The Minister for the Armed Forces (Mr Mark Francois)
I am sure that the whole House will wish to join me in recognising and thanking those members of the armed forces, both regular and reserve, who have been engaged in preserving lives and protecting property in those communities across the United Kingdom that have been struck by the recent storms and floods. They have provided very good service and we are immensely proud of them.
May I also welcome the hon. Member for Makerfield (Yvonne Fovargue) to the Dispatch Box? Although she has been on the Opposition’s defence team for a while, this is the first time we have debated together directly, so I would like to welcome her to her post formally. I will do my best to answer at least some of the questions she asked in her speech.
I would also like to thank my right hon. Friend the Member for North East Hampshire (Mr Arbuthnot), the Chair of the Defence Committee, for introducing the debate so ably and the 11 right hon. and hon. Members who have taken part so constructively. I have read the Committee’s report, which was published early last year, and the Government’s response. I will seek to address some of the Committee’s concerns and report to the House on our recent progress in this important field.
It might interest Members to know that the term “cyberspace” is usually credited to the 1980’s science fiction writings of William Gibson. He used it as a buzzword to describe an all-pervasive virtual realm. Although there are many interpretations, we generally use the term to mean the interdependent network of IT infrastructures and the data that move therein. Cyberspace has become an essential part of most of our lives, from communications to shopping, and from life saving to war fighting. In 2013 some 21 million households in Great Britain had an internet connection. That degree of connectivity clearly has security implications that we cannot ignore.
Although the MOD runs its own cyber-defence programme—I will say more about that later—the defence of our national cyber infrastructure begins within central Government, with the Cabinet Office playing a key role, as it does with all potential crisis management situations. All public and private sector organisations have a stake in addressing the threat, across international and domestic boundaries. To co-ordinate that effort, the Government created the Office of Cyber Security and Information Assurance within the Cabinet Office, which runs our national cyber-security programme. Alongside the Cyber Security Operations Centre, OCSIA works with other lead Government Departments and agencies, such as the MOD, the Home Office and GCHQ—the hon. Member for Cheltenham (Martin Horwood) rightly paid tribute to his constituents there and the skills they have.
The national cyber-security programme is backed up by £860 million of Government investment from 2011 to 2016. That comprises an initial £650 million allocated across Government at the time of the strategic defence and security review and an additional £210 million investment announced by my right hon. Friend the Chancellor of the Exchequer following the 2013 spending review. Moreover, given the seriousness with which we treat the cyber threat, since the Committee’s report the Minister for defence equipment, support and technology, my hon. Friend the Member for Ludlow (Mr Dunne), announced in July 2013 that, on top of the money allocated to the MOD from the national cyber-security programme, the MOD has allocated a further £70 million over the next four years from within our own budget for improving our cyber-defence capabilities.
The MOD’s key priority is to keep our own networks and systems defended and operational, so that if a crisis occurs we can continue to operate with the same efficiency and professionalism required on the battlefield. That does not mean that we cannot help in other ways, but the situation prevailing at the time will dictate how, when and if military assistance would be called upon.
A number of hon. Members asked about MOD structures, as indeed did the Committee’s report, so perhaps I can provide some clarification. Since the Committee’s report was published, the Chief of the Defence Staff has issued direction to the four-star commander of Joint Forces Command to empower him as the defence authority for cyber. On a day-to-day basis, that responsibility is delegated to the three-star Chief of Defence Intelligence in his unifying role to plan and develop cyber capability. Under CDI sits the joint forces cyber group, stood up formally in May 2013 to deliver that capability. The joint forces cyber group plans and directs the activity of the joint cyber units at Cheltenham and Corsham, including the reserves.
The senior responsible owner for the defence cyber programme is the two-star director for cyber, intelligence and information integration, currently Air Vice-Marshal Jonathan Rigby, who gave evidence to the Committee’s inquiry in 2012, and remains accountable to the Chief of Defence Intelligence for those responsibilities. I hope that that helps provide absolute clarity about the chain of command.
