
National Security Strategy

Volume 711: debated on Thursday 25 June 2009

Statement

My Lords, my right honourable friend the Minister of State for Crime, Policing and Terrorism answered an Urgent Question earlier in the other place. With the agreement of the usual channels, it is being repeated in this place as a Statement, as is the practice. The Statement is as follows:

“Mr Speaker, at 10 o’clock this morning my right honourable friend the Prime Minister made a Written Ministerial Statement, laying before the House this year’s update to the national security strategy. Accompanying the strategy update is the first national cybersecurity strategy for the United Kingdom. Last week, the Government presented to the House the Digital Britain strategy. This country is well placed to take advantage of the opportunities of the digital age. However, we can seize these opportunities only if people are confident that they can operate safely in cyberspace.

Every day, millions of people across the UK rely on the services and information that make up cyberspace. The internet is accessible in 65 per cent of United Kingdom households, a figure that is growing by about 8 per cent per year. Plastic transactions, which depend on wired or wireless communication, make up 90 per cent of our high street purchases.

The national security strategy, published for the first time by this Government last March and updated this year, sets out an honest and transparent appraisal of the risks that we face, including the threat that organised crime poses to our country. Organised crime costs this country £20 billion per year. We have a duty to the British public, and to British industry, to take all measures to reduce dramatically this cost. The Government also need to assess the threat from terrorist organisations and other states and prepare our response to that. The public would expect no less.

All these threats can arise in cyberspace. As the director-general of the Security Service has said,

‘a number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense. They do not only use traditional methods to collect intelligence but increasingly deploy sophisticated technical attacks, using the internet to penetrate computer networks’.

We know the importance that terrorist groups—notably al-Qaeda and its affiliates—place on the internet and cyberspace. This is particularly important at the moment for propaganda. We know that terrorists would like to be able to operate more effectively in cyberspace. This Government are not in the business of scaremongering. We do not assess at present that terrorists have the capability to mount such an attack imminently but we must prepare as terrorists become more sophisticated.

These threats from states or terrorists could affect critical national systems. There is a real threat to millions of ordinary citizens, their transactions and the businesses that they work for. Online fraud generated £52 billion worldwide in 2007. The average cost of an information security incident for a small company is in the range of £10,000 to £20,000. For a large company, it can be more like £1 million to £2 million. As the UK’s dependence on cyberspace grows, so the security of cyberspace becomes ever more critical to the health of the nation.

So, today, the Government are publishing the first cybersecurity strategy. As a result, we will establish the office of cybersecurity in the Cabinet Office, to lead on cybersecurity issues, and a cybersecurity operations centre, a multi-agency body based alongside GCHQ in Cheltenham. This organisation will also examine the operations and technical capabilities needed.

As a result of the new strategy, we will develop a cyberindustrial strategy for critical UK cybersecurity needs, in the same way as we have a defence industrial strategy. We will develop a cybersecurity skills strategy for the UK, plugging existing gaps and creating more high-tech employment opportunities. We will make critical systems in the public and private sector more resilient and enhance our ability to detect attack. We will develop the international law and doctrines of national defence in cyberspace, working with other countries. We will better advise business and citizens about the cybersecurity risk picture and the steps that they need to take to address it. We will develop new strategies for tackling terrorists’ and criminals’ use of cyberspace with our colleagues, in line with the ACPO strategy for law enforcement on cybercrime due out shortly. We will also plan emergency response. The new centre will test the UK’s ability to respond to a major attack, as we do for terrorism, in setting up a strengthened analysis function for cyberthreats.

As with all our national security activity, it is important that government powers are used proportionately and in a way consistent with individual liberty. So we will set up an ethics advisory group to advise on this. I will update the House on its membership when it is formed. The centres will be operational in September and new funding will be announced before then, building on the existing resources allocated largely to intelligence agencies. I will report back to the House.

On the wider national security update, the Government have taken forward the good start made last year. We look across the broad range of national security threats. We have set out an updated analysis of the threats that we face and made new commitments on tackling what drives insecurity in the world. These are conflict, energy shortages, poverty and, looking to the long term, the impact of climate change.

