
Archive for the ‘Technology’ Category

Thursday
Aug 20,2009

Even though Parliament isn’t sitting, each week Hansard publishes the written answers to Parliamentary questions tabled before the recess started and whose answers have finally emerged from the civil service sausage machine and been signed off by the relevant Minister.  I have just caught up with the latest list, which includes the answer to the question I tabled five or six weeks ago on electromagnetic pulses (EMP) and the National Security Strategy.

My question followed on from a scary briefing I had attended on the threat of EMP attacks on the critical national infrastructure.  (Some comments have suggested that the briefing was scare-mongering rather than scary, although I remain convinced – as subsequent discussions I have had with people who know about the subject have confirmed – that the subject has real substance and should be taken seriously).

The answer I have received from Lord Alan West is as follows:

“The Government’s updated National Security Strategy takes into account the threat posed to UK interests, including the critical national infrastructure, by the full range of “threat actors”, a definition that includes natural hazards, as well as individuals or organisations with malign intent. The associated Cyber Security Strategy of the United Kingdom, published alongside and reflected in the National Security Strategy update, considers a number of methods of cyber attack, including those that generate high levels of power that can damage or disrupt unprotected electronics.

In addition, the Centre for the Protection of National Infrastructure (CPNI) provides advice on electronic or cyber protective security measures to the businesses and organisations that comprise the UK’s critical national infrastructure, including public utilities companies and banks. CPNI also runs a CERT service which responds to reported attacks on private sector networks.”

Reading between the lines, I take this to mean that EMP attacks (and including natural pulses emitted by the Sun) are considered as part of the Strategy and that the CPNI provides relevant advice.  I am reassured by the first part of the answer, but less convinced by the second part – I received similar-sounding answers to my questions a few years ago about the advice that the CPNI (or its then predecessor) were giving about information security.  And the big question remains: it is only advice, is anyone actually doing anything?

Tuesday
Aug 18,2009

I spent an interesting hour or so this afternoon with a “white hat hacker” – someone who uses his substantial computing experience to identify system weaknesses and vulnerabilities so that those weaknesses and vulnerabilities can be fixed.

He demonstrated how simple it is to clone most so-called smart cards, so as to render many (virtually all) secure entry systems redundant.  The technology is readily available as are the programmes required to do it.

This doesn’t mean that card-based systems are of no value, but what it showed was how often there are basic design flaws that could be fixed, so as to render such systems much harder to compromise.

I had missed the reports of the Dutch researchers who were able to put phantom money onto their Oyster cards so as to travel round London free.  This afternoon, I saw how easily it can be done by those who are minded to cheat the system.  I wonder how much Transport for London are losing by this weakness each day and whether their systems for detecting such fraud and de-activating the cards concerned are as robust as they claim.

At the end of 2005, I persuaded three reputable “white hat” penetration testing companies to offer their services for free to any Government department that would like some independent checking of their information security.  I wrote with this offer to the designated “senior information risk owner” in every Ministry.  The three companies were worried that they would be put out of business by the rush of Government agencies taking them up on their generous offer.   However, you will not be surprised to learn that after seven weeks not a single one of the twenty or so “senior information risk owners” that I had written to had replied.  I then got a letter from the Cabinet Office on behalf of all of them – an example of coordinated Government rarely seen before or since – declining and saying that they were confident that their systems for protecting information were more than sufficient and that no external validation was needed.  Subsequent experience showed how complacent that response was.

This afternoon’s meeting suggested that similar complacency still all too often reigns – not only in the public sector but in the private sector as well.  Of course, there are exceptions and I have come across examples of excellent practice with systems checked by two external penetration testing companies, independent of those who have supplied, installed or manage the systems concerned.   However, those examples are just that – exceptions.  Too often senior managers don’t understand the problem or the risks that they face and are too readily reassured by those who have a vested interest in saying that everything is fine.

Monday
Aug 10,2009

My attention has been drawn to Kevin Anderson’s very sensible and balanced analysis of the Gary McKinnon extradition case.  It is far more measured than Mayor (and part-time Telegraph columnist) Boris Johnson’s rant.  I wonder who earns the most from his journalism – the one who provides analysis or the one who rants with cavalier regard for fact?

