Nowhere is that vulnerability from interdependence clearer than in network capabilities. A few days ago, the Secretary of State for Defence pointed out, correctly, that if someone were to explode a nuclear weapon in the skies above this country, the electromagnetic pulse would bring down all our networks. That is accurate, but there are three problems with sending such a nuclear weapon. First, it is very costly. Secondly, it takes years to develop. Thirdly, people can generally tell where it came from and spot the culprit. If you wanted to bring down the electronic systems on which the whole of this country is now based, why would you send an expensive, long-developed, easily identifiable intercontinental ballistic missile when you could do it with a mobile phone? It is on one of 32 platforms that would enable you to cripple someone's network and it is developed cheaply by other people. The great thing about sending a message on it is that you can disguise where it came from. If noble Lords think that that is big, let me tell them that in 2008 the biggest intervention of a virus in the American security system was done quite simply with a memory stick, which was given to a member of the American military/security forces. It
14 Oct 2010 : Column 680
Weapons that attack us no longer have to be frigates or sophisticated military systems. They do not have to be expensive and they do not have to give away the attacker. That is the nature of the problem that we are facing. As the good Lord said, it is growing exponentially. I spoke yesterday to somebody from Sophos. When noble Lords turn on their parliamentary machine, they will see that they are protected by Sophos. He told me that last year Sophos found 5,000 incidents of malware every day among their clientele - that is, interventions of a non-benign nature. This year, there are 80,000 a day. At present, the American security system and the public sector in America receive interventions that are unsourced and unidentified to the extent of 250,000 every hour.
There is a vulnerability here that we must try to understand, although we have come late to it. I hope that, as we address it, we will remember one thing - the renowned wisdom of this House. As I said, this device is a means of production of communication but also a potential source of vulnerability, which has been learnt by children and taught by children to parents. It is to be expected in a House like this, for all our wisdom, that we might not be as au fait with technological advances as the younger generation. However, we ignore this at our peril. It should be at the front of our considerations here; I know that it is at the front of the considerations of the noble Baroness who will respond tonight and I hope that it will be at the front of the Government's security deliberations and their conclusions next week. Above all, I hope that, in the course of that debate and in the midst of the wisdom and experience that exist already in this Chamber, I can make some contribution towards our deliberations.
Lord Harris of Haringey: My Lords, it is an enormous pleasure to follow my noble friend Lord Reid of Cardowan and his maiden speech, in the course of which he paid a very graceful tribute to his successor as Member of Parliament. He told us that she had already attained the ripe old age of 25. I am informed that the noble Lord started his political career some considerable period earlier than 25. I am told, in fact, that he led his first strike at the age of about 14 and a half when he was still at school and was objecting to the practice of the fairly disciplinarian head teacher that the children should be kept outside, irrespective of the weather, until the school started. He called a strike of his fellow pupils on the basis that, if they were not allowed in until nine o'clock, they would not go in after nine o'clock. My understanding is that he was successful in that, which demonstrates a robustness and forceful nature, which we have seen in this afternoon's speech. However, we have also seen the noble Lord's other side - his erudite and thoughtful nature. I understand that it is that side that comes in particularly useful in his latter-day role as chairman of Celtic Football Club, where erudition and thoughtfulness are particularly important.
The noble Lord has had 10 years in very senior roles as a member of Her Majesty's Government. He
14 Oct 2010 : Column 681
I am grateful to the noble Lord, Lord Jopling, for his introduction of the report and his work, and the work of his colleagues, in pulling together the report which we have had. It is a very important Select Committee report, and I had the privilege of sitting in on a couple of the evidence sessions to hear the discussion. As the noble Lord pointed out, we are having quite a timely debate following the reported comments of the director of GCHQ in the past few days. He has talked about the significant level of attacks on government systems, many of them precisely and deliberately targeted at those systems. The debate is unfortunately not quite as timely as it might be in that we do not yet have the benefits of the results of the security and defence review or the comprehensive spending review. We will have to wait a few more days for those. However, I hope that that fact of timing will not prevent the Minister from providing us with some more information on how the Government's thinking on these matters is developing.
I have high hopes for the noble Baroness, Lady Neville-Jones, because I am aware of her continued personal interest in matters of cybersecurity and information assurance. I have attended so many meetings over the past few years which she has been at, and which have discussed these matters, that I know that she takes these matters extremely seriously. That includes, for example, her chairing for a period the Information Assurance Advisory Council, which brought - and continues to bring - together industry, academia and government to talk about these matters. We have high expectations of the Minister in what is going to be done in this field over the months and years to come, and I am sure that she will not disappoint us today in her response to this debate.
It is important that we recognise several elements in the issues around cyberattacks and the matters which this report has covered. A few years ago, a lot of these matters were dismissed as the actions of teenage cyberjuvenile delinquents who were merely interested in getting into systems because they were there and, perhaps, in gaining some element of self-respect by leaving their mark on those systems, proving that they had been there - a sort of petty vandalism, expressed in the cyberworld as opposed to the physical world that other juvenile delinquents might be engaged in. Yet we have to recognise that those juvenile delinquents have grown up. Some have grown out of those issues, but others have started their own criminal enterprises; some have been bought up by much more organised and serious criminal enterprises; some have, no doubt, become fundamentalist in their religious views; others
14 Oct 2010 : Column 682
We therefore have not only the continued action and vandalism of the juvenile delinquents but the issues around cyberactivism, of people trying to make a political or other point by mass cyberaction. We have small-scale crime, but more significantly we have an enormous wave of organised crime using the techniques that are now possible through the internet. That is now having an effect. We also have otherwise respectable businesses making use of these criminal techniques to inform themselves of their competitors' activities and, indeed, trying to obtain intellectual property. Then we have state-sponsored activity, some of it at the commercial end but some of it much more about creating the opportunity to attack other nation states if that is necessary. The noble Lord, Lord Jopling, has talked about what happened to Estonia, and numerous incidents are now reported of what are perceived as being - although this is not necessarily the case - attacks sponsored by one nation state against another in this sphere. We have yet to see a serious terrorist act perpetrated through these means, but it is only a matter of time before terrorists also make use of these techniques as an adjunct, as part or as the main focus of their attack.
