Lords Chamber
To ask His Majesty’s Government what assessment they have made of the outage affecting Amazon Web Services.
My Lords, I beg leave to ask a Question of which I have given private notice, and in so doing I refer to my interest in the register as chair of the National Preparedness Commission.
My Lords, the Department for Science, Innovation and Technology is leading the Government’s response to the Amazon Web Services outage that took place yesterday. DSIT continues to work across government and with businesses to understand the full impacts of the outage. All AWS services were restored yesterday evening, and DSIT is in contact with AWS to understand how such events can be mitigated in future.
My Lords, I am grateful to my noble friend for that response. I notice that he did not say whether the outage was precipitated by hostile state activity. Given the impact on UK critical services, including those run by the Government, should we have more variety in cloud producers and more sovereign capability? What additional guidance are the Government intending to give to enable the public and private sectors, as well as individuals, to prepare for such disruptions in future?
My Lords, I thank my noble friend for those questions. There is no evidence that this was caused by any malicious activity, and we have to be very careful that we do not speculate otherwise. AWS has publicly stated that the outage was initially caused by an issue with its configuration of the domain name system, or DNS, and some wider related complications. Departments independently determine which suppliers to use based on their use cases. Some cloud providers are strategic suppliers, but departments make decisions on adoption based on not only reliance but cost, capability and their staff’s expertise. We are working to diversify the UK’s cloud ecosystem and encourage greater participation by UK-based and European providers, as well as promoting innovation through our digital infrastructure and cybersecurity programmes. At the same time, the NCSC offers advice and guidance on how businesses and organisations can make themselves more cyber resilient, and this advice is also broadly applicable to digital resilience issues.
As I mentioned in Oral Questions last week, businesses should also take it upon themselves to ensure that they have sufficient cyber resilience systems in place by ensuring that their software and hardware are up to date and, if they can, seeking certification so that their systems are Cyber Essentials certified. Businesses should also be encouraged to have a business continuity plan so that, if anything happens, they have a plan in place.
My Lords, I congratulate my noble friend on his Question; I submitted exactly the same Question yesterday. Is it possible that some of the sites affected in the UK, including the GOV.UK portal, were not aware that the data was held in America rather than in the UK and that, therefore, when a problem arises as it did in East-1, or whatever it is called, on the east coast of America, they were not aware that we would be in this vulnerable position?
I thank my noble friend for that interesting point. I think most businesses, and government, know that AWS is a provider with significant market share—something like 30% of cloud services. The other providers—Microsoft Azure and Google Cloud—also provide such services. I am not sure what he means by people not being aware of AWS’s services.
My Lords, I feel that I am a member of a large club, as I too submitted an identical PNQ. I note that the whole House will have been deeply concerned by this outage. Although, indeed, it does not appear to have been caused by a cyber or other malicious attack, as the Minister has said, we have to work on the assumption that it will happen again. Can officials please urgently produce a report setting out, first, the cost to the United Kingdom of this outage; secondly, the long-term policy implications for the Government as they seek to enhance our resilience; and, thirdly, the immediate mitigations that are, I trust, being devised or implemented as we speak?
My Lords, in respect of the noble Viscount’s point about cost, this happened just yesterday so, of course, we are still working it through; it will take us some time to evaluate how much it will cost the economy. I am sure that economists will be kept very busy for some time working out the costs and the impact on productivity.
We are already taking steps to strengthen the resilience of the UK’s digital infrastructure. Through the national cyber strategy and the national resilience framework, we are working with the National Cyber Security Centre to treat major cloud service providers as part of our critical national infrastructure. This includes measures to ensure that they have robust redundancy back-up and incident response capabilities in place. At the same time, we are consulting with industry on enhanced incident reporting and transparency requirements so that the Government can be alerted immediately to any service disruption that could have national impact.
My Lords, at the very least, this should be a wake-up call for the Government. It is clear that the Government have been overdependent on two US cloud service providers, which, as the Competition and Markets Authority says, have 70% to 90% of the market, and restrictive practices impede competition. Of course, there is now a sovereign AI unit within DSIT. Will government procurement policy now change to encourage UK cloud service providers, which would then help to deliver sovereign AI? Will the Government also encourage the CMA to act rapidly, given this lack of competition?
I thank the noble Lord for those points. The Government are aware and are taking cybersecurity seriously. That is why we have published a number of strategies and are working with the National Cyber Security Centre, as I mentioned earlier. The noble Lord also mentioned procurement and the service providers. The three providers I just mentioned—Amazon Web Services, Microsoft Azure and Google Cloud—probably have something like 60% of the market share. Yes, we have other small, independent providers as well but, at the same time, procurement is dependent on government departments: on how they want to procure their services and from where. The basic point is that, going forward, we have to ensure that it is safe and resilient.
