(14 years, 1 month ago)
Lords Chamber
That this House takes note of the Report of the European Union Committee on Protecting Europe against large-scale cyber-attacks (5th Report, Session 2009-10, HL Paper 68).
My Lords, this report on protecting Europe against large-scale cyberattacks followed an inquiry by the Home Affairs Sub-Committee of the European Union Select Committee. The chairmanship of the sub-committee is now in the safe and capable hands of the noble Lord, Lord Hannay of Chiswick. However, I was the chairman during the course of that fascinating inquiry and it therefore falls to me to open this debate.
We published the report on 18 May, seven months ago, the inquiry having begun in November last year. It is a long time, with a very fast-moving subject, since we published the report, and it is unfortunate, for such a fast-moving topic, that we have been prevented—mainly, of course, by the dissolution of Parliament—from having this debate earlier. I know that this is a continuing problem for Select Committees, which spend a lot of time and put a lot of work into their reports and then have to wait for a long time before the discussion comes to the Floor of your Lordships’ House.
I called this a fascinating inquiry. Certainly for me, it opened entirely new vistas. I believe that that was true of many other members of the committee. The process of educating us fell to Doctor Richard Clayton, our specialist adviser, and I pay particular tribute to his expert knowledge and helpful facility for explaining things to those less expert than him. I especially want to thank our clerk, Michael Collon, whose expertise, both in the past and in a continuing way, is of huge value to the Select Committee. The debate today brings with it two maiden speeches to which I, for one, am eagerly looking forward. They are from very distinguished experts in this field, both former Defence Secretaries, and I look forward enormously to their comments in the context of this report.
Anyone who doubts the havoc that successful cyberattacks can cause, and so the importance of protection against these attacks, needs to look no further than the opening pages of our report to see how in May 2007 Estonia virtually ground to a halt as a result not of, as it thought, activities by the Russian state, but perhaps more probably—no one is entirely sure—of activities by a number of disgruntled Russian students. More recently, noble Lords may have read about Stuxnet, a highly sophisticated virus designed to attack specific industrial infrastructure. It is so refined that many think that it could have been created only by a state. Computer systems in Iran have been particularly affected, and there is speculation that it could have been directed at one of the Iranian nuclear facilities—the Bushehr nuclear power plant or the Natanz uranium enrichment facility. There is no doubt that an appropriate virus of that sort could cause catastrophic failure at such a facility. That is a genuine example of cyberwar.
Colleagues will be aware of a speech made this week by Iain Lobban, the head of GCHQ at Cheltenham, which was reported in the Daily Telegraph yesterday. He said that cyberattacks pose a threat that,
“goes to the heart of our economic well-being and national interest”.
He went on to warn of,
“the threat from terrorists, criminals and hostile states using the internet”.
He said that:
“Government systems are being hit by email-borne attacks 1,000 times a month”.
Finally, he spoke of GCHQ,
“detecting more than 20,000 malicious emails on government networks each month”.
Those are examples of the possibilities with regard to cyberattacks.
I mention them for two reasons: first, as an illustration of the importance of protection against cyberattacks, although I am sure that noble Lords were never in any particular doubt about that; and, secondly, to make clear what our report means by cyberattack, since it is often confused with cybercrime. Cyberattacks are aimed at destroying or disabling major computer networks, such as power networks, communications or financial operations. They are obviously criminal acts. What is more accurately described as cybercrime is interference with personal internet security. By its nature, it relies on internet systems being up and running.
The trigger for our inquiry was a communication published by the European Commission in April 2009, entitled, Protecting Europe from Large Scale Cyber-attacks and Disruptions: Enhancing Preparedness, Security and Resilience. The disruptions to which the title refers are those caused by major natural disasters, such as Hurricane Katrina in 2005, or major accidental damage, such as the explosion at the Buncefield oil refinery in December 2005, which destroyed the offices of a company running a payroll system for employers of one in three Britons. In that case, the disruption was potentially severe, but the effects were not. That is an illustration of a point that witnesses made to us repeatedly; namely, that the internet is remarkably resilient. One of our witnesses said that it was designed to withstand a nuclear war. Noble Lords may find that comforting. Certainly I do. But at the same time it still means constant vigilance and absolutely no complacency.
The internet is global. Attacks are potentially global in scope and protection mechanisms must be prepared to meet global attacks. Our inquiry examined what role the European Union could play in defending the member states against attacks which would as easily come from outside the European Union as inside. Our conclusion was that much could be done only at local or at global level, but that there were also many areas where intervention at EU level could be helpful. However, the communication says little about the role of the European Union in a global context. That is unfortunate because there is no way in which any effective action can be taken at EU level without consideration of its effects at global level and the effects on it of global developments.
Network security is largely in the hands of organisations called computer emergency response teams, or CERTs. These organisations study network security to provide incident response services to victims of attacks and to publish alerts against attacks. In the UK, many large companies have their own CERT, as do organisations which have a common interest. JANET is a CERT for the academic world which protects up to 16 million people who are probably mostly unaware of its existence. The Government have their own CERT to protect the public sector, but there is no UK national CERT—nor does the committee believe that there is any need for one. The current system seems to work extremely well.
We were concerned that the Commission proposed that all member states should have national CERTs. We were hoping to read in the Government’s response that they had no intention of setting one up in the UK. In fact, we read in their response:
“The Government understands the argument that a national CERT would be of no added value to the UK, and that the current CERT network provides more effective protection. At this stage, we need to keep an open mind as to the best structures to support cyber defence and response in future”.
I am all for the Government keeping an open mind, but I hope that the Minister can assure us that they will not be setting up a national CERT just to satisfy the Commission’s yearning for tidiness. This is a classic example of, “If it ain’t broke, don’t try to fix it”.
But that is not always the case elsewhere. While some member states have the same model as the UK and others have national CERTs that work well, other states have little or no CERT capacity and what they have is distinctly broke. In the case of these states, what the Commission proposes could be valuable. It will benefit the United Kingdom if other states have effective internet protection because we could suffer problems within the global network through ineffective protection in other member states. We suggested that in the member states where there are too few or inadequate CERTs, the Government should support this proposal. Their response did not address this and I should be most grateful if the Minister would give us that response today.
Those who in the past have listened to debates on the European Union Committee’s reports on home affairs will have heard me, on a number of occasions, deploring the lack of co-operation and co-ordination between the European Union and NATO. Protection against cyberattacks is a form of civil protection and one that is increasing exponentially in importance. After the attacks on Estonia in 2007, NATO became alarmed and stepped up its work in this field. So did the EU, but not in a co-ordinated way between them. We recommended, as we have before, that the two institutions should co-operate and co-ordinate rather than proceeding on their separate, parallel ways, and we urged the Government to intervene to make this happen. In their response the Government said that greater co-operation between the EU and NATO was a priority. I should be glad to know what developments have taken place in the mean time, and how successful they have been in pushing what they describe as “their own priority”.
In evidence to us, the then Minister for security, the noble Lord, Lord West of Spithead, was doubtful whether NATO had any part to play in protecting the internet, saying that he did not regard it as the appropriate body unless the security of an individual member was threatened. As his successor as Minister, does my noble friend Lady Neville-Jones share that view in the light of what I have just said?
Lastly, I turn to the European Network and Information Security Agency. The Council decided that the agency should be sited in Greece, and the Greeks decided that it should be sited in Crete at Heraklion. They do not seem to have given any consideration to the problem of recruiting and retaining specialist staff in a remote place which has no international school, nor to the fact that it can mean up to two extra days of travelling time for those attending meetings, especially in winter when flights are very limited. We recorded the criticism and frustration that this has aroused, but we accept that nothing can be done at this stage to reverse the situation. However, we welcomed the decision of the Greek Government to make office space available in Athens for meetings, eliminating the need to go to Crete. I am glad to read in the Government’s response that this arrangement is working well.
At this stage I should like to suggest that in the future, when the European Union is sharing functions around the member states, the allocation should not just define the state concerned but also where that state intends to locate it. The Government say that the location does not seem to have resulted in an inability to recruit and retain staff, but in the next breath in the response they add that,
“it is clear that the location is a major factor when professional staff consider applying for posts”.
This seems to imply that the persons best qualified may not be applying for jobs. I hope the Minister will say whether or not this is so. I am far from suggesting that only second-rate persons apply for these posts, but it would be unfortunate if the best are inhibited from applying. This would be particularly the case for applicants from the United Kingdom, which is about as far from Heraklion as it is possible to get within the European Union.
