Jaguar Land Rover Cyber-attack Debate
Full Debate: Read Full DebateDepartment: Department for Business and Trade
Chris Bryant
Main Page: Chris Bryant (Labour - Rhondda and Ogmore)Department Debates - View all Chris Bryant's debates with the Department for Business and Trade
Jaguar Land Rover Cyber-attack
Chris Bryant Excerpts(1 day, 23 hours ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Urgent Questions are proposed each morning by backbench MPs, and up to two may be selected each day by the Speaker. Chosen Urgent Questions are announced 30 minutes before Parliament sits each day.
Each Urgent Question requires a Government Minister to give a response on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
The Minister of State, Department for Business and Trade (Chris Bryant)
Thank you, Mr Speaker. I fully recognise the anxiety and deep concern that employees at Jaguar Land Rover and across the supply chain will be feeling. The Government and the National Cyber Security Centre will do everything in our power to help resolve this as soon as possible. We are engaging with JLR on a daily basis to understand the challenges that the company and its suppliers are facing, and we are monitoring the situation closely. I have spoken to the company myself, and I will have a further meeting with the chief executive officer later this week. I understand that the company has also invited local MPs to a question and answer session this Friday.
The National Cyber Security Centre has been working with Jaguar Land Rover since last Wednesday to provide support in relation to the incident. I am sorry that there is a limit to what I can say on the specifics because I do not want to prejudice the ongoing investigations.
The cyber-security of the UK, however, is a key priority for the Government—crucial to protecting the public, our way of life and the successful growing economy. We have been taking significant action to help protect businesses against cyber-attacks. We are reducing cyber-risk across the economy by making technology more secure by design. That includes the Product Security and Telecommunications Infrastructure Act 2022, introduced by the previous Government, which requires manufacturers to build security into the manufacture and operation of internet-connected devices; the software security code of practice, which sets out how vendors and developers should make their software more secure; and the AI cyber-security code of practice, which sets out how AI developers should design and operate AI systems securely.
We are also providing businesses with the tools, advice and support to protect themselves from cyber-threats. That includes the cyber governance code of practice, which shows boards and directors how to effectively manage the digital risks to their organisations; the highly effective cyber essentials scheme to prevent common attacks, reducing the likelihood of a cyber insurance claim by 92%; and a wide range of free tools and support from the National Cyber Security Centre, including training for boards and staff, the “Check Your Cyber Security” tools to test IT systems for vulnerabilities, and the early warning system to get notified about cyber-threats to networks. I urge all businesses to take up these tools and improve their cyber-defences.
It is not for me to announce future business of the House, but when parliamentary time allows the Government will introduce the cyber-security and resilience Bill to raise cyber-security standards in critical and essential services, such as energy, water and the NHS.
Derek Twigg
I am grateful to you, Mr Speaker, for granting this urgent question—as a north-west MP, you know what a large employer JLR is in the region. As we have heard, this serious cyber-attack on Jaguar Land Rover has stopped production and halted sales, and staff have been instructed to stay at home. The car plants at Halewood in my constituency and in Solihull, and other production facilities around the world, have been unable to operate. From what has been reported, JLR shut down its IT systems in response to the attack. I believe that dealerships have been unable to register new cars and—initially, at least—garages that maintain JLR vehicles were unable to order the parts they needed.
The JLR Halewood plant in my constituency is an important and valued employer. Many of my constituents are employees, which is also the case for my neighbouring Merseyside MPs. Thousands of jobs in the supply chain have been affected. I am disappointed that despite the cyber-attack happening just over a week ago to one of our most important businesses, which has nearly 33,000 direct employees and, of course, a huge supply chain, no statement has been made to Parliament on what actions have been taken to help the company or to prevent future attacks.
The latest attack raises wider issues following on from the attack on Marks & Spencer. The two instances in themselves are very worrying. One would like to believe that all companies reviewed their cyber-security after the M&S attack. If these attacks continue, there could be an ongoing and even more serious effect on our economy. What are the Government doing to help protect our businesses from cyber-crime? I have heard what the Minister has said today, but it is in our national security interest for them to work closely with business. Is there an underlying weakness in how business is dealing with cyber-security? In that regard, we heard from Ciaran Martin, former head of the National Cyber Security Centre, on the “Today” programme this morning, suggesting that companies are perhaps focusing more on protecting customer data at the expense of the security of their operations.
