UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE To be published as HC 1029-i
HOUSE OF COMMONS
TAKEN BEFORE THE
PUBLIC ACCOUNTS COMMITTEE
UK CYBER SECURITY
DR THOMAS RID, PROFESSOR SADIE CREESE and MARK HUGHES
KEN MCCALLUM, JAMES QUINAULT and OLIVER ROBBINS
Evidence heard in Public
Questions 1 - 95
USE OF THE TRANSCRIPT
This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.
Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.
Taken before the Public Accounts Committee
on Wednesday 13 March 2013
Margaret Hodge (Chair)
Mr Richard Bacon
Mr Stewart Jackson
Amyas Morse, Comptroller and Auditor General, Gabrielle Cohen, Assistant Auditor General, Sally Howes, Director, National Audit Office, and Marius Gallaher, Alternate Treasury Officer of Accounts, were in attendance.
REPORT BY THE COMPTROLLER AND AUDITOR GENERAL
The UK cyber security strategy: Landscape review (HC 890)
Examination of Witnesses
Witnesses: Dr Thomas Rid, Reader, King's College London, Professor Sadie Creese, Professor of Cyber-security, Oxford University, and Mark Hughes, Managing Director of Security, BT, gave evidence.
Q1 Chair: Welcome. Thank you all very much indeed for coming. I do not know whether you are aware of the way in which we carry out our proceedings, but this first session today will be slightly different; it is about hearing from you, as experts in the field, on where you think we should focus our questions when we move into the main session with those responsible in government for overseeing this area of work. That is the first thing to say. The second thing is that this is what we call a landscape review; we are trying to get to grips with the issues, and then we will return with specific studies, following on from this first excursion into covering the issues. This session is to gather a much more general understanding of what the UK cyber-security strategy is all about, and where the strengths and weaknesses are.
I will start with very general questions for you, Dr Rid. As I read the Report, two things came to my mind. One is: have we got the regulatory framework right? The second is: given the massive impact that this could have on both the country’s security and the lives of individuals and communities, are we spending the right amount, and are we spending it properly? Those are quite big questions, but the regulation and the expenditure seem to be two issues that would be of interest.
Dr Rid: Both issues that you mention are indeed of great interest. Let me briefly respond to what you said about the importance of this issue. It is very important, especially when talking about spending money and getting the regulation right, to differentiate between the different threats that we face.
To be somewhat simplistic, there is crime - cybercrime - that takes many different forms. There is espionage and foreign espionage, which is commercial as well as political. Those are the first two, and crime is a massive problem. Espionage is also a significant problem, in monetary terms. Then there is sabotage of critical infrastructure, interrupting the most essential systems that the country depends on: utilities - energy especially - and perhaps even telecommunications. That can be a problem, but so far it has not been a major problem; there has not yet been a major incident. We are talking about a very different problem here from a technical point of view. Finally, there is hacktivism and political activity online, which again is very different. I think that regulation needs to reflect the very complex technical landscape, and I am sure there is room for improvement.
Q2 Chair: At the moment, if you read the Report, a lot of circulars go out from the various Departments that are responsible for it, but - I am thinking about myself as a user - there is very little onus on me to make sure my own PC is secure. There is nothing telling me that I have to do anything to ensure it is secure.
Dr Rid: One thing that the Government are doing well, as far as I can see from reading the Report and from what I can observe, is addressing the public education part of the problem. They educate public users of computers and online bank accounts to be careful and to apply the necessary hygiene. That is very important, but it does not cover all the problems we face. At the opposite end of the spectrum, utilities and critical infrastructure have computer systems that are entirely different - so-called industrial control systems. They are very complex technically, and are much more difficult to attack than, say, a bank account, so the two have very little in common.
The person in the Government in charge of critical infrastructure should have nothing to do with banks and with telecommunications, and they don’t, but the problem is that if we focus on critical infrastructure, we, as individual users, have very little to directly worry about, in the sense that we cannot do anything. We can turn on our tap in the morning to brew coffee, but that is about it. We cannot change anything in terms of our consumption behaviour, as we can with bank accounts. We need to improve the visibility of vulnerabilities in the critical infrastructure field in the UK.
Q3 Mr Bacon: Why has there never been a lethal cyber-attack against a country’s critical infrastructure?
Dr Rid: If I can give you a blunt, populist answer, al-Qaeda is too stupid, and China does not want to do it. Right now the question is, what if al-Qaeda acquires the necessary skills to do so? Al-Qaeda is, of course, a place holder for all sorts of militant, non-state actors who could have an interest in something like that. The problem is that actually disrupting critical infrastructure requires not just skill, but intelligence about the targets you are trying to penetrate. It is not enough just to switch off the system through a software attack; you have to reprogram the system to modify the output parameters. That is much more difficult, and you need to know what you are doing. You need skills and intelligence, and right now militants do not have that.
Q4 Mr Bacon: And those that do don’t want to?
Dr Rid: Let us put it this way, differentiating between espionage and sabotage: people in China have a commercial interest in stealing information from western companies. They do not have a commercial interest in breaking anything. They want to steal stuff, but they do not want to break stuff because, after all, they are part of the same economy.
Q5 Chair: Can we go across the table and then bring Stewart in? Just opening thoughts, and things like that. You might want to respond to my issues about the regulatory framework, or the investment by Government in this area.
Professor Creese: I will take the regulatory framework first. Obviously regulation is just one lever with which we create cyber-security within the UK, in the broadest sense. On a personal level, regulation is not one of the spaces that would be at the top of my list as somewhere we should take action. As the years have shown - before we coined the word cyber-security we all worked as computer security professionals, and in information security after that - regulation with associated compliance frameworks can often just encourage ticking-the-box activity, and not create the output you are looking for. It definitely has a role, but it is not one that I would have at the forefront-
Q6 Chair: What are your priorities?
Professor Creese: When you were elucidating your question, you mentioned that you felt that there was nothing telling you, as a citizen of the UK, how you should be contributing to the UK’s cyber-security posture, and you were asking how you could do a better job of that. Actually, there are places that you can go - they are referred to in the Report - for some of that advice.
Q7 Chair: Four million people.
Professor Creese: Okay, yes, but there is always a very positive experience at the other end of it. I have always felt that we invested very heavily in good advice and under-invested in promoting it. Ultimately, what you are really talking about is not something that you solve through regulation. It is more than that; it is a culture change for the UK. One might argue for education and awareness-raising, but that in itself does not stand alone. People have to have the right tools. You have to tell them what to do and enable them to do it.
Q8 Mr Bacon: What about what not to do? Someone put it to me that part of the problem is Explorer, and that we should stop using Windows Explorer. He said, "God, I would never use Internet Explorer. I would use Firefox or Safari."
Professor Creese: It is nefarious advice.
Q9 Mr Bacon: I am not in a position to assess Windows Explorer technically, but what merit is there in such assertions?
Professor Creese: The truth of the matter is that all software and middleware has some form of vulnerability.
Q10 Mr Bacon: Software and what? Did you say middleware?
Professor Creese: Middleware. Stuff you use to access cyberspace - technology - will have a vulnerability that is exploitable by bad people doing nefarious things. That is a fact. Some technologies have been focused on more than others, in terms of detecting the vulnerabilities. That is usually related to how prevalent they are in the community. There is an economy of scale to be had here. Many, many years ago, when Windows was the only platform of choice, a lot of people spent a lot of time finding fault in Windows-related products, such as Microsoft Internet Explorer and the like. We have other software companies that are experiencing the same effects now. If you were actually to look at the kinds of attacks that are prevalent and are concerning us, it is not just about vulnerability in software; people are also being heavily targeted - just as much as software - and encouraged to give away credentials and to give people access to systems.
Q11 Chair: We are about to have a vote, which is a pain. Going back, what are your priorities? Culture change? I have to say to you that I have always believed that to get culture change, you need a regulatory framework to encourage it. It is certainly true of the work that I have done in other areas of life that if you do not have the regulation, you cannot promote culture change. Be that as it may, go on.
Professor Creese: I should clarify that culture change is not necessarily my top priority. I was suggesting to you that to achieve the kinds of difference you would like in the citizen’s understanding you are really talking about a culture change campaign, and embracing people who understood that kind of culture change management. There are other areas that would concern me, to do with our ability to protect against very well-resourced and persistent threats across UK plc. A lot of commercial loss-
Q12 Chair: So more money into R and D?
Professor Creese: Not necessarily. Some investment is going into helping people actually exploit the solutions that are already available to them more effectively, but we do a reasonably good job of that. I have to say that my perception is that the UK is at the leading edge of how we tackle cyber-security and the governance of cyberspace. We do not have the solution, but we are at the leading edge.
Q13 Justin Tomlinson: On that specific point, what about the flow of potential future staff? From our reading and the evidence that we have been presented with so far, there seems to be a chronic shortage of people with your enthusiasm and knowledge to help lead the fight.
Professor Creese: Sure, there is a chronic shortage of people, and not just in the UK. We need to do something about that.
Q14 Justin Tomlinson: Are we doing something about that?
Professor Creese: Based on my limited awareness, yes, we appear to be doing that at all levels, from primary to secondary and up through to university. I can certainly speak for Oxford. We now have this stuff within our MBA programme. We are not just talking about creating techie security professionals, but about having very clever consumers of that advice in the leadership of our companies in the future.
Q15 Justin Tomlinson: Am I right in thinking that it is not just your traditional techies that we need? Do we need this in all walks of life, whether it is in the legal department or whatever, so that everybody has an understanding of it?
Professor Creese: Yes. Cyber-risk has to be managed alongside all the other risks that you would typically manage in an organisation.
Q16 Chair: Let’s hear from Mr Hughes, and then we will go to Stewart, because he has been waiting.