ENISA was originally set up with a five-year mandate. This was extended by a further three years, expiring in March 2012. We expressed the hope that agreement could be reached well before then to extend the remit of ENISA to cover matters such as police and judicial co-operation over criminal use of the internet. Within the past two weeks, the Commission has issued two proposals. The first would simply extend the mandate by a further 18 months, expiring in September 2013. The express purpose of this is to give time for consideration of a second proposal; namely, a revision of the regulation setting up ENISA.
In its Explanatory Memorandum to the regulation, the Commission said that it had considered three options. It agreed to some expansion in the tasks of ENISA, adding law enforcement and privacy protection authorities as fully-fledged stakeholders, but it decided against adding either fighting cyberattacks or the response to cyberincidents, or supporting law enforcement and judicial authorities in fighting cybercrime. This is a rather timid move and is not in accordance with the rather bolder suggestion in our report. We expect in due course to receive from the Government their own Explanatory Memorandum of their views on this, but I should be grateful if the Minister could today give the House some indication of their thinking about an extension of ENISA’s role. What I would hope to hear is that they share our view and intend to press for further expansion of ENISA’s remit in the course of the negotiations on this proposal.
I have come to the end of what I want to say on this fast-moving topic. The United Kingdom, the EU and, indeed, the whole civilised world must keep a step ahead of potential attackers. The previous Government seem to have recognised the importance of this and to have taken decisive steps to counter the threat. I hope the Minister can confirm that the coalition Government will continue on this path and, particularly, encourage the European institutions to play a useful part. I commend the report to the House. I beg to move.
My Lords, I am delighted to make my first speech in this Chamber, particularly in the company of my noble friend Lord Browne. I do not suggest that this is as fair a pair of maidens as has ever graced the Chamber, but I hope that our contributions will in some way illuminate the deliberations here. I am also pleased to be making my first contribution during such an important debate and discussion—albeit late in the day and late in the week. Nevertheless, I thank the noble Lord, Lord Jopling, for introducing it and the noble Baroness, Lady Neville-Jones, for the response that she will give on behalf of the Government on such an important issue.
I declare a manifest interest in these matters, as registered, not least as chair of the Institute for Security and Resilience Studies at University College London, which attempts to address some of these difficult issues.
I had the honour of serving for almost a quarter of a century in another place and in one or two ministerial posts—there were about nine, actually—at the behest of the last Prime Minister but one, my friend and colleague the right honourable Tony Blair. During that time, I hope that I gained a little experience with which I can contribute in this House. I was always impressed by the wisdom of this House. The first part of that wisdom is to recognise that, when one comes here, whatever one’s experience, such is the experience already vested here that it would be extremely wise to approach the place not with pride but with a degree of humility. So I do tonight, in the company of some honourable and right honourable previous friends, now noble Lords, who have graced this Chamber with their views on security matters. I thank them and all the staff for the welcome that I received when I arrived here. It was warm; it was cordial; it was hospitable; and, for those of us who came from another place and were more used to the Jeremy Paxman approach to building relationships, it was disconcertingly fraternal from every other point of the House. I thank everyone for that.
I should also place on record my thanks to my constituents in Lanarkshire, who until the last election gave me loyalty and support for some 23 years and who in their wisdom have now chosen the baby of the other House, Pamela Nash, who, at 25 years of age, brings to the post of MP for Lanarkshire the youth, grace, dynamic approach, energy and attractiveness that have always marked Lanarkshire MPs. I wish her well. At 25, she has, I am sure, a long and very successful future in front of her.
It was in Lanarkshire, that area of coal, steel, comradeship and what we called the craic, that the character, values and world views that I now hold were first forged. It was there that I first saw, through my parents—Tommy, a postman, and Mary, a factory labourer—and our neighbours, that potent combination of features that have formed the basis of my outlook in politics. It is a combination of individual personal aspiration, community solidarity and indomitable endurance in the face of adversity. Though the material conditions that gave rise to that particular holy trinity of elements of political philosophy have now disappeared, the potency of their inherent value remains within the culture and character of this nation as a whole. Any political party that fails to realise that and abandons those three characteristics will fail to connect with the electorate. The true dynamo of our society is not the actions of politicians or the intervention of the state but the aspiration of ordinary men and women to forge a better life for themselves and their families than they inherited from their parents. The role of the state in these matters—this is part of personal security—is to act as a platform to help people to realise their ambitions. It is never to act as a substitute for those ambitions. If it ever becomes that, it will only stifle the growth and dynamism that is within the British culture.
It was also in Lanarkshire that I was first acquainted with the essential problem depicted in tonight’s debate—that of digital communication, transfer of information and cybertechnology, with all its opportunities and challenges. I want briefly to tell a story, because it illustrates how the world has changed. Just under 25 years ago, on 3 January, I set out with 12 others to walk from Gartcosh in Lanarkshire to London in an attempt to retain the Gartcosh steelworks. We believed that, if the steelworks went, that would be the precursor of the decline of steel and 25,000 jobs in Lanarkshire, as happened subsequently. As we set out on the journey, I was given—by a Scottish newspaper, the Daily Record, if I remember correctly—the latest in global human technological communications. It was called a mobile phone. It looked like a brick. It weighed the same as a brick and was just about as effective as a brick when it came to telecommunications. It had to be charged overnight for 12 hours and it lasted for two hours, provided that you did not make any phone calls. However, it was a revolutionary transformation in communications. In its essence, it was a leap change from anything that had gone before. It was the beginning of a global revolution.
I recalled that experience earlier today when I was reading the report on cyberattacks to which the noble Lord referred. In the past 25 years, we have travelled further and faster in human communications and information exchange than in all the previous millennia in aggregate. That is the true meaning of a globalised world. It is a world that is becoming more complex and more difficult to understand. It is a world in which, for the first generation, parents have been taught by their children how to communicate through the internet. But it is a world that we in this House must attempt to understand because, if we do not, we will not understand any of the problems that we face.
Perhaps I can convey it this way. I do not know how many noble Lords have read Stephen Hawking’s A Brief History of Time. I commend it to everyone in the House, although I could not understand anything beyond chapter 4. One element of it gives us a model for understanding the present world. His contention is that, if we could understand the laws that govern the movements of the smallest things in the world, or quantum mechanics, and combine them with the laws that govern the movement of the largest things—planets and the general theory of relativity—we could understand the mind of God.
I am far too modest to claim that I will explain the mind of God tonight, but if we want to understand the world in which we live we should start with the smallest thing, the microchip, and combine it with the largest process, which is globalisation. “Globalisation” is a word that is continually used but rarely defined. It has two characteristics. It is a network world—its first characteristic is the interchange of finance, trade, goods, people and ideas, which have been enabled by digital communications. But it also has interdependence. We are now so interlinked to that network world that, if swine flu starts here, it spreads rapidly everywhere. If a financial crisis starts somewhere, within days it can spread throughout the globe. If a foreign country cuts off our energy, it can cripple us.
Nowhere is that vulnerability from interdependence clearer than in network capabilities. A few days ago, the Secretary of State for Defence pointed out, correctly, that if someone were to explode a nuclear weapon in the skies above this country, the electromagnetic pulse would bring down all our networks. That is accurate, but there are three problems with sending such a nuclear weapon. First, it is very costly. Secondly, it takes years to develop. Thirdly, people can generally tell where it came from and spot the culprit. If you wanted to bring down the electronic systems on which the whole of this country is now based, why would you send an expensive, long-developed, easily identifiable intercontinental ballistic missile when you could do it with a mobile phone? It is on one of 32 platforms that would enable you to cripple someone’s network and it is developed cheaply by other people. The great thing about sending a message on it is that you can disguise where it came from. If noble Lords think that that is big, let me tell them that in 2008 the biggest intervention of a virus in the American security system was done quite simply with a memory stick, which was given to a member of the American military/security forces. It was a handy gift; he put it in his laptop, plugged in and logged on and, within hours, the virus was all over the American security system.
Weapons that attack us no longer have to be frigates or sophisticated military systems. They do not have to be expensive and they do not have to give away the attacker. That is the nature of the problem that we are facing. As the good Lord said, it is growing exponentially. I spoke yesterday to somebody from Sophos. When noble Lords turn on their parliamentary machine, they will see that they are protected by Sophos. He told me that last year Sophos found 5,000 incidents of malware every day among their clientele—that is, interventions of a non-benign nature. This year, there are 80,000 a day. At present, the American security system and the public sector in America receive interventions that are unsourced and unidentified to the extent of 250,000 every hour.