We therefore have to examine the issues raised by this report in a number of ways. First, while they might not quite meet the definition that the noble Lord, Lord Jopling, gave of a cyberattack, the activities of serious and organised criminality in terms of fraud and all the things that it is trying to do are of such a scale that Governments - national, Europe-wide and worldwide - should be taking them seriously and acting on them.
Secondly, we have to look at the scale of what is happening in terms of corporate raiders, intellectual property theft and the potential for industrial disruption. Again, some of this is by organised crime, but my understanding is that a significant proportion of that is carried out by nation states or at their behest.
Thirdly, and this is particularly important in terms of the responsibilities of our Government and the Minister, there are issues around the attacks on, and the vulnerability of, our own critical national infrastructure. Some of those attacks on government systems are about espionage, but some of them are about creating the potential for disruption.
I have a number of questions or issues that I hope the Minister will be able to respond to. The first relates to the sheer volume of criminality and whether as a nation we are equipping ourselves to keep up with those who are trying to defraud our citizens or otherwise cause problems. There has been a history of law-enforcement initiatives taken in this field. The National Hi-Tech Crime Unit, which was very successful, appeared to disappear when its responsibilities were taken over by the Serious Organised Crime Agency, so much so that the police had to set up a new unit, the Police Central E-Crime Unit - I declare an interest as someone who has been closely involved in that, as a member of both the Metropolitan Police Authority and the ACPO board that oversees it - which has had a series of successes, like the arrests a few months ago of the five
14 Oct 2010 : Column 683
I understand that there are rumours that this unit should be subsumed into the proposed new national crime agency. I have no objection to the new agency, once it is established, maybe taking on this responsibility; it must certainly have a capacity to deal with these matters. My concern is that if we move too quickly to that process, the idea of subsuming a body that is only just beginning to work into a new body that will be going through its own birthing pains is not necessarily sensible. We have had evidence from the outgoing chief executive of the Child Exploitation and Online Protection Centre about the fragility of those structures and the private sector funding of them. He suggested that Microsoft may propose to withdraw the resources that it puts into CEOP because of the uncertainty about its future. I hope that the Minister will give us some assurances today about the continued budget to enable the police to play their role in fighting e-crime, that we will not see the fragile new arrangements subsumed too early into a national crime agency and that there will at least be time for any national crime agency to be established, and to establish itself, before such a change takes place - if that is what happens.
The second issue was referred to by the noble Lord, Lord Jopling, when he talked about the so-called Stuxnet attacks on the control systems of the Iranian nuclear power programme. I have been concerned, as have several noble Lords and others, about the vulnerability of SCADA systems to attack. Is the noble Baroness personally satisfied that enough is being done at present to protect such control systems for our critical national infrastructure, against both the sort of electronic attack that the Stuxnet attack seems to have been and the electromagnetic pulse attacks that the noble Lord, Lord Reid, referred to? He made the valid point that exploding a nuclear device might be rather a visible way of producing an electromagnetic pulse. However, there are regular cycles of sunspot activity that could produce the same sort of effects. The issue of protection remains, whether it is an external attack, a natural event or something triggered electronically.
I would also like the noble Baroness to tell us whether enough is being done to protect the intellectual property of the United Kingdom against electronic attacks. In this context, is she satisfied that the major contractors that provide services to government departments are themselves adequately protected against this sort of penetration? I have heard stories about some of those major contractors being heavily penetrated in possibly state-sponsored incidents. If that is the case it is extremely serious. It is important that the noble Baroness should give us her assurance as to what can be done.
Finally, I hope the noble Baroness will give us, in the course of her remarks, a route map that tells us who is in charge of the various key elements of this matter. Who is in charge of setting the standards of
14 Oct 2010 : Column 684
Baroness Hamwee: My Lords, I thank the noble Lord, Lord Jopling, for introducing this debate. I am glad that there are people who understand all this and can speak the language and handle the acronyms. I use that thought to evade the rule that there should be only one formal thanks to maiden speakers before the winders. I am very glad that we have a "big beast" who was able to get his head around the issues sufficiently to start a new area of work. I am not sure that I should refer to the Minister as a big beast other than intellectually and, to be even-handed, as someone who also has a track record in security.
The noble Lord, Lord Harris, and I briefly discussed the report the other day. Although his speech did not tend in this direction, we agreed at the time that this amounted to something very serious and that something should be done. I tend to see that thought in the report, where we read:
"There was consensus among our witnesses that this was a legitimate area for the EU to be concerned about, and that it had some role to play, but there was no unanimity as to what that role should be".
This is a report about the EU but I entirely take the point made in the speeches we have heard so far that this is a global issue. I was not surprised to read that American witnesses were encouraging about the role of the EU as distinct from national roles. This is a global issue. The phrase "asymmetrical development" is a very polite term for describing the problem of the lowest common denominator.
This is not just about the EU and it is not just about government. As the noble Lord, Lord Harris, said, it concerns every sector from contractors to government departments and the services provided by the private sector. We heard about Northgate but utilities could be affected - the water services, to take one - and traffic lights. The list is very long indeed and it does not take a lot of imagination to get beyond the jargon and think about the real problems that a cyberattack could cause.
I very much agree with the committee that it is for the public sector to take the initiative and offer a real say to experienced internet entrepreneurs in how public/private partnerships are best developed and not leave it to the private sector to come forward with ideas.
While I take the point made by the noble Lord, Lord Jopling, that this is not about cybercrime, like the noble Lord, Lord Harris, I will be interested to hear from the Minister about the role of the new National Crime Agency. Behind technology of any sort are people. That comes through very clearly in the committee's comments on ENISA. The noble Lord, Lord Harris, referred to juvenile delinquents. I sometimes wonder whether states should thank innocent or naive hackers for showing them where problems and weaknesses arise.
The other day I heard a tale from Bletchley Park about a code - not Enigma - which was cracked because the transmitter of a message in code realised that he had made a mistake and transmitted a second message correcting it. That gave those at Bletchley the material to be able to crack the code. It is individuals who can, in what might appear to be small ways, undermine the security of systems.
