Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting)
Debate between David Chadwick and Freddie van MierloTuesday 24th February 2026
(1 week, 1 day ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 24 February 2026 - (24 Feb 2026)
Freddie van Mierlo (Henley and Thame) (LD)
I rise to speak to new clauses 13 and 15, standing in my name.
New clause 13 would require the Secretary of State to publish, within 12 months, a comprehensive statement on how the Government intend to manage the risks of foreign interference in our critical systems. It calls for steps to be taken to assess the need for a digital sovereignty strategy. We need to know not just how we will fight cyber-threats but whose technology we will rely on to do it. The new clause would force the Government to set out a plan to explicitly assess risks in hardware, software and supply chains.
We should ask what is being done to support UK tech and home-grown cyber-security. We cannot claim to be serious about national resilience if the very infrastructure protecting our critical systems is outsourced abroad to vendors we cannot fully trust. New clause 13 would require the Government to explain how they intend to mitigate the risks associated with reliance on foreign technologies. It would also require the Government to assess the need to encourage and support the use of domestic technologies. That would turn cyber-security into an engine for growth. By identifying high-risk foreign vendors, and pivoting to trusted, home-grown alternatives, we could improve our security and create high-skilled jobs here in the UK. For those reasons, I will press new clause 13 to a vote.
I now turn to new clause 15. How can we be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad? New clause 15 would ensure transparency and force the Government to look at the threat of foreign ownership. The threat to British democracy from foreign interference is clear and present. From Russian money flooding into politics, and Chinese surveillance and intimidation, to foreign oligarchs buying influence, our democratic institutions are under sustained attack. The previous Conservative Government failed the UK. They failed to take the threat posed by Russia seriously, they weakened the Electoral Commission and they allowed foreign money to distort our politics. They withdrew from international commitments at precisely the wrong moment.
This Government have made some welcome moves, but they do not go far enough. Over the last few years, we have seen a rise in cyber-attacks on critical infrastructure. Across the country, schools have closed, airports have been shut, local councils have been hacked and retail stores have been crippled. New clause 15 would require the Government to review the security risks posed by critical suppliers and essential service providers, and to flag which of those are linked to foreign states. It would also push the Government to evaluate whether current powers are sufficient to address these threats. I intend to push new clause 15 to a vote.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
In our previous sitting, the hon. Member for Runnymede and Weybridge set out clearly the cyber-threat posed by China, and argued that, through new clause 2, China should be explicitly recognised as a foreign power presenting a significant risk to the United Kingdom. He rightly highlighted the precedent in UK legislation for maintaining registers of hostile or high-risk state actors to protect national security. I agree that Parliament should be unequivocal in recognising the Chinese Communist party as a strategic cyber-threat, particularly given evidence of state-linked cyber-espionage, infrastructure compromise and the targeting of critical national infrastructure.
We have seen data from the Cabinet Office last week indicating that the Government plan to drastically reduce the integrated security fund spending on domestic cyber and tech to counter cyber-attacks. It will be cut from £113.3 million to £95 million by 2028-29, which is a reduction of 16%. Domestic spending to counter Russian threats in the same period will incur a drop of more than 20%. Those reductions leave us dangerously exposed and are in direct opposition to the Government’s promises to support the UK’s national security priorities. New clause 2 offers the chance to identify and monitor state actors that pose a threat to UK cyber-security.
The register must also reflect the evolving nature of cyber-risk. Threats do not arise solely from formally hostile states, but also from jurisdictions where hostile cyber-actors operate at scale, using digital infrastructure to target UK systems and citizens. We have seen that in countries such as India and Nigeria, where organised cyber-criminal networks have run sophisticated international operations against the UK, exploiting cloud services and telecommunications infrastructure. In India, law enforcement has dismantled major cyber-crime hubs linked to international targeting, including operations specifically affecting large numbers of British victims.
In 2025, the National Crime Agency worked in partnership with India’s Central Bureau of Investigation to raid an organised crime group in Uttar Pradesh, which had targeted more than 100 UK citizens with pop-ups stating that their devices had been compromised, losing them more than £390,000. That is not only an unacceptable financial loss for our citizens, but a significant waste of resources. In Nigeria, long-established cyber-criminal networks continue to conduct large-scale digital fraud campaigns aimed at overseas targets including the United Kingdom. Interpol’s Operation Serengeti in 2025 tackled high-impact cyber-crimes in Nigeria and 17 other nations, arresting 1,209 suspects and recovering nearly $100 million that had been stolen through cyber-fraud.
Although these states might not be hostile in a geopolitical sense, hostile cyber-actors operating within their borders are none the less inflicting sustained harm and placing heavy burdens on our cyber-defence and law enforcement resources. I support the aims of new clause 2, but urge Ministers to ensure that the framework is flexible enough to capture not only hostile states but jurisdictions that consistently serve as bases for large-scale hostile cyber-activity. Data from the Cabinet Office shows that integrated security fund spending on Russia is set to fall over 20% between 2026 and 2029, which shows that the Government are not taking threats from Russia, or other hostile nations, seriously enough.