There is a vulnerability here that we must try to understand, although we have come late to it. I hope that, as we address it, we will remember one thing—the renowned wisdom of this House. As I said, this device is a means of production of communication but also a potential source of vulnerability, which has been learnt by children and taught by children to parents. It is to be expected in a House like this, for all our wisdom, that we might not be as au fait with technological advances as the younger generation. However, we ignore this at our peril. It should be at the front of our considerations here; I know that it is at the front of the considerations of the noble Baroness who will respond tonight and I hope that it will be at the front of the Government’s security deliberations and their conclusions next week. Above all, I hope that, in the course of that debate and in the midst of the wisdom and experience that exist already in this Chamber, I can make some contribution towards our deliberations.
My Lords, it is an enormous pleasure to follow my noble friend Lord Reid of Cardowan and his maiden speech, in the course of which he paid a very graceful tribute to his successor as Member of Parliament. He told us that she had already attained the ripe old age of 25. I am informed that the noble Lord started his political career some considerable period earlier than 25. I am told, in fact, that he led his first strike at the age of about 14 and a half when he was still at school and was objecting to the practice of the fairly disciplinarian head teacher that the children should be kept outside, irrespective of the weather, until the school started. He called a strike of his fellow pupils on the basis that, if they were not allowed in until nine o’clock, they would not go in after nine o’clock. My understanding is that he was successful in that, which demonstrates a robustness and forceful nature, which we have seen in this afternoon’s speech. However, we have also seen the noble Lord’s other side—his erudite and thoughtful nature. I understand that it is that side that comes in particularly useful in his latter-day role as chairman of Celtic Football Club, where erudition and thoughtfulness are particularly important.
The noble Lord has had 10 years in very senior roles as a member of Her Majesty's Government. He was in the last Government what I think should be described as a “big beast”, with the emphasis on some occasions on the word “beast”. I worked closely with him in a number of those roles, in particular in his time at the Home Office. One of the achievements of that period is a lasting one: the creation of the Office for Security and Counter-Terrorism. This country will learn to realise how significant and important it has been, and that is down to my noble friend. His contribution today has demonstrated the qualities of robustness and erudition that we will all expect to hear much more of in the time ahead. We do indeed look forward to many further contributions of a similar nature.
I am grateful to the noble Lord, Lord Jopling, for his introduction of the report and his work, and the work of his colleagues, in pulling together the report which we have had. It is a very important Select Committee report, and I had the privilege of sitting in on a couple of the evidence sessions to hear the discussion. As the noble Lord pointed out, we are having quite a timely debate following the reported comments of the director of GCHQ in the past few days. He has talked about the significant level of attacks on government systems, many of them precisely and deliberately targeted at those systems. The debate is unfortunately not quite as timely as it might be in that we do not yet have the benefits of the results of the security and defence review or the comprehensive spending review. We will have to wait a few more days for those. However, I hope that that fact of timing will not prevent the Minister from providing us with some more information on how the Government’s thinking on these matters is developing.
I have high hopes for the noble Baroness, Lady Neville-Jones, because I am aware of her continued personal interest in matters of cybersecurity and information assurance. I have attended so many meetings over the past few years which she has been at, and which have discussed these matters, that I know that she takes these matters extremely seriously. That includes, for example, her chairing for a period the Information Assurance Advisory Council, which brought—and continues to bring—together industry, academia and government to talk about these matters. We have high expectations of the Minister in what is going to be done in this field over the months and years to come, and I am sure that she will not disappoint us today in her response to this debate.
It is important that we recognise several elements in the issues around cyberattacks and the matters which this report has covered. A few years ago, a lot of these matters were dismissed as the actions of teenage cyberjuvenile delinquents who were merely interested in getting into systems because they were there and, perhaps, in gaining some element of self-respect by leaving their mark on those systems, proving that they had been there—a sort of petty vandalism, expressed in the cyberworld as opposed to the physical world that other juvenile delinquents might be engaged in. Yet we have to recognise that those juvenile delinquents have grown up. Some have grown out of those issues, but others have started their own criminal enterprises; some have been bought up by much more organised and serious criminal enterprises; some have, no doubt, become fundamentalist in their religious views; others are being employed by nation states. We have to recognise the scale and effectiveness of the targeting that can now be done.
We therefore have not only the continued action and vandalism of the juvenile delinquents but the issues around cyberactivism, of people trying to make a political or other point by mass cyberaction. We have small-scale crime, but more significantly we have an enormous wave of organised crime using the techniques that are now possible through the internet. That is now having an effect. We also have otherwise respectable businesses making use of these criminal techniques to inform themselves of their competitors’ activities and, indeed, trying to obtain intellectual property. Then we have state-sponsored activity, some of it at the commercial end but some of it much more about creating the opportunity to attack other nation states if that is necessary. The noble Lord, Lord Jopling, has talked about what happened to Estonia, and numerous incidents are now reported of what are perceived as being—although this is not necessarily the case—attacks sponsored by one nation state against another in this sphere. We have yet to see a serious terrorist act perpetrated through these means, but it is only a matter of time before terrorists also make use of these techniques as an adjunct, as part or as the main focus of their attack.
We therefore have to examine the issues raised by this report in a number of ways. First, while they might not quite meet the definition that the noble Lord, Lord Jopling, gave of a cyberattack, the activities of serious and organised criminality in terms of fraud and all the things that it is trying to do are of such a scale that Governments—national, Europe-wide and worldwide—should be taking them seriously and acting on them.
Secondly, we have to look at the scale of what is happening in terms of corporate raiders, intellectual property theft and the potential for industrial disruption. Again, some of this is by organised crime, but my understanding is that a significant proportion of that is carried out by nation states or at their behest.
Thirdly, and this is particularly important in terms of the responsibilities of our Government and the Minister, there are issues around the attacks on, and the vulnerability of, our own critical national infrastructure. Some of those attacks on government systems are about espionage, but some of them are about creating the potential for disruption.
I have a number of questions or issues that I hope the Minister will be able to respond to. The first relates to the sheer volume of criminality and whether as a nation we are equipping ourselves to keep up with those who are trying to defraud our citizens or otherwise cause problems. There has been a history of law-enforcement initiatives taken in this field. The National Hi-Tech Crime Unit, which was very successful, appeared to disappear when its responsibilities were taken over by the Serious Organised Crime Agency, so much so that the police had to set up a new unit, the Police Central E-Crime Unit—I declare an interest as someone who has been closely involved in that, as a member of both the Metropolitan Police Authority and the ACPO board that oversees it—which has had a series of successes, like the arrests a few months ago of the five men and one woman engaged in stealing the details of more than 10,000 bank accounts and allegedly netting themselves more than £3 million as a consequence. That unit, working with the private sector and levering in resources from it, has been remarkably successful, but it is still new and fairly fragile.
I understand that there are rumours that this unit should be subsumed into the proposed new national crime agency. I have no objection to the new agency, once it is established, maybe taking on this responsibility; it must certainly have a capacity to deal with these matters. My concern is that if we move too quickly to that process, the idea of subsuming a body that is only just beginning to work into a new body that will be going through its own birthing pains is not necessarily sensible. We have had evidence from the outgoing chief executive of the Child Exploitation and Online Protection Centre about the fragility of those structures and the private sector funding of them. He suggested that Microsoft may propose to withdraw the resources that it puts into CEOP because of the uncertainty about its future. I hope that the Minister will give us some assurances today about the continued budget to enable the police to play their role in fighting e-crime, that we will not see the fragile new arrangements subsumed too early into a national crime agency and that there will at least be time for any national crime agency to be established, and to establish itself, before such a change takes place—if that is what happens.
The second issue was referred to by the noble Lord, Lord Jopling, when he talked about the so-called Stuxnet attacks on the control systems of the Iranian nuclear power programme. I have been concerned, as have several noble Lords and others, about the vulnerability of SCADA systems to attack. Is the noble Baroness personally satisfied that enough is being done at present to protect such control systems for our critical national infrastructure, against both the sort of electronic attack that the Stuxnet attack seems to have been and the electromagnetic pulse attacks that the noble Lord, Lord Reid, referred to? He made the valid point that exploding a nuclear device might be rather a visible way of producing an electromagnetic pulse. However, there are regular cycles of sunspot activity that could produce the same sort of effects. The issue of protection remains, whether it is an external attack, a natural event or something triggered electronically.
I would also like the noble Baroness to tell us whether enough is being done to protect the intellectual property of the United Kingdom against electronic attacks. In this context, is she satisfied that the major contractors that provide services to government departments are themselves adequately protected against this sort of penetration? I have heard stories about some of those major contractors being heavily penetrated in possibly state-sponsored incidents. If that is the case it is extremely serious. It is important that the noble Baroness should give us her assurance as to what can be done.
