Cyberattacks: EU Committee Report — Motion to Take Note

Part of the debate – in the House of Lords at 4:57 pm on 14 October 2010.


Lord Jopling (Conservative), 4:57, 14 October 2010

My Lords, this report on protecting Europe against large-scale cyberattacks followed an inquiry by the Home Affairs Sub-Committee of the European Union Select Committee. The chairmanship of the sub-committee is now in the safe and capable hands of the noble Lord, Lord Hannay of Chiswick. However, I was the chairman during the course of that fascinating inquiry and it therefore falls to me to open this debate.

We published the report on 18 May, seven months ago, the inquiry having begun in November last year. It is a long time, with a very fast-moving subject, since we published the report, and it is unfortunate, for such a fast-moving topic, that we have been prevented – mainly, of course, by the dissolution of Parliament – from having this debate earlier. I know that this is a continuing problem for Select Committees, which spend a lot of time and put a lot of work into their reports and then have to wait for a long time before the discussion comes to the Floor of your Lordships' House.

I called this a fascinating inquiry. Certainly for me, it opened entirely new vistas. I believe that that was true of many other members of the committee. The process of educating us fell to Doctor Richard Clayton, our specialist adviser, and I pay particular tribute to his expert knowledge and helpful facility for explaining things to those less expert than him. I especially want to thank our clerk, Michael Collon, whose expertise, both in the past and in a continuing way, is of huge value to the Select Committee. The debate today brings with it two maiden speeches to which I, for one, am eagerly looking forward. They are from very distinguished experts in this field, both former Defence Secretaries, and I look forward enormously to their comments in the context of this report.

Anyone who doubts the havoc that successful cyberattacks can cause, and so the importance of protection against these attacks, needs to look no further than the opening pages of our report to see how in May 2007 Estonia virtually ground to a halt as a result not of, as it thought, activities by the Russian state, but perhaps more probably – no one is entirely sure – of activities by a number of disgruntled Russian students. More recently, noble Lords may have read about Stuxnet, a highly sophisticated virus designed to attack specific industrial infrastructure. It is so refined that many think that it could have been created only by a state. Computer systems in Iran have been particularly affected, and there is speculation that it could have been directed at one of the Iranian nuclear facilities – the Bushehr nuclear power plant or the Natanz uranium enrichment facility. There is no doubt that an appropriate virus of that sort could cause catastrophic failure at such a facility. That is a genuine example of cyberwar.

Colleagues will be aware of a speech made this week by Iain Lobban, the head of GCHQ at Cheltenham, which was reported in the Daily Telegraph yesterday. He said that cyberattacks pose a threat that,

"goes to the heart of our economic well-being and national interest".

He went on to warn of,

"the threat from terrorists, criminals and hostile states using the internet".

He said that:

"Government systems are being hit by email-borne attacks 1,000 times a month".

Finally, he spoke of GCHQ,

"detecting more than 20,000 malicious emails on government networks each month".

Those are examples of the possibilities with regard to cyberattacks.

I mention them for two reasons: first, as an illustration of the importance of protection against cyberattacks, although I am sure that noble Lords were never in any particular doubt about that; and, secondly, to make clear what our report means by cyberattack, since it is often confused with cybercrime. Cyberattacks are aimed at destroying or disabling major computer networks, such as power networks, communications or financial operations. They are obviously criminal acts. What is more accurately described as cybercrime is interference with personal internet security. By its nature, it relies on internet systems being up and running.

The trigger for our inquiry was a communication published by the European Commission in April 2009, entitled, Protecting Europe from Large Scale Cyber-attacks and Disruptions: Enhancing Preparedness, Security and Resilience. The disruptions to which the title refers are those caused by major natural disasters, such as Hurricane Katrina in 2005, or major accidental damage, such as the explosion at the Buncefield oil refinery in December 2005, which destroyed the offices of a company running a payroll system for employers of one in three Britons. In that case, the disruption was potentially severe, but the effects were not. That is an illustration of a point that witnesses made to us repeatedly; namely, that the internet is remarkably resilient. One of our witnesses said that it was designed to withstand a nuclear war. Noble Lords may find that comforting. Certainly I do. But at the same time it still means constant vigilance and absolutely no complacency.

The internet is global. Attacks are potentially global in scope and protection mechanisms must be prepared to meet global attacks. Our inquiry examined what role the European Union could play in defending the member states against attacks which would as easily come from outside the European Union as inside. Our conclusion was that much could be done only at local or at global level, but that there were also many areas where intervention at EU level could be helpful. However, the communication says little about the role of the European Union in a global context. That is unfortunate because there is no way in which any effective action can be taken at EU level without consideration of its effects at global level and the effects on it of global developments.

Network security is largely in the hands of organisations called computer emergency response teams, or CERTs. These organisations study network security to provide incident response services to victims of attacks and to publish alerts against attacks. In the UK, many large companies have their own CERT, as do organisations which have a common interest. JANET is a CERT for the academic world which protects up to 16 million people who are probably mostly unaware of its existence. The Government have their own CERT to protect the public sector, but there is no UK national CERT – nor does the committee believe that there is any need for one. The current system seems to work extremely well.

