Defence Committee - Minutes of Evidence HC 106


Oral Evidence

Taken before the Defence Committee

on Wednesday 27 June 2012

Members present:

Mr James Arbuthnot (Chair)

Mr Julian Brazier

John Glen

Mr Dai Havard

Mrs Madeleine Moon

Penny Mordaunt

Ms Gisela Stuart

________________

Examination of Witnesses

Witnesses: Rt Hon Francis Maude MP, Minister for the Cabinet Office, and James Quinault, Director, Office of Cyber Security and Information Assurance, Cabinet Office.

Q140 Chair: Minister and Mr Quinault, you are both most welcome to this inquiry of the Defence Committee into defence and cyber-security. Mr Quinault, you have been in front of us before, so I will not ask the Minister to introduce his team - that is not necessary. By the way, we hope to finish the sitting by 4.30 pm - we are aiming at 4 pm - so brevity on all sides will make that more likely.

Minister, how would you characterise the Government’s general approach to cyber-security and to dealing with the cyber-security threat?

Mr Maude: We started, at the very outset of the coalition Government being formed, by raising the level of concern about cyber-security. The security and defence review rated it as one of the four Tier 1 threats. In what is understood to have been an incredibly tight financial settlement generally, this was one of the few areas to which additional funds were apportioned, as a recognition that it was a growing threat. There was a high degree of continuity with the approach of the previous Government, with, I suppose, two variations. The first was a raising of the level of concern and the issue’s profile, and the deploying of more financial resource into it. The second would be a recognition that this has to be dealt with not just by the Government; it is a whole-of-economy threat. The Government do not sort it out on their own, nor the public sector on its own; this has to be done holistically.

Q141 Chair: From all you say, this is one of the most important threats that we face.

Mr Maude: Yes.

Q142 Chair: Are you in charge of it?

Mr Maude: I am not in charge of all of it, any more than any one threat that is very diverse in the way it presents itself can be dealt with in one part of the Government. I have responsibility for co-ordinating the Government’s approach to it.

Chair: This very important threat.

Mr Maude: Yes, absolutely, but-

Q143 Chair: So how much of your time do you spend on it?

Mr Maude: I would say 25% to 30% of my time, at a guess.

Q144 Chair: You are in the Cabinet Office. What executive authority do you have in the Cabinet Office for dealing with cyber-security?

Mr Maude: The executive authority. Well, in what aspect, because-

Q145 Chair: The Cabinet Office is a co-ordinating office, isn’t it?

Mr Maude: Yes, but it has certain executive functions as well, so there are some parts of the cyber-security programme for which we have direct responsibility - the identity assurance programme, for example. Responsibility for the Government’s ICT strategy sits in the Cabinet Office. The Government CIO reports to me. In respect of the whole approach to the public sector network, for example, while responsibility for delivering it across Government sits with the CIO in the Ministry of Defence, for these purposes he reports to me. But this is very variegated in the way the cyber-threat appears and what needs to be done to counter it, so responsibility, very properly, is spread across the Government. I doubt whether there is a single part of the Government that does not have some kind of responsibility for this. The co-ordination of responsibility in the Cabinet Office is a recognition of that.

Q146 Chair: But it used to be the case that we had a Minister in charge of cyber-security as such. Lord West was one of them; Lady Neville-Jones was another. That is no longer the case, is it?

Mr Maude: No, but that was by no means their sole responsibility in either case. They were both Minister for security, with a whole lot of responsibilities that were much wider than just cyber.

Q147 Chair: What are your other responsibilities?

Mr Maude: Many and various. I sometimes think I am "Minister for everything else".

Q148 Chair: Isn’t that a bit of a worry?

Mr Maude: Probably - it may be a worry to others.

Q149 Chair: It’s a bit of a worry to us, I think.

Mr Maude: Okay, I hear that. Should there be a Minister whose sole responsibility is cyber-security? Possibly, but it would not be a Minister with seniority and authority to get things done. The fact that it is only a part - albeit quite a significant part - of my responsibilities does not mean that it suffers from a lack of attention. You could have it as 100% of the responsibilities of a rather junior Minister in one Department, which would mean that the focus and the span of authority were rather narrow, or you could have it as one of the responsibilities of a senior Minister such as myself, where my ability to operate across Government is reasonably well established.

Q150 Chair: In May last year, therefore, the lines of authority - the responsibility for cyber-security - transferred from the Home Office to the Cabinet Office.

Mr Maude: Well, it transferred from a Home Office Minister. The office of cyber-security already existed in the Cabinet Office. It reported - and I think this was before James arrived there -

James Quinault indicated assent.

Mr Maude: The co-ordinating function sat in the Cabinet Office, but ministerially it reported to Pauline Neville-Jones. I think that was probably the case before the election, but James will know more about that.

James Quinault: Yes, that is correct.

Q151 Chair: It sounds like a diffuse muddle.

Mr Maude: I do not think it is a muddle. It is quite diffuse, and it may not be particularly tidy, but a lot of things are not tidy in life. It is not a muddle; we have quite clear lines of authority. The National Security Council sets this as a Tier 1 threat. The Foreign Secretary chairs a ministerial group that draws together Ministers with responsibility for particular aspects of the cyber-security strategy, which obviously I sit on. I chair the programme board - rather unusually for a Minister - but I am always quite interested in how the money gets spent, and in ensuring that it is spent to good effect and that we do not duplicate and reinvent the wheel, which can very easily happen with a programme such as this where new money is made available. It may not be particularly tidy, but we are getting quite a lot done in rather an effective way.

Q152 Chair: The Intelligence and Security Committee has said that it is concerned that there is a large number of Government agencies with overlapping interests in cyber-security. You may say that that is life - that’s the way that life is - but what have you done to minimise the muddle I told you that I feared that we might be in?

Mr Maude: Did it say that there were overlapping responsibilities? I would be concerned if there were fewer agencies.

Q153 Chair: I think overlapping interests.

Mr Maude: I would be concerned if that were not the case. I would be concerned if there were only a few Departments that had any interest in this, and if they rigidly stuck to concerning themselves only with what lay within their narrowly drawn boundaries. This is very far-reaching, and it is changing all the time. One of the challenges is that we do not know what threat we will be facing next month, let alone in a year’s time. When I took responsibility for the programme a little more than 12 months ago, one of the things I did was to say that rather than lay out now the plans for spending all this money over the whole of the CSR period, because we do not know what we are going to be facing, we actually need to hold some of it back. The thing we know we are going to need in government and in the law enforcement authorities is more capability, particularly in GCHQ, where quite a large chunk of the money will get spent. We need to have a real centre of excellence and expertise, which is the case - it is world-renowned for the quality of its expertise. My concern is that we need to hold back, because we need to be able to operate in an agile and fleet-of-foot way to respond to new and changing threats as events unfold.

