Defence and Cyber-security Debate

Full Debate: Read Full Debate
Department: Ministry of Defence

Defence and Cyber-security

Dai Havard Excerpts
Tuesday 4th March 2014

(10 years, 8 months ago)

Commons Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Dai Havard Portrait Mr Dai Havard (Merthyr Tydfil and Rhymney) (Lab)
- Hansard - -

I would first like to say something about the debate. I agree that the Defence Committee is perhaps remiss in not applying for debates more regularly. This debate is taking place on an estimates day. It is a really serious debate that should be taking place in the Chamber in its own right. Our report is now more than 12 months old—it was published in January 2013—which says something about how quickly these things move. The Government published their response in March 2013 and then made a series of announcements last September, but here we are today with the first opportunity to talk about it. That is an issue we need to look at.

I will not repeat what my colleague who chairs the Defence Committee, the right hon. Member for North East Hampshire (Mr Arbuthnot), said about structure, but I would like to say something about structure, about investment—we are talking about money, after all—and about accountability. The statement made in September was very interesting from two points of view. First, it set out a structure for how the Ministry of Defence, along with the Department for Business, Innovation and Skills, the Cabinet Office and others—this cannot be done in isolation—can start to look at its relationship with industry and at protecting itself through its relationships with the rest of the British community. I think that is hugely important.

There is a lot of work being done on achieving proper standards. We took evidence from industry representatives on that, and they were all over the shop, frankly. For example, they did not want standards, or they wanted their own standards. The question of standards is absolutely at the guts of the whole issue of defining cyber, and not just for the Ministry of Defence. Industry must now have a compliance process with the Ministry of Defence, and I am sure that the Minister will say something about how that is to be done. That is hugely welcome, because it is vital. How we then do that in relation to our allies, NATO, the EU, the French—with our treaty—and others is a big issue that needs proper discussion. We need to have proper compliance and assurance mechanisms, as we do with our “Five Eyes” colleagues and many others, because we are all trying to understand the process.

Most people go to Wikipedia when they do not know much about something, as I did with cyber-warfare, because the announcement in September also mentioned having some sort of offensive capability. Wikipedia states:

“Not to be confused with Electronic warfare… Cyberwarfare refers to politically motivated hacking to conduct sabotage and espionage. It is a form of information warfare sometimes seen as analogous to conventional warfare.”

Well, that is terribly helpful. What we know is that there is no clear definition, either domestically or internationally. We are all fishing for something to help us understand this properly, and we should have some humility in that. However, we recognise its interconnectivity.

Let me turn to the statement on having offensive capability. It was very brave of the UK Government to make that statement. We are the first country to come out and say that. I have spoken with some of our international allies about that, and they say, “Well, that’s a very interesting statement for the Brits to make.” How we actually do that will be a matter for discussion. I am not necessarily against the investment or the capability, but I think that we need to be very clear about what we are saying and how we are going to do things. There will need to be a doctrine and rules of engagement. If we are saying that this is a new domain, I do not think that we can run away from some of these questions. If we do and we keep it too secret, we will lose legitimacy for the activities that we wish to undertake. That is a difficult balancing act, but it is absolutely crucial.

If we are to weaponise the process, how will we do that? There is a lot of talk about countries using the Stuxnet virus in Iran. That was actually delivered physically on a memory stick. The programme then searched out the thing it wanted to destroy or debilitate. It was a hugely expensive exercise. I do not know how much it cost, because I am not supposed to know who did it. Well, we do not know who did it, or we all suspect that we know. Whoever did it, it was not a bunch of amateurs; it was someone who could put substantial investment into it. It turned out to be a one-shot weapon.

If we are to weaponise this area, we must be clear that it will cost money. This sort of activity cannot be done by a boy working in his bedroom to come up with a fancy programme. We will have to invest in the process of weaponisation alongside all the other things we are talking about. How will we procure, what will we do with regard to research and technology, and how will we keep a sovereign capability in these areas? I suspect that those are big questions that Parliament will be discussing for many years to come.

Julian Brazier Portrait Mr Brazier
- Hansard - - - Excerpts

The hon. Gentleman is making an interesting speech. Does he agree that the issue is about not only the technical side but the personal side? More medieval fortresses fell through the inside touch than through outside assault. In the high-tech area, as everywhere else, people can be bought or suborned.

Dai Havard Portrait Mr Havard
- Hansard - -

The short answer is yes. The other aspect is who can be engaged to help to do such things. As the hon. Gentleman, who is on the Defence Committee, will know, the structuring of things to ensure a reserve capability is hugely important. The way in which the process is being put together is correct; there will be no monopoly on understanding in the areas we are discussing. We need as good a collaboration as possible. The delivery of the processes will not always be remote. Intelligence and knowing what is happening, where and with whom will be crucial. I shall come to that later.

The other question that comes up is about the law—I mentioned legitimacy earlier. I am helping to lead a sub-study in the Defence Committee of the military and the law. That is coloured, obviously, by Supreme Court decisions, individual cases and all the rest of it. The issue raises questions about international law, humanitarian law, extra-territorial jurisdiction and other things. An argument is being put that says, “We don’t need anything to be separate. This is a different domain, but all the current legal constructs are good enough and we do not need anything different.” I come back to my earlier point. We need to be clear about doctrine. In large part, our doctrine is public. Some, however, may not be as public as we would like, but we need to be clear about how we do things.

