Cyber Threats Debate

Full Debate: Read Full Debate
Department: Cabinet Office

Cyber Threats

Lord West of Spithead Excerpts
Thursday 18th October 2018

(6 years ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord West of Spithead Portrait Lord West of Spithead (Lab)
- Hansard - -

My Lords, I congratulate the noble Viscount, Lord Waverley, on instigating a debate on this important topic. We have had a mention of Drake’s drum, so it would be remiss of me not to mention the Battle of Trafalgar, which took place this week, 213 years ago—no cyber there, I have to say.

I had the privilege of being the UK’s first ever Minister for Cyber Security and produced UK’s first cyber security strategy in 2009. Then, very few people acknowledged the risk. There is no such problem today, because the word cyber is on everyone’s lips. It is a huge topic, as we heard from the opening speech of the noble Viscount, and I shall raise only two points.

Cyber security has become shrouded in mystique and fear. Threat awareness is too often tilted dangerously close to scaremongering. We ignore the basic reality that cyber security is about risk management, and it is well within our capabilities to manage that risk. But it must be owned by all of us. We need to understand the risks and take simple actions to manage them.

One thing that the most sophisticated and the low-sophistication but more prolific attack have in common is that they tend to exploit basic weaknesses in defence, so the most pressing need and strategically important question is to find ways to raise the basic defences of organisations throughout our country and across the world. That is why I am delighted that the NCSC has started to implement its active cyber defence programme. The NCSC is an amazing set-up and has done incredible work. This gives a framework for UK cybersecurity that takes away most of the harm from most of the people most of the time. It is identifying ingenious solutions to spoofing—it has done that on a huge scale already. It involves partnerships such as threat sharing with CSPs, which already block tens of millions of attacks automatically every month.

It recognises the importance of the individual in all this, which is my first point. We have not made it easy for our people. We must be serious about understanding the human being and stop blaming humans for being the weakest link in cybersecurity: they are the most important. They often are weak but we should not blame them for that. Human factors techniques can maximise human performance while ensuring safety and security. We must design technology that fits a person’s physical and mental abilities: in other words, fitting the task to the human, not the other way around. There must be much wider recognition of the importance of the user.

In the active cyber defence programme, one of the drivers is that users had guidance fatigue. I am not surprised: there was always something they were doing wrong, had not done or should not have been doing. My children tell me that all the time when I am on the computer. Basically, we want to make it easy for people to do these things. That is why there was a change to the unworkable password guidance. Now, we encourage people to protect heavily what they cannot afford to lose and do what they can with everything else. My goodness me, look at these passwords! If you want to get a train ticket, go to the opera or do anything, you have to have a bloody password—sorry, you have to have a password. It is a complete nightmare.

We need to make sure that everyone using a network understands easily how to use it safely. This is just as important as investing in network security technology. Networks have users, and if users cannot do their work effectively while understanding how to do it safely, security is compromised.

My second point relates to our nation’s move towards 5G and the inherent risks in how we are moving forward. The Huawei equipment fitted in our communications systems is a perfect conduit for the exfiltration of data and, as newer systems have come into operation, updated remotely by software from China, so our experts have found it increasingly difficult to be sure that they are constantly safe for use. In view of the ease of supply, cost and quality, the decision was that Huawei equipment should be used in UK systems, and I think that that decision was correct when it was made. It is clear that Huawei is very conscious of security concerns and has tried to alleviate them by more openness and by employing UK experts, many from GCHQ, to monitor its equipment on our behalf.

However, that does not remove all my concerns, and events have moved on. Huawei is set to lead the global charge into 5G, originally in conjunction with another Chinese company, ZTE. Huawei, of course, is not owned directly by China, but ZTE is, and Huawei has signed a deal to provide the next generation of mobile broadband kit to British Telecom. Yet the Huawei Cyber Security Evaluation Centre, overseen by GCHQ, has identified issues with Huawei’s engineering processes that lead to new risks in the UK tele-communications networks. Indeed, GCHQ says it cannot guarantee their security. In addition, GCHQ has effectively banned the use of ZTE by UK firms. A letter was produced saying that we should not use it.

Bearing in mind the huge impact of banning ZTE and Chinese companies in foreign policy, BEIS and trade terms, I ask the Minister: was this a Cabinet decision, or was it made by an official in GCHQ? Fifth-generation mobile services will eventually underpin the new digital landscape, as has already been mentioned. It will transform lives and economies as data analysis, artificial intelligence, the internet of things and quantum computing permeate all areas of human endeavour. We are hoping to start the move towards 5G next year—indeed, we need to. We have to get ahead of all this, particularly with Brexit. We are good at these things, and we need to get ahead.

These changes will bring huge benefits to us all. They will transform healthcare, create smart, energy-efficient cities, make work lives more productive and revolutionise the relationship between business and the consumer. But they bring risks that, if unchecked, could make us more vulnerable to terrorists, hostile states and serious criminals.

