Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting) Debate

Department: Department for Science, Innovation & Technology

Emily Darlington Excerpts
Tuesday 24th February 2026

Public Bill Committees
David Chadwick

I think this once more comes down to state capacity and how we see the state’s role. Clearly there needs to be an expansion of the state’s powers—that is why the Bill was introduced—to mandate in writing various requirements of the companies that provide the critical infrastructure upon which our country relies. The hon. Member will remember the numerous witnesses who told us that board accountability was crucial. Some told us that in public and some in private. They are the people who are doing this job, and whom the Government are asking to do this job. That is why we should listen to them and why we will press the new clauses to a vote.

Emily Darlington (Milton Keynes Central) (Lab)

The new clauses raise a really important point about security by design implemented within companies, and within the companies that provide cyber-security technology to them. An hon. Friend of mine tabled an amendment, which we are not speaking about today, on a similar subject.

Security and safety by design is something that we talk about quite often in this area. It may not be appropriate for this Bill, but I am keen to hear how we will progress those discussions, because ultimately we do want to prevent cyber-attacks. We need to make sure that companies, small and medium-sized enterprises, major infrastructure and local government all have access to technology and infrastructure that looks at security by design in its own design right from the outset, because that is what makes us most secure.

How will we take forward those discussions, and extend the idea that already exists in legislation, through the Online Safety Act 2023, about safety by design, in order to ensure that products around cyber-security have this at their heart, and deliver the prevention mechanism that I think we all want to see—especially the small businesses and organisations that are victims of such attacks?

Dr Spencer

New clause 16 would require active board oversight of security and resilience measures and accountability for board members where they fail in those oversight duties, whereas new clause 17 would require regulated entities to carry out proportionate, periodic testing of the security and resilience of their network and information systems, and provide the results to regulatory bodies upon request.

On board accountability, as we have already discussed in this Committee, the existing regulatory model under NIS regulations has not been sufficiently effective in driving up cyber-resilience standards to meet emerging threats. Board engagement is a key part of that, but the stat I quoted previously in this Committee indicates that engagement is going in the wrong direction. What assessment has the Minister made of the potential advantages and disadvantages of direct accountability in the adoption of effective cyber-resilience measures, based on a roll-out of the NIS2 regulations?

Proportionate testing of systems may be a useful tool in detecting and managing cyber-security risk. What consideration has the Minister’s Department given to how that topic should be approached in the Secretary of State’s code of practice?

--- Later in debate ---
Kanishka Narayan

I thank the hon. Member for his point. I am also aware that the National Cyber Security Centre’s cyber assessment framework has very specific measures on appropriate testing as well. It already exists, and we want to make sure that it is an important part of specific security and resilience requirements in secondary legislation.

It is crucial that industry is consulted on the nature of any requirements related to testing. As mentioned, we intend to consult on the proposals later in the year. We will also issue a statement of strategic priorities for regulators, and will explore whether that is an appropriate vehicle for driving consistency in the behaviours of regulators in respect of their approach to testing for their sector.

Overall, any approach to going further on proportionate and regular testing must be developed alongside the full set of security and resilience requirements, and co-ordinated and communicated with a wider package of implementing measures. That will allow the impact of options to be assessed, and provide the industry with clarity on the overall approach, including how the components fit together.

The shadow Minister asked about the consideration of NIS2 requirements. We have looked at NIS2 provisions, and variability in member states’ implementation of it, as part of a wider set of considerations on which we will be consulting regarding secondary legislation on governance.

My hon. Friend the Member for Milton Keynes Central made an incredibly important point about security by design, which I very much take into account. The Government Digital Service is already working on a secure by design standard. We want to make sure that it is as robust as possible, and extend it across not just the public sector but parts of the private sector. I will make sure that security by design remains at the heart of the Government’s cyber action plan, as well as that of the private sector.

Emily Darlington

I thank the Minister for that commitment. Would he consider setting up a meeting between GDS and those MPs who have expertise in this area, so that we can share our expertise and reassure ourselves that this is going in the right direction and at the speed that is necessary?

Kanishka Narayan

My hon. Friend has extensive expertise, from which I benefit extensively. I will be keen to make sure that the Government Digital Service does so too.

In the light of those commitments, I kindly ask the hon. Member for Brecon, Radnor and Cwm Tawe not to press the new clauses.