Martin Horwood (Cheltenham) (LD)

- Hansard -

Copy Link

-

I should declare an obvious interest as the MP for Cheltenham, since GCHQ is based in my constituency. This is also a topical day to debate cyber-security, because this morning the Deputy Prime Minister made a speech in which he talked about the balance that needed to be struck between digital freedom and national security. He praised GCHQ for its continued expertise and its role in defending us all against cyber-attack.

Although there is currently no cold war in the old sense—I hope that is not the wrong thing to say; perhaps events in Ukraine are making us worry a little about that, but there is no active cold war in the way there used to be in the 1960s and 1970s—we are in effect at war in cyberspace. Ongoing attacks are taking place against this country and its institutions and businesses, and it is right that in 2010 the national security strategy identified cyber as a tier 1 threat alongside international terrorism, military crises and major accidents or natural hazards. Although the £650 million committed to the national cyber-security programme in 2011 sounded like a great deal of money, considering it against the billions being committed to Trident, for instance, which does not address any of those tier 1 threats, should give us some pause.

Trident addresses a theoretical and perhaps quite real future risk, and there are different views on that, but the cyber-security programme is defending us against current ongoing attacks. As hon. Members have pointed out, they are taking place at the rate of thousands an hour. It is almost like attacking an onion—Russian dolls would be the topical way of describing it. The core is the Government, the Ministry of Defence and the armed forces. We know that malicious e-mails are being blocked at the rate of 33,000 a month at the gateway to the Government secure internet. The next layer is defence contractors and the supply chain which, as other hon. Members have rightly pointed out, are just as critical to the successful operation of the armed forces and our defences as the Government core.

Critical infrastructure is the next layer. Hon. Members have rightly referred to banks and food supplies as part of that wider layer. The next layer is the wider economy and society. The threat to business is a threat to our national security; 93% of large businesses and 87% of small businesses have reported cyber-attacks in the past year, potentially costing thousands, as the hon. Member for Inverclyde (Mr McKenzie) mentioned.

The Defence Committee rang the alarm bell in 2013. It said that the risk of military operations being fatally compromised continued despite all the effort, and that we perhaps needed more resource and focus on cyber-security. It is right that we commit spending, and look at structures and process, but spreading the culture and practice of cyber-security matters at all levels, and across Government, business and society.

We have talked about the various units. I am pleased to say that GCHQ is in the lead, but the Global Operations Security Control Centre plays a vital role, as do the cyber-security information sharing partnership and various cyber-units in various places across Government. The hon. Member for Reigate (Mr Blunt) offered criticism of that proliferation of different units, but I believe the network approach is the right one. We need attention and focus in different places across Government. The last thing we want is for cyber-security to be silo-ed. We need the culture and practice of cyber-security to spread across Government.

That was brought home to me recently when I visited Bletchley Park, and the brilliant National Museum of Computing, which was celebrating 70 years since the Colossus machine, arguably the world’s first programmable computer, started breaking the Geheimschreiber codes at Bletchley Park. A lot was said about the technical expertise of the Government code and cipher school, which became GCHQ, and the genius of Alan Turing and Tommy Flowers, the great engineer who led the Colossus team—I am proud to say that my father was one of his Post Office engineers. However, it was emphasised that human error allowed many of those codes to be broken. It was not just human error in the sense of mistakes that gave away code keys, but the fatal underestimation of Bletchley Park’s capabilities on the part of Hitler and the German high command. Right up until D-day, Hitler held back Panzer divisions in the Pas de Calais because he simply did not believe that the Normandy landings were the real deal—he believed the misinformation and the false intelligence that was being fed to him. It never occurred to him that the Geheimschreiber codes were being broken and that our side had that capability.

I am pleased that GCHQ is in the lead on cyber-security and that it provides that technical expertise, but we need to spread the culture and understanding. By way of justifying the supplementary defence estimates to support that and other defence work, having that expertise has benefits for the UK economy. GCHQ has enormous links to academia, business and other parts of Government, but it supports cyber-skills at all levels, including encouraging maths, science and engineering in schools. I saw that at the Cheltenham science festival, although it encourages those subjects in many other ways. It also recognises academic departments that specialise in cyber-security. As has been said, they are now present in a large number of universities. That focus on high-tech skills, and research and development, could, and should already, make the UK a centre of global importance in cyber-security skills. In turn, that builds resilience, not just in Government but in businesses, making Britain a safer place to do business in cyberspace. All those things have economic benefits and more than justify the spending we are considering.

There is a slight sting in the tail. GCHQ and its expertise are widely recognised now, which may be one of the benefits that it has inadvertently gained as a result of Mr Snowden’s recent activities. Business recognises that expertise and skill, and is able to poach very expert people from GCHQ and, perhaps, from the Global Operations Security Control Centre as well. The Government need to value the people in GCHQ and GOSCC, and others across Government, who have those extraordinary skills, and—sometimes, I am afraid, in material terms—try to ensure that we hold on to the best people, and the real skills and expertise. We need to value those skills in all sorts of different ways, but I hope that Ministers will not take it wrongly if I say, on behalf of my constituents, that that way would also be appreciated.

We are facing a global threat. The United Kingdom is under current attack, and, while I think that the Government have got the strategy broadly right, I also think that they should not let up in defending us against this new and very 21st-century threat.