(10 years, 8 months ago)
Commons Chamber
Given how long I have been in this House, I really ought to know whether I should be thanking the Backbench Business Committee, the Government, the Chair of the Liaison Committee or you, Madam Deputy Speaker, for my securing the debate. Just to be on the safe side, I will thank them all, and especially you.
I apologise for interrupting my right hon. Friend so early in his speech, but he makes a good point. In the old days, we had regular, sensible defence debates throughout the year, but they are now at the discretion of the Backbench Business Committee, which is a retrograde step.
My hon. Friend makes a good point, but it rebounds slightly on the Defence Committee because we have been told that we are responsible for applying for such debates and, I have to confess, we have not done so in recent months, so perhaps we ought to revisit that.
The Defence Committee launched an inquiry into defence and cyber-security in January 2012, as part of a series of debates and inquiries looking into emerging threats. It was the first time the Committee had investigated cyber-security as a discrete topic, although in 2009 we had looked at Georgia and Estonia, and visited Tallinn, as part of another inquiry. The UK Government had identified cyber-threats as one of four tier 1 risks to national security, and in November 2013 published a UK cyber-security strategy, updating their 2009 strategy and setting out four objectives: first, to make the UK one of the most secure places in the world to do business in cyberspace; secondly, to make the UK more resilient to cyber-attack and better able to protect our interests in cyberspace; thirdly, to help to shape an open, vibrant and stable cyberspace that supports open societies; and fourthly, to build the UK’s cyber-security knowledge, skills and capability.
The programme is to be implemented via a four-year national cyber-security programme costing £650 million, and the Chancellor of the Exchequer announced an extra £210 million investment after the 2013 spending review. The funding is shared between the security and intelligence agencies, the Ministry of Defence, the Home Office, the Department for Business, Innovation and Skills, the Cabinet Office and the Foreign and Commonwealth Office, but most will be spent by the security and intelligence agencies.
During our inquiry, the Committee investigated whether the high profile given to the cyber-threat in the UK was matched by a coherent plan and a chain of command in the event of a major cyber-attack on our national infrastructure or our national interests. The complexity of the threat must be matched by an agile, many-layered response; accordingly, many different agencies are involved in the cyber-security effort, ranging across cybercrime, cyber-espionage and cyber-commerce. Cyber-security is therefore to some extent everybody’s responsibility, but we must avoid its ending up being nobody’s responsibility as a consequence. Someone has to be in charge.
It is good to see so many colleagues here to take part in the debate. If we contrast the approach taken in the United States, where there is a unified structure under CYBERCOM, with the disparate approach taken in the United Kingdom, does the right hon. Gentleman share my concern that we seem to have a number of lessons still to learn?
Well, there are pluses and minuses to having a unified structure, and there are risks in having a siloed approach. I said this is the responsibility of everyone, and so it is. I shall explain how wide that responsibility extends.
Further to that, although a number of Departments have an interest, was my right hon. Friend assured by the MOD—within his sphere of responsibility—that there is a single individual in charge? I understood from reading his Committee’s report that the Joint Forces Commander is currently responsible, but the intention is to have the Chief of Defence Intelligence involved as well, and perhaps to appoint a three-star Defence Chief Information Officer. The report did not make it clear to me where we intend to go. The Americans have a four-star in charge. Is my right hon. Friend convinced that there will be an individual clearly responsible for the MOD’s part of the spectrum?
Things have moved on since our Committee reported. There is somebody in overall command and that is my right hon. Friend the Minister for the Armed Forces, who will, I have no doubt, set out precisely how things have moved on when he responds to the debate. That is the purpose of Select Committee reports, and I am pleased about that.
The Committee was particularly concerned that the armed forces are now very dependent on information and communications technology and if those systems suffered a sustained cyber-attack, their ability to operate might be fatally compromised.
We are talking about cyber-technology, but may I use an old-fashioned phrase in warning of the danger of having all our eggs in one basket?
Yes, and I entirely agree. I have discovered a new organisation being set up in Cambridge called the centre for the study of existential risk, which is right up my street. Being a gloomy sort of person, that is precisely the sort of thing I am worried about, and the hon. Gentleman will not be surprised to hear that I am already in deep contact with the centre.
I have heard of that work at the university of Cambridge, too, and I am in favour of it, but may I take my right hon. Friend back to his point on co-ordination? Surely the bottom line of the response to any major threat to this country, whether it is flooding or rioting and so on, is the armed forces. Does he share my concern that there seems to be no mechanism for referring problems in other sectors through to the MOD and, crucially, that there are no rehearsals taking place?
I do, and I hope that in answering the debate my right hon. Friend the Minister for the Armed Forces will take that point straight on the chin, because in many respects the armed forces are the resource of last resort, and cyber-security may be an area where the armed forces do not accept that responsibility.
There is a necessary focus within the defence world on securing the systems and networks needed by the MOD and the armed forces from cyber-threats. It is not only contemporary civil society that is utterly dependent on network technology; our armed forces are increasingly reliant on such technology for the tools of warfare, and the next step must be to ensure that the supply chain for those systems and their components is secure. That will require a trusting, transparent relationship between Government and their suppliers, with full disclosure of attacks and possible vulnerabilities, which runs all the way down the supply chain. The UK has world-class expertise and facilities on which to draw, but will the Government be able, in competition with the private sector, to keep enough of that expertise and experience in the service of the state? Are there enough such people to serve both and how should we prioritise?
The announcement by my right hon. Friend the Secretary of State for Defence in September 2013 about the establishment of a joint cyber reserve unit is a significant development, but that will rely on FTSE companies and other, smaller companies releasing key personnel to participate. Will my right hon. Friend the Minister for the Armed Forces tell us what progress has been made? According to the Government, the number of ICT and cyber-security professionals in the UK has not increased in line with the growth of the internet. Are there enough experts in industry willing to join a cyber reserve? Will technology experts—the geeks of our world—fit well within highly regimented military structures, or will a more flexible structure be required to facilitate their work?
The right hon. Gentleman is rightly raising just some of the myriad questions about the future in cyberspace. Does he agree that these questions are so wide-ranging and fluid, given the incredible acceleration in technology, as to pose the question whether in future we should have vari-speed defence and security reviews? On larger items we should look beyond the 10-year horizon, but in cyber, five years is far too long for what is happening.
Like my hon. Friend the Member for Canterbury (Mr Brazier), the hon. Gentleman contributes effectively to the Defence Committee and makes an interesting point—one I had not heard before. That is the value of these debates. We will all have to think about that issue.
We must seek to defend ourselves, but we must also, as has been suggested, expect to develop a capability to respond to threats in cyberspace. When doing that, we face some of the same considerations as when developing conventional military capabilities. Where does the balance lie between international collaboration and sovereign capability, for example? What sort of international arrangements will best suit our aims?
My right hon. Friend the Secretary of State also talked about how the UK was developing a full spectrum military cyber-capability, including strike capability. This is an interesting and novel declaration. Everybody knows it has happened but nobody has been prepared before now to announce it. Will this declaration act as a deterrent or will it make the UK a more likely target for hacktivists and foreign states? What about the legal implications of establishing a strike capability for the personnel involved? The necessary rules of engagement for cyber-attack need to be put in place, although of course we will not be told about them.
Some maintain that cyber is just another military domain and that we can expect to do everything in cyberspace that we do in the air, on land or at sea to prevent, deter, coerce or intervene. But has the distinctiveness of the cyber domain been fully grasped? It is not clear, for example, that deterrence is a concept that can apply to a domain where there are real difficulties in discovering quickly who has perpetrated an attack and for what purpose, or even that an attack has taken place. Neither is it clear that everyone has grasped how important it is to avoid a silo approach to the cyberworld. It is essential to break down the dividing lines between civilian and military, among Government Departments, between Government and the private sector, and between our country and other countries, and therefore to approach the issue in an holistic way. Paul Dwyer of Mandiant came to brief the Defence Committee and told us that it takes a network to defeat a network.
Perhaps because the threat cannot be neatly categorised, it may be unrealistic to expect a neat categorisation of the responses. Everything we have been told in the UK emphasises that the armed forces have a very limited role, protecting their own systems and developing military cyber-capabilities. For other areas of activity, those in the lead are likely to be based elsewhere, particularly in the intelligence services. That is where the important point made by my hon. Friend the Member for Canterbury comes in.
My right hon. Friend makes a good point about the threat being so diverse as to be difficult to counter. None the less, the briefing we were given by Mandiant was very interesting: there are a large number of extremely serious attacks, not by a lot of people but by one or two groups. He even named Unit 61398 of the People’s Liberation Army as one of the main culprits. In other words, it would be reasonably easy for the British Government and the MOD to counter a specific attack such as that.
I am sure that my hon. Friend is right in saying that the Government are well aware of where some of these attacks are coming from. I do not agree that it would be relatively easy to counter them, because these threats are developing at a frightening speed, as the hon. Member for Barrow and Furness (John Woodcock) said. The diversity and development of these threats is changing on a second-by-second basis.
I am pleased to say that the Government are taking action to make the UK more resilient to cyber-attacks. They have established a new computer emergency response team in early 2014, CERT-UK, to improve the co-ordination of national cyber-incidents and to share technical information among countries. The Government set up a new cyber-incident response scheme in GCHQ to help organisations recover from a cyber-security attack. They have extended the remit of the Centre for the Protection of National Infrastructure—the CPNI—to work with all organisations that may have a role in protecting the UK’s critical systems and intellectual property. They have agreed with regulators in essential services a set of actions to make sure that important data and systems in our critical national infrastructure continue to be safe and resilient. As I have said, responsibility for cyber-security rests principally with companies and organisations themselves. Government agencies’ roles will be limited by available resources and national priorities.
Does the right hon. Gentleman agree that there is a difficulty in making cyber-security just a defence issue and saying that the issue lies with companies? There is a network of things that need to combine, and we have not yet developed a system to create resilience across the spectrum; there are only chimneys of responsibility.
The hon. Lady is quite right. We are groping towards it, but we are not quite there. One of the benefits of this debate, of our report and of the Government’s response is to help us move to a better place.
My right hon. Friend makes an important connection between the business community and state operations. I am concerned that state operations do not have the funds to attract the necessary expertise—geeks, my right hon. Friend called them—when they are in demand in the civilian sector. Banks and so forth pay huge sums of money to make sure they are able to fight off any cyber-security issue. Does he agree with a stance that my hon. Friend the Member for Canterbury (Mr Brazier) might take—that there is a need to make sure that those in the reserve forces who actually have such skill sets through working in businesses can work in the MOD as well?