Thursday
Jul 30,2009

I attended a meeting this morning where in passing there was a reference to the new British Telecom network upgrade (21CN) that is now underway.  The presentation had just included a warning to British businessmen travelling to China (after all, even a senior No10 aide had been caught).  Then it was pointed out that a key component of 21CN was manufactured in China by a manufacturer with close links (don’t they all?) to the Chinese Government, that Government departments and most businesses allowed at least some of their key data or their voice communications to go over BT networks.  So by implication any malign intervention wouldn’t require a honey-trap on someone visiting China but could be done remotely via the components in 21CN.

Apparently, one of the suppliers of 21CN’s Multiservice Access Nodes (and let’s be honest, I am not sure precisely what these are, but they sound important) are Huawei Technologies.  Huawei promise that their success in winning the contract will create “many new jobs in the UK”.

Obviously, it is possible for people to be paranoid (and many are) that anything electronic manufactured in China (or anywhere else that we don’t trust this week) might contain “hidden” code capable of broadcasting back the contents of communications or even allowing control of equipment to be passed to those with malign intent overseas.  But as we know, being paranoid doesn’t mean that people aren’t out to get you.

So how worried should we be about the security of British business and of the UK’s critical national infrastructure?

I cannot assess the real scale of the threat, although there does seem to be a growing consensus that the Chinese Government are building up their capacity to wage cyber war and that there is the intent to achieve cyber dominance by 2050.  The Chinese are certainly investing heavily in high technology and there is substantial US concern about the Chinese capacity for conventional and industrial espionage by electronic means.

What I am clear about is that as a nation we do not take information security as seriously as we should – and this applies to the public sector and the private sector alike.  If there is a threat from BT’s 21CN, it may now be too late to do anything about it, and that leaves the real question: what is being put in place to ensure that the threat is being mitigated?

Wednesday
Jul 22,2009

When the Digital Britain White Paper was published on 16th June, I raised some concerns about the White Paper’s apparent endorsement of “The Geek Squad” and “The Tech Guys”.

I have now received from Lord Stephen Carter a response to the points I made in the debate.  Unfortunately, the response slightly misses the point (by about a mile, actually).  It sets out the measures being introduced to improve the enforcement of consumer law applying to on-line transactions.  This is all good stuff – a single online complaints register for people encountering an online scam; investment in new equipment, training and staff for on-line consumer law enforcers; and a review of enforcement powers in an on-line world.  However, this is not really going to provide much reassurance for people nervous about letting an unknown person into their homes to fiddle around with their computer systems.

I have now written back to Stephen Carter – although my letter may well have arrived after his last day in office (he is one of the GOAT ministers who is resigning this month).  My letter says:

“Thank you for your letter of 8th July.  I am grateful for the clarification you have provided on the points I raised following your statement to the House on 16th June.

 

However, I would like to come back on the second issue I raised.  This related to the need to ensure that consumers have adequate protection when dealing with suppliers, such as “The Geek Squad” or “The Tech Guys” – both specifically mentioned in “Digital Britain”.

 

In your response, you mention the measures being taken to improve enforcement of consumer law applying to on-line transactions.  Whilst these measures are valuable, they rather miss the point of my concerns.  Both “The Geek Squad” and “The Tech Guys” involve the consumer permitting individuals to access their computer equipment (and usually their homes).  Such individuals are being given a position of trust by the consumers concerned, who will assume that they are (1) honest and (2) know what they are doing.  As far as these points are concerned, it is extremely unlikely that the consumer will have the technical knowledge to understand (or indeed to be able to detect) what has been done to their equipment – that is after all why they have asked “The Geek Squad” or “The Tech Guys” to visit or to look at their equipment.

 

If you engage a security guard from a security firm, the individuals engaged are required to be registered with the Security Industry Authority and will have been vetted for criminality and there are requirements relating to their training.  Yet the activities of most security personnel will usually be visible and will normally be comprehensible to the person engaging them.  Should there not be some similar system of regulation and customer assurance of the quality of work in place for those individuals engaged by “The Geek Squad”, “The Tech Guys” or any other similar service?  If no such system is in place, most customers – who are likely not to be skilled technically – will be vulnerable to data being stolen from them, to malicious code being placed on their machines or to more traditional forms of criminality.

