Skip to main content

National Security: Electronic Attacks

Volume 702: debated on Monday 16 June 2008

asked Her Majesty’s Government:

What is their assessment of the electronic attacks against the United Kingdom’s critical national infrastructure and the countries from which these attacks originate.

My Lords, electronic attacks have been directed at various organisations globally, including elements of our national infrastructure, for criminal and other purposes. They may emanate from many parts of the world, and it can be unclear where responsibility lies. Such attacks involve unauthorised access to computers and networks with the intent of stealing data or disrupting services. It is not in the interests of our national security to confirm or deny attacks against specific organisations.

My Lords, I am grateful for that reply. As my noble friend knows, it is a complex area, but I understand that there have been attacks on some legislative bodies around the world. Whether they come from organisations or nation states is hard to know. Should we be discussing an international treaty or legislation to deal with this when it is done by Governments as opposed to organisations?

My Lords, some interesting points have been raised on this important and dangerous area. There is no doubt that as we become more interconnected—as we are in terms of links to the internet, webs, and so on—we become more vulnerable. In a funny way when one is no good with computers and they are not linked, there are air gaps.

There are a large number of attacks but it is not in the interests of national security to be specific about who has been attacked or when because that would give away techniques and skills. We talk internationally about this. I was in Canada and the United States two weeks ago, and cybersecurity and e-crime—identity theft—were discussed at length. They were also discussed last week at the G8 in Tokyo. The G8 sponsors the Meridian process, where we discuss all these issues. It is something that worries other nations particularly. We were more aware before and they are now much more so. There was an attack in Estonia. It is an issue we should be worried about and we give lots of advice on it.

My Lords, the Government are on record as saying:

“The integrity of electronic communications networks and services is a matter for communications services providers”.—[Official Report, Commons, 31/1/07; col.316W.]

Is that not a bit of a laissez-faire attitude? Will the Minister say whether there has been an increase in personnel since the National Infrastructure Security Co-ordination Centre merged with the National Security Advice Centre last year?

My Lords, the noble Baroness raises an important point. We give a lot of direct support. We have computer emergency response teams for government and the public sector. We have GovCertUK, which is based on GCHQ, and the CESG. For the private side CPNI has a combined security incident response team which gives advice. We give guidance on the Security Service, CPNI, GCHQ and Get Safe Online websites. The message I want to get out to everyone, to big industrial firms, SMEs and private individuals, is that they need to think very hard about this. If you are connected to the web, people can get into your computer. The only sure ways of stopping that are air gaps, firewalls and having things enciphered. All these things help and all of us need to do them. We are very joined up now and a lot of data are given away if we are not careful. That is why we are taking this so seriously. An awful lot has been done since last June. I focused on this particularly when I came into post. We discussed it in a Cabinet meeting two months ago and I think we are going in the right direction.

My Lords, the Minister has reeled off a whole galaxy of organisations, bodies and committees which are interested in this. Who has ministerial responsibility for this and what central point in Government is co-ordinating all this effort so that it makes sense and has effect?

My Lords, I am sorry I banged on a little long, but I get quite excited about this subject. The Central Sponsor for Information Assurance lies within the Cabinet Office. But since my appointment last June, this has been an area that I am particularly interested in. Many nations are very vulnerable and we need to look at it very closely.

My Lords, can the Minister assure us with absolute confidence that the national identity register, the National Health Service register and particularly the children’s register will be totally secure from people who want to crash into those networks?

My Lords, without knowing the exact detail, hand on heart, the only way you can be totally sure that no one with remarkable skills can get into a system is if there is an air gap. I do not know the situation regarding those registers but I will get back to the noble Countess in writing. If there is an air gap, it is impossible to get into a system. If you are connected, I am afraid, and if you have real capabilities, at the end of the day it is possible.

My Lords, I appreciate that this is probably a very difficult area for legislation, but is the Minister satisfied that, if anybody is caught carrying out either cybercrime or cyberterrorism, there is suitable legislation under which they may be prosecuted?

My Lords, one of the problems is that this comes from all parts of the world and it is quite difficult to achieve what the noble Baroness suggests. Certainly our discussions with the G8 and internationally are aimed at making sure we can grab these people who range from individual hackers, who sometimes just want to cause damage—they have done some quite nasty things in the past to various countries—through to state-sponsored issues. For the purpose of national security one cannot talk about those at the moment, but we are taking action on them. It would be extremely difficult to put a lot of people on trial, where they deserve to be.

My Lords, many new databases have been established, such as the national dismissal register. What do we have to monitor the various independent databases to make sure that they come within the Data Protection Act and other legal requirements?

My Lords, in terms of those databases coming within the Data Protection Act, they are monitored. If those systems are attacked, we give advice, and if someone believes they are being attacked, we will look into it. I would not want to go any further into what we can achieve in knowing whether something has been attacked and penetrated.

My Lords, is the Minister satisfied that advisories and patches issued by the likes of CPNI and UKCERT are issued in an adequately timely and proactive way, as, for example, with the current vulnerabilities relating to SCADA—the Supervisory Control and Data Acquisition system—and certain elements of the CNI?

My Lords, in the past we perhaps have not been as timely as we should have been. That has now rapidly been caught up. We had a Cabinet meeting only recently. It is an issue that I have taken a lot of interest in and we are gaining ground. It is important that that information is given in a timely way and it is my intention that that should be done. But this is a very difficult and complex area and the more joined up and capable we become at talking to each other on all these systems, the more vulnerable we become, which is why one has to put in place very strict rules, monitor them, and do all the other things necessary to protect them.