Public Bill Committees
The Chair
Good morning, everyone. We are now sitting in public and the proceedings are being broadcast. I remind Members, please, to switch electronic devices to silent, and that tea and coffee are not allowed during sittings. Today, we will first consider the programme motion on the amendment paper. We will then consider a motion to enable the reporting of written evidence for publication and a motion to allow us to deliberate in private about our questions before the oral evidence sessions. In view of the time available, I hope we can take those matters formally without debate. I call the Minister to move the programme motion standing in his name, which was discussed yesterday by the Programming Sub-Committee for the Bill.
Ordered,
That—
1. the Committee shall (in addition to its first meeting at 9.25 am on Tuesday 3 February) meet—
(a) at 2.00 pm on Tuesday 3 February;
(b) at 11.30 am and 2.00 pm on Thursday 5 February;
(c) at 9.25 am and 2.00 pm on Tuesday 10 February;
(d) at 9.25 am and 2.00 pm on Tuesday 24 February;
(e) at 11.30 am and 2.00 pm on Thursday 26 February;
(f) at 9.25 am and 2.00 pm on Tuesday 3 March;
(g) at 11.30 am and 2.00 pm on Thursday 5 March;
2. the Committee shall hear oral evidence on Tuesday 3 February in accordance with the following Table:
Time | Witness
Until no later than 10.00 am | Royal United Services Institute; DLA Piper
Until no later than 10.40 am | techUK; Nine23; ISC2
Until no later than 11.25 am | Cisco; Darktrace; NCC Group; Amazon
Until no later than 2.40 pm | Information Commissioner's Office; Ofcom; Ofgem
Until no later than 3.00 pm | Inter-Parliamentary Alliance on China
Until no later than 3.20 pm | Professor John Child, Professor of Criminal Law, University of Birmingham
Until no later than 3.40 pm | National Police Chiefs’ Council
Until no later than 4.00 pm | The Worshipful Company of Information Technologists
Until no later than 4.20 pm | NHS Greater Glasgow and Clyde
Until no later than 4.50 pm | Fortinet; Palo Alto Networks
Until no later than 5.10 pm | Department for Science, Innovation and Technology
3. proceedings on consideration of the Bill in Committee shall be taken in the following order: Clauses 1 to 22; Schedule 1; Clause 23; Schedule 2; Clauses 24 to 61; new Clauses; new Schedules; remaining proceedings on the Bill;
4. the proceedings shall (so far as not previously concluded) be brought to a conclusion at 5.00 pm on Thursday 5 March.—(Kanishka Narayan.)
Resolved,
That, subject to the discretion of the Chair, any written evidence received by the Committee shall be reported to the House for publication.—(Kanishka Narayan.)
The Chair
Copies of written evidence received by the Committee will be made available in the Committee Room.
Resolved,
That, at this and any subsequent meeting at which oral evidence is to be heard, the Committee shall sit in private until the witnesses are admitted.—(Kanishka Narayan.)
The Chair
We are now sitting in public again. We have heard declarations of interest. If there are any others, please say. We will now hear oral evidence from Jen Ellis, associate fellow for cyber and tech at the Royal United Services Institute, who is joining us online, and David Cook, who is a partner at DLA Piper. Thank you for coming.
Before calling the first Member to ask a question, I remind Members that questions should be limited to matters within the scope of the Bill. We must stick to the timings in the programme order that the Committee has agreed to. For this session, we have until 10 am. I call the shadow Minister.
Q
Jen Ellis: There is a thing that you always hear people say in the cyber-security industry which is, “There are no silver bullets”. There is no quick fix or one easy thing, and that definitely applies when looking at policy as well. I cannot give you a nice, easy, pat answer to how we solve the problem of attacks like the ones we saw last year. What I can say is that, looking at the Cyber Security and Resilience Bill specifically, I think it could include companies above a certain size or impact to the UK economy. The Bill currently goes sector by sector—which makes lots of sense, to focus on essential services—but I think we could say there is another bucket where organisations beyond a certain level of impact on the economy would also be covered. That could be something like the FTSE 350. Including those might be one way to go about it, but it is worth noting that it would not simply solve the problem because the problem is complex and multi-faceted, and this is just one piece of legislation.
David Cook: With respect to NIS2, that is an example of a whole suite of laws that have come in across the European Union—the Digital Decade law; I think there is something like 10 or 15 of these new laws. They do all sorts of different things, and NIS2 sits within that. NIS2 is the reform of the NIS directive, which is the current state of play in UK law. NIS2 gives certainty and definition, by way of the legislation itself and then the implementing legislation, which means that organisations have had a run-up at the issue and a wholesale governance programme, which takes a number of years, but they know where they are headed, because it is a fixed point in the distance, on the horizon.
The Bill we are talking about today has the same framework as a base. The plan then is that secondary legislation can be used in a much more agile way to introduce changes quickly, in the light of the moving parts within the geopolitical ecosystem outside the walls. For global organisations with governance that spans jurisdictions, a lack of certainty is unhelpful. Understanding where they need to get to often requires a multi-year programme of reform. I can see the benefits of having an agile, flexible system, but organisations—especially global ones, which are the sort within the scope of this Bill—need time to prepare, recruit people, get the skillset in place, and understand where they need to get to. That fixed future point needs to be defined.
Chris Vince (Harlow) (Lab/Co-op)
Q
David Cook: There is reform all over the world. At its core, we have got a European law that is transposed in UK national legislation, the General Data Protection Regulation. That talks about personal data and has been seen as the gold standard all over the world. Different jurisdictions have implemented, not quite a copycat law, but one that looks a lot like the GDPR, so organisations have something that they can target, and then within their territory they are often going to hit a compliance threshold as well. Because of changes in the geopolitical environment, we are seeing—for example in Europe, but also in Australia and the United States—specific laws coming in that look at the supply chain in different sectors and provide for more onerous obligations. We are seeing that in the environment. NIS2 is being transposed into national laws. Organisations take a long time to get to the point of compliance. We are probably behind the curve, but this is not a new concept. Adapting to change within tech and change within how organisations themselves are relying on a supply chain that is more vulnerable and fragile is common.
Bradley Thomas (Bromsgrove) (Con)
Q
Jen Ellis: For sure, it should not come down to whether you are public or private; it should be about impact. Figuring out how to measure that is challenging. I will leave that problem with policymakers—you’re welcome. I do not think it is about the number of employees. We have to think about impact in a much more pragmatic way. In the tech sector, relatively small companies can have a very profound impact because they happen to be the thing that is used by everybody. Part of the problem with security is that you have small teams running things that are used ubiquitously.
We have to think a little differently about this. We have seen outages in recent years that are not necessarily maliciously driven, but have demonstrated to us how reliant we are on technology and how widespread the impact can be, even of something like a local managed service provider. One that happened to provide managed services for a whole region’s local government went down in Germany and it knocked out all local services for some time. You are absolutely right: we should be looking at privately held companies as well. We should be thinking about impact, but measuring impact and figuring out who is in scope and who is not will be really challenging. We will have to start looking down the supply chain, where it gets a lot more complex.
Tim Roca (Macclesfield) (Lab)
Q
Jen Ellis: As a starting point, I will clarify that I am a fellow at RUSI. I work closely with Jamie, but I do not work for RUSI. I also take no responsibility for Jamie’s comments.
