With permission, Mr Speaker, I will make a statement on the Government’s national cyber-security programme.
Every day, the cyber threat is growing and we face ever more sophisticated attacks. According to one survey, 81% of large businesses and 60% of small businesses suffered a breach last year. Back in 2010 the coalition Government identified cyber as one of four tier 1 national security threats, and Britain has been among the fastest adopters of the digital economy. We are a world leader in digital services, which are a key part of our long-term economic plan. We cannot let our economic progress be undermined by those who would do us harm. No national Government can tackle the cyber threat alone, and international collaboration is central to our strategy, as is the closest partnership with the business community.
In 2011 we published our cyber-security strategy and have committed £860 million of funding over five years to the national cyber-security programme. That is to ensure that Britain remains one of the safest places to do business online. Cyber-security skills are scarce, and collaboration between Government, industry and academia is essential to build the skills and expertise we need.
Despite the huge budget deficit that we inherited, we have invested in our intelligence agencies and the National Crime Agency to build our capabilities to understand cyber threats and tackle cybercrime. GCHQ—often the object of poorly informed criticism—is home to a hugely impressive and patriotic collection of public servants, and I put on record my appreciation for the dedicated and highly skilled work they do to keep Britain safe.
We have worked with business to establish the cyber essentials scheme to raise awareness of five basic measures to keep companies safe. That scheme is now mandatory for certain types of Government procurement, and today 88% of FTSE 350 companies have cyber-security firmly on their risk registers. We created the national computer emergency response team—CERT-UK—to respond to major cyber incidents, and it played a significant role in protecting the Commonwealth games and the NATO summit in Wales. Following the Prime Minister’s successful visit to the US, CERT-UK will be leading joint exercising with its American counterpart later this year. The cyber-security information sharing partnership, based within CERT-UK, provides a safe space for businesses and Government to exchange information and develop responses in real time. CiSP now has 914 members and reports on 215,000 abused IP addresses daily.
Technology moves at an astonishing pace and we cannot stand still. Today I will set out further steps to keep us safe. Our new Cyber First scheme will be an elite development programme for the next generation of UK cyber-security talent. It draws heavily on Israel’s hugely successful Talpiot programme, which I saw first-hand on a visit to Israel in November. Talpiot provides the state of Israel with formidable cyber-security skills, and is also the seedbed for a fertile array of new businesses. Partly as a result, Israel now has more start-ups per capita than any other country.
Initially we will pilot Cyber First with a few tens of students. Each will receive £4,000 funding per year to study relevant undergraduate courses in science, technology, engineering and maths. They will be required to work during summer vacations or years out, either within Government or in leading UK cyber-security companies. Participation in this elite programme will carry a commitment to work for the Government for at least three years before members start to see their financial support written down. This programme will be a vital pipeline of top-end cyber talent in the service of Britain’s national security.
Cyber First is the latest in a series of initiatives building cyber skills, including new apprenticeships, and introducing cyber-security to the National Citizen Service and ensuring that it is included in relevant courses leading to computing and digital qualifications for 16 to 19-year-olds. We sponsor cyber competitions in schools, as well as technical apprenticeships and PhDs; we are building cyber-security into computer science and computing degrees, and so far we have accredited six master’s degrees in cyber-security, created two new centres of doctoral training, three research institutes and 11 academic centres of excellence in cyber-security research. Two further universities—Kent and Surrey—have today been awarded centre of excellence status in cyber research. I can also announce the funding of three UK-Israel cyber research projects. Similar projects with Singapore will follow later this year, and I look forward to seeing the first cohort of joint UK-US Fulbright cyber-security scholars before too long.
All that builds on our much broader work to improve cyber skills, which has already seen 40,000 people enrol in the Open University cyber-security open online course. We have made good progress in developing digital and cyber skills more widely across the economy, and I warmly commend the work that my hon. Friend the Minister for Culture and the Digital Economy has done and continues to do on that.
For Government services, online safety is central. GOV.UK Verify, funded by the national cyber-security programme, is our world-leading identity assurance programme. I can announce today that we have put in place a new contractual framework for identity providers that will increase choice for citizens who wish to prove their identity online. I will announce shortly the details of the additional identity providers.
We have to worry about cyber-security because of the growth and development of the internet in the past 20 years. The internet has an amazing power to change people’s lives for the better. Cyber is a huge opportunity, as well as a threat. Britain’s cyber-security sector is worth more than £6 billion a year and employs some 40,000 people. We are on track to double cyber-security exports to £2 billion by next year. Our aim is to increase that to £4 billion by 2020, and we will promote more regional clusters to support more British cyber-businesses. We want Britain to benefit from the best digital economy in the world. Effective cyber-security is central to that success. I commend this statement to the House.