I would have entirely agreed, but the problem may be whether there are enough reserves and enough people with those skills in the country at all. Let us move on towards that.
To deal with the point made by my hon. Friend the Member for Bournemouth East (Mr Ellwood), that was one of the key factors in the strategic defence and security review of 2010. The then Secretary of State for Defence, my right hon. Friend the Member for North Somerset (Dr Fox), said that we needed to see “up arrows” and “down arrows”. Heavy armour was a down arrow but cyber was an up arrow. Some £500 million was set aside specifically for this purpose, so it has been identified as a serious and important area for investment.
Interestingly, the Prime Minister, in giving evidence to the Joint Committee on the National Security Strategy, pointed out that some of the areas had cuts but that this area was one of growth. His regret was that it had not been one of greater growth, and that that change had not been more exaggerated than it was.
I ought to bring my remarks to a close, as others want to speak. Paul Dwyer told the Committee that the willingness of companies to share information about cyber-attacks with one another and with the Government is critical to allowing an effective response to be developed and implemented but, while critical, it is far from easy to achieve.
I am a little concerned that my right hon. Friend is bringing his arguments to a close, because he touched on one point that I was rather hoping he would develop. He said that the Committee visited Estonia. For people who, like me, were not part of the Committee’s study, it would be extremely helpful to know in concrete terms a little more about what it discovered on that visit about what a cyber-attack by a hostile neighbour can really mean.
The Committee visited Estonia in 2009. It has still not been conclusively established who precisely was responsible for the attacks that took down much of that country’s banking system, although we have our suspicions—they may have been marching around in unmarked uniforms. We discovered that the attack had been comparatively easy to achieve. It was a distributed denial-of-service attack that did real damage. We also discovered the international centre of excellence in Estonia, which at that stage the Government were not contributing towards in dealing with cyber-attacks. I am delighted that they have since decided, perhaps as a result of our incredibly effective report, to contribute to the centre.
I was biding my time, but the intervention from the hon. Member for New Forest East (Dr Lewis) has prompted me to intervene. Has any evidence yet come forward to suggest that what is going on in Crimea has involved cyber-security breaches either way?
If there is evidence of that, I do not yet know of it. All I can say is that before the invasion of Georgia there was an extensive cyber-attack on its computer network that was very similar to the one on Estonia. I suspect that it is now a new method of fighting wars that we must all get used to.
The need to share information is critical, as I have said, and important mechanisms for that exist, such as the cyber-security information sharing partnership, which is now open to companies beyond critical national infrastructure sectors, including small and medium-sized businesses. CISP analysts will be expected to feed into CERT once it is fully operational.
The Committee produced many recommendations, but our final conclusion was that the cyber-threat, like other emerging threats, has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation’s security. The Government need to put in place—they have not yet done so—mechanisms, people, education, skills, thinking and policies that take into account both the opportunities and the vulnerabilities that cyber presents. It is time the Government approached the subject with vigour. I am pleased to see the actions that they have taken since we issued our report. Clearly there is much more to be done—in the cyber world it is a matter of constantly playing catch-up—but I personally have the impression that the Government are, at the very least, joining in the game.
Order. It will be obvious to the House that a large number of Members wish to speak this afternoon and that the time available is limited. Rather than imposing a formal time limit, I thought that I might try an experiment. I wish to see whether Members have the ability to be courteous to one another by limiting their speeches to around 10 minutes.
I would first like to say something about the debate. I agree that the Defence Committee is perhaps remiss in not applying for debates more regularly. This debate is taking place on an estimates day. It is a really serious debate that should be taking place in the Chamber in its own right. Our report is now more than 12 months old—it was published in January 2013—which says something about how quickly these things move. The Government published their response in March 2013 and then made a series of announcements last September, but here we are today with the first opportunity to talk about it. That is an issue we need to look at.
I will not repeat what my colleague who chairs the Defence Committee, the right hon. Member for North East Hampshire (Mr Arbuthnot), said about structure, but I would like to say something about structure, about investment—we are talking about money, after all—and about accountability. The statement made in September was very interesting from two points of view. First, it set out a structure for how the Ministry of Defence, along with the Department for Business, Innovation and Skills, the Cabinet Office and others—this cannot be done in isolation—can start to look at its relationship with industry and at protecting itself through its relationships with the rest of the British community. I think that is hugely important.
There is a lot of work being done on achieving proper standards. We took evidence from industry representatives on that, and they were all over the shop, frankly. For example, they did not want standards, or they wanted their own standards. The question of standards is absolutely at the guts of the whole issue of defining cyber, and not just for the Ministry of Defence. Industry must now have a compliance process with the Ministry of Defence, and I am sure that the Minister will say something about how that is to be done. That is hugely welcome, because it is vital. How we then do that in relation to our allies, NATO, the EU, the French—with our treaty—and others is a big issue that needs proper discussion. We need to have proper compliance and assurance mechanisms, as we do with our “Five Eyes” colleagues and many others, because we are all trying to understand the process.
Most people go to Wikipedia when they do not know much about something, as I did with cyber-warfare, because the announcement in September also mentioned having some sort of offensive capability. Wikipedia states:
“Not to be confused with Electronic warfare… Cyberwarfare refers to politically motivated hacking to conduct sabotage and espionage. It is a form of information warfare sometimes seen as analogous to conventional warfare.”
Well, that is terribly helpful. What we know is that there is no clear definition, either domestically or internationally. We are all fishing for something to help us understand this properly, and we should have some humility in that. However, we recognise its interconnectivity.
Let me turn to the statement on having offensive capability. It was very brave of the UK Government to make that statement. We are the first country to come out and say that. I have spoken with some of our international allies about that, and they say, “Well, that’s a very interesting statement for the Brits to make.” How we actually do that will be a matter for discussion. I am not necessarily against the investment or the capability, but I think that we need to be very clear about what we are saying and how we are going to do things. There will need to be a doctrine and rules of engagement. If we are saying that this is a new domain, I do not think that we can run away from some of these questions. If we do and we keep it too secret, we will lose legitimacy for the activities that we wish to undertake. That is a difficult balancing act, but it is absolutely crucial.
If we are to weaponise the process, how will we do that? There is a lot of talk about countries using the Stuxnet virus in Iran. That was actually delivered physically on a memory stick. The programme then searched out the thing it wanted to destroy or debilitate. It was a hugely expensive exercise. I do not know how much it cost, because I am not supposed to know who did it. Well, we do not know who did it, or we all suspect that we know. Whoever did it, it was not a bunch of amateurs; it was someone who could put substantial investment into it. It turned out to be a one-shot weapon.
If we are to weaponise this area, we must be clear that it will cost money. This sort of activity cannot be done by a boy working in his bedroom to come up with a fancy programme. We will have to invest in the process of weaponisation alongside all the other things we are talking about. How will we procure, what will we do with regard to research and technology, and how will we keep a sovereign capability in these areas? I suspect that those are big questions that Parliament will be discussing for many years to come.
The hon. Gentleman is making an interesting speech. Does he agree that the issue is about not only the technical side but the personal side? More medieval fortresses fell through the inside touch than through outside assault. In the high-tech area, as everywhere else, people can be bought or suborned.
The short answer is yes. The other aspect is who can be engaged to help to do such things. As the hon. Gentleman, who is on the Defence Committee, will know, the structuring of things to ensure a reserve capability is hugely important. The way in which the process is being put together is correct; there will be no monopoly on understanding in the areas we are discussing. We need as good a collaboration as possible. The delivery of the processes will not always be remote. Intelligence and knowing what is happening, where and with whom will be crucial. I shall come to that later.
The other question that comes up is about the law—I mentioned legitimacy earlier. I am helping to lead a sub-study in the Defence Committee of the military and the law. That is coloured, obviously, by Supreme Court decisions, individual cases and all the rest of it. The issue raises questions about international law, humanitarian law, extra-territorial jurisdiction and other things. An argument is being put that says, “We don’t need anything to be separate. This is a different domain, but all the current legal constructs are good enough and we do not need anything different.” I come back to my earlier point. We need to be clear about doctrine. In large part, our doctrine is public. Some, however, may not be as public as we would like, but we need to be clear about how we do things.
We seem to accept that cyber can be not just defensive, but offensive—we can use it offensively. Does my hon. Friend think that our domestic legal structure is sufficient to deal with cyber as an offensive weapon and to contain the power of the Executive to apply that weapon?
I do not know, but in the sense that I think I do know, I think that our legal structure is not sufficient and needs revision. I may be wrong, but that debate has to take place and people more qualified than I am need to comment.
It is interesting to note where our allies are. The United States has and has not made all sorts of declarations. If we believe The New York Times, there was a secret legal review that concluded:
“US military forces could legally launch an attack on digital infrastructure located in a foreign country if it found evidence of a threat against its own systems”.
A rules of engagement debate then starts. That is the other difficult bit—we will have to have rules of engagement for such activity. The more we discuss legitimacy in law for these things, the better. If we do not have such a discussion, the issue will be forced on us. That is what we are seeing now in a lot of other areas, so we should structure how we wish to have the debate rather than having a structure imposed on us.
Proportionality is at the guts of the whole business of international law, human rights and legitimacy. We have to show that proportionality is there and that we have mechanisms and systems to ensure that it is. Simply claiming that it is there will not be good enough.
We are not on our own. We need to be joined up not only internally within the United Kingdom, but internationally. We do not have time to go fully into this now, but it is interesting to see Russia’s current adventures in Ukraine. In September 2011, Russia and China said to a UN group that they wanted a code of conduct for cyberspace that would include requirements for co-operation in
“curbing dissemination of information which incites terrorism, secessionism, extremism or undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment”.
Well, there we are—now we know. Translating that into current events will tell us a lot. That proposed code of conduct was about closing things down and giving legitimacy to the avoidance of dissent and to having systems that are less rather than more open. How we collaborate in this area will be important.
When he was Secretary of Defence in America, Bob Gates said that he could protect .mil, .gov, .org or .com, but that as the protection systems were put in, the public might not like what they saw on .com. That debate is not only to do with defence, but defence has a place in it. Whether there should be a code of conduct and the international arrangements are problematic issues, but there is a growing urgency around them.
