§ 4.20 p.m.
§ Lord Harris of Haringey rose to ask Her Majesty's Government whether they are satisfied with the ability of the critical national infrastructure to withstand cyber-attack.
§ The noble Lord said: My Lords, I am pleased to have this opportunity to raise a matter that I believe is potentially of enormous importance to the security and well-being of this country. I should begin by declaring an interest as the Home Secretary's nominee as a member of the Metropolitan Police Authority with responsibility for the Met's national and international functions including counter-terrorism. However, I should make it clear that none of what follows has been informed by or influenced by anything that I have been briefed about or learned in that capacity.
§ Many of your Lordships will have suffered viruses on home computers or will have installed software to protect them from such attack. Indeed, some of you will no doubt have done both. Your Lordships will also recall that on 4 May 2000 the "Love Bug" virus caused the parliamentary network to be shut down. That virus crippled computers world-wide causing billions of pounds of damage.
§ Since then, in 2003 alone, we have seen the "Slammer" worm which infected more than 300,000 servers in less than 15 minutes and clogged networks across the globe, crashing bank ATMs and delaying airline flights; the "Blaster" worm that infected more than half a million PCs, attempting to hijack them for a coordinated attack on Microsoft's security web site; the "Sobig" worm that turned tens of thousands of PCs into a network sending out Spam; and the "Welchia" and "Nachi" worms that disabled many corporate networks for days on end.
§ As a nation, the systems that are essential for our health and well-being rely on computer and communications networks. Whether we are talking about the energy utilities, the water and food distribution networks, transportation, the emergency services, telephones, the banking and financial systems, indeed government and public services in general, all are vulnerable to serious disruption by cyber-attack with potentially enormous consequences. Indeed, the Coastguard Service was laid low by the "Sasser" worm in May this year.
§ The threat could come from teenage hackers with no more motivation than proving that it could be done; but even more seriously it could come from cyber-terrorists intent on bringing about the downfall of our society. Let us be clear, the destructive virus and worm attacks that I have mentioned were the result of individual uncoordinated efforts by a small handful of anti-social "electronic juvenile delinquents". They were not a systematic attack by an organised adversary, intentionally designed to disrupt our systems and services. An organised attack would be many, many times more dangerous.
§ I am not alone in these fears. General John Gordon, the White House's homeland security adviser, has said that he believes that Osama bin Laden plans to use the Internet to cause serious damage to the economies of the West; and it is well known that computers seized from those allegedly engaged in Al'Qaeda activities have demonstrated that those using them have a high level of IT skill and literacy. At the same time, the South Korean defence ministry—admittedly not the most impartial observer—has said that North Korea has trained as many as 600 computer hackers, so as to be capable of launching a cyber-war.
§ Well over 100 other nation states are reported to have some form of offensive information warfare programme. It is not inconceivable to assume that the knowledge and skills developed by such programmes represent a potential threat to the UK critical national infrastructure.
§ Over the past few months I have sought in a series of Parliamentary Questions to establish what measures are in place to ensure that the UK's critical national infrastructure is protected against such attacks. The responses have all referred to the pivotal role of the National Infrastructure Security Co-ordination Centre (NISCC), established five years ago this month. However, the same responses have made it clear that the NISCC is only an advisory body and that each element of the critical national infrastructure, whether in the public or private sector, is responsible for its own defence. The NISCC does not even know how many computer systems the UK's critical national infrastructure comprises. The advice and alerts issued by the NISCC have helped to make systems more resilient. But my core question remains: is enough being done, and is the framework of powers within which it operates sufficient for its purpose?
§ I understand that, since 20 May 2002, when records were first centralised, the Ministry of Defence has reported 71 instances when malicious programs compromised the security of its system—that is to say, 71 instances when systems were not just attacked but compromised. One of those was the LovGate virus, which affected more than 4,000 MoD computers at more than 30 sites. It took over four weeks to rid MoD computers of that malicious program.
§ I ask my noble friend Lord Bassam whether it is the case that no other government department even keeps statistics on the number and impact of security compromises of their computing networks. The MoD's experience demonstrates that there are a potentially significant number of incidents to record. Is it not a weakness if Her Majesty's Government do not even know the extent of the problem on their own systems? Moreover, most of the critical national infrastructure is privately operated. In those cases, it may well not be in the commercial interests of those owners and operators even to acknowledge to anyone outside their own organisations that they have had a problem. Is that weakness not compounded if the NISCC has merely an advisory function?