I, too, am interested in resilience to cyberattacks, the work that is going on and that which can be undertaken in this area - that must be harder to tackle at an international level than at a national or local level - to anticipate technological aspects and human reactions in dealing with cyberattacks. I know that I am not the only person in the Chamber who has heard about what went on immediately following the 7 July bombings. One of the problems of which we became aware pretty quickly was people's tendency to use mobile phones and the effect that had on the mobile phone networks. It is a very human reaction to pick up a phone to find out whether one's family is safe. I wonder whether any thought has been given to involving the media in resilience exercises. I take this lesson also from 7/7: the media have a very important role as people tend to turn on their televisions and radios.
Finally, as a result of work that I and other Members of the London Assembly did following those July bombings, I keep in mind the words of the then managing director of London Underground. He said that the big lesson for us was:
Lord Browne of Ladyton: My Lords, it is a great pleasure to follow the noble Baroness in contributing to this debate. I will not follow the threads that she pulled from it because this is my maiden speech and I am constrained to be, what some might say, uncharacteristically brief. I commend her on her contribution to the debate and the issues that she picked from this helpful report - and more broadly. I, too, await the responses of the Minister to the points that she raises.
As I rise to make my maiden speech, one view is that it is a contribution to the House of Lords that I have waited 14 years to make. In 1996, I was part of the legal team that injuncted - or interdicted, as we say in Scotland - the BBC from broadcasting an interview with the then Prime Minister John Major in the context of the local government elections in Scotland. We were told after the appeal in Scotland that the BBC would take us all the way, and it was granted permission to appeal to the House of Lords. I had my foot almost on the first step of the stairs to the London shuttle when the BBC abandoned its appeal. So while it is characteristic for many maiden speakers in this House to say that they never expected to speak in the House of Lords, I suppose that in my case it could be said that my expectations have waited 14 years to be fulfilled properly.
In those 14 years, I found myself another job as I waited. It was a significant honour and a pleasure for 13 of those years to serve my constituents of Kilmarnock and Loudoun in the other place. They are now represented
14 Oct 2010 : Column 686
It is a particular pleasure to speak in the debate following my noble friend Lord Reid - a habit that I have developed over the years. I shall come to that in a moment. We both learnt our politics in the robust environment of the Labour Party in the west of Scotland, and I can tell noble Lords that we have had a lot of similar experiences, but I know that his collection of anecdotes - or at least the way he tells them - are much more entertaining and certainly more exciting than mine ever were.
After re-election in 2001, my ministerial career was largely spent following my noble friend. I will always be grateful to him for the experience of working with him in the Northern Ireland Office. In many ways, that was the happiest time of my varied ministerial career and I am proud to say that I still have many friends there. That is perhaps not surprising, as my mother - an inspirational 95 year-old - hails from Warrenpoint in the stunningly beautiful County Down. My time in Northern Ireland encouraged my interest in conflict resolution; and that was reinforced by later experiences of conflicts. It is my intention to use the opportunities that my membership of your Lordships' House generates to work in that area, among others.
My services as a Minister in the Department for Work and Pensions, the Home Office, the Treasury and the Scotland Office have all individually left their marks on me, but it was my time as the Secretary of State for Defence for two years, between 2006 and 2008, that left the greatest impression. Over my ministerial career, I have developed a significant admiration for the public service of our Civil Service. It has become fashionable to talk of "bloated public service" and of waste, but that is not my experience. In my view, we have the best civil service in the world, which is part of the construct of this land that makes us all proud to be British.
However, if my admiration for the Civil Service is substantial - and it is - my admiration for our military knows no bounds, after my experiences. The courageous selflessness of those who put their lives and health at risk in order that we can sleep safe in our beds at night deserves a form of thanks for which the English language has recently proved to be woefully inadequate. The sadness and grief that I felt when hearing the news that my friend Lieutenant-Colonel Rupert Thorneloe, the commanding officer of 1st Battalion Welsh Guards, had been killed in action in Afghanistan, was but a fraction of that suffered by his wife Sally, his precious daughters and his parents and family. The sacrifices that the families of our service men and women make in supporting them are equally worthy of our boundless gratitude.
My time as Secretary of State for Defence has left me with the conviction that disarmament is as important to our security as investment in the capability of arms.
14 Oct 2010 : Column 687
That brings me nicely, through security, to the topic of today's debate. I pay tribute to the noble Lord, Lord Jopling, and his committee for their deliberations and for the important and extremely valuable report that they have presented to us. As we have already heard, in recent days we have seen both an attack - we know not from where - on the computer systems running the Iranian nuclear programme and a warning from the director of GCHQ on the need to enhance the UK's cyberwarfare capability, both offensive and defensive. The publication of the Government's strategic defence and security review is imminent. As a review, it promises to go much wider than a traditional defence review in assessing the full range of security challenges facing our country and in providing a joined-up response to those challenges. I hope that it achieves what it sets out to achieve, but the public debate currently surrounding it has not been encouraging. Almost all of the attention, inside and outside government, appears to have focused on the overall size of the defence budget and on which big-ticket defence equipment may have to be scrapped to satisfy the Treasury. This is understandable, given the current economic and financial picture, but it does not amount to strategic thinking. I hope, and wait to be reassured, that the review is conducting that strategic thinking and that the leaks we have witnessed over months have not included it.
As I know the Minister also appreciates, a review of this kind, carried out at this point in our history, needs to focus on more than conventional defence equipment. The nature and character of conflict, and the nature and character of weaponry, is changing. This is not just about unconventional enemies using low technology weapons like those we face on occasion in Afghanistan, but also about high technology weapons being used by potential adversaries to disrupt our society in future. We may be members of NATO, the most powerful conventional military alliance on earth, but we are on occasion in danger of allowing this to generate a comforting misapprehension; namely, that our adversaries will in future engage us in conflicts that play to our strengths, not in unconventional conflicts that play to theirs. This is dangerous thinking.
When the headlines on the SDSR have faded, and the short-term budget battles are over, sober judges will ask not only what we cut but what we invested in. The real test will be whether we have invested to meet the challenges of tomorrow rather than those of yesterday.
