Julia Lopez

- Hansard -

Copy Link

- - Excerpts

Absolutely. The hon. Gentleman is correct: this is fundamentally about culture—that is the point that I am making. We can pass as many regulations as we like, but a lot of the holes in our cyber-security systems come down to human frailties. That means this challenge is not just about new laws but about changing a number of things to make us more resilient.

It is right not to dictate technical standards in primary law that will soon be outdated in the fast-moving world of technology, so the question is whether this law has the right mix of carrot and stick to make affected firms act in a way that raises the security bar—there are several areas where we fear it may not.

First, there is potentially an enforcement paradox. The Bill expands regulatory powers and increases the scale of potential fines, but the evidence from the existing regime does not suggest definitively that fines and new regulations deliver us greater cyber-resilience. Under the current NIS regulations, enforcement has been slow, inconsistent and often toothless. Very few significant penalties have been issued. Where they have been issued, the delay between incident and sanction has sometimes stretched beyond two years. That delay matters, because it actively undermines deterrence and disconnects accountability from operational reality. Simply widening the scope of regulation without ensuring that regulators are properly resourced, empowered and required to act quickly risks creating obligations that exist on paper but lack any real-world bite.

We also have concerns about the Bill’s cost recovery model. Funding regulators through levies on the organisations that they oversee risks unintended consequences in terms of improving our resilience. For large firms, the cost burden may be manageable, but for smaller enterprises it amounts to an additional operational tax that could divert scarce capital away from cyber-defence, staff training and innovation.

There is also a structural risk here. Regulators that are reliant on fee income might face incentives to expand scope and complexity unnecessarily, creating bureaucratic drag that crowds out voluntary, market-led initiatives, which often raise standards more effectively than prescriptive regulation.

More generally, I worry that this Bill will play into tech monopolies. The companies that thrive in this kind of environment are those with big compliance and legal departments. That concentrates risk and makes our tech economy less diverse, with serious implications that I shall come on to.

There may be reporting challenges too. A two-stage reporting process within 24 and 72 hours may be achievable for large, well-resourced organisations with in-house cyber teams, but for smaller operators it risks creating a compliance culture focused on speed, not substance.

There is also the danger of duplication. Many organisations already face overlapping reporting obligations under UK GDPR, sectoral rules and existing legislation. Without simplification and proportionality, the administrative load could be significant, once again diverting attention and resource from the very cyber-threat management that the Bill seeks to improve. We need to avoid this legislation becoming a “something must be done” Bill that totally misses the mark.

The Bill also fails to grapple properly with the human factor in cyber-security, which has already been talked about by the hon. Member for Harlow (Chris Vince). Technology alone does not keep organisations safe; governance matters. Yet board-level ownership of cyber-risk is moving in the wrong direction. Only 27% of businesses now have a board member explicitly responsible for cyber-security, down from 38% just three years ago. Without mechanisms to ensure senior accountability, fines risk becoming little more than a cost of doing business. Directors remain insulated while operational teams are left to carry the can. National cyber-resilience depends not just on systems and software, but on leadership, culture and accountability at the very top.

For those reasons, ahead of Committee consideration, we on the Opposition Benches are examining how the legislation can be strengthened, while continuing to support its core objectives. In the meantime, regulators must be properly equipped with the right powers, resources and clarity from Parliament on the intent of the law. Sanctions must be applied swiftly and consistently, and guidance must be clear, so that enforcement is credible and deterrence is real.

The Government should also look at how reporting obligations are calibrated. A one-size-fits-all approach might place disproportionate burdens on smaller firms, and it might be better to ensure that reporting thresholds reflect the size, complexity and risk profile of an organisation.

Equally, the funding of regulators must be transparent and predictable. There have to be safeguards against regulatory expansion for its own sake and firm assurances that funds raised are reinvested directly into improving national cyber-resilience, not absorbed by administrative overheads. While the Bill rightly prioritises critical national infrastructure, it cannot afford to ignore high-risk sectors that sit beyond its immediate scope.

There is also a major role for market-based solutions. Cyber insurance, sector-wide intelligence sharing and collaborative resilience initiatives can all complement regulation. These tools can reduce risk and improve preparedness without adding unnecessary legislative complexity.

