Ian Murray

- Hansard -

Copy Link

-

This is about making sure that we extend the scope of the 2018 regulations into other parts of the economy, and I will come on to that later in my contribution. It is about reporting things more quickly to ensure that the attacks can be seen and action can be taken more quickly. It is also about reporting to the regulators to give the regulators confidence and powers across a wider scope of sectors in the economy, and to give businesses the confidence that those sectors have to report to the regulators when things are going wrong so that swifter action can be taken. We can see from the host of recent high-profile issues, including at Hackney council, that it is important to ensure that this legislation goes through quickly and does the job that it is intended to do.

Ian Murray

- Hansard -

Copy Link

-

I thank my hon. Friend for all he did on the issues facing Jaguar Land Rover. I know that the matter is close to his heart and, indeed, it was a really big issue across the country, showing how a cyber-attack can affect not just one company, but has a ripple effect throughout the economy. Of course, the Government stepped in to unlock a £1.5 billion bolster to Jaguar Land Rover’s cash reserves to help it through that problem.

I should say to my hon. Friend, and I will come to it later, that Jaguar Land Rover and other private organisations are not in the scope of this Bill. The reason is that individual private companies should take their own cyber-security seriously and ensure that the risks of such incidents and threats are minimised as much as possible. The Bill widens the scope of the existing regulations, which do not include that, but of course the Government are working closely with Jaguar Land Rover, Marks & Spencer and other high-profile cases, because we know the impact they can have on our economy. Indeed, had the Government not stepped in and resolved that issue, the impact on Jaguar Land Rover, and the tens of thousands of employees at the plants and in the supply chain, would have been catastrophic and is not worth thinking about. I thank my hon. Friend for raising that issue.

As I said, as always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with, but today we are fixing that. The first change in the Bill is to widen the scope of the 2018 regulations. To keep up with the changes of the past eight years, we are adding a few new things to that list, starting with large-load controllers. That includes any organisation that manages a significant flow of electricity to or from a smart appliance. It might be a company that supports electric car charging, for example. Bringing these entities into scope will safeguard our power supply and give consumers confidence in using energy-smart appliances, all of which are critical as we advance towards our clean power 2030 mission and net zero.

The second change is that we are adding large data centres in recognition of their growing importance to our day-to-day lives and to the economy. These are vast digital warehouses for the United Kingdom, home to servers that host everything from patient records to their bank details. This is the data that underpins modern life and all our lives and communities, and it must be protected.

We are expanding the scope of the regulations to include managed service providers as well. Those are organisations that provide ongoing functions, such as an IT help desk, to an outside client. Their access makes them an attractive target for cyber-attacks as criminals can find one weak spot and bring countless organisations down. For example, in 2014, an attack on a service provider for the Ministry of Defence compromised the personal data of around 270,000 people—military personnel, reservists and veterans. As organisations rely more and more on outsourced tech, we have to close this gap. In fact, weaknesses in the supply chain have become such a risk that we will go even further by allowing regulators to designate certain organisations as critical suppliers. That includes certain suppliers to essential services that could have a significant impact on the economy or society as a whole—for example, key suppliers to water companies, grid operators or air traffic control. These critical suppliers will be subject to cyber-security duties, which we will set out in secondary legislation.

Ian Murray

- Hansard -

Copy Link

-

The banking sector is obviously in the regulators’ scope for cyber-security, and there have been a number of outages, as my hon. Friend mentions. The general principle is that cyber-attacks no longer come in through the front door, but through third parties and suppliers. We have seen that, for example, in the recent incidents at Heathrow and in cloud outages with Amazon Web Services and other such companies. They are covered by their own regulations. As I said in answer to my hon. Friend the Member for Lichfield (Dave Robertson) about Jaguar Land Rover, those companies will not be in the scope of the Bill, but we hope that the financial services sector, which is a leader in cyber-security for a whole host of fairly obvious reasons, will take that forward.

