My Lords, it seems to me that cyber threats fall into two categories, which are separated by complexity: first, the highly sophisticated attacks, often those sponsored by foreign states; and, secondly, the simpler, basic attacks, often by individuals or small groups of hackers. No doubt we will hear that the large-scale, often global attacks are well fought off by our people at GCHQ, but it is clear that they have a vastly complex task to defend against this sort of problem. A large part of such defence must be deterrence, and I hope that my noble friend the Minister will be able to tell me that we have a sufficient number of people with the requisite skill sets working on this. I also believe that offensive capacity is of the utmost importance; much like nuclear capability, having it makes it unnecessary to use it.
A large number of attacks are pretty basic, such as the WannaCry attack on the NHS last year. I hope that the embarrassed senior managers who supervised the use of obsolete software that could easily be broken, but should have been updated, have been held to account—and that they have subsequently raised their game. Press reports state that some of the machines that were attacked were still using Windows 95. Of course, when faced with intense lobbying from unions and staff, it is always a challenge for the NHS to choose to spend budgets on software over wage increases. But the WannaCry attack reportedly cost the NHS £92 million, which leaves a lot less money for services and indeed future wage increases. Such consequences ought to help managers to get their priorities right.
There is a problem developing that we ought to discuss: the proliferation of passwords, a point made by the noble Lord, Lord West. On a normal day, we may be asked for about 20 passwords and PIN numbers. It is unrealistic for us to keep to the system of a different unique password for each website, service and machine. Certainly, the Californian legislature recently legislated to ban default passwords on any internet-connected device. Anything produced or sold in California that can connect to the internet will come with a unique password, or it will default to require users to make a unique password when they switch it on for the first time. I understand from last weekend’s Sunday papers that the Government are asking the same of our systems. The idea that default passwords such as “admin”, “123” or even “password” are so widespread is obviously worrying, and I have passed on to the Minister a cringingly embarrassing example of this on the parliamentary estate. However, I feel that the solution may be at hand with new password generator programs. They generate complex, unique passwords for the user, and there are even free ones, which can easily be installed.
Regularly updating software is a basic security rule. That was why it was so disappointing to receive an email from the Parliamentary Digital Service customer relations team, as we all did on