Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting) Debate

Department: Department for Science, Innovation & Technology


David Chadwick Excerpts
Tuesday 24th February 2026


Public Bill Committees
Freddie van Mierlo (Henley and Thame) (LD)

I rise to speak to new clauses 13 and 15, standing in my name.

New clause 13 would require the Secretary of State to publish, within 12 months, a comprehensive statement on how the Government intend to manage the risks of foreign interference in our critical systems. It calls for steps to be taken to assess the need for a digital sovereignty strategy. We need to know not just how we will fight cyber-threats but whose technology we will rely on to do it. The new clause would force the Government to set out a plan to explicitly assess risks in hardware, software and supply chains.

We should ask what is being done to support UK tech and home-grown cyber-security. We cannot claim to be serious about national resilience if the very infrastructure protecting our critical systems is outsourced abroad to vendors we cannot fully trust. New clause 13 would require the Government to explain how they intend to mitigate the risks associated with reliance on foreign technologies. It would also require the Government to assess the need to encourage and support the use of domestic technologies. That would turn cyber-security into an engine for growth. By identifying high-risk foreign vendors, and pivoting to trusted, home-grown alternatives, we could improve our security and create high-skilled jobs here in the UK. For those reasons, I will press new clause 13 to a vote.

I now turn to new clause 15. How can we be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad? New clause 15 would ensure transparency and force the Government to look at the threat of foreign ownership. The threat to British democracy from foreign interference is clear and present. From Russian money flooding into politics, and Chinese surveillance and intimidation, to foreign oligarchs buying influence, our democratic institutions are under sustained attack. The previous Conservative Government failed the UK. They failed to take the threat posed by Russia seriously, they weakened the Electoral Commission and they allowed foreign money to distort our politics. They withdrew from international commitments at precisely the wrong moment.

This Government have made some welcome moves, but they do not go far enough. Over the last few years, we have seen a rise in cyber-attacks on critical infrastructure. Across the country, schools have closed, airports have been shut, local councils have been hacked and retail stores have been crippled. New clause 15 would require the Government to review the security risks posed by critical suppliers and essential service providers, and to flag which of those are linked to foreign states. It would also push the Government to evaluate whether current powers are sufficient to address these threats. I intend to push new clause 15 to a vote.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

In our previous sitting, the hon. Member for Runnymede and Weybridge set out clearly the cyber-threat posed by China, and argued that, through new clause 2, China should be explicitly recognised as a foreign power presenting a significant risk to the United Kingdom. He rightly highlighted the precedent in UK legislation for maintaining registers of hostile or high-risk state actors to protect national security. I agree that Parliament should be unequivocal in recognising the Chinese Communist party as a strategic cyber-threat, particularly given evidence of state-linked cyber-espionage, infrastructure compromise and the targeting of critical national infrastructure.

We have seen data from the Cabinet Office last week indicating that the Government plan to drastically reduce the integrated security fund spending on domestic cyber and tech to counter cyber-attacks. It will be cut from £113.3 million to £95 million by 2028-29, which is a reduction of 16%. Domestic spending to counter Russian threats in the same period will incur a drop of more than 20%. Those reductions leave us dangerously exposed and are in direct opposition to the Government’s promises to support the UK’s national security priorities. New clause 2 offers the chance to identify and monitor state actors that pose a threat to UK cyber-security.

The register must also reflect the evolving nature of cyber-risk. Threats do not arise solely from formally hostile states, but also from jurisdictions where hostile cyber-actors operate at scale, using digital infrastructure to target UK systems and citizens. We have seen that in countries such as India and Nigeria, where organised cyber-criminal networks have run sophisticated international operations against the UK, exploiting cloud services and telecommunications infrastructure. In India, law enforcement has dismantled major cyber-crime hubs linked to international targeting, including operations specifically affecting large numbers of British victims.