I have no doubt that China’s dominance of the technology that will power the next generation of superfast mobile broadband threatens to leave the UK vulnerable to Chinese espionage. However, we probably need to use it so we must identify means of ameliorating the risks. As an aside, I am also very concerned about the spread of Chinese Hikvision equipment, thousands of pieces of which are already installed across the country and connected to our networks. They will all be enabled by 5G. There will be not only cameras, but sound as well. They will sit in every office, see everything on every desk and record everything that is going on, once 5G is linked.

Is the Minister happy that a part of the parliamentary estate is scheduled to have Hikvision installed in January next year? I believe that there is an urgent need to have a small cell set up in the Cabinet Office reporting through the National Security Adviser directly to the Prime Minister to establish what level of risk the UK is willing to accept and to advise what amelioration is required. Banning Huawei and other Chinese firms totally is not a realistic option. Resilience, not IP theft, is our major concern.

Finally, I ask the Minister: is work going on to consider early, robust and fair solutions to what is a global challenge of balancing investment, trade and security, as we will have to protect some parts of our infrastructure by exclusion?

--- Later in debate ---
Lord Young of Cookham Portrait Lord Young of Cookham
- Hansard - - - Excerpts

I was referring to the responsibilities of the Department for Education. The relevant Minister is sitting at my side and will have heard that. We will write to the noble Lord, giving a more detailed reply on the role of that department, if that is what he wants.

The Government actively manage potential risks to UK infrastructure—a point on CNI raised by the noble Lord, Lord Fox. This includes risks related to foreign equipment used in our telecoms industry. This important issue was raised by the noble Lord, Lord West, who expressed concerns about our telecoms structures. I want to make it clear that the Government have not banned ZTE. The NCSC has raised its concerns about the ability to manage the risk of having more Chinese-supplied equipment on UK infrastructure undermining existing mitigations, including those around Huawei. The noble Lord is right that we cannot ban our way out of this, but I can confirm that the Department for Digital, Culture, Media and Sport, with the NCSC, is leading the review into the security and resilience of our telecoms supply chain.

Lord West of Spithead Portrait Lord West of Spithead
- Hansard - -

Has this been debated at Cabinet level? Bearing in mind that it has an impact on so many departments, it really needs to be looked at in the round, so I would be grateful for an answer.

Lord Young of Cookham Portrait Lord Young of Cookham
- Hansard - - - Excerpts

I am sure the noble Lord would be grateful for an answer, but I do not have one. I do not know whether it has been debated in Cabinet or in a Cabinet sub-committee. However, within the constraints of what happens within the machinery of government, which the noble Lord will be familiar with, I will see whether I can shed some light on the important issue he has raised.

The noble Lord also raised the issue of Chinese investment that meets stringent legal and regulatory standards. At the heart of this is the recognition that we need confidence in our ability to get the right balance between security in our critical infrastructure and the growth, productivity and inward investment opportunities. The findings of the review will report to the Prime Minister and the National Security Adviser. It is right that in the face of these shared threats the UK works alongside its international partners and allies to expose, confront and disrupt hostile or malicious activity.

Lord West of Spithead Portrait Lord West of Spithead
- Hansard - -

Is the Minister concerned about H1K and the fact that CCTV will now have sound and that when it is 5G enabled every one of those things will be able to take down data and pass it on? Where do we stand on this?

Lord Young of Cookham Portrait Lord Young of Cookham
- Hansard - - - Excerpts

When we discussed this yesterday, the noble Lord was concerned about the installation within the Palace of Westminster of this capacity, which could indeed read stuff that was on my desk. I think this is primarily a matter for the authorities within the parliamentary estate. I will share with them the noble Lord’s concerns and get a considered reply, possibly from the noble Lord, Lord McFall.

It is right that in the face of these shared threats the UK works alongside its international partners and allies to confront, expose and disrupt hostile or malicious activity. Noble Lords will have seen recently our attribution of a range of indiscriminate and reckless cyberattacks to the work of Russian military intelligence, and 21 other countries stood with us to call this out. That builds upon a host of cyberattacks that we and our international partners have attributed to North Korean actors, including the WannaCry incident, one of the most substantial to hit the UK in terms of scale and disruption.

We are absolutely clear that we must work together to show that states attempting to undermine the international rules-based system cannot act with impunity. The Foreign Secretary pressed this point with his counterparts at the Foreign Affairs Council earlier this week, and the Prime Minister is today encouraging the European Council to accelerate work to strengthen the EU response to malicious cyber activities, including a new regime of restrictive measures.

When necessary, we will defend ourselves. We are continuing to develop our offensive cyber capabilities as part of the toolkit that we use to deter our adversaries and deny them opportunities to attack us both in cyberspace and in the physical sphere. My noble friend Lord Borwick referred to this. If he looks at page 51 of the National Cyber Security Strategy 2016 to 2021, I hope he will be reassured by what we say about enhancing sovereign capabilities and offensive cyber, ensuring that we have at our disposal,

“appropriate offensive cyber capabilities that can be deployed at a time and place of our choosing, for both deterrence and operational purposes, in accordance with national and international law.”.