This House needs to hear more in the coming months about what the Government are doing to work with business and to help prevent these attacks being successful, because they are a threat to our economy and to national security.
Chris Bryant
First, I commend my hon. Friend on seeking this urgent question and you, Mr Speaker, on granting it. My hon. Friend makes the important point that Jaguar Land Rover is not only an iconic national brand, but a very significant employer—it employs 34,000 people in the UK, including in his constituency, and 39,000 worldwide. He is right that we need to ensure that cyber-security is something that every company in the land take seriously, and every public sector organisation. In my previous ministerial role I was conscious of the attack on the British Library, which was actually one of the most financially significant attacks heretofore, and it pointed the way for some of the other issues arising across the economy, which is why we have been keen to bring forward a Bill on this, as stated in the King’s Speech. We will introduce such a Bill “soon”—I think I can get away with that with the Chief Whip and the Leader of the House, although, in the words of Humpty Dumpty, when I use a word it means precisely what I choose it to mean, no more and certainly no less. As my hon. Friend says, there are serious issues that we need to address across the whole of the economy to ensure that we get this right.
My hon. Friend pointed to one person; I point to another—Richard Horne, the chief executive officer of the National Cyber Security Centre—who recently stressed that the UK faces increasingly hostile activity in cyber-space. We simply cannot afford any degree of complacency in this. There are major criminals operating in this space, as well as some malicious state actors, and some 40% of companies in the UK reported last year that they had faced some kind of cyber-attack. It is a very important issue that we take seriously.
Dame Harriett Baldwin (West Worcestershire) (Con)
I congratulate the hon. Member for Widnes and Halewood (Derek Twigg) on securing this important urgent question. I welcome the Minister to his new role, although I will never be able to rival his literary quotations.
This attack on Jaguar Land Rover is extremely concerning. The impact on that world-leading business, and on its suppliers and workers, has been significant. I hope that the whole House agrees that we must use the full force of the state to crack down on cyber-criminals. I appreciate that the Minister is constrained in what he can say, but when were the Government and the National Cyber Security Centre informed of the attack? What kind of support are the Government and law enforcement agencies able to offer Jaguar Land Rover? How much longer do the Government expect the disruption, which is impacting on the supply of vehicles, to continue?
The attack is just another in a series against British brands and iconic institutions—the Minister says that 40% of our businesses have been affected—including the attack earlier this year on Marks & Spencer. Will he elaborate on what the Government are doing to prevent future attacks? Has he identified who is responsible for the attack? Can he rule out its being a state-sponsored attack? If the group responsible for the attacks on Jaguar Land Rover and Marks & Spencer are linked, what progress have law enforcement agencies made in pursuing them?
Chris Bryant
I am not sure whether the shadow Minister is in a new role—
Chris Bryant
She is not; I will not welcome her to her new role, then—I welcome her to the Dispatch Box none the less. She asked a series of questions, and I will try to answer those that I can as precisely as possible.
First, the shadow Minister asked when the NCSC was notified and engaged. It has been engaged since last Wednesday. We have an undertaking that when people get in touch with the NCSC, the response will be very immediate.
The shadow Minister asked what engagement there is from the Government. The primary engagement is through the NCSC, which is fully engaged and devoted to the work. It is also in the public domain that the Information Commissioner’s Office was notified. I should clarify that that was not because JLR was certain that there had been a data breach, but it wanted to ensure that it had dotted every i and crossed every t, which is why it notified the Information Commissioner’s Office.
The shadow Minister asked about a timeline for getting this resolved. I wish that I could provide one, but I cannot. I think she will understand why: this is a very live situation that has been ongoing for a week. I note the points that JLR has been making. As I say, there will be an invitation for all local MPs—my hon. Friend the Member for Widnes and Halewood (Derek Twigg) should already have had one—for a Q&A session on Friday morning, when JLR hopes that it will be able to provide more information.
The shadow Minister asked what else we are doing. This summer, the Home Office undertook a consultation on our policy on ransomware. I am not saying that that relates specifically to this case—we do not know that yet and I am not coming to any foregone conclusions—but that is one of the things that we must address, and it was heartening to see resolute support from the vast majority of companies in the UK for our ransomware policy. Maybe we will come to that later.
