Defence and Cyber-security Debate

Department: Ministry of Defence

Defence and Cyber-security

James Gray Excerpts
Tuesday 4th March 2014


Commons Chamber
Mr James Arbuthnot (North East Hampshire) (Con)

Given how long I have been in this House, I really ought to know whether I should be thanking the Backbench Business Committee, the Government, the Chair of the Liaison Committee or you, Madam Deputy Speaker, for my securing the debate. Just to be on the safe side, I will thank them all, and especially you.

Mr James Gray (North Wiltshire) (Con)

I apologise for interrupting my right hon. Friend so early in his speech, but he makes a good point. In the old days, we had regular, sensible defence debates throughout the year, but they are now at the discretion of the Backbench Business Committee, which is a retrograde step.

Mr Arbuthnot

My hon. Friend makes a good point, but it rebounds slightly on the Defence Committee because we have been told that we are responsible for applying for such debates and, I have to confess, we have not done so in recent months, so perhaps we ought to revisit that.

The Defence Committee launched an inquiry into defence and cyber-security in January 2012, as part of a series of debates and inquiries looking into emerging threats. It was the first time the Committee had investigated cyber-security as a discrete topic, although in 2009 we had looked at Georgia and Estonia, and visited Tallinn, as part of another inquiry. The UK Government had identified cyber-threats as one of four tier 1 risks to national security, and in November 2013 published a UK cyber-security strategy, updating their 2009 strategy and setting out four objectives: first, to make the UK one of the most secure places in the world to do business in cyberspace; secondly, to make the UK more resilient to cyber-attack and better able to protect our interests in cyberspace; thirdly, to help to shape an open, vibrant and stable cyberspace that supports open societies; and fourthly, to build the UK’s cyber-security knowledge, skills and capability.

The programme is to be implemented via a four-year national cyber-security programme costing £650 million, and the Chancellor of the Exchequer announced an extra £210 million investment after the 2013 spending review. The funding is shared between the security and intelligence agencies, the Ministry of Defence, the Home Office, the Department for Business, Innovation and Skills, the Cabinet Office and the Foreign and Commonwealth Office, but most will be spent by the security and intelligence agencies.

During our inquiry, the Committee investigated whether the high profile given to the cyber-threat in the UK was matched by a coherent plan and a chain of command in the event of a major cyber-attack on our national infrastructure or our national interests. The complexity of the threat must be matched by an agile, many-layered response; accordingly, many different agencies are involved in the cyber-security effort, ranging across cybercrime, cyber-espionage and cyber-commerce. Cyber-security is therefore to some extent everybody’s responsibility, but we must avoid its ending up being nobody’s responsibility as a consequence. Someone has to be in charge.

--- Later in debate ---
Mr Arbuthnot

Like my hon. Friend the Member for Canterbury (Mr Brazier), the hon. Gentleman contributes effectively to the Defence Committee and makes an interesting point—one I had not heard before. That is the value of these debates. We will all have to think about that issue.

We must seek to defend ourselves, but we must also, as has been suggested, expect to develop a capability to respond to threats in cyberspace. When doing that, we face some of the same considerations as when developing conventional military capabilities. Where does the balance lie between international collaboration and sovereign capability, for example? What sort of international arrangements will best suit our aims?

My right hon. Friend the Secretary of State also talked about how the UK was developing a full spectrum military cyber-capability, including strike capability. This is an interesting and novel declaration. Everybody knows it has happened but nobody has been prepared before now to announce it. Will this declaration act as a deterrent or will it make the UK a more likely target for hacktivists and foreign states? What about the legal implications of establishing a strike capability for the personnel involved? The necessary rules of engagement for cyber-attack need to be put in place, although of course we will not be told about them.

Some maintain that cyber is just another military domain and that we can expect to do everything in cyberspace that we do in the air, on land or at sea to prevent, deter, coerce or intervene. But has the distinctiveness of the cyber domain been fully grasped? It is not clear, for example, that deterrence is a concept that can apply to a domain where there are real difficulties in discovering quickly who has perpetrated an attack and for what purpose, or even that an attack has taken place. Neither is it clear that everyone has grasped how important it is to avoid a silo approach to the cyberworld. It is essential to break down the dividing lines between civilian and military, among Government Departments, between Government and the private sector, and between our country and other countries, and therefore to approach the issue in an holistic way. Paul Dwyer of Mandiant came to brief the Defence Committee and told us that it takes a network to defeat a network.