Finally, I hope the noble Baroness will give us, in the course of her remarks, a route map that tells us who is in charge of the various key elements of this matter. Who is in charge of setting the standards of security for our critical national infrastructure? Who is responsible for attributing where attacks are coming from? Who is responsible for managing resilience and recovery, should an attack take place? Who is responsible, if necessary, for retaliation or taking out those who are carrying out these attacks?
My Lords, I thank the noble Lord, Lord Jopling, for introducing this debate. I am glad that there are people who understand all this and can speak the language and handle the acronyms. I use that thought to evade the rule that there should be only one formal thanks to maiden speakers before the winders. I am very glad that we have a “big beast” who was able to get his head around the issues sufficiently to start a new area of work. I am not sure that I should refer to the Minister as a big beast other than intellectually and, to be even-handed, as someone who also has a track record in security.
The noble Lord, Lord Harris, and I briefly discussed the report the other day. Although his speech did not tend in this direction, we agreed at the time that this amounted to something very serious and that something should be done. I tend to see that thought in the report, where we read:
“There was consensus among our witnesses that this was a legitimate area for the EU to be concerned about, and that it had some role to play, but there was no unanimity as to what that role should be”.
I suppose that is formal speak for the same thought.
This is a report about the EU but I entirely take the point made in the speeches we have heard so far that this is a global issue. I was not surprised to read that American witnesses were encouraging about the role of the EU as distinct from national roles. This is a global issue. The phrase “asymmetrical development” is a very polite term for describing the problem of the lowest common denominator.
This is not just about the EU and it is not just about government. As the noble Lord, Lord Harris, said, it concerns every sector from contractors to government departments and the services provided by the private sector. We heard about Northgate but utilities could be affected—the water services, to take one—and traffic lights. The list is very long indeed and it does not take a lot of imagination to get beyond the jargon and think about the real problems that a cyberattack could cause.
I very much agree with the committee that it is for the public sector to take the initiative and offer a real say to experienced internet entrepreneurs in how public/private partnerships are best developed and not leave it to the private sector to come forward with ideas.
While I take the point made by the noble Lord, Lord Jopling, that this is not about cybercrime, like the noble Lord, Lord Harris, I will be interested to hear from the Minister about the role of the new National Crime Agency. Behind technology of any sort are people. That comes through very clearly in the committee’s comments on ENISA. The noble Lord, Lord Harris, referred to juvenile delinquents. I sometimes wonder whether states should thank innocent or naive hackers for showing them where problems and weaknesses arise.
The other day I heard a tale from Bletchley Park about a code—not Enigma—which was cracked because the transmitter of a message in code realised that he had made a mistake and transmitted a second message correcting it. That gave those at Bletchley the material to be able to crack the code. It is individuals who can, in what might appear to be small ways, undermine the security of systems.
I, too, am interested in resilience to cyberattacks, the work that is going on and that which can be undertaken in this area—that must be harder to tackle at an international level than at a national or local level—to anticipate technological aspects and human reactions in dealing with cyberattacks. I know that I am not the only person in the Chamber who has heard about what went on immediately following the 7 July bombings. One of the problems of which we became aware pretty quickly was people’s tendency to use mobile phones and the effect that had on the mobile phone networks. It is a very human reaction to pick up a phone to find out whether one’s family is safe. I wonder whether any thought has been given to involving the media in resilience exercises. I take this lesson also from 7/7: the media have a very important role as people tend to turn on their televisions and radios.
Finally, as a result of work that I and other Members of the London Assembly did following those July bombings, I keep in mind the words of the then managing director of London Underground. He said that the big lesson for us was:
“Invest in your staff, rely on them. Invest in technology, but do not rely on it”.
My Lords, it is a great pleasure to follow the noble Baroness in contributing to this debate. I will not follow the threads that she pulled from it because this is my maiden speech and I am constrained to be, what some might say, uncharacteristically brief. I commend her on her contribution to the debate and the issues that she picked from this helpful report—and more broadly. I, too, await the responses of the Minister to the points that she raises.
As I rise to make my maiden speech, one view is that it is a contribution to the House of Lords that I have waited 14 years to make. In 1996, I was part of the legal team that injuncted—or interdicted, as we say in Scotland—the BBC from broadcasting an interview with the then Prime Minister John Major in the context of the local government elections in Scotland. We were told after the appeal in Scotland that the BBC would take us all the way, and it was granted permission to appeal to the House of Lords. I had my foot almost on the first step of the stairs to the London shuttle when the BBC abandoned its appeal. So while it is characteristic for many maiden speakers in this House to say that they never expected to speak in the House of Lords, I suppose that in my case it could be said that my expectations have waited 14 years to be fulfilled properly.
In those 14 years, I found myself another job as I waited. It was a significant honour and a pleasure for 13 of those years to serve my constituents of Kilmarnock and Loudoun in the other place. They are now represented by Cathy Jamieson, who is already an experienced Member of the Scottish Parliament, and indeed was a Minister in the Scottish Executive. She is an excellent Member of Parliament, and that is not just my view but is the view of her constituents who have granted her an even more impressive majority than the healthy majority that I enjoyed during the time that I was there.
It is a particular pleasure to speak in the debate following my noble friend Lord Reid—a habit that I have developed over the years. I shall come to that in a moment. We both learnt our politics in the robust environment of the Labour Party in the west of Scotland, and I can tell noble Lords that we have had a lot of similar experiences, but I know that his collection of anecdotes—or at least the way he tells them—are much more entertaining and certainly more exciting than mine ever were.
After re-election in 2001, my ministerial career was largely spent following my noble friend. I will always be grateful to him for the experience of working with him in the Northern Ireland Office. In many ways, that was the happiest time of my varied ministerial career and I am proud to say that I still have many friends there. That is perhaps not surprising, as my mother—an inspirational 95 year-old—hails from Warrenpoint in the stunningly beautiful County Down. My time in Northern Ireland encouraged my interest in conflict resolution; and that was reinforced by later experiences of conflicts. It is my intention to use the opportunities that my membership of your Lordships’ House generates to work in that area, among others.
My services as a Minister in the Department for Work and Pensions, the Home Office, the Treasury and the Scotland Office have all individually left their marks on me, but it was my time as the Secretary of State for Defence for two years, between 2006 and 2008, that left the greatest impression. Over my ministerial career, I have developed a significant admiration for the public service of our Civil Service. It has become fashionable to talk of “bloated public service” and of waste, but that is not my experience. In my view, we have the best civil service in the world, which is part of the construct of this land that makes us all proud to be British.
However, if my admiration for the Civil Service is substantial—and it is—my admiration for our military knows no bounds, after my experiences. The courageous selflessness of those who put their lives and health at risk in order that we can sleep safe in our beds at night deserves a form of thanks for which the English language has recently proved to be woefully inadequate. The sadness and grief that I felt when hearing the news that my friend Lieutenant-Colonel Rupert Thorneloe, the commanding officer of 1st Battalion Welsh Guards, had been killed in action in Afghanistan, was but a fraction of that suffered by his wife Sally, his precious daughters and his parents and family. The sacrifices that the families of our service men and women make in supporting them are equally worthy of our boundless gratitude.
My time as Secretary of State for Defence has left me with the conviction that disarmament is as important to our security as investment in the capability of arms. Many senior political leaders across the whole world are currently coming to the conclusion that the existence of nuclear weapons, the security challenges that they pose and the risk of their proliferation are among the greatest threats that this world faces. I agree with them. With the support of a significant number of senior Members of your Lordships' House and of the other place, I intend to devote myself to the advancement of multilateral nuclear disarmament, improvement of the non-proliferation regime and improved nuclear security.
That brings me nicely, through security, to the topic of today's debate. I pay tribute to the noble Lord, Lord Jopling, and his committee for their deliberations and for the important and extremely valuable report that they have presented to us. As we have already heard, in recent days we have seen both an attack—we know not from where—on the computer systems running the Iranian nuclear programme and a warning from the director of GCHQ on the need to enhance the UK’s cyberwarfare capability, both offensive and defensive. The publication of the Government's strategic defence and security review is imminent. As a review, it promises to go much wider than a traditional defence review in assessing the full range of security challenges facing our country and in providing a joined-up response to those challenges. I hope that it achieves what it sets out to achieve, but the public debate currently surrounding it has not been encouraging. Almost all of the attention, inside and outside government, appears to have focused on the overall size of the defence budget and on which big-ticket defence equipment may have to be scrapped to satisfy the Treasury. This is understandable, given the current economic and financial picture, but it does not amount to strategic thinking. I hope, and wait to be reassured, that the review is conducting that strategic thinking and that the leaks we have witnessed over months have not included it.
