Cyber Threats

(Limited Text - Ministerial Extracts only)

Read Full debate
Thursday 18th October 2018

(6 years, 1 month ago)

Lords Chamber
Read Hansard Text
Lord Young of Cookham Portrait Lord Young of Cookham (Con)
- Hansard - - - Excerpts

My Lords, this has been an excellent debate and I thank all the speakers who have brought a wide range and depth of experience and expertise to it, not least the mover, the noble Viscount, Lord Waverley, who made a thoughtful introduction and crammed 15 helpful suggestions into three minutes at the end of his speech. A number of themes ran through the debate, in particular the need for partnership. I hope I have not misunderstood the tone of the debate when I say there has been no fundamental disagreement about the thrust of government policy, but some severe warnings and some very helpful suggestions about how we might do better. Some of them were on a highly technical front, and some were based on broad common sense.

I say to the noble Viscount that this is a very timely debate, following the second anniversary of the National Cyber Security Centre and the publication of its 2018 annual review this week, which was launched by the Chancellor of the Duchy of Lancaster, the director of GCHQ and the CEO of the NCSC. It is one of the best annual reports I have seen as a Minister, although I have not risen to the challenge on the last page,

“Can you find the secret codeword?”


As this debate has made clear, protecting the British people, the systems that we rely upon and our very democracy itself is a central responsibility of government. As our digitally connected world has rapidly expanded, so too has the scale of vulnerabilities and the frequency of attacks that we face—a point well made by my noble friend Lord Lucas. It is for this reason that cybersecurity remains a top priority for the Government, because it impacts on our national security and our economic prosperity. I was impressed by what the noble Lord, Lord St John of Bletso, said when he outlined the cost to the economy of lax cybersecurity.

We recognised the need for a comprehensive and active response when we launched the National Cyber Security Strategy in 2016, where we defined a cyberattack—this is in response to the request from the noble Viscount, Lord Waverley, for a definition —as a,

“deliberate exploitation of computer systems, digitally-dependent enterprises and networks to cause harm”.

We set out ambitious proposals to defend our people, deter our adversaries and develop the capabilities we need to ensure that the UK remains the safest place to live and do business online. Those proposals will be supported by £1.9 billion of investment over five years, which was mentioned by many noble Lords, to drive transformation. The noble Lord, Lord Kennedy, asked whether I thought that that was enough. He will know that there is a spending review for 2020 onwards, and I am sure that the concerns expressed in this debate will be taken on board as colleagues move to a decision on future spending patterns.

One of the most visible elements of the strategy was the formation of the National Cyber Security Centre to bring together our very best intelligence and technical expertise in a world-leading authority—the noble Lord, Lord Ricketts, described it very aptly—that will be our single centre of excellence to innovate and create, to work in partnership with industry to block attacks on a scale of tens of millions per month, which was mentioned by several noble Lords, and to blend behavioural science with technical expertise to provide the best advice and guidance for people and organisations to protect themselves.

On our response when attacks get through, the NCSC brings everyone together to reduce the harm from significant incidents, whether that is an attack on Parliament, which was referred to by my noble friend Lord Borwick, or disruption to health services. On the attack on Parliament, I understand that it is unlikely to recur. I have had a note from the chief technology and security officer in Parliament that says that the correct people now get the required detail from Parliament’s Apple account manager to make sure that such a delay does not happen again. Our response is calibrated by the severity of the attack, and the National Security Council will consider the full range of security, diplomatic and economic tools at our disposal.

How we set up the National Cyber Security Centre reflects the single, clear message that underpins our strategy, which has been echoed throughout this debate, that we need not a whole of government approach but a whole of society approach, as the noble Lord, Lord Ricketts, described it. The noble Viscount, Lord Waverley, asked how we are delivering it. The national strategy binds all of government into delivering a set of cross-cutting objectives which require a collective response that reaches out to the private sector and beyond—and, indeed, to other countries, because while we can lead the way, we know that we cannot solve these problems alone. This point was made by nearly every noble Lord who took part in this debate.

On the key subject of skills, which was raised by the noble Viscount, Lord Waverley, and the noble Lords, Lord Ricketts and Lord St John of Bletso, we are already developing a pipeline of talent and inspiring and developing cybersecurity experts and entrepreneurs, whether through our programmes in schools and universities, our work with industry to figure out the best way to retrain career changers with aptitude and ambition and by promoting cyberapprentices. On the specific recommendations of the Joint Committee on the National Security Strategy—a question raised by the noble Viscount—the Government have recently submitted their response and we look forward to its publication.

