Admiral Lord Alan West, the Security Minister, has spoken out today about the cyber-threat that Britain faces. I am pleased that he has tackled the subject so directly. Too many businesses and too much of Government have been complacent about what has been happening for years.
When I first started raising the problem in the House of Lords more than five years ago, I was repeatedly assured that there was no significant threat and that the protection around the critical national infrastructure was more than sufficient to fend off any problems.
When I started asking questions of each Government Department about how often their systems had been compromised, it was apparent from the answers that some Departments simply didn’t know. I was clearly making progress when two years ago, I started being told it was “not in the national interest” to divulge the information.
When I found three reputable penetration-testing companies prepared to check Government systems pro bono, I was assured such external testing was not needed.
Now – at last – the real and present danger of such cyber-attacks is being acknowledged and the necessary systems to combat it are starting to be put in place. I just hope it is not too little too late.
Scott Charney, the Microsoft Vice President in charge of Trustworthy Computing, is speaking today at the RSA Conference in San Francisco. He is re-stating both Microsoft’s commitment to “End-to-End Trust” and the need for business, government and the public to work together to ensure that those using the internet are safe and secure.
The message is an important one: responsibility for internet security has to be shared. The House of Lords Committee on Personal Internet Security, on which I sat, reported nearly three years ago and used a road transport analogy to make the point: safe road use requires responsible behaviour by drivers and pedestrians, but cars need to have safety features embodied in them, roads themselves need to be well-maintained and properly lit, there need to be laws regulating safe behaviour on the roads (speed limits etc) and those laws need to be properly enforced.
If anything the message has become even more important since our Committee reported. More and more commercial and personal interactions take place online. Social networking sites are booming and an increasing proportion of commerce is conducted via the internet.
The threats to security have also become more pronounced. The threats are no longer from isolated individuals, but from organised crime and it is also becoming abundantly apparent that some nation states are operating in the same way to infiltrate commercial and government networks for their own purposes.
And the technology itself is developing. Cloud computing is becoming the norm and this presents its own challenges. Certainly, this has raised the issue of security for many people (although it is not automatically a given that the security of data held in a cloud is necessarily worse than if it is held on your own servers, particularly if it turns out that they are inadequately protected).
So how do we move forward?
Partnership is certainly essential. Governments have to work together in setting an international framework for collaboration and for law enforcement. And at a national level they must also work with IT service providers and with business in general.
But above all, the individual user must be at the heart of all this. Sensible security arrangements that make sense to the individual have to be devised. It needs to be acknowledged that most individual users of the internet, whether they are trying to do their weekly shopping or organise their social lives, are rushed and busy. Moreover, they are not technological experts. They have inadequate levels of knowledge, so an error message or system alert that makes sense to an IT professional will probably be gibberish to most of us.
And critical to all of this is the need for robust identity management.
Surely, it is not too much to ask that people can feel confident that their personal details are secure, that they can communicate with others secure in the knowledge that the person or organisation with which they are communicating is who it says it is, and that when they are asked to identify themselves they need reveal no more about themselves than is necessary for the transaction concerned.
If today’s discussions at the RSA Conference take us further towards those objectives, we will be making real progress and we can all feel more hopeful that a trusted and secure internet environment is being built.
The ubiquitous Guido Fawkes reports this morning that he has received personal details of every Conservative Parliamentary candidate – courtesy (presumably a mistake) of Conservative Central Office.
Looks like a potential breach of the Data Protection Act to me.
And the Information Commissioner can now levy heftier fines …..
There is to be a new Joint Committee to consider the National Security Strategy.
The first National Security Strategy was published in March 2008 and looks beyond the traditional areas of foreign, defence and security policies to include transnational crime, pandemics and flooding.
The Strategy was updated in June 2009 with further updates to be produced every year. It has always been the intention that there would be a Joint Parliamentary Committee with members drawn from both Houses to help monitor the implementation and development of the Strategy.
The Committee is to consist of twelve Commons members, including the Chairmen of the Departmental Select Committees on Foreign Affairs, Defence, Home Affairs, International Development, Business and Enterprise, Energy and Climate Change, and Justice, and also the Chairman of the Intelligence and Security Committee, and ten Lords members (and I have been asked to be one of these).
Two recent articles demonstrate how seriously more and more countries are taking the possibility of war in cyberspace, either by developing their own offensive capability or by strengthening internet security and resilience. There are even talks about a new international treaty to “demilitarise” cyberspace.
According to Reuters, Major-General Amos Yadlin, Israel’s chief of military intelligence, has placed vulnerability to hacking in the same list of security threats to the State of Israel as the Iranian nuclear project and Syrian and Islamist guerrillas attacking across Israel’s borders.
He also made it clear that Israeli armed forces had the means to provide network security and launch cyber attacks of their own, pointing out that:
“The cyberwarfare field fits well with the state of Israel’s defense doctrine …. This is an enterprise that is entirely blue and white (ie. Israeli) and does not rely on foreign assistance or technology. It is a field that is very well known to young Israelis, in a country that was recently crowned a ‘start-up nation’.”
