The Edward Snowden affair has drawn worldwide attention to information security and protection of personal data online. While the information and communication technology of the digital age has transformed our lives for the better and remains vital to economic growth and our future prosperity, the security of that technology is of fundamental importance to the individual, to businesses and to the State.
Intellectual property theft, data breaches and other kinds of cybercrime are becoming increasingly commonplace and now pose a very real threat to all sections of society. Only this week, it was reported that the credit and debit card details of up to 43,000 people may have been compromised by a large-scale cyber attack on an Irish company processing holiday bookings.
The Snowden revelations have highlighted that data is the new gold, and that urgent action is required to ensure it is adequately protected.
There is increasing awareness of the enormous cost of failing to protect ICT systems from attack and misuse for either terrorist or criminal purposes. Ireland’s position as a hub in the global digital economy and dependence on foreign direct investment in the ICT, pharmaceutical and financial sectors, mean that it needs to be at the forefront in ensuring its critical infrastructure is secure.
Both Ireland and the European Union face the challenge of keeping legislation apace with rapidly-evolving threats. The European Commission put forward a major new package of reform during Ireland's EU Presidency. The new EU Cybersecurity Strategy, published in February 2013, underlines that cybercriminals are using ever more sophisticated methods for intruding into information systems, stealing critical data and holding companies to ransom. It calls for a more united approach to ensuring an open, safe and secure cyberspace in Europe.
The Commission has also put forward a new directive on measures to ensure a high common level of network and information security across the EU. The new legislation aims to address disparities between individual member states' readiness to combat cyber attacks and to encourage better sharing of information between businesses, operators of critical infrastructure and governments on security incidents. The current lack of information-sharing, the Commission claims, is aiding criminals, compromising vital services and generating substantial financial losses for the EU economy.
The directive would mean that Ireland and other EU members would have to put in place structures to deal with the protection of network and information systems, and that businesses would face new obligations to report security breaches to those national authorities. It also sets out the respective roles for the new European Cybercrime Centre, set up in January 2013, and the European Network and Information Security Agency (ENISA).
The EU’s proposed legislation faces intensive debate in the coming months, but there is little question that urgent action is required at European level. The Snowden revelations and unauthorised surveillance and collection of European citizens’ data have given fresh impetus to moves to better protect individuals and their personal information in the online world.
Closer to home, Ireland also faces the challenge of keeping up with new kinds of cybercrime in its domestic legislation. Ireland has signed but not ratified the 2001 Council of Europe Convention on cyber-crime, (known as the Budapest Convention), which provides a model for cooperation in combating cybercrime.
While Section 5 of the Criminal Damage Act 1991 and Section 9 of the Criminal Justice (Theft and Fraud Offences) Act 2001 prohibits unauthorised use of a computer with intent to access data or for personal gain respectively, these Acts require constant updating if they are to capture the ever-evolving range of cybercrimes.
The Data Protection Acts 1988 and 2003 are designed to regulate access, collection and use of personal data and require appropriate security measures be taken to prevent unauthorised use of such data. Given the rapid development of social media, mobile technology and digital communications in the last decade, the challenge of meeting new security and privacy demands is clear.
These challenges will be explored in a major Cybersecurity Conference organised by the Institute of International and European Affairs (IIEA), which will take place this Friday at Dublin’s Mansion House. Speakers include President Obama’s Cybersecurity Coordinator, representatives from the European Cybercrime Centre and other EU agencies, security officers from major financial institutions, and the NATO Assistant Secretary General for Emerging Security Challenges. A key focus of the Conference will be the need for greater cooperation between the private sector and state bodies in addressing cybersecurity challenges.
Eugene Regan is a senior counsel. The IIEA cybersecurity conference will be opened by Minister for Communications Pat Rabbitte and closed by Tanaiste Eamon Gilmore, who will consider the foreign policy implications of the issue. For last-minute tickets see iiea.com.