§ Legislation and regulation extend into almost every aspect of society. Earlier today, noble Lords debated the Institute of Trade Mark Attorneys Order 2004. I do not wish to suggest that it was not an important measure; yet, we regulate there but apparently ignore the need to regulate the UK's critical national infrastructure. I am not a technical expert; however, my understanding is that, where there are multiple workstations, the security of an entire system can be breached by one operator at one workstation failing to follow security procedures adequately, and that once that has happened, it would be impossible to detect whether lurking on that system was code enabling someone from outside to log on as a super-user and control the entire system.
§ Have not exercises demonstrated that even those UK government systems thought to be the most secure can be accessed in this way very easily and very quickly? Will my noble friend confirm whether such exercises have taken place, and, if so, what action has taken place as a result? If no such exercises have taken place, is it not about time that they did?
§ My noble friend Lady Scotland of Asthal, in response to one of my Questions in May, said,
"the NISCC has no regulatory authority".—[Official Report, 18/5/04; col. WA 78.]
I understand that. It is in the interests of operators that they operate their systems securely. However, given the consequences to the UK, its economy and the well-being of its people if they fail to do so, should there not be safeguards to ensure that the necessary steps, which in some instances may exceed the operators' immediate commercial interests, are taken? I am told, for example, that certain UK financial institutions have advised their security departments to cease checking for computer system vulnerabilities because of the potential liabilities that may arise if vulnerabilities are identified but not corrected.
§ In all this, I am not criticising the work of the NISCC. However, it is my contention that some regulation is necessary. As a minimum, the Government should be able to establish standards for the design and operation of the components of the critical national infrastructure, and there should be some system of certification of the arrangements that each operator has in place. Even that minimum would not be sufficient; there must be some system of validation for ensuring compliance and testing the adequacy of security.
§ For those who believe that that would be an overreaction, I refer again to the way in which the Coastguard Service fell victim to the "Sasser" worm attack. I understand that Microsoft made available on 12 April a patch that would have prevented such an attack. The NISCC issued a briefing giving details the following day, at 19.15; I am not, incidentally, reassured by that timescale. That was followed by alerts and bulletins on 19, 23 and 30 April and on 1 and 3 May. That still did not prevent the Coastguard Service from failing to apply the patch and succumbing to the virus. If the Government's agencies do not comply, what reassurance can we have that those outside government will do so?
§ The NISCC is an ad hoc, inter agency group. It has no statutory basis and, as such, its funding and future cannot be assured. Even now, after five years of its existence, I remain to be convinced that it possesses sufficient resources to conduct its full mission on a 24/7 basis. Computer network attacks take place and propagate widely in a matter of minutes. UK response mechanisms must be in place and ready to respond when the problem occurs. Calling a meeting of COBRA for the next day to determine what should be done is not the answer.
§ Finally, may I ask what would happen were there to be a serious attack that severely damaged the critical national infrastructure? What powers are available to the Government to manage the national response and direct the restitution of systems as speedily as possible? I hope that in his reply, the Minister will acknowledge that those are serious concerns. A few weeks ago, the Sunday Times reported that MI5 was warning that Britain was,
"four meals away from anarchy"—
in effect, that Britain could be quickly reduced to large-scale disorder, including looting and rioting, in the event of a serious disruption of the critical national infrastructure.
§ I hope that I have said enough to establish the vulnerability of the systems on which we all rely. I hope also that it is acknowledged that if the technology is well within the reach of teenage computer nerds all over the world, it is easily available to organised crime or terrorist networks. Under such circumstances, we cannot afford to be complacent—and it is complacent to rely on a system that is voluntary and powered by advice notes that can be, and indeed are, ignored. It is complacent not even to know the number of computers and communication systems that make up the critical national infrastructure, let alone to have any system of reassurance that these are adequately structured and protected. It is complacent not to have in place any recovery plan in the event of something happening that seriously damages that infrastructure. I look forward to my noble friend's reply, and I hope that I shall be reassured.
§ 4.33 p.m.
§ Lord St John of Bletso: My Lords, I am grateful to the noble Lord, Lord Harris of Haringey, for having introduced this very topical debate today. As the noble Lord said, he has through various Written Questions raised the alarm about this potential threat and been a campaigner for greater awareness of cyber attacks. The noble Lord has drawn attention to the work of the NISCC in monitoring and dealing with cyber attacks. However, he also warned that the role of the NISCC is purely as an advisory body and each element of the critical national infrastructure is really responsible as an individual entity for its own defence. I am not surprised that the NISCC does not have accurate knowledge of how many computer systems comprise the UK's CNI.
I should at the outset declare an interest in that for the past seven years I have been managing director of a listed web-hosting company, with data centres in the United Kingdom as well as the United States. I am now merely a consultant of the organisation. But it is noted that, almost on a daily basis, customers running online gaming companies are under continuous distributed denial of service attacks—known as DDOS attacks—from what are called "botnet armies". Organised criminal gangs are using these attacks for the purposes of theft and extortion.
