Cyber Threats - Motion to Take Note

Part of the debate – in the House of Lords at 1:04 pm on 18th October 2018.

Lord Fox, Liberal Democrat Lords Spokesperson (Business, Energy and Industrial Strategy), 1:04 pm, 18th October 2018

My Lords, I join other noble Lords in congratulating the noble Viscount, Lord Waverley, on securing this debate, which has been wide-ranging. It has moved from kettles to China, from spying to crime and to botnet threats. I look forward to the Minister encapsulating the debate in his response. For what it is worth, I would characterise its mood as a slightly uneasy sense that we have been doing the right things but may have to do a lot more. The degree of uneasiness has varied from noble Lord to noble Lord but I fear that I sit at the pessimistic end of that spectrum.

As the noble Viscount set out, we sit in a very complex landscape, and that complexity has been deepened by the speed of change and the degree of complexity and connectivity across our lives. But we should not forget that there is also a huge political dimension to all this. The world is changing, probably faster than many of us have experienced for a long time. The move towards more autocratic leadership in some very important places fosters these kinds of threats and that is why a multilateral approach is absolutely central. Many Peers have highlighted that—not least the mover of this Motion—and I will come back to it.

The other game-changer—I do not think this has been alluded to much—is the asymmetry in the possibility for one individual a long way away to take on a Government or a large national corporation, or at least think they can. I do not think we have seen that situation before, and it emboldens individuals or groups of individuals to do things hitherto not considered possible. The Government have clearly demonstrated that they are seeking to commit on this issue. It is hard to tell how successful this has been, because as the noble Lords, Lord West and Lord Ricketts, and others, have highlighted, the NCSC has been active and—we believe—successful, but we do not see its best work. That is the conundrum with those kinds of agencies; it is defending a negative. But looking forward, I would like to hear from the Minister how the Government support the NCSC and how its role will grow.

Of course, as a number of speakers have said, it is not just about government. Businesses and individuals are all involved and we all have to run very fast to keep up with changes. I had two emails today seeking to compromise my bank account—I am sure most speakers did. At a business level, the noble Lord, Lord St John, is right: it comes to the fore from time to time but very rarely flows from the IT team to the C-suite. One suggestion I would have is that if businesses were required to report—at least partially—the amount of cybercrime they were resisting, the C-suite would be confronted with it on a more systematic basis, and would perhaps do something about it by seeing the benefit of investment in that kind of technology.

This takes us to the critical national infrastructure. Again, I would be pleased to hear from the Minister how the Government believe the CNI community is reacting to the threat. Is it stepping up to the plate and actually moving fast enough? Again, it is hard to tell. Organisations such as the NHS—a part of our infrastructure in a different way—clearly were not investing in IT, and, as the noble Lord, Lord Borwick, set out, it suffered the consequences. We have rail, road, the electricity distribution networks and the other utilities. Where do the Government think we are on the road to resilience? Stepping beyond that, the Government have resolved to work with the communications service providers and industry to make the internet more secure, so what is the progress? What are the landmarks on that journey? The physical architecture of our internet providers is clearly very vulnerable; it sits in green boxes on most of our street corners. Delivery is poorly controlled, as we know. If that is an example of resilience, I am not filled with confidence.

Of course, we have also seen how the private sector has suffered from what I would call self-inflicted problems. That serves as another interesting series of cases. One is the complex and jumbled nature of the technology that many of our largest corporations have. They have layer upon layer, with legacy technology that dates back not just years but decades. Across Britain, some of our most important institutions are built on computer technology that goes back to when I was an undergraduate at university—I have to tell you, that was some time ago.

A further point has arisen around the internet of things and the idea that the boss’s kettle will listen in on important discussions. We can challenge the culture of “Everything always on; everything always in the cloud”. That was not always the case and I do not see why it should always be what we do in the future. As the noble Lord, Lord West, said, the Government have a role in advising individuals where they should put their data and how accessible that data is—24/7 or not at all. We would not stick our entire wealth in a shed at the bottom of our garden, put a bolt on it and expect no one to steal it. So why do we put all our data into the cloud with a flimsy password and expect people not to extract value from it?