The review cycle set out in the Bill may be too slow for the threat landscape we face and the pace of technological change. Annual or biannual reviews might allow Parliament to scrutinise effectiveness, respond to emerging threats and ensure that the legislation remains fit for purpose.

Let me make some more general points about the Government’s approach to cyber-security and resilience, and issues about the risk of dependence and threat from adversaries. I see no evidence from this Government that they are thinking with any clarity about the risks of long-term technological dependency and lock-in—quite the opposite, in fact. Large parts of our economy now depend on secure, high-quality digital infrastructure, and that reliance will only increase as AI advances. Whoever provides that infrastructure will wield huge future leverage. It was that reality that ultimately drove the change of heart over Chinese tech sitting at the core of our 5G telecom networks a few years ago.

However, the Government are seemingly betting every chip on US hyper-scalers. They provide our data centres, supply the platforms on which Government Departments are run and, more often than not, are the ones winning all the Government contracts. These investments will provide our companies with things that they need, from compute power to increasingly sophisticated AI platforms, but the UK is doing little simultaneously to mitigate our increased technological dependency. When I say “technological”, we need to understand that technology is what we now run our defence systems, factories, energy networks and communications on. Technology is the plumbing of our nation.

During September’s much crowed-about state visit by President Trump, this Government were visibly begging for good economic headlines after the humiliating resignations of the Deputy Prime Minister and the ambassador to the US, not to mention the uncontainable mess of the Chancellor’s first Budget and the threat of her second Budget. The US-UK tech partnership was the result, with a huge amount of smoke and mirrors deployed over what it actually contained. Whatever substance lay within it, we heard just before Christmas that it had been paused, used as leverage by the US while other trade negotiations were under way.

I am not criticising the US Administration for skilfully playing their hand in their national interest; I am asking this Government rapidly to wake up to the reality of a new world in which the post-war settlement is coming to an end—one that has been giving clues to its existence for many years, since long before President Trump came into office. The United States remains a vital ally, but in this new era Britain must be very clear-eyed about risk, the reality of hard power and the need to protect our sovereign interests.

Cyber-risk requires as much thought about the fundamentals of plumbing as it does about the laws that try to manage how humans use or exploit technology. The UK Government have a vast procurement budget for which our own firms ought to be able to make a successful bid, but UK tech tells me consistently that, for all the talk in the Government’s AI strategy of sovereign tech capability, it has not got a look-in since Labour has been in power. I am concerned that this Bill should not introduce new, burdensome regulation for UK firms in a way that benefits non-UK incumbents with giant compliance teams and legal resources in a way that would exacerbate the risk of vendor lock-in.

Let us turn to another risk. The private sector will have noticed that the new obligations in this Bill broadly do not touch the public sector, where cyber-risk remains red-light-flashingly large, notwithstanding the public cyber strategy that was thrown out today in implicit acknowledgment of that gaping hole. Knowing that the public sector holds such enormous cyber-risk, this Labour Government choose not to minimise it, but to create a brand-new one—a hulking great identity system mandated for anyone who wants a job and, we now hear, possibly for new-born babies. It is mandatory identity by stealth, not consent, and with no honesty about it.

It is not to be against the ability of people to verify themselves digitally for banking, to access certain online services or to stop fraud to think that Labour’s mandated digital identity plan is a complete rotter. The Association of Digital Verification Professionals called what Labour inherited on digital identity a

“world-leading model for data sovereignty that digitised liberty rather than diluted it”.

The citizen, not Government, would be in control. This naive Government are crowding out private sector expertise and making everyone have one of these identities by stealth. They have no idea what this system will cost, and they will not be honest about what it will be used for.

What of the cyber-security of this system? The system on which this digital identity will be run was breached during red team testing last year. When I asked the Secretary of State if that system has now met the National Cyber Security Centre’s cyber-security standard, no answers came. Whistleblowers have continued to speak out about the vulnerabilities of the system, and there is no sense whatsoever from Government that the dodgy digital identity plan will be paused until such a point when they are confident about cyber-security.

Julia Lopez

- Hansard -

Copy Link

- - Excerpts

The hon. Gentleman is wilfully misinterpreting what I am saying. There is not an issue with having systems tested; there is an issue with the fact that the system test failed. There is no evidence that the Government have therefore acted to deal with those systemic failures.