At the end of the day, the issue can be about the collection of raw information and the sending of viruses to blow up particular equipment. That is the geeky stuff—the weaponisation and the sexy stuff that the press love. However, at the end of the day, those and other actions are only as good as the intelligence that exists to put them into effect. One area of investment that must not be lost in the question of cyber-issues is defence intelligence. In my opinion, we have the best intelligence analysts and they need to be developed.
We can collect the raw information, but if we do not understand it we will go nowhere with it and make the wrong decision. Investment discussions should please not just be about technical toys, GCHQ and all the stuff about weapons; they should also be about intelligence analysts. Let us protect the capability. The issue is about a whole force, but also about a whole community. Those people are vital in that community and investment also needs to go to them.
I welcome the chance to debate the UK’s cyber-security defence. Cyber-security is a particularly wide-ranging subject and cyber-attacks are a growing threat. Without stating the obvious, a cyber-attack could impact on everyone’s lives in many ways. We are now all very reliant on technology and the internet; without our mobile phones or when our e-mail goes down, we almost cease to function.
A major cyber-attack on any of this country’s main utilities, such as transport, energy or the banking system, would cause chaos. It would be, at the very least, very bad for the economy; it could, in the worst-case scenario—if we did not have the means to transport food and fuel, for example—cause social breakdown in a short time. South Korea, for instance, has suffered huge jamming attacks, launched by North Korea, against its GPS systems. They affected major airports and shipping lanes. The travel of more than 1,000 ships and 250 planes was disrupted by North Korean jamming attacks in 2012.
Cyber-security needs to protect us against many threats: criminals attacking personal data, small-scale political activists—or hacktivists, as somebody said earlier—and state-sponsored hostilities. The Government’s cyber-security strategy is along the right lines and has led to the national cyber-security programme, which has clear objectives.
Cyberspace is often compared to the wild west and thought by some to be beyond the rule of law. However, our Government have made it clear that it is not and they have encouraged law enforcement teams to use the existing legal framework to prosecute. When cyber-crime emanates from overseas, the Government are working with the G8, the United Nations, NATO and the European Union to help shape the standards and norms of behaviour for cyberspace. Obviously, the solutions have not all yet been found but the discussions are ongoing and the work is slowly evolving. I am pleased that the work has started in earnest.
Part of the solution is a normal, sensible protocol for cyber-security on the domestic agenda and it can be addressed through simple best practice. There is a knowledge gap and the Government are addressing it in the long term via the development of education in cyber-security: teaching materials on cyber-security are being produced for GCSE and A-level students. Academic centres for cyber-security have been set up in 11 universities. Investment in education is far-sighted and will position the UK with experts in the cyber-security arena.
The Government have also gone some way to engaging with industry by setting up the Cyber-Security Information Sharing Partnership. Furthermore, the Centre for the Protection of National Infrastructure, or CPNI, is working with businesses to encourage them to make cyber-security a board-level responsibility. The current work on the development of an official cyber-standard will help stimulate the adoption of good cyber-practices among businesses. Given the risks to our infrastructure as a whole, the Government have highlighted the role of regulators in overseeing the adoption of robust cyber-security measures. The companies that supply essential services such as power, telecommunications, water, transport and banking, need maximum protection.
I praise the many organisations that are tasked with upholding the Government’s cyber-defence plans. However, as has been said, the threat is so great that I worry that as a nation we are not doing enough, fast enough. An industry study produced by BT last month found that British companies are lagging way behind rivals in other major countries in addressing cyber-security risks. The survey found that only 17% of UK businesses see cyber-security as a priority compared with 41% in the US. Nearly 90% of directors and decision makers in the US are given IT security training, but in the UK it is only around 37%.
On defence, our armed forces are among the most technologically advanced in the world, and I am sure we are all proud of that. In theory, that allows us to put fewer of our people in harm’s way and their lives at risk. However, as the Under-Secretary of State for Defence, the hon. Member for Ludlow (Mr Dunne) said recently, it makes every aspect of our military capability vulnerable to cyber-attack. Obviously, there is no point spending millions on developing leading-edge technology without the cyber-security to stop it being felled by a single cyber-attack.
The Defence Committee noted that the Army has between 35% and 40% too few corporals and sergeants to man its cyber-capabilities. The Government have rightly set up a joint cyber-unit for the reserve forces, which was going well towards the end of the year, and others have said that the reserve forces will play a crucial role in our future capability. The Government have instigated broadly sensible long-term solutions such as apprenticeships to fill the staff-skills gap in industry and business, but how can we attract more trained staff immediately, especially in the defence reserve?
A further concern is that the threat is so wide and imminent that the command structure is not resilient. I understand that the global operations security control centre at Corsham has been empowered to take rapid action without direction from above to defend the MOD’s own networks from attack. That is great, but with the many groups set up to implement the UK cyber-strategy, how will one section know what the others are doing when an attack has happened?
We are all pleased to see my hon. and gallant Friend back in full working order. The GOSCC is in my constituency, and does an outstanding job in providing cyber-security for the MOD. Is he not concerned, as I am, that with the plethora of Government and MOD organisations with responsibility for cyber-matters, the expertise of GOSCC is being undermined by a variety of quangos and committees whose exact function is clouded in mystery?
I thank my hon. Friend for his intervention. He is absolutely right. Within the chaos of a potential attack, I am not sure how the disparate groups would communicate with one another, how there would be a uniform chain of command and how it would work in practice. GCHQ seems to be in charge, but in other countries the matter would fall under the Ministry of Defence. It is fine that the MOD seems to be still developing its own basic cyber-security techniques with the armed forces setting up separate units, but it is the responsibility of the Centre for the Protection of National Infrastructure to take the lead in co-ordinating a UK response to a major cyber-security incident.
An extremely clear command structure will be needed to deal with a cyber-attack, which may come from a political group such as the group that claimed that the Sochi games were being held on the graves of millions of people who had been murdered and that was, according to the US Government’s computer emergency readiness team, threatening companies financing or supporting the Sochi winter games with cyber-attacks.
The response would be different if an attack was state-sponsored, but it would be extremely difficult, especially in the first day or so, to determine where the threat came from and whether it came from an individual or a country. The internet is worldwide and even if we knew where the attack came from geographically, it would be difficult to identify who was behind it.
I am pleased to be able to give my hon. and gallant Friend a pause to think what he is going to say next. When Mandiant briefed us last week, we were told by Paul Dwyer that 66% of our companies take about 243 days to realise that they are subject to what he called an advanced persistent threat, and that some companies have no idea that they are being attacked and will never find out.
I thank my hon. Friend for his helpfully timed intervention. He is absolutely right. Sometimes it is difficult or impossible to determine that an attack has taken place.
On offensive cyber-capability and action, a recent article published by the Royal United Services Institute said that Stuxnet, the malware supposedly used to attack Iran’s nuclear weapons capability, was not successful in delaying Iran’s technical progress. With hindsight, some have seen Stuxnet as a hindrance to diplomatic solutions. I am not sure I entirely agree with that analysis, but it is interesting. Cyber-space is being described as the fifth domain of warfare, so its defence and protection from attack are integral to the operation of our nation’s defence infrastructure.
My last point is whether we are spending enough, which is not an easy subject in a time of fiscal austerity. Last week, Chuck Hagel, the US Secretary of Defence, outlined a vision for a leaner US defence posture with reductions in the US army to a pre-1942 position. However, at the same time, he rightly proposed increased spending on cyber-defence.
Does the hon. Gentleman share my concern that the size of the reduction in the US army is exactly the same as the size of our entire Army?
Yes, I agree, but obviously we are talking about different scales.
I am fully aware that the issues I have raised today are not easily solved, but I fully commend the Government for the progress they have made so far.
Order. It is usual for hon. Members to stand up to indicate that they wish to speak. It makes the life of the Chair rather difficult if no one does so. I was about to draw the debate to a close.
I apologise, Madam Deputy Speaker, for not standing up. I thought the hon. Member for Filton and Bradley Stoke (Jack Lopresti) had sat down to take an intervention, but slowly it came to my mind that he had finished his speech.
It is an honour to follow the hon. and gallant Gentleman. I share his concern about an attack on our national infrastructure, but we sometimes focus on things such as banking and transport when we should perhaps look at our food supplies or our hospitals. The impact of such an attack on the civilian population and the country’s morale would be huge. We must address resilience to a cyber-attack and we must engage the civilian population in understanding and preparing for that.
The Chairman of the Defence Committee and I were given a book for holiday reading: “One Second After”. That delightful read, which probably wrecked my summer, was a description of the United States after an electro-magnetic impulse attack had taken out all its computer-based systems. Everything went. No cars could go on the road and nothing would work. It was a scary prospect and I now understand why the Defence Committee’s Chairman runs a car that does not have a computer in it. I am sure the book was a great influence in the decision to purchase that car.
The book also made me aware of the very narrow issue of who is the enemy. In traditional warfare, we tend to know who we are fighting, but in future we may be fighting criminals who are holding the country to ransom. We could be fighting terrorists, because a state is not needed to manufacture a cyber-attack, or activists or anarchists. It has been suggested that some of the attacks in Estonia were by third-party actors. At the bottom of the list is the potential for a state to attack, because states like rules and the rest do not follow rules. That is why they must be our focus, our worry and our concern.
A statement made in 2012 informed us:
“Our cyber defences blocked around 400,000 advanced, malicious cyber threats against the government’s secure intranet alone”.
On the whole, we do not know where those threats are coming from. We do know that the Government have given a commitment to having full-spectrum capability in dealing with cyber-attacks. In fact, in response to the growing number of cyber-attacks, the Secretary of State said that
“we are developing a full-spectrum military cyber capability, including a strike capability, to enhance the UK’s range of military capability. Increasingly, our defence budget is being invested in high-end capabilities such as cyber and intelligence and surveillance assets to ensure we can keep the country safe.”
I was very interested in that statement, so it sent me off on a little tangent, as such things often do.
As the Minister, who has received many of my quirky little requests for information, will know, I sent off a parliamentary question to every Department asking them how many specialist IT staff they employed who had a PhD in computer science, who had a master’s degree in computer science, and perhaps who even had just a basic bachelor’s degree in computer science. It did not bode well, I have to say. The Ministry of Defence can rest on its laurels; it came second to the Department for Work and Pensions, with 1,625 such members of staff. None of the Departments could break the information down by qualification across Departments, which could explain why Government are not very good at commissioning cyber-capability and improved computer networking capability. Only 5,088 people, in total, held a degree-level capability in computing. It was depressing to note that the Department for Culture, Media and Sport had only three people with such a qualification, so we should watch out for its contracting.
