Defence and Cyber-security Debate

Department: Ministry of Defence

Defence and Cyber-security

Bob Stewart Excerpts
Tuesday 4th March 2014


Commons Chamber
Jack Lopresti

I thank my hon. Friend for his intervention. He is absolutely right. Within the chaos of a potential attack, I am not sure how the disparate groups would communicate with one another, how there would be a uniform chain of command and how it would work in practice. GCHQ seems to be in charge, but in other countries the matter would fall under the Ministry of Defence. It is fine that the MOD seems to be still developing its own basic cyber-security techniques with the armed forces setting up separate units, but it is the responsibility of the Centre for the Protection of National Infrastructure to take the lead in co-ordinating a UK response to a major cyber-security incident.

An extremely clear command structure will be needed to deal with a cyber-attack, which may come from a political group such as the group that claimed that the Sochi games were being held on the graves of millions of people who had been murdered and that was, according to the US Government’s computer emergency readiness team, threatening companies financing or supporting the Sochi winter games with cyber-attacks.

The response would be different if an attack was state-sponsored, but it would be extremely difficult, especially in the first day or so, to determine where the threat came from and whether it came from an individual or a country. The internet is worldwide and even if we knew where the attack came from geographically, it would be difficult to identify who was behind it.

Bob Stewart (Beckenham) (Con)

I am pleased to be able to give my hon. and gallant Friend a pause to think what he is going to say next. When Mandiant briefed us last week, we were told by Paul Dwyer that 66% of our companies take about 243 days to realise that they are subject to what he called an advanced persistent threat, and that some companies have no idea that they are being attacked and will never find out.

Jack Lopresti

I thank my hon. Friend for his helpfully timed intervention. He is absolutely right. Sometimes it is difficult or impossible to determine that an attack has taken place.

On offensive cyber-capability and action, a recent article published by the Royal United Services Institute said that Stuxnet, the malware supposedly used to attack Iran’s nuclear weapons capability, was not successful in delaying Iran’s technical progress. With hindsight, some have seen Stuxnet as a hindrance to diplomatic solutions. I am not sure I entirely agree with that analysis, but it is interesting. Cyber-space is being described as the fifth domain of warfare, so its defence and protection from attack are integral to the operation of our nation’s defence infrastructure.

My last point is whether we are spending enough, which is not an easy subject in a time of fiscal austerity. Last week, Chuck Hagel, the US Secretary of Defence, outlined a vision for a leaner US defence posture with reductions in the US army to a pre-1942 position. However, at the same time, he rightly proposed increased spending on cyber-defence.

--- Later in debate ---
Bob Stewart (Beckenham) (Con)

The greatest threat of electronic attack continues to be posed by state actors. Russia and China are suspected of carrying out the majority of assaults, but other countries—North Korea, Iran and even Syria—run very effective attacks too. The targets are in Government as well as in industry.

Let me give an example of a cyber-attack. On 23 April 2013 the American stock market dropped 1%; it lost $136.5 billion in a matter of seconds because of a false tweet posted on the Associated Press Twitter account. That tweet apparently came from Syria.

Let me give another example of a possible danger to this country, and here I will use information from a paper written for the Defence Committee by the distinguished academic Chris Donnelly. Huawei, a Chinese company strongly suspected of having close links to the Chinese Communist party and Government, is now providing crucial equipment for our national telecommunications system. The company has been debarred from doing that in the United States because it could not prove that it did not have strong links to the Chinese leadership.

Chris Donnelly’s paper highlighted three areas where Huawei could present a security risk. First, the company could insert undetected malware into its equipment, either to disable the system at will or at least to monitor it. Secondly, there is a possible security risk from the Chinese managers and technicians who man the system. Thirdly, allowing Huawei to dominate the field takes away our sovereign ability to deal with matters ourselves. Recently, there has been growing concern that our national cyber-security systems might not be able to detect whether malware has been inserted into the system.

Mr James Gray

My hon. Friend is right to be concerned about the possibility that companies of all sorts might act against the interests of this country, but it is also right to record that Huawei is a major employer in the United Kingdom and is a multi-billion-pound multinational company. The suggestion that it is, in some way or another, an agent or a foreign force in the way he describes may of course be true, but it is worth saying that there is no evidence that that is the case.

--- Later in debate ---
Bob Stewart

I thank my hon. Friend for that, but I am not sure that he is right. Huawei has been involved in setting up our cyber-security evaluation centre. It offered its services at knock-down prices—no western firm could match them, and our economy was and is in a poor position to resist the temptation of accepting what looked like a very good deal. So we could be setting a thief to catch that same thief. Of course the suspicions I voice may be erroneous and our cyber-security services could be totally on top of this one, but without access to classified information I have no way of checking. Members may recall that Huawei offered to provide a mobile phone system for the London underground during the 2012 Olympics—was it not free or close to being free? If I recall it correctly, that offer was turned down on security grounds.