On the comparisons, David alluded to the fact that Europe is a little bit ahead of us. NIS2, its update to NIS1, came into force three years ago with a dangling timeline: nations had until October 2024 to implement it. My understanding is that not everybody has implemented it amazingly effectively as yet. There is some lag across the member states. I do not think we are too out of scope of what NIS2 includes. However, we are talking about primary legislation now; a lot of the detail will be in the secondary legislation. We do not necessarily know exactly how those two things will line up against each other.
The UK seems to be taking a bit of a different approach. The EU has very specifically tried to make the detail as clearly mandated as possible, because it wants all the member states to adopt the same basis of requirements, which is different from NIS1, whereas it seems as though the UK wants to provide a little bit of flexibility for the regulators to “choose their own adventure”. I am not sure that is the best approach. We might end up with a pretty disparate set of experiences. That might be really confusing for organisations that are covered by more than one competent authority.
The main things that NIS2 and CSRB are looking at are pretty aligned. There is a lot of focus on the same things. It is about expanding scope to make sure that we keep up with what we believe “essential” now looks at, and there is a lot of focus on increased incident reporting and information sharing. Again, the devil will be in the detail in the secondary legislation.
The other thing I would say goes back to the earlier question about what is happening internationally. The nations that David mentioned, like Australia or the jurisdiction around the EU, are really proactive on cyber policy—as is the UK. They are taking a really holistic view, which David alluded to in his introduction, and are really looking at how all the pieces fit together. I am not sure that it is always super clear that the UK is doing the same. I think there is an effort to do so, and UK policymakers are very proactive on cyber policy and are looking at different areas to work on, but the view of how it all goes together may not be as clear. One area where we are definitely behind is legislating around vendor behaviour and what we expect from the people who are making and selling technology.
The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)
Q
Jen Ellis: Again, that is a hugely complex question to cover in a short amount of time. One of the challenges that we face in the UK is that we are a 99% small and medium business economy. It is hard to think about how to place more burdens on small and medium businesses, what they can reasonably get done and what resources are available. That said, that is the problem that we have to deal with; we have to figure out how to make progress.
There is also a challenge here, in that we tend to focus a lot on the behaviour of the victim. It is understandable why—that is the side that we can control—but we are missing the middle piece. There are the bad guys, who we cannot control but who we can try to prosecute and bring to task; and there are the victims, who we can control, and we focus a lot on that—CSRB focuses on that side. Then there is the middle ground of enablers. They are not intending to be enablers, but they are the people who are creating the platforms, mediums and technology. I am not sure that we are where we could be in thinking about how to set a baseline for them. We have a lot of voluntary codes, which is fantastic—that is a really good starting point—but it is about the value of the voluntary and how much it requires behavioural change. What you see is that the organisations that are already doing well and taking security seriously are following the voluntary codes because they were already investing, but there is a really long tail of organisations that are not.
Any policy approach, legislation or otherwise, comes down to the fact that you can build the best thing in the world, but you need a plan for adoption or the engagement piece—what it looks like to go into communities and see how people are wrestling with this stuff and the challenges that are blocking adoption. You also need to think about how to address and remove those challenges, and, where necessary, how to ensure appropriate enforcement, accountability and transparency. That is critical, and I am not sure that we see a huge amount of that at the moment. That is an area where there is potential for growth.
With CSRB, the piece around enforcement is going to be critical, and not just for the covered entities. We are also giving new authorities to the regulators, so what are we doing to say to them, “We expect you to use them, to be accountable for using them and to demonstrate that your sector is improving”? There needs to be stronger conversations about what it looks like to not meet the requirements. We should be looking more broadly, beyond just telling small companies to do more. If we are going to tell small companies to do more, how do we make it something that they can prioritise, care about and take seriously, in the same way that health and safety is taken seriously?
David Cook: To achieve the outcome in question, which is about the practicalities of a supply chain where smaller entities are relying on it, I can see the benefit of bringing those small entities in scope, but there could be something rather more forthright in the legislation on how the supply chain is dealt with on a contractual basis. In reality, we see that when a smaller entity tries to contract with a much larger entity—an IT outsourced provider, for example—it may find pushback if the contractual terms that it asks for would help it but are not required under legislation.
Where an organisation can rely on the GDPR, which has very specific requirements as to what contracts should contain, or the Digital Operational Resilience Act, which is a European financial services law and is very prescriptive as to what a contract must contain, any kind of entity doing deals and entering into a contract cannot really push back, because the requirements are set out in stone. The Bill does not have a similar requirement as to what a contract with providers might look like.
Pushing that requirement into the negotiation between, for example, a massive global IT outsourced provider and a much smaller entity means either that we will see piecemeal clauses that do not always achieve the outcomes you are after, or that we will not see those clauses in place at all because of the commercial reality. Having a similarly prescriptive set of requirements for what that contract would contain means that anybody negotiating could point to the law and say, “We have to have this in place, and there’s no wriggle room.” That would achieve the outcome you are after: those small entities would all have identical contracts, at least as a baseline.
Emily Darlington (Milton Keynes Central) (Lab)
Q
David Cook: The original NIS regulations came out of a directive from 2016, so this is 10 years old now, and the world changes quickly, especially when it comes to technology. Not only is this supply chain vulnerability systemic, but it causes a significant risk to UK and global businesses. Ransomware groups, threat actors or cyber-criminals—however you want to badge that—are looking for a one-to-many model. Rather than going after each organisation piecemeal, if they can find a route through one organisation that leads to millions, they will always follow it. At the moment, they are out of scope.
The reality is that those organisations, which are global in nature, often do not pay due regard to UK law because they are acting all over the world and we are one of many jurisdictions. They are the threat vector that is allowing an attack into an organisation, but it then sits with the organisations that are attacked to deal with the fallout. Often, although they do not get away scot-free, they are outside legislative scrutiny and can carry on operating as they did before. That causes a vulnerability. The one-to-many attack route is a vulnerability, and at the moment the law is lacking in how it is equipped to deal with the fallout.
Jen Ellis: In terms of what the landscape looks like, our dialogue often has a huge focus on cyber-crime and we look a lot at data protection and that kind of thing. Last year, we saw the impact of disruptive attacks, but in the past few years we have also heard a lot more about state-sponsored attacks.
I do not know how familiar everyone in the room is with Volt Typhoon and Salt Typhoon; they were widespread nation-state attacks that were uncovered in the US. We are not immune to such attacks; we could just as easily fall victim to them. We should take the discovery of Volt Typhoon as a massive wake-up call to the fact that although we are aware of the challenge, we are not moving fast enough to address it. Volt Typhoon particularly targeted US critical infrastructure, with a view to being able to massively disrupt it at scale should a reason to do so arise. We cannot have that level of disruption across our society; the impacts would be catastrophic.
Part of what NIS is doing and what the CSRB is looking to do is to take NIS and update it to make sure that it is covering the relevant things, but I also hope that we will see a new level of urgency and an understanding that the risks are very prevalent and are coming from different sources with all sorts of different motivations. There is huge complexity, which David has spoken to, around the supply chain. We really need to see the critical infrastructure and the core service providers becoming hugely more vigilant and taking their role as providers of a critical service very seriously when it comes to security. They need to think about what they are doing to be part of the solution and to harden and protect the UK against outside interference.
David Cook: By way of example, NIS1 talks about reporting to the regulator if there is a significant impact. What we are seeing with some of the attacks that Jen has spoken about is pre-positioning, whereby a criminal or a threat actor sits on the network and the environment and waits for the day when they are going to push the big red button and cause an attack. That is outside NIS1: if that sort of issue were identified, it would not be reportable to the regulator. The regulator would therefore not have any visibility of it.