The recent attacks on British icons such as Marks & Spencer and Jaguar Land Rover will loom large in people’s minds. Many Members across the Chamber have already mentioned them. Supply chains were thrown into chaos, with small businesses paying the price, which clearly shows the ripple effect across the economy—on other businesses, smaller businesses and patients, such as in the public service examples mentioned earlier—when one part of the system is attacked.

We are clear that all businesses—that covers financial services, Jaguar Land Rover, Marks & Spencer and others—must take immediate steps to protect themselves. That is why, in October, members of the Cabinet wrote to the FTSE 350 companies urging them to strengthen their defences by doing three things: first, to make cyber risk a board priority; secondly, to require suppliers to have a cyber essentials certificate; and thirdly to sign up to the early warning service. That was followed by a similar letter to entrepreneurs and small businesses in November with bespoke advice for smaller teams. We know that those actions work. Organisations with cyber essentials are 92% less likely to claim on cyber insurance than those that do not. Businesses know best how to protect themselves; we are not here to regulate for the sake of regulating.

Government are taking action too. As I announced this morning, the Government cyber action plan sets a radically new model for how Government will strengthen their cyber-resilience and is backed by over £210 million of investment. Government Departments will be held to standards equivalent to those set out in the Bill. That is why the public sector and the Government are not included in the scope of the Bill. The Government should not need to legislate for themselves; we should just get on with making sure that we are leading the charge and that the cyber action plan strengthens the Government’s cyber-resilience. [Interruption.] I do not know if that was an attempt at an intervention from the Opposition Front Bench, but I am happy to take it.

Ian Murray

- Hansard -

Copy Link

-

We are concerned about the higher education system in Scotland at the moment, and this Government will do everything it can to support it. Let us work through that particular point, because it is important. The main driver for Scottish universities being in the place they are is the funding model they have been forced into having. It caps Scottish students going to university. That means the universities are completely and utterly underfunded, so their business model has had to reach into international waters to bring in much greater numbers of international students to balance the books. That model is completely broken if those international students decrease in number for a whole host of economic and other reasons. We end up in a situation whereby the whole financial issue is completely and utterly broken. To show the sums of money we are talking about, Edinburgh University is not in deficit—and it is important to say that—but it will be if it does not take action, and the deficit will be £140 million. That is a direct result of the Scottish Government’s funding of higher education.

Beyond that, the Migration Advisory Committee has also noted that the scale of migration needed to try to address depopulation would be significant, but that Scotland’s labour market needs are broadly similar to those elsewhere in the UK. The committee has highlighted in its work notable similarities and differences within nations and regions of the UK, and its ambition is to produce an analysis that is localised, but as rigorous as possible. We look forward to seeing that. However, the committee’s geographic focus has at times been limited by the reliability or availability of regional data. It will work with stakeholders to improve the geographical migration data they use, with a view to enabling greater improvement in localised insights.

Beyond this Bill, the proposals of the party of the hon. Member for Arbroath and Broughty Ferry in recent years include an expanded skilled worker visa for Scotland, a bespoke Scottish visa, a Scottish graduate visa and a remote rural partnership scheme. In relation to a Scottish rural visa pilot, the Migration Advisory Committee has noted that both Australia and Canada have place-based immigration programmes, but it is suggested that these schemes may not be a long-term solution to rural depopulation. We heard from the former Chair of the Scottish Affairs Committee, the hon. Member for Perth and Kinross-shire, that depopulation in Scotland has been a century long and therefore any scheme will not be a long-term solution to that kind of rural depopulation.

Ian Murray

- Hansard -

Copy Link

-

Absolutely, and the biggest grappling that we have to do as a Government and a country is resolve the disconnect between immigration, skills, opportunities for young people and the way in which our economy works across every single part of the United Kingdom.

One of the Migration Advisory Committee’s key concerns about some of these schemes is the efficiency of any rural visa, primarily the ability to incentivise migrants to remain located in rural areas after any visa requirements to do so lapse, especially given that the UK is a geographically much smaller country than Australia or Canada—and I mentioned the issue with regard to Quebec. Migrants moving to rural areas would be subject to the same factors driving non-migrant populations to relocate, such as inadequate health services, which is right at the top of the agenda in Scotland.