Earlier today I went to a meeting (organised by the Henry Jackson Society) in one of the more remote Commons Committee Rooms chaired by James Arbuthnot MP, the Chairman of the Select Committee on Defence. He began by intoning that we were all attending “the most important meeting you will ever go to”. I am not sure about that, but it was undoubtedly one of the scariest I have ever attended.
It was addressed by Avi Schnurr, President of EMPACT (The EMP Awareness Coordination Taskforce) and concerned the threat of an electro-magnetic pulse that could permanently disable the electricity grid and most electrical systems.
In 1962, the United States conducted “Starfish Prime,” a nuclear weapon test over a remote region of the Pacific Ocean. The test was successful, with one unexpected result: fifteen hundred kilometers away in Hawaii streetlights burned out, TV sets and radios failed and power lines fused. This was unexpected and demonstrated that a nuclear warhead set off above the atmosphere causes an Electromagnetic Pulse, or EMP. Unlike a ground burst, an EMP blast can mean (depending on how high in the atmosphere the explosion takes place) continent-wide catastrophe, a capability potentially in the hands of any rogue nation or terror organization that can acquire a single nuclear-tipped missile.
With some of the world’s most unstable regional powers acquiring or already in possession of nuclear weapons, the United States Congress established the Electromagnetic Pulse (EMP) Commission, tasked with evaluating this growing threat. The Commission, based on testimony from throughout the federal government, warned that America’s current vulnerability invites attack. They concluded, remarkably, that “EMP is capable of causing catastrophe for the nation,” as “one of a small number of threats that has the potential to hold our society seriously at risk, and might result in defeat of our military forces.”
During the Cold War, the USA and the USSR relied on deterrence, but because of the threat from EMP (which could have limited their capacity to respond after a first warhead had detonated) both would have responded to a single missile in flight by a full maximum response within minutes – hence the briefcase with the codes that still follows the US President.
However, if one postulates a rogue state or a rogue group having access to a quite small nuclear device and a rocket powerful enough to send it into the upper atmosphere above the target nation or nations (perhaps launched from a boat), deterrence is no longer the answer. The attraction for a North Korea or an Iran (and in both countries there is evidence according to Avi Schnurr that the military elites are not only aware of the potential of EMP attack but have also actively discussed it) is the comparative simplicity of delivering such an attack that would disable the United States or Europe and that it could be done stealthily. The same attraction would also be there for terrorist groups.
And there is no question that the effect of an EMP attack could be devastating. Electricity grids would be destroyed as transformers burnt out (and although these could be replaced the process would take years and again according to Avi Schnurr there is only one company in the world that makes the transformers on which the US electricity grid relies). Control systems for parts of the critical infrastructure (eg the water supply) and even for vehicles would be destroyed by an EMP attack. For a significant period the infrastructure could not function, distribution systems (eg for food) would not function, and the internet would not work. Given the nature of modern society, social structures would break down very rapidly.
And as if the threat from a rogue state or terrorists was not enough, electromagnetic pulses can occur naturally as part of solar activity. Avi Schnurr quoted the US National Academy of Sciences as warning that solar activity can produce effects of equivalent magnitude and does so approximately every hundred years or so. The last such massive solar surge was in 1859 and shorted out telegraph wires and caused widespread fires. The next occasion when there might be such a surge is 2012 (although it might not be the big one, but that is when the next peak of solar activity is anticipated).
I will have to check but I don’t remember any of this being mentioned in last month’s National Security Strategy. I can feel some Parliamentary Questions coming on …
Alan Johnson, the Home Secretary, has made it clear that ID cards will not be compulsory. In a press conference, he said that the pilot schemes for airside workers to have ID cards in Manchester and London City Airports would not now be compulsory for UK citizens.
He said:
“Holding an identity card should be a personal choice for British citizens – just as it is now to obtain a passport. Accordingly I want the introduction of identity cards for all British citizens to be voluntary and I have therefore decided that identity cards issued to airside workers, planned initially at Manchester and London City airports later this year, should also be voluntary.”
At the press conference, he was asked by journalists if ID cards would be made obligatory and said quite clearly that they would not be.
In a Parliamentary written statement he said:
“There will be significant benefits to individuals from holding an identity card which will become the most convenient, secure and affordable way of asserting identity in everyday life. Identity cards will also be valid for travel throughout Europe in place of a British passport. ….. However, holding an identity card should be a personal choice for British citizens – just as it is now to obtain a passport. Accordingly I want the introduction of identity cards for all British citizens to be voluntary.”
This is a sensible and proportionate approach to adopt.
