§ Lord Harris of Haringey
asked Her Majesty's Government:
Which public sector organisations and which private sector companies the National Infrastructure Co-ordination Centre (NISCC) regards as comprising the United Kingdom Critical National Infrastructure; and how many computers and communications systems the NISCC regards as comprising the Infrastructure; and [HL2576]19WA
What is their response and that of the National Infrastructure Co-ordination Centre to attacks by malicious computer software programs in recent years; and [HL2577]
In respect of the malicious computer software programs attacks, My Doom, NetSky, and SoBig—
- (a) how many United Kingdom Critical National Infrastructure (CNI) systems these programs infected;
- (b) whether the attacks degraded the functioning of the United Kingdom CNI, and if so, in what way;
- (c) how long it took to remove these programs from United Kingdom CNI systems; and
- (d) what is their estimate of the fiscal damage (the opportunity loss and the loss of trading) which these programs caused the United Kingdom CNI; and [HL2578]
What action they are taking to ensure that the financial component of the United Kingdom Critical National Infrastructure is not placed at increased risk because certain United Kingdom financial organisations have advised their security departments to cease checking for computer system vulnerabilities because of the potential liabilities that may arise if vulnerabilities are identified but not corrected; and [HL2580]
How many of the United Kingdom Critical National Infrastructure systems have been subjected to formal vulnerability testing to evaluate their ability to withstand a systematic logical attack by an adversary; and, in those cases—
- (a) who performed this testing;
- (b) what were the results;
- (c) what actions have been taken based on the results; and
- (d) what actions remain to be taken; and [HL2581]
In respect of the National Infrastructure Coordination Centre (NISCC):
- (a) what missions and functions are formally assigned to NISCC;
- (b) where is NISCC located;
- (c) what facilities are available for Members of both Houses of Parliament to tour NISCC premises and observe the operation;
- (d) what is the source of NISCC staffing;
- (e) how many personnel are assigned to NISCC, and what is it's annual budget;
- (f) whether NISCC's financial and personnel resources are adequate to perform its duties. [HL2616]
§ Baroness Scotland of Asthal
The Government define the Critical National Infrastructure (CNI) as those assets, services or systems that support the economic, political and social life of the United Kingdom whose importance is such that any loss or compromise would have life-threatening, serious20WA economic, or other grave social consequences for the community, or would otherwise be of immediate concern to the Government. It is not possible to give exact details of the numbers of computers and communications systems that comprise the CNI as these details are not held centrally.
The National Infrastructure Security Co-ordination Centre (NISCC) was formed in 1999 as an interdepartmental organisation to co-ordinate and develop existing work within government departments and agencies, and organisations in the private sector, to minimise the risk to the CNI from electronic attack. While owners of CNI systems are responsible in the first instance for the protection of their systems, they are supported in this role with advice and technical expertise from NISCC.
There are three strands to NISCC's approach:
- investigating and assessing the threat of electronic attack;
- promoting protection and assurance within Government and the CNI; and
- responding to incidents and new vulnerabilities with information, practical help and advice on mitigating action.
NISCC is able to assist organisations in effective risk management and assurance of their systems through information exchanges with the UK CNI and with international partners. Part of NISCC's role is to promulgate regularly updated advice and warnings to reduce the vulnerability of critical systems to attacks. There is of course a limit to what government resources can do—it is for companies and organisations to take prime responsibility for their own IT protection and security.
Within that operating framework it is therefore not possible to give exact figures on how many Critical National Infrastructure (CNI) systems were infected by the My Doom, Netsky and SoBig viruses, or what the exact extent of the fiscal damage was as this information is not collected centrally. However, NISCC overall assessment of these attacks is that their impact on the CNI was minimal, and that they did not significantly degrade CNI systems.
As part of its information exchange work, NISCC has well established and extensive links with the financial sector. The Government are not aware that advice has been issued by financial organisations to their security departments to cease checking for computer system vulnerabilities.
In terms of vulnerability testing more generally, again this is primarily the responsibility of individual system owners. NISCC is able to support the CNI in this role by providing the necessary support and information on current threats and the steps needed to protect against such threats.
NISCC's work is spread across a number of government departments including the Home Office, Cabinet Office, Security Service, Ministry of Defence, National High Tech Crime Unit, CESG and DSTL. Anyone who is interested in the work of NISCC can 21WA visit its website or approach any of the relevant departments for further information.
NISCC's staff is drawn from those central government departments that carry out its work. It's core staff is around 60. However, NISCC has the option to buy in technical expertise from other government departments and the private sector as needed. NISCC's annual budget for running costs for 2003–04 was £5.15 million. Budgetary provision for NISCC is assessed annually in the light of the overriding assessment of the threat to the CNI from electronic attack and alongside other central government resource considerations.