My Lords, this has been an excellent debate and I thank all the speakers who have brought a wide range and depth of experience and expertise to it, not least the mover, the noble Viscount, Lord Waverley, who made a thoughtful introduction and crammed 15 helpful suggestions into three minutes at the end of his speech. A number of themes ran through the debate, in particular the need for partnership. I hope I have not misunderstood the tone of the debate when I say there has been no fundamental disagreement about the thrust of government policy, but some severe warnings and some very helpful suggestions about how we might do better. Some of them were on a highly technical front, and some were based on broad common sense.
I say to the noble Viscount that this is a very timely debate, following the second anniversary of the National Cyber Security Centre and the publication of its 2018 annual review this week, which was launched by the Chancellor of the Duchy of Lancaster, the director of GCHQ and the CEO of the NCSC. It is one of the best annual reports I have seen as a Minister, although I have not risen to the challenge on the last page,
“Can you find the secret codeword?”
As this debate has made clear, protecting the British people, the systems that we rely upon and our very democracy itself is a central responsibility of government. As our digitally connected world has rapidly expanded, so too has the scale of vulnerabilities and the frequency of attacks that we face—a point well made by my noble friend Lord Lucas. It is for this reason that cybersecurity remains a top priority for the Government, because it impacts on our national security and our economic prosperity. I was impressed by what the noble Lord, Lord St John of Bletso, said when he outlined the cost to the economy of lax cybersecurity.
We recognised the need for a comprehensive and active response when we launched the National Cyber Security Strategy in 2016, where we defined a cyberattack—this is in response to the request from the noble Viscount, Lord Waverley, for a definition —as a,
“deliberate exploitation of computer systems, digitally-dependent enterprises and networks to cause harm”.
We set out ambitious proposals to defend our people, deter our adversaries and develop the capabilities we need to ensure that the UK remains the safest place to live and do business online. Those proposals will be supported by £1.9 billion of investment over five years, which was mentioned by many noble Lords, to drive transformation. The noble Lord, Lord Kennedy, asked whether I thought that that was enough. He will know that there is a spending review for 2020 onwards, and I am sure that the concerns expressed in this debate will be taken on board as colleagues move to a decision on future spending patterns.
One of the most visible elements of the strategy was the formation of the National Cyber Security Centre to bring together our very best intelligence and technical expertise in a world-leading authority—the noble Lord, Lord Ricketts, described it very aptly—that will be our single centre of excellence to innovate and create, to work in partnership with industry to block attacks on a scale of tens of millions per month, which was mentioned by several noble Lords, and to blend behavioural science with technical expertise to provide the best advice and guidance for people and organisations to protect themselves.
On our response when attacks get through, the NCSC brings everyone together to reduce the harm from significant incidents, whether that is an attack on Parliament, which was referred to by my noble friend Lord Borwick, or disruption to health services. On the attack on Parliament, I understand that it is unlikely to recur. I have had a note from the chief technology and security officer in Parliament that says that the correct people now get the required detail from Parliament’s Apple account manager to make sure that such a delay does not happen again. Our response is calibrated by the severity of the attack, and the National Security Council will consider the full range of security, diplomatic and economic tools at our disposal.
How we set up the National Cyber Security Centre reflects the single, clear message that underpins our strategy, which has been echoed throughout this debate, that we need not a whole of government approach but a whole of society approach, as the noble Lord, Lord Ricketts, described it. The noble Viscount, Lord Waverley, asked how we are delivering it. The national strategy binds all of government into delivering a set of cross-cutting objectives which require a collective response that reaches out to the private sector and beyond—and, indeed, to other countries, because while we can lead the way, we know that we cannot solve these problems alone. This point was made by nearly every noble Lord who took part in this debate.
On the key subject of skills, which was raised by the noble Viscount, Lord Waverley, and the noble Lords, Lord Ricketts and Lord St John of Bletso, we are already developing a pipeline of talent and inspiring and developing cybersecurity experts and entrepreneurs, whether through our programmes in schools and universities, our work with industry to figure out the best way to retrain career changers with aptitude and ambition and by promoting cyberapprentices. On the specific recommendations of the Joint Committee on National Security Strategy—a question raised by the noble Viscount—the Government have recently submitted their response and we look forward to its publication.
We also are building on our world-class universities and ground-breaking research to establish a pipeline of cutting-edge cybersecurity companies with a range of interventions to incubate and accelerate and to support our innovative companies to export overseas, turning many great ideas into global businesses. This in turn will help other countries to become more secure and will boost the UK cybersecurity industry, which is now generating more than £5 billion for the economy.