As imminent as the publication of the defence review is that of NATO's strategic concept. That presents an opportunity to address the issue of NATO-EU co-operation. I look forward to the contribution from the Minister in the hope that she will give us some indication that the Government will regard as a priority
14 Oct 2010 : Column 688
My final point may arise from my professional prejudice, but is none the less valid. One major issue that needs to be addressed in the cyberdomain is the role of the law, both domestic and international. Domestically, RIPA was drafted before the internet developed into what it is today. Our law needs regular review to ensure that it keeps up with the rapid rate of change that we are witnessing. In particular, we must find ways of making detection and prosecution easier. Internationally, in the absence of sufficient treaty law or UN statutes dealing explicitly with cyber actions, urgently we need to define the role that international law should play in covering either offensive or defensive cyber actions. I should be grateful if the Minister, who speaks for the Government and who we all know has expertise in this field, will reassure your Lordships' House that action in these fields is contemplated and will give some indication of the steps that we can expect to see in this regard.
In closing, I express my gratitude for the warmth of the welcome that I have received in your Lordships' House. In particular, I thank the staff of the House who, with unfailing courtesy and genuine kindness, have eased my transition in a way that has made me feel as welcome here as anywhere I have ever been in my life. On the day of my introduction, the courtesy and kindness that were shown to my family and guests left them with the most positive impression that will remain with them for the rest of their lives. I trust that, with these words, I have observed the conventions of the House. I respect them immensely and I look forward to engaging in debate across a wide range of subjects, almost certainly learning more than I will ever be able to contribute.
Lord Hannay of Chiswick: My Lords, it is a genuine pleasure to have the task of following the distinguished maiden speech of the noble Lord, Lord Browne of Ladyton, and giving him the very warmest of welcomes. I first met the noble Lord just over a year ago when we were both members of the cross-party group that went to Washington to discuss issues of multilateral nuclear disarmament. Over our three days there, he displayed three qualities: a sense of humour that survived even a bruising encounter with Senator Jon Kyl, no friend of disarmament of any kind; affability; and the capacity to address even the most complex and technical subjects - and they do not come much more technical and complex than nuclear disarmament and cyberwarfare - in comprehensible and compelling terms. All these qualities were demonstrated today in his maiden speech. He will be a timely reinforcement to the group of former Defence Secretaries and military men in the House whose skill and experience will surely be of value when we come to address the coalition Government's defence and security policy review, due out next week. He will bring the same qualities to discussion of the issues of multilateral nuclear disarmament, to which he has already made a notable contribution as founder and convener of the
14 Oct 2010 : Column 689
It can be said with a tolerable degree of certainty that this is the first serious full-scale debate in this House, or indeed in this Parliament, on how best to face up to the threat from cyberattacks. However, it will not be the last, because the target against which that threat is directed - our society's increasing dependence on sophisticated forms of electronic communications - is continuing to grow at a frantic pace which shows no sign of slacking; because that is a worldwide phenomenon which increases the vulnerability of every country in the world; and because the target, as it grows, is likely to become softer unless effective countermeasures and increased resilience can be devised.
To believe that that target will not be at risk in circumstances of heightened international tension or open hostilities would be a triumph of hope over experience. Therefore, this report is surely a timely one - a very necessary reminder of the need for sustained effort at the national, European and wider international levels if we are to deal with that vulnerability. I pay tribute, in particular, to my predecessor as the chair of the sub-committee which produced the report, the noble Lord, Lord Jopling, for the masterly way in which he guided our deliberations and shaped our report, and for his introduction to this debate.
First, I shall say a word about the scope of the report. We were guided, as we had to be, by the EU document that we were examining. That document limited itself to cyberattacks. It did not, therefore, cover cybercrime at all and so nor does our report. However, cybercrime is already a massive enterprise. As usual, the criminals have moved more rapidly to capitalise on the opportunities offered by technological advances than the law enforcers have developed ways of frustrating them and bringing them to justice. Therefore, the scale and nature of the problems faced by us and by other states are a great deal larger and more complex than those that are covered in this report.
This new threat from cyberattacks, which is covered in the report, is in almost every way quite different from most other threats that we have faced, and so will need to be our response. If it resembles any other threat, it is perhaps closer to the one that we faced from nuclear weapons in the early years after their discovery, when we did not have a clear idea of what response would work best and whether deterrence would be effective. I am indebted for that analogy to Professor Joseph Nye of Harvard, whose paper, Cyber Power, was published in May of this year and which I commend for its clarity of thought.
Of course, that analogy is not exact - analogies never are. But just as the doctrine of mutually assured destruction has driven us back towards serious work on nuclear disarmament, the realisation that massive retaliation against cyberattacks could well be a cure worse than the disease, risking bringing the whole or large parts of the internet system down in its wake, should push us in a similar direction. The asymmetry of threats from nuclear weapons in the hands of terrorists, which makes nonsense of earlier deterrence doctrines, is matched in some ways by the inherent
14 Oct 2010 : Column 690
This analysis points, as does our report, to the need for a much intensified international dialogue between the main players - the US, the EU and its principal member states, of which the UK is one, China, Russia and a few others - about how best to understand and how best to counter the risks from cyberattacks. Out of better understanding could come better countermeasures and less reliance on what may prove to be faulty doctrines of deterrence. Would all this lead on to international agreements or treaties, or, rather, would it consist in a system of close consultation and confidence-building measures? I suspect that it is too soon to say. Much will depend on the willingness of the main players to work together and to recognise a common interest in avoiding cyberattacks. After all, every cyberattack, however well concealed in its origin, begins in some state's jurisdiction. The willingness of states to act in a co-operative manner is, therefore, crucial. I hope that the Minister will feel able to respond to that analysis when she replies to the debate.
