Defence and Cyber-security Debate

Full Debate: Read Full Debate
Department: Ministry of Defence

Defence and Cyber-security

Lord Walney Excerpts
Tuesday 4th March 2014

(10 years, 8 months ago)

Commons Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Arbuthnot of Edrom Portrait Mr Arbuthnot
- Hansard - - - Excerpts

I do, and I hope that in answering the debate my right hon. Friend the Minister for the Armed Forces will take that point straight on the chin, because in many respects the armed forces are the resource of last resort, and cyber-security may be an area where the armed forces do not accept that responsibility.

There is a necessary focus within the defence world on securing the systems and networks needed by the MOD and the armed forces from cyber-threats. It is not only contemporary civil society that is utterly dependent on network technology; our armed forces are increasingly reliant on such technology for the tools of warfare, and the next step must be to ensure that the supply chain for those systems and their components is secure. That will require a trusting, transparent relationship between Government and their suppliers, with full disclosure of attacks and possible vulnerabilities, which runs all the way down the supply chain. The UK has world-class expertise and facilities on which to draw, but will the Government be able, in competition with the private sector, to keep enough of that expertise and experience in the service of the state? Are there enough such people to serve both and how should we prioritise?

The announcement by my right hon. Friend the Secretary of State for Defence in September 2013 about the establishment of a joint cyber reserve unit is a significant development, but that will rely on FTSE companies and other, smaller companies releasing key personnel to participate. Will my right hon. Friend the Minister for the Armed Forces tell us what progress has been made? According to the Government, the number of ICT and cyber-security professionals in the UK has not increased in line with the growth of the internet. Are there enough experts in industry willing to join a cyber reserve? Will technology experts—the geeks of our world—fit well within highly regimented military structures, or will a more flexible structure be required to facilitate their work?

Lord Walney Portrait John Woodcock (Barrow and Furness) (Lab/Co-op)
- Hansard - -

The right hon. Gentleman is rightly raising just some of the myriad questions about the future in cyberspace. Does he agree that these questions are so wide-ranging and fluid, given the incredible acceleration in technology, as to pose the question whether in future we should have vari-speed defence and security reviews? On larger items we should look beyond the 10-year horizon, but in cyber, five years is far too long for what is happening.

Lord Arbuthnot of Edrom Portrait Mr Arbuthnot
- Hansard - - - Excerpts

Like my hon. Friend the Member for Canterbury (Mr Brazier), the hon. Gentleman contributes effectively to the Defence Committee and makes an interesting point—one I had not heard before. That is the value of these debates. We will all have to think about that issue.

We must seek to defend ourselves, but we must also, as has been suggested, expect to develop a capability to respond to threats in cyberspace. When doing that, we face some of the same considerations as when developing conventional military capabilities. Where does the balance lie between international collaboration and sovereign capability, for example? What sort of international arrangements will best suit our aims?

My right hon. Friend the Secretary of State also talked about how the UK was developing a full spectrum military cyber-capability, including strike capability. This is an interesting and novel declaration. Everybody knows it has happened but nobody has been prepared before now to announce it. Will this declaration act as a deterrent or will it make the UK a more likely target for hacktivists and foreign states? What about the legal implications of establishing a strike capability for the personnel involved? The necessary rules of engagement for cyber-attack need to be put in place, although of course we will not be told about them.

Some maintain that cyber is just another military domain and that we can expect to do everything in cyberspace that we do in the air, on land or at sea to prevent, deter coerce or intervene. But has the distinctiveness of the cyber domain been fully grasped? It is not clear, for example, that deterrence is a concept that can apply to a domain where there are real difficulties in discovering quickly who has perpetrated an attack and for what purpose, or even that an attack has taken place. Neither is it clear that everyone has grasped how important it is to avoid a silo approach to the cyberworld. It is essential to break down the dividing lines between civilian and military, among Government Departments, between Government and the private sector, and between our country and other countries, and therefore to approach the issue in an holistic way. Paul Dwyer of Mandiant came to brief the Defence Committee and told us that it takes a network to defeat a network.

Perhaps because the threat cannot be neatly categorised, it may be unrealistic to expect a neat categorisation of the responses. Everything we have been told in the UK emphasises that the armed forces have a very limited role, protecting their own systems and developing military cyber-capabilities. For other areas of activity, those in the lead are likely to be based elsewhere, particularly in the intelligence services. That is where the important point made by my hon. Friend the Member for Canterbury comes in.