Cyberattack: UK Defences — Question

– in the House of Lords at 3:13 pm on 7 December 2015.

Lord Giddens, Labour, 3:13, 7 December 2015

To ask Her Majesty’s Government what is their assessment of the vulnerability of the United Kingdom to organised cyber-attack.

Lord Bridges of Headley, The Parliamentary Secretary, Cabinet Office

My Lords, as the Chancellor of the Exchequer said in his speech to GCHQ on 17 November, despite a huge amount of investment, effort and world-class tools and capabilities, we are not where we need to be, particularly given the pace of innovation in cyberspace. Since 2011, we have invested £860 million in a national cybersecurity programme. As announced in the national security strategy and strategic defence and security review 2015, we plan almost to double investment in cybersecurity over the next five years.

Lord Giddens, Labour

My Lords, I thank the Minister for that very helpful reply. One of the most serious threats we face is that of a co-ordinated cyberattack against the UK financial sector. The Bank of England has shown that individual banks, especially the large banks, are pretty well protected but there are huge vulnerabilities in the connections between the banks and the rest of the economy, which some people say could lead to panic. One quite seasoned observer described the possibility of financial Armageddon—the meltdown of the system—given that most money today is electronic and no longer held in the form of cash. This is a matter for the Government, not just for the Bank of England, so what concrete steps are the Government taking to address this issue?

Lord Bridges of Headley, The Parliamentary Secretary, Cabinet Office

I pay tribute to the work of the noble Lord and a number of other of your Lordships in this area. On the specific point, the financial sector, including the City of London, has undertaken a number of exercises in recent years: Waking Shark I, Waking Shark II and the Market Wide Exercise, as well as the more recent Resilient Shield exercise between the US and the UK last month. In June, the FPC agreed that the Bank, the PRA and the FCA should also establish arrangements for CBEST tests to become one component of regular cyber resilience assessment within the UK financial system.

Lord Sugar, Non-affiliated

My Lords, the Minister may be aware that the infrastructure in most of the exchanges of internet service providers in this country is supplied by a Chinese company, Huawei. In the previous coalition Government, Sir Malcolm Rifkind was commissioned to inquire about this country’s vulnerability to a possible instruction by the Chinese Government to shut our systems down. Does the Minister have the results of this investigation? He should also be aware that the United States does not allow that company to operate there.

Lord Bridges of Headley, The Parliamentary Secretary, Cabinet Office

I will write to the noble Lord about his specific point. However, we are not complacent on this issue. As the noble Lord, and other noble Lords, will know, virtually every telecommunications network in the world incorporates foreign technology. Most manufacturers have some of their equipment built in China and use technical components from a global supply chain, regardless of the location of their headquarters.

Lord Clement-Jones, Liberal Democrat

My Lords, I should declare an interest as a former adviser to Huawei. Given that 90% of larger companies suffered a security breach last year, I welcome what the Chancellor and the Minister have said about setting up a national cyber centre. To date, the Cabinet Office has been responsible for the national cybersecurity programme. Can the Minister confirm that it will continue to be so, and to be responsible for the national cyber centre, rather than handing it over to the tender mercies of the Home Office, which is not known for its business-friendliness?

Lord Bridges of Headley, The Parliamentary Secretary, Cabinet Office

I can confirm that and draw the noble Lord’s attention to paragraph 7.7 on page 82 of the National Security Strategy and Strategic Defence and Security Review, which sets out a very nice organogram for who is responsible for what.

Lord West of Spithead, Labour

My Lords, will the Minister confirm that the firing chain for Trident is air-gapped in its entirety, as it certainly was until 2006, and is therefore invulnerable to cyberattack? Will he also confirm that any upgrades that may be planned for that firing chain will remain air-gapped? If not, there will clearly be a vulnerability.

Lord Bridges of Headley, The Parliamentary Secretary, Cabinet Office

The noble Lord speaks with immense experience in this area and I will write to him on the specific point. I cannot comment on the detail of the security arrangements for our nuclear deterrent but we can, and do, safeguard it from threats, including cyber.

Lord Hennessy of Nympsfield, Crossbench

My Lords, will the Minister update the figures on substantial attacks on British government institutions and businesses which last year were running at between 150 and 200 per month? Has that figure changed substantially and has there been the slightest indication that, since the Chinese leadership pledged to the Prime Minister that they would lay off, there has been an easing from that quarter?

Lord Bridges of Headley, The Parliamentary Secretary, Cabinet Office

I can give some figures. GCHQ typically responds to an average of 70 sophisticated attacks on government networks per quarter. In summer 2014, GCHQ responded to approximately 200 incidents and this figure doubled to nearly 400 during summer 2015.