Julia Lopez

- Hansard -

Copy Link

- - Excerpts

The whistleblowers continue to raise serious concerns about the structures upon which the Government’s digital identity platform will be built. The hon. Member looks absolutely outraged that I might suggest there are some concerns about the cyber-security risk of a national, mandated digital identity platform. I find it extraordinary that he suggests that I am expressing concerns that a system might be tested. Of course every system must be robustly tested—that is not the point I am trying to make, and the hon. Member is being wilfully ludicrous in suggesting otherwise. This Prime Minister cannot run an economy, keep promises or control his Back Benchers, or his Front Benchers, so how on earth does anybody think he can run a secure digital identity system?

At the same time as risking technological lock-in by friendly allies, we are creating new vulnerabilities for adversaries to attack. Just before Christmas, UK intelligence agencies warned about increasing, large-scale cyber-espionage from China, targeting commercial and political information. We discovered from Ministers that the Foreign Office itself was the subject of a major cyber-attack in October, which officials believe was carried out by Chinese hackers, and this came in the midst of a major row between the Government and the Crown Prosecution Service about the prosecution of spies operating here in Parliament.

We will be looking closely at this legislation to identify where the Government should be addressing this cyber-reality with much greater force. An approach to cyber-resilience that looks only at introducing new regulations and compliance burdens without thinking through risks such as a mandated identity scheme, dependence on non-sovereign suppliers, the malign intent of other nations, and a failure to build up our own workforce and skills is one that will fail.

Cameron Thomas

- Hansard -

Copy Link

- - Excerpts

The hon. Member speaks of the cyber-attacks on Jaguar Land Rover and the Co-op. Those who pay council tax to Gloucester city council have concerns that following a Russian cyber-attack in 2021, that council recently discovered a £17.5 million deficit. Will the hon. Member recognise that too?

Lincoln Jopp

- Hansard -

Copy Link

- - Excerpts

Do either of the other witnesses have anything to say on that?

Jill Broom indicated dissent.

Dr Sanjana Mehta indicated dissent.

Sarah Russell (Congleton) (Lab)

- Hansard -

Copy Link

- - Excerpts

Q Obviously no one wants to put crippling costs on to businesses, but cyber-security costs money—there is no way of avoiding that. We only have to look at the JLR attack to see the scale of the impact on our economy when it does not work, and we are looking at only critical national infrastructure here. Have you had any information from business about whether and to what extent this will promote increased spending on cyber-security?

Jill Broom: We can assume that it will, because if you are in the supply chain or come within scope, you will have certain responsibilities and you will have to invest, not just in technology but in the skills space as well. How easy it is to do that is probably overestimated a bit; it is quite difficult to find the right skilled people, and that applies across regulators as well as business.

Generally speaking, yes, I think it will be costly, but there are things that could probably help smaller organisations: techUK has called for things such as financial incentives, or potentially tax credits, to help SMEs. That could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first.

Dr Sanjana Mehta: If I may expand on that, we have been consulting our members and the wider community, and 58% of our respondents in the UK say that they still have critical and significant skills needs in their organisations. Nearly half of the respondents—47%—say that skills shortages are going to be one of the greatest hurdles in regulatory compliance. That is corroborated by evidence, even in the impact assessment that has been done on the previous regulatory regime, where I think nearly half of the operators of essential services said that they do not have access to skills in-house to support the regulatory requirements. Continuing to have sustained investment in skills development is definitely going to require funding. Taking it a step back, we need first of all to understand what sort of skills and expertise we have to develop to ensure that implementation of the Bill is successful.

Dave Robertson (Lichfield) (Lab)

- Hansard -

Copy Link

- - Excerpts

Q I have a bit of a blended question. Earlier, Stuart, you said that some of the wording in the Bill says that only 11% of managed service providers are likely to be covered by the legislation, but in previous answers we have heard about skills shortages and where we will need to build those skills. Although I think we all want as many organisations covered as possible, where is the line? Do we currently have enough professionals working in this space to be able to deliver this level of compliance across 11% of MSPs? Given the number of people available for this very specialised work, is the 11% figure in the right ballpark, or do we need to make that wider or thinner to ensure compliance?

