Cyber Security Committee Select Committees

Thank you for coming on the committee is grateful for you for

coming and to give evidence to us. We are fortunate to have a lot of

written evidence as well, so we have quite a lot to chew on. If we can

begin, what I'd like to do right at the beginning, because this is our

enquiry, is to put on record at the enquiry, is to put on record at the

start of the evidence taking some simple contexts suggesting

questions. You will know that the national security risk assessment

characterises cyber as a top tier threat. If you think that is

justified, what would you say is the nature of the threat to the United

Kingdom and how might it be made manifest, and are there any threats

to which either government or the private sector are particularly

vulnerable, and if so, what are they? I can start. That is a fair

assessment as to what the threat is today. Where it manifests itself,

much is made of the nation state capability, and we do have

aggressors that are targeting the UK and the private sector. Similarly we

should not underestimate the force with which organised crime is

embracing cyber capability, and for various reasons. So to gain direct

economic benefits from activities, second wary to that, by proxy,

supporting certain nation states by creating some clear water, shall we

say. Anyone else? I am dubious to the idea that it is a tier one

thread. I think it has been overhyped. We do have intense worry

about cyber espionage and Internet warfare, but the probability

critical infrastructure attack would critical infrastructure attack would

only be very likely under the context of a global war, so that is

something that is a bit beyond the normal consideration. Most cyber

aggressors use it for information advantages, and that is the nature

of the cyber threat right now. I would suggest it would be

a tier one threat largely because it a tier one threat largely because it

has so much impact on the other category one threats to the UK. I

guess that cyber is something that can happen directly, but it can also

have an impact on public health, on terrorism and it can be an enabler

for military conflict, and because of that it would make sense that it

would be classed alongside as a tier one threat. The other way of looking

at this is that we often talk about what it means Drame nation to nation

perspective. We should not lose track of the fact there is a real

threat to members of the population through ransom, where we are now

seeing organised crime units trying to monetise attacks by targeting end

users, encrypting their laptops and having an impact that is probably

seen much more frequently on a day-to-day basis. I would come at it

from the consideration of exposer. We are a digital society, whether we

like it or not, and will no everything that is physical has

digital processes behind it, so we are vulnerable to those digital

processes and data flow being interfered with. Much of what we do

in society depends on whether it could be physical things in

hospitals, but there are scheduling, blood ordering, and all things go on

in the background that our digital processes, and without those digital

processes a lot of the physical world will deteriorate. So I think

it is absolutely a tier one threat less because of the threat to date

but because of the vulnerability and the possibility a could materialise

quickly. Having established that three of you think it is a tier one

threat, although you have some doubts about it, without wanting to

scaremonger, what is the worst-case scenario for cyber attack on this

country, and how likely is it? As you all know, the whole point about

the risk register is a mess -- mix of impact unlikelihood. -- and

likelihood. Getting into the specifics of what could happen, you

could see a very likely scenario where our ability for the financial

markets to operate and for much of the health systems, and the

infrastructure to function, that could be disabled. That could be

severely impacted. Many of the adversaries who might want to do

that until now, there are other geopolitical boundaries around that

might cause them not to do so. But as capability becomes more and more

accessible then I think we could see criminals and terrorists becoming

more capable and then you have less political and diplomatic bounce

around behaviour and constraint. I would agree with that. If we look at

the UK by virtue of our maturity, we adopted technology very early on,

and by virtue of that we have some legacy systems which will run some

quite key elements of our country, and that in itself provides some

unique challenges where we have some ageing systems coupled with an

increasing capability, which we might not intend to take them down,

but through their own exploration and success in compromise have an

inadvertent outcome on the systems. If the worst does happen it might

not always be intentional as well, so that is something to bear in

mind. My comment would be is to use your imagination in terms of what it

might entail. What do I mean by that? Anything that draws upon data,

information or anything that touches currency and trading. I read an

article last week on the BBC website about how even farmers are now using

data to make decisions about how much fertiliser to put onto their

crops. The suggestion was that if a hacker could get access to some of

the systems and manipulate the information you could have a

scenario where where the levels of crops being produced might result in

some form of famine. You might come up with another form of famine that

says many of the industrial consoled -- control systems now touch data

networks, so if somebody could straddle a data network and from

there get action -- access to control systems. There are all sorts

of different things the individual might be able to do. We have seen

some of that both out in the Ukraine and in some other countries over the

last two years. The problem is we cannot make policy based on

worst-case scenarios, and we need to do it on probabilities what is

likely to happen. Aggressors have had the technology for 30 years and

they have been generally restrained in using it for aggressive purposes.

