The Minister of State, Home Office (Baroness Neville-Jones)
My Lords, I join other Members of the House in thanking my noble friend Lord Jopling for introducing this debate and for his committee’s report. It has enabled us to have what I think has been a rather wide-ranging discussion of the issues. He rightly said that it is one of the first extensive debates we have had on cyber generally and, in particular, on cybersecurity. I join noble Lords in welcoming the two noble Lords who made their maiden speeches and say how valuable their comments have been. We look forward to further discussions, and no doubt we will be talking about this subject in the future. I think that we have a House that has a considerable contribution to make, and our new Members have certainly increased our capability.
I should also like to point out that the noble Lord, Lord Reid, set up the Office for Security and Counter-terrorism in the Home Office which continues to function to this day and plays a central role in counterterrorism generally, while cybersecurity impinges on it. As everyone knows, capabilities for cyber are located mainly in the Cabinet Office, and indeed it was my predecessor the noble Lord, Lord West, under whom the Office of Cyber Security and the Cyber Security Operations Centre came into being. They have provided a central capability in government for the first time, and the Government are building on those structures. I pay tribute to our predecessors for starting down this road; we intend to contribute and to build on it. There is no doubt that the saliency of cybersecurity is increasing greatly.
The first thing we did in the Office of Cyber Security was to make a small but significant move in joining the strategy of cybersecurity and information assurance together. It seemed to us that these were closely related subjects and that it made no sense to keep them separate. Information assurance—which is provided not only by patching but also by people—is a key element in increasing our level of security. In his speech yesterday, the director-general of GCHQ Cheltenham said that we could deal with 80 per cent of our vulnerabilities if we increased good practice. Obviously good practice, to a significant extent, comprises keeping up systems and ensuring that they remain as invulnerable as possible. This also depends upon the human element. It is extremely important that if the Government purport to take a lead in this area—which I believe they should—they should themselves be an example of good practice. So one of the things we will do is increase the emphasis inside government and preach the message of information assurance nationally as being a contribution we need.
One element which has not been mentioned, but which we regard as an integral part of national security, is that we should increase capability in the population as a whole and encourage the use of good practice by ordinary users of computers. Indeed, we should up skill our population and, in particular, the level of expertise that we will need in the future for both maintaining and developing systems. We do not have enough people. A major contribution should come from the academic community, and the Government will certainly support that. I know that the noble Lord, Lord Reid, has a strong interest in that area. It would be a valuable contribution if a good deal were to be said about these subjects; we need someone to talk about them and we should keep them in our minds all the time. This would be a way of incentivising younger people to enter what is and will remain an exciting and expanding domain.
In referring to the SDSR, I am rather constrained by the timing of the debate. In one sense it is very good because it comes at a moment when we are thinking about this subject; unfortunately it comes just before the publication of the SDSR and I am unable to say everything that I would like to. However, I should like to give an indication of the direction of our thinking.
A number of important points were made—including by the noble Lord, Lord Browne, who made the key point that the nature of conflict is changing. Although this certainly applies to the battlefield, in a sense, it also applies to society. There is no such thing as a valid distinction of any real kind between how we deal with the threats and challenges to our country abroad if we do not also deal with them at home. Conversely, in order to diminish their significance and threat to us at home, we need to act abroad—the so-called upstream. In this, cybersecurity is key to our military capabilities on the battlefield and to our navy. It is no good having your carriers protected by your frigates and your submarines if the whole shooting match has lost its communications; it is dead in the water. Similarly, at home, we will not succeed in defeating a cyber-enabled terrorist enemy if our own communications are vulnerable. We need to be able to disrupt them, not them to disrupt us. This is the new national frontier. It offers very exciting, interesting and intellectually challenging opportunities for younger people and it is of great import to the nation.
National security is a totality of security, whether at home or abroad, and cyber is a central element in it. Though I cannot unfortunately give detail, I hope that the House will agree when it sees it that we have given due prominence and priority to the cyber element of our strategy.
