My Lords, as other noble Lords have done, I congratulate the noble Viscount, Lord Waverley, on securing this debate. I thank him for giving the House the opportunity to debate issues of immense importance to the country.
I am sure everyone agrees that the threats posed and the risks involved mean that solutions have to be global to tackle the scale, the risk and the complexity of the challenge. There are no borders in cyberspace, no visas and no checkpoints. To meet the challenge, we have to work with partners locally, nationally and internationally, and government has to ensure that by working together we protect the United Kingdom and, with partners, protect the world from the real dangers that it faces.
We have heard in this debate about some of the threats to every part of our life: everything from the stealing of our own personal data to attacks on businesses through ransomware and other forms of cybercrime, terrorism, state-sponsored attacks on other countries’ interests and the threat of military capabilities being taken over, with devastating consequences.
It is good that the Government have developed the National Cyber Security Strategy, have made a commitment to invest nearly £2 billion in cybersecurity and created the National Cyber Security Centre, which has done so much to protect everyone already. However, I wonder whether this large sum of money—and it is large—will be enough to deliver all the protections we will need.
To meet the challenge, we have to work with our partners at the United Nations, NATO, Interpol, the Commonwealth, other organisations we are not members of, such as the African Union, and those we are members of, including the European Union. This further highlights the madness of Brexit when the world is getting smaller and more interdependent, with greater risks, and we risk huge damage in areas of security, as we do in every other part of our life as a progressive, free, liberal, fair-minded trading nation. The Government have identified, quite rightly, that cyber is a tier 1 threat to national security, based on both the high likelihood and the high impact of such an attack. The scope of cyber risks is part of the problem as our world relies on digital technologies in every sense to deliver almost everything we need.
The noble Lord, Lord Ricketts, has huge knowledge of these issues, as the first National Security Adviser. As he said, cyber threats need a whole-society response, across the whole range of threats to the United Kingdom. The noble Lord, Lord Borwick, made important points about passwords and the basic protections we all need to be aware of in order to take proper action to protect ourselves. The noble Earl, Lord Erroll, made valuable points about having the aptitude to see complex patterns and about educating the general public to spot when things go wrong. Often these are things that the general public are not aware of. Too quickly they are drawn into giving up their data, passwords and access—and have their money and data stolen, doing much harm. The noble Lord, Lord St John of Bletso, referred to the dangers posed by weaknesses in the systems and the importance of protecting SMEs from these threats. I also agree with the points he made about simple passwords and other basic security checks, which echoed those made by the noble Lord, Lord Borwick.
My first point is about the scale and complexity of the challenge faced by the world, which I fear is not understood by many. I agree with the noble Viscount, Lord Waverley, about the need for an international, outcomes-based approach to governance. I also agree with the points he made about the need for partnership between the public and private sectors, in addition to partnerships between states, agencies and international organisations. One of the most disappointing things we have witnessed as the internet has developed and changed our lives so completely is the attitude of so many technology platforms, which have so often failed individuals, communities and nations in not protecting people’s data through either poor security or reckless practice. People’s data is entrusted to them but so often making money from the data has been much more important than security or data protection.
The noble Lord, Lord Lucas, made the point that there needs to be proper redress for citizens who have suffered as a result of data breaches. I agree with him. Of course, individuals have a responsibility to protect their own data and to be their own first line of defence—their own first guardians when they go online—just as people have to do when they go about their lives generally, taking simple precautions to protect themselves. But that does not excuse poor practice by technology platforms, or companies involved in information or communications not working together and not working with Governments and agencies, nationally and internationally. They need to play their full role without excuses, helping to deliver the security we all need.
With regard to allegations concerning foreign powers, it is suggested that Russia is one of the main proponents of these cyberattacks that seek to interfere with and undermine elections and referendums here and in the United States and other countries. That is totally unacceptable. The reluctance to look at the referendum on leaving the EU is staggering when you consider the enormity of the decision, and if that decision has been stolen that surely is a matter of grave concern to every democrat. We have to ensure that our elections and referendums are safe, secure and free from unwarranted interference.
There are huge risks to business and our prosperity from cyberattacks. An organisation that I am involved in recently had its whole website cloned as thieves tried to steal information. The thieves were outside the European Union. We have taken measures and boosted our protections to stop this happening again. We are a small organisation and have been able to recover from this, but for a business this can be devastating, not only in the loss of money and income but in reputational damage and potentially the complete destruction of the business as customers lose confidence in its ability to deliver products or services safely. Who will buy products and services from a company that has developed a reputation for serious lapses in security and the protection of other people’s data? The mandatory data-breach reporting under the GDPR is a very good thing and the data generated by this will help the Information Commissioner and the Government to have greater understanding of the scale of the problem.
The large hacks and breaches in companies such as TalkTalk are the ones that get the media attention but, as I said, in much smaller organisations the disruption to operations can be just as damaging. Figures I have seen suggest that cyberattacks cost UK business £34 billion in 2016. But we have to ask: how much is business putting into resilience and preparedness? Is all the effort going into building cyber defences? If you have not prepared well and built a robust structure for the day you get a breach, you have seriously weakened your operation. This leads me back to the point I made earlier about the money the Government are putting into cybersecurity. Is the Minister satisfied that the funds being made available are adequate?
The noble Viscount, Lord Waverley, told us that NATO has formally recognised cyberspace as a new frontier in defence and I hope the British Government have done that as well. My noble friends Lord Browne of Ladyton and Lord West of Spithead have considerable experience in these matters from their previous roles. My noble friend Lord West made the important point about risk management: our weaknesses in basic protections are a huge risk and need to be improved. He also referred to the move to 5G and the decision about ZTE. I hope the Minister will respond to that point when he replies shortly. My noble friend Lord Browne spoke about the threat to our weapons systems and nuclear capabilities. He referred to the report from the United States. He is right to question whether we have the protections in place to ensure that our nuclear deterrent is actually a deterrent. Are we taking the military cyber threat seriously enough? My noble friend’s comments about the risk of hostile forces being able to hack into and take control of our systems deserve a specific response today but also outside the Chamber.
Will the Minister also say something about the ministerial and Cabinet-level response to these threats? Does he think that the National Security Council is nimble enough and able to provide the consideration of these important matters in a proper strategic way? Is he satisfied that we have got this right at the present time and what is the process of review to ensure that we keep up with new developments and potential new attacks? That leads me on to the issue of critical national infrastructure—not only the police and military capabilities but our NHS functions, our transport services and the delivery of food, medicines and power. Can the Minister say something about the ability to repel a cyber threat to critical infrastructure and, as with business, the resilience plans in place to deal with a successful cyberattack?
Finally, this has been an excellent debate. I thank the noble Viscount for tabling this Motion, which has enabled the House to debate an important issue, which I am sure we will return to again and again.