4 Mar 2014 : Column 775

Jonathan Reynolds (Stalybridge and Hyde) (Lab/Co-op): Further to the Foreign Secretary’s comments about energy security, the United Kingdom thankfully receives only a limited supply of Russian gas, but other European countries, particularly Germany, have considerable exposure, with consequences for the rest of Europe. What discussions has the Foreign Secretary had with his European Union counterparts about ensuring the security of European energy supply, so that this does not end up limiting our ability to take action against Russia?

Mr Hague: The hon. Gentleman has raised a very important issue, but it is an issue for the medium to longer term. We are doing important things now to diversify energy supplies to Europe. I have already mentioned the new pipeline through Azerbaijan, whose construction we inaugurated in December. That pipeline, however, will take several years to construct.

Although this is, as I have said, a medium to long-term issue, I think that what has just happened will be a sharp reminder to everyone in Europe and in this country that it is also an important issue, and that dealing with it will become one of the important foreign policy and security considerations over the next few years.

Mark Pritchard (The Wrekin) (Con): This is a real test for the United States and, indeed, for the Obama Administration, but it is also a test for the European Union. What discussions has the Foreign Secretary had with his German counterpart? He has used the word “united” numerous times during his statement and in his replies. Are the Germans part of that united effort? Of course, other members of the international community are looking on to see whether there is unity and whether there is resoluteness, not least in Beijing, which has its own aspirations in different parts of the world?

Mr Hague: My hon. Friend has made a good point about European unity and the role of Germany in that. I have very regular discussions with my German counterpart, Minister Steinmeier—indeed, I had a discussion with him at the weekend— and the Minister for Europe was with him at the Foreign Affairs Council yesterday. The Prime Minister spoke to Chancellor Merkel last night, having also had discussions with her when she was here last Thursday. We will be working closely with Germany, and we will be working for a clear, united position at the European Council on Thursday.

Mr Brian H. Donohoe (Central Ayrshire) (Lab): Is not part of the explanation for the action taken that Putin and his Government are seriously concerned that the same thing might happen in Russia as has happened in Ukraine, where people power has taken over?

Mr Hague: As with many countries, Russian foreign policy is partly determined by domestic pressures, and what happened 10 days ago in Ukraine was a major reverse for Russian foreign policy. In many ways, many would have thought it a humiliation. There are many explanations of why Russia has chosen to take the action it has, and one is that it is an attempt to alleviate, including in domestic opinion, that humiliation of the flight of Yanukovych from Kiev.

Mr Andrew Tyrie (Chichester) (Con): This is nothing less than a land grab and the biggest strategic shock on the continent for decades. If Putin gets away with this,

4 Mar 2014 : Column 776

sooner or later more trouble will follow in central and eastern Europe. Does the Secretary of State agree that the west now needs to unify around a much more robust response than we have seen so far, and that in support of it the UK should demonstrate that it is actively considering all forms of economic sanctions?

Mr Hague: I can assure my hon. Friend that we are actively considering a wide range of options, and I have not ruled out any options in my responses to questions, as I am sure he will have noticed. Clearly, I think the response we have made so far is correct. We have emphasised the need for new diplomatic openings as well as for there to be costs and consequences from this Russian action, but in the absence of a change of policy from Russia we will, of course, have to move on to making sure those costs and consequences ensue.

Gemma Doyle (West Dunbartonshire) (Lab/Co-op): The right hon. Gentleman mentioned arms export licences earlier. In considering what sanctions may be used against Russia, has he had any discussions with his colleagues in the Ministry of Defence about the forthcoming military and technical co-operation agreement, which I understand is due to be signed in the next few weeks?

Mr Hague: The hon. Lady is right that we have been due to agree to sign a military and technical co-operation agreement with Russia in the near future. Clearly, in the current situation the chances of our doing that are rather reduced, to put it mildly, but we have not made a formal decision about that. We are certainly reviewing that, and we will decide about it in conjunction with any other measures we choose to adopt.

Mr Peter Bone (Wellingborough) (Con): Russia may well be trying to repeat in Crimea what it has been allowed to do in Moldova. Why should the Russians fear that the international community will act differently from how it acted over Moldova?

Mr Hague: My hon. Friend is right that, as I have said in answer to earlier questions, there are parallels with Transnistria, and, indeed, with Abkhazia and South Ossetia, which are part of Georgia. Russia has certainly been able to live with any consequences of those actions in the past. This is a repetition of that, but on an even greater scale, so there must be costs and consequences in response, to deter the repetition of such events in future.

John Woodcock (Barrow and Furness) (Lab/Co-op): But what are the other costs and consequences that the Secretary of State is actively considering? He has mentioned visa restrictions, but surely just restricting a few people from entering is not sufficient to meet the bar of significant costs, given how much Russia clearly feels it has to gain from its current actions in Ukraine? Will he say what else is actively on the table?

Mr Hague: No—to be consistent with all the answers I have given before. The European Union has referred to targeted measures and I have referred to well judged, well targeted legal measures. I have not excluded anything. Many hon. Members have made interesting proposals during the course of this statement, but I stressed before that when we take such measures it is important

4 Mar 2014 : Column 777

for there to be unity on them, as well as for them to be well judged and well targeted. That means we must work on them together in the European Union, and that is what we are doing now.

Dan Byles (North Warwickshire) (Con): Why does my right hon. Friend believe President Putin feels that he will get away with this? What are we and the rest of the free world doing wrong if Putin believes he can act with impunity, as he clearly does?

Mr Hague: As I said to my hon. Friend the Member for Wellingborough (Mr Bone), there have been previous Russian actions in Georgia and Moldova which might be considered a model for this action, and Russia has not felt sharp consequences as a result of them. That is no doubt an emboldening factor, but I think Russian policy has also been driven by the imperative I referred to a few moments ago of trying to alleviate, or reverse in some way, the major setback for Russian foreign policy that took place only 10 days ago in Ukraine, and also possibly by the desire—which I referred to much earlier—permanently to impair the free and democratic operation of Ukraine and its Euro-Atlantic aspirations. There is a mixture of motives, and I entirely accept that it is important that we raise the penalties and consequences for acting on those motives.

Mark Lazarowicz (Edinburgh North and Leith) (Lab/Co-op): Even if Russia will not agree at this stage to having international monitors in the areas under its control, if the Ukrainian Government agree, is there not a case for a rapid deployment of international monitors to other areas of Ukraine, particularly those where there is potential conflict? That may well deter further incursion by Russia and those aligned with it, and will also allow the truth of what is happening to come out.

Mr Hague: Yes, there is. That is a very important point and it is one of the things we are pursuing at the OSCE. We hope the United Nations representatives will also discuss it in Ukraine. We will continue to pursue that point.

Mr Dominic Raab (Esher and Walton) (Con): Two years ago this week the House unanimously endorsed the principle of the Magnitsky sanctions, which are visa bans and asset freezes on those responsible for crimes against humanity in Russia but also beyond. In light of the situation in Ukraine, may I urge my right hon. Friend to look closely at the Magnitsky model of targeted sanctions for those responsible for ordering the military incursions into Ukraine, a clear violation of the cardinal rule of international law?

Mr Hague: My hon. Friend has consistently pursued this matter over a long time and he has heard the previous answers of my right hon. Friend the Minister for Europe about it. We already have the power to refuse entry to the UK to people who we believe are guilty of serious human rights violations, but I say again that I am not excluding any options on what we might decide to do in this situation.

Gavin Williamson (South Staffordshire) (Con): With all that is unfolding in Ukraine, there is great concern in

4 Mar 2014 : Column 778

nations such as Latvia, Lithuania, Estonia and Poland about their future. What reassurance is my right hon. Friend giving our NATO partners that we stand shoulder to shoulder with them in the defence of their sovereignty and independence?

Mr Hague: I think they know we do. Those countries are very important members of NATO. I mentioned earlier our strong commitment to NATO, including maintaining the strongest armed forces in Europe all round, but it will be important for other countries across NATO to strengthen their own military budgets and defences over the coming years. I have advocated that for a long time, and I think that would be of additional assurance to them.

Conor Burns (Bournemouth West) (Con): President Putin has shown very clearly that under his leadership Russia will not respect the border and the sovereignty of a friendly neighbour. As a president who prides himself on advancing Russia’s self-interest, should he not be profoundly alarmed by the market reaction to that action? Regardless of what individual nation states or the European Union decide, will not many businesses across the world be looking at this and asking how, if Russia can act so cavalierly on something so big, they can invest in Russia?

Mr Hague: My hon. Friend makes an important point. I think Russia has underestimated the longer-term consequences of the action it has taken, because there is an important read-across to upholding international law on other issues. The reaction of the world over the long term will tend to diminish the influence of Russia in the world. This will also, of course, shed new light on Russia’s insistence on sovereignty in other international disputes. It will have very far-reaching consequences, and I do not think they have yet been fully appreciated in Moscow.

Jason McCartney (Colne Valley) (Con): Huddersfield has a vibrant Ukrainian community, which I know is very concerned about family and loved ones across the whole of Ukraine. The attention in the past few days has been on Crimea, but what assessment does my right hon. Friend make of the civil unrest across the rest of the country in cities such as Kharkiv and Dnipropetrovsk?

Mr Hague: The situation in those cities and areas is an important consideration, too. New governors have been appointed in some of those areas, and they have been drawn from those areas. The acting President of Ukraine has told me of the care he has taken to do that, so that there is an inclusive approach to regional and local government. There have been disturbances in some of those cities, although, as other hon. Members have said, there is some evidence that those have been planned externally—we do not have any proof of that, but there is some evidence of it. I hope that calm will return to those parts of Ukraine.

Christopher Pincher (Tamworth) (Con): I wish to pursue the question from the hon. Member for Newcastle-under-Lyme (Paul Farrelly). Should the people of Crimea and elsewhere in Ukraine seek a plebiscite to determine their sovereign future, what concrete support can the

4 Mar 2014 : Column 779

British Government give to ensure that such plebiscites are conducted freely and fairly, and not down the barrel of a Russian gun?

Mr Hague: We cannot give much assistance if a plebiscite takes place in an area entirely controlled by the Russian military—clearly we will not be able to give any such guarantees. It would be far better for such plebiscites or referendums to be held under the Ukrainian constitution, with international observers, exactly in the way that my hon. Friend has described. The referendum currently planned for Crimea on 30 March, under the eyes or guns of the Russian military, is not one to which we could give that same level of assistance.

Henry Smith (Crawley) (Con): May I seek clarification from the Foreign Secretary that in the event of there being a legally and freely constituted referendum on sovereignty in Crimea, under the Ukrainian constitution, the Budapest memorandum of 1994 would not be an impediment to it?

Mr Hague: My hon. Friend puts big ifs into his question, because the situation at the moment is not at all the one he describes; the referendum proposed for Crimea is not properly and legally constituted under the Ukrainian constitution. So we are a long way from that situation but, as he knows, the UK will always try to respect democracy and the principles of human rights that we believe in, which so often include self-determination, whenever they are truly, freely and legally expressed.

Mr Tobias Ellwood (Bournemouth East) (Con): I welcome the statement, but the interest, complexity and severity of this crisis justify not only a statement, but a full debate in the House on the matter. As a soldier, I had to study the Geneva conventions and the Hague regulations, which both state that combatants must wear a

“fixed distinctive emblem recognizable at a distance”.

Does the Secretary of State agree that Russia must abide by the Geneva conventions in order to avoid incorrect or confused targeting or engagement, with the possibility of igniting a more serious and deadly conflict?

Mr Hague: My hon. Friend makes a crucial point; despite having one of the last questions he has managed to make a new and pertinent point. There are reasons

4 Mar 2014 : Column 780

why soldiers should wear the insignia of their country, and the most terrible misunderstandings can occur without that. So he is right about that. On the subject of a debate, the Leader of the House is not in his place but I am sure that he is always aware of such requests and he will have heard that particular one.

Mr Robert Buckland (South Swindon) (Con): Does my right hon. Friend agree that Russia’s provocative warmongering exposes its long-term weakness and will serve to drive more and more Ukrainians to the ineluctable conclusion that their future lies with the west? Rather than being frightened of that, should we not warmly welcome Ukraine as a potential ally within the institutions of Europe?

