Cyber-security Debate

Full Debate: Read Full Debate
Department: Home Office
Tuesday 7th May 2024

(7 months, 2 weeks ago)

Westminster Hall
Read Full debate Read Hansard Text Read Debate Ministerial Extracts

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the offical record

Dan Jarvis Portrait Dan Jarvis (Barnsley Central) (Lab)
- Hansard - -

It is a pleasure to serve under your chairship, Ms Bardell. May I say how good it is to see the Minister in his place? I congratulate my hon. Friend the Member for Preston (Sir Mark Hendrick) on securing this important debate. He is a long-standing and dedicated servant to his constituents and Lancashire more widely; any compliment about Lancashire does not come particularly easily from my side of the Pennines, but that is certainly one that my hon. Friend deserves for his very long-standing service for his constituents.

I pay tribute to the men and women who serve in the National Cyber Force, soon to be based in Samlesbury, and to those who serve across the security and intelligence services and in the cyber-security sector. They fight on the digital frontline day in and day out to detect, disrupt and deter individual and state-sponsored adversaries that threaten our cyber-security.

The cyber threat is constantly mutating and spreading. The latest crime survey for England and Wales shows a staggering 29% increase in computer misuse between 2022 and 2023. Computer misuse disrupts services, obtains information illegally and extorts individuals, meaning that personal information can be published online without consent, entire life savings can be lost due to fraud, and individuals, including children, can be blackmailed. The Government need to be increasingly ruthless in their approach to countering those threats and legislate for the challenges of today, not those of yesterday. Doing so will give cyber-security professionals the means to retain the advantage over those who seek to harm us and protect more people and organisations from cyber-crime.

Therefore, as the right hon. Member for Midlothian (Owen Thompson) rightly said, the Computer Misuse Act needs updating to reflect the challenges of the cyber age, not those of the Ceefax age. Accelerating technological change means that outdated legislation is struggling to catch up with cyber-threats posed by the likes of artificial intelligence. That is why, on this side of the House, we have already proposed criminalising the programming of chatbots that radicalise and spread terrorist material. We also welcome the Government’s announcement last month of the criminalisation, through the Criminal Justice Bill, of the creation of sexually explicit deepfakes. Outdated legislation is at best restrictive and at worst punitive for cyber-security professionals in the UK who conduct ethical hacking to expose system vulnerabilities and protect us from harmful cyber-attacks.

The National Cyber Security Centre, which is home to exceptional men and women fighting cyber-crime, has said that ethical hacking reports by individual researchers provide valuable information that organisations can use to improve the security of their systems. That is why the Opposition tabled an amendment to the Criminal Justice Bill that would reform the CMA by introducing a statutory defence for cyber-security researchers and professionals involved in ethical hacking.

Our amendment comes after the Chancellor’s commitment to implement all of Sir Patrick Vallance’s recommendations on the regulation of emerging digital technologies published alongside last spring’s Budget, which included the introduction of a statutory defence. If this Government do not deliver, the next one should. Until that happens, the legislative lag will have consequences. Half of UK businesses and 32% of charities suffered a cyber-breach or attack in the last year alone. Breaches due to vulnerabilities in cyber-security drive some of the most pernicious types of criminality. According to the accounting firm BDO, fraud doubled in 2023.

Furthermore, the Joint Committee on the National Security Strategy warned in December that the Government could face a catastrophic ransomware attack at any moment. The sobering reality is that such attacks are already happening on the UK’s critical national infrastructure. Just today, it was reported that in response to a ransom not being paid, personal information illegally obtained by a ransomware attack on NHS Dumfries and Galloway has been published on the dark web—a truly despicable act that accompanies another deeply concerning development today: a hack into the Ministry of Defence’s payroll records by a malign actor.

Those are only two of the most recent examples, and they show that the threat landscape has never been more dangerous. However, progress on reforming the CMA has been buffering for three years since the Government first announced their review of the legislation. Despite two public consultations, a Home Office industry working group and several public commitments, the Government have not yet made progress and, as the Minister will know, we are fast running out of parliamentary time. Though time is in short supply, there is consensus on acting in the national interest to update the CMA, and the Opposition are keen to play our part.

I would be grateful if the Minister would answer the following questions. He will know that they are meant in the constructive spirit in which we always seek to engage on these important matters. First, will he give an assurance that the proposed legislation, as outlined in the Government’s response to the CMA consultation, will be introduced in this Parliament?

Progress on legislation requires political leadership. However, the JCNSS report on ransomware said that the leadership by a former Home Secretary did not treat it as a priority. The Minister will remember that I wrote to him in January about this matter and others identified in the JCNSS report. Can he give a further assurance that his Department and other Departments are now prioritising ransomware by confirming that they will finally respond to the consultation on unauthorised access to online accounts and personal data, which was published in September 2022?

On public sector payments to ransomware, the Deputy Prime Minister responded to me at Cabinet Office questions on 25 April by saying that that “is not something” that he would “rule out totally”. However, the Security Minister’s written answer to me on the same question on the same day was much more resolute about the policy not to pay ransoms.

Dan Jarvis Portrait Dan Jarvis
- Hansard - -

I am listening to the Minister. I do not know whether the Deputy Prime Minister is; that is possibly the problem.

It would be really helpful if the Minister would say whether a new approach to the public sector paying ransoms will be included in any update to the CMA. These assurances and clarifications matter, as the Home Office is part of a cross-Government response to countering cyber-threats, joining the Department for Science, Innovation and Technology, the MOD, the Foreign, Commonwealth and Development Office and the Cabinet Office in driving policy to detect, disrupt and deter cyber-criminality.

As the Minister will know, the fulcrum of such activity is the National Security Council, but he will also know that, while it has a sub-committee for economic security, there is not a dedicated equivalent for cyber-security. Has consideration been given to the creation of a dedicated sub-committee of the NSC for policy responses to intermediate and long-term cyber challenges?

Another long-term challenge, which the Minister will be familiar with, is the retention of our best and brightest in fighting cyber-crime, both in the security and intelligence services and in the cyber-security sector. Do our modern-day Alan Turings, who play a vital role in keeping our country safe, feel that the most innovative and effective work can happen in the UK under current cyber-security legislation? The answer, sadly, is likely to be no: 60% of respondents to a recent cyber-ops survey said that the CMA is a barrier to their work in threat intelligence and vulnerability research, and 16,850 cyber-defenders—the equivalent of two GCHQs—are estimated to have been lost due to outdated cyber-security laws. The Minister knows that criminals profit the most from poor retention and recruitment, so has he considered how changes to the CMA could unlock the cyber-security sector’s huge potential to protect our country’s cyber-space better?

This debate has not just been about protecting our cyber-space through effective legislation; it has been about the principle of legislation retaining the advantage over malign actors intent on harming us. I said at the start of my speech that there are exceptional men and women working to defend our cyber-security, who are very much at the cutting edge of efforts to detect, disrupt and deter myriad threats. As legislators providing the legal framework for that crucial work, we must now all play our part.