Skip to main content

Proposed Directive (Information Systems)

Volume 522: debated on Thursday 3 February 2011

With permission, Mr Speaker, I would like to make a statement on the proposed European directive on attacks against information systems, which we have decided to opt in to.

Hon. Members will not need me to tell them how much we benefit from the services that are now available online. In 15 years, the number of global web users has jumped from 16 million in 1995 to more than 1.7 billion today. About three quarters of all British households now have an internet connection, and last year nearly two thirds of all adults in Britain bought goods or services online.

We want to build on our cultural and economic success in the online world, but with the growth of the internet has come the growth of a new type of crime and a new risk to our national security. We now face a real, ongoing and persistent threat from other states, terrorists and criminals operating online. They are stealing commercial secrets, they are trying to take sensitive Government information and they are defrauding ordinary people.

Cybercrime, often carried out by organised criminals, is now a major and growing threat to all sectors of our economy, and we should be in no doubt: online attacks can have a significant real-world impact, from people's bank accounts being emptied to industrial plants and critical infrastructure being disrupted. The risks from cyberspace are now so great that the national security strategy placed the threat as one of the top tier of risks to our national security.

Recognising the seriousness of the threat, the Government are already investing heavily in cyber-security. Following the strategic defence and security review, we committed £650 million of new investment over the next four years to transform our protective capabilities in cyberspace. Our response is led by Government, but uses the resources and knowledge of the private sector, including those parts of the private sector that own and operate large elements of our digital infrastructure. The programme explicitly depends on building strong relationships with like-minded countries around the globe, because the problem is an international one and online criminals do not respect international borders.

Here in Britain we have long-standing laws against computer misuse, but we need to be able to take action also against cyber-criminals operating overseas; it is therefore clear that we need to work across national boundaries. That means our law enforcement agencies working with their partners overseas to identify suspects, gather evidence and bring criminals to justice. The European Union directive on attacks against information systems supports those aims. The directive builds on an existing 2005 EU framework decision with which Britain was already compliant. It is also consistent with the Council of Europe convention on cybercrime, which Britain is in the final stages of ratifying. Opting in further demonstrates our commitment to internationally co-ordinated action against online threats.

The directive will ensure that there is a basic set of agreed minimum rules in relation to online crimes and penalties across the EU that member states must build into their legislation. It will also ensure that member states respond quickly to requests from other member states for assistance in cybercrime cases. Those measures will benefit Britain and other countries that have active online economies, because it will mean that cyber-criminals will not be able to hide in European countries that do not have as well-developed laws against cybercrime as we do.

The directive also seeks to address the threat from large-scale attacks on information systems by ensuring that member states have adequate legislation to allow the prosecution and punishment of those organising, committing or supporting large-scale attacks. That is not a hypothetical threat: it is a real, existing problem for the British Government and British business. Finally, the directive sensibly takes into account changes in the threat picture since the framework decision was agreed, such as tackling the creation of malicious software and other innovative tools that criminals have invented to commit offences.

It is for all of these reasons that we have decided to opt in to the directive. It fits with our approach of making Britain a tougher place for online criminals to operate in, and it will mean that the reach of our law enforcement agencies extends outside our borders. By opting in now, we do not accept that the draft directive is perfect. We will work to ensure the final text is in Britain's interests and we will seek to negotiate out any proposals we believe are unnecessary.

I pay tribute to the work done by the European Scrutiny Committees of both Houses. They do much to ensure that European legislation is right for this country. On this specific directive, both Committees agree that there is a case for further EU action in this area.

Cybercrime is a major threat to Britain. The aims of the directive are consistent with the aims of the Government in protecting our country, our economy, our businesses and our citizens from those who seek to misuse the online environment. I commend this statement to the House.

I thank the Minister for providing the Opposition with a copy of the statement in advance of the announcement to the House.