Mr Hague: So far as I could see yesterday, the effect of the Russian intervention has been to solidify the determination among Ukrainians about their own independence, including among leading figures in the Party of Regions, which usually represents the east and south of Ukraine. My hon. Friend is also right to say that this action is born of weakness rather than strength. As I was arguing a few minutes ago, it is a response to a major reverse and an effort to alleviate that. The people of Ukraine will be all the more determined to pursue their own sovereign rights, including closer association with the European Union.

Mr Andrew Turner (Isle of Wight) (Con) rose—

Mr Speaker: The prize for patience today goes to the hon. Member for Isle of Wight (Mr Turner), who has stayed in the Chamber for an hour and a half without any indication of frustration or irascibility at hearing his colleagues. We are grateful to him.

Mr Turner: That is very kind, Mr Speaker. How long will it take for Ukraine to become a member of the EU, assuming that is what it wants? Should Ukraine not prefer trade with all its neighbours?

Mr Hague: I hope that Ukraine will be able to trade with all its neighbours, including Russia. European Union membership is not what is on offer to Ukraine—that is not what is being discussed or debated. Association with the EU and a deep and comprehensive free trade area with the EU are the things on offer. Any possibility of EU membership is too distant to be a realistic possibility in the foreseeable future.

4 Mar 2014 : Column 781

Point of Order

2.7 pm

Grahame M. Morris (Easington) (Lab): On a point of order, Mr Speaker. On 5 November, in a Westminster Hall debate, the Under-Secretary of State for Health, the hon. Member for Central Suffolk and North Ipswich (Dr Poulter) stated unequivocally that hepatitis C is not a curable condition. It has been drawn to my attention by the Hepatitis C Trust and a number of others that the Minister may have inadvertently misled Parliament, because with current treatments the cure rates are about 70%—or even higher, according to the NHS Choices website. Hepatitis C is a hugely overlooked and under-diagnosed condition, and I seek your guidance, Mr Speaker, on how we can have the record corrected so that the public are not misled by the Minister’s comments.

Mr Speaker: I am grateful to the hon. Gentleman for his point of order. My response to him, a persistent fellow, is twofold. First, all Members have responsibility for the veracity of the statements they make in the Chamber. In the event that an error is made, it is incumbent upon the Member, be they a Back Bencher or a Front Bencher, a Minister or an Opposition Member, to correct the record. Secondly, on the strength of what I have heard, and I use those words advisedly, it seems to me that this is, in essence, a matter of political debate.

Grahame M. Morris indicated dissent.

Mr Speaker: I am weighing my words carefully, notwithstanding the evident frustration of the hon. Gentleman, and it is not obvious to me that there is a role for the Chair here. He asks my advice and my advice to him is that he should be persistent—I am not sure he needs this advice—and repetitive. Doubtless he will find other opportunities to raise his point, courtesy of the use of the Order Paper. He has been doing it for the past nearly four years and there is no reason to suppose that he will change the habits of what, thus far, has been his parliamentary lifetime.

4 Mar 2014 : Column 782

Sale of Tickets (Sporting and Cultural Events)

Motion for leave to bring in a Bill (Standing Order No. 23)

2.9 pm

Nick Smith (Blaenau Gwent) (Lab): I beg to move,

That leave be given to bring in a Bill to regulate the selling of tickets for certain sporting and cultural events; and for connected purposes.

The Bill I am proposing today speaks to anyone who has loved something enough to want to see it live. For me, that is rugby. In 2015, this country will host the rugby world cup, one of the premier events in the sporting calendar. On the field, our teams will be doing their best to bring the cup to these shores, but who will be cheering them on from the stands? In an ideal world, the most committed fans will be rewarded with a chance to see a once-in-a-lifetime event—Wales becoming rugby world cup champions.

Many fans will be forced to pay sky-high prices in a rigged secondary market. I used to believe that ticket buying was a fair lottery where a quick phone call or a mouse click would give someone the chance to see their heroes. Unfortunately, all too often the true fans do not stand a chance. The touts have evolved from blokes in sheepskin jackets lurking outside stadiums trying to sell spare tickets to sophisticated people, harvesting thousands of tickets just seconds after they go on sale. These people have been described as power sellers. Using multiple credit cards and sometimes computer programmes called “botnets”, they are able to make thousands of attempts to get tickets each second, manipulating the market and claiming large pools of tickets.

This is a story that has been repeated across the country. Monty Python fans discovered that just three months ago. The much-anticipated comeback show sold out in 43.5 seconds. In 2012, the Rolling Stones attacked secondary sites after sky-high prices—up to £1,300 a ticket—meant that their 50th anniversary tour was littered with empty seats. Even the Chelsea Flower Show is not immune. Prince Harry’s attendance in 2013 saw record ticket sales, with £22 tickets going for as much as £466.

This Bill calls for two things. The rugby world cup should be designated an event of national significance, and it should be illegal to resell tickets for profit. For all other events, there should be a cap on the amount for which a ticket can be resold. We are letting down the fans by not giving them a chance of a fair deal. We must call time out, and stop new internet spivs fleecing honest fans.

To see what sort of prices the secondary sites command, I took a look at the prices for a rugby world cup game that I will be watching with great interest—Wales’ victory over England. Tickets are not even on sale yet, although the organisers have said that they will range from £75 for the cheaper seats to £315. However, a quick search on Google turned up a range of prominent secondary sites already offering tickets at prices ranging from £920 to £1,725. That kind of ticket touting is parasitic. It leeches off fans who are desperate to see their heroes and organisations that are charging fair prices.

4 Mar 2014 : Column 783

The Rugby Football Union tells me that it puts every penny earned back into the game. It has ambitions to grow the sport as part of the rugby world cup legacy, just as the Olympics inspired our next generation of superstars. However, these grossly inflated ticket prices will not result in a single extra ball for a school's kit bag.

I have heard the argument that resales do not cost the event organisers a penny, as they have already earned the face value of the ticket. That could not be further from the truth. Kilimanjaro Live, an events promotion company, estimates its costs of policing resale of tickets to be more than £100,000 a year. The National Theatre spends tens of thousands a year, as does the RFU. The misleading nature of online ticket touting means that many people buy tickets believing that they are coming from fellow fans. The first web page they come to may be a secondary sales site and the uninitiated could believe that they are buying from the only outlet or paying a fair price, when really they are being ripped off. Unfortunately, despite evidence of touting in the secondary market, the Government refuse to designate the rugby world cup 2015 as a competition of national significance as was done for the 2012 Olympic and Paralympic games.

Designating the games in such a way would make it illegal to resell tickets for the tournament. It is urgent that the Government act to protect genuine rugby fans from being exploited by online rip-off merchants. Tickets for the rugby world cup 2015 will be sent to rugby clubs in May and go on general sale this autumn. Even at this late stage, if the Government were to bring forward legislation to make the rugby world cup an event of national significance, Labour would give them their support.

Before I finish I would like to place on the record my thanks to my hon. Friend the Member for Washington and Sunderland West (Mrs Hodgson) and other colleagues in the all-party group on ticket abuse who are showing important leadership on consumer rights. Our concerns include the business practices by companies such as Viagogo. Just last night I pressed it on its supply of tickets from the power sellers and the public selling tickets they cannot use. Answer came there none. We are also concerned that the secondary market and its exorbitant prices are the only game in town thanks to mass ticket touting, and that there are links to organised crime as identified by police Operation Podium.

Like my hon. Friend, I believe we can only address the industrial ripping off of consumers with regulation. To deal with the power sellers, resale prices should be capped at say 10% or 20% of face value. Although that needs further discussion, our overall objective must be fairness to fans.

Fans need to know that they can buy a ticket in confidence without being gouged financially. When it comes to nationally significant events such as the rugby world cup, fans also need to know that if they cannot attend the event, they can sell their ticket back to the organisers and recoup the cost. The Bill would not stifle the right of the genuine fan to buy and sell tickets for most events at a fair price when they can no longer attend. Instead, real fans would get back the first-come, first-served fairness of buying direct. They would be protected from

4 Mar 2014 : Column 784

internet chicanery that is crowding them out and ripping them off. We need to end the market manipulation of sporting and cultural events in this country.

2.17 pm

Philip Davies (Shipley) (Con): I rise to oppose the Bill not just because of the delusional prediction that the hon. Member for Blaenau Gwent (Nick Smith) made about the forthcoming match between England and Wales but because of the nature of the Bill itself. I suggest that the hon. Gentleman starts by looking at the report, which was produced in the last Parliament, of the Culture, Media and Sport Committee of which I was, and happily remain, a member. It found that the secondary ticketing market was perfectly legitimate. Furthermore, the Office of Fair Trading also concluded that the secondary ticket market worked in the interest of the consumer.

The hon. Gentleman might want to consider the evidence given to our Select Committee by the right hon. Member for Barking (Margaret Hodge) when she was a Member of the previous Labour Government. She gave a particularly robust defence of the secondary market and why Labour did not want to interfere in it. He would be wise to read her evidence because it was compelling.

One misapprehension is that ticket touts and people in the secondary market are guaranteed to make a substantial profit, but that simply is not the case. For example, 50% of tickets sold on Viagogo are sold at face value or below and people can make a loss. As far as I am concerned, this is a matter of clear principle. If someone buys a ticket, that ticket belongs to them and they should be able to do what they please with it, just as they should with any other commodity that they buy. For argument’s sake, there are times on the high street when designer handbags come out in a limited edition. Some 30 or 40 may be available. It is first come, first served. People rush to the shops to snatch one. They then immediately put them on eBay to make a massive profit. I do not see what the difference is between that and selling on a ticket at an inflated price if demand outstrips supply.

That also happens with toys. One Christmas, Buzz Lightyear was an especially popular toy, so people bought the limited stock and immediately sold the toys on eBay at a huge profit. I do not understand why tickets should be treated differently, but perhaps the hon. Gentleman wants to restrict people’s ability to resell any commodity above the price that they paid for it.

The hon. Gentleman fairly made the point—he then disagreed with it—that a promoter or organiser does not lose anything as a result of the secondary ticketing market. If a promoter puts on an event for which there are 50,000 tickets and charges £20 for each, they have decided that they want to realise £1 million from that event. After all the tickets have sold, that £1 million has been made, so whatever happens subsequently makes no difference to the event’s viability or that promoter. The hon. Gentleman talks about people spending money on policing the secondary market, but I suggest that they do not bother, because they then do not waste money doing so and can realise the amount that they get in the first place.

4 Mar 2014 : Column 785

It is absolutely essential that there is a resale mechanism for tickets for the rugby world cup. The supporters of some of the successful rugby teams, such as the All Blacks, are likely to buy many of the tickets for the final in the expectation that their team will reach it. That might well be the case, but the All Blacks could equally find themselves knocked out in the semi-final, and if that happens, surely it would be in the best interests of the competition for there to be a mechanism through which New Zealand supporters may sell on their tickets to the supporters of the teams that reach the final. If those All Blacks supporters are not allowed to resell their tickets in the way that I would like, we will have the ridiculous situation that the crowd at the final is full of people who do not support either team, yet the people who want the tickets cannot buy them.

The hon. Gentleman talked about real fans, but I am not sure what the definition of a “real fan” is. I suggest, Madam Deputy Speaker, that if someone is prepared to pay £1,200, £1,500 or £2,000 for a ticket, you can bet your bottom dollar that they are a real fan. I do not understand the suggestion that selling tickets at inflated prices stops real fans attending events because if people are prepared to pay such prices, the chances are that they are especially keen fans. There is a simple premise that if someone does not want to pay the price that a seller asks, they should not do so. No one forces someone to pay an inflated price for a ticket—it is a free choice. If I decide at the last minute that I want to attend a sold-out event, the secondary market is the only place I can go to access a ticket. I am not sure why the hon. Gentleman wants to remove that choice from people. If I think that the price being asked is too high, I will just walk away and not attend, but at least I will have had a chance to go to that event, although I would have had no such opportunity without the secondary ticketing market.

The hon. Gentleman should be aware that the promoters of many events such as concerts do not offer people a refund if they buy a ticket but then find that they cannot attend. What on earth are such people supposed to do except the perfectly legitimate thing of selling their ticket to someone else?