In 2025, the National Crime Agency worked in partnership with India’s Central Bureau of Investigation to raid an organised crime group in Uttar Pradesh, which had targeted more than 100 UK citizens with pop-ups stating that their devices had been compromised, losing them more than £390,000. That is not only an unacceptable financial loss for our citizens, but a significant waste of resources. In Nigeria, long-established cyber-criminal networks continue to conduct large-scale digital fraud campaigns aimed at overseas targets including the United Kingdom. Interpol’s Operation Serengeti in 2025 tackled high-impact cyber-crimes in Nigeria and 17 other nations, arresting 1,209 suspects and recovering nearly $100 million that had been stolen through cyber-fraud.

Although these states might not be hostile in a geopolitical sense, hostile cyber-actors operating within their borders are none the less inflicting sustained harm and placing heavy burdens on our cyber-defence and law enforcement resources. I support the aims of new clause 2, but urge Ministers to ensure that the framework is flexible enough to capture not only hostile states but jurisdictions that consistently serve as bases for large-scale hostile cyber-activity. Data from the Cabinet Office shows that integrated security fund spending on Russia is set to fall over 20% between 2026 and 2029, which shows that the Government are not taking threats from Russia, or other hostile nations, seriously enough.

Kanishka Narayan

It is a pleasure to serve with you in the Chair, Ms McVey.

I thank the shadow Minister, the hon. Member for Runnymede and Weybridge, for the new clauses in his name, which would require the Secretary of State to create a register of foreign powers that pose a threat to UK cyber-security, to review that register, and to lay a report before Parliament. This is intended to inform the use of powers granted under part 4 of the Bill. I empathise with the shadow Minister’s concerns that hostile foreign actors could target the network and information systems of operators of essential services or critical supplies. That is a clear risk, and one that we are addressing through the Bill.

As drafted, the Bill grants the Secretary of State new powers to issue national security directions to regulated entities or regulators where their compromise poses a national security risk. So long as those tests are met, the powers may be used by the Secretary of State irrespective of the actor that is causing the national security incident or threat.

New clause 2 would require the creation of a register of foreign states that pose a risk to the UK based on GCHQ advice. I reassure the shadow Minister that regardless of the proposed new clause, any decision to use the powers in this part of the Bill will be informed by expert national security advice from GCHQ. As a result, it is unclear what additional support the proposed register would provide to the Secretary of State when, for example, deciding whether to issue a direction to a regulated entity.

Additionally, the report required by new clause 3 would effectively be a list of the vulnerabilities of the network and information systems of our essential services, and would therefore be an asset to malicious actors. That would be counterproductive to national security. The new clause would allow the Secretary of State not to publish part or all of the report, if publishing would be contrary to the interests of national security. However, it is unclear how even part of the report could be published without harming national security, given its intended content.

Drafting a report of vulnerabilities that cannot be disclosed to Parliament without harming national security would simply duplicate existing assessments, and run the risk of distracting Government from more effective measures to protect from hostile foreign actors. That is not to say that we shirk transparency about these kinds of risk. The Government are already able to communicate with Parliament and the public about such cyber-security risks where it is appropriate to do so, through things such as the National Cyber Security Centre’s annual report and advisories. I therefore kindly ask that the shadow Minister withdraw the new clause.

I thank the hon. Member for Henley and Thame for the Liberal Democrat new clauses in his name, which would require the Secretary of State to publish a statement of how the Government intend to address risks posed by foreign actors to UK network and information systems, and to assess how many entities regulated by the NIS regime are owned in part or in full by foreign states.

Let me reassure the hon. Member that the Government take the risks posed by foreign interference seriously. The NCSC’s annual reviews continue to highlight cyber-risks to the UK from foreign actors, as well as measures to mitigate those risks. We have robust processes for assessing such threats, drawing on the expertise of the intelligence community, including the National Cyber Security Centre and the National Protective Security Authority.

The measures introduced by the Bill will boost the security and resilience of network and information systems across essential services, managed services and relevant digital services, protecting them from the risks of foreign interference. Where that is not enough, the Bill provides a backstop: the new direction powers in the Bill will enable the Government to protect our critical services from exactly those kinds of national security risks. We will be able to require a regulated entity to undertake any action that is necessary and proportionate for national security in response to the threat of a compromise. Conducting assessments of the ownership structures of the many thousands of in-scope entities within six months would be disproportionately resource intensive, distracting Government from more effective measures to protect our services.