 

I would welcome your comments on what can be done to address this.  I am copying this letter to Lord West of Spithead (in view of the information security implications) and to Alun Michael MP (in view of his role chairing the Tripartite Internet Crime and Security Initiative).”

I will be interested to see if the civil servants get the point this time.

Tuesday
Jul 21,2009

This morning I took part in a breakfast discussion on the Lords Terrace (over orange juice and croissants, but fortunately under cover as it was pouring with rain) with Lord Young of Graffham and Lord Razzall about what can be done to re-energise the British technology sector.  The occasion was the launch of the Micro Focus Technology Manifesto, “Making BrITain Great Again”.  It was well-attended and the Q&A session at the end was lively and could clearly have continued for much longer.

The central theme was that Britain has the potential to generate a much larger proportion of its GDP from the technology innovation-driven sector and the manifesto is designed to kick-start a debate about what can usefully be done to create an environment in which the sector can thrive, expand and create new and sustainable jobs in the UK.  The manifesto has five strands:

  • increasing the supply of world-class technology talent in the UK
  • harnessing the expertise and goodwill of successful leaders around the world to mentor leaders of UK-based emerging technology businesses
  • changing substantially the tax incentives available to companies and individuals who want to invest in growing technology businesses in the UK
  • implementing fiscal incentives for UK-based companies seeking to take forward world-leading R&D
  • encouraging overseas technology companies to invest in a UK hub

I hope that the manifesto does kick-start a debate on these issues and that all the main Parties will commit to following the direction of travel indicated.  Indeed, I would hope that the core principle would be readily endorsed.  Future UK prosperity can only be sustained if the country is able to offer something significant to the world economy and that something in my view has to be that Britain is able to exploit innovation effectively and can deliver substantial value-added in technology and intellectual property.  The UK will never compete by trying to cut wage costs to Third World levels, we no longer have a heavy manufacturing base and there is a limit to how much national income that can be generated from tourism and heritage.  The only route to sustainability has to be through becoming a leading force in innovation and technology.

I remain concerned that too many young people do not see careers in technology as exciting, that too many further and higher education courses are irrelevant to the technology sector’s needs, and that for those who do emerge from further and higher education there are too few entry-level job/training opportunities.  Moreover, as a country we do not do enough to foster entrepreneurialism, nor to support investment in innovative start-ups and to support the growth of such enterprises as they develop.  The Micro Focus manifesto contains a number of suggestions as to how these issues may be addressed.  I am sure it is not definitive, but the future of the UK economy requires that this debate starts now and is taken seriously.

Monday
Jul 13,2009

The Health Services Journal (reporting an investigation by More4 News) says that NHS computer systems were infected by more than 8000 viruses in the last year, most of which would have been avoided if the NHS Trusts concerned had kept their anti-virus software up-to-date.

This would be worrying enough (consequences described included the breakdown of patient appointment systems), but the complacent response of the Department of Health is breathtaking.

According to the HSJ:

“The revelation that NHS trusts have been poor at keeping their anti-virus software up to date has provoked concerns that they are vulnerable to viruses that could cause confidential patient data to be disseminated.

“But a spokesman for the Department of Health said the electronic patient records systems provided through the national programme for IT were “protected by the highest levels of access controls and other security measures”.”

However, my understanding has always been that once an individual machine has been compromised – depending on what malware has been installed – then all the data accessed or stored by that machine is potentially vulnerable.  So if so many Trusts are failing to maintain up-to-date anti-virus software, then confidential patient data IS at risk.

The Department of Health spokesperson went on to say that:

“local NHS trusts were legally responsible for complying with data protection rules and were expected to record any breaches.”

So that’s all right then …….

Sunday
Jul 12,2009

According to the FBI, Goldman Sachs fell victim to potentially one of the most costly losses of information ever when one of their computer specialists decided that the $400,000 a year he was being paid was not actually sufficient compensation for his talents and decided to move to another company who were prepared to treble his salary.  In the few days before he left, the employee apparently copied part of the code controlling Goldman Sachs’s electronic trading platform which enables them to respond almost instantly to market movements (probably in a way that makes those market movements even more destabilising for the rest of us but is highly profitable for Goldman Sachs).