Q154 Chair: Minister, my concern is obvious from my line of questioning. We have seen you in the past few months giving statements and answering questions on a whole range of things from the civil service to all sorts of other issues. A few months ago, I wrote a letter to the Prime Minister asking for a meeting between this Committee and him about our Report on the threat from electromagnetic pulses. That meeting is now going to go ahead. You were kind enough to answer a few weeks ago to say that the Cabinet Office would respond to our Report shortly. What concerns me about that is that you did not give any impression of being aware that the Cabinet Office-your office-had already responded to our Report. That made me less convinced by your expression of interest in our Report in the letter.

Mr Maude: I can’t comment on the background to the Cabinet Office’s previous response to your Report.

Q155 Ms Stuart: Who would sign off a letter from the Cabinet Office to this Committee in response to a Defence Committee Report?

Mr Maude: There are a variety of Ministers in the Cabinet Office. I do not know which particular part - it would not have been myself.

Q156 Ms Stuart: If cyber-security is your responsibility within the Cabinet Office, who else would sign that off?

Mr Maude: I do not recollect who would have signed that off.

James Quinault: This was not a report on cyber-security, as I understand it, but on electromagnetic pulses.

Q157 Chair: It was on the threat from electromagnetic pulses, which could take out our entire electronic infrastructure. Well, you sounded interested in your letter to me.

Mr Maude: I-

Chair: Perhaps you might like to read our Report - and your response.

Mr Maude: I am aware of it.

Chair: I am grateful.

Q158 Ms Stuart: Might we have an explanation of who signed it off, and if it was not you, why not? What other authorities are there in the Cabinet Office that allow another Minister to sign off a letter about a report of that nature? That would help us to understand how this all works.

Mr Maude: I will get you a detailed answer to that.

Q159 Chair: You will accept, I think, that it rather highlights our concern that we are not sure that anybody is in charge of this.

Mr Maude: In charge of what? In charge of electromagnetic pulses?

Q160 Chair: Well, A, that and, B, cyber-security in general. I have the impression that you are very busy doing other things.

Mr Maude: I am quite busy, yes.

Q161 Mrs Moon: Chair, I would like to go back to one of the Minister’s earlier responses. I was not clear whether we were talking about a muddle or a model. It does seem to be more of a muddle than a model that we have been talking about.

Chair: My pronunciation has always been poor. Shall we come back to Gisela Stuart?

Ms Stuart: Do you want me to proceed? I thought Madeleine was asking questions.

Chair: I think that Madeleine has made her observation.

Mrs Moon: I was merely making an observation. I thought the Minister and the Chair were talking at odds. I thought one was talking about a model and the other about a muddle. It will be interesting to see what Hansard makes of it.

Mr Maude: I am sure it can clarify.

Q162 Ms Stuart: I have to confess that about 30 years ago I used to attend lessons in English as a foreign language. I was beginning to wonder whether I ought to go back to those. I still don’t understand what you were trying to tell us. Could you try again for my benefit and simplicity?

You tried to start to say that the National Security Council establishes a tier of authority, and there is a clear chain of authority. I am not clear where the responsibility goes. Will you set out for me in simple language that I can understand: national security, National Security Adviser, deputies, the functions of the Office of Cyber Security and Information Assurance. How does all that hang together? Who instructs whom? How often do those people talk to each other?

Mr Maude: As throughout our system of Government, there are political appointments who are called Ministers and there are civil servants. The line of authority in civil service terms is the National Security Adviser and then the deputy National Security Adviser, to whom James Quinault reports. The line of ministerial responsibility is that I am asked by the Prime Minister to take responsibility for the cyber-security programme overall. I do that not because I have direct ministerial responsibility for most of it - although I do for some relatively small parts of it. I chair the programme board that oversees the programme.

Q163 Ms Stuart: Can you then instruct other Departments?

Mr Maude: We allocated the resources through the programme.

Q164 Ms Stuart: That is permissive, but can you instruct?

Mr Maude: Just to be clear, the way our system works is that we work through collective decision taking. I do not have the ability to instruct Philip Hammond or his Department. He has the ability to do that and he would be understandably affronted if I were to seek to do that. If there is a sense that the Ministry of Defence - or any other part of Government - is not doing what is needed to be done, the way that gets dealt with is through the collective process.

Ms Stuart: You describe something that is permissive and a line of authority, but, at some stage, someone must take-

Mr Maude: I do not think that I used the phrase "permissive."

Q165 Ms Stuart: But by allocating money, you enable Departments to do things. Specify a bit more clearly to me how if everything is so interconnected between every Department, you allocate the money but they are actually not doing what they should be doing. That then jeopardises the whole system. Who has the authority to say, "You are not stepping up to the plate and doing what you need to do"?

Mr Maude: That would be done through the programme board, where we-

Q166 Ms Stuart: Which you chair?

Mr Maude: Yes, absolutely. We expect - both I and my officials in James’s team, but also other parts of Government - to hold each other to account for how the money is being spent.

Q167 Ms Stuart: But to be clear, if you, as the chair of the programme board, find a Department that has been given allocated resources to fulfil a function relating to cyber-security but it does not do it, you would be the person who has the authority to instruct them to do so?

Mr Maude: We would certainly have the authority to withhold further funding and address the failure, but I do not have the authority to instruct - nor would I expect to - officials in other Departments. That is a universal principle of the way our Government works.

Q168 Ms Stuart: How often does the NSC discuss cyber-security?

Mr Maude: Not very often.

Q169 Ms Stuart: What is that? Three times a year, 10 times a year?

James Quinault: It comes up as part of other agenda items. There is a plan to have a dedicated session on this in the autumn.

Q170 Ms Stuart: Twice a year, once a year?

Mr Maude: Once or twice a year.

James Quinault: As a subject in itself, maybe twice or three times a year.

Q171 Ms Stuart: So the most important security threat gets discussed twice a year.

Mr Maude: No one has ever said that this is the most - it is one of the four Tier 1 threats.

Q172 Chair: Mr Quinault, you said that there is a plan to have one of these meetings in the autumn.

James Quinault: A dedicated session on cyber.

Mr Maude: Solely on that.

Q173 Chair: Has there been one in the past?

James Quinault: There have been large parts of meetings devoted to cyber earlier on, at a stage when the programme was still in gestation.

Q174 Chair: But not a dedicated one.

James Quinault: No. But there is another ministerial group solely devoted to this topic, which meets more frequently.

Mr Maude: The ministerial group that the Foreign Secretary chairs meets every six weeks or so.

James Quinault: Also, as a programme in its delivery phase, the important thing now is to be chasing delivery on those agreed actions under the strategy. That is what is done by the programme board that the Minister chairs.

