Lord St John of Bletso: My Lords, I am grateful to the noble Lord, Lord Harris of Haringey, for having introduced this very topical debate today. As the noble Lord said, he has through various Written Questions raised the alarm about this potential threat and been a campaigner for greater awareness of cyber attacks. The noble Lord has drawn attention to the work of the NISCC in monitoring and dealing with cyber attacks. However, he also warned that the role of the NISCC is purely as an advisory body and each element of the critical national infrastructure is really responsible as an individual entity for its own defence. I am not surprised that the NISCC does not have accurate knowledge of how many computer systems comprise the UK's CNI.
I should at the outset declare an interest in that for the past seven years I have been managing director of a listed web-hosting company, with data centres in the United Kingdom as well as the United States. I am now merely a consultant of the organisation. But it is noted that, almost on a daily basis, customers running online gaming companies are under continuous distributed denial of service attacks, known as DDOS attacks, from what are called "botnet armies". Organised criminal gangs are using these attacks for the purposes of theft and extortion.
There is no doubt that the rising incidence of cyber crime and potential cyber terrorism is a matter of grave concern to the United Kingdom. While I fully support the work of NISCC, I question whether our Government are taking this increased threat both to our critical national infrastructure and to our businesses seriously enough.
9 Dec 2004 : Column 1068
The National Hi-Tech Crime Unit has rightly warned of the threats from on-line theft and extortion but the danger is not just to business. The computer systems that support the CNI are all vulnerable to serious disruption with potentially enormous consequences for public utilities, food distribution companies and the financial services sector. As we have heard, the threat is coming not just from teenage hackers with no more motivation than proving it can be done (I believe the noble Lord, Lord Harris, used those words) but also from cyber terrorists, who are referred to by Scotland Yard as the botnet armies.
So, to what extent is our critical national infrastructure at risk from cyber attack? Thankfully our CNI is owned and operated by almost 50 different companies with their own IT security and with little or no interconnect at an electronic level. By way of example, if a botnet army were to try to bring down our national water companies, there would need to be a cyber attack on all the different water companies' computer systems in the expectation that they all had the same weaknesses and the same lack of IT security, which is, of course, very unlikely.
A far more realistic and grave threat to the water companies (this would be more of a physical attack) would be if deadly chemicals were deposited in one of the main reservoirs. As regards electronic crime, the largest threat to several of the utility companies would be an attack on their billing systems, which is easily achievable through a DDOS attack. Can the Minister when winding up this short debate tell us whether the Government are concerned about the potential for massive financial loss to CNI companies due to the generic threat of DDOS? Moreover, is the Minister able to tell us how many of the CNI companies are BS7799 security compliant?
Our National Health Service is becoming increasingly reliant on information technology. I believe that the level of investment in NHS security is potentially of more concern than the threat to our water and utility companies. There is a very real threat of attack on several of our National Health Service trusts. There are moves to push BS7799 security accreditation on to health authorities. Will the Government consider setting time-scales and budgets for all our health and education authorities to adopt BS7799 and compel the use of best practice security within these critical public services?
To my understanding, there are inadequate IT security protections for most local government IT services. I noted in the DTI's information security report of 2004 on BS7799, which it is encouraging public and private sector organisations to implement to mitigate the security threat, that there is neither overall awareness of this standard, nor for that matter have many UK businesses taken it up. I noted that most UK businesses that were canvassed in the survey thought that they would be subject to a growing threat of cyber crime.
So there certainly needs to be far more partnership with industry stakeholders in pooling resources and knowledge to fight the potential problem. In this regard, I welcome the recent launch of the Zero Tolerance Alliance, with its commitment to reducing organised and international cyber-crime.
As the noble Lord, Lord Harris, has already mentioned, cyber-criminals are hijacking our home computers via broadband accounts and using them to launch extortion attacks, DDOS attacks, spam attacks, phishing scams and virus attacks. The list of e-crimes goes on and on.