Apart from these wider international considerations, our report focuses naturally on the EU dimension. Here both the report and the Government's very constructive response reveal much common ground. Although national security remains a national responsibility, the UK has an important interest in strengthening the resilience of all 26 member states against cyberattacks and some of them are clearly not well prepared at all. As a member state which is better prepared than most, we could and should play an important role in strengthening overall resilience. After all, these are our biggest markets and our most integrated partners and there should be an opportunity for the UK to play a leading role. It was a welcome sign that all our Commission and ENISA witnesses, as well as those from outside Government, seemed to share that analysis and to welcome a very active British role. I hope that the Minister will confirm that we will do just that; we will do what we can to make Europe-wide training exercises and the testing of systems a real success.
On ENISA and the possible widening of its mandate in the review of its activities which is now taking place, I thought that there was a rather grudging tone in the Government's response, which perhaps is a reflection of financial concerns. But using ENISA to strengthen the European response to cybercrime would surely make sense. Cybercrime does not stop or start at our borders. Weak handling of it elsewhere in the EU will impact negatively on us too, so I hope that the Government will think again about that and will take a positive attitude towards an extension of ENISA's mandate. Of course, the siting of ENISA in Heraklion should never have happened and it would be good if the Government would confirm that that sort of aberrant decision will not be repeated. All the evidence that we received indicated that ENISA was valued by practitioners and was rated as doing a good job, so the case for putting it to better use would seem to be quite compelling.
In conclusion, I would like to pay tribute to the previous Home Office Minister, the noble Lord, Lord
14 Oct 2010 : Column 691
Lord Mackenzie of Framwellgate: My Lords, I congratulate my noble friends Lord Reid and Lord Browne on their powerful contributions to this debate, which augur well for the future of the House. I also thank the noble Lord, Lord Jopling, for his chairmanship of the sub-committee, of which I am a relatively new member, and for securing this important and timely debate in your Lordships' House. His stewardship and guidance were models of how an inquiry should be chaired.
Cybercrime is a growing threat to us all. In my experience, the criminal fraternity will always find new ways to achieve its objectives by harnessing new technology and resources to try to outwit the forces of law and order. Every week, we read of new fraudulent scams to relieve the citizens of Europe, and the world, of their hard-won savings or the use of the internet to groom and subsequently abuse our children. We also hear of new squads being set up by law enforcement agencies to deal with those threats. Indeed, as has been mentioned, we heard only this week from the head of GCHQ that the Government are the target of a thousand malicious e-mails each month. Of course, that figure is increasing in line with the growth of the internet by some 60 per cent each year. It follows that these criminal entrepreneurs - that is what they are - will be recruited by intelligence services of ill disposed foreign powers to penetrate the computer systems of the liberal democracies, epitomised by the European Union countries, either to obtain secret intelligence or to damage defence systems or the basic infrastructure, which we take for granted, of the country being attacked.
We all get unwanted e-mails. I will always remember that, a few years ago, when I first came into this House, there was a debate on spam messages in your Lordships' House. I recall a very elderly Member of your Lordships' House, who is unfortunately no longer with us, rising to berate the Government of the day for doing nothing about them. He said: "They are always advertising the same products: body enhancements, Viagra or inkjet cartridges". He finished by saying indignantly, "My Lords, do I look like a man who requires inkjet cartridges?"
Our inquiry heard evidence from a number of individuals and organisations, but it is fair to say that we were disappointed by the response to our call for evidence. None the less, we should thank those who responded and gave time to assist us in our deliberations. I am pleased that the Government's response is broadly in agreement with the committee in its criticism of the Commission. Through our examination of specific examples of cyberattacks or disasters, it became evident that, although major disruption can be caused, Great Britain is indeed a leader in Europe in dealing with such disruption; others may well follow.
If the EU is seen as a club, the club rules should set standards for dealing with cyberdisruptions or attacks that all member states should aspire to uphold. We are only as strong as our weakest link. Unlike the European Union and the states within it, the internet has no borders and, in a global economy, with multinational corporations using the internet for business, it is imperative that we have a global response to large-scale cyberattacks or disasters. The development of international rules that are properly policed would deter some countries from turning a blind eye, for whatever reason, to such attacks from within their borders.
The Commission communication was therefore a little disappointing in its lack of global response to the growing threat. To attempt to bring down a nation's communications system, transport or banking structure is tantamount to an act of war and it would be legitimate for an organisation such as NATO to be brought into play. Not only would that be using the collective wisdom and resources of the alliance countries, but it would act as a powerful deterrent, as it has to conventional threats. The Commission report was almost silent on that. There may be some value in holding joint exercises in that area to reinforce the essential need for more co-operation among NATO countries. In my experience, it is essential for member states to carry out exercises in this area to enable them to participate more fully in future joint efforts.
The European Network and Information Security Agency, ENISA, has been mentioned. It is an important body and exercised the committee greatly, because policing the internet and dealing with criminal enterprises in this area is important. It is to be hoped that the resources can be found to reinforce ENISA so that it can extend its role. Needless to say, I am rather disappointed once again with the lukewarm response to the committee's recommendations, which seems to raise doubts about the existence of the agency. Perhaps in reply the Minister could give us further assurance on that.
Cybercrime and terrorist attacks are a fascinating subject and I have little doubt that they will exercise us in our deliberations in the months and years to come. As we used to say in the police service, the six "p"s apply: proper planning prevents pretty poor performance. I hope that our deliberations in this area add value to planning to prepare to deal with these matters before they happen.
Viscount Waverley: My Lords, I apologise for rising in the gap. One aspect of today's debate that could be usefully underlined is the need to ramp up co-operation with countries and regions where we have strategic interests and which are themselves at risk, whether because of direct interests in energy supplies, for example, or indirectly through narcoterrorists funding a low-cost cyberattack capability, which would be cheap in relation to the mayhem that can be caused. The central Asia and Caucasus region contains ever growing strategic infrastructure that one way or another does or will serve Europe. The Baku-Ceyhan pipeline is one example. It is doubly more pressing as it is in exactly this region where, some say, the majority of cyberattacks originate.
