Cybersecurity: Encryption

Volume 765: debated on Tuesday 27 October 2015


Asked by

To ask Her Majesty’s Government what assessment they have made of the case for the use of the strongest encryption standards online, with no back door access, in order to protect the integrity of the global digital infrastructure for all organisations and citizens who rely on it.

My Lords, the Government recognise the essential role that strong encryption plays in enabling the protection of sensitive personal data and securing online communications and transactions. The Government do not advocate or require the provision of a back-door key or support arbitrarily weakening the security of internet applications and services in such a way. Such tools threaten the integrity of the internet itself. Current law requires that companies must be able to provide targeted access, subject to warrant, to the communications of those who seek to commit crimes or do serious harm in the UK or to its citizens.

My Lords, I am reassured that the noble Baroness understands how absolutely essential strong encryption is for the integrity of everyday online activities such as banking, retailing, financial trading and also the conduct of government business. Strangely, Mr Cameron does not seem to get it yet, having three times said that he intends to ban any communication “we cannot read”, which can only mean weakening encryption. Will the Minister bring the Prime Minister up to speed with the realities of the digital world?

The Prime Minister did not advocate banning encryption; he expressed concern that many companies are building end-to-end encrypted applications and services and not retaining the keys. The Prime Minister has repeatedly said that there cannot be a safe place for terrorists, criminals and paedophiles to operate freely, with impunity and beyond the reach of law. This is not about creating back doors; this is about companies being able to access communications on their network when presented with a warrant.

My Lords, recently, ISIL has been using WhatsApp as part of attacks in Iraq and we have seen terrorists get more on to the net than ever in the past. I understand the point made by the noble Lord, Lord Strasburger, but is it not absolutely essential that we have the law enforcement capability, legally controlled, to be able to get access so that no enemies of the state who wish to destroy us and kill our people are able to operate in an environment where they know that they will never be monitored by law enforcement?

The noble Lord raises a very important point. There is an alarming movement towards end-to-end encrypted applications, such as those that he mentioned. It is absolutely essential that these companies which understand and build those stacks of technology are able to decrypt that information and provide it to law enforcement in extremis.

We have all seen reports of the recent events at TalkTalk, a commercial organisation that has every interest in maintaining its own security. How confident are the Government and the Minister on the protection of that part of our infrastructure that is based on industrial operating systems—in other words, software systems—including, but not exclusively, our future nuclear power stations?

My Lords, the events of the past week demonstrate the importance of robust cybersecurity plans and encryption to protect our citizens and our national infrastructure. As Minister Vaizey said yesterday in the other place, the Government—and, indeed, the previous coalition Government—have worked to ensure that companies have the tools they need to protect themselves against cyberattack. We have invested £860 million in a five-year national cybersecurity programme and set up the National Cyber Crime Unit inside the National Crime Agency. Our Cyber Essentials scheme sets out basic controls for all organisations, including the national grid, which they must have in place to protect against cyberattacks.

My Lords, I welcome much of what the Minister has said. Can she absolutely confirm that there is no intention in forthcoming legislation either to weaken encryption or provide back doors to it?

Perhaps the Minister might comment on the fact that the Select Committee on Science and Technology has recently heard evidence about the national grid. Since it has been privatised, the national grid is now split into lots of different agencies and there is a serious problem, not only with nuclear power stations but with the potential of cyberattack on our power supply in Britain as a whole. One can see how that could be disastrous. Can she explain what the Government intend to do about that?

I thank the noble Lord for the question. It is beyond my area of expertise and knowledge at this stage, but I will find out that information and come back to him.

My Lords, I have noticed that when my wife gets communications from local authorities, they start quite correctly with the words “official-sensitive”, which is a security classification for documents to encrypt them. However, they are using a particularly complicated method of doing it. Will the Minister please urge the Government—where they, very sensibly, are going to start sending out sensitive communications in this way—to look at using the easier and simpler forms of encryption that exist?

The noble Earl raises a very important point. Fortunately, encryption technology is moving on to the point at which even military-grade encryption is available in easy format. We will look into that and make those recommendations in the guidelines.

My Lords, it is universally acknowledged that UK banks’ infrastructure is in a very poor state; some 90% of their IT spending is on legacy issues—namely, keeping the old systems going. One consequence is that there is an incomplete view of the customer. There was a dramatic example of that last week when Deutsche Bank put £6 billion into a single customer’s account. For the sake of clarity I should inform the House that that was not my account, but something needs to be done.

I am not familiar with that particular case but I wish I were. It is important to acknowledge that substantial mistakes can be made and that cybersecurity is at that level of risk. Day-to-day operation is very important to consider.

The noble Baroness mentioned resilience, which is very important as we face the extraordinarily large scale of cybercrime, but the resources seem to be pouring into the criminal gangs, not into the agencies that are trying to protect citizens. What can the noble Baroness tell us about the CSR coming up, and will it be able to protect and enhance those law enforcement agencies that are seeking to stamp out this crime?

The noble Baroness does not understand my terminology. The CSR is forthcoming, involving public expenditure for the whole of the public sector.

I thank the noble Lord for bringing the comprehensive spending review to my attention, and I will look into it.