Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Alison Griffiths
Main Page: Alison Griffiths (Conservative - Bognor Regis and Littlehampton)Department Debates - View all Alison Griffiths's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)
Alison Griffiths Excerpts(1 day, 9 hours ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Kanishka Narayan
What a pleasure it is to serve with you in the Chair. Clause 9 brings large and medium-sized managed service providers—MSPs—into the scope of the Network and Information Systems Regulations 2018. MSPs are organisations that provide an ongoing IT function, such as an IT help desk or cyber-security support, to an outside client. In doing so, MSPs often have widespread and trusted access to clients’ networks and systems. A single targeted attack can ripple outward, disrupting thousands of other systems. That makes MSPs attractive targets for cyber-attacks. Last year an attack on Collins Aerospace halted check-in and boarding systems at major European airports, causing international disruption. Such attacks highlight what can happen if a single point of failure is compromised, and the importance of managed service providers implementing robust cyber-protections. Despite that, MSPs are not currently regulated for their cyber-security in the UK. As organisations rely more and more on outsourced technology, we must close that gap. The clause provides essential definitions of a “managed service” and of a “relevant managed service provider” to clearly set out which organisations are in scope of the regulations.
Clause 10 imposes new duties on MSPs that have been brought into scope by clause 9. For the first time, such businesses must identify and manage risks posed to the network and information systems that they rely on to provide their managed services. As part of that duty, MSPs must have
“regard to the start of the art”,
meaning that they must consider new tools, technologies, techniques and methods that threat actors may employ. That includes artificial intelligence, and means that providers must deploy the right tools to mitigate the risks and take action to minimise the impact of incidents if they occur. By bringing MSPs into scope of the regulations and imposing such security duties on them, we will strengthen cyber-security and resilience across supply chains, reduce vulnerabilities in outsourced IT services and better protect businesses and services across the UK.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Bringing MSPs into scope is the right direction of travel, and MSPs sit at points of concentrated risk, but they are not all the same and the real risk is not size alone but the level of privileged access and cross-customer dependency. Proportionality will be critical under these provisions if we want better security, not just box-ticking.
Kanishka Narayan
I agree very much with the hon. Member’s point, and a similar sentiment is expressed elsewhere in the Bill, in that it ensures that the focus is primarily on large and medium-sized MSPs, and that small businesses and microbusinesses are dealt with in a deeply proportionate way. That is an important point to take into account.
Clause 11 defines what it means for a digital or managed service provider to be
“subject to public authority oversight”
under the NIS regulations. Public authority oversight is defined as “management or control” by “UK public authorities” or by a board where the majority of members are appointed by those authorities. Such MSPs are already subject to requirements in the Government cyber-security strategy, which is mandatory for Government organisations. That ensures that cyber-resilience standards remain strong for services linked to public functions, while preventing disproportionate burdens on providers already subject to public authority governance.
In response to points raised by hon. Members in prior Committee sittings, I flag the engagement that we have conducted in coming to the definition of MSPs in question. In particular, beyond the provisions of the 2022 consultation, prior to the introduction of the Bill, we conducted a range of bilateral meetings. We have had multiple conversations with the industry body techUK, roundtables with digital firms, and we engaged through the National Cyber Security Centre-led MSP information exchange with 40 providers in this context, and undertook market research mapping the MSP market. As a consequence, adjustments to the definitions at the heart of this provision have been agreed with incredibly deep and broad engagement across the industry to arrive at a widely-welcomed definition.
Alison Griffiths
I think my hon. Friend is about to reference the commercial impacts on MSPs. We have already referenced the fact that they are of many different sizes. One of the concerns the Committee will need to consider is whether new contracts will need to be written. The level of uncertainty being created may render the existing frameworks within which they operate redundant.
Dr Spencer
I thank my hon. Friend for that pertinent intervention. The burden she talks about is not just financial; companies could also find themselves in legal jeopardy should they become subject to overlapping and competing duties without realising when the Bill becomes an Act. More than anything else—perhaps even more than a low taxation regime—businesses want certainty about the regulatory environment they operate in. This is made even more complicated by the fact that many organisations operate in different jurisdictions and have to contend with different, competing regulatory frameworks. My understanding is that the majority try to take an approach in one jurisdiction that will also cover them in the other so that they have an overlap, but those are the big companies. They have more capacity and resource to do that. The problem will be for the companies on the margins that are struggling.
Dr Spencer
The cloud providers tell me that the energy costs are crippling, which is highly problematic, and that is why we need to drive those costs down. They talk about the challenges of getting data centres built and about planning considerations, which are a concern across the country. They talk about the taxation environment and costs on businesses more generally, particularly when they are footloose, and they talk about the regulatory framework. Pretty much all of those things are not specifically in the Bill, with the exception of the regulatory framework, so there is a lot that is suppressing the opportunities for cloud providers and others in the sector and hindering them from doing business and succeeding.
