Mr Crispin Blunt (Reigate) (Con)

- Hansard -

Copy Link

-

I will do my best, Madam Deputy Speaker.

I agree with the conclusion of the hon. Member for Bridgend (Mrs Moon): this is an extremely important issue and addressing cyber-security rightly sits at the top of our national security agenda. Cybercrime and cyber-attacks are not only tomorrow’s dangers; they are a very real and growing threat today. As others have already made clear, Governments, business and members of the public come under sustained attack from cyber-criminals and foreign powers. There were an estimated 44 million incidents in 2011 alone.

As we become ever more reliant on the internet, our vulnerability increases. Cyber-threats take two primary forms—cybercrime and cyber-attack, although sometimes the distinction is blurred. Cybercrime was estimated by the Association of Chief Police Officers to have cost £57 billion globally back in 2009, while Detica estimated that the 2011 figure for the United Kingdom alone was £27 billion. It is difficult to believe that that there has not been a geometric increase since then.

Large-scale cybercrime is an issue of national security. Cyber-attack and cyber-espionage also present a serious threat both to the state and to the community, and the state should be acting to protect both. As we know, cyber-attacks have had real-world effects, as exampled by the denial-of-service attacks in Estonia in 2007 and the Stuxnet attack on Iranian nuclear development capability, although there appear to be disagreements about the degree of its effectiveness.

Cyber-espionage and theft of sensitive information is another major concern, so addressing the danger of cyber-threats today is real, not academic. The Security Service estimates that at least 20 foreign intelligence agencies currently operate to some degree against British interests. That threat merits our immediate and strong attention, which is why I welcome this debate and the attention the Defence Committee has given to the subject.

Mr Blunt

- Hansard -

Copy Link

-

Given the amount of time I have left, I hope my hon. Friend will forgive me if I do not give way to him. If I have time at the end, I will come back to him.

What is being done and developed in the strategy? In 2009, the previous Government produced Britain’s first cyber-security strategy, which, though laudable for initiating a centralised approach to cyber-security, I as the then shadow Minister critiqued as being a shallow copy of the then American strategy. I said:

“Minimal or no attention is given to key areas such as co-ordination of the new cyber-structures with existing agencies, response to a cyber incident and information sharing between government, industry”

and international action. I also said:

“There is no consideration within the strategy of how we would respond to a cyber-attack. No mention can be found of a framework for response or who would lead it. There is no discussion of issues such as back-up communications networks for security and emergency personnel.”

All of those were given coverage in the United States review at the time.

Given the severity of the threat, the then Opposition felt that the strategy was an inadequate response, so before the general election we produced our own paper on cyber-security and keeping Britain safe in the digital age. I am pleased to say that much of it found itself in the Government’s 2011 cyber-security strategy, which is currently being co-ordinated by the Office of Cyber Security and Information Assurance.

The strategy is far more detailed than its predecessor and offers a more thorough, co-ordinated and ambitious programme to enhance our cyber-security. The recent progress report from the Cabinet Office highlights the successes in implementing the strategy and the progress made towards achieving its objectives by 2015. I commend the strategy for its scope and ambition, incorporating everything from changes to law enforcement to greater co-operation and information-sharing with the private sector and enhancing our cyber-resilience. That the strategy also balances the attainment of security with civil liberties is reassuring.

Mr Blunt

- Hansard -

Copy Link

-

My hon. Friend, in his usual perspicacious way, has identified precisely what I am moving on to, but before I finish on the wider cyber-security issue, I want to recognise the contribution made by the Baroness Neville-Jones in pulling this strategy together and much improving our country’s response.

No strategy, however, is incapable of improvement and the Government still appear to preside over a patchwork muddle of agencies and mandates responsible for cyber-security. In 2011, the Intelligence and Security Committee identified 18 different actors with responsibilities for cyber-security, which raises concerns about duplication, cost-effectiveness and confusion. I note the counterpoint expressed by the Minister for the Cabinet Office and Paymaster General, who said in evidence to the Defence Committee that although the arrangement is untidy, it is effective, given the need for a cross-Government approach. I must say that, in the absence of a personality as strong as Baroness Neville-Jones, there remain issues about co-ordination and leadership, as was also mentioned by my hon. Friend the Member for Filton and Bradley Stoke (Jack Lopresti).