I have listened carefully to what the Minister said about the Government’s decision to opt in to the draft directive on attacks against information systems. It is clear that there is a growing threat of large-scale simultaneous attacks against information systems and an increased use by criminals of so-called botnets—networks of computers infected by a virus that can be activated remotely. There is clearly a real terrorist threat, as well. It is right to say that there has to be a robust and consistent approach to this problem, not only across the EU but internationally, and we know that a sensible way forward is to build on the framework decision agreed in 2005.

In a report by the Commission in July 2008, the implementation of the framework decision was found to be relatively good, but a number of new threats had been identified; the draft directive has therefore been produced. The matter was before the European Scrutiny Committee on 3 November 2010, at which time the Government still had not decided whether to opt in to the draft directive. I, too, pay tribute to the hard work that the Committees in both Houses do on behalf of us all.

I welcome the decision, but I have a number of questions for the Minister. First, why has the decision been made now to opt in to the draft directive? After the European Scrutiny Committee had considered the matter, the Minster wrote to the Chair of that Committee stating that a decision on whether to opt in had to be made by 23 December 2010, and promising to let the Committee know the decision at that point. I understand that he then wrote to the Chair of the Committee on 31 January confirming that the UK was opting in to the directive. When was the decision actually made? Was it made before 23 December? If the decision was delayed, why?

In his statement, the Minister said, “By opting in now, we do not accept that the draft directive is perfect. We will work to ensure the final text is in Britain's interests and we will seek to negotiate out any proposals we believe are unnecessary.” Would it not have been more consistent and logical to have opted in to the draft directive much earlier, to ensure that the British government could influence it and have their say? On such a matter, and given that we are building on the already well- established 2005 framework decision, was it not in our interest to have our say early on? Why wait until the end of the process?

Secondly, we understand that there will have to be changes to domestic legislation on issues such as extraterritorial jurisdiction and including all the offences set out in articles 6 and 7. Will the Minister explain the exact changes that will be required, in particular to the Computer Misuse Act 1990 and any other legislation? When will the House be asked to deal with those matters?

Thirdly, the directive sets out the need for a national contact point to provide an initial response to urgent requests for information within eight hours. With the transition from the Serious Organised Crime Agency to the National Crime Agency, what ring-fenced funding will be available for the initial response work, and how will the overall cuts to the Home Office budget affect the ability to provide that response?

Fourthly, under article 15, there is a requirement for the collection of statistical information on offences covered by the draft directive, including details of the number of offences reported, the follow-up and the number of investigations, prosecutions and convictions each year. Although the Minister has indicated previously that some of those data are already collected, what further resources will be needed to ensure that the full datasets are collected, and who will do that? What additional resources have been allocated for the purpose from the £650 million he mentioned?

Fifthly, what plans does the Minister have for dealing with the increase in penalties to a maximum term of imprisonment of not less than five years? Does he envisage creating a new offence to deal with aggravating factors, or increasing the length of existing sentences?

Finally, may press the Minister on another matter? Although we welcome the announcement of the opt-in to this directive, it is deeply disappointing that the Government have failed to opt in to the draft directive on human trafficking. We ask them to think again.

I thank the hon. Lady for her broad welcoming of this decision and the actions that the Government are taking to combat the threat of cybercrime and on cyber-security. This is probably the first time that the House has had the opportunity to debate a number of these issues and ask questions on them, so I welcome the opportunity as part of our scrutiny of EU directives.

With regard to the hon. Lady’s questions, I can assure her that the opt-in decision was made in time, so there is no issue of any harm in that sense. The negotiations and detailed consideration of the directive were started only recently, so the UK’s position has in no way been compromised by our decision. Indeed, the timing has been part of respecting the parliamentary scrutiny—allowing the three-month period so that the European Committees can do their work.

The hon. Lady raised questions about changes to legislation and made other points on how implementation might take place. I think that it would be premature to address those points directly until we see the final version of the directive, which is still subject to further discussion and consideration. We will investigate clearly and set out for the House properly how we intend to take matters forward once the directive has been finalised.