Two immediate difficulties exist: resources within those regions to counter the problem and the lack of sufficient exchange of information among intelligence communities as a result of insufficient in-depth bilateral co-operation. I hope that an immediate effect of the Foreign Secretary's visit to Moscow will be closer co-operation among our respective intelligence communities. That, in turn, would lead to Russia ceasing to apply pressure on opposite numbers within central Asia and the south Caucasus to be unco-operative with western interests. It should be remembered that central Asia and the south Caucasus are, after all, Russia's backyard. The noble Lord, Lord Browne, mentioned Lisbon. Can the Minister inform us whether Russia has now agreed to attend? That country must be included in debate on international affairs. To improve the situation immediately, I urge the Minister to encourage the sending of representatives at Secretary of State level to Kazakhstan's December heads of state OSCE summit in Astana, with a possibility of a one-day or two-day extension for bilaterals. This would be viewed as the United Kingdom working for mutual benefit.
I listened carefully to the remarks made by the noble Lord, Lord Jopling. The committee and the Home Office appear to agree that cybersecurity is a global phenomenon and requires globally co-ordinated action. The EU appears to be on track in combating the threat of cyberterrorism with its ENISA proposals of 30 September. However, more should be done on basic concepts and on a mid-term to long-term strategy, particularly in regard to an integrated approach including all major players. The Minister could be encouraged to ramp up the debate and implement initiatives at at least G20 level.
In conclusion, a simple analogy to reinforce the case for global endeavours is to compare the threat of cyberterrorism to the threat of the banking sector. We now know that one bank failing can have a catastrophic global impact. The same can apply to the world of cyberterrorism. I do not wish to appear alarmist, but I fear that, whereas suicide bombings have been the weapon of choice in certain quarters, carefully targeted cyberattacks will be the weapon in tomorrow's world.
Lord Rosser: My Lords, I am the final warm-up act before the much referred to and much awaited speech by the Minister. I wish to add my thanks to those already expressed to the noble Lord, Lord Jopling, for the work that he and his sub-committee have undertaken in producing such an informative report into a subject of ever increasing importance and concern. Those concerns have been reflected by every Member of your Lordships' House who has spoken with authority in this debate. I also congratulate my noble friends Lord Reid of Cardowan and Lord Browne of Ladyton on their, as anticipated, impressive and thought-provoking speeches, which gave us the benefit of their considerable and real expertise and knowledge in this field.
The noble Lord, Lord Jopling, in his helpful and informative opening speech, drew attention to the key findings in the report, including the issue of the part that the European Union can usefully play in protecting
14 Oct 2010 : Column 694
There has, of course, been a change of Government since the report was concluded. While we have read their written response, I hope that we will hear more from the Minister when she responds about the views of the new Government on the report and the serious issues it raises, and the extent to which the Government do or do not agree with the stance adopted by the previous Administration in their evidence to the sub-committee. In their reply of 6 July 2010 to the report, the Government state:
"While we are in agreement that cyber security is a significant and increasing facet of national security, the present Government is in the process of reviewing whether there are things we can do better or differently to achieve the same national security goal; that this is likely to extend to the European Union".
It would be helpful if the Minister could explain what that statement means in practical terms. When did the review start? Who is undertaking the review? When will the review be complete? Will its findings be made public? What "things" - that is the word that the Government use - are being looked at to see if they can be done better or differently to achieve what is referred to as the "same national security goal"? Finally on that paragraph, what exactly is it that is,
A number of UK organisations and bodies with independent expertise are referred to in the report and in the Government's response. Will the Minister confirm that these bodies will survive the forthcoming cull?
In their response, the Government say that they will remain actively involved in the discussions under way at the European level on the role for the European Union and that they support the committee's recommendation that this should be focused on the promotion of best practice and on reducing the gap between the most advanced and the less advanced member states. As has been said on more than one occasion today, cyber does not recognise national or European Union boundaries but is also a global threat. We need our international partnerships and alliances, since we have common interests with other responsible nations in sharing information on threats and vulnerabilities.
What are the objectives of this new cybersecurity strategy that it is felt may not currently be being addressed or need updating? Is it part of the "process of reviewing" referred to in the third paragraph of the Government's response, to which I referred earlier?
The importance of this debate and the importance and relevance of the committee's report has been further enhanced in the light of the speech the other day, to which the noble Lord, Lord Jopling, referred, by the director of GCHQ on cybersecurity. He said, as did the committee in its report, that this was not solely a national security or defence issue but went to the heart of our economic well-being and national interest. The committee's report, as the noble Lord, Lord Jopling, highlighted, gives examples of cyberattacks that have occurred which seek to strike at the heart of a country's ability to function. The GCHQ director added further weight to this point in relation to our own country when he said that the threat of cyberattacks to disrupt seriously critical national infrastructure,
"There are over 20,000 malicious emails on Government networks each month, 1,000 of which are deliberately targeting them ... that we have seen the use of cyber techniques by one nation on another to bring diplomatic or economic pressure to bear ... we have seen the theft of intellectual property on a massive scale, some of it not just sensitive to the commercial enterprises in question but of national security concern too ... and that the risks in all these areas are growing along with the enormous growth of the Internet. At the moment it's expanding by about 60% a year".
This includes growth stimulated by the Government as they seek to get services online, not least in response to an increasing public expectation that services will be available in this way. The expectation is that within the next few years, online tax and benefit payment systems could be processing over £100 billion-worth of payments at a time when the increasing cost of e-crime to the economy runs into billions of pounds and organised groups attack not just commercial targets but also online tax systems across Europe.
The GCHQ director commented that cyberspace is contested every day, every hour, every minute, every second, and that he could vouch for that from the displays in his own operations centre of minute-by-minute cyberattempts to penetrate systems around the world. He went on to say that:
Perhaps the Minister could answer the question that the director in effect posed-namely, how high a priority compared with other spending priorities does this Government give to providing the necessary resources to ensure that this country continues to be protected effectively from cyberattacks?
I conclude by congratulating the noble Lord, Lord Jopling, and his committee on a thorough, thoughtful and informative report which has rightly raised the profile of this important and, indeed, worrying issue.