NIS2 and the Bill talk about something being identified that is caused by or is capable of causing severe operational disruption. It widens the ambit of visibility and allows the UK state, as well as regulators, to understand what is going in the environment more broadly, because if there are trends—if a number of organisations report to a regulator that they have found that pre-positioning—they know that a malicious actor is planning something. The footprints are there.
Freddie van Mierlo (Henley and Thame) (LD)
Q
Jen Ellis: You have covered a lot of territory there; I will try to break it down. If you look at the attacks last year, all the companies you mentioned were investing in cyber-security. There is a difficulty here, because there is no such thing as being bullet-proof or secure. You are always trying to raise the barriers as high as you can and make it harder for attackers to be successful. The three attacks you mentioned were highly targeted attacks. The example of Volt Typhoon in the US was also highly targeted. These are attackers who are highly motivated to go after specific entities and who will keep going until they get somewhere. It is really hard to defend against stuff like that. What you are trying to do is remove the chances of all the opportunistic stuff happening.
So, first, we are not going to become secure as such, but we are trying to minimise the risk as much as possible. Secondly, it is really complex to do it; we saw last year the examples of companies that, even though they had invested, still missed some things. Even in the discussions that they had had around cyber-insurance, they had massively underestimated the cost of the level of disruption that they experienced. Part of it is that we are still trying to figure out how things will happen, what the impacts will be and what that will look like in the long term.
There is also a long tail of companies that are not investing, or not investing enough. Hopefully, this legislation will help with that, but more importantly, you want to see regulators engaging on the issue, talking to the entities they cover and going on a journey with them to understand what the risks are and where they need to get to. If you are talking about critical providers and essential services, it is really hard for an organisation—in its own mind or in being answerable to its board or investors—to justify spend on cyber-security. If you are a hospital saying that you are putting money towards security programmes rather than beds or diagnostics, that is an incredibly difficult conversation to have. One of the good things about CSRB, hopefully, is that it will legitimise choices and conversations in which people say, “Investing time and resources into cyber-security is investing time and resources into providing a critical, essential service, and it is okay to make those pay-off choices—they have to be made.”
Part of it is that when you are running an organisation, it is so hard to think about all the different elements. The problem with cyber-security—we need to be clear about this—is that with a lot of things that we ask organisations to do, you say, “You have to make this investment to get to this point,” and then you move on. So they might take a loan, the Government might help them in some way, or they might deprioritise other spending for a set period so that they can go and invest in something, get up to date on something or build out something; then they are done, and they can move back to a normal operating state.
Security is not that. It is expensive, complex and multifaceted. We are asking organisations of all sizes in the UK, many of which are not large, to invest in perpetuity. We are asking them to increase investment over time and build maturity. That is not a small ask, so we need to understand that there are very reasonable dynamics at play here that mean that we are not where we need to be. At the same time, we need a lot more urgency and focus. It is really important to get the regulators engaged; get them to prioritise this; have them work with their sectors, bring their sectors along and build that maturity; and legitimise the investment of time and resources for critical infrastructure.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Q
David Cook: The legislation talks about secondary legislation, so it allows for an agile, flexible programme whereby organisations can be brought within scope very quickly if concerns make that necessary. What that leaves us with, though, is that although legislation can be changed quickly, organisations often cannot. Where there is a definition, as we see with NIS2, as to which entities are in scope, organisations can embark on a multi-year programme to get into a compliant position. They can throw money at it, effectively.
What this legislation talks about, through the secondary legislation, is bringing organisations into scope and mandating specific security controls or specific requirements on those organisations in terms of security, but while the law might come in over a weekend, organisational change will not necessarily follow. There is a potential issue there. I can see the benefit and attractiveness of secondary legislation being used to achieve that aim, but having a clearer baseline as to what that sort of scope might look like—it could be ramped up or down, and the volume could be turned up or down, depending on need—would be more helpful. Reducing scope while diverging from NIS2 might be a benefit in terms of the commercial reality, but it might be a misstep in terms of security and the long tail that it takes to get more secure.
The Chair
Thank you. I am going to bring Allison Gardner in, because she has been waiting. You have two minutes, Allison.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Q
Jen Ellis: That is a great question, and a tricky one. We talk a lot about training and security awareness, and unfortunately I think it becomes yet another tick box: you start a job and watch your little sexual harassment training video, then you watch your cyber-security training video, and probably the former sticks with you better than the latter. I think we have to change that. We have to change that dynamic.
I go back to my last answer, which was that I think one of the strengths of the Bill is that, hopefully, it will enable the regulators to engage much more on this topic and therefore to engage their covered entities much more. That is what we need to see. We need to see the leadership in organisations engage with the topic of cyber-security, not as a chore, as a tick-box exercise or as that headline they read about JLR, but actually as something that matters to their organisation—as something they are going to engage with at a board and executive team level, all the way down through the organisation. Cultural change comes from the top, typically, and we need to see that level of change.
I do not think that there is anything specific in the legislation, as it is currently written, that says, “And this,” in flashing lights, “is going to change the human factors piece.” I think that the devil will be in the detail of the secondary legislation, and then in what the regulators specifically ask for. But there does need to be a general shift in the culture, whereby as sectors generally we start to talk more about this as a requirement. The financial services sector has talked about security for a long time—it has been a reality for it—but I am not sure how true that is, at breadth, in something like the water industry.
I hope that that will change. I hope that we will start to see having those conversations at the top levels, and then all the way down, becoming more of a cultural norm. Unfortunately, you cannot create culture change quickly. When it comes to talking about human factors, it is about people becoming much more aware of it and thinking more about it. That will take time—
The Chair
Order. Thank you very much, but I have to cut you off there.
Jen Ellis: Sorry for taking too long.
The Chair
No, you have been brilliant.
That brings us to the end of the time allotted for the Committee to ask questions. On behalf of the Committee, may I thank you both for sparing time from your busy schedules to give evidence this morning?
Examination of Witnesses
Jill Broom, Stuart McKean and Dr Sanjana Mehta gave evidence.
The Chair
Good morning, everyone, and welcome. We will now hear oral evidence from Jill Broom, head of cyber-resilience at techUK, from Stuart McKean, chairman of Nine23, and from Dr Sanjana Mehta, senior director for advocacy at ISC2. We must stick to the timings in the programme motion that the Committee has agreed for this session; we have until 10.40 am. Will the witnesses please briefly introduce themselves for the record?
Dr Sanjana Mehta: Good morning. My name is Sanjana; I work as senior director, advocacy, at ISC2.
Jill Broom: Good morning. My name is Jill Broom; I am head of cyber-resilience at techUK, the trade association for the technology industry in the UK.
Stuart McKean: Good morning. I am Stuart McKean; I am the founder and chairman of Nine23. We are a small MSP, based in the UK.
Q
My second question is a bit more technical. Do you consider that the definition in the Bill of a managed service provider is sufficiently clear and certain for businesses to understand whether they are in scope or out of scope of the Bill?
Dr Sanjana Mehta: I appear before the Committee today on behalf of ISC2, which is the world’s largest not-for-profit membership association for cyber-security professionals. We have 265,000 members around the world and 10,000-plus members in the UK.
On your question about sectoral scope, our central message is that we welcome the introduction of the Bill and we believe that it will go a long way towards improving the cyber-resilience of UK plc. Yes, there are certain sectors that are outside the scope of the Bill, and we believe that there are a number of non-legislative measures that could be used to enhance the cyber-security of other industries and parts of the sector. In particular, the forthcoming national cyber action plan should be used as a delivery vehicle for improving the resilience of UK plc as a whole.