Mark Hughes: Being in a business where regulation applies to us in many shapes and forms, I think that the national cyber-security strategy is deliberately set out not necessarily to put wraps or regulation around things. The four key parts of the strategy very clearly have work programmes underneath them that are about encouraging business in many areas to understand the risk and take action to mitigate that risk. At the end of the day, it is important that it is about making those risk-based decisions.
Ultimately, regulation can go so far, but given the threat landscape that Dr Rid talked about earlier, things are changing very quickly. Different types of threat are out there, and to have regulation to keep pace with that type of change would be extremely difficult. Hence why I think that the national cyber-security strategy has focused on ensuring that there are key strands where action can be taken almost in real time.
There are some examples. The second strand is about making the UK a more resilient place to do business. We are involved very heavily in the Cyber-security Information Sharing Partnership - CISP - which is exactly what it says. We share information in real time and can then, together, take action on that and against potential threats. I do not see how a regulatory framework would necessarily be able to cope with that.
Q17 Chair: What would help you, Mr Hughes, if you are against regulation? Or does it work for you; do you think that we have got it about right? You are here as a representative of a big institution for which it would be a big problem. What would help you beyond what is already being worked through in the cyber-security strategy?
Mark Hughes: I think that we are in the fairly early days. We are a year into a few years of programme of activity. I am not thinking about what would help me now; it is more about sustaining what has been started. That is what I think is key. There are a number of important strands that we need to reinforce and to ensure that they really execute. Going back to Professor Creese’s point about awareness-raising, as you rightly point out, culture change does not happen overnight. Think of organisations such as the National Fraud Authority and initiatives such as Get Safe Online, which the Report talks about.
Q18 Chair: How many people have looked at Get Safe Online?
Mark Hughes: I don’t know the numbers off the top of my head.
Chair: Tiny numbers.
Mark Hughes: But notwithstanding that, these things do take time. I would liken it to the "Clunk-click" campaign that happened many years ago to get people wearing seatbelts.
Q19 Chair: No, that was regulation.
Mark Hughes: There was indeed an element of regulation there.
Q20 Fiona Mactaggart: It was after the change to the law that the increase in seatbelt use went up. I think it went up from 30% on average to 70% the day after it was passed.
Mark Hughes: But notwithstanding that, there was a very big campaign around it as well. Campaigns take time to embed - awareness is not something that just happens once; it has to be continually worked at. We must also increase the level of reporting around where people have been affected by, for example, cybercrime. That is happening through the National Fraud Authority action line.
Q21 Mr Jackson: Obviously we are talking about a defensive capability in cyber-security. Dr Rid, I was interested in what you were saying about the security element. You will know that, in June 2010, the Stuxnet malware worm hit the Iranian nuclear capability at Natanz. In the course of that attack, we are led to believe that it knocked out 58.8% of the entire computer network in Iran. In terms of cyber-security, that was obviously a massive event. Was it unique? Was it something that was built up to? Could that happen to, for instance, critical infrastructure - gas, electricity, dams, rivers and so on? How big a threat is that for us, going into the future?
Dr Rid: Thank you for bringing up that point. Indeed, the Stuxnet attack affected in total about 100,000 so-called hosts - basically, computer systems - but on only one system did it actually cause any damage, and that was in Natanz. It was highly targeted. The rest is collateral infection - inconsequential. It did not take out Iran’s network. It infected computers, but it did not act on those computers. I sent you a map, which you should have on your iPads.
Q22 Mr Bacon: I was going to ask you about that, but Mr Jackson beat me to it. What Professor Creese said earlier made me reach for the map. Professor, you said that the UK was at the leading edge. If each dot is a degree of threat, as I understand it, I am pleased to see that Norfolk is completely clear of threat - I will just get that on the record. I do not want you to take this the wrong way, Dr Rid, but my question is: what is wrong with the Germans?
Dr Rid: Let me briefly explain and make sense of that map.
Mr Bacon: They look like they have measles.
Dr Rid: The Germans are in trouble, but so is the UK, and here is why. This map shows control systems. They could be controlling a water pump, a brewery, an elevator, or part of the grid.
Mr Bacon: We would all like to control a brewery.
Dr Rid: These systems are often connected to the internet. The data you can see on the map show control systems - not computers where people work - that are connected to the internet. Oftentimes the red dots are unknown to the company that is actually connected to the internet, because sometimes companies do not know they are connected. We have precedents for that. Why is the UK seemingly not vulnerable while Germany is a red carpet? Because the data are currently biased towards German products. The small initiative that Freie Universität Berlin came up with - it came up with this data - has a biased dataset, because it is German.
The question is: what does that map look like in the UK? We do not know. The Government do not know exactly, and business does not know exactly. You have very low visibility into that map. Even if we could replicate the data, as in Germany, it would still not answer all the questions that we have. So what does that mean? Let me say something about regulation, because I think we have to be careful not to come forward with wholesale statements.
Let me focus on the breweries, water pumps and whatnot that are connected to the internet. If you open your tap in the morning to make coffee and Thames Water has a cyber-security problem, you will still most likely have water flowing out of your tap, so you will not change your water provider. But you will change your bank account if HSBC messes up - no question.
Q23 Mr Bacon: If you know about it. I heard you on the radio this morning and the man played to you his clip from the Friday business boss. He asked you whether it was correct, and you said, "Absolutely." The point was, for those who did not hear Dr Rid at twenty-past six, that banks get these attacks all the time. Sometimes they are successful, but they quietly put the money back in the account, because they do not want the reputational damage, and no more is said. What we do not know and do not understand is the prevalence of that.
Dr Rid: But the point I am trying to make is that, for utility companies, the risk of reputational damage is very low at this point, so the market does not fix the problem for us and we need to create additional incentives.
Q24 Chair: Which means what?
Dr Rid: It can mean insurance policies or some form of regulation, but it has to be highly tailored towards the product that you are trying to improve.
Q25 Mr Jackson: Can I go back to my question? You seemed to be very reassuring in answering my direct question, but can I refer you to A.Q. Khan? He was a freelance nuclear scientist who decided to sell his information, expertise, skills and knowledge, and he facilitated the nuclear capability in possibly North Korea, but definitely Pakistan. You say that al-Qaeda is too stupid to embark on a course of action to destroy or retard critical infrastructure, but how likely is it that freelance operatives would offer their services, for significant money, to do exactly the same thing in terms of cyber-security?
Professor Creese: First, there is already a supply chain that exists within the community that attacks systems. You can sell something called a zero day on to the market, which means you are selling knowledge of a vulnerability, and, in particular, a way of exploiting that vulnerability that was not previously known about, so it is generally quite hard to protect against. But let us focus in on these control systems. The truth of the matter is that the map issue does not apply to the UK for all the reasons Dr Rid said. There are many control systems that have the capacity to connect to the internet for remote control that are not switched on. In truth, a lot of these technologies were designed in a time when we assumed either that they were enclosed environments, so they were never going to be connected to the internet, or that there would be a fairly benign environment. That is true of many systems of this nature.
The challenge we face now is that we have evidence that people would seek to understand the vulnerabilities that exist in those systems and get into them for malign purposes, and we have not necessarily developed them to the right levels of integrity that would prevent those vulnerabilities existing. They are existent in our environments. We cannot start from scratch; we have to cope with them.
To try and answer your question directly, this matters to us, but we need to understand that we can have any discussion about the nature of the threat in this room today, but the threat environment constantly changes. So even if you satisfy yourself today that all of these control systems in the UK that run on SCADA are not of primary concern and we should be investing elsewhere, that could change tomorrow.
I should like to bring you back to a comment that Mark made earlier to do with the investments and in particular the focus on enabling organisations - whether they be Government Departments, public sector, commercial multinationals and smaller - to make good risk-based decisions, because it is key. The environment changes - not just the threat environment, but your consumption of technology, your use of cyberspace, your enterprise and the services you offer - so you have to be enabled to make good risk-based decisions on how you protect yourself, and that can change on a daily or hourly basis, depending on who you are and what you are being subjected to. Yes, it should be of concern, in short, but you could have a different conversation next week. Something might happen and might raise it up your risk register. We need to bear that in mind.
Q26 Chair: I don’t know where that thought takes you. That’s the interesting thing. Where does that take you? If it is such a fast-changing environment, what do we do today, or what should the Government plan to do over the next three years?
Mark Hughes: I think back to my previous point about establishing the frameworks in which first businesses, and those who are responsible for the type of infrastructure that we are talking about, really get what they need to do. For example, 10 Steps to Cyber Security, which was launched a few months ago, is very good, straightforward advice. If a lot of businesses got hold of it, we could raise the bar quite significantly. In addition, there is that information-sharing piece: understanding between us what the real threats are as they are manifesting themselves in various parts of UK business, and then being able to take action in line with the best practice that comes out from the Centre for the Protection of National Infrastructure, for example, where these aggregated risks can be assessed. Then business and various Government Departments can take action as required. More information-sharing is key and then also being able to have the appropriate responses in place - GovCertUK is a good example - to be able to respond to this stuff. BT operates in many countries in the world and we are quite different in the UK. Things are much more advanced in the UK-
Q27 Chair: Are we different because there is more advice out there?
Mark Hughes: There is more information-sharing. The frameworks are in place and the advice is quite straightforward and is targeted. I was in the room when those 10 steps were launched with 100 chief execs and chairmen from UK business. This is targeted right at the top of UK business.
Chair: And no SMEs.
Dr Rid: Just a quick response to your question. Yes, there is a threat. Is it cyber-Pearl Harbour? No, it is not, but it is still significant. On the speed of change, I agree mostly with what Professor Creese said. On telecommunication, for example, you all have mobile phones in front of you that probably change every two years - although I see people using BlackBerrys; it doesn’t apply to you.
