
Cyberattack: Microsoft

Volume 814: debated on Thursday 22 July 2021

Commons Urgent Question

The following Answer to an Urgent Question was given in the House of Commons on Tuesday 20 July.

“I thank my right honourable friend for asking this important and timely question. Yesterday, on 19 July, the UK Government joined like-minded partners to confirm that Chinese state-backed actors were responsible for gaining access to computer networks around the world via Microsoft Exchange servers. As the Foreign Secretary made clear in a Statement yesterday, this cyberattack by Chinese state-backed groups was reckless, but sadly a familiar pattern of behaviour. The Chinese Government must end this systematic cybersabotage and can expect to be held to account if they do not.

The attack was highly likely intended to enable large-scale espionage, including acquiring personally identifiable information and intellectual property. At the time of the attack, the UK quickly provided advice and recommended actions to those affected. Microsoft has reported that, at the end of March, 92% of customers had installed the updates that protected against the vulnerability.

As part of that announcement, the UK also attributed the Chinese Ministry of State Security as being behind activity known by cybersecurity experts as APT40 and APT31. Widespread, credible evidence demonstrates that sustained irresponsible cyberactivity emanating from China continues. The Chinese Government have ignored repeated calls to end their reckless campaign, instead allowing their state-backed actors to increase the scale of their attacks and act recklessly when caught.

Statements formally attributing Chinese responsibility for the Microsoft Exchange attack and actions of APT40 and APT31 were issued by the EU, NATO, the UK, Canada, the US, Australia, New Zealand, Norway and Japan. That co-ordinated action by 39 countries sees the international community once again calling on the Chinese Government to take responsibility for their actions and respect the democratic institutions and personal commercial interests of those they seek to partner with. The UK is calling on China to reaffirm the commitment made to the UK in 2015 as part of the G20 not to conduct or support cyber-enabled theft of intellectual property or trade secrets.”

My Lords, I must admit that I share the view of Iain Duncan Smith about the seriousness of this matter and why there was not a Statement from the Government at the time. In the Commons, the Minister estimated that approximately 3,000 UK-based organisations may have been vulnerable to this attack, but there was no confirmation on whether any public bodies are included in this figure. Can the noble Lord, Lord Ahmad of Wimbledon, state whether any public bodies were compromised and what urgent steps are being taken to secure public bodies from future attacks? Also, when the Government acted with targeted sanctions against individuals involved in the Russian state-backed cyberattack on the German Parliament, why were there no sanctions in response to Chinese state-backed cyberattacks, on—among others—the Finnish Parliament?

My Lords, I agree that we need to ensure protection for all organisations. The noble Lord is correct in saying that 3,000 organisations were impacted. Obviously, we made a full evaluation when we were informed of these attacks to ensure that all the information was readily available. He asked specifically about government organisations. We do not believe that government organisations were victims. Because this was an untargeted action, it is not possible to give a credible assessment of the overall economic damage. He asked about further mitigation. As he knows, the National Cyber Security Centre is very much world beating and, together with Microsoft, we have worked to give specific and timely advice. By the end of March, 92% of all those organisations impacted had taken appropriate mitigations.

My Lords, the Answer in the House of Commons suggested that there had been a response in the form of a statement by 39 countries. That is welcome, but what action are the Government taking, beyond making statements, to ensure that the United Kingdom and her allies are no longer vulnerable to China? Statements are one thing; sanctions or other actions would surely be far more effective.

My Lords, I am sure that the noble Baroness will acknowledge that when we call out such action, as we have on this occasion, that is done in co-ordination with our key partners. The fact that 39 countries, including those of the European Union and NATO, including Norway, as well as Japan, are among those demonstrates the strong condemnation of these actions. Alongside international partners, we continue not just to call this out but to ensure that we are vigilant to these threats, wherever they come from, and ready to defend against them. As for specific sanctions, the noble Lord, Lord Collins, pointed to Russia, and the noble Baroness will be aware that we have an autonomous sanctions regime and, where necessary, we have acted in the past, although I cannot speculate on any future action that we may take in this respect.

My Lords, last year Twitter suspended more than 32,000 accounts linked to Chinese, Russian and Turkish propaganda operations and more than 170,000 state-linked bot accounts tied to China. Analysis by the Australian Strategic Policy Institute found that China’s influence operation targeted users outside the mainland, where Twitter and Facebook are blocked, aiming to manipulate opinion on issues including the Hong Kong protests, coronavirus and Taiwan. What assessment has the Government made of such state-linked propaganda campaigns targeting UK citizens and the attempts to destabilise British society?

