My Lords, I move this Motion with the purpose of bringing added awareness on the crucial issue of cyber threats that face the United Kingdom. I shall bring an internal and international dimension to my remarks and in doing so, I thank those contributing.
This debate follows on the heels of a keynote speech at the National Cyber Security Centre by Mr Lidington of the Cabinet Office. The responsibility of government is to provide the first line of security and last line of defence. I therefore reference the underpinning of the UK Defence Doctrine, from which every enabling activity emanates. Scrutiny of the required outputs, matched against clearly defined intent, is essential to gain understanding of the required operating framework and ensure the supporting capacity is capable and sufficient. The complexity and scale of the interconnected world has brought benefits, but also poses immense challenges. Cyber activity, in this world of obfuscation, is a worldwide phenomenon and affects us all. The entire social infrastructure of how we communicate and live our lives has altered permanently, and so the need for mechanisms to monitor, detect, protect against and repel incursions constitutes challenges faced by all cyber experts globally.
From the use of capabilities in battlespace operations during military warfare to cybercrime, state-actor interference in other sovereign states’ critical national infrastructure and governance silos to the much-vaunted cyber interventions in national electoral processes, cyber confrontations have transformed 21st-century societies. Cybersecurity is a huge problem, and the global response is not moving at the speed needed. “Planning for the worst” should be the mantra. A major challenge is that it is hard to investigate given the non-sharing of intelligence between agencies, the inconsistency of the approach of Interpol and the lack of direct communication between banks, for example, which all compound the problem.
Another challenge is that companies often resist investing fully in their IT infrastructure and cybersecurity, believing it cheaper to clean up a mess than to prevent it in the first place. Reputational and financial damage is too often caused by not taking these threats seriously. The poor handling of breaches may also reveal deeper corporate failings. Threats will grow in volume and severity as criminal gangs gain access to more sophisticated tools and become reckless in using them. Mandatory reporting of cyber breaches has begun in some countries, but more must be done to raise awareness of the global nature of the threats. There is a call for an international outcomes-based approach to governance and regulation, to demonstrate the challenge of global cyber governance amid conflicting visions and approaches, and to set out the strategic direction of where we go and where we want to be.
The UK could lead the way. The UK’s National Cyber Security Centre is raising resilience in both corporate and government arenas and deepening its intelligence exchange. However, the task is so immense that the Government alone do not have the resources to face up to this issue. The solution lies in partnership—essential partnership between public and private sectors, and between states and agencies.
Another challenge is to agree cross-border rules of the game and the legal framework to enshrine them. There are too many gaps and inconsistencies between the way that different agencies collect, process and use evidence. Threat intelligence, for example, should not be beholden to the vagaries of political impasse. Cybercrime networks are international and have merged with organised crime covering terrorism, human trafficking, drug trafficking and child abuse. A keyword throughout should be “awareness”; government should work to ensure businesses are aware of the manifold initiatives and their contribution to them, and convince them of the need to view cybersecurity skills within businesses as a priority. Lack of skilled workers makes this harder. Can the Minister set out measures that will fill the shortage of the necessary skills and so put us in a stronger position in years ahead? The UK has become a leader in the use of outcomes-based regulation to influence the right behaviours. The approach taken with GDPR, the NIS directive and the ONR’s approach to nuclear cybersecurity suggests that the UK is creating the right environment.
While the UK has embraced and is implementing GDPR, other major states both inside and outside the European Union have been slow on the uptake. Cybercrime requires a united global response, as no single Government can act alone. As we prepare to leave the EU, we must call on international partners through groupings such as NATO, the Five Eyes, the UN and the Commonwealth to legislate more effectively. HMG should underpin international action and exert influence by investing in increased partnerships, including developing relationships with new partners to build on the levels of cybersecurity and protect UK interests overseas. The Five Eyes co-operation pledged at the end of August to make greater effort to attribute cyberattacks. This is welcome. The alliance has pledged to share more information between its cyber watch offices and, further, has plans to share risk assessments and certification practices to secure supply chain vulnerabilities.
The Commonwealth is embracing cyber development: the Commonwealth Cyber Declaration sets out a pragmatic vision for a free and open internet across the Commonwealth and a shared desire to build more resilient digital economies. The UK has an opportunity to share with Commonwealth countries the outcomes-based regulatory approaches that we are adopting to drive cyber resilience. Rwanda’s 2020 CHOGM will offer a milestone for what progress has been achieved. On a point of detail and given the increased importance of the Commonwealth in a post-Brexit world, will the Minister share an update on how the UK’s £15 million commitment to help review the national cybersecurity capacity of Commonwealth members and improve their capabilities has been spent to date, and detail what private sector innovation has been brought to bear?
It is understood that NATO formally recognises cyberspace as the new frontier in defence. The UK has offered both support and leadership to the establishment of NATO’s new cyber operations centre in Mons. This centre will not be fully operational until 2023, leaving unanswered fundamental questions regarding UK doctrine, capability and capacity in this intervening period. Can the Minister therefore outline what the UK’s position is for these gap years?
In addition, and within the military space, the UK and NATO cyber doctrine does not include a sufficiently common approach, including the underpinning doctrine that informs and directs supporting and enabling activities. It is perceived that the UK, extending to NATO, demonstrates an interoperable capability gap. It is felt that in adversarial activity we are outmatched due to being outnumbered but, more importantly, being doctrinally outmanoeuvred.
