes, move ahead of nation states and their ability to regulate for the common good. I like the general data protection regulation, GDPR, because it can be quite nimble in capturing emerging technologies as they relate to data. However, we still need to regulate AI. From that point of view, how do we make sure that we stay ahead?

The Minister of State spoke very eloquently about our competence in cybersecurity, our abilities and how we are growing. I know there have been instances where we have trained people through our own military and defence organisations only for them to be poached by private business. Does the Minister of State have the freedom to ensure salaries in that area are sufficient? Are they tied to the salaries of the public service? Do we have capacity to ensure we are able to poach people into our services and to hold the people we have? Critical to us being able to stay ahead is being able to hold the competencies, experience and knowledge of individuals who are in place and ensuring that the Minister of State has the financial resources to do so. That is something we should advocate for.

Before I call on Senator Warfield to speak on behalf of Sinn Féin, I note that a group from the Catholic University of America in Washington DC is here to join us. If I am correct, I saw them downstairs with Senator Mullen earlier. I am delighted to have the group here today.

I welcome the Minister of State to the House. This is a very broad topic. I will focus on a couple of areas that I have recently brought up on the Order of Business. The first is the procurement of facial recognition technology by the Government. The State is going to begin the procurement of body cameras that make use of facial recognition software despite there currently being no legislation to provide for the use of such technology. At a time when many cities across the world are banning the use of facial technology in policing, I am concerned that Ireland is pressing ahead and purchasing cameras that have this ability built in. There are obviously significant questions of human rights and EU law involved that require robust debate here in the Houses of the Oireachtas, our Parliament. Does the Minister of State have anything to say about the State purchasing such cameras without any legislative provision or safeguards?

I also want to talk about the public services card. The Department of Social Protection has been building a biometric photo and template database of more than 3 million people. There is no legal basis for collecting these data in exchange for services that people are legally entitled to. Through a freedom of information request, the Irish Council for Civil Liberties and Digital Rights Ireland have found out that the Department of Social Protection has known since 2021 that this database is illegal. The processing of people's personal and sensitive data naturally impacts on people who use this card, primarily people who access State supports. I would welcome the Minister of State's comments on that issue. It is possibly a mass infringement of privacy by the State.

I now come to the Data Protection Commission. Last year, the Minister for Justice committed to appointing two additional data protection commissioners. As far as I am aware, these posts have not yet been advertised. At the time this was announced last year, the Minister indicated that it was expected that the process would take in the region of six months to complete. However, almost 12 months later, these positions have yet to be advertised, much less filled. The Government's failure to appoint these two additional data protection commissioners leaves the Data Protection Commission ill-equipped to fully investigate the range of complaints it receives. GDPR provides strong investigation and enforcement powers to protect people from the misuse of data but, without these resources, the job of the Data Protection Commission becomes ever more difficult.

It was interesting to listen to Senator Seery Kearney talking about the cultural shift that has happened. Many people just do not see data as a human rights issue. I have taken the time over the years to look at alternatives to the mainstream big tech platforms. There are alternative platforms that respect people's privacy and do not track what a person does in the context of advertising, and that do not sell personal data on. For example, Qwant is an alternative search engine, Signal is an alternative messaging service and Proton Mail is an alternative email service. There are other social media alternatives also. With social media and the messaging apps, one needs a host of one's friend group to be on a particular app in order for it to be effective. There are alternatives to big tech.

In 2021, the Joint Committee on Justice called for a review of the Data Protection Act 2018 to ascertain if legislative amendments would be required and to consider codifying some Data Protection Commission processes in legislation. I do not know if there has been any move by Government to review the Data Protection Act 2018. I welcome the Minister of State's comments on any or all of these points.

As no other Senators are offering I will go back to the Minister of State.

Senator Seery Kearney asked the question "Who owns your image?" It is a good question. The Senator will remember that this Government passed a law some years ago in respect of intimate images. This legislation had previously been introduced by Deputy Brendan Howlin. It is an important law and I believe it was generally widely welcomed. It prevents people from using intimate images to influence or to attack their former girlfriend or boyfriend, which was generally what was going on there. The Senator has asked a broader question as to who has ownership if the image is not of an intimate nature and is just an image of a person. That has not been fully resolved. A person's photograph, for example, can be taken in a public place and then used. For example, it could be used by a news outlet. I do not believe there is anything a person can do about that. Similarly, when someone is the victim of a crime, often his or her photographs from social media may appear in news media and there would not have been any consent. That can be upsetting for the family involved.

