
Baroness Harris of Richmond: My Lords, I thank the Minister for bringing forward these three orders. We on these Benches welcome the orders dealing with Europol. As a plug, I refer your Lordships to the report of Sub-Committee F of 23 January 2003, Europol's Role in Fighting Crime, in which noble Lords will find every answer they might want about Europol. In our report, we said that Europol had a crucial role to perform in supporting the member states in combating serious organised crime in the EU, which is even more important now, post-Madrid, in relation to terrorism.

Europol is an intergovernmental institution and national parliaments need to be involved as well. We are very happy to support these two orders and we note that the Joint Committee has not seen fit to draw them to the attention of the House.

On the CEPOL order, which sets up the European police college, it is very welcome that its headquarters are at Bramshill, a place I know well. It is a centre of policing excellence. It is very appropriate that the CEPOL headquarters are situated there.

Like the noble Lord, Lord Howell of Guildford, I was interested in the relationship between the proposal for a Council decision to establish CEPOL as a body of the European Union with legal responsibility, and so on, and the immunities and privileges order. Why are the Government bringing forward this order when
9 Dec 2004 : Column 1062
the matter is covered in the draft decision? Is there not a subsidiarity issue regarding the implementation of training? I should be very grateful to learn of the Government's response to that as Sub-Committee F heard that the Minister expressed interest in the provision on national units, under Article 12.

We on these Benches support the three orders.

Lord Triesman: My Lords, I am grateful to the noble Lord, Lord Howell, and the noble Baroness, Lady Harris, for their comments. I thank the noble Lord, Lord Howell, for his welcome. It was particularly kind of him to say that I had got used to the quirks of the House, but they are very enjoyable things to get used to. I thank him very much.

I hope that I can address the specific questions that have been asked. CEPOL is a body of the European Union; it was established by Council decision 2000/820 made under the provisions of Title VI of the Treaty of the European Union. It was unquestionably well within the remit of that part of the European Union's treaty.

The Government believe that the European Police College, making, as it will do, a valuable contribution to the prevention and detection of crime, will be properly affected by a decision under Article 31(c) of the EU treaty. In our view, where the creation of a body is required to facilitate the attainment of objectives that are set out in Article 29 of the treaty, then such a body can be established under the terms of the treaty.

Let me give a little of the legal background. The European Police College, established by that Council decision, means that the protocol does not apply to CEPOL. That is why the International Organisations Act 1968 has been used to make this order. I have no doubt that we will be returning to the question in due course, when the new legislation is before the House.

The noble Baroness, Lady Harris, asked several questions. She asked first about the relationship between the proposal for the Council decision to establish it and the legal personality issue in relation to the immunities and privileges order. I think that I have probably set out the legal basis, and I hope that that answer is satisfactory. If the noble Baroness would like any further detail, I would of course be very happy to write to her.

The Government are bringing forward an order when the matters are covered in the draft decision because the purpose of the order is to implement the headquarters agreement between the UK and CEPOL under which the UK is obliged to confer legal capacity, privileges and immunities on CEPOL. The UK is under an obligation in that context to give effect to this agreement, regardless of the draft decision. The decision is a draft, and there is no guarantee that it will be adopted. Therefore, steps have to be taken under the present rubric to make sure that we are properly aligned with our obligations.

The final question is the intriguing one of subsidiarity, particularly on the implementation of training. That is an important question. The CEPOL secretariat will support
the national training institutions and the co-ordination of training in each member state. I emphasise that each member state will continue to deliver its national training at its national training institutions. So there will certainly be a level of co-ordination—a spread of best practice. I hope that it will develop methods to enable the pursuit of cross-border criminals to be carried out under the most effective routines that can be established among member states. But it does not remove from any member state its subsidiary responsibility for its own national training institutions. Therefore, there will be no subsidiarity issue as training will continue to be provided in those national centres.

I hope that I have addressed the key points. I look forward to the debate on the new legislation. These statutory instruments are required because our obligation is to do things properly in terms of the current legislation, and we will improve it when and if the new legislation is passed.

On Question, Motion agreed to.

European Communities (Definition of Treaties) (European Police Office) Order 2004

Lord Triesman: My Lords, I beg to move the Motion standing in my name on the Order Paper.

Moved, That the draft order laid before the House on 24 November be approved [First Report from the Joint Committee].—(Lord Triesman.)