Terrorists are not so restrained they don't necessarily have the

capabilities. So the real difference between who is the aggressor, what

is the target and what are the goals? We have to worry about a

general societal programme to promote resilience in the state to

recover from possible cyber attacks, but the probability of a dramatic

cyber attack is only highly likely in the context of a major war with

Russia or China and that's not necessarily on the table. Will it

happen any time soon? That is something out of the imagination and

that is not how we should govern. We need government based on what is

likely to happen. We have not seen cyber technology used for massive

effect so far and we are unlikely to. We have seen sabotage but that's

generally been done by nation states to attack launch capabilities to

prevent other countries from acquiring certain technologies but

we've not seen any great devastation so far and I don't think we are

likely to any time soon. If I may counter that slightly, one thing we

cannot say from a policy perspective is say we can deal with it when it

becomes an issue. We are building the digital society today. If in ten

years' time we find ourselves in a conflict situation we won't rewind

the clock ten years and say we can build a secure digital society. I

think there is a policy imperative to build a secure society, without

necessarily trying to anticipate what the threat may be or may become

in the next five or ten years because we have to build today for

the future. The word resilience was used there, and I think that is an

important word. The free market, if left to its own devices will make

money, which is a wonderful thing but security is, to a greater or

lesser extent not seen by buyers as a key point at the moment in terms

of their purchasing decision, so our resilience is probably not where it

should be, and that is where the national cyber strategy outlines the

levers and incentives, and this is where we need to take a very long,

hard look on how we increase that resilience. Would I be exaggerating

if I was to say, from what you have said, that if you had to say where

the balance of investment should go, you would put it into resilience

rather than the offence, stopping attacks? We recognise now that the

concept that you are either secure or not secure as a binary state has

long gone. You need to be able to deal with successful attacks of

varying degrees of impact and be able to recover accordingly with a

minimum level of disruption, which is why resilience is a key concept

now in cyber security. We throw this term around without really defining

it and without really saying what needs to be done. The key thing

would not be investing in their private and public partnership but

investing in education and from the ground up. The other thing we need

to start to invest in is the public and promoting how they might react

away cyber threat or rape cyber attack. -- a cyber attack. We did

that in the nuclear error but we are not developing these programmes to

manage the emotional reactions of what happened because of the

dependency on digital. It's a very good point. I will speak to Mr

Cooper, then Lord West. We spoke about the cyber threat to the public

infrastructure and the private sector, but in the light of the

experience of the US elections, what is your assessment of whether or not

there is any sort of cyber threat to British democracy, either to

democratic institutions, electoral systems, political parties or

Parliament and so on? If we look at what happened in the United States

in the primary means taken in terms of manipulation of the message and

trying to influence public understanding of the situation by

virtue of having a free and open media, which in a highly connected

society we are obviously susceptible to. To say they would be able to

influence how somebody cast their ballot through pen and paper that we

still employ, that would be going too far, but in terms of leaking or

manipulation and propaganda, we have to accept that that is a practical

means that they can employ. There is a really important general principle

about how attackers think in that is illustrated by the question around

elections. We see whether it is online banking or all different

attack scenarios, the attackers will not target the core system you are

trying to defend itself, but attack the inputs and manipulate the input

is going into it and therefore get a different result. The discussion

around elections, and we know the head of the NCSC has reached out to

political parties to talk about their security, is so really

important principle. You might not be able to influence the casting of

votes itself, but if you can influence the dates that the

decisions are made, you might be up to influence it and that is an

important principle for how the attackers attack in this space. If

political party's e-mails are leaked and then selectively leaked to

present a coloured view of what the party stands for, or the individuals

stand for, that is the kind of concept that is often used in cyber

attacks. We have to be clear about the US attack. It was mainly done

through third-party applications, third-party e-mails, people changing

e-mail passwords. It was the least of the least in terms of cyber

attacks. The real problem with the American electoral system is the

lack of trust in the media and that's a question you have to ask

yourselves internally. Do we trust the BBC and the media? In America

they did it, and they trusted Russia today quite a bit to the tune of 9

million views of Hillary Clinton making money from a foundation,

which wasn't true. It a question of trust and where people get

information from and how are they educated to take in end education.

We'd tell the story of the dramatic Russian hack, but it was simpler

than that. Lord West and Lady Faulkner. I'm interested in this

take. I put a huge amount of working with the Americans on Y2K. An

immense amount of work. And it never really quite came to what we

thought, although some things we did good. It was thousands and thousands

of man-hours on it. We had some information when

suddenly he lost cashpoints including by foot, which I think can

be used in the context of what happened in a cyber attack. My

question is, resilience and recovery, do you believe there is

sufficient money being spent by commercial companies in terms of

their recovery for when start to go wrong, and even think there is any

legislation that forces companies to have proper recovery mechanisms in

place? There is a will and that is what were concerned about in the

cyber Security industry that has popped up. That is regulated at the

moment. We need to ask if they are encouraging good practices. We do

not really talk about that, we do not talk about how companies use IT

departments to handle their security when they really need is cyber

Security group now. We need to understand the nature of the threat

and how to respond to it. I worry that we are focusing too much on the

fencing we are not thinking about the defence perspective first. Going

back to the earlier point, the impression one got from you about

the interference with democracy and electoral systems, the implication

was that it was a manipulation rather than a direct impact. Angela

Merkel has come out three times to warn off interference in the

forthcoming German elections. Why is she so concerned? Any of you? The

Russians have been engaging in this activity for a long time in Europe.

She is making sure the population do not respond to this information

attacks. In America that is a lack of trust in Government, hopefully

Germany has more trust and they will fight back against the attacks that

will come. The German intelligence agency said the date -- said that

they caught a Russian group tried to compromise on various systems, which

is where her concern will have come from. The three bustling companies

that deal with threats and respond to incidents when they happened. It

is real. You cannot deny the fact that there are people all over the

world whose day job it is, and they work 9-5, and they go on holiday, it

is their job to get into networks and compromise digital processes for

whatever means it is, if they are criminals for financial gain, as

they are nation states it is still a back door as they can exploit in the

future to get information out, but there are armies of people out there

for whom this is their job. We're focusing on the Government's

national cyber Security strategy. What would you see as being the key

lessons learnt from the 2011 shattered Gia and whether it was

effective and do you think those letters have been sufficiently

addressed in the 2016 strategy? There are two key things come out of

the recent strategy that our portent. One is the that there may

need to be regulation, incentives as you might freeze it, and the other

is capacity building in terms of skills. What we have already seen in

terms of that policy being enacted around getting to the younger

generation, we are talking 11-15, that will benefit us in six years

when they enter the workforce, that is absolutely key. I think it did

address a lot of the shortcomings. I was in the Cabinet Office in 2011.

The thought process back then in 2011 was very much that the

Government could encourage the private sector, upon which much of

the dependency for action sets on, to understand the risk and take

action appropriately. What has become clear is that maybe the

Government needs to be a bit more active and take a bit more

intervention. Things like the establishment of the national cyber

Security Centre, that is a very welcome initiative, it jive some

innovation and working together with infrastructure providers in the UK

to tackle a lot of the noise at source, remove a lot of the

low-level activity that is going on so people can focus on the more

sophisticated activity. I would agree with that. One of the

challenges were cyber is now left to market forces sometimes you do not

get the results that you might imagine. Often cyber security is

regarded as a lemon market, that is asymmetry of information between the

people who buy services and sell services. If you are a seller you

might understand the acronyms and did complex details, while if you

are a buyer a lot of those things are confusing and difficult to

understand. It is one of those ramps were market forces alone do not come

up with an appropriate level of response. We are seeing a greater

need for some kind of regulation to try and define bars for people to

strive towards. Where we talk about regulation, we do not see it as

being universal. It has to be proportional to the criticality of

the firm in the services it provides to the nation. As long as we take

that into account, and we're seen regulators take lead on this and

take a proportional approach, that is where we see a good response and

an improvement. You are all saying the market has not delivered in this

area, either because the vendors selling people products they do not

need or understand, or whatever else. Is that how we should

interpret the emphasis on extra cyber offence? Is it an admission

that the existing strategy is not working or is not going to work? It

addresses to problems. It helps those who cannot help themselves. It

is a complex subject. It is an assumption that they have the

skilled people. The majority of the France United Kingdom are SMEs and

they cannot retain the skill set. Cyber defence provides those firms,

some meaningful defence against these actors in the real world. Can

I have swore generally about whether or not the 2016 strategy is robust

enough for the protection of the UK critical national infrastructure?