There is a broader point to make about the Bill and the philosophy behind it, because there is something that we have to avoid. There is a sense in the UK that we are getting gummed up by regulation and obsessing more and more about limitations and restrictions to businesses. In that environment, people and organisations that do well financially, succeed and grow are seen as either targets or cheats—as something that we can go for, tax and punish. We have lost or diminished our can-do attitude when it comes to supporting the risk takers and the entrepreneurs, who are the people and organisations building the MSPs and data centres on which our economy relies.
Over and above that, there is a cultural issue that is impacting our IT and tech sector. As legislators we should ensure that the thing we have direct control over, which is the legislation in front of us, imposes as small a regulatory burden as possible while still ensuring that it is sufficient to meet our aims. We must listen to businesses and hear their concerns. We hear time and again that the lack of clarity, particularly in this part of the Bill, is putting them at financial and legal risk. That is a very substantial concern.
Alison Griffiths
On my hon. Friend’s point about the lack of clarity in the Bill, there is a real possibility that firms will find that an MSP has one view of an issue while their client has another. Unless there is sufficient clarity in the wording of the Bill, we will have issues.
Dr Spencer
I thank my hon. Friend for her intervention. Legal clarity is important. I have absolutely no issue with lawyers, but we do not want to make a load of money for lawyers as a consequence of the definitional challenges around the Bill’s implementation. That is not good for businesses, which need certainty as to how to apply the regulatory framework under which they operate. Regulatory uncertainty will not help a business to make decisions. My assumption is that the default position will be for businesses to assume that they are not regulated entities, which means that they will not take actions that we would like them to take as a result of the Bill. Again, we will be making laws under which everybody loses out.
My final point is about the carve-out in respect of public authority oversight. It is all well and good for the Government to say, “We have an action plan and we’re going to sort out Government IT and the cyber-security risk for Government services,” but it is not playing out that way. Our biggest risks, and the most vulnerable components of our digital IT infrastructure, are those that are linked to Government services. Change is needed. My sense is that when a company interacts and shares data with Government and public sector services, the biggest-cyber security risk is likely to be in the aspects that are provided by Government services. We are making legislation that puts a host of burdens on the private sector, yet we are largely silent about what is happening in the public sector. Putting people at risk in that way is really not good enough. We need to support our overall cyber-security.
Kanishka Narayan
Clause 12 will introduce a new power for regulators to designate critical suppliers to organisations as in scope of the NIS regulations. These are suppliers that are so pivotal to the provision of essential digital or managed services that a compromise or outage in their systems can cause a disruption that would have serious cascading impacts for our society and economy; I am thinking in particular of the Synnovis incident in 2024, when 11,000 medical appointments were cancelled across London hospitals as a result of an attack on a pathology service provider.
The clause will ensure that the power to designate can be exercised only where suppliers pose a credible risk of systemic disruption and when the regulator has considered whether the risks to the supplier cannot be managed via other means. In other words, it is a very high bar indeed.
The clause provides safeguards for suppliers, which must be consulted and notified during the designation process. It also requires regulators to consult other relevant NIS regulators when they are considering whether to designate, or decide to do so, ensuring that they have an accurate understanding of how suppliers are already regulated.
Finally, the clause provides for designations to be revoked when risks no longer apply or when a supplier has met the thresholds for regulation as a relevant digital service provider or relevant managed service provider. It should be noted that the clause does not set out the security duties on critical suppliers; these will be defined in secondary legislation following an appropriate period of consultation.
By addressing supply chain vulnerabilities, this measure will strengthen the resilience of the UK’s essential and digital services on which the public rely every day. I commend the clause to the Committee.
Alison Griffiths
The clause merits close scrutiny, because it is the point in the Bill where risk is supposed to be addressed beyond the individual operator and into the supply chain. In plain terms, clause 12 will allow the regulator to designate a supplier as critical where disruption to that supplier would have a significant impact on the delivery of an essential or digital service. The trigger is impact, not size or sector. That approach is sensible, but I want to stress-test how it works in the context of operational technology.
Across power, telecoms, transport, water and industry, many essential services rely on the same family of industrial control equipment. Substations, signalling systems and industrial plants may look different, but they often run on identical controlled devices and firmware supplied by a very small number of manufacturers.
The risk is not hypothetical. A single vulnerability in widely deployed OT equipment can create a common mode failure across multiple sectors at the same time, even where each operator is individually compliant with its duties. At the moment, the Bill places obligations squarely on operators of essential services, but in OT environments, operators do not control the design of equipment, the firmware, the vulnerability disclosure process or the remote access arrangements that vendors often require as a condition of support.
As Rik Ferguson highlighted in written evidence to this Committee, uncertainty about how and when suppliers might be brought into scope can lead to defensive behaviour and late engagement. The risk is amplified in OT, where suppliers may discover vulnerabilities before operators do, and where one operator may report an issue, while others in different sectors, using identical equipment, remain unaware.
There is also a traceability problem. OT equipment is frequently sold through integrators and distributors. Manufacturers may not have a clear picture of where the equipment is ultimately deployed. Without that visibility, national-scale vulnerability notification and co-ordinated response become very difficult.