Just recently, I hosted a cyber-crime conference here in the House of Lords. The head of the Metropolitan Police Computer Crime Unit came to address us. The list of the various potential threats into which it is looking runs to two pages. Its remit is,
"to prevent, disrupt and prosecute individuals or groups engaged in e-crime which affects computer users in London".
In a supplementary question, I pointed out to the Minister that only 100 detectives in the United Kingdom are currently qualified to investigate computer crimes and that now is surely the time for the Metropolitan Police to give more resources to training those who could look into this growing threat. It is only a matter of time before these methods could be used by cyber-terrorists to launch against our key CNIs.
It takes an average of only 15 minutes for an unprotected personal computer, attached to the Internet, to become compromised, with millions of PCs being hijacked and used against us. I was alarmed to hear at a recent e-crime seminar that up to 35 per cent of Internet credit card transactions are fraudulent and that almost 80 per cent of all Internet e-mail is spam. While anti-virus software and other tools have some benefit, they have not solved, and will not solve, the problem.
Should we not be emulating the success of Sarbanes-Oxley in the United States and encouraging organisations to focus on Internet security control and disaster recovery? What is patently clear and very alarming is that no government organisation has operational responsibility for managing defence against cyber-attacks. As we have already heard, MI5 is right to warn of such a potential attack. What is surprising is the degree of complacency in addressing the threat. Must we wait until we are victims of such an attack before we consider cyber-terrorism to be a viable threat? I hope not.
Lord Bradshaw: My Lords, we would all like to congratulate the noble Lord, Lord Harris, on raising the issue that is before us today. I should declare an interest as a member of the Thames Valley Police Authority. In preparation for this debate, I made some inquiries into this subject and was really rather surprised to find that very little is being done to cope with this threat.
There is some activity, but it is not on the scale appropriate to the threat which either the noble Lord, Lord Harris, or the noble Lord, Lord St John of Bletso, indicated. They described a very serious threat. I certainly do not detect that the preparations in the police force match the threat which has been described to us.
I might be wrong, because one is obviously talking about an area of high security and people do not talk much about it, but perhaps the Minister might be able to reassure us that the level of preparation is higher than it appears to be.
We should not be panicked into draconian measures and should always be alert to our civil liberties, which can easily be sacrificed in a rather ill thought-out rush towards a remedy. We should safeguard the right of free speech but recognise that people are entitled to protection in their home and workplace. Their computers are entitled to some protection, as are their employees. They are obviously entitled to that protection from physical and verbal harassment as much as they are from having their computers tapped.
I am concerned about whether the present law allows a sufficient degree of investigation and surveillance of computer systems as we imagine. It has been suggested to me by some police officers that the levels of surveillance that they are able to undertake are circumscribed by the law. I would like the Minister specifically to deal with that when he answers the debate.
I did not hear or read the Questions of the noble Lord, Lord Harris, in the past. However, when I have been present in the House for replies to Questions about the likes of spam, I have detected a rather laissez-faire attitude on the part of the Government. Their attitude implies, "It's a nuisance but we'll get round to it some time". In fact, it is an extremely serious and fast-growing problem, as are all other sorts of intrusion to which we are subjected such as telephone calls from people selling us things that we do not want. There appears to be very little that one can do about that. My present wife was widowed six years ago, but almost every day we still get calls for her husband. There seem to be ways into systems (I certainly do not know about them) that indicate that, if there is a firewall, it has lots of holes in it.
I am aware that police forces around the country undertake a lot of exercises to test their readiness to deal with all sorts of attack that would have catastrophic consequences on those affected, shooting down airliners and so on. Those exercises are hugely expensive; they involve the police, the ambulance service, the fire service, the military and all sorts of other people. They can cost millions of pounds, but they are necessary to test the readiness of this country to deal with such attacks. Particularly in times of tremendous financial stringency, many police authorities take such threats seriously but are unable to undertake the exercises to prepare themselves for such eventualities. Perhaps the Minister will say something about that when he replies.