Of course, it could have been worse, he could have tinkered with the code as well before he left, so that the trading platform would have bankrupted Goldman Sachs instead of making them enormous profits.  At least, I assume that would have been worse …..

Moral: be nice to the geeks in your IT department.

Tuesday
Jul 7,2009

I have tabled a question for written answer on electromagnetic pulses and the National Security Strategy arising from the meeting I went to yesterday:

To ask Her Majesty’s Government:

 

“What consideration was given to the threat to the critical national infrastructure of a high intensity electromagnetic pulse, produced either by malign intent or as a result of solar activity, in preparing the National Security Strategy.”

Monday
Jul 6,2009

Earlier today I went to a meeting (organised by the Henry Jackson Society) in one of the more remote Commons Committee Rooms chaired by James Arbuthnot MP, the Chairman of the Select Committee on Defence.  He began by intoning that we were all attending “the most important meeting you will ever go to”.  I am not sure about that, but it was undoubtedly one of the scariest I have ever attended.

It was addressed by Avi Schnurr, President of EMPACT (The EMP Awareness Coordination Taskforce) and concerned the threat of an electro-magnetic pulse that could permanently disable the electricity grid and most electrical systems.

In 1962, the United States conducted “Starfish Prime,” a nuclear weapon test over a remote region of the Pacific Ocean. The test was successful, with one unexpected result: fifteen hundred kilometers away in Hawaii streetlights burned out, TV sets and radios failed and power lines fused. This was unexpected and demonstrated that a nuclear warhead set off above the atmosphere causes an Electromagnetic Pulse, or EMP. Unlike a ground burst, an EMP blast can mean (depending on how high in the atmosphere the explosion takes place) continent-wide catastrophe, a capability potentially in the hands of any rogue nation or terror organization that can acquire a single nuclear-tipped missile.

With some of the world’s most unstable regional powers acquiring or already in possession of nuclear weapons, the United States Congress established the Electromagnetic Pulse (EMP) Commission, tasked with evaluating this growing threat. The Commission, based on testimony from throughout the federal government, warned that America’s current vulnerability invites attack. They concluded, remarkably, that “EMP is capable of causing catastrophe for the nation,” as “one of a small number of threats that has the potential to hold our society seriously at risk, and might result in defeat of our military forces.”

During the Cold War, the USA and the USSR relied on deterrence, but because of the threat from EMP (which could have limited their capacity to respond after a first warhead had detonated) both would have responded to a single missile in flight by a full maximum response within minutes – hence the briefcase with the codes that still follows the US President.

However, if one postulates a rogue state or a rogue group having access to a quite small nuclear device and a rocket powerful enough to send it into the upper atmosphere above the target nation or nations (perhaps launched from a boat), deterrence is no longer the answer.  The attraction for a North Korea or an Iran (and in both countries there is evidence according to Avi Schnurr that the military elites are not only aware of the potential of EMP attack but have also actively discussed it) is the comparative simplicity of delivering such an attack that would disable the United States or Europe and that it could be done stealthily.  The same attraction would also be there for terrorist groups.

And there is no question that the effect of an EMP attack could be devastating.  Electricity grids would be destroyed as transformers burnt out (and although these could be replaced the process would take years and again according to Avi Schnurr there is only one company in the world that makes the transformers on which the US electricity grid relies).  Control systems for parts of the critical infrastructure (eg the water supply) and even for vehicles would be destroyed by an EMP attack.  For a significant period the infrastructure could not function, distribution systems (eg for food) would not function, and the internet would not work.  Given the nature of modern society, social structures would break down very rapidly.

And as if the threat from a rogue state or terrorists was not enough, electromagnetic pulses can occur naturally as part of solar activity. Avi Schnurr quoted the US National Academy of Sciences as warning that solar activity can produce effects of equivalent magnitude and does so approximately every hundred years or so.  The last such massive solar surge was in 1859 and shorted out telegraph wires and caused widespread fires.  The next occasion when there might be such a surge is 2012 (although it might not be the big one, but that is when the next peak of solar activity is anticipated).

I will have to check but I don’t remember any of this being mentioned in last month’s National Security Strategy.  I can feel some Parliamentary Questions coming on …