Keeping Britain safe depends on the dedicated and professional work of the Armed Forces, the intelligence services, the police and other services. I pay tribute to them all”.

That concludes the Statement.

My Lords, as always, I thank the Minister for repeating the Statement. We agree with the Government that there is no more important responsibility for government than national security, so we find it extraordinary that this Government have published the country’s first cybersecurity strategy and the 2009 update to the national security strategy by way of a Written Ministerial Statement.

These have come after the strategies had first been trailed in the press in an extraordinary way. Indeed, I understand that in another place yesterday Mr Speaker made a Statement, his first after being elected, pointing out the importance of Ministers presenting to both Houses of Parliament changes in policy on important matters before trailing them in the press. It is only as a result of an Urgent Question from our Benches in another place that the Minister is before our House today and we have this somewhat limited opportunity to debate the strategies. By using a Written Ministerial Statement, the Government were, in effect, trying to ensure that both Houses of Parliament did not have the appropriate opportunity to discuss or debate the strategies.

The Government are making much of their new cybersecurity strategy. Action in this crucial domain is due—indeed, long overdue. And what does it amount to? It includes the establishment of an office for cybersecurity in the Cabinet Office and the upgrading of an already existing unit in Cheltenham, which is to be called the cybersecurity operations centre. It is impossible to know, however, how significant these changes are, because we are not told what funding is being made available to enhance our ability to tackle cyberthreats. The Government’s special supplement on cybersecurity contains some figures as to the costs of cyberinsecurity to the nation, but we will have to wait until the autumn to know how much money the Government will devote to the tasks set out in the Statement.

The Government also tell us that they are now giving leadership to this issue. But how does that square with using the gag of a D notice to stop us knowing who the new director is? I understand that, regardless of that, the name has been leaked.

Cybercrime proceeds apace in the absence of cybersecurity. There is significant cybercrime in the United Kingdom. Many in this House will have had experience of it in relation to bank accounts, but the strategy has virtually nothing to say about the response. It simply tells us that the Association of Chief Police Officers will produce an anti-e-crime strategy later. I might say that at present the Metropolitan Police has a unit of 12 officers devoted to national e-crime. It is hardly surprising that it is difficult to get action when an e-crime is committed. We have a long way to go on this matter.

There is some confusion about the way in which these structures will work and whether or not there is overlapping and overbureaucracy in all of this. Can the Minister assure this House that the Government have not set in place structures that will duplicate existing work on cybersecurity and information assurance? There seems to be a real risk of duplication, since other units appear to continue to do work in this area without being tied properly into the new structures. There are no efficiency savings here, it would seem. What do the Government mean when they say that the office for cybersecurity will be based initially in the Cabinet Office? What are the longer-term intentions?

Clearly, the Government have missed an opportunity here to review more widely and make sense of the very muddled security structures that exist across Whitehall. The need to produce a substantial update to the national security strategy just over a year after publishing the first version is an admission that the Government’s first attempt was not actually a strategy, as it did not adequately set long-term direction for different departments and agencies.

It remains to be seen what effect this update will have in the absence of a proper national security council with a dedicated staff and a proper national security budget. Indeed, we are also left waiting for a lot of detail on organised crime, maritime security and energy security, which are promised for later. Instead of saying what will be announced later, as the Minister repeating the Statement made clear, and coming back to the House again and again on other matters, the Government should have done the work first and should have been able to tell us now how we are to proceed. Will there perhaps be a third update next year? In particular, will the Minister be more specific on when the energy strategy will be published? Will he say when the reviews of the organised crime strategy and the maritime threat will be completed and whether they will be published?

In this House we have the opportunity by way of a Statement to have a few more minutes than were available in another place. It was regrettable that this matter could be debated in another place only by way of an Urgent Question, which is all too brief. I should be grateful if the Minister could indicate that the Government would welcome an approach from the usual channels to ensure that there is a fuller opportunity to debate these matters on another day.

