Proposed Directive (Information Systems) Debate

Department: Home Office

Diana Johnson Excerpts
Thursday 3rd February 2011

Commons Chamber
The Parliamentary Under-Secretary of State for the Home Department (James Brokenshire)

With permission, Mr Speaker, I would like to make a statement on the proposed European directive on attacks against information systems, which we have decided to opt in to.

Hon. Members will not need me to tell them how much we benefit from the services that are now available online. In 15 years, the number of global web users has jumped from 16 million in 1995 to more than 1.7 billion today. About three quarters of all British households now have an internet connection, and last year nearly two thirds of all adults in Britain bought goods or services online.

We want to build on our cultural and economic success in the online world, but with the growth of the internet has come the growth of a new type of crime and a new risk to our national security. We now face a real, ongoing and persistent threat from other states, terrorists and criminals operating online. They are stealing commercial secrets, they are trying to take sensitive Government information and they are defrauding ordinary people.

Cybercrime, often carried out by organised criminals, is now a major and growing threat to all sectors of our economy, and we should be in no doubt: online attacks can have a significant real-world impact, from people's bank accounts being emptied to industrial plants and critical infrastructure being disrupted. The risks from cyberspace are now so great that the national security strategy placed the threat as one of the top tier of risks to our national security.

Recognising the seriousness of the threat, the Government are already investing heavily in cyber-security. Following the strategic defence and security review, we committed £650 million of new investment over the next four years to transform our protective capabilities in cyberspace. Our response is led by Government, but uses the resources and knowledge of the private sector, including those parts of the private sector that own and operate large elements of our digital infrastructure. The programme explicitly depends on building strong relationships with like-minded countries around the globe, because the problem is an international one and online criminals do not respect international borders.

Here in Britain we have long-standing laws against computer misuse, but we need to be able to take action also against cyber-criminals operating overseas; it is therefore clear that we need to work across national boundaries. That means our law enforcement agencies working with their partners overseas to identify suspects, gather evidence and bring criminals to justice. The European Union directive on attacks against information systems supports those aims. The directive builds on an existing 2005 EU framework decision with which Britain was already compliant. It is also consistent with the Council of Europe convention on cybercrime, which Britain is in the final stages of ratifying. Opting in further demonstrates our commitment to internationally co-ordinated action against online threats.

The directive will ensure that there is a basic set of agreed minimum rules in relation to online crimes and penalties across the EU that member states must build into their legislation. It will also ensure that member states respond quickly to requests from other member states for assistance in cybercrime cases. Those measures will benefit Britain and other countries that have active online economies, because it will mean that cyber-criminals will not be able to hide in European countries that do not have as well-developed laws against cybercrime as we do.

The directive also seeks to address the threat from large-scale attacks on information systems by ensuring that member states have adequate legislation to allow the prosecution and punishment of those organising, committing or supporting large-scale attacks. That is not a hypothetical threat: it is a real, existing problem for the British Government and British business. Finally, the directive sensibly takes into account changes in the threat picture since the framework decision was agreed, such as tackling the creation of malicious software and other innovative tools that criminals have invented to commit offences.

It is for all of these reasons that we have decided to opt in to the directive. It fits with our approach of making Britain a tougher place for online criminals to operate in, and it will mean that the reach of our law enforcement agencies extends outside our borders. By opting in now, we do not accept that the draft directive is perfect. We will work to ensure the final text is in Britain's interests and we will seek to negotiate out any proposals we believe are unnecessary.

I pay tribute to the work done by the European Scrutiny Committees of both Houses. They do much to ensure that European legislation is right for this country. On this specific directive, both Committees agree that there is a case for further EU action in this area.

Cybercrime is a major threat to Britain. The aims of the directive are consistent with the aims of the Government in protecting our country, our economy, our businesses and our citizens from those who seek to misuse the online environment. I commend this statement to the House.

Diana Johnson (Kingston upon Hull North) (Lab)

I thank the Minister for providing the Opposition with a copy of the statement in advance of the announcement to the House.

I have listened carefully to what the Minister said about the Government’s decision to opt in to the draft directive on attacks against information systems. It is clear that there is a growing threat of large-scale simultaneous attacks against information systems and an increased use by criminals of so-called botnets—networks of computers infected by a virus that can be activated remotely. There is clearly a real terrorist threat, as well. It is right to say that there has to be a robust and consistent approach to this problem, not only across the EU but internationally, and we know that a sensible way forward is to build on the framework decision agreed in 2005.

In a report by the Commission in July 2008, the implementation of the framework decision was found to be relatively good, but a number of new threats had been identified; the draft directive has therefore been produced. The matter was before the European Scrutiny Committee on 3 November 2010, at which time the Government still had not decided whether to opt in to the draft directive. I, too, pay tribute to the hard work that the Committees in both Houses do on behalf of us all.

I welcome the decision, but I have a number of questions for the Minister. First, why has the decision been made now to opt in to the draft directive? After the European Scrutiny Committee had considered the matter, the Minister wrote to the Chair of that Committee stating that a decision on whether to opt in had to be made by 23 December 2010, and promising to let the Committee know the decision at that point. I understand that he then wrote to the Chair of the Committee on 31 January confirming that the UK was opting in to the directive. When was the decision actually made? Was it made before 23 December? If the decision was delayed, why?

In his statement, the Minister said, “By opting in now, we do not accept that the draft directive is perfect. We will work to ensure the final text is in Britain's interests and we will seek to negotiate out any proposals we believe are unnecessary.” Would it not have been more consistent and logical to have opted in to the draft directive much earlier, to ensure that the British Government could influence it and have their say? On such a matter, and given that we are building on the already well-established 2005 framework decision, was it not in our interest to have our say early on? Why wait until the end of the process?

Secondly, we understand that there will have to be changes to domestic legislation on issues such as extraterritorial jurisdiction and including all the offences set out in articles 6 and 7. Will the Minister explain the exact changes that will be required, in particular to the Computer Misuse Act 1990 and any other legislation? When will the House be asked to deal with those matters?

Thirdly, the directive sets out the need for a national contact point to provide an initial response to urgent requests for information within eight hours. With the transition from the Serious Organised Crime Agency to the National Crime Agency, what ring-fenced funding will be available for the initial response work, and how will the overall cuts to the Home Office budget affect the ability to provide that response?

Fourthly, under article 15, there is a requirement for the collection of statistical information on offences covered by the draft directive, including details of the number of offences reported, the follow-up and the number of investigations, prosecutions and convictions each year. Although the Minister has indicated previously that some of those data are already collected, what further resources will be needed to ensure that the full datasets are collected, and who will do that? What additional resources have been allocated for the purpose from the £650 million he mentioned?

Fifthly, what plans does the Minister have for dealing with the increase in penalties to a maximum term of imprisonment of not less than five years? Does he envisage creating a new offence to deal with aggravating factors, or increasing the length of existing sentences?

Finally, may I press the Minister on another matter? Although we welcome the announcement of the opt-in to this directive, it is deeply disappointing that the Government have failed to opt in to the draft directive on human trafficking. We ask them to think again.