Cyber Security and Resilience (Network and Information Systems) Bill (First sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Allison Gardner
Main Page: Allison Gardner (Labour - Stoke-on-Trent South)Department Debates - View all Allison Gardner's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Allison Gardner Excerpts(1 day, 7 hours ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Chair
Thank you. I am going to bring Allison Gardner in, because she has been waiting. You have two minutes, Allison.
Dr Allison Gardner (Stoke-on-Trent South) (Lab)
Q
Jen Ellis: That is a great question, and a tricky one. We talk a lot about training and security awareness, and unfortunately I think it becomes yet another tick box: you start a job and watch your little sexual harassment training video, then you watch your cyber-security training video, and probably the former sticks with you better than the latter. I think we have to change that. We have to change that dynamic.
I go back to my last answer, which was that I think one of the strengths of the Bill is that, hopefully, it will enable the regulators to engage much more on this topic and therefore to engage their covered entities much more. That is what we need to see. We need to see the leadership in organisations engage with the topic of cyber-security, not as a chore, as a tick-box exercise or as that headline they read about JLR, but actually as something that matters to their organisation—as something they are going to engage with at a board and executive team level, all the way down through the organisation. Cultural change comes from the top, typically, and we need to see that level of change.
I do not think that there is anything specific in the legislation, as it is currently written, that says, “And this,” in flashing lights, “is going to change the human factors piece.” I think that the devil will be in the detail of the secondary legislation, and then in what the regulators specifically ask for. But there does need to be a general shift in the culture, whereby as sectors generally we start to talk more about this as a requirement. The financial services sector has talked about security for a long time—it has been a reality for it—but I am not sure how true that is, at breadth, in something like the water industry.
I hope that that will change. I hope that we will start to see having those conversations at the top levels, and then all the way down, becoming more of a cultural norm. Unfortunately, you cannot create culture change quickly. When it comes to talking about human factors, it is about people becoming much more aware of it and thinking more about it. That will take time—
The Chair
Order. Thank you very much, but I have to cut you off there.
Jen Ellis: Sorry for taking too long.
Kanishka Narayan
Q
Stuart McKean: You are going to hear the word “complex” a lot in this session. It is hugely complex. I would almost say that everyone likes to dabble. Everyone has little bits of expertise. Certain companies might be cloud-focused, or focused on toolsets; there are a whole range of skillsets. Of course, the larger organisations have multiple teams, multiple scopes and much more credibility in operating in different areas. As that flows down the supply chain, in many cases it becomes more difficult to really unpick the supply chain.
For example, if I am a managed service provider delivering a cloud service from a US hyperscaler, who is responsible? Am I, as the managed service provider, ultimately on the hook, even though I might be using a US-based hyperscaler? That is not just to pick on the hyperscalers, by the way—it could be a US software-based system or a set of tools that I am using. There are a whole range of parts that need to become clearer, because otherwise the managed service community will be saying, “Well, is that my responsibility? Do I have to deliver that?”.
You are then into the legislation side with procurement, because procurement will flow down. Although I might not be in scope directly as a small business, the reality is that the primes and Government Departments that are funding work will flow those requirements down on to the smaller MSPs. Although we might not be in scope directly, when it comes to implementing and meeting the legislation, we will have to follow those rules.
Dr Gardner
Q
Jill Broom: With the board, historically, cyber has not been viewed as a business risk, but as a technical problem to be addressed by the technical teams, instead of being a valuable, fundamental enabler of your business and a commercial advantage as well, because you are secure and resilient. That has been a problem, historically. It is about changing that culture and thinking about how we get the boards to think about this.
I think a fair amount of work is happening; I know the Government have written to the FTSE 350 companies to ask them to put the cyber governance code of practice into play. That is just to make cyber a board-level responsibility, and also to take account of things such as what they need to do in their supply chain.
Dr Gardner
Q
Jill Broom: Some of our members have pointed out that the number of organisations under cyber-regulations is very small, and it is only going to increase a small amount with the advent of this particular Bill. Similarly, in the different jurisdictions there are duties at the board level. There is an argument for it. The key thing is that we need to be mindful of it being risk-based, and also that there are organisations that could be disproportionately affected by this. I think it needs a little more testing, particularly with our members, as to whether a statutory requirement is needed.
Bradley Thomas
Q
Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.
While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.
We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.
Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.
In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.
I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.
The Chair
Please, Gentlemen, do not feel obliged to answer each question.
Dr Ian Levy: On the diverse networks and where they are hosted, it is important to be clear that resilience changes as scale changes. When it comes to the statistical model used to talk about resilience for a national system, if you have, say, three physical data centres in the UK connected by a redundant ring, that has a well-understood statistical model, but as you get bigger and bigger and more diverse, the statistics change, so the way you analyse resilience changes. That is not specific to Amazon Web Services; it applies to any large-scale system.
The way that we talk about resilience needs to be thought through carefully. I would urge you to consider outcomes and talk about availability and resilience to particular events. If somebody drives a JCB into a data centre, in a national-scale resilience model that can have a big impact, but in a hyperscale it will not.
