Tobias Ellwood
Main Page: Tobias Ellwood (Conservative - Bournemouth East)Department Debates - View all Tobias Ellwood's debates with the Ministry of Defence
(7 months, 2 weeks ago)
Commons ChamberIn answer to the first point, no, there is no indication. On the second point, our regular approach—I speak as someone with an MOD account—is that passwords have to be changed regularly in order to continue to use the system, so those security measures are in place. People do not need to change their bank accounts as a result of this incident. Apart from anything else, using someone’s bank details to make a payment somewhere else would be technically difficult, as a new account would need two-factor authentication, so it is not necessary for people to change their accounts. The monitoring service will provide an overlay of additional reassurance to them.
I welcome the Defence Secretary’s statement in qualifying the scale of the breach and the operational changes he is going to introduce. More strategically, it illustrates how the changing character of conflict is impacting our world, with the digital terrain being as important as the physical terrain. That said, had this been a physical, kinetic attack on MOD main building, the House would be demanding some form of proportionate response. Indeed, it could be argued that it would be a NATO article 5 situation. Will the Secretary of State consider the bigger picture, because the rules of engagement and the Geneva conventions are out of date? The Secretary of State is right to say that threats are rising and evolving, but we need to address how errant nations are held to account and what constitutes a proportionate response to a cyber-attack.
It is certainly true to say that a malign actor is involved—we know that. It is possible, and I cannot rule it out, that it is attached to a country, but as soon as I say that everyone assumes it therefore is attached to a country. I am not in a position to confirm that at this point, simply because incredibly detailed forensic work is required to get to that point. My right hon. Friend is right that people differentiate, in some senses, between physical attacks and cyber-attacks, but both can be incredibly serious and have enormous consequences. Again, because we do not believe that the information has, in fact, been stolen and because we are monitoring it very carefully through the eight different measures, I stress that in this case there is a degree of feeling that we have caught it and we are controlling it. However, my right hon. Friend’s wider point is absolutely correct.