We were concerned that the Commission proposed that all member states should have national CERTs. We were hoping to read in the Government's response that they had no intention of setting one up in the UK. In fact, we read in their response:

"The Government understands the argument that a national CERT would be of no added value to the UK, and that the current CERT network provides more effective protection. At this stage, we need to keep an open mind as to the best structures to support cyber defence and response in future".

I am all for the Government keeping an open mind, but I hope that the Minister can assure us that they will not be setting up a national CERT just to satisfy the Commission's yearning for tidiness. This is a classic example of, "If it ain't broke, don't try to fix it".

But that is not always the case elsewhere. While some member states have the same model as the UK and others have national CERTs that work well, yet other states have little or no CERT capacity and what they have is distinctly broke. In the case of these states, what the Commission proposes could be valuable. It will benefit the United Kingdom if other states have effective internet protection because we could suffer problems within the global network through ineffective protection in other member states. We suggested that in the member states where there are too few or inadequate CERTs, the Government should support this proposal. Their response did not address this and I should be most grateful if the Minister would give us that response today.

Those who in the past have listened to debates on the European Union Committee's reports on home affairs will have heard me, on a number of occasions, deploring the lack of co-operation and co-ordination between the European Union and NATO. Protection against cyberattacks is a form of civil protection and one that is increasing exponentially in importance. After the attacks on Estonia in 2007, NATO became alarmed and stepped up its work in this field. So did the EU, but not in a co-ordinated way between them. We recommended, as we have before, that the two institutions should co-operate and co-ordinate rather than proceeding on their separate, parallel ways, and we urged the Government to intervene to make this happen. In their response the Government said that greater co-operation between the EU and NATO was a priority. I should be glad to know what developments have taken place in the meantime, and how successful they have been in pushing what they describe as "their own priority".

In evidence to us, the then Minister for security, the noble Lord, Lord West of Spithead, was doubtful whether NATO had any part to play in protecting the internet, saying that he did not regard it as the appropriate body unless the security of an individual member was threatened. As his successor as Minister, does my noble friend Lady Neville-Jones share that view in the light of what I have just said?

Lastly, I turn to the European Network and Information Security Agency. The Council decided that the agency should be sited in Greece, and the Greeks decided that it should be sited in Crete at Heraklion. They do not seem to have given any consideration to the problem of recruiting and retaining specialist staff in a remote place which has no international school, nor to the fact that it can mean up to two extra days of travelling time for those attending meetings, especially in winter when flights are very limited. We recorded the criticism and frustration that this has aroused, but we accept that nothing can be done at this stage to reverse the situation. However, we welcomed the decision of the Greek Government to make office space available in Athens for meetings, eliminating the need to go to Crete. I am glad to read in the Government's response that this arrangement is working well.

At this stage I should like to suggest that in the future, when the European Union is sharing functions around the member states, the allocation should not just define the state concerned but also where that state intends to locate it. The Government say that the location does not seem to have resulted in an inability to recruit and retain staff, but in the next breath in the response they add that,

"it is clear that the location is a major factor when professional staff consider applying for posts".

This seems to imply that the persons best qualified may not be applying for jobs. I hope the Minister will say whether or not this is so. I am far from suggesting that only second-rate persons apply for these posts, but it would be unfortunate if the best are inhibited from applying. This would be particularly the case for applicants from the United Kingdom, which is about as far from Heraklion as it is possible to get within the European Union.

ENISA was originally set up with a five-year mandate. This was extended by a further three years, expiring in March 2012. We expressed the hope that agreement could be reached well before then to extend the remit of ENISA to cover matters such as police and judicial co-operation over criminal use of the internet. Within the past two weeks, the Commission has issued two proposals. The first would simply extend the mandate by a further 18 months, expiring in September 2013. The express purpose of this is to give time for consideration of a second proposal; namely, a revision of the regulation setting up ENISA.

In its Explanatory Memorandum to the regulation, the Commission said that it had considered three options. It agreed to some expansion in the tasks of ENISA, adding law enforcement and privacy protection authorities as fully-fledged stakeholders, but it decided against adding either fighting cyberattacks or the response to cyberincidents, or supporting law enforcement and judicial authorities in fighting cybercrime. This is a rather timid move and is not in accordance with the rather bolder suggestion in our report. We expect in due course to receive from the Government their own Explanatory Memorandum of their views on this, but I should be grateful if the Minister could today give the House some indication of their thinking about an extension of ENISA's role. What I would hope to hear is that they share our view and intend to press for further expansion of ENISA's remit in the course of the negotiations on this proposal.

I have come to the end of what I want to say on this fast-moving topic. The United Kingdom, the EU and, indeed, the whole civilised world must keep a step ahead of potential attackers. The previous Government seem to have recognised the importance of this and to have taken decisive steps to counter the threat. I hope the Minister can confirm that the coalition Government will continue on this path and, particularly, encourage the European institutions to play a useful part. I commend the report to the House. I beg to move.