However, it is not just about Governments. As I have just alluded to, criminals innovate. International crime is a global free enterprise and an extraordinarily successful innovator. Government is not usually as good an innovator as individuals working in those ways. That innovation then spreads to state actors. We have seen how state actors can take on some of the technology that sits in the dark web and put it to their use. Regulators and government are very slow to react. We have only to look at how Russia sought to disfigure the EU referendum debate to see how slow the authorities have been to respond. We want some sense of how government is seeking to speed up the response to innovation in crime and in state ventures.

The noble Lord, Lord Lucas, highlighted the role of the private sector. The relationship between government and private sector and how technology is adopted are important elements. What do the Government think is the right balance between technology developed in the private sector and technology which government seeks to develop? Who decides what and where the focus should be in what we develop as a government or authority? How do the Government develop meaningful relationships with the private sector? In some cases, companies which have such technology are not those which want to be associated with government. How do we create those relationships?

Once we have the technology, how do we hold on to it? We have seen highly innovative players in our own sphere develop technology which has then been hoovered up by large parts of the internet oligopoly and, frankly, taken out of use for other players. If we need an example, we should look at the three main private sector global companies, which are buying up the patents in blockchain technology. They are taking it out of use for other people for their own uses. I am sure that it is the same for quantum computing as well. How do we hold on to what we have?

Of course innovation is difficult, as many noble Lords have said, but it is about having the right people. The noble Lord, Lord St John, and the noble Earl, Lord Erroll, were right about the need to bring in a broader community of individuals, not least because the sort of people coming out of university and being recruited to the cyber technology sphere are also recruited by a bunch of other people. They are being recruited to be engineers or to be the quants in big banks. They are a sought-after community of people, so we need to broaden our footprint. The noble Lord, Lord St John, talked about drawing in people from the armed services. Something worth looking at is how people are recruited to come in and take engineering degrees. The new university that is starting up in Hereford is changing the approach to recruitment for engineering, which has always been maths dominated—if you do not have a maths A-level, you cannot do it but people develop at different paces and as different sorts. Some of those initiatives are very important, because we have to deploy the full intellectual capability on our side in this country.

On accountability, I do not intend to throw stones at the Department for Digital, Culture, Media and Sport, but is it the right place to co-ordinate the skills, when other ministries hold the education and further education budgets and when we have UK Research and Innovation? Where should the skills portfolio sit? Is the Minister happy that this is the right place for that technology?

The noble Viscount was right to highlight the need for international co-operation post Brexit. The Government are right to try to maintain co-operation, assuming Brexit happens, with the EU 27, but how will it work? Will the EU network and information systems directive be replaced like for like? Will we shadow it? I am sure that the Minister has heard the same questions in respect of lots of other rules and regulations. The question is: how and when? Given that the European Union Agency for Network and Information Security is a legal organisation, how do we subscribe to it when we are not a member of the European Union? It is all very well to say that we have an aspiration for such things; I am more interested in the how and when.

On internationalism, the UK needs to continue to be a key driver in the multilateral approach to these matters. We have mentioned Five Eyes, NATO and the Commonwealth and beyond. We must not let the signals that can be interpreted from the Brexit process be seen as a withdrawing from multilateralism. I believe that the Government are committed to those institutions and working to make them more effective, but an endorsement from the Minister would be helpful.

Today, almost every warp and weft of our national fabric comprises digital communications and digital data. The implications of widespread denial of service have been seen at the very least through what WannaCry achieved in attacking the NHS and what individual businesses have managed to achieve through acts of self-harm. Those are just relatively unsophisticated examples of what can happen; we have heard predictions or worries about much more profound attacks. That is why I welcome this debate and why the contributions that we have heard today are very important. I look forward to the Minister’s response.