The announcement on the Cyber Security Strategy looks like being tomorrow

According to the Independent this morning, the announcement of the new Cyber Security Strategy that was promised last week and that I have been calling for over the weeks (years?) will take place tomorrow.  Earlier this week I chaired a seminar on “Meeting the Threats in Cyberspace”.  One of the most impressive (worrying?) presentations was from Scott Borg of the US Cyber Consequences Unit.  His conclusions, which spell out why a fresh approach from the UK Government is so urgent, can be summarised as follows:

“Based on the work the US-CCU has already done, it is evident that the potential economic and strategic consequences of cyber-attacks are very great.  The US-CCU’s research has demonstrated that the numbers widely quoted for the costs of denial-of-service cyber-attacks lasting up to three days are actually wildly inflated.  But the US-CCU’s findings show that other types of cyber-attacks are potentially much more destructive.  Especially worrisome are the cyber-attacks that would hijack systems with false information in order to discredit the systems or do lasting physical damage.  At a corporate level, attacks of this kind have the potential to create liabilities and losses large enough to bankrupt most companies.  At a national level, attacks of this kind, directed at critical infrastructure industries, have the potential to cause hundreds of billions of dollars worth of damage and to cause thousands of deaths.

Some of the attack scenarios that would produce the most devastating consequences are now being outlined on hacker websites and at hacker conventions.  The overall patterns of cyber intrusion campaigns suggest that a number of potentially hostile groups and nation states are actively acquiring the capability to carry out such attacks.  Meanwhile, the many ways in which criminal organizations could reap huge profits from highly destructive attacks are also now being widely discussed.  This means that American corporations and American citizens need urgently to be informed, not just of their technical vulnerabilities, but of the economic and strategic consequences if those vulnerabilities are exploited.  It is only by basing our cyber-defenses on a comprehensive assessment of cyber-attack consequences that we can make sure those defenses are sensible and adequate.”

The United States should “declare a right to cyber self-defense” says one US commentator

The Boston Globe has an article from a fellow at the Harvard Kennedy School of Government arguing that the United States should assert its right to cyber self-defence by declaring that “it will promptly counter-attack as accurately and as proportionally as technology allows”. 

This is an interesting – if scary – argument.  It conjures up memories of the Cold War and “Mutually Assured Destruction” or even further back of Lord Palmerston and “the send a gun-boat” style of diplomacy.  Did either strategy work?  Well, some would argue there was no nuclear war during the Cold War years (although, the aftermath poses some interesting problems of proliferation etc).  And, of course, during the Palmerston era the Sun never set on the British Empire (allegedly because the Sun knew it could never trust the British Empire in the dark).

It is undeniably the case that a number of nation-states are developing an offensive cyber-warfare capacity and those that ostensibly are only interested in developing a defensive strategy can readily reverse the process to become offensive (Porton Down was always ostensibly about developing chemical weapons defence …).

Similarly, non-state-sponsored cyber attacks often emanate from countries who are either indifferent to the activities going on within their borders or are powerless to intervene.

Does this give a country the right to retaliate?  The Boston Globe article suggests that a few bouts of such retaliation would bring about the creation of some international means of regulating and protecting cyberspace.  That may be true, but it would be good to think that such an outcome could be achieved without the digital trench warfare that the article describes.

Digital Britain report praises “The Geek Squad” and the “Tech Guys” but don’t the public need more assurance about services such as these?

Today’s “Digital Britain” report has an interesting paragraph on “Securing Home Networks” which says:

“In addition, the market is increasingly providing a high level of after sales support to its customers through additional assistance in relation to dealing with technical complexity – a sort of “AA breakdown” assistance for your personal networking needs. As home networks become more complex, it is legitimate to expect that these types of service will continue to grow. Services such as “the Geek Squad” from Carphone Warehouse and “Tech Guys” at PC World provide consumers with fast and effective advice on a range of issues including computer optimisation, device set-up, software installation, parental control set-up and tuition, security and software installation, back-up services and many others.”

I expressed some reservations about this when the report was introduced in the House of Lords this afternoon by Lord Stephen Carter, saying:

“I note in the report the support for the after-sales services provided by a number of computer retailers, such as the Geek Squad, the Tech Guys and so forth.  Have the Government given any thought to the personnel who visit people in their homes and put things on their computers?  What steps are being taken to ensure that those individuals are quality-assured and regulated in the same way that physical security personnel are regulated by the Security Industry Authority?”

