Mr Iain McKenzie (Inverclyde) (Lab)

- Hansard -

Copy Link

-

The growth of the internet has, without question, transformed our everyday lives. I say that as someone who spent many years working for a multinational corporation that introduced every home to the personal computer and introduced the business world to the speed of the e-mail. The importance of the internet is underlined by the part that it plays in our economy. The internet-related market in the UK is estimated to be worth £82 billion a year.

However, with greater openness, interconnection and dependence on technology comes greater vulnerability. To put that in perspective, cyber-attacks have been categorised as a tier 1 threat to the UK’s national security, which puts them up there with international terrorism, military crises and natural disasters. The threats to our national security from cyber-attacks are therefore real and growing.

Terrorists, rogue states and cyber-criminals are among those who are targeting computer systems in the UK. That is highlighted by the fact that 93% of large corporations and 87% of small businesses have reported a cyber-breach in the past year. Performing an attack need not be expensive. With minimal equipment in the right hands, a lot of damage can be done. However, protection against such attacks does not come cheap. The cost of a cyber-security breach can be between £450,000 and £850,000 for a large business and between £35,000 and £65,000 for small and medium-sized businesses, which are not insignificant sums. The UK faces a staggering 1,000 cyber-attacks every hour, at an estimated annual cost of £27 billion.

In cyberspace, power can be exerted by states, non-state organisations or individuals, or by proxy. The boundaries are blurred between the military and the civilian, and between the physical and the virtual. The threats to security and information in the cyber-domain include state-sponsored attacks, ideological and political extremism, serious organised crime, low-level individual crime, cyber-protests, espionage and cyber-terrorism.

Some of the most sophisticated threats to the UK in cyberspace come from other states that seek to conduct espionage, and some states regard cyberspace as a way to commit hostile acts “deniably”. That is why, alongside our existing defence and security capabilities, the UK must be capable of protecting our national interests in cyberspace.

“Advanced persistent threat” is the term used most often to describe threats that are unlikely to be deterred by simple cyber-hygiene measures. Acts of aggression or malice in cyberspace differ from those in other domains. Cyberspace is regarded as an asymmetric domain, which means that even adversaries of limited means can pose a significant threat to military capabilities. We will all agree that cyberspace is a complex and rapidly changing environment.

The British Security Service estimates that at least 20 foreign intelligence services are operating to some degree against UK interests in cyberspace, and their targets are in the Government as well as in industry. The Government have pledged £650 million for cyber-security over four years—0.6% of the cost of attacks. It is therefore essential that the MOD works alongside other Departments and the Security Service to ensure that there is no duplication or inefficiency, given budget constraints. We believe that the Government must ensure that every company working with the MOD, regardless of its size or the scale of its work, signs up to a cyber-security charter. That will ensure that hackers cannot use small suppliers to get into the systems of major defence companies.

With the armed forces now so dependent on information and communications technology, should such systems suffer sustained cyber-attack, their ability to operate could be fatally compromised. Because events in cyberspace happen at great speed, there will not be time in the midst of a major international incident to develop doctrine, rules of engagement, or internationally accepted norms of behaviour. That is why the Defence Committee recommended that the MOD make the development of rules of engagement for cyber-operations an urgent priority, and ensure that the necessary intelligence, planning and co-ordination functions are properly resourced.

The rapidly changing nature of the cyber-threat demands that a premium be placed on research and development to enable the MOD to keep pace with, understand, and anticipate that threat. The Government should make it a priority to develop robust protocols for sharing information with industry to allow expertise to be pooled. A cyber-threat has the capacity to evolve with almost unimaginable speed, with serious consequences for the nation’s security.

In conclusion, I repeat our call for the Government to ensure that every company working with the Ministry of Defence, regardless of its size or the scale of its work, sign up to a cyber-security charter.