My Lords, we on these Benches, too, find the process by which this Statement has been made extremely regrettable. The Minister will remember that, on the Second Reading of the Policing and Crime Bill, I raised at some length the issue of cybercrime, because we felt that it was a very much more serious issue than those dealt with in some of the unnecessary parts of the Bill. It is particularly surprising and regrettable that, if the Minister had in mind the fact that there would be this big revelation on cybercrime, we could not have considered something in this House in a more structured way.

This Statement is a lot more about headlines, because there is actually not much action in it. I shall give the Minister a few examples of the action that we would have been pleased to see. However, perhaps he can first tell me whether we have ratified the European Convention on Cybercrime. Particularly important is Article 25, which enables us to co-operate properly, have mutual legal assistance, respond to requests for help from other countries and make the best use of all the international provisions. This is because a lot of e-crime is perpetrated in countries such as Brazil, China and so on. Without a proper co-ordinated international effort, we will not get very far. Perhaps the Minister could also confirm that, where serious e-crime is perpetrated in third countries, the extradition arrangements are satisfactory, because the tariffs have been so low for these offences that they were not extraditable.

The Minister talked of the ordinary citizen. Another enormous problem for the ordinary citizen on whom e-crime impacts heavily is that, according to a Written Answer that the Minister was kind enough to send me earlier this year, the Government do not collect central figures on e-crime in any case, so we do not know its scale. It would be interesting to know from the Minister whether the liability of banks for losses suffered by people as a result of e-crime when the banks’ security systems are not efficient is underpinned by legislation, because that area remains dependent on just the Banking Code. Will the Government look at strengthening that?

The public need a lot more help in getting safe online. Will the Government, as a result of this new effort on cybercrime, launch a much more targeted and satisfactory effort on helping the public to get safe online? They should start by running an advertising campaign, obliging retailers to offer a “get safe online” package every time they sell a new computer and encouraging colleges to offer short courses on exactly what is necessary. There is an awful lot to be done in this area. Most people who are fairly computer literate are still astonishingly illiterate when it comes to how to get safe online. I admit that it is quite difficult to know all the things that you should be doing. In the parliamentary system, we are somewhat helped by having it done for us, but that cannot be said for the ordinary citizen and that needs to be addressed.

The Minister spoke of an ethics advisory committee, which may offer some reassurance when we look at the centre that is to sit alongside GCHQ. However, a more practical step was suggested in this House last Friday, which was that there should be a Joint Committee, as recommended by the Constitution Committee of this House. However, the Government said in their response that they had no intention of pursuing that idea. That is a big gap. There is a lack of parliamentary oversight of this area. It is falling in a gap between the Home Office and other departments, so a Joint Committee—a considered suggestion from the Constitution Committee—would be a very good first step. If we are going to have a cybersecurity operations centre, doing all the data mining and interception of web traffic that that involves, we surely need proper parliamentary scrutiny, starting with the Joint Committee. Finally, will the Minister tell me whether he still feels, in the light of the new cybersecurity operations centre, whether RIPA is fit for purpose? I hope that we have the opportunity to debate this at greater length, because there are an awful lot of questions that we need to ask about it.

My Lords, first, I thank the noble Baroness, Lady Anelay, for raising a number of points. It was good to see her at the start of the debate. I have noticed that a colleague of hers has appeared on every media channel in the past two hours, talking about this national security strategy, and I must say I am impressed by the speed with which she had managed to read it and absorb it all. I apologise for the fact that there was an error in a department with a D Notice that went out quite normally. We try to protect people who have been working in very sensitive areas, but I am afraid that department put in a D Notice rather earlier than it should have done, and that led to a couple of articles. I wrote a letter to the Speaker and to the honourable Crispin Blunt in the other place, explaining that. I apologised for that having happened. The department that did it realised the error of its ways—there are some people walking on stumps—but I will not go into any more detail on that. The way we have issued this, with my right honourable friend the Prime Minister producing this as a Written Ministerial Statement, with two documents, was absolutely right.