It is very easy to write a piece of legislation, but if we do not have the professionals needed to deliver the level of compliance at the thresholds we are setting in this place, that raises other potential issues. Do you have a view about whether the 11% you mentioned is in the right ballpark for the number of professionals we have, or whether it needs to move either way?

Stuart McKean: I am referring to the Government’s report on MSPs that was done a couple of years ago. There are some 12,500 MSPs in the UK. Of those that are in scope of the Bill, 11% are medium-sized and large, but they account for something like 85% of the revenue that MSPs generate in the UK. Proportionally, the larger and medium-sized organisations will have the skillsets needed to deliver the requirements set out in the Bill. As it comes down the supply chain, most managed service providers are suitably qualified to deliver, but they will not be in scope of the Bill. Certainly the critical national infrastructure will not be in that sort of space. We have a good industry, and I think most of the MSPs are in that space, but I would highlight that MSPs are generally IT companies, and cyber-security is not an IT problem. It is much bigger than IT.

Although MSPs can be at one end, this goes back to a question that was asked before about why companies do not just do this anyway, and so be more secure. The reality is that they do not generally understand it; they do not understand the risk and they do not have the qualified people, and it goes on in a sort of vicious circle. A lot of those companies will just go, “Yeah, I’ve got an MSP. They deal with that.” It is an interesting challenge, but, to your question directly, I think medium-sized and large MSPs will not have an issue.

Dr Sanjana Mehta: If I may weigh in on this, I just want to take a step back and comment on the state of the profession in the UK. I appreciate that we are having this discussion specifically in relation to the regulated entities, but there is a broader picture. Parts of the industry are not in scope, but they need to have the right skills as well. We are starting off on a good foundation. The work done by industry, academia and professional associations over the past few years has helped to grow the profession steadily. The report by the Department for Science, Innovation and Technology mentions that the number of cyber-security professionals directly employed in the sector has increased by 11% over the past year.

That said, there is more to be done. I urge the Government to think about the skills piece, not only in relation to the Bill but as a wider challenge. We are very proud of our 10,000-plus members in the UK, who work very hard day and night to secure their organisations despite all the challenges and pressures, but the Bill does give Government a pivotal opportunity to elevate the status of the profession and to professionalise the sector.

Bradley Thomas

- Hansard -

Copy Link

- - Excerpts

Q Do the witnesses have a view on the benchmarks that, at the moment, do not appear to sit behind the scale of incidents that must be reported? Do you have a view on the absence of any benchmarks and the impact that they may have on smaller firms, or on the risk of over-reporting?

Stuart McKean: Under the designation of a critical supplier, the Bill says:

“any such disruption is likely to have a significant impact on the economy or the day-to-day functioning of society in the whole or any part of the United Kingdom”.

That is a pretty big statement. As a small business owner, how do I know whether what I do is going to have an economic effect on the UK? It will have an economic effect on my business, but whether it has a wider impact is a big statement. I am not sure that it is clear enough.

Lincoln Jopp

- Hansard -

Copy Link

- - Excerpts

Q I want to come back to that point. Chris, you said something like, “SMEs find it very difficult, if not impossible, to bear the regulatory burden, so we have to be very careful when designating SMEs as operators of essential services.” To me, that says that you think the Bill, as currently drafted, will place too much of a regulatory burden on SMEs. Is that correct?

Chris Parker: I was referring to strategic and critical suppliers, which is a list of Government suppliers. We are advocating that the level of governance and regulatory requirement inside an organisation is difficult, and it really is. It requires quite a lot of work and resource, and if we are putting that on to too small a supplier, on the basis that we think it is on the critical path, I would advocate a different system for risk management of that organisation, rather than it being in the regulatory scope of a cyber-resilience Bill. The critical suppliers should be the larger companies. If we start that way in legislation and then work down—the Bill is designed to be flexible, which is excellent—we can try to get that way.

As a last point on flexibility—this is perhaps very obvious to us but less so to people who are less aware of the Bill—there is a huge dynamic going on here where you have a continuum, a line, at one end of which you have the need for clarity, which comes from business. At the other you have a need for flexibility, which quite rightly comes from the Government, who want to adjust and adapt quite quickly to secure the population, society and the economy against a changing threat. That continuum has an opposing dynamic, so the CRB has a big challenge. We must therefore not be too hard on ourselves in finding exactly where to be on that line. Some things will go well, and some will just need to be looked at after a few years of practice—I really believe that. We are not going to get it all right, because of the complexities and different dynamics along that line.