Q175 Mr Havard: Can I just press you? National Security Adviser and National Security Council - I understand that. On the Office of Cyber Security and Information Assurance, can I get some of the language clear because we have got the Strategic Defence and Security Review? The "defence and security" bit can often cause an issue because they are different, but they are interrelated and they are the same. That title is about cyber-security - electronic pulse, for example, is about cyber-security - but then there is "information assurance". There are two related things here. Are you doing information assurance for Government and does that include the Ministry of Defence? We are trying to discover where the Ministry of Defence’s involvement starts and finishes in all of this. Like defence and security, some of it is not really proper for the Ministry of Defence, even though it might take it on. It might be that others need to sharpen up and take on their bit. We are trying to find whether these delineations are for purpose. Could you unpack some of that for me on cyber-security and, separately or related, on information assurance?

James Quinault: Yes. It makes for a rather long and inelegant title, but I think my predecessors thought that it was important to have "information assurance" in there, in that there are aspects of that, which are not to do with the protection of computer networks, that can simply be about losing information - leaving it on the train or misplacing discs.

Q176 Mr Havard: Don’t go there, we know that story.

James Quinault: Indeed. There is that aspect to it as well.

Yes, the office has overall oversight of activity on that right across Government, including the Ministry of Defence, but the Ministry of Defence is very active in this area on its own account for good reason. The day-to-day lead on issues of information assurance in the MoD is, very properly, with it.

Q177 Mr Havard: Right, what I am trying to get to is - Bob Gates, the previous DOD Secretary in America, had a simple way of describing this: he talked about .mil, .gov, .org, and .com. So .mil can protect itself, .gov is not very good at it, .org is less good at it, and some bits are spectacularly good and others are rubbish. Then there is .com and people objecting to the fact that you are spying on their computer, so you might be able to do it, but will you be allowed to do it? Where does the military fit in? You are supposed to sit over all of this, presumably, and the business opportunities that come out of it. Yours is a very broad canvas.

James Quinault: Yes. As the Americans would say, this is absolutely not just a .mil or .gov issue. It goes right across the economy, as the Minister was saying.

Q178 Mr Havard: Where does DIS sit in that?

James Quinault: The Defence Intelligence Service? They are absolutely part of this. As I understand it, they also report to Sir Stuart Peach, the Joint Forces Commander, who is also the cyber and information assurance leader for this in the MoD. They are absolutely involved.

Q179 Mr Havard: Is he getting some of this money?

James Quinault: Just to go back, we see this absolutely as not just a Government and military issue. It touches everything in life, not just everything in Government, which is precisely why the approach to it has to be one of co-ordinating activity, rather than directing it all from the centre. If you want to reach business, the business Department needs to be mainstreaming this into its other communications with business.

Mr Havard: My colleague is going to ask you questions about that.

James Quinault: It has to lead on that. That cannot be done from the Cabinet Office.

Q180 Mrs Moon: Will you say a bit more about what you see as the role of the Ministry of Defence in national cyber-security and who defines that role? Does it define it itself, bring it to you and ask for permission - "Yes, that’s fine, you do that" or "No, we would like you to do a bit of that."? Who decides what its role is and what is it?

Mr Maude: Its role, I would say, is to ensure that cyber is actually in the mainstream of what it does in strategy, doctrine, training and operations, and to help to build a good sovereign capability to defend our interests in cyberspace. It needs to work really closely with GCHQ. It is the centre of expertise in this territory and should remain so. We should be absolutely at pains to ensure that we do not replicate small pockets of expertise in different places. There is a great tendency for that to happen in Government and we have been at pains to ensure that it does not happen. Of course, it has a serious job to do, which is protecting its own networks and equipment. That is what I think Mr Havard has just been asking about. No one else can do it. We are not going to try and second-guess that. That is its obvious responsibility. The cyber-security programme does not pay for that. That ought to be business as usual for the MoD, which does not at all suggest that it is trivial. It is not; it is incredibly important.

Q181 Mr Brazier: We have focused so far on policy development, systems development and standing arrangements. This afternoon, let us suppose, there is a major cyber-attack on the UK. Who takes the lead, and on whose authority?

Mr Maude: The place where that would appear, first, is in the Cyber-Security Operations Centre, which is at Cheltenham. That is where the knowledge would be; the first intimations would be gathered together there. It depends on the scale and the nature of it. If it is deemed essential - if it is of a scale that it cannot be dealt with just by the Cyber Security Operations Centre at Cheltenham - then it would come up to the Cabinet Office.

If it was of sufficient scale, it could lead to COBR being convened at different levels, depending on the scale, with different Departments, potentially, in the lead, depending on what it was. If it was an attack on the energy infrastructure, for example, unless it was at a level where the Prime Minister would want to chair it, you would ordinarily expect the Energy Secretary to chair COBR. Similarly, if it was an attack on transport infrastructure, the Transport Secretary would, and so on.

Q182 Mr Brazier: Let’s suppose for a moment that there was the kind of attack that Georgia suffered from. I am just talking in cyber terms, not about other things. Suddenly, all the Government websites come under attack, all the information movements come under attack, and the City of London. It is a massive viral attack right across all the dots, to follow up Mr Havard’s point. COBR then convenes, presumably under the Prime Minister’s chairmanship, because it is across-

Mr Maude: Yes, I would expect that.

Q183 Mr Brazier: Where does the chain of command go after COBR?

Mr Maude: How do you mean, "after COBR"?

Q184 Mr Brazier: Or below COBR.

Mr Maude: When COBR sits, you first of all assess what the hell is going on and establish what needs to be done in real time. Actions emerge in real time-you sit there and they appear on a screen as the discussion proceeds-and are taken up by whichever Department or bit of Government is appropriate, which will be allocated at the time.

Q185 Mr Brazier: So COBR would decide between the competing views of different Departments?

Mr Maude: Yes, totally. And immediately, in absolutely real time.

Q186 Mr Brazier: Within all this, the Cyber Security Operations Centre is clearly crucial to it all. Has its role changed since it came under the direction of GCHQ rather than the Cabinet Office? Do you think its role has changed or not?

Mr Maude: I would say it is probably changing every day, because the whole thing is changing. James may want to comment on that.

James Quinault: No, the role it performs of monitoring and triaging incidents and making sure there is a single version of the truth for Government to act on remains the same. I think the decision to change its reporting line was made for administrative reasons. It is based in Cheltenham, and many of its staff are from there. It made sense for their reporting line for administrative purposes to go through that route, but their responsibilities and accountability remain exactly the same.

Q187 Mr Brazier: Forgive me for taking a parallel, but given that the Cabinet Office is there in the centre and COBR is there with you and the rest, a parallel example is a very good initiative the Committees visited: the National Maritime Information Centre, which looks at potential maritime threats. Some of us were rather surprised that that has moved away from the Cabinet Office to the Home Office. In the same way, I am just trying to get the logic of something that so obviously needs co-ordinating from the centre and will so obviously be vital to COBR if there is a particular concern. It is a little puzzling that these vital assets seem to be moving away from the Cabinet Office.

Mr Maude: These things are not fixed for all time. In Government, as in all big, complex, dispersed organisations, there is no perfect structure that says, "All of this must be done in the centre, and everything else dispersed." That will always slightly be in flux in any organisation. If you look at any big multinational company, you will see that that will vary. Is there a perfect answer for all time? No. Will all of this work perfectly every time? No, nor is there a way of preparing for every possible eventuality.

