Previous Section Back to Table of Contents Lords Hansard Home Page

Lord Bassam of Brighton: My Lords, I would like to place on the record my thanks to all those who have taken part in this short but very valuable debate this afternoon about something which is obviously of central and critical importance. I am especially grateful to my noble friend Lord Harris for his continued interest in this area of government activity.

We have heard a lot this afternoon about cyber-vandalism, "botnet armies" and attacks on systems from slammer worms and so on. It begins to paint a picture of quite understandable concern about a very complex issue. Today's society is complex and inter-connected. We live in complex times and in a world where global events determine what happens across and between nations and where systems can be particularly susceptible to attack from places far away. It is right that we carefully look at and manage our response to that.

At its heart is a technology infrastructure that supports virtually every aspect of our interdependent lives. Some parts of that infrastructure are considered to be so important that the loss of them would cause serious disruption or worse to society. We have heard some examples of that during the course of the debate. This structure, the critical national infrastructure, (CNI) is well known to all of us.

In the United Kingdom the CNI is broken up into 10 sectors—communications, energy, finance, government and public services, water and sewerage, health, emergency services, transport, hazards and public safety, and food. Each of those touches our lives in some way, from significant through to trivial. The failure of parts of the CNI might have drastic consequences in personal, economic, commercial, law enforcement or even national security terms.

Like every other strategic service that the nation operates, the CNI is vulnerable to attack from a list of potential aggressors. However, the nature of the CNI makes it particularly vulnerable to attack by the very components from which it is constructed; namely, computers. A range of individuals may seek to do damage. Those range, as my noble friend Lord Harris said, from the nerdy schoolboy with a computer in his bedroom able to hack into a system, through to the hostile state anxious to acquire our secrets or to damage our economy.

More seriously, there are also terrorists who would challenge and seek to undermine democratic society using any methods within their grasp. It is not
9 Dec 2004 : Column 1075
complacent to say this; but perhaps it should be made plain that at the moment they do not appear to be interested in attacking us electronically. However, as we all know, that could change at any time. So it is right that we should be in a state of ready preparedness.

To focus and co-ordinate the Government's response to these threats, in 1999, as my noble friend Lord Harris said, the then Home Secretary set up the National Infrastructure Security Co-ordination Centre (NISCC). Its remit remains unchanged: to minimise the risk of electronic attack against the critical national infrastructure.

A number of parts of government contribute towards NISCC—defence, trade, the intelligence agencies, central policy and law enforcement. The Home Office, the Cabinet Office, the Department of Trade and Industry, the Ministry of Defence, the Security Service, the National Hi-Tech Crime Unit and CESG—a part of GCHQ—all contribute effort and expertise to that.

However, not all of NISCC's expertise is drawn from the public sector. Most of the CNI is owned and operated, as we know, by the private sector. NISCC has developed a number of innovative ways in which to harness the very extensive expertise that exists in that sector. It seeks to combine this with public sector input to provide assurance to the Government about the resilience and robustness of the CNI to withstand electronic attack.

NISCC conducts its work through four broad streams of activity: threat assessment, using a wide range of resources to investigate, assess and disrupt threats; through outreach work, promoting protection and assurance through outreach information sharing and varied communications; by response, by warning of new threats, advising on mitigation, managing disclosure of vulnerabilities and helping the CNI to investigate and recover from attack; and through research and development by advising the most advanced techniques and methods to support efforts across all work streams.

The NISCC is unique in the world as it brings together open sources of information with some of the most sensitive to combine to a common purpose. It produces threat assessments, some general in nature and others tailored to a specific critical national infrastructure sector or company. It will always seek to prevent or disrupt damaging activity against the CNI.

The NISCC issues alerts and advice, often on a 24/7 basis. In the past 12 months, it has issued 40 alerts about incidents or important issues requiring immediate action; for example, news of newly discovered viruses. It has issued 713 briefing papers and technical notes, providing background on IT security matters, and 83 protectively marked assessments and formal reports on the threat from electronic attack to various elements of the CNI. I hasten to add that those latter documents are not in the public domain for important national security reasons.