As I know the Minister also appreciates, a review of this kind, carried out at this point in our history, needs to focus on more than conventional defence equipment. The nature and character of conflict, and the nature and character of weaponry, is changing. This is not just about unconventional enemies using low technology weapons like those we face on occasion in Afghanistan, but also about high technology weapons being used by potential adversaries to disrupt our society in future. We may be members of NATO, the most powerful conventional military alliance on earth, but we are on occasion in danger of allowing this to generate a comforting misapprehension; namely, that our adversaries will in future engage us in conflicts that play to our strengths, not in unconventional conflicts that play to theirs. This is dangerous thinking.
When the headlines on the SDSR have faded, and the short-term budget battles are over, sober judges will ask not only what we cut but what we invested in. The real test will be whether we have invested to meet the challenges of tomorrow rather than those of yesterday.
As imminent as the publication of the defence review is that of NATO's strategic concept. That presents an opportunity to address the issue of NATO-EU co-operation. I look forward to the contribution from the Minister in the hope that she will give us some indication that the Government will regard as a priority the issue of our contribution not just to the conclusion of the review of NATO's strategic concept, but to the important communiqué that will follow it and to the summit meeting that will take place in Lisbon.
My final point may arise from my professional prejudice, but is none the less valid. One major issue that needs to be addressed in the cyberdomain is the role of the law, both domestic and international. Domestically, RIPA was drafted before the internet developed into what it is today. Our law needs regular review to ensure that it keeps up with the rapid rate of change that we are witnessing. In particular, we must find ways of making detection and prosecution easier. Internationally, in the absence of sufficient treaty law or UN statutes dealing explicitly with cyber actions, urgently we need to define the role that international law should play in covering either offensive or defensive cyber actions. I should be grateful if the Minister, who speaks for the Government and who we all know has expertise in this field, will reassure your Lordships' House that action in these fields is contemplated and will give some indication of the steps that we can expect to see in this regard.
In closing, I express my gratitude for the warmth of the welcome that I have received in your Lordships' House. In particular, I thank the staff of the House who, with unfailing courtesy and genuine kindness, have eased my transition in a way that has made me feel as welcome here as anywhere I have ever been in my life. On the day of my introduction, the courtesy and kindness that were shown to my family and guests left them with the most positive impression that will remain with them for the rest of their lives. I trust that, with these words, I have observed the conventions of the House. I respect them immensely and I look forward to engaging in debate across a wide range of subjects, almost certainly learning more than I will ever be able to contribute.
My Lords, it is a genuine pleasure to have the task of following the distinguished maiden speech of the noble Lord, Lord Browne of Ladyton, and giving him the very warmest of welcomes. I first met the noble Lord just over a year ago when we were both members of the cross-party group that went to Washington to discuss issues of multilateral nuclear disarmament. Over our three days there, he displayed three qualities: a sense of humour that survived even a bruising encounter with Senator Jon Kyl, no friend of disarmament of any kind; affability; and the capacity to address even the most complex and technical subjects—and they do not come much more technical and complex than nuclear disarmament and cyberwarfare—in comprehensible and compelling terms. All these qualities were demonstrated today in his maiden speech. He will be a timely reinforcement to the group of former Defence Secretaries and military men in the House whose skill and experience will surely be of value when we come to address the coalition Government's defence and security policy review, due out next week. He will bring the same qualities to discussion of the issues of multilateral nuclear disarmament, to which he has already made a notable contribution as founder and convener of the top-level all-party group set up to match here the advocacy in the United States of Messrs Shultz, Kissinger, Perry and Nunn.
It can be said with a tolerable degree of certainty that this is the first serious full-scale debate in this House, or indeed in this Parliament, on how best to face up to the threat from cyberattacks. However, it will not be the last, because the target against which that threat is directed—our society’s increasing dependence on sophisticated forms of electronic communications—is continuing to grow at a frantic pace which shows no sign of slacking; because that is a worldwide phenomenon which increases the vulnerability of every country in the world; and because the target, as it grows, is likely to become softer unless effective countermeasures and increased resilience can be devised.
To believe that that target will not be at risk in circumstances of heightened international tension or open hostilities would be a triumph of hope over experience. Therefore, this report is surely a timely one—a very necessary reminder of the need for sustained effort at the national, European and wider international levels if we are to deal with that vulnerability. I pay tribute, in particular, to my predecessor as the chair of the sub-committee which produced the report, the noble Lord, Lord Jopling, for the masterly way in which he guided our deliberations and shaped our report, and for his introduction to this debate.
First, I shall say a word about the scope of the report. We were guided, as we had to be, by the EU document that we were examining. That document limited itself to cyberattacks. It did not, therefore, cover cybercrime at all and so nor does our report. However, cybercrime is already a massive enterprise. As usual, the criminals have moved more rapidly to capitalise on the opportunities offered by technological advances than the law enforcers have developed ways of frustrating them and bringing them to justice. Therefore, the scale and nature of the problems faced by us and by other states are a great deal larger and more complex than those that are covered in this report.
This new threat from cyberattacks, which is covered in the report, is in almost every way quite different from most other threats that we have faced, and so will need to be our response. If it resembles any other threat, it is perhaps closer to the one that we faced from nuclear weapons in the early years after their discovery, when we did not have a clear idea of what response would work best and whether deterrence would be effective. I am indebted for that analogy to Professor Joseph Nye of Harvard, whose paper, Cyber Power, was published in May of this year and which I commend for its clarity of thought.
Of course, that analogy is not exact—analogies never are. But just as the doctrine of mutually assured destruction has driven us back towards serious work on nuclear disarmament, the realisation that massive retaliation against cyberattacks could well be a cure worse than the disease, risking bringing the whole or large parts of the internet system down in its wake, should push us in a similar direction. The asymmetry of threats from nuclear weapons in the hands of terrorists, which makes nonsense of earlier deterrence doctrines, is matched in some ways by the inherent asymmetry of threats from cyberattacks, where state origin is so easy to conceal, as we have seen in the cases of Estonia and Georgia, and perhaps now in the case of the Stuxnet attacks on Iran.
This analysis points, as does our report, to the need for a much intensified international dialogue between the main players—the US, the EU and its principal member states, of which the UK is one, China, Russia and a few others—about how best to understand and how best to counter the risks from cyberattacks. Out of better understanding could come better countermeasures and less reliance on what may prove to be faulty doctrines of deterrence. Would all this lead on to international agreements or treaties, or, rather, would it consist in a system of close consultation and confidence-building measures? I suspect that it is too soon to say. Much will depend on the willingness of the main players to work together and to recognise a common interest in avoiding cyberattacks. After all, every cyberattack, however well concealed in its origin, begins in some state's jurisdiction. The willingness of states to act in a co-operative manner is, therefore, crucial. I hope that the Minister will feel able to respond to that analysis when she replies to the debate.
Apart from these wider international considerations, our report focuses naturally on the EU dimension. Here both the report and the Government’s very constructive response reveal much common ground. Although national security remains a national responsibility, the UK has an important interest in strengthening the resilience of all 26 member states against cyberattacks and some of them are clearly not well prepared at all. As a member state which is better prepared than most, we could and should play an important role in strengthening overall resilience. After all, these are our biggest markets and our most integrated partners and there should be an opportunity for the UK to play a leading role. It was a welcome sign that all our Commission and ENISA witnesses, as well as those from outside Government, seemed to share that analysis and to welcome a very active British role. I hope that the Minister will confirm that we will do just that; we will do what we can to make Europe-wide training exercises and the testing of systems a real success.
On ENISA and the possible widening of its mandate in the review of its activities which is now taking place, I thought that there was a rather grudging tone in the Government's response, which perhaps is a reflection of financial concerns. But using ENISA to strengthen the European response to cybercrime would surely make sense. Cybercrime does not stop or start at our borders. Weak handling of it elsewhere in the EU will impact negatively on us too, so I hope that the Government will think again about that and will take a positive attitude towards an extension of ENISA’s mandate. Of course, the siting of ENISA in Heraklion should never have happened and it would be good if the Government would confirm that that sort of aberrant decision will not be repeated. All the evidence that we received indicated that ENISA was valued by practitioners and was rated as doing a good job, so the case for putting it to better use would seem to be quite compelling.
