My Lords, I congratulate the noble Viscount, Lord Waverley, on instigating a debate on this important topic. We have had a mention of Drake’s drum, so it would be remiss of me not to mention the Battle of Trafalgar, which took place this week, 213 years ago—no cyber there, I have to say.
I had the privilege of being the UK’s first ever Minister for Cyber Security and produced the UK’s first cyber security strategy in 2009. Then, very few people acknowledged the risk. There is no such problem today, because the word cyber is on everyone’s lips. It is a huge topic, as we heard from the opening speech of the noble Viscount, and I shall raise only two points.
Cyber security has become shrouded in mystique and fear. Threat awareness is too often tilted dangerously close to scaremongering. We ignore the basic reality that cyber security is about risk management, and it is well within our capabilities to manage that risk. But it must be owned by all of us. We need to understand the risks and take simple actions to manage them.
One thing that the most sophisticated and the low-sophistication but more prolific attack have in common is that they tend to exploit basic weaknesses in defence, so the most pressing need and strategically important question is to find ways to raise the basic defences of organisations throughout our country and across the world. That is why I am delighted that the NCSC has started to implement its active cyber defence programme. The NCSC is an amazing set-up and has done incredible work. This gives a framework for UK cyber security that takes away most of the harm from most of the people most of the time. It is identifying ingenious solutions to spoofing—it has done that on a huge scale already. It involves partnerships such as threat sharing with CSPs, which already block tens of millions of attacks automatically every month.
It recognises the importance of the individual in all this, which is my first point. We have not made it easy for our people. We must be serious about understanding the human being and stop blaming humans for being the weakest link in cyber security: they are the most important. They often are weak but we should not blame them for that. Human factors techniques can maximise human performance while ensuring safety and security. We must design technology that fits a person’s physical and mental abilities: in other words, fitting the task to the human, not the other way around. There must be much wider recognition of the importance of the user.
In the active cyber defence programme, one of the drivers is that users had guidance fatigue. I am not surprised: there was always something they were doing wrong, had not done or should not have been doing. My children tell me that all the time when I am on the computer. Basically, we want to make it easy for people to do these things. That is why there was a change to the unworkable password guidance. Now, we encourage people to protect heavily what they cannot afford to lose and do what they can with everything else. My goodness me, look at these passwords! If you want to get a train ticket, go to the opera or do anything, you have to have a bloody password—sorry, you have to have a password. It is a complete nightmare.
We need to make sure that everyone using a network understands easily how to use it safely. This is just as important as investing in network security technology. Networks have users, and if users cannot do their work effectively while understanding how to do it safely, security is compromised.
My second point relates to our nation’s move towards 5G and the inherent risks in how we are moving forward. The Huawei equipment fitted in our communications systems is a perfect conduit for the exfiltration of data and, as newer systems have come into operation, updated remotely by software from China, so our experts have found it increasingly difficult to be sure that they are constantly safe for use. In view of the ease of supply, cost and quality, the decision was that Huawei equipment should be used in UK systems, and I think that that decision was correct when it was made. It is clear that Huawei is very conscious of security concerns and has tried to alleviate them by more openness and by employing UK experts, many from GCHQ, to monitor its equipment on our behalf.
However, that does not remove all my concerns, and events have moved on. Huawei is set to lead the global charge into 5G, originally in conjunction with another Chinese company, ZTE. Huawei, of course, is not owned directly by China, but ZTE is, and Huawei has signed a deal to provide the next generation of mobile broadband kit to British Telecom. Yet the Huawei Cyber Security Evaluation Centre, overseen by GCHQ, has identified issues with Huawei’s engineering processes that lead to new risks in the UK telecommunications networks. Indeed, GCHQ says it cannot guarantee their security. In addition, GCHQ has effectively banned the use of ZTE by UK firms. A letter was produced saying that we should not use it.
Bearing in mind the huge impact of banning ZTE and Chinese companies in foreign policy, BEIS and trade terms, I ask the Minister: was this a Cabinet decision, or was it made by an official in GCHQ? Fifth-generation mobile services will eventually underpin the new digital landscape, as has already been mentioned. It will transform lives and economies as data analysis, artificial intelligence, the internet of things and quantum computing permeate all areas of human endeavour. We are hoping to start the move towards 5G next year—indeed, we need to. We have to get ahead of all this, particularly with Brexit. We are good at these things, and we need to get ahead.
These changes will bring huge benefits to us all. They will transform healthcare, create smart, energy-efficient cities, make work lives more productive and revolutionise the relationship between business and the consumer. But they bring risks that, if unchecked, could make us more vulnerable to terrorists, hostile states and serious criminals.
I have no doubt that China’s dominance of the technology that will power the next generation of superfast mobile broadband threatens to leave the UK vulnerable to Chinese espionage. However, we probably need to use it so we must identify means of ameliorating the risks. As an aside, I am also very concerned about the spread of Chinese Hikvision equipment, thousands of pieces of which are already installed across the country and connected to our networks. They will all be enabled by 5G. There will be not only cameras, but sound as well. They will sit in every office, see everything on every desk and record everything that is going on, once 5G is linked.
Is the Minister happy that a part of the parliamentary estate is scheduled to have Hikvision installed in January next year? I believe that there is an urgent need to have a small cell set up in the Cabinet Office reporting through the National Security Adviser directly to the Prime Minister to establish what level of risk the UK is willing to accept and to advise what amelioration is required. Banning Huawei and other Chinese firms totally is not a realistic option. Resilience, not IP theft, is our major concern.
Finally, I ask the Minister: is work going on to consider early, robust and fair solutions to what is a global challenge of balancing investment, trade and security, as we will have to protect some parts of our infrastructure by exclusion?