Publishing a review identifying national security risks caused by foreign state ownership, or assessing whether our powers are adequate, as the Opposition’s new clause 3 would require, would provide valuable insight to our adversaries. As I have previously set out, there is a clear pathway for Government to communicate with Parliament and the public about such cyber-risks where it is appropriate to do so, but where we identify specific concerns, it is right that we retain the ability to assess and respond without disclosing our conclusions to those who might exploit them.

Finally, it is worth pointing out that, as drafted, new clause 13 is not aligned with the intended scope of the Bill. The Bill is solely concerned with entities that are currently, or could one day be, regulated under the NIS regulations. This new clause would require a statement on the risks posed to all UK network and information systems, which is a significant broadening of the scope of NIS-regulated entities and sectors. Similarly, the focus on Government procurement seems outside that scope, given that Government network and information systems are not wholly regulated by the Bill. For those reasons, I ask that the hon. Member for Henley and Thame kindly consider not pressing his amendment.

--- Later in debate ---
Brought up, and read the First time.
David Chadwick

I beg to move, That the clause be read a Second time.

The purpose of new clause 10 is to ensure that regulatory authorities and regulated persons have adequate resources and capabilities to carry out their responsibilities. Fundamentally, this is a question of state capacity. Surely it is hard to disagree with that statement. We can pass legislation in this House, but if the regulators tasked with enforcing that legislation lack the resources and capabilities to fulfil their duties, and if the businesses subject to the new requirements lack clarity about what is required of them, the Bill will remain little more than words on a page.

Cyber-resilience cannot be achieved through legislation alone, poor and weak though this piece of legislation is; it must be delivered by regulators with properly trained staff, clear guidance and sustained investment in enforcement and oversight. Without that foundation, even the strongest legal framework risks becoming ineffective. The new clause would create a vital statutory reality check. It would require the Secretary of State within one year of the Act coming into force to consult with regulators and regulated organisations, and report to Parliament on whether the regulatory system is equipped to function under the new rules. The new clause asks a simple but essential question: do the bodies responsible for protecting our critical digital infrastructure have the people, funding, tools and skills that they need to succeed?

Laws work only if the people enforcing them have the time, money, expertise and systems to do so properly. The scale of the challenge is already clear. Research from ISC2 shows that 88% of organisations that have suffered cyber-incidents link those breaches directly to skills shortages. If regulators themselves face similar skills or operational shortages, enforcement will be slow, inconsistent and ultimately ineffective, and may leave businesses facing uncertainty about what is required of them.

The new clause would help to ensure that issues are identified early and addressed proactively, rather than after a major cyber-security incident exposes weaknesses in our regulatory system. For this legislation to work, it requires fully funded and effective regulators. That is why I will press the new clause to a vote.

Dr Ben Spencer

This new clause, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations. Historical levels of regulatory oversight and enforcement in relation to the NIS regulations 2018 have fallen short of what is necessary to achieve meaningful cyber-resilience across regulated sectors. The second post-implementation review of the NIS regs 2018, conducted in 2022, found that incident reporting on the part of regulated entities was very low, with only 13, 12 and 22 NIS incidents reported in 2019, 2020 and 2021 respectively.

A review conducted by the Worshipful Company of Information Technologists identified a near total absence of formal financial sanctions under the NIS regulations, with zero confirmed major penalties from 2021 to 2024. The model has not been conducive to effective discharge of regulatory responsibilities, with knock-on effects for cyber-resilience and regulated industries, yet regulators will be expected to oversee a far larger pool of regulated bodies and process a far larger number of incident reports under the Bill’s provisions. It is therefore right for us to scrutinise carefully whether regulators are in a position to meet these obligations.

In the evidence sessions, many of my questions to witnesses, including those from Ofgem, Ofcom and the Information Commissioner’s Office, focused on their preparations to meet the demands of their expanded roles. It was clear from feedback that although regulators understand what they need to do to prepare, the practical challenges associated with securing sufficient resource are far from resolved. I would therefore be grateful if the Minister could clarify his plans to review regulators’ progress and what the key milestones will be to ensure that regulators can discharge their new duties alongside their existing ones when these provisions come into effect.