There is no doubt that the rising incidence of cyber crime and potential cyber terrorism is a matter of grave concern to the United Kingdom. While I fully support the work of NISCC, I question whether our Government are taking this increased threat both to our critical national infrastructure and to our businesses seriously enough.
The National Hi-Tech Crime Unit has rightly warned of the threats from on-line theft and extortion but the danger is not just to business. The computer systems that support the CNI are all vulnerable to serious disruption with potentially enormous consequences for public utilities, food distribution companies and the financial services sector. As we have heard, the threat is coming not just from teenage hackers with no more motivation than proving it can be done—I believe the noble Lord, Lord Harris, used those words—but also from cyber terrorists, who are referred to by Scotland Yard as the botnet armies.
So, to what extent is our critical national infrastructure at risk from cyber attack? Thankfully our CNI is owned and operated by almost 50 different companies with their own IT security and with little or no interconnect at an electronic level. By way of example, if a botnet army were to try to bring down our national water companies, there would need to be a cyber attack on all the different water companies' computer systems in the expectation that they all had the same weaknesses and the same lack of IT security, which is, of course, very unlikely.
A far more realistic and grave threat to the water companies—this would be more of a physical attack—would be if deadly chemicals were deposited in one of the main reservoirs. As regards electronic crime, the largest threat to several of the utility companies would be an attack on their billing systems, which is easily achievable through a DDOS attack. Can the Minister when winding up this short debate tell us whether the Government are concerned about the potential for massive financial loss to CNI companies due to the generic threat of DDOS? Moreover, is the Minister able to tell us how many of the CNI companies are BS7799 security compliant?
Our National Health Service is becoming increasingly reliant on information technology. I believe that the level of investment in NHS security is potentially of more concern than the threat to our water and utility companies. There is a very real threat of attack on several of our National Health Service trusts. There are moves to push BS7799 security accreditation on to health authorities. Will the Government consider setting time-scales and budgets for all our health and education authorities to adopt BS7799 and compel the use of best practice security within these critical public services?
To my understanding, there are inadequate IT security protections for most local government IT services. I noted in the DTI's information security report of 2004 on BS7799, which it is encouraging public and private sector organisations to implement to mitigate the security threat, that there is neither overall awareness of this standard, nor for that matter have many UK businesses taken it up. I noted that most UK businesses that were canvassed in the survey thought that they would be subject to a growing threat of cyber crime.
So there certainly needs to be far more partnership with industry stakeholders in pooling resources and knowledge to fight the potential problem. In this regard, I welcome the recent launch of the Zero Tolerance Alliance, with its commitment to reducing organised and international cyber-crime.
As the noble Lord, Lord Harris, has already mentioned, cyber-criminals are hijacking our home computers via broadband accounts and using them to launch extortion attacks, DDOS attacks, spam attacks, phishing scams and virus attacks. The list of e-crimes goes on and on.
Just recently, I hosted a cyber-crime conference here in the House of Lords. The head of the Metropolitan Police Computer Crime Unit came to address us. The list of the various potential threats into which it is looking runs to two pages. Its remit is,
"to prevent, disrupt and prosecute individuals or groups engaged in e-crime which affects computer users in London".
In a supplementary question, I pointed out to the Minister that only 100 detectives in the United Kingdom are currently qualified to investigate computer crimes and that now is surely the time for the Metropolitan Police to give more resources to training those who could look into this growing threat. It is only a matter of time before these methods could be used by cyber-terrorists to launch against our key CNIs. It takes an average of only 15 minutes for an unprotected personal computer, attached to the Internet, to become compromised, with millions of PCs being hijacked and used against us. I was alarmed to hear at a recent e-crime seminar that up to 35 per cent of Internet credit card transactions are fraudulent and that almost 80 per cent of all Internet e-mail is spam. While anti-virus software and other tools have some benefit, they have not solved, and will not solve, the problem.
Should we not be emulating the success of Sarbanes-Oxley in the United States and encouraging organisations to focus on Internet security control and disaster recovery? What is patently clear and very alarming is that no government organisation has operational responsibility for managing defence against cyber-attacks. As we have already heard, MI5 is right to warn of such a potential attack. What is surprising is the degree of complacency in addressing the threat. Must we wait until we are victims of such an attack before we consider cyber-terrorism to be a viable threat? I hope not.
§ 4.43 p.m.
§ Lord Bradshaw: My Lords, we would all like to congratulate the noble Lord, Lord Harris, on raising the issue that is before us today. I should declare an interest as a member of the Thames Valley Police Authority. In preparation for this debate, I made some inquiries into this subject and was really rather surprised to find that very little is being done to cope with this threat.