If event promoters and sports organisers—perhaps the organisers of the rugby world cup—are so concerned about ticket touts and the secondary ticketing market, why do they not do something about it themselves? If they are worried, why do they put all the tickets on sale right from the word, go meaning that they sell out in 43.5 seconds, to use the Monty Python example that the hon. Gentleman cited? Why do they not sell a few tickets each week so that tickets are still available at face value in the week before the game or concert, meaning

4 Mar 2014 : Column 786

that no one would have to pay inflated prices through secondary ticketing? If this is such a big issue for the organisers of events, sporting fixtures and concerts, they could do something about it at the drop of the hat. However, they do not anything about it, which can only lead us to conclude that they are shedding crocodile tears and are actually rather pleased that they can sell all their tickets in 43.5 seconds because that is good for their cash flow and guarantees a sell-out. I do not think that organisers are as bothered about the situation as the hon. Gentleman would have us believe.

It is often said that public opinion favours restricting the secondary ticketing market, but let me share the results of ICM polling with the House. ICM asked people to agree or disagree with the statement:

“If I had a ticket to a sporting event, concert or other event that I could no longer use, then I should be allowed to resell it”—

and 86% agreed. Some 83% of people agreed with the statement:

“Once I’ve bought a ticket it is my property and I should be able to sell it just as I can any other private property.”

Despite such agreement with that premise, the hon. Gentleman argues against it.

I am extremely proud of the fact that when I worked for Asda, before I entered the House, it challenged and overturned the net book agreement, under which publishers set a book’s price and no one could sell it at a different price without the publisher’s agreement. Overturning that agreement has driven down the price of books for consumers throughout the country, but the hon. Gentleman wants a system such as the net book agreement whereby event organisers sell tickets at a particular price and no one can sell them at a different price, which would represent a massive retrograde step for this country’s free market. The Office of Fair Trading concluded that such a system would not work in the best interests of the consumer, but the current arrangements do, as was endorsed by the Culture, Media and Sport Committee. I do not intend to press the motion to a Division, but I hope that the Minister has listened to my objections and that the Government will not go down the route that the hon. Gentleman encourages, which is a rabbit warren that it would be best to avoid.

Question put (Standing Order No. 23) and agreed to.


That Nick Smith, Mrs Sharon Hodgson, Mike Weatherley, Roger Williams, Steve Rotheram, Julie Elliott, Chris Evans, Nic Dakin and Fiona O’Donnell present the Bill.

Nick Smith accordingly presented the Bill.

Bill read the First time; to be read a Second time on Friday 6 June, and to be printed (Bill 177).

4 Mar 2014 : Column 787

Estimates Day

[3rd Allotted Day]

Estimates 2013-14

ministry of Defence

Defence and Cyber-security

[Relevant documents: Sixth Report from the Defence Committee, Session 2012-13, on Defence and Cyber-security, HC 106, and the Government response, HC 719.]

Motion made, and Question proposed,

That, for the year ending with 31 March 2014, for expenditure by the Ministry of Defence:

(1) further resources, not exceeding £1,672,884,000 be authorised for use for current purposes as set out in HC 1006,

(2) the resources authorised for use for capital purposes be reduced by £1,863,070,000 as so set out, and

(3) a further sum, not exceeding £1,400,160,000 be granted to Her Majesty to be issued by the Treasury out of the Consolidated Fund and applied for expenditure on the use of resources authorised by Parliament.—(Mr Evennett.)

2.28 pm

Mr James Arbuthnot (North East Hampshire) (Con): Given how long I have been in this House, I really ought to know whether I should be thanking the Backbench Business Committee, the Government, the Chair of the Liaison Committee or you, Madam Deputy Speaker, for my securing the debate. Just to be on the safe side, I will thank them all, and especially you.

Mr James Gray (North Wiltshire) (Con): I apologise for interrupting my right hon. Friend so early in his speech, but he makes a good point. In the old days, we had regular, sensible defence debates throughout the year, but they are now at the discretion of the Backbench Business Committee, which is a retrograde step.

Mr Arbuthnot: My hon. Friend makes a good point, but it rebounds slightly on the Defence Committee because we have been told that we are responsible for applying for such debates and, I have to confess, we have not done so in recent months, so perhaps we ought to revisit that.

The Defence Committee launched an inquiry into defence and cyber-security in January 2012, as part of a series of debates and inquiries looking into emerging threats. It was the first time the Committee had investigated cyber-security as a discrete topic, although in 2009 we had looked at Georgia and Estonia, and visited Talinn, as part of another inquiry. The UK Government had identified cyber-threats as one of four tier 1 risks to national security, and in November 2013 published a UK cyber-security strategy, updating their 2009 strategy and setting out four objectives: first, to make the UK one of the most secure places in the world to do business in cyberspace; secondly, to make the UK more resilient to cyber-attack and better able to protect our interests in cyberspace; thirdly, to help to shape an open, vibrant and stable cyberspace that supports open societies; and fourthly, to build the UK’s cyber-security knowledge, skills and capability.

4 Mar 2014 : Column 788

The programme is to be implemented via a four-year national cyber-security programme costing £650 million, and the Chancellor of the Exchequer announced an extra £210 million investment after the 2013 spending review. The funding is shared between the security and intelligence agencies, the Ministry of Defence, the Home Office, the Department for Business, Innovation and Skills, the Cabinet Office and the Foreign and Commonwealth Office, but most will be spent by the security and intelligence agencies.

During our inquiry, the Committee investigated whether the high profile given to the cyber-threat in the UK was matched by a coherent plan and a chain of command in the event of a major cyber-attack on our national infrastructure or our national interests. The complexity of the threat must be matched by an agile, many-layered response; accordingly, many different agencies are involved in the cyber-security effort, ranging across cybercrime, cyber-espionage and cyber-commerce. Cyber-security is therefore to some extent everybody’s responsibility, but we must avoid its ending up being nobody’s responsibility as a consequence. Someone has to be in charge.

Thomas Docherty (Dunfermline and West Fife) (Lab): It is good to see so many colleagues here to take part in the debate. If we contrast the approach taken in the United States, where there is a unified structure under CYBERCOM, with the disparate approach taken in the United Kingdom, does the right hon. Gentleman share my concern that we seem to have a number of lessons still to learn?

Mr Arbuthnot: Well, there are pluses and minuses to having a unified structure, and there are risks in having a siloed approach. I said this is the responsibility of everyone, and so it is. I shall explain how wide that responsibility extends.

Mr Tobias Ellwood (Bournemouth East) (Con): Further to that, although a number of Departments have an interest, was my right hon. Friend assured by the MOD—within his sphere of responsibility—that there is a single individual in charge? I understood from reading his Committee’s report that the Joint Forces Commander is currently responsible, but the intention is to have the Chief of Defence Intelligence involved as well, and perhaps to appoint a three-star Defence Chief Information Officer. The report did not make it clear to me where we intend to go. The Americans have a four-star in charge. Is my right hon. Friend convinced that there will be an individual clearly responsible for the MOD’s part of the spectrum?

Mr Arbuthnot: Things have moved on since our Committee reported. There is somebody in overall command and that is my right hon. Friend the Minister for the Armed Forces, who will, I have no doubt, set out precisely how things have moved on when he responds to the debate. That is the purpose of Select Committee reports, and I am pleased about that.

The Committee was particularly concerned that the armed forces are now very dependent on information and communications technology and if those systems suffered a sustained cyber-attack, their ability to operate might be fatally compromised.

4 Mar 2014 : Column 789

Sir Bob Russell (Colchester) (LD): We are talking about cyber-technology, but may I use an old-fashioned phrase in warning of the danger of having all our eggs in one basket?

Mr Arbuthnot: Yes, and I entirely agree. I have discovered a new organisation being set up in Cambridge called the centre for the study of existential risk, which is right up my street. Being a gloomy sort of person, that is precisely the sort of thing I am worried about, and the hon. Gentleman will not be surprised to hear that I am already in deep contact with the centre.

Mr Julian Brazier (Canterbury) (Con): I have heard of that work at the university of Cambridge, too, and I am in favour of it, but may I take my right hon. Friend back to his point on co-ordination? Surely the bottom line of the response to any major threat to this country, whether it is flooding or rioting and so on, is the armed forces. Does he share my concern that there seems to be no mechanism for referring problems in other sectors through to the MOD and, crucially, that there are no rehearsals taking place?

Mr Arbuthnot: I do, and I hope that in answering the debate my right hon. Friend the Minister for the Armed Forces will take that point straight on the chin, because in many respects the armed forces are the resource of last resort, and cyber-security may be an area where the armed forces do not accept that responsibility.

There is a necessary focus within the defence world on securing the systems and networks needed by the MOD and the armed forces from cyber-threats. It is not only contemporary civil society that is utterly dependent on network technology; our armed forces are increasingly reliant on such technology for the tools of warfare, and the next step must be to ensure that the supply chain for those systems and their components is secure. That will require a trusting, transparent relationship between Government and their suppliers, with full disclosure of attacks and possible vulnerabilities, which runs all the way down the supply chain. The UK has world-class expertise and facilities on which to draw, but will the Government be able, in competition with the private sector, to keep enough of that expertise and experience in the service of the state? Are there enough such people to serve both and how should we prioritise?

The announcement by my right hon. Friend the Secretary of State for Defence in September 2013 about the establishment of a joint cyber reserve unit is a significant development, but that will rely on FTSE companies and other, smaller companies releasing key personnel to participate. Will my right hon. Friend the Minister for the Armed Forces tell us what progress has been made? According to the Government, the number of ICT and cyber-security professionals in the UK has not increased in line with the growth of the internet. Are there enough experts in industry willing to join a cyber reserve? Will technology experts—the geeks of our world—fit well within highly regimented military structures, or will a more flexible structure be required to facilitate their work?

John Woodcock (Barrow and Furness) (Lab/Co-op): The right hon. Gentleman is rightly raising just some of the myriad questions about the future in cyberspace.

4 Mar 2014 : Column 790

Does he agree that these questions are so wide-ranging and fluid, given the incredible acceleration in technology, as to pose the question whether in future we should have vari-speed defence and security reviews? On larger items we should look beyond the 10-year horizon, but in cyber, five years is far too long for what is happening.

Mr Arbuthnot: Like my hon. Friend the Member for Canterbury (Mr Brazier), the hon. Gentleman contributes effectively to the Defence Committee and makes an interesting point—one I had not heard before. That is the value of these debates. We will all have to think about that issue.

We must seek to defend ourselves, but we must also, as has been suggested, expect to develop a capability to respond to threats in cyberspace. When doing that, we face some of the same considerations as when developing conventional military capabilities. Where does the balance lie between international collaboration and sovereign capability, for example? What sort of international arrangements will best suit our aims?

My right hon. Friend the Secretary of State also talked about how the UK was developing a full spectrum military cyber-capability, including strike capability. This is an interesting and novel declaration. Everybody knows it has happened but nobody has been prepared before now to announce it. Will this declaration act as a deterrent or will it make the UK a more likely target for hacktivists and foreign states? What about the legal implications of establishing a strike capability for the personnel involved? The necessary rules of engagement for cyber-attack need to be put in place, although of course we will not be told about them.

Some maintain that cyber is just another military domain and that we can expect to do everything in cyberspace that we do in the air, on land or at sea to prevent, deter coerce or intervene. But has the distinctiveness of the cyber domain been fully grasped? It is not clear, for example, that deterrence is a concept that can apply to a domain where there are real difficulties in discovering quickly who has perpetrated an attack and for what purpose, or even that an attack has taken place. Neither is it clear that everyone has grasped how important it is to avoid a silo approach to the cyberworld. It is essential to break down the dividing lines between civilian and military, among Government Departments, between Government and the private sector, and between our country and other countries, and therefore to approach the issue in an holistic way. Paul Dwyer of Mandiant came to brief the Defence Committee and told us that it takes a network to defeat a network.

Perhaps because the threat cannot be neatly categorised, it may be unrealistic to expect a neat categorisation of the responses. Everything we have been told in the UK emphasises that the armed forces have a very limited role, protecting their own systems and developing military cyber-capabilities. For other areas of activity, those in the lead are likely to be based elsewhere, particularly in the intelligence services. That is where the important point made by my hon. Friend the Member for Canterbury comes in.

Mr Gray: My right hon. Friend makes a good point about the threat being so diverse as to be difficult to counter. None the less, the briefing we were given by Mandiant was very interesting: there are a large number

4 Mar 2014 : Column 791

of extremely serious attacks, not by a lot of people but by one or two groups. He even named Unit 61398 of the People’s Liberation Army as one of the main culprits. In other words, it would be reasonably easy for the British Government and the MOD to counter a specific attack such as that.

