Baroness Miller of Hendon: My Lords, we should all be grateful to the noble Lord, Lord Harris of Haringey, for having initiated this most timely debate, and for sharing his expertise with the House.
There are three kinds of cyber-attack, the first of which are the so-called viruses and worms which are intended to disrupt individual personal computers.
9 Dec 2004 : Column 1071
Almost 13 million United Kingdom households have access to the Internet, and it is probably fair to say that a large proportion of those have already been subjected to such an attack. They are mischievous and malicious attacks often perpetrated by vain young men simply to prove their own computer skills, to use slightly different words from those used by the noble Lord, Lord Harris. They are no different from any other acts of vandalism. Sometimes these young men are situated in remote places and are very difficult to track down, especially when they are careful enough to launch their attacks via a series of different, but connected, telephone links. I believe that one such young man was found recently in a remote part of Thailand.
Secondly, moving one step up the scale, there are the activities of criminals. We recently saw the publicity about attempts at identity theft in the form of requests for banking information, including passwords, from bogus banking websites. That is done by sending out thousands, perhaps hundreds of thousands, of e-mails in the hope of finding a customer of the bank concerned and, in addition, one who is gullible enough to respond by providing the confidential information requested, enabling the victim's account to be looted before the fraud is discovered.
Before I comment on this aspect further, I want to mention another form of cyber gangster: one who, for political reasons, deliberately tries to sabotage mail order companies and other concerns which are conducting legitimate business via the Internet or which are trying to provide legitimate information on their websites. This sabotage is carried out by overwhelming the website with multiple simultaneous hits until the site simply breaks down. Often such sabotage is conducted by self-appointed, answerable-to-no-one, so-called anti-globalism activists.
The further comment that I was intending to make was as follows. There is a duty on several fronts to guard against this criminal activity and, first and foremost, it is on the users of the Internet: you and me, my Lords. We must ensure that we do not give out sensitive information over the net or even to some anonymous person who asks us to confirm our details over the telephone when we have not even initiated the call.
Then there is a responsibility on the so-called service providers, those who run the systems on which the fraudulent websites exist. Of course, I concede that it is impossible for service providers to monitor the activities of each and every one of their customers all the time. But, as commercial concerns receiving fees from those criminals, they do have a duty to cut them off as soon as suspicious activities are detected, in the same way as they do when they discover objectionable material being disseminated by racists and other similar sources.
Then there is the responsibility of those who run search engines. A search engine is just an index which leads the searcher to a site in which he may be interested. Those running search engines cannot possibly control the millions (I have heard it suggested that it may be hundreds of millions) of websites that can be found on their lists. But they can continue to delete fraudulent, racist and terrorist sites from their systems as soon as they are detected.
In addition, there are the manufacturers of the computer operating systems. Obviously we must respect matters of commercial confidentiality, but there must be some degree of co-operation among the handful of giant concerns which each generate vast amounts of profit by exchanging information about potential loopholes in their systems. Also, individually, whatever the commercial pressures, they should never launch a new product on to the market, or upgrade an old one, until they have taken the additional time to see that it is not vulnerable to an attack.
The problems that I have just mentioned are only on the periphery of the concerns raised by the noble Lord, Lord Harris. But cyber vandalism, in the form of launching destructive viruses and worms, is just as much a crime as vandalising someone's house, and cyber crime in the form of identity theft or fraud is just as much robbery as housebreaking or mugging. Spreading racism or incitement to terrorism is no less objectionable or criminal than any piece of street-corner demagoguery; in fact, it is worse because of the worldwide audience that it can reach.
The state has a duty to protect its citizens against all these crimes, just as it has a duty to protect them against any other crime. But, in addition to these cyber crimes against individuals, there is also a far greater potential crime: it is what may properly be described as the weapon of mass destruction of cyber space. This is not mere hyperbole. What else is a weapon that can disrupt water supplies without poisoning a single reservoir, that can disrupt communication and transport networks without bombing a single building, or that can cause chaos to social services without killing a single pensioner? It is not a weapon dependent on the production of nuclear, chemical or biological weapons, and it is not dependent on the attacker breaching the frontiers of our country or evading biometric passport controls. All that is needed is a source of electricity and a telephone line.
The entire industrial world and, indeed, most countries are now entirely dependent on computer systems for banking, finance and other commercial interests, telecommunications, transport systems, including air traffic control, water systems, energy and emergency services. There is no doubt that a determined attack on any of those could wreak havoc, at least for a short time, and could possibly cost lives.
I hope that the Minister will tell us what the Government are doing to protect us against such a situation. I shall tell him what we on these Benches would like to see in place. First and foremost, we would like there to be a Minister for homeland security, such as now exists in the United States of America. It is no use such a responsibility simply being a part of the duties of the Home Office. The Home Secretary has more than enough to preoccupy him. We need a single Minister with the single duty of protecting us and our commercial interests from attack within our shores.
I hesitate to reopen old battles, but I would like to remind the Minister of the efforts that I had to make in the interests of academic freedom during the passage of the Export Control Act 2002 to permit the continued exchange of information between scientists, particularly in the area of encryption of computer data, which is an essential tool in the protection of communication systems.
In 1998, President Clinton issued a presidential directive requiring,
"a goal of a reliable interconnected and secure information system infrastructure by the year 2003".
The directive goes on to require policies that,
"address the cyber and physical infrastructure of the . . . Government by requiring each department and agency to work to reduce its exposure to new threats".
Those objectives will be achieved by setting up a national co-ordinator whose scope,
The National Infrastructure Protection Center, set up by the FBI, fuses a whole alphabet soup of government agencies. The presidential directive calls for the setting up of an information sharing and analysis centre by the private sector.
I would be the last person to advocate the setting up of any more quangos in the United Kingdom, but it is clear that national and local government have neither the time nor the expertise to handle that very critical problem on their own, to say nothing of the waste of time caused by duplicated effort and interdepartmental rivalry and secrecy.
As long ago as February 2003 the Government announced the setting up of an organisation called the Central Sponsor for Information Assurance to,
"bring together information technology expertise from across government and to work with the public and private sectors to ensure that risks to the national information infrastructure are appropriately managed".
It would be most helpful if the Minister could define the word "appropriately" so that we can judge the adequacy of those plans.
This debate gives the Minister the opportunity to tell your Lordships within, of course, the constraints of national security (mentioned by the noble Lord, Lord Bradshaw) what progress that new agency has made in meeting its objectives; what progress has been made by the European Network and Information Security Agency, set up at the same time as our own domestic agency; what degree of co-operation exists between our own agency and the European one; and what degree of co-operation exists between both of them, on the one hand, and the United States' National Infrastructure Assurance Council, on the other.
All the activities to which I have referred are criminal. What is required is an international convention whereby the perpetrators can be tried like the pirates they are, wherever they are caught, no matter to which country their activities are directed and no matter what their motivation. Personally, I would like to see the Government undertaking to promote such an international convention, especially in our forthcoming capacity as president of the EU and of the G8 industrial giants.
In the light of recent small-scale, random and individual computer attacks, which the Government should regard as a warning of things to come, I hope that we shall receive from the Minister, not just warm words of reassurance, but news of what Winston Churchill used to describe as "action this day".