On the previous panel, I think Jen mentioned that there are voluntary codes of practice. As an organisation, we have piloted the code of practice for cyber governance, and we have signed up to the ambassadors scheme for the code of practice for secure software development. We think that the upcoming national cyber action plan can further encourage the uptake of such schemes and frameworks. Most importantly, we call upon Government to focus on skills development as a non-legislative measure, because ultimately that will be the key enabler of success, whether it is for organisations that are within or outside the scope of the Bill.
The Chair
The witnesses need not feel obliged to answer every question; if colleagues could direct their questions to individual witnesses, we will get through quicker.
Stuart McKean: I think that the MSP definition is quite broad at the moment, so adding some clarity to it will help. At the moment, the key definition of an MSP is based on size, and whether you are a small, medium, large or even microenterprise. The reality is that only 11%, I think, of MSPs are the large and medium-sized enterprises that are going to fall in scope of the Bill as a managed service provider. Although the definition might be quite broad, the clarity on the size of MSP is actually quite particular, and you will lose a lot of MSPs that will not be in scope.
Jill Broom: Although some of our members are content with the definition of managed service provider, others feel that, as Stuart said, it is too broad. It continues to cause a little bit of confusion, since it is likely to encompass virtually any IT service. Probably some further work needs to be done and further consultation. There will be some further detail in the secondary legislation around that definition. I wanted to highlight that a lot of detail is coming in secondary legislation, which can make it quite difficult to scrutinise the primary legislation. A broad call-out for ensuring mandatory and meaningful consultation on that secondary legislation and associated guidance would be really welcome.
We are already working with the Bill team to put some of the pre-consultation engagement sessions in place, but we would call for the consultation to be brought forward to help us to understand some of the detail. The consultation period on the secondary legislation is currently estimated to happen towards the end of the summer, but we would like that to be brought forward, where possible. That consultation is going to cover a lot of detail, so it needs to be a substantial amount of time to allow us to comment. We are keen to be involved in that process as much as possible.
Kanishka Narayan
Q
Stuart McKean: You are going to hear the word “complex” a lot in this session. It is hugely complex. I would almost say that everyone likes to dabble. Everyone has little bits of expertise. Certain companies might be cloud-focused, or focused on toolsets; there are a whole range of skillsets. Of course, the larger organisations have multiple teams, multiple scopes and much more credibility in operating in different areas. As that flows down the supply chain, in many cases it becomes more difficult to really unpick the supply chain.
For example, if I am a managed service provider delivering a cloud service from a US hyperscaler, who is responsible? Am I, as the managed service provider, ultimately on the hook, even though I might be using a US-based hyperscaler? That is not just to pick on the hyperscalers, by the way—it could be a US software-based system or a set of tools that I am using. There are a whole range of parts that need to become clearer, because otherwise the managed service community will be saying, “Well, is that my responsibility? Do I have to deliver that?”.
You are then into the legislation side with procurement, because procurement will flow down. Although I might not be in scope directly as a small business, the reality is that the primes and Government Departments that are funding work will flow those requirements down on to the smaller MSPs. Although we might not be in scope directly, when it comes to implementing and meeting the legislation, we will have to follow those rules.
Dr Gardner
Q
Jill Broom: With the board, historically, cyber has not been viewed as a business risk, but as a technical problem to be addressed by the technical teams, instead of being a valuable, fundamental enabler of your business and a commercial advantage as well, because you are secure and resilient. That has been a problem, historically. It is about changing that culture and thinking about how we get the boards to think about this.
I think a fair amount of work is happening; I know the Government have written to the FTSE 350 companies to ask them to put the cyber governance code of practice into play. That is just to make cyber a board-level responsibility, and also to take account of things such as what they need to do in their supply chain.
Dr Gardner
Q
Jill Broom: Some of our members have pointed out that the number of organisations under cyber-regulations is very small, and it is only going to increase a small amount with the advent of this particular Bill. Similarly, in the different jurisdictions there are duties at the board level. There is an argument for it. The key thing is that we need to be mindful of it being risk-based, and also that there are organisations that could be disproportionately affected by this. I think it needs a little more testing, particularly with our members, as to whether a statutory requirement is needed.
Bradley Thomas
Q
Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.
While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.
We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.
Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.
In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.
I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.
Freddie van Mierlo
Q
Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?
Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.
Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.
There are a number of key reasons for that. First, public administration needs to be a role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.
Lincoln Jopp (Spelthorne) (Con)
Q
Stuart McKean: I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—
Alison Griffiths
I am so sorry. Could you possibly speak into the microphone? I cannot hear you.
Stuart McKean: Sorry. I was saying that the cyber-criminal does not care about lines, geographies or standards. They do not care whether you have an international standard or you follow the legislation of a certain country. They will attack where they see the weak link.
Lincoln Jopp
Q
Stuart McKean: It is probably across all three, to be quite honest with you. It is very dependent on what they want to achieve, whether it be an economic attack or a targeted attack on a corporate entity. I do not think it has those boundaries—I genuinely think it is across the whole industry and the whole globe. The reality is that cyber-attacks everybody. We are being attacked every day. I do not see it as an international boundary, or a UK thing or a US thing. It is generally across the globe.
Lincoln Jopp
Do either of the other witnesses have anything to say on that?
Jill Broom indicated dissent.
Dr Sanjana Mehta indicated dissent.
Andrew Cooper (Mid Cheshire) (Lab)
Q
Jill Broom: I think, again, there is something to be said about the devil being in the detail. A lot is coming with the secondary legislation, so we will learn more about the specifics on incident reporting and penalties that will come into play. There needs to be a balance between those in terms of the risk and the impact. In the Bill itself, there probably need to be some greater safeguards or references to frameworks about how those types of decisions will be made.
Andrew Cooper
Q
Stuart McKean: It is an interesting cultural challenge. You want people to be open and to report incidents that are having an impact, but at the same time, if they report those incidents they might get fined, which could be economically challenging, particularly for a small business. Yes, we want to be open and to report incidents, but—and this is where the detail comes in—what is the level of detail that needs to be reported and what is the impact of reporting it? When you report it to the regulators, what are they going to do with it? How will they share it and how will it benefit everybody else? The devil is definitely in the detail, and it is a cultural change that is required.
Sarah Russell (Congleton) (Lab)
Q
Jill Broom: We can assume that it will, because if you are in the supply chain or come within scope, you will have certain responsibilities and you will have to invest, not just in technology but in the skills space as well. How easy it is to do that is probably overestimated a bit; it is quite difficult to find the right skilled people, and that applies across regulators as well as business.
Generally speaking, yes, I think it will be costly, but there are things that could probably help smaller organisations: techUK has called for things such as financial incentives, or potentially tax credits, to help SMEs. That could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first.
Dr Sanjana Mehta: If I may expand on that, we have been consulting our members and the wider community, and 58% of our respondents in the UK say that they still have critical and significant skills needs in their organisations. Nearly half of the respondents—47%—say that skills shortages are going to be one of the greatest hurdles in regulatory compliance. That is corroborated by evidence, even in the impact assessment that has been done on the previous regulatory regime, where I think nearly half of the operators of essential services said that they do not have access to skills in-house to support the regulatory requirements. Continuing to have sustained investment in skills development is definitely going to require funding. Taking it a step back, we need first of all to understand what sort of skills and expertise we have to develop to ensure that implementation of the Bill is successful.