Reuters says that:
“Cyberwarfare teams nestle deep within Israel’s spy agencies, which have extensive experience in traditional sabotage techniques and are cloaked in official secrecy and censorship.
They can draw on the know-how of Israeli commercial firms that are among the world’s hi-tech leaders and whose staff are often veterans of elite computer units in the conscript army.”
Meanwhile, the New York Times reports that the United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace. According to the New York Times:
“Many countries, including the United States, are developing weapons for use on computer networks that are ever more integral to the operations of everything from banks to electrical power systems to government offices. They include “logic bombs” that can be hidden in computers to halt them at crucial times or damage circuitry; “botnets” that can disable or spy on Web sites and networks; or microwave radiation devices that can burn out computer circuits miles away.”
The Russians are apparently arguing that the increasing challenges posed by military activities to civilian computer networks can be best dealt with by an international treaty, similar to treaties that have limited the spread of nuclear, chemical and biological weapons.
So where is the UK on all of this?
Well according to Major-General Yadlin, Britain is setting up a cyberwarfare command, and this demonstrates why Israel needs to have its own “soldiers and officers” dedicated to this field.
I have to admit that the existence of a UK cyberwarfare command is new to me – not that I (or many other people either – apart presumably from Major-General Yadlin) would necessarily know if it did exist.
My concern has usually been the opposite and that until recently at least the UK has seemed naively complacent about the scale of the cyber-threats faced.
The publication of a national cyber security strategy has been a welcome first step in the right direction (as I have commented before) and there are also signs of increasing Parliamentary interest in the matter (although when I sat in on the last part of the latest House of Lords hearing on internet security in Europe the main preoccupation seemed to be that Heraklion – where the relevant EU agency is based – is awfully difficult to get to from London).
Nevertheless, these two articles do show that the rest of the world recognises the problem, so the UK probably ought to be doing more as well (unless we really do have a cutting edge cyberwarfare command based in a bunker underneath Cheltenham).
The Parliamentary Information Technology Committee (PITCOM), of which I am the Honorary Treasurer, has produced a useful briefing summarising the key issues about the increasing reliance of the critical national infrastructure (CNI) on technology and the crucial importance of ensuring that that technology is resilient and adequately protected.
The potential vulnerability of the CNI to a variety of threats and the need to raise the level of protection and readiness of the UK to respond to attacks are highlighted. The briefing also emphasises the importance of partnership between the Government and the private sector to mitigate risks, particularly given the extent to which major parts of the CNI are under private ownership and may not automatically prioritise the national interest above short-term commercial interests.
The briefing should be essential reading for all Parliamentary candidates and anyone else interested in national security.
I am delighted to hear that the Government is going to make internet safety and security part of the core curriculum for primary schools.
This is being described as the internet equivalent of the Green Cross Code on road safety. This neatly continues the use of the road safety metaphor adopted by the House of Lords inquiry into personal internet security which I took part in and which reported in 2007. The idea of better IT citizenship training was also a concept developed there.
Concerns about the vulnerability of children on social networking sites were also a topic that I pursued in the debate I sponsored in the House of Lords earlier this year.
Given the early age at which children are now IT-literate and regular users of the internet, this proposal is long overdue. Predictably, some teachers are already complaining that there is too much in the curriculum already, but unless school education is relevant to modern needs it is all the more likely that young people will be alienated from the classroom. And in any event they face real dangers on the internet, unless they are warned, just as much as kids face real dangers on the roads.
The BBC has picked up on yesterday’s mini-row about the curse of “Reply All”. What started the problem was an email from Mark Pritchard MP asking what he no doubt thought was an innocuous question: who might be interested in joining a new All-Party Group on Cyber-Security. He had sent it to all MPs and Peers on the Parliamentary email system. This in itself is not uncommon.
Derek Wyatt MP then responded to say – I paraphrase – that, as one of the handful of Parliamentarians interested in and knowledgeable about cyber issues, he hadn’t known that Mark Pritchard was also concerned about such matters, that there were a number of other All-Party Groups in existence that looked at cyber questions and, given the extraordinary number of All-Party Groups in general, was an additional one really necessary. Perhaps in an effort to stifle the fledgling prior to birth he pressed the “Reply All” button and sent his comment to all MPs and Peers.
This then prompted, first, a cascade of MPs and Peers agreeing with him that there were far too many All-Party Groups (all sent using “Reply All”) and, second, a torrent of MPs and Peers complaining about the excessive use of the “Reply All” button (some of them were quite intemperate in tone, typed in capitals and used red ink) but also – no doubt to emphasise how irritating it was – sent “Reply All”.
There are, of course, two issues here.
The first is why so many people’s default reaction when responding to something is to tell an entire mailing list that unfortunately they cannot attend a particular meeting or whatever it might be. No doubt, it is assumed that their presence or otherwise is so crucial that the response of others will be determined by what they say. This is sheer arrogance. If they are that self-important, there are other outlets – they could take up blogging, for example.
