UK Parliament / Open data

Product Security and Telecommunications Infrastructure Bill

I start by declaring my interests. Much of my previous career was spent in the cyber-security industry, and in the four years before being elected to Parliament, I led commercial strategy and public policy for BT’s cyber-security team. BT was one of the companies that helped to design the Secure by Design code of practice, some of which we are putting into law through the Bill. Also, I have recently undertaken cyber-security work for MHR, which is set out in my entry in the Register of Members’ Financial Interests, although the company does not produce consumer devices, connected or otherwise.

In some ways, cyber-security was good preparation for politics—for example, waking up to nightmare headlines such as,

“Attack of the refrigerators! The cyber-threats lurking in your home”

and

“Is your smart TV too wise? The FBI warns your screen is watching you”

and

“HACKED IN THE HOME: Your entire home could be HACKED with these simple mistakes, cyber-experts warn”.

Perhaps the most disturbing one I have seen is:

“Hacker who stole nude self-portraits of George W. Bush jailed for four years”.

I am all for being tough on crime, but surely in that case the perpetrator had already suffered enough.

Alarmist headlines aside, the Bill is very much needed to protect our constituents. The average UK household has nine connected devices, and the security on most of them will be poor. Information about how secure the devices are, or how long they will receive security updates for, is unlikely to have been provided when they were sold. What are the risks? There is a huge impact on our constituents’ privacy. Your TV really could be watching you. Two years ago, footage stolen by hackers from home security cameras in Hong Kong was sold to pornographic websites—a huge invasion of people’s intimate private moments. There are numerous reports of baby monitors being hacked by paedophiles.

There is also the danger of hackers using a fairly innocuous connected device as a gateway to jump to other devices and steal valuable information. An infamous example from the business world is the attack in 2013 on Target, one of the top five retailers in the US. Criminals gained access to its network through a supplier connected to an external vendor portal. They then stole the details of 40 million customer credit and debit cards. The supplier just provided air-conditioning. The total cost of the cyber-attack was more than $200 million. That is one hell of an expensive air-conditioning bill. There was also an attack on a casino, where hackers gained entry to the network through the thermometer of a fish tank.

Once they have a foothold in the home, hackers can access other devices that are not properly secured. There is a real danger that sensitive information relating to a constituent’s health or their financial information could be compromised, but how common is that really? Is it just a case of a few alarmist headlines? The consumer watchdog Which? ran an interesting experiment last year. It set up a smart home with a range of consumer devices, from kettles to thermostats, televisions and security devices, all connected to the internet. It experienced 12,000 hacking or scanning attempts in a week. At one stage, it experienced up to 14 hacking attempts an hour. We have a problem, therefore, but not a problem of which many people are aware. A recent report that surveyed 2,000 UK consumers found that people were largely unaware of the risks. Some 48% of respondents were not aware that hackers could hijack their connected devices.

Unsecured consumer devices are also a real risk to our digital infrastructure. Hackers who control connected devices can harness their collective power into a botnet—a network of devices that can be used to launch denial of service attacks on our digital infrastructure. The Secretary of State referred earlier to the Mirai botnet. What is interesting is that it is thought to be the first botnet to harness the power of insecure consumer devices or the internet of things. At its peak, it had about 600,000 devices—baby monitors, radios, cameras—at its beck and call. You and I would not necessarily have noticed it, Mr Deputy Speaker, until the day it launched an attack on the domain name service provider Dyn in 2016. In doing so, it took out Netflix, PayPal, Amazon, Visa, Reddit and Airbnb for the best part of a day.

Contrary to some of the claims we have heard from those on the Opposition Benches, the UK has always been a world-leading cyber-power. Back in 2011, we were one of the first countries in the world to publish a cyber-security strategy. It recognised the risks and opportunities that cyber-security brought to nation state relationships, critical infrastructure, business, consumers and society as a whole. We have always been out in front when it comes to protecting people, businesses and critical infrastructure.

In the 2016 refresh of the national cyber-security strategy, the Government moved from relying on a market-based approach to protect consumers, to a more active role through the UK’s active cyber defence programme, which makes the infrastructure of the UK’s internet more difficult for cyber-criminals to exploit. It does that through measures such as improving the security of internet protocols—the method by which data is sent from one computer to another—and domain name system filtering that blocks access to sites known to host malware, such as phishing sites. The 2016 strategy also committed to publishing guidance on how to improve the default security of consumer products. There are three measures on that in the Bill. As we know, it forms the basis of similar codes used in India and Australia, but it also forms the basis of the first global technical standard for consumer cyber-security products. So far from being behind, the UK is the leading country in the world on this issue.

As has been set out, the three measures put forward are: banning default passwords; implementing a vulnerability reporting scheme; and informing consumers how long a product will receive security updates for at the point of sale. They are really necessary because, I am sorry to say, we have not seen the response from industry that we should have. Too many manufacturers are still not taking responsibility for ensuring their products have the basic security that our constituents need. Too many still shunt their security responsibilities on to the users of their products.

We need to call time on this. The digital economy is growing and holds huge opportunities, but those who benefit from its growth should also be investing in the safety and security of its users. We are still, in my view, only on the cusp of the fourth industrial revolution, the fusing of our digital and physical worlds. Cyber-security needs to be a part of that revolution to ensure that the inevitable risks are outweighed by the opportunities.

2.41 pm

About this proceeding contribution

Reference: 707 cc1039-1041

Session: 2021-22

Chamber / Committee: House of Commons chamber