In conclusion, I would like to pay tribute to the previous Home Office Minister, the noble Lord, Lord West, who is not in his place, and whose evidence to the committee was frank and valuable. We look forward to maintaining that relationship with his successor; I hope that the noble Baroness will keep the Committee closely informed of developments in this area of EU activity. We look forward to taking evidence from her when the occasion justifies it.
My Lords, I congratulate my noble friends Lord Reid and Lord Browne on their powerful contributions to this debate, which augur well for the future of the House. I also thank the noble Lord, Lord Jopling, for his chairmanship of the sub-committee, of which I am a relatively new member, and for securing this important and timely debate in your Lordships’ House. His stewardship and guidance were models of how an inquiry should be chaired.
Cybercrime is a growing threat to us all. In my experience, the criminal fraternity will always find new ways to achieve its objectives by harnessing new technology and resources to try to outwit the forces of law and order. Every week, we read of new fraudulent scams to relieve the citizens of Europe, and the world, of their hard-won savings or the use of the internet to groom and subsequently abuse our children. We also hear of new squads being set up by law enforcement agencies to deal with those threats. Indeed, as has been mentioned, we heard only this week from the head of GCHQ that the Government are the target of a thousand malicious e-mails each month. Of course, that figure is increasing in line with the growth of the internet by some 60 per cent each year. It follows that these criminal entrepreneurs—that is what they are—will be recruited by intelligence services of ill disposed foreign powers to penetrate the computer systems of the liberal democracies, epitomised by the European Union countries, either to obtain secret intelligence or to damage defence systems or the basic infrastructure, which we take for granted, of the country being attacked.
We all get unwanted e-mails. I will always remember that, a few years ago, when I first came into this House, there was a debate on spam messages in your Lordships’ House. I recall a very elderly Member of your Lordships’ House, who is unfortunately no longer with us, rising to berate the Government of the day for doing nothing about them. He said: “They are always advertising the same products: body enhancements, Viagra or inkjet cartridges”. He finished by saying indignantly, “My Lords, do I look like a man who requires inkjet cartridges”?
Our inquiry heard evidence from a number of individuals and organisations, but it is fair to say that we were disappointed by the response to our call for evidence. None the less, we should thank those who responded and gave time to assist us in our deliberations. I am pleased that the Government’s response is broadly in agreement with the committee in its criticism of the Commission. Through our examination of specific examples of cyberattacks or disasters, it became evident that, although major disruption can be caused, Great Britain is indeed a leader in Europe in dealing with such disruption; others may well follow.
If the EU is seen as a club, the club rules should set standards for dealing with cyberdisruptions or attacks that all member states should aspire to uphold. We are only as strong as our weakest link. Unlike the European Union and the states within it, the internet has no borders and, in a global economy, with multinational corporations using the internet for business, it is imperative that we have a global response to large-scale cyberattacks or disasters. The development of international rules that are properly policed would deter some countries from turning a blind eye, for whatever reason, to such attacks from within their borders.
The Commission communication was therefore a little disappointing in its lack of global response to the growing threat. To attempt to bring down a nation’s communications system, transport or banking structure is tantamount to an act of war and it would be legitimate for an organisation such as NATO to be brought into play. Not only would that be using the collective wisdom and resources of the alliance countries, but it would act as a powerful deterrent, as it has to conventional threats. The Commission report was almost silent on that. There may be some value in holding joint exercises in that area to reinforce the essential need for more co-operation among NATO countries. In my experience, it is essential for member states to carry out exercises in this area to enable them to participate more fully in future joint efforts.
The European Network and Information Security Agency, ENISA, has been mentioned. It is an important body and exercised the committee greatly, because policing the internet and dealing with criminal enterprises in this area is important. It is to be hoped that the resources can be found to reinforce ENISA so that it can extend its role. Needless to say, I am rather disappointed once again with the lukewarm response to the committee’s recommendations, which seems to raise doubts about the existence of the agency. Perhaps in reply the Minister could give us further assurance on that.
Cybercrime and terrorist attacks are a fascinating subject and I have little doubt that they will exercise us in our deliberations in the months and years to come. As we used to say in the police service, the six “p”s apply: proper planning prevents pretty poor performance. I hope that our deliberations in this area add value to planning to prepare to deal with these matters before they happen.
My Lords, I apologise for rising in the gap. One aspect of today’s debate that could be usefully underlined is the need to ramp up co-operation with countries and regions where we have strategic interests and which are themselves at risk, whether because of direct interests in energy supplies, for example, or indirectly through narcoterrorists funding a low-cost cyberattack capability, which would be cheap in relation to the mayhem that can be caused. The central Asia and Caucasus region contains ever growing strategic infrastructure that one way or another does or will serve Europe. The Baku-Ceyhan pipeline is one example. It is doubly more pressing as it is in exactly this region where, some say, the majority of cyberattacks originate.
Two immediate difficulties exist: resources within those regions to counter the problem and the lack of sufficient exchange of information among intelligence communities as a result of insufficient in-depth bilateral co-operation. I hope that an immediate effect of the Foreign Secretary’s visit to Moscow will be closer co-operation among our respective intelligence communities. That, in turn, would lead to Russia ceasing to apply pressure on opposite numbers within central Asia and the south Caucasus to be unco-operative with western interests. It should be remembered that central Asia and the south Caucasus are, after all, Russia’s backyard. The noble Lord, Lord Browne, mentioned Lisbon. Can the Minister inform us whether Russia has now agreed to attend? That country must be included in debate on international affairs. To improve the situation immediately, I urge the Minister to encourage the sending of representatives at Secretary of State level to Kazakhstan’s December heads of state OSCE summit in Astana, with a possibility of a one-day or two-day extension for bilaterals. This would be viewed as the United Kingdom working for mutual benefit.
I listened carefully to the remarks made by the noble Lord, Lord Jopling. The committee and the Home Office appear to agree that cybersecurity is a global phenomenon and requires globally co-ordinated action. The EU appears to be on track in combating the threat of cyberterrorism with its ENISA proposals of 30 September. However, more should be done on basic concepts and on a mid-term to long-term strategy, particularly in regard to an integrated approach including all major players. The Minister could be encouraged to ramp up the debate and implement initiatives at at least G20 level.
In conclusion, a simple analogy to reinforce the case for global endeavours is to compare the threat of cyberterrorism to the threat of the banking sector. We now know that one bank failing can have a catastrophic global impact. The same can apply to the world of cyberterrorism. I do not wish to appear alarmist, but I fear that, whereas suicide bombings have been the weapon of choice in certain quarters, carefully targeted cyberattacks will be the weapon in tomorrow’s world.
My Lords, I am the final warm-up act before the much referred to and much awaited speech by the Minister. I wish to add my thanks to those already expressed to the noble Lord, Lord Jopling, for the work that he and his sub-committee have undertaken in producing such an informative report into a subject of ever increasing importance and concern. Those concerns have been reflected by every Member of your Lordships' House who has spoken with authority in this debate. I also congratulate my noble friends Lord Reid of Cardowan and Lord Browne of Ladyton on their, as anticipated, impressive and thought-provoking speeches, which gave us the benefit of their considerable and real expertise and knowledge in this field.
The noble Lord, Lord Jopling, in his helpful and informative opening speech, drew attention to the key findings in the report, including the issue of the part that the European Union can usefully play in protecting Europe against large-scale cyberattacks. It was certainly of some comfort to read that the committee did not feel that this was an area where our Government, in relation to our own country, were being complacent. As the noble Lord, Lord Hannay of Chiswick, said, the witnesses from whom the committee took both oral and written evidence generally thought that the United Kingdom had sophisticated defences compared to most other states.
To quote from the report, the European Network and Information Security Agency, referring to mechanisms for dealing with internet incidents, had stated that,
“the UK, along with a limited number of other Member States, is considered a leader in this area with developed practices that set benchmarks for others to adopt”.
Continued vigilance and development will be necessary to ensure that that continues to remain the case.
There has, of course, been a change of Government since the report was concluded. While we have read their written response, I hope that we will hear more from the Minister when she responds about the views of the new Government on the report and the serious issues it raises, and the extent to which the Government do or do not agree with the stance adopted by the previous Administration in their evidence to the sub-committee. In their reply of 6 July 2010 to the report, the Government state:
“While we are in agreement that cyber security is a significant and increasing facet of national security, the present Government is in the process of reviewing whether there are things we can do better or differently to achieve the same national security goal; that this is likely to extend to the European Union”.
It would be helpful if the Minister could explain what that statement means in practical terms. When did the review start? Who is undertaking the review? When will the review be complete? Will its findings be made public? What “things”—that is the word that the Government use—are being looked at to see if they can be done better or differently to achieve what is referred to as the “same national security goal”? Finally on that paragraph, what exactly is it that is,
“likely to extend to the European Union”?