We're seen recent attacks in Ukraine and in France. Has this latest

strategy led the right lessons from those major attacks. You will

probably have seen the recent US science board report essentially

said actors on behalf of the Russians and Chinese had effectively

penetrated the US's key critical infrastructures to the extent that

given the opportunity to switch off that infrastructure, which has

bigger locations for American society. I we facing the same level

of threat? Has our ambition should be penetrated to that extent and, if

so, what can we do to deal with that, given that the US defence

science board was saying that it would take at least ten years for

the US to rectify that position? The honest answer to your question is

that no one knows. You can take some confidence and things that happen,

but with the US, they did not know what had happened until it became

clear. Part of the challenge for the national shattered G is that this is

an area that is very fast and one thing that needs to be thought about

in the context of the national strategy is the five-year cycle may

not be rapid and off to deal with the world as it develops. Our

dependencies in the digital world as they develop is much faster than

that five-year rhythm. We might need to think about a new more agile

approach to revisiting the strategy. I have a different perspective which

is that a lot of the things we are calling for, new regulation or extra

cyber defence, take a while to build. There will always be in

anxiety. If you shorten the life cycle, you will not have data on

whether they will work and deliver. That would be shrinking it to

something like three years. It's critical national infrastructure

compromise to the same extent? I don't think the companies would be

willing to comment on client relationships, but it is courtesy

that most organisations, when facing threat, will face some incursion.

These actors have many cyber operatives and they will target

everything, so we need to be prepared for that. I don't know if

we are doing the stress tests we need to do to make sure we are

prepared. We cannot survive major rainstorm sometimes, so can we

really survive is possible attacks? I do not think they are likely, but

they are possible. We always have to come to a mindset where we accept

that at some point we will be compromise, still a mindset nuisance

are looking at how you respond to those kind of attacks. The aggressor

only missed event when we enter an organisation, the defendant is to

defend against every single attack, so there is asymmetry there. When

the debt landscape as much as cover technology but also people and

process, that is a really large landscaped to try and protect. We

are targeted as employees of the organisations that we work for, but

also people in the community, our wives and children, are also

targeted. If you take that as a starting point, assuming someone was

surely a day would get in, the focus would be on that ability to detect

and respond. Those of you who are working closely with the private

sector, some of whom are infrastructure providers that many

of whom are supplies to the infrastructure, water should

experience of the extent to which, without breaching confidentiality,

what is the extent to which you find they are already harbouring things

under systems that they may not know about and can do much about. Supply

chains since it gets very murky. The firm has to report to regulate, but

you can report what you know is true. What we are increasing see is

that they're looking at their supply chain as an area of risks to them.

How do they have the confidence that the smaller firm they have engaged

with connectivity into their environment will not launch an

attack? Today, that is where it is found wanting in many suppliers, the

reason is that they supply and magic widget, something very niche, but

they'd not have a fully fledged system because they are a

multidisciplinary firm. There is a supply chain that is a worry and a

lot of what we do is stand for a cost benefit analysis, and sometimes

you need to spend a lot more to ensure security. We feel are back

where often. To what extent are larger companies putting in criteria

for small suppliers to meet their obligations. Is being used by some.

There are contractual obligations but it is a written world card with

-- it is the written word, but then you can have any obligation to

inform if you wish but if you do not know you cannot tell them. The

reality is, you will not. You are outsourcing to them because they're

cheaper, or the very specialise, you're not contribute your own

requirements on them that will erode the saving you may make. Some

organisations are rethinking their organisational decisions. Cyber

security may not be a technical issue is much as how you structure

your processes. The number of dependencies you have on others is a

key part of your risk. Some of the outsourcing and supply chain

decisions that have been made in the past, which have been driven by

cost, some of those will need to be rethought and organisations will

need to reconfigure themselves so they have more control over those

processes end to end. They will never be able to eliminate supply

risk, and the comment feature of all cyber attacks is that they go for

the suppliers and suppliers to suppliers, that can be a part of

that thinking. What we've seen over the last three

years is more intelligence led assurance frameworks, so rather than

looking at organisations straight on, we try to look at the other

interconnecting elements around the organisation. Maybe not as

far-reaching as supply chain, but certainly looking outside

conventional tech within the UK. We will also see a growing number of

attacks that have relevance to the UK that target subsidiaries and

other operating functions of the national organisations that are

outside of the UK. Doctor Morrison and Lord West. With General data

protection regulations changing next year and the big fines that some

will potentially introduce, will that affect the supply chain that

has been discussed, and will it alter behaviour significantly or

not? Yes, I think there are certain firms today that are very anxious

about GDP are becoming active, and that will drive more of an invasive

look at certain suppliers that process personally identifiable

information, definitely. One of the things to watch, in general data

protection, it provides a strong regulation of personal information,

though many of the cyber attacks that my concern this committee from

a national security perspective might be less about consumer

information and more about attacking infrastructure and military

processes and disrupting processes. So there is a strong regulatory

regime around consumer information and we need to watch it does not

skew co defences do over focus on that and not thinking about

disruption to processes. Would there be public health problems in

accessing data? Absolutely there would be. I should declare an

interest that I am chairman of a company that works in the cyber

area. And I also speak a lot on cyber as well, for which I get a bit

of loot, which is quite nice. The question Lord Harris was asking, and

the report, and I read it as well, is actually saying there are lines

of code already in masses of the software within whole areas of the

US that can be sparked but we don't know how. What I want to run on from

there is, how dangerous do you think it is that switching pieces of gear

are incorporated in masses of systems and we don't know how the

upgrades go unless we put people onto it to look at it closely, but

now Chinese firms are taking the largest data centre in the UK may

have taken over the largest CCTV company in Europe, and with the

Internet of things, we know what you can do with CCTV remotely. How much

of a threat or danger does the panel see that as, particularly when one

takes into account these lines of code which we find at times, we go

in and say we did not know it was there, so how much of a threat do we

think this is? Pure software quality will outstrip by an ordinary

magnitude, so any back door being introduced into the line of code,

the number of unintentional weaknesses present in software and

hardware systems today far outweigh them, and that again is it as

economics driving it, quality assurance, good architectural

principles, all of these things in a lot of cases don't make sound

commercial sense, so we can attribute that to malice, but

sometimes we can attribute it to pure neglect. You did not quite

answer my question about whether these companies not doing this is an

issue? I think it is an issue but for those capable of bringing that

force, those same systems will be vulnerable to many, many other

things which were not introduced by those actors and I would be more

worried about that, especially when we talk about the Internet of

things, because those products we expect to have a half life of

between three or ten years on the outside, a very cheap price point.

Where do we think firms can produce to that point? They don't have sound

security and engineering, which is why we are seeing almost the

regression of what we have learned over the last 30 years in terms of

security design being undone with the advent of IOT because we are

moving away from three or four massive multinationals that can

invest in cyber security implementation too many smaller

manufacturers churning products out as quickly as they can. So there is

not one company held to account and you are not going to cut off an

entire country from supplying you today. I think you can assume there

is definitely a threat from the lines of code as you describe it.

But there is equally a thread from people and process. If you look at

the worm that targeted a load of IOT equipment at the end of last year, a

lot of what it did to propagate initially was just use weak

credentials. So when we are faced with problems of people choosing bad

passwords and bad user are not putting any kind of security

configuration onto devices, that is where we should be focusing. That is

the low hanging fruit. We need to think about the coward that powers

the systems but it's more than technology alone. Why did the

Americans say they would not use it? Why do Australia say that? If it is,

as you say, they are both buffoons and they are not doing it correctly?

