Sir Mark Hendrick (Preston) (Lab/Co-op)

- Hansard -

Copy Link

- - Excerpts

I beg to move,

That this House has considered cyber security laws and tackling crime.

It is a pleasure to serve under your chairmanship, Ms Bardell. I am delighted to lead this debate on the important issue of cyber-security, particularly in relation to cyber-crime and the need to enhance the UK’s national cyber-resilience.

Cyber-security has a significant impact on society, the economy and individuals, as well as on both national and global security. The UK faces cyber-threats from a number of hostile actors, whether they are states, state-sponsored groups or criminal organisations motivated by money. Cyber-crime itself ranges from complex ransomware attacks to less sophisticated cyber-threats such as hacking and phishing, which many in their everyday lives. In today’s world, virtually every business, charity and public sector organisation is in some way digital, but, as high-profile incidents have shown, cyber-attacks exploiting that digitalisation can quickly undermine trust in our private and public sector institutions.

With a burgeoning cyber ecosystem, the UK is well placed to be a global leader on cyber-security, and I will come back to that point later. Often, however, we struggle to get the basics right, leaving citizens and businesses exposed as they move more and more of their lives and operations online. Last year, UK businesses experienced approximately 7.78 million cyber-crimes. Half of businesses and around a third of charities report having experienced some form of cyber-breach or attack in the last 12 months and such attacks have had a real impact on business and consumers.

A recent report by the think-tank the Royal United Services Institute brought to light some of the stark implications of cyber-crime, particularly in relation to ransomware, which is malware designed to deny a user or organisation access to their own data unless a ransom is paid to the attacker. RUSI’s report revealed the extent to which ransomware can ruin lives, with the harm going beyond financial and reputational costs for organisations. Victims and incident responders have revealed that ransomware creates both physical and psychological harms for individuals and groups, which have caused individuals to lose their jobs, evoked feelings of shame and self-blame, seeped into private and family life and contributed to serious health issues. Furthermore:

“The harm and cumulative effects caused by ransomware attacks have implications for wider society and national security, including supply chain disruption, a loss of trust in law enforcement, reduced faith in public services, and the normalisation of cybercrime. Ransomware also creates a strategic advantage for the hostile states harbouring the cyber-criminals who conduct such operations.”

Meanwhile, the threat landscape is changing and becoming more complex.

UK cyber firm NCC Group’s latest insights show that ransomware attacks increased by 84% last year, with the UK the second most targeted country for such attacks, only behind the US. Emerging technologies such as artificial intelligence have the potential to enable cyber-attackers to mount ever more sophisticated campaigns against organisations. AI is effectively lowering the barrier of entry into cyber-crime, making it easier for cyber-attackers to successfully target victims and widening the availability of voice cloning, deepfakes and social engineering bots. We are likely to see that manifest in a higher volume of cyber-attacks, an enhanced ability of cyber-criminals to generate malware and an improved success rate of social engineering and phishing attacks. With AI as an emerging threat, hacking as a service is being thought of as a growing market, whereby malware developers sell or lease cyber-attack tools and services to other cyber-criminals. Worryingly, such a business model extends cyber-attack capabilities to organisations and individuals that would not otherwise have known how to carry out attacks themselves.

Artificial intelligence is also advancing tactics that have been around for decades and, in its own way, evolving threats in line with technology. Deepfake phishing is just one example of a fast-growing threat that manipulates or confuses users in order to exploit their trust and gain access to their data. That can be done through emails or messages, video calls or voice messages, where personalisation and synthetic content can make the attack more credible.

Cyber-threats should be seen in the wider context of nation-state threats, too. The conflict in Ukraine has shown how cyber and kinetic attacks are increasingly interconnected in modern hybrid warfare. As thousands of lines of complex code control new and evolving physical functions and systems, such as in smart cities, cyber-security vulnerabilities can be exploited to effect change in the real world. Although we have not seen the so-called cybergeddon that some were expecting from the next big conflict on our globe, one thing is clear: cyber-warfare has proven itself to be a critical element in hybrid cyber-kinetic battlefields.

There is an opportunity here for the UK. To tackle cyber-crime, a close partnership between the public and private sectors is a critical part of the UK’s whole-society approach. In particular, the UK’s cyber industry is working closely with law enforcement, the public sector, academia and other private firms to ensure that the UK remains confident, capable and resilient in this fast-moving digital world. That includes vulnerability researchers, also known as ethical hackers, who identify security vulnerabilities in products, software and the UK Government. They rely on such researchers to identify bugs before they can be exploited by malicious actors for their nefarious purposes.