Perhaps because the threat cannot be neatly categorised, it may be unrealistic to expect a neat categorisation of the responses. Everything we have been told in the UK emphasises that the armed forces have a very limited role, protecting their own systems and developing military cyber-capabilities. For other areas of activity, those in the lead are likely to be based elsewhere, particularly in the intelligence services. That is where the important point made by my hon. Friend the Member for Canterbury comes in.

Mr Gray

My right hon. Friend makes a good point about the threat being so diverse as to be difficult to counter. None the less, the briefing we were given by Mandiant was very interesting: there are a large number of extremely serious attacks, not by a lot of people but by one or two groups. He even named Unit 61398 of the People’s Liberation Army as one of the main culprits. In other words, it would be reasonably easy for the British Government and the MOD to counter a specific attack such as that.

Mr Arbuthnot

I am sure that my hon. Friend is right in saying that the Government are well aware of where some of these attacks are coming from. I do not agree that it would be relatively easy to counter them, because these threats are developing at a frightening speed, as the hon. Member for Barrow and Furness (John Woodcock) said. The diversity and development of these threats is changing on a second-by-second basis.

I am pleased to say that the Government are taking action to make the UK more resilient to cyber-attacks. It has established a new computer emergency response team in early 2014, CERT-UK, to improve the co-ordination of national cyber-incidents and to share technical information among countries. The Government set up a new cyber-incident response scheme in GCHQ to help organisations recover from a cyber-security attack. They have extended the remit of the Centre for the Protection of National Infrastructure—the CPNI—to work with all organisations that may have a role in protecting the UK’s critical systems and intellectual property. They have agreed with regulators in essential services a set of actions to make sure that important data and systems in our critical national infrastructure continue to be safe and resilient. As I have said, responsibility for cyber-security rests principally with companies and organisations themselves. Government agencies’ roles will be limited by available resources and national priorities.

--- Later in debate ---
Jack Lopresti (Filton and Bradley Stoke) (Con)

I welcome the chance to debate the UK’s cyber-security defence. Cyber-security is a particularly wide-ranging subject and cyber-attacks are a growing threat. Without stating the obvious, a cyber-attack could impact on everyone’s lives in many ways. We are now all very reliant on technology and the internet; without our mobile phones or when our e-mail goes down, we almost cease to function.

A major cyber-attack on any of this country’s main utilities, such as transport, energy or the banking system, would cause chaos. It would be, at the very least, very bad for the economy; it could, in the worst-case scenario—if we did not have the means to transport food and fuel, for example—cause social breakdown in a short time. South Korea, for instance, has suffered huge jamming attacks, launched by North Korea, against its GPS systems. They affected major airports and shipping lanes. The travel of more than 1,000 ships and 250 planes was disrupted by North Korean jamming attacks in 2012.

Cyber-security needs to protect us against many threats: criminals attacking personal data, small-scale political activists—or hacktivists, as somebody said earlier—and state-sponsored hostilities. The Government’s cyber-security strategy is along the right lines and has led to the national cyber-security programme, which has clear objectives.

Cyberspace is often compared to the wild west and thought by some to be beyond the rule of law. However, our Government have made it clear that it is not and they have encouraged law enforcement teams to use the existing legal framework to prosecute. When cyber-crime emanates from overseas, the Government are working with the G8, the United Nations, NATO and the European Union to help shape the standards and norms of behaviour for cyberspace. Obviously, the solutions have not all yet been found but the discussions are ongoing and the work is slowly evolving. I am pleased that the work has started in earnest.

Part of the solution is a normal, sensible protocol for cyber-security on the domestic agenda and it can be addressed through simple best practice. There is a knowledge gap and the Government are addressing it in the long term via the development of education in cyber-security: teaching materials on cyber-security are being produced for GCSE and A-level students. Academic centres for cyber-security have been set up in 11 universities. Investment in education is far-sighted and will position the UK with experts in the cyber-security arena.

The Government have also gone some way to engaging with industry by setting up the Cyber-Security Information Sharing Partnership. Furthermore, the Centre for the Protection of National Infrastructure, or CPNI, is working with businesses to encourage them to make cyber-security a board-level responsibility. The current work on the development of an official cyber-standard will help stimulate the adoption of good cyber-practices among businesses. Given the risks to our infrastructure as a whole, the Government have highlighted the role of regulators in overseeing the adoption of robust cyber-security measures. The companies that supply essential services such as power, telecommunications, water, transport and banking, need maximum protection.