I agree with both speakers so far—I absolutely hope that there will be a debate on these really important issues. However, I had hoped that we would have the debate after people had read the documents in detail, because they are highly complicated. We could then have a deep and meaningful debate. I am aware, because of happenstance and this unfortunate D Notice, that this has all happened in rather a gallop. I certainly want to have a proper debate later, and I thank the noble Baroness, Lady Anelay, very much for the noble way she has pushed this forward today. It is unfortunate that people are talking about this without actually really knowing very much about it, and I am a little disappointed about how that has been done.

The noble Baroness talked about duplicating various things, but I think the document merits considerable attention. Far from duplicating things, we are actually co-ordinating and pulling together all the work that goes on. We have been aware of these threats now for some time. When I was Chief of Defence Intelligence, back in 1997, I was aware of various threats, but of course we were not so well joined-up and so close together. When I took over this job in 2007, it became very clear to me that we needed a co-ordinated strategy. A lot of very good work was being done in the CESG in Cheltenham, in other centres of excellence, and in many of the financial institutions, but the people who were getting at us were getting cleverer and cleverer at doing it. However, we were getting more and more interconnected. There is always an extraordinary balance in which all of these lovely things we have now—these amazing computer capabilities, hand-held sets, the ability to transfer data and to use satellites—are designed to be as open as possible to let us share data. That is great for business, globalisation and for lots of things, but it is of course a huge vulnerability when there are nasty people who want to get at it. Steadily, it has got more and more complex and people have got cleverer and cleverer at actually attacking us in those areas. Therefore, it became very clear when I took over in 2007 that we needed to co-ordinate all the very good work that was going on.

The noble Baroness mentioned the amount of funding involved here, and of course we will look specifically at funding. My honourable friend in the other place gave a specific commitment to come back to Parliament to look at the funding available for training people and for another work stream, which I have forgotten at the moment. He will come back with evidence on those two areas. Lots of money is being spent, and I want to co-ordinate this better. It is too easy, and it is wrong and old-fashioned, to just try to throw money at something. We need to get it co-ordinated, use all the money that is there and get this efficiency and use it properly. That is what I am trying to do within this strategy, and I think that will be achieved.

The first national security strategy was a huge step forward—we had not done something like that before in this country. We looked at it across the board, for all threats, and we thought of it in terms of the citizen. We said we would develop and build on that, and that is what we have done. We are still building it around the citizen, so that we can relate this to the citizen in every single area. One of the great successes of the last strategy was that out of that I pulled a National Risk Register, which goes right down to the various local areas, to the local risk forums. In that, we said that pandemic flu was probably the most likely and most dangerous risk, and so we started making preparations. There is now a pandemic—although luckily it does not seem to be really virulent at the moment—and when it began the World Health Organisation said that Britain was the most prepared country in the world. That was because we had identified it in our national security strategy.

We have now covered more areas, and are working through this in a much more structured way. There is a logical sense to the way we have gone about the strategy so that people can follow it. The average citizen can read it, work it out, and say, “Oh yes they’ve done that”. The strategy looks at various domains, which is why cyber is such an instant success as a domain that we need to work in. A lot of work is going on in the maritime area, but it leapt out at me as one where there are so many fingers in the pie that we need to co-ordinate it better. That is what we will do. Within 12 months, we will actually have an answer and a proper, tied-up strategy stopping things like the attack on Mumbai coming from the sea, and piracy. We will know what is around our coast. Space was another area that we had not really addressed properly. I have said we need to co-ordinate it, and we are now doing that. However, you cannot do everything instantly—there is only limited resource in terms of brains and people. However, we have done a remarkable amount—we are delivering these things and we now know very clearly which way we are going. The cybersecurity strategy is just one chunk of that, another domain rather like maritime—it is a new domain and one we need to work in.