There is some activity, but it is not on the scale appropriate to the threat which either the noble Lord, Lord Harris, or the noble Lord, Lord St John of Bletso, indicated. They described a very serious threat. I certainly do not detect that the preparations in the police force match the threat which has been described to us.
I might be wrong, because one is obviously talking about an area of high security and people do not talk much about it, but perhaps the Minister might be able to reassure us that the level of preparation is higher than it appears to be.
We should not be panicked into draconian measures and should always be alert to our civil liberties, which can easily be sacrificed in a rather ill thought-out rush towards a remedy. We should safeguard the right of free speech but recognise that people are entitled to protection in their home and workplace. Their computers are entitled to some protection, as are their employees. They are obviously entitled to that protection from physical and verbal harassment as much as they are from having their computers tapped.
I am concerned about whether the present law allows a sufficient degree of investigation and surveillance of computer systems as we imagine. It has been suggested to me by some police officers that the levels of surveillance that they are able to undertake are circumscribed by the law. I would like the Minister specifically to deal with that when he answers the debate.
I did not hear or read the Questions of the noble Lord, Lord Harris, in the past. However, when I have been present in the House for replies to Questions about the likes of spam, I have detected a rather laissez-faire attitude on the part of the Government. Their attitude implies, "It's a nuisance but we'll get round to it some time". In fact, it is an extremely serious and fast-growing problem, as are all other sorts of intrusion to which we are subjected such as telephone calls from people selling us things that we do not want. There appears to be very little that one can do about that. My present wife was widowed six years ago, but almost every day we still get calls for her husband. There seem to be ways into systems—I certainly do not know about them—that indicate that, if there is a firewall, it has lots of holes in it.
I am aware that police forces around the country undertake a lot of exercises to test their readiness to deal with all sorts of attack that would have catastrophic consequences on those affected—shooting down airliners and so on. Those exercises are hugely expensive; they involve the police, the ambulance service, the fire service, the military and all sorts of other people. They can cost millions of pounds, but they are necessary to test the readiness of this country to deal with such attacks. Particularly in times of tremendous financial stringency, many police authorities take such threats seriously but are unable to undertake the exercises to prepare themselves for such eventualities. Perhaps the Minister will say something about that when he replies.
§ 4.49 p.m.
§ Baroness Miller of Hendon: My Lords, we should all be grateful to the noble Lord, Lord Harris of Haringey, for having initiated this most timely debate, and for sharing his expertise with the House.
There are three kinds of cyber-attack, the first of which are the so-called viruses and worms which are intended to disrupt individual personal computers. Almost 13 million United Kingdom households have access to the Internet, and it is probably fair to say that a large proportion of those have already been subjected to such an attack. They are mischievous and malicious attacks often perpetrated by vain young men simply to prove their own computer skills, to use slightly different words from those used by the noble Lord, Lord Harris. They are no different from any other acts of vandalism. Sometimes these young men are situated in remote places and are very difficult to track down, especially when they are careful enough to launch their attacks via a series of different, but connected, telephone links. I believe that one such young man was found recently in a remote part of Thailand.
Secondly, moving one step up the scale, there are the activities of criminals. We recently saw the publicity about attempts at identity theft in the form of requests for banking information, including passwords, from bogus banking websites. That is done by sending out thousands—perhaps hundreds of thousands—of e-mails in the hope of finding a customer of the bank concerned and, in addition, one who is gullible enough to respond by providing the confidential information requested, enabling the victim's account to be looted before the fraud is discovered.
Before I comment on this aspect further, I want to mention another form of cyber gangster—one who, for political reasons, deliberately tries to sabotage mail order companies and other concerns which are conducting legitimate business via the Internet or which are trying to provide legitimate information on their websites. This sabotage is carried out by overwhelming the website with multiple simultaneous hits until the site simply breaks down. Often such sabotage is conducted by self-appointed, answerable-to-no-one, so-called anti-globalism activists.
The further comment that I was intending to make was as follows. There is a duty on several fronts to guard against this criminal activity and, first and foremost, it is on the users of the Internet—you and me, my Lords. We must ensure that we do not give out sensitive information over the net or even to some anonymous person who asks us to confirm our details over the telephone when we have not even initiated the call.
Then there is a responsibility on the so-called service providers—those who run the systems on which the fraudulent websites exist. Of course, I concede that it is impossible for service providers to monitor the activities of each and every one of their customers all the time. But, as commercial concerns receiving fees from those criminals, they do have a duty to cut them off as soon as suspicious activities are detected, in the same way as they do when they discover objectionable material being disseminated by racists and other similar sources.
Then there is the responsibility of those who run search engines. A search engine is just an index which leads the searcher to a site in which he may be interested. Those running search engines cannot possibly control the millions—I have heard it suggested that it may be hundreds of millions—of websites that can be found on their lists. But they can continue to delete fraudulent, racist and terrorist sites from their systems as soon as they are detected.
