(13 years ago)
Grand CommitteeMy Lords, I, too, thank my noble friend Lord Lothian for obtaining this debate and for his sterling work on the committee and the report that has been produced. I declare two interests, one as president of ARTIS Europe, which is a research and risk analysis company that takes an interest in areas of politically motivated violence and terrorism, and the other as a customer of the Security Service during the past seven years as a member of the Independent Monitoring Commission. We spent a good deal of our time working with various elements of the Security Service here in the United Kingdom, the Republic of Ireland and elsewhere.
This is an extremely worthwhile report, which merits considerable study. I want to refer only to a few aspects of it. I could pick up on some of the positive remarks about, for example, the National Security Council, which seems to be an important development. I could pick up also on the concerns expressed about the BBC Monitoring service, an issue referred to in general terms in your Lordships' House but very specifically in this report. I welcome not only what the report had to say but some of the remarks in the Government’s response to it.
I note what my noble friend said about concerns about confidentiality in respect of our partners and material coming into the public domain. This is a very difficult area to put into structure and regulation. In the Independent Monitoring Commission, we found ourselves meeting at a very early stage, because it was a somewhat unusual body, as my noble friend knows from his own experience in Northern Ireland. Quite quickly, rather more because of the personnel than of the structure, we were able to build up a sense of confidence with our interlocutors. That was able to function adequately over a period in excess of seven years during which we published some 26 reports. That confidence was not maintained purely by the structures in place, though some were important, but because of the personnel and the relationships between them, which are very difficult to legislate for. It is extremely important to come to understand those things which you can, and should, properly put in the public domain and those matters which have to be dealt with in another way. Without that, it is impossible to do serious work in this area. Structures alone will not address that.
Let me come to the more specific areas that I wish to concentrate on. First, on Northern Ireland and republican terrorism, my friend the Minister of Justice in the Northern Ireland Assembly, David Ford, recently remarked to the Assembly in answer to a question that the level of attacks was not currently increasing, which was very welcome news, because, during our period, they had continued to increase. I am absolutely clear, as I think he was, too, that that is not because the level of activity has diminished but rather because of the excellent work of the security services, the police and the Garda Síochána. It is quite clear that there is still a very high level of dissident republican activity, but it is being foiled by excellent work. I take this opportunity, as other noble Lords have done, to convey my own appreciation to those involved, in so far as I can on behalf of the people of Northern Ireland, for the protection afforded to them and other people in the United Kingdom by their extraordinary work. One of the difficulties about it is that, as with good civil servants’ work, when it is successful you do not see anything publicly and people then take for granted that everything is fine. That is a little bit dangerous because people then let their security guard down and something terrible can happen. With good civil servants’ work and good security work, it looks as though everything is going swimmingly, which is only because of the quality of the work that has been undertaken.
I was gratified to note the recognition of cybersecurity as a tier-1 risk, as is recorded in the report. It is important to understand that this is not simply a question of traditional terrorists, whether domestic or international—although they are mostly international—using the modality of cyber to arrange traditional-style terrorism. In other words, cyberterrorism is not about people communicating with each other using the internet in order to plant bombs or all the other things that terrorists traditionally do. Rather, there are new ways of engaging in attacks that are mediated entirely through the internet—for example, the damaging of government infrastructure and the necessary national utilities. These are very real dangers not just in the defence field but in all aspects of life, including things such as water and electricity, not to mention all our own practical activities. That struck me very forcibly some years ago when some Taiwanese colleagues made it clear to me that, in the Taiwanese Parliament, every parliamentarian’s computer was being hacked into every single day. I think that some colleagues in your Lordships’ House and elsewhere might not be quite aware of the vulnerability of many of these things, although I know that that is not the case with noble Lords in this Room.
The whole area of cybersecurity presents an enormous difficulty and challenge, including on a number of elements that I note are mentioned in the report. First, the question of staff retention and pay, which is referred to, is a very difficult issue. In some long discussions that I had on this front, a young man who runs a company in the United States remarked to me that one of the problems with those who are most skilled in this area of work is that they are often—though this may surprise some noble Lords—not qualified with university degrees, but they are extremely skilled in this work and they have a very particular set of personality attributes and a particular way of working. When a number of small companies were established that became very effective in providing anti-hacking services—largely, setting a thief to catch a thief—a number of the large corporations saw this work as an ideal undertaking. There was clear money to be made and the expertise was available, so these large corporations bought over a number of these small firms. As far as I am aware, almost none of them survived because, brought inside a corporate structure, this was not the way that these young men—and they are almost all young men—functioned. Therefore, one of my questions for the Minister is: how are departments finding the challenge of engaging some of these young people who are not the traditional personalities for the Civil Service or the security agencies or the military or the police? In fact, these are the kind of young people who might be firmly outside these structures, yet they are exactly the kind of people that we need inside if we are to deal with this kind of problem. The report talks about this issue in terms of finance, but I really think that it is much more about other things in addition to the question of finance.
