There is to be a new Joint Committee to consider the National Security Strategy.
The first National Security Strategy was published in March 2008 and looks beyond the traditional areas of foreign, defence and security policies to include transnational crime, pandemics and flooding.
The Strategy was updated in June 2009 with further updates to be produced every year. It has always been the intention that there would be a Joint Parliamentary Committee with members drawn from both Houses to help monitor the implementation and development of the Strategy.
The Committee is to consist of twelve Commons members, including the Chairmen of the Departmental Select Committees on Foreign Affairs, Defence, Home Affairs, International Development, Business and Enterprise, Energy and Climate Change, and Justice, and also the Chairman of the Intelligence and Security Committee, and ten Lords members (and I have been asked to be one of these).
Two recent articles demonstrate how seriously more and more countries are taking the possibility of war in cyberspace, either by developing their own offensive capability or by strengthening internet security and resilience. There are even talks about a new international treaty to “demilitarise” cyberspace.
According to Reuters, Major-General Amos Yadlin, Israel’s chief of military intelligence, has placed vulnerability to hacking in the same list of security threats to the State of Israel as the Iranian nuclear project and Syrian and Islamist guerrillas attacking across Israel’s borders.
He also made it clear that Israeli armed forces had the means to provide network security and launch cyber attacks of their own, pointing out that:
“The cyberwarfare field fits well with the state of Israel’s defense doctrine …. This is an enterprise that is entirely blue and white (ie. Israeli) and does not rely on foreign assistance or technology. It is a field that is very well known to young Israelis, in a country that was recently crowned a ‘start-up nation’.”
Reuters says that:
“Cyberwarfare teams nestle deep within Israel’s spy agencies, which have extensive experience in traditional sabotage techniques and are cloaked in official secrecy and censorship.
They can draw on the know-how of Israeli commercial firms that are among the world’s hi-tech leaders and whose staff are often veterans of elite computer units in the conscript army.”
Meanwhile, the New York Times reports that the United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace. According to the New York Times:
“Many countries, including the United States, are developing weapons for use on computer networks that are ever more integral to the operations of everything from banks to electrical power systems to government offices. They include “logic bombs” that can be hidden in computers to halt them at crucial times or damage circuitry; “botnets” that can disable or spy on Web sites and networks; or microwave radiation devices that can burn out computer circuits miles away.”
The Russians are apparently arguing that the increasing challenges posed by military activities to civilian computer networks can be best dealt with by an international treaty, similar to treaties that have limited the spread of nuclear, chemical and biological weapons.
So where is the UK on all of this?
Well according to Major-General Yadlin, Britain is setting up a cyberwarfare command, and this demonstrates why Israel needs to have its own “soldiers and officers” dedicated to this field.
I have to admit that the existence of a UK cyberwarfare command is new to me – not that I (or many other people either – apart presumably from Major-General Yadlin) would necessarily know if it did exist.
My concern has usually been the opposite and that until recently at least the UK has seemed naively complacent about the scale of the cyber-threats faced.
The publication of a national cyber security strategy has been a welcome first step in the right direction (as I have commented before) and there are also signs of increasing Parliamentary interest in the matter (although when I sat in on the last part of the latest House of Lords hearing on internet security in Europe the main preoccupation seemed to be that Heraklion – where the relevant EU agency is based – is awfully difficult to get to from London).
Nevertheless, these two articles do show that the rest of the world recognises the problem, so the UK probably ought to be doing more as well (unless we really do have a cutting edge cyberwarfare command based in a bunker underneath Cheltenham).
The Parliamentary Information Technology Committee (PITCOM), of which I am the Honorary Treasurer, has produced a useful briefing summarising the key issues about the increasing reliance of the critical national infrastructure (CNI) on technology and the crucial importance of ensuring that that technology is resilient and adequately protected.
The potential vulnerability of the CNI to a variety of threats and the need to raise the level of protection and readiness of the UK to respond to attacks are highlighted. The briefing also emphasises the importance of partnership between the Government and the private sector to mitigate risks, particularly given the extent to which major parts of the CNI are under private ownership and may not automatically prioritise the national interest above short-term commercial interests.
The briefing should be essential reading for all Parliamentary candidates and anyone else interested in national security.
I am delighted to hear that the Government is going to make internet safety and security part of the core curriculum for primary schools.
This is being described as the internet equivalent of the Green Cross Code on road safety. This neatly continues the use of the road safety metaphor adopted by the House of Lords inquiry into personal internet security which I took part in and which reported in 2007. The idea of better IT citizenship training was also a concept developed there.
Concern about the vulnerability of children on social networking sites was in addition a topic that I pursued in the debate I sponsored in the House of Lords earlier this year.
Given the early age at which children are now IT-literate and regular users of the internet, this proposal is long overdue. Predictably, some teachers are already complaining that there is too much in the curriculum already, but unless school education is relevant to modern needs it is all the more likely that young people will be alienated from the classroom. And in any event they face real dangers on the internet, unless they are warned, just as much as kids face real dangers on the roads.
