23 November 2005:
Mark Pritchard (The Wrekin) (Con): I am grateful for the opportunity to bring an important issue before the House.
There are four types of cyber threat—worms, viruses, trojans and spyware, which can also appear in combination. Worms are self-replicating programs designed to spread through networks and cease operations. Viruses are usually files that attach themselves to other programs and spread themselves into other programs or computers with which they come into contact. A trojan is usually a program that disguises itself as helpful, but then proceeds to replicate itself throughout the computer network, allowing external control as well as user debilitation. Spyware is a type of trojan, usually attached to another program, which, when downloaded, is used to record activity on a computer, and is then accessed by the originator.
Today I will consider the national security and economic implications of the advent of new and more aggressive breeds of virus and cyber security threats to Government and the private sector. It is noteworthy that the United States Department of Homeland Security records that the number of cyber attacks increased from 10,000 in 1999 to more than 400,000 in 2004. We are all aware of major incidents that have taken place in recent years. In May 2000, the "I love you" virus, a macro virus that overwrites key computer files, caused some $10 billion-worth of damage across the globe. In September 2001, the "Nimda" virus—a worm and virus—which spread throughout North America in just one hour, attacked more than 8 million computers and took weeks to eliminate. It was spread by e-mail attachments and copied itself to mailing lists and networks.
In November 2004, the "Agobot" virus, a dormant virus that replicated itself throughout computer networks, hit the world. It is still dormant in many computers across the globe. Nine million computers have been affected, and that figure is rising as people discover the virus on their systems. In March 2004, "Mydoom", the appropriately named combination of a trojan and a virus, spread to more than 1 million computers in just 56 hours, thereafter infecting another 4 million computers. The US State Department has suggested that there has been a 300 per cent. increase in trojans in the past year alone. More worryingly, those viruses have been introduced not by amateurs—although they have been involved in some cases—but by professional hackers.
The rise of the professional hacker has serious implications for the UK, particularly in relation to national defence. I would be very concerned indeed if my constituents, or anybody in Britain, felt that our intelligence and defence systems and networks were being penetrated by viruses. There is also the danger that potential enemies of this country might spy on vulnerable and security-restricted areas of the internet. We know that that does occur; it has been confirmed by Governments around the world, including that of France, and, again, the US Department of Homeland Security. We hear little from the British Government, and I hope that the Minister will be able to throw some light on what Britain is doing about protecting our national security systems from such viruses and cyber security threats.
I recall that in July 2001 a worm targeted a weakness in the White House network. That had serious implications for the running of the White House. All users who attempted to access that server were attacked. More than 250,000 computers were affected in three hours. It was Code Red.
Key national infrastructures, such as energy, transport, finance, telecoms and aviation, rely constantly on an exchange of information, primarily through computer networks. A penetration of any of those networks would be a serious threat to national security, not least when it comes to the potential to access Britain's 14 nuclear power stations. I hope that if the Government decide on new nuclear power stations as part of the current energy review—clearly, there is a bit of confusion, but the Prime Minister has hinted about going new nuclear—the software and the systems involved in running new nuclear power stations will be fully protected from cyber security threats. It is interesting that the imprisoned al-Qaeda members have admitted that their organisation has been attempting to—and no doubt is still attempting to—develop cyber threats to strike western Governments.
There are other issues, such as Government databases—especially those proposed for the national identity card scheme, which would contain biometric data. They have been identified by Infosecurity Today online magazine as potent targets for hacking, possibly allowing massive levels of identity fraud. That brings me to the issue of identity fraud. It is reported that more than 200,000 cases of identity fraud on the internet were recorded in 2004–05, at a cost of nearly £60 million to the UK economy alone. That is in spite of the launch by Companies House of Monitor, which seeks to secure company details—never mind the details of individuals.
There is an added cost in the form of people who would shop online and access services and products—either wholesale or retail—in that way, but who are put off by the risk of being exposed to fraud. Online credit card fraud has also increased by about 29 per cent. over the past year alone, at a cost to UK businesses of at least £16 million and a cost of £260 million worldwide. That is a small proportion of the total and ever-increasing fraud on the world wide web.
