Wednesday, 27 March 2019

Questions (56)

Thomas P. Broughan


56. Deputy Thomas P. Broughan asked the Minister for Communications, Climate Action and Environment the status of his consultation on the draft guidelines for operators of essential services in the State; the changes that will have to be made to security and incident reporting under the new EU directive; and if he will make a statement on the matter. [13998/19]

View answer

Oral answers (6 contributions) (Question to Communications)

We are used to traffic filtering on our websites, including the Oireachtas website, although I believe the latter was down this morning. Is it not the case that the Government has been very lethargic? It is now nearly three years since the EU network and information systems directive, No. 2016/1148, was introduced. The Government has been engaging in consultation only recently. I am not sure exactly what happened under the Minister's predecessor. Who has been designated operator of essential services? Exactly what changes to security and instant reporting will have to happen on foot of the directive if we are to have secure systems in essential services?

I reject the suggestion that the Government has been lethargic in this area. We have a national cybersecurity strategy in place and we are currently reviewing it. It is out for public consultation at present.

If the Deputy has particular proposals, there is an opportunity to improve our cybersecurity plan. The EU directive to which the Deputy refers was transposed into Irish law on 18 September 2018 by SI 360/2018. Under Regulations 17 and 18 of that statutory instrument, operators of essential services in key areas of critical national infrastructure in energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution and digital infrastructure are required to meet specific security requirements and incident reporting requirements relating to their network and information systems. My Department has drawn up draft guidelines for operators of essential services that are designed to assist operators to meet these security and incident reporting requirements, manage the risks posed to the security of the network and information systems used in their operations and minimise the impact of incidents affecting those systems. As the operators of essential services for which my Department has responsibility are spread over five separate sectors, the changes that need to be made will be dependent on the existing level of preparedness of each individual operator. The proposed guidelines were published for public consultation on 11 January in accordance with Regulation 25.2 of that statutory instrument, which requires that persons be afforded an opportunity to submit written representations relating to the draft guidelines within 30 working days from publication. The deadline for submissions was 27 February. The representations that have been received as part of this process are under consideration. The changes to be made to the guidelines are minimal and relate primarily to some of the controls to be used and to indicative incident reporting levels. The final version of the guidelines will be published and will come into operation in the second quarter of this year.

I have the NIS compliance guidelines in front of me. What was the level of engagement? People are very sensitive regarding any major faults in the electricity sector, for example, the Boeing crashes and various other events that have happened such as what is happening with electricity supply in Venezuela and the powerful and central role IT systems play in the delivery of essential services, particularly health. Can the Minister tell me when he will designate operators of essential services? Who are they? Will there be different sectoral requirements in energy, health and finance compared to other areas? The computer security incident response team, CSIRT, is in the Minister's Department. Why has he designated his Department and himself as the regulators of this vast area that is so central to our lives? Is it intended to introduce legislation in the House so that we get an opportunity to discuss all aspects of cybersecurity and to decide whether or not we need a fully independent regulator? There are so many elements to this, for example, the Internet of things and block chain technology in finance. Many people are very interested in technology and wonder if we are being incredibly lethargic in this area.

The Deputy likes to dish out complaints but I am not so sure he is aware that a consultation is underway to which he could submit his view if he believes there should be an independent regulator and that it should not be done by having it within the Department, as it has been done in the past. He can submit that view. Clearly, this consultation is open to evaluating whether the structures in place are adequate. I agree with the Deputy that this is an area where there are growing threats. The measure about which we are talking today is not showing delay. We are designating all of the areas I pointed out such as transport, energy, banking, financial market infrastructures, health and drinking water. They will be required to identify means of protecting their infrastructures. That means they must look at human issues, access control policies, technological responses, electronic measures to protect their infrastructure, firewalls and encryption. All of those issues must be addressed. They must also have adequate measures to detect anomalies or events on a system, including how monitoring is to be conducted, the processes in place and whether they are fit for purpose. This is putting in place the protections we need in the banking system, the electricity system and so on. If the Deputy has ideas about the future direction of cybersecurity policy, now is the time to submit them.

In his original reply, the Minister said the changes that would be needed would be minimal. How does he know that? How does he know that we could not face a significant emergency in the delivery of electricity all across the economy? To some extent, he is prejudging it. He mentioned finance. I know the Department of Finance has produced a paper on block chain technology but what is the approach of the Department of Communications, Climate Action and Environment as the Department responsible for cybersecurity? What kind of audits are our organisation and his Department looking at down through the years? Is he concerned about the behaviour of the huge digital companies, the likes of Google, Apple, Facebook and Instagram, given that there have been more and more complaints about the misuse of personal data? Does he have any views on whether or not Ireland should be more digitally independent? He may have heard me talk about that previously. It is an issue that has been raised by our constituents. We are independent but we are not remotely independent digitally. I notice that the cybersecurity centre is based in Cork Institute of Technology. Is that something the Minister wants to build upon?

The Deputy misquoted me. I spoke in respect of the statutory instrument following the consultation. The Dáil has passed a statutory instrument. Consultation is required within it. The feedback from those who will be regulated does not require substantial change in what is proposed. That is the only aspect where I said change would be minimal. In terms of the development of a broad-based cybersecurity policy, I recognise that this is a very fast-changing area and that is why consultation is underway to look at whether our structures and systems are adequate and to anticipate the sort of changes that will be needed. Significant progress has been made within my Department in setting up a system for identifying weaknesses, reporting incidences and strengthening cybersecurity that is very well-connected internationally and well-regarded. This is not an area where we can ever be complacent, as the Deputy noted. We spoke earlier about the need for an online safety commissioner, which I hope to legislate for before the end of this year.