Alison Griffiths
Q
Stuart McKean: I am not an expert on the detail, but I would say that there is currently very little detail in the Bill regarding IT and OT.
Alison Griffiths
Q
Stuart McKean: The devil is always in the detail, so any more clarity that can be put in the Bill is always going to be a good thing.
Alison Griffiths
Does anyone have anything else?
Jill Broom: I think that I will need to come back to you in writing on the specifics of operational technology.
The Chair
Feel free to write in, secondary to this session, if you feel that you want to expand on any answers.
Dave Robertson (Lichfield) (Lab)
Q
It is very easy to write a piece of legislation, but if we do not have the professionals needed to deliver the level of compliance at the thresholds we are setting in this place, that raises other potential issues. Do you have a view about whether the 11% you mentioned is in the right ballpark for the number of professionals we have, or whether it needs to move either way?
Stuart McKean: I am referring to the Government’s report on MSPs that was done a couple of years ago. There are some 12,500 MSPs in the UK. Of those that are in scope of the Bill, 11% are medium-sized and large, but they account for something like 85% of the revenue that MSPs generate in the UK. Proportionally, the larger and medium-sized organisations will have the skillsets needed to deliver the requirements set out in the Bill. As it comes down the supply chain, most managed service providers are suitably qualified to deliver, but they will not be in scope of the Bill. Certainly the critical national infrastructure will not be in that sort of space. We have a good industry, and I think most of the MSPs are in that space, but I would highlight that MSPs are generally IT companies, and cyber-security is not an IT problem. It is much bigger than IT.
Although MSPs can be at one end, this goes back to a question that was asked before about why companies do not just do this anyway, and so be more secure. The reality is that they do not generally understand it; they do not understand the risk and they do not have the qualified people, and it goes on in a sort of vicious circle. A lot of those companies will just go, “Yeah, I’ve got an MSP. They deal with that.” It is an interesting challenge, but, to your question directly, I think medium-sized and large MSPs will not have an issue.
Dr Sanjana Mehta: If I may weigh in on this, I just want to take a step back and comment on the state of the profession in the UK. I appreciate that we are having this discussion specifically in relation to the regulated entities, but there is a broader picture. Parts of the industry are not in scope, but they need to have the right skills as well. We are starting off on a good foundation. The work done by industry, academia and professional associations over the past few years has helped to grow the profession steadily. The report by the Department for Science, Innovation and Technology mentions that the number of cyber-security professionals directly employed in the sector has increased by 11% over the past year.
That said, there is more to be done. I urge the Government to think about the skills piece, not only in relation to the Bill but as a wider challenge. We are very proud of our 10,000-plus members in the UK, who work very hard day and night to secure their organisations despite all the challenges and pressures, but the Bill does give Government a pivotal opportunity to elevate the status of the profession and to professionalise the sector.
Andrew Cooper
Q
Stuart McKean: It is about understanding what your service is delivering. Again, one of the key terms in the Bill is resilience. Needing resilience is a key part of the Bill. Whether you need a service that has international boundaries and you need to fail over to another country will be down to the organisations defining where they want their services to be. If they are happy that they are failed over into the US or another country, that is fine; but the reality is that it will be down to the organisation that has a requirement for a resilient service understanding where its data is. As long as it understands where its data is and what it is asking of the MSP, I am not sure the Bill will cover that as such. It is talking about resilience in general. I do not think it goes into the detail of where your data is.
Bradley Thomas
Q
Stuart McKean: Under the designation of a critical supplier, the Bill says:
“any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom”.
That is a pretty big statement. As a small business owner, how do I know whether what I do is going to have an economic effect on the UK? It will have an economic effect on my business, but whether it has a wider impact is a big statement. I am not sure that it is clear enough.
Bradley Thomas
Q
Stuart McKean: It needs more detail, even if that is about providing some boundaries so that we have something to say, “If it is going to do the following, what is a ‘significant economic impact’?”. I would like to think that none of our services would have a significant economic impact, but they may well affect a person, so I would bring it more on to the citizen and the impact on people. We heard this a number of times in relation to the JLR incident: the impact on the supply chain was huge, it was economically very costly and directly impacted people’s lives. Anything that can provide more clarity in the definition of an impact at that level can only help.
Jill Broom: I agree. More clarity is needed. The Bill should be tighter in terms of defining that sort of systemic risk.
Dr Sanjana Mehta: The Bill as it stands requires competent authorities and regulators to designate an organisation as a critical supplier rather than the regulated entity. Organisations work with complex multi-tier supply chains, and the concern is that competent authorities that are one step further removed from those complex supply chains, and have even less visibility, transparency and control over those supply chains, might find it difficult to determine true criticality and risk within the supply chains. We ask for greater collaboration and co-ordination between the regulated entities and the competent authorities in designating an organisation as a critical supplier.
Q
Jill Broom: There is probably a broader point around legal certainty, which is not given on the face of the Bill. Some of our members have highlighted language that could create some pretty significant legal jeopardy for regulated entities. The Bill needs to go a bit further. It could and should do more to provide some legal certainty, because the cost to companies could be quite significant. To the point on consistency across regulators and things like that, we need more frameworks around how that is going to work. Leaving all the detail to secondary legislation is what makes it slightly difficult to examine what is on the face of the Bill, so making sure that everything is consulted on in a mandatory and meaningful way will be important.
The Chair
I am looking around the table, and it seems to me that everybody is satisfied. Thank you very much indeed, Sanjana, Jill and Stuart, for giving your time so freely this morning—I know you are very busy people.
Examination of Witnesses
Matt Houlihan, Ben Lyons, Chris Anley and Dr Ian Levy gave evidence.
The Chair
Q
Dr Ian Levy: Good morning. I am Ian Levy, and I am a vice-president and distinguished engineer at Amazon. That job allows me to look across everything that Amazon does, including Amazon Web Services, the bookshop, our new satellite system and everything in between. Prior to that, I spent 23 years in GCHQ, and I was the founding technical director and designer of the National Cyber Security Centre.
Chris Anley: I am Chris Anley, chief scientist at NCC Group. We are a multinational cyber-security company, listed on the London Stock Exchange and headquartered in Manchester.
Matt Houlihan: Hi everyone. I am Matt Houlihan, and I am the vice-president for government affairs in Europe for Cisco, which is a technology company specialising in networking, security and collaboration technologies.
Ben Lyons: Good morning. I am Ben Lyons, and I am senior director for policy and public affairs at Darktrace. We are a company that uses AI for cyber-security, headquartered up in Cambridge.
Q
Starting with Ben from Darktrace, how are developing and emerging technologies such as AI and post-quantum crypto changing the nature of cyber-security threats? Do you think the Bill responds adequately to that changing threat landscape?
Moving on to Matt from Cisco, what further guidance and consultation from the Government and the Information Commissioner is needed for MSPs to comply effectively with their obligations under the Bill?
Chris from NCC Group, the National Audit Office report last year highlighted lots of serious deficiencies in Government cyber-resilience. Do you think the cyber action plan goes far enough? How can Government Departments be overseen and held to account in a way that will deliver meaningful improvements in cyber-resilience?
Finally, Ian from Amazon, a core feature of your business model is extensive exposure to supply chain partners. Do you think that the designation of critical suppliers by regulators under the Bill is the correct approach? What further consultation is needed to make sure that that is proportionate, prioritises the most critical suppliers and, crucially, gives a degree of certainty, whether legal or financial?