--- Later in debate ---
Brought up, and read the First time.
David Chadwick

I beg to move, That the clause be read a Second time.

The Chair

With this it will be convenient to discuss new clause 17—Requirement for regular testing of network and information systems

“(1) A relevant body must undertake regular testing of the security and resilience of the network and information systems on which it relies in the provision of its services.

(2) Testing undertaken in accordance with this section must –

(a) be proportionate, having regard to the size, nature and risk profile of the business; and

(b) be conducted periodically, at intervals that are appropriate to the risks identified by the body.

(3) A relevant body must document –

(a) the outcomes of testing undertaken in accordance with this section; and

(b) any remedial actions required or taken in response to the testing.

(4) Information documented under subsection (3) must be provided to the relevant regulatory authority upon request.

(5) For the purposes of this section, a relevant body is one which is –

(a) an operator of an essential service,

(b) a relevant digital service provider,

(c) a relevant managed service provider, or

(d) a critical supplier

within the meaning of the NIS Regulations.”

This new clause would require bodies to carry out proportionate, periodic testing of the security and resilience of their network and information systems and provide the results to regulatory bodies upon request.

David Chadwick

New clauses 16 and 17 work in tandem to align the Bill with best practice among our European neighbours, introducing measures that would strengthen ongoing oversight and enhance preparation, therefore improving the UK’s cyber-resilience before incidents occur.

New clause 16 would make cyber-resilience a core responsibility of organisational leadership. It would require boards to oversee security arrangements, approve risk management approaches, satisfy themselves that protections are working on an ongoing basis and, importantly, be accountable. Numerous witnesses that we have spoken to over the past month told us that cyber-security deserves the most senior level of oversight. In fact, those professionals from within the industry told us that they desperately need this to happen to make sure that they can do the job that the Government are asking of them. ISACA, an organisation that I remember looking up to when I was working in cyber-security, has said that it supports both our new clauses.

Bradley Thomas

While I agree with the hon. Member, and acknowledge witnesses’ evidence suggesting that cyber-security should be a board-level responsibility, does he share my concern that, given the complexity and technical nature of cyber-security, there is perhaps a risk of, for want of a better phrase, window dressing? It may be that non-competent people without the relevant technical expertise could be reliant on reports issued by other technical staff who do not sit at board level. We have to strike the right balance. Does the hon. Member share that concern, and how does he propose we address that?

David Chadwick

One of the measures that the new clause would introduce is a requirement for board members to receive education. Clearly, it is necessary for boards to understand cyber-security risk, and the new clause is about putting that into legislation. Board accountability is the cornerstone of corporate governance. Corporate governance is one of the reasons for the Bill. We have seen drastic failures in corporate governance across the UK in numerous sectors. Financial services, historically, is one sector that corporate governance has completely failed in, yet the Conservatives continued to support it with tax cuts.

All we are saying with our new clause is that boards need to be held accountable for the cyber-risk that they pose, and that making boards responsible for that obligation helps the cyber-security professionals responsible for securing those organisations to do their jobs properly. ISACA has 8,000 members. They are the people who will be carrying out this work. Surely, we should listen to them when they tell us that this is what they need. It was not just one organisation that told us that either.

Boards have an obligation to oversee financial risk, for which they need financial literacy. Cyber-risk deserves the same treatment. Importantly, this would bring the UK into line with international best practice. The European Union’s NIS2 framework explicitly places cyber accountability at senior management level, and makes the same demands of board oversight in these areas. That is why it is confusing again to see the Government diverging from that framework without a clear explanation of why. It is not clear why the UK should be settling for less. Why have the Government taken that out?

--- Later in debate ---
Lincoln Jopp

Will the hon. Member give way?

Lincoln Jopp

I am a little confused—which is easily done, I hasten to add. The new clause says:

“The management body may be held accountable for failures by the body to comply with duties relating to the security and resilience of its network and information systems.”

