Andrew Cooper (Mid Cheshire) (Lab)

- View Speech - Hansard -

Copy Link

-

It is a privilege to follow my hon. Friend the Member for Milton Keynes Central (Emily Darlington), who made a fantastic speech. I do not think mine will be of quite the same quality, but I will do my best.

Having spent my career prior to entering this place as a software developer, it is perhaps not so much a pleasure as a blast of nostalgia to be speaking on this Bill today. The Bill provides for an important and long-overdue update to the NIS regulations, and provides the means to keep those regulations up to date more quickly as new threats emerge. That was a massive gap in our capability left behind by the rather haphazard and cavalier manner of our departure from the EU, and it is absolutely right that we resolve it as soon as we can.

It is a cliché to say that the nature of the threats we face has changed. Whether it is state-sponsored cyber-attacks, hacktivism, identity theft or ransomware attacks, those threats can have a widespread and significant impact on people’s lives, on the wider economy, and on our safety and security. Many Members from across the House have noted the cyber-attack on Jaguar Land Rover —which led to that company posting a loss of £485 million last year and, as I think we heard earlier, to a £2 billion impact on the wider economy—and the Co-op infiltration, which cost that retailer at least £206 million. However, this is not a new issue, and virtually no area of the economy has not experienced attempts to penetrate its systems and cause disruption or steal data.

Andrew Cooper

- Hansard -

Copy Link

-

I thank the hon. Member for his intervention. I confess that I am not an expert on the IT of Gloucester city council, but I am sure the Minister has heard his intervention, and may wish to respond in his summing up.

I welcome the measures in the Bill to bring managed service providers and data centre infrastructure into scope. When I began my career working on hotel reservation systems, legacy on-premise infrastructure was the standard operating practice. Some organisations would develop their own line of business systems and some would buy in, but virtually all would be hosted on their own servers, often with clever names such as Spartacus, Xena or Buffy the Vampire Slayer—names that I worked with over the years.

That situation changed for a whole pile of reasons, such as the need to support more public access, the requirement to facilitate more home working, huge increases in the speed of domestic and business broadband, the need to provide failover, redundancy and scaling, the shift away from big capital investment towards infrastructure as a service, and wanting to benefit from more rapid roll-out of features and applications that require significant server infrastructure behind them, such as we have seen more recently with AI. Systems have been moving virtually wholesale to those that are managed remotely and sandboxed to multiple organisations, and towards virtual servers or services in data centres, rather than on-premise tin.

Bringing these two areas into scope is obvious, and it is long overdue. I offer a note of caution about this part of the Bill, and it relates to the threshold at which the regulations apply. For managed service providers, we need to ensure that we are providing appropriate levels of cyber-security without blocking new entrants to the market. That applies to critical suppliers, too. The risk is that we end up boosting the hegemony of the big outsourcers and IT suppliers, rather than being able to support new domestic entrants. There is a risk of vendor lock-in, as we have heard several times today. Equally, the threshold on data centres appears to have been set so high that only larger ones will be in scope. I hope that the Minister will keep both of those points under review as the Bill progresses and think about how we can strengthen this provision to strike the right balance.

The other area of the Bill that I want to talk about relates to the regulators. The Minister set out in his opening remarks why he believes a sectoral approach is appropriate, and there is merit to that argument. Sectoral regulators have deep, long-standing institutional knowledge and they understand how the processes work in their sector. However, as I touched on earlier, the consequences of failure are enormous, with real-world impacts on people’s everyday lives. We should not expect an overarching cyber regulator to have the domain-specific knowledge of the water sector or the air traffic control sector, and nor should we expect every sectoral regulator to carry the expertise of how modern scalable data centres that detect faults automatically and automatically failover to different regions or different jurisdictions work. We just need to think about what the priority of an individual sectoral regulator will be, because it will not necessarily be cyber-security. We have to get the balance right, and we need to listen to the sectoral expertise on that.

In conclusion, this Bill is an important and long-overdue update to the UK’s cyber-security framework. I look forward to working with the Government to get the scope and scale of these regulations right and to ensure that all the systems that we rely on every day are secure in the face of current and emerging threats.