The head of the national cyber security centre at the Department of Communications warned the State could be left open to cyber attacks if records associated with the security of the State’s IT security systems were not explicitly excluded under proposed Freedom of Information legislation.
In emails to the Department of Public Expenditure and Reform, Aidan Ryan, who also chairs an interdepartmental committee co-ordinating cyber security across Government departments, noted a draft of the proposed legislation, circulated to Government departments as part of an internal consultation process, contained no explicit safeguards as regards network and information security.
He recommended that all information relating to IT security systems should be made exempt under the proposed legislation to protect against cyber attacks which could disrupt the national economy by undermining Government networks, banking, telecommunications, energy and transport infrastructure.
Cyber attacks
He said it was necessary to “exclude entirely” from the scope of FoI “all records associated with the security of IT systems in the State in the interests of protection of such systems from cyber attacks”.
He added that, because it was necessary to share information on vulnerabilities with IT security experts in other countries, it was also important such intelligence information could not be released under FoI.
The recommendation was subsequently included in the FoI Bill presented to the Oireachtas by Minister for Public Expenditure and Reform Brendan Howlin last July.
This provided that a request would be refused if it related to “planning for, or responses to, threats or incidents in respect of network and information security” whether generated in the State or elsewhere.
Network and information security is defined under the Bill as the “ability of a network and information system to resist accidental or malicious action that compromises the availability, authenticity, integrity and confidentiality of stored or transmitted data or the related services offered by or accessible via that network and information system”.