James Quinault: If I may comment, these arrangements have been exercised and practised many times in the past few months as we run up to the Olympics, including some exercises involving the Minister himself. We consider them fit for purpose.

Mr Maude: Yes, we do test. It is not just that it looks like it works in theory.

Q188 John Glen: One of the issues must surely be that, if something goes horrendously wrong, it is difficult to attribute who is behind it and what the intent is. Could you address the issue of how that complicates matters? From this Committee’s perspective, one of the things we are concerned about is at what point it would be discerned as a hostile act by a party and when the military lead would be assigned. It seems to me that you could presume that that happens in all circumstances, or you could wait. How do you see that as a complicating factor in terms of the attribution and the intent, and discerning that?

Mr Maude: Attribution is very difficult in this field, not only in the field of cyber-attack. Obviously, this is a subject that it would be easier to pursue in private session. You are quite right that this is a significant complicating factor. Proof is not always easy. Attackers are quite good at doing a false attribution.

Q189 John Glen: I suppose that what we are seeking is an assurance that there is a clear protocol of giving lead responsibility to some part of Government, and that that aggravating factor of how to attribute does not delay the appropriate response.

Mr Maude: In every set of circumstances, there is a judgment. It will rarely be the case that there is absolute proof. There are judgments to be made-difficult, complex and delicate judgments.

Q190 John Glen: I think from what you have said so far that those judgments will be made collectively under your headship of executive responsibility.

Mr Maude: If something looked like it could be a sovereign attack, that would clearly be for the Prime Minister.

Q191 Chair: Minister, you may want to tell us things that ought not to come out in public session, so we will consider either moving into private session at the end of this, or writing to you, depending on how things go during the rest of the afternoon.

Mr Maude: Sure.

Q192 Mrs Moon: Minister, could you tell us who, across Government, decides what investments should be made in understanding and anticipating the evolving cyber-threat? Do you make that decision, or is it down to individual Departments?

Mr Maude: The way allocation of money within the programme works is that different bits of Government bid for money.

Q193 Mrs Moon: Who decides who gets it? Who decides on the bids?

Mr Maude: Ultimately, I do, but obviously with appropriate consultation and discussion. My earliest decision was to say that we are not going to commit it all. The perfectly understandable Whitehall preference is, generally, "Here’s money - let’s work out how we’re going to spend it," but I said that we are not going to do that in this case. There are things we know we are going to need, and that is investing in people and capability. That is focused predominantly, but not exclusively, on GCHQ. We need to retain flexibility.

Q194 Mrs Moon: Are we spending enough on this task?

Mr Maude: Could you spend more? Absolutely. Is this a perfectly judged and precise science? No, it isn’t. As I say, we do not know what the threat will look like in two years’ time. We need to be as prepared as we can be. You want to pitch this at the point where what we are doing in terms of the rising graph of protection against money spent starts to flatten off, where you could spend more and it would get better, but not that much better when there is a hell of a lot of competing claims for the money. So, could more be spent? Yes.

Without wanting to sound remotely complacent, which I am not - and touching wood at every available opportunity - Britain is generally regarded as being in a reasonably good place on this front. There was a study, but I can’t remember who did it -

James Quinault: Booz Allen Hamilton.

Mr Maude: It said that the two countries that were ahead of the game on cyber-security were the United States and ourselves. I recollect that it put us ahead of the United States. But as I said, there is not a flicker of complacency about that.

Chair: Who was that?

James Quinault: It was Booz Allen Hamilton.

Q195 Mrs Moon: You said that we don’t know what is coming at us two years ahead. How much time and money are we spending to scan the horizon and to keep up with the latest threats? This is not something that has ever been static.

Mr Maude: No.

Mrs Moon: There is a risk. With Government, we are very good at setting up things that we expect to sit there for the next 50 years. This is not an area where we can do that. Are you confident that we have and will retain the capacity to horizon-scan and adapt rapidly and effectively?

Mr Maude: I am, actually - again, not to be remotely complacent about that. In our civil service reform done last week, we explicitly said that horizon-scanning needs to be strengthened generally for the Government. I would say that our ability to scan the horizon is reasonably good. There is a lot going into it, but I will let James talk a bit more about that.

James Quinault: If your question was a detailed one about how much and where we are spending money on this, intelligence and anticipation of the threat is a thread in a lot of the programme allocations. Understanding where the threat is going to go next and how best to deter that and defend against it is a big part of the investment in GCHQ. I obviously cannot say in a public session how much, but it is a big feature of that.

It is also a strand of the money going to law enforcement and SOCA to understand the ecology of cybercrime, a strand of the money going to the police e-crime unit, and a strand in the work done by BIS and Government ICT to understand the market of this: where that might go and what new challenges that might throw up, for example in the move to do much more computing through mobile, what difference that would make to the threat, how that migrates and how therefore our responses need to migrate to follow it.

Q196 Mrs Moon: So you are not making a distinction, say, between cybercrime and national security? You see them as a whole, as a package?

Mr Maude: They overlap a lot.

Mrs Moon: We appreciate that.

Mr Maude: In terms of technologies, they obviously completely overlap. In addition to what James has said, I should like to point out that BIS has a scheme to recognise the academic centres of excellence in this area. It has awarded the status to the first eight UK universities earlier this year. I think David Willetts is hoping to announce another round in the autumn of this year. Again, we are looking to build up the centres, where there is real expertise, and to tap into that. We might say a little bit also about the work that we are doing with the private sector to develop the kind of information sharing and the ability to react in a much more cohesive way.

Chair: We will be coming on to that in a moment.

Q197 Mrs Moon: Do different Departments have different assessments and rankings in terms of the risk that cyber-attacks pose to them? For example, is the Ministry of Defence and the Foreign Office perhaps the most important Departments, but Education is at less risk? Is the spend differentiated between Departments? How do you work out which Departments need a greater focus?

Mr Maude: It is just different in different places: BIS, for example, will have a range of activities. One will be what I have just talked about with the universities, building up the centres and supporting those centres of expertise and excellence. Another, which is hugely important, will be building up awareness in business. It is generally the rule that businesses that are explicitly and overtly internet businesses take this really seriously and tend to be pretty good at it, but the most physical business that there is will depend one way or another on the internet.

The range of different degrees of preparedness in the business world is enormous. You will have seen the Director General of the Security Service yesterday talking about working with a particular company that has been very vulnerable. So BIS has a big task working with the business world to encourage them to be better prepared and to defend themselves better. Other Departments will have a different role. The MoD’s role obviously will be very specific.