So today's difficulty in Asia is often tomorrow's problem in Europe. NISCC staff are available throughout the day and throughout the year to help
9 Dec 2004 : Column 1076
support the critical national infrastructure. Now, the NISCC is playing a leading role in identifying key vulnerabilities in systems and working with vendors to get mitigation in place.

Lord Harris of Haringey: My Lords, I am sorry to interrupt my noble friend in mid-flow. He said that the NISCC was available throughout the day and throughout the year. Does that mean that it is not available at night?

Lord Bassam of Brighton: My Lords, perhaps I should have used the term 24/7 because that is exactly what it provides. In the past year it has issued 12 reports about serious vulnerabilities in protocols used across the CNI.

A strong emphasis is placed on international co-operation. As we all appreciate, CNI issues transcend geographical borders. Problems can strike anywhere in the world and affect countries almost immediately. Many countries are seeking to set up structures to protect their critical national infrastructure. Most want to visit the United Kingdom to learn how we do it. We should be proud of our standing as a leader in this important field.

To improve international co-operation, the NISCC publishes an international directory—the first of its kind—of those involved in similar duties across the world. That is no mean feat considering countries have very different ways of organising their CNI protection responsibilities. They often spread across a range of different departments, agencies and private bodies. So far 18 countries have contributed and the list continues to grow.

The NISCC has pioneered a number of information-sharing models which allow CNI providers to "share" experiences in a secure and confidential environment. These models include what are known as information exchanges, which are groups of experts from a particular sector who share experiences on a confidential basis so that the lessons from one can be learnt by many without damaging the commercial interests of anyone. At present, there are six information exchanges and there are plans for more.

Current exchanges are for telecoms, finance, aviation, managed service providers and government. The sixth brings together those companies which use computers to control industrial processes. These processes are known by the generic term SCADA—supervisory, control and data acquisition. In 2003, the NISCC hosted the first ever conference in Europe on SCADA issues. A second conference was held earlier this year, with strong international attendance. The NISCC also works with individual companies and organisations to identify and assure critical systems, examine threats and vulnerabilities and recommend measures further to improve protection.

Another information sharing concept, WARPS—warning, advice and reporting points—encourages the formation of self-help groups for specific communities of interest outside of the CNI. There is no question in my mind that the NISCC's work has improved the
9 Dec 2004 : Column 1077
resilience of the CNI making it much more resistant to attack. Sometimes this work has a much broader impact, improving the resilience of the Internet itself.

It was particularly successful earlier this year in the way it handled a potentially serious Internet communications vulnerability that could have had an enormous impact on the Internet. Over a six-week period, the NISCC team worked with more than 120 software vendors and hardware manufacturers to ensure that sensitive information about the vulnerability was not released before the required software patches were in place. This is just one example of the high-quality and continuing work that is undertaken.

The NISCC is actively engaged with the Department for Transport and industry bodies representing the major transport sectors, such as, in aviation, all major UK airlines. The Multi Agency Threat and Risk Assessment Group, MATRA, run under TRANSEC auspices, covers all UK airport operators. Recently the NISCC started the Aviation Security Information Exchange, to be run like all its other information exchanges and designed to address issues related to protecting that sector from electronic attack.

Turning to the rail system, London Underground, Network Rail, Transport for London and Eurotunnel have all worked with NISCC. It has recently begun preparations on an assurance report on the Channel Tunnel which will comment on its ability to withstand electronic attack. Those are just two examples of the way the NISCC is working.

