Cyber Security and Resilience (Network and Information Systems) Bill (First sitting) Debate

Department: Department for Science, Innovation & Technology

Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)

Kanishka Narayan Excerpts
Tuesday 3rd February 2026


Public Bill Committees
Tim Roca (Macclesfield) (Lab)

Q This question is mainly for Jen. Your colleague Jamie MacColl has made a series of forthright comments about the Bill and compared it to NIS2. How does the Bill compare to legislation worldwide?

Jen Ellis: As a starting point, I will clarify that I am a fellow at RUSI. I work closely with Jamie, but I do not work for RUSI. I also take no responsibility for Jamie’s comments.

On the comparisons, David alluded to the fact that Europe is a little bit ahead of us. NIS2, its update to NIS1, came into force three years ago with a dangling timeline: nations had until October 2024 to implement it. My understanding is that not everybody has implemented it amazingly effectively as yet. There is some lag across the member states. I do not think we are too out of scope of what NIS2 includes. However, we are talking about primary legislation now; a lot of the detail will be in the secondary legislation. We do not necessarily know exactly how those two things will line up against each other.

The UK seems to be taking a bit of a different approach. The EU has very specifically tried to make the detail as clearly mandated as possible, because it wants all the member states to adopt the same basis of requirements, which is different from NIS1, whereas it seems as though the UK wants to provide a little bit of flexibility for the regulators to “choose their own adventure”. I am not sure that is the best approach. We might end up with a pretty disparate set of experiences. That might be really confusing for organisations that are covered by more than one competent authority.

The main things that NIS2 and CSRB are looking at are pretty aligned. There is a lot of focus on the same things. It is about expanding scope to make sure that we keep up with what we believe “essential” now looks at, and there is a lot of focus on increased incident reporting and information sharing. Again, the devil will be in the detail in the secondary legislation.

The other thing I would say goes back to the earlier question about what is happening internationally. The nations that David mentioned, like Australia or the jurisdiction around the EU, are really proactive on cyber policy—as is the UK. They are taking a really holistic view, which David alluded to in his introduction, and are really looking at how all the pieces fit together. I am not sure that it is always super clear that the UK is doing the same. I think there is an effort to do so, and UK policymakers are very proactive on cyber policy and are looking at different areas to work on, but the view of how it all goes together may not be as clear. One area where we are definitely behind is legislating around vendor behaviour and what we expect from the people who are making and selling technology.

The Parliamentary Under-Secretary of State for Science, Innovation and Technology (Kanishka Narayan)

Q Thank you very much to both of you for your insights today. The question on my mind is related, in part, to the point that Jen raised. There are a range of levers at the Government’s disposal in thinking about and acting on cyber-security. I am interested in your thoughts on which parts of the economy ought to be in the scope of regulation and legislative measures, and where effective measures that sit outside of regulation and legislation—guidance being one from a range of non-regulatory measures—would be better suited.

Jen Ellis: Again, that is a hugely complex question to cover in a short amount of time. One of the challenges that we face in the UK is that we are a 99% small and mediums economy. It is hard to think about how to place more burdens on small and medium businesses, what they can reasonably get done and what resources are available. That said, that is the problem that we have to deal with; we have to figure out how to make progress.

There is also a challenge here, in that we tend to focus a lot on the behaviour of the victim. It is understandable why—that is the side that we can control—but we are missing the middle piece. There are the bad guys, who we cannot control but who we can try to prosecute and bring to task; and there are the victims, who we can control, and we focus a lot on that—CSRB focuses on that side. Then there is the middle ground of enablers. They are not intending to be enablers, but they are the people who are creating the platforms, mediums and technology. I am not sure that we are where we could be in thinking about how to set a baseline for them. We have a lot of voluntary codes, which is fantastic—that is a really good starting point—but it is about the value of the voluntary and how much it requires behavioural change. What you see is that the organisations that are already doing well and taking security seriously are following the voluntary codes because they were already investing, but there is a really long tail of organisations that are not.

Any policy approach, legislation or otherwise, comes down to the fact that you can build the best thing in the world, but you need a plan for adoption or the engagement piece—what it looks like to go into communities and see how people are wrestling with this stuff and the challenges that are blocking adoption. You also need to think about how to address and remove those challenges, and, where necessary, how to ensure appropriate enforcement, accountability and transparency. That is critical, and I am not sure that we see a huge amount of that at the moment. That is an area where there is potential for growth.

