Baroness Stuart of Edgbaston
Baroness Stuart of Edgbaston (Crossbench - Life peer): debates with the Ministry of Defence
(10 years, 8 months ago)
Commons Chamber
I am sure that my hon. Friend is right in saying that the Government are well aware of where some of these attacks are coming from. I do not agree that it would be relatively easy to counter them, because these threats are developing at a frightening speed, as the hon. Member for Barrow and Furness (John Woodcock) said. The diversity and development of these threats is changing on a second-by-second basis.
I am pleased to say that the Government are taking action to make the UK more resilient to cyber-attacks. It has established a new computer emergency response team in early 2014, CERT-UK, to improve the co-ordination of national cyber-incidents and to share technical information among countries. The Government set up a new cyber-incident response scheme in GCHQ to help organisations recover from a cyber-security attack. They have extended the remit of the Centre for the Protection of National Infrastructure—the CPNI—to work with all organisations that may have a role in protecting the UK’s critical systems and intellectual property. They have agreed with regulators in essential services a set of actions to make sure that important data and systems in our critical national infrastructure continue to be safe and resilient. As I have said, responsibility for cyber-security rests principally with companies and organisations themselves. Government agencies’ roles will be limited by available resources and national priorities.
Does the right hon. Gentleman agree that there is a difficulty in making cyber-security just a defence issue and saying that the issue lies with companies? There is a network of things that need to combine, and we have not yet developed a system to create resilience across the spectrum; there are only chimneys of responsibility.
The hon. Lady is quite right. We are groping towards it, but we are not quite there. One of the benefits of this debate, of our report and of the Government’s response is to help us move to a better place.
The short answer is yes. The other aspect is who can be engaged to help to do such things. As the hon. Gentleman, who is on the Defence Committee, will know, the structuring of things to ensure a reserve capability is hugely important. The way in which the process is being put together is correct; there will be no monopoly on understanding in the areas we are discussing. We need as good a collaboration as possible. The delivery of the processes will not always be remote. Intelligence and knowing what is happening, where and with whom will be crucial. I shall come to that later.
The other question that comes up is about the law—I mentioned legitimacy earlier. I am helping to lead a sub-study in the Defence Committee of the military and the law. That is coloured, obviously, by Supreme Court decisions, individual cases and all the rest of it. The issue raises questions about international law, humanitarian law, extra-territorial jurisdiction and other things. An argument is being put that says, “We don’t need anything to be separate. This is a different domain, but all the current legal constructs are good enough and we do not need anything different.” I come back to my earlier point. We need to be clear about doctrine. In large part, our doctrine is public. Some, however, may not be as public as we would like, but we need to be clear about how we do things.
We seem to accept that cyber can be not just defensive, but offensive—we can use it offensively. Does my hon. Friend think that our domestic legal structure is sufficient to deal with cyber as an offensive weapon and to contain the power of the Executive to apply that weapon?
I do not know, but in the sense that I think I do know, I think that our legal structure is not sufficient and needs revision. I may be wrong, but that debate has to take place and people more qualified than I am need to comment.
It is interesting to note where our allies are. The United States has and has not made all sorts of declarations. If we believe The New York Times, there was a secret legal review that concluded:
“US military forces could legally launch an attack on digital infrastructure located in a foreign country if it found evidence of a threat against its own systems”.
A rules of engagement debate then starts. That is the other difficult bit—we will have to have rules of engagement for such activity. The more we discuss legitimacy in law for these things, the better. If we do not have such a discussion, the issue will be forced on us. That is what we are seeing now in a lot of other areas, so we should structure how we wish to have the debate rather than having a structure imposed on us.
Proportionality is at the guts of the whole business of international law, human rights and legitimacy. We have to show that proportionality is there and that we have mechanisms and systems to ensure that it is. Simply claiming that it is there will not be good enough.
We are not on our own. We need to be joined up not only internally within the United Kingdom, but internationally. We do not have time to go fully into this now, but it is interesting to see Russia’s current adventures in Ukraine. In September 2011, Russia and China said to a UN group that they wanted a code of conduct for cyberspace that would include requirements for co-operation in
“curbing dissemination of information which incites terrorism, secessionism, extremism or undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment”.