Given the logic of Government, did my hon. Friend also ask whether the people with a computing degree actually worked in such areas beforehand or did something completely different?
I did, and most Departments responded that they worked in specialist teams, as we would expect.
Interestingly, the response from Her Majesty’s Treasury told us that a total of 48 people are employed within its centralised IT department, or teams. Those staff provide IT services to the Cabinet Office and to the Treasury. That compares with 57 people in 2008 who worked exclusively within the Treasury, so the numbers are going down, and that has to be a matter of concern. As people with these skills are increasingly highly valued in the marketplace, can Government stay ahead of the market in being able to recruit them?
I was worried about the budget and looked into that aspect. We have heard about the figure of £650 million over five years, which is a mere fraction of the figure for the annual economy, which is set to lose £27 billion every year to criminal activity in the cyber-realm. In contrast, the US Department of Defence has outlined a $23 billion spend on cyber operations in the financial year of 2018 alone.
I thought that I would then have a look at how well we were doing in this area. I discovered, rather alarmingly, that the Government had withdrawn from a new cyber-warfare project called Project Cipher, which was intended fully to scrutinise complex programmes to ensure that they had the potential to meet our needs. After thorough assessment, it was decided that Cipher would not meet the full defence capability required to offer long-term value for the taxpayer, and so the programme was not taken forward. The costs of the stalled project, in the assessment phase alone, had been £66 million, so we have lost a large percentage of the money set aside for cyber, and they were £47 million above the original budget. Overall, this was a major disaster. IHS Janes has said that the project was
“intended to renew the MoD’s cryptographic inventory and automate its crypto-key management systems by replacing obsolete current systems to prevent encoded communication links being compromised.”
I understood half that sentence. The important bit is that it was intended to replace obsolete current systems, because Departments are not good at replacing obsolescent systems. They tend to work things for the length of a Parliament, which is now five years, when we all know that these computers are dying on their feet after about the first two years.
IHS Janes continued:
“The delays in bringing Cipher online are creating capability risks, says the NAO, because the ministry’s existing crypto capability lacks the flexibility to deliver the flagship Network Enabled Capability project, which aims to link up a wide range of military communication networks. This means efficiency savings relating to the automation of crypto capability has been delayed, leading to increased demands on military manpower.”
It explained that the problems with Cipher’s design first emerged during an assessment phase and that they were the result of the lack of suitably qualified experienced civil servants—you will be surprised to hear that, Madam Deputy Speaker. One of the essential things that we must do if we are to be responsible in looking to the defence of this country is to find the way to employ and retain the capability that we need within government to provide the skills and oversee the systems that we operate to keep this country secure.
There has been considerable discussion about having a cyber reserve. I have had conversations with a number of companies that have told me that they are very worried about their employees joining the reserves because they fear for them when they have to travel abroad. Many international companies work around the globe, and they worry about someone who has been in our cyber reserve and transfers to work in another country, or merely travels through a country perhaps on business or on holiday, being prone to personal attack because of the information they would hold not only on their company but on the UK’s cyber-defence capability. I hope the Minister is aware of that concern and will address it.
This is perhaps one of the most urgent and pressing issues affecting this country. We have to take it seriously across every Government Department, but we also have to alert our citizens to the fact that they are now on the front line, because the attack may come from their personal computer, which could be hacked and used for an attack not only on this Government, but on other Governments.
Order. Hon. Members are not doing terribly well on the supposedly self-imposed 10-minute time limit. Perhaps if they were to aim for nine or eight and a half minutes, we might be more on target.
I will do my best, Madam Deputy Speaker.
I agree with the conclusion of the hon. Member for Bridgend (Mrs Moon): this is an extremely important issue and addressing cyber-security rightly sits at the top of our national security agenda. Cybercrime and cyber-attacks are not only tomorrow’s dangers; they are a very real and growing threat today. As others have already made clear, Governments, business and members of the public come under sustained attack from cyber-criminals and foreign powers. There were an estimated 44 million incidents in 2011 alone.
As we become ever more reliant on the internet, our vulnerability increases. Cyber-threats take two primary forms—cybercrime and cyber-attack, although sometimes the distinction is blurred. Cybercrime was estimated by the Association of Chief Police Officers to have cost £57 billion globally back in 2009, while Detica estimated that the 2011 figure for the United Kingdom alone was £27 billion. It is difficult to believe that there has not been a geometric increase since then.
Large-scale cybercrime is an issue of national security. Cyber-attack and cyber-espionage also present a serious threat both to the state and to the community, and the state should be acting to protect both. As we know, cyber-attacks have had real-world effects, as exampled by the denial-of-service attacks in Estonia in 2007 and the Stuxnet attack on Iranian nuclear development capability, although there appear to be disagreements about the degree of its effectiveness.
Cyber-espionage and theft of sensitive information is another major concern, so addressing the danger of cyber-threats today is real, not academic. The Security Service estimates that at least 20 foreign intelligence agencies currently operate to some degree against British interests. That threat merits our immediate and strong attention, which is why I welcome this debate and the attention the Defence Committee has given to the subject.
Given the amount of time I have left, I hope my hon. Friend will forgive me if I do not give way to him. If I have time at the end, I will come back to him.
What is being done and developed in the strategy? In 2009, the previous Government produced Britain’s first cyber-security strategy, which, though laudable for initiating a centralised approach to cyber-security, I as the then shadow Minister critiqued as being a shallow copy of the then American strategy. I said:
“Minimal or no attention is given to key areas such as co-ordination of the new cyber-structures with existing agencies, response to a cyber incident and information sharing between government, industry”
and international action. I also said:
“There is no consideration within the strategy of how we would respond to a cyber-attack. No mention can be found of a framework for response or who would lead it. There is no discussion of issues such as back-up communications networks for security and emergency personnel.”
All of those were given coverage in the United States review at the time.
Given the severity of the threat, the then Opposition felt that the strategy was an inadequate response, so before the general election we produced our own paper on cyber-security and keeping Britain safe in the digital age. I am pleased to say that much of it found itself in the Government’s 2011 cyber-security strategy, which is currently being co-ordinated by the Office of Cyber Security and Information Assurance.
The strategy is far more detailed than its predecessor and offers a more thorough, co-ordinated and ambitious programme to enhance our cyber-security. The recent progress report from the Cabinet Office highlights the successes in implementing the strategy and the progress made towards achieving its objectives by 2015. I commend the strategy for its scope and ambition, incorporating everything from changes to law enforcement to greater co-operation and information-sharing with the private sector and enhancing our cyber-resilience. That the strategy also balances the attainment of security with civil liberties is reassuring.
Everything my hon. Friend says is absolutely right. The Ministry of Defence, of course, has no responsibility whatsoever for this. Is my hon. Friend therefore proposing that the things he is describing perfectly adequately should now become part of a defence cyber-strategy, or is he talking about something other than the topic of this debate?
My hon. Friend, in his usual perspicacious way, has identified precisely what I am moving on to, but before I finish on the wider cyber-security issue, I want to recognise the contribution made by the Baroness Neville-Jones in pulling this strategy together and much improving our country’s response.
No strategy, however, is incapable of improvement and the Government still appear to preside over a patchwork muddle of agencies and mandates responsible for cyber-security. In 2011, the Intelligence and Security Committee identified 18 different actors with responsibilities for cyber-security, which raises concerns about duplication, cost-effectiveness and confusion. I note the counterpoint expressed by the Minister for the Cabinet Office and Paymaster General, who said in evidence to the Defence Committee that although the arrangement is untidy, it is effective, given the need for a cross-Government approach. I must say that, in the absence of a personality as strong as Baroness Neville-Jones, there remain issues about co-ordination and leadership, as was also mentioned by my hon. Friend the Member for Filton and Bradley Stoke (Jack Lopresti).
We must recognise that the updated cyber-security strategy is a major step forward, but, as my hon. Friend the Member for North Wiltshire (Mr Gray) has made clear, defence is only one small component of the pan-Government effort and by no means the most important. I wonder whether the bracketing of cyber-security and defence is in fact wise, given the MOD’s relatively limited role. The MOD has only two formal responsibilities: to ensure that armed forces operability is maintained both at home and abroad by securing its networks, and to enhance military operations by developing future cyber-capabilities.
Cyber-capability is immensely important for the armed forces: it is a battle-winning asset. In the same way that military operations become difficult if not impossible without air supremacy, cyber-superiority if not cyber-supremacy is required. What differentiates cyber-security is that it also applies to nearly every aspect of modern civil life. Not many businesses need to worry about the effectiveness of the F-35 and the Eurofighter in their daily operations, but the defensive cyber-capability is a daily national necessity for our financial system. Defence against most high-end cyber-threats, including those to critical national infrastructure, is the responsibility of other Departments, not least GCHQ and the Centre for Protection of National Infrastructure. Given that fact, the conflation of cyber-security with defence is possibly misleading, in that it obscures a complex and much bigger picture. However, we are debating cyber-security in the context of defence, so I shall focus on that.
Other hon. Members have outlined the threat, so I simply want to say that the armed forces are increasingly vulnerable to highly targeted forms of cyber-attack, given the networked nature of modern military systems and the increased use of unmanned aerial vehicles and robots on the battlefield. Adversaries may seek signals interception to distort intelligence, disrupt logistical supply chains or, most worryingly, render major platforms and systems, such as ships and aircraft, dysfunctional. If we now regard cyber as a fifth domain of warfare, we must expect other countries to do so too. Britain is a world leader in defence technology, but we must expect emerging powers to be keen to shrink the development gap by stealing what they cannot easily or quickly develop for themselves. The need to protect the operability of our armed forces and the integrity of our defence establishment is thus abundantly clear.
Of the £650 million set aside to transform Britain’s national cyber-security capabilities over the next four years, the MOD will receive £90 million. That funding is not intended to secure MOD networks, because that is assumed to be business as usual, but I know that the Department is securing its supply chain against cyber-attack. The point has already been made about the importance of the need for a resilient industrial base, which must form part of the goal of the national cyber-security strategy. The MOD has responsibility to help to manage the security of its suppliers, and I note the work that has been done to that effect.
I also note the emphasis on reserve forces, which other hon. Members have mentioned, and I welcome the establishment of a joint cyber reserve unit. That is exactly the sort of imaginative use of civilian-qualified reservists in the armed forces that we will want in times of need, but we must bear it in mind that if the armed forces need them at a time of crisis, so will their host employers. On a separate point, I am encouraged by the assurance that spending on cyber will automatically be increased in the budgets of future programmes.
