Holding the Intelligence and Security Services to Account over Implementing a Robust Cyber Strategy

Mark made the following speech today at the 2012 Cyber Defence and Network Security Conference in his capacity as a member of the Intelligence and Security Committee:

The growth of the internet is the defining technological change of this generation. Not only has it transformed the way we communicate, socialise, transact, consume, but it has linked the world in ways seemingly unimaginable even a decade ago. Needless to say we have only just started down this road and the transformative effect of technology over the forthcoming decade will very likely be greater still.

The inevitable impact on my own sphere – politics – was clear for all to see last year. The Arab Spring, the rapid coordination of global protest movements, the London riots, the continued dramatic, debilitating drip of Wikileaks – these events were not necessarily foreseen, but they were in part facilitated, and certainly enormously accelerated, by the internet.

In 1995, the number of web users stood at 16 million. That figure has mushroomed to the over two billion users we see today. Such expansion brings exciting economic and cultural opportunities, not to mention political and legal challenges. But it also heralds a new age of previously unseen threat. With a total disregard for convention and an ability to break down perceived norms at staggering pace, the internet presents to diplomat, politician, businessman and everyday citizen alike a challenge of epic proportions.

That challenge is likely only to be magnified with the rise of cloud computing and the movement of more personal data and government services online. Public authorities will need to be nimbler, faster and more responsive and adaptive than ever before. How can that be done? And how can we make sure that the British government is fulfilling its duty to safeguard and protect its citizens in this brave new virtual world?

It is here that parliament’s Intelligence and Security Committee, of which I am a member, plays a part. Chaired by former Foreign and Defence Secretary, Sir Malcolm Rifkind, a key element of the Committee’s remit is to hold the government to account when it comes to ensuring that our security services are implementing a robust cyber strategy. This afternoon I hope to take you through the key threats as the Committee currently sees them and discuss how we intend to keep some check on the government and its agencies’ response to the national security aspects of these.

Established by parliament in 1994, the Intelligence and Security Committee provides democratic scrutiny of the finances, policy and administration of our three intelligence agencies – MI5, MI6 and GCHQ. Only two decades ago it was regarded as unthinkable that parliament should have a role in this shadowy area of the State. Indeed it was a space that where only senior Cabinet Ministers and civil servants could – in private – acknowledge the existence, let alone the work of the security services.

Our nine members, taken from both Houses of Parliament, are appointed by and report to the Prime Minister and while bound by the Official Secrets Act, with regular access to the most highly sensitive material, we are not formally vetted – rather against the grain of current public opinion, Members of Parliament are deemed to be of sufficient integrity to avoid that process and I am glad to confirm that in this sphere at least, there has never been a leak! In fact party politics is left firmly at the door and while the UK media’s appetite for criticism and sensationalism naturally extends to our work, we do not play to the gallery. Instead, we typically take evidence in private from Ministers and senior officials. We enjoy the freedom to set our agenda before publishing our own, proudly independent, annual and ad hoc reports. We draw our own conclusions regardless of what might make the best headline.

As I mentioned, it is important to recall that when the Committee was first established, it represented a radical departure for Agencies that were only just being publicly acknowledged. As you might imagine, there was more than a small degree of trepidation on their part in being made accountable to politicians. Consequently, safeguards were built into legislation that permitted the Agencies to withhold material if it was deemed necessary. Nevertheless the relationship has developed over time such that the Agencies now accept a greater level of accountability, and have greater respect for the independence of the ISC. As a result, the legislative safeguards have never been used and are now largely redundant.

While our remit in legislation is to examine ‘policy, expenditure and administration’, in reality it runs wider. Supported by a small Secretariat and a part-time investigator, we have conducted detailed examinations into operational issues such as rendition and, most notably, the 7/7 bombings, two of which took place in my own Cities of London and Westminster constituency.