Mr Arbuthnot: I am sure that my hon. Friend is right in saying that the Government are well aware of where some of these attacks are coming from. I do not agree that it would be relatively easy to counter them, because these threats are developing at a frightening speed, as the hon. Member for Barrow and Furness (John Woodcock) said. The diversity and development of these threats is changing on a second-by-second basis.

I am pleased to say that the Government are taking action to make the UK more resilient to cyber-attacks. It has established a new computer emergency response team in early 2014, CERT-UK, to improve the co-ordination of national cyber-incidents and to share technical information among countries. The Government set up a new cyber-incident response scheme in GCHQ to help organisations recover from a cyber-security attack. They have extended the remit of the Centre for the Protection of National Infrastructure—the CPNI—to work with all organisations that may have a role in protecting the UK’s critical systems and intellectual property. They have agreed with regulators in essential services a set of actions to make sure that important data and systems in our critical national infrastructure continue to be safe and resilient. As I have said, responsibility for cyber-security rests principally with companies and organisations themselves. Government agencies’ roles will be limited by available resources and national priorities.

Ms Gisela Stuart (Birmingham, Edgbaston) (Lab): Does the right hon. Gentleman agree that there is a difficulty in making cyber-security just a defence issue and saying that the issue lies with companies? There is a network of things that need to combine, and we have not yet developed a system to create resilience across the spectrum; there are only chimneys of responsibility.

Mr Arbuthnot: The hon. Lady is quite right. We are groping towards it, but we are not quite there. One of the benefits of this debate, of our report and of the Government’s response is to help us move to a better place.

Mr Ellwood: My right hon. Friend makes an important connection between the business community and state operations. I am concerned that state operations do not have the funds to attract the necessary expertise—geeks, my right hon. Friend called them—when they are in demand in the civilian sector. Banks and so forth pay huge sums of money to make sure they are able to fight off any cyber-security issue. Does he agree with a stance that my hon. Friend the Member for Canterbury (Mr Brazier) might take—that there is a need to make sure that those in the reserve forces who actually have such skill sets through working in businesses can work in the MOD as well?

4 Mar 2014 : Column 792

Mr Arbuthnot: I would have entirely agreed, but the problem may be whether there are enough reserves and enough people with those skills in the country at all. Let us move on towards that.

Sir Gerald Howarth (Aldershot) (Con): To deal with the point made by my hon. Friend the Member for Bournemouth East (Mr Ellwood), that was one of the key factors in the strategic defence and security review of 2010. The then Secretary of State for Defence, my right hon. Friend the Member for North Somerset (Dr Fox), said that we needed to see “up arrows” and “down arrows”. Heavy armour was a down arrow but cyber was an up arrow. Some £500 million was set aside specifically for this purpose, so it has been identified as a serious and important area for investment.

Mr Arbuthnot: Interestingly, the Prime Minister, in giving evidence to the Joint Committee on the National Security Strategy, pointed out that some of the areas had cuts but that this area was one of growth. His regret was that it had not been one of greater growth, and that that change had not been more exaggerated than it was.

I ought to bring my remarks to a close, as others want to speak. Paul Dwyer told the Committee that the willingness of companies to share information about cyber attacks with one another and with the Government is critical to allowing an effective response to be developed and implemented but, while critical, it is far from easy to achieve.

Dr Julian Lewis (New Forest East) (Con): I am a little concerned that my right hon. Friend is bringing his arguments to a close, because he touched on one point that I was rather hoping he would develop. He said that the Committee visited Estonia. For people who, like me, were not part of the Committee’s study, it would be extremely helpful to know in concrete terms a little more about what it discovered on that visit about what a cyber-attack by a hostile neighbour can really mean.

Mr Arbuthnot: The Committee visited Estonia in 2009. It has still not been conclusively established who precisely was responsible for the attacks that took down much of that country’s banking system, although we have our suspicions—they may have been marching around in unmarked uniforms. We discovered that the attack had been comparatively easy to achieve. It was a distributed denial-of-service attack that did real damage. We also discovered the international centre of excellence in Estonia, which at that stage the Government were not contributing towards in dealing with cyber-attacks. I am delighted that they have since decided, perhaps as a result of our incredibly effective report, to contribute to the centre.

Sir Bob Russell: I was biding my time, but the intervention from the hon. Member for New Forest East (Dr Lewis) has prompted me to intervene. Has any evidence yet come forward to suggest that what is going on in Crimea has involved cyber-security breaches either way?

Mr Arbuthnot: If there is evidence of that, I do not yet know of it. All I can say is that before the invasion of Georgia there was an extensive cyber-attack on its computer network that was very similar to the one on Estonia. I suspect that it is now a new method of fighting wars that we must all get used to.

4 Mar 2014 : Column 793

The need to share information is critical, as I have said, and important mechanisms for that exist, such as the cyber-security information sharing partnership, which is now open to companies beyond critical national infrastructure sectors, including small and medium-sized businesses. CISP analysts will be expected to feed into CERT once it is fully operational.

The Committee produced many recommendations, but our final conclusion was that the cyber-threat, like other emerging threats, has the capacity to evolve with almost unimaginable speed and with serious consequences for the nation’s security. The Government need to put in place—they have not yet done so—mechanisms, people, education, skills, thinking and policies that take into account both the opportunities and the vulnerabilities that cyber presents. It is time the Government approached the subject with vigour. I am pleased to see the actions that they have taken since we issued our report. Clearly there is much more to be done—in the cyber world it is a matter of constantly playing catch-up—but I personally have the impression that the Government are, at the very least, joining in the game.

Several hon. Members rose

Madam Deputy Speaker (Mrs Eleanor Laing): Order. It will be obvious to the House that a large number of Members wish to speak this afternoon and that the time available is limited. Rather than imposing a formal time limit, I thought that I might try an experiment. I wish to see whether Members have the ability to be courteous to one another by limiting their speeches to around 10 minutes.

2.54 pm

Mr Dai Havard (Merthyr Tydfil and Rhymney) (Lab): I would first like to say something about the debate. I agree that the Defence Committee is perhaps remiss in not applying for debates more regularly. This debate is taking place on an estimates day. It is a really serious debate that should be taking place in the Chamber in its own right. Our report is now more than 12 months old—it was published in January 2013—which says something about how quickly these things move. The Government published their response in March 2013 and then made a series of announcements last September, but here we are today with the first opportunity to talk about it. That is an issue we need to look at.

I will not repeat what my colleague who chairs the Defence Committee, the right hon. Member for North East Hampshire (Mr Arbuthnot), said about structure, but I would like to say something about structure, about investment—we are talking about money, after all—and about accountability. The statement made in September was very interesting from two points of view. First, it set out a structure for how the Ministry of Defence, along with the Department for Business, Innovation and Skills, the Cabinet Office and others—this cannot be done in isolation—can start to look at its relationship with industry and at protecting itself through its relationships with the rest of the British community. I think that is hugely important.

There is a lot of work being done on achieving proper standards. We took evidence from industry representatives on that, and they were all over the shop, frankly. For example, they did not want standards, or they wanted

4 Mar 2014 : Column 794

their own standards. The question of standards is absolutely at the guts of the whole issue of defining cyber, and not just for the Ministry of Defence. Industry must now have a compliance process with the Ministry of Defence, and I am sure that the Minister will say something about how that is to be done. That is hugely welcome, because it is vital. How we then do that in relation to our allies, NATO, the EU, the French—with our treaty—and others is a big issue that needs proper discussion. We need to have proper compliance and assurance mechanisms, as we do with our “Five Eyes” colleagues and many others, because we are all trying to understand the process.

Most people go to Wikipedia when they do not know much about something, as I did with cyber-warfare, because the announcement in September also mentioned having some sort of offensive capability. Wikipedia states:

“Not to be confused with Electronic warfare… Cyberwarfare refers to politically motivated hacking to conduct sabotage and espionage. It is a form of information warfare sometimes seen as analogous to conventional warfare.”

Well, that is terribly helpful. What we know is that there is no clear definition, either domestically or internationally. We are all fishing for something to help us understand this properly, and we should have some humility in that. However, we recognise its interconnectivity.

Let me turn to the statement on having offensive capability. It was very brave of the UK Government to make that statement. We are the first country to come out and say that. I have spoken with some of our international allies about that, and they say, “Well, that’s a very interesting statement for the Brits to make.” How we actually do that will be a matter for discussion. I am not necessarily against the investment or the capability, but I think that we need to be very clear about what we are saying and how we are going to do things. There will need to be a doctrine and rules of engagement. If we are saying that this is a new domain, I do not think that we can run away from some of these questions. If we do and we keep it too secret, we will lose legitimacy for the activities that we wish to undertake. That is a difficult balancing act, but it is absolutely crucial.

If we are to weaponise the process, how will we do that? There is a lot of talk about countries using the Stuxnet virus in Iran. That was actually delivered physically on a memory stick. The programme then searched out the thing it wanted to destroy or debilitate. It was a hugely expensive exercise. I do not know how much it cost, because I am not supposed to know who did it. Well, we do not know who did it, or we all suspect that we know. Whoever did it, it was not a bunch of amateurs; it was someone who could put substantial investment into it. It turned out to be a one-shot weapon.

If we are to weaponise this area, we must be clear that it will cost money. This sort of activity cannot be done by a boy working in his bedroom to come up with a fancy programme. We will have to invest in the process of weaponisation alongside all the other things we are talking about. How will we procure, what will we do with regard to research and technology, and how will we keep a sovereign capability in these areas? I suspect that those are big questions that Parliament will be discussing for many years to come.

4 Mar 2014 : Column 795

Mr Brazier: The hon. Gentleman is making an interesting speech. Does he agree that the issue is about not only the technical side but the personal side? More medieval fortresses fell through the inside touch than through outside assault. In the high-tech area, as everywhere else, people can be bought or suborned.

Mr Havard: The short answer is yes. The other aspect is who can be engaged to help to do such things. As the hon. Gentleman, who is on the Defence Committee, will know, the structuring of things to ensure a reserve capability is hugely important. The way in which the process is being put together is correct; there will be no monopoly on understanding in the areas we are discussing. We need as good a collaboration as possible. The delivery of the processes will not always be remote. Intelligence and knowing what is happening, where and with whom will be crucial. I shall come to that later.

The other question that comes up is about the law—I mentioned legitimacy earlier. I am helping to lead a sub-study in the Defence Committee of the military and the law. That is coloured, obviously, by Supreme Court decisions, individual cases and all the rest of it. The issue raises questions about international law, humanitarian law, extra-territorial jurisdiction and other things. An argument is being put that says, “We don’t need anything to be separate. This is a different domain, but all the current legal constructs are good enough and we do not need anything different.” I come back to my earlier point. We need to be clear about doctrine. In large part, our doctrine is public. Some, however, may not be as public as we would like, but we need to be clear about how we do things.

Ms Gisela Stuart: We seem to accept that cyber can be not just defensive, but offensive—we can use it offensively. Does my hon. Friend think that our domestic legal structure is sufficient to deal with cyber as an offensive weapon and to contain the power of the Executive to apply that weapon?

Mr Havard: I do not know, but in the sense that I think I do know, I think that our legal structure is not sufficient and needs revision. I may be wrong, but that debate has to take place and people more qualified than I am need to comment.

It is interesting to note where our allies are. The United States has and has not made all sorts of declarations. If we believe The New York Times, there was a secret legal review that concluded:

“US military forces could legally launch an attack on digital infrastructure located in a foreign country if it found evidence of a threat against its own systems”.

A rules of engagement debate then starts. That is the other difficult bit—we will have to have rules of engagement for such activity. The more we discuss legitimacy in law for these things, the better. If we do not have such a discussion, the issue will be forced on us. That is what we are seeing now in a lot of other areas, so we should structure how we wish to have the debate rather than having a structure imposed on us.

Proportionality is at the guts of the whole business of international law, human rights and legitimacy. We have to show that proportionality is there and that we have mechanisms and systems to ensure that it is. Simply claiming that it is there will not be good enough.

4 Mar 2014 : Column 796

We are not on our own. We need to be joined up not only internally within the United Kingdom, but internationally. We do not have time to go fully into this now, but it is interesting to see Russia’s current adventures in Ukraine. In September 2011, Russia and China said to a UN group that they wanted a code of conduct for cyberspace that would include requirements for co-operation in

“curbing dissemination of information which incites terrorism, secessionism, extremism or undermines other countries’ political, economic and social stability, as well as their spiritual and cultural environment”.

