Baroness Smith of Newnham
Main Page: Baroness Smith of Newnham (Liberal Democrat - Life peer)(6 months, 3 weeks ago)
Lords Chamber
My Lords, I thank the Government for the opportunity to discuss this Statement again today and the noble Lord for repeating it. He will know that on these matters we are united with the Government. We cannot and must not stand for any such attacks. With the number and level of such threats increasing, we have to do all we can to make our country secure at home and strong abroad, so the news of this grave security and data breach is of real concern to us all. It is particularly alarming given that this is yet another example of an MoD data breach. It is particularly concerning as it involves our Armed Forces personnel past and present.
In the last five years, there has been a threefold increase in MoD data breaches, with 35 separate breaches reported to the Information Commissioner’s Office. Such threats—from state activity and other malign actors—are increasing across government, including attacks on prime contractors and subcontractors, as in this shocking case. Do they not present a soft underbelly to our national security?
Can the noble Lord explain when this breach took place? When did Ministers become aware of it? Reports say that these attacks took place weeks ago, but that Ministers were informed only days ago. Is that the case, or are the reports simply wrong? In these instances, who is responsible for alerting whom, how quickly, and when? Who monitors these contracts? Why did it take this appalling incident to alert officials, as the Defence Secretary said in the other place, to the potential failings of the company now named SSCL? What other potential problems are there? What other government departmental contracts are run by SSCL—or indeed by others—which could also be impacted by this breach? This itself would represent a very real threat to national security. Does any review being undertaken by the Government include all these other prime contracts and subcontracts, stretching across government?
The noble Lord and the Government say that this constraint is now offline, but I am unclear on some of the facts. Can the Minister confirm that all salaries and expenses will be paid by this Friday? Can he confirm how many service personnel, past and present, have been or may have been affected by this breach? In the other place, a figure of up to 272,000 was mentioned. How near to that figure will it be? The Government were unclear about that. What is the Government’s latest estimate of the number of Armed Forces personnel, past and present, who will be affected?
The Minister in the other place went to great lengths to say that a malign actor was responsible for the breach, but he would go no further. Why not? Can the noble Lord explain how it was briefed all over the media that sources believed it was China? Of course, evidence is needed to confirm that, but how did that occur? Has the noble Lord anything further to say about that? When will he be in a position to update us on the outcome of the Government’s own inquiries? Can he also explain how this data breach appeared in the media—presumably through a leak—meaning that Armed Forces personnel found out what had happened through the media, rather than in the proper way? How did all this happen?
This is exceptionally serious. In addition to reassuring our Armed Forces personnel, who, frankly, deserve better, our country, too, needs reassurance. The MoD, the guardian of the nation, is threatened, along with others, and its defences appear to have been breached. Time and again, we also see security undermined in other areas of government. We all hope that the eight-point plan will reassure our personnel, and their welfare must be our top priority. The Government have been warned time and again—not least by recent reports from the Intelligence and Security Committee, for example—about threats from China and others. Why have the Government not taken more urgent action? They need to adopt a more cross-cutting, far-reaching, urgent approach to cybersecurity. We all support the security of our country. We all want our country to be safe. Does this further example of a cyberattack not represent yet another wake-up call to the Government?
My Lords, I agree with the noble Lord, Lord Coaker, that His Majesty’s Government have many questions to answer. I thank the Minister for taking the hospital pass and repeating the Statement to the House this afternoon.
The wording of the Statement is interesting. The Ministry of Defence has identified indications that a malign actor gained access. Did it identify these indications only after the leak to the media, or was it aware of this and trying to deal with matters behind the scenes? It would be helpful to understand whether the MoD has a handle on the data breach.
As the noble Lord, Lord Coaker, has pointed out, there are questions about prime contractors and subcontractors, and the eight-point plan raises some concerns about what is being asked of government departments and our contractors. Point four states:
“specialist advice and guidance on data security has been shared”
and is available now on GOV.UK. This is part of the eight-point plan—after the horse has bolted. Why on earth was this advice not available before the data breach? It is not good enough for the Secretary of State to refer the other place back to his Lancaster House speech and remind us that the world is a “more dangerous” place. We know the world is a dangerous place. We know that there are cybersecurity dangers, and if the MoD and its contractors cannot ensure that we are safe and secure from data breaches, who can? Can the average citizen of the United Kingdom feel secure if the MoD is not able to deal with its own cybersecurity? Why can it not? To say that this is a contractor and therefore separate from the MoD’s HR supply is not necessarily adequate, either. Are the requirements for our prime contractors and subcontractors adequate?