Does the hon. Member not think that the directors of companies are already responsible and accountable for their companies? Why does the state need to tell them more about those responsibilities?

David Chadwick

I think this once more comes down to state capacity and how we see the state’s role. Clearly there needs to be an expansion of the state’s powers—that is why the Bill was introduced—to mandate in writing various requirements of the companies that provide the critical infrastructure upon which our country relies. The hon. Member will remember the numerous witnesses who told us that board accountability was crucial. Some told us that in public and some in private. They are the people who are doing this job, and whom the Government are asking to do this job. That is why we should listen to them and why we will press the new clauses to a vote.

Emily Darlington (Milton Keynes Central) (Lab)

The new clauses raise a really important point about security by design implemented within companies, and within the companies that provide cyber-security technology to them. An hon. Friend of mine tabled an amendment, which we are not speaking about today, on a similar subject.

Security and safety by design is something that we talk about quite often in this area. It may not be appropriate for this Bill, but I am keen to hear how we will progress those discussions, because ultimately we do want to prevent cyber-attacks. We need to make sure that companies, small and medium-sized enterprises, major infrastructure and local government all have access to technology and infrastructure that looks at security by design in its own design right from the outset, because that is what makes us most secure.

How will we take forward those discussions, and extend the idea that already exists in legislation, through the Online Safety Act 2023, about safety by design, in order to ensure that products around cyber-security have this at their heart, and deliver the prevention mechanism that I think we all want to see—especially the small businesses and organisations that are victims of such attacks?

--- Later in debate ---
David Chadwick

Is the Minister aware that the financial services industry is required to conduct regular testing of its systems, and that sectors like aviation and nuclear have designated individuals in their security organisations who are responsible for overseeing those sorts of practices?

Kanishka Narayan

I thank the hon. Member for his point. I am also aware that the National Cyber Security Centre’s cyber assessment framework has very specific measures on appropriate testing as well. It already exists, and we want to make sure that it is an important part of specific security and resilience requirements in secondary legislation.

It is crucial that industry is consulted on the nature of any requirements related to testing. As mentioned, we intend to consult on the proposals later in the year. We will also issue a statement of strategic priorities for regulators, and will explore whether that is an appropriate vehicle for driving consistency in the behaviours of regulators in respect of their approach to testing for their sector.

Overall, any approach to going further on proportionate and regular testing must be developed alongside the full set of security and resilience requirements, and co-ordinated and communicated with a wider package of implementing measures. That will allow the impact of options to be assessed, and provide the industry with clarity on the overall approach, including how the components fit together.

The shadow Minister asked about the consideration of NIS2 requirements. We have looked at NIS2 provisions, and variability in member states’ implementation of it, as part of a wider set of considerations on which we will be consulting regarding secondary legislation on governance.

My hon. Friend the Member for Milton Keynes Central made an incredibly important point about security by design, which I very much take into account. The Government Digital Service is already working on a secure by design standard. We want to make sure that it is as robust as possible, and extend it across not just the public sector but parts of the private sector. I will make sure that security by design remains at the heart of the Government’s cyber action plan, as well as that of the private sector.

Kanishka Narayan

My hon. Friend has extensive expertise, from which I benefit extensively. I will be keen to make sure that the Government Digital Service does so too.

In the light of those commitments, I kindly ask the hon. Member for Brecon, Radnor and Cwm Tawe not to press the new clauses.

David Chadwick

During the evidence sessions, numerous very knowledgeable witnesses called for these new clauses, so I will push them both to a vote.

Question put, That the clause be read a Second time.

--- Later in debate ---
Dr Ben Spencer

I will speak to new clause 19, tabled in my name on behalf of His Majesty’s official Opposition. The new clause would compel the Secretary of State, within 12 months of Royal Assent, to review the need for a statutory defence, encompassing legitimate cyber-research activities, to criminal offences under clause 1 of the Computer Misuse Act 1990, which is about unauthorised access to computer programs.