Well, there we are—now we know. Translating that into current events will tell us a lot. That proposed code of conduct was about closing things down and giving legitimacy to the avoidance of dissent and to having systems that are less rather than more open. How we collaborate in this area will be important.

When he was Secretary of Defence in America, Bob Gates said that he could protect .mil, .gov, .org or .com, but that as the protection systems were put in, the public might not like what they saw on .com. That debate is not only to do with defence, but defence has a place in it. Whether there should be a code of conduct and the international arrangements are problematic issues, but there is a growing urgency around them.

At the end of the day, the issue can be about the collection of raw information and the sending of viruses to blow up particular equipment. That is the geeky stuff—the weaponisation and the sexy stuff that the press love. However, at the end of the day, those and other actions are only as good as the intelligence that exists to put them into effect. One area of investment that must not be lost in the question of cyber-issues is defence intelligence. In my opinion, we have the best intelligence analysts and they need to be developed.

We can collect the raw information, but if we do not understand it we will go nowhere with it and make the wrong decision. Investment discussions should please not just be about technical toys, GCHQ and all the stuff about weapons; they should also be about intelligence analysts. Let us protect the capability. The issue is about a whole force, but also about a whole community. Those people are vital in that community and investment also needs to go to them.

3.6 pm

Jack Lopresti (Filton and Bradley Stoke) (Con): I welcome the chance to debate the UK’s cyber-security defence. Cyber-security is a particularly wide-ranging subject and cyber-attacks are a growing threat. Without stating the obvious, a cyber-attack could impact on everyone’s lives in many ways. We are now all very reliant on technology and the internet; without our mobile phones or when our e-mail goes down, we almost cease to function.

A major cyber-attack on any of this country’s main utilities, such as transport, energy or the banking system, would cause chaos. It would be, at the very least, very bad for the economy; it could, in the worst-case scenario—if we did not have the means to transport food and fuel, for example—cause social breakdown in a short time. South Korea, for instance, has suffered huge jamming attacks, launched by North Korea, against its GPS systems. They affected major airports and shipping

4 Mar 2014 : Column 797

lanes. The travel of more than 1,000 ships and 250 planes was disrupted by North Korean jamming attacks in 2012.

Cyber-security needs to protect us against many threats: criminals attacking personal data, small-scale political activists—or hacktivists, as somebody said earlier—and state-sponsored hostilities. The Government’s cyber-security strategy is along the right lines and has led to the national cyber-security programme, which has clear objectives.

Cyberspace is often compared to the wild west and thought by some to be beyond the rule of law. However, our Government have made it clear that it is not and they have encouraged law enforcement teams to use the existing legal framework to prosecute. When cyber-crime emanates from overseas, the Government are working with the G8, the United Nations, NATO and the European Union to help shape the standards and norms of behaviour for cyberspace. Obviously, the solutions have not all yet been found but the discussions are ongoing and the work is slowly evolving. I am pleased that the work has started in earnest.

Part of the solution is a normal, sensible protocol for cyber-security on the domestic agenda and it can be addressed through simple best practice. There is a knowledge gap and the Government are addressing it in the long term via the development of education in cyber-security: teaching materials on cyber-security are being produced for GCSE and A-level students. Academic centres for cyber-security have been set up in 11 universities. Investment in education are far-sighted and will position the UK with experts in the cyber-security arena.

The Government have also gone some way to engaging with industry by setting up the Cyber-Security Information Sharing Partnership. Furthermore, the Centre for the Protection of National Infrastructure, or CPNI, is working with businesses to encourage them to make cyber-security a board-level responsibility. The current work on the development of an official cyber-standard will help stimulate the adoption of good cyber-practices among businesses. Given the risks to our infrastructure as a whole, the Government have highlighted the role of regulators in overseeing the adoption of robust cyber-security measures. The companies that supply essential services such as power, telecommunications, water, transport and banking, need maximum protection.

I praise the many organisations that are tasked with upholding the Government’s cyber-defence plans. However, as has been said, the threat is so great that I worry that as a nation we are not doing enough, fast enough. An industry study produced by BT last month found that British companies are lagging way behind rivals in other major countries in addressing cyber-security risks. The survey found that only 17% of UK businesses see cyber-security as a priority compared with 41% in the US. Nearly 90% of directors and decision makers in the US are given IT security training, but in the UK it is only around 37%.

On defence, our armed forces are among the most technologically advanced in the world, and I am sure we are all proud of that. In theory, that allows us to put fewer of our people in harm’s way and their lives at risk. However, as the Under-Secretary of State for Defence, the hon. Member for Ludlow (Mr Dunne) said recently, it makes every aspect of our military capability vulnerable

4 Mar 2014 : Column 798

to cyber-attack. Obviously, there is no point spending millions on developing leading-edge technology without the cyber-security to stop it being felled by a single cyber-attack.

The Defence Committee noted that the Army has between 35% and 40% too few corporals and sergeants to man its cyber-capabilities. The Government have rightly set up a joint cyber-unit for the reserve forces, which was going well towards the end of the year, and others have said that the reserve forces will play a crucial role in our future capability. The Government have instigated broadly sensible long-term solutions such as apprenticeships to fill the staff-skills gap in industry and business, but how can we attract more trained staff immediately, especially in the defence reserve?

A further concern is that the threat is so wide and imminent that the command structure is not resilient. I understand that the global operations security control centre at Corsham has been empowered to take rapid action without direction from above to defend the MOD’s own networks from attack. That is great, but with the many groups set up to implement the UK cyber-strategy, how will one section know what the others are doing when an attack has happened?

Mr Gray: We are all pleased to see my hon. and gallant Friend back in full working order. The GOSCC is in my constituency, and does an outstanding job in providing cyber-security for the MOD. Is he not concerned, as I am, that with the plethora of Government and MOD organisations with responsibility for cyber-matters, the expertise of GOSCC is being undermined by a variety of quangos and committees whose exact function is clouded in mystery?

Jack Lopresti: I thank my hon. Friend for his intervention. He is absolutely right. Within the chaos of a potential attack, I am not sure how the disparate groups would communicate with one another, how there would be a uniform chain of command and how it would work in practice. GCHQ seems to be in charge, but in other countries the matter would fall under the Ministry of Defence. It is fine that the MOD seems to be still developing its own basic cyber-security techniques with the armed forces setting up separate units, but it is the responsibly of the Centre for the Protection of National Infrastructure to take the lead in co-ordinating a UK response to a major cyber-security incident.

An extremely clear command structure will be needed to deal with a cyber-attack, which may come from a political group such as the group that claimed that the Sochi games were being held on the graves of millions of people who had been murdered and that was, according to the US Government’s computer emergency readiness team, threatening companies financing or supporting the Sochi winter games with cyber-attacks.

The response would be different if an attack was state-sponsored, but it would be extremely difficult, especially in the first day or so, to determine where the threat came from and whether it came from an individual or a country. The internet is worldwide and even if we knew where the attack came from geographically, it would be difficult to identify who was behind it.

Bob Stewart (Beckenham) (Con): I am pleased to be able to give my hon. and gallant Friend a pause to think what he is going to say next. When Mandiant briefed us last week, we were told by Paul Dwyer that 66% of our

4 Mar 2014 : Column 799

companies take about 243 days to realise that they are subject to what he called an advanced persistent threat, and that some companies have no idea that they are being attacked and will never find out.

Jack Lopresti: I thank my hon. Friend for his helpfully timed intervention. He is absolutely right. Sometimes it is difficult or impossible to determine that an attack has taken place.

On offensive cyber-capability and action, a recent article published by the Royal United Services Institute said that Stuxnet, the malware supposedly used to attack Iran’s nuclear weapons capability, was not successful in delaying Iran’s technical progress. With hindsight, some have seen Stuxnet as a hindrance to diplomatic solutions. I am not sure I entirely agree with that analysis, but it is interesting. Cyber-space is being described as the fifth domain of warfare, so its defence and protection from attack are integral to the operation of our nation’s defence infrastructure.

My last point is whether we are spending enough, which is not an easy subject in a time of fiscal austerity. Last week, Chuck Hagel, the US Secretary of Defence, outlined a vision for a leaner US defence posture with reductions in the US army to a pre-1942 position. However, at the same time, he rightly proposed increased spending on cyber-defence.

Ms Gisela Stuart: Does the hon. Gentleman share my concern that the size of the reduction in the US army is exactly the same as the size of our entire Army?

Jack Lopresti: Yes, I agree, but obviously we are talking about different scales.

I am fully aware that the issues I have raised today are not easily solved, but I fully commend the Government for the progress they have made so far.

Madam Deputy Speaker (Mrs Eleanor Laing): Order. It is usual for hon. Members to stand up to indicate that they wish to speak. It makes the life of the Chair rather difficult if no one does so. I was about to draw the debate to a close.

3.16 pm

Mrs Madeleine Moon (Bridgend) (Lab): I apologise, Madam Deputy Speaker, for not standing up. I thought the hon. Member for Filton and Bradley Stoke (Jack Lopresti) had sat down to take an intervention, but slowly it came to my mind that he had finished his speech.

It is an honour to follow the hon. and gallant Gentleman. I share his concern about an attack on our national infrastructure, but we sometimes focus on things such as banking and transport when we should perhaps look at our food supplies or our hospitals. The impact of such an attack on the civilian population and the country’s morale would be huge. We must address resilience to a cyber-attack and we must engage the civilian population in understanding and preparing for that.

T he Chairman of the Defence Committee and I were given a book for holiday reading: “One Second After”. That delightful read, which probably wrecked my summer,

4 Mar 2014 : Column 800

was a description of the United States after an electro-magnetic impulse attack had taken out all its computer-based systems. Everything went. No cars could go on the road and nothing would work. It was a scary prospect and I now understand why the Defence Committee’s Chairman runs a car that does not have a computer in it. I am sure the book was a great influence in the decision to purchase that car.

The book also made me aware of the very narrow issue of who is the enemy. In traditional warfare, we tend to know who we are fighting, but in future we may be fighting criminals who are holding the country to ransom. We could be fighting terrorists, because a state is not needed to manufacture a cyber-attack, or activists or anarchists. It has been suggested that some of the attacks in Estonia were by third-party actors. At the bottom of the list is the potential for a state to attack, because states like rules and the rest do not follow rules. That is why they must be our focus, our worry and our concern.

A statement made in 2012 informed us:

“Our cyber defences blocked around 400,000 advanced, malicious cyber threats against the government’s secure intranet alone”.

On the whole, we do not know where those threats are coming from. We do know that the Government have given a commitment to having full-spectrum capability in dealing with cyber-attacks. In fact, in response to the growing number of cyber-attacks, the Secretary of State said that

“we are developing a full-spectrum military cyber capability, including a strike capability, to enhance the UK’s range of military capability. Increasingly, our defence budget is being invested in high-end capabilities such as cyber and intelligence and surveillance assets to ensure we can keep the country safe.”

I was very interested in that statement, so it sent me off on a little tangent, as such things often do.

As the Minister, who has received many of my quirky little requests for information, will know, I sent off a parliamentary question to every Department asking them how many specialist IT staff they employed who had a PhD in computer science, who had a master’s degree in computer science, and perhaps who even had just a basic bachelor’s degree in computer science. It did not bode well, I have to say. The Ministry of Defence can rest on its laurels; it came second to the Department for Work and Pensions, with 1,625 such members of staff. None of the Departments could break the information down by qualification across Departments, which could explain why Government are not very good at commissioning cyber-capability and improved computer networking capability. Only 5,088 people, in total, held a degree-level capability in computing. It was depressing to note that the Department for Culture, Media and Sport had only three people with such a qualification, so we should watch out for its contracting.

Ms Gisela Stuart: Given the logic of Government, did my hon. Friend also ask whether the people with a computing degree actually worked in such areas beforehand or did something completely different?

Mrs Moon: I did, and most Departments responded that they worked in specialist teams, as we would expect.

Interestingly, the response from Her Majesty’s Treasury told us that a total of 48 people are employed within its

4 Mar 2014 : Column 801

centralised IT department, or teams. Those staff provide IT services to the Cabinet Office and to the Treasury. That compares with 57 people in 2008 who worked exclusively within the Treasury, so the numbers are going down, and that has to be a matter of concern. As people with these skills are increasingly highly valued in the marketplace, can Government stay ahead of the market in being able to recruit them?

