Chris Vince

- Hansard -

Copy Link

- - Excerpts

Q Part of my concern is the pace of change in the technology that hackers are using, and I am sure that is a concern for you as well. One of the conversations about the Bill is about how flexible or inflexible it should be. What is your view on the changing pace of the threat we face from criminality when it comes to cyber-attacks, and on how the Bill can best be framed to deal with that ever-changing challenge and threat?

DCS Andrew Gould: It is a tricky one. It feels like the technology change is getting ever faster and ever more challenging, but I first went into cyber-crime in the Met back in 2014, and we are giving the same advice now as we were giving then. Sometimes your head can explode with the technical complexity of it, but a lot of the solution just comes down to doing the really boring basics in a world-class way. It is things like patching and doing your software updates. Whether you are a member of the public or running an organisation, finding a way to do those updates and patches means that 50% of the threat has gone, there and then. With something like multi-factor authentication, it seems like most organisations do not want to inconvenience their staff or customers by putting it in place, but that would be another 40% of the problem solved. It is not infallible—nothing is—but if you are thinking about how attacks are still successful, it is pretty basic: a lot of our protections are not in place. Solving that means that 90% of the threat is gone, there and then. That then leaves the 10% of more sophisticated threats—let’s make the criminals work a bit harder.

Chris Vince

- Hansard -

Copy Link

- - Excerpts

Q Thank you for your time, Minister. Listening to the evidence and looking at the Bill, what strikes me is that this is about a balance between the importance of flexibility—particularly given the increase in threat and the complexity of the issues we face—and businesses wanting certainty. Do you feel confident that the Bill strikes that balance, and how have you sought to ensure that it does?

Kanishka Narayan: The primary thing to say is that the range of organisations—commercial ones as well as those from the cyber-security world more generally—coming out to welcome the Bill is testament to the fact that it is deeply needed. I pay tribute to the fact that some of the provisions were engaged on and consulted on by the prior Government, and there is widespread consensus across industry and in the regulatory and enforcement contexts about the necessity and the quality of the Bill. On that front, I feel we are in a good place.

On specific questions, of course, there is debate—we have heard some of that today—but I am very much looking forward to going through clause by clause to explain why the intent of the Bill is reflected in the particular definitions.

Chris Vince (Harlow) (Lab/Co-op)

- Hansard -

Copy Link

- - Excerpts

Q I feel that I should declare an interest as the MP for Harlow, which has a large data centre within it. My question is about international alignment. Is this legislation in keeping with developments that you are seeing globally?

David Cook: There is reform all over the world. At its core, we have got a European law that is transposed in UK national legislation, the General Data Protection Regulation. That talks about personal data and has been seen as the gold standard all over the world. Different jurisdictions have implemented, not quite a copycat law, but one that looks a lot like the GDPR, so organisations have something that they can target, and then within their territory they are often going to hit a compliance threshold as well. Because of changes in the geopolitical environment, we are seeing—for example in Europe, but also in Australia and the United States—specific laws coming in that look at the supply chain in different sectors and provide for more onerous obligations. We are seeing that in the environment. NIS2 is being transposed into national laws. Organisations take a long time to get to the point of compliance. We are probably behind the curve, but this is not a new concept. Adapting to change within tech and change within how organisations themselves are relying on a supply chain that is more vulnerable and fragile is common.