Cyber Threats - Motion to Take Note

Part of the debate – in the House of Lords at 12:28 pm on 18th October 2018.

The Earl of Erroll Crossbench 12:28 pm, 18th October 2018

My Lords, I will make a few remarks. When I read the excellent briefing note from the Library, I was trying to think about what one could add to it and how one could think about it in some other way. I declare two interests. First, for some years I have chaired the Digital Policy Alliance—EURIM—which was referred to by the noble Lord, Lord Lucas. It looks at whether the effect of legislation and regulation on the public and companies is what we expected when we passed it in Parliament, and it also tries to think ahead about things that are coming in the future, which the noble Lord referred to. A lot of these things that we are worrying about now have been known about for a long time: the reports on security by design, the threats, et cetera. Secondly, I am an adviser to PRIVUS Global, which produces ultra-high secure communications for companies and people who can afford it. I declare an interest in that area as I will refer to such things later.

The report is very good on technical approaches although I was surprised that it did not mention the Five Eyes collaboration, which is probably one of the best collaborations since it works globally. A lot of our intelligence has to be global, not just with Europe and our neighbours—the internet is completely global after all.

There are two sorts of things we need to worry about. One is state action, where people try to bring down critical national infrastructure or spy. Those actions are different from the other lot, which involve fraud against companies or individuals. They can cross over a bit as one might affect the other. WannaCry was a good example of that; I always wondered whether it was a Bitcoin marketing ploy, because I seem to remember that the ransom was demanded in Bitcoin, which gave it some value at last. That is just another of my cynical looks at how these things work, and I am sure it is not quite right.

This is the trouble. I remember that very early on in my computer days—a long time ago, when we were talking about passwords and things—someone asked me: “How would you break into Fort Knox, how would you attack it?” I replied, “I don’t know”. He said, “Steal the key”. That is always the secret. It comes down to people, because to steal the key you just need to know the person with the key to the back door or whatever it might be. Some of this is about education, which is well referred to in the report. I was interested in a couple of phrases. It said, for example, that we should,

“focus on aptitude, rather than high-level academic qualifications”.

This is interesting, because people who write good software are often slightly—or very—dyslexic. All my children are dyslexic. I did not think I was, but I realise now that I have the abilities of a dyslexic to visualise multi-dimensional arrays and see maps; I do not remember sequences of command but draw a map in my mind. I visualise the data I am handling. The visualisation of patterns—looking for patterns—is something that dyslexic people can supply.

When you are trying to break in and attack or something, you are looking for the pattern. When I was taking over programmes in places where programmers had left—I did quite a bit of that—I would try to work out how they thought, and then understand how to solve the problems they had left in the programmes or develop them further. That is not a thing that a procedural thinker usually has. They are trying to think in terms of process and procedure, and it is difficult to understand how someone else thinks if one does that.

Another area is teaching the teachers. This is very difficult as teachers are, by definition, not the latest generation. On the other hand they have a huge amount of knowledge and information which the student lacks, through lack of life experience. Melding the two things is very difficult, as is finding the time to keep up to date. I am no longer able to keep up to date with everything, although I understand the principles well enough to grasp the areas I want to grasp moderately quickly.

You cannot keep up with everything, so how do you decide who does what? I remember being interested in agile computing for more rapid development. I went to a lecture and the chap giving the lecture, who was a teacher, reduced the whole thing to procedural programming within about 10 minutes, by saying you had to have fixed steps and fixed everything else. I thought, “You don’t get it; you don’t think the same way”. This brings us back to the problem of how we teach the teachers.

The most important thing is to educate the general public—who include employees and everybody else—in how to spot something that looks odd. When I get an email from “Lord So-and-So” or “James Younger” or whoever, I look at it and notice the email address. The first bit with the name might be right but after the “@” it suddenly looks weird. You know immediately that it is not genuine. They have simply spoofed the name; they have not even hijacked or hacked him. If you hover over a link you can see at the bottom where it is really going. You start to spot the first slash and work backwards to see whether it is genuine, or whether someone is spoofing Barclays or whoever.

