Shadow Defence Minister, Yvonne Fovargue, speaking in the Chamber yesterday on defence and cyber security.
Yvonne Fovargue (Shadow Minister (Defence); Makerfield, Labour)
Labour Members welcome the increased focus that cyber-defence is receiving. The report by the Defence Committee is evidence of that focus, so I congratulate its members on their excellent work. Cyber-attacks are at last properly acknowledged as a serious threat to our national security and are rightly prioritised as a tier 1 risk in the Government’s 2010 national security document. As the Committee’s report says, the threat is liable to grow and evolve at “almost unimaginable speed”. Indeed, the pace of technological change is faster than traditional Government structures and time lines can cope with. As my hon. Friend John Woodcock said, five years is a long time in the cyber-world
and the threat from cyber-attack is rising exponentially. The number of global web users in 1995 was 16 million; it is estimated that by 2015, there will be more interconnected devices on the planet than there are human beings.
The Government have committed £650 million over four years to the cyber-security programme, which seems like a significant sum, but only 14% of that was allocated to the Ministry of Defence, while the total investment equates to only 0.6% of the £27 billion that the UK loses through cybercrime every year. In its report, the Defence Committee questioned whether enough was being done to secure the supply chain and the industrial base. We know that supplies of armed forces’ equipment are increasingly being targeted, and are especially vulnerable to cyber-attack. In their response, the Government say they are working closely with industry on matters such as information sharing and incident reporting, but give precious little detail. The Government need to go further, and Labour is calling on them to ensure that every company working with the Ministry of Defence, regardless of its size or the scale of its work, signs up to a cyber-security charter. That will ensure that hackers cannot use the small suppliers to get into the systems of the major defence companies. As my hon. Friend Mr McKenzie said, the risks from cyber-attacks are huge and growing; we need to do everything we can to protect against them, and the MOD and its contractors should lead by example.
The Government also refer to progress on the joint cyber reserve—an initiative to involve reservists in the delivery of cyber-security—but give little detail. Will
the Minister say what progress has been made in that important matter? I would particularly like to hear his thoughts on recruitment. The cyber reserves are not likely to be a traditional military outfit: the skills are entirely different. Is it essential that those reservists meet the usual fitness standards of the armed forces? A senior US officer said it was not essential that they were able to march 3 miles with a pack on their back, and I think most people would agree. It would be interesting to hear the Minister’s thoughts on the requirements for the new force and how its personnel will fit into the military model.
What is the Minister doing to attract recruits? We have heard that a lot of the top universities are running cyber programmes with top computing graduates. Is the Minister attending those events or approaching careers fairs? Is there a career path that will be attractive to young graduates—we need not only to recruit but to retain those graduates. A recent study by the Army Families Federation shows that large numbers of married Army personnel want to leave the service. That will be all the more problematic with cyber personnel, as there are many lucrative private sector jobs tempting them away. But of course many of the skills and experiences required for this are prevalent in the defence industry. What steps is the Minister taking to encourage firms involved in Government contract work—not just in the defence but throughout Government—to encourage their staff to become reservists? What responses are there from such firms?
The new joint cyber-force is described by the Secretary of State in terms of its offensive rather than defensive capabilities, enhancing our ability to strike back in cyberspace against enemies who attack us. But as my hon. Friend Mr Havard said, what are the rules of engagement? Land, sea and air have been the traditional theatres of war. Cyberspace is new and untested. What constitutes a cyber act of war and, equally important, what would be a proportionate response to an act of aggression? For example, if all London’s systems were knocked out by an electromagnetic pulse device, would that be an act of war? What would we do about it? As my hon. Friend the Member for Bridgend said, how would we know who did it? In short, what are the rules of engagement?
It would also be interesting to hear whether the Minister believes that the concept of deterrence applies to cyber-defence as it does to conventional defence as perhaps those with the most ability to attack our cyber-capabilities have the least reliance on their own cyber-capabilities. What role does he envisage offensive cyber-capabilities playing in this? Do we work alone or in concert with others? The Secretary of State has made much of cyber-security being a sovereign capability but we have been working with other nations in supranational bodies for some time; for example we are a member of the “Five Eyes” group, which includes the USA, Canada, Australia and New Zealand, and we have also been working with NATO. The report cites the important work of the NATO cyber-defence centre of excellence. Of course this is based in Estonia and was created as a direct consequence of the cyber-attacks on that country in 2007. There is excellent work undertaken there and I am glad that the Government are committed to participation in the centre, although some may doubt whether the contribution of £20,000 per annum will
have much impact. But the lesson to be learned here is that we cannot afford to wait until an attack happens before we act. We have to be proactive.
Since the publication of the report, we have seen developments within the EU’s common security and defence policy. The European Council meeting on 19 and 20 December last year led to a call for the development of an EU cyber-defence policy framework in 2014. I would be interested to hear what talks have been taking place about this. Working with, and within, bodies such as the “Five Eyes”, NATO and the EU is vital, not only for intelligence sharing but for developing common rules of engagement. We must be aware of the threat and how best to counter it. That is why we need all the organisations to work together.
A further point is public trust. The public have to have trust in what we are doing to protect them and that is why accountability is so important. The USA has FISMA,the Federal Information Security Management Act,of course. What research has been done into how this might translate into our own system? We must also ask what role should Parliament and the Intelligence and Security Oversight Committee have in this new era of cyber-defence.
Currently we are accustomed to thinking of security in terms of three forces; army, navy and air force. But in many ways cyber does add a fourth strand. Just as the creation of the RAF in 1918 demanded a whole new way of thinking about defence and war, the increasing cyber threat means that we need to do some fresh thinking now. We have to think seriously about how we can combat this new threat because one thing is certain; it can only grow. Conventional borders will have less and less impact but the impact on civilians and the military will be greater and greater.
When the internet and electronic communications were first devised it was thought that they would impact only on academics in ivory towers. They have developed in ways that were never imagined then and have become an everyday part of our lives. Imagine a world without banking, power, communications systems, computers, control of our weapons. It absolutely does not bear thinking about, which is why we have to think about it and ensure that the MOD and the military are ready to take on this threat, and that they know their part, and play their part, in protecting our country and its citizens from this new and fast-evolving threat.
As communications technologies spread and as the UK critical infrastructure networks become even more heavily based on IT networks, cyber-defence becomes an increasingly pressing security concern. There will be even more attacks. According to the Government’s own national security strategy document, the UK faces up to 1,000 cyber-attacks every hour, which is estimated to cost the UK £27 billion a year. Cyber-attacks are now a constant reality, with the Government, the private sector and private citizens all under sustained cyber-attack from both hostile states and criminals, as my hon. Friend Mrs Moon articulated so well.
I have no doubt that the Government take the threat of cyber-attack seriously, although perhaps not seriously enough. The report makes it clear that Ministers have not yet put in place the infrastructure to deal with that real threat properly, or approached the problem with vigour or sufficient robustness. As Mr Arbuthnot said, the problem is agile and many-layered—I think it has been likened to an onion, and the Opposition would agree with that.
View the full debate: http://www.theyworkforyou.com/debates/?id=2014-03-04a.787.2&s=yvonne+fovargue#g817.0