Cyberattack: UK Defences

Volume 767: debated on Monday 7 December 2015


Asked by

To ask Her Majesty’s Government what is their assessment of the vulnerability of the United Kingdom to organised cyber-attack.

My Lords, as the Chancellor of the Exchequer said in his speech to GCHQ on 17 November, despite a huge amount of investment, effort and world-class tools and capabilities, we are not where we need to be, particularly given the pace of innovation in cyberspace. Since 2011, we have invested £860 million in a national cybersecurity programme. As announced in the national security strategy and strategic defence and security review 2015, we plan almost to double investment in cybersecurity over the next five years.

My Lords, I thank the Minister for that very helpful reply. One of the most serious threats we face is that of a co-ordinated cyberattack against the UK financial sector. The Bank of England has shown that individual banks, especially the large banks, are pretty well protected but there are huge vulnerabilities in the connections between the banks and the rest of the economy, which some people say could lead to panic. One quite seasoned observer described the possibility of financial Armageddon—the meltdown of the system—given that most money today is electronic and no longer held in the form of cash. This is a matter for the Government, not just for the Bank of England, so what concrete steps are the Government taking to address this issue?

I pay tribute to the work of the noble Lord and a number of other of your Lordships in this area. On the specific point, the financial sector, including the City of London, has undertaken a number of exercises in recent years: Waking Shark I, Waking Shark II and the Market Wide Exercise, as well as the more recent Resilient Shield exercise between the US and the UK last month. In June, the FPC agreed that the Bank, the PRA and the FCA should also establish arrangements for CBEST tests to become one component of regular cyber resilience assessment within the UK financial system.

My Lords, the Minister may be aware that the infrastructure in most of the exchanges of internet service providers in this country is supplied by a Chinese company, Huawei. In the previous coalition Government, Sir Malcolm Rifkind was commissioned to inquire about this country’s vulnerability to a possible instruction by the Chinese Government to shut our systems down. Does the Minister have the results of this investigation? He should also be aware that the United States does not allow that company to operate there.

I will write to the noble Lord about his specific point. However, we are not complacent on this issue. As the noble Lord, and other noble Lords, will know, virtually every telecommunications network in the world incorporates foreign technology. Most manufacturers have some of their equipment built in China and use technical components from a global supply chain, regardless of the location of their headquarters.

My Lords, I should declare an interest as a former adviser to Huawei. Given that 90% of larger companies suffered a security breach last year, I welcome what the Chancellor and the Minister have said about setting up a national cyber centre. To date, the Cabinet Office has been responsible for the national cybersecurity programme. Can the Minister confirm that it will continue to be so, and to be responsible for the national cyber centre, rather than handing it over to the tender mercies of the Home Office, which is not known for its business-friendliness?

I can confirm that and draw the noble Lord’s attention to paragraph 7.7 on page 82 of the National Security Strategy and Strategic Defence and Security Review, which sets out a very nice organogram for who is responsible for what.

My Lords, will the Minister confirm that the firing chain for Trident is air-gapped in its entirety, as it certainly was until 2006, and is therefore invulnerable to cyberattack? Will he also confirm that any upgrades that may be planned for that firing chain will remain air-gapped? If not, there will clearly be a vulnerability.

The noble Lord speaks with immense experience in this area and I will write to him on the specific point. I cannot comment on the detail of the security arrangements for our nuclear deterrent but we can, and do, safeguard it from threats, including cyber.

My Lords, will the Minister update the figures on substantial attacks on British government institutions and businesses which last year were running at between 150 and 200 per month? Has that figure changed substantially and has there been the slightest indication that, since the Chinese leadership pledged to the Prime Minister that they would lay off, there has been an easing from that quarter?

I can give some figures. GCHQ typically responds to an average of 70 sophisticated attacks on government networks per quarter. In summer 2014, GCHQ responded to approximately 200 incidents and this figure doubled to nearly 400 during summer 2015.