Lord Reid of Cardowan

- Hansard -

Copy Link

-

My Lords, I begin by paying tribute to the young men and women of our Armed Forces who, day in and day out, protect us and our families, our country and our national interests, often risking life and limb and sometimes making the ultimate sacrifice. We owe all of them a deep debt of gratitude for what they do.

When I ask myself what is the chief characteristic of the modern world, it is difficult to escape the conclusion that it is, as the noble Lord, Lord Howell, said earlier, its networked nature. What also strikes me is that it is the predominance of this country in global networks that has led to the United Kingdom becoming known as a great power. It came about originally through exploration, then through the domination of our naval networks around the world, and then through the domination of the financial sector because of the networked nature of international finance. I want to spend a few moments talking about something that receives little attention, but I think it should because it is the central characteristic of today’s networked world, and that is cyberspace. I do this in the full belief that it is essential not only for our growth and our pre-eminence, but for our national security and our defence. I declare my registered interests in the academic and private sectors in this subject.

Cyberspace is an environment characterised by its breadth—it is transnational, across over 192 countries. It is deep, because it diffuses power downwards, now to nearly 4 billion people who have never been able to gain information, to influence or to communicate before. It is ubiquitous and now runs through politics, economics, finance and our social networks, as well as many other aspects of life. It is truly the first environment made by men and women. It is not just an amalgam of technologies anymore or a means of communication, it is an environment like the land, sea, air and space. That has enormous consequences for us in terms of our national security. It means that we now have a fifth domain of warfare potential as well as a source of great opportunity. That makes us very vulnerable if we are not alert to it, both in concept and in practice. Of course, cyberspace has been an amazing gateway of opportunity for billions in the world, but it has also seen an equal growth in virus and malware development; from the first malware inserted by floppy disk back in 1981 to the myriad threats we now see. I will not rehearse them to this House but they are extremely sophisticated.

Suffice it to say that three years ago, when I chose to raise the subject in my maiden speech, the pursuit of the study of cyberspace was regarded as a rather iconoclastic occupation of mine. We now hear of malware attacks every day, on big names such as Microsoft, Apple, Lockheed Martin, ThyssenKrupp and so on. It might astonish your Lordships to know that it is much more widespread than just those headline names. Last year, 93% of companies in the United Kingdom with more than 250 staff suffered a cyberattack on their systems. It is not just the quantity—we now face an increasingly sophisticated array of persistent attacks, sometimes lasting months or years. They are targeted, adaptive and dynamic attacks that can change as they hit the defences that have been installed for them. They can involve compromise of the supply chain and the storage of vulnerabilities—reconnaissance, if you like—in order to probe weaknesses for future use. All this is going on at the moment and that vulnerability will increase as we move to consumer technology in our workplaces: smartphones and so on, the movement to the cloud, and the “Internet of Things”, from road charging to pacemakers. All that will become more and more vulnerable.

Why does all this vulnerability from the network world matter to defence and national security? It is because our critical national infrastructure is now more vulnerable than ever before. Software systems and industrial operating systems will protect our water supplies, supply our energy distribution and generation, land our planes, run our trains, heat our homes and underpin our hospitals. They will become the infrastructure on which our lives, livelihood and morale depends. Why use an expensive platform such as a nuclear submarine to launch an expensive weapon such as an intercontinental ballistic missile when we have that platform in all our pockets and in an iPad in most of our bags?

All of them now allow the possibility of enormous damage, as can be seen through the operation of the Stuxnet virus, which, unknown to the Iranian authorities, was effectively running—or mis-running—the centrifuges that were meant to produce their enriched uranium. All that, every passing day, should alert us. I have just learnt today that there has been another wave of attacks on major US corporations, specifically aimed at energy supplies. That is the critical national infrastructure vulnerability that we face. Of course, there has been some response from the Government, for which I give them credit: £650 million has been allocated to cyber, admittedly over three years; there is now a national cybersecurity strategy; research continues at GCHQ; there is improved assistance to the private sector and sharing; and the CPNI, which protects our national infrastructure, has been trying to influence standards. The MoD has played its part: it has set up the Cyber Security Operations Centre and enhanced co-operation with GCHQ.

I welcome all of this but huge challenges and questions remain, especially in the working out of concepts, capabilities, understanding and operations. The idea of active defence is very popular. One anonymous American general, who must be very glad he remains anonymous, said that if the US was hit with a cyberattack, “We will stick a nuke down their smokestack”. That illustrates the absolute ignorance of the nature of cyber. Attribution is a major problem. It is difficult to know the culprits. There is no missile heading for you where you can retrace the route that it has taken. There are legal prohibitions on accessing computer networks without authorisation. There is a patchwork of international laws. There are normative, legal and diplomatic obstacles. There are “what ifs”. What if you pursued an attacker and encountered behind that attacker a foreign Government? What if an obscure digital trail leads to an unrelated system or it has been disguised within a hospital, as some artillery pieces have been in asymmetric warfare in the past?

Our concepts really need to be thought through. In defence, I am afraid that our experience has not helped us because the wars and conflicts in which we have been engaged have been bloody and dangerous, but they have been asymmetric. Our conventional systems on sea, in the air and on land, all of which are now based on software, have never really been tested. I warn against complacency in this area.

As I reach my conclusion, there is one point where I would criticise the Government. Historically, our intelligence services and police have depended for counterterrorism and anti-crime activity in defending the people of this country on the ability to match the technology of our enemies, particularly in communications. This capability desperately needs updating. For the third year running, the Government have equivocated and postponed. Their fear of the Deputy Prime Minister, Mr Clegg, appears to be greater than their fear of the consequences of not acting in updating our intelligence-gathering capacity to include Skype, the internet and texts. God forbid that a terrorist attack should be launched that would have been prevented if we had updated it. God help the Government if that should happen because I know from experience just how dependent we were on that capacity to save the lives of 2,500 people only six years ago in the liquid bomb plot.

I congratulate the Government on what they have done. I hope that they will go further in a number of areas. Above all, I hope that they will remember where I started: the pre-eminence of the United Kingdom over the past few centuries has depended on our dominance of a network world, whether it was exploration, the naval lanes or the financial networks of the world. If we do not capture such a pre-eminence and domination in cyber as a trusted centre of it, I am afraid that we will continue on a very long road of gradual—and perhaps not so gradual—decline.