Dr Ben Spencer (Runnymede and Weybridge) (Con)

- View Speech - Hansard -

Copy Link

-

The cyber Bill should be one of the most fundamentally important pieces of legislation the House will consider in this Parliament, because the UK’s cyber-resilience is a cornerstone of the foremost duty of Government: the protection of the people.

The shadow Secretary of State has already made clear that His Majesty’s official Opposition appreciate the urgent need to act to protect our society, our economy and our security in the face of growing and evolving cyber-security risks. The cyber Bill, however, is a Bill of missed opportunities. It would not have stopped the JLR or Marks & Spencer cyber-attacks. It is silent on the threats from hostile state actors, and it does not answer the fundamental question of: if NIS1 was not enforced, what difference will further regulations make?

Cyber-security is key to our national security. It is too important an issue to play partisan politics with. As a responsible Opposition, we will work with the Government to get the approach to this legislation correct.

Many Members have made insightful contributions today. My right hon. Friend the Member for Hertsmere (Sir Oliver Dowden), who has great experience in this regard, raised the issue of hostile state actors and gave the Ministers some practical advice on which I hope they will reflect. My hon. Friend the Member for Exmouth and Exeter East (David Reed) spoke about his professional experience and about the need for proportionate regulations and modification of the Computer Misuse Act 1900, which was mentioned by several other Members. My hon. Friend the Member for Bromsgrove (Bradley Thomas) made an important point about physical technology and the risk of threats from cellular modules. My hon. Friend the Member for Bognor Regis and Littlehampton (Alison Griffiths) also spoke about her own experience and, in particular, about the importance of the Government’s ensuring that the Bill has an impact. The hon. Member for Ceredigion Preseli (Ben Lake) mentioned digital sovereignty, another important issue which we have discussed on many occasions in this place.

We also heard from the hon. Member for Warwick and Leamington (Matt Western), the Chair of the Select Committee; from the hon. Members for Newcastle upon Tyne Central and West (Dame Chi Onwurah) and for South East Cornwall (Anna Gelderd); from the right hon. Member for Oxford East (Anneliese Dodds); and from the hon. Members for Congleton (Sarah Russell), for Northampton South (Mike Reader), for Portsmouth North (Amanda Martin), for Milton Keynes Central (Emily Darlington), and for Mid Cheshire (Andrew Cooper).

The gravest and the most pernicious risks to UK cyber-security go completely unaddressed by this Bill. Cyber is the emerging battlefield of state security, with hostile state actors ramping up their efforts to disrupt our society, our economy and our democracy apace. Time and again in this Parliament, the Government have baulked at acknowledging the elephant—or, in this case, the dragon—in the room when it comes to matters of national security. Last year the director of GCHQ, the UK’s intelligence and cyber-security agency, confirmed that it devotes more resource to China than any other single mission.

The evidence is clear: the Chinese Communist party is one of the greatest national security threats that our country faces. In November last year, Mr Speaker took the exceptional step of circulating a briefing from MI5 warning of the widespread efforts of individuals and organisations working on behalf of the Chinese Ministry of State Security to target Parliament for intelligence gathering. In the intervening weeks we have learned that Home Office systems were accessed, apparently by a Chinese state-affiliate group. Reports have circulated that the attack is linked to the Chinese gang Storm 1849, previously connected with cyber-attacks on MPs and the Electoral Commission. Furthermore, in December 2025 the Government confirmed that they had sanctioned two Chinese companies for perpetrating what they described as indiscriminate cyber-attacks on the UK public and private sector IT systems.

These are not isolated incidents. They are evidence of a concerted and intensifying campaign on the part of the Chinese Communist party and its affiliates to undermine vital public services and UK businesses. How our country, and how our democratic allies and partners, face the threat of hostile state actors, working in concert, is an epoch-defining challenge. It is a challenge that we must meet, or we will live to regret it.

It is no coincidence that several recent cyber-incidents have targeted organs of Government, with malicious actors rightly perceiving that many of our Departments are the weakest links in the cyber-security ecosystem. The National Audit Office’s 2025 report on Government cyber-resilience laid bare the inconsistent, and in some cases glacial, progress of the Government in making effective improvements in cyber-resilience. Last month’s attack on Home Office IT systems is a stark reminder of the urgency of improving Government cyber-security. His Majesty’s official Opposition have received a clear message from cyber-industry stakeholders: the Government should be leading from the front and setting the standard for effective cyber-resilience. I am pleased that the Government managed, at the last moment, to push out the cyber action plan today. It acknowledges the challenge, but how it will ensure that change is delivered is unclear.

Attacks on household names such as Jaguar Land Rover, Marks & Spencer and the Co-op have raised public awareness of the risks we face, with consumer supply chains interrupted and jobs put in peril. However, the Bill would not have prevented those attacks had it been in force when they took place. Given the constraints on public finances as a result of the Chancellor’s reckless Budget decisions, the Government need to ask themselves how many cyber-attacks of the magnitude of that on JLR we can afford to bankroll. The Government must undertake an urgent review to identify companies whose failure as the result of a cyber-attack would present a comparable risk to the UK economy to that on JLR.

