Lord Arbuthnot of Edrom
Lord Arbuthnot of Edrom (Conservative - Life peer), debates with the Ministry of Defence
(10 years, 8 months ago)
Commons Chamber
Given how long I have been in this House, I really ought to know whether I should be thanking the Backbench Business Committee, the Government, the Chair of the Liaison Committee or you, Madam Deputy Speaker, for my securing the debate. Just to be on the safe side, I will thank them all, and especially you.
I apologise for interrupting my right hon. Friend so early in his speech, but he makes a good point. In the old days, we had regular, sensible defence debates throughout the year, but they are now at the discretion of the Backbench Business Committee, which is a retrograde step.
My hon. Friend makes a good point, but it rebounds slightly on the Defence Committee because we have been told that we are responsible for applying for such debates and, I have to confess, we have not done so in recent months, so perhaps we ought to revisit that.
The Defence Committee launched an inquiry into defence and cyber-security in January 2012, as part of a series of debates and inquiries looking into emerging threats. It was the first time the Committee had investigated cyber-security as a discrete topic, although in 2009 we had looked at Georgia and Estonia, and visited Tallinn, as part of another inquiry. The UK Government had identified cyber-threats as one of four tier 1 risks to national security, and in November 2013 published a UK cyber-security strategy, updating their 2009 strategy and setting out four objectives: first, to make the UK one of the most secure places in the world to do business in cyberspace; secondly, to make the UK more resilient to cyber-attack and better able to protect our interests in cyberspace; thirdly, to help to shape an open, vibrant and stable cyberspace that supports open societies; and fourthly, to build the UK’s cyber-security knowledge, skills and capability.
The programme is to be implemented via a four-year national cyber-security programme costing £650 million, and the Chancellor of the Exchequer announced an extra £210 million investment after the 2013 spending review. The funding is shared between the security and intelligence agencies, the Ministry of Defence, the Home Office, the Department for Business, Innovation and Skills, the Cabinet Office and the Foreign and Commonwealth Office, but most will be spent by the security and intelligence agencies.
During our inquiry, the Committee investigated whether the high profile given to the cyber-threat in the UK was matched by a coherent plan and a chain of command in the event of a major cyber-attack on our national infrastructure or our national interests. The complexity of the threat must be matched by an agile, many-layered response; accordingly, many different agencies are involved in the cyber-security effort, ranging across cybercrime, cyber-espionage and cyber-commerce. Cyber-security is therefore to some extent everybody’s responsibility, but we must avoid its ending up being nobody’s responsibility as a consequence. Someone has to be in charge.
It is good to see so many colleagues here to take part in the debate. If we contrast the approach taken in the United States, where there is a unified structure under CYBERCOM, with the disparate approach taken in the United Kingdom, does the right hon. Gentleman share my concern that we seem to have a number of lessons still to learn?
Well, there are pluses and minuses to having a unified structure, and there are risks in having a siloed approach. I said this is the responsibility of everyone, and so it is. I shall explain how wide that responsibility extends.
Further to that, although a number of Departments have an interest, was my right hon. Friend assured by the MOD—within his sphere of responsibility—that there is a single individual in charge? I understood from reading his Committee’s report that the Joint Forces Commander is currently responsible, but the intention is to have the Chief of Defence Intelligence involved as well, and perhaps to appoint a three-star Defence Chief Information Officer. The report did not make it clear to me where we intend to go. The Americans have a four-star in charge. Is my right hon. Friend convinced that there will be an individual clearly responsible for the MOD’s part of the spectrum?
Things have moved on since our Committee reported. There is somebody in overall command and that is my right hon. Friend the Minister for the Armed Forces, who will, I have no doubt, set out precisely how things have moved on when he responds to the debate. That is the purpose of Select Committee reports, and I am pleased about that.
The Committee was particularly concerned that the armed forces are now very dependent on information and communications technology and if those systems suffered a sustained cyber-attack, their ability to operate might be fatally compromised.
We are talking about cyber-technology, but may I use an old-fashioned phrase in warning of the danger of having all our eggs in one basket?
Yes, and I entirely agree. I have discovered a new organisation being set up in Cambridge called the centre for the study of existential risk, which is right up my street. Being a gloomy sort of person, that is precisely the sort of thing I am worried about, and the hon. Gentleman will not be surprised to hear that I am already in deep contact with the centre.
I have heard of that work at the university of Cambridge, too, and I am in favour of it, but may I take my right hon. Friend back to his point on co-ordination? Surely the bottom line of the response to any major threat to this country, whether it is flooding or rioting and so on, is the armed forces. Does he share my concern that there seems to be no mechanism for referring problems in other sectors through to the MOD and, crucially, that there are no rehearsals taking place?