Ben Lyons: AI is significantly changing cyber-security. You can think about it at three levels: first, the way in which attackers are using AI to mount cyber-attacks; secondly, the need to secure AI systems and AI within companies and organisations; and thirdly, the question of how AI is changing cyber-security on the defensive side.
In brief, we see significant use of AI by attackers. Today, we are releasing the results of a survey in which 73% of surveyed security professionals say that AI-powered threats are having a significant impact on their organisation. These are things like phishing, reconnaissance, and lowering the barriers to being able to launch attacks and review more targets more effectively. Last month, the chief executive officer of Anthropic, which is one of the main frontier AI labs, warned that he sees AI-led cyber-attacks as potentially being the main way in which cyber-attacks are conducted in the future.
At the level of the enterprise, you have a challenge of how you secure the enterprise, in terms of not only developing and deploying AI, but visibility of AI used in an organisation. We are certainly seeing AI transform how cyber-security vendors and organisations manage the threat: they have greater visibility, can detect threats more quickly and the like. On how the Bill responds to that, one positive in its approach is that it is setting out an agile, outcomes-based approach that means that the regulatory regime can be capable of evolving as the threat evolves. It is sensible not to talk about AI in depth on the face of the Bill, but through mechanisms such as the code of practice, it will be possible for expectations to evolve over time as the threat and the technology mature.
The Chair
I should say to the witnesses: do not feel obliged to answer each question if you do not feel that you have anything material to add.
Matt Houlihan: It is very tempting to answer the question on AI, but thank you for the question on managed service providers. It is right that managed service providers are looked at in this Bill. An increasing amount of the work of managing IT services is clearly now outsourced to managed service providers. There needs to be some scrutiny and some baseline of cyber-security with those. I would say a couple of things on what guidance is needed. We broadly support the definition in the Bill. I appreciate the comments in the previous session that suggested that the definition was a little too broad and could be refined, which I think is fair, but when you compare the definition in the CSRB with the definition of managed service providers used in the NIS2 legislation, a couple of bits of clarity are provided in the CSRB. First, the managed service provider needs to provide an
“ongoing management of information technology systems”.
We feel that word “ongoing” is quite important. Secondly, it has to involve
“connecting to or…obtaining access to network and information systems relied on by the customer”.
We feel that
“connecting to or…obtaining access to”
the network is an important part of the definition that should be put forward. One area where more tightness can be provided is where, in the Bill, there is a non-exhaustive list of activities that an MSP could be involved in, such as
“support and maintenance, monitoring, active administration”.
The Bill then says, “or other activities”, which adds quite a bit of uncertainty on what is and is not an MSP.
The other area I would like to highlight and link to Ben’s answer on AI is that the “active administration” activity raises a question about the extent to which AI-enabled managed services would come under that definition. I am sure that lots of managed service providers will use AI more and more in the services that they provide to their end customers; to what extent does “active administration” involve an AI-related service?
To end on that specific question, the Information Commissioner’s Office will, I believe, issue guidance for managed service providers once the Bill is passed. That guidance will be the critical thing to get right, so there should be consultation on it, as my colleague from techUK suggested earlier. I would also suggest that that guidance cannot be a simple check-box list of things that have to be done. We should shift our thinking to have more of an ongoing appreciation of what cyber-security involves in practice for MSPs or other regulated entities under the Bill. Making sure there is an ongoing process and that there is effective enforcement will be important.
Chris Anley: On the NAO report, the cyber action plan and public sector cyber-security, you are absolutely right to point out that the NAO report identifies serious issues. The Government recently acknowledged that they are likely to miss their 2030 cyber-resilience targets. It is also important to point out that the cyber action plan lays out an approach with many very positive elements such as an additional £210 million in central funding. There are many benefits to that, including a centralised provision of services at scale, a concentration of expertise and a reduction of costs.
Then there are other broader initiatives in the cyber action plan. The UK software security code of practice, which has been mentioned several times in these sessions, is a voluntary code that organisations can use as a tool to secure their supply chain. Cisco and NCC Group are ambassadors for that scheme and voluntarily comply with it, and it improves our own resilience.
Whether the cyber action plan goes far enough is a very difficult question. The NAO report also points out the extreme complexity of the situation. Within the budgetary constraints, I think it is fair to say that the steps in the plan seem reasonable, but there is a broader budgetary conversation to be had in this area. Two of the most significant issues identified in the report are the skills shortage, which has come up in these sessions—almost a third of cyber-security posts in Government are presently unfilled, which is dangerous—and the fact that Departments rely on vulnerable, outdated legacy IT systems, which may be the cause of an incident in their own right and would certainly make an incident much more severe were one to occur. The problem is that those are both largely budgetary issues. Successive Governments have obviously focused on delivering taxpayer value, as they should—we are all taxpayers—but over a period of a decade or more, that has led to a position where Departments find it difficult to replace legacy IT systems and fill these high-skill, high-cost cyber-security positions. There is very much a broader discussion to be had, as has been raised in these sessions, about where we should be in terms of the budget. You are absolutely right to raise the public sector issues. Although the Bill focuses on the private sector, the public sector obviously must lead by example.
Dr Ian Levy: We think the current definitions of critical suppliers are probably overly broad and risk bringing in SMEs, when you really do not want to do that. That said, we need to think about the transitive nature of supply chains. With previous regulations that talk about cyber-security, we have seen a flow-down of requirements through contracting chains. There is a question about how far it is reasonable to go down those contracting chains. In my experience, the value of the contract and the potential impact are not necessarily correlated. We certainly saw that when we were giving evidence for the Telecommunications (Security) Act 2021.
There is a real question about how you define what supply chain you mean. You mentioned that AWS has a complex supply chain. We certainly do—it is astoundingly complex—but the important thing is that we control the really important parts of that. For example, we build our own central processing units, graphics processing units, servers, data centres and so on. The question then becomes: how does that translate out to customers? If a customer is using a partner’s service running on AWS, where does the liability accrue? I do not think that is adequately covered in the Bill.
In terms of certainty and foreseeability, the Bill as it stands admits a single entity being regulated multiple times in multiple different ways. We are subject today to at least four different sets of regulations and regulators. Some of them conflict, and some of them are ambiguous. As this expands out, a single reporting regime—a lead regulator model—would take some of that ambiguity away so that you have more foreseeability and certainty about what you are trying to do.
There are things in the current drafting of the Bill that we think need some consultation. There are things in primary legislation, such as the Secretary of State’s powers, that seem to be unbounded—that is probably the best way to describe it—and that seems dangerous. We understand the necessity for powers around national security, but we think there need to be some sort of safeguards and consultation about how they are used in practice. For any multinational company, something that is effected in the UK is likely to affect all our customers, so some real constraint is needed around that.
Kanishka Narayan
Q
Chris Anley: By our calculation, as you say, the number of organisations that fall under the scope of the Bill in terms of the Government’s impact assessment is 0.1% of the private sector, which is one one-hundredth of the tip of the iceberg. We are going to have to adopt a whole-of-economy approach if we are going to secure the UK—we have already talked about the public sector issues.
On the Bill itself, we have three main comments. First, the secondary legislation forms the bulk of the technical measures, so we are calling for early consultation on that. Secondly, the Bill imposes additional reporting obligations, adding to an already complicated situation for reporting cyber-incidents in the UK. The reporting obligations trigger at a time of great complexity for an organisation, so we are calling for a single point of contact for reporting all cyber-security incidents in the UK and a single timeline. That may sound like a big ask—an impossible dream. Australia has already done it, and the EU is in the process of doing it in its digital omnibus streamlining package.