The hon. Lady asked whether I can say who is responsible. I am afraid that I cannot. I note what is in the public domain, but I have no idea whether that is accurate and I do not want to impede the investigation. She asked whether the attack was state sponsored. Again, I do not want to jump to conclusions, and I can neither confirm nor deny anything. She also asked whether the case is linked with that of M&S. Again, I cannot answer that as fulsomely as I would wish, simply because I do not know, and I do not think anybody has come to any secure decisions on that. In one sense, all cyber-attacks are linked, in that it is the same problem, which is relatively new. The previous Government were seeking to tackle it, and we are seeking to tackle it in broadly the same way. Some of the techniques used are remarkably old-fashioned, such as ringing up helplines, which are designed to be helpful. That is exactly the same as when News of the World was ringing up mobile companies and trying to get PINs to hack other people’s phones. This is an old technique. The new bit is that sometimes people use AI-generated voices, which are remarkably accurate and can lead to further problems. I am not saying that that is what happened in this case, but some of the patterns are across the whole sector.
Liam Byrne (Birmingham Hodge Hill and Solihull North) (Lab)
I congratulate my hon. Friend the Member for Widnes and Halewood (Derek Twigg) on securing this urgent question, and warmly welcome the Minister to his new role. This is an extraordinarily serious issue, and the Business and Trade Committee will soon table its recommendations on tackling economic harms such as this. Many companies such as JLR now confront a much bigger threat surface, and the peril of state-backed threats. That is why this will be a much bigger issue in the future, and why companies in this country will need more than new laws. They will need new investment incentives to clean up legacy infrastructure that is currently not safe enough.
When we took evidence from Archie Norman and Marks & Spencer in the wake of that cyber-attack, we were given a distinct impression that more could have been done by agencies to help M&S. Will the Minister reassure the House that all the lessons from how the M&S case was handled have been learned, and that the state will bend over backwards to ensure that JLR has every assistance it needs to get back up and running, and to prosecute the guilty?
Chris Bryant
The single most important thing we can do is ensure that we end up prosecuting the guilty and that people are sent to prison, such as the gentleman—well, the person—in the United States of America who was recently sent down for 10 years as part of one of these networks, which was important. I am a Minister in the Department for Business and Trade, but the Minister for Security, my hon. Friend the Member for Barnsley North (Dan Jarvis), and the Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), who is on the Front Bench, are actively engaged in these discussions, and we must ensure a cross-Government approach. I look forward to what we will hear from the Business and Trade Committee. I was intrigued by what my right hon. Friend was saying about investment incentives, and I hope he might come up with some clever idea that we could put into practice once he has produced his report.
On the main point about whether we have learned all the lessons from M&S, I certainly think we have. I have read Archie Norman’s evidence to the Committee, and I hope that M&S has also learned the lessons that he laid bare. I hesitate in trying to make too immediate a connection between one case and another, because as my right hon. Friend will know, I do not want to prejudge what has happened in this particular set of circumstances.
Clive Jones (Wokingham) (LD)
I welcome the Minister to his new role. There has been a spate of cyber-attacks on important UK companies such as Jaguar Land Rover, on supermarkets and on the Legal Aid Agency. What are the Government doing to restore public and, just as importantly, international trust in the UK’s cyber-security networks? Do the Government think that the attacks have come from overseas?
Chris Bryant
That is the second time I have been asked whether this attack has come from overseas, although I suppose that is a slightly different question from one about state actors. Again, I am not going to prejudge the investigation—I can tell that the hon. Gentleman knows that, because he is smiling. He referred to UK companies, but were I speak to any of my counterparts in Europe, or in most countries in the world, I would find that they are going through exactly the same issue. Qantas, Pandora, Adidas, Chanel, Tiffany & Co., Cisco—all those companies have had major attacks over the past months, and unfortunately that is simply a part of modern business. It is a despicable practice and a set of criminal actions. We must prosecute those who are responsible and ensure that they go to jail for a very long time, so that we can protect our industry in the UK, and co-operate with other international agencies to ensure that we do the same around the world.
Maria Eagle (Liverpool Garston) (Lab)
I congratulate my hon. Friend and neighbour the Member for Widnes and Halewood (Derek Twigg) on securing this urgent question. I used to represent the Halewood plant until boundary changes, and hundreds of my constituents work at that plant, with many more working in supplier companies. They are at home and being paid at the moment, but The Sunday Times reported that prospects of a quick end to the saga are limited, and that the worldwide shutdown is costing £72 million a day in lost sales. Despite requests, local MPs have had no meaningful information from the company, although we have a 30-minute Zoom call on Friday, which is a start. What can the Government do to ensure that this disaster is brought to a close as soon as possible? These attacks threaten our economy and our national security, so what help can the Minister offer the company and my constituents at this worrying time? Things do not seem to be getting any better.
