Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the official record.
It is a pleasure to serve under your expert chairmanship, Sir Mark. I thank my hon. Friend the Member for Bridgend (Dr Wallis) for securing today’s debate and bringing this important issue to Westminster Hall. I am also grateful to all colleagues who have taken part. It strikes me that this is a good example of bringing to bear on Parliament not just opinions or political points but real depths of expertise from the outside world. I think it has been a very good debate.
I thank the SNP spokesman, the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald), and the Opposition spokesperson, the hon. Member for Halifax (Holly Lynch), for the constructive way that they engaged with the important discussion. I reassure everybody that it will feed into the review, which I will come back to later. I confirm to my hon. Friend the Member for Bridgend that I would be pleased to meet with him and a group of colleagues to discuss the issue further—I look forward to it.
As the Minister for Security and Borders, I am keenly aware of the scale of the cyber-crime threat facing our citizens and businesses. Keeping them safe is a key priority for the Government and our operational agencies and I take this opportunity to thank all those who work tirelessly to protect the public.
The threat from cyber-crime has intensified over the last couple of years. As the hon. Member for Halifax said, the pandemic meant that even more of our lives were spent online, and, inevitably, criminals have sought to exploit that shift. The statistics bear out the scale of the threat, with computer misuse now accounting for an estimated 15% of all crime. That opportunism is despicable and underlines how crucial it is that we have a robust and effective response. The Computer Misuse Act is primarily about hacking into someone else’s computer, but clearly there are more crimes that involve misusing computers for criminal means—most fraud, for example. Later today we have the Second Reading of the Online Safety Bill, which is an ambitious and forward-looking piece of legislation that will tackle online harms around fraud and fraudulent advertising.
I turn to some of the points made by the hon. Member for Strangford (Jim Shannon) about protecting individuals and small businesses. I reassure him that comprehensive advice is available from Cyber Aware. We encourage everybody to act on that, starting with three key things: protecting email security with a password made up of three random words; using two-factor authentication where that is available; and keeping operating systems up to date—often when an update comes around it is to see off some weakness that has been found.
I want to note important steps taken by industry that can make what hacking yields of less utility—things such as the banking sector’s deployment of the confirmation of payee system. We have sector charters in place with key industries, including retail banking. While Northern Ireland has a different policing arrangement, in this part of the UK we have the regional and national cyber-resilience centres, supported by policing, to help give extra support and guidance to small businesses that may have less wherewithal to invest in cyber-security expertise.
I also want to respond to my hon. Friend the Member for Barrow and Furness (Simon Fell) about skills; he is absolutely right that although the issue is about machines, it is ultimately about people. It is people who improve our defences. There are key pathways and standards in the Institute for Apprenticeships and Technical Education system, including under the cyber-security technologist umbrella and more broadly with the introduction of T-levels. Indeed, the critical T-level is digital business services, which includes a minimum of nine weeks of industry placement. I strongly encourage firms operating in the area—in cyber-security and in-house digital technology—to support that to make sure we all work together to bring on that next generation of experts who will help keep us all safer.
The Minister has prompted me to recommend a book called “Peopleware”. It is a classic in software engineering and is all about people and how they develop software. One of its points is the orders of magnitude difference between different categories of competence in software engineering. It raises some interesting issues that I am sure he and his officials would find helpful.
I am grateful to my hon. Friend. I shall add that to my bedtime reading list, which is not uncrowded at present. I will look forward to getting to that.
In the last year, we saw a number of high-profile ransomware attacks around the world, including attacks on local authorities and schools in the UK. The National Cyber Security Centre has reported that in just the first four months of 2021, it handled the same number of ransomware incidents as for the whole of 2020. The National Cyber Security Centre has improved our understanding of the threat and provides a unified source of advice and support to Government and business.
I am afraid that the threat posed by cyber-attacks continues to grow in scale and complexity. That is why the national cyber strategy, mentioned by a number of colleagues and published in December, sets out how the Government will invest £2.6 billion over the next three years to develop a whole-of-society approach to increasing national cyber-security and resilience, including reducing the risk and opportunity for cyber-crimes and disrupting cyber-criminals. As part of that funding, we will continue to invest in the law enforcement cyber-crime network at national, regional and local level. In the face of such a broad and complex threat picture, law enforcement agencies must have the powers they need to investigate online criminality. It is also essential that we have robust legislation in place to enable action to be taken against the perpetrators.