Nevertheless, the coalition government believes there is room for stronger oversight of intelligence. To this end, and in the context of introducing new rules to protect intelligence material in judicial proceedings following the Binyam Mohamed court case of 2009-10, it wants to give the ISC further powers. If the government’s proposals are adopted, the ISC would become a Committee of parliament, rather than being based in the Cabinet Office, following past criticism that we are currently too close to the Prime Minister. The right to ‘require’ rather than ‘request’ information would be given, allowing access to original information as of right. Our support staff would be expanded and have formal oversight for the whole of the intelligence community, not just the three main Agencies. These reforms are likely to prove necessary if we are to keep on top of rapidly developing sectors such as cyber.

Businesses, individuals and governments are increasingly dependent on cyber space, from the use of email and other communication methods to internet shopping. But that exposes us all to risks and in January of last year, the Chief of the Secret Intelligence Services, told the Committee that ‘the whole question of cyber security is shooting up everybody’s agendas’. The ISC has been advised that the threat from the expansion of the internet falls into three categories: criminals, states and terrorists.

According to NATO, criminal intent now accounts for ninety percent of malicious cyber activity. Online fraud, for instance, is now being perpetrated on an industrial scale, with the tools to carry it out readily available online. Adding to the problem is that many criminals base themselves in foreign jurisdictions, making their successful prosecution tricky. Nevertheless, protections are also widespread and the Serious Organised Crime Agency has estimated that eighty per cent of online fraud could be prevented if individuals kept security software up-to-date, chose better passwords and observed basic security practices. Indeed I cannot emphasise strongly enough that we all, as individuals, already have the answer to most of this problem. F

ar lower in volume, but more significant in national security terms, is the risk from Hostile Foreign Activity from other states. Cyber space means that countries no longer have to invest in global networks and pursue complex operations with high level agents when it comes to espionage: they can access much of the same information using relatively inexpensive cyber attacks. GCHQ believes the greatest threat of electronic attack continues to be posed by State actors and, in this regard, Russia and China are attributed with the majority of attacks.

Activity in this area tends primarily to be for espionage purposes, as well as the theft of government and economic material. Yet we cannot discount the possibility that attempts could also be made to disrupt critical infrastructure. It is thus vital that our government and vulnerable sectors of the economy have adequate defences.

Finally, international terrorism. We are all aware that terrorists have ruthlessly exploited the internet as a vehicle for the dissemination of propaganda as well as a means to exchange technical knowledge. Indeed, it has proved the ideal outlet for groups such as Al Qaeda to radicalise new recruits and distribute its extremist material.

Taking these three strands into account, the government identified the risk of cyber attacks as a Tier One threat (in other words, the most grievous threat), in its October 2010 National Security Strategy. Make no mistake, the volume of e-crime and attacks on government and industry systems continue to be disturbing. Attempts to steal British-owned intellectual property, namely patents, ideas and designs – most pressingly but by no means exclusively in the IT, technology, defence, engineering and energy sectors – to gain commercial advantage are commonplace. Similarly attempts to profit from secret knowledge of confidential contractual arrangements are potentially massively damaging. Such intellectual property theft does not just cost the companies concerned, it represents a substantial attack on the UK’s continued economic wellbeing, especially in these troubled times. In the public realm, last summer, our security services identified one significant, yet thankfully unsuccessful, attempt on the Foreign Office and other government departments to acquire sensitive information from government computer systems.

As a consequence of such threats, part of the last Spending Review settlement saw £650m of funding announced over four years to implement a National Cyber Security Programme. Fully £600m of this money was ‘new’ in the sense of being ringfenced and not in planned budgets to that date. It is intended that this Programme will overhaul the UK’s approach to tackling cyber crime; address deficiencies in the UK’s ability to detect and defend against cyber attack; address shortcomings in our critical cyber infrastructure; sponsor long-term cyber security research; and introduce a new programme of cyber security education and skills.

As recently as November 2011, to take account of developments in this fast changing world, the government updated its Cyber Security Strategy, setting out a vision for 2015 where the UK would tackle cyber crime, be more resilient to cyber attacks and shape the development of cyberspace. But the approach must be a joint one between government, individuals and businesses for the government simply has not the remit to control what happens in cyberspace. The UK already has world-class capabilities in this area but we must keep pace. In this regard, the London Cyber Conference that also took place in November marked an important step toward developing internationally-agreed rules on what is acceptable behaviour in the virtual realm.

