This column appeared on Broadsheet.ie on September 24th and looks at the current government’s ongoing issues with grasping the critical importance of data and data privacy to our continuing economic growth and development. While the government’s response to the Data Protection Commissioner’s findings that it broke its own laws in expanding the scope of Personal Service Cards shows a cavalier attitude to data protection, the total inadequacy of the State’s response to real cyber-security threats is frightening. The State must immediately give the Defence Forces a lead role in building cyber security capacity and give it the resources right now, including the ability to recruit and train the next generation of cyber security experts.
Twenty years ago (last Sunday) the first ever episode of The West Wing premiered on US TV.
Though anyone who has ever served in government can confirm that The Thick of It or Yes, Minister are more realistic portrayals of life along the corridors of power, The West Wing still represents the ideal, the way we would like to think it is.
This is due, in part, to the excellent characterisations, but it is mainly down to the quality of writing. The dialogue not only fizzed, it was informed by actual policy debates.
They were prescient. Much of it is still cogent despite all that has happened in the intervening two decades.
Take this Sam Seaborn discourse from Episode 9 of Season 1. The President’s aides are discussing the views of possible contenders for a Supreme Court vacancy. Sam says:
It’s not just about abortion, it’s about the next 20 years. In the ’20s and ’30s it was the role of government. ’50s and ’60s it was civil rights. The next two decades are going to be privacy. I’m talking about the Internet. I’m talking about cell phones. I’m talking about health records and who’s gay and who’s not. And moreover, in a country born on the will to be free, what could be more fundamental than this?
Two decades later and privacy is still a critical political issue. We don’t always refer to it as privacy, sometimes we call it data privacy or protection, but it is the same thing. Use the word “information” in place of “data” and you realise how fundamental it is to life in this ever more digitalised world.
Two statistics highlight the vital importance of Data Privacy/Data Protection to Ireland.
The first is that 40% of all of the EU’s personal data is stored here.
Think about that. We account for 1% of the EU’s population, but we store 40% of its personal data. That makes data a critical economic issue for Ireland – one that is set to increase post-Brexit. A hard Brexit would dramatically limit data transfers between the EU and UK (the UK would be outside the scope of the EU’s data protection regime).
Data is not just an issue for the big tech giants or social media platforms. Data processing and transfers are commonplace and essential to all businesses, large and small. The digital revolution has transformed all our lives.
Yet a series of serious, glaring, unforced errors by this government show that the folks around the Cabinet table have not yet grasped the critical national importance of data protection. (Though not as serious as the examples to follow, let me also refer you back to my story about the mess made in 2014 of the appointment of a Junior Minister for Data Protection)
This is not just an issue that the EU can deal with and leave us alone. This is an issue and a moment where we must stop being the slowest mover.
The ongoing saga of the Personal Services Card is a case in point. I have no issue with the State having social welfare ID cards. It makes sense and works efficiently for most who use it.
But one of the core principles of data protection is that personal data is only used for the express purposes for which consent was given. Data expressly given to Welfare is for the use of Welfare. It is black letter law.
It is the rule we insist is applied to private companies who hold our data and the standard must not be lower for the State or any of its agencies.
The Taoiseach’s glib response to the negative report on the PSC from the State’s Data Protection Commission, saying that he will just change the law, is not just infuriating, it is idiotic.
To quote from the Data Protection Commission’s statement:
A total of eight findings are made in the report. Three of those relate to the legal basis issue; the remaining five relate to issues around transparency. Seven of the eight findings are adverse to positions advanced by the Department, insofar as the DPC has found that there is, or has been, non-compliance with the applicable provisions of data protection law.
So, in seven out of the eight areas examined, the DPC found that the State had breached its own laws.
It is not good enough for the Taoiseach to come back and say… meh, I will change those laws. We cannot allow the message to be sent to the rest of the EU, never mind the world, that the Irish State has a laissez-faire attitude to the protection and integrity of personal data.
The message we should be sending is that we have rules, strong rules and that we are ready to enforce them equally against all entities, public or private.
It is this area, implementation and enforcement, that brings me to the second key data statistic I wish to discuss.
Earlier I mentioned that 40% of the EU’s personal data is stored here. That makes us an increasing cyber target. Last year Ireland was the sixth most cyber-attacked country in the EU.
According to the European Parliamentary Research Service every day more than 6 million data records are stolen or lost worldwide and over 4,000 ransomware attacks are launched.
These attacks cost the European economy hundreds of billions of euros. They not only affect corporations and private entities, they affect critical infrastructure, such as hospitals, transport and information systems.
And what is Ireland’s response to this increasing threat to a sector that is growing daily in its strategic importance? Almost nothing.
As a senior IT security specialist remarked some months back, we leave the protection of critical economic resources infrastructure to a few private militias. Facebook, Google etc spend hundreds of millions on their data security systems while the State struggles to put even the barest protections in place.
The National Cyber Security Strategy is now over two years out of date. It should have been updated in 2017. Work only started early this year and, according to the Department’s website: “an updated National Cyber Security Strategy will be published later in 2019”.
We have no central cyber agency or national security agency. Our Defence Forces are the experts at national defence and should have the central role in national cybersecurity, but they are being pushed aside instead.
Under the civil/military co-operation process set out in the above-mentioned 2015 national cybersecurity plan, there is an SLA (service level agreement) in place for Defence Forces support, but the Junior Defence Minister Paul Kehoe has rendered this meaningless, telling Jack Chambers TD in the Dáil that “The Defence Forces provide seconded specialists to assist with the work of CSIRT-IE when resources allow.”
We know from the Comptroller and Auditor General’s report that the cyber unit in the Department of Communications, Climate Action and Environment is not fit for purpose and the Defence Forces cannot fulfil their SLA obligations due to the depletion of qualified Defence Forces staff across this and many other specialist areas.
Cybersecurity and cyber resilience are areas where Ireland can and must be to the fore, but instead the government is making us a backmarker. More The Thick of It than The West Wing.