As Chris Donnelly highlighted, state security requirements and gaining commercial advantage are two sides of the same coin in China. We should be under no illusion about the Chinese’s willingness to put huge efforts into understanding and, if necessary, harnessing all sorts of systems in the UK to advance the Chinese national interest. Already there is a mass English learning programme in existence, which Chris Donnelly suggests involves 300 million people in China, and a similar mass programme to teach computing. In 2012, China conducted what it called its first “digital technology exercise” in Inner Mongolia, when an entire division of hackers in the uniform of the Chinese liberation army was deployed. These cyber warriors went to war across the whole spectrum of western activity, not just against western military communications. We are wasting our time calling on China to stop hacking into our systems. Of course the Chinese will deny they are doing it until they are blue in the face—

Sir Bob Russell

Red in the face, surely.

Bob Stewart

Forgive me, my hon. Friend is absolutely right. He always stands up for the infantry, so he would use the word red, and I accept it; red is the colour of the infantry.

We had better wake up to the fact that systematic and state organised hacking is a massive Chinese industry. I am pretty sure that our security services are well aware of the threat, but the public must also be made aware of it. We need the funding to do what we can to counter the threat.

Let me be clear: hacking can be more deadly than a gun. Cyber-warfare, taken to its logical conclusion, could bring our society to its knees. Almost nothing works without electricity. I am talking about light, energy, traffic control—on the ground and in the air—hospitals, police and even sewerage. Undoubtedly, the national grid would be a No.1 priority target for someone wishing to reduce us to our knees. Von Clausewitz stated that war is an extension of politics by other means, but systematic hacking is also war, by new, subtle and probably very effective means.

Mr Tobias Ellwood (Bournemouth East) (Con)

In a hands-free, wireless, bluetooth enabled world, how would any of us cope without access to our mobile phone or computer data for any duration of time? Our lives and livelihoods depend on those assets, and they would change fundamentally if they did not work. The recent flooding in Dorset affected electricity and caused some households to reach for the candles. What a new experience that was for a generation of people who perhaps take our world a little bit for granted. They believe that all these things that we enjoy are there and will not be challenged.

I welcome this debate, and I commend the Defence Committee and its Chair for their report. My concern is that we are debating something that is changing almost daily and yet the report was printed on 26 March 2012. In answer to my interventions at the start of the debate, the Minister made it clear that changes have been introduced, but even they will be out of date given the pace of change in this area.

As we move into an ever more digital and virtual world, we are increasingly exposed to attacks not just on personal data and intellectual property but on state operations, from air traffic control systems to electricity grids. Cyber-attacks are simpler and cheaper than a dirty bomb. We no longer see robbers running in to rob a bank; it is all done electronically. This is the world that we now need to recognise.

Two years ago, I attended a course at Harvard university on national and international security. A cyber-security expert borrowed a laptop. He then purchased and downloaded $16 of software, and managed to tap into Boston’s traffic light systems. Had he taken it one step further, he would have been traced and got into trouble. None the less, he showed how easy and quick it would have been, with just $16 of software, to cause huge disruption.

Let me place this issue in perspective. In the development of warfare, there are occasionally seismic leaps in capability as new systems are introduced, and they force all of us to adapt. Going back in history, the longbow changed the outcome of the battle of Agincourt. The introduction of the cannonball changed the way in which ships attacked one another, preventing the need to go on board. The introduction of the submarine, the tank, the plane and the aircraft carrier all changed the conduct of war. As has been said again and again in this Chamber, cyber-technology will provide a new dimension, which we all need to understand.

I am a little saddened that the Chamber is so empty. I hope that it is not because I am on my feet.

Bob Stewart

I think it is actually.

Mr Ellwood

Thank you! The fact is it is the usual suspects who are here today, by which I mean those who are interested in defence matters. However, as my right hon. Friend the Member for North East Hampshire (Mr Arbuthnot) said, this issue does not affect just defence. It covers the business arena, the Home Office and the Ministry of Defence, yet we are not familiarising ourselves with the structures and processes so that we are at the front end of this capability. The speed of attack, if it happens, will be phenomenal. We have not yet seen anything on a scale that would fundamentally affect our lives, but there will be no build-up to such an attack. There will be no arms, tanks or ships mustering on the border; our lives will suddenly change when our computer systems no longer work.