The hon. Lady asked questions about the national contact point and about statistics, information and funding. As I have set out, the Government take the issue of cybercrime and cyber-security very seriously, which is highlighted by the £650 million that the UK has committed as part of its national cyber-security programme. We are considering carefully how allocations will be made for that, taking account of the need to ensure that the UK continues to respond effectively to the challenges posed from the online environment.

I welcome the hon. Lady’s broad welcoming of the decision to opt in. We see positive benefits and direct advantages from the directive. On her point about the EU directive on human trafficking, we did not decide to opt in at the outset because it contained no operation or co-operation measures from which the UK would have benefited. We have said that we will review that position after implementation of the directive, at which point the UK could apply to opt in retrospectively.

The Minister may not be surprised to hear that, as Chair of the European Scrutiny Committee, I do not agree with his assertion that this has been done in accordance with due process. The former Leader of the House of Lords gave an undertaking that, in matters of opt-ins, an indication would be given to the Committee in advance of their intention. That indication has not been given. The draft is still under scrutiny and is currently deficient, as the Minister has conceded. What is the point of having a scrutiny process if it is compromised by decisions taken in advance of that consideration in full by the Committee, which would no doubt have recommended a debate?

I hear my hon. Friend’s point. We obviously reflected on the conclusion from the Committee’s initial response on the directive, which stated:

“We agree that large-scale attacks against information systems are likely to have a cross-border dimension and require close co-operation between Member States. We think that the legal base proposed is appropriate and accept that there is a case for further EU action to respond to new methods and tools for committing cyber crime.”

As he will realise, there is a three-month period in which the UK must respond to those issues. We take scrutiny very seriously. Indeed, making this statement on the Floor of the House underlines the importance that we place on allowing scrutiny to be applied. Obviously, the directive still requires more work and consideration in the negotiation, and that is precisely what the Government will do.

Does the Minister not understand that when Britain is dilatory in signing up to new directives and pieces of legislation, particularly those which have obvious cross-border relevance, it is deleterious to the British interest, because we are unable to take part in the full process of developing the policy? What he said earlier about why we are signing up to this directive but not yet to the directive on people trafficking makes absolutely no sense.

We examine the directives on a case-by-case basis, and I have set out clearly that we decided to opt in to this directive so that we could be part of the negotiations. As I said in response to the hon. Member for Kingston upon Hull North (Diana Johnson), the human trafficking directive contained no co-operational measures from which the UK would benefit, which was why we decided not to opt in, but we certainly keep the issue under review.

The motivation behind the change in the law might or might not be worth while, but there is a question about how and where we determine the legislation that governs this country. Will the Minister confirm that this directive has been agreed notwithstanding the fact that it was held under reserve by the European Scrutiny Committee and that it involves a change in the law and, apparently, the creation of new criminal offences, all of which are taking place without an opportunity for a debate in this House, let alone a vote? Has our law-making process not been bypassed altogether so that we now have a law that, whatever its merits, has simply been made in Brussels?

I simply do not agree with my hon. Friend’s analysis. We have allowed scrutiny of the approach and of the directive. I hear his point, but the implementation of the directive will take place in this country, and I think that the importance of cross-border working on an issue such as cybercrime, where close co-operation is needed, means that that work at EU level is important. We clearly keep the interests of the British people at the heart of our intentions, to ensure that the decisions made add to their protection, which is threatened by increasing levels of cybercrime and by those who wish to prey on them using computers and the internet.

Does the Minister agree that by opting in to the directive we will strengthen the UK’s leadership role in the fight against cybercrime and that, were the UK to sign up to the EU directive on human trafficking, we could provide additional leadership in that field as well?

As I have said, we keep the position on the human trafficking directive under review. I think that the directive that we are considering today has clear benefits and builds on the work of the Council of Europe’s convention on cybercrime, which, interestingly, the previous Government signed up to in 2001 but never got around to ratifying. That highlights the importance that this Government place on international co-operation when dealing with these important matters.

