(10 years, 8 months ago)
Commons Chamber
I welcome the chance to debate the UK’s cyber-security defence. Cyber-security is a particularly wide-ranging subject and cyber-attacks are a growing threat. Without stating the obvious, a cyber-attack could impact on everyone’s lives in many ways. We are now all very reliant on technology and the internet; without our mobile phones or when our e-mail goes down, we almost cease to function.
A major cyber-attack on any of this country’s main utilities, such as transport, energy or the banking system, would cause chaos. It would be, at the very least, very bad for the economy; it could, in the worst-case scenario—if we did not have the means to transport food and fuel, for example—cause social breakdown in a short time. South Korea, for instance, has suffered huge jamming attacks, launched by North Korea, against its GPS systems. They affected major airports and shipping lanes. The travel of more than 1,000 ships and 250 planes was disrupted by North Korean jamming attacks in 2012.
Cyber-security needs to protect us against many threats: criminals attacking personal data, small-scale political activists—or hacktivists, as somebody said earlier—and state-sponsored hostilities. The Government’s cyber-security strategy is along the right lines and has led to the national cyber-security programme, which has clear objectives.
Cyberspace is often compared to the wild west and thought by some to be beyond the rule of law. However, our Government have made it clear that it is not and they have encouraged law enforcement teams to use the existing legal framework to prosecute. When cyber-crime emanates from overseas, the Government are working with the G8, the United Nations, NATO and the European Union to help shape the standards and norms of behaviour for cyberspace. Obviously, the solutions have not all yet been found but the discussions are ongoing and the work is slowly evolving. I am pleased that the work has started in earnest.
Part of the solution is a normal, sensible protocol for cyber-security on the domestic agenda and it can be addressed through simple best practice. There is a knowledge gap and the Government are addressing it in the long term via the development of education in cyber-security: teaching materials on cyber-security are being produced for GCSE and A-level students. Academic centres for cyber-security have been set up in 11 universities. Investment in education is far-sighted and will position the UK with experts in the cyber-security arena.
The Government have also gone some way to engaging with industry by setting up the Cyber-Security Information Sharing Partnership. Furthermore, the Centre for the Protection of National Infrastructure, or CPNI, is working with businesses to encourage them to make cyber-security a board-level responsibility. The current work on the development of an official cyber-standard will help stimulate the adoption of good cyber-practices among businesses. Given the risks to our infrastructure as a whole, the Government have highlighted the role of regulators in overseeing the adoption of robust cyber-security measures. The companies that supply essential services such as power, telecommunications, water, transport and banking, need maximum protection.
I praise the many organisations that are tasked with upholding the Government’s cyber-defence plans. However, as has been said, the threat is so great that I worry that as a nation we are not doing enough, fast enough. An industry study produced by BT last month found that British companies are lagging way behind rivals in other major countries in addressing cyber-security risks. The survey found that only 17% of UK businesses see cyber-security as a priority compared with 41% in the US. Nearly 90% of directors and decision makers in the US are given IT security training, but in the UK it is only around 37%.
On defence, our armed forces are among the most technologically advanced in the world, and I am sure we are all proud of that. In theory, that allows us to put fewer of our people in harm’s way and their lives at risk. However, as the Under-Secretary of State for Defence, the hon. Member for Ludlow (Mr Dunne) said recently, it makes every aspect of our military capability vulnerable to cyber-attack. Obviously, there is no point spending millions on developing leading-edge technology without the cyber-security to stop it being felled by a single cyber-attack.
The Defence Committee noted that the Army has between 35% and 40% too few corporals and sergeants to man its cyber-capabilities. The Government have rightly set up a joint cyber-unit for the reserve forces, which was going well towards the end of the year, and others have said that the reserve forces will play a crucial role in our future capability. The Government have instigated broadly sensible long-term solutions such as apprenticeships to fill the staff-skills gap in industry and business, but how can we attract more trained staff immediately, especially in the defence reserve?
A further concern is that the threat is so wide and imminent that the command structure is not resilient. I understand that the global operations security control centre at Corsham has been empowered to take rapid action without direction from above to defend the MOD’s own networks from attack. That is great, but with the many groups set up to implement the UK cyber-strategy, how will one section know what the others are doing when an attack has happened?
We are all pleased to see my hon. and gallant Friend back in full working order. The GOSCC is in my constituency, and does an outstanding job in providing cyber-security for the MOD. Is he not concerned, as I am, that with the plethora of Government and MOD organisations with responsibility for cyber-matters, the expertise of GOSCC is being undermined by a variety of quangos and committees whose exact function is clouded in mystery?
I thank my hon. Friend for his intervention. He is absolutely right. Within the chaos of a potential attack, I am not sure how the disparate groups would communicate with one another, how there would be a uniform chain of command and how it would work in practice. GCHQ seems to be in charge, but in other countries the matter would fall under the Ministry of Defence. It is fine that the MOD seems to be still developing its own basic cyber-security techniques with the armed forces setting up separate units, but it is the responsibility of the Centre for the Protection of National Infrastructure to take the lead in co-ordinating a UK response to a major cyber-security incident.
An extremely clear command structure will be needed to deal with a cyber-attack, which may come from a political group such as the group that claimed that the Sochi games were being held on the graves of millions of people who had been murdered and that was, according to the US Government’s computer emergency readiness team, threatening companies financing or supporting the Sochi winter games with cyber-attacks.
The response would be different if an attack was state-sponsored, but it would be extremely difficult, especially in the first day or so, to determine where the threat came from and whether it came from an individual or a country. The internet is worldwide and even if we knew where the attack came from geographically, it would be difficult to identify who was behind it.