Cyber Threats Debate

Department: Cabinet Office

Cyber Threats

Lord Borwick Excerpts
Thursday 18th October 2018

Lords Chamber
Lord Borwick (Con)

My Lords, it seems to me that cyber threats fall into two categories, which are separated by complexity: first, the highly sophisticated attacks, often those sponsored by foreign states; and, secondly, the simpler, basic attacks, often by individuals or small groups of hackers. No doubt we will hear that the large-scale, often global attacks are well fought off by our people at GCHQ, but it is clear that they have a vastly complex task to defend against this sort of problem. A large part of such defence must be deterrence, and I hope that my noble friend the Minister will be able to tell me that we have a sufficient number of people with the requisite skill sets working on this. I also believe that offensive capacity is of the utmost importance; much like nuclear capability, having it makes it unnecessary to use it.

A large number of attacks are pretty basic, such as the WannaCry attack on the NHS last year. I hope that the embarrassed senior managers who supervised the use of obsolete software that could easily be broken, but should have been updated, have been held to account—and that they have subsequently raised their game. Press reports state that some of the machines that were attacked were still using Windows 95. Of course, when faced with intense lobbying from unions and staff, it is always a challenge for the NHS to choose to spend budgets on software over wage increases. But the WannaCry attack reportedly cost the NHS £92 million, which leaves a lot less money for services and indeed future wage increases. Such consequences ought to help managers to get their priorities right.

There is a problem developing that we ought to discuss: the proliferation of passwords, a point made by the noble Lord, Lord West. On a normal day, we may be asked for about 20 passwords and PIN numbers. It is unrealistic for us to keep to the system of a different unique password for each website, service and machine. Certainly, the Californian legislature recently legislated to ban default passwords on any internet-connected device. Anything produced or sold in California that can connect to the internet will come with a unique password, or it will default to require users to make a unique password when they switch it on for the first time. I understand from last weekend’s Sunday papers that the Government are asking the same of our systems. The idea that default passwords such as “admin”, “123” or even “password” are so widespread is obviously worrying, and I have passed on to the Minister a cringingly embarrassing example of this on the parliamentary estate. However, I feel that the solution may be at hand with new password generator programs. They generate complex, unique passwords for the user, and there are even free ones, which can easily be installed.

Regularly updating software is a basic security rule. That was why it was so disappointing to receive an email from the Parliamentary Digital Service customer relations team, as we all did on 21 September 2018, telling us not to update to the new Apple operating system. All that told me was that our people did not have enough time to test our parliamentary programs against the new standard, using the widely available beta programs provided for all other uses. Did we not try them out before the release of iOS 12, as everybody else did? Our digital team did a great job when the whole Palace of Westminster was attacked a few months ago, but such an email just says, “We’ve failed you”. In the future, I understand that the vast majority of updates will be done automatically overnight. Soon, advice not to update will be as silly as the advice to a car driver, “Don’t forget to count the number of tyres on your car before driving away”. Certainly, updates should be under the control of the user, not the manufacturer of the software. For a user, the very best defence against cyberattacks is to update the software when that is possible.