The UK did a compensating control by creating the Secure site. Week at a

commercial agreement with Huawei to have UK people to do the diligence

on the code -- week at a commercial agreement. So instead of cutting off

entirely, we realised the benefits but there was a compensation in risk

controls by having those individuals being British National is reviewing

the products that they are producing. Just a very quick point.

Do you think it is possible that American concerns about some Chinese

companies like Huawei are caused by competition factors, and they don't

really want Huawei in the market? I take silence as consent. There is a

certain amount of prudence in avoiding the mistakes of the past

that we have done in terms of the intelligence of the past and making

sure we do not diversify that much. That has been the path forward, to

be careful about what we let in, and I'm not so much worried about lines

of code, I'm worried about the hardware, something we are reluctant

to change through time. I think we need to recognise from a national

security strategy perspective, in the UK this is an area where we are

in a position of weakness because we don't have our own technology supply

base in the UK manufacturing the core infrastructure we need, and

other countries have the luxury of having that supply base. The

strategy contains a list of categories of cyber threats, so

cyber criminals, states and state-sponsored threats, terrorists,

hacker activists and what I gather are known as script kiddies. I would

be interested to hear the views of all of you as to whether it is

usable to categorise the threats in that way. Yes, in so much in that it

makes it real for both businesses and users, I guess, and maybe to

understand who they are trying to defend against and their motives. We

need some form of categorisation. That relatively core set is a good

measured balance from the archetypal teenager in their bedroom who is a

bit bored but massively inquisitive, through to what we see in the

Hollywood movies in terms of a nation state threat. It's really

critical in terms of method and target. Each threat will have

different methods and targets, so you could focus on critical

infrastructure attack, and that will be their target, information and

architecture. That division tends to be useful from passing out what we

need to protect and what is more critical and more important. Of

course the nation state is our more capable actor than the terrorist,

then the criminal, then the script kiddie, and the basic chaos person.

The only caveat their eyes I would mention the nation state. When we

communicate with clients we differ between established nation states

that understand the international norms of using this capability and

emerging nation states, those rapidly developing cyber capability,

who maybe not use the sanctions or anything else being placed on them

when they go too far or have other sticks wielded at them will stop

that is an important one, because the disincentives for those, as we

have seen in certain instances like Sony pictures, they will be quite

happy to use that capability with an aggressive affect. The only thing I

would caution is seeing them as two distinct. This is an area where

essentially it is a marketplace of anniversaries, and if you were a

nation state with a hugely sophisticated armoury and you wanted

to get access to a company, the first thing you might do is go via

access of a criminal forum. We see quite a lot of that potential

activity happening. We need to recognise that this is a marketplace

and the nation state can deploy a tool, and within days that tool can

be available for criminals to buy and use. We saw that with poison ivy

many years ago. That anticipates my many years ago. That anticipates my

next question and I'd be interested to hear from the rest of the panel

as the way you think the key overlaps are between the categories.

One of the things to pick up on an earlier point is the overlap is

definitely significant. It's becoming more and more significant.

The modus operandi might remain distinct, but the level of

sophistication and capabilities continually grow. So in the security

strategy will make reference to different levels of capability, and

you might say that organised crime units have a different level of

capability compared to nation states. But the gulf between those

is beginning to blur. What you might assume is that that will continue to

blur down, and when we look at people like script kiddies, who

today might be regarded as having on sophisticated tooling, they can

still have a significant impact on infrastructure. If we look at one of

the large breaches that took place against a telecoms provider a couple

of years ago, that was disproportionately devastating for

them from somebody who would have been regarded as a script kiddie but

had a large financial impact on that telecommunications provider. So I

don't think we can just assume that nation states are the only types of

entities that can inflict significant damage. The reality is,

all of them can. I would agree. On a technical level, organised crime and

the others are getting very close, if not the same in terms of what

they can unleash. The differences, generally, planning, coordination

and capacity to launch that is the difference when we talk about nation

states above organised crime. But on a purely technical level, going on

one engagement, they can be approximately level. They are not

getting that close. The real issue with Russia and China is they will

identify and utilise those people who have those capabilities and they

will identify them early and pull them out and tell them, if you don't

work for us, in addition to what you do in your day job, you will have

trouble. That is the real thing. There is no mythical cyber criminal

that just has these dramatic capabilities. Quite often what they

do, generally falls in line with what we call shrinkage, losses by

revenue or volume, so these dramatic attacks on looking at the American

cases that happen in the last ten years, the only one that went beyond

the shrinkage calculation was the Target attack. Can I stop you there?

I'm afraid we have a division in the Commons. I do apologise. Order,

order, I am adjourning the committee for 15 minutes. Mr de Villiers you

are cut off, but had you almost finished your questions? -- Mrs de

Villiers. Could I ask those briefly? A lot of the material I've seen so

far indicates that terrorists, while they have malevolent intent have

limited capacity in relation to cyber attacks. And yet we have these

relatively low-tech script kiddie type categories. How come those kind

of individuals, teenagers in their bedrooms can inflict harm that seems

to elude terrorist groups? Is there more scope for them? Should we be

worried about that overlap between the two categories in cyber security

responses? Are blue one reason historically attributed is

stability. Terrorists have instabilities in the lives of

physical environment which don't allow them to get access to the

education required all the facilities to do these things. But

you are right to say or highlight the risk. As we assume with

organised crime, young, capable individuals that are persuaded,

cajoled and otherwise influenced to undertake the activities at somebody

else's behest is a risk, and that is where we have to look at the

National Crime Agency and what they have been doing there in terms of

intervention, where they capture or identify young people that may be on

the wrong path, and they sit down with the parents or send a letter to

the parents to say, do you know what your son and daughter are up to, and

maybe you need to be a better parent?