A question asked in the other place, and which the noble Lord, Lord Coaker, has also touched on this afternoon, is: which other government departments are using Shared Services Connected Ltd and to what extent should we be concerned? My understanding is that the Home Office, the MoJ and possibly the Cabinet Office are also part of these contracts, but the Secretary of State did not appear to be able to answer the question in the other place. I hope, with the additional 24 hours, that the noble Lord, Lord Harlech, may be able to give us some answers to this question.
Point six of the eight-point plan says that His Majesty’s Government are now
“providing a commercial personal data protection service for all service personnel”.
Why is it a commercial personal data protection service? Would it not now be appropriate to learn the lessons of outsourcing and think about whether we should provide our own HR and payroll? Would it not be appropriate for His Majesty’s Government to rethink that and for personnel data to be ensured by His Majesty’s Government and not outsourced?
I have two final points to make in my last 33 seconds. Given the Border Force issues yesterday, do we suspect that the same malign actors who hacked the data impeded people entering our country? Are other malign actors damaging UK infrastructure? Is that a further security concern? My final point concerns the noble and gallant Lord, Lord Craig of Radley. During questions on the response of Israel and its iron dome a couple of weeks ago, he asked whether, if London were faced with a similar issue, we would be able to defend ourselves. Should we not be concerned that, if the MoD cannot defend its personnel against hackers and malign actors, maybe our country is not as secure as it should be?
My Lords, I thank the noble Lord, Lord Coaker, and the noble Baroness, Lady Smith of Newnham, for the points which they raise and for their ongoing support, and that of their Benches in this House, for the Armed Forces. Our people are our strongest asset and the department is committed to taking appropriate action to investigate this matter thoroughly, in terms of both the contractor and the malign actor, and to ensuring that this does not happen again.
Since yesterday, I can confirm that 100% of the backlog of travel and expenses claims held up by the data compromise have now been paid and I can give assurance, on the advice of departmental officials, that the May pay run will be unaffected. I can also confirm, further to the Statement, that public guidance for affected personnel is now live. This can be found on the GOV.UK website by searching for “pay network compromise”.
On the issue of the contractor, as the Defence Secretary confirmed in the other place, a full security review of the contractor’s operations is under way and appropriate steps will be taken if it is found to have been negligent or in dereliction of its duties under contract. This is being co-ordinated with cross-government partners as the contractor, as the noble Lord and the noble Baroness indicated, does not work solely for defence. The contractor, SSCL, holds 12 contracts across nine government departments. The incident in question, however, is isolated to defence and there is currently no evidence of any risk to any other government services provided by the company.
As the Defence Secretary stated yesterday on several occasions, it is true to say that a malign actor is involved and it is possible that it is attached to a country, or a group based in a country. But I would ask that we refrain from turning media speculation into fact before the investigation has had a chance to conclude its important work. The Ministry of Defence is not trying to avoid giving the House this information; we need to be certain before we are able to do so. The Defence Secretary committed in the other place to return when he has further information which can be disclosed, if it is in our country’s interests to do so.
On the subject of Border Force e-gates, my information is that this was a network system failure and not in any way connected to this data breach. The noble Baroness, Lady Smith, raised ongoing cybersecurity. As I hope the Statement and my follow-up remarks attest to, this is something we take incredibly seriously. On a personal level, cybersecurity threats involving bribery, fraud and corruption are all part of our ongoing soldier training, which has to be done individually and is renewed each year.
The noble Lord asked how many personnel may be affected. I am afraid I can add no further clarity, except to say that we believe that approximately 272,000 personnel may have been affected. Investigations continue to refine this number. We monitor all defence contracts and, as I say, this is an ongoing investigation. I would not want to say anything which could impede it in any way.