Skip to main content

National Security Strategy

Volume 494: debated on Thursday 25 June 2009

(Urgent Question): To ask the Secretary of State for the Home Department if he will make a statement on updates to the national security strategy, including policy on cybersecurity.

At 10 o’clock this morning, my right hon. Friend the Prime Minister made a written ministerial statement, in which he laid before the House this year’s update to the national security strategy. Accompanying the strategy was the first national cybersecurity strategy for the United Kingdom. Last week, the Government presented to the House the Digital Britain strategy. This country is well placed to take advantage of the opportunities of the digital age, but we can seize those opportunities only if people are confident that they can operate safely in cyberspace.

Every day, millions of people across the UK—our constituents—rely on the services and information that make up cyberspace. Indeed, 65 per cent. of UK households have access to the internet, and the figure is growing by about 8 per cent. a year. The national security strategy, published for the first time by the Government last March and updated this year, sets out an honest and transparent appraisal of the risks that we face, including the threat that organised crime poses to our country. Organised crime costs us around £20 billion a year, and we have a duty to the British public and to British industry to take measures dramatically to reduce that cost.

The Government also need to assess the threats from terrorist organisations and prepare our response to them; the public would expect no less. All those threats can arise in cyberspace. As the director general of the Security Service has said, a number of nations and organisations are

“trying to obtain political and economic intelligence at our expense”

and

“increasingly deploy sophisticated technical attacks, using the internet to penetrate computer networks.”

We know the importance that terrorist groups, notably al-Qaeda and its affiliates, place on the internet and cyberspace, which are particularly important for propaganda reasons. We know that terrorists would like to be able to operate more effectively in cyberspace. I am not scaremongering, but we need to look at the issues. Our assessment at present is not that terrorists have the capability to mount attacks imminently, but that we must honourably prepare as terrorists become more sophisticated.

Such threats from states or terrorists could affect critical national systems, but there is also a real threat to millions of ordinary citizens—our constituents—as well as their transactions and the businesses for which they work. Online fraud generated some £52 billion worldwide in 2007. The average cost to companies of information security incidents is in the range of £10,000 to £20,000. For a large company, the cost can be as high as £1 million to £2 million. As the dependence on cyberspace grows, we need to ensure security, which is critical to the health of the nation.

As I mentioned, today the Government published, in a written ministerial statement made by my right hon. Friend the Prime Minister, the first cybersecurity strategy. As a result, we will establish an office of cybersecurity in the Cabinet Office to lead on cybersecurity policy issues, and a cybersecurity operations centre, a multi-agency body, based alongside GCHQ in Cheltenham. That organisation will lead on operations and technical capabilities, which we will examine.

As a result of the new strategy, we will develop a cyber industrial strategy for the UK’s critical security needs, in the same way as we have a defence industrial strategy; we will develop cybersecurity skills for the UK, plugging existing gaps and creating more high-tech employment opportunities; we will make critical systems in the public and private sectors more resilient and enhance our ability to detect attack; we will develop international law and doctrines of national defence in cyberspace, working with other countries; we will consider better advice to business and citizens about the security-risk picture and the steps that they need to take to address it; and we will develop new strategies for tackling terrorist and criminal use of cyberspace with our colleagues in the Association of Chief Police Officers and its strategy on cybercrime, which is due out shortly.

We plan emergency responses, and the new centre will test the UK’s ability to respond to major attacks, which we obviously believe that we can prevent, but which we need to consider. As with our national security, it will be important that the Government’s powers are used proportionately and in a way that is consistent with civil liberty issues, as I know the hon. Member for Reigate (Mr. Blunt) would wish. So, from today, we will establish an ethics advisory group to advise on that issue, and I shall update the House on its membership when it is formed.

The centres will be operational in September, and new funding will be announced before then to meet their obligations, building on existing resources that were allocated largely to intelligence agencies. Again, I shall report back to the House on those matters.

The wider national security debate is important, and the Government have taken forward the good start that was made last year. We look ahead to the broad range of national security threats, and we look at how we can prevent them. Today, we have set out in the documents an updated analysis of the threats that we face, made commitments on what drives insecurity in the world—on conflict, energy, poverty and the impact of climate change—and published the cybersecurity strategy, which I hope will be the subject of some debate and interest.