We need to be clear about what the regulation is trying to do. If you look at us as a data centre operator, it is very different from someone who is providing co-location services. We provide our data centres for the sole purposes of providing our services, which have a very particular resilience model that is very different from somebody sticking their own racks in a third-party data centre. Some of the terms need to be better defined.
In terms of balancing growth, regulation, oversight and so on, there is a fallacy about putting specific technologies into legislation, except in very specific circumstances. We talked about post-quantum cryptography and AI. They will affect resilience, but probably not in the way we think they will today, so I would caution about putting specific technology definitions on the face of the Bill.
Matt Houlihan: On the cross-border question, very quickly, there are clearly a lot of jurisdictions looking at legislation in this space. There is absolutely an opportunity in the UK to look at things, such as mutual recognition agreements, that would simplify the international regulatory landscape, but there is also the opportunity for the UK to lead in this space as a very well-respected and cyber-capable country.
Touching on getting the balance right on growth and security, we have seen some useful moves recently from the UK Government and previous Governments on looking at codes of practice, which are voluntary in nature but help engage companies, as the recent software security code of practice did with mine and Chris’s. Techniques like that offer a nice balance and engage companies, but get that message around growth absolutely right.
Dr Gardner
Q
My second question is for Ben. In combining AI and cyber, you are combining technologies that come with their own unique risks with cyber-security. I am interested in how you mitigate against that. I am intrigued because, when you talk about AI, I assume you are not talking about straightforward machine learning.
Chris Anley: In terms of what other things we could do, we have talked about voluntary codes. The value of voluntary codes was questioned in an earlier session; but the World Health Organisation best practice guide on handwashing, which is entirely voluntary, saved millions of lives in the recent pandemic. It is important to bear in mind that codes that help you to protect yourself are definitely valuable.
Other actions that are already taking place that we may want to extend on the basis of solid evidence and data are the cyber essentials scheme, for example, and the various codes of practice. The cyber governance code of practice for boards was mentioned earlier, along with the Government outreach and attempting to get boards to recognise that cyber risk is a business risk and an existential threat. We talked about the cyber assessment framework and how that is likely to be the scope within which this Bill is implemented. So, we do not necessarily need to do something new. The scope of the Bill, as we said, is 0.1% of the UK private sector. There is scope to expand the existing things that we are doing, especially cyber essentials, for example, raising the bar for small and medium-sized enterprises across the economy. There is a lot that we are already doing that we could do, that we already have the scope to expand, but obviously that must be done prudently and on the basis of solid evidence.
Dr Gardner
Q
Ben Lyons: That is something we think very deeply about. We see AI as helping to mitigate some of the risks from cyber-security by making it possible to detect attacks more quickly, understand what might be causing them, and to respond at pace. We are an AI native company and we have thought deeply about how to ensure that the technology is both secure and responsible. We are privacy-preserving by design. We take our AI to the organisation’s environment to build an understanding of what normality looks like for them, rather than vast data lakes of customer data. We take a lot of effort to ensure that the information surfaced by AI is interpretable to human beings, so that it is uplifting human professionals and enabling them to do more with the time they have. We are accredited to a range of standards, like ISO 27001 and ISO 42001, which is a standard for AI management. We have released a white paper on how we approach responsible AI in cyber-security, which I would be happy to share with you and give a bit more detail.
Chris Vince
Q
Matt Houlihan: I am very happy to. Two main comparators come to mind. One is the EU, and we have talked quite a bit about NIS2 and the progress that has made. NIS2 does take a slightly different approach to that of the UK Government, in that it outlines, I think, 18 different sectors, up from seven under NIS1. There is that wide scope in terms of NIS2.
Although NIS2 is an effective piece of legislation, the implementation of it remains patchy over the EU. Something like 19 of the 27 EU member states have implemented it to date in their national laws. There is clearly a bit of work still to do there. There is also some variation in how NIS2 is being implemented, which we feel as an international company operating right across the European Union. As has been touched on briefly, there is now a move, through what are called omnibus proposals, to simplify the reporting requirements and other elements of cyber-security and privacy laws across the EU, which is a welcome step.
I mentioned in a previous answer the work that Australia has been doing, and the Security of Critical Infrastructure Act 2018—SOCI—was genuinely a good standard and has set a good bar for expectations around the world. The Act has rigorous reporting requirements and caveats and guardrails for Government step-in powers. It also covers things like ransomware, which we know the UK Home Office is looking at, and Internet of Things security, which the UK Government recently looked at. Those are probably the two comparators. We hope that the CSRB will take the UK a big step towards that, but as a lot of my colleagues have said, there is a lot of work to do in terms of seeing the guidance and ensuring that it is implemented effectively.
Chris Anley: On the point about where we are perhaps falling behind, with streamlining of reporting we have already mentioned Australia and the EU, which is in progress. On protection of their defenders, other territories are already benefiting from those protections—the EU, the US, and I mentioned Portugal especially. As a third and final point, Australia is an interesting one, as it is providing a cyber-safety net to small and medium-sized enterprises, which provides cyber expertise from the Government to enable smaller entities to get up to code and achieve resilience where those entities lack the personnel and funding.