Chris Bryant
I pay tribute to my right hon. Friend for all the work that she and I did together, particularly on space, in my old job and in hers. She was an excellent Minister to do business with, and I slightly fear having her on the Back Benches as she is a very redoubtable person. Many suppliers, including Evtec, WHS Plastics, Sertec, OPmobility and a series of others, are in an even more complex situation than Jaguar Land Rover, and I will try to co-ordinate the activity that we are doing in our Department to ensure that we provide every possible support to them. I note the tone in which my right hon. Friend said that MPs were getting a half-hour Zoom call on Friday. I will try to ensure that all MPs get the support they need, so that they can do the job of reassuring their constituents. Earlier today I made that point forcibly to JLR, and as I say, I intend to have a meeting with its chief executive later this week. When I possibly can I want to keep MPs updated, either individually in constituencies, or the whole House.
Sir Edward Leigh (Gainsborough) (Con)
I congratulate the hon. Gentleman on surviving the reshuffle. This Minister adds to the general merriment of the nation, so we will miss him when he’s gone—[Laughter.] We’re all mortal. May I ask a serious question about the public sector? As it happens, I am an enthusiast for the Prime Minister’s idea of a national digital ID card as a means of countering illegal working, but it raises a whole new spectre if tens of millions of people have an ID card on their mobile phone in their pocket and malign forces—Russia and elsewhere—seek to attack us. What work are the Government doing with their Bill and in the National Cyber Security Centre to try to get this right?
Chris Bryant
The right hon. Gentleman is right on two points, and to take his point a little further, data is a wonderful thing—a gold mine, in many ways—but it is also a potential vulnerability. We must ensure that if we take people into a digital future, with digital ID cards—I am not saying that we are, but if we were to go down that route; or wherever we go, for instance with a digital driving licence, which we will have soon—we must ensure that it is safe, secure, and that people’s data is not imperilled.
I do not know what the right hon. Gentleman meant about me surviving. I love him too.
Sonia Kumar (Dudley) (Lab)
I warmly welcome the Minister to his place. In the light of the cyber-security breaches survey published in April 2025, which reported that 43% of businesses and 30% of charities experienced a cyber-attack last year, what steps is he taking to strengthen national cyber-security? How are the Government working with businesses and charities to improve prevention and ensure better intelligence-sharing, as a matter of national security?
Chris Bryant
I am grateful to my hon. Friend, who is on the Business and Trade Committee, which I will be before next week, I think. On ransomware, one of the questions is whether we know the full extent of what is going on in the UK. That is why we have suggested mandatory reporting. It is interesting that more than 70% of businesses in the UK agreed with what was in the consultation that the Home Office produced in the summer, and I hope that we can introduce further measures when the Bill comes forward. I have referred to some of the means of providing support to businesses up and down the land, but I am happy to fill my hon. Friend in with more details, if she wants to grab me afterwards.
Mr Joshua Reynolds (Maidenhead) (LD)
As has been said, Jaguar Land Rover is not the first British household name this year to experience cyber-attacks. In a recent Business and Trade Committee meeting, the chairman of Marks & Spencer said that he wished that somebody would ride in the cab with them for this experience; he felt like there was too much one-way traffic, and not enough dialogue between the Government and the business. Can the Minister reassure us that the Department has learned those lessons? Can he reassure us that Jaguar Land Rover is having that two-way dialogue, and that someone is in the cab with it at the moment?
Chris Bryant
We want to make sure that is the case. As I have said, I have spoken to Jaguar Land Rover, and I intend to have a further meeting with the chief executive later this week, though he is departing in November. Two new Ministers from the Department for Business and Trade are here. Our job and our absolute determination is to ensure that business can flourish in this country, because in the end, business largely pays the bills, keeps the lights on, keeps the NHS functioning, and keeps everything going. That is why we are determined to have a strong working relationship with businesses, in this and many other areas.