I was worried about the budget and looked into that aspect. We have heard about the figure of £650 million over five years, which is a mere fraction of the figure for the annual economy, which is set to lose £27 billion every year to criminal activity in the cyber-realm. In contrast, the US Department of Defence has outlined a $23 billion spend on cyber operations in the financial year of 2018 alone.

I thought that I would then have a look at how well we were doing in this area. I discovered, rather alarmingly, that the Government had withdrawn from a new cyber-warfare project called Project Cipher, which was intended fully to scrutinise complex programmes to ensure that they had the potential to meet our needs. After thorough assessment, it was decided that Cipher would not meet the full defence capability required to offer long-term value for the taxpayer, and so the programme was not taken forward. The costs of the stalled project, in the assessment phase alone, had been £66 million, so we have lost a large percentage of the money set aside for cyber, and they were £47 million above the original budget. Overall, this was a major disaster. IHS Janes has said that the project was

“intended to renew the MoD’s cryptographic inventory and automate its crypto-key management systems by replacing obsolete current systems to prevent encoded communication links being compromised.”

I understood half that sentence. The important bit is that it was intended to replace obsolete current systems, because Departments are not good at replacing obsolescent systems. They tend to work things for the length of a Parliament, which is now five years, when we all know that these computers are dying on their feet after about the first two years.

IHS Janes continued:

“The delays in bringing Cipher online are creating capability risks, says the NAO, because the ministry’s existing crypto capability lacks the flexibility to deliver the flagship Network Enabled Capability project, which aims to link up a wide range of military communication networks. This means efficiency savings relating to the automation of crypto capability has been delayed, leading to increased demands on military manpower.”

It explained that the problems with Cipher’s design first emerged during an assessment phase and that they were the result of the lack of suitably qualified experienced civil servants—you will be surprised to hear that, Madam Deputy Speaker. One of the essential things that we must do if we are to be responsible in looking to the defence of this country is to find the way to employ and retain the capability that we need within government to provide the skills and oversee the systems that we operate to keep this country secure.

There has been considerable discussion about having a cyber reserve. I have had conversations with a number of companies that have told me that they are very worried about their employees joining the reserves because they fear for them when they have to travel abroad. Many international companies work around the globe, and they worry about someone who has been in our

4 Mar 2014 : Column 802

cyber reserve and transfers to work in another country, or merely travels through a country perhaps on business or on holiday, being prone to personal attack because of the information they would hold not only on their company but on the UK’s cyber-defence capability. I hope the Minister is aware of that concern and will address it.

This is perhaps one of the most urgent and pressing issues affecting this country. We have to take it seriously across every Government Department, but we also have to alert our citizens to the fact that they are now on the front line, because the attack may come from their personal computer, which could be hacked and used for an attack not only on this Government, but on other Governments.

Several hon. Members rose

Madam Deputy Speaker (Mrs Eleanor Laing): Order. Hon. Members are not doing terribly well on the supposedly self-imposed 10-minute time limit. Perhaps if they were to aim for nine or eight and a half minutes, we might be more on target.

3.29 pm

Mr Crispin Blunt (Reigate) (Con): I will do my best, Madam Deputy Speaker.

I agree with the conclusion of the hon. Member for Bridgend (Mrs Moon): this is an extremely important issue and addressing cyber-security rightly sits at the top of our national security agenda. Cybercrime and cyber-attacks are not only tomorrow’s dangers; they are a very real and growing threat today. As others have already made clear, Governments, business and members of the public come under sustained attack from cyber-criminals and foreign powers. There were an estimated 44 million incidents in 2011 alone.

As we become ever more reliant on the internet, our vulnerability increases. Cyber-threats take two primary forms—cybercrime and cyber-attack, although sometimes the distinction is blurred. Cybercrime was estimated by the Association of Chief Police Officers to have cost £57 billion globally back in 2009, while Detica estimated that the 2011 figure for the United Kingdom alone was £27 billion. It is difficult to believe that that there has not been a geometric increase since then.

Large-scale cybercrime is an issue of national security. Cyber-attack and cyber-espionage also present a serious threat both to the state and to the community, and the state should be acting to protect both. As we know, cyber-attacks have had real-world effects, as exampled by the denial-of-service attacks in Estonia in 2007 and the Stuxnet attack on Iranian nuclear development capability, although there appear to be disagreements about the degree of its effectiveness.

Cyber-espionage and theft of sensitive information is another major concern, so addressing the danger of cyber-threats today is real, not academic. The Security Service estimates that at least 20 foreign intelligence agencies currently operate to some degree against British interests. That threat merits our immediate and strong attention, which is why I welcome this debate and the attention the Defence Committee has given to the subject.

Mr Gray: Will my hon. Friend give way?

4 Mar 2014 : Column 803

Mr Blunt: Given the amount of time I have left, I hope my hon. Friend will forgive me if I do not give way to him. If I have time at the end, I will come back to him.

What is being done and developed in the strategy? In 2009, the previous Government produced Britain’s first cyber-security strategy, which, though laudable for initiating a centralised approach to cyber-security, I as the then shadow Minister critiqued as being a shallow copy of the then American strategy. I said:

“Minimal or no attention is given to key areas such as co-ordination of the new cyber-structures with existing agencies, response to a cyber incident and information sharing between government, industry”

and international action. I also said:

“There is no consideration within the strategy of how we would respond to a cyber-attack. No mention can be found of a framework for response or who would lead it. There is no discussion of issues such as back-up communications networks for security and emergency personnel.”

All of those were given coverage in the United States review at the time.

Given the severity of the threat, the then Opposition felt that the strategy was an inadequate response, so before the general election we produced our own paper on cyber-security and keeping Britain safe in the digital age. I am pleased to say that much of it found itself in the Government’s 2011 cyber-security strategy, which is currently being co-ordinated by the Office of Cyber Security and Information Assurance.

The strategy is far more detailed than its predecessor and offers a more thorough, co-ordinated and ambitious programme to enhance our cyber-security. The recent progress report from the Cabinet Office highlights the successes in implementing the strategy and the progress made towards achieving its objectives by 2015. I commend the strategy for its scope and ambition, incorporating everything from changes to law enforcement to greater co-operation and information-sharing with the private sector and enhancing our cyber-resilience. That the strategy also balances the attainment of security with civil liberties is reassuring.

Mr Gray: Everything my hon. Friend says is absolutely right. The Ministry of Defence, of course, has no responsibility whatsoever for this. Is my hon. Friend therefore proposing that the things he is describing perfectly adequately should now become part of a defence cyber-strategy, or is he talking about something other than the topic of this debate?

Mr Blunt: My hon. Friend, in his usual perspicacious way, has identified precisely what I am moving on to, but before I finish on the wider cyber-security issue, I want to recognise the contribution made by the Baroness Neville-Jones in pulling this strategy together and much improving our country’s response.

No strategy, however, is incapable of improvement and the Government still appear to preside over a patchwork muddle of agencies and mandates responsible for cyber-security. In 2011, the Intelligence and Security Committee identified 18 different actors with responsibilities for cyber-security, which raises concerns about duplication, cost-effectiveness and confusion. I note the counterpoint expressed by the Minister for the Cabinet Office and Paymaster General, who said in evidence to the Defence

4 Mar 2014 : Column 804

Committee that although the arrangement is untidy, it is effective, given the need for a cross-Government approach. I must say that, in the absence of a personality as strong as Baroness Neville-Jones, there remain issues about co-ordination and leadership, as was also mentioned by my hon. Friend the Member for Filton and Bradley Stoke (Jack Lopresti).

We must recognise that the updated cyber-security strategy is a major step forward, but, as my hon. Friend the Member for North Wiltshire (Mr Gray) has made clear, defence is only one small component of the pan-Government effort and by no means the most important. I wonder whether the bracketing of cyber-security and defence is in fact wise, given the MOD’s relatively limited role. The MOD has only two formal responsibilities: to ensure that armed forces operability is maintained both at home and abroad by securing its networks, and to enhance military operations by developing future cyber-capabilities.

Cyber-capability is immensely important for the armed forces: it is a battle-winning asset. In the same way that military operations become difficult if not impossible without air supremacy, cyber-superiority if not cyber-supremacy is required. What differentiates cyber-security is that it also applies to nearly every aspect of modem civil life. Not many businesses need to worry about the effectiveness of the F-35 and the Eurofighter in their daily operations, but the defensive cyber-capability is a daily national necessity for our financial system. Defence against most high-end cyber-threats, including those to critical national infrastructure, is the responsibility of other Departments, not least GCHQ and the Centre for Protection of National Infrastructure. Given that fact, the conflation of cyber-security with defence is possibly misleading, in that it obscures a complex and much bigger picture. However, we are debating cyber-security in the context of defence, so I shall focus on that.

Other hon. Members have outlined the threat, so I simply want to say that the armed forces are increasingly vulnerable to highly targeted forms of cyber-attack, given the networked nature of modern military systems and the increased use of unmanned aerial vehicles and robots on the battlefield. Adversaries may seek signals interception to distort intelligence, disrupt logistical supply chains or, most worryingly, render major platforms and systems, such as ships and aircraft, dysfunctional. If we now regard cyber as a fifth domain of warfare, we must expect other countries to do so too. Britain is a world leader in defence technology, but we must expect emerging powers to be keen to shrink the development gap by stealing what they cannot easily or quickly develop for themselves. The need to protect the operability of our armed forces and the integrity of our defence establishment is thus abundantly clear.

Of the £650 million set aside to transform Britain’s national cyber-security capabilities over the next four years, the MOD will receive £90 million. That funding is not intended to secure MOD networks, because that is assumed to be business as usual, but I know that the Department is securing its supply chain against cyber-attack. The point has already been made about the importance of the need for a resilient industrial base, which must form part of the goal of the national cyber-security strategy. The MOD has responsibility to help to manage the security of its suppliers, and I note the work that has been done to that effect.

4 Mar 2014 : Column 805

I also note the emphasis on reserve forces, which other hon. Members have mentioned, and I welcome the establishment of a joint cyber reserve unit. That is exactly the sort of imaginative use of civilian-qualified reservists in the armed forces that we will want in times of need, but we must bear it in mind that if the armed forces need them at a time of crisis, so will their host employers. On a separate point, I am encouraged by the assurance that spending on cyber will automatically be increased in the budgets of future programmes.

Cyber is part of how our armed forces will wage war in future, so the Department must be able to continue to enhance its military cyber-capabilities. I therefore want to touch briefly on cyber-attack. Inevitably, developments in technology will always be highly classified because the possessor of the latest technological advance is likely to have a battle-winning capability. I therefore understand why information in this area is restricted. However, I emphasise to the Minister that the military should understand that this House expects them to possess cyber-attack capability alongside the ability to defend their own networks from cyber-attack.

This area is highly sensitive because such technology can be applied against other states’ non-military assets in a way that makes it difficult to be clear about whether the laws of war apply. I will finish by discussing this international aspect. This area sits in the grey area between espionage and conflict. That is why, in 2009, I called for us to co-operate internationally on cyber issues to regulate the relations between states in respect of cyber-conflict. I am delighted that that is recognised in the 2013 statement on aspects of state behaviour in cyberspace. We must try to identify the future international rules of the road that will govern relations between states in this area.

I will end by reiterating three questions. First, by bracketing cyber-security with defence, are we in danger of misleading ourselves about where the main effort needs to be? Secondly, can the lead responsibility for cyber-security be made clearer? Thirdly, are we affording enough resources to research and development in this vital area?

Several hon. Members rose

Madam Deputy Speaker (Dawn Primarolo): Order. Despite the presence of the new clocks to aid Members in calculating how long they have been speaking, and despite the fact that Members have been asked to keep their speeches to 10 minutes or less, we are left with six speakers and only 40 minutes to go. There is now an eight-minute time limit and the clock will count it down for Members. It might be necessary to revisit the limit to ensure that every Member who has been sitting in the Chamber patiently is able to participate.

3.42 pm

Mr Iain McKenzie (Inverclyde) (Lab): The growth of the internet has, without question, transformed our everyday lives. I say that as someone who spent many years working for a multinational corporation that introduced every home to the personal computer and introduced the business world to the speed of the e-mail. The importance of the internet is underlined by the part that it plays in our economy. The internet-related market in the UK is estimated to be worth £82 billion a year.