Concerns have been expressed about staffing and funding. Because of the inter-departmental nature of the NISCC, it is difficult to state the exact number of staff engaged in its work at any one time. The numbers will vary according to the amount of activity required. The NISCC's funding model allows it to buy in extra expertise when needed. Around 90 civil servants are engaged full time on NISCC activity. However, the numbers from the private sector involved in supporting its activities is more difficult to estimate. Not all will work on a full-time basis. Funding for the NISCC is supplied by the contributing departments, and we believe that the level of funding is proportionate to the task in hand.

A number of questions were asked during the course of the debate and I shall try to work through them. An important point was made by my noble friend Lord Harris about how the NISCC operates. As he rightly pointed out, it is only an advisory body. I do not think that that should be seen as weakening the role and function of the body. Although it is advisory, it draws strength from that. In our estimation, the voluntary co-operation that we obtain through NISCC is judged to outweigh the impact of it operating within a more rigorous regulatory framework, although that is not to say that regulation does not play an important part. Indeed, in terms of working with the private sector, there is a certain perception among some elements that there is already
9 Dec 2004 : Column 1078
too much regulation. At this point another layer of regulation might be unwise and perhaps counter-productive.

My noble friend asked whether government departments compile statistics on electronic attacks. Government rules oblige departments to report instances of electronic attacks to the NISCC, which then compiles statistics relating to those, building an understanding of the nature of the problem it regularly confronts. He also asked whether annual exercises are undertaken to test scenarios of electronic attack. Next year a major joint exercise is planned with the US to do precisely that. It will ensure that our systems are protected.

In his contribution my noble friend Lord Harris also stressed the need for powers to recover in the event of an attack on the critical national infrastructure. The general approach in relation to the recovery of those who have been the subject of a serious attack is to place emphasis on the recovery of the system while also taking care to secure the necessary evidence to support a prosecution against perpetrators, if that is appropriate, under the Computer Misuse Act 1990. Moreover, there are further powers under counter-terrorism legislation which the Government can draw on if that is thought to be the right approach. Of course there will be critical times when that is exactly the right approach.

The noble Lord, Lord St John of Bletso, asked about compliance with British Standard 7799. I am afraid that I do not have that information to hand, but I will be happy to write to the noble Lord and copy the correspondence to all noble Lords who have contributed to the discussion this afternoon.

Contrary to the point raised by the noble Lord, Lord Bradshaw, far from being complacent about electronic and cyber attacks we have been very much on the front foot. The setting up of the National High Tech Crime Unit was an important initiative, as was the setting up of the NISCC at the time we did so. We are working very hard to assess the threat and to respond to it.

As to resources, in 2001 we established the High Tech Crime Unit within the National Crime Squad—the noble Baroness, Lady Harris, knows a great deal more about this than I do—and it provides a very valuable service to all. It tackles serious and computer-related crime and helps to enhance the powers of local police forces to investigate criminal activity on-line.

The National High Tech Crime Unit is a key partner within the NISCC and has played a very valuable role. It has established itself as an important focal point for domestic law enforcement. It provides effective strategic assessments on both an operational and tactical support basis and it provides business intelligence and good best practice advice.

Most computer crime is dealt with by officers of the computer crime units of local forces. Child abuse investigation teams and fraud units increasingly have such expertise. These officers will be involved in a range of investigations which will use computer systems and networks to withstand attacks against computer systems.
9 Dec 2004 : Column 1079

As well as funding the National High Tech Crime Unit, we have also provided additional funding for local forces, outside of the police grant, to enhance their ability to investigate criminal activity on-line by funding staff training and equipment. This, together with the creation of the Serious Organised Crime Agency, will help us to lead the way in this field.

We have not been short of putting money into the sector either. The provision for policing in England and Wales has increased by more than £2.3 billion—or more than 30 per cent—between 2001 and 2005, and the recent spending review settlement will allow us to continue with this significant investment in policing. I am sure that I do not need to remind your Lordships that we now have a record number of police officers, and an important element of that is working to take counter measures in this field.

Next Section Back to Table of Contents Lords Hansard Home Page