Baroness McIntosh of Pickering
To ask His Majesty’s Government what is the role of the National Cyber Security Centre in monitoring and preventing cyber attacks.
The Minister of State, Foreign, Commonwealth and Development Office (Lord Ahmad of Wimbledon) (Con)
My Lords, the NCSC, as the UK’s technical authority, is the UK Government’s authoritative voice on the cyber threat, providing independent assessments and improving cybersecurity across the United Kingdom. The NCSC provides protection at scale and drives improvements to resilience and security to mitigate threats from our adversaries and reduce cyber harms in the UK. Through tailored expertise to protect citizens, businesses and organisations, the NCSC works to make the UK the safest place to live and work online.
Baroness McIntosh of Pickering (Con)
My Lords, I am grateful to my noble friend for that Answer, and for the White Paper that the centre has produced. What advice would my noble friend and the Government give to a firm in North Yorkshire that underwent a cyberattack a year ago and had its systems restored only by the payment of a rather large ransom in cryptocurrency? The White Paper focuses on prevention but, in the midst of an attack, what can a company possibly do other than pay the ransom?
Lord Ahmad of Wimbledon (Con)
My Lords, my noble friend raises a couple of important points. First, on ransom demands, as she will be aware, it is the firm position of the Government and UK law enforcement that we do not encourage, endorse or indeed condone the payment of ransom demands. For example, if you pay a ransom after your computer has been affected or your systems have been impacted, there is no guarantee that you will not be targeted in the future by criminal groups. In that regard, Lindy Cameron, the CEO of the NCSC, and the Information Commissioner have written to the Law Society and the Bar Council.
However, the Government offer specific support, including to small businesses. There are the 10 Steps to Cyber Security and the Small Business Guide; there is also a ransomware portal that provides fresh advice, as well as the NCSC’s assured cyber incident response scheme. It is ever evolving, but the Government are very robust, and we are working across departments to ensure that we give the best information and response possible.
Lord Harris of Haringey (Lab)
My Lords, of course, I refer to my interests in the register. I suspect that the excellent schemes that the Minister has outlined are very useful but that they do not address the question that the noble Baroness, Lady McIntosh, asked. If a company or organisation is subjected to a ransomware attack, can it get tailored help as to what to do in real time from the NCSC, and how do people know how to access that?
Lord Ahmad of Wimbledon (Con)
My Lords, if the noble Lord reflects on the answer that I gave, he will see that I answered the question quite directly. The first point is, “Don’t pay”, because the experience is that there is no assurance. Of course, a small company will have limited resources, and some of the portals, information and websites, as well as the response that I have outlined, are designed to help exactly those kinds of small businesses in their response. However, one thing is very clear, whether it is within my department or the Home Office: that by paying such demands there is no assurance, for a small or a large company, that a ransom attack will not happen again.
Baroness Stuart of Edgbaston (CB)
I declare an interest as the chair of Wilton Park, an executive agency of the Foreign and Commonwealth Office. Small organisations, while they are not completely part of government, nevertheless provide some back-door entrance to government by some people with malign intent, and they carry quite disproportionate costs to ensure their cybersecurity. Have the Government given any thought to how they could support ALBs and executive agencies across government more comprehensively?
Lord Ahmad of Wimbledon (Con)
My Lords, I recognise the vital insights of the noble Baroness. In working across government, we also work to ensure that government systems, structures, departments and agencies are fully protected. As I said in my Answer, this is an ever-evolving and ever-challenging threat—what is good today needs to be adapted for tomorrow’s threats. Where specific issues arise, be they for small businesses or for agencies, we seek to provide the necessary focused support.
Lord Purvis of Tweed (LD)
My Lords, I have visited the centre and greatly admire the work of the whole team. The public and the private sector should adhere to its advice. The Government have consulted on prohibiting payments to ransomware. The Minister and I well know that the source of many such attacks is Russia and, currently, Iran. Does it not sit ill that businesses are only being told not to pay ransomware, rather than having a legal prohibition, when that money will end up in Tehran or Moscow?
Lord Ahmad of Wimbledon (Con)
My Lords, the noble Lord is quite correct and we have often discussed these issues and challenges. The mitigations we have put in and the advice we provide are all part of an overall package but, as I am sure he will agree, the challenge is that we also need sharp-end sanctions against these states. As I know from my experience at the Foreign Office over the last few years, we never used to call out or challenge state actors for cyberattacks. We now do so. The two countries the noble Lord named—Russia and Iran—are very much part of our focus. I am sure he will acknowledge that we have imposed cyber sanctions on Russia.
Baroness Smith of Basildon (Lab)
My Lords, to take the Minister back to prevention, he will be aware of the increase in the number of ransomware issues—the incoming Costa Rican Government last year and the Irish healthcare system the year before were both hit by ransomware attacks. Can he tell the House more about what we are learning through international co-operation? Prevention is obviously better than having to deal with a significant problem afterwards, so I hope that we are learning something from other countries that have had to deal with this and that we can extend that to public bodies and private organisations.
Lord Ahmad of Wimbledon (Con)
I totally agree with the noble Baroness and assure her that we work very closely with our key international partners in calling out some of these cyberattacks against companies or even government websites and systems. We seek to act together and have done so. She will be aware that at the beginning of next month we will host an AI summit, which the Prime Minister is overseeing, very much aimed at exactly what she articulates—how we can learn from each other while improving our responses. I always say that, for cyber and many of the other challenges we face, as good as mitigations or mechanisms may be, those who seek to cause us harm—be it to business or directly to the Government—are looking at new ways to overcome them, so we will continue to share and co-operate with our key partners and allies on this.
Lord Clement-Jones (LD)
My Lords, a few weeks ago, the National Cyber Security Centre issued a warning about the risks of “prompt injection attacks” on the new large language models such as ChatGPT when used in the workplace, which enable them to be open to manipulation. What are the Government doing to ensure that they mitigate that risk in their own workplaces?
Lord Ahmad of Wimbledon (Con)
My Lords, as I have said, we are working across government and internationally. I think we all recognise the catch-up element with the evolution of these new methods. There are transformational elements with new innovations—that is why I referred to the AI summit, which is intended not just to avail us with the opportunities these new technologies present, as the noble Lord articulated, but to address the challenge and high risk presented to government, industry, sectors and individuals.
Noble Lords may recall the sad occasion when this very Parliament was attacked physically. I remember the emotional exchanges and statements made at the time, including by my noble friend Lady Evans. There was another attack at that time, on the parliamentary emails of many Members of this House and the other place. The knowledge base available for mitigation was limited, as was awareness. I think most Members and colleagues were concerned about getting their machines and devices up and working rather than about the data loss. The more learning, education and information we can share, the better we will be at mitigating some of these risks.
Lord McLoughlin (Con)
My Lords, a company which is the subject of a cyberattack may not wish to be publicly identified, but they may have suffered severe financial problems. How is HMRC taking this into account and giving those companies some breathing time to put right what may have happened to them? It is all very well saying it in one section, but is there a cross-government approach to this issue?
Lord Ahmad of Wimbledon (Con)
My Lords, I assure my noble friend that we do have a cross-government approach to this. He raises a very important point about both risk and the cost associated with cyberattacks, and we are very much seized of this. I have already outlined specific schemes and support. It is very important that we share this, however, so in the interests of full information, I will write to my noble friend and put on record in the Library the number of schemes that are available for information sharing and the support that can be offered to those impacted.