Cyber Threats Debate

Full Debate: Read Full Debate
Department: Cabinet Office
Thursday 18th October 2018

(6 years, 2 months ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Fox Portrait Lord Fox (LD)
- Hansard - -

My Lords, I join other noble Lords in congratulating the noble Viscount, Lord Waverley, on securing this debate, which has been wide-ranging. It has moved from kettles to China, from spying to crime and to botnet threats. I look forward to the Minister encapsulating the debate in his response. For what it is worth, I would characterise its mood as a slightly uneasy sense that we have been doing the right things but may have to do a lot more. The degree of uneasiness has varied from noble Lord to noble Lord but I fear that I sit at the pessimistic end of that spectrum.

As the noble Viscount set out, we sit in a very complex landscape. That complexity has been deepened by the speed of change and the degree of connectivity across our lives. But we should not forget that there is also a huge political dimension to all this. The world is changing, probably faster than many of us have experienced for a long time. The move towards more autocratic leadership in some very important places fosters these kind of threats and that is why a multilateral approach is absolutely central. Many Peers have highlighted that—not least the mover of this Motion—and I will come back to it.

The other game-changer—I do not think this has been alluded to much—is the asymmetry in the possibility for one individual a long way away to take on a Government or a large national corporation, or at least think they can. I do not think we have seen that situation before, and it emboldens individuals or groups of individuals to do things hitherto not considered possible. The Government have clearly demonstrated that they are seeking to commit on this issue. It is hard to tell how successful this has been, because as the noble Lords, Lord West and Lord Ricketts, and others, have highlighted, the NCSC has been active and—we believe—successful, but we do not see its best work. That is the conundrum with those kinds of agencies; it is defending a negative. But looking forward, I would like to hear from the Minister how the Government support the NCSC and how its role will grow.

Of course, as a number of speakers have said, it is not just about government. Businesses and individuals are all involved and we all have to run very fast to keep up with changes. I had two emails today seeking to compromise my bank account—I am sure most speakers did. At a business level, the noble Lord, Lord St John, is right: it comes to the fore from time to time but very rarely flows from the IT team to the C-suite. One suggestion I would have is that if businesses were required to report—at least partially—the amount of cybercrime they were resisting, the C-suite would be confronted with it on a more systematic basis, and would perhaps do something about it by seeing the benefit of investment in that kind of technology.

This takes us to the critical national infrastructure. Again, I would be pleased to hear from the Minister how the Government believe the CNI community is reacting to the threat. Is it stepping up to the plate and actually moving fast enough? Again, it is hard to tell. Organisations such as the NHS—a part of our infrastructure in a different way—clearly were not investing in IT, and, as the noble Lord, Lord Borwick, set out, it suffered the consequences. We have rail, road, the electricity distribution networks and the other utilities. Where do the Government think we are on the road to resilience? Stepping beyond that, the Government have resolved to work with the communications service providers and industry to make the internet more secure, so what is the progress? What are the landmarks on that journey? The physical architecture of our internet providers is clearly very vulnerable; it sits in green boxes on the most of our street corners. Delivery is poorly controlled, as we know. If that is an example of resilience, I am not filled with confidence.

Of course, we have also seen how the private sector has suffered from what I would call self-inflicted problems. That serves as another interesting series of cases. One is the complex and jumbled nature of the technology that many of our largest corporations have. They have layer upon layer, with legacy technology that dates back not just years but decades. Across Britain, some of our most important institutions are built on computer technology that goes back to when I was an undergraduate at university—I have to tell you, that was some time ago.

A further point has arisen around the internet of things and the idea that the boss’s kettle will listen in on important discussions. We can challenge the culture of “Everything always on; everything always in the cloud”. That was not always the case and I do not see why it should always be what we do in the future. As the noble Lord, Lord West, said, the Government have a role in advising individuals where they should put their data and how accessible that data is—24/7 or not at all. We would not stick our entire wealth in a shed at the bottom of our garden, put a bolt on it and expect no one to steal it. So why do we put all our data into the cloud with a flimsy password and expect people not to extract value from it?

However, it is not just about Governments. As I have just alluded to, criminals innovate. International crime is a global free enterprise and an extraordinarily successful innovator. Government is not usually as good an innovator as individuals working in those ways. That innovation then spreads to state actors. We have seen how state actors can take on some of the technology that sits in the dark web and put it to their use. Regulators and government are very slow to react. We have only to look at how Russia sought to disfigure the EU referendum debate to see how slow the authorities have been to respond. We want some sense of how government is seeking to speed up the response to innovation in crime and in state ventures.

