My Lords, I am pretty sure this will be significantly briefer. This is largely a measure to highlight a particular issue and should certainly engender less confrontation. We are very supportive of the Government and other institutions on matters of cybercrime. This is a nudge. It is our attempt to add some measures to an important part of enterprise: sustaining effective and secure business, and the ability to secure cyberspace.
The ONS crime survey established that during the period surveyed there were 5.1 million frauds, of which 2.5 million were cybercrimes. These are crimes committed under the Computer Misuse Act. Their detection is based on footprints—that is, looking at devices affected by viruses, hacking, denial of services and virus proliferation, all those sorts of elements. Surveys, as I am sure the Government are aware, have indicated that 74% of small business and 90% of larger business have identified some form of cyber breach. In recent times there have been prominent cases where people who have been breached have suggested that they have the problem under control. We wish to raise this point because we do not believe this to be the case.
I personally participated in what I think outside America is the western hemisphere’s largest conference on cybersecurity, which took place in Tel Aviv with participation by chief information security officers— a term I had not heard of 18 months ago but these individuals are now very significant in their companies—law enforcement, intelligence services and government representatives, who were able to identify that the vast majority of offences actually are detected. It is easier to introduce a virus that is undetectable afterwards. In fact, cyber thieves produce around 250,000 novel variants of viruses every day, which is a huge amount, and I will come on to other aspects that impinge on this. We are seeing massive problems that we have to address.
It was instructive to learn during the course of the conference that the Sony cybersecurity breach that gained great prominence was identified only because they purposely left an imprint to make sure that people understood. Despite the fact that it had the participation of the most powerful cyber nation on this planet, you could not identify what the source was or its full extent. You could not even identify that it was North Korea by any form of examination of where it had been penetrated. It was only via the means of the traditional intelligence services that they were able to identify that it was North Korea. What hope, then, do businesses have in these circumstances?
Furthermore, there is a huge imbalance in the spend between larger and smaller businesses. Government figures that were published some time ago suggest that small and medium-sized businesses with 100 or more employees spend £10,000 a year on cyber security, but the smallest firms with fewer than 20 employees spend around £200 a year. This is highly problematic to the aim of having markets that are fully protected.
Over the past few years cybercrime has evolved, and it is now an enormous industry. The City of London Police estimate that it is a £39 billion industry, most of which is recycled into other forms of criminality. It is a hugely circular flow. Actually, it is an incredible market with suppliers, merchants and service providers. There are all sorts of things going on. It used to be said that armed robbery rates went down because if you wanted to be a criminal it was easier to sell drugs. Now, why carry a gun when you can make more with a laptop? The massive infrastructure of cybercrime is hugely problematic.
What I found most interesting at a different session of the cybersecurity conference was where it was identified that there is a massive penetration of companies’ customer details. Those details are blended and traded so that no company can ever detect that their particular security was breached. The details are sold in batches and strips. Even if your security is breached, no one actually knows the extent of the customer payment details that have been penetrated. In any blended list, you are not likely to have more than 2% of any particular company’s list in any list that is used for a cyber hack. I found this to be of extreme concern.
Mobile has been less prone to these sorts of attacks largely because Apple, Google and BlackBerry are the ones that integrate their encryption systems—this is relevant to a debate in other areas. The internet of
things is now extremely vulnerable. The disaggregation of security is a huge problem and some fundamental strength is needed.
Criminals are able to recruit from security, intelligence and private sector organisations because they can pay more than the others, so I think that we have a massive issue here. As I say, the Government have not done enough. They have done quite a bit and many good initiatives are in place, but we are suggesting these amendments to try to give greater prominence to and amplify what they are doing, as well as to prod them to move in a couple of directions. I wish that we could have tabled an amendment that we were not allowed to, which would have been to try to encourage more small businesses in this country that are actually creating cyber security products. We wanted to table an amendment that would have mandated government departments to spend 8% of their entire IT spend on cyber security, because that would generate an ecosystem of cybersecurity firms. We have some good ones, although in this country really only in Cambridge, but imagine what a boost it would be to our cybersecurity capacity if we were able to do that.
Instead we believe that there is a role for government to set standards. In particular, we should promote our best: the City of London Police are outstanding. They are utterly world-leading on this and I pay a massive tribute to Adrian Leppard, who has been an outstanding commissioner. He is a world-leading and well renowned figure and the City of London Police are undoubtedly seen as one of the most significant, important and expert agencies in this. We would be very encouraged if the Government were to consider providing more prominent advice to businesses, which do not really know how to deal with this or know the right sort of things, and promoting the best in practice that we have—that of the City of London Police. I beg to move.