I welcome the statement, but cybercrime does not recognise international or EU boundaries, as my hon. Friend recognises, so will he confirm that there is nothing in the directive that will prevent us from seeking to co-operate with other Commonwealth countries, our friends in the United States and other like-minded countries to combat that menace?

My hon. Friend makes an important point about the need for international co-operation. It is one of the reasons that we have ratified the European convention on cybercrime, which has in fact been signed up to by a number of countries outside Europe, including the United States. We take the important issue of international co-operation very seriously, and the directive we have decided to opt in to underlines and telegraphs that commitment, but clearly there is work to do with countries outside the EU as well.

Nowadays, investigators need access to current and historical data in order to achieve a successful prosecution in cybercrime and other internet crimes. In the past, the United Kingdom wanted seven years to be the key measure throughout Europe of the time that IT providers, banks and so on held back-data, so that we could get proper investigations going. Does the directive set a limit and require all EU Governments to place a duty on IT providers to hold data for the same time?

The directive is focused on the criminality and on cyber-attacks. It includes provisions on mutual co-operation, but it does not set the sort of framework to which my hon. Friend refers.

Will the Minister confirm that the measure is not about sovereignty, but about practical co-operation that is vital to our national interests?

My hon. Friend sums up the measure very well. It is very much focused on practical co-operation and on ensuring common standards, which, building on co-operation, better information and mutual assurance, provide practical benefits for the United Kingdom, given the challenges that we face from cybercrime committed not only in this country, but in other EU countries.

The Minister refers to the Council of Europe convention, which covers 47 countries plus the United States and other countries, but what added value does the directive have when compared with that convention? If the directive is inadequately drafted, as my hon. Friend the Member for Stone (Mr Cash) says it is, why do we not wait to see whether it can be correctly drafted before we sign up to it?

The directive builds on the convention and deals with certain additional issues, such as the response that other EU countries provide to requests for information on cyber-related attacks and cybercrimes, so we think that it has important benefits. It is precisely because of those practical benefits that we think it appropriate to opt in at this point and to negotiate on and change the drafting where it requires further work. We believe that, because of the directive’s practical and direct benefits, it is important to be there and do that.

Will the Minister help me on a technical point? I understand that the directive is a repeal-and-replace measure; it repeals a directive to which the UK is party and replaces it with a new version. If the UK had opted out of the directive—I am glad that it has not—would it have still considered itself bound by the original 2005 framework decision? If not, what would the implications have been for UK cyber-security, given that that framework decision provides for police and judicial co-operation on cross-border cyber-threats?

I am very grateful for the hon. Gentleman’s question, which transcends this directive, which is a Title V measure, as contrasted with the third pillar measures that are subject to the potential block opt-out in 2014. I hesitate to go into the technicalities, but we have clearly opted in to the directive, so it falls within the Title V base rather than the third pillar base. It was a technical question, and I am sorry for that rather technical response.

In Dover, we see human trafficking and all too often the evil perpetrated by international gangs in the physical sphere. We should sign up to directives only when we get information-sharing and international assistance, because crime knows no borders, but can the Minister reassure the House that there will be no mission creep from cybercrime to the snooping that we have seen under the Regulation of Investigatory Powers Act 2000?

My hon. Friend makes a very important point, and, in striking the right balance, we approach those issues with the rights of the individual’s freedoms and liberties very much at the forefront of this Government’s mind. We believe that the directive is important and will add value, but we will approach those issues with liberty and freedom at the forefront of our mind.

I have been a victim of mobile telephone fraud, so will the directive have the scope to deal with cybercrime in connection with such fraud?

The directive is very much focused on computers and computer systems, rather than on telephones and mobiles, but, as telephone calls and Skype add to computers’ ability to facilitate contact, such communication might be brought within the scope of the directive.