My concern was that at present the individuals who work in such areas are unregulated, there is no agreed qualification standard, and there is no guarantee that they are honest.  Those people who rely on such services to protect or maintain their IT equipment are the least likely individuals to know whether something adverse (such as installing a key-logger) has been done to their systems.

The Minister’s response recognised that there was an issue, although he sidestepped the point about regulation:

“I do not know what checks and balances those operators put in place, but I will do further due diligence to find out. My noble friend raises an interesting question; as people’s domestic IT systems become more and more sophisticated—which they will—the level of complexity, and therefore the level of security and trust that people will want to have with the providers of those services, will only increase. My view is that it will be four or five years before we have a sort of AA or RAC of the IT world providing that level of assistance at scale for many homes. It is an intriguing question.”

The issue may well be worth pursuing ….

Digital Britain report promises a national Cyber Security Strategy

The “Digital Britain” report, published today has an excellent section on “Digital Security and Safety”.  The report makes it clear that there will definitely be a national Cyber Security Strategy, something I have been calling for for some time, when it says:
“The UK’s National Security Strategy describes how ‘cyber security’ cuts across almost all the national security challenges that it identifies, and the need to address them in a coherent way. To this end, the Government is developing a Cyber Security Strategy to build a safe, secure and resilient cyber space for the UK, through both the beneficial exploitation of cyber space and the reduction of risks posed by those who seek to do the UK harm: the forthcoming Cyber Security Strategy will set out how the Government intends to approach this task.”

This is an extremely welcome development.  When Lord Stephen Carter made his statement introducing the report in the House of Lords this afternoon, I asked him when the Strategy might be issued and he said he hoped it would be ready by the end of July.

A new Cyber Security Agency?

According to David Hencke (so it must be true) in today’s Guardian, the Government is planning to establish a new Cyber Security Agency and this will be announced in a wide-ranging statement, updating the National Security Strategy.

Last month I pointed out the radical approach being taken by the Obama Administration in the United States towards tackling the cyber threat.  As I told David Hencke, it will be welcome if the UK is now going to do something similar. 

However, whatever is proposed will have to be adequately resourced and will need to be properly linked to the national Police E-crime Unit and also to the national security apparatus.

Peter Mandelson’s “reach” stretches right across Government

When I arrived in Parliament today, a friend pressed into my hand an organisational diagram showing the Ministerial appointments in the new Department for Business, Innovation and Skills (it’s DaBiz!).  My noble friend, Lord Peter Mandelson, who is now First Secretary of State (ie Deputy Prime Minister in all but name), Lord President of the Council, and Secretary of State for Business, Innovation and Skills, rules over a Department with ELEVEN Ministers – an unprecedented number – the size of many nineteenth century Cabinets. 

Of the eleven, a majority (six) are unelected and members of the House of Lords (and that excludes Sir (soon to be Lord??) Alan Sugar, who is “an advisor” not a Minister (so why does he need a peerage?)). 

More significantly, five of the Ministers are also holding posts in other Government Departments: Foreign and Commonwealth Office; Ministry of Defence; Department of Children, Schools and Families; Department of Communities and Local Government; and the Department of Culture, Media and Sport. 

This gives the First Secretary of State what has been described to me as a “tentacular” reach into most of the rest of the Government. 

And, of course, as Lord President he presides over meetings of the Privy Council. 

Not bad for a former Lambeth Councillor. 

There is nothing that a few years as a member of a London Borough Council does not equip you to do …..

How quickly would the UK “Men in Black” respond if their “secure” connection was cut?

Thanks to Faber Brent Security, my attention has been drawn to an article in the Washington Post, describing how, when men working underground on the Washington Metro accidentally sliced through a cable, within a matter of minutes three black SUVs appeared and a number of very serious men got out demanding to know what had happened to their secure connection! There is nothing out of the ordinary in a cable being cut – unfortunately it happens all too often. But usually the problem is finding out what the cable that has been cut actually does. In this instance, however, the mysterious men in the black SUVs took over extremely quickly!

If something similar happened in the UK, I wonder what the equivalent response time would be? Do the key parts of our critical national infrastructure even know where the critical cables are?

President Obama to appoint a “Cyber Tsar” – when will the UK get an equivalent?

I have already commented on how the Obama administration takes the cyber threat seriously.  Now there is more evidence.  While it is not yet clear what the substance will be in this latest announcement – it may be no more than recreating a role that existed under President Clinton – there is no doubt that President Obama is taking the whole issue much more seriously than the UK Government.