I praise the many organisations that are tasked with upholding the Government’s cyber-defence plans. However, as has been said, the threat is so great that I worry that as a nation we are not doing enough, fast enough. An industry study produced by BT last month found that British companies are lagging way behind rivals in other major countries in addressing cyber-security risks. The survey found that only 17% of UK businesses see cyber-security as a priority compared with 41% in the US. Nearly 90% of directors and decision makers in the US are given IT security training, but in the UK it is only around 37%.

On defence, our armed forces are among the most technologically advanced in the world, and I am sure we are all proud of that. In theory, that allows us to put fewer of our people in harm’s way and their lives at risk. However, as the Under-Secretary of State for Defence, the hon. Member for Ludlow (Mr Dunne) said recently, it makes every aspect of our military capability vulnerable to cyber-attack. Obviously, there is no point spending millions on developing leading-edge technology without the cyber-security to stop it being felled by a single cyber-attack.

The Defence Committee noted that the Army has between 35% and 40% too few corporals and sergeants to man its cyber-capabilities. The Government have rightly set up a joint cyber-unit for the reserve forces, which was going well towards the end of the year, and others have said that the reserve forces will play a crucial role in our future capability. The Government have instigated broadly sensible long-term solutions such as apprenticeships to fill the staff-skills gap in industry and business, but how can we attract more trained staff immediately, especially in the defence reserve?

A further concern is that the threat is so wide and imminent that the command structure is not resilient. I understand that the global operations security control centre at Corsham has been empowered to take rapid action without direction from above to defend the MOD’s own networks from attack. That is great, but with the many groups set up to implement the UK cyber-strategy, how will one section know what the others are doing when an attack has happened?

Mr Gray

We are all pleased to see my hon. and gallant Friend back in full working order. The GOSCC is in my constituency, and does an outstanding job in providing cyber-security for the MOD. Is he not concerned, as I am, that with the plethora of Government and MOD organisations with responsibility for cyber-matters, the expertise of GOSCC is being undermined by a variety of quangos and committees whose exact function is clouded in mystery?

Jack Lopresti

I thank my hon. Friend for his intervention. He is absolutely right. Within the chaos of a potential attack, I am not sure how the disparate groups would communicate with one another, how there would be a uniform chain of command and how it would work in practice. GCHQ seems to be in charge, but in other countries the matter would fall under the Ministry of Defence. It is fine that the MOD seems to be still developing its own basic cyber-security techniques with the armed forces setting up separate units, but it is the responsibility of the Centre for the Protection of National Infrastructure to take the lead in co-ordinating a UK response to a major cyber-security incident.

An extremely clear command structure will be needed to deal with a cyber-attack, which may come from a political group such as the group that claimed that the Sochi games were being held on the graves of millions of people who had been murdered and that was, according to the US Government’s computer emergency readiness team, threatening companies financing or supporting the Sochi winter games with cyber-attacks.

The response would be different if an attack was state-sponsored, but it would be extremely difficult, especially in the first day or so, to determine where the threat came from and whether it came from an individual or a country. The internet is worldwide and even if we knew where the attack came from geographically, it would be difficult to identify who was behind it.

--- Later in debate ---
Mr Crispin Blunt (Reigate) (Con)

I will do my best, Madam Deputy Speaker.

I agree with the conclusion of the hon. Member for Bridgend (Mrs Moon): this is an extremely important issue and addressing cyber-security rightly sits at the top of our national security agenda. Cybercrime and cyber-attacks are not only tomorrow’s dangers; they are a very real and growing threat today. As others have already made clear, Governments, business and members of the public come under sustained attack from cyber-criminals and foreign powers. There were an estimated 44 million incidents in 2011 alone.

As we become ever more reliant on the internet, our vulnerability increases. Cyber-threats take two primary forms—cybercrime and cyber-attack, although sometimes the distinction is blurred. Cybercrime was estimated by the Association of Chief Police Officers to have cost £57 billion globally back in 2009, while Detica estimated that the 2011 figure for the United Kingdom alone was £27 billion. It is difficult to believe that there has not been a geometric increase since then.

Large-scale cybercrime is an issue of national security. Cyber-attack and cyber-espionage also present a serious threat both to the state and to the community, and the state should be acting to protect both. As we know, cyber-attacks have had real-world effects, as exampled by the denial-of-service attacks in Estonia in 2007 and the Stuxnet attack on Iranian nuclear development capability, although there appear to be disagreements about the degree of its effectiveness.

