HC Deb 04 November 1998 vol 318 cc985-92

Motion made, and Question proposed, That this House do now adjourn.—[Mr. Clelland.]

10.26 pm
Mrs. Jacqui Lait (Beckenham)

I am delighted that I have been able to bring up the subject of information warfare tonight. I had hoped to be able to take part in the recent debate on the strategic defence review, but was unsuccessful. However, I now have half an hour of the Minister's undivided attention, which is infinitely better.

If anybody thinks about information warfare—not many do—they think it the stuff of science fiction. Indeed, I can remember reading a novel that uses information warfare techniques for criminal purposes. Having taken an interest in the subject, the more I think about it, the more I am convinced that this country is not able to defend itself from an attack that could happen at any time.

I read the strategic defence review document to try to find out what is planned to tackle the problem, and found references to it only in paragraph 34, which defined information warfare, and paragraph 35, which merely said: "While we cannot predict the detailed impact of such changes over twenty years, we have taken a hard look at how we can seek to make the most of emerging trends in all areas of the Review, including how to adapt our requirements and procurement processes so that we are not left behind by the speed of change."

I then wrote to the Minister for Defence Procurement, who is in the other place. He quoted me paragraphs 16 and 17 of supporting essay 3, entitled "The Impact of Technology", which, frankly, was not much more enlightening. It could be described as a blizzard of words.

I am sure that Ministers and officials are concerned about the threat, and undoubtedly are working hard to counter it. My concern is that it must be countered as effectively as humanly possible, and I am not sure that the United Kingdom is doing that.

The neatest and shortest explanation of information warfare that I have found so far is contained in the review. It says: "information warfare attacks through the computer systems on which both our forces and civil society increasingly depend."

The military no longer has its own specifications for computer equipment. With the demand from civilian life far outstripping that from the military, high-tech equipment such as computers, chips, motherboards and all the paraphernalia that now make our lives so much easier is interchangeable. That could allow some person or group of evil intent, with the necessary expertise—not so difficult to come by nowadays—to attack computer systems and networks both in the military sphere and in crucial areas of civilian life.

For example, the whole of the Ministry of Defence budget, at some time or another, goes through the City of London's banking system; military planes and helicopters cannot move without civilian air traffic control; nothing can be operated without access to electricity, which is produced in the civilian sphere; and military communications use private sector-owned landlines, cables and satellites.

If only one terrorist group, pressure group, foreign intelligence service, foreign power, rogue military or criminal used only one computer buff, any one or all of those systems could be closed down and the country brought to its knees. It does not take a lot of imagination to envisage a good computer hacker getting into the chip that controls a pumping station and instructing the national electricity grid to shut down, and the mind boggles at someone getting into the air traffic control computers. The banking system and the City of London could be bled dry, and every penny sent to an offshore address, or our telecommunication and data systems could be closed down.

Those would be civilian disasters, but every scenario that I have described affects the MOD directly, and the country would lie defenceless at the mercy of whoever wished to defeat it, without a shot being fired or our forces alerted. There is no point in saying, "But it wouldn't happen." It already does. Banks have had money misappropriated by hackers, and I understand that our air traffic control system, which is regarded as robust, has already suffered from "spoofing" as someone tried to get information from it. The new system, which will be Europewide, will be even more open and, hence, much more vulnerable.

Everyone who uses computers—people in utilities, banks, telecommunications and the defence industry—uses commercial systems and commercial software. The software is written all over the world. Everyone uses subcontractors. I understand that there are about 60 microprocessors in Eurofighter alone. Does anyone know exactly where they were made and who has written the software?

Many people use subcontractors for the maintenance of their computer systems. I am told by those who know about these things that "maintenance ports" are often left open. That provides an easy way into the system.

I hope that I have made it clear that any developed country using modern technology is vulnerable to information warfare attack. The real question is, how are we going to defend ourselves? We will need to do so—we cannot escape it.

In the mid-1990s, President Yeltsin said: "While maintaining our nuclear potential at proper level, we need to devote more attention to developing the entire range and means of information warfare." The cold war may have ended, but cold war warriors are aware of the potential of this threat.

For information and ideas, I turned to the United States. Given the lack of information in the strategic defence review, I suspected that there was not much available from official sources in the United Kingdom, such as the MOD. How right I was. I searched the internet, appropriately enough. Did I find anything at all from the United Kingdom, in the new age of freedom of information? Not a dicky-bird.

The United States was different, and the entries were enlightening. There were 48, and one site explained what the United States Navy information warfare division at Port Mugu was doing to combat information warfare. Another site, which gave a good description of information warfare, has been visited 5,363 times since 14 July this year, which is an average of more than 300 visits a week. Two of them were mine. That shows that there is quite an interest in the subject.

In November 1996, the American Under-Secretary of Defence for Acquisition and Technology received a report from the Defence Science Board task force on information warfare. It is available in full on the internet and is unclassified. The report recommended a series of actions, the prime one being that the most effective defence against information warfare attack is to ensure that everyone is aware of the issue. The United States has gone public.