The noble Lord, Lord Lucas, highlighted the role of the private sector. The relationship between government and private sector and how technology is adopted are important elements. What do the Government think is the right balance between technology developed in the private sector and technology which government seeks to develop? Who decides what and where the focus should be in what we develop as a government or authority? How do the Government develop meaningful relationships with the private sector? In some cases, companies which have such technology are not those which want to be associated with government. How do we create those relationships?

Once we have the technology, how do we hold on to it? We have seen highly innovative players in our own sphere develop technology which has then been hoovered up by large parts of the internet oligopoly and, frankly, taken out of use for other players. If we need an example, we should look at the three main private sector global companies, which are buying up the patents in blockchain technology. They are taking it out of use for other people for their own uses. I am sure that it is the same for quantum computing as well. How do we hold on to what we have?

Of course innovation is difficult, as many noble Lords have said, but it is about having the right people. The noble Lord, Lord St John, and the noble Earl, Lord Erroll, were right about the need to bring in a broader community of individuals, not least because the sort of people coming out of university and being recruited to the cyber technology sphere are also recruited by a bunch of other people. They are being recruited to be engineers or to be the quants in big banks. They are a sought-after community of people, so we need to broaden our footprint. The noble Lord, Lord St John, talked about drawing in people from the armed services. Something worth looking at is how people are recruited to come in and take engineering degrees. The new university that is starting up in Hereford is changing the approach to recruitment for engineering, which has always been maths dominated—if you do not have a maths A-level, you cannot do it but people develop at different paces and as different sorts. Some of those initiatives are very important, because we have to deploy the full intellectual capability on our side in this country.

On accountability, I do not intend to throw stones at the Department for Digital, Culture, Media and Sport, but is it the right place to co-ordinate the skills, when other ministries hold the education and further education budgets and when we have UK Research and Innovation? Where should the skills portfolio sit? Is the Minister happy that this is the right place for that technology?

The noble Viscount was right to highlight the need for international co-operation post Brexit. The Government are right to try to maintain co-operation, assuming Brexit happens, with the EU 27, but how will it work? Will the EU network and information systems directive be replaced like for like? Will we shadow it? I am sure that the Minister has heard the same questions in respect of lots of other rules and regulations. The question is: how and when? Given that the European Union Agency for Network and Information Security is a legal organisation, how do we subscribe to it when we are not a member of the European Union? It is all very well to say that we have an aspiration for such things; I am more interested in the how and when.

On internationalism, the UK needs to continue to be a key driver in the multilateral approach to these matters. We have mentioned Five Eyes, NATO and the Commonwealth and beyond. We must not let the signals that can be interpreted from the Brexit process be seen as a withdrawing from multilateralism. I believe that the Government are committed to those institutions and working to make them more effective, but an endorsement from the Minister would be helpful.

Today, almost every warp and weft of our national fabric comprises digital communications and digital data. The implications of widespread denial of service have been seen at the very least through what WannaCry achieved in attacking the NHS and what individual businesses have managed to achieve through acts of self-harm. Those are just relatively unsophisticated examples of what can happen; we have heard predictions or worries about much more profound attacks. That is why I welcome this debate and why the contributions that we have heard today are very important. I look forward to the Minister’s response.

--- Later in debate ---
Lord Young of Cookham Portrait Lord Young of Cookham (Con)
- Hansard - - - Excerpts

My Lords, this has been an excellent debate and I thank all the speakers who have brought a wide range and depth of experience and expertise to it, not least the mover, the noble Viscount, Lord Waverley, who made a thoughtful introduction and crammed 15 helpful suggestions into three minutes at the end of his speech. A number of themes ran through the debate, in particular the need for partnership. I hope I have not misunderstood the tone of the debate when I say there has been no fundamental disagreement about the thrust of government policy, but some severe warnings and some very helpful suggestions about how we might do better. Some of them were on a highly technical front, and some were based on broad common sense.

I say to the noble Viscount that this is a very timely debate, following the second anniversary of the National Cyber Security Centre and the publication of its 2018 annual review this week, which was launched by the Chancellor of the Duchy of Lancaster, the director of GCHQ and the CEO of the NCSC. It is one of the best annual reports I have seen as a Minister, although I have not risen to the challenge on the last page,

“Can you find the secret codeword?”


As this debate has made clear, protecting the British people, the systems that we rely upon and our very democracy itself is a central responsibility of government. As our digitally connected world has rapidly expanded, so too has the scale of vulnerabilities and the frequency of attacks that we face—a point well made by my noble friend Lord Lucas. It is for this reason that cybersecurity remains a top priority for the Government, because it impacts on our national security and our economic prosperity. I was impressed by what the noble Lord, Lord St John of Bletso, said when he outlined the cost to the economy of lax cybersecurity.