We also are building on our world-class universities and ground-breaking research to establish a pipeline of cutting-edge cybersecurity companies with a range of interventions to incubate and accelerate and to support our innovative companies to export overseas, turning many great ideas into global businesses. This in turn will help other countries to become more secure and will boost the UK cybersecurity industry, which is now generating more than £5 billion for the economy.

Lord Fox Portrait Lord Fox
- Hansard - - - Excerpts

Before the Minister moves on from skills, I asked whether the right ministry was carrying accountability for skills at a national level. All the examples he gave referred to ministries other than the department that has it.

Lord Young of Cookham Portrait Lord Young of Cookham
- Hansard - - - Excerpts

I was referring to the responsibilities of the Department for Education. The relevant Minister is sitting at my side and will have heard that. We will write to the noble Lord, giving a more detailed reply on the role of that department, if that is what he wants.

The Government actively manage potential risks to UK infrastructure—a point on CNI raised by the noble Lord, Lord Fox. This includes risks related to foreign equipment used in our telecoms industry. This important issue was raised by the noble Lord, Lord West, who expressed concerns about our telecoms structures. I want to make it clear that the Government have not banned ZTE. The NCSC has raised its concerns about the ability to manage the risk of having more Chinese-supplied equipment on UK infrastructure undermining existing mitigations, including those around Huawei. The noble Lord is right that we cannot ban our way out of this, but I can confirm that the Department for Digital, Culture, Media and Sport, with the NCSC, is leading the review into the security and resilience of our telecoms supply chain.

Lord West of Spithead Portrait Lord West of Spithead
- Hansard - - - Excerpts

Has this been debated at Cabinet level? Bearing in mind that it has an impact on so many departments, it really needs to be looked at in the round, so I would be grateful for an answer.

Lord Young of Cookham Portrait Lord Young of Cookham
- Hansard - - - Excerpts

I am sure the noble Lord would be grateful for an answer, but I do not have one. I do not know whether it has been debated in Cabinet or in a Cabinet sub-committee. However, within the constraints of what happens within the machinery of government, which the noble Lord will be familiar with, I will see whether I can shed some light on the important issue he has raised.

The noble Lord also raised the issue of Chinese investment that meets stringent legal and regulatory standards. At the heart of this is the recognition that we need confidence in our ability to get the right balance between security in our critical infrastructure and the growth, productivity and inward investment opportunities. The findings of the review will report to the Prime Minister and the National Security Adviser. It is right that in the face of these shared threats the UK works alongside its international partners and allies to expose, confront and disrupt hostile or malicious activity.

Lord West of Spithead Portrait Lord West of Spithead
- Hansard - - - Excerpts

Is the Minister concerned about H1K and the fact that CCTV will now have sound and that when it is 5G enabled every one of those things will be able to take down data and pass it on? Where do we stand on this?

Lord Young of Cookham Portrait Lord Young of Cookham
- Hansard - - - Excerpts

When we discussed this yesterday, the noble Lord was concerned about the installation within the Palace of Westminster of this capacity, which could indeed read stuff that was on my desk. I think this is primarily a matter for the authorities within the parliamentary estate. I will share with them the noble Lord’s concerns and get a considered reply, possibly from the noble Lord, Lord McFall.

It is right that in the face of these shared threats the UK works alongside its international partners and allies to confront, expose and disrupt hostile or malicious activity. Noble Lords will have seen recently our attribution of a range of indiscriminate and reckless cyberattacks to the work of Russian military intelligence, and 21 other countries stood with us to call this out. That builds upon a host of cyberattacks that we and our international partners have attributed to North Korean actors, including the WannaCry incident, one of the most substantial to hit the UK in terms of scale and disruption.

We are absolutely clear that we must work together to show that states attempting to undermine the international rules-based system cannot act with impunity. The Foreign Secretary pressed this point with his counterparts at the Foreign Affairs Council earlier this week, and the Prime Minister is today encouraging the European Council to accelerate work to strengthen the EU response to malicious cyber activities, including a new regime of restrictive measures.

When necessary, we will defend ourselves. We are continuing to develop our offensive cyber capabilities as part of the toolkit that we use to deter our adversaries and deny them opportunities to attack us both in cyberspace and in the physical sphere. My noble friend Lord Borwick referred to this. If he looks at page 51 of the National Cyber Security Strategy 2016 to 2021, I hope he will be reassured by what we say about enhancing sovereign capabilities and offensive cyber, ensuring that we have at our disposal,

“appropriate offensive cyber capabilities that can be deployed at a time and place of our choosing, for both deterrence and operational purposes, in accordance with national and international law.”.