If these individuals are successful that says more about our defects

than their success usually. These enterprises by young people, it is

like that is competition, but they're injuring nature of attack is

not their convicted terrorists. Terrorists have a problem with

infrastructure and education. That is a difference in terms of modus

operandi to this different groups. Often children want to attack

systems, but they do not care what the system is, they just want to try

it out to gain peer notoriety. That is slightly different to a terrorist

group that may have a specific focus on a specific set of end goals. It

is reasonable to assume that as technology develops and the people

who are practising these attacks develop their techniques, we will

see more terrorist attacks. One last question that takes you back to the

first questions you were acid the start of the session, which of the

categories in the 2016 review poses the biggest threat? Is that the

criminals, the state actors, or the other categories? In terms of

availability, long-term financial health, the United Kingdom, you have

to take each of those on their merits. Patient states and long-term

viability of the nation, but it will be someone left field that will

cause the unforeseeable to happen and stop nation states of the most

capable but the probability of those people targeting us is very low. The

main threat is cybercrime. What people are not talking about is what

we will do after Brexit. That is a question we need to dive into and I

have not seen a lot of positions on the impact of regulation, use of

Interpol and things like that. Given that there are so many signatories

to Interpol who are not member of the European Union, who else would

be affected? Idle what the impact of Brexit will be on Britain's cyber

security. To what extent do you think it is possible to distinguish

the source of cyber attacks? You have touched upon it already in some

of the remark she made. It is important obviously these sorts of

interventions and has a bearing upon what remains do collectively and

otherwise it is very dangerous to rely a natural Grecians and cyber

for doing that. It is a very hard problem to solve. Today we have

levels of confidence, we cannot say categorically that we now they

attributed these traits and modus operandi, but these are easy to

copy. Just because these things are coming from a country, it doesn't

mean it isn't coming from a person. I would always caution at your

patient. -- attribution. Adapters are no overstatement. Responsibility

is difficult. Finding the leader will very rarely be there. It is not

clear what that was. We have got good at getting better at and should

you should through the years. We are seeing more cyber attacks being used

to signal that states want is to know what they are doing so they can

push of the now certain way. I do not worry too much about

attribution. Tenet on individuals is very difficult, especially in Russia

and China. It is very difficult to attributed attacks. It is easy to

subvert a responder and point them in the wrong direction. If we look

at the attacks that occurred this year, and initially there was

narrative that looks like it was Russian and the rationales was that

there were some Russian words in some of the cold. The reality is

that it is not difficult to insert Russian code to make it look like

someone from another nation state. Things like are used -- things like

Tor are used to hide the people are coming from and proxies are common.

Sometimes it is only possible to attributed an attack back because

the hacker made a mistake. If the work effectively that is very

difficult. I would reflect those comments and see that it is an

intelligence activity that comes with varying degrees of confidence.

None of you will be recommending that we extend article five to the

sphere? There are numerous issues that would need to be worked through

and that is a hard area to work through. One possibility might be

that you'd respond like for like. It could be made more explicit that

anything one finds as a result of the intelligence that we have that

we believe is reliable, that a state actor in particular vision is

possible for something we have picked up. That is one possibility

because then you avoid the danger of the spiral effect. The Americans

respond with sanctions, they do not necessarily respond back with cyber

attacks because that might open Pandora's box. We do not want to do

that ourselves. Red-mac I do not want to be too pessimistic about

Article five if a country was to continue its assault, then it is

right for countries to get together. We can put on sanctions or other

things. Including cyber in article five is very sensible, sidled why

there is such an objection to it. Another view to consider, from the

British perspective, if a criminal organisation in the UK launches an

attack against a foreign entity and the UK was held responsible for it

rather than it being seen as criminal activity, then we might

feel differently. I hope that we would feel very guilty and get to

the bottom of who was doing it. In article five the should be physical

violence attack ATTACHED to it. If that was to happen then it would be

worth doing, at moment it is conjectured. One of the problems is

that the whole of the need to resume in general UN Security Council

resumed is built around more conventional warfare, though it has

adapted. What I would like to hear from you is to what extent,

alongside attribution, do you believe that the environment has

become safer through the inclusion of collective defence under an

enlarging Nato since the inclusion of cyber Cayman? Is seen to me out

of the last year at the Warsaw Summit. Factor defence leads to

collective goal fence, which leads to escalation. They should be at

individual country. That is a threshold I hope we do not get far

enough to talk about. There is a case to be made because power is

generated in other places off the island. I climb to strategy make

sure that the country functions for certain things. -- a collective

strategy. Food and so forth can be impacted by cyber defence, so we

should look to take a collective approach. I wonder if it would be

possible to break down the different cyber threats into certain

categories. I have come up with three, but this may be inadequate

and I wonder if you think I'm missing anything here. The first

category is using cyber for the gathering of intelligence, whether

commercial or political or military. That is clearly something that

requires defending against, making sure your systems are as well

protected as they can be. The second is what was being talked about in

terms of the US election which is the use of cyber importers issue

additional methods with regard to any medication system for the

dissemination of propaganda and this dissemination of propaganda and this

information and misinformation. Your best weapon there is to get your own

messages out and expose the fact that your opponents have been doing

dirty tricks. The third one, which is the one that most concerns us in

relation to Nato, because the other two are bound to go on as long as

there is a cyber sphere, our tax that could paralyse societies and

for those, although you may try to prevent them, that is where the

concept of deterrence and the threat of retaliation would come in and

then I'm inclined to think that the doctor is right that they got to the

stage they would probably be conventional military action going

on at the same time anyway. Have I missed anything in terms of the

spectrum of threats that would not fall into one or other of these

categories? I've been writing a book on this topic. We divided cyber into

the activities, you included cyber information which is not

traditionally a part of it. In terms of cyber tactics, we divided by

espionage and manipulation of information. People can be looking

to destroy or sabotage the targets. That seems to be pretty

comprehensive in getting most nation state based cyber attacks. When you

get into the criminal sphere you're going to have different impacts,

equally large... I want to concentrate on defence because then

the issue arises of how you do something like this and the only way

to deter something is to have a threat of retaliation, which is both

unacceptable and unavoidable. Here it is not now and in the past, for

example, when the two new wars it was thought that the great threat

was gas warfare and saw a lot of resilience was Putin and every

household had a gas mask. It is accepted that why it did not happen

in the end is that the threat of massive retaliation by this country

was an effective deterrent. Can you envisage a threat of massive cyber

attack that would be effective in determining that third category that

I talked about, attacks that are intended to paralyse societies. In a

short word no. Academics disagree that it has never worked. The

problem is that you need to have credibility, you need to have some

sort of assurance that if someone does this there will be a response.

The main problem with cyber is that there is a lack of utility because

those weapons can be used against you. There is no issue of

retaliation. We can have cyber resiliency, we can have assurance

that there would be a response to any attack, but to ever be able to

prevent a cyber attack is almost impossible given those conditions

and what deterrence as an academic term arrears.