4 Mar 2014 : Column 806

However, with greater openness, interconnection and dependence on technology comes greater vulnerability. To put that in perspective, cyber-attacks have been categorised as a tier 1 threat to the UK’s national security, which puts them up there with international terrorism, military crises and natural disasters. The threats to our national security from cyber-attacks are therefore real and growing.

Terrorists, rogue states and cyber-criminals are among those who are targeting computer systems in the UK. That is highlighted by the fact that 93% of large corporations and 87% of small businesses have reported a cyber-breach in the past year. Performing an attack need not be expensive. With minimal equipment in the right hands, a lot of damage can be done. However, protection against such attacks does not come cheap. The cost of a cyber-security breach can be between £450,000 and £850,000 for a large business and between £35,000 and £65,000 for small and medium-sized businesses, which are not insignificant sums. The UK faces a staggering 1,000 cyber-attacks every hour, at an estimated annual cost of £27 billion.

In cyberspace, power can be exerted by states, non-state organisations or individuals, or by proxy. The boundaries are blurred between the military and the civilian, and between the physical and the virtual. The threats to security and information in the cyber-domain include state-sponsored attacks, ideological and political extremism, serious organised crime, low-level individual crime, cyber-protests, espionage and cyber-terrorism.

Some of the most sophisticated threats to the UK in cyberspace come from other states that seek to conduct espionage, and some states regard cyberspace as a way to commit hostile acts “deniably”. That is why, alongside our existing defence and security capabilities, the UK must be capable of protecting our national interests in cyberspace.

“Advanced persistent threat” is the term used most often to describe threats that are unlikely to be deterred by simple cyber-hygiene measures. Acts of aggression or malice in cyberspace differ from those in other domains. Cyberspace is regarded as an asymmetric domain, which means that even adversaries of limited means can pose a significant threat to military capabilities. We will all agree that cyberspace is a complex and rapidly changing environment.

The British Security Service estimates that at least 20 foreign intelligence services are operating to some degree against UK interests in cyberspace, and their targets are in the Government as well as in industry. The Government have pledged £650 million for cyber-security over four years—0.6% of the cost of attacks. It is therefore essential that the MOD works alongside other Departments and the Security Service to ensure that there is no duplication or inefficiency, given budget constraints. We believe that the Government must ensure that every company working with the MOD, regardless of its size or the scale of its work, signs up to a cyber-security charter. That will ensure that hackers cannot use small suppliers to get into the systems of major defence companies.

With the armed forces now so dependent on information and communications technology, should such systems suffer sustained cyber-attack, their ability to operate could be fatally compromised. Because events in cyberspace happen at great speed, there will not be time in the midst of a major international incident to develop doctrine, rules of engagement, or internationally accepted norms

4 Mar 2014 : Column 807

of behaviour. That is why the Defence Committee recommended that the MOD make the development of rules of engagement for cyber-operations an urgent priority, and ensure that the necessary intelligence, planning and co-ordination functions are properly resourced.

The rapidly changing nature of the cyber-threat demands that a premium be placed on research and development to enable the MOD to keep pace with, understand, and anticipate that threat. The Government should make it a priority to develop robust protocols for sharing information with industry to allow expertise to be pooled. A cyber-threat has the capacity to evolve with almost unimaginable speed, with serious consequences for the nation’s security.

In conclusion, I repeat our call for the Government to ensure that every company working with the Ministry of Defence, regardless of its size or the scale of its work, sign up to a cyber-security charter.

3.47 pm

Martin Horwood (Cheltenham) (LD): I should declare an obvious interest as the MP for Cheltenham, since GCHQ is based in my constituency. This is also a topical day to debate cyber-security, because this morning the Deputy Prime Minister made a speech in which he talked about the balance that needed to be struck between digital freedom and national security. He praised GCHQ for its continued expertise and its role in defending us all against cyber-attack.

Although there is currently no cold war in the old sense—I hope that is not the wrong thing to say; perhaps events in Ukraine are making us worry a little about that, but there is no active cold war in the way there used to be in the 1960s and 1970s—we are in effect at war in cyberspace. Ongoing attacks are taking place against this country and its institutions and businesses, and it is right that in 2010 the national security strategy identified cyber as a tier 1 threat alongside international terrorism, military crises and major accidents or natural hazards. Although the £650 million committed to the national cyber-security programme in 2011 sounded like a great deal of money, considering it against the billions being committed to Trident, for instance, which does not address any of those tier 1 threats, should give us some pause.

Trident addresses a theoretical and perhaps quite real future risk, and there are different views on that, but the cyber-security programme is defending us against current ongoing attacks. As hon. Members have pointed out, they are taking place at the rate of thousands an hour. It is almost like attacking an onion—Russian dolls would be the topical way of describing it. The core is the Government, the Ministry of Defence and the armed forces. We know that malicious e-mails are being blocked at the rate of 33,000 a month at the gateway to the Government secure internet. The next layer is defence contractors and the supply chain which, as other hon. Members have rightly pointed out, are just as critical to the successful operation of the armed forces and our defences as the Government core.

Critical infrastructure is the next layer. Hon. Members have rightly referred to banks and food supplies as part of that wider layer. The next layer is the wider economy

4 Mar 2014 : Column 808

and society. The threat to business is a threat to our national security; 93% of large businesses and 87% of small businesses have reported cyber-attacks in the past year, potentially costing thousands, as the hon. Member for Inverclyde (Mr McKenzie) mentioned.

The Defence Committee rang the alarm bell in 2013. It said that the risk of military operations being fatally compromised continued despite all the effort, and that we perhaps needed more resource and focus on cyber-security. It is right that we commit spending, and look at structures and process, but spreading the culture and practice of cyber-security matters at all levels, and across Government, business and society.

We have talked about the various units. I am pleased to say that GCHQ is in the lead, but the Global Operations Security Control Centre plays a vital role, as do the cyber-security information sharing partnership and various cyber-units in various places across Government. The hon. Member for Reigate (Mr Blunt) offered criticism of that proliferation of different units, but I believe the network approach is the right one. We need attention and focus in different places across Government. The last thing we want is for cyber-security to be silo-ed. We need the culture and practice of cyber-security to spread across Government.

That was brought home to me recently when I visited Bletchley Park, and the brilliant National Museum of Computing, which was celebrating 70 years since the Colossus machine, arguably the world’s first programmable computer, started breaking the Geheimschreiber codes at Bletchley Park. A lot was said about the technical expertise of the Government code and cipher school, which became GCHQ, and the genius of Alan Turing and Tommy Flowers, the great engineer who led the Colossus team—I am proud to say that my father was one of his Post Office engineers. However, it was emphasised that human error allowed many of those codes to be broken. It was not just human error in the sense of mistakes that gave away code keys, but the fatal underestimation of Bletchley Park’s capabilities on the part of Hitler and the German high command. Right up until D-day, Hitler held back Panzer divisions in the Pas de Calais because he simply did not believe that the Normandy landings were the real deal—he believed the misinformation and the false intelligence that was being fed to him. It never occurred to him that the Geheimschreiber codes were being broken and that our side had that capability.

I am pleased that GCHQ is in the lead on cyber-security and that it provides that technical expertise, but we need to spread the culture and understanding. By way of justifying the supplementary defence estimates to support that and other defence work, having that expertise has benefits for the UK economy. GCHQ has enormous links to academia, business and other parts of Government, but it supports cyber-skills at all levels, including encouraging maths, science and engineering in schools. I saw that at the Cheltenham science festival, although it encourages those subjects in many other ways. It also recognises academic departments that specialise in cyber-security. As has been said, they are now present in a large number of universities. That focus on high-tech skills, and research and development, could, and should already, make the UK a centre of global importance in cyber-security skills. In turn, that builds resilience, not just in Government but in businesses, making Britain a

4 Mar 2014 : Column 809

safer place to do business in cyberspace. All those things have economic benefits and more than justify the spending we are considering.

There is a slight sting in the tail. GCHQ and its expertise are widely recognised now, which may be one of the benefits that it has inadvertently gained as a result of Mr Snowden’s recent activities. Business recognises that expertise and skill, and is able to poach very expert people from GCHQ and, perhaps, from the Global Operations Security Control Centre as well. The Government need to value the people in GCHQ and GOSCC, and others across Government, who have those extraordinary skills, and—sometimes, I am afraid, in material terms—try to ensure that we hold on to the best people, and the real skills and expertise. We need to value those skills in all sorts of different ways, but I hope that Ministers will not take it wrongly if I say, on behalf of my constituents, that that way would also be appreciated.

We are facing a global threat. The United Kingdom is under current attack, and, while I think that the Government have got the strategy broadly right, I also think that they should not let up in defending us against this new and very 21st-century threat.

3.55 pm

Jim Shannon (Strangford) (DUP): Our society relies more and more on cyberspace in activities ranging from internet shopping to internet banking. More and more of our lives, and consequently our details, are online, and our constituents are affected by that every day. It is only right that the Ministry of Defence has a cyber-system that provides security, can be updated, and can be foolproof.

The national cyber-security programme puts in place £650 million over four years to transform the United Kingdom’s cyber-security capability, of which the MOD’s defence cyber-security programme is part. The cyber-threat has a capacity for almost unimaginable speed, which could have serious consequences for the nation’s security. The nation therefore needs to do what it has not yet fully done, and provide the mechanisms, people, education, skills, thinking and policies that will make it possible to take into account both the opportunities and the vulnerabilities that cyber presents. If a reason for action were ever needed, that would be a very clear reason.

All of us, both inside and outside the House, will have watched films on television in which Governments are brought down by computer networks. I remember thinking that that was science fiction and that it could never actually happen, but all of a sudden, in our own lives as elected representatives dealing with constituents, we have found ourselves relating to some of the issues with which they have had to deal in connection with, for instance, banks. There is a real, definite possibility, for which we must be prepared.

We have heard more and more about hacking skills. Businesses and livelihoods now depend on cyber-security for protection, and we have a duty to protect ourselves, to protect Government Departments, and to protect our constituents. Currently, 91% of UK businesses and 73% of UK households have internet access, and £47.2 billion was spent online in the UK alone in 2009. The Minister has said that exact figures are hard to pin down, but a recent study by the Cabinet Office suggests

4 Mar 2014 : Column 810

that cybercrime now costs the UK £27 billion a year, with a cost of £2.2 billion to the Government, £3.1 billion to individuals in the form of fraud and identity theft, and by far the largest proportion—£21 billion—to industry.

Cyberspace is a continually evolving environment, and if we are to defend ourselves from the threats that emanate from it, we must keep pace with that change. However quickly a threat is identified, 10 more will have been dreamt up by those who have the capability to do so. We must ensure that our constituents are protected, and, if necessary and if possible, educated as well. One cyber-security chief has pointed out in one of the national papers that even a simple password is better than no password at all, and that many people are frightened of terminology.

I was pleased to learn that the new cyber-security programme essentially seeks to build on the centralised approach established by the last Government, and to tackle some of the emerging gaps. It seeks to establish new cyber-security institutions and education and skills initiatives, with the aim of locating and addressing the weaknesses in existing cyber-measures, anticipating future threats, and building good working relationships across UK sectors, both public and private, as well as within nations. That certainly requires, and is worthy of, the funding support proposed in the motion. I hope that the Minister will be able to give us some indication of how, while the investment is taking place, all the regions of the United Kingdom—including Northern Ireland—can benefit from it. I am keen to understand how we in Northern Ireland can gain some direct advantage.

I understand that protection and security are essential for individuals and also for the Government and the Ministry of Defence, and the money must be used to maximise protection and education. The information provided by the Commons briefing stated the following, which determined my support for what has been proposed here today, because these facts and figures are horrendous. Some Members have mentioned them already. The director of GCHQ has described how cyberspace is contested around the clock. In the United Kingdom there are over 20,000 malicious e-mails on Government networks each month, 1,000 of which deliberately target that very department. The Security Service estimates that at least 20 foreign intelligence services are operating to some degree against UK interests in cyberspace. Again, that illustrates the scale of the problem.

The US estimates that the Pentagon’s computer systems are probed 250,000 times an hour, with more than 140 foreign spy organisations trying to infiltrate US networks. During the 2008 Olympic games, Beijing alone experienced 12 million cyber-attacks per day. That underlines the magnitude of this problem and the importance of our being prepared and ready to combat it. I again ask the Minister to comment on the collaboration aspect of that. The report mentions our collaboration with the United States, as other Members have. Can the Minister explain exactly what that entails, and can he assure us that we will not be exploited by the United States of America and its Government?