Iain Lobban laid out the threat—I shall not repeat what he said, because it was put extremely cogently as well as accurately. However, the threat has a number of elements. There is indeed the threat of state-led espionage, which is theft by states. They are out for our valuable intellectual property, which they can then use for their own ends and possibly turn against us. This is a serious threat. We have also the activities of the non-state actors, who use cyberspace as an enabler. It is our task to disrupt them, too. In both cases, as has been said, you have real difficulty of attribution and, correspondingly, difficulty in knowing how to respond. We need to work on the issue of attribution, because, if we do not, we will never succeed in having a sufficient volume of successful prosecutions to act as a deterrent. However, we should recognise that attribution is quite difficult and that there are other things that we need to do at least at the same time but preferably earlier because they are within our domain. That constitutes better defences, better deterrence and the capability for counterdisruption. We need to be able to patrol our frontier.
There is a feature of patrolling our frontier which is very simple but which points up some the difficulties that we face. When I visited the NSA, it was said to me that relatively few practitioners and security officers in large corporations, and even in corporations which are internet providers, know what the configuration of their system is when it is operating normally and according to the rules. So if you do not know what it should look like when it is operating according to its own rules, you are most unlikely to spot when there is anomalous behaviour. But spotting anomalous behaviour is your first line of defence. We keep on coming back to the need for those skills.
It is a feature of modern, strategic national security thinking that, very quickly, the strategic descends to the nitty-gritty of operation, because you cannot succeed in your strategy unless you go right down into the weeds. It is one of the more difficult parts of the challenges that we face and it is certainly the case in the cyber area.
Clearly, another part of our approach has to be a focus on closing our vulnerabilities. The issue of our approach to the law was raised. We need to bring in law enforcement. I am more cautious about the question of operating within legal frameworks when it comes to trying to regulate the international scene. That is not to say that we can never have a valid convention. Certainly, the idea that we could have a convention that gives us the rules of the road instead of simply codes of conduct is an extremely attractive proposition. But you have to be confident of two things. First, that those who sign conventions will actually then obey their precepts and not seek to go outside them while you observe the rules. Otherwise, you are putting yourself at a disadvantage. Secondly, in that situation, you need to be able to ensure that you can verify what they are doing. It adds to your vulnerability when you have people signing up who may not be entirely trustworthy.
With the old-fashioned, legitimate arms control that I and many noble Lords grew up with, you could go out and verify how many missiles you had because you could count them. This is more difficult. We return to the problem of attribution. I am cautious about the notion that conventions in so immature an area would serve our interests. I am keener on the notion that we seek to close our vulnerabilities and ensure that we defend ourselves adequately nationally. We must also propagate best practice among others who are linked to us and who may be less well equipped. I will come in a moment to international co-operation.
Another part of our strategy is dealing with crime. The noble Lord, Lord Harris, asked whether we are doing enough and the answer is no. We are not doing enough and we have to up our act. We heard that from Sir Paul Stephenson, in terms, a couple of days ago. We have not yet taken a decision on precisely what will happen to the e-crime unit and the position it will have in relation to the National Crime Agency. However, I can say—and I mean this—that it has to be and will be a priority. This sort of crime is theft. It is plain stealing. There is no such thing as victimless crime. People who suffer a major wipe-out through the swiping of their identities can have the greatest difficulty in getting their money back and in establishing their credentials and their financial position again. These are big issues. That is one side of things. We do not know the figures. The potential losses and the span of brackets that we have for the estimates show us that frankly we do not know the full costs because we have very little handle at the moment on the level of losses. It is certainly true that government agencies are becoming rather more conscious and getting a better handle on what they may be losing. As a matter of economic cost to the nation, we are still a long way from understanding exactly what is happening.
Focusing resources on detection and on international co-operation is a crucial part of following any crime chain and this is a classic area where there is international contact and an international link. There are few big scams and crimes that do not have a significant international dimension. An attack that takes place in the United Kingdom could originate in another country, so you cannot bring people to justice without the help of others overseas. The answer is that we are barely at the starting gate and in this whole area the House will agree that we are still doing baby steps.
Points were raised in the debate about the vulnerability of our critical national infrastructure. Our predecessors in office did a great deal of serious work in this area but there is still more to be done. The NPIA—I am not sure that I have got that acronym right, but I mean the agency with responsibility for protecting the national infrastructure, which is the office that springs from the Security Service—has a powerful relationship these days with a number of the really strategic elements in the national infrastructure and gives advice. It has helped infrastructure operators to upgrade their performance.
