Dr Ben Spencer (Runnymede and Weybridge) (Con)

- Hansard -

Copy Link

- - Excerpts

It is a pleasure to serve under your chairmanship, Mr Stringer. I thank all hon. Members on both sides of the Committee for taking part, and the officials for their work on the Committee stage of this important Bill.

The Bill will significantly update and expand the Network and Information Systems Regulations 2018 by bringing new services within scope of regulation, giving sector regulators the power to designate critical suppliers, updating and expanding the reporting regime for cyber-security incidents and making significant changes to the regulatory funding model and regulators’ information-gathering and sharing powers. The Bill will also grant extensive powers to the Secretary of State to respond to emerging cyber-threats, including the power to bring further sectors within the scope of regulation, giving directions to regulated entities and issuing a code of practice that sets out measures for compliance with duties under the NIS regulations. Recognising the increasing role of malicious cyber-activity as a threat to our national security, part 4 will give the Secretary of State far-reaching powers to issue directions to regulated entities for reasons of national security.

Covid turbocharged the digitalisation of all aspects of the economy and our daily lives, bringing new opportunities but at the same time heightening the exposure of digital systems to exploitation by malicious actors. The previous Government recognised that in their post-implementation reviews of the NIS regulations and in a subsequent series of consultations on proposals to improve the cyber-resilience of the entities that are most important to the UK economy. Those consultations included a review of information security risks relating to outsourced IT provision, data centres and organisations controlling large amounts of electrical load. The last Government’s work assessing those threats has informed this Government’s decision to bring data centres, managed service providers and large load controllers within the scope of the NIS regulations.

Industry stakeholders have welcomed the Bill as essential for bringing the cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments, and for moving our cyber-security regulatory framework into closer alignment with international partners to ease cross-border operations for businesses that provide services overseas.

In some respects, at least, the Bill identifies the right problems, but, crucially, it falls short of providing workable solutions. In embarking on our scrutiny of the Bill, the Committee should be acutely aware of the raft of digital legislation with which businesses and regulators have been asked to grapple in recent years. Many of those new regulations are necessary, but as lawmakers we should be conscious of the burden that we are placing on industries and particularly on small and medium-sized enterprises, which are the lifeblood of the UK economy and which have fewer resources to navigate complex layers of regulation. It is therefore incumbent on all of us to enact laws that are clear and capable of practical implementation.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for her intervention. I am reminded of the Committee’s evidence session earlier this week, in which expert after expert lined up to raise concerns around the scope of the definition. Although they acknowledged the importance of and appreciated the reasons for leaving some things to secondary legislation in a climate as fast-moving as the IT and digital sector’s, they raised concerns about the uncertainty that is coming for business and the need for extensive consultation so that businesses can feed into and have some degree of influence over the regulations that they will have to abide by.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I am certainly going to come back to it a few times—if not other Members—and I will invite the Minister to come back to it a few times.

Returning to the point about the dependency on particular sectors, I mentioned the impact that Amazon Web Services had on our society and systems; interestingly, the AWS outage was caused not by a cyber-attack, but it demonstrates the disruption to our lives and businesses that could occur in the event of such an attack. The last Government recognised the vital and growing importance of data centres to the UK economy and people’s lives, as well as the risks of serious interruption to these services. That led to a public consultation on enhancing the security and resilience of UK data infrastructure.

The Conservatives therefore welcome that this vital element of our national infrastructure will be subject to cyber-security regulation. However, for regulation to be robust for cyber-resilience and regulator data centres it is essential that there are high rates of industry compliance. The Government stated in their impact assessment for this Bill that there is an ongoing engagement with the data centre sector. Could the Minister lay out what feedback he has received on the sector’s preparedness to meet the cyber-resilience standards set by the NIS regulations?

Likewise, in terms of ensuring effective regulation, Ofcom will have a dramatically increased role in terms of cyber-security regulation when these provisions come into effect. In view of Ofcom’s current regulatory workload and the challenges with recruitment, which I mentioned earlier and highlighted in the evidence session this week, what ongoing engagement is the Minister having with Ofcom more broadly to make sure that it is sufficiently resourced to play its role?

Before I move on to clause 6, on large load controllers, I feel I need to go back to the discussion about proportionality and the purpose and need for these regulations in the Bill. One of the biggest criticisms of the NIS regulations is that they have not really been enforced. I am not saying that a certain rate of enforcement is a marker of efficacy or compliance, but it is curious, and it has been raised to me, that the level of enforcement indicates that the NIS regulations have not really had teeth or changed anything.

In one bad world, we have regulations that are completely disproportionate and place a huge and unnecessary burden on industry. But in some ways the worst of all worlds, or rather another problem that we would need to deal with, would be for us to legislate, produce this wonderful cyber-security Act, and go away happy as legislators—“Hey-ho, it’s all sorted and finished; we can sleep well in our beds about the cyber-security of the UK.” But if the companies cannot follow the legislation, will not follow it or do not have the resources to do so, then all we will have done is waste our time. Worse, we will have given ourselves a false sense of security, rather than delving into some of the real challenges and problems in the sector, which include overall education, encouraging businesses to take the issue more seriously and encouraging people to do Cyber Essentials.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