We must recognise that the updated cyber-security strategy is a major step forward, but, as my hon. Friend the Member for North Wiltshire (Mr Gray) has made clear, defence is only one small component of the pan-Government effort and by no means the most important. I wonder whether the bracketing of cyber-security and defence is in fact wise, given the MOD’s relatively limited role. The MOD has only two formal responsibilities: to ensure that armed forces operability is maintained both at home and abroad by securing its networks, and to enhance military operations by developing future cyber-capabilities.

Cyber-capability is immensely important for the armed forces: it is a battle-winning asset. In the same way that military operations become difficult if not impossible without air supremacy, cyber-superiority if not cyber-supremacy is required. What differentiates cyber-security is that it also applies to nearly every aspect of modem civil life. Not many businesses need to worry about the effectiveness of the F-35 and the Eurofighter in their daily operations, but the defensive cyber-capability is a daily national necessity for our financial system. Defence against most high-end cyber-threats, including those to critical national infrastructure, is the responsibility of other Departments, not least GCHQ and the Centre for Protection of National Infrastructure. Given that fact, the conflation of cyber-security with defence is possibly misleading, in that it obscures a complex and much bigger picture. However, we are debating cyber-security in the context of defence, so I shall focus on that.

Other hon. Members have outlined the threat, so I simply want to say that the armed forces are increasingly vulnerable to highly targeted forms of cyber-attack, given the networked nature of modern military systems and the increased use of unmanned aerial vehicles and robots on the battlefield. Adversaries may seek signals interception to distort intelligence, disrupt logistical supply chains or, most worryingly, render major platforms and systems, such as ships and aircraft, dysfunctional. If we now regard cyber as a fifth domain of warfare, we must expect other countries to do so too. Britain is a world leader in defence technology, but we must expect emerging powers to be keen to shrink the development gap by stealing what they cannot easily or quickly develop for themselves. The need to protect the operability of our armed forces and the integrity of our defence establishment is thus abundantly clear.

Of the £650 million set aside to transform Britain’s national cyber-security capabilities over the next four years, the MOD will receive £90 million. That funding is not intended to secure MOD networks, because that is assumed to be business as usual, but I know that the Department is securing its supply chain against cyber-attack. The point has already been made about the importance of the need for a resilient industrial base, which must form part of the goal of the national cyber-security strategy. The MOD has responsibility to help to manage the security of its suppliers, and I note the work that has been done to that effect.

I also note the emphasis on reserve forces, which other hon. Members have mentioned, and I welcome the establishment of a joint cyber reserve unit. That is exactly the sort of imaginative use of civilian-qualified reservists in the armed forces that we will want in times of need, but we must bear it in mind that if the armed forces need them at a time of crisis, so will their host employers. On a separate point, I am encouraged by the assurance that spending on cyber will automatically be increased in the budgets of future programmes.

Cyber is part of how our armed forces will wage war in future, so the Department must be able to continue to enhance its military cyber-capabilities. I therefore want to touch briefly on cyber-attack. Inevitably, developments in technology will always be highly classified because the possessor of the latest technological advance is likely to have a battle-winning capability. I therefore understand why information in this area is restricted. However, I emphasise to the Minister that the military should understand that this House expects them to possess cyber-attack capability alongside the ability to defend their own networks from cyber-attack.

This area is highly sensitive because such technology can be applied against other states’ non-military assets in a way that makes it difficult to be clear about whether the laws of war apply. I will finish by discussing this international aspect. This area sits in the grey area between espionage and conflict. That is why, in 2009, I called for us to co-operate internationally on cyber issues to regulate the relations between states in respect of cyber-conflict. I am delighted that that is recognised in the 2013 statement on aspects of state behaviour in cyberspace. We must try to identify the future international rules of the road that will govern relations between states in this area.

I will end by reiterating three questions. First, by bracketing cyber-security with defence, are we in danger of misleading ourselves about where the main effort needs to be? Secondly, can the lead responsibility for cyber-security be made clearer? Thirdly, are we affording enough resources to research and development in this vital area?