I do, and I hope that in answering the debate my right hon. Friend the Minister for the Armed Forces will take that point straight on the chin, because in many respects the armed forces are the resource of last resort, and cyber-security may be an area where the armed forces do not accept that responsibility.
There is a necessary focus within the defence world on securing the systems and networks needed by the MOD and the armed forces from cyber-threats. It is not only contemporary civil society that is utterly dependent on network technology; our armed forces are increasingly reliant on such technology for the tools of warfare, and the next step must be to ensure that the supply chain for those systems and their components is secure. That will require a trusting, transparent relationship between Government and their suppliers, with full disclosure of attacks and possible vulnerabilities, which runs all the way down the supply chain. The UK has world-class expertise and facilities on which to draw, but will the Government be able, in competition with the private sector, to keep enough of that expertise and experience in the service of the state? Are there enough such people to serve both and how should we prioritise?
The announcement by my right hon. Friend the Secretary of State for Defence in September 2013 about the establishment of a joint cyber reserve unit is a significant development, but that will rely on FTSE companies and other, smaller companies releasing key personnel to participate. Will my right hon. Friend the Minister for the Armed Forces tell us what progress has been made? According to the Government, the number of ICT and cyber-security professionals in the UK has not increased in line with the growth of the internet. Are there enough experts in industry willing to join a cyber reserve? Will technology experts—the geeks of our world—fit well within highly regimented military structures, or will a more flexible structure be required to facilitate their work?
The right hon. Gentleman is rightly raising just some of the myriad questions about the future in cyberspace. Does he agree that these questions are so wide-ranging and fluid, given the incredible acceleration in technology, as to pose the question whether in future we should have vari-speed defence and security reviews? On larger items we should look beyond the 10-year horizon, but in cyber, five years is far too long for what is happening.
Like my hon. Friend the Member for Canterbury (Mr Brazier), the hon. Gentleman contributes effectively to the Defence Committee and makes an interesting point—one I had not heard before. That is the value of these debates. We will all have to think about that issue.
We must seek to defend ourselves, but we must also, as has been suggested, expect to develop a capability to respond to threats in cyberspace. When doing that, we face some of the same considerations as when developing conventional military capabilities. Where does the balance lie between international collaboration and sovereign capability, for example? What sort of international arrangements will best suit our aims?
My right hon. Friend the Secretary of State also talked about how the UK was developing a full spectrum military cyber-capability, including strike capability. This is an interesting and novel declaration. Everybody knows it has happened but nobody has been prepared before now to announce it. Will this declaration act as a deterrent or will it make the UK a more likely target for hacktivists and foreign states? What about the legal implications of establishing a strike capability for the personnel involved? The necessary rules of engagement for cyber-attack need to be put in place, although of course we will not be told about them.
Some maintain that cyber is just another military domain and that we can expect to do everything in cyberspace that we do in the air, on land or at sea to prevent, deter, coerce or intervene. But has the distinctiveness of the cyber domain been fully grasped? It is not clear, for example, that deterrence is a concept that can apply to a domain where there are real difficulties in discovering quickly who has perpetrated an attack and for what purpose, or even that an attack has taken place. Neither is it clear that everyone has grasped how important it is to avoid a silo approach to the cyberworld. It is essential to break down the dividing lines between civilian and military, among Government Departments, between Government and the private sector, and between our country and other countries, and therefore to approach the issue in an holistic way. Paul Dwyer of Mandiant came to brief the Defence Committee and told us that it takes a network to defeat a network.
Perhaps because the threat cannot be neatly categorised, it may be unrealistic to expect a neat categorisation of the responses. Everything we have been told in the UK emphasises that the armed forces have a very limited role, protecting their own systems and developing military cyber-capabilities. For other areas of activity, those in the lead are likely to be based elsewhere, particularly in the intelligence services. That is where the important point made by my hon. Friend the Member for Canterbury comes in.
My right hon. Friend makes a good point about the threat being so diverse as to be difficult to counter. None the less, the briefing we were given by Mandiant was very interesting: there are a large number of extremely serious attacks, not by a lot of people but by one or two groups. He even named Unit 61398 of the People’s Liberation Army as one of the main culprits. In other words, it would be reasonably easy for the British Government and the MOD to counter a specific attack such as that.
I am sure that my hon. Friend is right in saying that the Government are well aware of where some of these attacks are coming from. I do not agree that it would be relatively easy to counter them, because these threats are developing at a frightening speed, as the hon. Member for Barrow and Furness (John Woodcock) said. The diversity and development of these threats is changing on a second-by-second basis.
