Improving Cyber Resilience
The Lord Bishop of St Albans
To ask His Majesty’s Government what steps they are taking to improve the cyber resilience of UK businesses, organisations and government systems.
Baroness in Waiting/Government Whip (Baroness Anderson of Stoke-on-Trent) (Lab)
Did noble Lords miss me? The cyber threat to the UK is significant and growing; recent attacks on retailers and the Legal Aid Agency are just the latest examples of this. This Government are introducing the cyber security and resilience Bill to ensure that critical infrastructure and the digital services that UK citizens and businesses rely on are secure. We are also working tirelessly to improve the cyber resilience of government systems and are providing more support and services from the centre, such as the Government Cyber Coordination Centre, which brings together cyber defenders to share data and respond more effectively to cyber threats, vulnerabilities and incidents.
The Lord Bishop of St Albans
My Lords, the recent CYBERUK conference reported that the number of cyberattacks had doubled in the past year. This is costing tens—indeed, hundreds—of millions of pounds to businesses and is making people very nervous about their personal data. It is having a huge effect right across society. I welcome the fact that a new Bill is coming in, but we cannot wait for that. What is the National Cyber Security Centre doing now to review its strategies to proactively get businesses to sign up? Not many—a relatively small number—have signed up. Does it have sufficient staff to deal with this growing problem?
Baroness Anderson of Stoke-on-Trent (Lab)
The right reverend Prelate makes a timely and important intervention, given recent events. Our online and offline worlds are merging, and there is no clear differential any more. This is a different frontier in that crime. This is an evolving and increasingly sophisticated threat, and we need to make sure that we are ahead of it. Candidly, as the NAO report earlier this year said, government cybersecurity practices are not yet where they need to be—but we are investing. Because of the report, the Chancellor of the Duchy of Lancaster has been clear that we will bring forward a new cybersecurity strategy this year, and the NCSC is making sure that all resources are available. I urge all noble Lords to look at its website and specifically at what tools are available through the Cyber Essentials system. Companies that sign up for Cyber Essentials controls are 80% less likely to make a claim on cyber insurance than those without certification.
Lord Holmes of Richmond (Con)
My Lords, I declare my technology interests as set out in the register. Can the Minister confirm whether the Government have any plans to update the Computer Misuse Act, mainly to protect our cybersecurity professionals and researchers, who do so much to keep us all safe? The Act is over 35 years old. Will the Government take the opportunity of the cyber security and resilience Bill to insert clauses to this effect?
Baroness Anderson of Stoke-on-Trent (Lab)
My Lords, when parliamentary time allows, there will be a cyber security and resilience Bill, and I am sure that, at that opportunity, we will discuss this in detail. I look forward to doing so with the noble Lord.
Lord Harris of Haringey (Lab)
My Lords, I refer to my interest in the register as chair of the National Preparedness Commission. Like the noble Baroness, Lady Foster, I congratulate my noble friend on her ubiquity in terms of policy today. There has been a sequence of very bad cyberattacks and, although I am sure that Marks & Spencer, the Co-op and so on address very carefully their cybersecurity expectations, it is very difficult for any organisation to withstand what may be a state-inspired, state-sponsored or state-supported attack—I do not know, and I am sure the Minister will not be able to comment on, whether these were such cases. Therefore, is it not important that the National Cyber Security Centre provides enough guidance and encouragement to support businesses in recovering after they have been hacked, providing them with, if you like, a plan B for recovering and dealing with the consequences of a successful attack?
Baroness Anderson of Stoke-on-Trent (Lab)
I thank my noble friend for the question. He is absolutely right: there is a clear role here for the National Cyber Security Centre, both during an attack and afterwards, as it works with experts. My noble friend is right that I cannot comment on the details of the current attacks. I reassure noble Lords that the NCSC has a sector-specific trust group, where 60 CEOs from the retail sector have come together, both during the attack and afterwards, to make sure that best practice and information are shared in real time, so that other retail organisations can make sure that they are not subject to similar attacks.
Lord Wallace of Saltaire (LD)
My Lords, the Minister will be aware of the NAO report in January on government systems, which says that
“departments have significant gaps in their system controls that are fundamental to their cyber resilience. The resilience of the hundreds of ageing legacy IT systems that departments still use is likely to be worse”.
Accepting that the Government have inherited a legacy of years of underinvestment in Whitehall IT, and that the cost of successful cyberattacks is very high, does it not make sense to raise the level of investment in replacing some of these legacy systems as rapidly as possible?
Baroness Anderson of Stoke-on-Trent (Lab)
The noble Lord raises an important point. The NAO report was clear in its criticisms of our structures, and we accept every recommendation of the report. We are working our way through them, which is why we will be bringing forward a government cybersecurity strategy this year—building on the work of the previous Government—to make sure that we are fit for purpose. On the updating of IT, I have just lived through the updating of the printer system in the Cabinet Office. I would suggest that we take a bit of time with the next one.
Baroness Finn (Con)
My Lords, in November last year, media reports confirmed that the GOV.UK One Login service had been adopted by 50 government services, and that was expected to reach 100 within the year. However, Computer Weekly has since reported on serious cybersecurity vulnerabilities. Given that One Login processes biometric data from millions of citizens, why have the Government refused to publish their data protection impact assessment, and can the Minister confirm whether the rollout will continue on that timescale?
Baroness Anderson of Stoke-on-Trent (Lab)
The noble Baroness raises a series of important questions. Given the detail of them, I will write to her, and make sure that I speak to relevant officials, so that she gets the answers that she seeks. On One Login, over 5 million people are currently using it to prove their identity, and the ID Check app has over 6.5 million downloads, and a 4.7 rating on all app stores. If there are questions to answer, I will make sure that we get her the answers.
Baroness Wheatcroft (CB)
My Lords, can the Minister tell the House the government advice to companies facing not just a cyberattack but a ransom demand; whether that advice tallies with the advice and, indeed, instructions from their insurers; and how much money companies have paid out in ransom demands so far?
Baroness Anderson of Stoke-on-Trent (Lab)
My Lords, the threat of ransomware and ransoms are clearly appalling crimes undertaken by cybercriminals. The Home Office—and I can speak only for the public service and Government—has concluded a consultation on world-leading proposals to strike at the heart of the ransomware business model, cutting off criminals’ funding and protecting UK business by deterring threats.
The position of the Government is that public funds will not be used to pay ransom demands made by cybercriminals. This is, however, an important issue, which is why last year the National Crime Agency led a global collaboration to disrupt one of the most dangerous cybercrime networks in the world. In February, the UK sanctioned six Russian individuals for facilitating crippling ransomware attacks. This is at the frontier of the cyber threat, and from the Government’s perspective, we highly recommend that people do not pay ransoms; there is no guarantee that their data has not already been sold on.
Baroness Blackwood of North Oxford (Con)
My Lords, when Richard Horne spoke at the CYBERUK conference this month, he stated that Britain has suffered double the number of serious cyberattacks in recent months compared with the same period last year. Nevertheless, only 35,000 SMEs have been issued with Cyber Essentials certificates in the last year. Can the Minister say what steps are being taken to increase uptake? Without it, SMEs will be critically vulnerable.
Baroness Anderson of Stoke-on-Trent (Lab)
The noble Baroness gives me the opportunity to promote Stop! Think Fraud, an active campaign that promotes the work of the NCSC and directly targets organisations. The next iteration of its campaign is to target SMEs and micro-businesses, to make sure that they are aware of the tools that are available to them.