Q28 Mr Bacon: Can I just check? Is that an advert or a warning?
Dr Rid: The point is that the pace of change is much slower in the control system environment. The Siemens vulnerability, which allowed Stuxnet to damage the Natanz plant, started in 2005 - we have to keep that in mind - and was going on for almost seven years. Some of those vulnerabilities have still not been fixed, so the same systems have been in place for more than a decade. Change in the control system environment is much slower, and different laws apply.
Q29 Chair: So should the 10 steps be a regulatory obligation, if they are so good? Would that not be a sensible preventative measure, a bit like seat belts?
Dr Rid: I would be hesitant to make a strong statement on that.
Q30 Chris Heaton-Harris: Or are they like the king who wears no clothes? We are all ageing legislators, and the people driving the technology are young, SME-based types, in a garage somewhere doing something whizzy and scaring the life out of us all. I do not think we can ever catch up on the curve to where they are with regulation. It is about putting in place the building blocks where we can catch the pieces, should things go wrong.
Mark Hughes: You are absolutely right. There is a balance to be struck between hard regulation and - this was your point, Professor - box-ticking. There is a lot of good stuff in the 10 steps. I think it was Iain Lobban who said that if the 10 steps were implemented properly, 80% of the problem would be dealt with. There is a lot that can be done and could-
Q31 Chair: Sorry to interrupt, Mr Hughes - I completely take Chris’s point about the web changing so rapidly - but you said those 10 steps are really good. You are BT; you are big and you are in that world and you are bound to do it. Reading the Report, we do not know how many big companies are doing it. We know that SMEs are miles from your understanding, knowledge and willingness to implement it. Professor Creese talked about that. Thinking about it, is it crazy that we will always be playing catch up, or is it sensible? It is about a balance, and I have not got a clue what the answer is.
Dr Rid: The problem here, to a great degree, is detail and knowledge of what we are talking about, and visibility. That is not just in this room, but in the larger debate as well. If you want to talk about control system weaknesses in the UK, it is difficult to say something sensible, because the information is hard to get and is sometimes not in the public domain. In terms of the control system problem - this relates back to the skill problem - the UK just does not have enough skilled young people working for Government.
Sitting suspended for a Division in the House.
Chair: I am really sorry. It is terrible to have these sessions interrupted, but we have to vote.
Q32 Chris Heaton-Harris: My first point was the one I made about regulation not being able to keep up with the speed of what is going on. The National Audit Office reviewed nine countries that share our cyber-security objectives-figure 7 in the Report shows the numbers from that review. I was taken by the fact that only one country other than us is interested in helping shape an open, vibrant and stable cyberspace. Is that just because Ministries are not answering questions sensibly, or is it that that priority is actually really very low down the pecking order of what people are trying to do? Are they much more interested in tackling cybercrime? What do you think it would be?
Mark Hughes: I think there are a number of things. How I interpret that particular point in the strategy is that it is about the UK taking a lead role in helping shape how cyberspace is going to develop: for example, the Budapest convention on cybercrime was very much driven by the UK, and there have been a number of conferences held here where the Foreign Secretary has been involved. To me, that objective is about putting the UK front-centre stage in terms of the international debate, if you will, about this topic.
Chair: Skills is a big issue; it might be an issue for both Dr Rid and Professor Creese. You are both at universities, and presumably people come and do their degrees there. What is the problem? Do you notice it in your student intake? Could you take more if you had appropriately qualified people with the right A-levels coming to you?
Q33 Chris Heaton-Harris: Can I add a quick question to that? If you are absolutely gifted at designing your own computer programs at the age of 11, have you gone past the idea that you need to have a degree to get a decent job by the time you get to 18?
Professor Creese: Gosh. That is a convolution of many points, so I will try to pull them apart. Obviously, there is a lead time in addressing these things. There are, actually, lots of good initiatives; it is just that it takes time for them to change the pool of people that are coming into the workplace.
Certainly, I would say that there are initiatives covered in the Report, of which you are all aware, but there are other initiatives that have been announced, perhaps since this Report, such as the Government investing in centres for doctoral training. That will be announced in April. There are other initiatives, such as the ones that I mentioned to do with working with business schools, and there are other things such as teacher training that we have been talking to. It is not just about how you get it into the syllabus, but how you educate the teachers who will deliver this messaging in the classroom.
All these good things are occurring. To a degree, it will be a matter of time, unfortunately, to understand whether we have done enough. Of course, we will have to measure our progress over time. We are in the position where, unfortunately, we do not have 20 years of back data to compare this to. I believe we are taking action, and we are taking action not just with a UK focus - encouraged by the cyber-security strategy in the office and the public servants that deliver it, I have been involved in events that have linked us with people doing similar things across the globe so that we can share best practice. We need to remind ourselves that that is exceptionally important, and it is very interesting that we are the only one of the countries reviewed that talks about creating a cyberspace, in the broadest sense, that can be sustainable in the future. Perhaps that is a measure of our maturity, in terms of leading the debate.
Mark Hughes: If I may, I employ over 2,000 people in this particular space in BT. In my team alone we have employed 400 additional staff this year. Finding the skills is important, and Professor Creese makes the very good point that it does take time, but there are initiatives: there is the cyber-security challenge, for example, where we are, indeed, dealing with young people-16-year-olds and even younger-who are being put into those types of challenges where we can talent spot to get that coming through. These are all initiatives that are kick-starting what is a dearth of skill and expertise.
In my team alone, some of the people I brought in are apprentices, and there are graduates as well. So there is certainly demand, and to match the demand and supply is going to take time, but there are a number of initiatives that are happening that will address that. Hence, that is why I think it is one of the key strands in the strategy.
Dr Rid: If we are talking about cyber-security, imagine construction-rebuilding a house. To do that, you need painters, carpenters, plumbers, joiners and all sorts of different professions. It is a bit like that within cyber-security; you cannot train somebody just in cyber-security, because a good plumber cannot be a good carpenter at the same time. The problem is that some sub-specialisations are highly specialised, and basically, Germany may be in the business of training plumbers, to put it bluntly. There is only so much that we can do about that problem. Part of the problem is to bring the people together, on highly specific questions, in one country to make the best use of their expertise. The UK is in a very good position to do that, but it can do much more to make that happen. Also, some of the skills do not come from universities. Arguably, some of the most critical ones are built up and grown within companies.
Mark Hughes: Yes, and they are in co-located spaces. In our particular area, because we operate a large global network, good networking skills are critical, so you do not take a good network specialist and then bring them into the cyber-security arena. That background of skill is critical to them being good at doing their roles.
Amyas Morse: If I may, I have a question for you, Dr Rid. I was looking back over your career and you have been in Israel, Washington, Germany and Paris. This is a positive Report about what we are doing in the UK. I want to know what lessons we should be learning from elsewhere. We are busy saying how well we are doing and how leading edge we are. Is that how you view it, given your international background?
Dr Rid: There are many possible answers to your question. I will pick one tiny aspect. The UK can learn a great deal from several countries but especially from the United States. In the US there is a very impressive open debate. Even the intelligence community is a bit more open than it is here. I will give you an example. If I want to drill into detail on a very specific security problem-because I am writing a book about it, for instance-I quickly end up getting that information from an American small company, from an American contact I have in Washington with the necessary skills.
Openness is a great strength. I don’t want to rely on private security companies with vested interests in publishing a report. I sometimes want the information from the horse’s mouth, from the intelligence community, but it is very hard to get them to talk in the public domain, or even to publish something.
The UK has very good capabilities inside and around Government, shall we say? Iain Lobban at the IISS made some very prudent statements in a very good speech. I would like to see more public statements coming from that community, because they tend to be quite good.
Q34 Austin Mitchell: I am lumbering behind the Committee here, because it is all moving off into science fiction as far as I am concerned. It looks like any firm dealing with cyber-security, and anybody wanting to spend money, has a limitless future. There will be an endless bonanza of spending to deal with something that you might make yourself safe from today but not tomorrow. Systems can be penetrated by some crazed kids trying to find out if there are flying saucers in the American Pentagon cyber-system. It is just limitless spending going on for ever, isn’t it?
Mark Hughes: My observation on that is, no, there is a balance to be struck. We strike a balance every day: should we turn our house into Fort Knox or leave all the doors open?
Q35 Austin Mitchell: But wherever you strike the balance, you can’t make yourself completely safe.
Mark Hughes: The objective is not necessarily to build Fort Knox everywhere. It is to strike that balance. There is a huge upside from what cyberspace comes with-all the interactions and types of services that get delivered, enabling business to do things, which I think the Report spoke about. There has to be a proportionality check here. Yes, while there is an upside, there therefore does have to be a realisation that it comes with risk and that risk needs to be managed proportionately.
There are good practices and things that can be done if that risk is understood and then targeted spending can be put in the right place. It then does give that proportionate level of protection. Your point, though, is well made. It is a very fast-moving space. You have to be continually reviewing that and then obviously adjusting those controls in an appropriate way.
Q36 Chair: Let me just ask a question. With an economic downturn, does your expenditure on cyber-security at BT go down?
Mark Hughes: No. Because of the type of threats we have been talking about, we have been investing heavily in this space.
Q37 Chair: I haven’t looked at your balance sheet, but is that the case, even though presumably you are doing less well at the moment than you might otherwise?
Mark Hughes: No. Our Q3 results were very respectable. Seriously, we are investing in this space, for the very reasons that we are here to discuss. These threats are important and need to be taken very seriously. For BT that is very critical but, more importantly, for our customers. We deal in the type of services where they get impacted by the work in cyberspace. Ensuring that we are there ready to be able to provide services to help them deal with this is really important for us. We have been investing heavily in staff, equipment and technology.
Q38 Chair: And do you tell your customers if there has been a breach?