Meanwhile, threat intelligence researchers detect cyber-attacks and gain insight into attackers and victims. Researchers work with and pass on that important information to law enforcement and the intelligence agencies, enabling them to defend the UK against rising cyber-crime and geopolitical threat actors. Many of the recent takedown operations we have heard about, where law enforcement disrupted the servers or digital infrastructure that cyber-criminals used to conduct their illegal activities, were possible only because intelligence and insights about those cyber-criminals were shared across the public and private sectors. I firmly believe that there is an opportunity for the UK to play a significant leadership role in conducting the UK’s response, with the north-west cyber corridor at its heart.

We are already seeing that public-private partnership in action in wider Lancashire and in my own constituency of Preston through the National Cyber Force, which will open its new home in Samlesbury, Lancashire, in 2025. It is a partnership between defence and intelligence, and already carries out cyber operations daily to counter and contest the actions of those who would harm the UK or our allies, to keep the country safe and to protect and promote the UK’s interests at home and abroad. Furthermore, the Lancashire Cyber Partnership, or LCP, is a strategic collaboration between Lancashire County Council, the Lancashire Enterprise Partnership, the University of Central Lancashire, Lancashire University and BAE Systems. In addition, the National Cyber Force has its own role in shaping, supporting and promoting the county’s world-class cyber strengths and fast-growing cyber ecosystem, becoming a destination for cyber businesses, investors, careers training, academia and, indeed, innovation. With a strong cyber industry, Lancashire and the wider north-west are fostering the growth of the technology, digital and defence sectors, as well as harnessing the investment, jobs and benefits that come with a thriving cyber economy.

We should be proud of the UK’s role as a responsible global cyber power, and we should also remember that there is widespread cross-party and cross-societal consensus on the importance of cyber-security as fundamental for thriving and prosperous digital societies and economies. However, we cannot be complacent. Research from the NCC Group has shown that citizens—our constituents—expect us, as political decision-makers, to do what we can to keep them safe and secure in cyber-space. We have strong foundations to build on, but we must continue to do more to take our cyber-security to the next level. Indeed, much more can be done to ensure that regional cyber clusters, such as the north-west, can play their part in making us all safer online, while also enhancing national cyber-resilience.

I would like to move on to the issue of the UK’s Computer Misuse Act 1990. First and foremost, that Act, which is the main cyber-security Act that regulates the UK’s digital relationship between individuals and malicious parties, needs bringing into the 21st century. The Act was written more than 30 years ago when just over 0.5% of the world’s population had access to the internet, and before the cyber industry—as we know it today—even existed. As a result, the UK’s cyber-defenders, such as the vulnerability and threat intelligence researchers mentioned earlier, are held back by that outdated law from doing all they can to protect the UK. That is because the Act, which was written over 30 years ago, has a blanket prohibition on all forms of unauthorised access to computer material, irrespective of intent or motive. In this day and age, where an individual desktop PC is but a distant memory, where technologies are hyperconnected and where cyber-crime is rampant, that approach simply does not reflect the reality we live in. The legislation is no longer fit for purpose, and, worse, it might be detrimental.

There have been calls from industry, led by the CyberUp Campaign, to reform the law to include a defence for legitimate cyber-security work. Sir Patrick Vallance called for such a defence in the “The Pro-innovation Regulation of Technologies Review”, and he recommended amending the 1990 Act to include a statutory public interest defence that would provide stronger legal protections for cyber-security researchers and professionals. That would have a catalytic effect on innovation in a sector with considerable growth potential. Countries such as France, Israel and the United States have already updated their regulations to provide that defence. I join Sir Patrick by agreeing that if the UK cyber industry is to compete on a level playing field, the UK Government should do the same. However, one year since Sir Patrick published his recommendation, and three years since the UK Government first launched their review into the Act, the Government are yet to set out how they will address the legal barriers that it presents to the UK cyber-security industry.

