(9 months, 2 weeks ago)
Lords Chamber
My Lords, I am not quite sure where the bells and whistles come from. As I said, we are just considering all the potential implications. However, part of the Criminal Justice Bill introduces a new power for law enforcement and other investigative agencies to suspend IP addresses and domain names where they are being used to facilitate serious crime. So the answer is partially yes, but the other situation that the noble Lord described is very complicated.
My Lords, the prosecutorial guidance referred to just now by my noble friend leaves computer professionals in a position of uncertainty. Do they not need certainty as to the shape of the law?
Well, yes, and as I said, the working group that was set up to look into this, which included the cybersecurity industry, law enforcement, prosecutors and others, could not reach consensus on this subject. Certain cybersecurity professionals are in favour of defences but other industry experts are not—so we have to continue to consider these responses.
(1 year, 4 months ago)
Lords Chamber
My Lords, I agree that there is an enormous necessity to get this right, but that is part of the problem of why things are perhaps not happening as fast as the noble Lord would like—progress is far from glacial. These issues are incredibly complicated because, as the noble Lord noted, the proposals would potentially allow a defence for the unauthorised access by a person to another’s property, and in this case their computer systems and data, without their knowledge and consent. We therefore need to define what constitutes legitimate cybersecurity activity, where a defence might be applicable and under what circumstances, and how such unauthorised access can be kept to a minimum. We also need to consider who should be allowed to undertake such activity, what professional standards they will need to comply with, and what reporting or oversight will be needed. In short, these are complex matters, and it is entirely right to try to seek a consensus among the agencies I mentioned earlier.
My Lords, I declare my interests as set out on the register. Does my noble friend accept that it is very difficult for Governments to keep up with the speed of change of technology in their legislation? The Computer Misuse Act is now 33 years old. If progress is not glacial, please could we have an injection of urgency into the changes to it that we need?
(2 years ago)
Lords Chamber
My Lords, I cannot answer that specifically. I have seen that report and have read a variety of newspaper reports with mounting alarm, as I am sure the noble Lord has. I think the task force will address a good deal of the noble Lord’s concerns, and I look forward to hearing what it has to say.
My Lords, I echo the question asked by the noble Lord, Lord Browne, but in relation to the report of this House’s risk committee, in which we found that there were real, critical vulnerabilities in our critical national infrastructure. The urgency of the Government producing the resilience report cannot be overstated. It is surely time for the Government to recognise that the front lines of battles that we face now are no longer in other countries but in our computers, our water systems and our electricity systems. They need to be taken really seriously.
I thank my noble friend for that question. I am afraid I will again answer at some length, because the subject of cyber resilience is at the heart of what he, and indeed the noble Lord, Lord Browne, asked me. The current state of UK resilience to cyberattack is an interesting subject, and we are making significant progress in bolstering the UK’s resilience. We stop hundreds of thousands of attacks up stream while bolstering preparedness and helping UK institutions and organisations better understand the nature of cyber threats, risks and vulnerabilities down stream.
Despite this, there remain serious gaps in the nation’s defences, as both noble Lords have pointed out, and the collective resilience-building effort must continue apace. Poor organisational practices, processes and systems, and a lack of awareness of risks and mitigations, all contribute to attacks getting through. Taking some practical and cost-effective steps, such as improving the use of account authentication, could have prevented a lot of damage. I could go on, but at this point I reiterate my praise for the work of the security services. I have seen some of their work in this area, and it is incredible.