Mark Hughes: It really depends on what it is and what type of customer, but absolutely, if we can identify in our consumer base that something is going wrong and that perhaps they have been infected, we absolutely engage with and work with them.
Q39 Chair: Despite the reputational risk? I am trying to think of one. Jackie might want to come in on this. You would inform your customers if there has been something?
Mark Hughes: Let me take an example. Spam is quite a big problem for individuals when computers get infected and start sending out rubbish e-mails. It is important for us that we do not want our customers to be infected by that, so we have a process that is about ensuring that we alert our customers if that is happening and then ensure they can take measures to clean up their machine and to prevent it from happening again. For example, all our broadband packages come with an antivirus solution and if you run it, that helps to safeguard against the problem. That would be an example of where we absolutely have a very heavily vested interest, and we therefore invest to ensure-
Q40 Chair: That’s prevention, but what if there is a breach?
Mark Hughes: If there is an issue and if we can identify it, we will work with our customers to ensure that we or they can remediate against it.
Q41 Austin Mitchell: As far as a layman is concerned, it is all a bit like the millennium bug, when millions were spent on safeguarding ourselves against this bug that was going to stop all the computers at midnight at the start of the millennium and the world would grind to a halt, but it did not.
Professor Creese: Maybe they were millions well spent.
Austin Mitchell: Maybe they were and we do not realise it.
Mark Hughes: The Report mentions the £27 billion and the fact that the UK has been impacted. These are difficult things to measure, but, notwithstanding that, there are some pretty clear stats about the fact that this is not just a one-off; things are happening all the time. These measures are important.
Q42 Austin Mitchell: Given the kind of prediction I have just made, would it not be better if we did like the Americans and had a tsar for this issue and everything centralised in the Department of Homeland Security, which concerns itself with the bigger issues, instead of having everything spread out among the Departments with everyone doing something different in their own way?
Mark Hughes: Can I just respond to that specifically, Dr Rid? That is a very interesting point. There is a central co-ordination point in Government-the OCSIA-but it is important that it is spread across different Departments, because each one of them needs to do things specifically in that Department. That is not only to protect themselves, but also to protect whatever subject matter they are responsible for and to ensure that the particular sector-whether it is DECC or BIS, as it is in our case with Ofcom-does things that help to achieve part of the strategy, which is to raise resilience. It absolutely has to be spread across different Departments. It will not embed itself if it were somehow centrally controlled.
Q43 Chair: We have six more minutes and I have three people wanting to ask questions, so make it a quick answer please.
Dr Rid: Very quickly, I entirely agree with Mark Hughes that centralisation would not be the right way forward. The problem is extremely diverse and it needs a diverse solution. We should be conscious of wholesale discussions about whether regulation is good or bad, because the answer is that it depends on what we are talking about.
Professor Creese: Just to build on that, it is not just about diversity; it is about internalisation. It is about internalising within the Departments the ownership and the responsibility and the ability to push forward on those things that are within their sphere of influence and capability. You could not centralise it and then wrap all these things up in bubble wrap.
Chair: I have questions from Justin, Steve and Jackie. I might ask you to ask your questions and then I will go for the answers. Is that all right?
Q44 Justin Tomlinson: I will be quick. I want to return to the problem of the skills shortage again, because paragraph 2.12 of the Report says that "the number of ICT and cyber security professionals in the UK has not increased in line with the growth of the internet." We know that young people are permanently attached to some sort of computer-related device, so there is that pool. We are obviously making massive changes to the school curriculum, which we would hope will filter through, but I am interested in what are the other things that could spark interest. In the 1980s, the likes of Mr Heaton-Harris and I were inspired by "WarGames" and we have recently had "Skyfall". Is it something like that? Is it the fact that it is going to be such a growing industry that, as a young person thinking, "How am I going to make a fortune?" it will be somewhere where there is huge potential? Or will something else provide that spark to get the numbers back up to where we want them?
Chair: Hold your answer.
Jackie Doyle-Price: I want to ask you, Mr Hughes, to reflect on something. The telephone network in my constituency office is being hacked every week. Thankfully, the hackers have not managed to get through, but I am getting more and more casework about cases where they do. My information is that BT insists on billing people once that has happened. For example, Castle Point borough council was hacked over a weekend, and the bill came to £10,000. I would have thought that that was unusual activity that BT could detect. I want your reflections on whether you are doing enough to protect your customers from that, and whether it is really fair that they should carry the can for the whole crime.
Stephen Barclay: Building on both questions, this is about the pace at which we are moving. Professor Creese, you talked of the chronic skills shortage. By when do we expect that to be fixed, in your assessment? In Dr Rid’s analysis, we do not have an adequate understanding of the risk. While we do not want to centralise, we want to challenge. At our current pace, by when do you expect that to be fixed?
Chair: Mark Hughes first. We will be called back in literally a few minutes, so could you deal with Jackie’s question?
Mark Hughes: I will be very quick. You are specifically referring to a thing called dial-through fraud. When the equipment that a customer is responsible for is not properly protected, a criminal will exploit it. We monitor that proactively, but we cannot catch everything. I am very happy to speak to you offline if you want to discuss the specific issue about some of your constituents to see what we can do and to understand what happened there. We can perhaps give them more advice about what has been going on. We do monitor it, but we cannot catch everything, and there are a lot of criminals out there.
Q45 Jackie Doyle-Price: Is it growing?
Mark Hughes: I could not say off the top of my head, because I do not have the stats. I know it is a problem. When a customer has a piece of equipment and takes service from a telecoms operator, but that piece of equipment is not secured to the necessary standard, a criminal can hack into it and use it as a jumping-off point to make calls from their service. That is how it is perpetrated. I would certainly be more than happy to talk to you about that issue.
Chair: The other issue that Jackie raised was that the customer pays.
Q46 Jackie Doyle-Price: Yes. It is the customer who carries the can for it.
Mark Hughes: Well, the customer’s equipment is the problem in those cases. I cannot be specific, because I do not know the exact case. I would be very happy to go through the exact case with you to see what is happening.
Q47 Jackie Doyle-Price: A local authority would not suddenly start calling Nigeria constantly every weekend. That is pretty obvious, but you still bill it £10,000.
Mark Hughes: At the end of the day, their equipment belongs to them. I cannot comment on the specific case, but I am more than happy to look into it. We proactively monitor where we can, but we do not necessarily catch everything.
Q48 Chair: Professor, very quickly.
Professor Creese: I would imagine that with a fair wind you are looking at 10 years, but I think we might need to take more action to encourage that fair wind. We need to make it attractive as a career option, and we can possibly do more about that.
Q49 Justin Tomlinson: What would you do?
Professor Creese: I don’t know. Persuade Brian Cox to promote it. [Laughter.] I am being semi-serious here. We need pathways. We all recognise that there are not many bachelor’s degrees in becoming a cyber-security professional. Speaking as a member of a university, we need to educate people who are officially in other roles and who have a part to play, whether they are software engineers, whether they are going to be financial controllers or project managers-whatever they might be. They all have a role to play, and we need to make sure that it is pervasive across every aspect of our curricula. We need to understand that. With a fair wind, we can expect to see kids coming out of secondary school now passing through the educational system and coming out. We will get some early wins.
Dr Rid: Very quickly, on when will the problem be fixed-
Q50 Stephen Barclay: I am not talking about when it will be fixed, but the disparity regarding your map, and the extent to which we do not know.
Dr Rid: Related to that, the philosophy should be that the problem will never be fixed, and we will never achieve total visibility. We are constantly playing catch-up, which means that we need to be more nimble in understanding the threat, and we need a more powerful work force able to dedicate themselves to that. The Government have the power to boost markets that are very important-for instance, through insurance policies. If certain companies have to show that they are improving visibility in their networks-I am talking about critical infrastructure networks-then companies will offer that service and create new products. That is the way forward.
Q51 Stephen Barclay: Do you have a sense of the time scale on that?
Dr Rid: It will never be finished, but something needs to be done now.
Mark Hughes: Reflecting on that, flowing down things like the 10 steps in many different arenas is going to take some time, and it will always be an iterative process.
Chair: Thank you very much. That was really helpful to us novices in this area. You all gave us a lot of useful insights, which will hopefully help us to be better in questioning the accounting officers, which we will do straight after this vote.
Sitting suspended for a Division in the House.
Examination of Witnesses
Witnesses: Oliver Robbins, Deputy National Security Adviser (Intelligence, Security and Resilience), Cabinet Office, James Quinault, Director, Office of Cyber-security and Information Assurance, Cabinet Office, and Ken McCallum, Head of Cyber-security, Department for Business, Innovation and Skills, gave evidence.
Q52 Chair: Welcome to you all. As you can tell, this is a very exploratory session. I shall probably start where we started with the previous witnesses. I will tell you what went through my mind, and then you may tell me I am completely mad. I am not allowed to go on the road unless I get a driving licence and insurance. You may think the analogy is ridiculous, but I am allowed to use my computer without making sure that I have a firewall or up-to-date antivirus software. Nobody stops me doing that. Yet the threat is clearly huge. Is it right that we do not have a regulatory framework, or is it just too difficult? I want to explore that whole aspect of how we get to cyber-security. I certainly do not read the literature that is out there, as is the case with lots of companies. Much as you try to persuade me to do so, I am too busy.
Oliver Robbins: First of all, the important thing that we are trying to do at the moment is get people to use the sources of advice there are. I accept that in some contexts, Parliament regulates and legislates. Those are mainly in the contexts of safety and security in areas where your actions could actively harm others. If I could change your analogy for a minute, Chair, think about the security of your house. The locks you put on your windows and doors are not mandated by regulation. The fact is that the decisions you make about how to secure your property in that context are made by a combination of pressure from insurers, advice from police, what other people do and learning as best you can how to protect yourself in that situation. What we fear is that trying to regulate too actively in this area would mean that we would embed 19th-century locks on the system as the technology is leaping forward geometrically every few years.