On Question, Motion agreed to.

European Communities (Immunities and Privileges of the European Police Office) (Amendment) Order 2004

Lord Triesman: My Lords, I beg to move the Motion standing in my name on the Order Paper.

Moved, That the draft order laid before the House on 24 November be approved [First Report from the Joint Committee].—(Lord Triesman.)

On Question, Motion agreed to.

Critical National Infrastructure

Lord Harris of Haringey rose to ask Her Majesty's Government whether they are satisfied with the ability of the critical national infrastructure to withstand cyber-attack.

The noble Lord said: My Lords, I am pleased to have this opportunity to raise a matter that I believe is potentially of enormous importance to the security and well-being of this country. I should begin by declaring an interest as the Home Secretary's nominee as a member of the Metropolitan Police Authority with responsibility for the Met's national and
international functions including counter-terrorism. However, I should make it clear that none of what follows has been informed by or influenced by anything that I have been briefed about or learned in that capacity.

Many of your Lordships will have suffered viruses on home computers or will have installed software to protect them from such attack. Indeed, some of you will no doubt have done both. Your Lordships will also recall that on 4 May 2000 the "Love Bug" virus caused the parliamentary network to be shut down. That virus crippled computers world-wide causing billions of pounds of damage.

Since then, in 2003 alone, we have seen the "Slammer" worm which infected more than 300,000 servers in less than 15 minutes and clogged networks across the globe, crashing bank ATMs and delaying airline flights; the "Blaster" worm that infected more than half a million PCs, attempting to hijack them for a coordinated attack on Microsoft's security web site; the "Sobig" worm that turned tens of thousands of PCs into a network sending out spam; and the "Welchia" and "Nachi" worms that disabled many corporate networks for days on end.

As a nation, the systems that are essential for our health and well-being rely on computer and communications networks. Whether we are talking about the energy utilities, the water and food distribution networks, transportation, the emergency services, telephones, the banking and financial systems, indeed government and public services in general, all are vulnerable to serious disruption by cyber-attack with potentially enormous consequences. Indeed, the Coastguard Service was laid low by the "Sasser" worm in May this year.

The threat could come from teenage hackers with no more motivation than proving that it could be done; but even more seriously it could come from cyber-terrorists intent on bringing about the downfall of our society. Let us be clear, the destructive virus and worm attacks that I have mentioned were the result of individual uncoordinated efforts by a small handful of anti-social "electronic juvenile delinquents". They were not a systematic attack by an organised adversary, intentionally designed to disrupt our systems and services. An organised attack would be many, many times more dangerous.

I am not alone in these fears. General John Gordon, the White House's homeland security adviser, has said that he believes that Osama bin Laden plans to use the Internet to cause serious damage to the economies of the West; and it is well known that computers seized from those allegedly engaged in Al'Qaeda activities have demonstrated that those using them have a high level of IT skill and literacy. At the same time, the South Korean defence ministry—admittedly not the most impartial observer—has said that North Korea has trained as many as 600 computer hackers, so as to be capable of launching a cyber-war.

Well over 100 other nation states are reported to have some form of offensive information warfare programme. It is not inconceivable to assume that the
knowledge and skills developed by such programmes represent a potential threat to the UK critical national infrastructure.

Over the past few months I have sought in a series of Parliamentary Questions to establish what measures are in place to ensure that the UK's critical national infrastructure is protected against such attacks. The responses have all referred to the pivotal role of the National Infrastructure Security Co-ordination Centre (NISCC), established five years ago this month. However, the same responses have made it clear that the NISCC is only an advisory body and that each element of the critical national infrastructure, whether in the public or private sector, is responsible for its own defence. The NISCC does not even know how many computer systems the UK's critical national infrastructure comprises. The advice and alerts issued by the NISCC have helped to make systems more resilient. But my core question remains: is enough being done, and is the framework of powers within which it operates sufficient for its purpose?

I understand that, since 20 May 2002, when records were first centralised, the Ministry of Defence has reported 71 instances when malicious programs compromised the security of its system—that is to say, 71 instances when systems were not just attacked but compromised. One of those was the LovGate virus, which affected more than 4,000 MoD computers at more than 30 sites. It took over four weeks to rid MoD computers of that malicious program.