On the international front, Russia’s capabilities and techniques are well-documented. Considerable emphasis is placed on internet and related higher education. The Skolkovo Foundation in Moscow and the emerging Innopolis facility outside Kazan have active programmes further to develop internet technologies and offer a programme of start-up partnerships, which extends globally. Interestingly, the two driving forces behind the Innopolis city both attended Manchester University. In addition, the opening of a cyber school, as a centre for advanced cybersecurity education, was announced last night. The school will offer a variety of hands-on education programmes tailored for a wide range of people with different levels of cybersecurity qualifications and skills, from school and university students to cybersecurity experts. It is a useful idea that we should replicate in the UK.
As much attention has been focused on Russia in recent years, I will turn more specifically to a country that is fast assuming the mantle of world leader in cyber development: China. Its President has outlined plans to turn China into a cyber superpower. Through domestic regulations, technological innovation and foreign policy, China aims to build an impregnable cyber defence system and, increasingly, a separate government-controlled internet. State-led efforts in that country are central, with a focus on innovation in artificial intelligence, quantum computing and robotics, among other technologies. The Cyberspace Administration of China has responsibility for controlling online content, bolstering cybersecurity and developing its digital economy. Its investment in research and development now stands at 17% of global R&D spend.
However, Chinese policymakers are increasingly wary of the risk of cyberattacks on governmental and private networks, which could disrupt the control of critical services and impact economic growth. China has created an interlocking framework of laws, regulations and standards to increase cybersecurity and safeguard data in governmental and private systems, with surveillance a key feature, aided by facial and voice recognition software and artificial intelligence. It has required companies—this has become a trend—to store data within China, where the Government will have few obstacles to accessing it. Others adopt similar arrangements. It should be noted that that access compounds the potential for abuse and corruption by state interests.
Those who will lead in fundamental and applied research into quantum physics, quantum cryptography and quantum blockchain development will develop an edge. The night before last, I attended an artificial intelligence session promoted by the China APPG, together with the Chinese embassy, centred on the theme of potential partnership between our countries. The importance of the development of secure communications infrastructure by looking to the developments of quantum is the route forward and presents opportunities for the Government and the private sector to benefit from secure conferencing and secure data transfer.
That said—and this illustrates the overall environment—although quantum computers are still in their infancy, organisations such as the NIST estimate that mature quantum computers will be able to crack our public key encryption infrastructure within 15 years. So the race is now on to develop hybrid solutions to protect current and future data from the power of those quantum computers. Failure will rest with the international community if it does not come together with a collective approach to pass regulation and standards in the form of an international treaty or agreement.
So what should be done, and by whom, to rein in cyber threats? UN Secretary-General Guterres recently commented:
“I think it’s high time to have a serious discussion about the international legal framework in which cyberwars take place”.
Yet the last UN discussions by a group of experts took place in 2017, with no consensus being reached. However, the UN is the best forum to deal with this. I encourage the Secretary-General to grab the bull by the horns.
With all that as background, where should we go from here? I venture 15 specific initiatives, in no order of importance. These are: to support a call for a global move to outcomes-based regulation and legislation, as opposed to the mandating of standards, to form a regulatory framework that forces dialogue between friends and foes alike; to implement initiatives to limit inappropriate meddling that sows discord, either domestically or from abroad; to enable enhanced co-operation within the public sector and continuous dialogue with the private sector; to recognise that the private sector will play a central role in future international cyber governance; to establish a mechanism whereby financial services institutions are enabled to share information and intelligence, and work together more quickly and effectively; to encourage further development of the cyber-insurance industry to bridge the gap between the identification of liability and the lack of data consistency; to define a universal understanding of “cybercrime”, “cyberattack” and “cyber threat”; to promote Governments coming together through the United Nations to take an approach that treats cybersecurity in a sphere of its own; to strengthen the incident response functions of the NCSC and, in doing so, provide clearer guidance on what a reportable incident actually is; to promote advances in the practical application of quantum physics to achieve secure communications channels; to establish a cyber school for advanced cybersecurity education; to place maximum endeavour in technical co-ordination and information sharing; to encourage financial services to take a peer-to-peer approach to tackling cybercrime, starting with greater dialogue between major banks; to encourage international cybersecurity information-sharing partnerships and further support sector-specific information-sharing centres; and finally, but possibly most importantly, to promote global discourse.
I conclude with five questions to the Government that I shall place as Written Questions today to allow the Minister appropriate space to respond fully. For the record, they are: what is the Government’s definition of a cyberattack and who will decide on the response? What are government departments doing to achieve agreed outcomes in cyberspace? Have those departments developed robust mechanisms so that there are parallel agreed outcomes across all ministerial silos? What role should the private sector play in assisting the Government with cybersecurity? Finally, but importantly, will HMG outline their achievements to date on the recommendations of the Joint Committee on the National Security Strategy’s report Cyber Security Skills and the UK’s Critical National Infrastructure?
I end where I began: if this debate achieves little more than assisting in underpinning the essential need for acute awareness of these critical issues, I believe we will have done our duty. I beg to move.