I would not want to leave you with the impression that there is no law and no regulation in this area. We have crimes that are about the misuse of computers-the Computer Misuse Act. We have standards for the protection of information; all of us in the public sector, and many other institutions, have legal responsibilities about how we look after data. We think the most important points of pressure on businesses to improve their cyber-security are really about, for instance, the insurance industry, their auditors, their non-executives and audit structures, and ultimately their investors and shareholders, as they begin to see over time that bad cyber-security leads to losses in the real world.
Q53 Chair: Let me push you a little bit on this. Okay, let us take it that you do not want to do it to M. Hodge, but if the water goes off or the banks close, that is pretty important to all of us, right? So there is a threat to all of us. I was very taken with the witnesses’ argument that you cannot see this as a whole; you have to segment it and respond to particular bits of the population, and particular threats. Would you take that same view about regulation? At the moment we do; there is no regulation for any of the key institutions-energy suppliers or key services-to make sure that they take all the necessary steps to limit the potential for cyber-security issues. Would you take the same view there?
A supplementary on that: don’t you think they should at least tell you if they are victims of an attack? From what I have read in all the literature, everybody is so worried about their reputation that they hide it. Wouldn’t it at least be a good idea if they told you when any attack occurred? You would have to regulate to make them do that, wouldn’t you?
Oliver Robbins: We already treat the critical national infrastructure at a slightly different standard. That is not backed by law-it is a voluntary arrangement-but most of the industries that we are talking about here are heavily regulated industries anyway, which have economic regulators. If you are talking about the telecoms industry, obviously it is Ofcom; there is Ofwat for water, and so on. We talk to their economic regulators to make sure those regulators are taking a close interest in the security of supply; they have a strong interest in that security of supply from their overall duties as regulators, as well as from our perspective of protecting against a particular attack vector on that industry, so we take a strong interest in the CNI. It is not, you are right, currently backed by law, but then we get a very high degree of co-operation from them.
Q54 Chair: What does that mean-100% co-operation?
Oliver Robbins: I honestly wouldn’t be able to put a percentage on it because of how it is handled. To give you a sense of that, there are hundreds of daily interactions between our Centre for the Protection of National Infrastructure and members of that community. It is a very close relationship.
Q55 Chair: Okay. Let me take a final stab at this. EDF controls most of our nuclear energy supply. It is a French-based company. How on earth do we make sure that there is proper security in place to best protect the nuclear energy sources for which a foreign company is responsible?
Oliver Robbins: In short, as operators in the UK, they are subject to the same regulation as a UK-owned company.
Q56 Chair: There aren’t any regulations.
Oliver Robbins: There are regulations about their general duties as operators of the plant. What we do is use those regulatory relationships to make sure that they take advice from CPNI on how to protect themselves. In particular, for the nuclear industry there is the Office for Nuclear Regulation, which has a security responsibility, and which will be saying to them, "Part of your security responsibility as the operator of Sellafield is to understand the cyber risk to your business."
Q57 Chair: What about telling you about incidents, for all these key services and institutions, particularly around basic energy supplies and those sorts of things?
Oliver Robbins: As I am sure you will have picked up from the NAO’s work, we are very keen on getting a bit more transparency around this, not just for the critical national infrastructure, but more generally in business. At the moment, as Pricewaterhouse heard from companies last year, 93% of big companies are saying that they have had a cyber breach in the reporting year; for smaller companies, it is 76%, and you can imagine that probably quite a bit of that gap is people just not knowing. There is a lot to report.
On the critical national infrastructure, several sectors-the most important ones, which are looked after under the critical national infrastructure-are members and are being encouraged into the cyber information sharing partnership that Mark Hughes was talking to you about earlier. That is where we are getting Government, GCHQ and the businesses involved in those sectors to share, in real time, information about the threats and attacks that are coming across the network, so-this is better, I would argue, than formal reporting months later-there is real-time reporting of attack signatures going on between members of that community and GCHQ. That flows in both directions.
Q58 Chair: And you would rather have that than comprehensive reporting?
Oliver Robbins: I think I would, for the moment. It is not my role to rule it out for all time, but my advice for the moment would be to stay where we are, because some of the things in the 10 steps that you were hearing about earlier are very judgmental. It is about things like ensuring that you have good user access controls on your computer IDs. That is something that I think most IT security professionals know when they see it, and would be able to evaluate and advise on improving it, but it is quite a hard thing to enshrine in regulation.
Q59 Justin Tomlinson: I want to cover a few things, starting with paragraph 1.13, which mentions the £650 million funding, but also says that a number of other Departments spend money but do not clearly identify it. Do you have an estimate of what that is and of just how much influence you can have on that extra spending?
Oliver Robbins: It has been a real challenge for us, because it of course depends to a great extent on how you define cyber-security work across Government. The short answer to your question is that we do not currently have an estimate; we think that it would be useful to have one and we are working on creating one, and we would hope to continue to receive the NAO’s support in doing that.
Q60 Stephen Barclay: Is there a common definition?
Oliver Robbins: There is not a completely common definition, no. Cyber-security is partly about IT security, but in the work I do I am just as concerned about personnel security. When we talk about cyber-security we tend to focus a lot on the internet, but in many ways as powerful and potent a weapon is a human being turning up in an office with a USB stick and putting some malware on to a computer; you do not need an internet connection for that. We are trying to look across elements of vetting and personnel security, IT security, the law and various functions across Government that are contributing to baseline cyber-security and to come up with an estimate of that. My guess would be that that would be many times the £650 million we are able to spend now as a transformative programme, but I would not be able to put a number on it today.
Q61 Justin Tomlinson: I am very supportive of the role of cyber-security, both because of the importance of defending UK plc and because it is potentially a hugely growing market that UK plc, if we were at the cutting edge, could do very well out of.
One of the biggest challenges you have-this is touched on in paragraph 1.14-is being able to identify just how much progress you can make because of chronic under-reporting. We saw that when Sony-a major international company-was hacked, 5% was wiped from its share price straight away. As consumers, the one that would probably get all of us very, very nervous is the banks: I think the point was made earlier that the water would still come out of your tap if Thames Water was targeted, but if HSBC was targeted, we would all suddenly be rioting in the streets. When I had my former business, my bank account was hit and the bank would not report it to the police-they kept it all quiet. How are you able to get a true picture of the scale of the battle you are engaged in and then, ultimately, the successes that flow from that?
Oliver Robbins: We need to develop better techniques for doing that. We have two techniques at the moment, of which one is anonymity. I was talking about survey data that PricewaterhouseCoopers were collecting last year; they were able to collect the data because it is anonymous. The other thing we are depending on is trusted communities. In the case of the Cyber-security Information Sharing Partnership that I mentioned, we effectively have the banks working together, but privately, confidentially and in a trusted community-working not to exploit one another’s potential commercial downsides of reporting new cyber attacks, but for the greater good. How have we got them to that position? Not through pure altruism, but by saying, "If you get together in a room like that, GCHQ will come into the room as well and add to the picture."
Q62 Justin Tomlinson: That is great and I am sure that it is in their vested interests to come and work with you. The difficulty you have is when you fast-forward to 2015, when you come back to the equivalent of us and have to justify how you have spent the £650 million. It is very difficult for you to use a lot of that secret information, so you cannot turn up and say, "We stopped three banks from being brought to their knees," because you are bound by the secrecy of what they are telling you. Under those obvious constraints, how will you be able to justify the money that you are being given?
Oliver Robbins: It is a very hard thing. We start from the point of view that there is not a secure baseline for this work. It is hard to tell exactly what the position was in 2010 or 2011, when we started, even on a phenomenon that has been as relatively widely reported on as cybercrime: the estimates, as in the NAO Report, vary very considerably between £18 billion and £27 billion lost to cybercrime. We are trying to work at three levels. First, we want to know absolutely what it is that we are doing and to monitor progress very carefully against the projects and tasks that we have set ourselves-I hope that people would take that as a bare minimum. Secondly, we are trying to work out whether the things we have done are having the impact on cyber-security that we hoped they would. We are choosing a whole series of proxy measures for that, which are mainly based on open source information about the scale of the threat and what people are reporting about it. Thirdly, we are trying to ask how much of that might have happened anyway. We are acting in a very dynamic environment here, so if cybercrime gets two times worse, is that because our measures have failed, or is it that we have done okay, but the number of cybercriminals has trebled? We can draw in more measures to help us with that, but quite a lot of it is subjective.
James, do you have anything to add?
James Quinault: We have tried to make it easier for people like you to report cybercrimes against them. Action Fraud was the response to that, as mentioned in the NAO Report. That will have rolled out to all police force areas by the end of this month, and so far there have been 40,000 reports to that on cybercrimes.
Q63 Justin Tomlinson: Can I ask a technical question? When my bank fraud happened I went to the police, who said, "It’s not you who has had fraud against you. It’s your bank, and only your bank can report this to us. You reporting it to us will not count in any of the statistics." Will that change?
James Quinault: That has changed so that it would count if you reported it. We have also made it easier for institutions, banks and organisations to bulk-report cases. That is also increasing the capture of data in this area.
Q64 Justin Tomlinson: The bit I am kind of excited about is the potential to lead in a growing industry-we could be very much at the cutting edge, and it is not often we hear that about UK plc. From what I can tell, though, of the £650 million budget, looking at either figure 4 or figure 6, I am not sure whether it is £13 million or £17 million of that £650 million that seems to be spent on the more proactive side, trying to get UK plc at the forefront and get lots of expensive consultants flying off all around the world to earn and bring back huge amounts of money to us. That is about 2% of the spend. Does that reflect the priority of that element?