Did the outage affect His Majesty’s defence forces? If it did, what lessons will we take from that?
My Lords, the departments impacted were HMRC, the Home Office, the DVLA and the DWP. I am not aware that the Ministry of Defence was impacted, but I will write to the noble Lord if it was.
Unfortunately, as Health Minister I saw at first hand instances of lack of resilience in the health systems, not just in the NHS but among a lot of its suppliers. Many noble Lords will recall the cyberattacks on the blood testing services in summer 2024. I did not quite hear in the noble Lord’s response to the question from the noble Viscount, Lord Camrose, that we will make sure we can really understand the costs and the lessons learned from all this. Given the nature of these sorts of incidents, is the Minister willing to do this?
I thank the noble Lord for reminding me. Yes, of course we have learned from what happened last year with CrowdStrike. As we know, in July 2024 the Government committed to a review of the lessons learned from the CrowdStrike incident, which was co-drafted between DSIT and the Cabinet Office. The Government have made a number of changes since that incident, including announcing a forthcoming cybersecurity and resilience Bill and bringing the Government Digital Service, including the newly formed government cyber unit, into DSIT as part of the digital centre of government.
My Lords, if such an act was proven to be carried out by another state, would that amount to an act of war?
My Lords, as I said earlier, we have to be very careful that we do not speculate. AWS reported that this was not a cybersecurity incident but very much a technical incident to do with DNS.
My Lords, the outage that occurred yesterday was obviously very serious, and let us hope that it was not a foreign actor intervening. However, the assumption that underpinned the way it was responded to was that it would be fixed, and fixed quickly. But we know that these kinds of attacks recently have not been fixed quickly and sometimes it has been necessary for organisations to use pretty basic skills, even going back to pen and paper. Can the noble Lord tell the House whether he feels that in general those very fundamental skills, which need to underpin people’s understanding of advanced technologies, are still there and can be reverted to if necessary in a crisis?
I thank my noble friend for that point. The Government are obviously aware that we need to give guidance to businesses as well as to people working within government. The NCSC has published a lot of guidance and toolkits, and I encourage my noble friend to look at its website and at all the various guidance and toolkits available to individuals, schools, businesses and other stakeholders.
I think the Minister can hear that everybody is rather concerned about this development and the related developments on things such as mobile. I wonder whether it is time for a debate in this House on this and on cyber in advance of the Bill, which is most welcome.
I thank the noble Baroness for that. As for a debate, I leave it to Members of the House to table it accordingly. I would welcome a debate to look at this in further detail. As far as the Bill is concerned, we have been working on it for some time, as most noble Lords know. The Bill itself will ensure that the UK economy and information systems relied on by most important digital services and suppliers are better protected. As a result, businesses and public services that rely on them will also benefit. The Bill will include powers for the Secretary of State to update the security requirements that companies in scope of the regime must have in place to protect their systems from any further disruption, whether because of a cyberattack or for other reasons, even simple things such as human error, system outage or physical damage.
My Lords, if it is not hostile activity, is that not possibly slightly more concerning in that we are putting our faith in these very large companies and the amount that they can invest because they are secure and less likely to fall over? The noble Lord has just talked about the cybersecurity and resilience Bill. Can he tell us when it will come forward? Will its provisions apply more generally—broader than the critical national infrastructure—to all the key suppliers, some of which will not be at the level of critical national infrastructure, and require that they invest more in their resilience and their cyber capacity?
I refer my noble friend to what I said in last week’s Oral Question. I hope the Bill will be published very soon, before the end of the year. At this stage I cannot go into too much detail as to what is in the Bill, but I hope to soon be able to share the Bill itself with noble Lords.
My Lords, I noticed yesterday that the Amazon share price did not move at all as a result of this incident. Is it the Government and us as consumers who are meeting the cost of this, and is that unacceptable?
The noble Earl poses an interesting point. At the end of the day, businesses have to take upon themselves their responsibilities towards future cyberattacks and whether, as I said, their infrastructure and digital framework are secured from any such attacks. I am a firm believer in that. Before I came to this House, when I was running various businesses, the first thing I did was ensure that we had a comprehensive risk assessment as to whether our system might be attacked. We also ensured that our website and software source codes were lodged with an escrow account to protect them further, so that if anything happened we could get access to those source codes. I urge businesses to ensure that their systems are compliant with the latest security patches and, if possible, to get Cyber Essentials certified so that they can have confidence that their systems are protected from any such attacks.