Cyber is part of how our armed forces will wage war in future, so the Department must be able to continue to enhance its military cyber-capabilities. I therefore want to touch briefly on cyber-attack. Inevitably, developments in technology will always be highly classified because the possessor of the latest technological advance is likely to have a battle-winning capability. I therefore understand why information in this area is restricted. However, I emphasise to the Minister that the military should understand that this House expects them to possess cyber-attack capability alongside the ability to defend their own networks from cyber-attack.
This area is highly sensitive because such technology can be applied against other states’ non-military assets in a way that makes it difficult to be clear about whether the laws of war apply. I will finish by discussing this international aspect. This area sits in the grey area between espionage and conflict. That is why, in 2009, I called for us to co-operate internationally on cyber issues to regulate the relations between states in respect of cyber-conflict. I am delighted that that is recognised in the 2013 statement on aspects of state behaviour in cyberspace. We must try to identify the future international rules of the road that will govern relations between states in this area.
I will end by reiterating three questions. First, by bracketing cyber-security with defence, are we in danger of misleading ourselves about where the main effort needs to be? Secondly, can the lead responsibility for cyber-security be made clearer? Thirdly, are we affording enough resources to research and development in this vital area?
Order. Despite the presence of the new clocks to aid Members in calculating how long they have been speaking, and despite the fact that Members have been asked to keep their speeches to 10 minutes or less, we are left with six speakers and only 40 minutes to go. There is now an eight-minute time limit and the clock will count it down for Members. It might be necessary to revisit the limit to ensure that every Member who has been sitting in the Chamber patiently is able to participate.
The growth of the internet has, without question, transformed our everyday lives. I say that as someone who spent many years working for a multinational corporation that introduced every home to the personal computer and introduced the business world to the speed of the e-mail. The importance of the internet is underlined by the part that it plays in our economy. The internet-related market in the UK is estimated to be worth £82 billion a year.
However, with greater openness, interconnection and dependence on technology comes greater vulnerability. To put that in perspective, cyber-attacks have been categorised as a tier 1 threat to the UK’s national security, which puts them up there with international terrorism, military crises and natural disasters. The threats to our national security from cyber-attacks are therefore real and growing.
Terrorists, rogue states and cyber-criminals are among those who are targeting computer systems in the UK. That is highlighted by the fact that 93% of large corporations and 87% of small businesses have reported a cyber-breach in the past year. Performing an attack need not be expensive. With minimal equipment in the right hands, a lot of damage can be done. However, protection against such attacks does not come cheap. The cost of a cyber-security breach can be between £450,000 and £850,000 for a large business and between £35,000 and £65,000 for small and medium-sized businesses, which are not insignificant sums. The UK faces a staggering 1,000 cyber-attacks every hour, at an estimated annual cost of £27 billion.
In cyberspace, power can be exerted by states, non-state organisations or individuals, or by proxy. The boundaries are blurred between the military and the civilian, and between the physical and the virtual. The threats to security and information in the cyber-domain include state-sponsored attacks, ideological and political extremism, serious organised crime, low-level individual crime, cyber-protests, espionage and cyber-terrorism.
Some of the most sophisticated threats to the UK in cyberspace come from other states that seek to conduct espionage, and some states regard cyberspace as a way to commit hostile acts “deniably”. That is why, alongside our existing defence and security capabilities, the UK must be capable of protecting our national interests in cyberspace.
“Advanced persistent threat” is the term used most often to describe threats that are unlikely to be deterred by simple cyber-hygiene measures. Acts of aggression or malice in cyberspace differ from those in other domains. Cyberspace is regarded as an asymmetric domain, which means that even adversaries of limited means can pose a significant threat to military capabilities. We will all agree that cyberspace is a complex and rapidly changing environment.
The British Security Service estimates that at least 20 foreign intelligence services are operating to some degree against UK interests in cyberspace, and their targets are in the Government as well as in industry. The Government have pledged £650 million for cyber-security over four years—0.6% of the cost of attacks. It is therefore essential that the MOD works alongside other Departments and the Security Service to ensure that there is no duplication or inefficiency, given budget constraints. We believe that the Government must ensure that every company working with the MOD, regardless of its size or the scale of its work, signs up to a cyber-security charter. That will ensure that hackers cannot use small suppliers to get into the systems of major defence companies.
With the armed forces now so dependent on information and communications technology, should such systems suffer sustained cyber-attack, their ability to operate could be fatally compromised. Because events in cyberspace happen at great speed, there will not be time in the midst of a major international incident to develop doctrine, rules of engagement, or internationally accepted norms of behaviour. That is why the Defence Committee recommended that the MOD make the development of rules of engagement for cyber-operations an urgent priority, and ensure that the necessary intelligence, planning and co-ordination functions are properly resourced.
The rapidly changing nature of the cyber-threat demands that a premium be placed on research and development to enable the MOD to keep pace with, understand, and anticipate that threat. The Government should make it a priority to develop robust protocols for sharing information with industry to allow expertise to be pooled. A cyber-threat has the capacity to evolve with almost unimaginable speed, with serious consequences for the nation’s security.
In conclusion, I repeat our call for the Government to ensure that every company working with the Ministry of Defence, regardless of its size or the scale of its work, sign up to a cyber-security charter.
I should declare an obvious interest as the MP for Cheltenham, since GCHQ is based in my constituency. This is also a topical day to debate cyber-security, because this morning the Deputy Prime Minister made a speech in which he talked about the balance that needed to be struck between digital freedom and national security. He praised GCHQ for its continued expertise and its role in defending us all against cyber-attack.
Although there is currently no cold war in the old sense—I hope that is not the wrong thing to say; perhaps events in Ukraine are making us worry a little about that, but there is no active cold war in the way there used to be in the 1960s and 1970s—we are in effect at war in cyberspace. Ongoing attacks are taking place against this country and its institutions and businesses, and it is right that in 2010 the national security strategy identified cyber as a tier 1 threat alongside international terrorism, military crises and major accidents or natural hazards. Although the £650 million committed to the national cyber-security programme in 2011 sounded like a great deal of money, considering it against the billions being committed to Trident, for instance, which does not address any of those tier 1 threats, should give us some pause.
Trident addresses a theoretical and perhaps quite real future risk, and there are different views on that, but the cyber-security programme is defending us against current ongoing attacks. As hon. Members have pointed out, they are taking place at the rate of thousands an hour. It is almost like attacking an onion—Russian dolls would be the topical way of describing it. The core is the Government, the Ministry of Defence and the armed forces. We know that malicious e-mails are being blocked at the rate of 33,000 a month at the gateway to the Government secure internet. The next layer is defence contractors and the supply chain which, as other hon. Members have rightly pointed out, are just as critical to the successful operation of the armed forces and our defences as the Government core.
Critical infrastructure is the next layer. Hon. Members have rightly referred to banks and food supplies as part of that wider layer. The next layer is the wider economy and society. The threat to business is a threat to our national security; 93% of large businesses and 87% of small businesses have reported cyber-attacks in the past year, potentially costing thousands, as the hon. Member for Inverclyde (Mr McKenzie) mentioned.
The Defence Committee rang the alarm bell in 2013. It said that the risk of military operations being fatally compromised continued despite all the effort, and that we perhaps needed more resource and focus on cyber-security. It is right that we commit spending, and look at structures and process, but spreading the culture and practice of cyber-security matters at all levels, and across Government, business and society.
We have talked about the various units. I am pleased to say that GCHQ is in the lead, but the Global Operations Security Control Centre plays a vital role, as do the cyber-security information sharing partnership and various cyber-units in various places across Government. The hon. Member for Reigate (Mr Blunt) offered criticism of that proliferation of different units, but I believe the network approach is the right one. We need attention and focus in different places across Government. The last thing we want is for cyber-security to be silo-ed. We need the culture and practice of cyber-security to spread across Government.
That was brought home to me recently when I visited Bletchley Park, and the brilliant National Museum of Computing, which was celebrating 70 years since the Colossus machine, arguably the world’s first programmable computer, started breaking the Geheimschreiber codes at Bletchley Park. A lot was said about the technical expertise of the Government code and cipher school, which became GCHQ, and the genius of Alan Turing and Tommy Flowers, the great engineer who led the Colossus team—I am proud to say that my father was one of his Post Office engineers. However, it was emphasised that human error allowed many of those codes to be broken. It was not just human error in the sense of mistakes that gave away code keys, but the fatal underestimation of Bletchley Park’s capabilities on the part of Hitler and the German high command. Right up until D-day, Hitler held back Panzer divisions in the Pas de Calais because he simply did not believe that the Normandy landings were the real deal—he believed the misinformation and the false intelligence that was being fed to him. It never occurred to him that the Geheimschreiber codes were being broken and that our side had that capability.
I am pleased that GCHQ is in the lead on cyber-security and that it provides that technical expertise, but we need to spread the culture and understanding. By way of justifying the supplementary defence estimates to support that and other defence work, having that expertise has benefits for the UK economy. GCHQ has enormous links to academia, business and other parts of Government, but it supports cyber-skills at all levels, including encouraging maths, science and engineering in schools. I saw that at the Cheltenham science festival, although it encourages those subjects in many other ways. It also recognises academic departments that specialise in cyber-security. As has been said, they are now present in a large number of universities. That focus on high-tech skills, and research and development, could, and should already, make the UK a centre of global importance in cyber-security skills. In turn, that builds resilience, not just in Government but in businesses, making Britain a safer place to do business in cyberspace. All those things have economic benefits and more than justify the spending we are considering.
There is a slight sting in the tail. GCHQ and its expertise are widely recognised now, which may be one of the benefits that it has inadvertently gained as a result of Mr Snowden’s recent activities. Business recognises that expertise and skill, and is able to poach very expert people from GCHQ and, perhaps, from the Global Operations Security Control Centre as well. The Government need to value the people in GCHQ and GOSCC, and others across Government, who have those extraordinary skills, and—sometimes, I am afraid, in material terms—try to ensure that we hold on to the best people, and the real skills and expertise. We need to value those skills in all sorts of different ways, but I hope that Ministers will not take it wrongly if I say, on behalf of my constituents, that that way would also be appreciated.