Just to last point is, when you say there is a belief deterrence has

never worked, I hope you're not suggesting in any field whatsoever,

because there is a strong belief that deterrence in form -- the

former Nato was effective for half a century, so if you're throwing out

is that you don't believe in deterrence in any sphere at all, you

are wasting your time with this audience. I hope that wasn't what

you were doing. But in terms of dealing with this particular

construct, surely the notion that a massive attack was taking place that

was trying to bring down a country, if that was going hand-in-hand with

conventional warfare, as you seem to think it would, then surely that

solves, for this category, the problem of identifying where the

massive attack is coming from, because of its part and parcel of a

conventional attack then the secrecy around where the cyber attack is

coming from will presumably have disappeared because we will know

whose tanks it is well simultaneously attacking. The real

problem with the military is a lack of one to use cyber tools because of

the risk involved. There's a low probability of using cyber tools in

any war game because of the risk of using them. There is no assurance

that the cyber tools will work so there has been yes -- less utility

to want to use that as a response to cyber attacks. Conventional

responses are something that should be made very clear, that if you do

this, there will be this sort of response, but no government I'm

aware of as clearly said that this is what will happen if there is a

massive cyber attack, and that's what needs to be done. If you want

to establish a series of workable deterrence, that is. We have seen

evidence of certain nation states launching attacks against particular

sectors. There was a country that launched a financial attack against

various countries, or they tried to. Surry? Are you referring to Israel

or Saudi Arabia? No, Iran. The concern we have when we think of the

responses, we have heard the word asymmetry a lot. Our susceptibility

versus the susceptibility of the source to a corresponding cyber

attack might be far less because of their own dependence on technology

might just be far less. That has to be a key consideration and that is

why would have to consider other responses be they sanctions, etc

because it simply won't work against the target. One final point on the

attribution of deterrence, if you place yourself as someone who wanted

to do harm to the UK you might imagine a scenario where you chip

away and gradually increase the level of attacks without

conventional attacks being part of it and you confuse the attribution,

so you undermined and weakened before you use other attack

mechanisms as well. Can I just say to everybody that we are getting

short of time and there is likely to be another division in the Lords,

and who knows if there will be another in the Commons, so good I

urge colleagues to make their questions and witness replies as

brief as possible? It is to continue with a point from Doctor Lewis. One

of the problem seems to me that countries don't even know what their

own vulnerability is. They are scared to get into the tit-for-tat

with other countries because they haven't really calculated what it

sees and the other factor seems to me is there an intelligence balance.

There are lots of countries in the world where we march at will through

their Computerworld, allegedly, and we march at will through the whole

thing and there is a massive intelligence balance so there is a

constant argument that if you don't know that bit you don't know what

the president is saying to his Pope, so I do agree that those

calculations that are tricky. -- to his Po. The first point is

understanding the true vulnerability today is one of the biggest

concerns. We've had a very interesting

presentation from Doctor Mc Cormack about how cyber has become a

military weapon, potentially. Leaving aside the various points

made about the unlikelihood of cyber being a principal weapon,

nevertheless by virtue of the fact that in 2013 the then Secretary of

State for Defence, Philip Hammond, announced we would gauge -- engage

in offensive cyber, to what extent do you think this is something, as

Doctor Mc Cormack suggests, should be matter of public debate bearing

in mind that when the Secretary of State made his remarks to the

Commons he said much of the action will not be in the public domain.

And, indeed, it's been suggested that the necessary secrecy

surrounding cyber weapons undermines its credibility. If it is to be a

deterrent, if people out there, potential enemies out there

understand we will retaliate with a cyber attack, it needs to be

credible. To be credible, it has to be known about. How do policymakers

managed to juggle -- juggle this? It's quite interesting, does it have

to be known about? Can you measure a country's or infer their cyber

capability by the health of its industry? If you look at Israel in

terms of what they are amassing in terms of the private sector

capability and you make the logical leap in terms of what makes the

skate -- state capability, can you do something similar with the UK? So

without having to disclose your hand entirely, by having a buoyant injury

-- industry that can reduce these things in the private sector you can

probably jump to what the adversarial is. Credibility is about

willingness to use a weapon and that is a major problem we have had,

because in the American experience they are considering using lawyers

with every unit because of the immense implication for civilian

space, so if we start to use cyber tools in the military, how much do

we need to train these people in terms of the legal ramifications,

but also the difficulties in training if the entire operation is

secret. They don't know how to train because there's no qualified

teachers to train the units at that level, so it becomes a huge problem.

Credibility is more about willingness to use a weapon, and we

really willing to use it at this level and I'm not sure the West is.

We also have to worry about proliferation. In terms of what we

are talking about in terms of a weapon, it could be hundreds of

thousands or millions of Americans things on a USB stick, and we have

seen some devastating links in the North American programmes. That will

always be a consideration. As you lower the bar of entry in terms of

who can use it in a defence force in a country, what safeguards are there

around it, that won't leave them open? I would just add that this is

an area where as soon as you publish details of your technique, you have

rescinded the value of that technique, so there has to be a

degree of secrecy around the defence of psycho -- cyber capability. And

some of the leaks we have talked about earlier, whilst potentially

very damaging to our security agencies, they have reinforced the

credibility of what their capability has been and buying is -- and by

extension continues to be. I don't think the credibility capability an

issue. I would add, if you have a genetic weapon, it can be there, or

there, but not in both places at the same time. With a cyber weapon, in

theory, it can exist in multiple places. We saw at the beginning of

March the disclosure by WikiLeaks which talked about a whole load of

cyber tools that had been collected allegedly by the US. And as much as

they might have been able to use the arsenal against their adversaries,

now that has been disclosed, theoretically they could be used

against them, and that is one of the challenges of cyber warfare. So your

verdict is we should be having a debate about the management the

weapon system? If it is to be made more widely available, then yes.

There is no division between military and civilian space. The use

of this weapon is entirely difficult and problematic because of the

involvement of civilians and the possibility of war crimes. That is

the real issue here. We hear about -- a lot about the Internet of

things and we did have a briefing by Melissa Hathaway who has worked with

President Obama and president Trump, I believe, but one of the things she

said which was quite amazing to me was that by 2020 is it expected

there will be 50 billion devices, globally, attached to the Internet.

People I've spoken to think this is a massive understatement. I just

wanted to get your reaction. Is this all hype? The prospect of our

televisions being a Trojan horse to spy on us, or do you take it

seriously? It's going to be a thing. We are seeing smart meters and other

benefits in this country, so now that your boiler can report that it

is starting to degrading performance, so when the engineer

comes out they just replace a part proactively, these are the upsides

companies will see from the Internet of things. The connected vehicles,

before autonomous vehicles, we are seeing a proliferation of these.

There are all these functionalities, so we have to accept that our lives,

infrastructures, CDs and buildings will be connected to the Internet --

cities. I would add to that and say one thing that needs to be

considered as part of the security strategy going forward is a consumer

protection angle for these Internet of things. Much of what we bring

into our homes, various consumer protection legislation around it,

and how could it be extended to protect both of us as individuals

from the connected things that are going to be within our houses, but

they also connect society and protect them from the Mass effect.

One thing I can say is while there will be a proliferation of connected

devices, there is something to be said about complexity breeding a

problem and being able to attack it. Complexity can make is more safe in

some ways. The more things that are connected are less worried that

people are about things being disconnected, so that's something to

consider. It is inevitable, but it does not mean it is doomed. I would

say the risk is very different. If you look at conventional PCs and

laptops and smartphones, if one of those devices gets compromised there

is a fair chance because people interact on a daily basis they might

notice it is doing things that are a bit strange. If you think about the

connected device, video recorder, a web camera, broadly speaking people

only interact with them to do a specific function and if they are

running a bit slow it doesn't make them think it has been compromised.