We recognised the need for a comprehensive and active response when we launched the National Cyber Security Strategy in 2016, where we defined a cyberattack—this is in response to the request from the noble Viscount, Lord Waverley, for a definition —as a,

“deliberate exploitation of computer systems, digitally-dependent enterprises and networks to cause harm”.

We set out ambitious proposals to defend our people, deter our adversaries and develop the capabilities we need to ensure that the UK remains the safest place to live and do business online. Those proposals will be supported by £1.9 billion of investment over five years, which was mentioned by many noble Lords, to drive transformation. The noble Lord, Lord Kennedy, asked whether I thought that that was enough. He will know that there is a spending review for 2020 onwards, and I am sure that the concerns expressed in this debate will be taken on board as colleagues move to a decision on future spending patterns.

One of the most visible elements of the strategy was the formation of the National Cyber Security Centre to bring together our very best intelligence and technical expertise in a world-leading authority—the noble Lord, Lord Ricketts, described it very aptly—that will be our single centre of excellence to innovate and create, to work in partnership with industry to block attacks on a scale of tens of millions per month, which was mentioned by several noble Lords, and to blend behavioural science with technical expertise to provide the best advice and guidance for people and organisations to protect themselves.

On our response when attacks get through, the NCSC brings everyone together to reduce the harm from significant incidents, whether that is an attack on Parliament, which was referred to by my noble friend Lord Borwick, or disruption to health services. On the attack on Parliament, I understand that it is unlikely to recur. I have had a note from the chief technology and security officer in Parliament that says that the correct people now get the required detail from Parliament’s Apple account manager to make sure that such a delay does not happen again. Our response is calibrated by the severity of the attack, and the National Security Council will consider the full range of security, diplomatic and economic tools at our disposal.

How we set up the National Cyber Security Centre reflects the single, clear message that underpins our strategy, which has been echoed throughout this debate, that we need not a whole of government approach but a whole of society approach, as the noble Lord, Lord Ricketts, described it. The noble Viscount, Lord Waverley, asked how we are delivering it. The national strategy binds all of government into delivering a set of cross-cutting objectives which require a collective response that reaches out to the private sector and beyond—and, indeed, to other countries, because while we can lead the way, we know that we cannot solve these problems alone. This point was made by nearly every noble Lord who took part in this debate.

On the key subject of skills, which was raised by the noble Viscount, Lord Waverley, and the noble Lords, Lord Ricketts and Lord St John of Bletso, we are already developing a pipeline of talent and inspiring and developing cybersecurity experts and entrepreneurs, whether through our programmes in schools and universities, our work with industry to figure out the best way to retrain career changers with aptitude and ambition and by promoting cyberapprentices. On the specific recommendations of the Joint Committee on the National Security Strategy—a question raised by the noble Viscount—the Government have recently submitted their response and we look forward to its publication.

We also are building on our world-class universities and ground-breaking research to establish a pipeline of cutting-edge cybersecurity companies with a range of interventions to incubate and accelerate and to support our innovative companies to export overseas, turning many great ideas into global businesses. This in turn will help other countries to become more secure and will boost the UK cybersecurity industry, which is now generating more than £5 billion for the economy.

Lord Fox Portrait Lord Fox
- Hansard - -

Before the Minister moves on from skills, I asked whether the right ministry was carrying accountability for skills at a national level. All the examples he gave referred to ministries other than the department that has it.

Lord Young of Cookham Portrait Lord Young of Cookham
- Hansard - - - Excerpts

I was referring to the responsibilities of the Department for Education. The relevant Minister is sitting at my side and will have heard that. We will write to the noble Lord, giving a more detailed reply on the role of that department, if that is what he wants.

The Government actively manage potential risks to UK infrastructure—a point on CNI raised by the noble Lord, Lord Fox. This includes risks related to foreign equipment used in our telecoms industry. This important issue was raised by the noble Lord, Lord West, who expressed concerns about our telecoms structures. I want to make it clear that the Government have not banned ZTE. The NCSC has raised its concerns about the ability to manage the risk of having more Chinese-supplied equipment on UK infrastructure undermining existing mitigations, including those around Huawei. The noble Lord is right that we cannot ban our way out of this, but I can confirm that the Department for Digital, Culture, Media and Sport, with the NCSC, is leading the review into the security and resilience of our telecoms supply chain.