My Lords, I beg leave to ask a Question of which I have given private notice, and in so doing I refer to my interest in the register as chair of the National Preparedness Commission.
My Lords, the Department for Science, Innovation and Technology is leading the Government’s response to the Amazon Web Services outage that took place yesterday. DSIT continues to work across government and with businesses to understand the full impacts of the outage. All AWS services were restored yesterday evening, and DSIT is in contact with AWS to understand how such events can be mitigated in future.
My Lords, I am grateful to my noble friend for that response. I notice that he did not say whether the outage was precipitated by hostile state activity. Given the impact on UK critical services, including those run by the Government, should we have more variety in cloud producers and more sovereign capability? What additional guidance are the Government intending to give to enable the public and private sectors, as well as individuals, to prepare for such disruptions in future?
My Lords, I thank my noble friend for those questions. There is no evidence that this was caused by any malicious activity, and we have to be very careful that we do not speculate otherwise. AWS has publicly stated that the outage was initially caused by an issue with its configuration of the domain name system, or DNS, and some wider related complications. Departments independently determine which suppliers to use based on their use cases. Some cloud providers are strategic suppliers, but departments make decisions on adoption based on not only reliance but cost, capability and their staff’s expertise. We are working to diversify the UK’s cloud ecosystem and encourage greater participation by UK-based and European providers, as well as promoting innovation through our digital infrastructure and cybersecurity programmes. At the same time, the NCSC offers advice and guidance on how businesses and organisations can make themselves more cyber resilient, and this advice is also broadly applicable to digital resilience issues.
As I mentioned in Oral Questions last week, businesses should also take it upon themselves to ensure that they have sufficient cyber resilience systems in place by ensuring that their software and hardware are up to date and, if they can, seeking certification so that their systems are Cyber Essentials certified. Businesses should also be encouraged to have a business continuity plan so that, if anything happens, they have a plan in place.
My Lords, I congratulate my noble friend on his Question; I submitted exactly the same Question yesterday. Is it possible that some of the sites affected in the UK, including the GOV.UK portal, were not aware that the data was held in America rather than in the UK and that, therefore, when a problem arises as it did in East-1, or whatever it is called, on the east coast of America, they were not aware that we would be in this vulnerable position?
I thank my noble friend for that interesting point. I think most businesses, and government, know that AWS is a provider with significant market share—something like 30% of cloud services. The other providers—Microsoft Azure and Google Cloud—also provide such services. I am not sure what he means by people not being aware of AWS’s services.
My Lords, I feel that I am a member of a large club, as I too submitted an identical PNQ. I note that the whole House will have been deeply concerned by this outage. Although, indeed, it does not appear to have been caused by a cyber or other malicious attack, as the Minister has said, we have to work on the assumption that it will happen again. Can officials please urgently produce a report setting out, first, the cost to the United Kingdom of this outage; secondly, the long-term policy implications for the Government as they seek to enhance our resilience; and, thirdly, the immediate mitigations that are, I trust, being devised or implemented as we speak?
My Lords, in respect of the noble Viscount’s point about cost, this happened just yesterday so, of course, we are still working it through; it will take us some time to evaluate how much it will cost the economy. I am sure that economists will be kept very busy for some time working out the costs and the impact on productivity.
We are already taking steps to strengthen the resilience of the UK’s digital infrastructure. Through the national cyber strategy and the national resilience framework, we are working with the National Cyber Security Centre to treat major cloud service providers as part of our critical national infrastructure. This includes measures to ensure that they have robust redundancy, back-up and incident response capabilities in place. At the same time, we are consulting with industry on enhanced incident reporting and transparency requirements so that the Government can be alerted immediately to any service disruption that could have national impact.
My Lords, at the very least, this should be a wake-up call for the Government. It is clear that the Government have been overdependent on two US cloud service providers, which, as the Competition and Markets Authority says, have 70% to 90% of the market, and restrictive practices impede competition. Of course, there is now a sovereign AI unit within DSIT. Will government procurement policy now change to encourage UK cloud service providers, which would then help to deliver sovereign AI? Will the Government also encourage the CMA to act rapidly, given this lack of competition?
I thank the noble Lord for those points. The Government are aware and are taking cybersecurity seriously. That is why we have published a number of strategies and are working with the National Cyber Security Centre, as I mentioned earlier. The noble Lord also mentioned procurement and the service providers. The three providers I just mentioned—Amazon Web Services, Microsoft Azure and Google Cloud—probably have something like 60% of the market share. Yes, we have other small, independent providers as well but, at the same time, procurement is dependent on government departments: on how they want to procure their services and from where. The basic point is that, going forward, we have to ensure that it is safe and resilient.
My Lords, the departments impacted were HMRC, the Home Office, the DVLA and the DWP. I am not aware that the Ministry of Defence was impacted, but I will write to the noble Lord if it was.
Unfortunately, as Health Minister I saw at first hand instances of lack of resilience in the health systems, not just in the NHS but among a lot of its suppliers. Many noble Lords will recall the cyberattacks on the blood testing services in summer 2024. I did not quite hear in the noble Lord’s response to the question from the noble Viscount, Lord Camrose, that we will make sure we can really understand the costs and the lessons learned from all this. Given the nature of these sorts of incidents, is the Minister willing to do this?
I thank the noble Lord for reminding me. Yes, of course we have learned from what happened last year with CrowdStrike. As we know, in July 2024 the Government committed to a review of the lessons learned from the CrowdStrike incident, which was co-drafted between DSIT and the Cabinet Office. The Government have made a number of changes since that incident, including announcing a forthcoming cybersecurity and resilience Bill and bringing the Government Digital Service, including the newly formed government cyber unit, into DSIT as part of the digital centre of government.