Lords Chamber
To ask His Majesty’s Government what assessment they have made of the recent global IT outage.
My Lords, in begging leave to ask the Question standing in my name, I refer to my interests as an adviser to Performanta and as chair of the National Preparedness Commission.
The CrowdStrike software update caused an IT outage affecting millions of devices around the world. In the UK, while government emergency and security systems remained operational, our retail, transport and healthcare sectors were disrupted. I have huge sympathy for all those affected. COBRA officials’ meetings were convened and officials from across government and the devolved Administrations met throughout to monitor impacts and recovery and to update Ministers as appropriate. UK sectors have now returned to normal operations, and the Cabinet Office will work with partners to review the lessons learned.
My Lords, I am grateful to my noble friend for that reply. It highlights the vulnerability of all the systems on which the public and the private sectors rely, and how much they depend on the software and so on. Software manufacture is largely unregulated. Can the Government look at how they can strengthen the requirements for software providers to ensure the safety and security of what they supply to the public and private sectors? At the same time, will the Government remind all operators that they should plan for failure and for when something does not work? What are their back-up arrangements in the event of their software failing?
I thank my noble friend for that question and for his huge support for me in my previous role as chair of the London Resilience Forum. Although the outage is not assessed to be a security incident or cyberattack, the issues that he raises will be covered in the cybersecurity and resilience Bill included in the King’s Speech. This will strengthen our defences and ensure that more essential digital services than ever before are protected. For example, it will look at expanding the remit of the existing regulation, putting regulators on a stronger footing and increasing the reporting requirements to build a better picture in government of cyber threats.
My Lords, among the companies most adversely affected in this country were airlines. Many thousands of passengers were hugely inconvenienced. How should they be compensated, and should CrowdStrike be held accountable?
I think we all have huge sympathy for those affected. As the noble Lord rightly says, thousands of people were affected on the day. However, compensation is a matter for the individual operators and subject to consumer rules, which would cover any entitlement to compensation or refunds.
My Lords, in the light of recent events, we are clearly talking not just about bad actors. Does the Minister agree that there needs to be a rethink about critical national infrastructure and our dependence on a few overly dominant major tech companies for cloud services and software, which are now effectively essential public utilities? Will the Government reconsider how we are wholesale replacing reliable analogue communications with digital systems without any back-up?
The noble Lord raises critical issues, a number of which will be covered by the cybersecurity and resilience Bill. I would welcome the opportunity to discuss these issues with him further.
I warmly welcome the noble Baroness to her new role and look forward to working with her on the Bill she mentioned. This serious incident affected operations not only in the UK but right around the world. It appears that the system we had set up—co-ordination, monitoring, business continuity and back-up, which we heard about from the noble Lord, Lord Harris—worked well. Does the Minister agree that this area is about defending national assets and is likely to be increasingly important as the cyber and tech threat grows? Should it not therefore be a government priority?
I thank the noble Baroness for her question and her openness and engagement with me when she was a Minister. Her passion for improving resilience was clear in how she carried out the role. This is definitely a central concern of the incoming Government, which is why we introduced the cybersecurity and resilience Bill in the King’s Speech. I look forward to discussing that further with her and other noble Lords from around the House as it progresses through the legislative process.
My Lords, as the Government continue to consider the issues arising from this serious outage, I invite my noble friend the Minister to consider seriously the reports issued by the Joint Committee on the National Security Strategy, of which I have been a member, which deal with issues such as ransomware, against which the software was designed to protect us. These issues will only become more important in the years ahead.
My noble friend raises similar points to other noble Lords; Members across the House are quite rightly concerned about this. As part of the process of developing and taking the cybersecurity and resilience Bill through this House and the other place, all learning from a range of reviews, including some of the public inquiries that have reported and are yet to report, will be key to improving our country’s resilience.
My Lords, I welcome the noble Baroness to her place and will pick up on a point made by the noble Lord, Lord Clement-Jones. The noble Baroness is right to say that millions of devices throughout the country were affected, but they were, as I understand it, all devices using the Microsoft operating system. Is it not the case that the dominance that the Microsoft operating system has achieved in this country, reinforced by cautious corporate IT managers who always recommend it, has potentially become a threat to our security? I hope the Government are able to recommend that the Competition Commission or some other competent authority should look at this, with a view to reducing the dominance of Microsoft and increasing our resilience.
I thank the noble Lord for his question, which packed a lot in. I agree that the dominance of any particular software company or IT system is a risk to resilience, as government has known for some time. But we need to look at this as a whole and—I do not want to sound like a broken record—this will be covered by the cybersecurity and resilience Bill as it proceeds through the House.
My Lords, one of the public services specifically hit was the NHS, so why are systematic back-up systems not in place in the NHS for primary care and pharmacy? Who has been asked to take this forward to ensure that such systems are in place as a matter of urgency for those who are ill?
All relevant departments will take part in the review, and I will feed back the specific points made to the Cabinet Office and colleagues in the Department of Health. Going back to the previous point about the widespread use of specific software systems, this needs to be taken seriously as we move forward with the proposed legislation.
My Lords, one area of weakness is PNT, so how will we ensure that we still have traditional navigational and time signals of the correct type to enable all our systems to work? Will we maintain a task group to work in this area to try to resolve it by next year?
I will discuss my noble friend’s point with colleagues and will write back to him as soon as possible.
My Lords, a member of my family returning to the United States in the last few days has been very inconvenienced by what occurred. I ask the Minister to adequately look at the question of redress in any legislation that we now pursue in relation to data protection generally, and to AI for that matter. It is a vital component of the GDPR. I therefore ask her to look carefully at this and make sure that adequate redress is available across all these matters.
The Government are reviewing what happened and will implement any lessons learned as a matter of urgency. We appreciate the significant inconvenience caused to those affected, but it is a matter for individual operators. The consumer rules cover specific compensation entitlement. From my view, the essential point arising from the issues caused by CrowdStrike is the need to strengthen our resilience, which is what this Government intend to do.