This Thursday I spoke during an Estimates Day debate on the importance of Cyber Security to the UK. You can read my speech and find a link to the full text of the debate below or you can click on the video above to watch the debate and my contribution.
Mrs Madeleine Moon (Bridgend) (Lab): It is an honour to follow the hon. and gallant Gentleman. I share his concern about an attack on our national infrastructure, but we sometimes focus on things such as banking and transport when we should perhaps look at our food supplies or our hospitals. The impact of such an attack on the civilian population and the country’s morale would be huge. We must address resilience to a cyber-attack and we must engage the civilian population in understanding and preparing for that.
The Chairman of the Defence Committee and I were given a book for holiday reading: “One Second After”. That delightful read, which probably wrecked my summer, was a description of the United States after an electro-magnetic impulse attack had taken out all its computer-based systems. Everything went. No cars could go on the road and nothing would work. It was a scary prospect and I now understand why the Defence Committee’s Chairman runs a car that does not have a computer in it. I am sure the book was a great influence in the decision to purchase that car.
The book also made me aware of the very narrow issue of who is the enemy. In traditional warfare, we tend to know who we are fighting, but in future we may be fighting criminals who are holding the country to ransom. We could be fighting terrorists, because a state is not needed to manufacture a cyber-attack, or activists or anarchists. It has been suggested that some of the attacks in Estonia were by third-party actors. At the bottom of the list is the potential for a state to attack, because states like rules and the rest do not follow rules. That is why they must be our focus, our worry and our concern.
A statement made in 2012 informed us:
“Our cyber defences blocked around 400,000 advanced, malicious cyber threats against the government’s secure intranet alone”.
On the whole, we do not know where those threats are coming from. We do know that the Government have given a commitment to having full-spectrum capability in dealing with cyber-attacks. In fact, in response to the growing number of cyber-attacks, the Secretary of State said that
“we are developing a full-spectrum military cyber capability, including a strike capability, to enhance the UK’s range of military capability. Increasingly, our defence budget is being invested in high-end capabilities such as cyber and intelligence and surveillance assets to ensure we can keep the country safe.”
I was very interested in that statement, so it sent me off on a little tangent, as such things often do. As the Minister, who has received many of my quirky little requests for information, will know, I sent off a parliamentary question to every Department asking them how many specialist IT staff they employed who had a PhD in computer science, who had a master’s degree in computer science, and perhaps who even had just a basic bachelor’s degree in computer science. It did not bode well, I have to say. The Ministry of Defence can rest on its laurels; it came second to the Department for Work and Pensions, with 1,625 such members of staff. None of the Departments could break the information down by qualification across Departments, which could explain why Government are not very good at commissioning cyber-capability and improved computer networking capability. Only 5,088 people, in total, held a degree-level capability in computing. It was depressing to note that the Department for Culture, Media and Sport had only three people with such a qualification, so we should watch out for its contracting.
Ms Gisela Stuart: Given the logic of Government, did my hon. Friend also ask whether the people with a computing degree actually worked in such areas beforehand or did something completely different?
Mrs Moon: I did, and most Departments responded that they worked in specialist teams, as we would expect.
Interestingly, the response from Her Majesty’s Treasury told us that a total of 48 people are employed within its centralised IT department, or teams. Those staff provide IT services to the Cabinet Office and to the Treasury. That compares with 57 people in 2008 who worked exclusively within the Treasury. So the numbers are going down, and that has to be a matter of concern. As people with these skills are increasingly highly valued in the marketplace, can Government stay ahead of the market in being able to recruit them?
I was worried about the budget and looked into that aspect. We have heard about the figure of £650 million over five years, which is a mere fraction of the figure for the annual economy, which is set to lose £27 billion every year to criminal activity in the cyber-realm. In contrast, the US Department of Defence has outlined a $23 billion spend on cyber operations in the financial year of 2018 alone.
I thought that I would then have a look at how well we were doing in this area. I discovered, rather alarmingly, that the Government had withdrawn from a new cyber-warfare project called Project Cipher, which was intended to scrutinise fully complex programmes to ensure that they had the potential to meet our needs. After thorough assessment, it was decided that Cipher would not meet the full defence capability required to offer long-term value for the taxpayer, and so the programme was not taken forward. The costs of the stalled project, in the assessment phase alone, had been £66 million, so we have lost a large percentage of the money set aside for cyber, and they were £47 million above the original budget. Overall, this was a major disaster. IHS Janes has said that the project was
“intended to renew the MoD’s cryptographic inventory and automate its crypto-key management systems by replacing obsolete current systems to prevent encoded communication links being compromised.”
I understood half that sentence. The important bit is that it was intended to replace obsolete current systems, because Departments are not good at replacing obsolescent systems. They tend to work things for the length of a Parliament, which is now five years when we all know that these computers are dying on their feet after about the first two years.
IHS Janes continued:
“The delays in bringing Cipher online are creating capability risks, says the NAO, because the ministry’s existing crypto capability lacks the flexibility to deliver the flagship Network Enabled Capability project, which aims to link up a wide range of military communication networks. This means efficiency savings relating to the automation of crypto capability has been delayed, leading to increased demands on military manpower.”
It explained that the problems with Cipher’s design first emerged during an assessment phase and that they were the result of the lack of suitably qualified experienced civil servants—you will be surprised to hear that, Madam Deputy Speaker. One of the essential things that we must do if we are to be responsible in looking to the defence of this country is to find the way to employ and retain the capability that we need within government to provide the skills and oversee the systems that we operate to keep this country secure.
There has been considerable discussion about having a cyber reserve. I have had conversations with a number of companies that have told me that they are very worried about their employees joining the reserves because they fear for them when they have to travel abroad. Many international companies work around the globe, and they worry about someone who has been in our cyber reserve and transfers to work in another country, or merely travels through a country perhaps on business or on holiday, being prone to personal attack because of the information they would hold not only on their company but on the UK’s cyber-defence capability. I hope the Minister is aware of that concern and will address it.
This is perhaps one of the most urgent and pressing issues affecting this country. We have to take it seriously across every Government Department, but we also have to alert our citizens of the fact that they are also now on the front line, because the attack may come from their personal computer, which could be hacked and used for an attack not only on this Government, but on other Governments.