My hon. Friend the Member for Wycombe (Mr Baker) was right about how much has changed since 1990, and my hon. Friend the Member for Barrow and Furness pointed out that the world is more interconnected than ever. Next year, it will be even more interconnected again. All that is correct and we must make sure we are up to date and up to pace. However, as my hon. Friend the Member for Boston and Skegness (Matt Warman) pointed out, it is also the case that over the last 30 years, the Computer Misuse Act has generally proven to be a far-sighted piece of legislation for tackling unauthorised access to systems. As the threat has changed, so too has the Act, which has been updated a number of times—most recently in 2015, where the offence of unauthorised acts causing, or creating risk of, serious damage was introduced.
We are firmly and fully committed to ensuring the legislative framework that underpins our efforts to address cyber-crime remains relevant and effective. That is why last May the Home Secretary announced a review of the Computer Misuse Act. The Home Office subsequently launched a call for information, which marked the first step in that process. The purpose of the call for information was to seek views of interested stakeholders across the piece, including in industry, academia and the agencies, on the Act and the associated investigative powers available to law enforcement. The Home Office has received responses covering a range of interesting and complex issues and we are grateful to those who have sent in their views. We are considering the feedback submitted and continue to engage with partners to determine whether changes are needed. We will provide an update on the initial findings of the review shortly.
I want to touch on a couple of key points directly relating to the Act that will influence the approach we take on defences. First, the Act is based on the principle that the owner of the computer and computer data has the right to say who can access it. I want to stress that point, which was made repeatedly during the development of the Act. Authorisation to access a system is the prerogative of the owner. It is that person who is responsible for the operation of the system and bears the cost of securing it.
Equally, the Government are rightly seeking to ensure that system owners take more responsibility for the security of their systems and the content held on them. Therefore it is right that the system owner has the protection of the law from those who obtain or attempt to obtain unauthorised access to computers and their data. We encourage firms to agree to having their systems tested for vulnerabilities by third parties but the fundamental point is that it is the choice of the legal property owner to determine that.
Secondly, we need to ensure that the Act continues to criminalise those who take unauthorised action against computer systems and provides the legal basis for relevant legal authorities to act.
In launching the review, we have been clear that we are open to changes to the Act that enhance our approach to that threat. However, I must also emphasise that any such changes should be well-considered and well-evidenced. We must guard against taking any action that would undermine the ability of law enforcement agencies and prosecutors to investigate criminals and prosecute them.
I have heard the views of Members on defences. My hon. Friend the Member for Boston and Skegness identified the nuance very well, as my hon. Friend the Member for Wycombe did the nuance of the registration of industry professionals. We are still considering the question of defences, but I am sure that Members would agree with me that we cannot put in place measures that would act as a mechanism for criminals and state actors to hide behind. That is why we need to tread cautiously. An ill-conceived defence could leave prosecutors with the burden of trying to prove a negative, for example, in needing to prove that cyber-attacker X was not, in fact, intending to protect a computer system when they attempted to access it without permission.
It is also worth pointing out that there are already defences in the Act that apply to cyber-security activity. If a person has the authorisation of the system owner to access the system, no offence is committed. In addition, any decision on prosecution is a matter for independent law enforcement and prosecuting agencies who take into account all relevant facts of the case. We must also ensure that any changes to the Act do not permit or encourage retaliatory cyber-activity, sometimes known as “hack back”. There is a danger that such a defence could embolden so-called hacktivists, or commercial entities who wish to offer such services, if they believe their actions could be protected under the law. The UK does not condone unlawful cyber-attacks of any kind.
Some responses to the call for information set out proposals for a review of sentences, and we have also had suggestions for new powers for law enforcement agencies to take action against criminals online. We are considering them as part of the review, including whether sentencing guidelines are needed to ensure that the harms caused by those committing Computer Misuse Act offences are appropriately considered during sentencing.
The hon. Member for Halifax asked a direct question and yes, state threats in this area are absolutely a prevalent and growing issue. I know she would not expect me to give a commentary on a specific security matter, but I want to reassure her and the House that the Government take extremely seriously the question about state capability in this area.
There is absolutely no doubt that the UK needs a Computer Misuse Act that is fit for purpose and can rise to the challenges of the present day. As colleagues know, the Home Office is engaged in a review that is charged specifically with ensuring exactly that.
The context of the war in Ukraine makes that work more important than ever, as the shadow Minister said quite rightly. I am acutely conscious of that, but we cannot rush this. That would only serve to help our adversaries. We are, therefore, approaching the exercise with the careful consideration that the public would expect and which these sometimes complex issues demand. Through the review, and as part of business as usual, we are listening attentively to law enforcement agencies and National Cyber Security Centre experts on what is most likely to enhance our national cybersecurity. Of course, we are also studying the approaches of other countries.
I thank my hon. Friend the Member for Bridgend for securing the debate, which has been interesting and insightful. I am grateful to have had the opportunity to outline our activity in the space and, as I said at the start of my remarks, I look forward to meeting my hon. Friend and colleagues to discuss it further.