I have always felt that identity cards were mis-sold when they were first announced. They were never going to be a magic bullet in the battles against terrorism or organised crime – although that was what was claimed when the proposals were first aired. However, a simple system enabling the citizen to demonstrate – should they wish to do so – who they are always seemed to me to have enormous value (certainly better than having to turn up at a bank with a driving license, a council tax receipt and a utility bill). In essence, that is the system that the Government is now saying we will be moving towards.
The Government has today published its much-heralded “Cyber Security Strategy of the United Kingdom”. The document is welcome and will lead to an Office of Cyber Security (OCS) being set up to “provide strategic leadership” across Government. In addition, a Cyber Security Operations Centre (CSOC) will be set up as part of GCHQ. This Centre will be responsible for “incident response”, as well as monitoring “the health of cyber space” and providing advice and information.
This all looks extremely positive, as does the philosophy under-pinning the Strategy which includes working in partnership with industry, being more integrated within government, tackling security challenges early, and being grounded in a set of core values based on human rights.
As ever, (forgive the lapse into cliche) the devil will be in the detail – and the detail is not contained in the Strategy. How much clout and authority will the OCS have within Government? Will the CSOC have the resources it needs to be sufficiently pro-active and will it have the legal powers to take appropriate action?
According to the Independent this morning, the announcement of the new Cyber Security Strategy that was promised last week and that I have been calling for over the weeks (years?) will take place tomorrow. Earlier this week I chaired a seminar on “Meeting the Threats in Cyberspace”. One of the most impressive (worrying?) presentations was from Scott Borg of the US Cyber Consequences Unit. His conclusions, which spell out why a fresh approach from the UK Government is so urgent, can be summarised as follows:
“Based on the work the US-CCU has already done, it is evident that the potential economic and strategic consequences of cyber-attacks are very great. The US-CCU’s research has demonstrated that the numbers widely quoted for the costs of denial-of-service cyber-attacks lasting up to three days are actually wildly inflated. But the US-CCU’s findings show that other types of cyber-attacks are potentially much more destructive. Especially worrisome are the cyber-attacks that would hijack systems with false information in order to discredit the systems or do lasting physical damage. At a corporate level, attacks of this kind have the potential to create liabilities and losses large enough to bankrupt most companies. At a national level, attacks of this kind, directed at critical infrastructure industries, have the potential to cause hundreds of billions of dollars worth of damage and to cause thousands of deaths.
Some of the attack scenarios that would produce the most devastating consequences are now being outlined on hacker websites and at hacker conventions. The overall patterns of cyber intrusion campaigns suggest that a number of potentially hostile groups and nation states are actively acquiring the capability to carry out such attacks. Meanwhile, the many ways in which criminal organizations could reap huge profits from highly destructive attacks are also now being widely discussed. This means that American corporations and American citizens need urgently to be informed, not just of their technical vulnerabilities, but of the economic and strategic consequences if those vulnerabilities are exploited. It is only by basing our cyber-defenses on a comprehensive assessment of cyber-attack consequences that we can make sure those defenses are sensible and adequate.”
The Boston Globe has an article from a fellow at the Harvard Kennedy School of Government arguing that the United States should assert its right to cyber self-defence by declaring that “it will promptly counter-attack as accurately and as proportionally as technology allows”.
This is an interesting – if scary – argument. It conjures up memories of the Cold War and “Mutually Assured Destruction” or even further back of Lord Palmerston and “the send a gun-boat” style of diplomacy. Did either strategy work? Well, some would argue there was no nuclear war during the Cold War years (although, the aftermath poses some interesting problems of proliferation etc). And, of course, during the Palmerston era the Sun never set on the British Empire (allegedly because the Sun knew it could never trust the British Empire in the dark).
It is undeniably the case that a number of nation-states are developing an offensive cyber-warfare capacity and those that ostensibly are only interested in developing a defensive strategy can readily reverse the process to become offensive (Porton Down was always ostensibly about developing chemical weapons defence …).
Similarly, non-state-sponsored cyber attacks often emanate from countries who are either indifferent to the activities going on within their borders or are powerless to intervene.
Does this give a country the right to retaliate? The Boston Globe article suggests that a few bouts of such retaliation would bring about the creation of some international means of regulating and protecting cyberspace. That may be true, but it would be good to think that such an outcome could be achieved without the digital trench warfare that the article describes.
Today’s “Digital Britain” report has an interesting paragraph on “Securing Home Networks” which says:
“In addition, the market is increasingly providing a high level of after sales support to its customers through additional assistance in relation to dealing with technical complexity – a sort of “AA breakdown” assistance for your personal networking needs. As home networks become more complex, it is legitimate to expect that these types of service will continue to grow. Services such as “the Geek Squad” from Carphone Warehouse and “Tech Guys” at PC World provide consumers with fast and effective advice on a range of issues including computer optimisation, device set-up, software installation, parental control set-up and tuition, security and software installation, back-up services and many others.”