We are facing a global threat. The United Kingdom is under current attack, and, while I think that the Government have got the strategy broadly right, I also think that they should not let up in defending us against this new and very 21st-century threat.
Our society relies more and more on cyberspace in activities ranging from internet shopping to internet banking. More and more of our lives, and consequently our details, are online, and our constituents are affected by that every day. It is only right that the Ministry of Defence has a cyber-system that provides security, can be updated, and can be foolproof.
The national cyber-security programme puts in place £650 million over four years to transform the United Kingdom’s cyber-security capability, of which the MOD’s defence cyber-security programme is part. The cyber-threat has a capacity for almost unimaginable speed, which could have serious consequences for the nation’s security. The nation therefore needs to do what it has not yet fully done, and provide the mechanisms, people, education, skills, thinking and policies that will make it possible to take into account both the opportunities and the vulnerabilities that cyber presents. If a reason for action were ever needed, that would be a very clear reason.
All of us, both inside and outside the House, will have watched films on television in which Governments are brought down by computer networks. I remember thinking that that was science fiction and that it could never actually happen, but all of a sudden, in our own lives as elected representatives dealing with constituents, we have found ourselves relating to some of the issues with which they have had to deal in connection with, for instance, banks. There is a real, definite possibility, for which we must be prepared.
We have heard more and more about hacking skills. Businesses and livelihoods now depend on cyber-security for protection, and we have a duty to protect ourselves, to protect Government Departments, and to protect our constituents. Currently, 91% of UK businesses and 73% of UK households have internet access, and £47.2 billion was spent online in the UK alone in 2009. The Minister has said that exact figures are hard to pin down, but a recent study by the Cabinet Office suggests that cybercrime now costs the UK £27 billion a year, with a cost of £2.2 billion to the Government, £3.1 billion to individuals in the form of fraud and identity theft, and by far the largest proportion—£21 billion—to industry.
Cyberspace is a continually evolving environment, and if we are to defend ourselves from the threats that emanate from it, we must keep pace with that change. However quickly a threat is identified, 10 more will have been dreamt up by those who have the capability to do so. We must ensure that our constituents are protected, and, if necessary and if possible, educated as well. One cyber-security chief has pointed out in one of the national papers that even a simple password is better than no password at all, and that many people are frightened of terminology.
I was pleased to learn that the new cyber-security programme essentially seeks to build on the centralised approach established by the last Government, and to tackle some of the emerging gaps. It seeks to establish new cyber-security institutions and education and skills initiatives, with the aim of locating and addressing the weaknesses in existing cyber-measures, anticipating future threats, and building good working relationships across UK sectors, both public and private, as well as within nations. That certainly requires, and is worthy of, the funding support proposed in the motion. I hope that the Minister will be able to give us some indication of how, while the investment is taking place, all the regions of the United Kingdom—including Northern Ireland—can benefit from it. I am keen to understand how we in Northern Ireland can gain some direct advantage.
I understand that protection and security are essential for individuals and also for the Government and the Ministry of Defence, and the money must be used to maximise protection and education. The information provided by the Commons briefing stated the following, which determined my support for what has been proposed here today, because these facts and figures are horrendous. Some Members have mentioned them already. The director of GCHQ has described how cyberspace is contested around the clock. In the United Kingdom there are over 20,000 malicious e-mails on Government networks each month, 1,000 of which deliberately target that very department. The Security Service estimates that at least 20 foreign intelligence services are operating to some degree against UK interests in cyberspace. Again, that illustrates the scale of the problem.
The US estimates that the Pentagon’s computer systems are probed 250,000 times an hour, with more than 140 foreign spy organisations trying to infiltrate US networks. During the 2008 Olympic games, Beijing alone experienced 12 million cyber-attacks per day. That underlines the magnitude of this problem and the importance of our being prepared and ready to combat it. I again ask the Minister to comment on the collaboration aspect of that. The report mentions our collaboration with the United States, as other Members have. Can the Minister explain exactly what that entails, and can he assure us that we will not be exploited by the United States of America and its Government?
On the NATO Cooperative Cyber Defence Centre of Excellence, will Parliament be fully apprised of any decisions regarding participation in that and other international co-operative arrangements? It is important that everyone understands exactly what is proposed and what will happen.
These attacks are happening around the world and in the UK and we must protect ourselves. I am therefore very happy to support the proposals, and I ask the House to support them too, while also ensuring that every pound is spent effectively and enhances the skills of those in Government dealing with these threats. Other Members have stressed the importance of having skills in the MOD at corporal, sergeant and private level, so we can address the many pitfalls that may arise.
While cyber-terrorism may not be physical terrorism of the sort that some of us in this Chamber have faced personally, and whose effects can be seen in blood and tears, the effects of cyber-terrorism can bring a nation to its knees and we must ensure we are not the ones who are brought to our knees, but are instead able to withstand any such attack.
The greatest threat of electronic attack continues to be posed by state actors. Russia and China are suspected of carrying out the majority of assaults, but other countries—North Korea, Iran and even Syria—run very effective attacks too. The targets are in Government as well as in industry.
Let me give an example of a cyber-attack. On 23 April 2013 the American stock market dropped 1%; it lost $136.5 billion in a matter of seconds because of a false tweet posted on the Associated Press Twitter account. That tweet apparently came from Syria.
Let me give another example of a possible danger to this country, and here I will use information from a paper written for the Defence Committee by the distinguished academic Chris Donnelly. Huawei, a Chinese company strongly suspected of having close links to the Chinese Communist party and Government, is now providing crucial equipment for our national telecommunications system. The company has been debarred from doing that in the United States because it could not prove that it did not have strong links to the Chinese leadership.
Chris Donnelly’s paper highlighted three areas where Huawei could present a security risk. First, the company could insert undetected malware into its equipment, either to disable the system at will or at least to monitor it. Secondly, there is a possible security risk from the Chinese managers and technicians who man the system. Thirdly, allowing Huawei to dominate the field takes away our sovereign ability to deal with matters ourselves. Recently, there has been growing concern that our national cyber-security systems might not be able to detect whether malware has been inserted into the system.
My hon. Friend is right to be concerned about the possibility that companies of all sorts might act against the interests of this country, but it is also right to record that Huawei is a major employer in the United Kingdom and is a multi-billion-pound multinational company. The suggestion that it is, in some way or another, an agent or a foreign force in the way he describes may of course be true, but it is worth saying that there is no evidence that that is the case.
I thank my hon. Friend for that, but I am not sure that he is right. Huawei has been involved in setting up our cyber-security evaluation centre. It offered its services at knock-down prices—no western firm could match them, and our economy was and is in a poor position to resist the temptation of accepting what looked like a very good deal. So we could be setting a thief to catch that same thief. Of course the suspicions I voice may be erroneous and our cyber-security services could be totally on top of this one, but without access to classified information I have no way of checking. Members may recall that Huawei offered to provide a mobile phone system for the London underground during the 2012 Olympics—was it not free or close to being free? If I recall it correctly, that offer was turned down on security grounds.
As Chris Donnelly highlighted, state security requirements and gaining commercial advantage are two sides of the same coin in China. We should be under no illusion about the Chinese willingness to put huge efforts into understanding and, if necessary, harnessing all sorts of systems in the UK to advance the Chinese national interest. Already there is a mass English learning programme in existence, which Chris Donnelly suggests involves 300 million people in China, and a similar mass programme to teach computing. In 2012, China conducted what it called its first “digital technology exercise” in Inner Mongolia, when an entire division of hackers in the uniform of the Chinese liberation army was deployed. These cyber warriors went to war across the whole spectrum of western activity, not just against western military communications. We are wasting our time calling on China to stop hacking into our systems. Of course the Chinese will deny they are doing it until they are blue in the face—
Forgive me, my hon. Friend is absolutely right. He always stands up for the infantry, so he would use the word red, and I accept it; red is the colour of the infantry.
We had better wake up to the fact that systematic and state organised hacking is a massive Chinese industry. I am pretty sure that our security services are well aware of the threat, but the public must also be made aware of it. We need the funding to do what we can to counter the threat.
Let me be clear: hacking can be more deadly than a gun. Cyber-warfare, taken to its logical conclusion, could bring our society to its knees. Almost nothing works without electricity. I am talking about light, energy, traffic control—on the ground and in the air—hospitals, police and even sewerage. Undoubtedly, the national grid would be a No.1 priority target for someone wishing to reduce us to our knees. Von Clausewitz stated that war is an extension of politics by other means, but systematic hacking is also war, by new, subtle and probably very effective means.
In a hands-free, wireless, bluetooth enabled world, how would any of us cope without access to our mobile phone or computer data for any duration of time? Our lives and livelihoods depend on those assets, and they would change fundamentally if they did not work. The recent flooding in Dorset affected electricity and caused some households to reach for the candles. What a new experience that was for a generation of people who perhaps take our world a little bit for granted. They believe that all these things that we enjoy are there and will not be challenged.
I welcome this debate, and I commend the Defence Committee and its Chair for their report. My concern is that we are debating something that is changing almost daily and yet the report was printed on 26 March 2012. In answer to my interventions at the start of the debate, the Minister made it clear that changes have been introduced, but even they will be out of date given the pace of change in this area.
As we move into an ever more digital and virtual world, we are increasingly exposed to attacks not just on personal data and intellectual property but on state operations, from air traffic control systems to electricity grids. Cyber-attacks are simpler and cheaper than a dirty bomb. We no longer see robbers running in to rob a bank; it is all done electronically. This is the world that we now need to recognise.
Two years ago, I attended a course at Harvard university on national and international security. A cyber-security expert borrowed a laptop. He then purchased and downloaded $16 of software, and managed to tap into Boston’s traffic light systems. Had he taken it one step further, he would have been traced and got into trouble. None the less, he showed how easy and quick it would have been, with just $16 of software, to cause huge disruption.
Let me place this issue in perspective. In the development of warfare, there are occasionally seismic leaps in capability as new systems are introduced, and they force all of us to adapt. Going back in history, the longbow changed the outcome of the battle of Agincourt. The introduction of the cannonball changed the way in which ships attacked one another, preventing the need to go on board. The introduction of the submarine, the tank, the plane and the aircraft carrier all changed the conduct of war. As has been said again and again in this Chamber, cyber-technology will provide a new dimension, which we all need to understand.
I am a little saddened that the Chamber is so empty. I hope that it is not because I am on my feet.