The noble Baroness, Lady Miller, mentioned that she has talked about cybercrime for some time. I have touched on that—it has been growing and we have been aware of it. The reason we have gone about it the way we have is that the connectivity increased and the capability of attacks got bigger. We needed to co-ordinate it more, and that is why we are where we are. However, it is a complex thing, and to get all these people to work together is complex and difficult. We are very lucky in this country—we have some remarkably capable people, and we need to grow more of them. We need to become a centre of excellence in the world, because we are ahead of anywhere else. We worked really closely with our American cousins and there are very close links between GCHQ and the NSA. But of course they are in a far worse place than us because they were connected up long before we were. They were using computers and talking to each other when we were still on quill pens—not quite, but you know what I mean. But as we came into that computer age later, our government net, for example—the gsi.gov.uk net—had a very restricted number of portals. It is quite difficult for people to get in, and we know the number of attacks. The American system has more than 8,000 portals in its government network. We know from some of our pointy-headed hackers how easy it is to get into it, and therefore the Americans have a real problem to resolve. We are working very closely with them on this, and in fact we were doing this work at the same time, if not before, them. Therefore, it is rubbish when people say that President Obama has grabbed this, that he has jumped ahead of us and that we are not catching up. We have been working with the Americans and I think that we have delivered a great deal.

The noble Baroness, Lady Miller, mentioned the EU convention. We are still working on that, as there are complexities and difficulties within government. The ethics part is for individuals but aspects of law are also involved. We have to get all these things right. We are still working on that and we hope that it will be completed fairly soon.

The noble Baroness is absolutely right about individual members of the public. Although I have now been made the Minister responsible for cybersecurity, I sometimes feel like an ingénu in this area. It is quite daunting and horrifying to see how people who want to get money out of you or cause damage can fool you into giving up data. Part of this whole package is intended to teach our people so that they are aware of the risks. Very often, the weakest link in any net is the human being. People are sent something, they open it up and are then asked a question in a clever way. They answer and—bang—every bit of their computer is suddenly available for others to use. I will not mention some of the clever things that these people do to get information because we do not want to let other people know about them, but I can say that they are quite terrifying. Our aim is to teach people about these things. We will set things up to let people know about these matters and train them, letting them know the right things to do and putting in place mechanisms within the system to make things safer.

As I said, far from this being done somewhat late and in a bit of a rush, I think that we have acted in a timely and sensible way. There is no confusion or duplication; we are tying things together. Very shortly, the Home Office will produce something on serious and organised crime. We are addressing every one of these areas and pulling them together. I think that what we have done is rather impressive, but I had better stop now and allow more questions to be asked.

My Lords, I thank the noble Lord for his Statement. However, does he agree that measures to address the threat to states from cyber attack have to be global and all-inclusive? I hope to heaven that he does agree with that. If he does, is it not quite extraordinary that the only short passage in his relatively long Statement referring to the global impact and the global measures that are needed is where it says that the Government will,

“develop international law and doctrines of national defence in cyberspace, working with other countries”?

That is only a tiny fragment dealing with the essential urgency of a global approach to these matters. One cannot help but come to the conclusion that the Government’s approach to this, once again, is all talk and no action.

The Minister has been boasting about what the Government have done but perhaps I may ask him two questions. First, if the Government regard this massive threat as urgent, why has the Council of Europe’s Draft Convention on Cyber-crime, which the United Kingdom signed seven and a half years ago in November 2001, not yet been ratified? What could the reason be for that? Secondly, NATO’s Cyber Defence Management Authority has been operative since April last year. The United States has signed up to it but the United Kingdom has not. All this adds up to the irresistible view that the Government have spent these past years half asleep in relation to these matters. What are they going to do to harness the serious threat of cybercrime on a global scale?

My Lords, we have a set of work streams and one that the office for cybersecurity will tackle relates to international engagement. We are engaged internationally. As I said, we are almost joined at the hip with the US, and that stems from the agreement signed in the late 1940s between the NSA and GCHQ. We are working very closely with the US on its huge project to sort out the problems that it has in this area. Indeed, at times the US has used us to help in finding out what some of the problems are. We are working with the US very closely, as we are with the French and a number of European allies. Therefore, an international engagement work stream is part and parcel of this whole issue.