I expressed some reservations about this when the report was introduced in the House of Lords this afternoon by Lord Stephen Carter, saying:
“I note in the report the support for the after-sales services provided by a number of computer retailers, such as the Geek Squad, the Tech Guys and so forth. Have the Government given any thought to the personnel who visit people in their homes and put things on their computers? What steps are being taken to ensure that those individuals are quality-assured and regulated in the same way that physical security personnel are regulated by the Security Industry Authority?”
My concern was that at present the individuals who work in such areas are unregulated, there is no agreed qualification standard, and there is no guarantee that they are honest. Those people who rely on such services to protect or maintain their IT equipment are the least likely individuals to know whether something adverse (such as installing a key-logger) has been done to their systems.
The Minister’s response recognised that there was an issue, although he sidestepped the point about regulation:
“I do not know what checks and balances those operators put in place, but I will do further due diligence to find out. My noble friend raises an interesting question; as people’s domestic IT systems become more and more sophisticated—which they will—the level of complexity, and therefore the level of security and trust that people will want to have with the providers of those services, will only increase. My view is that it will be four or five years before we have a sort of AA or RAC of the IT world providing that level of assistance at scale for many homes. It is an intriguing question.”
The issue may well be worth pursuing ….
The “Digital Britain” report, published today, has an excellent section on “Digital Security and Safety”. The report makes it clear that there will definitely be a national Cyber Security Strategy, something I have been calling for for some time, when it says:
“The UK’s National Security Strategy describes how ‘cyber security’ cuts across almost all the national security challenges that it identifies, and the need to address them in a coherent way. To this end, the Government is developing a Cyber Security Strategy to build a safe, secure and resilient cyber space for the UK, through both the beneficial exploitation of cyber space and the reduction of risks posed by those who seek to do the UK harm: the forthcoming Cyber Security Strategy will set out how the Government intends to approach this task.”
This is an extremely welcome development. When Lord Stephen Carter made his statement introducing the report in the House of Lords this afternoon, I asked him when the Strategy might be issued and he said he hoped it would be ready by the end of July.
According to David Hencke (so it must be true) in today’s Guardian, the Government is planning to establish a new Cyber Security Agency and this will be announced in a wide-ranging statement, updating the National Security Strategy.
Last month I pointed out the radical approach being taken by the Obama Administration in the United States towards tackling the cyber threat. As I told David Hencke, it will be welcome if the UK is now going to do something similar.
However, whatever is proposed will have to be adequately resourced and will need to be properly linked to the national Police E-crime Unit and also to the national security apparatus.
When I arrived in Parliament today, a friend pressed into my hand an organisational diagram showing the Ministerial appointments in the new Department for Business, Innovation and Skills (it’s DaBiz!). My noble friend, Lord Peter Mandelson, who is now First Secretary of State (ie Deputy Prime Minister in all but name), Lord President of the Council, and Secretary of State for Business, Innovation and Skills, rules over a Department with ELEVEN Ministers – an unprecedented number – the size of many nineteenth century Cabinets.
Of the eleven, a majority (six) are unelected and members of the House of Lords (and that excludes Sir (soon to be Lord??) Alan Sugar who is “an advisor” not a Minister (so why does he need a peerage?)).
More significantly, five of the Ministers are also holding posts in other Government Departments: Foreign and Commonwealth Office; Ministry of Defence; Department of Children, Schools and Families; Department of Communities and Local Government; and the Department of Culture, Media and Sport.
This gives the First Secretary of State what has been described to me as a “tentacular” reach into most of the rest of the Government.
And, of course, as Lord President he presides over meetings of the Privy Council.
Not bad for a former Lambeth Councillor.
There is nothing that a few years as a member of a London Borough Council does not equip you to do …..
Thanks to Faber Brent Security, my attention has been drawn to an article in the Washington Post, describing how when men working underground on the Washington Metro accidentally sliced through a cable within a matter of minutes three black SUVs appeared and a number of very serious men got out demanding to know what had happened to their secure connection! Nothing out of the ordinary in a cable being cut – unfortunately it happens all too often. But usually the problem is finding out what cable that has been cut actually does. In this instance, however, the mysterious men in the black SUVs took over extremely quickly!
If something similar happened in the UK, I wonder what the equivalent response time would be? Do the key parts of our critical national infrastructure even know where the critical cables are?