Cyber-espionage and theft of sensitive information is another major concern, so addressing the danger of cyber-threats today is real, not academic. The Security Service estimates that at least 20 foreign intelligence agencies currently operate to some degree against British interests. That threat merits our immediate and strong attention, which is why I welcome this debate and the attention the Defence Committee has given to the subject.

Mr Gray

Will my hon. Friend give way?

Mr Blunt

Given the amount of time I have left, I hope my hon. Friend will forgive me if I do not give way to him. If I have time at the end, I will come back to him.

What is being done and developed in the strategy? In 2009, the previous Government produced Britain’s first cyber-security strategy, which, though laudable for initiating a centralised approach to cyber-security, I as the then shadow Minister critiqued as being a shallow copy of the then American strategy. I said:

“Minimal or no attention is given to key areas such as co-ordination of the new cyber-structures with existing agencies, response to a cyber incident and information sharing between government, industry”

and international action. I also said:

“There is no consideration within the strategy of how we would respond to a cyber-attack. No mention can be found of a framework for response or who would lead it. There is no discussion of issues such as back-up communications networks for security and emergency personnel.”

All of those were given coverage in the United States review at the time.

Given the severity of the threat, the then Opposition felt that the strategy was an inadequate response, so before the general election we produced our own paper on cyber-security and keeping Britain safe in the digital age. I am pleased to say that much of it found itself in the Government’s 2011 cyber-security strategy, which is currently being co-ordinated by the Office of Cyber Security and Information Assurance.

The strategy is far more detailed than its predecessor and offers a more thorough, co-ordinated and ambitious programme to enhance our cyber-security. The recent progress report from the Cabinet Office highlights the successes in implementing the strategy and the progress made towards achieving its objectives by 2015. I commend the strategy for its scope and ambition, incorporating everything from changes to law enforcement to greater co-operation and information-sharing with the private sector and enhancing our cyber-resilience. That the strategy also balances the attainment of security with civil liberties is reassuring.

Mr Gray

Everything my hon. Friend says is absolutely right. The Ministry of Defence, of course, has no responsibility whatsoever for this. Is my hon. Friend therefore proposing that the things he is describing perfectly adequately should now become part of a defence cyber-strategy, or is he talking about something other than the topic of this debate?

Mr Blunt

My hon. Friend, in his usual perspicacious way, has identified precisely what I am moving on to, but before I finish on the wider cyber-security issue, I want to recognise the contribution made by the Baroness Neville-Jones in pulling this strategy together and much improving our country’s response.

No strategy, however, is incapable of improvement and the Government still appear to preside over a patchwork muddle of agencies and mandates responsible for cyber-security. In 2011, the Intelligence and Security Committee identified 18 different actors with responsibilities for cyber-security, which raises concerns about duplication, cost-effectiveness and confusion. I note the counterpoint expressed by the Minister for the Cabinet Office and Paymaster General, who said in evidence to the Defence Committee that although the arrangement is untidy, it is effective, given the need for a cross-Government approach. I must say that, in the absence of a personality as strong as Baroness Neville-Jones, there remain issues about co-ordination and leadership, as was also mentioned by my hon. Friend the Member for Filton and Bradley Stoke (Jack Lopresti).

We must recognise that the updated cyber-security strategy is a major step forward, but, as my hon. Friend the Member for North Wiltshire (Mr Gray) has made clear, defence is only one small component of the pan-Government effort and by no means the most important. I wonder whether the bracketing of cyber-security and defence is in fact wise, given the MOD’s relatively limited role. The MOD has only two formal responsibilities: to ensure that armed forces operability is maintained both at home and abroad by securing its networks, and to enhance military operations by developing future cyber-capabilities.

Cyber-capability is immensely important for the armed forces: it is a battle-winning asset. In the same way that military operations become difficult if not impossible without air supremacy, cyber-superiority if not cyber-supremacy is required. What differentiates cyber-security is that it also applies to nearly every aspect of modern civil life. Not many businesses need to worry about the effectiveness of the F-35 and the Eurofighter in their daily operations, but the defensive cyber-capability is a daily national necessity for our financial system. Defence against most high-end cyber-threats, including those to critical national infrastructure, is the responsibility of other Departments, not least GCHQ and the Centre for Protection of National Infrastructure. Given that fact, the conflation of cyber-security with defence is possibly misleading, in that it obscures a complex and much bigger picture. However, we are debating cyber-security in the context of defence, so I shall focus on that.