In addition, there are the manufacturers of the computer operating systems. Obviously we must respect matters of commercial confidentiality, but there must be some degree of co-operation among the handful of giant concerns which each generate vast amounts of profit by exchanging information about potential loopholes in their systems. Also, individually, whatever the commercial pressures, they should never launch a new product on to the market, or upgrade an old one, until they have taken the additional time to see that it is not vulnerable to an attack.
The problems that I have just mentioned are only on the periphery of the concerns raised by the noble Lord, Lord Harris. But cyber vandalism, in the form of launching destructive viruses and worms, is just as much a crime as vandalising someone's house, and cyber crime in the form of identity theft or fraud is just as much robbery as housebreaking or mugging. Spreading racism or incitement to terrorism is no less objectionable or criminal than any piece of street-corner demagoguery—in fact, it is worse because of the worldwide audience that it can reach.
The state has a duty to protect its citizens against all these crimes, just as it has a duty to protect them against any other crime. But, in addition to these cyber crimes against individuals, there is also a far greater potential crime: it is what may properly be described as the weapon of mass destruction of cyber space. This is not mere hyperbole. What else is a weapon that can disrupt water supplies without poisoning a single reservoir, that can disrupt communication and transport networks without bombing a single building, or that can cause chaos to social services without killing a single pensioner? It is not a weapon dependent on the production of nuclear, chemical or biological weapons, and it is not dependent on the attacker breaching the frontiers of our country or evading biometric passport controls. All that is needed is a source of electricity and a telephone line.
The entire industrial world and, indeed, most countries are now entirely dependent on computer systems for banking, finance and other commercial interests, telecommunications, transport systems, including air traffic control, water systems, energy and emergency services. There is no doubt that a determined attack on any of those could wreak havoc, at least for a short time, and could possibly cost lives.
I hope that the Minister will tell us what the Government are doing to protect us against such a situation. I shall tell him what we on these Benches would like to see in place. First and foremost, we would like there to be a Minister for homeland security, such as now exists in the United States of America. It is no use such a responsibility simply being a part of the duties of the Home Office. The Home Secretary has more than enough to preoccupy him. We need a single Minister with the single duty of protecting us and our commercial interests from attack within our shores.
I hesitate to reopen old battles, but I would like to remind the Minister of the efforts that I had to make in the interests of academic freedom during the passage of the Export Control Act 2002 to permit the continued exchange of information between scientists, particularly in the area of encryption of computer data, which is an essential tool in the protection of communication systems.
In 1998, President Clinton issued a presidential directive requiring,
"a goal of a reliable interconnected and secure information system infrastructure by the year 2003".
The directive goes on to require policies that,
"address the cyber and physical infrastructure of the … Government by requiring each department and agency to work to reduce its exposure to new threats".
Those objectives will be achieved by setting up a national co-ordinator whose scope,
"includes critical infrastructure, foreign terrorism, and threats of domestic mass destruction".
The National Infrastructure Protection Center, set up by the FBI, fuses a whole alphabet soup of government agencies. The presidential directive calls for the setting up of an information sharing and analysis centre by the private sector. I would be the last person to advocate the setting up of any more quangos in the United Kingdom, but it is clear that national and local government have neither the time nor the expertise to handle that very critical problem on their own, to say nothing of the waste of time caused by duplicated effort and interdepartmental rivalry and secrecy.
As long ago as February 2003 the Government announced the setting up of an organisation called the Central Sponsor for Information Assurance to,
"bring together information technology expertise from across government and to work with the public and private sectors to ensure that risks to the national information infrastructure are appropriately managed".
It would be most helpful if the Minister could define the word "appropriately" so that we can judge the adequacy of those plans. This debate gives the Minister the opportunity to tell your Lordships within, of course, the constraints of national security—mentioned by the noble Lord, Lord Bradshaw—what progress that new agency has made in meeting its objectives; what progress has been made by the European Network and Information Security Agency, set up at the same time as our own domestic agency; what degree of co-operation exists between our own agency and the European one; and what degree of co-operation exists between both of them, on the one hand, and the United States' National Infrastructure Assurance Council, on the other.
All the activities to which I have referred are criminal. What is required is an international convention whereby the perpetrators can be tried like the pirates they are, wherever they are caught, no matter to which country their activities are directed and no matter what their motivation. Personally, I would like to see the Government undertaking to promote such an international convention, especially in our forthcoming capacity as president of the EU and of the G8 industrial giants.
In the light of recent small-scale, random and individual computer attacks, which the Government should regard as a warning of things to come, I hope that we shall receive from the Minister, not just warm words of reassurance, but news of what Winston Churchill used to describe as "action this day".