I thank the Minister for advance sight of his statement. It is now twice in two days that he has come to the House to make a statement. Tomorrow he will make it a hat-trick with his final Cabinet Office Questions. Clearly, he wants to see as much of us all as possible before he retires from this House.
I pay tribute to the Minister for his work in the past five years as the Minister for the Cabinet Office and in the many years he has served the public as a Member of this House. There are many things on which we disagree, for example how we should use digital government to empower people rather than cutting them off from services, but no one can doubt his dedication to public service. Nor can we doubt the dedication of those who work so hard to protect us, our nation, its citizens and businesses from cyber-attacks. I, too, would like to put on record my praise for the work done by the security services, the police and all civil servants who work in this area. They do a vital job day in, day out to protect our cyber-infrastructure and digital footprints, and I commend their work.
I am sure the Minister agrees with that sentiment. I hope, therefore, that the Government will clarify how those who protect us in cyberspace will continue to do so when the Chancellor is bent on reducing public sector spending to levels not seen since the 1930s, before there was even an NHS or a GCHQ. It is clear from the Office for Budget Responsibility and the Institute for Fiscal Studies that, after the Chancellor’s Budget last week, unprotected Departments face huge cuts to meet his spending plans and unfunded tax cuts. The Ministry of Defence, the police and social care services are under threat. Can the Minister confirm whether the budget for cyber-security will be protected, or are we to assume that because the Cabinet Office is an unprotected Department that this will not be the case?
I welcome the new Cyber First pilot. Indeed, I was privileged to launch the UK’s first MBA in cyber-security with Coventry university. The demand for cyber-security experts is growing at 12 times the rate of the overall job market, so it is vital that we train and equip more people with cyber-skills. Small firms are the victims of three quarters of all successful data breaches and are the most likely to suffer from a lack of cyber-skills. However, just as the Minister came late to the digital inclusion agenda and then chose a strategy that excludes 10% of our fellow citizens, he has come late to—indeed, neglected—cyber-security for small businesses. According to the Institution of Engineering and Technology, half of all small and medium-sized enterprises have not even heard of the Government’s cyber-security efforts. What is the Minister doing to change that and to make small businesses more cyber-aware?
Crime is changing. It increasingly happens online, but the Government do not have a strategy to tackle it. The cyber-security budget is overwhelmingly going to cyber-security and big businesses, leaving consumers to fend for themselves. The majority of the cyber-security budget goes into the single intelligence account, with the police left a tiny amount to tackle a growing tide of online crime with an overall £2 billion cut in funding. The Home Affairs Committee highlighted the black hole where low-level e-crime is committed with impunity. What is the Minister doing to ensure that the police have the resources they need in this area?
I welcome the announcement of a new contractual framework for GOV.UK Verify. However, it was only in October that the Government were predicting that hundreds of thousands would be verified by now. In fact, only
50% of people are successful the first time they use the service. The Minister says that details will be announced “shortly”. Given that there are only a few days left before Parliament is dissolved, will he tell us exactly when he plans to announce the details? Specifically, will it include a public sector provider of identity assurance, so that people can choose a provider they trust?
Finally, the statement makes no mention whatever of mobile. It has taken the Government five years not to eradicate not spots, and they have ignored the gaping hole in cyber-security which is mobile device security, particularly in the era of “bring your own” device. What is the Minister doing specifically on mobile?
I could not help but notice that the statement was somewhat light on actual policy announcements. A cynic might think that the Minister was rushing out a half-baked announcement to use up time. It is almost as if the Government are scrambling around for something to say to give the impression that they have made real progress in rising to what is one of the greatest challenges of the digital era and one of the greatest opportunities for UK business. The UK can lead in cyber-security as we do in online commerce, but it will take skills for the many—small businesses and citizens, as well as big businesses—not the few. It will take a Labour Government to ensure we have that.
I am extremely grateful to the hon. Lady for her very warm words at the beginning of her response, which I enormously appreciate. Parting is indeed such sweet sorrow, but there is life beyond.
I am afraid it tailed off a little bit after that. The hon. Lady talked about cuts and the potential for continued funding for cyber-security in the next Parliament. She made the slightly odd suggestion that the trajectory of public spending would be at a level last seen in the 1930s. A little further research shows that the last time this level of spending was seen was in 1999-2000 under a Labour Government.