A number of UK organisations and bodies with independent expertise are referred to in the report and in the Government’s response. Will the Minister confirm that these bodies will survive the forthcoming cull?
In their response, the Government say that they will remain actively involved in the discussions under way at the European level on the role for the European Union and that they support the committee’s recommendation that this should be focused on the promotion of best practice and on reducing the gap between the most advanced and the less advanced member states. As has been said on more than one occasion today, cyber does not recognise national or European Union boundaries but is also a global threat. We need our international partnerships and alliances, since we have common interests with other responsible nations in sharing information on threats and vulnerabilities.
The Government recognise that the prevention of cyberattacks has an important international dimension. They state:
“In developing a new cyber security strategy, the Government is putting significant resource into having a strong and proactive role in this”.
What are the objectives of this new cybersecurity strategy that it is felt may not currently be being addressed or need updating? Is it part of the “process of reviewing” referred to in the third paragraph of the Government’s response, to which I referred earlier?
The importance of this debate and the importance and relevance of the committee’s report has been further enhanced in the light of the speech the other day, to which the noble Lord, Lord Jopling, referred, by the director of GCHQ on cybersecurity. He said, as did the committee in its report, that this was not solely a national security or defence issue but went to the heart of our economic well-being and national interest. The committee’s report, as the noble Lord, Lord Jopling, highlighted, gives examples of cyberattacks that have occurred which seek to strike at the heart of a country’s ability to function. The GCHQ director added further weight to this point in relation to our own country when he said that the threat of cyberattacks to disrupt seriously critical national infrastructure,
“is a real and credible one”.
He also said that:
“There are over 20,000 malicious emails on Government networks each month, 1,000 of which are deliberately targeting them ... that we have seen the use of cyber techniques by one nation on another to bring diplomatic or economic pressure to bear ... we have seen the theft of intellectual property on a massive scale, some of it not just sensitive to the commercial enterprises in question but of national security concern too ... and that the risks in all these areas are growing along with the enormous growth of the Internet. At the moment it’s expanding by about 60% a year”.
This includes growth stimulated by the Government as they seek to get services online, not least in response to an increasing public expectation that services will be available in this way. The expectation is that within the next few years, online tax and benefit payment systems could be processing over £100 billion-worth of payments at a time when the increasing cost of e-crime to the economy runs into billions of pounds and organised groups attack not just commercial targets but also online tax systems across Europe.
The GCHQ director commented that cyberspace is contested every day, every hour, every minute, every second, and that he could vouch for that from the displays in his own operations centre of minute-by-minute cyberattempts to penetrate systems around the world. He went on to say that:
“Ministers are looking, in the context of the Strategic Defence and Security Review and the Spending Review, at what capabilities the United Kingdom needs to develop further”,
and added that:
“Clearly they will also be deciding how they trade off against other spending priorities”.
Perhaps the Minister could answer the question that the director in effect posed—namely, how high a priority compared with other spending priorities does this Government give to providing the necessary resources to ensure that this country continues to be protected effectively from cyberattacks?
I conclude by congratulating the noble Lord, Lord Jopling, and his committee on a thorough, thoughtful and informative report which has rightly raised the profile of this important and, indeed, worrying issue.
My Lords, I join other Members of the House in thanking my noble friend Lord Jopling for introducing this debate and for his committee’s report. It has enabled us to have what I think has been a rather wide-ranging discussion of the issues. He rightly said that it is one of the first extensive debates we have had on cyber generally and, in particular, on cybersecurity. I join noble Lords in welcoming the two noble Lords who made their maiden speeches and say how valuable their comments have been. We look forward to further discussions, and no doubt we will be talking about this subject in the future. I think that we have a House that has a considerable contribution to make, and our new Members have certainly increased our capability.
I should also like to point out that the noble Lord, Lord Reid, set up the Office for Security and Counter-terrorism in the Home Office which continues to function to this day and plays a central role in counterterrorism generally, while cybersecurity impinges on it. As everyone knows, capabilities for cyber are located mainly in the Cabinet Office, and indeed it was my predecessor the noble Lord, Lord West, under whom the Office of Cyber Security and the Cyber Security Operations Centre came into being. They have provided a central capability in government for the first time, and the Government are building on those structures. I pay tribute to our predecessors for starting down this road; we intend to contribute and to build on it. There is no doubt that the saliency of cybersecurity is increasing greatly.
The first thing we did in the Office of Cyber Security was to make a small but significant move in joining the strategy of cybersecurity and information assurance together. It seemed to us that these were closely related subjects and that it made no sense to keep them separate. Information assurance—which is provided not only by patching but also by people—is a key element in increasing our level of security. In his speech yesterday, the director-general of GCHQ Cheltenham said that we could deal with 80 per cent of our vulnerabilities if we increased good practice. Obviously good practice, to a significant extent, comprises keeping up systems and ensuring that they remain as invulnerable as possible. This also depends upon the human element. It is extremely important that if the Government purport to take a lead in this area—which I believe they should—they should themselves be an example of good practice. So one of the things we will do is increase the emphasis inside government and preach the message of information assurance nationally as being a contribution we need.
One element which has not been mentioned, but which we regard as an integral part of national security, is that we should increase capability in the population as a whole and encourage the use of good practice by ordinary users of computers. Indeed, we should upskill our population and, in particular, the level of expertise that we will need in the future for both maintaining and developing systems. We do not have enough people. A major contribution should come from the academic community, and the Government will certainly support that. I know that the noble Lord, Lord Reid, has a strong interest in that area. It would be a valuable contribution if a good deal were to be said about these subjects; we need someone to talk about them and we should keep them in our minds all the time. This would be a way of incentivising younger people to enter what is and will remain an exciting and expanding domain.
In referring to the SDSR, I am rather constrained by the timing of the debate. In one sense it is very good because it comes at a moment when we are thinking about this subject; unfortunately it comes just before the publication of the SDSR and I am unable to say everything that I would like to. However, I should like to give an indication of the direction of our thinking.
A number of important points were made—including by the noble Lord, Lord Browne, who made the key point that the nature of conflict is changing. Although this certainly applies to the battlefield, in a sense, it also applies to society. There is no such thing as a valid distinction of any real kind between how we deal with the threats and challenges to our country abroad if we do not also deal with them at home. Conversely, in order to diminish their significance and threat to us at home, we need to act abroad—the so-called upstream. In this, cybersecurity is key to our military capabilities on the battlefield and to our navy. It is no good having your carriers protected by your frigates and your submarines if the whole shooting match has lost its communications; it is dead in the water. Similarly, at home, we will not succeed in defeating a cyber-enabled terrorist enemy if our own communications are vulnerable. We need to be able to disrupt them, not them to disrupt us. This is the new national frontier. It offers very exciting, interesting and intellectually challenging opportunities for younger people and it is of great import to the nation.
National security is a totality of security, whether at home or abroad, and cyber is a central element in it. Though I cannot unfortunately give detail, I hope that the House will agree when it sees it that we have given due prominence and priority to the cyber element of our strategy.
Iain Lobban laid out the threat—I shall not repeat what he said, because it was put extremely cogently as well as accurately. However, the threat has a number of elements. There is indeed the threat of state-led espionage, which is theft by states. They are out for our valuable intellectual property, which they can then use for their own ends and possibly turn against us. This is a serious threat. We have also the activities of the non-state actors, who use cyberspace as an enabler. It is our task to disrupt them, too. In both cases, as has been said, you have real difficulty of attribution and, correspondingly, difficulty in knowing how to respond. We need to work on the issue of attribution, because, if we do not, we will never succeed in having a sufficient volume of successful prosecutions to act as a deterrent. However, we should recognise that attribution is quite difficult and that there are other things that we need to do at least at the same time but preferably earlier because they are within our domain. That constitutes better defences, better deterrence and the capability for counterdisruption. We need to be able to patrol our frontier.
There is a feature of patrolling our frontier which is very simple but which points up some of the difficulties that we face. When I visited the NSA, it was said to me that relatively few practitioners and security officers in large corporations, and even in corporations which are internet providers, know what the configuration of their system is when it is operating normally and according to the rules. So if you do not know what it should look like when it is operating according to its own rules, you are most unlikely to spot when there is anomalous behaviour. But spotting anomalous behaviour is your first line of defence. We keep on coming back to the need for those skills.