Britain depends very strongly on the dedicated work of the armed forces, the intelligence services, the police and other services in the support of those strategies. I pay tribute to them all for the courage that they display every day of the week in often very difficult circumstances. I commend the document to the House and hope that the written ministerial statement from my right hon. Friend the Prime Minister will be read with interest by right hon. and hon. Members from all parts of the House.

The Minister owes you, Mr. Speaker, and the House an apology for the public handling of this strategy. As we speak, the Prime Minister is at Detica, a cybersecurity company. Why is he not here making an oral statement? There is no more important responsibility of Government than national security, and, for a key development in the critical area of cybersecurity to be trailed as it has, leading to the first occasion that you, Mr. Speaker, have granted an urgent question, is not only disgraceful but, more alarmingly, shambolic. The Ministers directing the strategy, who are supposed to keep us safe, cannot even manage the orderly public release of new policy.

The lack of detail on cybersecurity in the national security strategy, which the Prime Minister presented last year, was an obvious area of weakness. The security industry publicly warned that the Government had severely underestimated the dangers that cyber attack poses and had accorded cybersecurity insufficient priority and budget. What has galvanised the Government into action? Has the threat from cyber attack grown in the past year, or has the swift and comprehensive response of the new American Administration made them realise that their priorities were wrong? It was an immediate priority for President Obama and, only four months into his Administration, he was reporting on the results. How can we be confident that the strategy before us reflects the proper American sense of priority, rather than being only a pale imitation?

How will the new office of cybersecurity and the new cybersecurity operations centre fit with the work of existing agencies? We already have a number of different agencies working in the area: the Centre for the Protection of National Infrastructure, the wider information assurance centre and the Communications Electronic Security Group, being the national technical authority for information assurance, which is based at GCHQ. All the above are already co-ordinated by a Cabinet Office-unit sponsor for information assurance. The Serious Organised Crime Agency and the police e-crime unit, based in the Metropolitan police, are responsible specifically for cybercrime.

The “Digital Britain” report, which the Government published last week, announced the formation of a tripartite initiative—the tripartite internet crime and security initiative—which will bring together parliamentarians, Government and business. The Government are in danger of presiding over a patchwork muddle of different agencies and mandates, to which they have now added an ethics advisory group. It is sad that Ministers now need advice on ethics. Will the new director instigate an immediate review of the mandates and achievements of all the different agencies involved in cybersecurity, to avoid overlap and ensure the best use of resources?

There is wholly insufficient time to examine the strategy through the means of an urgent question, but I am grateful to you, Mr. Speaker, for commanding the Minister here today. Will the Government commit, at the earliest opportunity, to a full debate on the strategy, led by the Prime Minister and in Government time? We need a national security council with a dedicated staff and decision-making powers at the heart of the Government. We are not there yet.

I am grateful to the hon. Gentleman for his comments. First, I assure him on behalf of my right hon. Friends the Prime Minister and the Home Secretary that we have acted entirely properly in bringing this matter before the House. You, Mr. Speaker, will know that this morning the Prime Minister issued a written ministerial statement that publishes the documents.

There has been press speculation about the issue, but I guarantee that we did not brief the press beforehand. If I can explain—[Hon. Members: “Oh!”] If I can explain to hon. Members the circumstances that have given rise to press speculation—[Interruption.]

Order. May I interrupt the right hon. Member for Delyn (Mr. Hanson) for a moment? I say to the hon. Member for Wellingborough (Mr. Bone), and others who are making quite a lot of noise that they are damaging their own chances of asking questions from the Back Benches.

At 10 o’clock this morning, the detailed documents were published. My noble Friend Lord West of Spithead has written to you, Mr. Speaker. I hope that you have received it by now; it has been copied to the hon. Member for Reigate (Mr. Blunt). His letter outlines the circumstances of a specific aspect of today’s announcement: the name of the individual who will be in charge of the said units, which was the subject of a D notice. As hon. Members will know, a D notice is a voluntary agreement under which the press agree not to publish certain details. The D notice was issued two days ago, rather than today. That was an error, and if I need to apologise to the House on behalf of the Department, I will do so. The notice was issued under embargo, but that embargo was not taken by several among the press yesterday. That is an important issue, but the details of the statement—the key thing for the hon. Member for Reigate—are before the House in the written ministerial statement today.

