Tuesday, 24 September 2019

Ceisteanna (6, 11)

Jack Chambers

Ceist:

6. Deputy Jack Chambers asked the Taoiseach and Minister for Defence if he will report on the work of his Department and the Defence Forces in cybersecurity; and if he will make a statement on the matter. [38426/19]

Amharc ar fhreagra

Eamon Ryan

Ceist:

11. Deputy Eamon Ryan asked the Taoiseach and Minister for Defence the role his Department has in the management of cybersecurity threats; the way in which he co-ordinates this work with other Departments; and if, in his view, there is a sufficient level of cybersecurity resourcing and preparedness. [38499/19]

Amharc ar fhreagra

Oral answers (9 contributions) (Ceist ar Defence)

Will the Minister of State please report on the work of his Department, and the work done by the Defence Forces on cybersecurity? He will be aware that when I raised this issue previously, he deflected and referred to the Department of Communications, Climate Action and Environment, which is out of sync with how similar issues are managed by western democracies. The Department, the Minister of State and the Defence Forces need to show more leadership in this area. It represents a risk to the State. We already know of the underlying criticism from the Comptroller and Auditor General of the current unit within the Department of Communications, Climate Action and Environment.

I propose to take Questions Nos. 6 and 11 together.

As outlined in the Government's White Paper on Defence 2015, the issue of cybersecurity has significant implications for governmental administration, industry, economic well-being and the security and safety of citizens. Cybersecurity is a standing item on the agenda of the Government task force on emergency planning, which I chair. The response to cyberthreats remains a whole-of-Government challenge, with the Department of Communications, Climate Action and Environment taking the lead role, with inputs in the security domain from An Garda Síochána and the Defence Forces. The Department of Defence and the Defence Forces are committed to participating, under the leadership of the Department of Communications, Climate Action and Environment, in the delivery of measures to improve the cybersecurity of the State.

The first national cybersecurity strategy, agreed by Government in 2015, set out a series of measures that would be taken to build the capability of the National Cyber Security Centre, NCSC, and to achieve a high level of security for computer networks and critical infrastructure in the State. The NCSC, which is located in the Department of Communications, Climate Action and Environment, provides a range of cybersecurity services to owners of Government ICT infrastructure and critical national infrastructure. The centre is focused on developing capacity to protect Government information and communications networks, and on engaging with stakeholders on sharing information, securing systems and responding to incidents.

The NCSC is also home to the national computer security incident response team, CSIRT, which acts as a national point of contact involving entities within Ireland and as the point of contact for international discussions and collaboration on issues of cybersecurity. A revised national cybersecurity strategy is to be published by my colleague the Minister for Communications, Climate Action and Environment, Deputy Richard Bruton, in the coming weeks that will address issues raised by the Deputy such as resourcing and preparedness. Officials from my Department and members of the Defence Forces have been actively involved in the development of this revised strategy which, in conjunction with the White Paper on Defence, will continue to inform our engagement in this critical area.

In addition, the Department of Defence and the Defence Forces have a service level agreement with the Department of Communications, Climate Action and Environment to provide support in the area of national cybersecurity. The overall aim of this agreement is to improve the cybersecurity of the State through various types of assistance and support while also ensuring the operational requirements of the Defence Forces are prioritised.

As the Deputies will no doubt be aware, cybersecurity is a multifaceted challenge that is constantly evolving. The nature of the threat and the potential impact also varies considerably depending on the approach and objective of those with malicious intent. In that context, my Department implements a programme of continuous review in relation to ICT security to keep up to date with current threat levels. Details of measures taken are not publicised for security reasons.

Additional information not given on the floor of the House

While it would also be inappropriate for me to comment on the specific cyber activities and the resourcing of same by the Defence Forces, for both security and operational reasons, the priority for the Defence Forces communications and information services, CIS, corps is the protection of the Defence Forces communications network. Other activities undertaken by the CIS corps include the monitoring and handling of cyber incidents, the enhancement of Defence Forces cyber situational awareness, and the provision of cyber awareness training.

I thank the Minister of State for his response. Cyberattacks signify a grave threat to countries across Europe, yet we are not doing enough to protect ourselves. One example was in 2017 when Ireland's power grid was the subject of a suspected nation-state attack, which was discovered two months after the initial attack. It was not detected by Ireland; it was instead notified to the Irish authorities by the UK's national cyber security centre. This is an example of how cyber attacks represent a threat to our State infrastructure and to the broader foreign direct investment here. It should not take a serious attack to properly resource and plan a significant, modern defence matter, which is being reflected across many countries in the EU. We need to resource it.

It was reported during the summer that the Defence Forces stood down an internal cybersecurity team because of the lack of personnel and qualified staff and a further exodus of specialised personnel. That team was responsible for monitoring the security of military IT networks to safeguard them from hostile state attacks. Not only do we have an issue with the unit within the Department of Communications, Climate Action and Environment, due to the exodus of personnel, there are question marks over monitoring our own internal networks in the Defence Forces. That is also a concern.

My colleague, the Minister, Deputy Bruton, retains overall responsibility for cybersecurity at national level. The Government task force on emergency planning also maintains cybersecurity as a standing item on the agenda where regular updates are provided and where issues of common interest may be raised and addressed. The Deputy is correct that cyber attacks present a new threat and it has to be taken seriously by Government. This is why we have a dedicated team in the Department of Communications, Climate Action and Environment. As I said, my colleague, the Minister, Deputy Bruton, retains overall responsibility for this area. The Defence Forces have their own cybersecurity team to look after their own networks. It is important that we are able to maintain security on our own networks, that we do not depend on any outsourcing of any capabilities to come in to assist in that, and that we can handle our own cybersecurity. This is a matter of concern. Given the number of multinational companies operating in Ireland, we have to be prepared for any cyberattack. As chairman of the Government task force on emergency planning, I assure the Deputy that we get regular updates. I have met people who work in the cybersecurity centre and they are top class. We would want to be very careful not to rubbish their capability and what they are able to do.