A second area where the Government must prioritise reform is in updating the network and information systems regulations, which set out the cyber rules for our critical infrastructure. Back in 2022, the Government announced their intention to legislate to enable new sectors to be brought within the scope of the NIS regulations, responding to the inevitable evolution of what constitutes the UK’s critical infrastructure, but those reforms were not included in the most recent King’s Speech. It is critical that there are no further delays in bringing forward the reforms, and that a Bill is prioritised. Failure to legislate would leave a core part of the UK’s critical infrastructure exposed when others globally are already moving forward with new laws to ensure that all relevant entities are appropriately and proportionately regulated.

Outside the UK’s critical infrastructure, we must look at how we protect small businesses and charities, the backbone of the UK’s economy. Despite six in 10 small businesses being victims of a cyber-attack last year, many lack the skills and budgets to implement proportionate cyber-protections, leaving them exposed. They can also be disproportionately affected, with cyber-attacks sometimes posing an existential threat. A survey found that 90% of European small and medium-sized enterprises believed that cyber-security issues would have serious negative impacts on their business within a week of the issues happening; 57% said that they would most likely become bankrupt or go out of business.

It is unrealistic to expect small firms to adhere to and invest in the same cyber-resilience standards as larger firms such as critical infrastructure firms. However, that leaves a significant part of the economy vulnerable to cyber-attacks. To tackle that problem, the Government should work with technology providers to embed cyber-security in their products, particularly those most relied on by small organisations. The Government should also look at how they can support smaller firms’ response to and recovery from cyber-attacks. That could include establishing a “first responder” service that provides proportionate—that is, free-at-the-point-of-use—support to small businesses that have been victims of cyber-attacks. That could include incident response services and the triaging of further steps, such as where victims could get the most effective help. Such a scheme could learn lessons from our counterparts in Australia, who recently announced a small business cyber-security resilience service.

Finally, the Government must look at how they enhance the UK’s cyber skills. The issue of cyber skills is not just about addressing the cyber industry’s significant skills shortage, although that is a critical part of it. It is also about equipping individuals—across organisations of all sizes and at all levels of seniority—with the cyber literacy that they need to make decisions about their personal, organisational and even national cyber-resilience. A national programme of cyber literacy is needed to ensure that everyone, from preschoolers right through to pensioners, is cyber-literate, no matter where they are on their learning, career or retirement journeys. That could include commissioning “Cyber Beebies”—keeping with the concept of CBeebies, which

“helps pre-schoolers learn whilst they play fun games, watch clips, sing songs and make things”—

in order to start cyber education and awareness in the earliest years.

We could also look at including cyber-competence—covering safe and secure online behaviours, privacy and use of technology alongside broader technology and computing lessons—as a mandatory part of the school curriculum. That should be reviewed and tested with an industry advisory board regularly to ensure that it keeps pace with technological developments and industry requirements. Teachers must also be regularly supported to understand new developments and how they should be reflected in the school curriculum.

STEM—science, technology, engineering and maths—programmes throughout the country have had a critical role in creating opportunities for today’s youth as they advance their education and skillset. In my own constituency of Preston, I am very proud of the work of Cardinal Newman College. One of the highest-performing sixth form colleges nationally, it has partnered with Lancaster University to harness the skills of young people with a passion and aptitude for the study of maths and science. In doing so, they have further developed the young people’s interest and education while providing them with opportunities for their future, including—especially—in the field of cyber at the new cyber defence centre.

I welcome the Minister, who is about to take his place in the hall. I should like to ask him four questions. Will he join me in praising and expressing pride in our UK cyber industry? Will he acknowledge, as we all do, the role that our industry plays in keeping us all safe and secure in cyber-space? Will he set out the Government’s further ambitions to take our cyber-security to the next level and beyond what has been announced as part of the national cyber strategy? Will he provide more information in particular on the Government’s plans to finally make progress on introducing legal protections for legitimate cyber-security activities as part of ongoing efforts to reform the Computer Misuse Act? Will he set out the Government’s views on following the Australian example of introducing a cyber first responders service for all our small businesses and charities, and set out the Government’s ongoing commitment to invest in our national cyber-resilience?

I thank the Minister for engaging with me on this important issue. It is good that there is cross-party consensus on a matter of such importance, but it is clear that much more needs to be done when it comes to cyber-crime and ensuring that Government policy keeps pace with technology in the ever-changing cyber landscape. The public need to be better educated and trained from an early age in the use of computers. That will add to the resilience the country needs to overcome the challenges of cyber-crime for the purposes of cyber-security.

Sir Mark Hendrick

- Hansard -

Copy Link

- - Excerpts

Yes.