My Lords, my noble friend makes an important point and I assure her and your Lordships’ House that we work in co-ordination with international partners, as well as through the National Cyber Security Centre, to ensure that those who may be targeted and, indeed, those who have been targeted are properly supported. Equally, we share information which allows further mitigation of risk. We must close down this space. Cyberspace is a force for good for many, in the opportunities that it offers, but any use of cyber must be legal, responsible and proportionate. The actions taken on this occasion, supported by the Chinese state, fall foul of that. It is right that we work with international partners in condemning such action.

My Lords, do the Government systematically seek to identify all businesses and individuals who may have been targets for cyberattacks, whether from China or elsewhere? If so, do the Government, as a matter of policy, advise all such businesses and individuals of their potential vulnerability? Do they offer help in how to avoid or minimise the deleterious consequences of such exposure?

My Lords, the noble Lord makes an important point and I shall answer it on two bases. We have worked consistently with other countries, particularly those that do not have the technical capacity to take appropriate mitigation against cyberattacks. We have invested a great deal, including through the Commonwealth, on issues of cybersecurity. Working through the NCSC, we also recommend that, where possible, organisations update to the latest version of software and patch frequently to protect against cyberthreats. On this occasion, both the NCSC and Microsoft have published actionable advice for network defenders. As we improve our capacity to defend, we continue to work with key partners to further mitigate risks to any individual or organisation within the UK.

My Lords, the widespread nature of this attack shows that cybersecurity is a global issue which needs global co-operation. What steps are the Government taking to play a greater role in the United Nations innovation agencies to help to make future technologies more cyberspace-secure?

My Lords, the noble Baroness points to multilateral action. Cybersecurity and cyber more generally remain a point of discussion within the context of the United Nations, as well as other multilateral organisations. It is worth reflecting that, when I mentioned 39 countries earlier, that demonstrates that this is an international challenge that, as the noble Baroness rightly recognises, requires international action, as on this occasion. Working with international partners and organisations, we have illustrated the need for uniform action and calling out those who seek to use cyberspace to attack other countries, organisations or individuals.

My Lords, cyberattacks are part of the low-intensity warfare being waged by President Xi with the aim of securing global domination. Other weapons are terror in Xinjiang, Tibet and Hong Kong and the illegal occupation of neighbouring countries’ territories. Is it not now the time for the Government to impose trade sanctions and a ban on Chinese products and investment?

My Lords, the Government have been at the forefront in the broader challenges. Indeed, as the UK Human Rights Minister, I am at the forefront of the work that we have done at the Human Rights Council, for example, in calling out the systematic detention and abuse of the Uighur community in particular. Most recently, we backed the Canadian statement and worked with our Canadian partners to ensure that more than 40 members at the Human Rights Council called out the situation of the Uighurs and to ensure the access of the human rights commissioner to Xinjiang. We have taken action. The noble Lord talks about sanctions, and the noble Lord, Lord Collins, mentioned them too. Back in 2018, the UK, along with 14 partners, called out, on the basis of APT 10, the action that China had taken. We work systematically and will continue to focus our activities on calling out human rights abuses wherever they occur.

My Lords, notwithstanding the focus on any Chinese or Russian interference in our security and civil liberties, in light of the Guardian investigation and reports, and given the Statement made to this House by the Minister, the noble Lord, Lord True, that our Government are fully aware and made representations about potentially illegal surveillance of British citizens and institutions, will the noble Lord say if he is aware to whom representations have been made? What assurance can he provide that such security breaches have been stopped as a result of our Government’s work and that the Government are not failing to protect our citizens and institutions against any further attacks from seemingly friendly countries and partners?

My Lords, I assure the noble Baroness that it is essential—I say this very clearly—that all cyber actors use their capabilities, as I said earlier, in a legal, proportionate and responsible way. On the issue that she highlighted, which has been the cause of media reporting, I assure her that we make representations to all appropriate Governments. We work closely with our allies on this important issue and, ultimately, to tackle cyberthreats and improve resilience. That is what we have done in the case of China. We will continue to act responsibly to ensure that citizens and organisations in the UK and, indeed, across the world are protected in the best way possible. We will continue to work to mitigate such actions.

My Lords, the time allowed for this Question has elapsed and I apologise to the noble Lord, Lord Foulkes of Cumnock, who was not able to ask his question.