Finally, in terms of cyber professionals, the passage of a cyber-security Bill through Parliament is a golden opportunity to address the serious problems with the Computer Misuse Act 1990. Cyber professionals who are defending the UK cannot currently do so without risking criminal prosecution. We cannot carry out basic identification and verification actions without potentially committing the offence of unauthorised access to computer material, because a ransomware gang, for example, is unlikely to give us authorisation to identify the command and control system they are using to attack the UK.
We support the CyberUp campaign, which is proposing an amendment to the Computer Misuse Act to provide a statutory defence, resting on four strong safeguarding principles. We believe that that would help to protect our defenders while maintaining the integrity of the law. Based on the campaign’s research into the size of the cyber-security industry in the UK, the amendment would not only help to prevent incidents and mitigate incidents in progress, but add 9,500 highly skilled jobs and over £2.5 billion in revenue to the UK economy. Other nations are already benefiting from this type of safeguard, including our oldest ally, Portugal, which has implemented them in its recent amendments to NIS2, which is the exact legislative equivalent of the process we are in today. In summary, please help us to defend the UK by protecting our defenders.
Dr Ian Levy: To follow up on what Chris says, we strongly agree on early consultation on the technical detail of the secondary legislation. Somebody said in the previous session that, in security, the devil is always in the detail. Well-meaning text can be massively misinterpreted. We need to be very careful about that, so wide, early consultation is key.
On incident reporting, I will make two points. Chris made the point that when you are being asked to report, you are at your most desperate, because you have just found out that you have been attacked and you do not know what is going to happen. A lot of legislation accidentally ignores the victim. When we set up the NCSC, one of the primary things was that we were there to support the victims. I urge you not to lose sight of that. Absolutely, go after and find the culprits later, but in the moment, the victims are absolutely key to this.
The second part of that, about a single reporting timeline and a single reporting route, is that it is not just good for the victims but the only way that we generate strategic intelligence. That is one of the things that is missing in the UK—and has been for decades. We have five, six or seven different reporting portals that all characterise things differently and take different types of information, and bringing them together to have a single picture about the actual threat to the UK is incredibly difficult. A single reporting forum could fix that.
Ben Lyons: I might distinguish between what organisations need to do and whether organisations are in scope. In terms of what they need to do, the outcomes-based approach is sensible. If you think about when the Johnson Government were consulting on the measures that would go on to form this Bill, that was a time when ChatGPT had not been invented and the geopolitical environment was very different. The world is moving fast, and I think that the cyber assessment framework is a good starting place for what a code of practice could look like, because it is already understood by industry and is outcomes-driven.
I agree with the previous comments about incident reporting. I think that there is a lot of merit in the suggestion around a shared portal so that it is easier to report incidents in that moment of dealing with a cyber-attack. Within the regime as envisaged, probably the most important bit with reference to reporting is about improving that early clarity and visibility for the NCSC so that they can help. That is probably where I would place the emphasis, more than on regulators having that information within 24 hours. In that context, an approach that recognises best efforts in that first 24 hours but is focused on tackling the problem will be important for dealing with the issue.
On the supply chain, I would say—and we have heard about this before—that there could be more clarity there in terms of who would be in scope for designated suppliers. Thinking a bit around both systemic dependency and the potential for wider disruption would be important factors to give it more clarity.
Matt Houlihan: To round off the responses, on the question about finding the balance between specificity and agility, the Bill does a reasonable job at that. We can totally see the need to keep some of the doors open, because not only is the nature of the threat changing rapidly but the nature of technology—and of our capabilities to defend—is changing as well. We have already talked about AI, and we have lots of quantum research taking place as well that will have a big bearing on cyber-security.
It is right that the Bill has some agility in it, but it is clear from the responses today that there is a need to tighten it up in certain places. We talked about incident reporting, and having a simpler, more co-ordinated system for regulated entities to work with so that that reporting process is easier. The definition of “incident” itself needs to be looked at, we believe. The idea of an instance not only having, but being capable of having, an adverse effect on information systems opens the door very widely to lots of potential incidents that may need to be reported on. Having a tighter definition there would be very useful.
To touch on the point about Secretary of State powers, we feel that the door is a little bit too wide. If you look at legislation such as Australia’s cyber-security legislation from 2018, the Security of Critical Infrastructure Act, that also has some good Secretary of State powers, but there are lots of guardrails contained in it that make it clear that it is a power of last resort, where the entity is unwilling or unable to carry out the remedial action itself. There are also other guardrails contained in that legislation. We urge the Committee and the Government to look at that Act and take inspiration from it to think about where those guardrails could be worked into the UK law.
The Chair
Four colleagues wish to ask questions, and they have only 20 minutes in which to ask them, so I appeal for brevity, both in the questions and, if you do not mind, in the answers.
Bradley Thomas
Q
Dr Ian Levy: I will start with that one.
The Chair
Please, Gentlemen, do not feel obliged to answer each question.
Dr Ian Levy: On the diverse networks and where they are hosted, it is important to be clear that resilience changes as scale changes. When it comes to the statistical model used to talk about resilience for a national system, if you have, say, three physical data centres in the UK connected by a redundant ring, that has a well-understood statistical model, but as you get bigger and bigger and more diverse, the statistics change, so the way you analyse resilience changes. That is not specific to Amazon Web Services; it applies to any large-scale system.
The way that we talk about resilience needs to be thought through carefully. I would urge you to consider outcomes and talk about availability and resilience to particular events. If somebody drives a JCB into a data centre, in a national-scale resilience model that can have a big impact, but in a hyperscale it will not.
We need to be clear about what the regulation is trying to do. If you look at us as a data centre operator, it is very different from someone who is providing co-location services. We provide our data centres for the sole purposes of providing our services, which have a very particular resilience model that is very different from somebody sticking their own racks in a third-party data centre. Some of the terms need to be better defined.
In terms of balancing growth, regulation, oversight and so on, there is a fallacy about putting specific technologies into legislation, except in very specific circumstances. We talked about post-quantum cryptography and AI. They will affect resilience, but probably not in the way we think they will today, so I would caution about putting specific technology definitions on the face of the Bill.
Matt Houlihan: On the cross-border question, very quickly, there are clearly a lot of jurisdictions looking at legislation in this space. There is absolutely an opportunity in the UK to look at things, such as mutual recognition agreements, that would simplify the international regulatory landscape, but there is also the opportunity for the UK to lead in this space as a very well-respected and cyber-capable country.
Touching on getting the balance right on growth and security, we have seen some useful moves recently from the UK Government and previous Governments on looking at codes of practice, which are voluntary in nature but help engage companies, as the recent software security code of practice did with mine and Chris’s. Techniques like that offer a nice balance and engage companies, but get that message around growth absolutely right.
Dr Gardner
Q
My second question is for Ben. In combining AI and cyber, you are combining technologies that come with their own unique risks with cyber-security. I am interested in how you mitigate against that. I am intrigued because, when you talk about AI, I assume you are not talking about straightforward machine learning.
Chris Anley: In terms of what other things we could do, we have talked about voluntary codes. The value of voluntary codes was questioned in an earlier session, but the World Health Organisation best practice guide on handwashing, which is entirely voluntary, saved millions of lives in the recent pandemic. It is important to bear in mind that codes that help you to protect yourself are definitely valuable.