The campaign for reform in this area, CyberUp, has argued that, in its current form, the CMA inadvertently criminalises critical activity such as vulnerability research and threat intelligence, both of which are essential for defending the nation’s digital systems. The new clause would also require the Secretary of State’s review to evaluate whether the creation of such a defence would enable regulated bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.

New clause 18, tabled by the hon. Member for Henley and Thame, relates to the same important topic and would require the Secretary of State to review, and report to Parliament within 12 months of the Bill’s entering into law, whether amending the Computer Misuse Act could improve the resilience of network and information systems.

Hon. Members will recall the insightful oral evidence of Professor John Child of the University of Birmingham. Professor Child made a clear and compelling case for the need to amend the Computer Misuse Act to provide statutory defences for legitimate cyber-research—sometimes called ethical hacking activities. Likewise, campaign groups, industry specialists and parliamentarians have all argued that the Computer Misuse Act, which was written before the modern internet, is no longer fit for purpose.

At present, the Act fails to distinguish between malicious attackers and cyber professionals acting in the public interest, inadvertently criminalising a large proportion of research that UK cyber-security professionals can carry out to protect UK critical infrastructure and the UK’s technological ecosystem. This means that cyber-security professionals working to defend UK organisations from real-world threats risk prosecution. That has created a chilling effect—talent is being lost, investment is stifled and security gaps are going unidentified.

If we are to have true UK cyber-resilience—not just among regulated sectors, but across businesses of all types and throughout society—we need a multifaceted approach. Industry and private sector-led initiatives will play a strong role in that. Professor Child made clear that countries that have implemented more favourable regimes, such as the US and Israel, are benefiting from increased cyber-resilience as a result of cyber-research activity.

The Government have acknowledged that reform of the CMA is a pressing issue. Indeed, the Home Office has been reviewing that question for some time. Further, the Minister for Security, the hon. Member for Barnsley North (Dan Jarvis), highlighted the urgent need for changes to the law in this area in a recent speech, stating that Government have

“heard the criticisms about the Computer Misuse Act, and how it can leave many cyber security experts feeling constrained in the activity that they can undertake.”

He went on to say:

“These researchers play an important role in increasing the resilience of UK systems, and securing them from…vulnerabilities.

We shouldn’t be shutting these people out, we should be welcoming them and their work.”

Yet the Home Office has brought forward no specific proposals for reform. Parliament is unlikely to legislate again in the cyber-security domain for some considerable time; we cannot afford to kick the can down the road on this vital issue any longer if we are to have a credible plan for whole-of-society cyber-resilience.

David Chadwick

Can the hon. Gentleman address the point of who he thinks would benefit if that Act was repealed?

Dr Ben Spencer

I am a bit unclear about the hon. Gentleman’s intervention. The point I was making was that there is legitimate concern that people doing research into this area and doing threat assessments risk prosecution, so, across the whole of our society, that work is not being done. We have heard quite a lot of evidence from cyber campaigns about the benefits that changes to this law would make to the system, which is why we tabled the new clause. I commend new clause 19 to the Committee. I hope the Minister agrees that now is the time to address the issue.

I suspect that this will be my last, or penultimate, time speaking to the Committee, so I would like to finish by thanking Members on both sides of the Committee for a fun and, at times, robust debate over the past month. I thank the Chairs, the Clerks and all the teams working on the Bill—and Sophie Thorley from my office, who has done incredible research on the Bill.

--- Later in debate ---
David Chadwick

Will the Minister clarify what he thinks ethical vulnerability research actually constitutes?

Kanishka Narayan

Sure. I would not wish to define it technically, but my understanding is that it is research aimed at ethical hacking. It is effectively trying to find vulnerabilities through simulated attack systems, which can broaden our understanding of risks and vulnerabilities and allow us to mitigate them accordingly.

I return to new clause 19. Limiting a defence to just the sectors covered by the NIS regime would be impractical; any proposal for a workable defence needs to be broad enough to apply across the economy. That is why we are making sure that, through the Home Office, we are working as promptly as possible to ensure a proposal that is strong in its safeguards to prevent misuse. Engagement, including with the cyber-security industry, is already under way to refine our approach.