State ‘vulnerable’ to cyber attacks if security documents exposed, official said
Recommendation subsequently included in FoI Bill presented to the Oireachtas
The head of the national cyber security centre at the Department of Communications warned that the State could be left open to cyber attacks if records associated with the security of the State’s IT systems were not explicitly excluded under proposed Freedom of Information legislation.
In emails to the Department of Public Expenditure and Reform, Aidan Ryan, who also chairs an interdepartmental committee co-ordinating cyber security across Government departments, noted that a draft of the proposed legislation, circulated to Government departments as part of an internal consultation process, contained no explicit safeguards as regards network and information security.
He recommended that all information relating to IT security systems should be made exempt under the proposed legislation to protect against cyber attacks which could disrupt the national economy by undermining Government networks, banking, telecommunications, energy and transport infrastructure.
He said it was necessary to “exclude entirely” from the scope of FoI “all records associated with the security of IT systems in the State in the interests of protection of such systems from cyber attacks”.
He added that, because it was necessary to share information on vulnerabilities with IT security experts in other countries, it was also important such intelligence information could not be released under FoI.
The recommendation was subsequently included in the FoI Bill presented to the Oireachtas, which provided that a request would be refused if it related to “planning for, or responses to, threats or incidents in respect of network and information security” whether generated in the State or elsewhere.
Network and information security is defined under the Bill as the “ability of a network and information system to resist accidental or malicious action that compromises the availability, authenticity, integrity and confidentiality of stored or transmitted data or the related services offered by or accessible via that network and information system”.