The hon. Gentleman said that he is concerned that we in the Government have not taken the threat seriously. A considerable amount of work was done by my predecessors and by my noble Friend Lord West of Spithead. Today, we have taken the opportunity to update the national security strategy and to bring forward the key issues. Like the President of the United States, we recognise that the cyber strategy covers a growing area of concern. Governance will be performed through my noble Friend’s reporting to the Prime Minister and through the National Security, International Relations and Development Committee, a Cabinet Committee on which my right hon. Friend the Home Secretary sits and which will look at those issues.

I am genuinely happy to debate the issues at an appropriate time. As the hon. Member for Reigate will know, business questions follow shortly. Government time is not in my gift, but the hon. Gentleman can ask a question during business questions if he wishes, and we will consider it as part of our discussions.

This issue is important to citizens in our country, in respect of both business crime and international terrorism. We believe that we will get it right, but we want cross-party support on the obligations because that matters to the people of this country.

Order. I appeal to Back Benchers to ask brief questions and to the Minister to offer brief replies.

Thank you, Mr. Speaker; I shall try a question. As my right hon. Friend will know, I raised the issue of cybercrime and attack when we updated our Contest strategy earlier this year. I am deeply concerned that we not only co-ordinate correctly the organisations that can make a difference, but resource them effectively. My right hon. Friend will know that it is crucial to put resources into workstreams 3 and 5, on awareness and cultural change and on technical development, research and capability. We must also put resources into the e-crime unit, run by the Metropolitan police, which has already shown how effective it can be. As my right hon. Friend updates the House on resources in the summer, will he tell us that those specific areas will be resourced adequately so that the job can be done?

I am grateful to my right hon. Friend for his work as Home Secretary in preparing the ground for some of these issues. Several hundred million pounds are already being spent, mostly by organisations that are part of the GCHQ complex and the Centre for the Protection of National Infrastructure, which is part of the Security Service. That money comes out of a single intelligence account. With my colleague Lord West of Spithead, I will examine the funding of new organisations before we establish this process in September, and I will report back to the House on the details of the work streams that my right hon. Friend mentioned.

I support the official Opposition’s tabling of an urgent question on this matter. Without it, we would not have been able to have a timely debate on the national security strategy or an opportunity to examine its implications. That would have been a major problem for the House.

The strategy clearly has the potential to defend us, but it could also have a significant impact on our civil liberties. We have to take the Minister’s word for it that what happened was a breach of an embargo, or possibly a leak, but I am sure that Members will be concerned that there has been a leak about the cybersecurity strategy, of all things.

One reason that the Government have given for bringing forward the strategy is the growing threat posed by hostile states, terrorists and criminals. We do not deny that that threat exists and is growing, but it is described in very broad terms. What criteria have the Government used to define hostile states, terrorists and criminals? To give us an idea of the scale of the threat that is posed, can the Minister tell us anything about how many attacks there have been on our networks, for instance over the past 12 months?

This Government have a rather illiberal and invasive overarching counter-terrorism strategy that includes such Orwellian measures as control orders. Can the Minister give us some assurance that the cybersecurity operations centre will not just be used for snooping on British citizens’ internet use? In the cyber strategy, there is mention that the Government will work closely with civil liberties groups. Which groups does the Minister have in mind, and at what point are they likely to be involved in the process?

Finally, as far as I can tell, there is no impact assessment in relation to the proposals. What are the cost implications? We do not deny the need to have a cybersecurity strategy, but we need to be certain that it will not have an impact on our civil liberties. That is the reassurance that we are seeking from the Minister today.

I am grateful to the hon. Gentleman for his questions. May I give him that assurance immediately? The strategy is about defending civil liberties and ensuring that we protect people’s liberty to enjoy their lives free of crime and free of the terrorist threat. We have to have a balance between individual liberties and the issues set out in the cyber strategy. I will defend civil liberties and uphold rights, and that balance is extremely important. We will work through those issues as part of our discussions.