Bill Esterson (Sefton Central) (Lab)
We have heard from my hon. Friends and the Minister how wide the impact of the cyber-attack has been, across the economy. Hon. Members have mentioned the national security threat. The Minister gave evidence to the Joint Committee on the National Security Strategy in his previous role, and spoke about his confidence in the “robust” contingency plans in place for critical national infrastructure, to quote a phrase he used. To what extent does he have the same confidence when it comes to cyber-attacks?
Chris Bryant
The evidence that my hon. Friend mentions related to subsea cables, for which I think the situation is robust. In fact, we had another cut to one of the subsea cables during the summer months; it was, I think, repaired within eight days. We are one of the best countries in the world at repairing subsea cables, but we are also one of the more vulnerable countries, because we are an island nation. I assure him that we three Ministers—the Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), the Minister for Security and me—will apply exactly the same diligence and lack of complacency to this issue as to the issue of subsea cables.
Sir Andrew Mitchell (Sutton Coldfield) (Con)
I thank the hon. Member for Widnes and Halewood (Derek Twigg) for seeking and securing this urgent question. It is good to see the Minister in his place, with his perennially cheerful, Tiggerish demeanour, following the reshuffle.
In the royal town of Sutton Coldfield, we are extremely concerned about this incident. The Minister mentioned WHS Plastics, which is based in Minworth in my constituency. I spoke to the chief executive yesterday in some detail; he has 2,000 employees and eight plants, and the vast majority of his business goes to Jaguar Land Rover. The Minister will know that throughout the west midlands, there are probably more than 200,000 people in the supply chain who are directly affected, and I understand that all the factories globally have been shut down.
May I ask two questions to the Minister and support what was said by the Chair of the Business and Trade Committee, the right hon. Member for Birmingham Hodge Hill and Solihull North (Liam Byrne)? First, can we have an absolute assurance that we will have full help from all the relevant agencies of the state, and that they are seriously and 100% engaged in all this? Secondly, will the Minister press for maximum transparency, so that the staff who are being sent home in very large numbers, and who are naturally very anxious and worried about this issue, can be reassured to the greatest extent possible?
Chris Bryant
Yes, all the agencies will be engaged to the fullest possible extent. As the Chair of the Business and Trade Committee said, we will bend over backwards and do everything we possibly can to ensure that this issue gets resolved as soon as humanly possible; I do not want to say when that will be, because I simply do not know. If the right hon. Member for Sutton Coldfield (Sir Andrew Mitchell) would like to pass on the details of the chief executive of WHS Plastics, I am very happy to have a call with them, and with others in the supply chain, later this week. It is often not just individual companies, but the whole supply chain that is affected. As for Tigger, I seem to recall that the final line in the song is:
“the most wonderful thing about Tiggers is I’m the only one!”
Mrs Sureena Brackenridge (Wolverhampton North East) (Lab)
I thank my hon. Friend the Member for Widnes and Halewood (Derek Twigg) for securing this urgent question, and the Minister for coming to the Dispatch Box. Jaguar Land Rover is a valued employer in Wolverhampton North East and an iconic British brand, so the disruption to production and the impact on the wider supply chains have caused much concern. What action is being taken to protect businesses and supply chains from ransomware and cyber-attacks?
Chris Bryant
I laid out in my initial answer some of the things that the Government are already engaged in, such as the NCSC, which has had involvement with Jaguar Land Rover since last Wednesday. There are really good online aids that can help many companies work through how they can protect themselves better. Some of those things are relatively simple, but some are more complex; it depends on the size of the organisation. As I said, we have consulted on ransomware. As we have said previously, paying the criminals does not get us out of the hole; they are not to be trusted, and people should be extremely cautious. We do not recommend people paying ransoms in any circumstances. It does not solve the problem, and actually adds to the business model of the criminals, whom we want behind bars.
Saqib Bhatti (Meriden and Solihull East) (Con)
I welcome the Minister to his role, and thank him for recognising the anxiety of the staff in the supply chain. Jaguar Land Rover is a huge employer in my constituency, not least because I have the factory in Elmdon, which employs thousands, and there could be an effect on tens of thousands, through its supply chain. Many of my constituents will be really anxious, not least because there is a lack of information at the moment. I echo the comments of the right hon. Member for Liverpool Garston (Maria Eagle) about briefings for MPs. Can the Minister reassure my constituents that this Government will give the NCSC all the resources it needs to pursue the perpetrators? I am more than happy to work with him on that. Given the reports of losses being made every day, have there been any requests for financial support? Is he talking to Chancellor about anything like that, or is it too early to say?