§ 5 p.m.
§ Lord Bassam of Brighton: My Lords, I would like to place on the record my thanks to all those who have taken part in this short but very valuable debate this afternoon about something which is obviously of central and critical importance. I am especially grateful to my noble friend Lord Harris for his continued interest in this area of government activity.
We have heard a lot this afternoon about cyber-vandalism, "botnet armies" and attacks on systems from skimmer worms and so on. It begins to paint a picture of quite understandable concern about a very complex issue. Today's society is complex and interconnected. We live in complex times and in a world where global events determine what happens across and between nations and where systems can be particularly susceptible to attack from places far away. It is right that we carefully look at and manage our response to that.
At its heart is a technology infrastructure that supports virtually every aspect of our interdependent lives. Some parts of that infrastructure are considered to be so important that the loss of them would cause serious disruption or worse to society. We have heard some examples of that during the course of the debate. This structure, the critical national infrastructure (CNI), is well known to all of us.
In the United Kingdom the CNI is broken up into 10 sectors—communications, energy, finance, government and public services, water and sewerage, health, emergency services, transport, hazards and public safety, and food. Each of those touches our lives in some way, from significant through to trivial. The failure of parts of the CNI might have drastic consequences in personal, economic, commercial, law enforcement or even national security terms.
Like every other strategic service that the nation operates, the CNI is vulnerable to attack from a list of potential aggressors. However, the nature of the CNI makes it particularly vulnerable to attack by the very components from which it is constructed; namely, computers. A range of individuals may seek to do damage. Those range, as my noble friend Lord Harris said, from the nerdy schoolboy with a computer in his bedroom able to hack into a system, through to the hostile state anxious to acquire our secrets or to damage our economy.
More seriously, there are also terrorists who would challenge and seek to undermine democratic society using any methods within their grasp. It is not complacent to say this; but perhaps it should be made plain that at the moment they do not appear to be interested in attacking us electronically. However, as we all know, that could change at any time. So it is right that we should be in a state of ready preparedness.
To focus and co-ordinate the Government's response to these threats, in 1999, as my noble friend Lord Harris said, the then Home Secretary set up the National Infrastructure Security Co-ordination Centre (NISCC). Its remit remains unchanged: to minimise the risk of electronic attack against the critical national infrastructure.
A number of parts of government contribute towards NISCC—defence, trade, the intelligence agencies, central policy and law enforcement. The Home Office, the Cabinet Office, the Department of Trade and Industry, the Ministry of Defence, the Security Service, the National Hi-Tech Crime Unit and CESG—a part of GCHQ—all contribute effort and expertise to that.
However, not all of NISCC's expertise is drawn from the public sector. Most of the CNI is owned and operated, as we know, by the private sector. NISCC has developed a number of innovative ways in which to harness the very extensive expertise that exists in that sector. It seeks to combine this with public sector input to provide assurance to the Government about the resilience and robustness of the CNI to withstand electronic attack.
NISCC conducts its work through four broad streams of activity: threat assessment, using a wide range of resources to investigate, assess and disrupt threats; through outreach work, promoting protection and assurance through outreach information sharing and varied communications; by response, by warning of new threats, advising on mitigation, managing disclosure of vulnerabilities and helping the CNI to investigate and recover from attack; and through research and development by advising the most advanced techniques and methods to support efforts across all work streams.
The NISCC is unique in the world as it brings together open sources of information with some of the most sensitive to combine to a common purpose. It produces threat assessments, some general in nature and others tailored to a specific critical national infrastructure sector or company. It will always seek to prevent or disrupt damaging activity against the CNI.
The NISCC issues alerts and advice, often on a 24/7 basis. In the past 12 months, it has issued 40 alerts about incidents or important issues requiring immediate action; for example, news of newly discovered viruses. It has issued 713 briefing papers and technical notes, providing background on IT security matters, and 83 protectively marked assessments and formal reports on the threat from electronic attack to various elements of the CNI. I hasten to add that those latter documents are not in the public domain for important national security reasons.
So today's difficulty in Asia is often tomorrow's problem in Europe. NISCC staff are available throughout the day and throughout the year to help support the critical national infrastructure. Now, the NISCC is playing a leading role in identifying key vulnerabilities in systems and working with vendors to get mitigation in place.
§ Lord Harris of Haringey: My Lords, I am sorry to interrupt my noble friend in mid-flow. He said that the NISCC was available throughout the day and throughout the year. Does that mean that it is not available at night?
§ Lord Bassam of Brighton: My Lords, perhaps I should have used the term 24/7 because that is exactly what it provides. In the past year it has issued 12 reports about serious vulnerabilities in protocols used across the CNI.