The hon. Gentleman asked about the threat that has occurred to date. We are not aware of any major compromise of national security or key systems to date, but that does not mean that we are complacent. We brought forward the strategy precisely to ensure that we put in place mechanisms to monitor potential threats and attacks. I hope that the hon. Gentleman will understand that it is not appropriate for me to go into the number of countries or agencies that might be involved, because I do not want them to know that we know they are involved. However, I assure him that we will balance liberties with national security.

On the cost element, as I said to my right hon. Friend the Member for Sheffield, Brightside (Mr. Blunkett), I hope to report back to the House before early October about what costs are allocated to particular projects.

I share the concern of the hon. Member for Reigate (Mr. Blunt) about the way in which the Government have handled this matter. Perhaps it would have been more appropriate if the Minister had made an oral statement. However, my right hon. Friend mentioned organised crime in his answer to the urgent question. The director and the chairman of SOCA gave evidence to the Select Committee on Home Affairs this week, but no mention was made about the urgency of the cyber threat from organised crime. Can the Minister confirm that there have been discussions with the chairman and director of SOCA and that any concerns raised with him have been taken on board?

We have had discussions across government about the implications of the strategy. We are working on crime issues in particular, given my responsibilities, and they are important issues. With regard to the oral statement, my right hon. Friend the Prime Minister laid the issues before the House this morning in a written ministerial statement. As I have mentioned, the problem with the breaches arose in relation to the D notice that was issued. Initially, our mistake was that we did not put it under embargo, as we should have. It was later put under embargo, but unfortunately the press published that D notice and made a story around it, without knowing what was in the document, which was published to the House at 10 am today.

The Minister will be aware how critical the counter-terrorism sub-committee has been, despite the slowness of establishing the new operations centre, and, similarly, how concerned we have been at the slowness of establishing the counter-terrorism units in the various regions up and down the United Kingdom. Can he assure us that there will be proper and sensible liaison between the two bodies, with effective sharing of intelligence, and that that will start not next year, but now?

Absolutely. Although I have been in this post for only two weeks and four days, I had a justice background in my previous Department, and I am urgently looking at those issues to ensure that the very things that the hon. Gentleman mentions are put in place. We need to ensure not just that Departments and the organisations within them are operating individually in their silos, but that we have co-operation across the board. Today’s cyber strategy is about establishing a unit in GCHQ under effective leadership to look at those issues across government. That is the objective.

I welcome today’s publication by my right hon. Friend the Prime Minister of a wide-ranging, cross-government and cross-agency cyber security strategy. Given the significance that the Obama Administration have placed on cyber security, will my right hon. Friend the Minister outline how we will be able to work with our closest security ally to maximise our joint capability and minimise duplication?

I suspect that my right hon. Friend has as much knowledge of the work done to date as my noble Friend Lord West, who was involved in producing today’s document, and I pay tribute to her for that. She makes a vital point. The internet and cyber security do not end at the boundaries of the United Kingdom. They are international and European issues, and ones on which we need to work closely with our allies in the American Administration. I am confident that the new unit will work closely with our colleagues in Washington and that it will have the same objectives, which are to tackle international organised crime, ensure that we are safe and try to prevent terrorist approaches to our cyber system.

I welcome the Minister’s commitment to civil liberties, but will the national security strategy include the establishment of a national database to maintain records of web page visits, e-mails and VoIP—voice over internet protocol—calls and whether the Government intend to introduce a compulsory register of all mobile phones in the country?

If I may, I would like to come back to the hon. Gentleman on the detail of that point. Let me re-emphasise, however, that the whole purpose of the ethics committee that we are establishing is to look at the liberty issues surrounding internet activity under the cyber strategy. We are working through the detail of how we will do that, but I will certainly respond to the hon. Gentleman after this statement. However, the key thing, which those in all parts of the House need to know, is that the liberty of individuals to enjoy their business, their communities and their private lives on the internet is important to the Government, as is, equally, the ability to ensure that they are not subject to crime, terrorist threats or distraction by people who have alternative methods to hand.