The UK’s military equipment is increasingly vulnerable because of the complexity of its IT. What would happen if we lost the global positioning system? How would anything operate and could we cope? When I was at Sandhurst, we were taught how to use a compass. I am not sure whether that happens any more, but if the systems go down, that is what will be required.

Today’s statement on Ukraine reminds us of our involvement in the Crimean war and the charge of the Light Brigade. That infamous event took place because of a breakdown in communications, as by the time the orders reached Lord Cardigan, he had the wrong idea of what his mission was. Goodness knows what would happen today if we had insufficient resilience to communicate using our usual systems.

Knowing a little about Joint Forces Command, I understand the logic of placing cyber-security in that domain—it is wise that it is fed into the command—but cyber-security should have its own distinct command with its own expertise, as is advocated by some in the United States. Additionally, the relationship between the Global Operations Security Control Centre and the defence cyber operations group needs to be clarified for those of us who were unable to participate in the Committee’s inquiry. Will the Minister update us on bringing together disparate groupings and organisations within various Ministries through the GOSCC?

I support the call for the use of reservists. Banks and other financial services businesses are at the high end of ensuring that they protect their capabilities, so we need to determine how we attract people with the skill sets to do that job to work in the Ministry of Defence as well. Will the Minister tell us what is being done to encourage our NATO allies to improve joint capabilities? That subject might be suitable for discussion at the 2014 NATO summit, which will take place in this country. Given the damage and disruption that a cyber-attack might inflict, would a full-scale attack on another country be subject to article 5 of the North Atlantic treaty? Have rules of engagement been determined for offensive and defence cyber-operations?

I welcome this debate and I agree with my hon. Friend the Member for North Wiltshire (Mr Gray) that we should have defence debates more regularly. The House needs to understand this emerging threat that faces us all, as it is only a matter of time before a major strike takes place. I welcome the huge progress that the Government are making, but there is clearly much more to do.

Yvonne Fovargue (Makerfield) (Lab)

Labour Members welcome the increased focus that cyber-defence is receiving. The report by the Defence Committee is evidence of that focus, so I congratulate its members on their excellent work. Cyber-attacks are at last properly acknowledged as a serious threat to our national security and are rightly prioritised as a tier 1 risk in the Government’s 2010 national security document. As the Committee’s report says, the threat is liable to grow and evolve at “almost unimaginable speed”. Indeed, the pace of technological change is faster than traditional Government structures and time lines can cope with. As my hon. Friend the Member for Barrow and Furness (John Woodcock) said, five years is a long time in the cyber-world and the threat from cyber-attack is rising exponentially. The number of global web users in 1995 was 16 million; it is estimated that by 2015, there will be more interconnected devices on the planet than there are human beings.

As communications technologies spread and as the UK critical infrastructure networks become even more heavily based on IT networks, cyber-defence becomes an increasingly pressing security concern. There will be even more attacks. According to the Government’s own national security strategy document, the UK faces up to 1,000 cyber-attacks every hour, which is estimated to cost the UK £27 billion a year. Cyber-attacks are now a constant reality, with the Government, the private sector and private citizens all under sustained cyber-attack from both hostile states and criminals, as my hon. Friend the Member for Bridgend (Mrs Moon) articulated so well.

I have no doubt that the Government take the threat of cyber-attack seriously, although perhaps not seriously enough. The report makes it clear that Ministers have not yet put in place the infrastructure to deal with that real threat properly, or approached the problem with vigour or sufficient robustness. As the right hon. Member for North East Hampshire (Mr Arbuthnot) said, the problem is agile and many-layered—I think it has been likened to an onion, and the Opposition would agree with that.

Bob Stewart

It is not an onion, because that implies that one peels away a layer to get at it; actually, it is an attack on all institutions—every single part of our society—simultaneously. I therefore disagree with the onion analogy.

Yvonne Fovargue

I will not be tempted to go further into vegetable analogies. I think the multi-layered approach is the one we are dealing with here.

The Government have committed £650 million over four years to the cyber-security programme, which seems like a significant sum, but only 14% of that was allocated to the Ministry of Defence, while the total investment equates to only 0.6% of the £27 billion that the UK loses through cybercrime every year. In its report, the Defence Committee questioned whether enough was being done to secure the supply chain and the industrial base. We know that supplies of armed forces’ equipment are increasingly being targeted, and are especially vulnerable to cyber-attack. In their response, the Government say they are working closely with industry on matters such as information sharing and incident reporting, but give precious little detail. The Government need to go further, and Labour is calling on them to ensure that every company working with the Ministry of Defence, regardless of its size or the scale of its work, signs up to a cyber-security charter. That will ensure that hackers cannot use the small suppliers to get into the systems of the major defence companies. As my hon. Friend the Member for Inverclyde (Mr McKenzie) said, the risks from cyber-attacks are huge and growing; we need to do everything we can to protect against them, and the MOD and its contractors should lead by example.