Failing to address all the urgent problems will leave an open goal for malicious cyber-actors to undermine the UK’s security and prosperity. The House is unlikely to revisit cyber-security legislation for some time. The threat to our economy and national security from malicious cyber-actors is one of the most serious we face as a country.

In the parliamentary debate after MI5’s China espionage briefing, the Minister for Security pledged to strengthen the legislative tools available to disrupt the threat. Why not use the opportunity presented by the Bill to address that head-on? We stand ready to work with the Government to stand up for and protect our country, and to prevent the Bill from becoming yet another missed opportunity.

Dr Ben Spencer (Runnymede and Weybridge) (Con)

- Hansard -

Copy Link

-

It is a pleasure to serve under your chairmanship, Mr Turner. I thank the hon. Member for Perth and Kinross-shire (Pete Wishart) for securing this timely and important debate, as well as his characteristically forceful and measured speech. It has been a fun debate with lots of contributions. I am sure there will be plenty more opportunities going forward, but I want to draw out a few particularly powerful contributions.

First, my hon. Friend the Member for South Shropshire (Stuart Anderson) pointed out the issues around the prevalence of digital exclusion and the use of the veteran card. Secondly, my right hon. Friend the Member for Goole and Pocklington (David Davis) rightly pointed out the issues that the gov.uk One Login has had. Thirdly, my hon. Friend the Member for Farnham and Bordon (Gregory Stafford) pointed out the problem of the prevalence of digital poverty among the elderly. Finally, the hon. Member for Dewsbury and Batley (Iqbal Mohamed), who always speaks with great wisdom in these debates, spoke about the issue of multiple NHS logins.

This plan will make Government-issued digital ID compulsory to access work. Ignore the piffle—this is de facto mandatory. Given the contentious history of mandatory ID schemes in this country, one might have expected a policy of such weighty constitutional importance to appear in the Government’s manifesto, but it was conspicuously absent—like most current Government policy.

Earlier this year, I stood across the Dispatch Box from the previous Minister, debating the digital verification system brought in by the Data (Use and Access) Act 2025. That scheme created a trust framework for a register of approved providers of digital identity verification services. Building on the competitive ecosystem established by the last Government, private sector companies are already providing right to rent, right to work and many other identity checks.

Dr Spencer

- Hansard -

Copy Link

-

The point is that we have a sector that is already developing voluntary ID schemes. It is now being let down by the Government, who are bringing in their own mandatory scheme. Not once in the course of previous debates did the Minister mention that the Government intend to launch their own mandatory digital ID system for the right to work or anything else, but the concerns with this policy go beyond questions of democratic legitimacy.

The National Audit Office’s report on Government cyber-resilience, published early this year, contains a number of concerning findings about serious gaps in cyber-security amongst Government Departments and public sector bodies. One of the most concerning is that the Cabinet Office does not have a strategy for how Government organisations could become cyber-resilient by 2030.

There is no current plan to secure the Government’s cyber-resilience over the very same timeframe that this mandatory Government-run identity scheme, which will host the data of every working person in the UK, will be rolled out. We are yet to hear from the Government a clear timescale for bringing their cyber-security and resilience Bill forwards.

Digital inclusion remains a challenge for many across this country and impacts vulnerable groups, such as those on low incomes and those with disabilities, the most. The Government’s policy of making digital ID mandatory to access work flies in the face of digital inclusion. The consideration given to digital exclusion being, “Well, we are going to consult on what to do,” as an afterthought is frankly shameful.

Digital inclusion was at the heart of the previous Government’s levelling-up ambitions. The Government published their own digital inclusion plan in February, which will be implemented over several years. Why not concentrate on putting that plan into effect, rather than diverting resources towards their own costly digital identity programme? Universal digital inclusion and robust cyber-security must be conditions precedent to any Government-run ID scheme. At the moment, we have neither.

We are left with a number of pressing questions. Why was this flagship policy not part of the Government’s election manifesto last year? Why has it been brought forward now? Why should it be mandatory rather than optional? Why are the Government pursuing a costly, Government-run ID scheme when the private sector infrastructure for digital ID services exists already? What is the Government’s plan to keep citizens’ data secure? Can the Minister guarantee that no one lawfully eligible to work will be excluded from employment by this scheme?

Dr Ben Spencer (Runnymede and Weybridge) (Con)

- Hansard -

Copy Link

-

8. What assessment she has made of the ability of the CPS to participate successfully in virtual hearings during the covid-19 outbreak.

Dr Spencer

- Hansard -

Copy Link

-

One of the challenges of moving virtually is that it can act as a barrier to certain groups, and I am sure that my right hon. and learned Friend would agree that justice needs to be fair, open and available to all. What measures are in place to support people with vulnerabilities—such as people living with disabilities and people with health and mental health issues—in navigating the criminal justice system?