Andrew Cooper (Mid Cheshire) (Lab)

- Hansard -

Copy Link

-

Q Carla, I want to come back on the potential for unnecessary over-reporting of incidents. I cannot speak for the Minister, but I am sure it is not his intention that every phishing email is reported. I was listening carefully to what you said about your proposed tiered approach, and I can imagine, say, a situation where you are United Utilities and you intercept somebody trying to put a pre-emptive virus on to one of your industrial control systems. There has been no impact on customers or your infrastructure, because you have caught it. However, I would argue that it is quite important that United Utilities share that information with the regulator and that that information is disseminated to Severn Trent, Thames Water and whoever else needs to know, so they can patch their systems, look out for the virus or find out whether they have been infected already.

I can imagine that the legislation has been worded as it is to try to capture that situation where activity might occur, but not have an impact. Would you accept that that is important, and how would that fit in with the tiered approach that you described?

Carla Baker: I completely get your point. We have looked at that; my legal colleagues have looked at things such as spyware, where you have malware in the system that is not doing anything but is living there, for example, or pre-emptive, where they are waiting to launch an attack, and we think this amendment would still cover those scenarios. It is not necessarily cause and impact: the lights have not gone out, but if there is, for example, a nation state actor in your network, we think the amendment would still cover that.