I have mentioned America and the French and now I should like to mention the Japanese, being a member of the all-party group on Japan. I am supporting not just Japan's rugby bid, but its anti-corporate-espionage activities. It is leading the way in preventing corporate espionage, including the theft of patents, scientific research data, business strategies and client information. In fact, the Japanese Home Office has estimated that there has been a 200 per cent. increase in corporate espionage over the past year. That could have limitless implications for British businesses and entrepreneurs.
So, what can be done? The US has a unified agency called the National Cyber Security Division to assess and respond to cyber-threats. The computer emergency readiness team is a sub-agency of the division and its role is to inform the private sector of any threats and to co-ordinate private sector action and responses. The US Government have also taken several other measures to reduce the rise in cyber threats, such as a regular exchange of information between the state and the private sector to alert one another to such threats. Known threats are analysed and strategies to deal with them are developed. Software is updated and protected against the latest threats. The private sector is encouraged to develop contingency plans should the internet and computer systems, networks and servers fail. However, it is incentivised for doing so.
The rise in aggressive viruses and cyber security threats is a clear and present danger to Britain's national security. It is also a threat to Britain's economic well-being. More than 90 per cent. of cyber threats have a major impact not only on the originating country but across the globe. Britain is the international hub for banking, finance houses and many other businesses, so if we get it wrong it will have implications for many other countries as well as ourselves; yet we have no international treaty or convention to deal with cyber crime. We have only a series of bilateral engagements and extradition laws. The Americans, however, extradited someone from the UK, perhaps because their laws are more robust than ours.
That leads me to my questions for the Minister. Would Her Majesty's Government consider strengthening domestic laws to ensure that penalties are severe enough to act as a deterrent for all those caught and convicted of cyber crime? Would the Government work with the international community and the World Trade Organisation towards creating a standard or uniform legal approach at a global level on such issues?
Would the Government consider doing what the United States has done, and establish a cyber security week or cyber security day? That would provide a platform to promote awareness and understanding of cyber security issues, and the potential damage to Britain's economy and national security. It would help if the Government were to deal separately with the impact on the private and public sectors.
Would the Government consider forming a unified national cyber security agency, which would take a lead on their behalf and be a single point of cyber security information, guidance and advice for the nation? What are the Government doing to ensure a robust and co-ordinated response to cyber threats in the UK and among our allies? Viruses can often get through weaker systems. If we, with improved cyber security measures, share intelligence information with nations that do not have similarly robust firewalls—what I might call added-value firewalls—our systems will still be vulnerable. We need to be aware of that.
Will the Government please consider those matters urgently? I have spoken this afternoon about defensive measures. I hope that we shall have time in the House to speak about offensive measures—about how to avoid wars and confrontation by disabling our enemies' systems before they can push the button on missiles that might strike our shores. The House should have the opportunity to debate offensive cyber-security issues.
I hope that the Minister agrees with his noble Friend Lord Harris of Haringey, who said only a few months ago that the Government should consider appointing a cyber security tsar. I have expressed personal views, but there is cross-party support for them. I hope that the Minister will look upon my proposals and questions favourably.
The Parliamentary Under-Secretary of State for Trade and Industry (Barry Gardiner): I begin by congratulating the hon. Member for The Wrekin (Mark Pritchard) on bringing such an important matter to the attention of the House. I hope that he will forgive me for gently reminding him that he should register his interest as a remunerated director of an internet company, as it is pertinent to our debate.
Mark Pritchard: I am grateful to the Minister for reminding me. I am happy to register that.
Barry Gardiner: Secure networks are absolutely vital, not only to ensure that data held by public and private bodies are not compromised or lost, but to build the element that is essential in any commercial or financial market: consumer confidence. If consumers do not have confidence in their ability to transact online business in safety, they will not transact online business at all.
The Government take such issues seriously. Although my Department's responsibilities focus primarily on the business community, I can outline progress in a range of activities across Government. The strategic focus of Government is co-ordinated through the Cabinet Office. Its primary concern is to ensure that the Government's information assets are properly secured. It is recognised as of vital importance that work in Government is informed by and informs developments in the private sector. For that reason, we see the question of communication between Government and business and end users as vital.