That leads me to the issue of psychological research in these areas. I have been to a number of conferences recently where it has become clear that huge amounts of money are being spent on hardware and on software, but very little is being spent on understanding the psychology of the kind of people who get involved in these sorts of activities. This was commented on in a recent conference that was promoted by the right honourable Foreign Secretary, at which Misha Glenney—a former BBC journalist who has recently published an excellent book on the subject—pointed out that almost no work has been done in this area. For me, that is reflected in the report, which highlights key themes as: “Organised crime”; “Hostile foreign activity” coming from Governments and so on, which is absolutely true; and “Terrorism”. However, the report does not refer at all to what is commonly known as “hacktivism”, whereby young people become involved in activities that become crime, because they break the law, but their intent is not that of traditional organised crime to make a lot of money; much of it is about gaining respect for themselves as serious operators on the internet. However, they then get themselves in trouble and find themselves on the wrong side of the tracks and on the wrong side of the law. I was struck by the fact that that is not identified in the report as a fourth area. This is not organised crime, or terrorism per se, or foreign activity in terms of Government and armies and so on, but it causes us a great deal of problems. That suggests to me that there is something about the whole psychology of this new space that has been created—as well as land, sea, air and space, we now have a new context for engagement and, indeed, for war.
That leads me to another question about legal research. I submit that if the Stuxnet attack had happened in an equivalent way on land, at sea, in the air or even in space, it would have been regarded as a declaration of war. However, despite the great problems that it obviously caused for Iran, it does not seem to have been regarded in that way. At this stage, without waiting for something to happen, a serious piece of work needs to be done in international law to explore at what point such a thing becomes a declaration of war, at what point can it be responded to only by cyber-response and at what point by other kinds of response. There is a lot of work to be done in that area.
On that point, this is an important question and the real problem in this area is one of attribution. All the evidence that we have taken suggests that it is very difficult, when you get a worm of the type that Stuxnet was, to find out where it has come from.
My Lords, my noble friend is absolutely right. That is why there is a problem, to which there is no simple answer. Great damage is done whether the attribution can be established or not. Sometimes in the past people have not waited to establish the attribution. A doctrine of pre-emption, which I do not in any way recommend or commend, was created by a previous American Administration. The point is that sometimes we have to find a way of dealing with these things. I simply seek reassurance from the Minister that it is being actively looked at by those with the experience and legal expertise to address the question.
To some extent, that leads me to the question of attribution more generally and in regard to research. Some comments were made about the threat of al-Qaeda, including that in the Arabian Peninsula and other places. In looking at it, it seemed to me that there was rather a surface view of the thing. For example, many of those who get involved in Yemen in support of al-Qaeda in the Arabian Peninsula are concerned about their local situation, as was the case in Afghanistan. There are a small number at the top who have all these notions about the caliphate and so on, but they are not necessarily carried forward because everyone who is involved on the ground believes that. That is extremely important in understanding how to deal with it.
Let me give a specific example from our own country. There are those who have looked at the way of thinking of young people who are potentially vulnerable to being involved in terrorism in this country. I commend the noble Lord, Lord Foulkes, for pointing out that this is not always a question for foreign policy; it is very much a domestic issue. The view has been taken that it is about fundamentalist views. The job is to persuade young people not to have these hard-line, extreme, fundamentalist religious views. I have always had some doubt that it is possible to persuade young people of anything of the kind. Indeed, the more adults try to do it, the less likely young people are to go along with it. However, research has recently suggested that that is not the best way to deal with it anyway. Even if these people have very fundamentalist views and, at the same time, accept that democracy and the rule of law is the only proper way to change and govern society, they are not vulnerable to becoming terrorists.
That is an extremely important question to be explored, so I seek some assurance from the Minister that research is not necessarily being done only by those inside the services, who may have a particular expectation of research. Those of us with any passing understanding of academic research know that it is extremely important that people do not come with preconceived ideas. Those inside the services cannot but have preconceived ideas. Is there any role for research that is being done externally, on a more objective basis, to inform the work of the security services?
On the issue of being up-to-date with difficult questions, we have had a strategic defence and security review, but we have just come from the Chamber where we have been looking at the dramatic and disturbing changes taking place in our own continent of Europe. Only a couple of days ago, General Martin Dempsey, chairman of the United States Joint Chiefs of Staff, said that he was “extraordinarily concerned” about euro survival, civil unrest and the break-up of the EU. Again, this is not a question of distant places but of our own part of Europe. I seek reassurance— I do not ask for anything more—that our intelligence services are paying attention to the real and present danger of unrest in Europe over the next few years as the weight of financial difficulty and political disjunction begins to bear down. That may be, sadly, a substantial part of the work of our security services which is not, as yet—I understand why because the report is now a few months old—focused on in the report.