Well, there we are—now we know. Translating that into current events will tell us a lot. That proposed code of conduct was about closing things down and giving legitimacy to the avoidance of dissent and to having systems that are less rather than more open. How we collaborate in this area will be important.
When he was Secretary of Defence in America, Bob Gates said that he could protect .mil, .gov, .org or .com, but that as the protection systems were put in, the public might not like what they saw on .com. That debate is not only to do with defence, but defence has a place in it. Whether there should be a code of conduct and the international arrangements are problematic issues, but there is a growing urgency around them.
At the end of the day, the issue can be about the collection of raw information and the sending of viruses to blow up particular equipment. That is the geeky stuff—the weaponisation and the sexy stuff that the press love. However, at the end of the day, those and other actions are only as good as the intelligence that exists to put them into effect. One area of investment that must not be lost in the question of cyber-issues is defence intelligence. In my opinion, we have the best intelligence analysts and they need to be developed.
We can collect the raw information, but if we do not understand it we will go nowhere with it and make the wrong decision. Investment discussions should please not just be about technical toys, GCHQ and all the stuff about weapons; they should also be about intelligence analysts. Let us protect the capability. The issue is about a whole force, but also about a whole community. Those people are vital in that community and investment also needs to go to them.
I thank my hon. Friend for his helpfully timed intervention. He is absolutely right. Sometimes it is difficult or impossible to determine that an attack has taken place.
On offensive cyber-capability and action, a recent article published by the Royal United Services Institute said that Stuxnet, the malware supposedly used to attack Iran’s nuclear weapons capability, was not successful in delaying Iran’s technical progress. With hindsight, some have seen Stuxnet as a hindrance to diplomatic solutions. I am not sure I entirely agree with that analysis, but it is interesting. Cyber-space is being described as the fifth domain of warfare, so its defence and protection from attack are integral to the operation of our nation’s defence infrastructure.
My last point is whether we are spending enough, which is not an easy subject in a time of fiscal austerity. Last week, Chuck Hagel, the US Secretary of Defence, outlined a vision for a leaner US defence posture with reductions in the US army to a pre-1942 position. However, at the same time, he rightly proposed increased spending on cyber-defence.
Does the hon. Gentleman share my concern that the size of the reduction in the US army is exactly the same as the size of our entire Army?
Yes, I agree, but obviously we are talking about different scales.
I am fully aware that the issues I have raised today are not easily solved, but I fully commend the Government for the progress they have made so far.
I apologise, Madam Deputy Speaker, for not standing up. I thought the hon. Member for Filton and Bradley Stoke (Jack Lopresti) had sat down to take an intervention, but slowly it came to my mind that he had finished his speech.
It is an honour to follow the hon. and gallant Gentleman. I share his concern about an attack on our national infrastructure, but we sometimes focus on things such as banking and transport when we should perhaps look at our food supplies or our hospitals. The impact of such an attack on the civilian population and the country’s morale would be huge. We must address resilience to a cyber-attack and we must engage the civilian population in understanding and preparing for that.
The Chairman of the Defence Committee and I were given a book for holiday reading: “One Second After”. That delightful read, which probably wrecked my summer, was a description of the United States after an electro-magnetic impulse attack had taken out all its computer-based systems. Everything went. No cars could go on the road and nothing would work. It was a scary prospect and I now understand why the Defence Committee’s Chairman runs a car that does not have a computer in it. I am sure the book was a great influence in the decision to purchase that car.
The book also made me aware of the very narrow issue of who is the enemy. In traditional warfare, we tend to know who we are fighting, but in future we may be fighting criminals who are holding the country to ransom. We could be fighting terrorists, because a state is not needed to manufacture a cyber-attack, or activists or anarchists. It has been suggested that some of the attacks in Estonia were by third-party actors. At the bottom of the list is the potential for a state to attack, because states like rules and the rest do not follow rules. That is why they must be our focus, our worry and our concern.
A statement made in 2012 informed us:
“Our cyber defences blocked around 400,000 advanced, malicious cyber threats against the government’s secure intranet alone”.
On the whole, we do not know where those threats are coming from. We do know that the Government have given a commitment to having full-spectrum capability in dealing with cyber-attacks. In fact, in response to the growing number of cyber-attacks, the Secretary of State said that
“we are developing a full-spectrum military cyber capability, including a strike capability, to enhance the UK’s range of military capability. Increasingly, our defence budget is being invested in high-end capabilities such as cyber and intelligence and surveillance assets to ensure we can keep the country safe.”
