Dr Spencer

- Hansard -

Copy Link

- - Excerpts

I am not making any sort of comment on that. My point is very simple: it is citizenship and age. If we are to apportion the respect to voting that we absolutely should—I think all of us in this House think voting is a critical thing to do—giving it the status of being an adult decision, as opposed to one made by children, is also important. To not do so is fundamentally anti-democratic. It diminishes what people have to go through in terms of the status of voting compared with other decisions. Voting is more important than being able to buy a beer, have a driving licence or join the cadets. Voting is absolutely critical, and that is why it is so important that it should be seen as an adult act, not an act that is within the scope of being a child.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

The point the hon. Member makes illustrates exactly why we have to use an adult citizenship criteria, not one based on capability or ability, because the moment we start to do that, all sorts of awful things risk happening. People should get the right to vote in the UK if they are a citizen and if they are an adult, and that is it. We should never put at risk someone’s right to vote because of considerations about their cognitive ability, and that goes in both directions.

People should be careful what they wish for in making arguments to remove adult status and citizenship from voter enfranchisement. They may not like where they end up.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

New clause 16 would require active board oversight of security and resilience measures and accountability for board members where they fail in those oversight duties, whereas new clause 17 would require regulated entities to carry out proportionate, periodic testing of the security and resilience of their network and information systems, and provide the results to regulatory bodies upon request.

On board accountability, as we have already discussed in this Committee, the existing regulatory model under NIS regulations has not been sufficiently effective in driving up cyber-resilience standards to meet emerging threats. Board engagement is a key part of that, but the stat I quoted previously in this Committee indicates that engagement is going in the wrong direction. What assessment has the Minister made of the potential advantages and disadvantages of direct accountability in the adoption of effective cyber-resilience measures, based on a roll-out of the NIS2 regulations?

Proportionate testing of systems may be a useful tool in detecting and managing cyber-security risk. What consideration has the Minister’s Department given to how that topic should be approached in the Secretary of State’s code of practice?

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Clause 43 grants the Secretary of State powers to issue directions to regulate entities where there is a risk to national security, or where an action must be taken in the interests of national security. Directions can include requirements relating to the management of systems, the yielding of information and the removal or modification of goods and services. The Secretary of State may also require a regulated entity to engage the services of a skilled person to comply with directions issued. The Secretary of State has wide discretion to dispense with providing reasons for directions or consulting with the affected parties on the basis of national security considerations.

Clause 44 clarifies that the Secretary of State’s directions under part 4 prevail if there is a conflict between those directions and another statutory requirement. The exercise of these powers by the Secretary of State could have far-reaching consequences for businesses, which may experience interruption to their commercial activities, as well as the potentially considerable time and expense in adhering to a request made on national security grounds.

I have spoken on several occasions in the House and in this Committee about the critical risks posed to our cyber-security and national security by hostile state actors and their affiliates. It is, of course, right that the Secretary of State should have this power, but it should be used only in extremis. Like other extensive powers granted to the Secretary of State under part 3, it must be subject to oversight and guardrails. A report to Parliament, which may well be redacted, on the exercise of functions under part 4 will not be sufficient to ensure that this power is used proportionately. Has the Department considered introducing an obligation for the Secretary of State to report to the Intelligence and Security Committee when she exercises powers under part 4?

We discussed the Chinese super-embassy earlier. Later in the Committee’s proceedings, I will talk about an Opposition new clause that would deal with that problem effectively.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Clause 18, which the Government seek to modify through amendments 14 to 18, creates new pathways for information sharing between regulators, public authorities and Government Departments. It also creates a power for NIS enforcement authorities to share information with relevant overseas authorities for specified purposes. The new regime is intended to remove gaps and ambiguities in the existing framework governing the sharing of information obtained in the course of competent authorities and the oversight role of NCSC, and to create legal certainty in this domain.

In turn, it is anticipated that greater information sharing will assist with the detection of crime, enforcement activity and awareness of emerging cyber-risks and with ascertaining the effectiveness of the NIS regulations in building UK cyber-resilience. In particular, the Bill creates a new gateway to ensure that NIS regulators can share information with UK public authorities, and vice versa, as well as sharing and receiving information from organisations outside of the NIS framework, for example other regulators or bodies such as Companies House.

The Bill strengthens safeguards on how information can be used once it has been shared under the NIS regulations by restricting onward disclosure. More effective information sharing will be vital for competent authorities to keep up to date with emerging risks and building resilience in their sectors, and the new measures were broadly welcomed by regulators in our oral evidence session.

However, industry bodies such as techUK have called for further detail on the new information-sharing regime. What steps are the Government taking to ensure that regulators share responsibility for protecting sensitive data, and that information-sharing processes are coherent, proportionate and secure? Could the Minister elaborate on the discussions he has had with regulators on those matters, and on how secure information sharing will work in practice?

Finally, on the detail of the text in Government amendment 14, proposed new paragraph (aa)(ii) refers to persons

“otherwise in connection with…any other matter relating to cyber security and resilience,”.

Given that this is an information-sharing power, that seems a remarkably broad “any other matter” provision. What disclosures that are not already covered in the Bill does the Minister conceive will come up in that scope? What guidance or consultation will the Minister produce to make sure that such powers are proportionate and not at risk of abuse?

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

What the last Government did not do is release a consultation that had a ministerial foreword to say that the position of copyright was uncertain. What they did not do was say their preferred option was opt-out, which spooked the creative industry and caused all these problems in the first place. It is this Government’s ham-fisted approach that caused so many of the problems that they are now trying and failing to fix. The Government have played a large part in creating this problem.