The ISC first commented on cyber matters in 2009 when the Committee raised its concerns about the threat and urged the government to give it far greater priority. While the coalition’s Natural Security Strategy is therefore to be welcomed, concern remains about the number of units in different departments and agencies (some eighteen that we were aware of) with fingers in the cyber pie. This undoubtedly represents an opportunity for duplication, confusion and inefficiency which surely cannot be cost-effective.

Our concern is reinforced by evidence given by the Agencies themselves. The Director General of the Security Service informed us that ‘it’s not absolutely clear what the overall architecture is going to be for cyber security’, while the Chief of SIS advised that ‘I’m not sure the Cabinet Office processes for determining what is a coherent cyber programme are as sophisticated as they should be’. To this end, we have recommended that existing structures be rationalised and it is an area which we shall continue to monitor.

As a Committee, we have also been critical of the ministerial lines of accountability for cyber issues. They had been deeply flawed, with the original Minister in charge (in the Home Office) having no direct responsibility for the unit in the Cabinet Office that had been coordinating the government’s response, in spite of decisions relating to national security demanding the clearest lines of accountability. It was neither sensible nor appropriate to assign ministerial responsibility for cyber security to the Home Office when officials were themselves split between the Cabinet Office and GCHQ. Thankfully this has now been rectified, with ministerial responsibility for cyber security transferring to the Minister for the Cabinet Office, a simplification which we have welcomed.

The intelligence and security agencies are currently developing new capabilities in the area of cyber security with the additional funding granted by the government. Former Security Minister, Baroness Neville Jones advised us that the jewel in the crown in terms of our cyber capability is GCHQ where work is divided into four specific categories that include the development of our own military cyber capability – we should not forget that when hostile actors use the internet or cyber attack methods, they too become vulnerable. The ISC intends to keep this effort under very close review and will be reporting on progress when we publish our Annual Report later in the year.

In conjunction with the Security Service, responsibility for engaging the private sector on cyber security rests with the Centre for the Protection of National Infrastructure, which provides advice on protective security to owners of key elements of our national infrastructure in both the government and private sector. The aim here is to reduce the vulnerability of key physical, personnel and information assets to attack, primarily from terrorism, but also from Hostile Foreign Activity. In the coming years, the provision of cyber security advice to a growing range of private sector organisations is likely to be the CPNI’s principal area of growth. We shall no doubt be watching how this activity progresses.

Cyberspace is quite clearly going to continue to be one of the great challenges of our day. We need to develop a collective approach to our security in this regard which will make UK networks resilient in the face of threat. In view of the high-profile cyber crimes in the financial markets resulting in significant losses, one area where we may soon see significant progress is in insurance, or more properly, re-insurance. The current cyber crime insurance market is weak with sporadic cover and little above a relatively modest £100 million. Arguably the market resembles terrorism insurance where Pool Re has stepped in since the vastly expensive IRA bombing campaign of the City and Canary Wharf in 1992/93. As cyber crime becomes more prevalent perhaps government will consider assisting the insurance industry in funding (and then spreading the risks associated with) extreme losses. Such a reinsurance scheme might also boost the UK as a hub and a place open for the largest global businesses most vulnerable to cyber attack.

Thankfully, in the ISC, the UK has powerful parliamentary oversight of our security services which is likely only to be strengthened further in future, trusting that the government’s proposed reforms, which I have outlined, will be adopted. The relationship between Agencies and Committee, built up over many years, is strong and trusting, unconstrained by the Committee’s narrow legal remit.

The government’s commitment to tackling the threats posed by cyber crime and espionage is also reflected in the sum of money being invested in this area. My role, as an ISC Committee member, is to help ensure this money is spent wisely and that the Agencies are playing their part in implementing the National Cyber Security Strategy. I have no doubt that as a Committee, we shall continue with pride our role of holding the government and its agencies to account.

I would like to finish by paying public tribute to the work of the intelligence services, both in the UK and across Europe. Their work is not well understood but it is clear to me that it is vital in keeping us safe from our enemies. We are lucky to have them.