I was very interested in that statement, so it sent me off on a little tangent, as such things often do.
As the Minister, who has received many of my quirky little requests for information, will know, I sent off a parliamentary question to every Department asking them how many specialist IT staff they employed who had a PhD in computer science, who had a master’s degree in computer science, and perhaps who even had just a basic bachelor’s degree in computer science. It did not bode well, I have to say. The Ministry of Defence can rest on its laurels; it came second to the Department for Work and Pensions, with 1,625 such members of staff. None of the Departments could break the information down by qualification across Departments, which could explain why Government are not very good at commissioning cyber-capability and improved computer networking capability. Only 5,088 people, in total, held a degree-level capability in computing. It was depressing to note that the Department for Culture, Media and Sport had only three people with such a qualification, so we should watch out for its contracting.
Given the logic of Government, did my hon. Friend also ask whether the people with a computing degree actually worked in such areas beforehand or did something completely different?
I did, and most Departments responded that they worked in specialist teams, as we would expect.
Interestingly, the response from Her Majesty’s Treasury told us that a total of 48 people are employed within its centralised IT department, or teams. Those staff provide IT services to the Cabinet Office and to the Treasury. That compares with 57 people in 2008 who worked exclusively within the Treasury, so the numbers are going down, and that has to be a matter of concern. As people with these skills are increasingly highly valued in the marketplace, can Government stay ahead of the market in being able to recruit them?
I was worried about the budget and looked into that aspect. We have heard about the figure of £650 million over five years, which is a mere fraction of the figure for the annual economy, which is set to lose £27 billion every year to criminal activity in the cyber-realm. In contrast, the US Department of Defence has outlined a $23 billion spend on cyber operations in the financial year of 2018 alone.
I thought that I would then have a look at how well we were doing in this area. I discovered, rather alarmingly, that the Government had withdrawn from a new cyber-warfare project called Project Cipher, which was intended fully to scrutinise complex programmes to ensure that they had the potential to meet our needs. After thorough assessment, it was decided that Cipher would not meet the full defence capability required to offer long-term value for the taxpayer, and so the programme was not taken forward. The costs of the stalled project, in the assessment phase alone, had been £66 million, so we have lost a large percentage of the money set aside for cyber, and they were £47 million above the original budget. Overall, this was a major disaster. IHS Janes has said that the project was
“intended to renew the MoD’s cryptographic inventory and automate its crypto-key management systems by replacing obsolete current systems to prevent encoded communication links being compromised.”
I understood half that sentence. The important bit is that it was intended to replace obsolete current systems, because Departments are not good at replacing obsolescent systems. They tend to work things for the length of a Parliament, which is now five years, when we all know that these computers are dying on their feet after about the first two years.
IHS Janes continued:
“The delays in bringing Cipher online are creating capability risks, says the NAO, because the ministry’s existing crypto capability lacks the flexibility to deliver the flagship Network Enabled Capability project, which aims to link up a wide range of military communication networks. This means efficiency savings relating to the automation of crypto capability has been delayed, leading to increased demands on military manpower.”
It explained that the problems with Cipher’s design first emerged during an assessment phase and that they were the result of the lack of suitably qualified experienced civil servants—you will be surprised to hear that, Madam Deputy Speaker. One of the essential things that we must do if we are to be responsible in looking to the defence of this country is to find the way to employ and retain the capability that we need within government to provide the skills and oversee the systems that we operate to keep this country secure.
There has been considerable discussion about having a cyber reserve. I have had conversations with a number of companies that have told me that they are very worried about their employees joining the reserves because they fear for them when they have to travel abroad. Many international companies work around the globe, and they worry about someone who has been in our cyber reserve and transfers to work in another country, or merely travels through a country perhaps on business or on holiday, being prone to personal attack because of the information they would hold not only on their company but on the UK’s cyber-defence capability. I hope the Minister is aware of that concern and will address it.
This is perhaps one of the most urgent and pressing issues affecting this country. We have to take it seriously across every Government Department, but we also have to alert our citizens to the fact that they are now on the front line, because the attack may come from their personal computer, which could be hacked and used for an attack not only on this Government, but on other Governments.