My Lords, I move this Motion with the purpose of bringing added awareness on the crucial issue of cyber threats that face the United Kingdom. I shall bring an internal and international dimension to my remarks and in doing so, I thank those contributing.
This debate follows on the heels of a keynote speech at the National Cyber Security Centre by Mr Lidington of the Cabinet Office. The responsibility of government is to provide the first line of security and last line of defence. I therefore reference the underpinning of the UK Defence Doctrine, from which every enabling activity emanates. Scrutiny of the required outputs, matched against clearly defined intent, is essential to gain understanding of the required operating framework and ensure the supporting capacity is capable and sufficient. The complexity and scale of the interconnected world has brought benefits, but also poses immense challenges. Cyber activity, in this world of obfuscation, is a worldwide phenomenon and affects us all. The entire social infrastructure of how we communicate and live our lives has altered permanently, and so the need for mechanisms to monitor, detect, protect against and repel incursions constitutes challenges faced by all cyber experts globally.
From the use of capabilities in battlespace operations during military warfare to cybercrime, state-actor interference in other sovereign states’ critical national infrastructure and governance silos to the much-vaunted cyber interventions in national electoral processes, cyber confrontations have transformed 21st-century societies. Cybersecurity is a huge problem, and the global response is not moving at the speed needed. “Planning for the worst” should be the mantra. A major challenge is that it is hard to investigate given the non-sharing of intelligence between agencies, the inconsistency of the approach of Interpol and the lack of direct communication between banks, for example, which all compound the problem.
Another challenge is that companies often resist investing fully in their IT infrastructure and cybersecurity, believing it cheaper to clean up a mess than to prevent it in the first place. Reputational and financial damage is too often caused by not taking these threats seriously. The poor handling of breaches may also reveal deeper corporate failings. Threats will grow in volume and severity as criminal gangs gain access to more sophisticated tools and become reckless in using them. Mandatory reporting of cyber breaches has begun in some countries, but more must be done to raise awareness of the global nature of the threats. There is a call for an international outcomes-based approach to governance and regulation, to demonstrate the challenge of global cyber governance amid conflicting visions and approaches, and to set out the strategic direction of where we go and where we want to be.
The UK could lead the way. The UK’s National Cyber Security Centre is raising resilience in both corporate and government arenas and deepening its intelligence exchange. However, the task is so immense that the Government alone do not have the resources to face up to this issue. The solution lies in partnership—essential partnership between public and private sectors, and between states and agencies.
Another challenge is to agree cross-border rules of the game and the legal framework to enshrine them. There are too many gaps and inconsistencies between the way that different agencies collect, process and use evidence. Threat intelligence, for example, should not be beholden to the vagaries of political impasse. Cybercrime networks are international and have merged with organised crime covering terrorism, human trafficking, drug trafficking and child abuse. A keyword throughout should be “awareness”; government should work to ensure businesses are aware of the manifold initiatives and their contribution to them, and convince them of the need to view cybersecurity skills within businesses as a priority. Lack of skilled workers makes this harder. Can the Minister set out measures that will fill the shortage of the necessary skills and so put us in a stronger position in years ahead? The UK has become a leader in the use of outcomes-based regulation to influence the right behaviours. The approach taken with GDPR, the NIS directive and the ONR’s approach to nuclear cybersecurity suggests that the UK is creating the right environment.
While the UK has embraced and is implementing GDPR, other major states both inside and outside the European Union have been slow on the uptake. Cybercrime requires a united global response, as no single Government can act alone. As we prepare to leave the EU, we must call on international partners through groupings such as NATO, the Five Eyes, the UN and the Commonwealth to legislate more effectively. HMG should underpin international action and exert influence by investing in increased partnerships, including developing relationships with new partners to build on the levels of cybersecurity and protect UK interests overseas. The Five Eyes co-operation pledged at the end of August to make greater effort to attribute cyberattacks. This is welcome. The alliance has pledged to share more information between its cyber watch offices and, further, has plans to share risk assessments and certification practices to secure supply chain vulnerabilities.
The Commonwealth is embracing cyber development: the Commonwealth Cyber Declaration sets out a pragmatic vision for a free and open internet across the Commonwealth and a shared desire to build more resilient digital economies. The UK has an opportunity to share with Commonwealth countries the outcomes-based regulatory approaches that we are adopting to drive cyber resilience. Rwanda’s 2020 CHOGM will offer a milestone for what progress has been achieved. On a point of detail and given the increased importance of the Commonwealth in a post-Brexit world, will the Minister share an update on how the UK’s £15 million commitment to help review the national cybersecurity capacity of Commonwealth members and improve their capabilities has been spent to date, and detail what private sector innovation has been brought to bear?
It is understood that NATO formally recognises cyberspace as the new frontier in defence. The UK has offered both support and leadership to the establishment of NATO’s new cyber operations centre in Mons. This centre will not be fully operational until 2023, leaving unanswered fundamental questions regarding UK doctrine, capability and capacity in this intervening period. Can the Minister therefore outline what the UK’s position is for these gap years?
In addition, and within the military space, the UK and NATO cyber doctrine does not include a sufficiently common approach, including the underpinning doctrine that informs and directs supporting and enabling activities. It is perceived that the UK, extending to NATO, demonstrates an interoperable capability gap. It is felt that in adversarial activity we are outmatched due to being outnumbered but, more importantly, being doctrinally outmanoeuvred.
On the international front, Russia’s capabilities and techniques are well-documented. Considerable emphasis is placed on internet and related higher education. The Skolkovo Foundation in Moscow and the emerging Innopolis facility outside Kazan have active programmes further to develop internet technologies and offer a programme of start-up partnerships, which extends globally. Interestingly, the two driving forces behind the Innopolis city both attended Manchester University. In addition, the opening of a cyber school, as a centre for advanced cybersecurity education, was announced last night. The school will offer a variety of hands-on education programmes tailored for a wide range of people with different levels of cybersecurity qualifications and skills, from school and university students to cybersecurity experts. It is a useful idea that we should replicate in the UK.
As much attention has been focused on Russia in recent years, I will turn more specifically to a country that is fast assuming the mantle of world leader in cyber development: China. Its President has outlined plans to turn China into a cyber superpower. Through domestic regulations, technological innovation and foreign policy, China aims to build an impregnable cyber defence system and, increasingly, a separate government-controlled internet. State-led efforts in that country are central, with a focus on innovation in artificial intelligence, quantum computing and robotics, among other technologies. The Cyberspace Administration of China has responsibility for controlling online content, bolstering cybersecurity and developing its digital economy. Its investment in research and development now stands at 17% of global R&D spend.
However, Chinese policymakers are increasingly wary of the risk of cyberattacks on governmental and private networks, which could disrupt the control of critical services and impact economic growth. China has created an interlocking framework of laws, regulations and standards to increase cybersecurity and safeguard data in governmental and private systems, with surveillance a key feature, aided by facial and voice recognition software and artificial intelligence. It has required companies—this has become a trend—to store data within China, where the Government will have few obstacles to accessing it. Others adopt similar arrangements. It should be noted that that access compounds the potential for abuse and corruption by state interests.
Those who will lead in fundamental and applied research into quantum physics, quantum cryptography and quantum blockchain development will develop an edge. The night before last, I attended an artificial intelligence session promoted by the China APPG, together with the Chinese embassy, centred on the theme of potential partnership between our countries. The importance of the development of secure communications infrastructure by looking to the developments of quantum is the route forward and presents opportunities for the Government and the private sector to benefit from secure conferencing and secure data transfer.
That said—and this illustrates the overall environment—although quantum computers are still in their infancy, organisations such as the NIST estimate that mature quantum computers will be able to crack our public key encryption infrastructure within 15 years. So the race is now on to develop hybrid solutions to protect current and future data from the power of those quantum computers. Failure will rest with the international community if it does not come together with a collective approach to pass regulation and standards in the form of an international treaty or agreement.
So what should be done, and by whom, to rein in cyber threats? UN Secretary-General Guterres recently commented:
“I think it’s high time to have a serious discussion about the international legal framework in which cyberwars take place”.
Yet the last UN discussions by a group of experts took place in 2017, with no consensus being reached. However, the UN is the best forum to deal with this. I encourage the Secretary-General to grab the bull by the horns.
With all that as background, where should we go from here? I venture 15 specific initiatives, in no order of importance. These are: to support a call for a global move to outcomes-based regulation and legislation, as opposed to the mandating of standards, to form a regulatory framework that forces dialogue between friends and foes alike; to implement initiatives to limit inappropriate meddling that sows discord, either domestically or from abroad; to enable enhanced co-operation within the public sector and continuous dialogue with the private sector; to recognise that the private sector will play a central role in future international cyber governance; to establish a mechanism whereby financial services institutions are enabled to share information and intelligence, and work together more quickly and effectively; to encourage further development of the cyber-insurance industry to bridge the gap between the identification of liability and the lack of data consistency; to define a universal understanding of “cybercrime”, “cyberattack” and “cyber threat”; to promote Governments coming together through the United Nations to take an approach that treats cybersecurity in a sphere of its own; to strengthen the incident response functions of the NCSC and, in doing so, provide clearer guidance on what a reportable incident actually is; to promote advances in the practical application of quantum physics to achieve secure communications channels; to establish a cyber school for advanced cybersecurity education; to place maximum endeavour in technical co-ordination and information sharing; to encourage financial services to take a peer-to-peer approach to tackling cybercrime, starting with greater dialogue between major banks; to encourage international cybersecurity information-sharing partnerships and further support sector-specific information-sharing centres; and finally, but possibly most importantly, to promote global discourse.
I conclude with five questions to the Government that I shall place as Written Questions today to allow the Minister appropriate space to respond fully. For the record, they are: what is the Government’s definition of a cyberattack and who will decide on the response? What are government departments doing to achieve agreed outcomes in cyberspace? Have those departments developed robust mechanisms so that there are parallel agreed outcomes across all ministerial silos? What role should the private sector play in assisting the Government with cybersecurity? Finally, but importantly, will HMG outline their achievements to date on the recommendations of the Joint Committee on the National Security Strategy’s report Cyber Security Skills and the UK’s Critical National Infrastructure?
I end where I began: if this debate achieves little more than assisting in underpinning the essential need for acute awareness of these critical issues, I believe we will have done our duty. I beg to move.
My Lords, we face a huge challenge and, as the noble Viscount, Lord Waverley, said, collaboration and innovation are key. This is not something that can be tackled by the security services alone, although they are doing a very great deal. We need to find a way of involving all the resources that the private sector is putting into combating the cyber challenge and binding them into a national effort. That might perhaps be done by working with the insurance industry so that there is a real advantage to companies working with the Government.
This has been a theme of EURIM—the Digital Policy Alliance—for the past 15 years. It would be very nice if the Government were to choose to wake up to it now. I do not think that we have made the progress we should have made on the law as it applies to joint teams or on the governance of mixed private and government teams to enable such teams to have a real effect in the discussions that take place internationally. This is not going to go away. This is going to be very widespread. We really need to look at ways in which we can collaborate effectively on this.
We also need to look at improving citizens’ rights so that they can have some effective bite-back on what is happening to them. The DCMS Select Committee produced a report on this which I thoroughly support. It included such suggestions as improving the redress under civil law for citizens who suffer as a result of cybersecurity breaches. We may even need to look at bringing back Sir Francis Drake—running down to Plymouth and hitting Drake’s drum—because there is now scope for his privateering activities. Indeed, there are some people out there doing it: stealing goods back from the people who have stolen them in cyberspace. It is a source of great enjoyment and profit to a limited number of people. This activity ought to be regulated in the way that it was under the previous Queen Elizabeth, with prize courts and other things so that rather than the money going only to the privateers, some of it gets back to the people from whom it was stolen.
In this area we have gone back to lawless days. The NSPCC refers to the “Wild West Web”. I think of it more as Dickensian London stuffed with pickpockets and other dangers. We do not venture on to the web on any day without several attempts being made to relieve us of money by gulling us in one way or another. That is not the way that things are in life outside the web. We dealt with that, starting with Robert Peel, some long while ago. We really need to recognise that the Government have a role in making this new cyberworld that we live in a civilised place. At the moment they fail on even the most basic things, such as recording crime. I have made two attempts to report attempted fraud on the internet. The Government refuse to record it. It is only if you are an actual victim—if you have actually lost money—that you are allowed to record a criminal attempt. This is not good enough. The Government need to get a grip on what is going on and on our responsibilities to shield our citizens from this.
Most of my involvement in cybersecurity has been on the training side of things. I am glad to see that the Government are taking effective action in this area; the Cyber Skills Immediate Impact Fund is something that I welcome. There is a lot going on too in terms of private initiatives such as Cyber Girls First, and a real interest by industry in retraining. After all, the talent is out there in older people. The opportunity was never there for 30 and 40 year-olds to work in cybersecurity, but the talent must be out there, lost in hairdressers and baristas. Industry is making a real attempt to go out there and find it, and I am very encouraged by what is going on.
I have a few suggestions in that area to make to the Government. Where training is involved, they really need to place emphasis on pastoral care. A lot of the people who have talent in cybersecurity have a lack of talent when it comes to navigating the world. They tend therefore to immerse themselves in the digital world, and in terms of being part of the world at large need help and comfort—care leavers particularly. There are also problems when children come at this from totally out-of-work families; as soon as you get an apprenticeship, your family loses benefits and therefore you are pulled off the apprenticeship. We have to solve those sorts of problems and look after the children whom we are bringing into cybersecurity work. I have been involved with a project in Plymouth run by BluescreenIT but really involving the whole of the city of Plymouth in response to this problem. It has been immensely effective and I very much hope it is something that the Government will find an opportunity to pick up and spread more widely.
We need to take a grip on the way in which we look at qualifications. Cybersecurity is an international problem. The qualifications for people working in it tend to be international—the US and ICE set, for instance—so it is no good Ofqual wandering off and saying, “Well, we’d like something a bit different for ourselves”. That results merely in delay and training not being done, and we have to recognise that. In this, as in other areas of IT, there is an international set of qualifications and we should work with them.
We need to recognise too in our training that cybersecurity professionals need a great breadth of skill. It is not just about that particular bit of the internet; they have to understand the surrounding bits of IT such as the internet of things and 5G. They even need to understand people. I was told a story the other day of a successful penetration testing exercise that had located the source of the problem in the smart kettle in the boardroom, because the way it was being used meant that it could be turned on to record what was going on and transmit it to people outside. You need to understand the way that people use IT, not just the internals of the IT.
At the moment we are drawing up our training structures in a way that makes that breadth of training very difficult. The levy and the IFA apprenticeship structures are not proving adaptable. This and other problems result from the way in which we approached apprenticeships. We were going to sweep away all pre-existing structures and build anew. Well, building anew is hard and one finds that it creates a lot of problems. I think we need to go back a bit and say, “Actually, there are some things that work and we should be relying on them because we have an immediate need”, rather than hoping that we can build something new that may be perfect in five years’ time. In this area we are meant to be working with industry; we are meant to be industry-led. The more that we can go in that direction and make that effective, the better.
My Lords, I congratulate the noble Viscount, Lord Waverley, on instigating a debate on this important topic. We have had a mention of Drake’s drum, so it would be remiss of me not to mention the Battle of Trafalgar, which took place this week, 213 years ago—no cyber there, I have to say.
I had the privilege of being the UK’s first ever Minister for Cyber Security and produced the UK’s first cyber security strategy in 2009. Then, very few people acknowledged the risk. There is no such problem today, because the word cyber is on everyone’s lips. It is a huge topic, as we heard from the opening speech of the noble Viscount, and I shall raise only two points.
Cyber security has become shrouded in mystique and fear. Threat awareness is too often tilted dangerously close to scaremongering. We ignore the basic reality that cyber security is about risk management, and it is well within our capabilities to manage that risk. But it must be owned by all of us. We need to understand the risks and take simple actions to manage them.
One thing that the most sophisticated and the low-sophistication but more prolific attacks have in common is that they tend to exploit basic weaknesses in defence, so the most pressing need and strategically important question is to find ways to raise the basic defences of organisations throughout our country and across the world. That is why I am delighted that the NCSC has started to implement its active cyber defence programme. The NCSC is an amazing set-up and has done incredible work. This gives a framework for UK cyber security that takes away most of the harm from most of the people most of the time. It is identifying ingenious solutions to spoofing—it has done that on a huge scale already. It involves partnerships such as threat sharing with CSPs, which already block tens of millions of attacks automatically every month.
It recognises the importance of the individual in all this, which is my first point. We have not made it easy for our people. We must be serious about understanding the human being and stop blaming humans for being the weakest link in cyber security: they are the most important. They often are weak but we should not blame them for that. Human factors techniques can maximise human performance while ensuring safety and security. We must design technology that fits a person’s physical and mental abilities: in other words, fitting the task to the human, not the other way around. There must be much wider recognition of the importance of the user.
In the active cyber defence programme, one of the drivers is that users had guidance fatigue. I am not surprised: there was always something they were doing wrong, had not done or should not have been doing. My children tell me that all the time when I am on the computer. Basically, we want to make it easy for people to do these things. That is why there was a change to the unworkable password guidance. Now, we encourage people to protect heavily what they cannot afford to lose and do what they can with everything else. My goodness me, look at these passwords! If you want to get a train ticket, go to the opera or do anything, you have to have a bloody password—sorry, you have to have a password. It is a complete nightmare.
We need to make sure that everyone using a network understands easily how to use it safely. This is just as important as investing in network security technology. Networks have users, and if users cannot do their work effectively while understanding how to do it safely, security is compromised.
My second point relates to our nation’s move towards 5G and the inherent risks in how we are moving forward. The Huawei equipment fitted in our communications systems is a perfect conduit for the exfiltration of data and, as newer systems have come into operation, updated remotely by software from China, so our experts have found it increasingly difficult to be sure that they are constantly safe for use. In view of the ease of supply, cost and quality, the decision was that Huawei equipment should be used in UK systems, and I think that that decision was correct when it was made. It is clear that Huawei is very conscious of security concerns and has tried to alleviate them by more openness and by employing UK experts, many from GCHQ, to monitor its equipment on our behalf.
However, that does not remove all my concerns, and events have moved on. Huawei is set to lead the global charge into 5G, originally in conjunction with another Chinese company, ZTE. Huawei, of course, is not owned directly by China, but ZTE is, and Huawei has signed a deal to provide the next generation of mobile broadband kit to British Telecom. Yet the Huawei Cyber Security Evaluation Centre, overseen by GCHQ, has identified issues with Huawei’s engineering processes that lead to new risks in the UK telecommunications networks. Indeed, GCHQ says it cannot guarantee their security. In addition, GCHQ has effectively banned the use of ZTE by UK firms. A letter was produced saying that we should not use it.
Bearing in mind the huge impact of banning ZTE and Chinese companies in foreign policy, BEIS and trade terms, I ask the Minister: was this a Cabinet decision, or was it made by an official in GCHQ? Fifth-generation mobile services will eventually underpin the new digital landscape, as has already been mentioned. It will transform lives and economies as data analysis, artificial intelligence, the internet of things and quantum computing permeate all areas of human endeavour. We are hoping to start the move towards 5G next year—indeed, we need to. We have to get ahead of all this, particularly with Brexit. We are good at these things, and we need to get ahead.
These changes will bring huge benefits to us all. They will transform healthcare, create smart, energy-efficient cities, make work lives more productive and revolutionise the relationship between business and the consumer. But they bring risks that, if unchecked, could make us more vulnerable to terrorists, hostile states and serious criminals.
I have no doubt that China’s dominance of the technology that will power the next generation of superfast mobile broadband threatens to leave the UK vulnerable to Chinese espionage. However, we probably need to use it so we must identify means of ameliorating the risks. As an aside, I am also very concerned about the spread of Chinese Hikvision equipment, thousands of pieces of which are already installed across the country and connected to our networks. They will all be enabled by 5G. There will be not only cameras, but sound as well. They will sit in every office, see everything on every desk and record everything that is going on, once 5G is linked.
Is the Minister happy that a part of the parliamentary estate is scheduled to have Hikvision installed in January next year? I believe that there is an urgent need to have a small cell set up in the Cabinet Office reporting through the National Security Adviser directly to the Prime Minister to establish what level of risk the UK is willing to accept and to advise what amelioration is required. Banning Huawei and other Chinese firms totally is not a realistic option. Resilience, not IP theft, is our major concern.
Finally, I ask the Minister: is work going on to consider early, robust and fair solutions to what is a global challenge of balancing investment, trade and security, as we will have to protect some parts of our infrastructure by exclusion?
My Lords, I too congratulate my noble friend on this very timely debate. As so often, I shall be sailing largely in the wake of the noble Lord, Lord West.
The term cyber is shorthand. As this debate has already shown, it covers an enormous spectrum of issues, which is not always helpful to clarity—all the way from crime, through manipulation of opinion, right up to active disruption of critical infrastructure, and even disabling military capabilities. Part of that spectrum is a crime and part of it is a genuine national security risk. As the first National Security Adviser in 2010, we certainly found that cyber was rising up the priority list, but since then it has become even more clear that cyber is a potential threat to national security on a scale that, for example, terrorism never was, although terrorism has dominated our national security priorities for more than a decade.
Cyber is a national security threat like no other in the sense that the Government alone, as other noble Lords have said, cannot protect the public. Defending against cyber is a whole of society response, which makes it unique in the national security domain. Britain is very fortunate to have a world-leading centre of excellence in the National Cyber Security Centre. I had the privilege of being at its second birthday party this week. It is a unique organisation, certainly among the major intelligence countries. There is nothing like it in the US. It is quite striking that the Prime Minister invited the Prime Ministers of Australia, Canada and New Zealand to visit the centre during the recent Commonwealth summit to be briefed on its work. It is very well led by one of our most impressive younger civil servants, Mr Ciaran Martin, to whom I pay a warm tribute.
Why is it unique? It is a combination of three things. First, it is a highly capable 24/7 operational centre that is there all the time detecting and responding to cyber threats wherever they arise, whatever time of day or night, drawing on the world-class capacity that this country has in GCHQ. Secondly, as others have said, it is a centre of technical excellence, seeking to understand what is happening on the internet and where the attacks are coming from. Also, importantly, it gives guidance to the technical community on what to look for in their own systems to check whether a malicious code has got into them. Thirdly, and very importantly, it is a very professional public-facing function. It is the interface between the secret world and the world of helping the public with guidance that is understandable, relevant and rapid. I will say a word about each of those.
The need for permanent vigilance has been very clearly illustrated in the last few weeks. Of course, there are constant attacks from criminals, as other speakers have said. More worryingly, there is also a growing number of threats from hostile states. These present the real national security risk that I was talking about. Ciaran Martin said in his annual report this week that the centre had dealt with more than 1,000 of these hostile-state attacks in its two years of existence. He added that at some point in the future, Britain was very likely to face what is known as a category 1 incident, and I refer my noble friend to the annual report for a categorisation definition of national security aspects of cyberattack. A category 1 incident is,
“a national emergency causing sustained disruption to essential services, leading to severe economic or social consequences or to loss of life”.
For the chief executive of our National Cyber Security Centre to say that that is likely to occur at some point is quite sobering.
The series of announcements co-ordinated by a number of Governments on
This transparency, therefore, is certainly one of our strongest weapons in responding to attacks—and I think that the GRU had a bad day on
The third area of its activity is raising awareness among all users of the internet. Clear guidance that people can understand and which small companies and charities can implement is crucial. The National Cyber Security Centre is now doing more of that and undertaking initiatives to encourage more young people, especially girls, to choose cyber as a career.
In closing, I want to touch on two broader issues. The first is the issue of how we can respond. One problem of these high-level, state-based cyberattacks is that they are very difficult to attribute with certainty. It needs the skills of an organisation such as GCHQ, but it can be done. Once it is done, it raises the issue of what do we do about it. Here, I want to underline the point that it is often said that the cyber domain is a wild west or a jungle. Actually, it is not. The former Attorney-General Jeremy Wright gave a very interesting speech in May on international law and cyber. He made clear that existing international law, including the UN charter, applies to the cyber activities of states. That was not just the British opinion; it was the conclusion of a UN group of experts in 2015, including Russia and China. It is important, because it means that states have the right, in international law, of self-defence under Article 51 of the UN charter in the case of a cyberattack that is equivalent to an armed attack. No country should feel that it has impunity in cyberspace and that it can inflict any level of damage without any risk or response. I hope that, when he responds, the Minister can underline that aspect of our response to cyber, because it is not often understood.
My last point links to what the noble Lord, Lord West, said about 5G. We can see developing now a really important competition between two models of the internet for the future. There is the model that has governed the internet so far: the western, liberal, open approach, sometimes exploited and abused, but with the necessary regulation, giving the economy and citizens a great deal of freedom online. There is also the Chinese model of the internet, which is about control, surveillance, amassing ever greater amounts of data on individual citizens in order to control their activities. Chinese dominance of 5G technology will be very important in the future. What kind of internet will we all be linking up to in the years to come? It is right that Governments should focus on this, as the noble Lord, Lord West, said. We need the closest co-operation among all the western, leading countries with the technology and expertise in play. If we neglect it, we may find that the internet of the future no longer supports the open economy and society that we all stand for.
As this Motion makes clear, the scale and complexity of cyber is growing, but it is not the case that this makes it impossible to defend against, or that it is someone else’s responsibility to do that. Debates such as this have an important role in raising awareness of these issues.
My Lords, it seems to me that cyber threats fall into two categories, which are separated by complexity: first, the highly sophisticated attacks, often those sponsored by foreign states; and, secondly, the simpler, basic attacks, often by individuals or small groups of hackers. No doubt we will hear that the large-scale, often global attacks are well fought off by our people at GCHQ, but it is clear that they have a vastly complex task to defend against this sort of problem. A large part of such defence must be deterrence, and I hope that my noble friend the Minister will be able to tell me that we have a sufficient number of people with the requisite skill sets working on this. I also believe that offensive capacity is of the utmost importance; much like nuclear capability, having it makes it unnecessary to use it.
A large number of attacks are pretty basic, such as the WannaCry attack on the NHS last year. I hope that the embarrassed senior managers who supervised the use of obsolete software that could easily be broken, but should have been updated, have been held to account—and that they have subsequently raised their game. Press reports state that some of the machines that were attacked were still using Windows 95. Of course, when faced with intense lobbying from unions and staff, it is always a challenge for the NHS to choose to spend budgets on software over wage increases. But the WannaCry attack reportedly cost the NHS £92 million, which leaves a lot less money for services and indeed future wage increases. Such consequences ought to help managers to get their priorities right.
There is a problem developing that we ought to discuss: the proliferation of passwords, a point made by the noble Lord, Lord West. On a normal day, we may be asked for about 20 passwords and PIN numbers. It is unrealistic for us to keep to the system of a different unique password for each website, service and machine. Certainly, the Californian legislature recently legislated to ban default passwords on any internet-connected device. Anything produced or sold in California that can connect to the internet will come with a unique password, or it will default to require users to make a unique password when they switch it on for the first time. I understand from last weekend’s Sunday papers that the Government are asking the same of our systems. The idea that default passwords such as “admin”, “123” or even “password” are so widespread is obviously worrying, and I have passed on to the Minister a cringingly embarrassing example of this on the parliamentary estate. However, I feel that the solution may be at hand with new password generator programs. They generate complex, unique passwords for the user, and there are even free ones, which can easily be installed.
Regularly updating software is a basic security rule. That was why it was so disappointing to receive an email from the Parliamentary Digital Service customer relations team, as we all did on
My Lords, I will make a few remarks. When I read the excellent briefing note from the Library, I was trying to think about what one could add to it and how one could think about it in some other way. I declare two interests. First, for some years I have chaired the Digital Policy Alliance—EURIM—which was referred to by the noble Lord, Lord Lucas. It looks at whether the effect of legislation and regulation on the public and companies is what we expected when we passed it in Parliament, and it also tries to think ahead about things that are coming in the future, which the noble Lord referred to. A lot of these things that we are worrying about now have been known about for a long time: the reports on security by design, the threats, et cetera. Secondly, I am an adviser to PRIVUS Global, which produces ultra-high secure communications for companies and people who can afford it. I declare an interest in that area as I will refer to such things later.
The report is very good on technical approaches although I was surprised that it did not mention the Five Eyes collaboration, which is probably one of the best collaborations since it works globally. A lot of our intelligence has to be global, not just with Europe and our neighbours—the internet is completely global after all.
There are two sorts of things we need to worry about. One is state action, where people try to bring down critical national infrastructure or spy. Those actions are different from the other lot, which involve fraud against companies or individuals. They can cross over a bit as one might affect the other. WannaCry was a good example of that; I always wondered whether it was a Bitcoin marketing ploy, because I seem to remember that the ransom was demanded in Bitcoin, which gave it some value at last. That is just another of my cynical looks at how these things work, and I am sure it is not quite right.
This is the trouble. I remember that very early on in my computer days—a long time ago, when we were talking about passwords and things—someone asked me: “How would you break into Fort Knox, how would you attack it?” I replied, “I don’t know”. He said, “Steal the key”. That is always the secret. It comes down to people, because to steal the key you just need to know the person with the key to the back door or whatever it might be. Some of this is about education, which is well referred to in the report. I was interested in a couple of phrases. It said, for example, that we should,
“focus on aptitude, rather than high-level academic qualifications”.
This is interesting, because people who write good software are often slightly—or very—dyslexic. All my children are dyslexic. I did not think I was, but I realise now that I have the abilities of a dyslexic to visualise multi-dimensional arrays and see maps; I do not remember sequences of command but draw a map in my mind. I visualise the data I am handling. The visualisation of patterns—looking for patterns—is something that dyslexic people can supply.
When you are trying to break in and attack or something, you are looking for the pattern. When I was taking over programmes in places where programmers had left—I did quite a bit of that—I would try to work out how they thought, and then understand how to solve the problems they had left in the programmes or develop them further. That is not a thing that a procedural thinker usually has. They are trying to think in terms of process and procedure, and it is difficult to understand how someone else thinks if one does that.
Another area is teaching the teachers. This is very difficult as teachers are, by definition, not the latest generation. On the other hand they have a huge amount of knowledge and information which the student lacks, through lack of life experience. Melding the two things is very difficult, as is finding the time to keep up to date. I am no longer able to keep up to date with everything, although I understand the principles well enough to grasp the areas I want to grasp moderately quickly.
You cannot keep up with everything, so how do you decide who does what? I remember being interested in agile computing for more rapid development. I went to a lecture and the chap giving the lecture, who was a teacher, reduced the whole thing to procedural programming within about 10 minutes, by saying you had to have fixed steps and fixed everything else. I thought, “You don’t get it; you don’t think the same way”. This brings us back to the problem of how we teach the teachers.
The most important thing is to educate the general public—who include employees and everybody else—in how to spot something that looks odd. When I get an email from “Lord So-and-So” or “James Younger” or whoever, I look at it and notice the email address. The first bit with the name might be right but after the “@” it suddenly looks weird. You know immediately that it is not genuine. They have simply spoofed the name; they have not even hijacked or hacked him. If you hover over a link you can see at the bottom where it is really going. You start to spot the first slash and work backwards to see whether it is genuine, or whether someone is spoofing Barclays or whoever.
These are simple things, but I do not know how we can get it across to people to spot simple things. At home they are now very good at it as we have educated the people there. We are talking about the simplest of levels; we can stop a lot of the phishing attacks this way. You have to ask yourself whether something looks a bit odd or is too good to be true—or you should ask “Why me?”. Do noble Lords remember “ILOVEYOU”, which went round the place? When I first saw it, I thought, “I wonder who that is? It sounds nice”. But then I thought, “Hang on, five of them inside Parliament—that’s a bit unlikely”. I checked and, sure enough, there were a number of fairly senior people who thought they were God’s gift. It is very interesting because it preys on human vulnerabilities.
I want to talk about single points of failure, which takes us on to the need for surveillance of all the bad guys and questions about government back doors into stuff. That worries me. I remember someone saying, “You don’t have allies; you have interests”. People who are your allies today will not necessarily be your allies tomorrow. Things shift globally the whole time. Another challenge is that your political allies might be your trade competitors, chasing the same multibillion pound contracts elsewhere in the world. So your shared intelligence may be a vulnerability for other parts of government. If the bad guys can get into the centre of it all, you have a real single point of failure, and no one should say that it cannot happen. We have only to look at the Cambridge spy ring, or Gordievsky, or Edward Snowden and the Pentagon papers. They were all great disasters because someone centrally got access to it all. Effectively they had stolen the key—or, in the case of Gordievsky, re-stolen the key.
Secure communications are essential, particularly for trade. If you are doing multibillion-pound negotiations, you do not want that leaking anywhere. Legal firms need secure video, secure text and well-encrypted documents and so on in relation to their contracts. I was horrified by how little attention is paid—unless a large company insists on it—to the problem of hacking the contracts of some legal firms. What goes across a lawyer’s desk is highly sensitive. If someone discusses with their lawyer something that might have involved them personally and that leaks, it could have secondary effects, such as blackmail. That is how you steal the key: you can blackmail people very easily.
With regard to treaty negotiations, I am amazed at how little has leaked from Brexit. The Evening Standard says one thing one day because it is very anti-Brexit, and then the next day we hear from somewhere else that a breakthrough has been announced. It is very interesting, anyway, and I am quite impressed.
People point out that a Government lacking a back door into communications can help terrorists and criminals. That is true to a certain extent, but it is not a good idea to have a back door that you can trawl through, and we do not allow it anyway. That might give people a bit of succour, but if you have targeted surveillance you might well find that there are other ways of doing it if you do not have other clues. The ultra-secure systems could be limited to only very secure companies and individuals whom you know. Effectively, it is a case of “Know your client at a high level”. There are ways of dealing with this, but personally I feel that, for the amount of good it will do in catching criminals, having a back door into these things is much more dangerous.
My last point is that money is very often the motivator. Sometimes when lecturing on cybersecurity, I say to the security guys, “For goodness’ sake, don’t allow yourself to be bribed for too little. If you give these keys away for too little money, you will probably never work again—that’s the end of it—so you have to make enough money out of this bribe to be able to retire for the rest of your life. You will also have to buy new friends, because a lot of your old friends won’t talk to you”. So you are going to need about £200,000 a year net of tax and expenses. I am putting the figure fairly low because most people do not have high expectations. It will probably be about two to four times what they are earning at the time. I reckon that in the long term—I know this from running financial systems—you get 2% net, so you need about £10 million invested in the bank.
The next thing I know, from the way my trusts were mishandled in the 1970s, is that you can lose half their value overnight when your advisers call it wrong. So you need £20 million to start with if it is to see you through your life. I reckon you then need another £5 million to buy your new house, your new car, your yacht and all the other bits and pieces. That is £25 million. If I can persuade people of that, I will have made the world a much safer place, because most people are not going to pay that to bribe someone.
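Added worked example, not part of the debate record: the two checks the preceding speech describes, looking at the domain after the “@” in a sender address and reading the real destination of a link back from its first slash, written as a small Python checker. It uses the standard library only; barclays.co.uk and parliament.uk are taken as the expected domains because the speech mentions them, while every address, link and name below (evil.example, mail-relay.example, 203.0.113.5 and so on) is constructed for illustration. The link check goes slightly beyond the speech by also catching the “user@host” trick, where everything before the “@” in a link is not the host at all, and links that point at a bare IP address.

```python
"""Phishing sanity checks: does a link or a sender really belong to the
domain it pretends to?  Added example; sample inputs are constructed."""
from email.utils import parseaddr
from urllib.parse import urlparse
import ipaddress


def host_of(url: str) -> str:
    """Return the lowercase hostname a browser would actually connect to.

    Anything before '@' in the authority is userinfo, not the host, so
    'https://barclays.co.uk@evil.example/' connects to evil.example.
    A scheme-less link ('barclays.co.uk.evil.example/x') is assumed http.
    """
    if "//" not in url:
        url = "http://" + url
    try:
        host = urlparse(url).hostname or ""
    except ValueError:  # malformed authority such as stray brackets
        return ""
    return host.lower().rstrip(".")


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a subdomain of it.

    'barclays.co.uk.evil.example' ends in 'evil.example', not in
    '.barclays.co.uk', so it is correctly rejected.
    """
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def link_verdict(href: str, expected_domain: str) -> str:
    """'ok' when the link really goes to expected_domain, else a reason."""
    host = host_of(href)
    if not host:
        return "unparseable link"
    try:
        ipaddress.ip_address(host)
        return "raw IP address, not " + expected_domain
    except ValueError:
        pass  # a normal hostname; fall through to the domain check
    if belongs_to(host, expected_domain):
        return "ok"
    return "host is " + host + ", not " + expected_domain


def sender_verdict(from_header: str, expected_domain: str) -> str:
    """'ok' when the address after '@' is in expected_domain, else a reason.

    The display name is ignored on purpose: it is free text and is
    exactly what a spoofer sets to 'Lord So-and-So'.
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "no usable address"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if belongs_to(domain, expected_domain):
        return "ok"
    return "display name " + repr(name) + " but address domain is " + domain


# Constructed samples (hypothetical addresses and links, not real ones).
SAMPLE_LINKS = [
    "https://www.barclays.co.uk/login",                 # genuine
    "https://barclays.co.uk.evil.example/login",        # subdomain trick
    "https://barclays.co.uk@evil.example/login",        # userinfo trick
    "http://203.0.113.5/barclays.co.uk/login",          # bare IP
    "barclays.co.uk.evil.example/login",                # scheme-less
]
SAMPLE_SENDERS = [
    "Lord So-and-So <lord.so-and-so@parliament.uk>",                 # genuine
    "James Younger <j.younger@parliament.uk.mail-relay.example>",    # spoof
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", link_verdict(link, "barclays.co.uk"))
    for sender in SAMPLE_SENDERS:
        print(sender, "->", sender_verdict(sender, "parliament.uk"))
```

The point of `host_of` is that it asks the URL parser what the browser will do rather than trusting the text a person sees; the subdomain, userinfo and path tricks all look like the expected domain to the eye but fail `belongs_to`. The same helper serves the sender check, since a mail domain is compared the same way as a link host.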
My Lords, I draw your Lordships’ attention to my entry in the register of interests, particularly my association with and employment by the Nuclear Threat Initiative, a US-based think tank. I congratulate the noble Viscount, Lord Waverley, on securing this debate and commend him for corralling this massive topic into a 15-minute speech. I congratulate him also on the breadth of the Motion before your Lordships’ House. I am particularly pleased because it allows me to return specifically to a topic that is a minor obsession of mine: the scale and complexity of the cyber threat to major weapons systems, including our nuclear deterrent.
The first step in solving any problem is admitting there is one. That, of course, picks up the theme that a number of noble Lords have referred to. The value of this debate is in raising awareness, and I hope to raise awareness of some threats. It will be difficult for us to engage with them, but I have some ideas about that as well.
Although I have been aware of this threat for some time, I first tentatively raised the issue publicly in January 2013 following the report of the Defense Science Board of the US Department of Defense, Resilient Military Systems and the Advanced Cyber Threat. The top line of that report is, in short:
Critical IT systems in this context include nuclear weapons systems, and the board knew that cyber was a threat to this, because it had red teamed it in the United States. The task force went on to say that its lack of confidence applied also to the weapons systems of allies and rivals. The UK is, of course, an ally of the United States, and so that sparked my attention.
In addressing this issue, I have always been measured in my comments, mindful of my noble friend Lord West’s concern that people can get into scaremongering in this environment. But these are existential threats, and there is nothing scarier in my view. Drawing on the specific recommendations of the report, I reminded the then Ministers that they had an obligation to assure us that all parts of the nuclear deterrent had been assessed against the risk of cyberattack and that protections were in place. I explained that, if they were unable to do that, there was no guarantee that we would, in the future, have a reliable deterrent. Quite simply, a deterrent works on the basis that it is a live threat; if a rival knows that they can defeat the deterrent or prevent it being deployed, it does not work.
In 2015, in the run-up to the Trident debate, I repeated this request in the hope that cybersecurity would emerge as part of the debate on our commitment for the next 50 years, apparently, to a deterrent-based approach to nuclear weapons. The response to my reference to a 146-page report of recommendations and appendices was depressingly familiar and platitudinous. I was told publicly that Trident was safe because it was “air-gapped”. The argument appears to be that, because these weapons are deployed in submarines under the water, they cannot be threatened by cyber. This is a complete misunderstanding of the cyber threat and a misrepresentation of the facts. Most of these boats are not at sea all the time: they are hooked up to other systems for a significant period and spend three months or slightly more at sea. But that is what I was told.
In the reporting of my comments by the BBC, a Ministry of Defence spokesperson, while understandably refusing to comment on the details of security for the nuclear deterrent, assured the country that,
“we can and will safeguard it from any cyber threat”.
I know of no expert who would ever give such a comprehensive assurance about anything, but that is what was publicly stated. The spokesperson went on to say:
“We are investing more than ever before on the UK’s defensive and offensive cyber capabilities. Last week the Chancellor outlined a plan for £1.9bn in cyber investment”.
So, essentially, “Move on, there is nothing to see here”.
Thankfully, that is not the US attitude to this. The United States is a much more open society than we are in relation to these issues. I know that is to do with its constitution and the accountability of the Administration to Congress, but the irony of my interest in this is that I can find out much more about these issues in publications in the United States than I can here. That is not proper accountability, but that is an argument for another day.
The Defense Science Board task force on cyber continued its work and produced a final report in December 2017. I do not have time today, even with the 12 minutes that I have, to go into it in any detail but, four years on, the report continues to challenge UK complacency, concluding that Russia and China had significant and increasing ability to hold US critical infrastructure at risk and growing capability through cyber-attack to thwart military response—in other words, to defeat deterrence.
In July 2015, the other place debated the renewal of Trident, but cybersecurity was virtually absent from the debate. Since then, in updates to Parliament by the Government on the renewal programme, no mention has ever been made of cybersecurity and it has never been fully debated in Parliament or even engaged the Defence Select Committee’s attention. I cannot find any statement by a member of the Cabinet on this issue and, shamefully, Parliament has also been broadly silent on this issue.
External reports continue to be published identifying this and they are always met with the same bland assurances and comments. For example, in 2018 Chatham House published a report, Cybersecurity of Nuclear Weapons Systems: Threats Vulnerabilities and Consequences. Again, the Ministry of Defence response came in the form of a statement from an anonymous spokesperson. Apparently, the MoD has,
“absolute confidence in our robust measures to keep the nuclear deterrent safe and secure”,
invests significant resources into regularly assuring its protection against cyberattacks and other threats, and again we were reminded that the UK,
“takes cyber security very seriously across the board, doubling its investment in the area to £1.9bn”.
In every case where this £1.9 billion is quoted, it is never said by any of the anonymous spokespersons that this money was committed in 2015 for five years of cybersecurity for every aspect of government. I am assured by experts with whom I worked closely during my time in the United States that this is an inadequate amount of investment given the scale of the challenge to our weapons systems.
Until April last year, for three years I lived and worked for the NTI in the US. There I found in government, Congress and the expert community more awareness of the threat to our military systems than here in the UK. In the US, NTI brought together high-level former senior military and government officials, policy experts and cybersecurity experts to form a cyber nuclear weapons study group. I co-chaired this group with former Senator Sam Nunn and former Secretary Ernest Moniz. The group examined the implications of cyber threats to nuclear weapons and related systems and developed a set of options for policies, postures and doctrines that will reduce this risk.
The NTI study group report was published last month. The ink was not long dry on it when, on
The report concludes that the department,
“likely has an entire generation of systems that were designed and built without adequately considering cybersecurity”.
Specifically, the report states that:
“from 2012 to 2017, DOD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development. Using relatively simple tools and techniques, testers were able to take control of these systems and largely operate undetected”.
They were able to guess a password on a weapons system in nine seconds, access weapon systems where open source or commercial software had been installed and the installer failed to change the default passwords, partially shut down a weapons system simply by scanning it—a technique so basic that it apparently “requires little knowledge or expertise”—and take control of some weapons. In one case, a two-person team took just one hour to gain initial access to a weapon system and one day to gain full control of the system. They could also access and stay in a weapons system for weeks, during which time the DoD never found them despite the testers being intentionally “noisy”. In other cases, automated systems detected the testers, but the humans responsible for monitoring those systems did not understand what the system was trying to tell them.
The GAO estimates that the vulnerabilities the DoD knows about likely comprise a small proportion of the risks in their systems. The tests leave out whole categories of potential problem areas such as industrial control systems, devices that do not connect to the internet and counterfeit parts. This unclassified report is about a classified matter and consequently refers to various systems without identifying them. I will come back to that important point in a moment.
Further, the report underscores a troubling disconnect between how vulnerable DoD weapons systems are and how secure DoD officials believe they are. This echoes what I am told in the United Kingdom. The officials who oversee the systems appear dismissive of the results, not understanding that when they dismiss these results, they are dismissing testing from their own department. The GAO did not conduct any tests; it audited the assessments of DoD testing teams. In some cases, officials indicated that their systems were secure, including systems that had not had a cybersecurity assessment.
In its findings, the GAO describes the DoD as only “beginning to grapple” with the importance of cybersecurity and the scale of vulnerabilities in its weapons systems. Public reporting of this report describes this as a “wake-up call” for the DoD. It should be a wake-up call for us too. We have almost certainly bought and deployed some of these weapons systems. We have certainly bought and installed in our weapons systems software programmes, the testing of which has informed this report.
Essentially, I have two questions for the Government. When are we going to have a proper debate, in government time, on the cyber threat to and cybersecurity of our weapons systems, including the deterrent? Now that this GAO report has been published, what steps are the Government taking to follow up on the implications of this report for our military capabilities with the US Government and the DoD in particular?
My Lords, I too thank my noble friend Lord Waverley for introducing this topical and important subject. I declare my interests in cybersecurity as listed in the register. Unlike other noble Lords, I wish to devote almost all my remarks to the impact of cyber threats on the economy, in particular on small and medium-sized enterprises.
I first became aware of the growing threat of cybercrime back in 2001 when I managed a few data centres for a large data provider, an ISP, here in London. Our clients, most of which were SMEs, required reliable, 24/7, secure web hosting with high-speed broadband. Many of them were being targeted by what were then referred to as “botnet cyber threats”. For noble Lords who are unaware of what a botnet threat is, it is otherwise known as a distributed denial of service attack. I built a team of tech experts to engineer DDoS mitigation tools, which countered the threat at the time. Since then, however, cybercrime against businesses and individuals has become significantly more intrusive and dangerous over the years.
SMEs make up 60% of all employment in the United Kingdom. Last year, it was reliably reported that 45% of all SMEs identified cyber breaches, costing many hundreds of millions in financial and reputation costs. Sadly, far too few SMEs have effective security measures in place, nor do they carry out regular effective cybersecurity training—a point mentioned by the noble Lord, Lord Lucas, and a few others. Therefore, they are particularly vulnerable to even the most basic cyberattacks.
As we know, cybercriminals are increasingly targeting individuals for their credit cards and in other frauds. According to a report by Thales, the United Kingdom is the most breached country in the EU, but most UK businesses are blissfully naive and complacent about the increasing threat. The noble Lord, Lord Browne, drew attention to the Government’s five-year National Cyber Security Strategy, which they published in November 2016 when committing to invest £1.9 billion in cybersecurity. While I respect that the National Cyber Security Centre has provided excellent guidelines and advice to SMEs, many would argue that the laudable commitments are targeted more at big businesses and critical national infrastructure, with insufficient focus on SMEs.
We are living through a digital revolution. We have artificial intelligence, autonomous vehicles, drones, biotech, blockchain, the cloud and the internet of things, which has resulted in an ever more interconnected world. It is forecast that, by 2020, 50 billion devices will be interconnected around the world as a result of the internet of things. Technology is ever more critical to the UK and our digital economy has grown 2.5 times faster than the rest of the economy over the last 10 years. The digital tech sector is worth nearly £184 billion to the UK economy. But I stress that our dependence on technology has come at a cost. It was recently reported by CNBC, from a reliable global survey, that the cost of cybercrime to the world today has reached as much as $600 billion a year, which is 0.8% of global GDP. In this country we have seen attacks on our critical national infrastructure and we need to be increasingly vigilant of this increased threat. We should be cognisant of what my noble friend Lord Ricketts mentioned: the risk of a category 1 incident.
I mentioned that individuals are increasingly being targeted by cybercriminals. I understand that 91% of cyberattacks are delivered by email, putting anyone with an email account in the firing line of cybercriminals. I entirely agree with the comments by the noble Lord, Lord West: cybersecurity is about risk management. In this regard, it is increasingly important that individuals are better informed about simple IT housekeeping, such as regularly changing their email account passwords—a point made by the noble Lord, Lord Borwick—downloading basic security software and regularly backing up their data. This alone would substantially reduce the risk from most cybersecurity breaches.
Online data has pushed identity theft to a record high in the UK. The anti-fraud agency CIFAS has said that ID theft cases rose by 1% last year to almost 175,000, with eight out of 10 cases using information found online. This represents a 125% rise over the last 10 years. Phishing remains the number one threat action. Almost half of UK manufacturers have fallen victim to cyberattacks and many more attacks go unreported or unrecorded, according to the manufacturing trade association EEF.
Under GDPR, introduced in May this year, the fines businesses can face for data security breaches are crippling. Two years ago, following the TalkTalk hack, the company was fined £400,000; under the new GDPR fines schedule, this would be nearer to £60 million. Last year, Lloyd’s of London estimated that a major global cyberattack on a cloud provider could lead to losses of around £40 billion. The majority of these losses are not currently insured. The police and the security services are implementing the Prevent strategy to increase awareness across businesses.
Despite the massive need to sustain our digital economy there is a huge skills gap, which seems to be widening. In a recent poll, nearly half of all organisations admitted they had a chronic shortage of IT security professionals, and 70% thought this had a significant impact on their business. An uncertainty over Brexit is also exacerbating the lack of digital skills in the domestic economy, with a lot of IT talent looking to move elsewhere. We need a far more innovative approach to bridge the cyber skills gap, and I wholeheartedly agree with the noble Lord, Lord Lucas, on the need for more training. Wide-ranging training is key for businesses of any size attempting to counteract cyber threats. It is the responsibility of everyone within a company to protect not only the company but its data. All staff, not just IT or security staff, need to be aware of what to do—and what not to do—to make sure that breaches do not happen either accidentally or on purpose.
In my opinion, within the business community there should be company-wide strategies, from the chief executive down, for dealing with and in readiness for the outcomes of a cyberattack, should the worst happen. Equally, despite the national cybersecurity initiative, a lot more should be done in both the private and public sectors to promote cyber awareness, enhance the cyber skills gap and invest more in measures to protect the critical national infrastructure. Initiatives such as TechVets, which helps military veterans into technology and cybersecurity roles, are a great way to harness unrealised pools of human resource potential.
I noticed in the very useful briefing from the House of Lords Library that the UK has committed to working in close collaboration with its international allies, including—as a member of the EU—its partners in NATO, to improve cybersecurity. Can the Minister give a reassurance that after our exit from the EU, our Government will continue their cyber co-operation with our counterparts across Europe? In conclusion, I am not trying to be a doomsayer; I am simply advocating being proactive rather than reactive.
My Lords, I join other noble Lords in congratulating the noble Viscount, Lord Waverley, on securing this debate, which has been wide-ranging. It has moved from kettles to China, from spying to crime and to botnet threats. I look forward to the Minister encapsulating the debate in his response. For what it is worth, I would characterise its mood as a slightly uneasy sense that we have been doing the right things but may have to do a lot more. The degree of uneasiness has varied from noble Lord to noble Lord but I fear that I sit at the pessimistic end of that spectrum.
As the noble Viscount set out, we sit in a very complex landscape, and that complexity has been deepened by the speed of change and the degree of complexity and connectivity across our lives. But we should not forget that there is also a huge political dimension to all this. The world is changing, probably faster than many of us have experienced for a long time. The move towards more autocratic leadership in some very important places fosters these kind of threats and that is why a multilateral approach is absolutely central. Many Peers have highlighted that—not least the mover of this Motion—and I will come back to it.
The other game-changer—I do not think this has been alluded to much—is the asymmetry in the possibility for one individual a long way away to take on a Government or a large national corporation, or at least think they can. I do not think we have seen that situation before, and it emboldens individuals or groups of individuals to do things hitherto not considered possible. The Government have clearly demonstrated that they are seeking to commit on this issue. It is hard to tell how successful this has been, because as the noble Lords, Lord West and Lord Ricketts, and others, have highlighted, the NCSC has been active and—we believe—successful, but we do not see its best work. That is the conundrum with those kinds of agencies; it is defending a negative. But looking forward, I would like to hear from the Minister how the Government support the NCSC and how its role will grow.
Of course, as a number of speakers have said, it is not just about government. Businesses and individuals are all involved and we all have to run very fast to keep up with changes. I had two emails today seeking to compromise my bank account—I am sure most speakers did. At a business level, the noble Lord, Lord St John, is right: it comes to the fore from time to time but very rarely flows from the IT team to the C-suite. One suggestion I would have is that if businesses were required to report—at least partially—the amount of cybercrime they were resisting, the C-suite would be confronted with it on a more systematic basis, and would perhaps do something about it by seeing the benefit of investment in that kind of technology.
This takes us to the critical national infrastructure. Again, I would be pleased to hear from the Minister how the Government believe the CNI community is reacting to the threat. Is it stepping up to the plate and actually moving fast enough? Again, it is hard to tell. Organisations such as the NHS—a part of our infrastructure in a different way—clearly were not investing in IT, and, as the noble Lord, Lord Borwick, set out, it suffered the consequences. We have rail, road, the electricity distribution networks and the other utilities. Where do the Government think we are on the road to resilience? Stepping beyond that, the Government have resolved to work with the communications service providers and industry to make the internet more secure, so what is the progress? What are the landmarks on that journey? The physical architecture of our internet providers is clearly very vulnerable; it sits in green boxes on most of our street corners. Delivery is poorly controlled, as we know. If that is an example of resilience, I am not filled with confidence.
Of course, we have also seen how the private sector has suffered from what I would call self-inflicted problems. That serves as another interesting series of cases. One is the complex and jumbled nature of the technology that many of our largest corporations have. They have layer upon layer, with legacy technology that dates back not just years but decades. Across Britain, some of our most important institutions are built on computer technology that goes back to when I was an undergraduate at university—I have to tell you, that was some time ago.
A further point has arisen around the internet of things and the idea that the boss’s kettle will listen in on important discussions. We can challenge the culture of “Everything always on; everything always in the cloud”. That was not always the case and I do not see why it should always be what we do in the future. As the noble Lord, Lord West, said, the Government have a role in advising individuals where they should put their data and how accessible that data is—24/7 or not at all. We would not stick our entire wealth in a shed at the bottom of our garden, put a bolt on it and expect no one to steal it. So why do we put all our data into the cloud with a flimsy password and expect people not to extract value from it?
However, it is not just about Governments. As I have just alluded to, criminals innovate. International crime is a global free enterprise and an extraordinarily successful innovator. Government is not usually as good an innovator as individuals working in those ways. That innovation then spreads to state actors. We have seen how state actors can take on some of the technology that sits in the dark web and put it to their use. Regulators and government are very slow to react. We have only to look at how Russia sought to disfigure the EU referendum debate to see how slow the authorities have been to respond. We want some sense of how government is seeking to speed up the response to innovation in crime and in state ventures.
The noble Lord, Lord Lucas, highlighted the role of the private sector. The relationship between government and private sector and how technology is adopted are important elements. What do the Government think is the right balance between technology developed in the private sector and technology which government seeks to develop? Who decides what and where the focus should be in what we develop as a government or authority? How do the Government develop meaningful relationships with the private sector? In some cases, companies which have such technology are not those which want to be associated with government. How do we create those relationships?
Once we have the technology, how do we hold on to it? We have seen highly innovative players in our own sphere develop technology which has then been hoovered up by large parts of the internet oligopoly and, frankly, taken out of use for other players. If we need an example, we should look at the three main private sector global companies, which are buying up the patents in blockchain technology. They are taking it out of use for other people for their own uses. I am sure that it is the same for quantum computing as well. How do we hold on to what we have?
Of course innovation is difficult, as many noble Lords have said, but it is about having the right people. The noble Lord, Lord St John, and the noble Earl, Lord Erroll, were right about the need to bring in a broader community of individuals, not least because the sort of people coming out of university and being recruited to the cyber technology sphere are also recruited by a bunch of other people. They are being recruited to be engineers or to be the quants in big banks. They are a sought-after community of people, so we need to broaden our footprint. The noble Lord, Lord St John, talked about drawing in people from the armed services. Something worth looking at is how people are recruited to come in and take engineering degrees. The new university that is starting up in Hereford is changing the approach to recruitment for engineering, which has always been maths dominated—if you do not have a maths A-level, you cannot do it, but people develop at different paces and as different sorts. Some of those initiatives are very important, because we have to deploy the full intellectual capability on our side in this country.
On accountability, I do not intend to throw stones at the Department for Digital, Culture, Media and Sport, but is it the right place to co-ordinate the skills, when other ministries hold the education and further education budgets and when we have UK Research and Innovation? Where should the skills portfolio sit? Is the Minister happy that this is the right place for that technology?
The noble Viscount was right to highlight the need for international co-operation post Brexit. The Government are right to try to maintain co-operation, assuming Brexit happens, with the EU 27, but how will it work? Will the EU network and information systems directive be replaced like for like? Will we shadow it? I am sure that the Minister has heard the same questions in respect of lots of other rules and regulations. The question is: how and when? Given that the European Union Agency for Network and Information Security is a legal organisation, how do we subscribe to it when we are not a member of the European Union? It is all very well to say that we have an aspiration for such things; I am more interested in the how and when.
On internationalism, the UK needs to continue to be a key driver in the multilateral approach to these matters. We have mentioned Five Eyes, NATO and the Commonwealth and beyond. We must not let the signals that can be interpreted from the Brexit process be seen as a withdrawing from multilateralism. I believe that the Government are committed to those institutions and working to make them more effective, but an endorsement from the Minister would be helpful.
Today, almost every warp and weft of our national fabric comprises digital communications and digital data. The implications of widespread denial of service have been seen at the very least through what WannaCry achieved in attacking the NHS and what individual businesses have managed to achieve through acts of self-harm. Those are just relatively unsophisticated examples of what can happen; we have heard predictions or worries about much more profound attacks. That is why I welcome this debate and why the contributions that we have heard today are very important. I look forward to the Minister’s response.
My Lords, as other noble Lords have done, I congratulate the noble Viscount, Lord Waverley, on securing this debate. I thank him for giving the House the opportunity to debate issues of immense importance to the country.
I am sure everyone agrees that the threats posed and the risks involved mean that solutions have to be global to tackle the scale, the risk and the complexity of the challenge. There are no borders in cyberspace, no visas and no checkpoints. To meet the challenge, we have to work with partners locally, nationally and internationally, and government has to ensure that by working together we protect the United Kingdom and, with partners, protect the world from the real dangers that it faces.
We have heard in this debate about some of the threats to every part of our life: everything from the stealing of our own personal data to attacks on businesses through ransomware and other forms of cybercrime, terrorism, state-sponsored attacks on other countries’ interests and the threat of military capabilities being taken over, with devastating consequences.
It is good that the Government have developed the National Cyber Security Strategy, have made a commitment to invest nearly £2 billion in cybersecurity and created the National Cyber Security Centre, which has done so much to protect everyone already. However, I wonder whether this large sum of money—and it is large—will be enough to deliver all the protections we will need.
To meet the challenge, we have to work with our partners at the United Nations, NATO, Interpol, the Commonwealth, other organisations we are not members of, such as the African Union, and those we are members of, including the European Union. This further highlights the madness of Brexit when the world is getting smaller and more interdependent, with greater risks, and we risk huge damage in areas of security, as we do in every other part of our life as a progressive, free, liberal, fair-minded trading nation. The Government have identified, quite rightly, that cyber is a tier 1 threat to national security, based on both the high likelihood and the high impact of such an attack. The scope of cyber risks is part of the problem as our world relies on digital technologies in every sense to deliver almost everything we need.
The noble Lord, Lord Ricketts, has huge knowledge of these issues, as the first National Security Adviser. As he said, cyber threats need a whole-society response, across the whole range of threats to the United Kingdom. The noble Lord, Lord Borwick, made important points about passwords and the basic protections we all need to be aware of in order to take proper action to protect ourselves. The noble Earl, Lord Erroll, made valuable points about having the aptitude to see complex patterns and about educating the general public to spot when things go wrong. Often these are things that the general public are not aware of. Too quickly they are drawn into giving up their data, passwords and access—and have their money and data stolen, doing much harm. The noble Lord, Lord St John of Bletso, referred to the dangers posed by weaknesses in the systems and the importance of protecting SMEs from these threats. I also agree with the points he made about simple passwords and other basic security checks, which echoed those made by the noble Lord, Lord Borwick.
My first point is about the scale and complexity of the challenge faced by the world, which I fear is not understood by many. I agree with the noble Viscount, Lord Waverley, about the need for an international, outcomes-based approach to governance. I also agree with the points he made about the need for partnership between the public and private sectors, in addition to partnerships between states, agencies and international organisations. One of the most disappointing things we have witnessed as the internet has developed and changed our lives so completely is the attitude of so many technology platforms, which have so often failed individuals, communities and nations in not protecting people’s data through either poor security or reckless practice. People’s data is entrusted to them but so often making money from the data has been much more important than security or data protection.
The noble Lord, Lord Lucas, made the point that there needs to be proper redress for citizens who have suffered as a result of data breaches. I agree with him. Of course, individuals have a responsibility to protect their own data and to be their own first line of defence—their own first guardians when they go online—just as people have to do when they go about their lives generally, taking simple precautions to protect themselves. But that does not excuse poor practice by technology platforms, or companies involved in information or communications not working together and not working with Governments and agencies, nationally and internationally. They need to play their full role without excuses, helping to deliver the security we all need.
With regard to allegations concerning foreign powers, it is suggested that Russia is one of the main proponents of these cyberattacks that seek to interfere with and undermine elections and referendums here and in the United States and other countries. That is totally unacceptable. The reluctance to look at the referendum on leaving the EU is staggering when you consider the enormity of the decision, and if that decision has been stolen that surely is a matter of grave concern to every democrat. We have to ensure that our elections and referendums are safe, secure and free from unwarranted interference.
There are huge risks to business and our prosperity from cyberattacks. An organisation that I am involved in recently had its whole website cloned as thieves tried to steal information. The thieves were outside the European Union. We have taken measures and boosted our protections to stop this happening again. We are a small organisation and have been able to recover from this, but for a business this can be devastating, not only in the loss of money and income but in reputational damage and potentially the complete destruction of the business as customers lose confidence in its ability to deliver products or services safely. Who will buy products and services from a company that has developed a reputation for serious lapses in security and the protection of other people’s data? The mandatory data-breach reporting under the GDPR is a very good thing and the data generated by this will help the Information Commissioner and the Government to have greater understanding of the scale of the problem.
The large hacks and breaches in companies such as TalkTalk are the ones that get the media attention but, as I said, in much smaller organisations the disruption to operations can be just as damaging. Figures I have seen suggest that cyberattacks cost UK business £34 billion in 2016. But we have to ask: how much is business putting into resilience and preparedness? Is all the effort going into building cyber defences? If you have not prepared well and built a robust structure for the day you get a breach, you have seriously weakened your operation. This leads me back to the point I made earlier about the money the Government are putting into cybersecurity. Is the Minister satisfied that the funds being made available are adequate?
The noble Viscount, Lord Waverley, told us that NATO has formally recognised cyberspace as a new frontier in defence and I hope the British Government have done that as well. My noble friends Lord Browne of Ladyton and Lord West of Spithead have considerable experience in these matters from their previous roles. My noble friend Lord West made the important point about risk management: our weaknesses in basic protections are a huge risk and need to be improved. He also referred to the move to 5G and the decision about ZTE. I hope the Minister will respond to that point when he replies shortly. My noble friend Lord Browne spoke about the threat to our weapons systems and nuclear capabilities. He referred to the report from the United States. He is right to question whether we have the protections in place to ensure that our nuclear deterrent is actually a deterrent. Are we taking the military cyber threat seriously enough? My noble friend’s comments about the risk of hostile forces being able to hack into and take control of our systems deserve a specific response today but also outside the Chamber.
Will the Minister also say something about the ministerial and Cabinet-level response to these threats? Does he think that the National Security Council is nimble enough and able to provide the consideration of these important matters in a proper strategic way? Is he satisfied that we have got this right at the present time and what is the process of review to ensure that we keep up with new developments and potential new attacks? That leads me on to the issue of critical national infrastructure—not only the police and military capabilities but our NHS functions, our transport services and the delivery of food, medicines and power. Can the Minister say something about the ability to repel a cyber threat to critical infrastructure and, as with business, the resilience plans in place to deal with a successful cyberattack?
Finally, this has been an excellent debate. I thank the noble Viscount for tabling this Motion, which has enabled the House to debate an important issue, which I am sure we will return to again and again.
My Lords, this has been an excellent debate and I thank all the speakers who have brought a wide range and depth of experience and expertise to it, not least the mover, the noble Viscount, Lord Waverley, who made a thoughtful introduction and crammed 15 helpful suggestions into three minutes at the end of his speech. A number of themes ran through the debate, in particular the need for partnership. I hope I have not misunderstood the tone of the debate when I say there has been no fundamental disagreement about the thrust of government policy, but some severe warnings and some very helpful suggestions about how we might do better. Some of them were on a highly technical front, and some were based on broad common sense.
I say to the noble Viscount that this is a very timely debate, following the second anniversary of the National Cyber Security Centre and the publication of its 2018 annual review this week, which was launched by the Chancellor of the Duchy of Lancaster, the director of GCHQ and the CEO of the NCSC. It is one of the best annual reports I have seen as a Minister, although I have not risen to the challenge on the last page,
“Can you find the secret codeword?”
As this debate has made clear, protecting the British people, the systems that we rely upon and our very democracy itself is a central responsibility of government. As our digitally connected world has rapidly expanded, so too has the scale of vulnerabilities and the frequency of attacks that we face—a point well made by my noble friend Lord Lucas. It is for this reason that cybersecurity remains a top priority for the Government, because it impacts on our national security and our economic prosperity. I was impressed by what the noble Lord, Lord St John of Bletso, said when he outlined the cost to the economy of lax cybersecurity.
We recognised the need for a comprehensive and active response when we launched the National Cyber Security Strategy in 2016, where we defined a cyberattack—this is in response to the request from the noble Viscount, Lord Waverley, for a definition —as a,
“deliberate exploitation of computer systems, digitally-dependent enterprises and networks to cause harm”.
We set out ambitious proposals to defend our people, deter our adversaries and develop the capabilities we need to ensure that the UK remains the safest place to live and do business online. Those proposals will be supported by £1.9 billion of investment over five years, which was mentioned by many noble Lords, to drive transformation. The noble Lord, Lord Kennedy, asked whether I thought that that was enough. He will know that there is a spending review for 2020 onwards, and I am sure that the concerns expressed in this debate will be taken on board as colleagues move to a decision on future spending patterns.
One of the most visible elements of the strategy was the formation of the National Cyber Security Centre to bring together our very best intelligence and technical expertise in a world-leading authority—the noble Lord, Lord Ricketts, described it very aptly—that will be our single centre of excellence to innovate and create, to work in partnership with industry to block attacks on a scale of tens of millions per month, which was mentioned by several noble Lords, and to blend behavioural science with technical expertise to provide the best advice and guidance for people and organisations to protect themselves.
On our response when attacks get through, the NCSC brings everyone together to reduce the harm from significant incidents, whether that is an attack on Parliament, which was referred to by my noble friend Lord Borwick, or disruption to health services. On the attack on Parliament, I understand that it is unlikely to recur. I have had a note from the chief technology and security officer in Parliament that says that the correct people now get the required detail from Parliament’s Apple account manager to make sure that such a delay does not happen again. Our response is calibrated by the severity of the attack, and the National Security Council will consider the full range of security, diplomatic and economic tools at our disposal.
How we set up the National Cyber Security Centre reflects the single, clear message that underpins our strategy, which has been echoed throughout this debate, that we need not a whole of government approach but a whole of society approach, as the noble Lord, Lord Ricketts, described it. The noble Viscount, Lord Waverley, asked how we are delivering it. The national strategy binds all of government into delivering a set of cross-cutting objectives which require a collective response that reaches out to the private sector and beyond—and, indeed, to other countries, because while we can lead the way, we know that we cannot solve these problems alone. This point was made by nearly every noble Lord who took part in this debate.
On the key subject of skills, which was raised by the noble Viscount, Lord Waverley, and the noble Lords, Lord Ricketts and Lord St John of Bletso, we are already developing a pipeline of talent and inspiring and developing cybersecurity experts and entrepreneurs, whether through our programmes in schools and universities, our work with industry to figure out the best way to retrain career changers with aptitude and ambition and by promoting cyberapprentices. On the specific recommendations of the Joint Committee on National Security Strategy—a question raised by the noble Viscount—the Government have recently submitted their response and we look forward to its publication.
We also are building on our world-class universities and ground-breaking research to establish a pipeline of cutting-edge cybersecurity companies with a range of interventions to incubate and accelerate and to support our innovative companies to export overseas, turning many great ideas into global businesses. This in turn will help other countries to become more secure and will boost the UK cybersecurity industry, which is now generating more than £5 billion for the economy.
Before the Minister moves on from skills, I asked whether the right ministry was carrying accountability for skills at a national level. All the examples he gave referred to ministries other than the department that has it.
I was referring to the responsibilities of the Department for Education. The relevant Minister is sitting at my side and will have heard that. We will write to the noble Lord, giving a more detailed reply on the role of that department, if that is what he wants.
The Government actively manage potential risks to UK infrastructure—a point on CNI raised by the noble Lord, Lord Fox. This includes risks related to foreign equipment used in our telecoms industry. This important issue was raised by the noble Lord, Lord West, who expressed concerns about our telecoms structures. I want to make it clear that the Government have not banned ZTE. The NCSC has raised its concerns about the ability to manage the risk of having more Chinese-supplied equipment on UK infrastructure undermining existing mitigations, including those around Huawei. The noble Lord is right that we cannot ban our way out of this, but I can confirm that the Department for Digital, Culture, Media and Sport, with the NCSC, is leading the review into the security and resilience of our telecoms supply chain.
I am sure the noble Lord would be grateful for an answer, but I do not have one. I do not know whether it has been debated in Cabinet or in a Cabinet sub-committee. However, within the constraints of what happens within the machinery of government, which the noble Lord will be familiar with, I will see whether I can shed some light on the important issue he has raised.
The noble Lord also raised the issue of Chinese investment that meets stringent legal and regulatory standards. At the heart of this is the recognition that we need confidence in our ability to get the right balance between security in our critical infrastructure and the growth, productivity and inward investment opportunities. The findings of the review will report to the Prime Minister and the National Security Adviser. It is right that in the face of these shared threats the UK works alongside its international partners and allies to expose, confront and disrupt hostile or malicious activity.
When we discussed this yesterday, the noble Lord was concerned about the installation within the Palace of Westminster of this capacity, which could indeed read stuff that was on my desk. I think this is primarily a matter for the authorities within the parliamentary estate. I will share with them the noble Lord’s concerns and get a considered reply, possibly from the noble Lord, Lord McFall.
It is right that in the face of these shared threats the UK works alongside its international partners and allies to confront, expose and disrupt hostile or malicious activity. Noble Lords will have seen recently our attribution of a range of indiscriminate and reckless cyberattacks to the work of Russian military intelligence, and 21 other countries stood with us to call this out. That builds upon a host of cyberattacks that we and our international partners have attributed to North Korean actors, including the WannaCry incident, one of the most substantial to hit the UK in terms of scale and disruption.
We are absolutely clear that we must work together to show that states attempting to undermine the international rules-based system cannot act with impunity. The Foreign Secretary pressed this point with his counterparts at the Foreign Affairs Council earlier this week, and the Prime Minister is today encouraging the European Council to accelerate work to strengthen the EU response to malicious cyber activities, including a new regime of restrictive measures.
When necessary, we will defend ourselves. We are continuing to develop our offensive cyber capabilities as part of the toolkit that we use to deter our adversaries and deny them opportunities to attack us both in cyberspace and in the physical sphere. My noble friend Lord Borwick referred to this. If he looks at page 51 of the National Cyber Security Strategy 2016 to 2021, I hope he will be reassured by what we say about enhancing sovereign capabilities and offensive cyber, ensuring that we have at our disposal,
“appropriate offensive cyber capabilities that can be deployed at a time and place of our choosing, for both deterrence and operational purposes, in accordance with national and international law”.
It is also vital that we continue to reaffirm our shared vision for an open, peaceful and secure digital world based on the rule of law and norms of behaviour. The noble Lord, Lord Ricketts, was right to refer to the speech by the previous Attorney-General saying that international law applied to cyberspace. It seems to me that if a foreign state were to drop a bomb on our airports we would have a right to reply, and likewise if our airports are immobilised through cyber we should equally have such a right, though of course that should be proportionate and legal. We do not concede ground to those who believe that existing international law does not apply, or who seek to impose controls through international fora as a means of restricting basic human rights.
Our work with international partners goes beyond joint operations and influencing. For example, the noble Viscount, Lord Waverley, asked about the work that we are doing with the Commonwealth. We have been scoping and piloting projects to date, but we are now accelerating delivery and expect to have spent £2.3 million by the end of this financial year. Much of this is in partnership with the private sector—for example, we are working with Citibank, an American bank, to build resilience in the Commonwealth finance sector.
I did not think we would get through the debate without Brexit being raised by the noble Lords, Lord Fox and Lord St John of Bletso. The cyber threat that the UK and its European allies face from state actors and cybercriminals remains significant and, as the noble Lord, Lord Kennedy, says, it knows no international boundaries. That is why the UK is seeking to maintain the broadest possible co-operation with our EU partners so that we can continue to share information with EU security institutions, deepen industrial collaboration and work together to develop cyber resilience in support of our collective security, values and democratic processes. Continued co-operation with the EU is not only in our interest; it is firmly in the interest of the EU as we look to respond to hostile state and non-state actors in cyberspace.
At this halfway point in the delivery of our national cyber security strategy, we have put in place many of the building blocks to transform the UK’s cybersecurity and resilience, already demonstrating results. However, we can never become complacent. Just as the threat from cyber criminals and nation states continues to evolve, so too must we continue to innovate and respond at scale and pace. We are therefore stepping up our protection of government systems, from the NCSC’s excellent active cyber defence measures to models adapted from those used by the finance sector to test the security of public services.
On the subject of defence, the noble Lord, Lord Browne, a previous Secretary of State, raised some important issues about the security of our defence systems. We have well-established processes in place to address cybersecurity and the protection of our weapons systems. We are continuing to invest—for example, through our £265 million programme of cyber vulnerability investigations for military equipment. On the specifics of responding to the report published in the US, I will happily write to the noble Lord. To allay his concerns on the UK’s use of equipment supplied by the United States, I refer him to the details of the NCSC’s support of the MoD’s Modernising Defence programme in its recent annual review, where examples include stringent testing of the new F35B fighter planes.
My Lords, I am sorry to ask the Minister to give way again. I do not always share the views of my noble friend Lord Browne on some of these issues, but on the Dreadnought programme, which is crucial, could the Minister maybe go back to the Secretary of State for Defence and say, “There really is a need for red-teaming regarding the threat of cyber to the Dreadnought programme, as it is in-build”?
While it is difficult to avoid headlines about attacks and breaches, doing something about it is still often seen as too technical, too difficult or someone else’s problem. However, one of the themes that has emerged from our debate is that cybersecurity is everyone’s responsibility. We consider it vital that all organisations embrace and embed cybersecurity, from the boardroom down. That is why we have targeted efforts at driving long-term change, starting with helping boards to better understand the risks they face and to invest appropriately. This year’s cybersecurity breaches survey revealed that only 30% of businesses have a board member with responsibility for cybersecurity, and that is not good enough. We must ensure that boardrooms provide active leadership to ensure that cybersecurity is ingrained into organisational cultures and mindsets—a point well made by the noble Lord, Lord St John of Bletso, who also drew attention to the substantial fines that companies are now exposed to under GDPR if they do not comply with the new legislation. As the noble Lord, Lord Fox, highlighted, understanding exactly how secure data and systems are in complex organisations has never been more important.
I am conscious that I am not going to be able to get through all the points that have been raised within the allocated 20 minutes, so I will write to noble Lords to deal with the issues that I have not been able to address today. In conclusion, I hope I have been able to demonstrate not just that we understand the scale of the challenge that we face but that we are seeking to create the environment for everyone to be at their most collaborative and agile to respond, a point well made by the noble Earl, Lord Erroll. As we face new challenges in the year ahead, we need to ensure that we remain focused on reaching across organisational, political and geographical boundaries. As we face those challenges, I will ensure that we take on board the valuable suggestions that noble Lords have made in today’s debate so that we can continue to protect the economic and individual freedoms that make us stronger together.
My Lords, I hope that noble Lords will agree that this debate has achieved a practical purpose. I thank them for the scope of points that have been covered. Among the many observations that have come to light, the sharing of concerns regarding 5G has relevance, and we must pay attention to it as it develops.
It has been highlighted that we must encourage companies to invest fully in their infrastructure and cybersecurity. It is through education and clarification that we ask citizens to take the necessary steps to make our country and them more resilient. I underline again that cybercrime requires a global response, and no Government can act alone. With that said, I commend the Motion.