The Government also refer to progress on the joint cyber reserve—an initiative to involve reservists in the delivery of cyber-security—but give little detail. Will the Minister say what progress has been made in that important matter? I would particularly like to hear his thoughts on recruitment. The cyber reserves are not likely to be a traditional military outfit: the skills are entirely different. Is it essential that those reservists meet the usual fitness standards of the armed forces? A senior US officer said it was not essential that they were able to march 3 miles with a pack on their back, and I think most people would agree. It would be interesting to hear the Minister’s thoughts on the requirements for the new force and how its personnel will fit into the military model.

What is the Minister doing to attract recruits? We have heard that a lot of the top universities are running cyber programmes with top computing graduates. Is the Minister attending those events or approaching careers fairs? Is there a career path that will be attractive to young graduates—we need not only to recruit but to retain those graduates. A recent study by the Army Families Federation shows that large numbers of married Army personnel want to leave the service. That will be all the more problematic with cyber personnel, as there are many lucrative private sector jobs tempting them away. But of course many of the skills and experiences required for this are prevalent in the defence industry. What steps is the Minister taking to encourage firms involved in Government contract work—not just in the defence but throughout Government—to encourage their staff to become reservists? What responses are there from such firms?

The new joint cyber-force is described by the Secretary of State in terms of its offensive rather than defensive capabilities, enhancing our ability to strike back in cyberspace against enemies who attack us. But as my hon. Friend the Member for Merthyr Tydfil and Rhymney (Mr Havard) said, what are the rules of engagement? Land, sea and air have been the traditional theatres of war. Cyberspace is new and untested. What constitutes a cyber act of war and, equally important, what would be a proportionate response to an act of aggression? For example, if all London’s systems were knocked out by an electromagnetic pulse device, would that be an act of war? What would we do about it? As my hon. Friend the Member for Bridgend said, how would we know who did it? In short, what are the rules of engagement?

It would also be interesting to hear whether the Minister believes that the concept of deterrence applies to cyber-defence as it does to conventional defence as perhaps those with the most ability to attack our cyber-capabilities have the least reliance on their own cyber-capabilities. What role does he envisage offensive cyber-capabilities playing in this? Do we work alone or in concert with others? The Secretary of State has made much of cyber-security being a sovereign capability but we have been working with other nations in supranational bodies for some time; for example we are a member of the “Five Eyes” group, which includes the USA, Canada, Australia and New Zealand, and we have also been working with NATO. The report cites the important work of the NATO cyber-defence centre of excellence. Of course this is based in Estonia and was created as a direct consequence of the cyber-attacks on that country in 2007. There is excellent work undertaken there and I am glad that the Government are committed to participation in the centre, although some may doubt whether the contribution of £20,000 per annum will have much impact. But the lesson to be learned here is that we cannot afford to wait until an attack happens before we act. We have to be proactive.

Since the publication of the report, we have seen developments within the EU’s common security and defence policy. The European Council meeting on 19 and 20 December last year led to a call for the development of an EU cyber-defence policy framework in 2014. I would be interested to hear what talks have been taking place about this. Working with, and within, bodies such as the “Five Eyes”, NATO and the EU is vital, not only for intelligence sharing but for developing common rules of engagement. We must be aware of the threat and how best to counter it. That is why we need all the organisations to work together.

A further point is public trust. The public have to have trust in what we are doing to protect them and that is why accountability is so important. The USA has FISMA, the Federal Information Security Management Act, of course. What research has been done into how this might translate into our own system? We must also ask what role Parliament and the Intelligence and Security Oversight Committee should have in this new era of cyber-defence.

Currently we are accustomed to thinking of security in terms of three forces; army, navy and air force. But in many ways cyber does add a fourth strand. Just as the creation of the RAF in 1918 demanded a whole new way of thinking about defence and war, the increasing cyber threat means that we need to do some fresh thinking now. We have to think seriously about how we can combat this new threat because one thing is certain; it can only grow. Conventional borders will have less and less impact but the impact on civilians and the military will be greater and greater.

When the internet and electronic communications were first devised it was thought that they would impact only on academics in ivory towers. They have developed in ways that were never imagined then and have become an everyday part of our lives. Imagine a world without banking, power, communications systems, computers, control of our weapons. It absolutely does not bear thinking about, which is why we have to think about it and ensure that the MOD and the military are ready to take on this threat, and that they know their part, and play their part, in protecting our country and its citizens from this new and fast-evolving threat.