It is also vital that we continue to reaffirm our shared vision for an open, peaceful and secure digital world based on the rule of law and norms of behaviour. The noble Lord, Lord Ricketts, was right to refer to the speech by the previous Attorney-General saying that international law applied to cyberspace. It seems to me that if a foreign state were to drop a bomb on our airports we would have a right to reply, and likewise if our airports are immobilised through cyber we should equally have such a right, though of course that should be proportionate and legal. We do not concede ground to those who believe that existing international law does not apply, or who seek to impose controls through international fora as a means of restricting basic human rights.

Our work with international partners goes beyond joint operations and influencing. For example, the noble Viscount, Lord Waverley, asked about the work that we are doing with the Commonwealth. We have been scoping and piloting projects to date, but we are now accelerating delivery and expect to have spent £2.3 million by the end of this financial year. Much of this is in partnership with the private sector—for example, we are working with Citibank, an American bank, to build resilience in the Commonwealth finance sector.

I did not think we would get through the debate without Brexit being raised by the noble Lords, Lord Fox and Lord St John of Bletso. The cyber threat that the UK and its European allies face from state actors and cybercriminals remains significant and, as the noble Lord, Lord Kennedy, says, it knows no international boundaries. That is why the UK is seeking to maintain the broadest possible co-operation with our EU partners so that we can continue to share information with EU security institutions, deepen industrial collaboration and work together to develop cyber resilience in support of our collective security, values and democratic processes. Continued co-operation with the EU is not only in our interest; it is firmly in the interest of the EU as we look to respond to hostile state and non-state actors in cyberspace.

At this halfway point in the delivery of our national cyber security strategy, we have put in place many of the building blocks to transform the UK’s cybersecurity and resilience, already demonstrating results. However, we can never become complacent. Just as the threat from cyber criminals and nation states continues to evolve, so too must we continue to innovate and respond at scale and pace. We are therefore stepping up our protection of government systems, from the NCSC’s excellent active cyber defence measures to models adapted from those used by the finance sector to test the security of public services.

On the subject of defence, the noble Lord, Lord Browne, a previous Secretary of State, raised some important issues about the security of our defence systems. We have well-established processes in place to address cybersecurity and the protection of our weapons systems. We are continuing to invest—for example, through our £265 million programme of cyber vulnerability investigations for military equipment. On the specifics of responding to the report published in the US, I will happily write to the noble Lord. To allay his concerns on the UK’s use of equipment supplied by the United States, I refer him to the details of the NCSC’s support of the MoD’s Modernising Defence programme in its recent annual review, where examples include stringent testing of the new F35B fighter planes.

Lord West of Spithead Portrait Lord West of Spithead
- Hansard - -

My Lords, I am sorry to ask the Minister to give way again. I do not always share the views of my noble friend Lord Browne on some of these issues, but on the Dreadnought programme, which is crucial, could the Minister maybe go back to the Secretary of State for Defence and say, “There really is a need for red-teaming regarding the threat of cyber to the Dreadnought programme, as it is in-build”?

Lord Young of Cookham Portrait Lord Young of Cookham
- Hansard - - - Excerpts

I take very seriously such a warning coming from the noble Lord. I will share of course his concerns with my right honourable friend the Secretary of State for Defence and get him to write to him.

While it is difficult to avoid headlines about attacks and breaches, doing something about it is still often seen as too technical, too difficult or someone else’s problem. However, one of the themes that has emerged from our debate is that cybersecurity is everyone’s responsibility. We consider it vital that all organisations embrace and embed cybersecurity, from the boardroom down. That is why we have targeted efforts at driving long-term change, starting with helping boards to better understand the risks they face and to invest appropriately. This year’s cybersecurity breaches survey revealed that only 30% of businesses have a board member with responsibility for cybersecurity, and that is not good enough. We must ensure that boardrooms provide active leadership to ensure that cybersecurity is ingrained into organisational cultures and mindsets—a point well made by the noble Lord, Lord St John of Bletso, who also drew attention to the substantial fines that companies are now exposed to under GDPR if they do not comply with the new legislation. As the noble Lord, Lord Fox, highlighted, understanding exactly how secure data and systems are in complex organisations has never been more important.

I am conscious that I am not going to be able to get through all the points that have been raised within the allocated 20 minutes, so I will write to noble Lords to deal with the issues that I have not been able to address today. In conclusion, I hope I have been able to demonstrate not just that we understand the scale of the challenge that we face but that we are seeking to create the environment for everyone to be at their most collaborative and agile to respond, a point well made by the noble Earl, Lord Erroll. As we face new challenges in the year ahead, we need to ensure that we remain focused on reaching across organisational, political and geographical boundaries. As we face those challenges, I will ensure that we take on board the valuable suggestions that noble Lords have made in today’s debate so that we can continue to protect the economic and individual freedoms that make us stronger together.