The BBC has picked up on yesterday’s mini-row about the curse of “Reply All”. What started the problem was an email from Mark Pritchard MP asking, what he no doubt thought was an innocuous question, about who might be interested in joining a new All-Party Group on Cyber-Security. He had sent it to all MPs and Peers on the Parliamentary email system. This in itself is not uncommon.
Derek Wyatt MP then responded to say – I paraphrase – that, as one of the handful of Parliamentarians interested in and knowledgeable about cyber issues, he hadn’t known that Mark Pritchard was also concerned about such matters, that there were a number of other All-Party Groups in existence that looked at cyber questions and, given the extraordinary number of All-Party Groups in general, was an additional one really necessary. Perhaps in an effort to stifle the fledgling prior to birth he pressed the “Reply All” button and sent his comment to all MPs and Peers.
This then prompted, first, a cascade of MPs and Peers agreeing with him that there were far too many All-Party Groups (all sent using “Reply All”) and, second, a torrent of MPs and Peers complaining about the excessive use of the “Reply All” button (some of them were quite intemperate in tone, typed in capitals and used red ink) but also – no doubt to emphasise how irritating it was – sent “Reply All”.
There are, of course, two issues here.
The first is why for so many people is it their default reaction when responding to something to tell an entire mailing list that unfortunately they cannot attend a particular meeting or whatever it might be. No doubt, it is assumed that their presence or otherwise is so crucial that the response of others will be determined by what they say. This is sheer arrogance. If they are that self-important, there are other outlets – they could take up blogging, for example.
Parliamentarians are not, in fact, the worst offenders. I find members of the London Assembly and their staff are even more profligate with the “Reply All” button.
The second issue is the extraordinary number of All-Party Groups these days. If you want to count them, look here. There are so many that it is often impossible for them to find a room, however small, in the Parliamentary Estate for a meeting. Often there are so many competing Groups meeting simultaneously that most of them are lucky to get more than two or three Parliamentarians even to look in for a few minutes.
And just for the record I responded to Mark Pritchard saying this was a topic I was interested in and in which over the last few years I had been actively involved. I didn’t press “Reply All” – my reply was just to him – but I also said I had some sympathy with the view that the issue could be pursued under the umbrella of one of the existing groups.
I have a confession to make. At least once a day I read Iain Dale’s blog. Sometimes I find it amusing and sometimes I find it interesting, particularly as a means of understanding the modern Conservative mindset. Occasionally, of course, I read it as an antidote to low blood pressure.
Today, he had a good rant with “This Pseudo-Fascist Plan Must be Scrapped”. This relates to the proposals on communications data and the need to preserve these for law enforcement purposes.
Reading the rant, I was surprised – not at its tone (Iain Dale is renowned for giving good rant), but at what I naively assumed was the factual trigger for the rant. It sounded as though the Government was pressing ahead with legislation on this with a view to getting it passed this side of a General Election. I was surprised for two reasons: first, that I had missed the announcement; and second, I had understood that this was not what was intended.
However, such was my faith in Iain Dale that I have only just got round to checking the facts.
And what did I find? The entire rant was based on absolutely nothing.
The Government has NOT announced that it is pressing ahead with legislation. All it has done is publish the results of its consultation exercise on the issue. And sensible commentators (not Iain Dale) have recognised that the plans have been shelved. The idea of a single Government database had in any event been dropped months ago.
I have two warnings for Iain Dale.
First, if he gets himself this worked up about something that ISN’T happening, he will need to be on heavy-duty tranquillisers long before we get into a General Election campaign.
And second, as I have pointed out before, there is a real and serious issue here that any Government must address. As I said before the consultation was launched:
“At present, telephone companies keep data on their subscribers who make telephone calls, who they connect to and for how long. They do this, so that they can bill people. For many years, it has been possible for the police to access this data as part of their investigations into crime. To do so, they have to get proper authorisation, certifying that accessing the data is proportionate to the crime being investigated and each case has to be considered individually. The data can be used as evidence in Court and does not involve tapping the call and listening to the content. Many trials rely on this evidence for criminals to be convicted – there is a murder trial under way at the moment where the crucial evidence is which mobile phones contacted each other just prior to and immediately after the murder took place.
But – and this seems to have passed the pundits by – technology is changing. Telecoms companies (both fixed line and mobile operators) are building new networks based on VoIP technology. This is cheaper and more flexible and – critically – does not require detailed call-by-call billing. The data on which so many trials now rely will soon cease to exist. The Government is therefore quite rightly going to consult on what can be done to capture this information and allow it to be used in criminal investigations where necessary.
It is not about giving the police more powers to pry into people’s personal lives. It is about not losing vital material that is currently used to catch criminals.
And, of course, new forms of communication are being created all the time (eg. on social networking sites and chat facilities built into on-line gaming). Should the police have powers to find out who is communicating with who in these new ways? That’s what the consultation is about. It is not some monstrous new assault on civil liberties. It is allowing a sensible debate about how existing powers should be modified to reflect the changes in technology.”
Unless Iain Dale wants to see the police having to fight serious criminals with even less information available to them than they have at the moment, this is a nettle that is going to have to be grabbed.
I see from the Evening Standard that a member of CO19, the Metropolitan Police’s specialist firearms command, has had to stand down/withdraw*/quit the command after his profile on an adult dating site came to light.