Oliver Robbins: I would say-I hope this makes sense to you-that a huge amount of the sum that we have already spent under the programme has been about establishing the UK’s credentials in this field. If we get our own sovereign cyber-capabilities right, and if we are able to use those in ways that-a bit like the cyber-information sharing partnership-ultimately benefit British business and businesses operating here in the UK, then Britain will become known and better known as a centre of excellence for this kind of work, and the export opportunities and the size of the UK’s own cyber-market will increase.
The amount we are spending on actively marketing cyber-exports as a piece of trade promotion is relatively small, though it is growing rapidly within security exports. However, a good proportion of the cyber-programme, including the information-raising and the international diplomatic activity we are doing, is beginning to get the idea out there, which I hope is true and reflects reality, that the UK is a place worth buying your products in this area from.
Q65 Justin Tomlinson: The key, as you have said, is about exporting. We are all desperate for lots more export opportunities. What would be your baseline for us to judge you by when you come back in 2015? In terms of the contribution to the exporting levels of this country, what would be a success?
Oliver Robbins: It depends slightly on how fast the market grows. It has been estimated globally at $100 billion, and the UK has a sizeable chunk of that, compared with our relative weight in the global economy at the moment, which is a good sign. If the market continues to grow as it has over the next few years, I would be very disappointed, and I am sure Ministers would be, if the UK was not at least attracting the same market share globally and hopefully increasing it.
Ken, would you like to add anything on that from BIS’s perspective?
Ken McCallum: We undertook research in 2011, which estimated the UK’s cyber-solutions market at £2.8 billion, estimated to rise to £3.3 billion by 2015; similar research conducted last year came out with broadly similar figures. In 2011, UK cyber-exports were estimated at £805 million, which constituted 34% of the overall security exports from the UK for that year. I do not yet have figures for 2012, but it is already the case that cyber-security constitutes a meaningful chunk of UK security exports.
Q66 Justin Tomlinson: Turning to the bit we covered quite a bit earlier: the chronic shortage of skills at the moment. Obviously, they are seeking to address that in the education system, but one of the witnesses earlier said that it would probably take about 10 years for that to be addressed. I touched on, tongue in cheek, how films-"WarGames" when we were younger and "Skyfall" now-can help to inspire. The fact that it is a growing industry, with the potential for people to go and earn a lot of money, can incentivise young people. Dr Rid and Professor Creese could become the new Brian Cox and have a TV series to inspire a whole generation. What is it that will give that spark, in addition to the changes in the education system?
Oliver Robbins: When I started this job, the press cuttings I received every week would have one or two cyber stories in them, which people at the time thought was astonishing and revolutionary. Now, the wodge of cyber stories every day has a good half dozen serious stories about something relating to cyber-security. Senior politicians in this country and around the world are talking about the need for international co-operation to tackle cyber-security. Collectives of senior business people are coming together-our cyber-growth partnership is a good example of how they will be talking about the opportunities from cyber. None of those will be the spark that you are talking about, but there is a good chance that, as that ecosystem of comment and interest in the subject develops, spooks for cyber will be the next thing.
Q67 Justin Tomlinson: It is not just about the obvious cyber-security trained staff; it is about making sure that those other professions, whether it is the accountants or the legal teams, understand the importance and factor that into their role. It is about how you can get that into part of their education system.
Oliver Robbins: Absolutely. I will let James come in in a second, because he is leading the work on this. We have already done a lot of work with professions that you would not necessarily have thought of, such as procurement, legal services and auditing, to ensure that there are modules in their training courses and professional qualifications that prepare them, not to be cyber-experts but to be able to ask the right questions from their professional point of view about the standards to which the firms they are advising operate.
James Quinault: I simply want to add that it is important that people are not turned off this by what they learn about it at school. The Government are working to overhaul the curriculum on computer science, as you know, so that it is genuinely about computer science and not just office skills. To supplement that, we are also trying to do things that are outside school. The Government part-funds, with private sector partners, the cyber-security challenge Mark referred to, which is about doing exciting competitions and so on that will grab people’s attention.
One more point is that we do not just want this to be about young people, not least because they take a while to be oven-ready. We also want to get people who are already in the IT profession switching into this area. There is a lot of work going on to create professional formation routes for that to happen. Ken may want to say something about work with the lawyers, because he is about to do that thing with the Law Society.
Ken McCallum: Absolutely. I was planning to intervene, but your question took me in the same direction anyway. Alongside the work to influence young people to take up cyber-security explicitly as a career, it is very important that we influence associated professions. The two best examples on that score include auditors. I spent most of Monday this week with some of the big audit houses working on how we can best utilise the pre-existing methods and accesses that audit houses have to inject cyber-security and mainstream that within UK corporate governance. I am spending most of this Friday working with the Law Society and compliance and risk professionals within the legal profession-they are not cyber-security experts, but they are the compliance and risk gurus across the piece-to help them understand how best to hoist cyber-security into their professional activities.
Q68 Stephen Barclay: Building on Justin’s comments, computer coding has benefits beyond cyber-security for the economy. Yes, there are fixes at GCSE level, but I do not know whether we have enough teachers for coding, so perhaps you could comment on that. There is a big gap between GCSE and university, though. Is it about plugging in with apprenticeships and other things? Could you clarify that?
Oliver Robbins: I will let my colleagues come in shortly, if I may. In the earlier session I was bursting to say that we take the point that there is a category of people here who are vital from a cyber-security point of view, but who will probably not be conventionally attracted to a degree route. That is one of the reasons why GCHQ has launched 100 apprenticeships in this area, so that there is a chance to attract people in that late teens bracket who have an obvious talent or vocation, but who will not necessarily be interested-or it might not be appropriate-in going down the degree route.
James Quinault: We are working to try to encourage the same sort of thing in the private sector as well. It is an obvious route to go down. There is action going on at every level. I mentioned the GCSE stuff. We have also worked with the IET to try to make sure that there is a cyber-security module in all software engineering degrees. At the moment, you can do a complete degree and not do a single hour of cyber-security. From 2015, that module will be mandatory. It is being trialled by Lancaster and Queen’s, Belfast now.
We are also, at the top end, investing in the real cutting-edge researchers and experts in this space, so the Government is funding 78 more cyber-security PhDs. With the best will in the world, those take a while to come through. The first will not be awarded until 2017. That is why, as I said, we are also working on those faster-burn initiatives that are about getting people to transfer from other places.
Q69 Stephen Barclay: That is very welcome, and GCHQ’s apprenticeships are very welcome. In terms of the base of people with good level coding skills-it is not just this industry; it is wider-it is a talent pool from which you will benefit. In terms of measuring progress in the future, how many people would you expect and at what level? Are you working to projections on that?
James Quinault: Yes. It is obviously not just through a cyber-security route that we are trying to boost the number of people in the UK who are good coders. As you said, we need lots of them for lots of things, not just for this purpose. There is a massive amount going on on that. In terms of how we will measure progress, we commissioned work in order to try and get a fix on what the skills gap was now. We will revisit that work periodically to see whether the things that we are trying to do are making a difference. Ken might want to comment on that.
Ken McCallum: We commissioned some work last year. Any single figure is dangerous in this area, I guess, because these people do not come in one size. I think the key finding from the research is that the most acute gap currently is for seasoned professionals who not only have these skills, but have years of experience working in the field, and the UK has a shortfall there. That is a difficult issue. James has described some of the high-end interventions.
Q70 Chair: Where do they go?
Ken McCallum: They get jobs in this area, but it is growing quickly and there are not enough people for both the private and the public sector to have what they would ideally like. Hence the funding of 78 PhDs and other issues around higher education. There will be some announcements made next month by my Minister, David Willetts, on the appointment of two centres for doctoral training, on a second research institute in cyber-security, and the next tranche of academic centres of excellence for cyber-security research. There is a good deal going on.
On the wider skills point, the estimate we had last year was 6,900 full-time equivalents, but that does not necessarily mean 6,900 people, because, for a large part of this, it is about people holding generalist IT roles and hoisting cyber-security in as part of what they are doing, but not necessarily full-time occupations. So there is a spread here, where the most acute gap currently is in high-end skills, as I have described, but there is a need also to spread cyber-security awareness across professionals more broadly.
Q71 Stephen Barclay: This might be something you could do in a note. We can see there is a fix at GCSE level. There is a question about how many teachers we have got. I know that the computer games industry, for example, has a need for coders as well. I am keen to understand how we as a Committee can make recommendations that address that interim level between the GCSE and the advanced university experts, what we are actually aiming for and what the impediments are, as you see it now.
James Quinault: We will be happy to give you a note. As I said, it is a broader issue than just cyber-security. We are one of a number of people who would want to fish in that pond.
Q72 Stephen Barclay: On the second point from the earlier evidence, Dr Rid spoke about the need to develop the insurance market, the limitations of the market and reputational risk as a driver of business investment. What are you doing in that space? Do you agree with the analysis that he set out? What is it that you are doing and what are the impediments?
Oliver Robbins: If I may, I will ask James to talk about that, because he has been talking to the industry.
James Quinault: We do think there is potential for insurers to be another set of people incentivising and sending the right sort of messages to business about how they operate in this space. It may be that a fully functioning cyber-security insurance market will develop in due course. That is not something that we are particularly pushing or targeting at the moment; our interest is much more in getting insurers to ask about cyber-security when they consider businesses for existing policies. A lot of people have business recovery insurance, and one of the things that you insure against is an IT-driven interruption to your business. These days, that could be as a result of malicious cyber-activity, and it would be good to get insurers asking, "Well, what steps have you taken to reduce that risk? If you have taken those steps, we can have a conversation about your premium."