I apologise for missing the introduction. I did not realise the questions were being grouped.

I heard the Minister of State's words of confidence towards the end of his contribution. Having spoken with some people in the industry at a recent conference, they highlighted the various insecurities in our system. I wonder, specifically, where is this co-ordinated within government? The Minister, Deputy Bruton's, Department, has the key role, as the host for the NCSC. I am interested in how the Department of Defence fits in with that. Where is the primary point of defence for cybersecurity? Where would we best deploy extra resources if we were able to get them? This should be a priority for Government because we live in an increasingly insecure cybersecurity world. As the Minister of State said, given that we are the host for some 30% of all EU data, there could be reputational damage to that industry if the State's security systems cannot protect our networks, and to the defence system of the country. Where is the co-ordination and who is the lead Minister when it comes to cybersecurity?

As I said earlier, the Minister, Deputy Bruton, has overall responsibility for cybersecurity at national level. If business people have come to the Deputy and they are concerned, I ask him to bring those concerns to the attention of the Minister as soon as possible.

If there are Members of this House who are concerned about the inadequacies of Government in this area, there is no point raising them here in the House. They should raise them with the Minister for Communications, Climate Action and Environment, Deputy Bruton, who, with the team working in the departmental cybersecurity centre, has overall responsibility for this area. I have full confidence in this team, led by the Minister, Deputy Bruton.

The Department of Defence and the Defence Forces have a service level agreement with the Department of Communications, Climate Action and Environment to provide support in the area of national cybersecurity. The overall aim of this agreement is to improve the cybersecurity of the State through various types of assistance, while at the same time ensuring the operational requirements of the Defence Forces are prioritised. As I said, there is a service legal agreement in place under which personnel of the Defence Forces are seconded to the Department of Communications, Climate Action and Environment but, as of now, no Defence Forces personnel are on secondment.

The deflection to the Department of Communications, Climate Action and Environment, does not wash. If there is an attack here, the Defence Forces will have to be involved. We know that the Defence Forces are unable to monitor their own internal networks on a 24-7 basis. Coupled with the fact that owing to a shortage of personnel in the Defence Forces, it is not possible to second Defence Forces personnel to the Department of Communications, Climate Action and Environment in the same way as has been done up to now, this represents a serious threat to Ireland that we need to address. It is a threat to our foreign direct investment and State infrastructure and is a threat that exists in many other democracies across the world.

The Minister of State's suggestion that we are criticising the staff is unfair. The strategic role of the cybersecurity unit in the Department of Communications, Climate Action and Environment was heavily criticised by the Comptroller and Auditor General, who said it lacked a strategic approach. We know that owing to the decline in Defence Forces personnel, there are no staff available for secondment to that unit. Deputy Kehoe, as Minister of State with responsibility for defence, has a responsibility to respond to this 21st century threat. It is not politics; it is a reality. The response needs to be greater than a deflection to the Department of Communications, Climate Action and Environment because this represents a serious threat to us all if it comes to pass.

In regard to the cross-departmental preparations for a possible no-deal Brexit, one of the areas where preparation is needed is the area of cybersecurity. We know from the Edward Snowden revelations and others that all digital information leaving Ireland is accessible from Government Communications Headquarters, GCHQ. While in the past we have had a co-operative arrangement with the UK, which I hope will continue, there must be a real risk for us in the UK not being a fellow European Union member, in that it may restrict our access to co-ordination with what is happening in the UK in that regard. One has a different working relationship with a country that is not a member of the European Union. What, if any, preparations have been made by the Department of Defence, alone or with the Department of Communications, Climate Action or Environment, in terms of enhancing our security, taking account of the new cybersecurity environment that will exist when, and if, the UK exits the European Union?

The Deputy's final question is more appropriate to the Minister for Communications, Climate Action and Environment, Deputy Bruton, who has overall responsibility for this area. I am not trying to deflect from or make politics of this issue. I have stated on numerous occasions that cyberattacks are a 21st century threat. There are many international IT companies located in Ireland, including Google, Facebook and Amazon. In regard to what Government has done already, budget 2018 provided increased funding for additional capacity in the national cybersecurity centre, NCSC, in terms of personnel and technology. The resources for the NCSC have been considerably expanded in recent years to meet its new responsibilities under the EU directives. A new cybersecurity strategy is being prepared, which takes into account the latest assessment of risks and international experience. Ongoing resourcing requirements will be reviewed in the context of the next cybersecurity strategy, which will be published in the coming weeks by my colleague, the Minister for Communications, Climate Action and Environment, Deputy Bruton. The Minister provided an update in this regard at the most recent meeting of the Government task force on emergency planning, which is led by Mr. Richard Browne and meets every six or eight weeks. The national cybersecurity centre does fantastic work. Its work, on a daily basis, to protect our IT systems should not be diminished.

In response to Deputy Jack Chambers, the priority of the Defence Forces is to protect its own networks. If there are Defence Forces personnel surplus to requirements, under the service legal agreement, they will be seconded to the NCSC. Unfortunately, there are no surplus staff. These people are highly sought after by the private sector. This is one the issues considered by the pay commission.