The Government Digital Service, which reports to me, has developed the identity assurance programme, which we intend to be something that does not just enable people to verify their identity for Government purposes, but actually to create a federated model where people can have a way of their choice to verify their identity to be able to transact on the internet with anyone, and not through a centralised system, but with a whole lot of different providers of identity services based on common standards. That sits with us. That is something that will be of benefit not only to Government as we move towards the digital provision of services online, but it will make it easier for people to transact online in other ways.

I have bank accounts with two different parts of the same bank. I have two different widgets from the same bank to enable me to assure my identity to do banking online, which is absurd. We should all have from the provider of our choice-not, emphatically, from the Government-an ability to assure our identity more widely. That is being done, as it were, from my teams in the Cabinet Office.

Q198 Mrs Moon: How much oversight does the Office of Cyber Security and Information Assurance have on individual Departments’ spend? If you think BIS is not spending enough, can you tell them that they need to spend a bit more and that they are not focusing enough? We talked about collective decision making, but how much are you there also to make sure, as a sort of internal watchdog, that people are doing their jobs and to chivvy them if they are not?

Mr Maude: I see that very much as my job and the job of James’s team in the office. That is what we do at the programme board.

I am trying to move us away from "Are you spending the money?" to "What are we achieving?" It is quite difficult to measure what the outcomes are. Some of the bids were to hire people in particular places to do particular things, and one of the things we have been really concerned to do is to make sure that different Departments, different parts of the public sector, aren’t bidding against each other to get what is a fairly scarce resource-people with high degrees of expertise. So we do this in a much more holistic and collaborative way, and don’t duplicate. That is a huge part of what we are doing.

It is very much holding different parts of Government’s feet to the fire, to make sure they are delivering on the strategy. It is no good having a strategy and a programme if it just exists on paper.

Q199 Mrs Moon: Are your salaries equivalent to private sector salaries?

Mr Maude: I hope not.

Q200 Mrs Moon: How do you know you are getting the best?

Mr Maude: Well, it is absolutely the right question. We won’t always get the best. I think GCHQ operates in a very specific market-and this is an issue for them, which we are alert to. Across government we will not always be competitive in salary terms. People will generally not come and work for government just because the money is better. We need to make it attractive, but actually particularly in this area the attraction of coming and working in this field in government is that you have the chance to make a difference, on a big scale; and by and large people do respond to that sense of being able to operate on a big canvas and make a difference to the big picture.

Q201 Penny Mordaunt: Minister, can I ask you how effectively you think information on cyber-threats is shared across government?

Mr Maude: Pretty well, I would say. We are not aware of any particular problems in that respect. There have been problems between Governments. Things can sometimes be slow, but we are working very actively in the international field. I would say we are the leaders in the international field at promoting co-operation, particularly within law enforcement agencies. We hosted the London conference last November and will be active lead participants in the Budapest conference this October. We were certainly in the lead in drafting the Budapest convention. So I don’t think particularly there is a problem on information sharing-

James Quinault: On an operational level, I am not aware of problems of sharing information about threats between Government agencies. Did you have a particular thing in mind? At the moment, while we would always like to know more, what we do know is very quickly and appropriately shared. The issues are more about sharing between Governments or between Government and the private sector, where the programme is making strenuous efforts to get better information sharing at that level.

Q202 Penny Mordaunt: So things like classification of information; those sorts of issues.

James Quinault: Yes, that is an issue.

Mr Maude: Yes, and we are aiming to simplify; what we tend to do is we have an over-complicated hierarchy of classifications, which we are aiming to simplify, but also-and this is a matter of culture and behaviour more than protocol-to limit and constrain the tendency there is to over-classify documents and other information. There aren’t very many examples of things like the milk rota in one part of my Department being a restricted document, and somebody being given a security breach because the milk rota was left on their desk overnight; but this is not as streamlined as it might be.

James Quinault: It is not an obstacle to the sharing of cyber-threat information. It is a problem for some of the business generally. We all have different classifications. We have different classifications, again, between Government and the police. Simplifying that would make for speedier, more sensible conduct of business more generally, but it is not specifically a problem on cyber.

Chair: If you think that the Cabinet Office is a problem, you should see the Ministry of Defence.

Q203 Penny Mordaunt: Are any other barriers of that nature causing things not to be as speedy as they might?

James Quinault: As I say, not within Government, we don’t think.

Mr Maude: And the steps we have taken to accelerate the rolling out of the public sector network, which is essentially about mandatory open standards on things like security and interoperability, will make that easier. It is not fully rolled out, but it is being rolled out. It is much cheaper than what it replaces, and much more efficient and effective.

Q204 Mr Havard: Is that sort of stuff being done through what was the WHISPER programme, and so on? There were different ways of trying, first of all, to collect people together so that they could have the discussion about common understanding, or have those been overtaken by events? Various aspects of the efficiency of the process were being researched, and the Royal College of Defence Studies was doing some stuff. Lots of people were doing things. Are you saying that a formal process is now in place that has overtaken those things?

Mr Maude: For what?

Q205 Mr Havard: Well, the WHISPER programme-the Whitehall information programme, or whatever-was trying, at the very start, to get the various agencies together that needed to come into the same room to have that conversation you have just described. It was at a very low level at the start, and it has obviously moved on significantly. You are talking about the local authorities being involved, for example, and the devolved agencies. There are all those aspects of government, not all of which are in Whitehall, in a physical sense.

Mr Maude: The public sector network is very deliberately for the whole public sector and offers considerable savings.

Q206 Mr Havard: Does that include government, if you see what I mean? Is it the public sector in its broadest definition?

Mr Maude: The wider public sector. Absolutely, and my recollection is that the first entities to take up the public sector network were two big county councils.

Q207 Mr Havard: Does that include agencies as well?

Mr Maude: Absolutely.

Q208 Mr Havard: And sponsored bodies of the National Assembly et al?

Mr Maude: Yes, totally.

James Quinault: One of the goals of the security classification review is to get to something that is more easily shared with agencies outside government, with whom we deal on some things.

Q209 Penny Mordaunt: Is any information on cyber-threats and related issues not shared routinely between Departments? Do you think there is a problem there?

Mr Maude: That would depend on the level of security needed. If it is highly sensitive, it would be on a very restricted basis, but I do not see any constraint, I would say.

James Quinault: I am not aware of any constraint to sharing information on, as it were, the warning, the alert, or the thing that the Department needs to act upon in order to protect itself. Obviously, we are much more careful in sharing the information from which that is derived, which may be very sensitive. There is a problem in that sometimes the warning that you wish to give people comes from a very sensitive source, and sanitising it, so that it is still useful to the recipient but does not reveal where it has come from or compromise some of your equities, can be a difficult thing to do. But it is being done. I am not aware of any case where a warning that could have helped a Department to protect itself was held back.

Mr Maude: But there are particular difficulties or sensitivities in the sharing of information with the business world, and within the business world, where it is incredibly important that information is shared, so that the knowledge of threats, in quite a specific way and very quickly, can be disseminated. The real task is to find ways of desensitising and anonymising information. For understandable reasons, businesses tend to be quite diffident about sharing widely.