The Minister of State, Home Office (Baroness Neville-Jones): My Lords, I join other Members of the House in thanking my noble friend Lord Jopling for introducing this debate and for his committee's report. It has enabled us to have what I think has been a rather wide-ranging discussion of the issues. He rightly said that it is one of the first extensive debates we have had on cyber generally and, in particular, on cybersecurity. I join noble Lords in welcoming the two noble Lords who made their maiden speeches and say how valuable their comments have been. We look forward to further discussions, and no doubt we will be talking about this subject in the future. I think that we have a House that has a considerable contribution to make, and our new Members have certainly increased our capability.
I should also like to point out that the noble Lord, Lord Reid, set up the Office for Security and Counter-terrorism in the Home Office which continues to function to this day and plays a central role in counterterrorism generally, while cybersecurity impinges on it. As everyone knows, capabilities for cyber are located mainly in the Cabinet Office, and indeed it was my predecessor the noble Lord, Lord West, under whom the Office of Cyber Security and the Cyber Security Operations Centre came into being. They have provided a central capability in government for the first time, and the Government are building on those structures. I pay tribute to our predecessors for starting down this road; we intend to contribute and to build on it. There is no doubt that the saliency of cybersecurity is increasing greatly.
The first thing we did in the Office of Cyber Security was to make a small but significant move in joining the strategy of cybersecurity and information assurance together. It seemed to us that these were closely related subjects and that it made no sense to keep them separate. Information assurance - which is provided not only by patching but also by people - is a key element in increasing our level of security. In his speech yesterday, the director-general of GCHQ Cheltenham said that we could deal with 80 per cent of our vulnerabilities if we increased good practice. Obviously good practice, to a significant extent, comprises keeping up systems and ensuring that they remain as invulnerable as possible. This also depends upon the human element. It is extremely important that if the Government purport to take a lead in this area - which I believe they should - they should themselves be an example of good practice. So one of the things we will do is increase the emphasis inside government and preach the message of information assurance nationally as being a contribution we need.
One element which has not been mentioned, but which we regard as an integral part of national security, is that we should increase capability in the population as a whole and encourage the use of good practice by ordinary users of computers. Indeed, we should upskill our population and, in particular, the level of expertise that we will need in the future for both
14 Oct 2010 : Column 697
In referring to the SDSR, I am rather constrained by the timing of the debate. In one sense it is very good because it comes at a moment when we are thinking about this subject; unfortunately it comes just before the publication of the SDSR and I am unable to say everything that I would like to. However, I should like to give an indication of the direction of our thinking.
A number of important points were made - including by the noble Lord, Lord Browne, who made the key point that the nature of conflict is changing. Although this certainly applies to the battlefield, in a sense, it also applies to society. There is no such thing as a valid distinction of any real kind between how we deal with the threats and challenges to our country abroad if we do not also deal with them at home. Conversely, in order to diminish their significance and threat to us at home, we need to act abroad - the so-called upstream. In this, cybersecurity is key to our military capabilities on the battlefield and to our navy. It is no good having your carriers protected by your frigates and your submarines if the whole shooting match has lost its communications; it is dead in the water. Similarly, at home, we will not succeed in defeating a cyber-enabled terrorist enemy if our own communications are vulnerable. We need to be able to disrupt them, not them to disrupt us. This is the new national frontier. It offers very exciting, interesting and intellectually challenging opportunities for younger people and it is of great import to the nation.
National security is a totality of security, whether at home or abroad, and cyber is a central element in it. Though I cannot unfortunately give detail, I hope that the House will agree when it sees it that we have given due prominence and priority to the cyber element of our strategy.
Iain Lobban laid out the threat - I shall not repeat what he said, because it was put extremely cogently as well as accurately. However, the threat has a number of elements. There is indeed the threat of state-led espionage, which is theft by states. They are out for our valuable intellectual property, which they can then use for their own ends and possibly turn against us. This is a serious threat. We have also the activities of the non-state actors, who use cyberspace as an enabler. It is our task to disrupt them, too. In both cases, as has been said, you have real difficulty of attribution and, correspondingly, difficulty in knowing how to respond. We need to work on the issue of attribution, because, if we do not, we will never succeed in having a sufficient volume of successful prosecutions to act as a deterrent. However, we should recognise that attribution is quite difficult and that there are other things that we need to do at least at the same time but preferably earlier because
14 Oct 2010 : Column 698
There is a feature of patrolling our frontier which is very simple but which points up some of the difficulties that we face. When I visited the NSA, it was said to me that relatively few practitioners and security officers in large corporations, and even in corporations which are internet providers, know what the configuration of their system is when it is operating normally and according to the rules. So if you do not know what it should look like when it is operating according to its own rules, you are most unlikely to spot when there is anomalous behaviour. But spotting anomalous behaviour is your first line of defence. We keep on coming back to the need for those skills.
It is a feature of modern, strategic national security thinking that, very quickly, the strategic descends to the nitty-gritty of operation, because you cannot succeed in your strategy unless you go right down into the weeds. It is one of the more difficult parts of the challenges that we face and it is certainly the case in the cyber area.
Clearly, another part of our approach has to be a focus on closing our vulnerabilities. The issue of our approach to the law was raised. We need to bring in law enforcement. I am more cautious about the question of operating within legal frameworks when it comes to trying to regulate the international scene. That is not to say that we can never have a valid convention. Certainly, the idea that we could have a convention that gives us the rules of the road instead of simply codes of conduct is an extremely attractive proposition. But you have to be confident of two things. First, that those who sign conventions will actually then obey their precepts and not seek to go outside them while you observe the rules. Otherwise, you are putting yourself at a disadvantage. Secondly, in that situation, you need to be able to ensure that you can verify what they are doing. It adds to your vulnerability when you have people signing up who may not be entirely trustworthy.
With the old-fashioned, legitimate arms control that I and many noble Lords grew up with, you could go out and verify how many missiles you had because you could count them. This is more difficult. We return to the problem of attribution. I am cautious about the notion that conventions in so immature an area would serve our interests. I am keener on the notion that we seek to close our vulnerabilities and ensure that we defend ourselves adequately nationally. We must also propagate best practice among others who are linked to us and who may be less well equipped. I will come in a moment to international co-operation.