I understand that the United States Department of Defence is working with all the industries most closely affected, such as the ones that I have mentioned. The Department has already sanctioned penetration tests of 12,000 supposedly secure sites. It has discovered that 90 per cent. had been penetrated and, of that 90 per cent., 95 per cent. had been undetected. Another check in 1997 showed that those already appalling statistics had become much worse.

In the light of that, what are we doing to defend ourselves in the United Kingdom? Have we made any assessment of our vulnerability? Have we put in place key point protection systems? After all, a guard and a dog at a pumping station cannot protect the chip in the pump from the computer hacker.

Does the Minister agree with the US theory that the best method of defence is wide knowledge and awareness? If he does, what is he doing about it? When will I see his policies and actions on the internet? If he does not, can he tell me and our best allies why he disagrees? It does not cost money to share information between defence and civilian industries, so the Treasury will not object. Has he invited the relevant industries to a meeting to discuss how to protect themselves and develop their awareness and education of the threat?

The resilience of our military and civilian computer systems can be enhanced at only modest cost. Has the hon. Gentleman asked for estimates? Has the Ministry of Defence developed a threat assessment that he could share with us? Has the MOD plans to create an incident report and response system? Is work going on to develop standards for information warfare and monitor their effectiveness? What is being done to ensure that protection against IW attack is a key requirement of all procurement activity? All that is defensive, so is any thought being given to developing our own attack systems? I am sure that the Minister is not complacent and will be able to reassure me that all those questions have answers that will satisfy me.

Finally, I urge the Minister, in the spirit of freedom of information and open government, to share what is happening in information warfare with the rest of the United Kingdom and with the United States—they are, I believe, happy to share their information and technology with us.

10.36 pm
The Parliamentary Under-Secretary of State for Defence (Mr. John Spellar)

I congratulate the hon. Member for Beckenham (Mrs. Lait) on her success in securing today's Adjournment debate on an issue of such importance not merely to the security of the United Kingdom, but to our ability to secure the economic and industrial benefits that new information technologies bring. I also thank her for informing me previously of the outline of her speech; I hope that our debate will be more productive as a result. I had hoped that my hon. Friend the Minister for the Armed Forces would be able to reply, as I understand that he and the hon. Lady were at the same university, but unfortunately he is on Government business elsewhere tonight.

The Government are fully alive to the threats posed by information warfare to information infrastructure in defence and in government more widely and also to the national infrastructure, which the hon. Lady highlighted. However, I must make it clear to the House that some of the wilder speculation in the media is not founded in fact.

The Government are working closely with key players in the private sector and with our allies internationally, in particular the United States, to ensure that protection of the national information infrastructure is as robust as possible.

Everyone recognises how our dependence on available information increases daily and the hon. Lady detailed some examples. That is not a unique Ministry of Defence or Government occurrence, but affects all corners of public and private life. Corporate networks, for instance, are essential to the effective management of all large organisations and, as the hon. Lady mentioned, those networks are increasingly interconnected.

In addition, the internet has emerged as a potent medium which has the potential to give every individual connected to a telephone line anywhere in the world access to information systems. The significance of that has not been overlooked by the Government.

Integrated information capabilities create a broader canvas on which to use and share information. That has tremendous benefits, not least in improving the effectiveness of our decision making. However, that wider interconnectivity also makes computer systems vulnerable to attack, as the hon. Lady rightly pointed out.

Attempts by hackers using the internet to gain access to systems are a popular subject for newspapers; they certainly make good copy and even good dramatic material for films, but we must keep them in perspective. Such attacks can originate from a wide range of adversaries, who may include terrorists and criminals as well as mischievous and malevolent individuals; they are no respecters of international boundaries. Ill-disposed insiders are also a threat to many organisations.

Unless appropriate protective measures are taken, there is a risk that information held in computers may be copied, stolen or deleted. A wide range of techniques can be used—I do not intend to discuss them here. However, it is widely known that they could include the misuse of software to transmit computer viruses or to leave small additions to existing software applications that could be activated later to damage or retransmit the information held by that computer—so-called Trojan horses. I assure the hon. Lady that such vulnerabilities in systems in all areas of government and in our national infrastructure and commerce are taken very seriously.

Hon. Members will understand why the Ministry of Defence is especially concerned with those issues, and I shall give some insight into the sort of security measures that the Government take by describing how the MOD approaches the subject.

Within the MOD, the need to guard against risks to computer systems and communications has long been recognised, and procedures and security mechanisms are in place to protect those vital assets. Those mechanisms protect secrets, they protect against damage and they authenticate recipients of information. That involves a combination of physical, people-based and technical measures.

Physical measures are part of the legacy of the United Kingdom's experience from the cold war and of our response to terrorism. We undertake regular risk and vulnerability assessments of our bases, buildings and personnel security as well as the infrastructure of our information services.

Personnel security involves training and vetting and has always been a keystone in achieving assured security. Technical measures are based on accredited security products deployed within an architecture that prevents unauthorised access to systems or to the information that they hold. We use nationally developed and approved cryptographic protection, firewalls to limit access between interconnected systems and so-called air gaps or one-way information valves around systems that hold sensitive material.