Apparently, on the site he appears as “funboybobby”, had posted pictures with his weapon displayed and as the Standard puts it:
“In some photographs the CO19 officer appeared aroused while in another he showed off a tattoo above his bare bottom.”
A Met spokesperson said:
“We expect firearms officers to display the highest standards of skill, professionalism and judgement on a daily basis.”
I would, of course, hope that all officers display the highest standards of skill, professionalism and judgement. The spokesperson then continued:
“This case highlights serious concern about the officer’s judgement.”
Indeed! I would hope that everyone understands the dangers of putting too much personal information on social networking sites – see my earlier comment following the debate I initiated in the House of Lords.
Or as the Standard reports:
“One source close to CO19 said officers could not lay themselves open to blackmail: “Armed officers keep surveillance on terrorists and serious criminal suspects. It is not appropriate that their most personal details should be open for anyone to view.””
Although, I am not quite clear which personal detail the source had in mind in this case ….
Also, the question arises how did Metropolitan Police management find out about “funboybobby”? Were they trawling the adult dating site in question?
*searching for a term without triggering a double entendre
The Ministry of Justice has issued a consultation document on proposals to introduce prison sentences for those who seek to profit from the illegal trade in personal data, and for those who knowingly or recklessly disclose personal data to those who have no right to have it.
I accept that our prisons are already seriously over-full, but I am quite clear that we will not achieve higher standards of data security in this country until there are much tougher penalties. The Government is committed to ensuring a robust framework of protection for personal data and wants to increase public confidence in its use and deter and punish appropriately those who seek to profit from its illegal trade. (Quite properly it is proposed that there be a “public interest” defence to protect genuine investigative journalism.)
The only thing that will concentrate the minds of those engaged in this sort of trade will be the threat of prison. Such crimes are not “victim-less”.
Apparently, computer hackers are human beings too.
A new survey of computer hackers has found that hackers like to go on holiday during the summer months, but warns that they will be particularly active over Christmas and New Year. Apparently, even though company IT security managers are likely to be on holiday during the summer months, hackers also like to go away then. And for them the best time to target companies is over the winter holidays. Of the hackers surveyed 56% said that Christmas was the best time to do some serious hacking into corporate systems, while 25% favoured New Year’s Eve.
Dominic Grieve has published a Conservative Party policy paper that promises to “reverse the rise of the surveillance state.” Much of it is inevitably about ID Cards, DNA samples and the like.
There is also the usual stuff about repealing the Human Rights Act. This, of course, is the Act that has given the citizen all sorts of legally-enshrined rights to protect him or herself against the power of the State – notably that any action by the Government which impacts adversely on an individual has to pass a proportionality test in relation to the supposed benefits that are intended to flow from it. This can be tested in the Courts – as successive Home Secretaries have discovered to their cost in respect of Control Orders etc. So why the repeal of the Human Rights Act is going to protect the public is not clear.
And then there is the strange (if you are a Tory who normally fulminates against such politically-correct notions) proposal that a Privacy Impact Assessment must be prepared for new laws and regulations. This is no doubt modelled on the requirement for Equality Impact Assessments – a requirement that as far as I am aware has not received universal approval from most Conservatives.
However, tucked away in the paper are a number of proposals on improving information security that I have to acknowledge are eminently sensible. I have to acknowledge it because they are things for which I have been calling for years.
So I welcome proposals to strengthen the role of the Information Commissioner. Not only have I been saying this for the last six years or so, but it also formed part of the report of the House of Lords Select Committee (I happened to be a member of it) on Personal Internet Security published in August 2007.
Likewise, I welcome the proposal for industry-wide kitemarks on data security best practice – another recommendation of the Select Committee.
And the proposal that a Minister and a senior civil servant in each Government Department should be designated as having personal responsibility for data security in that Department is also welcome (and again has a familiar ring to it).
I have long argued that requiring individual Ministers to champion information security and senior Whitehall mandarins to certify that they are personally satisfied with the information assurance processes in place would concentrate their minds wonderfully and lead to a real improvement in security. (In a similar way, I am introducing – through the Committee I chair on the Metropolitan Police Authority, a system whereby senior officers sign off the health and safety arrangements in their commands.)
Dominic Grieve’s paper sets out an eleven-point plan. I am happy to say that I can give three of the points my whole-hearted support. It would be churlish of me not to do so. They were my ideas first. (I’d accuse the Tories of pinching them from me, but I suspect it would be fairer – although why I should be fair, I don’t know – to accuse them of pinching them from the same person I did, if I could remember who it was.)
I do, however, have one concern about their/my proposal on Ministerial responsibility. The difficulty is that most Ministers stay in particular jobs for too short a time for that responsibility really to mean anything. Most Ministers are reshuffled every year – often far too short a time for them to make a real difference to anything. Perhaps the answer would be for legislation saying that once appointed Ministers would have to stay in the same job for at least three years (unless sacked, in which case they would be banned from taking another Ministerial position until the original three years was over). That would be good for the quality of administration in general. I offer this to the Conservatives (or indeed anyone else) free, gratis and for nothing ….