Thank you! The fact is it is the usual suspects who are here today, by which I mean those who are interested in defence matters. However, as my right hon. Friend the Member for North East Hampshire (Mr Arbuthnot) said, this issue does not affect just defence. It covers the business arena, the Home Office and the Ministry of Defence, yet we are not familiarising ourselves with the structures and processes so that we are at the front end of this capability. The speed of attack, if it happens, will be phenomenal. We have not yet seen anything on a scale that would fundamentally affect our lives, but there will be no build-up to such an attack. There will be no arms, tanks or ships mustering on the border; our lives will suddenly change when our computer systems no longer work.
The UK’s military equipment is increasingly vulnerable because of the complexity of its IT. What would happen if we lost the global positioning system? How would anything operate and could we cope? When I was at Sandhurst, we were taught how to use a compass. I am not sure whether that happens any more, but if the systems go down, that is what will be required.
Today’s statement on Ukraine reminds us of our involvement in the Crimean war and the charge of the Light Brigade. That infamous event took place because of a breakdown in communications, as by the time the orders reached Lord Cardigan, he had the wrong idea of what his mission was. Goodness knows what would happen today if we had insufficient resilience to communicate using our usual systems.
Knowing a little about Joint Forces Command, I understand the logic of placing cyber-security in that domain—it is wise that it is fed into the command—but cyber-security should have its own distinct command with its own expertise, as is advocated by some in the United States. Additionally, the relationship between the Global Operations Security Control Centre and the defence cyber operations group needs to be clarified for those of us who were unable to participate in the Committee’s inquiry. Will the Minister update us on bringing together disparate groupings and organisations within various Ministries through the GOSCC?
I support the call for the use of reservists. Banks and other financial services businesses are at the high end of ensuring that they protect their capabilities, so we need to determine how we attract people with the skill sets to do that job to work in the Ministry of Defence as well. Will the Minister tell us what is being done to encourage our NATO allies to improve joint capabilities? That subject might be suitable for discussion at the 2014 NATO summit, which will take place in this country. Given the damage and disruption that a cyber-attack might inflict, would a full-scale attack on another country be subject to article 5 of the North Atlantic treaty? Have rules of engagement been determined for offensive and defensive cyber-operations?
I welcome this debate and I agree with my hon. Friend the Member for North Wiltshire (Mr Gray) that we should have defence debates more regularly. The House needs to understand this emerging threat that faces us all, as it is only a matter of time before a major strike takes place. I welcome the huge progress that the Government are making, but there is clearly much more to do.
Labour Members welcome the increased focus that cyber-defence is receiving. The report by the Defence Committee is evidence of that focus, so I congratulate its members on their excellent work. Cyber-attacks are at last properly acknowledged as a serious threat to our national security and are rightly prioritised as a tier 1 risk in the Government’s 2010 national security document. As the Committee’s report says, the threat is liable to grow and evolve at “almost unimaginable speed”. Indeed, the pace of technological change is faster than traditional Government structures and time lines can cope with. As my hon. Friend the Member for Barrow and Furness (John Woodcock) said, five years is a long time in the cyber-world and the threat from cyber-attack is rising exponentially. The number of global web users in 1995 was 16 million; it is estimated that by 2015, there will be more interconnected devices on the planet than there are human beings.
As communications technologies spread and as the UK critical infrastructure networks become even more heavily based on IT networks, cyber-defence becomes an increasingly pressing security concern. There will be even more attacks. According to the Government’s own national security strategy document, the UK faces up to 1,000 cyber-attacks every hour, which is estimated to cost the UK £27 billion a year. Cyber-attacks are now a constant reality, with the Government, the private sector and private citizens all under sustained cyber-attack from both hostile states and criminals, as my hon. Friend the Member for Bridgend (Mrs Moon) articulated so well.
I have no doubt that the Government take the threat of cyber-attack seriously, although perhaps not seriously enough. The report makes it clear that Ministers have not yet put in place the infrastructure to deal with that real threat properly, or approached the problem with vigour or sufficient robustness. As the right hon. Member for North East Hampshire (Mr Arbuthnot) said, the problem is agile and many-layered—I think it has been likened to an onion, and the Opposition would agree with that.
It is not an onion, because that implies that one peels away a layer to get at it; actually, it is an attack on all institutions—every single part of our society—simultaneously. I therefore disagree with the onion analogy.
I will not be tempted to go further into vegetable analogies. I think the multi-layered approach is the one we are dealing with here.
The Government have committed £650 million over four years to the cyber-security programme, which seems like a significant sum, but only 14% of that was allocated to the Ministry of Defence, while the total investment equates to only 0.6% of the £27 billion that the UK loses through cybercrime every year. In its report, the Defence Committee questioned whether enough was being done to secure the supply chain and the industrial base. We know that supplies of armed forces’ equipment are increasingly being targeted, and are especially vulnerable to cyber-attack. In their response, the Government say they are working closely with industry on matters such as information sharing and incident reporting, but give precious little detail. The Government need to go further, and Labour is calling on them to ensure that every company working with the Ministry of Defence, regardless of its size or the scale of its work, signs up to a cyber-security charter. That will ensure that hackers cannot use the small suppliers to get into the systems of the major defence companies. As my hon. Friend the Member for Inverclyde (Mr McKenzie) said, the risks from cyber-attacks are huge and growing; we need to do everything we can to protect against them, and the MOD and its contractors should lead by example.
The Government also refer to progress on the joint cyber reserve—an initiative to involve reservists in the delivery of cyber-security—but give little detail. Will the Minister say what progress has been made in that important matter? I would particularly like to hear his thoughts on recruitment. The cyber reserves are not likely to be a traditional military outfit: the skills are entirely different. Is it essential that those reservists meet the usual fitness standards of the armed forces? A senior US officer said it was not essential that they were able to march 3 miles with a pack on their back, and I think most people would agree. It would be interesting to hear the Minister’s thoughts on the requirements for the new force and how its personnel will fit into the military model.
What is the Minister doing to attract recruits? We have heard that a lot of the top universities are running cyber programmes with top computing graduates. Is the Minister attending those events or approaching careers fairs? Is there a career path that will be attractive to young graduates—we need not only to recruit but to retain those graduates. A recent study by the Army Families Federation shows that large numbers of married Army personnel want to leave the service. That will be all the more problematic with cyber personnel, as there are many lucrative private sector jobs tempting them away. But of course many of the skills and experiences required for this are prevalent in the defence industry. What steps is the Minister taking to encourage firms involved in Government contract work—not just in the defence but throughout Government—to encourage their staff to become reservists? What responses are there from such firms?
The new joint cyber-force is described by the Secretary of State in terms of its offensive rather than defensive capabilities, enhancing our ability to strike back in cyberspace against enemies who attack us. But as my hon. Friend the Member for Merthyr Tydfil and Rhymney (Mr Havard) said, what are the rules of engagement? Land, sea and air have been the traditional theatres of war. Cyberspace is new and untested. What constitutes a cyber act of war and, equally important, what would be a proportionate response to an act of aggression? For example, if all London’s systems were knocked out by an electromagnetic pulse device, would that be an act of war? What would we do about it? As my hon. Friend the Member for Bridgend said, how would we know who did it? In short, what are the rules of engagement?
It would also be interesting to hear whether the Minister believes that the concept of deterrence applies to cyber-defence as it does to conventional defence, as perhaps those with the most ability to attack our cyber-capabilities have the least reliance on their own cyber-capabilities. What role does he envisage offensive cyber-capabilities playing in this? Do we work alone or in concert with others? The Secretary of State has made much of cyber-security being a sovereign capability but we have been working with other nations in supranational bodies for some time; for example, we are a member of the “Five Eyes” group, which includes the USA, Canada, Australia and New Zealand, and we have also been working with NATO. The report cites the important work of the NATO cyber-defence centre of excellence. Of course this is based in Estonia and was created as a direct consequence of the cyber-attacks on that country in 2007. There is excellent work undertaken there and I am glad that the Government are committed to participation in the centre, although some may doubt whether the contribution of £20,000 per annum will have much impact. But the lesson to be learned here is that we cannot afford to wait until an attack happens before we act. We have to be proactive.
Since the publication of the report, we have seen developments within the EU’s common security and defence policy. The European Council meeting on 19 and 20 December last year led to a call for the development of an EU cyber-defence policy framework in 2014. I would be interested to hear what talks have been taking place about this. Working with, and within, bodies such as the “Five Eyes”, NATO and the EU is vital, not only for intelligence sharing but for developing common rules of engagement. We must be aware of the threat and how best to counter it. That is why we need all the organisations to work together.
A further point is public trust. The public have to have trust in what we are doing to protect them and that is why accountability is so important. The USA has FISMA, the Federal Information Security Management Act, of course. What research has been done into how this might translate into our own system? We must also ask what role Parliament and the Intelligence and Security Oversight Committee should have in this new era of cyber-defence.
Currently we are accustomed to thinking of security in terms of three forces: army, navy and air force. But in many ways cyber does add a fourth strand. Just as the creation of the RAF in 1918 demanded a whole new way of thinking about defence and war, the increasing cyber threat means that we need to do some fresh thinking now. We have to think seriously about how we can combat this new threat because one thing is certain: it can only grow. Conventional borders will have less and less impact but the impact on civilians and the military will be greater and greater.
When the internet and electronic communications were first devised it was thought that they would impact only on academics in ivory towers. They have developed in ways that were never imagined then and have become an everyday part of our lives. Imagine a world without banking, power, communications systems, computers, control of our weapons. It absolutely does not bear thinking about, which is why we have to think about it and ensure that the MOD and the military are ready to take on this threat, and that they know their part, and play their part, in protecting our country and its citizens from this new and fast-evolving threat.
I am sure that the whole House will wish to join me in recognising and thanking those members of the armed forces, both regular and reserve, who have been engaged in preserving lives and protecting property in those communities across the United Kingdom that have been struck by the recent storms and floods. They have provided very good service and we are immensely proud of them.
May I also welcome the hon. Member for Makerfield (Yvonne Fovargue) to the Dispatch Box? Although she has been on the Opposition’s defence team for a while, this is the first time we have debated together directly, so I would like to welcome her to her post formally. I will do my best to answer at least some of the questions she asked in her speech.
I would also like to thank my right hon. Friend the Member for North East Hampshire (Mr Arbuthnot), the Chair of the Defence Committee, for introducing the debate so ably and the 11 right hon. and hon. Members who have taken part so constructively. I have read the Committee’s report, which was published early last year, and the Government’s response. I will seek to address some of the Committee’s concerns and report to the House on our recent progress in this important field.