UK Finance has also drawn attention to the complexity of multi-tier supply chains and the need for clear accountability when regulatory reach extends upstream. The clause recognises that reality, but its effectiveness will depend on how consistently and predictably designation decisions are made across sectors.
My concern is not about the existence of the power. It is about whether, in practice, the power will be used early enough and clearly enough to address shared OT risks before they become cross-sector incidents. Operational resilience today depends less on individual sites and more on the security practices of a relatively small— I would say very small—number of OT suppliers that sit behind them. The clause has the potential to address that, but only if its application is focused on genuine systemic risk and supported by clear signals to suppliers and operators alike. For those reasons, the clause warrants careful consideration as the Bill progresses.
Lincoln Jopp
To understand the impact of what we are discussing, we obviously look at the impact assessment. We in this place are often accused of simply making rules and passing laws with no real sense of the impact downstream, particularly on small businesses. Having worked in the tech sector for 10 years, with data centres and managed service providers, and worked to try to grow many small and medium-sized enterprises, I am acutely conscious of the need not to overburden them. It is clearly hugely important that the Government take account of the impact of the measures they are taking and the burdens they are imposing on small and medium-sized enterprises.
To understand the impact of this measure, it is important to know two things: first, how many companies will be impacted and, secondly, how much it is going to cost. While I am sure that the Minister will say that this provision on critical suppliers is great, and all very clear, it cannot really be that clear. Page 110 of the impact assessment states:
“DSIT is not able to estimate at this stage the number of SMEs or SME DSPs that will be designated as critical suppliers”;
so we cannot tell how many there are. The same page also states:
“Specific duties will be set through secondary legislation so the exact cost of security measures is not possible to estimate.”
We do not know how many there are or how much the measure is going to cost, but Government Members will be whipped to say, “That’s okay—that can be done by someone else at another time.” We do not really have a strong sense of the impact on real-world businesses of what we are doing here. We also talked about the legal costs in an earlier sitting. I look forward to hearing the Minister’s reassuring words about how very clear the clause is and how it is not just a blank cheque, even though we do not know how many people it will affect or how much it will cost them.
Alison Griffiths
The clause is drafted broadly, which is understandable, but in practice many of the supply chains, as my hon. Friend has ably demonstrated, involve several layers of providers and sub-providers. I would welcome clarity on how regulators are expected to approach designation in these cases, so that responsibility is clear and preparation can happen upstream, rather than only after an incident.
Dr Spencer
My hon. Friend has figured out what I am going to say in a moment, when it comes to the scoping of the regulator and that communication process. Such is the depth of the rabbit hole that the provision creates that, even though my hon. Friend’s intervention did not go where I thought she was going, another problem has just come to mind.
What happens in the circumstance where a critical supplier that acts as a proxy for multiple critical suppliers? How does designation operate in that fashion? There are suppliers that essentially operate as a marketplace to a certain provision of services. Is it the marketplace that is regulated, or is it each supplier within the marketplace? A locum agency could hypothetically be an umbrella company for multiple different smaller locum agencies, each of which would share the corporate risk as part of that.
Going back to my first point, the idea that access to the IT network or system will somehow be discriminatory, or dichotomise between people who are in scope of this measure and people who are not, seems to me complete nonsense. It is difficult to see what organisations, if they provide a service to a modern OES, will be in scope of it.
Secondly, there is systemic or significant disruption. I often say that, if someone wanted to cripple a hospital, the best way to do that would be to stop the cleaners cleaning rooms, and to stop the porters pushing people around the hospital to get them to their appointments and moving beds. There is often a focus on doctors and on the rest of the core medical and nursing staff— I myself often focus perhaps a bit too much on doctors—but it really is a whole-team effort. In fact, the most critical people are often the people who might not be the subject of the most focus, such as the cleaners and porters.
If the cleaners stop work or do not turn up to work, the hospital grinds to a halt. If taxis are not taking people to and from hospital out of hours, or if the patient transport is not taking people to hospital, out-patient departments grind to a halt. If the locum companies that fill gaps in staff rotas are not available to do that, and there are substantial rota gaps that make the provision of services unsafe, the hospital also grinds to a halt. If it is not possible to get access to critical medicines, if staff cannot maintain the blood gas machine or the blood pressure machine, or if the boiler breaks down, the hospital grinds to a halt.
It is not just something as obvious as the tragic situation with blood and pathology testing that causes a hospital to grind to a halt. Indeed, I cannot think of many private sector provisions that would not have a substantial impact on a hospital if they were to be removed; if any other Member can, I will be very happy to stand corrected. However, just skimming through them, I can see that the removal of most of them would cause the hospital to grind to a halt. The idea that the significant impact definition will be a discriminatory factor regarding suppliers just does not work. Someone might say: “Ben, you’re completely wrong. We found some providers.”, but, if that situation arises, how will the arbitration occur in terms of the threshold?