Chris Bryant
I am tempted to say that it is too early to say, as the hon. Gentleman gave me that get-out clause at the end. The main thing I want to ensure is that all MPs have the information they need on a secure basis, so that they can provide reassurance to their constituents. I am sure that there will be all sorts of rumours spreading around, some of which may be very wide of the mark, and I want to ensure that JLR is able to provide information to everybody. We are going into recess next Tuesday; otherwise, I would have been more than happy to gather MPs to have these discussions in a private setting. It is probably best if we see how we go on Friday. I do not think that half an hour will suffice for a Zoom call with JLR; I will make that point to the chief executive.
Laurence Turner (Birmingham Northfield) (Lab)
I thank my hon. Friend the Member for Widnes and Halewood (Derek Twigg) for securing this urgent question, and welcome the Minister to his new role. JLR employs hundreds of people directly in my constituency, and many more indirectly. This is an extremely concerning time for them, and I hope that the Department will consider providing information directly to local MPs, in addition to engaging with the company. As has been said, this attack follows attacks on Marks & Spencer, the NHS, the British Library and other public institutions. I understand why the Minister has set out that the Government’s focus is on ensuring that companies are better protected and report these kinds of incidents, but can he assure the House that all steps are being taken to identify areas of critical national vulnerability in both the public and private sectors, so that we can try to avoid these attacks in the first place?
Chris Bryant
Yes, I can assure my hon. Friend that we do that. Of course, I fully understand that this issue comes on top of other issues for JLR this year, not least tariffs in the United States of America. As my hon. Friend knows, the Prime Minister was very personally engaged in making sure that we got a better deal with the United States, and was able to announce that in a JLR factory. I know that some voluntary redundancies are going through the normal business process at JLR at the moment; that has nothing to do with this cyber-attack. However, I can give my hon. Friend the assurance he asks for.
Sir Gavin Williamson (Stone, Great Wyrley and Penkridge) (Con)
Jaguar Land Rover is the largest employer in the west midlands, so every west midlands constituency is impacted by this cyber-attack. The attack on JLR is not the first of its kind, and it certainly will not be the last. Increasingly, we are seeing state actors using criminal gangs, whether they originate from Russia, North Korea or Iran, to get hard cash into their country. What more can the Minister and the state do to support our businesses with the robust defences that are required? They are fighting states, and they need this state right behind them.
Chris Bryant
They certainly have this state right behind them. Incidentally, I apologise to the right hon. Gentleman: I think I visited his constituency during the recess, and he might have known about it only 10 minutes before I arrived. We were looking at digital inclusion issues.
One thing that all businesses can do now is get a certificate for cyber-essentials, which is a programme that helps businesses to protect themselves better. I am very hesitant to jump to conclusions about overseas involvement in this situation at JLR, but of course the Government take very seriously the fact that there are undoubtedly foreign state actors who want to interfere in our businesses and, for that matter, in the way we do politics in this country. We need to keep our eyes wide open for that.
Shaun Davies (Telford) (Lab)
This cyber-attack is terrible news for Jaguar Land Rover and its supply chain. Many of those companies are based in and around my constituency. Pool Re is a publicly owned insurance provider that provides insurance cover for physical terrorist attacks, invests in terrorism reassurance initiatives, and has £2.3 trillion of assets on its books. Have the Government considered extending the reach of that publicly backed insurance scheme to cyber-incidents such as this one?
Chris Bryant
My hon. Friend has stumped me there. I do not have the faintest idea. I will have to write to him with an answer to that one.
Sir Jeremy Wright (Kenilworth and Southam) (Con)
I welcome the Minister to his new responsibilities, and on behalf of the many JLR employees in my constituency, welcome anything the Government can and will do to get JLR back to business as usual as soon as possible. On our broader defences, the Computer Misuse Act 1990 is 35 years old, and there are many who believe that its provisions impede the work of cyber-security professionals almost as much as, if not more than, cyber-criminals. Will he take this incident as an incentive to look again at the provisions of that Act, and to update it, as we need to, to make sure that cyber-security professionals can help companies such as JLR to deal with incidents just like this one?