A strong emphasis is placed on international co-operation. As we all appreciate, CNI issues transcend geographical borders. Problems can strike anywhere in the world and affect countries almost immediately. Many countries are seeking to set up structures to protect their critical national infrastructure. Most want to visit the United Kingdom to learn how we do it. We should be proud of our standing as a leader in this important field.
To improve international co-operation, the NISCC publishes an international directory—the first of its kind—of those involved in similar duties across the world. That is no mean feat considering countries have very different ways of organising their CNI protection responsibilities. They often spread across a range of different departments, agencies and private bodies. So far 18 countries have contributed and the list continues to grow.
The NISCC has pioneered a number of information-sharing models which allow CNI providers to "share" experiences in a secure and confidential environment. These models include what are known as information exchanges, which are groups of experts from a particular sector who share experiences on a confidential basis so that the lessons from one can be learnt by many without damaging the commercial interests of anyone. At present, there are six information exchanges and there are plans for more.
Current exchanges are for telecoms, finance, aviation, managed service providers and government. The sixth brings together those companies which use computers to control industrial processes. These processes are known by the generic term SCADA—supervisory control and data acquisition. In 2003, the NISCC hosted the first ever conference in Europe on SCADA issues. A second conference was held earlier this year, with strong international attendance. The NISCC also works with individual companies and organisations to identify and assure critical systems, examine threats and vulnerabilities and recommend measures further to improve protection.
Another information sharing concept, WARPs—warning, advice and reporting points—encourages the formation of self-help groups for specific communities of interest outside of the CNI. There is no question in my mind that the NISCC's work has improved the resilience of the CNI, making it much more resistant to attack. Sometimes this work has a much broader impact, improving the resilience of the Internet itself.
It was particularly successful earlier this year in the way it handled a potentially serious Internet communications vulnerability that could have had an enormous impact on the Internet. Over a six-week period, the NISCC team worked with more than 120 software vendors and hardware manufacturers to ensure that sensitive information about the vulnerability was not released before the required software patches were in place. This is just one example of the high-quality and continuing work that is undertaken.
The NISCC is actively engaged with the Department for Transport and industry bodies representing the major transport sectors, such as, in aviation, all major UK airlines. The Multi Agency Threat and Risk Assessment Group, MATRA, run under TRANSEC auspices, covers all UK airport operators. Recently the NISCC started the Aviation Security Information Exchange, to be run like all its other information exchanges and designed to address issues related to protecting that sector from electronic attack.
Turning to the rail system, London Underground, Network Rail, Transport for London and Eurotunnel have all worked with NISCC. It has recently begun preparations on an assurance report on the Channel Tunnel which will comment on its ability to withstand electronic attack. Those are just two examples of the way the NISCC is working.
Concerns have been expressed about staffing and funding. Because of the inter-departmental nature of the NISCC, it is difficult to state the exact number of staff engaged in its work at any one time. The numbers will vary according to the amount of activity required. The NISCC's funding model allows it to buy in extra expertise when needed. Around 90 civil servants are engaged full time on NISCC activity. However, the numbers from the private sector involved in supporting its activities are more difficult to estimate. Not all will work on a full-time basis. Funding for the NISCC is supplied by the contributing departments, and we believe that the level of funding is proportionate to the task in hand.
A number of questions were asked during the course of the debate and I shall try to work through them. An important point was made by my noble friend Lord Harris about how the NISCC operates. As he rightly pointed out, it is only an advisory body. I do not think that that should be seen as weakening the role and function of the body. Although it is advisory, it draws strength from that. In our estimation, the voluntary co-operation that we obtain through NISCC is judged to outweigh the impact of it operating within a more rigorous regulatory framework, although that is not to say that regulation does not play an important part. Indeed, in terms of working with the private sector, there is a certain perception among some elements that there is already too much regulation. At this point another layer of regulation might be unwise and perhaps counterproductive.
My noble friend asked whether government departments compile statistics on electronic attacks. Government rules oblige departments to report instances of electronic attacks to the NISCC, which then compiles statistics relating to those, building an understanding of the nature of the problem it regularly confronts. He also asked whether annual exercises are undertaken to test scenarios of electronic attack. Next year a major joint exercise is planned with the US to do precisely that. It will ensure that our systems are protected.
In his contribution my noble friend Lord Harris also stressed the need for powers to recover in the event of an attack on the critical national infrastructure. The general approach in relation to the recovery of those who have been the subject of a serious attack is to place emphasis on the recovery of the system while also taking care to secure the necessary evidence to support a prosecution against perpetrators, if that is appropriate, under the Computer Misuse Act 1990. Moreover, there are further powers under counter-terrorism legislation which the Government can draw on if that is thought to be the right approach. Of course there will be critical times when that is exactly the right approach.