Parliamentarians are not, in fact, the worst offenders. I find members of the London Assembly and their staff are even more profligate with the “Reply All” button.
The second issue is the extraordinary number of All-Party Groups these days. If you want to count them, look here. There are so many that it is often impossible for them to find a room, however small, in the Parliamentary Estate for a meeting. Often there are so many competing Groups meeting simultaneously that most of them are lucky to get more than two or three Parliamentarians even to look in for a few minutes.
And just for the record I responded to Mark Pritchard saying this was a topic I was interested in and in which over the last few years I had been actively involved. I didn’t press “Reply All” – my reply was just to him – but I also said I had some sympathy with the view that the issue could be pursued under the umbrella of one of the existing groups.
I have a confession to make. At least once a day I read Iain Dale’s blog. Sometimes I find it amusing and sometimes I find it interesting, particularly as a means of understanding the modern Conservative mindset. Occasionally, of course, I read it as an antidote to low blood pressure.
Today, he had a good rant with “This Pseudo-Fascist Plan Must be Scrapped“. This relates to the proposals on communications data and the need to preserve these for law enforcement purposes.
Reading the rant, I was surprised – not at its tone (Iain Dale is renowned for giving good rant), but at what I naively assumed was the factual trigger for the rant. It sounded as though the Government was pressing ahead with legislation on this with a view to getting it passed this side of a General Election. I was surprised for two reasons: first, that I had missed the announcement; and second, I had understood that this was not what was intended.
However, such was my faith in Iain Dale that I have only just got round to checking the facts.
And what did I find? The entire rant was based on absolutely nothing.
The Government has NOT announced that it is pressing ahead with legislation. All it has done is publish the results of its consultation exercise on the issue. And sensible commentators (not Iain Dale) have recognised that the plans have been shelved. The idea of a single Government database had in any event been dropped months ago.
I have two warnings for Iain Dale.
First, if he gets himself this worked up about something that ISN’T happening, he will need to be on heavy-duty tranquillisers long before we get into a General Election campaign.
And second, as I have pointed out before, there is a real and serious issue here that any Government must address. As I said before the consultation was launched:
“At present, telephone companies keep data on their subscribers who make telephone calls, who they connect to and for how long. They do this, so that they can bill people. For many years, it has been possible for the police to access this data as part of their investigations into crime. To do so, they have to get proper authorisation, certifying that accessing the data is proportionate to the crime being investigated and each case has to be considered individually. The data can be used as evidence in Court and does not involve tapping the call and listening to the content. Many trials rely on this evidence for criminals to be convicted – there is a murder trial under way at the moment where the crucial evidence is which mobile phones contacted each other just prior to and immediately after the murder took place.
But – and this seems to have passed the pundits by – technology is changing. Telecoms companies (both fixed line and mobile operators) are building new networks based on VoIP technology. This is cheaper and more flexible and – critically – does not require detailed call-by-call billing. The data on which so many trials now rely will soon cease to exist. The Government is therefore quite rightly going to consult on what can be done to capture this information and allow it to be used in criminal investigations where necessary.
It is not about giving the police more powers to pry into people’s personal lives. It is about not losing vital material that is currently used to catch criminals.
And, of course, new forms of communication are being created all the time (eg. on social networking sites and chat facilities built into on-line gaming). Should the police have powers to find out who is communicating with who in these new ways? That’s what the consultation is about. It is not some monstrous new assault on civil liberties. It is allowing a sensible debate about how existing powers should be modified to reflect the changes in technology.”
Unless Iain Dale wants to see the police having to fight serious criminals with even less information available to them than they have at the moment, this is a nettle that is going to have to be grabbed.
I see from the Evening Standard that a member of CO19, the Metropolitan Police’s specialist firearms command, has had to stand down/withdraw*/quit the command after his profile on an adult dating site came to light.
Apparently, on the site he appears as “funboybobby”, had posted pictures with his weapon displayed and as the Standard puts it:
“In some photographs the CO19 officer appeared aroused while in another he showed off a tattoo above his bare bottom.”
A Met spokesperson said:
“We expect firearms officers to display the highest standards of skill, professionalism and judgement on a daily basis.”
I would, of course, hope that all officers display the highest standards of skill, professionalism and judgement. The spokesperson then continued:
“This case highlights serious concern about the officer’s judgement.”
Indeed! I would hope that everyone understands the dangers of putting too much personal information on social networking sites – see my earlier comment following the debate I initiated in the House of Lords.
Or as the Standard reports:
“One source close to CO19 said officers could not lay themselves open to blackmail: ‘Armed officers keep surveillance on terrorists and serious criminal suspects. It is not appropriate that their most personal details should be open for anyone to view.’”
Although, I am not quite clear which personal detail the source had in mind in this case ….
Also, the question arises how did Metropolitan Police management find out about “funboybobby”? Were they trawling the adult dating site in question?
*searching for a term without triggering a double entendre