Skip to main content

SolarWinds Cyberattack

Volume 809: debated on Monday 25 January 2021


Asked by

To ask Her Majesty’s Government what assessment they have made of the SolarWinds cyberattack, first reported on 13 December 2020; and what action they are taking in response.

My Lords, this is a complex and global cyber incident. There is an ongoing, cross-government response and we are working with international partners to fully understand its scale and any UK impact.

My Lords, the Minister has pretty much repeated what the NCSC said back in December. This was one of the largest and most sophisticated cloud and software cyberattacks ever. SolarWinds’ customers included the Home Office, the MoD, the NHS, the Royal Navy, the Cabinet Office and several local authorities. Surely there has been time to evaluate and at least start countering the impact, identify the source and communicate with those potentially affected? Microsoft has been very transparent in its communications. Is it not time that the Government did likewise?

My Lords, the noble Lord will understand the sensitivities of these questions. I beg him to understand that work is ongoing and will take some time. However, we are already well placed to respond, thanks to our national cybersecurity strategy. Simply having SolarWinds does not automatically make an organisation vulnerable. The National Cyber Security Centre is working to mitigate any potential risk and guidance has been published on its website.

My Lords, the Government have a very impressive record on cybersecurity, but I note that our current public strategy is dated 2016-21. Can my noble friend set out when the Government plan to publish their forward strategy, 2021-25? Will that include the important role that the UK can play internationally in establishing cyber norms?

I thank my noble friend for his comments. He is, of course, right that the current five-year strategy expires this year. The next iteration of the strategy is being developed and is expected to be published this year. This will set out the direction and ambition for the UK to be a continuing leader in cybersecurity, in line with the priorities of the integrated review. It will also set out how the UK will step up its efforts to shape the global rules, as my noble friend commented.

My Lords, I refer to my interests as set out in the register. The response from the noble Lord has been complacent. A large number of systems in the national infrastructure use SolarWinds software and have been compromised. The House has not been told how many. Will the Intelligence and Security Committee be briefed on the full extent and implications? There is a wider question: does reliance on such commercial software solutions not create a single point of failure for our security and economy, as multiple systems—otherwise unrelated—can be penetrated simultaneously, potentially leading to a catastrophic collapse?

My Lords, the Government’s response is anything but complacent. I had hoped that I had made that clear, but I will say it again. The Government’s response is not complacent. The NCSC is working to mitigate any potential risk. Actionable guidance has been published through its website. We urge organisations to take immediate steps to protect their networks. We will continue to update as we learn more.

A congressional commission has given President Biden a 15-point list of priorities for reducing the probability of, and addressing recovery from, cyberattacks. Will the Government be referencing that plan as part of assessing UK preparedness, and discussing measures similarly with Parliament?

The noble Baroness makes an important point about international co-operation. She is quite right to say that malicious activity knows no boundaries. We regularly discuss cybersecurity with a range of international partners, including the G7, sharing our analysis of threats and our experience. I can give an assurance that we will continue to do so.

FireEye, which uncovered the attack, judged that the tradecraft involved was consistent with state-sponsored actors. Microsoft’s Brad Smith described it as “a moment of reckoning”; it was “not ‘espionage as usual’” but

“an act of recklessness that created a serious technological vulnerability for the United States”

and beyond. Joe Biden has now promised to make cyber-security a top priority given the recent digital espionage. How have the Government responded to President Biden, since this does not appear to have been covered in the phone call that he had with the Prime Minister?

My Lords, perhaps the noble Baroness has better information than I do on the call between the President and the Prime Minister. The Government are certain that cybersecurity is absolutely at the heart of our overall defence need and defence capability. I repeat: we will work with all friendly allies in that area. The UK considers attribution on a case-by-case basis, but I do not have anything further for the House at this stage.

My Lords, does my noble friend agree that one of the greatest lessons from SolarWinds is that the basics need to be right—password management, multifactor authentication and so on? Can he confirm that this is understood across the public sector and in all arm’s-length bodies, and that securing the supply chain is a constant and urgent need? Further, would he agree that in the UK we have an excellent cyber community, with private firms such as NCC and world-leading public institutions such as the NCSC? The Government should do everything to support this cyber industry so that it can do everything to protect us.

My noble friend makes some important points. Obviously recognising the increasing importance of this area, the government security group is leading the development of a government cybersecurity strategy—which will sit underneath the national strategy —to deal with some of the issues my noble friend refers to. We also have a wide range of advice and support to help private sector organisations protect themselves.

My Lords, my question follows on from that of the noble Lord, Lord Harris of Haringey, and concerns resilience and the impact on operational technology, rather than simply IT, where experts say it may take months for difficulties to appear. Credible analyses suggest that the simple network management protocol—SNMP—fails to meet the tests of confidentiality, integrity and availability. It is not going to be replaced quickly, but are the Government at least looking at ways in which it can be reinforced across their own systems, while ensuring that that happens right across vital private systems in our country?

My Lords, I apologise; I found it quite hard to catch every part of the noble Baroness’s question. I hope this is not an inadequate answer, but I am unable to comment on operational detail at this stage. However, as I have assured the House, the NCSC is working to mitigate all potential risks, and this work is ongoing.

My Lords, SolarWinds highlights concerns about the growing privatisation of cybersecurity attacks through a new generation of private companies, described in a recent Microsoft blog as

“akin to 21st-century mercenaries”

who offer

“the option for nation-states to either build or buy the tools needed for sophisticated cyberattacks.”

Already the US is battling one such company in their courts. Can we be assured that the Government’s review will consider whether our cyber capability and regulatory infrastructure is fit for purpose in the face of this emerging threat?

I agree with the noble Lord on the importance of sustaining and improving that capability. The Government are certainly giving attention to that—seeking to promote cyber skills and to encourage a sustainable pipeline of homegrown cybersecurity talent, and protecting our critical infrastructure. That is a key part of the strategy going forward. The noble Lord is quite right that, currently, the demand for cybersecurity skills outstrips supply. We must mend that issue.

My Lords, I used to write encryption software. Why does the trade and co-operation agreement recommend using encryption and hashing algorithms, which are both outdated and vulnerable to cyberattacks? It makes us look silly in the eyes of the technology world and just encourages hackers.

My Lords, sadly I do not share the technical capacity of the noble Lord, but I will ensure that he has a reply adequate to the level of his much higher understanding.