Chris Bryant
The right hon. and learned Gentleman makes a very good point about legislation that is somewhat out of date and needs renewing. That is one of the reasons why, as we stated in the King’s Speech, we will introduce a new cyber Bill. I see the Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), nodding. If we do not do that properly, I am sure that the right hon. and learned Gentleman will table an amendment to the Bill when it is debated.
Dame Chi Onwurah (Newcastle upon Tyne Central and West) (Lab)
I congratulate the Minister on his new role. I am sorry that we never had the opportunity to welcome him to the Science, Innovation and Technology Committee when he was at the Department for Science, Innovation and Technology, but I believe I see the new artificial intelligence and cyber Minister, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), sitting on the Front Bench, and I look forward to welcoming and congratulating him.
The devastating JLR cyber-attack is one of a series of cyber-attacks that have been wreaking havoc on British businesses and consumers and undermining public confidence. Will the Minister confirm my understanding that neither JLR nor Marks & Spencer are deemed to be providers of essential services under cyber legislation, and are therefore not required to meet the highest levels of cyber-security and reporting requirements? If that is the case, will that change under the new cyber-security and resilience Bill, which he mentioned? If not, how will he improve cyber-resilience in our industry and society without such measures?
Chris Bryant
It is interesting, is it not? My hon. Friend makes a very good point. There is a balancing act for us to achieve: we do not want to overburden businesses with requirements, but we want to make sure they take every action to ensure they are properly protected. I will write to my hon. Friend if I have got this wrong, but my understanding is that those companies are not presently included. I am afraid that she will have to wait for the Bill, but our intention is that it will directly relate to things like energy and water supply—drinking water and things like that. As I say, it is a balancing act, trying to make sure that industry has the freedom to operate as it should while embodying the best practice.
One other thing I will say is that all businesses, whether large or small, should avail themselves of the early warning tool available from the National Cyber Security Centre whenever they think that they may have had an attack. It is really important that we have a real idea of the prevalence of this problem across the whole sector, and that we are able to join up the dots between different incidents.
Sir Julian Lewis (New Forest East) (Con)
I welcome the Minister to the world of “neither confirm nor deny”, though I fear it may cramp his inimitable style somewhat. Does he accept that there are broadly three categories of hacker? There are the show-offs, who are aiming to boost their egos in the online world; the wreckers, who are usually working on behalf of hostile countries or political ideologies; and the extortionists to whom he referred earlier, who are out to blackmail people and relieve them of large amounts of money. In every case, though, there is always the anxiety that people’s personal data is going to be compromised and publicised. To that end, is the Minister really satisfied that so many Government services that deal with personal data—the latest being His Majesty’s Revenue and Customs—insist that people go online to supply that data to Government?
Chris Bryant
The right hon. Gentleman makes a very good point about personal data. When I was the data Minister, that was one of the things I was trying to push very strongly—there is no point in trying to get people to give data if it is not then secure. That is the single most important part of what we have to do, not least because if people do not trust that their data is going to be secure, it is perfectly understandable that they are not going to surrender it. That does not just apply to Government, although it is very important in Government; it applies across all sorts of different companies.
I slightly take issue with the right hon. Gentleman’s delineation of those three groups; I think there is just one, which is a bunch of criminals. Their intent sometimes mixes a desire for cash with a desire for some kind of spurious infamy, but I just think of all of them as criminals. As for my inimitable style, I can neither confirm nor deny it.
Dr Scott Arthur (Edinburgh South West) (Lab)
I agree with those Members who have raised concerns about the impact that this cyber-attack might have on jobs. It also has an impact on our reputation as a country when two iconic brands basically have to go offline. I do not expect that this will be the last attack on either a retailer or an automotive company, but the risks to automotive companies are particularly acute, because going forward, cars are basically going to be computers on wheels. Customers will be concerned about what attacks mean for their security, but also about what the impact on the automated features within the car means for driver safety. The Minister said that the UK is increasingly a target; is that because of the interest in the UK, or because we are more susceptible?
Chris Bryant
No, I meant that every country in the world is increasingly susceptible, not just the UK. This is a growing business, and the worst thing we could do would be to feed that business model. I would urge caution about one thing. It may well be that we do not know all the incidents that have taken place, because understandably, lots of companies will not want to make them known publicly if they feel that they have managed to deal with the issue fairly swiftly. That is why, as I said, we consulted on the issue of ransomware earlier this summer, and I was gratified by the response we had from more than 70% of businesses.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
Fundamentally, this is a question about resilience across British industry. These attacks are costing British industries millions of pounds a day. What are the Government doing to facilitate knowledge-sharing within industry to boost resilience and guard against operational technology attacks? I know from personal experience that people in the cyber industries like to share information together, but require a forum to do so.