It might interest Members to know that the term “cyberspace” is usually credited to the 1980s science fiction writings of William Gibson. He used it as a buzzword to describe an all-pervasive virtual realm. Although there are many interpretations, we generally use the term to mean the interdependent network of IT infrastructures and the data that move therein. Cyberspace has become an essential part of most of our lives, from communications to shopping, and from life saving to war fighting. In 2013 some 21 million households in Great Britain had an internet connection. That degree of connectivity clearly has security implications that we cannot ignore.
Although the MOD runs its own cyber-defence programme—I will say more about that later—the defence of our national cyber infrastructure begins within central Government, with the Cabinet Office playing a key role, as it does with all potential crisis management situations. All public and private sector organisations have a stake in addressing the threat, across international and domestic boundaries. To co-ordinate that effort, the Government created the Office of Cyber Security and Information Assurance within the Cabinet Office, which runs our national cyber-security programme. Alongside the Cyber Security Operations Centre, OCSIA works with other lead Government Departments and agencies, such as the MOD, the Home Office and GCHQ—the hon. Member for Cheltenham (Martin Horwood) rightly paid tribute to his constituents there and the skills they have.
The national cyber-security programme is backed up by £860 million of Government investment from 2011 to 2016. That comprises an initial £650 million allocated across Government at the time of the strategic defence and security review and an additional £210 million investment announced by my right hon. Friend the Chancellor of the Exchequer following the 2013 spending review. Moreover, given the seriousness with which we treat the cyber threat, since the Committee’s report the Minister for defence equipment, support and technology, my hon. Friend the Member for Ludlow (Mr Dunne), announced in July 2013 that, on top of the money allocated to the MOD from the national cyber-security programme, the MOD has allocated a further £70 million over the next four years from within our own budget for improving our cyber-defence capabilities.
The MOD’s key priority is to keep our own networks and systems defended and operational, so that if a crisis occurs we can continue to operate with the same efficiency and professionalism required on the battlefield. That does not mean that we cannot help in other ways, but the situation prevailing at the time will dictate how, when and if military assistance would be called upon.
A number of hon. Members asked about MOD structures, as indeed did the Committee’s report, so perhaps I can provide some clarification. Since the Committee’s report was published, the Chief of the Defence Staff has issued direction to the four-star commander of Joint Forces Command to empower him as the defence authority for cyber. On a day-to-day basis, that responsibility is delegated to the three-star Chief of Defence Intelligence in his unifying role to plan and develop cyber capability. Under CDI sits the joint forces cyber group, stood up formally in May 2013 to deliver that capability. The joint forces cyber group plans and directs the activity of the joint cyber units at Cheltenham and Corsham, including the reserves.
The senior responsible owner for the defence cyber programme is the two-star director for cyber, intelligence and information integration, currently Air Vice-Marshal Jonathan Rigby, who gave evidence to the Committee’s inquiry in 2012, and remains accountable to the Chief of Defence Intelligence for those responsibilities. I hope that that helps provide absolute clarity about the chain of command.
Our armed forces use some of the most sophisticated equipment in the world. The downside of the capability we possess is the potential exposure to emerging threats from our adversaries. We have to see those as an intrinsic part of modern military operations and put measures in place to mitigate or deal with them. The Global Operations and Security Control Centre, or GOSCC, is a key part of that protection, with its mission to ensure that we can operate and defend our networks.
I was pleased to read in the report that the GOSCC’s performance impressed the Defence Committee, which said that it should be held up as “a centre of excellence.” I agree. I visited the centre recently and was struck both by the ability of the personnel and the interplay with the embedded industry professionals whom they work alongside.
The Committee also rightly identified the importance of promoting good cyber-security practice. I fully accept that technology is only one part of the equation; we need the right people to do the right things. As cyber professionals often say, the majority of the threat that we face could be overcome by good practice on the part of our people. That point was well made by my hon. Friend the Member for Filton and Bradley Stoke (Jack Lopresti); we Front Benchers are also pleased to see him back here on good form.
At the time of the Government response to the Committee’s report, we had already recognised the need for good practice and had included a specific cyber module in our mandatory training for defence personnel. Since then, we have gone further and developed a cyber primer—an easy-to-read, unclassified book that introduces personnel to the subject of cyber, particularly in a defence context, and is provided for all defence personnel to use.
In its report, the Committee noted the importance of exploring options to develop military capabilities. Since then, the Secretary of State for Defence has announced, on 29 September 2013, that Britain will build a dedicated capability to counter-attack in cyberspace as part of our full-spectrum military capability. As we set out in the strategic defence and security review, the UK views cyberspace as a domain in which we can carry out military operations to support national objectives, as we would on land, at sea or in the air. The hon. Member for Merthyr Tydfil and Rhymney (Mr Havard) asked questions about the legality of that. I reassure him and the House that we are looking to develop a range of cyber capabilities that would be used in accordance with the well-understood laws of armed conflict and, more generally, would comply with domestic and international law. Any capability that we develop must be used legally. We are mindful of that.
The Minister is making an extremely interesting and useful speech. In the context of the offensive use of cyber, does he believe that there can be such a thing as deterrence in the cyber world? Is there a way of finding out who the enemy is and deterring them by threatening the use of cyber-warfare ourselves?
A complicating factor is that it is not always immediately apparent where an attack may have come from. Sometimes it is possible to establish that a little later, but it cannot always be done instantly. That needs to be taken into account. However, I believe that the possession of a cyber capability that allows us to strike back could act as a deterrent to potential adversaries—not only in cyberspace but potentially against more traditional threats.
A number of Members have asked about how industry fits in, including my hon. Friend the Member for Reigate (Mr Blunt) and the hon. Member for Inverclyde (Mr McKenzie). Private industry is and will remain a key partner in cyber-security. A secure supply chain is vital for the business of all public sector delivery, and that is no less the case in defence. Our armed forces depend on a wide range of equipment and services provided by industry. As part of the NCSP, the Government are working closely with industry to ensure that it is aware of the changing nature of the threat and has effective counters in place.
The hon. Member for Makerfield asked for something specific to the Ministry of Defence. I am pleased to say that in addition, in July 2013, the MOD launched the defence cyber-protection partnership. That bespoke initiative aims to meet the emerging threat to the UK defence supply chain by increasing awareness of cyber-risks among our contractors and suppliers, sharing threat intelligence, and defining risk-driven approaches to applying cyber-security standards. In short, we already have something that is designed specifically for military and defence contractors and they are entering that programme.
Technology is only one part of the equation. People are essential. We know that the number of deep specialists and experts in this field is limited, and that all organisations, both public and private, are looking to recruit from that supply. However, defence can offer an exciting opportunity for experts to put their skills to use for the nation through the formation of the joint cyber reserve. Some hon. Members asked about that, and I will provide an update.
Recruitment to the joint cyber reserve commenced in October 2013, and there has been healthy interest. I cannot tell the hon. Member for Bridgend (Mrs Moon) how many of the applicants come from the Department for Work and Pensions, but I respect her assiduous work, as ever, in collecting statistics, and I have often been on the receiving end. I assure her and the House that we have recruited the first cohort of cyber reservists, and their training will commence in the spring.
On the basis of the healthy interest so far, we believe that within the next two years the cyber reserve will be fully operational with reserve personnel recruited, trained and operating alongside their regular military and civilian colleagues in the joint cyber-units at Corsham and Cheltenham, and in the information assurance units.
I am sorry that I have had to be out of the Chamber for a long-standing engagement. Will my right hon. Friend confirm that the cyber reserve includes two long-standing squadrons that have been around for six or seven years and were part of the specialist group, the Royal Signals, and that those squadrons will go intact into the new set-up?
My hon. Friend has raised this issue with me before. He asks a specific question about two specific squadrons. I believe that what he asks is the case, but I will write to him to confirm it. The House knows that he is the world’s greatest living expert on this matter, and I do not want to be the man to give him a wrong steer.
The cyber reserve offers individuals the opportunity to be part of the proud history and ethos of our reserves while working in a cutting-edge, technological field. The hon. Member for Bridgend asked about the effect on reservists if they travel to other countries. I will look into the good point she raised, and will return to her on that.
Cyber crosses national boundaries, a point that my hon. Friend the Member for Beckenham (Bob Stewart) made clearly, and so too must our view of this new domain. It is, therefore, essential that we work with our allies to ensure that we are not only able to operate with one another, but are aware of common threats. We are already working closely on cyber with our long-standing international partners, particularly through a defence cyber-contact group that includes the US, Australia, Canada, New Zealand and ourselves—the traditional “Five Eyes” partners.
Before the Minister moves away from personnel, what lessons are being learned about recruiting regulars and reservists from the IT world? He seemed to skip over that.
This is a wonderful opportunity to recruit IT specialists from the civilian world to the reserves, but we have learned that this is a specialised area of work and we are looking at ways of extending the careers of people who work in cyber. For example, in the military, people might normally do a tour of two or three years and then move to a different position. We are looking at options for allowing people who work in this field to do longer tours of duty so that we can fully exploit the detailed expertise that they develop. We are looking at the matter carefully.
My hon. Friend the Member for Bournemouth East (Mr Ellwood) asked about NATO co-operation. The UK is proud to be part of the NATO co-operative cyber defence centre of excellence in Tallinn, and the MOD has already seconded a member of our cyber team to work there. I should tell the Chairman of the Select Committee that the Committee cannot take all the credit for that, but it can certainly take part of it. Furthermore, we have increased our co-operation with the NATO computer incident response capability based in Brussels by joining the malware information-sharing platform and the multinational cyber-defence education and training project.
I assure the House that we are taking cyber very seriously in our defence planning. We are integrating cyber scenarios into our cross-defence exercise programme and combining it with the other domains of operations as part of full-spectrum planning, alongside land, air and sea. The cyber piece is becoming integral across the spectrum of military activity.
I think I should conclude because we have another debate to come.
Cyber remains a relatively young domain. Many advances will continue to come online and change the way we live our lives. While this brings new opportunities for better understanding, collaboration and innovation, we must be alert to the risks and threats as they emerge. We are striving to do both within the Ministry of Defence. It is not a task for the fainthearted, but one we must undertake none the less. The Select Committee urged us to take these threats seriously. I hope I have been able to demonstrate to the House that we do take them very seriously, in defence of the realm.
Question deferred (Standing Order No. 54).
Department for Communities and Local Government