That is something that I know will come up in debate as we go through the Bill. It is curious that we are receiving consistent feedback that some boards are not taking the issue of cyber-security seriously, in terms of allocating resource to it, especially in the light of the very high-profile cyber-attacks on businesses. Obviously, I am all over this issue, given my role as shadow Minister, but I think it is completely insane, certainly for larger companies, not to focus on the challenge of cyber-security. It is a challenge for businesses of all sizes, but I am mindful that implementation is particularly problematic for very small businesses.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for that pertinent intervention. The burden she talks about is not just financial; companies could also find themselves in legal jeopardy should they become subject to overlapping and competing duties without realising when the Bill becomes an Act. More than anything else—perhaps even more than a low taxation regime—businesses want certainty about the regulatory environment they operate in. This is made even more complicated by the fact that many organisations operate in different jurisdictions and have to contend with different, competing regulatory frameworks. My understanding is that the majority try to take an approach in one jurisdiction that will also cover them in the other so that they have an overlap, but those are the big companies. They have more capacity and resource to do that. The problem will be for the companies on the margins that are struggling.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

The cloud providers tell me that the energy costs are crippling, which is highly problematic, and that is why we need to drive those costs down. They talk about the challenges of getting data centres built and about planning considerations, which are a concern across the country. They talk about the taxation environment and costs on businesses more generally, particularly when they are footloose, and they talk about the regulatory framework. Pretty much all of those things are not specifically in the Bill, with the exception of the regulatory framework, so there is a lot that is suppressing the opportunities for cloud providers and others in the sector and hindering them from doing business and succeeding.

There is a broader point to make about the Bill and the philosophy behind it, because there is something that we have to avoid. There is a sense in the UK that we are getting gummed up by regulation and obsessing more and more about limitations and restrictions to businesses. In that environment, people and organisations that do well financially, succeed and grow are seen as either targets or cheats—as something that we can go for, tax and punish. We have lost or diminished our can-do attitude when it comes to supporting the risk takers and the entrepreneurs, who are the people and organisations building the MSPs and data centres on which our economy relies.

Over and above that, there is a cultural issue that is impacting our IT and tech sector. As legislators we should ensure that the thing we have direct control over, which is the legislation in front of us, imposes as small a regulatory burden as possible while still ensuring that it is sufficient to meet our aims. We must listen to businesses and hear their concerns. We hear time and again that the lack of clarity, particularly in this part of the Bill, is putting them at financial and legal risk. That is a very substantial concern.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for her intervention. Legal clarity is important. I have absolutely no issue with lawyers, but we do not want to make a load of money for lawyers as a consequence of the definitional challenges around the Bill’s implementation. That is not good for businesses, which need certainty as to how to apply the regulatory framework under which they operate. Regulatory uncertainty will not help a business to make decisions. My assumption is that the default position will be for businesses to assume that they are not regulated entities, which means that they will not take actions that we would like them to take as a result of the Bill. Again, we will be making laws under which everybody loses out.

My final point is about the carve-out in respect of public authority oversight. It is all well and good for the Government to say, “We have an action plan and we’re going to sort out Government IT and the cyber-security risk for Government services,” but it is not playing out that way. Our biggest risks, and the most vulnerable components of our digital IT infrastructure, are those that are linked to Government services. Change is needed. My sense is that when a company interacts and shares data with Government and public sector services, the biggest-cyber security risk is likely to be in the aspects that are provided by Government services. We are making legislation that puts a host of burdens on the private sector, yet we are largely silent about what is happening in the public sector. Putting people at risk in that way is really not good enough. We need to support our overall cyber-security.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

My hon. Friend has figured out what I am going to say in a moment, when it comes to the scoping of the regulator and that communication process. Such is the depth of the rabbit hole that the provision creates that, even though my hon. Friend’s intervention did not go where I thought she was going, another problem has just come to mind.

What happens in the circumstance where a critical supplier that acts as a proxy for multiple critical suppliers? How does designation operate in that fashion? There are suppliers that essentially operate as a marketplace to a certain provision of services. Is it the marketplace that is regulated, or is it each supplier within the marketplace? A locum agency could hypothetically be an umbrella company for multiple different smaller locum agencies, each of which would share the corporate risk as part of that.

Going back to my first point, the idea that access to the IT network or system will somehow be discriminatory, or dichotomise between people who are in scope of this measure and people who are not, seems to me complete nonsense. It is difficult to see what organisations, if they provide a service to a modern OES, will be in scope of it.

Secondly, there is systemic or significant disruption. I often say that, if someone wanted to cripple a hospital, the best way to do that would be to stop the cleaners cleaning rooms, and to stop the porters pushing people around the hospital to get them to their appointments and moving beds. There is often a focus on doctors and on the rest of the core medical and nursing staff— I myself often focus perhaps a bit too much on doctors—but it really is a whole-team effort. In fact, the most critical people are often the people who might not be the subject of the most focus, such as the cleaners and porters.

If the cleaners stop work or do not turn up to work, the hospital grinds to a halt. If taxis are not taking people to and from hospital out of hours, or if the patient transport is not taking people to hospital, out-patient departments grind to a halt. If the locum companies that fill gaps in staff rotas are not available to do that, and there are substantial rota gaps that make the provision of services unsafe, the hospital also grinds to a halt. If it is not possible to get access to critical medicines, if staff cannot maintain the blood gas machine or the blood pressure machine, or if the boiler breaks down, the hospital grinds to a halt.

It is not just something as obvious as the tragic situation with blood and pathology testing that causes a hospital to grind to a halt. Indeed, I cannot think of many private sector provisions that would not have a substantial impact on a hospital if they were to be removed; if any other Member can, I will be very happy to stand corrected. However, just skimming through them, I can see that the removal of most of them would cause the hospital to grind to a halt. The idea that the significant impact definition will be a discriminatory factor regarding suppliers just does not work. Someone might say: “Ben, you’re completely wrong. We found some providers.”, but, if that situation arises, how will the arbitration occur in terms of the threshold?