Q73 Stephen Barclay: Do you challenge outliers from an investment point of view? Do you look at the investment within sectors?
James Quinault: The point here is to get insurers challenging businesses because, frankly, businesses are much more likely to listen to insurers, auditors and investors than a man from the Government. We have had conversations with the ABI and Lloyd’s about this, and that is something that is continuing.
Q74 Chris Heaton-Harris: To a certain extent, are you not pushing at an open door, though? No business wants to be hacked. It seems that I have won a lottery while I have been here. I do not really want to be hassled by a load of spam. Everybody wants to protect their own system and do the right thing, so is it not more a question of making it very easy for individuals and businesses to go through the door to find whatever they need to protect their systems?
James Quinault: Yes, it is, although the difficulties here are that, first of all, as came up in the last session, businesses are very different and it is easier for us to push those messages out with detailed guidance to big businesses than it is to the vast majority of smaller businesses in the country where some of the challenges, and some of the ways of raising awareness, are probably more like those that we need to be taking with individual citizens.
The things that I am excited about are initiatives such as the HMRC website where if you log on to that and you do not have an up-to-date browser with the right protections, it will direct you to Get Safe Online and tell you how to update your browser. For the vast majority of small businesses in the country, that kind of initiative is exactly the way that we need to go, and that is why we are going to try to do it with a range of other Government services.
We are pushing at an open door, but, as came up in earlier questioning, as businesses get bigger and as IT infrastructure becomes more and more central to their commercial success, they have become more and more reluctant to talk too openly about the various breaches and penetrations that they have suffered. That is why we need to operate on two fronts: both openly, in terms of raising awareness across business, but also using the kind of structures that I was talking about earlier to make sure that we are behind them and, in a rather more trusted and confidential environment, encouraging them to open up about the kind of attacks they have suffered and the harm that has been caused by that, to mutual benefit.
Oliver Robbins: We consider the outreach activity to be necessary but not sufficient. We think that until businesses feel that you can make money by being good at this, and that you may lose money by being bad at it-before the point at which you get taken to the cleaners-they are not going to invest. That is why the market mechanisms around this are very important. For example, the development of an organisational standard will allow businesses that are good at this to make that a differentiator in the marketplace by being able to point to the badge, if you like. BIS have been leading the work on this, and Ken may wish to comment.
Ken McCallum: On 1 March, we published the Government’s view of what a good organisational standard would look like. We did not draft the standard ourselves because long experience shows that industry-led standards are far more effective and stand more chance of gaining international traction, but we have said, "This is what the cyber equivalent of an Investors in People-type badge might look like."
Q75 Chair: Is this the 10 steps?
Ken McCallum: It builds on the 10 steps, but it is not directly the 10 steps. It says that the Government thinks that organisations which have good cyber-hygiene and have taken this issue seriously will accord to the following criteria, and those criteria are heavily based on the 10 steps that you mentioned.
It is now open to industry to come up with proposals over the next few months for what they think the right shape of organisational standard looks like. The Government, in the autumn, will take a view on which of those standards looks like the most effective for our objectives here, and then it will endorse that standard and promote it widely. Once that standard exists, consumers and customers in the marketplace can make judgments based on whether potential suppliers carry this badge or not. It will take time for that kind of standard to be fully proven and accredited.
Q76 Chris Heaton-Harris: It is a kitemark.
Ken McCallum: Yes, it is effectively a kitemark.
James Quinault: It is a way of making it easier for people who are doing the right things to show that and make it a differentiator, and to make it easier for people who want to ask questions of those who are not, to give them something to bite on, if you like.
Q77 Chris Heaton-Harris: Mr Robbins, you said something about opening up about attacks. As you are the deputy national security adviser, I am sure Sir Kim would be delighted by my next question. The Report discusses state-supported espionage being recognised by Government as one of the biggest threats from the internet. Alongside this, figure 5 discusses, as objective 2 of the security services, "additional capability to investigate cyber-threats from foreign intelligence agencies". As these attacks are supposedly state-supported, could you give us a rough idea about what sort of diplomatic actions might be being taken to condemn them? Do you agree with the policy of other Governments, where unit 61398, APT1 in a 12-storey building in Pudong was identified as an area where some of this might be emanating from?
Oliver Robbins: First, I should say attribution in cyberspace is extremely difficult. We read quite a lot in the newspapers and elsewhere about countries that are alleged to be doing a lot of this. It is often quite quick to identify where a server is based, from which at least at some stage in its evolution an attack may have been launched. It is harder to ascribe exactly who the human brain was behind it who launched it. I am very cautious, as are the Government, about attributing cyber-attacks to foreign states, not least because the definitions in cyberspace between what is a state-sponsored or state-authorised attack and what isn’t are even more complicated and difficult than they are in normal espionage.
Having said that, there is a lot of material creeping into the public domain about what state actors get up to in cyberspace. The Mandiant report that you referred to about the research that a US cyber-security company has done into what they think the Chinese have been doing in cyberspace is a good example of that and is an interesting read. I would say that we think the best course for us is to ensure that we understand what is going on in cyberspace as best we can.
That is why we have spent so much of the first two years of the programme, in terms of money and time, building the right capabilities in the UK properly to understand what goes on in cyberspace. We can then tailor our response accordingly. I am not sure that the right response to an attributed cyber-attack is necessarily a cyber-response. It may be, as you hinted, something completely different. Working with our allies is critical in this. Some of the states we may end up needing to talk to about this problem are also states that we need to work with, in terms of clamping down on cybercrime and law enforcement. Law-enforcement channels can be very effective in doing that.
We will also be more powerful when trying to set out what the shape of cyberspace should look like in future, and the norms or the rules of the road-people use different phrases-if we are working closely with our allies. So, the objective in the strategy that is about shaping the cyberspace of the future is the long-term answer to your question.
Amyas Morse: I want to make sure about something on the subject of transparency and openness. I will ask a couple of questions and you might like to reply to them as a composite. First, with reference to Dr Rid’s answer to my earlier question, which you will have heard, how open are we and do we need to be? I think we are quite a secretive country, though I accept we are moving in an open direction. Could we be more open in our participation in these discussions, particularly from the security community?
Secondly, in the business and industry area, it is good that they want to take part in secure discussions, but these failures cost consumers a great deal of money, don’t they? The reality is that if you have a lot of cybercrime in a bank or something like that, it is all basically paid for at the end of the day by the customers. In a way, therefore, in having a more open approach, whereby people were able to understand what was actually happening and whether there was at least a reasonably healthy, appropriate, sensible and maintained level of spend, while you cannot prevent penetration, you would expect to be able to have exhibited that there was a reasonable, prudent effort. A kitemark may be symptomatic of that, and you can get a little closer, over time, to where the rubber meets the road, don’t you think?
Oliver Robbins: First, on openness from the Government, and from the security community in the Government in particular, I would say-but maybe I would say this-that the agencies have been considerably more open about this problem than they have been about anything else really. So you have the quite unusual step during my time in this job of Sir Iain Lobban giving his first public speech as director of GCHQ. He has made remarks again in the past few months, which again have been trying to give some general reference point and guidance about the nature of the threat. Also, powerfully, before the Olympics, Jonathan Evans spoke out about the variety of threats that the Security Service worries about, including-I think for the first time in a major speech by a director general-by putting cyber front and central.
I know that you did not make them, but comparisons with the US are a little false here, not least because constitutionally officials such as Director Clapper, as the National Intelligence Director, and the director of the CIA are direct presidential appointees, with considerable public profiles, and that has not been the tradition here. In our system, of course, Ministers speak about these issues and the Foreign Secretary has done so recently. The Minister for the Cabinet Office-my Minister-does so very frequently, and I was just hearing as I came in that Mr Brokenshire, the security Minister, is giving a speech about cyber, I think tomorrow. So we are trying to put information in the public domain with an authoritative stamp on it, but I suppose in a British way rather than necessarily in exactly the same way as the Americans do.
Your second point, if I understand it right, was about getting businesses themselves to be a bit more transparent with the consumer about the risks they are running. We obviously want that to happen and one of the things that we are working with telecoms and internet service providers to do is to have guidelines for them, which of course the regulator and consumers can then ask them about to check the extent to which they are informing customers of breaches in their own cyber-security. That is something that will take a little time to embed-we will have to get the regulator, of course, to be asking questions about it to give it a bit more force-but it is something that we will test in the next few months.
Q78 Chair: I just wanted to ask one question about all this, because it is all encouragement, encouragement. Can I just ask a question of BIS? It says-on page 24, paragraph 2.4-that you put out some stuff for boards of big companies. Can you tell me how many boards have read the advice and taken action?
Ken McCallum: I can’t give you a total figure, Chair, but I can say that we have had direct feedback from a number of companies that received that advice and that have taken different action within their companies in response to reading the advice.
Q79 Chair: I ask that question if you are going down this voluntary route and you think some of us are wrong to say that you should be doing slightly more. I know this is a difficult area, so I am not being particularly dogmatic about this, but you ought at least to know how effective the stuff you are doing is, so you ought to have a figure.
Ken McCallum: Okay. So we have a number of things. We have the Cyber Information Sharing Partnership, involving 160 UK businesses, which is due to launch at the end of this month-
Chair: That is not an answer to the question.
Ken McCallum: We do not have an exact metric of how many businesses are taking different action specifically in response to this guidance.
Q80 Chair: Do you know how many found it helpful?
Ken McCallum: Of the businesses that have responded-both those that have directly responded to us and those that we have separately engaged with-
Q81 Chair: Have you tested? I say this a little bit because of my ministerial experience that you put out a bit of guidance and think, "Tick; done," but it is effective only if it is used. I think that you should know how many businesses have used it and how many have found it helpful, and perhaps you will tell us how you are going to assess the impact of the advice-to know whether it is working.