Protective measures are built into systems during their design and are accredited through a central process within the MOD. Audits of systems and procedures are conducted, and penetration testing is routinely undertaken to check for any previously unrecognised vulnerability.

As the hon. Lady said, the MOD, like all Departments and users, needs to use commercial products in many of its systems. The functionality provided by the commercial market cannot be rivalled through bespoke MOD development. The MOD has a policy to use commercial products wherever possible; that brings economy of scale and ensures that the MOD obtains maximum value for money. As she also rightly said, however, that brings its own risks.

Procedures and techniques are in place to minimise the risk associated with a commercial procurement strategy. First, many defence systems stand alone; they are not connected to the outside world because they do not need to be. Secondly, we have a requirement that key commercial applications be approved by independent UK accreditors before they can be used in any sensitive context.

The MOD supports a substantial research programme, which looks ahead and analyses the potential impact of new techniques in information technology, assessing their utility to military operations as well as any risk that they represent to existing and future defence systems.

The MOD takes an active stance, along with industry, in involving itself with the industrial standards bodies to ensure that the security standards set for the next generation of information technology can be applied with minimum further investment by the MOD.

To protect against possible information warfare incidents against the United Kingdom, there is a Government-wide unified incident reporting and alert scheme—UNIRAS—which collates all anomalies that are reported to it by those in the Government. It must be appreciated that UNIRAS attracts real incidents, false alarms and accidents, as well as physical events such as theft and destruction.

On 11 May, I answered a question on incidents involving the MOD from the hon. Member for Truro and St. Austell (Mr. Taylor), saying that, up to that time, there was no evidence of a successful intrusion from an external source to any MOD computer system. I stand by that answer today.

Mrs. Lait

Is there any evidence of key protection points being penetrated, and has that been registered on UNIRAS? The Americans have some very worrying statistics about the penetration of key protection points.

Mr. Spellar

I will seek more information, as I did not have notice of that question, and write to the hon. Lady, subject to the usual constraints.

The United Kingdom is routinely involved in military operations with coalition partners. The strategic defence review reflected the fact that this trend is likely to be accentuated. There are special issues of information protection when our national systems need to work with those of our allies. Again, we exploit the full range of physical, people-based and technical measures to ensure that we are not exposed to new risks. We also endeavour to provide good protection across shared systems and their associated multinational infrastructures.

The MOD places a high priority on maintaining strong working relationships with our allies through forums where security standards and operating procedures are developed, as well as through a network of bilateral arrangements.

A discussion of defence against information warfare cannot be complete without reference to the wider implications to Government and commercial infrastructures. United Kingdom Governments have a good record of protecting our assets against both traditional and unconventional threats. The UK has had to deal over many years with a terrorist threat that has targeted Government, commerce and infrastructure. Information warfare is equivalent in its potential.

The knowledge and lessons learned from our experience of counter-terrorism stand us in good stead for the new threat that information warfare might pose. In particular, our experience makes it easier for the Government to work closely with key private sector players who are also well aware of the possible dangers to their own information systems.

The Government's record of maintaining a high standard of computer security is good, and we have been justifiably cautious about interconnection, but we shall look hard at existing arrangements for protecting information and information systems. We need to ensure that our policies and procedures keep pace with the fast-moving environment of information technology and we hope to announce new initiatives shortly, designed to ensure that the critical national infrastructure is adequately defended.

Protecting against information warfare is not the province of one country alone but, as I hope that I have shown, affects all who want to benefit from the advantages of greater interconnectivity. Threats from attacks on information systems are not bounded by traditional territorial boundaries. It is imperative that international co-operation and co-ordination are actively pursued.

The Government are actively addressing the threat of information warfare and the risks posed by the wider exploitation of new information technologies and greater interconnectivity of computers; we are doing so robustly, in close co-operation with our allies, with the private sector and across government.

The UK is well placed in its understanding of the risks and how those can be controlled in the emerging world where interconnectivity is as vital to defence as it is to national infrastructure, commerce and the "knowledge economy". We cannot be complacent, if only because this is such a fast-moving subject, but I can assure hon. Members that we are taking all possible measures to ensure that our information is secure.

The MOD, and Government more generally, are addressing the risks posed by the greater exploitation of new information technology, and they are doing so from the bedrock of tried and tested security policies and procedures.

The United Kingdom has a history and wealth of experience in dealing with unconventional threats, to which information warfare is a successor. Protection against attack by information warfare is not the sole domain of the MOD. We are active in the national and international, commercial and industrial arena, particularly in regard to the close relationship that the UK enjoys with the United States, in exchanging and discussing current information warfare issues.

In addition, the Government hope to announce shortly a package of measures that will further ensure that key IT systems in government and in the critical national infrastructure are adequately defended against the threat posed by information warfare.

I hope that I have demonstrated that the Government have been concerned to strike the right balance on this relatively new but, as the hon. Lady rightly said, extremely important subject.

There is a good level of defence in place to protect key systems in the MOD and more widely in government. I thank the hon. Lady for introducing the debate. I expect that this is not the last that we have heard of the topic, but she can be assured that we are taking effective action.

Question put and agreed to.

Adjourned accordingly at ten minutes to Eleven o'clock.