Other hon. Members have outlined the threat, so I simply want to say that the armed forces are increasingly vulnerable to highly targeted forms of cyber-attack, given the networked nature of modern military systems and the increased use of unmanned aerial vehicles and robots on the battlefield. Adversaries may seek signals interception to distort intelligence, disrupt logistical supply chains or, most worryingly, render major platforms and systems, such as ships and aircraft, dysfunctional. If we now regard cyber as a fifth domain of warfare, we must expect other countries to do so too. Britain is a world leader in defence technology, but we must expect emerging powers to be keen to shrink the development gap by stealing what they cannot easily or quickly develop for themselves. The need to protect the operability of our armed forces and the integrity of our defence establishment is thus abundantly clear.

Of the £650 million set aside to transform Britain’s national cyber-security capabilities over the next four years, the MOD will receive £90 million. That funding is not intended to secure MOD networks, because that is assumed to be business as usual, but I know that the Department is securing its supply chain against cyber-attack. The point has already been made about the importance of the need for a resilient industrial base, which must form part of the goal of the national cyber-security strategy. The MOD has responsibility to help to manage the security of its suppliers, and I note the work that has been done to that effect.

I also note the emphasis on reserve forces, which other hon. Members have mentioned, and I welcome the establishment of a joint cyber reserve unit. That is exactly the sort of imaginative use of civilian-qualified reservists in the armed forces that we will want in times of need, but we must bear it in mind that if the armed forces need them at a time of crisis, so will their host employers. On a separate point, I am encouraged by the assurance that spending on cyber will automatically be increased in the budgets of future programmes.

Cyber is part of how our armed forces will wage war in future, so the Department must be able to continue to enhance its military cyber-capabilities. I therefore want to touch briefly on cyber-attack. Inevitably, developments in technology will always be highly classified because the possessor of the latest technological advance is likely to have a battle-winning capability. I therefore understand why information in this area is restricted. However, I emphasise to the Minister that the military should understand that this House expects them to possess cyber-attack capability alongside the ability to defend their own networks from cyber-attack.

This area is highly sensitive because such technology can be applied against other states’ non-military assets in a way that makes it difficult to be clear about whether the laws of war apply. I will finish by discussing this international aspect. This area sits in the grey area between espionage and conflict. That is why, in 2009, I called for us to co-operate internationally on cyber issues to regulate the relations between states in respect of cyber-conflict. I am delighted that that is recognised in the 2013 statement on aspects of state behaviour in cyberspace. We must try to identify the future international rules of the road that will govern relations between states in this area.

I will end by reiterating three questions. First, by bracketing cyber-security with defence, are we in danger of misleading ourselves about where the main effort needs to be? Secondly, can the lead responsibility for cyber-security be made clearer? Thirdly, are we affording enough resources to research and development in this vital area?

--- Later in debate ---
Bob Stewart (Beckenham) (Con)

The greatest threat of electronic attack continues to be posed by state actors. Russia and China are suspected of carrying out the majority of assaults, but other countries—North Korea, Iran and even Syria—run very effective attacks too. The targets are in Government as well as in industry.

Let me give an example of a cyber-attack. On 23 April 2013 the American stock market dropped 1%; it lost $136.5 billion in a matter of seconds because of a false tweet posted on the Associated Press Twitter account. That tweet apparently came from Syria.

Let me give another example of a possible danger to this country, and here I will use information from a paper written for the Defence Committee by the distinguished academic Chris Donnelly. Huawei, a Chinese company strongly suspected of having close links to the Chinese Communist party and Government, is now providing crucial equipment for our national telecommunications system. The company has been debarred from doing that in the United States because it could not prove that it did not have strong links to the Chinese leadership.

Chris Donnelly’s paper highlighted three areas where Huawei could present a security risk. First, the company could insert undetected malware into its equipment, either to disable the system at will or at least to monitor it. Secondly, there is a possible security risk from the Chinese managers and technicians who man the system. Thirdly, allowing Huawei to dominate the field takes away our sovereign ability to deal with matters ourselves. Recently, there has been growing concern that our national cyber-security systems might not be able to detect whether malware has been inserted into the system.