It is a feature of modern, strategic national security thinking that, very quickly, the strategic descends to the nitty-gritty of operation, because you cannot succeed in your strategy unless you go right down into the weeds. It is one of the more difficult parts of the challenges that we face and it is certainly the case in the cyber area.
Clearly, another part of our approach has to be a focus on closing our vulnerabilities. The issue of our approach to the law was raised. We need to bring in law enforcement. I am more cautious about the question of operating within legal frameworks when it comes to trying to regulate the international scene. That is not to say that we can never have a valid convention. Certainly, the idea that we could have a convention that gives us the rules of the road instead of simply codes of conduct is an extremely attractive proposition. But you have to be confident of two things. First, that those who sign conventions will actually then obey their precepts and not seek to go outside them while you observe the rules. Otherwise, you are putting yourself at a disadvantage. Secondly, in that situation, you need to be able to ensure that you can verify what they are doing. It adds to your vulnerability when you have people signing up who may not be entirely trustworthy.
With the old-fashioned, legitimate arms control that I and many noble Lords grew up with, you could go out and verify how many missiles you had because you could count them. This is more difficult. We return to the problem of attribution. I am cautious about the notion that conventions in so immature an area would serve our interests. I am keener on the notion that we seek to close our vulnerabilities and ensure that we defend ourselves adequately nationally. We must also propagate best practice among others who are linked to us and who may be less well equipped. I will come in a moment to international co-operation.
Another part of our strategy is dealing with crime. The noble Lord, Lord Harris, asked whether we are doing enough and the answer is no. We are not doing enough and we have to up our act. We heard that from Sir Paul Stephenson, in terms, a couple of days ago. We have not yet taken a decision on precisely what will happen to the e-crime unit and the position it will have in relation to the National Crime Agency. However, I can say—and I mean this—that it has to be and will be a priority. This sort of crime is theft. It is plain stealing. There is no such thing as victimless crime. People who suffer a major wipe-out through the swiping of their identities can have the greatest difficulty in getting their money back and in establishing their credentials and their financial position again. These are big issues. That is one side of things. We do not know the figures. The potential losses and the span of brackets that we have for the estimates show us that frankly we do not know the full costs because we have very little handle at the moment on the level of losses. It is certainly true that government agencies are becoming rather more conscious and getting a better handle on what they may be losing. As a matter of economic cost to the nation, we are still a long way from understanding exactly what is happening.
Focusing resources on detection and on international co-operation is a crucial part of following any crime chain and this is a classic area where there is international contact and an international link. There are few big scams and crimes that do not have a significant international dimension. An attack that takes place in the United Kingdom could originate in another country, so you cannot bring people to justice without the help of others overseas. The answer is that we are barely at the starting gate and in this whole area the House will agree that we are still doing baby steps.
Points were raised in the debate about the vulnerability of our critical national infrastructure. Our predecessors in office did a great deal of serious work in this area but there is still more to be done. The NPIA—I am not sure that I have got that acronym right, but I mean the agency with responsibility for protecting the national infrastructure, which is the office that springs from the Security Service—has a powerful relationship these days with a number of the really strategic elements in the national infrastructure and gives advice. It has helped infrastructure operators to upgrade their performance.
That brings me to one of the major points that I wish to make. I was asked whether we are doing well enough in these areas. I do not think that we are doing badly, but there is clearly more to do. One thing that absolutely stands out when you start to think about cyber is, while the Government must take the lead, where the responsibility will lie. It will lie with the Government, including ensuring that we retain our national capabilities. But we are clearly not going to be able to have an effective national platform, which not only protects the operation of our society but gives us economic advantage internationally, so people decide to invest in the United Kingdom because they know that it has secure communications that they can trust, except in partnership with the private sector. By that I mean not simply getting the private sector to pay or do what we want; I mean a partnership, and developing policy with the private sector. We need to do it at the strategic level, with the direction in which we need to go, and we need both a general and a sectoral approach. We go back to the fact that the strategic level descends extremely quickly to the operational consequence. We need to have a partnership that does both strategy and operational co-operation, whereby the Government’s technical expertise can be brought to bear to help to ensure that private sector operators and companies have the cybersecurity that they and the nation need for business continuity.
I am trying to paint an approach on the part of Government that is perhaps holistic and which takes all the issues and tries to put them together. We are further ahead in some aspects than others, and when we are not so far ahead we need to catch up. I hope that we have at least analysed what we need to do. There is a significant road to go down.
The noble Baroness, Lady Hamwee, asked about the role of the media, which gives me the opportunity to say something about an important aspect. The media are important as they are our means of communication in these issues. They are also absolutely vital to government in an emergency. One thing that we need to be able to do and which we will do is to exercise—and everybody who has been in government knows just how important exercising is. That goes right across the board. One thing that you come across when you start is that you can conduct very few exercises without the electronic and cyber element being an extraordinarily important part of getting through. Making sure that in and of itself we are testing our cyber capabilities and our vulnerabilities is an important part of underpinning other forms of exercising that we do for emergency prevention and preparation.
I was asked about the role of ENISA and the Government’s attitude to it. There is no doubt about the Government’s support for the continuing operation of ENISA. Its life has not been made easy by putting it in Heraklion, and one could perhaps wish otherwise. I gather that the Greek Government are putting in place some facilities in Athens, which will make it a bit easier for people to get there. It is probably fair to say that they have managed to recruit the staff, although they have not made it easy for ENISA staff to travel. But those who know the Union do not think that it is likely that we will be able to change that, so I think that the fact that there are some offices in Athens is probably the way to build. As for its role, we agree that it has done good work. It is a very small agency with a not very big budget. It is being proposed now that it should have quite a significant increase in its budget. Our view of that is: “Give us the reasons why—a justification. We actually want to see what you think you would do with it”. We agree that it potentially has useful roles in the area of crime prevention and of linking up, in the cyberarea, the role of other enforcement agencies such as Europol, and of making them more powerful and effective.
ENISA can do what we hope to do in the national security strategy, which is to bring the elements together. That is a classic co-ordination role and an important and valuable one in this area, given that the elements at the moment are so dispersed and that the performance between member states is so highly variable. The whole notion of bringing others up, who are not as operational but who can represent a weakness in the system, is an important part of what can be done for us. Your Lordships may be assured that we take ENISA seriously.
Similarly, we take NATO seriously. NATO is developing its concept and there is quite a debate going on, as I understand it, about all those things that might fall under the heading of Article 4—the solidarity article, if I can put it that way. To some extent, cyber falls in that area. Personally, I take the view that I would very much like to see NATO active in this area. I gather that the military committee is now beginning a discussion of what NATO might be doing. That is wholly to be welcomed, as is the possibility of NATO-EU co-operation in this area. We all know that there are bigger issues—or, at any rate, other issues—that prevent that from happening, which are wholly contrary to the interests of the member states of both organisations and the organisations themselves. That is one thing that we have not yet succeeded in cracking.
There is also almost certainly a division of responsibility to be found between the two organisations. Your Lordships will be aware that—and we are not alone in this—we do not particularly wish to see the EU get into things labelled “national security”, although I have taken the view that national security is, rightly, rather a big term and that there will be things that the EU can undoubtedly do to contribute to the success of our collective national security. I believe that NATO will also have a role, which I hope it will seize, because I believe that there are important things to be done, particularly in Europe. That will also strengthen the collective approach.
I am told that time is up. Indeed, I have come to the end. Implicit in all that I have been saying is what a number of noble Lords have mentioned: we need strong international co-operation in international organisations, just as we need bilateral co-operation between the competent agencies.
My Lords, as we come to the end of the week’s business, I shall delay the House for only a very short time. First, let me say how grateful I am, as I am sure the committee will be, for the kind and generous remarks made to me and about the committee’s report. I think that I have heard no criticism at all of the report; indeed, there has been generous approval of it. There is no doubt in my mind that this topic—cyberwar or cybercrime, whatever it be—will recur fairly regularly in our discussions in this House. I was particularly glad to hear the Minister saying that we need to talk about it and I hope that we shall.
The contributions today demonstrate that there is a good deal of expertise on this issue lurking within the House. That brings me particularly to the two maiden speakers, the noble Lords, Lord Reid of Cardowan and Lord Browne of Ladyton. I spoke earlier about our anticipation of their speeches. They have given us an example both of the broad view of this problem and of their great expertise, having been Defence Secretaries in the past. We are most grateful to them and we look forward to hearing them both regularly on this and other issues in future.
I thank the Minister for her comprehensive summing up. I was particularly pleased to hear, in the latter part of her speech, what she said about ENISA and NATO. I have probably said enough at the end of this debate, except to say that I beg to move.