Dr Ben Spencer (Runnymede and Weybridge) (Con)

- View Speech - Hansard -

Copy Link

-

The cyber Bill should be one of the most fundamentally important pieces of legislation the House will consider in this Parliament, because the UK’s cyber-resilience is a cornerstone of the foremost duty of Government: the protection of the people.

The shadow Secretary of State has already made clear that His Majesty’s official Opposition appreciate the urgent need to act to protect our society, our economy and our security in the face of growing and evolving cyber-security risks. The cyber Bill, however, is a Bill of missed opportunities. It would not have stopped the JLR or Marks & Spencer cyber-attacks. It is silent on the threats from hostile state actors, and it does not answer the fundamental question of: if NIS1 was not enforced, what difference will further regulations make?

Cyber-security is key to our national security. It is too important an issue to play partisan politics with. As a responsible Opposition, we will work with the Government to get the approach to this legislation correct.

Many Members have made insightful contributions today. My right hon. Friend the Member for Hertsmere (Sir Oliver Dowden), who has great experience in this regard, raised the issue of hostile state actors and gave the Ministers some practical advice on which I hope they will reflect. My hon. Friend the Member for Exmouth and Exeter East (David Reed) spoke about his professional experience and about the need for proportionate regulations and modification of the Computer Misuse Act 1900, which was mentioned by several other Members. My hon. Friend the Member for Bromsgrove (Bradley Thomas) made an important point about physical technology and the risk of threats from cellular modules. My hon. Friend the Member for Bognor Regis and Littlehampton (Alison Griffiths) also spoke about her own experience and, in particular, about the importance of the Government’s ensuring that the Bill has an impact. The hon. Member for Ceredigion Preseli (Ben Lake) mentioned digital sovereignty, another important issue which we have discussed on many occasions in this place.

We also heard from the hon. Member for Warwick and Leamington (Matt Western), the Chair of the Select Committee; from the hon. Members for Newcastle upon Tyne Central and West (Dame Chi Onwurah) and for South East Cornwall (Anna Gelderd); from the right hon. Member for Oxford East (Anneliese Dodds); and from the hon. Members for Congleton (Sarah Russell), for Northampton South (Mike Reader), for Portsmouth North (Amanda Martin), for Milton Keynes Central (Emily Darlington), and for Mid Cheshire (Andrew Cooper).

The gravest and the most pernicious risks to UK cyber-security go completely unaddressed by this Bill. Cyber is the emerging battlefield of state security, with hostile state actors ramping up their efforts to disrupt our society, our economy and our democracy apace. Time and again in this Parliament, the Government have baulked at acknowledging the elephant—or, in this case, the dragon—in the room when it comes to matters of national security. Last year the director of GCHQ, the UK’s intelligence and cyber-security agency, confirmed that it devotes more resource to China than any other single mission.

The evidence is clear: the Chinese Communist party is one of the greatest national security threats that our country faces. In November last year, Mr Speaker took the exceptional step of circulating a briefing from MI5 warning of the widespread efforts of individuals and organisations working on behalf of the Chinese Ministry of State Security to target Parliament for intelligence gathering. In the intervening weeks we have learned that Home Office systems were accessed, apparently by a Chinese state-affiliate group. Reports have circulated that the attack is linked to the Chinese gang Storm 1849, previously connected with cyber-attacks on MPs and the Electoral Commission. Furthermore, in December 2025 the Government confirmed that they had sanctioned two Chinese companies for perpetrating what they described as indiscriminate cyber-attacks on the UK public and private sector IT systems.

These are not isolated incidents. They are evidence of a concerted and intensifying campaign on the part of the Chinese Communist party and its affiliates to undermine vital public services and UK businesses. How our country, and how our democratic allies and partners, face the threat of hostile state actors, working in concert, is an epoch-defining challenge. It is a challenge that we must meet, or we will live to regret it.

It is no coincidence that several recent cyber-incidents have targeted organs of Government, with malicious actors rightly perceiving that many of our Departments are the weakest links in the cyber-security ecosystem. The National Audit Office’s 2025 report on Government cyber-resilience laid bare the inconsistent, and in some cases glacial, progress of the Government in making effective improvements in cyber-resilience. Last month’s attack on Home Office IT systems is a stark reminder of the urgency of improving Government cyber-security. His Majesty’s official Opposition have received a clear message from cyber-industry stakeholders: the Government should be leading from the front and setting the standard for effective cyber-resilience. I am pleased that the Government managed, at the last moment, to push out the cyber action plan today. It acknowledges the challenge, but how it will ensure that change is delivered is unclear.

Attacks on household names such as Jaguar Land Rover, Marks & Spencer and the Co-op have raised public awareness of the risks we face, with consumer supply chains interrupted and jobs put in peril. However, the Bill would not have prevented those attacks had it been in force when they took place. Given the constraints on public finances as a result of the Chancellor’s reckless Budget decisions, the Government need to ask themselves how many cyber-attacks of the magnitude of that on JLR we can afford to bankroll. The Government must undertake an urgent review to identify companies whose failure as the result of a cyber-attack would present a comparable risk to the UK economy to that on JLR.

Failing to address all the urgent problems will leave an open goal for malicious cyber-actors to undermine the UK’s security and prosperity. The House is unlikely to revisit cyber-security legislation for some time. The threat to our economy and national security from malicious cyber-actors is one of the most serious we face as a country.

In the parliamentary debate after MI5’s China espionage briefing, the Minister for Security pledged to strengthen the legislative tools available to disrupt the threat. Why not use the opportunity presented by the Bill to address that head-on? We stand ready to work with the Government to stand up for and protect our country, and to prevent the Bill from becoming yet another missed opportunity.