I mentioned to the noble Baroness, Lady Miller, that we are working on the agreement with Europe, which we hope to have ready soon, although there are complexities in these matters. I agree entirely about NATO, and I think that we will have to put in more effort there. That is why I want an international engagement stream, because I believe that we need to be closely involved. It is a global issue, although I think that there is a difference of equity among people. We have a greater understanding with the US by a quantum amount than we do with almost any other country. However, that does not mean that we do not need an international work stream, and that work will be done.

My Lords, my locus in this is that, when I was in the position of my noble friend Lady Miller, I worked on the pre-legislative scrutiny of the Communications Bill and the RIPA legislation. I listened to the Minister and heard his passion for co-ordination. Perhaps I may ask him to think again and not just to give an off-the-cuff reaction to the idea put forward by the Constitution Committee and my noble friend for a Joint Committee to look at these issues. The more he spoke, and the more enthusiasm he expressed, it seemed that the bit of co-ordination missing from the puzzle was parliamentary oversight. Therefore, that suggestion for such a committee bears re-examination.

When we carried out pre-legislative scrutiny of the Communications Bill, we took a conscious decision to leave the internet out of the scope of parliamentary legislation. It was felt that it was such a wonderfully dynamic opportunity that it was wrong to encumber it with legislation. However, should the amazing growth of technology be revisited or should the internet still be free?

Linked to that, I also worked on the RIPA legislation, where it was often a case of the blind leading the blind. I make no comment about the noble Lord, Lord Bassam, but certainly some of the technology went way above my head. I remember that we built in quite strong safeguards for civil liberties. My noble friend asked whether the RIPA legislation was still fit for purpose in terms of developments in technology.

Finally, I went to a very interesting briefing by Vodafone the other evening, where, again, the convergence of technologies was explained—the phone as a computer with access to the internet and so on. To make this work, we will have to have an active buy-in by private companies with commercial considerations as well as national and international obligations. Is the Minister sure that we can get the buy-in from the private sector for the objectives that he has set out?

My Lords, the noble Lord raises a number of very important issues. As noble Lords will know, we are looking at the RIPA legislation because we are not convinced that it is being used by, for example, local councils in the right way. That was never intended and we want to ensure that that is resolved and that there is proper guidance. Without a doubt, we need to look at the legislation in that context.

As regards ethics and the Joint Committee and the question of parliamentary oversight, there is of course the committee for the national security strategy. I thought that it would have been named already, as I know that it is being talked about in the other place with the Speaker and so on. It will have some oversight of the national security strategy. I undertake to look at cybersecurity on its own and see whether the committee will cover that, or whether we need, with the ethics committee, some other joint aspect. So I commit to that, but I would not want to give an off-the-cuff answer on it. The matter is too complicated; some of it will be the business of people within the other place as well as here, and to say more would be beyond my remit.

One feels at times that the internet is a bit of an ungoverned space. The noble Baroness, Lady Miller, has often mentioned the issue of deep packet inspections and the like, and I have some concern about that. We have managed to get a lot of voluntary agreement on things such as child pornography, which is super, and I am pleased that we have achieved that. However, it proves more difficult in some other areas, and the internet is now so all-pervasive that we will have to think about this. At the moment, though, there is nothing planned, and we would have to think about how to move forward in a very broad, all-party context. So we are not doing anything, but it is a nagging concern at the back of my mind.

Some of the CSPs and ISPs have been very good about working with us. BT, for example, has been fantastic: it has engaged with us and helped us in saying, “We’ve had this many attacks; this is happening; what about trying this?”. It works closely with us, as generally these companies do, but some are better than others. All of them, though, are beginning to understand that, given the state threats, the threats from serious and organised crime—£50 billion a year or so is lost around the world, and that amount is getting bigger all the time—and the threat to each individual, such as identity theft or bank account attacks, it is in all our interests to work together, and I think that generally they will.