What we see is consumers go out and buy these types of devices and buy

them based on their functionality, not on security, that should in

theory be built into them. So really what we have is a bit of a

disconnect. You have manufacturers trying to produce something as

quickly and cost effectively as they can, and users that really care

about functionality and security as an afterthought, so what you see is

that the risk is passed on from the manufacturer onto the consumer. One

of the things we see as an industry, and potentially government needs to

look at, is worker how we can manage the risk more effectively. Whether

it should be kite marks or standards that manufacturers of IOT devices

need to strive towards. Before regulation catches up, what we

managed to build in the intervening period gives us a chance. Things are

connecting everyday and there will be a legacy to contend with. Just

come back to something we discussed a bit earlier, the relation between

government and the private sector. There is a tendency to think that

government should be responsible for virtually everything and I'm sure

you gentlemen don't believe in that since you make a living advising the

private sector, so you don't necessarily believe government

should be trampling about in it too much. There are areas where

government is essential, National infrastructure, intelligence is

another. But surely across the private sector generally, government

should encourage companies to take steps to protect themselves and make

information available, but is there really a need for much more

intervention than that? Do we need legislation and regulation? I would

suggest it is probably not necessary. I remember President

Reagan saying the nine most dangerous words in English is, I'm

from the government and I'm here to help you. I wonder whether we are

getting to and upon government intervention? I would agree from the

perspective of almost the worst outcome, that would be the

government setting a whole load of requirements and becomes a

compliance exercise because that would drive the wrong behaviour in

the private sector. It would drive lawyers and compliance activity

rather than risk management. I think the government can be demanding in

terms of what it expects private sector in terms of principles. There

are principles you can expect them to adopt and across the public

sector as well. And you expect a degree of responsibility in stepping

up to those principles. In some areas that might be embedded

in legislation or code of conduct. There are many policy tools

available. It will be unlikely to require legislation as there are

already many policy tools the Government can use. If you look at

what the Bank of England has managed to achieve with the critical

economic functions of our country, you do not tell them what to do,

they just say they want independent evidence that they are able to be

resilient against an attack. That is simulated every 3-4 years, but it

gives them the assurance that the institutions are maintaining the

appropriate capability. They want independent assurance that they are

doing the right thing. If you pick Government into private transactions

it becomes responsible physician 's actions and that is the problem. We

need clear lines of oversight and control. If this happens, this is

who you should consult an go to. If we look at three different

frameworks, some of which are regulations, we see a lot of

organisations looking at EPR, because it will come into effect. It

is driving his ear in our organisations. If it did not exist

some of that focus on disclosure probably would not be happening

today. If we look at cyber essentials, we have a great idea and

it is aimed at a large part of the population that has significantly is

a vulnerability. But the adoption levels are not where anyone would

want them to be. How do you bridge that gap? A lot of the organisations

that have gone through cyber essentials, look at it like a click

box exercise, I need to do this I can report I have done it. The ones

that have not done it, they do not understand the threat. They never

think they will be targeted. We need to have more of a debate about

is there a way of building things is there a way of building things

into supply chains or through procurement frameworks. We cannot

just have a framework that people look at and do not bother. It isn't

the self-interest of the company to do this. In the US, the companies

I'm involved with take cyber security very seriously. They are

not told today by the Government, they are accountable to the

Government. Is that the right way? It is the environment they work in.

We do not have a cultural mirror. If we did I think organisations we take

a long and hard look at themselves. Many boards around the country do

not understand the risk. They think it is technology centric and it is a

function of IT departments, when in reality it is wider than that. If

you understand what the rescuers, is not a surprise that they do not work

as well as we planned. I think one of the challenges is that as our

digital world involves investing money in building controls will no

longer be adequate and that will involve some hard decisions. That is

where existing mindsets where we can tell them to build a set of controls

and report back to us, that will not be sufficient. Just another

question, is the Government right to be bullying big IT companies? I

think the question of rule of law in the digital world jives the criteria

that existing balance. We need now is to protect us and in force the

rule of law, they need to have some terrifying capability available to

them but the rule of losses that is constraint and it demands its

misuses constraints. In the digital world you cannot Nessus violate

constraint the misuse of some of the capabilities that might be required

by law enforcement. A policeman have guns and we are grateful for that

and the potential for Ms Lewis -- the potential for misuse is small.

The potential I misuse by criminals of the vulnerabilities discovered is

much greater. I do not think you can look at one of those criteria in

isolation. I would say that goes beyond cyber. It is an ethical and

moral question. I have been at conferences where questions have

been opposed to the audience about what is more important, privacy or

protection. I do not think that is a clear answer. People want both.

Sometimes you want one more than another, but they both have their

place. It is called having your cake and eating it. English real they are

willing to sacrifice more privacy for security, but are we willing to

do that? If you make sure that messaging applications cannot using

correction, consumers are going to move to another platform, just as

they did when the digital music platforms, they moved to other forms

of communication. End-to-end encryption was weekend and cyber

security, the options available to cyber criminals and so on would be

increased. That is correct. We have one example of where a regulator has

taken a very assertive approach to the systems at the centre of this,

financial services. There are reasons why given the failure is in

that sphere, by the regulator has taken this approach. There is a

broad spectrum across other regulators as to the extent to which

they feel this is an issue they need to get involved with. Are there any

particular gaps or the regulator you can think of that should be looking

at this more seriously than they are at the moment? We see today that all

major regulators understand the challenge, but they are forming

their own views. They are not doing it in isolation. Everyone recognises

the threat, the challenge we have a certain sectors, if we take energy

for example, we have the National Grid comes through tyres, so there

will be hard decisions. Do you want more cyber security? You will have

two pass the cost on somewhere. Those will be some of the frictions

we ran into as opposed to legislators being asleep at the

wheel. Regulators focus on the companies that they regulate. Those

companies have dependencies on other companies and providers and

infrastructure. The attackers do not just attack the regulator company,

the attack everything around it. Just focusing on the regulated

companies is not going to drive results, it needs to be all business

understanding their role in society. I wonder if I could move on to the

question about the cyber Security Centre, because we have covered the

earlier question. The national cyber Security Centre has been announced

as the linchpin in the Government's engagement with the private sector.

Is the Government being realistic about what can be achieved by what

is at the present moment a small organisation, or does it need to be

expanded to taken into account all the dialogue that you think should

be taking place? I think they would say the same things themselves, the

Government has taken an innovative step into looking to allow

innovation to drive policy and to work in partnership with the private

sector and industry and the public sector organisations. This is

absolutely the right step. Too much too early has always been a distinct

risk where they were given too much Ruben Loftus-Cheek number turn on

investment. With the initiatives that they have the building the

foundations and have the foundations of what will be a critical function

within our country. It is a big aspiration but a very welcome one.