Ken McCallum: I will make three points, if I may. First, we are conducting a continuation of the annual breaches survey, which was referred to previously. We have statistics for last year on how many large businesses, and how many of all businesses, received breaches over the previous year. We will publish the next iteration of that survey in April-
Q82 Chair: Breaches?
Ken McCallum: Breaches, but the survey has been extended this year to include wider questions around corporate governance and how individual companies are managing their risks. That survey will be repeated in 2014 and 2015, so this is part of providing some sensible baselines and metrics for us on how company behaviours are changing in the UK. Related to that, we are doing some deeper-dive work, building on the kinds of relationships we are forming with the audit houses and with the Law Society and so forth, to understand in more depth how the boards and the audit committees of the largest UK firms are handling these risks, and getting the issue out of the IT department and into the board room, so to speak.
Q83 Chair: All good stuff. I would simply suggest that if you are putting out tools, you should assess whether they do the job that you intended, and that requires you to collect some data and do a bit of evaluation. We might end up with that as a recommendation.
James Quinault: We have done that awareness work. We regard it as important to work out whether it is hitting the right targets.
Q84 Chair: It is not the question of targets. It is just assessing how effective-
James Quinault: You said at the beginning, Chair, that you don’t read the stuff that comes out. We are painfully aware of that and are trying to do something about it. There is Get Safe Online.
Q85 Chair: But just tell me how many people have used Get Safe Online?
James Quinault: At the moment, 60,000 people a month visit it. That number is going up rapidly as more people are directed to it by the HMRC website.
Chair: It’s peanuts.
James Quinault: However, we realise that we need to do more to drive people into the arms of this stuff and that we need to do that in a way that works with the grain of how people currently receive information. Over the next year, there will be big campaigns on that. Those will be followed by a tracker to see whether it has taken off. We dipped a toe into the water of this sort of thing back in April with The Devil’s in Your Details. That campaign reached 4 million people-we were able to track that. We surveyed people afterwards to see whether it had an effect. In the surveys, two thirds of those who responded said that they would change their behaviour as a result. That campaign was pretty effective. It cost £300,000, which was shared between us and the private sector. That is 0.06p per person reached. That is why we are keen to do more, because we think this is an effective way of getting the message out.
Q86 Mr Jackson: I have two brief questions. Given the responsibility of this Committee, what particular milestones will you use to demonstrate the effectiveness and efficacy of the strategy that you are pursuing so that people like me can understand it, because we are not specialists? Secondly, going back to the point Mr Barclay touched on earlier, in terms of both private sector and public sector research-academic research-to assist our efforts to export cyber-security, how do we compare internationally with China, India and the United States?
Oliver Robbins: I will have a crack at both those questions to try to keep things brief for you, Chair, but if you want more depth, you may need my colleagues. To answer your second question first, it is hard to compare. We are obviously, as you have heard from your independent witnesses and from us, doing an awful lot to try to sustain and develop the UK as a world leader in research and academic work on cyber-security. We think at the moment that what we are doing, and what we will be doing over the next few years with the initiatives you have heard about today, is at least as good as anything else being done in the world. We don’t have the scale of a China or an India, but we do think we have quality.
The second thing I would say is that the sort of investments we are making across the board in the cyber-security programme are mutually reinforcing. So if the Foreign Secretary is chairing a conference in London about the future of cyberspace, as he did two years ago, and if we are then seen as the biggest backers, as one of your independent witnesses said, of the Budapest convention, these sorts of things help to create an atmosphere for exporting markets in which people think, "Here come the Brits; they know a little bit about this," and our reputation as one of the bigger and more powerful SIGINT powers in the world helps to reinforce that, too.
Q87 Mr Jackson: A very interesting book was published two years ago: Richard Clarke’s Cyber War which obviously popularised the issue. The one message from that book is the asymmetrical nature of the United States’ cyber-security policy-they are good at offence, but not very good at defence. Would you like to compare that, as far as you possibly can, to our experience?
Oliver Robbins: If I may say so, I think it is a bit of a red herring. The most important priority for the UK, which we are spending a very significant proportion of the programme on-the bit in the pie charts that is secret-is mainly about understanding what is going on. You can then use that understanding either to try to protect networks that you know are likely to be under attack, or you can use it, if your understanding is sufficient, to try to head those attacks off before they start. At the extreme, they can even be used to develop capabilities you can use offensively.
The most important thing is to understand the environment in which you are working. The first two years of our investment in what we call sovereign capabilities in the paperwork is really about that deep understanding. You are only as strong as your weakest link in this area. If the UK Government had superb offensive capabilities, but could not protect the Ministry of Defence from intrusion, our offensive capabilities would be useless. To be trite about it, I’m sorry, I think that protection of our critical networks, which extend-as we have been talking about in this hearing to the national infrastructure-well beyond the conventional public sector, is a sine qua non for being a serious cyber-power.
Chair: It’s a bit of an aside, but I would junk a couple of aircraft carriers and put more money into this security.
Chris Heaton-Harris: You had better ask the French.
Q88 Mr Jackson: Sorry, we interrupted you. The milestones, briefly.
Oliver Robbins: I was going to come back to you on that one. As we were trying to expose a bit earlier in the hearing, this is very difficult stuff because we are conscious that we are trying to influence an environment that is moving very fast and is subject to extremely large swings, depending on other actors’ moves in the game. What we are trying to do-we would welcome some more NAO support with this-is to set out measures we are confident we can measure, and that over time will tell us something about the impact of what we are doing.
Some of those will be objective. To take the crime area as an example, we try-even this is hard-to measure the harm done by cyber-criminals in the UK and the harm avoided by police action in this area. We can measure that and see whether it is going up or down. We can try to guess whether cyber-crime is going up or down. Some of it is subjective. One of the most important things for any internationalised crime is to get upstream of the threat, to work much more heavily with countries in which we know that cyber-criminals are operating to get their own law enforcement structures to clamp down on those criminals. It may surprise people, but that is possible. But a lot of that is about the quality of your liaison relationship. It is about whether a particular police officer-or, as it will be in the future, National Crime Agency officer-has built a deep relationship with that country and its law enforcement agencies over years, such that, when he turns up and says, "These people are bad. You’ve got to help me," they work with him, or not. Understanding the quality of our liaison relationships is actually one of the most important factors in working out whether we are making a decent impact on cyber-crime.
Q89 Stephen Barclay: Witnesses to this Committee repeatedly tell us of the need for more specialist skills at the top of Whitehall. Do you have any computer qualifications?
Oliver Robbins: I do not. I don’t want to sound defensive about this, but part of our message today-I hope it resonates with you-is that professionals at the top of every organisation need to worry about this threat. Whether you are a lawyer-in my case, a policy adviser-or have a completely different training, you ought to be able to have the right kind of level of skill to be able to ask good, basic questions quickly. That is what I hope I bring.
Q90 Stephen Barclay: Do you have computer qualifications?
James Quinault: No, I don’t have a technical background. I was interested in and keen on computers when I was younger, but I don’t have a technical background.
Q91 Stephen Barclay: And do you have a computer qualification?
Ken McCallum: I don’t, but I did two years of computing science as part of a mathematics degree. However, what the Business Department brings to this is primarily trying to translate technical concepts into language that businesses will understand.
Q92 Stephen Barclay: But aside from university, you have not worked in computing?
Ken McCallum: I have worked in cyber-security roles previously within Government, but I have not worked in computing as such.
Q93 Stephen Barclay: I am trying to understand, because we talked about coding, whether any of the three of you have ever written any code.
Ken McCallum: I have.
Q94 Chair: This is slightly off topic, but I have a big interest in children, safety and pornographic images. The NSPCC-I know this is another aspect of this-has just given me some data. It did an FOI request to various police forces in England and Wales asking how many child abuse images they had seized in the previous two years-March 2010 to April 2012. Five forces replied. You will be interested to hear that Cambridgeshire was one of them, Stephen. They had a staggering 26 million illegal images of child sex abuse. An expert at NSPCC has calculated that those five counties-Humberside, Lincolnshire, Nottinghamshire, Dyfed and Cambridgeshire-are broadly representative of England and Wales. Depending on how you calculate it, we are talking about between 100 and 350 illegal images being seized by the police over a two-year period. That is gobsmacking and more than we have ever had before on the use of the internet for potential child abuse. It is shocking. My understanding from the NSPCC is that a lot of this is peer-to-peer networks and other dark web elements. Why are we not doing very simple things such as using this programme, PhotoDNA? Why are we so against regulation even here, which could sniff out known illegal images? Why aren’t we doing this stuff to try to contain what is currently a collective failure in our ability to control access to these images by children-or paedophiles, or whoever?
Oliver Robbins: Chair, I do not want to dodge the question, and I hope you do not think I am. Those are horrifying statistics. What we try to do at the centre of this programme is to ensure that the UK has the right capabilities and policies in place to support cyber-security and the growth of a good cyber-security posture inside Government and industry in the wider economy. The Home Office sets policy and the law on what constitutes a crime, and through its looking after what is currently CEOP and will become the National Crime Agency’s e-crime unit, it is, I am sure, worrying about precisely that issue. Unless James knows any more than I do on the specific question you asked, I am afraid we would have to ask the Home Office to help us to provide you with an answer.
Q95 Chair: I have been banging on about it during the hearing this afternoon, but I understand that this PhotoDNA would be a very simple thing to put in, which would at least sniff out these illegal images. That might become something that would prevent the extent of circulation of outrageous stuff. It is just gob-smackingly awful.
Oliver Robbins: We will take that point back with us, if we may, and get you a note from the Home Office that answers your question.
Chair: All notes within a week would be warmly welcomed. Thank you very much for a very interesting first roam around what are, obviously, really complex issues.