To ask Her Majesty’s Government what steps they are taking to protect the United Kingdom’s critical infrastructure from cyberattacks.
My Lords, ensuring that our critical national infrastructure—CNI—is secure and resilient against cyberattack is at the heart of our 2016 national cybersecurity strategy. The National Cyber Security Centre we established has improved our understanding of the threat and provided a unified source of advice and support. We have also strengthened regulatory frameworks across much of the CNI to ensure that cyber risk is managed in the national interest.
I hear what the Minister says, but I do not think he will satisfy the committee. It defined the Government’s current position as,
“long on aspiration and short on delivery”.
It says that the Government have failed to match the increasing threat with improved cyber resilience in both the public and private sectors and that it finds a lack of expertise to provide credible insurance. It would like to see a Minister appointed to ensure that there is capacity. Putting this right will require a lot more than money and good intentions. Will the Government take steps to carry out the report’s proposals?
The noble Lord will be aware that this is a substantial report published two days ago by the Joint Committee on the National Security Strategy, with 22 senior Members of both Houses. It has 10 major recommendations and the Government will want to respond to those in due course. The noble Lord quoted a little from the report and, just to add some balance, may I also quote from it? It said:
“Many of those who submitted written evidence … welcomed the step change in Government approach in the 2016 NCSS, with some describing the strategy—and the activity it underpins—as world-leading. This appears to be borne out by the notable level of international interest in the UK’s approach to cyber security”.
That gives a somewhat more balanced response than what the noble Lord quoted. There are many recommendations. One is that there should be one Minister; the committee wants what it calls a collective mind—a somewhat Orwellian concept. If we look at the building blocks of national security, we have GCHQ, which is under the Foreign Office; the Home Office, with overall responsibility for protecting the citizen if there is a cyberattack; the Ministry of Defence, which is in charge of offensive cybersecurity; and the Cabinet Office, which is in charge of CNI. It is very difficult to have a collective mind. What is important is having a collective strategy that all the Government agree to, underpinned by substantial resources and supervised by the National Security Council, chaired by the Prime Minister. That is more important than having what the committee calls a collective mind.
My Lords, in last month’s debate on cybersecurity, the noble Lord, Lord Ricketts, in an authoritative speech, mentioned that the former Attorney-General, Jeremy Wright, had made clear that existing international law, including the UN charter, covers the cyber activities of states; this was the view not just of British experts but of Chinese and Russian experts in 2015. In his reply, the Minister outlined some activities round the Commonwealth that sought to exploit this international law but was uncharacteristically undefined about which other institutions the Government are working on. Which other international institutions are the Government working with which are seeking to exploit existing international law to combat this state-sponsored cybercrime?
The noble Lord cited the noble Lord, Lord Ricketts. In that debate, he said that Britain is very fortunate to have a world-leading centre of excellence in the National Cyber Security Centre. We believe that the existing legislation is adequate. We co-operate with a range of international partners—Five Eyes and others. I hope the noble Lord will understand that the Government want to reflect on the recommendations in the report and will respond in due course, including to the legal issues that the noble Lord has just raised.
My Lords, what would be the impact of a no-deal Brexit on cybersecurity in this country?
The Government have made it absolutely clear that we want to maintain the broadest possible co-operation with our EU partners. We want to continue to share information with security institutions in the EU. We want to go on, with them, to develop cyber resilience so that we can continue to protect our collective security, values and democratic institutions. We believe that it is in their interests, as much as ours, that this should happen, irrespective of what happens to Brexit.
My Lords, the Minister will be aware that GCHQ has recently said that it can no longer guarantee the security of UK circuits that have Huawei equipment in them. How are we to take this forward now, bearing in mind that removing all Huawei gear from our systems is almost impossible, as is moving towards 5G without involving Huawei? We need a Minister in the Cabinet Office responsible for this.
The noble Lord raises an important issue: how one balances the need for inward investment and to have cutting-edge technology available without jeopardising the security of our institutions. He will know that we have a mitigation strategy to deal with Huawei, which is advised by NCSC—the National Cyber Security Centre. Our approach makes sure that, where we use equipment supplied by overseas countries, our security is not compromised. The mitigation strategy is kept under constant review.
I declare an interest as a member of the Joint Committee. Further to the noble Baroness’s question, in the event of the noble and learned Lord, Lord Mackay of Clashfern, being unsuccessful and our leaving the European Union next year, will we continue to abide by the EU network and information systems directive? If so, how will we continue to make sure that it is kept in line with the situation in Europe? Will we be part of the intelligence system associated with it?
The answer to the first question is yes. We implemented the NIS directive in May this year, one of the first countries so to do. We will continue to honour the directive after 29 March next year. On the broader question about the future relationship, I can only refer the noble Lord to what I said a few moments ago about the Government’s intention to maintain broad co-operation and that it is in the EU’s interests as much as ours that that should continue.