Our armed forces use some of the most sophisticated equipment in the world. The downside of the capability we possess is the potential exposure to emerging threats from our adversaries. We have to see those as an intrinsic part of modern military operations and put measures in place to mitigate or deal with them. The Global Operations and Security Control Centre, or GOSCC, is a key part of that protection, with its mission to ensure that we can operate and defend our networks.
I was pleased to read in the report that the GOSCC’s performance impressed the Defence Committee, which said that it should be held up as “a centre of excellence.” I agree. I visited the centre recently and was struck both by the ability of the personnel and the interplay with the embedded industry professionals whom they work alongside.
The Committee also rightly identified the importance of promoting good cyber-security practice. I fully accept that technology is only one part of the equation; we need the right people to do the right things. As cyber professionals often say, the majority of the threat that we face could be overcome by good practice on the part of our people. That point was well made by my hon. Friend the Member for Filton and Bradley Stoke (Jack Lopresti); we Front Benchers are also pleased to see him back here on good form.
At the time of the Government response to the Committee’s report, we had already recognised the need for good practice and had included a specific cyber module in our mandatory training for defence personnel. Since then, we have gone further and developed a cyber primer—an easy-to-read, unclassified book that introduces personnel to the subject of cyber, particularly in a defence context, and is provided for all defence personnel to use.
In its report, the Committee noted the importance of exploring options to develop military capabilities. Since then, the Secretary of State for Defence has announced, on 29 September 2013, that Britain will build a dedicated capability to counter-attack in cyberspace as part of our full-spectrum military capability. As we set out in the strategic defence and security review, the UK views cyberspace as a domain in which we can carry out military operations to support national objectives, as we would on land, at sea or in the air. The hon. Member for Merthyr Tydfil and Rhymney (Mr Havard) asked questions about the legality of that. I reassure him and the House that we are looking to develop a range of cyber capabilities that would be used in accordance with the well-understood laws of armed conflict and, more generally, would comply with domestic and international law. Any capability that we develop must be used legally. We are mindful of that.
Mr Gray
The Minister is making an extremely interesting and useful speech. In the context of the offensive use of cyber, does he believe that there can be such a thing as deterrence in the cyber world? Is there a way of finding out who the enemy is and deterring them by threatening the use of cyber-warfare ourselves?
Mr Francois
A complicating factor is that it is not always immediately apparent where an attack may have come from. Sometimes it is possible to establish that a little later, but it cannot always be done instantly. That needs to be taken into account. However, I believe that the possession of a cyber capability that allows us to strike back could act as a deterrent to potential adversaries—not only in cyberspace but potentially against more traditional threats.
A number of Members have asked about how industry fits in, including my hon. Friend the Member for Reigate (Mr Blunt) and the hon. Member for Inverclyde (Mr McKenzie). Private industry is and will remain a key partner in cyber-security. A secure supply chain is vital for the business of all public sector delivery, and that is no less the case in defence. Our armed forces depend on a wide range of equipment and services provided by industry. As part of the NCSP, the Government are working closely with industry to ensure that it is aware of the changing nature of the threat and has effective counters in place.
The hon. Member for Makerfield asked for something specific to the Ministry of Defence. I am pleased to say that in addition, in July 2013, the MOD launched the defence cyber-protection partnership. That bespoke initiative aims to meet the emerging threat to the UK defence supply chain by increasing awareness of cyber-risks among our contractors and suppliers, sharing threat intelligence, and defining risk-driven approaches to applying cyber-security standards. In short, we already have something that is designed specifically for military and defence contractors and they are entering that programme.
Technology is only one part of the equation. People are essential. We know that the number of deep specialists and experts in this field is limited, and that all organisations, both public and private, are looking to recruit from that supply. However, defence can offer an exciting opportunity for experts to put their skills to use for the nation through the formation of the joint cyber reserve. Some hon. Members asked about that, and I will provide an update.