I am pleased to say that the Government are taking action to make the UK more resilient to cyber-attacks. They have established a new computer emergency response team in early 2014, CERT-UK, to improve the co-ordination of national cyber-incidents and to share technical information among countries. The Government set up a new cyber-incident response scheme in GCHQ to help organisations recover from a cyber-security attack. They have extended the remit of the Centre for the Protection of National Infrastructure—the CPNI—to work with all organisations that may have a role in protecting the UK’s critical systems and intellectual property. They have agreed with regulators in essential services a set of actions to make sure that important data and systems in our critical national infrastructure continue to be safe and resilient. As I have said, responsibility for cyber-security rests principally with companies and organisations themselves. Government agencies’ roles will be limited by available resources and national priorities.
Does the right hon. Gentleman agree that there is a difficulty in making cyber-security just a defence issue and saying that the issue lies with companies? There is a network of things that need to combine, and we have not yet developed a system to create resilience across the spectrum; there are only chimneys of responsibility.
The hon. Lady is quite right. We are groping towards it, but we are not quite there. One of the benefits of this debate, of our report and of the Government’s response is to help us move to a better place.
My right hon. Friend makes an important connection between the business community and state operations. I am concerned that state operations do not have the funds to attract the necessary expertise—geeks, my right hon. Friend called them—when they are in demand in the civilian sector. Banks and so forth pay huge sums of money to make sure they are able to fight off any cyber-security issue. Does he agree with a stance that my hon. Friend the Member for Canterbury (Mr Brazier) might take—that there is a need to make sure that those in the reserve forces who actually have such skill sets through working in businesses can work in the MOD as well?
I would have entirely agreed, but the problem may be whether there are enough reserves and enough people with those skills in the country at all. Let us move on towards that.
To deal with the point made by my hon. Friend the Member for Bournemouth East (Mr Ellwood), that was one of the key factors in the strategic defence and security review of 2010. The then Secretary of State for Defence, my right hon. Friend the Member for North Somerset (Dr Fox), said that we needed to see “up arrows” and “down arrows”. Heavy armour was a down arrow but cyber was an up arrow. Some £500 million was set aside specifically for this purpose, so it has been identified as a serious and important area for investment.
Interestingly, the Prime Minister, in giving evidence to the Joint Committee on the National Security Strategy, pointed out that some of the areas had cuts but that this area was one of growth. His regret was that it had not been one of greater growth, and that that change had not been more exaggerated than it was.
I ought to bring my remarks to a close, as others want to speak. Paul Dwyer told the Committee that the willingness of companies to share information about cyber-attacks with one another and with the Government is critical to allowing an effective response to be developed and implemented but, while critical, it is far from easy to achieve.
I am a little concerned that my right hon. Friend is bringing his arguments to a close, because he touched on one point that I was rather hoping he would develop. He said that the Committee visited Estonia. For people who, like me, were not part of the Committee’s study, it would be extremely helpful to know in concrete terms a little more about what it discovered on that visit about what a cyber-attack by a hostile neighbour can really mean.
The Committee visited Estonia in 2009. It has still not been conclusively established who precisely was responsible for the attacks that took down much of that country’s banking system, although we have our suspicions—they may have been marching around in unmarked uniforms. We discovered that the attack had been comparatively easy to achieve. It was a distributed denial-of-service attack that did real damage. We also discovered the international centre of excellence in Estonia, which at that stage the Government were not contributing towards in dealing with cyber-attacks. I am delighted that they have since decided, perhaps as a result of our incredibly effective report, to contribute to the centre.
I was biding my time, but the intervention from the hon. Member for New Forest East (Dr Lewis) has prompted me to intervene. Has any evidence yet come forward to suggest that what is going on in Crimea has involved cyber-security breaches either way?
If there is evidence of that, I do not yet know of it. All I can say is that before the invasion of Georgia there was an extensive cyber-attack on its computer network that was very similar to the one on Estonia. I suspect that it is now a new method of fighting wars that we must all get used to.
The need to share information is critical, as I have said, and important mechanisms for that exist, such as the cyber-security information sharing partnership, which is now open to companies beyond critical national infrastructure sectors, including small and medium-sized businesses. CISP analysts will be expected to feed into CERT once it is fully operational.
The Committee produced many recommendations, but our final conclusion was that the cyber-threat, like other emerging threats, has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation’s security. The Government need to put in place—they have not yet done so—mechanisms, people, education, skills, thinking and policies that take into account both the opportunities and the vulnerabilities that cyber presents. It is time the Government approached the subject with vigour. I am pleased to see the actions that they have taken since we issued our report. Clearly there is much more to be done—in the cyber world it is a matter of constantly playing catch-up—but I personally have the impression that the Government are, at the very least, joining in the game.