Other actions that are already taking place that we may want to extend on the basis of solid evidence and data are the cyber essentials scheme, for example, and the various codes of practice. The cyber governance code of practice for boards was mentioned earlier, along with the Government outreach and attempting to get boards to recognise that cyber risk is a business risk and an existential threat. We talked about the cyber assessment framework and how that is likely to be the scope within which this Bill is implemented. So, we do not necessarily need to do something new. The scope of the Bill, as we said, is 0.1% of the UK private sector. There is scope to expand the existing things that we are doing, especially cyber essentials, for example, raising the bar for small and medium-sized enterprises across the economy. There is a lot that we are already doing that we could do, that we already have the scope to expand, but obviously that must be done prudently and on the basis of solid evidence.
Dr Gardner
Q
Ben Lyons: That is something we think very deeply about. We see AI as helping to mitigate some of the risks from cyber-security by making it possible to detect attacks more quickly, understand what might be causing them, and to respond at pace. We are an AI native company and we have thought deeply about how to ensure that the technology is both secure and responsible. We are privacy-preserving by design. We take our AI to the organisation’s environment to build an understanding of what normality looks like for them, rather than vast data lakes of customer data. We take a lot of effort to ensure that the information surfaced by AI is interpretable to human beings, so that it is uplifting human professionals and enabling them to do more with the time they have. We are accredited to a range of standards, like ISO 27001 and ISO 42001, which is a standard for AI management. We have released a white paper on how we approach responsible AI in cyber-security, which I would be happy to share with you and give a bit more detail.
Chris Vince
Q
Matt Houlihan: I am very happy to. Two main comparators come to mind. One is the EU, and we have talked quite a bit about NIS2 and the progress that has made. NIS2 does take a slightly different approach to that of the UK Government, in that it outlines, I think, 18 different sectors, up from seven under NIS1. There is that wide scope in terms of NIS2.
Although NIS2 is an effective piece of legislation, the implementation of it remains patchy over the EU. Something like 19 of the 27 EU member states have implemented it to date in their national laws. There is clearly a bit of work still to do there. There is also some variation in how NIS2 is being implemented, which we feel as an international company operating right across the European Union. As has been touched on briefly, there is now a move, through what are called omnibus proposals, to simplify the reporting requirements and other elements of cyber-security and privacy laws across the EU, which is a welcome step.
I mentioned in a previous answer the work that Australia has been doing, and the Security of Critical Infrastructure Act 2018—SOCI—was genuinely a good standard and has set a good bar for expectations around the world. The Act has rigorous reporting requirements and caveats and guardrails for Government step-in powers. It also covers things like ransomware, which we know the UK Home Office is looking at, and Internet of Things security, which the UK Government recently looked at. Those are probably the two comparators. We hope that the CSRB will take the UK a big step towards that, but as a lot of my colleagues have said, there is a lot of work to do in terms of seeing the guidance and ensuring that it is implemented effectively.
Chris Anley: On the point about where we are perhaps falling behind, with streamlining of reporting we have already mentioned Australia and the EU, which is in progress. On protection of their defenders, other territories are already benefiting from those protections—the EU, the US, and I mentioned Portugal especially. As a third and final point, Australia is an interesting one, as it is providing a cyber-safety net to small and medium-sized enterprises, which provides cyber expertise from the Government to enable smaller entities to get up to code and achieve resilience where those entities lack the personnel and funding.
Emily Darlington
Q
Dr Ian Levy: The previous set of witnesses talked about board responsibility around cyber-security. In my experience, whether a board is engaged or not is a proxy indicator for whether they are looking at risk management properly, and you cannot change corporate culture through regulation—not quickly. There is something to be done around incentives to ensure that companies are really looking at their responsibilities across cyber-security. As the previous panellists have said, this is not just a technical thing.
One of the things that is difficult to reconcile in my head—and always has been—is trying to levy national security requirements on companies that are not set up to do that. In this case I am not talking about Amazon Web Services, because AWS invests hugely in security. We have a default design principle around ensuring that the services are secure and private by design. But something to consider for the Bill is not accidentally putting national security requirements on those entities that cannot possibly meet them.
When I was in government, in the past we accidentally required tiny entities, which could not possibly do so, to defend themselves against the Russians in cyber-space. If you translate that to any other domain—for example, saying that a 10-person company should defend itself against Russian missiles—it is insane, yet we do it in cyber-space. Part of the flow-down requirements that we see for contracting, when there is a Bill like this one, ends up putting those national security requirements on inappropriate entities. I really think we need to be careful how we manage that.
Matt Houlihan: Can I make two very quick points?
The Chair
Very briefly—yes.
Matt Houlihan: My first point is on the scale of the challenge. From Cisco’s own research, we released a cyber-security readiness index, which was a survey of 8,000 companies around the world, including in the UK, where we graded companies by their cyber maturity. In the UK, 8% of companies—these are large companies—were in the mature bracket, which shows the scale of the challenge.
The other point I want to make relates to its being a cyber-security and resilience Bill, and the “resilience” bit is really important. We need to focus on what that means in practice. There are a lot of cyber measures that we need to put in place, but resilience is about the robustness of the technology being used, as well as the cyber-security measures, the people and everything else that goes with it. Looking at legacy technology, for example—obsolete technology, which is more at risk—should also be part of the standards and, perhaps, the regulatory guidance that is coming through. I know that the public sector is not part of the Bill, but I mention the following to highlight the challenge: over a year ago, DSIT published a report that showed, I think, that 28% of Government systems were in the legacy, unsupported, obsolete bracket. That highlights the nature of the challenge in this space.
Alison Griffiths
Q
Chris Anley: On the OT versus IT question, we have mentioned specificity versus flexibility. The benefit of the UK sectoral regulator model is that regulators that are in areas where OT is predominant can set specific measures that can reinforce those environments, whereas if you try a one-size-fits-all approach, you run the risk of certain critical OT-based systems becoming subject to successful attacks.
Ben Lyons: The broad approach that the UK is taking is sensible, in that the existing guidance has a range of principles around OT, as well as IT, security. Manufacturing is not in the scope of the Bill, which is probably appropriate, but it is worth looking at what could be done to improve the security of the manufacturing sector, more broadly, probably through non-legislative means. In light of recent attacks, it is important to ensure that guidance and incentives are in place to support that sector.
Freddie van Mierlo
Q
Dr Ian Levy: In October 2025, we had an incident that had quite a widespread impact. We have engaged with regulators around the world, including multiple regulators in the UK, to explain what happened. We published, quite transparently, what had happened during the incident and afterwards. Explaining how the part of the organisation that had built that particular system works is very time-consuming. It is also almost certainly out of date by the time we have finished. In that particular case, it was something called a “race condition”, which is a well-understood computer-science hard problem. No amount of regulation or legislation would have made a difference, because it was a race condition, and they are incredibly hard to find in software.
I think that regulating outcomes is the right answer, and making sure that we are doing due diligence, and that our view of appropriate risk management is broadly the same as yours, without making us a national security entity. That is the challenge. How we run our business is not really relevant; it is the outcomes that matter.
Matt Houlihan: It is increasingly important that businesses, parliamentarians and Government officials work together on these issues. As we said earlier, the pace of change in terms of the technology, and indeed the business environment—at both the UK and global levels—is moving very quickly. Having that exchange of information will be important.
It is important—from an international business point of view—that regulation is as aligned as is practicable with the other jurisdictions that a lot of the companies here will be working in. That will not only benefit companies that are headquartered elsewhere and operate in the UK; it will benefit UK-headquartered companies that are looking to expand abroad. It must also be proportionate and targeted. I think that at the nub of your question, there is clearly a need, going forward, for strong co-operation and the sharing of expertise and experiences.