Recruitment to the joint cyber reserve commenced in October 2013, and there has been healthy interest. I cannot tell the hon. Member for Bridgend (Mrs Moon) how many of the applicants come from the Department for Work and Pensions, but I respect her assiduous work, as ever, in collecting statistics, and I have often been on the receiving end. I assure her and the House that we have recruited the first cohort of cyber reservists, and their training will commence in the spring.
On the basis of the healthy interest so far, we believe that within the next two years the cyber reserve will be fully operational with reserve personnel recruited, trained and operating alongside their regular military and civilian colleagues in the joint cyber-units at Corsham and Cheltenham, and in the information assurance units.
Mr Brazier
I am sorry that I have had to be out of the Chamber for a long-standing engagement. Will my right hon. Friend confirm that the cyber reserve includes two long-standing squadrons that have been around for six or seven years and were part of the specialist group, the Royal Signals, and that those squadrons will go intact into the new set-up?
Mr Francois
My hon. Friend has raised this issue with me before. He asks a specific question about two specific squadrons. I believe that what he asks is the case, but I will write to him to confirm it. The House knows that he is the world’s greatest living expert on this matter, and I do not want to be the man to give him a wrong steer.
The cyber reserve offers individuals the opportunity to be part of the proud history and ethos of our reserves while working in a cutting-edge, technological field. The hon. Member for Bridgend asked about the effect on reservists if they travel to other countries. I will look into the good point she raised, and will return to her on that.
Cyber crosses national boundaries, a point that my hon. Friend the Member for Beckenham (Bob Stewart) made clearly, and so too must our view of this new domain. It is, therefore, essential that we work with our allies to ensure that we are not only able to operate with one another, but are aware of common threats. We are already working closely on cyber with our long-standing international partners, particularly through a defence cyber-contact group that includes the US, Australia, Canada, New Zealand and ourselves—the traditional “Five Eyes” partners.
Thomas Docherty
Before the Minister moves away from personnel, what lessons are being learned about recruiting regulars and reservists from the IT world? He seemed to skip over that.
Mr Francois
This is a wonderful opportunity to recruit IT specialists from the civilian world to the reserves, but we have learned that this is a specialised area of work and we are looking at ways of extending the careers of people who work in cyber. For example, in the military, people might normally do a tour of two or three years and then move to a different position. We are looking at options for allowing people who work in this field to do longer tours of duty so that we can fully exploit the detailed expertise that they develop. We are looking at the matter carefully.
My hon. Friend the Member for Bournemouth East (Mr Ellwood) asked about NATO co-operation. The UK is proud to be part of the NATO co-operative cyber defence centre of excellence in Tallinn, and the MOD has already seconded a member of our cyber team to work there. I should tell the Chairman of the Select Committee that the Committee cannot take all the credit for that, but it can certainly take part of it. Furthermore, we have increased our co-operation with the NATO computer incident response capability based in Brussels by joining the malware information-sharing platform and the multinational cyber-defence education and training project.
I assure the House that we are taking cyber very seriously in our defence planning. We are integrating cyber scenarios into our cross-defence exercise programme and combining it with the other domains of operations as part of full-spectrum planning, alongside land, air and sea. The cyber piece is becoming integral across the spectrum of military activity.
Mr Francois
I think I should conclude because we have another debate to come.
Cyber remains a relatively young domain. Many advances will continue to come online and change the way we live our lives. While this brings new opportunities for better understanding, collaboration and innovation, we must be alert to the risks and threats as they emerge. We are striving to do both within the Ministry of Defence. It is not a task for the fainthearted, but one we must undertake none the less. The Select Committee urged us to take these threats seriously. I hope I have been able to demonstrate to the House that we do take them very seriously, in defence of the realm.
Question deferred (Standing Order No. 54).
Department for Communities and Local Government