Given the abundant evidence of an increasing threat to the critical national infrastructure from cyber attacks – whether from teenage delinquent-type cyber-nerds, organised crime, foreign governments or terrorists – the response in the UK has so far been extremely limited.  Yes, money was eventually found to support a national Police E-Crime Unit based at New Scotland Yard, and yes, the Centre for the Protection of the National Infrastructure now at least acknowledges that the cyber-threat is an issue.  However, this falls a long way short of a coherent strategy to protect the UK’s interests.

How many Earls does it take to change ……………… the mind of the Department for Transport

I have just introduced a short debate in the Moses Room (Grand Committees in the House of Lords take place in a room known as the Moses Room as there is a large fresco called ‘Moses bringing down the Tables of the Law from Mount Sinai’ there) on the possible use of the Segway Personal Transporter in the UK.  My interest in this was fired by seeing a demonstration of a Segway in use and hearing of the use made of them by some 1000 police and law enforcement agencies around the world.

The police experience elsewhere has found a series of benefits: they can easily be integrated into patrolling, they cut down response times, they provide a better line of sight for officers (because the officer is on a platform 40-50cm above the ground), and they improve engagement between the police and the public (compared with officers in a car).

They are also of use for other specialised purposes.  For example, BAA deploy them at Heathrow and find that they speed up response times in the event of an incident or equipment breakdown and provide an efficient way of patrolling and doing routine maintenance tests.  A number of UK local authorities are also interested in deploying them in parks, city centre precincts, routine maintenance patrols and even for parking enforcement.

Finally, if made available for general use, there is evidence from a major study in Canada that a high proportion (62%) of car users would be keen to give up their cars for many short journeys – with a considerable saving in carbon emissions and congestion.

Most other countries permit their use.  In the UK, however, the Department for Transport is adamant that existing legislation does not permit their use on roads, on cycle routes or on pavements.  Moreover, there are – it is claimed – no powers that would even permit a trial to take place. (I am not convinced of this.  As a non-lawyer, Section 44 of the Road Traffic Act 1988 seems to me to permit the appropriate exemptions to be made.)

Andrew Adonis, the Lords Transport Minister, stonewalled elegantly on behalf of the Department.  However, he did agree to try one out himself (although he insisted that I do so as well) and offered me a meeting with his Departmental colleague, Jim Fitzpatrick MP.

What was noticeable was the make-up of the discussion.  As Andrew pointed out, he and I, “as the representatives of the Proletarian Party were the only mere Life Barons present”.  The other speakers were the Earls Attlee (grandson of Clement, but now speaking on behalf of the Conservative front-bench), Liverpool (also a Conservative and descendant of another former Prime Minister – a Tory this time) and Erroll (a cross-bencher who is also the hereditary Lord High Constable of Scotland), and Viscount Falkland (speaking for the Liberal Democrats).  The Earl of Glasgow (another Liberal Democrat, who had originally wanted to speak as well) also sat in for most of the debate.  When Earl Attlee expressed his sympathy to Viscount Falkland that he was only a Viscount, Lord Falkland hastened to point out that he was, in fact, also an Earl, but as it was a Jacobite creation it didn’t count.  All in all, five of the ninety-two remaining hereditary peers still sitting in the Lords were present.  I am not sure what it means, but it certainly felt strange.

The US Government takes seriously the need to protect the US infrastructure against cyber-attacks – do we do likewise?

According to an article in The Wall Street Journal last week (sorry, I’ve only just seen it), the US electricity grid and other key parts of the critical national infrastructure have been the subject of cyber-attacks and there are real concerns about those behind the attacks being able to disrupt or even take control of the systems that have been penetrated as a result of the trojans left behind.  Apparently, many of the attacks were not detected by the infrastructure provider’s own security systems.  So seriously is the threat viewed and so widespread is it, that Congress approved funding for a $17 billion programme to combat it and minimise the risk to the critical national infrastructure.  And in the last couple of weeks, Democratic Senators have introduced a proposal that would require all critical infrastructure companies to meet new cyber-security standards and grant the President emergency powers over the electricity grid and other infrastructure systems.

So if the threat is viewed so seriously in the United States, do we have the same concerns in this country?  The answer is we certainly ought to be as worried.  My understanding is that UK systems have been similarly attacked, but I have real doubts whether our detection systems are as good or as thorough as those deployed in the USA.  Moreover, we do not have sufficient controls over infrastructure providers to require the highest possible standards from them.  We believe in “light-touch regulation” so in many instances all the UK authorities can do is try to use moral persuasion to get infrastructure companies to instal the best systems of security.  What regulatory systems there are are geared to ensuring competition and to the economic regulation of the market, rather than to protecting national security.  So we ought not to be worried, we ought to be very worried.