There is now a sense of ownership for the issue among Departments, and a recognised community of senior risk owners who are responsible for promoting best practice. The Cabinet Office is also taking a far more forward-looking approach to future risks and acts as the Government's customer for expert work in devising common-good solutions to emerging information security problems. The budget for the vital investment in software and hardware to protect Government information in the current spending round amounts to some £30 million.
The Cabinet Office has also tried to simplify basic security requirements for the entire public sector by producing guidelines on secure e-government. They are supported by a new initiative that will help by the simple method of verifying security claims made for a product. All parts of Government make informed purchases of information technology.
All in all, I believe that the importance of cyber security is now embedded in Government thinking. Hon. Members will have noted that it was one of the key features highlighted in the recent "Transformational Government Enabled by Technology" strategy paper. Government can effectively be moved online only if it is consistently available and, as I said before, has the confidence of its users.
My second point is about the work that we have done to protect our critical national infrastructure. With the emergence of the threat of a remote attack on information systems, the Government have placed particular importance on protecting the systems that are critical to maintaining the energy, communications, water, transport and government systems that are crucial to our way of life. For that reason, in 1999 the Government developed a policy on protecting those systems and created the National Infrastructure Security Co-ordination Centre, NISCC, to implement that policy. NISCC can draw on nearly 100 experts from agencies and works in close partnership with the police and other parts of Government that have an interest in protecting the critical information infrastructure.
Mark Pritchard: The Minister is absolutely right that that organisation exists. Bringing that organisation on line, if the Minister will forgive the pun, was a major step forward for the Government. However, it only has an advisory role and the threat should be managed more robustly.
Barry Gardiner: I understand the tenor of the hon. Gentleman's remarks. However, NISCC has established good working relations with the management of public and private sector owners of the infrastructure. It discusses with them, as a trusted partner, how those systems are secured against a constantly changing threat paradigm. It has established communities in the relevant sectors called information exchanges, where front-line security specialists can talk frankly about emerging problems and solutions. There are active information exchanges in the financial and communications sectors. In terms of this aspect of Government policy, we are one of the world's leading nations. The UK experience is seen as important, particularly as the EU gets to grips with the issue in the context of new threats to our security.
Of course, the business community understands that the move to the information age will function only if there is confidence in systems and networks that are resilient and that do not pose a risk to the privacy or the pocket of the user. We all know that mistakes have been made in the past and that, in the rush to get the world connected, security was perhaps sometimes traded off against functionality. Those days are long gone and there has been a move by vendors to work towards a much more inherently secure generation of both hardware and software. I draw the hon. Gentleman's attention to the trusted computing initiative, which brings together the leading technology vendors in a joint enterprise to address the issue.
That, of course, reflects an increased concern by Government that technology should develop in a way that is inherently more resilient. The continued resilience of the internet was one of the underlying public policy concerns that drove the recent world summit on the information society. I am pleased to say that, difficult as it was, we have an outcome in terms of future stakeholder engagement on these issues that is a step forward. I can report that we have had notable success and have agreed that the way forward from the summit will address cyber security and spam. The summit constitutes a call for further co-operation by all stakeholders, and for Government and industry to move forward in partnership.
While the business community is addressing the issue, we must accept that there remain several important roles for Government. At this stage, we have not sought to go further than is necessary down the path of regulation. The relevant regulation in this area is rightly lean and focused. Those who process sensitive personal information are bound by the Data Protection Act 1998 to apply appropriate protection to ensure that such information is not inappropriately accessed. There are fairly broad requirements on those who provide communications services to ensure that they are secure.
There is a role for Government and business to work together in a non-regulatory way. I have mentioned the work undertaken as part of our national security agenda and the collaboration with technology vendors in relation to the Government's own requirements. We are also working with technology vendors and service providers to deal with the new generation of malicious software, which first became a problem as those who pushed out spam sought to conceal their activities by colonising the computers of other internet users to pass on their products. That led to an explosion of criminal activity based on the ability to dupe innocent users into giving up personal information or downloading software that, through constantly changing technology, seeks to extract personal information or passwords in order to access online accounts.