Q210 Penny Mordaunt: The last question I wanted to ask you is that presumably, sharing information will make better collective Government decision making, as well as improving decisions within Departments. What evidence do you have that that is happening, if it is?

Mr Maude: Without wanting to spend all our time in meetings discussing things, we do have sessions where decisions are taken on the basis of shared knowledge. That is essential.

Q211 Ms Stuart: Following on from what you said about Government and private sector involvement and this clash between national security needs and confidential commercial interests, how are you progressing with developing protocols that would allow for that kind of sharing so that both sides know exactly what is possible and what is required?

Mr Maude: We are making some progress. We are working to develop a sort of information-sharing hub with what we have described as nodes, where different sectors can share knowledge. Some of these can exist in incipient form. James can perhaps talk a bit more about the detail of that. In terms of the protocols, this is a kind of work in progress.

James Quinault: That is what the hubs and nodes are all about-finding ways of sharing information, pooling information on situational awareness between Government and industry and between different firms so that we all get a better picture and can protect ourselves better.

Q212 Ms Stuart: I know that you thought that you were making good progress in that you gave a speech on 4 May when you said that there is now really tangible progress being made. So you have made the tangible progress, but may I press you a bit more as to where you are with the protocols? You may even want to give me one or two examples of how you know that there is tangible progress.

James Quinault: One instance would be that the hub and node thing is already broadening out between the pilot sectors that we started with. We began with five-finance, energy, defence, telecoms and pharma. We have now added transport to that list. We are broadening out as we go. Colleagues of mine spent most of last week with industry partners talking about how we can collectively build up to the next stage. The pilot has identified that we probably need slightly different delivery vehicles for different bits of this. So for the high-threat club, as it were, defence and security firms, perhaps telecoms and some parts of the critical national infrastructure, we would probably need something with some infrastructure behind it, so that people can share very highly classified information in real-time, fast, with one another. For the rest, where it is more about warnings and alerts coming out from the centre and where the idea is to get as many people as possible joining, we would probably want something that is much less classified, much easier to reach and where the circles that people want to join are decided by them rather than being policed from the centre. It is something much more like a social network to be honest. Work is going on now to bring those things forward. We are making progress and the programme can point to places where firms would say that the information that they have shared through this process has definitely helped them to protect themselves from what otherwise would have been a significant loss.

Q213 Ms Stuart: Are you already making, or are you intending to make, the requirement for information sharing part of your public sector contract when you contract with the private sector?

Mr Maude: With suppliers? I guess that where it is in the defence and security field, it is already part of the arrangements.

James Quinault: Yes, the MoD is looking now at whether it should be tightening up and increasing the standards asked for, particularly from List X companies. There are already requirements, but they do not include, for example, mandated auditability and that kind of thing.

Q214 Ms Stuart: That is just the MoD. I am not clear whose responsibility that bit is. Is it the MoD or the Centre for the Protection of National Infrastructure?

James Quinault: For defence and security companies, as the contractors of the MoD, it is principally an MoD responsibility, but the CPNI and ourselves are involved with the MoD in thinking about that, because it obviously has implications beyond the defence sector.

Q215 Ms Stuart: Are there then MoD and general public sector requirements?

Mr Maude: I am assuming that it is the case, but I will check.

Ms Stuart: It would be helpful.

Mr Maude: I will definitely check. I would assume that that is built in, but we should absolutely check.

Q216 Chair: Do I take it from what you said that the issue of the supply chain for the MoD and perhaps for other Government Departments and whether those small and medium-sized enterprises are properly protected from cyber-attack themselves is an issue which your Department would tend to consider was the responsibility of those other Departments to deal with? So managing the defence supply chain would be an issue for the Ministry of Defence, would it?

Mr Maude: Yes, definitely. Where suppliers are providing cross-cutting services, which they frequently do through the Government Procurement Service, we would expect to be in the lead on that. I think James will say that we are chairing work on that across government.

James Quinault: So our view would be that the MoD has to be in the lead on thinking about its relations with its own defence suppliers, which is completely appropriate, but we are involved in thinking with them about what may need to be done to those relationships to deal with cyber-issues.

Q217 Chair: I am pleased to hear that, because the Ministry of Defence think they have not got this quite right yet. Are you working with them to help them to get it quite right?

James Quinault: Yes, and with other Government Departments for whom this is an issue, too.

Q218 Chair: If the MoD hasn’t got it quite right, other Departments-for example, those Departments dealing with the finances of the country-will have got it less right, won’t they?

James Quinault: It is also not just a question of getting it right once and for all. Just as the market you are dealing with moves on, so, too, do your responses and policies. You are talking here about telecoms, which doesn’t stay still. So the Government’s thinking about this has to move with the nature of the beast.

Q219 Chair: Who is gingering all of this up?

James Quinault: The Cabinet Office leads collective work on this, but, as I said at the beginning, it is then for the Ministry of Defence, let us say, to think about how it plugs that into its relationships with its suppliers; it is not for the Cabinet Office to run all of that from the centre.

Q220 John Glen: Minister, can I ask about your level of contentment with what the MoD have reported back to you on the progress they have made on their cyber-security programme and the components that they are in the lead for?

Mr Maude: The parts that they are responsible for are the Global Operations Security Control Centre at Corsham, which I visited two or three months ago and which is incredibly impressive and state of the art. They have set up the Joint Cyber Unit at Cheltenham in GCHQ, which seems to me to be working pretty well. We are not reinventing the wheel in different places. MoD and GCHQ have properly grasped that we need a single integrated capability in this territory, which absolutely should be based in GCHQ.

I would say, but you will have investigated this yourselves, that the MoD have a good sense of the importance of cyber for military thinking in the future. It is built into, I understand, the concept of the responsibilities of the new Joint Forces Command. I think they have got, as far as I am aware, decent plans for rolling out training on cyber across their personnel.

There is a scarcity of key skills in this area. That is universal, which is one of the reasons why one of my obsessions in this area is avoiding duplication. These are scarce resources in the economy generally, so we need to make sure that we are not replicating functions in different places. That is a challenge in the law enforcement area, which is very dispersed. Some of it is central Government and some of it is wider public sector, so it is not all within our control.

Q221 John Glen: Obviously, as you have explained in your answers to the earlier questions, there is a degree of autonomy within different Departments, but I think you probably also agree that there is an issue on the need for consistency and for you to have a level of assurance that each Department is dealing with cyber-security in a responsible and adequate way. Are you confident that you have that level of consistency? One of the things that has come up is concern about metrics for measuring it. If we return to this in 18 months to two years, what would we look for to see consistency?

Mr Maude: Am I totally happy that it is consistent? No, I wouldn’t say that, that would be very complacent. But am I aware of any particular failings, in terms of progress? I think it took a little time to establish the necessary degree of collaboration in the law-enforcement world-I do not know that we are completely there but we are in a better place. We have been quite insistent on that.