So far as funding for cyber-security is concerned, that will be dealt with in the context of the spending review that will take place after the election, but I do not know anybody who believes there is any possibility that there will not continue to be very significant funding for cyber-security. We are acknowledged across the world as being in the lead in this area. There is always a danger when one says that of being thought to be complacent. We are not remotely complacent. This is a very fast-moving set of threats and we have to move equally fast to keep up with it. We need to be on the case all the time.
The hon. Lady talked about the resources being devoted to tackling cybercrime. The Under-Secretary of State for the Home Department, my hon. Friend Karen Bradley who has responsibility for tackling cybercrime is in her place on the Front Bench. She takes this matter immensely seriously. The National Cyber Crime Unit is based in the National Crime Agency. A good proportion of the cyber-security programme is funding for the law enforcement agencies, which do fantastic work. I obviously echo her enthusiastic support for those who work to protect and preserve our national security, and I include in that those in our armed forces active in this field.
The hon. Lady talked about digital inclusion, which she knows the Government take extremely seriously. We support the huge amount of work being done by businesses, particularly Barclays and other companies, on digital activity to enable people currently excluded to be active online, and that will continue to be the case. She also asked about mobile security on mobile devices, which is obviously a serious matter. So far as the Government are concerned, CESG, part of GCHQ, provides good guidance and is reckoned to be world leading on smart devices.
So far as citizens and consumers are concerned, she will be aware of our Cyber Streetwise campaign and Get Safe Online, which are about making sure people know the risks. GCHQ estimates that 80% of successful cyber-attacks could be thwarted or mitigated by basic internet hygiene, and for that awareness is important. I am less concerned about whether SMEs are aware of what the Government are doing; I am more concerned that they are aware of what they need to do, which is to take basic steps on internet hygiene.
There is much more to do, and there will never be any scope for a Government or businesses to rest on their laurels. I found the hon. Lady’s objection that my statement was light on policy slightly startling. Quite rightly, the Government have elevated cyber-security to one of the four tier 1 national security threats, so we take it enormously seriously. At a time when we had to cut public spending, because of the appalling public deficit inherited from the last Government, this was one of the very few areas that we decided was sufficiently important to invest further money in, and we will continue to do that.
A number of Governments are known to have invested heavily in what might be termed “offensive cyber”. Given that we must do everything we can to protect our own systems, are there any messages we can send to such Governments about the consequences that would follow for them if they were unwise enough to launch a cyber-attack against this country?
I am well aware of what my right hon. Friend says, and he is right to raise the matter. Our task is to ensure that our efforts on national security are provided with all the tools necessary for us to protect ourselves and deter attacks.
One of the aims of the 2011 cyber-security strategy was to have the UK more resilient to cyber-attacks and able to protect our interests in cyberspace. How well does the Minister feel that this has been achieved, and how does the news that 81% of firms suffered from cyber-attacks and breaches in the last year, as he said in his introduction, fit with that strategy?
Awareness in the business world is much higher than it was—it was woefully low and remains so in most parts of the world—partly as a result of the Government’s efforts. As a result, many more companies are taking active steps to treat this seriously—not as something to be delegated to the IT department but as a board-level risk to be understood and managed by the board as a major risk to the business. We shall continue to drive home this message.
I congratulate my right hon. Friend on this important update. He talked about clusters. He will know that one of the most important cyber-security clusters in the UK is in world-class Worcestershire. One business he has visited there, Titania security, told me it was benefiting from a wide range of Government help, including the apprenticeships scheme, research and development tax credits and help with exporting from UK Trade & Investment. Will he update the House on how his Department could work with the Department for Business, Innovation and Skills to ensure that our cyber-security industry is the most competitive in the world?
It is very competitive. I know that my hon. Friend has given enormous support to the cyber-cluster in Worcestershire. As a matter of historical accident almost, there are many businesses in Great Malvern. When I visited in 2012, there were 40 or so cyber-companies; there are now more than 80. This is very fast growing. We help cyber-companies with exporting, and many of them are doing it. I visited Titania, in his constituency, and was hugely impressed by how many countries this relatively small company was selling its products to.
We obviously co-ordinate as much as possible with the Scottish Government—my hon. Friend the Minister with responsibility for cybercrime could comment separately on any discussions the Home Office has with Police Scotland. The hon. Gentleman is right to imply that these matters require close co-ordination between Governments and law-enforcement agencies not just within the UK but much more widely, because cyber and the internet know no national boundaries.
Following on from my right hon. Gentleman’s comments about GCHQ staff, what did he make of the Business Secretary’s comments that The Guardian Snowden publication was entirely correct and courageous, and will he outline his assessment of the effect that has had on the morale of our public servants at GCHQ?