The new generation of malicious software, by which I mean spyware, keyloggers, adware and the like, is requiring new defences to work with the approaches developed to combat the virus and worm attacks that there have been since the late 1990s. The Government have been among the leaders in trying to develop a multifaceted approach to the problem, looking at a toolkit of regulatory technological processes and awareness-raising tools.
One of the issues emerging is the pressing need to find a solution to the problem of identity online. The failure to have certainty about the identity of the person or body that one is dealing with is at the heart of many of the problems. I am glad to note that the question of electronic identities is moving up the agenda for further work in the EU, and the thinking on our own identity card will be informed by the need for greater certainty about online identities.
My Department can make an important contribution to the future of cyber security through the work that we support in the research community and through our existing programmes to support innovation. I remind hon. Members that Lord Sainsbury of Turville, who is responsible for the Office of Science and Technology, commissioned a major piece of work in 2004 under the foresight programme. It was called cyber trust. It took a long-term, scenario-based approach and identified possible directions for technological and sociological work in this area. The Department's innovation programme is reflecting that thinking and work is under way to improve the way in which the UK's supplier base can improve its performance in adopting new ideas.
Mark Pritchard: I just wondered whether the Government would consider, as Lord Harris suggested—and we agreed—appointing a cyber security tsar and having a cyber security day or week, which would include the private and public sectors.
Barry Gardiner: I have noted the hon. Gentleman's comments and his strong recommendation that we should do that. Obviously, he would not expect me to make any announcements at this stage, but the Government should consider those sensible suggestions and arrive at an appropriate conclusion.
My Department has had a long-standing role in identifying and promoting best practice in information security, with a particular focus on the needs of smaller businesses. The hon. Gentleman will be aware, I am sure, of the Department's biennial information security breaches survey, one of the best of its kind in the world, which looks at the changing pattern of security problems as they are experienced by UK companies. The last survey reported some positive developments in relation to how the subject was being treated by companies—some 75 per cent. of managers thought that information security was a high priority—but it still found a worrying lack of awareness and preparedness. Only 20 per cent. of respondents had a business continuity or disaster recovery plan. I suspect that the next survey, on which the fieldwork is under way as we speak, will give us a good insight into how business is responding to the current surge in malicious software.
The survey assists us in many ways—and I should say in passing that sponsorship and input from business make it a great example of public-private partnership. It has allowed us to focus our outreach efforts to small business against a clear understanding of their problems. Let me illustrate that. UK industry classifies 51 per cent. of its information as highly sensitive, but small business spends less than 1 per cent. of its IT budget on protecting that asset. It is clear that investing in IT security is perceived as a burden by that group, especially as identifying a return on the money invested is so hard to calculate. Yet it can cost upwards of £10,000 to rectify a security breach. We aim to get the message across that a small investment in appropriate systems and products will increase security exponentially.
The material that my Department has produced for smaller businesses is rightly regarded as among the most effective in the EU. My Department looks to work with high profile partners to support the dissemination of these ideas. We are fortunate in having recently completed one successful project with the Institute of Directors and there is another one with the CBI and Ernst and Young, which is due for launch in the new year. That project will seek to use the supply chain as a method for reaching smaller businesses and will involve a series of regional roadshows.
The survey also allows us to measure how businesses are treating information security as a business issue. It has always been the Department's objective to put information risk at the heart of the UK business approach to risk management. To that end, the Department has collaborated with businesses in the production of information security management standards, and we have worked together to produce two key standards: a guideline document and a specification for an information security management system. I am glad to say that both those UK initiatives have been recognised by the international standards community and have been adopted as international standards. The publication of the information management systems specification took place as recently as 15 October, and there is every prospect that it will become a major tool for businesses that wish to deal with information risk systematically.
I am mindful that we need to promote good practice to support e-business—of which I understand the hon. Gentleman has personal experience—and I assure him that the Government remain committed to promoting a vibrant e-business community with confidence in its ability to work securely. As I have explained, it is not the Government's role to manage the internet, or regulate how business is conducted through it. We need to regulate to allow e-business to flourish and, through laws such as the Computer Misuse Act 1990, provide a deterrent to those who would seek to conduct crime online.