I ask my noble friend Lord Bassam whether it is the case that no other government department even keeps statistics on the number and impact of security compromises of their computing networks. The MoD's experience demonstrates that there are a potentially significant number of incidents to record. Is it not a weakness if Her Majesty's Government do not even know the extent of the problem on their own systems? Moreover, most of the critical national infrastructure is privately operated. In those cases, it may well not be in the commercial interests of those owners and operators even to acknowledge to anyone outside their own organisations that they have had a problem. Is that weakness not compounded if the NISCC has merely an advisory function?

Legislation and regulation extend into almost every aspect of society. Earlier today, noble Lords debated the Institute of Trade Mark Attorneys Order 2004. I do not wish to suggest that it was not an important measure; yet, we regulate there but apparently ignore the need to regulate the UK's critical national infrastructure. I am not a technical expert; however, my understanding is that, where there are multiple workstations, the security of an entire system can be breached by one operator at one workstation failing to follow security procedures adequately, and that once that has happened, it would be impossible to detect whether lurking on that system was code enabling someone from outside to log on as a super-user and control the entire system.

Have not exercises demonstrated that even those UK government systems thought to be the most secure can be accessed in this way very easily and very
quickly? Will my noble friend confirm whether such exercises have taken place, and, if so, what action has taken place as a result? If no such exercises have taken place, is it not about time that they did?

My noble friend Lady Scotland of Asthal, in response to one of my Questions in May, said,

I understand that. It is in the interests of operators that they operate their systems securely. However, given the consequences to the UK, its economy and the well-being of its people if they fail to do so, should there not be safeguards to ensure that the necessary steps, which in some instances may exceed the operators' immediate commercial interests, are taken? I am told, for example, that certain UK financial institutions have advised their security departments to cease checking for computer system vulnerabilities because of the potential liabilities that may arise if vulnerabilities are identified but not corrected.

In all this, I am not criticising the work of the NISCC. However, it is my contention that some regulation is necessary. As a minimum, the Government should be able to establish standards for the design and operation of the components of the critical national infrastructure, and there should be some system of certification of the arrangements that each operator has in place. Even that minimum would not be sufficient; there must be some system of validation for ensuring compliance and testing the adequacy of security.

For those who believe that that would be an overreaction, I refer again to the way in which the Coastguard Service fell victim to the "Sasser" worm attack. I understand that Microsoft made available on 12 April a patch that would have prevented such an attack. The NISCC issued a briefing giving details the following day, at 19.15; I am not, incidentally, reassured by that timescale. That was followed by alerts and bulletins on 19, 23 and 30 April and on 1 and 3 May. That still did not prevent the Coastguard Service from failing to apply the patch and succumbing to the virus. If the Government's agencies do not comply, what reassurance can we have that those outside government will do so?

The NISCC is an ad hoc, inter-agency group. It has no statutory basis and, as such, its funding and future cannot be assured. Even now, after five years of its existence, I remain to be convinced that it possesses sufficient resources to conduct its full mission on a 24/7 basis. Computer network attacks take place and propagate widely in a matter of minutes. UK response mechanisms must be in place and ready to respond when the problem occurs. Calling a meeting of COBRA for the next day to determine what should be done is not the answer.

Finally, may I ask what would happen were there to be a serious attack that severely damaged the critical national infrastructure? What powers are available to the Government to manage the national response and direct the restitution of systems as speedily as possible? I hope that in his reply, the Minister will acknowledge
that those are serious concerns. A few weeks ago, the Sunday Times reported that MI5 was warning that Britain was,

in effect, that Britain could be quickly reduced to large-scale disorder, including looting and rioting, in the event of a serious disruption of the critical national infrastructure.

I hope that I have said enough to establish the vulnerability of the systems on which we all rely. I hope also that it is acknowledged that if the technology is well within the reach of teenage computer nerds all over the world, it is easily available to organised crime or terrorist networks. Under such circumstances, we cannot afford to be complacent—and it is complacent to rely on a system that is voluntary and powered by advice notes that can be, and indeed are, ignored. It is complacent not even to know the number of computers and communication systems that make up the critical national infrastructure, let alone to have any system of reassurance that these are adequately structured and protected. It is complacent not to have in place any recovery plan in the event of something happening that seriously damages that infrastructure. I look forward to my noble friend's reply, and I hope that I shall be reassured.