The metrics are really difficult, and it is the kind of question I have asked a number of times. One of the things that I did in the latter part of last year was to bring on to the programme board a very experienced senior non-exec from the business world, who had run one of the big technology businesses, to help with that and to provide the challenge and so on. It is very easy, when you have an early stage programme, to say yes we are spending the money, hiring people and doing all this, but what are we actually achieving? In terms of metrics, it is difficult. In terms of the outcomes, can you measure how many cyber-attacks do not happen that would have happened had we been less successful? It is hard.

Q222 John Glen: But presumably there are known information networks across Government Departments that you can identify as critical and needing to be treated and protected in a consistent way? Have you identified specific things as well? It is a separate question.

Mr Maude: I see what you mean, yes. Is our own infrastructure-our own vulnerabilities-protected to a reasonably consistent level? I think so, but do you want to add anything, James?

James Quinault: Yes, to the extent that consistency is appropriate. One of the ways of making this easier for yourself is by trying to decide what information assets most need to be protected and to make sure that you are only protecting them to a proportionate level, otherwise your walls are too long and they are bound to be breached somewhere. We do have metrics on that, we do know how many attacks have been thwarted, but what you do not always know of course is what has got through. But we do have metrics.

I think the Minister was talking about metrics for the programme as a whole: how do we tell that the investments being made through various Departments are producing the goods? There are, absolutely, metrics in terms of the outputs that we expect from each element of the programme-we know what the money is supposed to be buying and whether we are getting it-but what is less clear, as the Minister said, is whether overall that is making the dent in the outcome that we want to see, with the overall problem. The problem there is that we do not have a baseline, we do not know how big the problem is that we are trying to shrink. We are working on that, but if we had waited to solve it before we cracked on, we would be further behind the curve than we are.

Q223 John Glen: I understand the difficulty with the issue and with resolving it, but from our perspective-not that you are doing things from our perspective-of scrutiny, if we come back to this in two years, what do you suggest we should be looking for to demonstrate that progress has been made between now and in two years’ time, for example?

James Quinault: You will need to do what we are deciding we need to do, which is to try and make a great big pile of all the pieces of data that bear on that question and then form a subjective view about whether you think things are getting better or worse-taken from infection rates, as revealed by security vendors or reports, or data on numbers of attacks mounted from Britain-and just piling it all up and deciding whether you think that means that the problem is getting bigger or smaller. That is what we think we are probably going to have to do, but the hunt is still on.

Mr Maude: Finally on that, this is an internationally competitive environment. One of the things that we explicitly say in the strategy-the first objective-is to make the UK one of the most secure places in the world to do business in cyberspace. I think we kind of are there at the moment, and acknowledged to be. Keeping there is very important, because the attackers and the fraudsters-whatever-will go for the places and the entities that are most vulnerable.

Q224 Chair: Which is partly a problem of the skills we have in the sector. You have mentioned that before.

Q225 Mr Brazier: I have some questions about people, Minister. Commenting to this Committee, Professor Brian Collins-as you know, he is an expert in the field-said:

"Perhaps as a codicil to that…there is an assumption that there will be continuity of stewardship of the strategy over a period of many years."

I appreciate that you are not answerable for MoD but it slightly concerned us that when we had got a National Security Strategy and then a SDSR that put the spotlight very firmly on MoD as having a very large role in this, they immediately appointed a man as the project manager who was known to be leaving the Army a year later. In fact, he performed very well in front of this Committee almost hours before he left the Army a week or two ago. Is there going to be some continuity in this field of key individuals, or not?

Mr Maude: Ideally. It is a general plea, actually, that we need greater continuity generally. One of the benefits of a coalition is that you get greater continuity among Ministers because reshuffles are more difficult. Not more difficult-more complicated. But when we were developing the civil service reform plan, one of the pleas among Ministers was to rotate civil servants less frequently and keep them in post longer. That is a general plea.

Q226 Mr Brazier: General Shaw was clearly well enthused and briefed on the subject, but it just seemed a great shame to have somebody in his last year in the Army leading the charge, and leaving.

A wider point. What is the Government’s long-term strategy for competing with the private sector to recruit and retain the brightest talent in cyber-security? You were asked a bit about that earlier, so I will go on into the supplementary. Is there a danger that highly trained people no longer employed by the Government could one day use their skills in service to those attacking UK interests? Having taken people through some of these very sensitive areas, to what extent are you able to keep tabs on them if they leave?

Mr Maude: To the greatest extent we can. How do we compete? As I say, it is not just money. By and large, brilliant people do not go and work at GCHQ for the money; they do it because it is fascinating and it is very big-picture, serious stuff. We need to home-grow more talent and not expect to recruit everyone at the level of talent and expertise that we need, but to develop it more, which is something I believe we should be better at generally in the civil service.

So far as keeping tabs on people afterwards, would you like to say a word about that, James?

James Quinault: Keeping tabs on-?

Q227 Mr Brazier: The possibility that they may go and work for someone who is-

Mr Maude: Hostile. Senior people, when they leave Government, are subject to rules on business appointments and need consent.

Q228 Mr Brazier: And you are satisfied with the vetting process at the beginning? I mean, there were always stories about terrorists in Ireland getting training from the Army. That is something you could not prevent in principle. There is always the occasional story on that. This is an area that you are satisfied you have a pretty strict vetting process for people who start in it, not just at GCHQ but more widely?

Mr Maude: I don’t suppose it is infallible, but I think it is pretty damn good.

Q229 Mr Brazier: What issues arise with the engagement of staff from private sector partners to work on Government cyber-security, for example potential conflicts of interest if staff feel they are being pressured to divulge threat information from their employers, or difficulties with security clearance for staff who work internationally? What sort of issues arise when you are dealing with the private sector in collaboration?

James Quinault: There are sometimes issues, and necessarily, because for the reasons you gave, we need to make sure that we are not harbouring a cuckoo in the nest. That said, there is a pressure from the other side to make sure that these rules are not inadvertently cutting us off from sources of talent. So we think hard and carefully about what levels of security clearance are proportionate and, where we can, we try to find ways of separating out the problem that we want people to work with us on from the information about where it has come from-its background and so on-which they do not need to know, and which is the really sensitive stuff.

We would get on very much better in this field if we could find ways of doing that on a regular basis, disassociating the problem we want help with from the rest of the sensitive stuff, and laying that out there for people to work on publicly. If we could do more frequently what the big vendors do, in advertising some of their difficulties and vulnerabilities and asking people to come up with solutions, we would be getting on a lot faster and would get a lot of talent for free. So we are keen to do that. The last thing one wants to do in this area is narrow it down to a small set of vendors to deal with, because that is not the way to breed innovation and the sort of quick response that you need.

Q230 Mr Brazier: That is a rather interesting point. You are saying that part of the key to it is finding, in cyber terms, ways of separating the product from the source.