Mr Gray

My hon. Friend is right to be concerned about the possibility that companies of all sorts might act against the interests of this country, but it is also right to record that Huawei is a major employer in the United Kingdom and is a multi-billion-pound multinational company. The suggestion that it is, in some way or another, an agent or a foreign force in the way he describes may of course be true, but it is worth saying that there is no evidence that that is the case.

--- Later in debate ---
The Minister for the Armed Forces (Mr Mark Francois)

I am sure that the whole House will wish to join me in recognising and thanking those members of the armed forces, both regular and reserve, who have been engaged in preserving lives and protecting property in those communities across the United Kingdom that have been struck by the recent storms and floods. They have provided very good service and we are immensely proud of them.

May I also welcome the hon. Member for Makerfield (Yvonne Fovargue) to the Dispatch Box? Although she has been on the Opposition’s defence team for a while, this is the first time we have debated together directly, so I would like to welcome her to her post formally. I will do my best to answer at least some of the questions she asked in her speech.

I would also like to thank my right hon. Friend the Member for North East Hampshire (Mr Arbuthnot), the Chair of the Defence Committee, for introducing the debate so ably and the 11 right hon. and hon. Members who have taken part so constructively. I have read the Committee’s report, which was published early last year, and the Government’s response. I will seek to address some of the Committee’s concerns and report to the House on our recent progress in this important field.

It might interest Members to know that the term “cyberspace” is usually credited to the 1980s science fiction writings of William Gibson. He used it as a buzzword to describe an all-pervasive virtual realm. Although there are many interpretations, we generally use the term to mean the interdependent network of IT infrastructures and the data that move therein. Cyberspace has become an essential part of most of our lives, from communications to shopping, and from life saving to war fighting. In 2013 some 21 million households in Great Britain had an internet connection. That degree of connectivity clearly has security implications that we cannot ignore.

Although the MOD runs its own cyber-defence programme—I will say more about that later—the defence of our national cyber infrastructure begins within central Government, with the Cabinet Office playing a key role, as it does with all potential crisis management situations. All public and private sector organisations have a stake in addressing the threat, across international and domestic boundaries. To co-ordinate that effort, the Government created the Office of Cyber Security and Information Assurance within the Cabinet Office, which runs our national cyber-security programme. Alongside the Cyber Security Operations Centre, OCSIA works with other lead Government Departments and agencies, such as the MOD, the Home Office and GCHQ—the hon. Member for Cheltenham (Martin Horwood) rightly paid tribute to his constituents there and the skills they have.

The national cyber-security programme is backed up by £860 million of Government investment from 2011 to 2016. That comprises an initial £650 million allocated across Government at the time of the strategic defence and security review and an additional £210 million investment announced by my right hon. Friend the Chancellor of the Exchequer following the 2013 spending review. Moreover, given the seriousness with which we treat the cyber threat, since the Committee’s report the Minister for defence equipment, support and technology, my hon. Friend the Member for Ludlow (Mr Dunne), announced in July 2013 that, on top of the money allocated to the MOD from the national cyber-security programme, the MOD has allocated a further £70 million over the next four years from within our own budget for improving our cyber-defence capabilities.

The MOD’s key priority is to keep our own networks and systems defended and operational, so that if a crisis occurs we can continue to operate with the same efficiency and professionalism required on the battlefield. That does not mean that we cannot help in other ways, but the situation prevailing at the time will dictate how, when and if military assistance would be called upon.

A number of hon. Members asked about MOD structures, as indeed did the Committee’s report, so perhaps I can provide some clarification. Since the Committee’s report was published, the Chief of the Defence Staff has issued direction to the four-star commander of Joint Forces Command to empower him as the defence authority for cyber. On a day-to-day basis, that responsibility is delegated to the three-star Chief of Defence Intelligence in his unifying role to plan and develop cyber capability. Under CDI sits the joint forces cyber group, stood up formally in May 2013 to deliver that capability. The joint forces cyber group plans and directs the activity of the joint cyber units at Cheltenham and Corsham, including the reserves.

The senior responsible owner for the defence cyber programme is the two-star director for cyber, intelligence and information integration, currently Air Vice-Marshal Jonathan Rigby, who gave evidence to the Committee’s inquiry in 2012, and remains accountable to the Chief of Defence Intelligence for those responsibilities. I hope that that helps provide absolute clarity about the chain of command.

