Cyber Threats - Motion to Take Note

Part of the debate – in the House of Lords at 11:55 am on 18th October 2018.

Alert me about debates like this

Photo of Lord Lucas Lord Lucas Conservative 11:55 am, 18th October 2018

My Lords, we face a huge challenge and, as the noble Viscount, Lord Waverley, said, collaboration and innovation are key. This is not something that can be tackled by the security services alone, although they are doing a very great deal. We need to find a way of involving all the resources that the private sector is putting into combating the cyber challenge and binding them into a national effort. That might perhaps be done by working with the insurance industry so that there is a real advantage to companies working with the Government.

This has been a theme of EURIM—the Digital Policy Alliance—for the past 15 years. It would be very nice if the Government were to choose to wake up to it now. I do not think that we have made the progress we should have made on the law as it is applies to joint teams or on the governance of mixed private and government teams to enable such teams to have a real effect in the discussions that take place internationally. This is not going to go away. This is going to be very widespread. We really need to look at ways in which we can collaborate effectively on this.

We also need to look at improving citizens’ rights so that they can have some effective bite-back on what is happening to them. The DCMS Select Committee produced a report on this which I thoroughly support. It included such suggestions as improving the redress under civil law for citizens who suffer as a result of cybersecurity breaches. We may even need to look at bringing back Sir Francis Drake—running down to Plymouth and hitting Drake’s drum—because there is now scope for his privateering activities. Indeed, there are some people out there doing it: stealing goods back from the people who have stolen them in cyberspace. It is a source of great enjoyment and profit to a limited number of people. This activity ought to be regulated in the way that it was under the previous Queen Elizabeth, with prize courts and other things so that rather than the money going only to the privateers, some of it gets back to the people from whom it was stolen.

In this area we have gone back to lawless days. The NSPCC refers to the “Wild West Web”. I think of it more as Dickensian London stuffed with pickpockets and other dangers. We do not venture on to the web on any day without several attempts being made to relieve us of money by gulling us in one way or another. That is not the way that things are in life outside the web. We dealt with that, starting with Robert Peel, some long while ago. We really need to recognise that the Government have a role in making this new cyberworld that we live in a civilised place. At the moment they fail on even the most basic things, such as recording crime. I have made two attempts to report attempted fraud on the internet. The Government refuse to record it. It is only if you are an actual victim—if you have actually lost money—that you are allowed to record a criminal attempt. This is not good enough. The Government need to get a grip on what is going on and on our responsibilities to shield our citizens from this.

Most of my involvement in cybersecurity has been on the training side of things. I am glad to see that the Government are taking effective action in this area; the Cyber Skills Immediate Impact Fund is something that I welcome. There is a lot going on too in terms of private initiatives such as Cyber Girls First, and a real interest by industry in retraining. After all, the talent is out there in older people. The opportunity was never there for 30 and 40 year-olds to work in cybersecurity, but the talent must be out there, lost in hairdressers and baristas. Industry is making a real attempt to go out there and find it, and I am very encouraged by what is going on.

I have a few suggestions in that area to make to the Government. Where training is involved, they really need to place emphasis on pastoral care. A lot of the people who have talent in cybersecurity have a lack of talent when it comes to navigating the world. They tend therefore to immerse themselves in the digital world, and in terms of being part of the world at large need help and comfort—care leavers particularly. There are also problems when children come at this from totally out-of-work families; as soon as you get an apprenticeship, your family loses benefits and therefore you are pulled off the apprenticeship. We have to solve those sorts of problems and look after the children whom we are bringing into cybersecurity work. I have been involved with a project in Plymouth run by BluescreenIT but really involving the whole of the city of Plymouth in response to this problem. It has been immensely effective and I very much hope it is something that the Government will find an opportunity to pick up and spread more widely.

We need to take a grip on the way in which we look at qualifications. Cybersecurity is an international problem. The qualifications for people working in it tend to be international—the US and ICE set, for instance—so it is no good Ofqual wandering off and saying, “Well, we’d like something a bit different for ourselves”. That results merely in delay and training not being done, and we have to recognise that. In this, as in other areas of IT, there is an international set of qualifications and we should work with them.

We need to recognise too in our training that cybersecurity professionals need a great breadth of skill. It is not just about that particular bit of the internet; they have to understand the surrounding bits of IT such as the internet of things and 5G. They even need to understand people. I was told a story the other day of a successful penetration testing exercise that had located the source of the problem in the smart kettle in the boardroom, because the way it was being used meant that it could be turned on to record what was going on and transmit it to people outside. You need to understand the way that people use IT, not just the internals of the IT.

At the moment we are drawing up our training structures in a way that makes that breadth of training very difficult. The levy and the IFA apprenticeship structures are not proving adaptable. This and other problems result from the way in which we approached apprenticeships. We were going to sweep away all pre-existing structures and build anew. Well, building anew is hard and one finds that it creates a lot of problems. I think we need to go back a bit and say, “Actually, there are some things that work and we should be relying on them because we have an immediate need”, rather than hoping that we can build something new that may be perfect in five years’ time. In this area we are meant to be working with industry; we are meant to be industry-led. The more that we can go in that direction and make that effective, the better.