Carla Baker: This debate about whether SMEs should be involved or regulated in this space has been around since we were discussing GDPR back in 2018. It comes down to the systemic nature of the supplier. You can look at the designation of critical dependencies. I am sure you have talked about this, but for example, an SME software company selling to an energy company could be deemed a critical supplier by a regulator, and it is then brought into scope. However, I think it should be the SMEs that are relevant to the whole sector, not just to one organisation. If they are systemic and integral to a number of different sectors, or a number of different organisations within a sector, it is fair enough that they are potentially brought into scope.

It is that risk-based approach again. But if it is just one supplier, one SME, that is selling to one energy company up in the north of England, is it risk-based and proportionate that they are brought into scope? I think that is debatable.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Q I would also like to ask some questions on this definition of critical supplier. I know you will have heard the questions I had for the other panel. Is there a danger, in the way this Bill is approaching definitions of critical suppliers, that a supplier may end up being deemed critical solely by virtue of supplying to a critical industry, rather than the criticality of that particular supplier in the ecosystem?

Chris Parker: Yes, absolutely.

Carla Baker: Yes, completely. That is similar to my point, which was probably not explained well enough: how you are deemed critical should be more about your criticality to the entire ecosystem, not just to one organisation.

Lincoln Jopp

- Hansard -

Copy Link

- - Excerpts

Q To be very clear, the three regulators we had here today were the Information Commissioner, Ofgem and Ofcom. If they thought that they had a locus because of something that that hospital did, all three would do the step test, they would come up with their bucket of SMEs that they wanted to bring into scope, and those would be added together and that would be the impact.

Kanishka Narayan: Yes, I guess, added together in the sense that they would be separately regulated, but they would all come within the scope of the regulations. Where there is an overlap in the party being regulated, my hope is that the Bill provides for individual regulation, but is very much open to the prospect of a lead regulator engaging in a softer way with the other regulators, as long as each regulator feels that that has assured them of the risk.

The Chair

- Hansard -

Copy Link

I think this might be the last question to the Minister.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

I thank hon. Members for their new clauses; I recognise the strong feeling and thoughtful contributions about reforming the Computer Misuse Act.

I speak first to new clause 18, which seeks to place a duty on the Secretary of State to review whether amendments to the Computer Misuse Act could support the security and resilience of network and information systems used for carrying out essential activities. I assure the hon. Member for Runnymede and Weybridge that the Government remain committed to ensuring that the Act remains up to date and effective.

The Home Office is already conducting a review of the Computer Misuse Act, and is developing proposals that arise from its findings. That includes careful consideration of proposals to introduce a statutory defence that would allow researchers to spot and share vulnerabilities. It will provide an update as soon as the proposals are finalised. However, limiting a defence to only the sectors covered by the NIS regime would be impractical. Any package of workable defence would need to be broad enough to apply economy-wide.

New clause 19 raises the introduction of a statutory defence to the Computer Misuse Act. I acknowledge the strong sentiment regarding reform of the CMA. There is no doubt that UK cyber-security professionals play a significant role in maintaining the country’s overall security and resilience. Supporting them is vital.

I agree with the principle behind the new clause: that a defence to section 1 of the Computer Misuse Act could strengthen the resilience of network and information systems by allowing researchers to spot and share vulnerabilities. The Government are already conducting a review of the Computer Misuse Act, and we have made significant progress in developing a proposal for a limited defence to the offence provided for in section 1 of the Computer Misuse Act.

Kanishka Narayan

- Hansard -

Copy Link

- - Excerpts

My hon. Friend is absolutely right to recognise the shared sense on the principle of reforming the Computer Misuse Act. Although I am not in a position to give him a specific timeline, I absolutely take into account his recognition that the work needs to proceed at pace. Having held an industry engagement recently on specific proposals, with more than 75 attendees from a range of cyber-security organisations, the Home Office is now reviewing specific feedback as a particular proposal. The question is not whether we will reform the Computer Misuse Act, but simply how.