That brings me to one of the major points that I wish to make. I was asked whether we are doing well enough in these areas. I do not think that we are doing badly, but there is clearly more to do. One thing that absolutely stands out when you start to think about cyber is, while the Government must take the lead, where the responsibility will lie. It will lie with the Government, including ensuring that we retain our national capabilities. But we are clearly not going to be able to have an effective national platform, which not only protects the operation of our society but gives us economic advantage internationally, so people decide to invest in the United Kingdom because they know that it has secure communications that they can trust, except in partnership with the private sector. By that I mean not simply getting the private sector to pay or do what we want; I mean a partnership, and developing policy with the private sector. We need to do it at the strategic level, with the direction in which we need to go, and we need both a general and a sectoral approach. We go back to the fact that the strategic level descends extremely quickly to the operation consequence. We need to have a partnership that does both strategy and operational co-operation, whereby the Government’s technical expertise can be brought to bear to help to ensure that private sector operators and companies have the cybersecurity that they and the nation needs for business continuity.
I am trying to paint an approach on the part of Government that is perhaps holistic and which takes all the issues and tries to put them together. We are further ahead in some aspects than others, and when we are not so far ahead we need to catch up. I hope that we have at least analysed what we need to do. There is a significant road to go down.
The noble Baroness, Lady Hamwee, asked about the role of the media, which gives me the opportunity to say something about an important aspect. The media are important as they are our means of communication in these issues. They are also absolutely vital to government in an emergency. One thing that we need to be able to do and which we will do is to exercise—and everybody who has been in government knows just how important exercising is. That goes right across the board. One thing that you come across when you start is that you can conduct very few exercises without the electronic and cyber element being an extraordinarily important part of getting through. Making sure that in and of itself we are testing our cyber capabilities and our vulnerabilities is an important part of underpinning other forms of exercising that we do for emergency prevention and preparation.
I was asked about the role of ENISA and the Government’s attitude to it. There is no doubt about the Government’s support for the continuing operation of ENISA. Its life has not been made easy by putting it in Heraklion, and one could perhaps wish otherwise. I gather that the Greek Government are putting in place some facilities in Athens, which will make it a bit easier for people to get there. It is probably fair to say that they have managed to recruit the staff, although they have not made it easy for ENISA staff to travel. But those who know the Union do not think that it is likely that we will be able to change that, so I think that the fact that there are some offices in Athens is probably the way to build. As for its role, we agree that it has done good work. It is a very small agency with a not very big budget. It is being proposed now that it should have quite a significant increase in its budget. Our view of that is: “Give us the reasons why—a justification. We actually want to see what you think you would do with it”. We agree that it potentially has useful roles in the area of crime prevention and of linking up, in the cyberarea, the role of other enforcement agencies such as Europol, and of making them more powerful and effective.
ENISA can do what we hope to do in the national security strategy, which is to bring the elements together. That is a classic co-ordination role and an important and valuable one in this area, given that the elements at the moment are so dispersed and that the performance between member states is so highly variable. The whole notion of bringing others up, who are not as operational but who can represent a weakness in the system, is an important part of what can be done for us. Your Lordships may be assured that we take ENISA seriously.
Similarly, we take NATO seriously. NATO is developing its concept and there is quite a debate going on, as I understand it, about all those things that might fall under the heading of Article 4—the solidarity article, if I can put it that way. To some extent, cyber falls in that area. Personally, I take the view that I would very much like to see NATO active in this area. I gather that the military committee is now beginning a discussion of what NATO might be doing. That is wholly to be welcomed, as is the possibility of NATO-EU co-operation in this area. We all know that there are bigger issues—or, at any rate, other issues—that prevent that from happening, which are wholly contrary to the interests of the member states of both organisations and the organisations themselves. That is one thing that we have not yet succeeded in cracking.
There is also almost certainly a division of responsibility to be found between the two organisations. Your Lordships will be aware that—and we are not alone in this—we do not particularly wish to see the EU get into things labelled “national security”, although I have taken the view that national security is, rightly, rather a big term and that there will be things that the EU can undoubtedly do to contribute to the success of our collective national security. I believe that NATO will also have a role, which I hope it will seize, because I believe that there are important things to be done, particularly in Europe. That will also strengthen the collective approach.
I am told that time is up. Indeed, I have come to the end. Implicit in all that I have been saying is what a number of noble Lords have mentioned: we need strong international co-operation in international organisations, just as we need bilateral co-operation between the competent agencies.