On the NATO Cooperative Cyber Defence Centre of Excellence, will Parliament be fully apprised of any decisions regarding participation in that and other international co-operative arrangements? It is important that everyone understands exactly what is proposed and what will happen.

4 Mar 2014 : Column 811

These attacks are happening around the world and in the UK and we must protect ourselves. I am therefore very happy to support the proposals, and I ask the House to support them too, while also ensuring that every pound is spent effectively and enhances the skills of those in Government dealing with these threats. Other Members have stressed the importance of having skills in the MOD at corporal, sergeant and private level, so we can address the many pitfalls that may arise.

While cyber-terrorism may not be physical terrorism of the sort that some of us in this Chamber have faced personally, and whose effects can be seen in blood and tears, the effects of cyber-terrorism can bring a nation to its knees and we must ensure we are not the ones who are brought to our knees, but are instead able to withstand any such attack.

4.3 pm

Bob Stewart (Beckenham) (Con): The greatest threat of electronic attack continues to be posed by state actors. Russia and China are suspected of carrying out the majority of assaults, but other countries—North Korea, Iran and even Syria—run very effective attacks too. The targets are in Government as well as in industry.

Let me give an example of a cyber-attack. On 23 April 2013 the American stock market dropped 1%; it lost $136.5 billion in a matter of seconds because of a false tweet posted on the Associated Press Twitter account. That tweet apparently came from Syria.

Let me give another example of a possible danger to this country, and here I will use information from a paper written for the Defence Committee by the distinguished academic Chris Donnelly. Huawei, a Chinese company strongly suspected of having close links to the Chinese Communist party and Government, is now providing crucial equipment for our national telecommunications system. The company has been debarred from doing that in the United States because it could not prove that it did not have strong links to the Chinese leadership.

Chris Donnelly’s paper highlighted three areas where Huawei could present a security risk. First, the company could insert undetected malware into its equipment, either to disable the system at will or at least to monitor it. Secondly, there is a possible security risk from the Chinese managers and technicians who man the system. Thirdly, allowing Huawei to dominate the field takes away our sovereign ability to deal with matters ourselves. Recently, there has been growing concern that our national cyber-security systems might not be able to detect whether malware has been inserted into the system.

Mr Gray: My hon. Friend is right to be concerned about the possibility that companies of all sorts might act against the interests of this country, but it is also right to record that Huawei is a major employer in the United Kingdom and is a multi-billion-pound multinational company. The suggestion that it is, in some way or another, an agent or a foreign force in the way he describes may of course be true, but it is worth saying that there is no evidence that that is the case.

4 Mar 2014 : Column 812

Bob Stewart: I thank my hon. Friend for that, but I am not sure that he is right. Huawei has been involved in setting up our cyber-security evaluation centre. It offered its services at knock-down prices—no western firm could match them, and our economy was and is in a poor position to resist the temptation of accepting what looked like a very good deal. So we could be setting a thief to catch that same thief. Of course the suspicions I voice may be erroneous and our cyber-security services could be totally on top of this one, but without access to classified information I have no way of checking. Members may recall that Huawei offered to provide a mobile phone system for the London underground during the 2012 Olympics—was it not free or close to being free? If I recall it correctly, that offer was turned down on security grounds.

As Chris Donnelly highlighted, state security requirements and gaining commercial advantage are two sides of the same coin in China. We should be under no illusion about the Chinese’s willingness to put huge efforts into understanding and, if necessary, harnessing all sorts of systems in the UK to advance the Chinese national interest. Already there is a mass English learning programme in existence, which Chris Donnelly suggests involves 300 million people in China, and a similar mass programme to teach computing. In 2012, China conducted what it called its first “digital technology exercise” in Inner Mongolia, when an entire division of hackers in the uniform of the Chinese liberation army was deployed. These cyber warriors went to war across the whole spectrum of western activity, not just against western military communications. We are wasting our time calling on China to stop hacking into our systems. Of course the Chinese will deny they are doing it until they are blue in the face—

Sir Bob Russell: Red in the face, surely.

Bob Stewart: Forgive me, my hon. Friend is absolutely right. He always stands up for the infantry, so he would use the word red, and I accept it; red is the colour of the infantry.

We had better wake up to the fact that systematic and state organised hacking is a massive Chinese industry. I am pretty sure that our security services are well aware of the threat, but the public must also be made aware of it. We need the funding to do what we can to counter the threat.

Let me be clear: hacking can be more deadly than a gun. Cyber-warfare, taken to its logical conclusion, could bring our society to its knees. Almost nothing works without electricity. I am talking about light, energy, traffic control—on the ground and in the air—hospitals, police and even sewerage. Undoubtedly, the national grid would be a No.1 priority target for someone wishing to reduce us to our knees. Von Clausewitz stated that war is an extension of politics by other means, but systematic hacking is also war, by new, subtle and probably very effective means.

4.10 pm

Mr Tobias Ellwood (Bournemouth East) (Con): In a hands-free, wireless, bluetooth enabled world, how would any of us cope without access to our mobile phone or computer data for any duration of time? Our lives and livelihoods depend on those assets, and they would

4 Mar 2014 : Column 813

change fundamentally if they did not work. The recent flooding in Dorset affected electricity and caused some households to reach for the candles. What a new experience that was for a generation of people who perhaps take our world a little bit for granted. They believe that all these things that we enjoy are there and will not be challenged.

I welcome this debate, and I commend the Defence Committee and its Chair for their report. My concern is that we are debating something that is changing almost daily and yet the report was printed on 26 March 2012. In answer to my interventions at the start of the debate, the Minister made it clear that changes have been introduced, but even they will be out of date given the pace of change in this area.

As we move into an ever more digital and virtual world, we are increasingly exposed to attacks not just on personal data and intellectual property but on state operations, from air traffic control systems to electricity grids. Cyber-attacks are simpler and cheaper than a dirty bomb. We no longer see robbers running in to rob a bank; it is all done electronically. This is the world that we now need to recognise.

Two years ago, I attended a course at Harvard university on national and international security. A cyber-security expert borrowed a laptop. He then purchased and downloaded $16 of software, and managed to tap into Boston’s traffic light systems. Had he taken it one step further, he would have been traced and got into trouble. None the less, he showed how easy and quick it would have been, with just $16 of software, to cause huge disruption.

Let me place this issue in perspective. In the development of warfare, there are occasionally seismic leaps in capability as new systems are introduced, and they force all of us to adapt. Going back in history, the longbow changed the outcome of the battle of Agincourt. The introduction of the cannonball changed the way in which ships attacked one another, preventing the need to go on board. The introduction of the submarine, the tank, the plane and the aircraft carrier all changed the conduct of war. As has been said again and again in this Chamber, cyber-technology will provide a new dimension, which we all need to understand.

I am a little saddened that the Chamber is so empty. I hope that it is not because I am on my feet.

Bob Stewart: I think it is actually.

Mr Ellwood: Thank you! The fact is it is the usual suspects who are here today, by which I mean those who are interested in defence matters. However, as my right hon. Friend the Member for North East Hampshire (Mr Arbuthnot) said, this issue does not affect just defence. It covers the business arena, the Home Office and the Ministry of Defence, yet we are not familiarising ourselves with the structures and processes so that we are at the front end of this capability. The speed of attack, if it happens, will be phenomenal. We have not yet seen anything on a scale that would fundamentally affect our lives, but there will be no build-up to such an attack. There will be no arms, tanks or ships mustering on the border; our lives will suddenly change when our computer systems no longer work.

4 Mar 2014 : Column 814

The UK’s military equipment is increasingly vulnerable because of the complexity of its IT. What would happen if we lost the global positioning system? How would anything operate and could we cope? When I was at Sandhurst, we were taught how to use a compass. I am not sure whether that happens any more, but if the systems go down, that is what will be required.

Today’s statement on Ukraine reminds us of our involvement in the Crimean war and the charge of the Light Brigade. That infamous event took place because of a breakdown in communications, as by the time the orders reached Lord Cardigan, he had the wrong idea of what his mission was. Goodness knows what would happen today if we had insufficient resilience to communicate using our usual systems.

Knowing a little about Joint Forces Command, I understand the logic of placing cyber-security in that domain—it is wise that it is fed into the command—but cyber-security should have its own distinct command with its own expertise, as is advocated by some in the United States. Additionally, the relationship between the Global Operations Security Control Centre and the defence cyber operations group needs to be clarified for those of us who were unable to participate in the Committee’s inquiry. Will the Minister update us on bringing together disparate groupings and organisations within various Ministries through the GOSCC?

I support the call for the use of reservists. Banks and other financial services businesses are at the high end of ensuring that they protect their capabilities, so we need to determine how we attract people with the skill sets to do that job to work in the Ministry of Defence as well. Will the Minister tell us what is being done to encourage our NATO allies to improve joint capabilities? That subject might be suitable for discussion at the 2014 NATO summit, which will take place in this country. Given the damage and disruption that a cyber-attack might inflict, would a full-scale attack on another country be subject to article 5 of the North Atlantic treaty? Have rules of engagement been determined for offensive and defence cyber-operations?

I welcome this debate and I agree with my hon. Friend the Member for North Wiltshire (Mr Gray) that we should have defence debates more regularly. The House needs to understand this emerging threat that faces us all, as it is only a matter of time before a major strike takes place. I welcome the huge progress that the Government are making, but there is clearly much more to do.

4.18 pm

Yvonne Fovargue (Makerfield) (Lab): Labour Members welcome the increased focus that cyber-defence is receiving. The report by the Defence Committee is evidence of that focus, so I congratulate its members on their excellent work. Cyber-attacks are at last properly acknowledged as a serious threat to our national security and are rightly prioritised as a tier 1 risk in the Government’s 2010 national security document. As the Committee’s report says, the threat is liable to grow and evolve at “almost unimaginable speed”. Indeed, the pace of technological change is faster than traditional Government structures and time lines can cope with. As my hon. Friend the Member for Barrow and Furness (John Woodcock) said, five years is a long time in the cyber-world

4 Mar 2014 : Column 815

and the threat from cyber-attack is rising exponentially. The number of global web users in 1995 was 16 million; it is estimated that by 2015, there will be more interconnected devices on the planet than there are human beings.

As communications technologies spread and as the UK critical infrastructure networks become even more heavily based on IT networks, cyber-defence becomes an increasingly pressing security concern. There will be even more attacks. According to the Government’s own national security strategy document, the UK faces up to 1,000 cyber-attacks every hour, which is estimated to cost the UK £27 billion a year. Cyber-attacks are now a constant reality, with the Government, the private sector and private citizens all under sustained cyber-attack from both hostile states and criminals, as my hon. Friend the Member for Bridgend (Mrs Moon) articulated so well.

I have no doubt that the Government take the threat of cyber-attack seriously, although perhaps not seriously enough. The report makes it clear that Ministers have not yet put in place the infrastructure to deal with that real threat properly, or approached the problem with vigour or sufficient robustness. As the right hon. Member for North East Hampshire (Mr Arbuthnot) said, the problem is agile and many-layered—I think it has been likened to an onion, and the Opposition would agree with that.

Bob Stewart: It is not an onion, because that implies that one peels away a layer to get at it; actually, it is an attack on all institutions—every single part of our society—simultaneously. I therefore disagree with the onion analogy.

Yvonne Fovargue: I will not be tempted to go further into vegetable analogies. I think the multi-layered approach is the one we are dealing with here.

The Government have committed £650 million over four years to the cyber-security programme, which seems like a significant sum, but only 14% of that was allocated to the Ministry of Defence, while the total investment equates to only 0.6% of the £27 billion that the UK loses through cybercrime every year. In its report, the Defence Committee questioned whether enough was being done to secure the supply chain and the industrial base. We know that supplies of armed forces’ equipment are increasingly being targeted, and are especially vulnerable to cyber-attack. In their response, the Government say they are working closely with industry on matters such as information sharing and incident reporting, but give precious little detail. The Government need to go further, and Labour is calling on them to ensure that every company working with the Ministry of Defence, regardless of its size or the scale of its work, signs up to a cyber-security charter. That will ensure that hackers cannot use the small suppliers to get into the systems of the major defence companies. As my hon. Friend the Member for Inverclyde (Mr McKenzie) said, the risks from cyber-attacks are huge and growing; we need to do everything we can to protect against them, and the MOD and its contractors should lead by example.