I happened to be visiting GCHQ shortly after my right hon. Friend made those remarks. The people who work at GCHQ do fantastic work—it is a centre of brilliant expertise and knowledge; they do difficult work away from the public gaze, and any comments that seem to undermine what they do in the service of national security has to be strongly deprecated.
The Minister is right to pay tribute to the work of GCHQ and to prioritise cyber-security, which is very important for all of us. He will be aware that a fundamental part of that is good encryption, so will he encourage individuals and companies alike to push ahead with strong end-to-end encryption, wherever possible?
Encryption is obviously important, but it is for businesses to decide what level of encryption they want to operate. These are obviously delicate matters, but there is a lot of technology here, and I am happy to say that Britain is very good at it.
It has been an enormous privilege in this Parliament for me to serve with my right hon. Friend in his team at the Cabinet Office doing exactly this work. Will he update the House further on what he continues to do to keep our critical national infrastructure safe?
I am hugely grateful to my hon. Friend both for what she says and for the incredibly important work she did, particularly in taking the message about the need to strengthen cyber-security defences out to the business community, which she did with her characteristic energy and clarity. So far as the critical national infrastructure is concerned, a huge amount of work is already under way to continue to ensure that we understand the vulnerabilities. Obviously, the critical national infrastructure is not primarily owned by the state—it is in private sector hands—so we need to understand the vulnerabilities and work with the owners of that infrastructure to ensure that the defences are as good as they can be.
I thank my right hon. Friend for agreeing to meet Training 2000 and me last October to discuss its plans to create an institute for cyber-security in Pendle. Following that meeting, it has followed up the leads he provided, and I am delighted to say that it is now progressing with its ambitious plans to create the institute later this year, to improve local cyber-skills and apprenticeships in the area. Given the importance of this issue to many Lancashire SMEs, what more can his Department do to support such proposals?
Let me first pay tribute to the work my hon. Friend has done in this area. When I recently visited Pendle, I had the opportunity to discuss the matter with him. There has been no stronger champion of our potential to work with businesses to build the companies, the skills and the kind of centres for training that he mentions. I am confident that he will be in a position to take this work forward over the coming five years.
Does the Paymaster General agree that the excellent news about a new university technical college at Berkeley Green in my constituency, providing skills and training in cyber, is perfectly timely in view of his statement and that it is likely to bring a real benefit to the Government Communications Headquarters?
My hon. Friend is exactly right to draw attention to that. We need to build these skills—and build them early. The kind of college he mentions can play an incredibly important role in that, particularly, as he says, in view of its proximity to Cheltenham and GCHQ. We need to get to children earlier so that we can encourage more of them to specialise in these subjects. Under our Cyber First scheme, which I referred to in my statement, and in pursuit of the most gifted students, we will absolutely look to find really gifted students at a much younger age.
I welcome yesterday’s launch by the Cabinet Office of the report into cyber-insurance, which hopes to make the UK the world capital of cyber-insurance in the marketplace. It will not only give the UK insurance market the leading edge in order to become the world leader, but will encourage our small and medium-sized enterprises to take up cyber-insurance through the terms and conditions of their insurance policy.
My hon. Friend is absolutely right to draw attention to this. We have, I think, got ahead of the game by commissioning the work we have done jointly with the insurance industry. Cyber-insurance is a market in its infancy. Many businesses do not know whether they are covered for damage and loss caused by cyber-attacks. The fact that Britain excels in the insurance market—London is the world’s centre of insurance—and that Britain is very good at cyber-security will enable us to become world leaders in this important area. The sophisticated pricing of cyber-risk will be a huge stimulus, particularly to smaller businesses, to ensure that they have done what they can to protect themselves. I welcome the industry’s support, particularly for smaller businesses and SMEs, of the Cyber Essentials scheme as a kitemark for taking the right steps to protect themselves.
Thank you, Madam Deputy Speaker.
I congratulate the Minister for the Cabinet Office on both his statement and his strong commitment to a quiet revolution on our nation’s understanding of, and support for, the cyber-industry. My right hon. Friend knows the important cluster in Worcestershire and Gloucestershire, which now includes the future training centre rightly mentioned by my hon. Friend Neil Carmichael. Does my right hon. Friend agree that places such as the new cyber-centre in Gloucester, led by Raytheon with innovative partners employing between 9,000 and 90,000 employees should encourage local universities such as the university of Gloucestershire to play an important role in developing appropriate courses for future skills in this sector?
My hon. Friend is completely right to draw attention to that and to emphasise the need for us to develop these skills early. These are scarce skills at the moment, but they do not need to be. We took steps early in the course of the coalition Government to start the process of building skills, and the kind of developments to which my hon. Friend refers are a crucial part of that.