We have relationships with the Cabinet Office and have an

opportunity to engage with a part of Government that consolidates a lot

of ideas. That makes for much more joined up thinking. That is well

received. That is encouraging. Perhaps you could pick up the last

question? Vote where have we got to? -- where have we got to? I am keen

to ask number 14. When I introduced the first cyber security strategy,

one area I hopes to make better was using the insurance industry and

time that in so there was a cost aspect to it. That does not seem to

have happened as much as I hoped it would. Do you think it is a useful

and important thing to do? When I was working on the banks on the

stock exchanges, after the big hit on the New York Stock Exchange is,

we went for a double by an electric for logon. Do you think that this

login is a useful thing? On the cyber insurance, I would say the

market needs to mature. We have done quite a lot of work with insurance

companies and I have worked a lot with actuaries and the market is

quite premature. The insurance companies are still working out how

to set premiums. In the US, you can buy and a certain area of risk that

you can ensure where there are more regimented responses to cyber

breaches. The challenges insurance means it is insurable. Double

biometric, the average citizen can login... There is a huge reliance on

passwords and services today and we see so many attacks exploiting weak

people and process around passwords. The world needs to move on beyond

the use of passwords. Whether that is biometrics or one use passwords,

however it works out, stronger methods of authentication required.

I think there is synergy with the cyber insurance sector, however it

is disappointing that we have not seen much of the take up we've have

imagined. You would imagine an insular with care about cyber risk

want to mitigate against it. They would want to understand how to have

a robust process to measure this before issuing a policy. That is not

ready focus appears to be. The insurers are more interested in what

happens after the breach and making sure that if an organisation has

been compromised from a cyber security perspective may have the

friends of the ability to go when and discover what has happened. If

there was one thing to take away, if the insurance sector could work more

closely with the cyber industry and encourage more organisations to look

at vulnerabilities as part of their policy renewal creation process,

there would be at the chance of that happening.

On cyber assurance we are also seeing things like blast furnace in

Germany, whether or not these could be sourced from cyber defence in the

future, and for those large policies, they are taking a serious

look, and I agree the market is not massive at this time. In terms of

your point about double biometrics, do remember that biometrics are not

secret and they can be copied. We have done work around copying

voices, fingerprints and faces and there will always be solutions we

employ. But it is difficult and that is why the stock exchanges and banks

did that and then they sent them passwords. To give you a flavour of

what is possible today, taking three high-resolution photos of somebody's

face, we got a 3-D facemask that would satisfy the current capability

in terms of facial biometrics. It only takes three photos, and for a

pop star that has social media activity, we have to consider this.

It's all is the responsibility problem quite well because you know

what the vulnerability is, but in many ways it causes more problems

than it is worth because the government biometric system in the

US is the worst thing that could happen is if you lose your card, and

how long it takes to replace it. I was hoping for an unequivocal bid

for an identity card. I am reminded forcefully of the term yesterday

whatever human ingenuity can devise, human ingenuity can find a way

around. Lady Faulkner? It was question 17 and I will comment after

Mrs de Villiers. We are not doing this the way we normally do, but if

there is something you want a passionate pick-up on the way down

to question 17, I will ask Mr de Villiers do ask that, and that will

be the final questions. -- Miss de Villiers. Is it a realistic goal to

try and get international agreement on a kind of Geneva convention for

cyberspace, to set norms for activities by states in cyberspace

and what do you think should be in it? It's a realistic goal. But does

it matter is the other question? Countries agree to things and they

don't mean to follow along with them. Having some sort of shared

standard of behaviour and a normative baseline is something we

need to try for but that is tough given the differences and

difficulties we have with Russia and China and how they operate in

cyberspace, which is diametrically opposed to how we do it, so it will

be a tough prospect and we see that from the UN GGE which has been

fraught with complications and a lack of involvement with critical

countries. Thereafter countries today that have a private sector

which, in the name of defence, have some quite aggressive tactics and

they earn a lot of money for those countries. It's not intellectual

property theft, its intelligence collection happening in the private

sector not at the behest of the government. Again, what is the

commercial incentive for them to sign up to these norms in what is an

immature market? What have we learned about warfare over the last

500 or 600 years? We now have a sector that is barely 30 years old.

You are sounding like a global politician and I would say there is

no harm in striving for something because often at a bilateral

agreement you would form along the way can be valuable in itself and

you might not achieve the end goal but you will certainly make progress

through dialogue, and we've seen examples with the UK, the US and

China where dialogue has made a difference. One caution I would have

is where we sign up with these things. We have to think of the

implications it has on the economic growth prospects of the UK. As a

private sector firm trying to do what we are trying to do, which is

not offensive by any stretch, we have been caught up somehow and had

to seek export licences for its technology because of its potential

jewel use application, for example. Lady Faulkner? You have touched on

China once or twice. Why do you think China is keen to sign up to

some sort of international norms? Is it because it will help it control

its own domestic agenda? Is it because it is concerned that its

capabilities won't be able to keep up with the developments once the US

and other star putting real money into it? What is China's motivation

in that case? -- and others start. It is decidedly different to the

Russian approach. If I was a betting person I would say that they are

sensing a change in the international attitudes and that

people are growing tired of their behaviour and they think there may

be a ratcheting, so getting that taken out of the source by agreeing

to something is probably a prudent step before it comes back to their

parliament. China is as vulnerable as we are in cyberspace, as is

Russia, so there is an intense idea of an agreement as to how we should

behave. I don't really believe cyber conflict is the most important

thing, despite it being the basis of my academic work. I think cyber

aggression is more important. I'm worried about what states will do to

individuals. China will be willing to sacrifice an international

conflict for the ability to repress their population and that is what we

should really be worried about when that happens. And you think that is

a motivation in China? I think it would be a trade-off where they can

behave how they want to behave internally and restrict external

behaviour, which they have been happy to do until now. I think there

is the ability to verify adherence to international agreement is very

difficult in this space. In the nuclear world you can see nuclear

tests, but you can't see cyber tests. We don't have a buy in from

the east on the Tallin manual, and we need that if we don't want to

have new expectations. War and constraining behaviour as shown in

that way, but that would only work if the other countries agree. Just

in closing, we have to also think about spaces like space and the

International see, these have connected devices in today, and what

applies there? Thoughts of verification had crossed my mind.

Thank you very much indeed and thank you for your patience. At least we

were not disrupted by a second division in the Lords. But it is

always a problem where we have hearings. As I say, thank you very

much and I hope you have all found it very helpful and illuminating. I

just wish to declare my interest. I might not been the only one I'm

nonexecutive director of the cyber security challenge and I chair

National trading standards which supports the national trading

standards in crime unit and I'm UK coordinator for the electric

infrastructure Council. I have connections with three companies

which work in the cyber fielding one way or another and to institutions

which engaged in research on it, as I declared in my declaration of

interests. Thank you very much. I edited a cyber newspaper as well. On

that happy note, order, order.