James Quinault: Separating out the thing on which you want to bring innovation and skills to bear from the reason why you are worried about it, if you like. There is an obvious problem with advertising a vulnerability to the world at large, but if you can find a way of keeping that dark while asking people about the particular technical issue on which you want help, you can do that much more easily, and thereby draw on a much wider set of expertise, rather than having to go back and back to a small set of vendors who have passed over a barrier to entry in terms of security clearance. It would be great to get the widest possible set of firms and interested people working on these problems, instead of having to deal with a small group of defence companies all the time.

Mr Brazier: That is very helpful.

Chair: The final issue is international direction.

Q231 Ms Stuart: Minister, I gather that, like many of us, you have finally visited Estonia, for obvious reasons, not least because they have had direct experience. As a result of that, I gather that we now have someone in the embassy in Tallinn who will focus specifically on co-ordination on cyber, and act as a permanent point of liaison with the Cyber Defence Centre of Excellence. Why did we not just join the NATO group, which is part of the centre of excellence, in the first place? Would that not have cut out the middleman?

Mr Maude: The centre of excellence there, which I visited, was not operational.

Q232 Ms Stuart: I seem to remember visiting one some years ago that was operational.

Mr Maude: It is not an operations centre; it’s a know-how and research centre.

James Quinault: It is operational in the sense that it is working. It is not operational in the sense that it is not the place from which cyber-defence of NATO would be commanded.

Mr Maude: Absolutely. That is what I meant.

Q233 Ms Stuart: But we could still have joined it, rather than appointing a liaison officer to talk to it, or am I misunderstanding something?

James Quinault: The officer concerned will have other responsibilities besides liaising with the centre. They will also, for example, help the Government to tap into what Estonia is doing on putting public services online. There is a lot of other stuff going on in Estonia.

Q234 Ms Stuart: But it is already a paperless Government, or has aspirations of being one.

James Quinault: Yes. This liaison person will help us to tap into that, as well as liaising with the centre. It is not everything they do. It would indeed be peculiar to have a liaison officer to the centre but not to join it, if that was all they did. In fact, they have other jobs as well.

Q235 Ms Stuart: May I press you just a little more? Why are we not part of the NATO centre, if what is going on there is so interesting and important?

Mr Maude: It is interesting, but it is not the only thing going on in Estonia from which there is much to learn. Estonia, which famously was the victim of a massive cyber-attack, is, at the same time, the most digital Government in the world, and has not been one whit deterred by the cyber-attack from going down that path. There is a huge amount of knowledge, generally, in Estonia, and some really interesting businesses in that field-small start-ups in the field in Tallinn. One of the things we were doing was looking to build links between those sorts of businesses and businesses in Britain. We are good at this stuff-not only Tech City; I visited Malvern recently, where there is a particular cluster of businesses in this field.

Q236 Ms Stuart: May I press you a little more? Estonia is barely larger than Birmingham and you have been to the place in Malvern. What did you learn other than that interesting small businesses could work together and that it would be very interesting if they did that?

Mr Maude: Enormous amounts about moving to digital Government and provision of public services online and the possibilities. We talked to them about how they contract with suppliers. They contract on a much shorter-term basis. They do not do what we do and have typically done in this country in government, which is to embark on massively long and huge IT contracts with one oligopoly of major suppliers. They looked at us in bewilderment when we described some of the things.

Q237 Ms Stuart: But they are that much smaller, so it would be quite different. I want to press you a little on an earlier question on protocols in terms of procurement and sharing. Do they have protocols in place that would require information-sharing in terms of cyber-security, and unless they did that, would the Government not sign contracts with them? Is that the kind of thing you have learned from what they are doing?

Mr Maude: Do you mean with their suppliers?

Ms Stuart: Yes.

Mr Maude: I do not know whether we particularly focused on that. Of all the Governments in the world, they are the most focused on this.

Q238 Ms Stuart: I have seen them sat around their Cabinet table with their laptops and not a single piece of paper, but what did you come away with that made you say, "Hey, that’s really interesting what they are doing. Why don’t we do it here"?

Mr Maude: The single insight I took from it is that we in this country allow ourselves to be excessively transfixed with security and prevent ourselves from doing really interesting things that drive productivity and better services for our citizens, because of what are sometimes inflated concerns about security. One of the concerns-any civil servant will tell you-about the frustrations of operating in the civil service is that there is IT that is incredibly difficult to use, because somebody has inserted into it security constraints. A senior civil servant in my Department who is not dealing with anything particularly sensitive told me that before he can start work every morning it takes 15 minutes for his computer to fire up. The effect of that on productivity, and the frustration for people, is huge.

As I have said, Estonia has very intense concerns about security-no one more so. They paid a big price to learn the lessons that, actually, everyone else has learned, but they are still doing this stuff and they are doing it very aggressively and pursuing it vigorously. The particular insight I drew from it is that we should push ahead with creating digital services here, aggressively and at pace, with proper concern for security, but the security should not be a block on making progress on digitalisation.

Q239 Ms Stuart: Other than Estonia, are there any other countries where you felt, as you looked around, "They are really quite good and ahead of things. We could learn from them"?

Mr Maude: The States is very good. In February, I was in the States and visited the National Security Agency. Again, what was fascinating there was to find that they operate on a very short-term basis, similar to Estonia-although the United States is not small like Estonia-and they use a lot of small suppliers. If you go to Silicon Valley, you will find a number of really small companies with 80 or 90 employees, newly set up in 2008 or 2009, which are doing business with the National Security Agency. They are open-source, cloud-based suppliers, and they are doing incredibly sensitive, difficult stuff. The point is that to do the stuff well, we need to be tapping into the new wave of suppliers and developers. There are possibilities now, and those on the other side of the argument, if you like, are developing all the same things. We need to be as alert and agile as they are.

Q240 Chair: Will you forgive me for hammering into the ground one question that I still do not feel I have really got to the bottom of? Why is it that we are not joining the Cyber Defence Centre of Excellence? Would it be wrong for me to paraphrase what you have said as the Estonians are well ahead of the game; they are doing very interesting stuff; it is extremely helpful; we need the liaison officer; but we are even better and we do not think that is how we should be spending our money? Is that it?

Mr Maude: Just to be clear, the centre of excellence is a NATO institution. It happens to be based in Tallinn, but it is not the sole repository of Estonian knowledge and expertise. The reason for having someone based there whose sole role will be cyber but who will not be solely interacting with the centre is that it would be quite limiting just to be involved with that.

Q241 Chair: Just to be involved with that, yes. Have you been inspired to add anything to what you have just said?

Mr Maude: No, not really. That is the way I put it to them, because they raised the same question with me, as you would expect.

Chair: Thank you very much, Minister. It is just past 4 o’clock, and given the number of other things you have to do, I think we ought to release you. Thank you both for a very helpful evidence session.


[1] Note by witness: Economist Intelligence Unit report sponsored by Booz Allen Hamilton

[2] Note by witness: We were certainly one of the leaders in helping to draft the Budapest Convention

Prepared 12th March 2013