Chris Bryant
The hon. Member is right. For that matter, I suspect that every single Member of the House will have had some kind of attempted cyber-attack, whether that is phishing or vishing or whatever it may be on their mobile phones, where something comes up that looks remarkably possible. Then you say to yourself, “Oh, no, HMRC probably wouldn’t ask me to do that.” I urge all Members, incidentally, to take their own personal cyber-security seriously, and the House provides facilities for that. One other thing that we can do is for all companies to follow the cyber governance code of practice and provide board training. The more that board members understand these issues, the better.
Chris Vince (Harlow) (Lab/Co-op)
I welcome the Minister to his role. Previously, I inadvertently suggested that he was not a national treasure, and I would like to set the record straight on that one. More and more often, businesses and charities in my constituency of Harlow are reliant on the internet for sales, for trade and for human resources services. What reassurance and advice can the Minister give to charities and businesses in Harlow, if they are worried that they might be the next victims of such attacks?
Chris Bryant
Basically, every organisation in the country should be considering whether they might be the next under attack. It is possible that there might already have been an attempted attack on them. Obviously, iconic brands such as M&S and JLR are possible candidates in that sense, but I urge all organisations to take these issues seriously, because the costs are dramatic, both financially and in staff power.
Carla Lockhart (Upper Bann) (DUP)
Cyber-security costs are rarely taken into account by any company, but for a company such as JLR, such costs should be easily absorbed because of its profit margins. SMEs do not have that luxury. Their profit margins will not necessarily cover the costs, and often they hold just as much personal and financial data. The Government should be coming alongside those businesses and assisting them to ensure that their security is industry-standard and that they are secure. Can the Minister give me an update on that?
Chris Bryant
The hon. Member is absolutely right that it is not just about big companies, listed companies or, for that matter, big organisations in the public sphere; it is also about much smaller ones, which may have all sorts of different attacks. I am not sure whether she is asking for financial support.
Chris Bryant
Ah, she is. I saw the nod. I am not sure how Hansard records a nod, other than the fact that I have now said it. The important point is making sure that everybody has an understanding that cyber-security is important to every single organisation, big or small, and the services of the state are there to help.
Richard Foord (Honiton and Sidmouth) (LD)
The Minister talked about a cross-Government approach, and last week the Ministry of Defence stood up the cyber and specialist operations command, building on the foundations of strategic command and bringing together more than 26,000 specialists. Can the Minister comment on what collaboration exists between officials at the Department for Business and Trade and those working in this area in the MOD?
Chris Bryant
The primary relationship is between my Department, because we have responsibility for businesses and making sure that they can prosper in the future, the Department for Science, Innovation and Technology, as represented by my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan) here, and the Minister for Security in the Home Office, but the hon. Member makes a good point. The MOD has an equal responsibility for ensuring that we are all secure.
Mr Speaker, I am sure that some kind of digital identification service will be available for identifying the right MP to call.
Jim Shannon (Strangford) (DUP)
Always rear gunner. I am pleased to see the Minister in his position. It is well earned, and we are pleased to see him where he is. He will be aware that cyber-attacks on Marks & Spencer and Co-op have left many people concerned about the security of their information online. This attack on Jaguar will heighten those concerns, and businesses in my constituency have told me that. I have been contacted by people who are concerned about the ramifications of a cyber-attack on the Government’s systems, particularly in health. What discussions have been held with Cabinet colleagues on the robustness of cyber-defence, and what information can be shared with private businesses to help them defend themselves against these criminals that we all fear?
Chris Bryant
In fact, the first of these big cyber-attacks was on the British Library, which is an arm’s length body of the Department for Culture, Media and Sport, so some of these lessons were taught immediately to Government. The hon. Member is absolutely right, and we need to make sure across every Department that not only is data—personal data and all other kinds of data—secure where it needs to be, if it is not open-source, but that cyber-attacks can be rebuffed, spotted and prevented at all costs. That is an ongoing piece of work between the different parts of Government. When we are able to bring forward the cyber Bill in the very near future—sorry, soon—I hope that we will be able to address some of these things and discuss them in the round in the House.