Another part of our strategy is dealing with crime. The noble Lord, Lord Harris, asked whether we are doing enough and the answer is no. We are not doing enough and we have to up our act. We heard that from Sir Paul Stephenson, in terms, a couple of days ago. We have not yet taken a decision on precisely what will happen to the e-crime unit and the position it will have in relation to the National Crime Agency. However, I can say - and I mean this - that it has to be and will be
14 Oct 2010 : Column 699
Focusing resources on detection and on international co-operation is a crucial part of following any crime chain and this is a classic area where there is international contact and an international link. There are few big scams and crimes that do not have a significant international dimension. An attack that takes place in the United Kingdom could originate in another country, so you cannot bring people to justice without the help of others overseas. The answer is that we are barely at the starting gate and in this whole area the House will agree that we are still doing baby steps.
Points were raised in the debate about the vulnerability of our critical national infrastructure. Our predecessors in office did a great deal of serious work in this area but there is still more to be done. The NPIA - I am not sure that I have got that acronym right, but I mean the agency with responsibility for protecting the national infrastructure, which is the office that springs from the Security Service - has a powerful relationship these days with a number of the really strategic elements in the national infrastructure and gives advice. It has helped infrastructure operators to upgrade their performance.
That brings me to one of the major points that I wish to make. I was asked whether we are doing well enough in these areas. I do not think that we are doing badly, but there is clearly more to do. One thing that absolutely stands out when you start to think about cyber is, while the Government must take the lead, where the responsibility will lie. It will lie with the Government, including ensuring that we retain our national capabilities. But we are clearly not going to be able to have an effective national platform, which not only protects the operation of our society but gives us economic advantage internationally, so people decide to invest in the United Kingdom because they know that it has secure communications that they can trust, except in partnership with the private sector. By that I mean not simply getting the private sector to pay or do what we want; I mean a partnership, and developing policy with the private sector. We need to do it at the strategic level, with the direction in which we need to go, and we need both a general and a sectoral approach. We go back to the fact that the strategic level descends extremely quickly to the operation consequence. We need to have a partnership that does both strategy and operational co-operation, whereby the Government's technical expertise can be brought to bear to help to
14 Oct 2010 : Column 700
I am trying to paint an approach on the part of Government that is perhaps holistic and which takes all the issues and tries to put them together. We are further ahead in some aspects than others, and when we are not so far ahead we need to catch up. I hope that we have at least analysed what we need to do. There is a significant road to go down.
The noble Baroness, Lady Hamwee, asked about the role of the media, which gives me the opportunity to say something about an important aspect. The media are important as they are our means of communication in these issues. They are also absolutely vital to government in an emergency. One thing that we need to be able to do and which we will do is to exercise-and everybody who has been in government knows just how important exercising is. That goes right across the board. One thing that you come across when you start is that you can conduct very few exercises without the electronic and cyber element being an extraordinarily important part of getting through. Making sure that in and of itself we are testing our cyber capabilities and our vulnerabilities is an important part of underpinning other forms of exercising that we do for emergency prevention and preparation.
I was asked about the role of ENISA and the Government's attitude to it. There is no doubt about the Government's support for the continuing operation of ENISA. Its life has not been made easy by putting it in Heraklion, and one could perhaps wish otherwise. I gather that the Greek Government are putting in place some facilities in Athens, which will make it a bit easier for people to get there. It is probably fair to say that they have managed to recruit the staff, although they have not made it easy for ENISA staff to travel. But those who know the Union do not think that it is likely that we will be able to change that, so I think that the fact that there are some offices in Athens is probably the way to build. As for its role, we agree that it has done good work. It is a very small agency with a not very big budget. It is being proposed now that it should have quite a significant increase in its budget. Our view of that is: "Give us the reasons why - a justification. We actually want to see what you think you would do with it". We agree that it potentially has useful roles in the area of crime prevention and of linking up, in the cyberarea, the role of other enforcement agencies such as Europol, and of making them more powerful and effective.
ENISA can do what we hope to do in the national security strategy, which is to bring the elements together. That is a classic co-ordination role and an important and valuable one in this area, given that the elements at the moment are so dispersed and that the performance between member states is so highly variable. The whole notion of bringing others up, who are not as operational but who can represent a weakness in the system, is an important part of what can be done for us. Your Lordships may be assured that we take ENISA seriously.
Similarly, we take NATO seriously. NATO is developing its concept and there is quite a debate going on, as I
14 Oct 2010 : Column 701
There is also almost certainly a division of responsibility to be found between the two organisations. Your Lordships will be aware that - and we are not alone in this - we do not particularly wish to see the EU get into things labelled "national security", although I have taken the view that national security is, rightly, rather a big term and that there will be things that the EU can undoubtedly do to contribute to the success of our collective national security. I believe that NATO will also have a role, which I hope it will seize, because I believe that there are important things to be done, particularly in Europe. That will also strengthen the collective approach.
I am told that time is up. Indeed, I have come to the end. Implicit in all that I have been saying is what a number of noble Lords have mentioned: we need strong international co-operation in international organisations, just as we need bilateral co-operation between the competent agencies.
Lord Jopling: My Lords, as we come to the end of the week's business, I shall delay the House for only a very short time. First, let me say how grateful I am, as I am sure the committee will be, for the kind and generous remarks made to me and about the committee's report. I think that I have heard no criticism at all of the report; indeed, there has been generous approval of it. There is no doubt in my mind that this topic - cyberwar or cybercrime, whatever it be - will recur fairly regularly in our discussions in this House. I was particularly glad to hear the Minister saying that we need to talk about it and I hope that we shall.
The contributions today demonstrate that there is a good deal of expertise on this issue lurking within the House. That brings me particularly to the two maiden speakers, the noble Lords, Lord Reid of Cardowan and Lord Browne of Ladyton. I spoke earlier about our anticipation of their speeches. They have given us an example both of the broad view of this problem and of their great expertise, having been Defence Secretaries in the past. We are most grateful to them and we look forward to hearing them both regularly on this and other issues in future.
I thank the Minister for her comprehensive summing up. I was particularly pleased to hear, in the latter part of her speech, what she said about ENISA and NATO. I have probably said enough at the end of this debate, except to say that I beg to move.