The noble Lord, Lord St John of Bletso, asked about compliance with British Standard 7799. I am afraid that I do not have that information to hand, but I will be happy to write to the noble Lord and copy the correspondence to all noble Lords who have contributed to the discussion this afternoon.
Contrary to the point raised by the noble Lord, Lord Bradshaw, far from being complacent about electronic and cyber attacks we have been very much on the front foot. The setting up of the National High Tech Crime Unit was an important initiative, as was the setting up of the NISCC at the time we did so. We are working very hard to assess the threat and to respond to it.
As to resources, in 2001 we established the High Tech Crime Unit within the National Crime Squad—the noble Baroness, Lady Harris, knows a great deal more about this than I do—and it provides a very valuable service to all. It tackles serious and computer-related crime and helps to enhance the powers of local police forces to investigate criminal activity on-line.
The National High Tech Crime Unit is a key partner within the NISCC and has played a very valuable role. It has established itself as an important focal point for domestic law enforcement. It provides effective strategic assessments on both an operational and tactical support basis and it provides business intelligence and good best practice advice.
Most computer crime is dealt with by officers of the computer crime units of local forces. Child abuse investigation teams and fraud units increasingly have such expertise. These officers will be involved in a range of investigations which will use computer systems and networks to withstand attacks against computer systems.
As well as funding the National High Tech Crime Unit, we have also provided additional funding for local forces, outside of the police grant, to enhance their ability to investigate criminal activity on-line by funding staff training and equipment. This, together with the creation of the Serious Organised Crime Agency, will help us to lead the way in this field.
We have not been short of putting money into the sector either. The provision for policing in England and Wales has increased by more than £2.3 billion—or more than 30 per cent—between 2001 and 2005, and the recent spending review settlement will allow us to continue with this significant investment in policing. I am sure that I do not need to remind your Lordships that we now have a record number of police officers, and an important element of that is working to take counter measures in this field.
§ Lord St John of Bletso: My Lords, while it is very encouraging that additional funds have been allocated to policing, will greater funds be allocated to providing more detectives who are qualified to investigate e-crimes with the National High Tech Crime Unit?
§ Lord Bassam of Brighton: My Lords, that has been a part of our overall strategy. It is our intention to ensure that we have that dedicated expertise. Like the noble Lord, the Government fully recognise the importance of that.
In her contribution to the debate, the noble Baroness, Lady Miller, raised the issue of whether we should establish a department of homeland security. Obviously this has been a part of the protracted national debate—the issue arose during the course of proceedings on the Civil Contingencies Bill—and our view is that it is not required. There is more discussion to be had on how we continue to take counter measures and it is important in that debate to focus more on the different structures of government.
We believe that our approach provides for the enhanced resilience that we will require in the future. Some countries have a homeland security ministerial profile and others do not. It is hard to say which approach works best and whether there is a wrong or right approach. What is more important is the level of investment in resilient staff that we have managed to achieve and the importance that Ministers place on the issue. In both respects, the United Kingdom is performing very strongly.
Ministerial accountability for matters of resilience is clear. The Home Secretary is the lead at Cabinet level; he is supported by Nick Raynsford as Minister for civil resilience, Hazel Blears as Minister for counter-terrorism and Ruth Kelly as Minister responsible for the Civil Contingencies Secretariat. The Cabinet Office co-ordinates activity across government under the Security and Intelligence Co-ordinator, Sir David Omand. So there is a clearly understood and definable structure. All other Ministers have a responsibility and role to play in giving support to that.
I have spoken for some time because I felt it was only right to go through as many of the issues as I could. In summing up, I want to say this: I think it is right that we place the emphasis as we do. It is right that the NISCC is an inter-departmental centre that draws together a range of skills from across government. All the staff in those departments should be praised for their efforts in this important field.
However, the protection of the critical national infrastructure could not take place without the considerable input of the private sector. As we said at the outset, it runs most of the UK's CNI and devotes notable effort to supporting the NISCC across the breadth of its work and activity. Its contribution to the UK's security is worthy of particular note.
It is clear that the Government have put in place the right mechanisms to ensure that the CNI is protected to the best of our abilities. Our defensive measures are among the best organised in the world, and are widely acknowledged as being so. The risk of electronic attack is growing, due to the increased sophistication of technology. It is important to remember that the very technology that enables business and facilities growth in the United Kingdom can also be the route by which it can be undermined unless the risks are properly appreciated and protected against.
We have committed considerable time, considerable resource and dedicated effort to tackling this issue. But we are not complacent—we recognise that there is more to do, and, of course, we have the will to do it.
§ House adjourned at twenty-one minutes past five o'clock.