It is also vital that we continue to reaffirm our shared vision for an open, peaceful and secure digital world based on the rule of law and norms of behaviour. The noble Lord, Lord Ricketts, was right to refer to the speech by the previous Attorney-General saying that international law applied to cyberspace. It seems to me that if a foreign state were to drop a bomb on our airports we would have a right to reply, and likewise if our airports are immobilised through cyber we should equally have such a right, though of course that should be proportionate and legal. We do not concede ground to those who believe that existing international law does not apply, or who seek to impose controls through international fora as a means of restricting basic human rights.

Our work with international partners goes beyond joint operations and influencing. For example, the noble Viscount, Lord Waverley, asked about the work that we are doing with the Commonwealth. We have been scoping and piloting projects to date, but we are now accelerating delivery and expect to have spent £2.3 million by the end of this financial year. Much of this is in partnership with the private sector—for example, we are working with Citibank, an American bank, to build resilience in the Commonwealth finance sector.

I did not think we would get through the debate without Brexit being raised by the noble Lords, Lord Fox and Lord St John of Bletso. The cyber threat that the UK and its European allies face from state actors and cybercriminals remains significant and, as the noble Lord, Lord Kennedy, says, it knows no international boundaries. That is why the UK is seeking to maintain the broadest possible co-operation with our EU partners so that we can continue to share information with EU security institutions, deepen industrial collaboration and work together to develop cyber resilience in support of our collective security, values and democratic processes. Continued co-operation with the EU is not only in our interest; it is firmly in the interest of the EU as we look to respond to hostile state and non-state actors in cyberspace.

At this halfway point in the delivery of our national cyber security strategy, we have put in place many of the building blocks to transform the UK’s cybersecurity and resilience, already demonstrating results. However, we can never become complacent. Just as the threat from cyber criminals and nation states continues to evolve, so too must we continue to innovate and respond at scale and pace. We are therefore stepping up our protection of government systems, from the NCSC’s excellent active cyber defence measures to models adapted from those used by the finance sector to test the security of public services.

On the subject of defence, the noble Lord, Lord Browne, a previous Secretary of State, raised some important issues about the security of our defence systems. We have well-established processes in place to address cybersecurity and the protection of our weapons systems. We are continuing to invest—for example, through our £265 million programme of cyber vulnerability investigations for military equipment. On the specifics of responding to the report published in the US, I will happily write to the noble Lord. To allay his concerns on the UK’s use of equipment supplied by the United States, I refer him to the details of the NCSC’s support of the MoD’s Modernising Defence programme in its recent annual review, where examples include stringent testing of the new F35B fighter planes.

Lord West of Spithead Portrait Lord West of Spithead
- Hansard - - - Excerpts

My Lords, I am sorry to ask the Minister to give way again. I do not always share the views of my noble friend Lord Browne on some of these issues, but on the Dreadnought programme, which is crucial, could the Minister maybe go back to the Secretary of State for Defence and say, “There really is a need for red-teaming regarding the threat of cyber to the Dreadnought programme, as it is in-build”?

Lord Young of Cookham Portrait Lord Young of Cookham
- Hansard - - - Excerpts

I take very seriously such a warning coming from the noble Lord. I will share of course his concerns with my right honourable friend the Secretary of State for Defence and get him to write to him.

While it is difficult to avoid headlines about attacks and breaches, doing something about it is still often seen as too technical, too difficult or someone else’s problem. However, one of the themes that has emerged from our debate is that cybersecurity is everyone’s responsibility. We consider it vital that all organisations embrace and embed cybersecurity, from the boardroom down. That is why we have targeted efforts at driving long-term change, starting with helping boards to better understand the risks they face and to invest appropriately. This year’s cybersecurity breaches survey revealed that only 30% of businesses have a board member with responsibility for cybersecurity, and that is not good enough. We must ensure that boardrooms provide active leadership to ensure that cybersecurity is ingrained into organisational cultures and mindsets—a point well made by the noble Lord, Lord St John of Bletso, who also drew attention to the substantial fines that companies are now exposed to under GDPR if they do not comply with the new legislation. As the noble Lord, Lord Fox, highlighted, understanding exactly how secure data and systems are in complex organisations has never been more important.

I am conscious that I am not going to be able to get through all the points that have been raised within the allocated 20 minutes, so I will write to noble Lords to deal with the issues that I have not been able to address today. In conclusion, I hope I have been able to demonstrate not just that we understand the scale of the challenge that we face but that we are seeking to create the environment for everyone to be at their most collaborative and agile to respond, a point well made by the noble Earl, Lord Erroll. As we face new challenges in the year ahead, we need to ensure that we remain focused on reaching across organisational, political and geographical boundaries. As we face those challenges, I will ensure that we take on board the valuable suggestions that noble Lords have made in today’s debate so that we can continue to protect the economic and individual freedoms that make us stronger together.