These are simple things, but I do not know how we can get it across to people to spot simple things. At home they are now very good at it as we have educated the people there. We are talking about the simplest of levels; we can stop a lot of the phishing attacks this way. You have to ask yourself whether something looks a bit odd or is too good to be true—or you should ask “Why me?”. Do noble Lords remember “ILOVEYOU”, which went round the place? When I first saw it, I thought, “I wonder who that is? It sounds nice”. But then I thought, “Hang on, five of them inside Parliament—that’s a bit unlikely”. I checked and, sure enough, there were a number of fairly senior people who thought they were God’s gift. It is very interesting because it preys on human vulnerabilities.

I want to talk about single points of failure, which takes us on to the need for surveillance of all the bad guys and questions about government back doors into stuff. That worries me. I remember someone saying, “You don’t have allies; you have interests”. People who are your allies today will not necessarily be your allies tomorrow. Things shift globally the whole time. Another challenge is that your political allies might be your trade competitors, chasing the same multibillion-pound contracts elsewhere in the world. So your shared intelligence may be a vulnerability for other parts of government. If the bad guys can get into the centre of it all, you have a real single point of failure, and no one should say that it cannot happen. We have only to look at the Cambridge spy ring, or Gordievsky, or Edward Snowden and the Pentagon papers. They were all great disasters because someone centrally got access to it all. Effectively they had stolen the key—or, in the case of Gordievsky, re-stolen the key.

Secure communications are essential, particularly for trade. If you are doing multibillion-pound negotiations, you do not want that leaking anywhere. Legal firms need secure video, secure text and well-encrypted documents and so on in relation to their contracts. I was horrified by how little attention is paid—unless a large company insists on it—to the problem of hacking the contracts of some legal firms. What goes across a lawyer’s desk is highly sensitive. If someone discusses with their lawyer something that might have involved them personally and that leaks, it could have secondary effects, such as blackmail. That is how you steal the key: you can blackmail people very easily.

With regard to treaty negotiations, I am amazed at how little has leaked from Brexit. The Evening Standard says one thing one day because it is very anti-Brexit, and then the next day we hear from somewhere else that a breakthrough has been announced. It is very interesting, anyway, and I am quite impressed.

People point out that a Government lacking a back door into communications can help terrorists and criminals. That is true to a certain extent, but it is not a good idea to have a back door that you can trawl through, and we do not allow it anyway. That might give people a bit of succour, but if you have targeted surveillance you might well find that there are other ways of doing it if you do not have other clues. The ultra-secure systems could be limited to only very secure companies and individuals whom you know. Effectively, it is a case of “Know your client at a high level”. There are ways of dealing with this, but personally I feel that, for the amount of good it will do in catching criminals, having a back door into these things is much more dangerous.

My last point is that money is very often the motivator. Sometimes when lecturing on cybersecurity, I say to the security guys, “For goodness’ sake, don’t allow yourself to be bribed for too little. If you give these keys away for too little money, you will probably never work again—that’s the end of it—so you have to make enough money out of this bribe to be able to retire for the rest of your life. You will also have to buy new friends, because a lot of your old friends won’t talk to you”. So you are going to need about £200,000 a year net of tax and expenses. I am putting the figure fairly low because most people do not have high expectations. It will probably be about two to four times what they are earning at the time. I reckon that in the long term—I know this from running financial systems—you get 2% net, so you need about £10 million invested in the bank.

The next thing I know, from the way my trusts were mishandled in the 1970s, is that you can lose half their value overnight when your advisers call it wrong. So you need £20 million to start with if it is to see you through your life. I reckon you then need another £5 million to buy your new house, your new car, your yacht and all the other bits and pieces. That is £25 million. If I can persuade people of that, I will have made the world a much safer place, because most people are not going to pay that to bribe someone.