A question was asked about deep fakes where a video image is doctored, for example to make a politician say something that he or she should not be saying. This is an aspect of hybrid warfare. It is the idea of misinformation or the doctoring of images to persuade a populace to turn on somebody. After the 2016 election in the United States of America and the Brexit referendum in the UK, there was a general fear across the world that this type of activity would be engaged in by nation states as a form of hybrid warfare.

Ireland joined the European Centre of Excellence for Countering Hybrid Threats in Helsinki in January. I was honoured to be the person who signed Ireland up to that. This is a group of different countries, EU members and also NATO members, researching together on how to protect their countries from this type of threat. It is a research facility that publishes nearly everything it does. This issue will come to the fore in the forthcoming EU elections, the local elections next year and the general election that follows. There is a general threat from other countries influencing elections, including the candidates they want to win, in order to cause chaos in the other country. We need to work hard to protect ourselves from that.

We are all the more vulnerable as a result of generative AI. One of the key new things that this AI can do is to convincingly pretend to be human. This can then be used to create social media bots and characters on the Internet who appear to be spreading stories against one party and putting forward ideas that have come from another country and have a different set of values to us. Europe and Ireland have shared moral values. We support democracy and freedom. This is not the case in other countries that would seek to influence our elections. It is a real problem.

Reference was made to watermarking - although that word was not used - and that we might embed something into an image to see where it had come from. This is certainly a way by which we can trace what has happened. We should follow what is going on in this regard in the EU, which is currently making law around AI. It has been doing this for the past two years, but there is a sudden new sense of impetus with the arrival of ChatGPT. The EU Parliament has signed off on its section of the law, and we are coming towards the end of it. One of the recommendations from the Parliament is there would be tagging on content created by AI. For example, if AI wrote a report, it would have to say at the end that it had been written by ChatGPT. I do not know how that segment would not be cut off it, so it would have to be watermarked or have information deeply embedded into it to show that it had come from an AI.

I will be issuing guidelines to the public sector shortly on how we use AI, which is a very powerful tool. We are not going to ignore AI. It is very useful for research and productivity purposes, but we cannot have a situation where, for example, public sector officials are replying to people's letters and using AI to do so. We cannot have a situation where AI is writing our strategies or policies. I do not want to come in here and find that Senators have had amendments written by AI and that these, if accepted, could form part of our laws. These are all real risks. These are all commonsense things, but we need to write them down in the form of guidelines. Those guidelines will be issued in the coming weeks.

The Senator also asked about the challenge of recruiting people into the public sector for cybersecurity. I have direct experience of this. At the time of the cyberattack on the HSE, there were 27 people working in the National Cyber Security Centre. We now have double that number. We are able to recruit people. We are offering something slightly different from the private sector. We are offering meaningful work relating to the defence of the country. We are using the types of tools that are not available in the commercial sector. We liaise with military intelligence and with larger countries. The proposition to the worker is that he or she has interesting and meaningful work using the latest technologies available, which is not always the case when someone is simply protecting financial assets in a bank or a software company. We are managing to recruit.

Senator Warfield asked how the Department of Justice can be involved in the procurement of facial recognition technology before there is a legal basis for its use. The coalition Government has decided to proceed with the Garda Síochána (Recording Devices) Bill 2022, which provides a legal basis for the use of bodycams by gardaí, but not to legislate for facial recognition technology. We will do that in a separate Bill. The reason for this is that the facial recognition technology had not been through a pre-legislative scrutiny and had not been subject to a strong, democratic debate across the country. We need input from experts. The use of such technology would represent a major change in the context of civil rights. We need to work out where the use of this technology is useful, acceptable and welcome and where it goes too far. That is being worked out at the moment. There is no reason the Department cannot buy the software, it simply cannot deploy it until it has a legal basis to use it.

The Senator asked about the recruitment of additional data protection commissioners. I will ask the Minister for Justice, Deputy McEntee, about that. He asked if there is any more data protection legislation in train. Again, I will ask the Minister for Justice and come back to the Senator with answers. Ireland is well aware of its key position as the regulator of tech companies in Europe. We are in that position because so many high-tech companies are putting their headquarters in Ireland. We are aware of our responsibility to regulate those companies carefully. We are aware that the Data Protection Commission needs to be fully resourced and supported. We are committing to other member states in Europe that we are going to continue to do that. That is most of what I want to say. I thank Senators.

I thank the Minister of State. Will the Acting Leader indicate when it is proposed to sit again?

Next Tuesday at 12.30 p.m.

Cuireadh an Seanad ar athló ar 1.10 p.m. go dtí 12.30 p.m., Dé Máirt, an 27 Meitheamh 2023.
The Seanad adjourned at 1.10 p.m. until 12.30 p.m. on Tuesday, 27 June 2023.