Asked by Baroness McIntosh of Pickering
To ask His Majesty’s Government what is the role of the National
Cyber Security Centre in monitoring and preventing cyber
attacks.
The Minister of State, Foreign, Commonwealth and Development
Office (Lord Ahmad of Wimbledon) (Con)
My Lords, the NCSC, as the UK’s technical authority, is the UK
Government’s authoritative voice on the cyber threat, providing
independent assessments and improving cybersecurity across the
United Kingdom. The NCSC provides protection at scale and drives
improvements to resilience and security to mitigate threats from
our adversaries and reduce cyber harms in the UK. Through
tailored expertise to protect citizens, businesses and
organisations, the NCSC works to make the UK the safest place to
live and work online.
(Con)
My Lords, I am grateful to my noble friend for that Answer, and
for the White Paper that the centre has produced. What advice
would my noble friend and the Government give to a firm in North
Yorkshire that underwent a cyberattack a year ago and had its
systems restored only by the payment of a rather large ransom in
cryptocurrency? The White Paper focuses on prevention but, in the
midst of an attack, what can a company possibly do other than pay
the ransom?
(Con)
My Lords, my noble friend raises a couple of important points.
First, on ransom demands, as she will be aware, it is the firm
position of the Government and UK law enforcement that we do not
encourage, endorse or indeed condone the payment of ransom
demands. For example, if you pay a ransom after your computer has
been affected or your systems have been impacted, there is no
guarantee that you will not be targeted in the future by criminal
groups. In that regard, , the CEO of the NCSC, and
the Information Commissioner have written to the Law Society and
the Bar Council.
However, the Government offer specific support, including to
small businesses. There are the 10 Steps to Cyber Security and
the Small Business Guide; there is also a ransomware portal that
provides fresh advice, as well as the NCSC’s assured cyber
incident response scheme. It is ever evolving, but the Government
are very robust, and we are working across departments to ensure
that we give the best information and response possible.
(Lab)
My Lords, of course, I refer to my interests in the register. I
suspect that the excellent schemes that the Minister has outlined
are very useful but that they do not address the question that
the noble Baroness, Lady McIntosh, asked. If a company or
organisation is subjected to a ransomware attack, can it get
tailored help as to what to do in real time from the NCSC, and
how do people know how to access that?
(Con)
My Lords, if the noble Lord reflects on the answer that I gave,
he will see that I answered the question quite directly. The
first point is, “Don’t pay”, because the experience is that there
is no assurance. Of course, a small company will have limited
resources, and some of the portals, information and websites, as
well as the response that I have outlined, are designed to help
exactly those kinds of small businesses in their response.
However, one thing is very clear, whether it is within my
department or the Home Office: that by paying such demands there
is no assurance, for a small or a large company, that a ransom
attack will not happen again.
(CB)
I declare an interest as the chair of Wilton Park, an executive
agency of the Foreign and Commonwealth Office. Small
organisations, while they are not completely part of government,
nevertheless provide some back-door entrance to government by
some people with malign intent, and they carry quite
disproportionate costs to ensure their cybersecurity. Have the
Government given any thought to how they could support ALBs and
executive agencies across government more comprehensively?
(Con)
My Lords, I recognise the vital insights of the noble Baroness.
In working across government, we also work to ensure that
government systems, structures, departments and agencies are
fully protected. As I said in my Answer, this is an ever-evolving
and ever-challenging threat—what is good today needs to be
adapted for tomorrow’s threats. Where specific issues arise, be
they for small businesses or for agencies, we seek to provide the
necessary focused support.
(LD)
My Lords, I have visited the centre and greatly admire the work
of the whole team. The public and the private sector should
adhere to its advice. The Government have consulted on
prohibiting payments to ransomware. The Minister and I well know
that the source of many such attacks is Russia and, currently,
Iran. Does it not sit ill that businesses are only being told not
to pay ransomware, rather than having a legal prohibition, when
that money will end up in Tehran or Moscow?
(Con)
My Lords, the noble Lord is quite correct and we have often
discussed these issues and challenges. The mitigations we have
put in and the advice we provide are all part of an overall
package but, as I am sure he will agree, the challenge is that we
also need sharp-end sanctions against these states. As I know
from my experience at the Foreign Office over the last few years,
we never used to call out or challenge state actors for
cyberattacks. We now do so. The two countries the noble Lord
named—Russia and Iran—are very much part of our focus. I am sure
he will acknowledge that we have imposed cyber sanctions on
Russia.
(Lab)
My Lords, to take the Minister back to prevention, he will be
aware of the increase in the number of ransomware issues—the
incoming Costa Rican Government last year and the Irish
healthcare system the year before were both hit by ransomware
attacks. Can he tell the House more about what we are learning
through international co-operation? Prevention is obviously
better than having to deal with a significant problem afterwards,
so I hope that we are learning something from other countries
that have had to deal with this and that we can extend that to
public bodies and private organisations.
(Con)
I totally agree with the noble Baroness and assure her that we
work very closely with our key international partners in calling
out some of these cyberattacks against companies or even
government websites and systems. We seek to act together and have
done so. She will be aware that at the beginning of next month we
will host an AI summit, which the Prime Minister is overseeing,
very much aimed at exactly what she articulates—how we can learn
from each other while improving our responses. I always say that,
for cyber and many of the other challenges we face, as good as
mitigations or mechanisms may be, those who seek to cause us
harm—be it to business or directly to the Government—are looking
at new ways to overcome them, so we will continue to share and
co-operate with our key partners and allies on this.
(LD)
My Lords, a few weeks ago, the National Cyber Security Centre
issued a warning about the risks of “prompt injection attacks” on
the new large language models such as ChatGPT when used in the
workplace, which enable them to be open to manipulation. What are
the Government doing to ensure that they mitigate that risk in
their own workplaces?
(Con)
My Lords, as I have said, we are working across government and
internationally. I think we all recognise the catch-up element
with the evolution of these new methods. There are
transformational elements with new innovations—that is why I
referred to the AI summit, which is intended not just to avail us
with the opportunities these new technologies present, as the
noble Lord articulated, but to address the challenge and high
risk presented to government, industry, sectors and
individuals.
Noble Lords may recall the sad occasion when this very Parliament
was attacked physically. I remember the emotional exchanges and
statements made at the time, including by my noble friend Lady
Evans. There was another attack at that time, on the
parliamentary emails of many Members of this House and the other
place. The knowledge base available for mitigation was limited,
as was awareness. I think most Members and colleagues were
concerned about getting their machines and devices up and working
rather than about the data loss. The more learning, education and
information we can share, the better we will be at mitigating
some of these risks.
(Con)
My Lords, a company which is the subject of a cyberattack may not
wish to be publicly identified, but they may have suffered severe
financial problems. How is HMRC taking this into account and
giving those companies some breathing time to put right what may
have happened to them? It is all very well saying it in one
section, but is there a cross-government approach to this
issue?
(Con)
My Lords, I assure my noble friend that we do have a
cross-government approach to this. He raises a very important
point about both risk and the cost associated with cyberattacks,
and we are very much seized of this. I have already outlined
specific schemes and support. It is very important that we share
this, however, so in the interests of full information, I will
write to my noble friend and put on record in the Library the
number of schemes that are available for information sharing and
the support that can be offered to those impacted.