What a great shame it is that the hon. Member for Reigate (Mr. Blunt) has squandered his opportunity to hold the Government to account. Is not the key issue that there is state-sponsored hacking of key UK information networks on an industrial scale and that we have to transform GCHQ into a spy school for geeks who are more cunning than their Chinese counterparts?

My hon. Friend puts his finger on a key issue. Today’s document is about the protection of the public and the protection of UK interests in the UK. It is about ensuring that we are prepared to assess and examine the threat, that people understand that threat and that people are supported in their businesses, in their private lives and in government to take steps to prevent that threat from arising. The protection of the public is the key element of today’s document. Without wishing to burden the hon. Member for Reigate, let me say that my hon. Friend puts his finger on an issue on which there is, I hope, cross-government and cross-party agreement.

Contrary to the Minister’s statement that the D notice and the information about the individual appointment were the only things in the public domain, on 15 June more details were put into the public domain, both online and in The Guardian, about the statement that the Government would set up an agency. Given the importance of information security and the Cabinet Office’s role in that, will the Minister initiate a leak inquiry into how the information got into the public domain, unless, of course, that is done deliberately by the Government in the next 14 days?

I am grateful to the hon. Gentleman for his question. Let me say again that the detail of the announcement has been made public only this morning, in the ministerial statement by my right hon. Friend the Prime Minister. My noble Friend Lord West of Spithead has written a letter to Mr. Speaker and the hon. Member for Reigate in confidence to explain the background to the D notice. I have given the House an account of that, and I hope that hon. Members will be satisfied with it.

For some years I have had the privilege to work with the Information Assurance Advisory Council, which brings together government officials and the private sector on the important issue of information assurance. May I seek an assurance from my right hon. Friend that the new body will reach deep into the private sector and ensure a proper sharing of expertise? After all, the most likely areas for attack are probably in the City of London and other areas where we need proper sharing of our intelligence and the intelligence that the private sector gathers.

I am grateful to my hon. Friend for his question. In today’s document, which is clear and public, we have established eight work streams. One of the key work streams deals with skills, education, training and capability. The new unit will need to look at those issues and ask where the skills shortages are, where good practice is, which issues it will need to share and develop, and how it can do that in a way that helps businesses in particular, but also the general public and Departments, to protect and maintain the integrity of their cyber networks.

Will the Minister at least take back to his ministerial colleagues in other Departments the message that, whether it is deliberate or inadvertent, when advance news about matters that ought to be announced in this House leaks into the press, Ministers can expect to be summoned straight away to this House to answer urgent questions?

I think that you have made clear to my ministerial colleagues across the board the regime that you intend to operate, Mr. Speaker. I have no doubt that both my right hon. and learned Friend the Leader of the House and other colleagues will help to support you in that objective.

Given that Estonia was the first country to experience the devastating effect of a cyber attack, can the Minister say a bit more about how we are working with our European partners, especially the Baltic states, which are probably on the front line of the threat?

I am grateful to my hon. Friend. One of the key things in the document, in work stream 7, is international engagement. One of the office’s new tasks will be to bring together the UK’s work with that of overseas partners and international organisations. Self-evidently, the European Union is one of the biggest local organisations in which we can get cross-governmental co-operation on some of the issues. That is important, and we will be commissioning working groups to take forward work across the board in the next few weeks and months.

There is a serious security concern for citizens, because, after all, the Government have shown themselves to be somewhat ineffective in preventing confidential information from falling into the wrong hands.

Further to the point about Estonia, is the Minister aware of the devastating effect of the first organised cyber war ever launched against a country—namely, Estonia—not only on businesses but on private citizens? May I suggest that he recommend that the individuals responsible for developing the strategy here work directly with the Estonian authorities, which have not only experience of what happens when things go wrong but coping strategies to prevent it from happening again? I am sure that that would be useful for my constituents and all constituents across the United Kingdom.

We will certainly look at the experience of Estonia and at how we can learn from it. The hon. Gentleman’s key point is that everyone needs to have confidence in the use of the cyber network. People need to have confidence that their information is not being hacked into or copied, and that it will not be used for criminal or terrorist purposes. The key objective of the document is to ensure that we help to develop that confidence still further.