Our armed forces use some of the most sophisticated equipment in the world. The downside of the capability we possess is the potential exposure to emerging threats from our adversaries. We have to see those as an intrinsic part of modern military operations and put measures in place to mitigate or deal with them. The Global Operations and Security Control Centre, or GOSCC, is a key part of that protection, with its mission to ensure that we can operate and defend our networks.

I was pleased to read in the report that the GOSCC’s performance impressed the Defence Committee, which said that it should be held up as “a centre of excellence.” I agree. I visited the centre recently and was struck both by the ability of the personnel and the interplay with the embedded industry professionals whom they work alongside.

The Committee also rightly identified the importance of promoting good cyber-security practice. I fully accept that technology is only one part of the equation; we need the right people to do the right things. As cyber professionals often say, the majority of the threat that we face could be overcome by good practice on the part of our people. That point was well made by my hon. Friend the Member for Filton and Bradley Stoke (Jack Lopresti); we Front Benchers are also pleased to see him back here on good form.

At the time of the Government response to the Committee’s report, we had already recognised the need for good practice and had included a specific cyber module in our mandatory training for defence personnel. Since then, we have gone further and developed a cyber primer—an easy-to-read, unclassified book that introduces personnel to the subject of cyber, particularly in a defence context, and is provided for all defence personnel to use.

In its report, the Committee noted the importance of exploring options to develop military capabilities. Since then, the Secretary of State for Defence has announced, on 29 September 2013, that Britain will build a dedicated capability to counter-attack in cyberspace as part of our full-spectrum military capability. As we set out in the strategic defence and security review, the UK views cyberspace as a domain in which we can carry out military operations to support national objectives, as we would on land, at sea or in the air. The hon. Member for Merthyr Tydfil and Rhymney (Mr Havard) asked questions about the legality of that. I reassure him and the House that we are looking to develop a range of cyber capabilities that would be used in accordance with the well-understood laws of armed conflict and, more generally, would comply with domestic and international law. Any capability that we develop must be used legally. We are mindful of that.

Mr Gray

The Minister is making an extremely interesting and useful speech. In the context of the offensive use of cyber, does he believe that there can be such a thing as deterrence in the cyber world? Is there a way of finding out who the enemy is and deterring them by threatening the use of cyber-warfare ourselves?

Mr Francois

A complicating factor is that it is not always immediately apparent where an attack may have come from. Sometimes it is possible to establish that a little later, but it cannot always be done instantly. That needs to be taken into account. However, I believe that the possession of a cyber capability that allows us to strike back could act as a deterrent to potential adversaries—not only in cyberspace but potentially against more traditional threats.

A number of Members have asked about how industry fits in, including my hon. Friend the Member for Reigate (Mr Blunt) and the hon. Member for Inverclyde (Mr McKenzie). Private industry is and will remain a key partner in cyber-security. A secure supply chain is vital for the business of all public sector delivery, and that is no less the case in defence. Our armed forces depend on a wide range of equipment and services provided by industry. As part of the NCSP, the Government are working closely with industry to ensure that it is aware of the changing nature of the threat and has effective counters in place.

The hon. Member for Makerfield asked for something specific to the Ministry of Defence. I am pleased to say that in addition, in July 2013, the MOD launched the defence cyber-protection partnership. That bespoke initiative aims to meet the emerging threat to the UK defence supply chain by increasing awareness of cyber-risks among our contractors and suppliers, sharing threat intelligence, and defining risk-driven approaches to applying cyber-security standards. In short, we already have something that is designed specifically for military and defence contractors and they are entering that programme.

Technology is only one part of the equation. People are essential. We know that the number of deep specialists and experts in this field is limited, and that all organisations, both public and private, are looking to recruit from that supply. However, defence can offer an exciting opportunity for experts to put their skills to use for the nation through the formation of the joint cyber reserve. Some hon. Members asked about that, and I will provide an update.

Recruitment to the joint cyber reserve commenced in October 2013, and there has been healthy interest. I cannot tell the hon. Member for Bridgend (Mrs Moon) how many of the applicants come from the Department for Work and Pensions, but I respect her assiduous work, as ever, in collecting statistics, and I have often been on the receiving end. I assure her and the House that we have recruited the first cohort of cyber reservists, and their training will commence in the spring.

On the basis of the healthy interest so far, we believe that within the next two years the cyber reserve will be fully operational with reserve personnel recruited, trained and operating alongside their regular military and civilian colleagues in the joint cyber-units at Corsham and Cheltenham, and in the information assurance units.