Baroness Stuart of Edgbaston Portrait Ms Gisela Stuart
- Hansard - - - Excerpts

We seem to accept that cyber can be not just defensive, but offensive—we can use it offensively. Does my hon. Friend think that our domestic legal structure is sufficient to deal with cyber as an offensive weapon and to contain the power of the Executive to apply that weapon?

Dai Havard Portrait Mr Havard
- Hansard - -

I do not know, but in the sense that I think I do know, I think that our legal structure is not sufficient and needs revision. I may be wrong, but that debate has to take place and people more qualified than I am need to comment.

It is interesting to note where our allies are. The United States has and has not made all sorts of declarations. If we believe The New York Times, there was a secret legal review that concluded:

“US military forces could legally launch an attack on digital infrastructure located in a foreign country if it found evidence of a threat against its own systems”.

A rules of engagement debate then starts. That is the other difficult bit—we will have to have rules of engagement for such activity. The more we discuss legitimacy in law for these things, the better. If we do not have such a discussion, the issue will be forced on us. That is what we are seeing now in a lot of other areas, so we should structure how we wish to have the debate rather than having a structure imposed on us.

Proportionality is at the guts of the whole business of international law, human rights and legitimacy. We have to show that proportionality is there and that we have mechanisms and systems to ensure that it is. Simply claiming that it is there will not be good enough.

We are not on our own. We need to be joined up not only internally within the United Kingdom, but internationally. We do not have time to go fully into this now, but it is interesting to see Russia’s current adventures in Ukraine. In September 2011, Russia and China said to a UN group that they wanted a code of conduct for cyberspace that would include requirements for co-operation in

“curbing dissemination of information which incites terrorism, secessionism, extremism or undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment”.

Well, there we are—now we know. Translating that into current events will tell us a lot. That proposed code of conduct was about closing things down and giving legitimacy to the avoidance of dissent and to having systems that are less rather than more open. How we collaborate in this area will be important.

When he was Secretary of Defence in America, Bob Gates said that he could protect .mil, .gov, .org or .com, but that as the protection systems were put in, the public might not like what they saw on .com. That debate is not only to do with defence, but defence has a place in it. Whether there should be a code of conduct and the international arrangements are problematic issues, but there is a growing urgency around them.

At the end of the day, the issue can be about the collection of raw information and the sending of viruses to blow up particular equipment. That is the geeky stuff—the weaponisation and the sexy stuff that the press love. However, at the end of the day, those and other actions are only as good as the intelligence that exists to put them into effect. One area of investment that must not be lost in the question of cyber-issues is defence intelligence. In my opinion, we have the best intelligence analysts and they need to be developed.

We can collect the raw information, but if we do not understand it we will go nowhere with it and make the wrong decision. Investment discussions should please not just be about technical toys, GCHQ and all the stuff about weapons; they should also be about intelligence analysts. Let us protect the capability. The issue is about a whole force, but also about a whole community. Those people are vital in that community and investment also needs to go to them.

--- Later in debate ---
Mark Francois Portrait Mr Francois
- Hansard - - - Excerpts

This is a wonderful opportunity to recruit IT specialists from the civilian world to the reserves, but we have learned that this is a specialised area of work and we are looking at ways of extending the careers of people who work in cyber. For example, in the military, people might normally do a tour of two or three years and then move to a different position. We are looking at options for allowing people who work in this field to do longer tours of duty so that we can fully exploit the detailed expertise that they develop. We are looking at the matter carefully.

My hon. Friend the Member for Bournemouth East (Mr Ellwood) asked about NATO co-operation. The UK is proud to be part of the NATO co-operative cyber defence centre of excellence in Tallinn, and the MOD has already seconded a member of our cyber team to work there. I should tell the Chairman of the Select Committee that the Committee cannot take all the credit for that, but it can certainly take part of it. Furthermore, we have increased our co-operation with the NATO computer incident response capability based in Brussels by joining the malware information-sharing platform and the multinational cyber-defence education and training project.

I assure the House that we are taking cyber very seriously in our defence planning. We are integrating cyber scenarios into our cross-defence exercise programme and combining it with the other domains of operations as part of full-spectrum planning, alongside land, air and sea. The cyber piece is becoming integral across the spectrum of military activity.

Dai Havard Portrait Mr Havard
- Hansard - -

Will the Minister give way?

Mark Francois Portrait Mr Francois
- Hansard - - - Excerpts

I think I should conclude because we have another debate to come.

Cyber remains a relatively young domain. Many advances will continue to come online and change the way we live our lives. While this brings new opportunities for better understanding, collaboration and innovation, we must be alert to the risks and threats as they emerge. We are striving to do both within the Ministry of Defence. It is not a task for the fainthearted, but one we must undertake none the less. The Select Committee urged us to take these threats seriously. I hope I have been able to demonstrate to the House that we do take them very seriously, in defence of the realm.

Question deferred (Standing Order No. 54).

Department for Communities and Local Government