With CSRB, the piece around enforcement is going to be critical, and not just for the covered entities. We are also giving new authorities to the regulators, so what are we doing to say to them, “We expect you to use them, to be accountable for using them and to demonstrate that your sector is improving”? There needs to be stronger conversations about what it looks like to not meet the requirements. We should be looking more broadly, beyond just telling small companies to do more. If we are going to tell small companies to do more, how do we make it something that they can prioritise, care about and take seriously, in the same way that health and safety is taken seriously?

David Cook: To achieve the outcome in question, which is about the practicalities of a supply chain where smaller entities are relying on it, I can see the benefit of bringing those small entities in scope, but there could be something rather more forthright in the legislation on how the supply chain is dealt with on a contractual basis. In reality, we see that when a smaller entity tries to contract with a much larger entity—an IT outsourced provider, for example—it may find pushback if the contractual terms that it asks for would help it but are not required under legislation.

Where an organisation can rely on the GDPR, which has very specific requirements as to what contracts should contain, or the Digital Operational Resilience Act, which is a European financial services law and is very prescriptive as to what a contract must contain, any kind of entity doing deals and entering into a contract cannot really push back, because the requirements are set out in stone. The Bill does not have a similar requirement as to what a contract with providers might look like.

Pushing that requirement into the negotiation between, for example, a massive global IT outsourced provider and a much smaller entity means either that we will see piecemeal clauses that do not always achieve the outcomes you are after, or that we will not see those clauses in place at all because of the commercial reality. Having a similarly prescriptive set of requirements for what that contract would contain means that anybody negotiating could point to the law and say, “We have to have this in place, and there’s no wriggle room.” That would achieve the outcome you are after: those small entities would all have identical contracts, at least as a baseline.

Emily Darlington (Milton Keynes Central) (Lab)

Q I want to go back to basics and get a bit of insight from you. What cyber risks are businesses currently facing, and how do you feel the Bill addresses those risks?

David Cook: The original NIS regulations came out of a directive from 2016, so this is 10 years old now, and the world changes quickly, especially when it comes to technology. Not only is this supply chain vulnerability systemic, but it causes a significant risk to UK and global businesses. Ransomware groups, threat actors or cyber-criminals—however you want to badge that—are looking for a one-to-many model. Rather than going after each organisation piecemeal, if they can find a route through one organisation that leads to millions, they will always follow it. At the moment, they are out of scope.

The reality is that those organisations, which are global in nature, often do not pay due regard to UK law because they are acting all over the world and we are one of many jurisdictions. They are the threat vector that is allowing an attack into an organisation, but it then sits with the organisations that are attacked to deal with the fallout. Often, although they do not get away scot-free, they are outside legislative scrutiny and can carry on operating as they did before. That causes a vulnerability. The one-to-many attack route is a vulnerability, and at the moment the law is lacking in how it is equipped to deal with the fallout.

Jen Ellis: In terms of what the landscape looks like, our dialogue often has a huge focus on cyber-crime and we look a lot at data protection and that kind of thing. Last year, we saw the impact of disruptive attacks, but in the past few years we have also heard a lot more about state-sponsored attacks.

I do not know how familiar everyone in the room is with Volt Typhoon and Salt Typhoon; they were widespread nation-state attacks that were uncovered in the US. We are not immune to such attacks; we could just as easily fall victim to them. We should take the discovery of Volt Typhoon as a massive wake-up call to the fact that although we are aware of the challenge, we are not moving fast enough to address it. Volt Typhoon particularly targeted US critical infrastructure, with a view to being able to massively disrupt it at scale should a reason to do so arise. We cannot have that level of disruption across our society; the impacts would be catastrophic.

Part of what NIS is doing and what the CSRB is looking to do is to take NIS and update it to make sure that it is covering the relevant things, but I also hope that we will see a new level of urgency and an understanding that the risks are very prevalent and are coming from different sources with all sorts of different motivations. There is huge complexity, which David has spoken to, around the supply chain. We really need to see the critical infrastructure and the core service providers becoming hugely more vigilant and taking their role as providers of a critical service very seriously when it comes to security. They need to think about what they are doing to be part of the solution and to harden and protect the UK against outside interference.

David Cook: By way of example, NIS1 talks about reporting to the regulator if there is a significant impact. What we are seeing with some of the attacks that Jen has spoken about is pre-positioning, whereby a criminal or a threat actor sits on the network and the environment and waits for the day when they are going to push the big red button and cause an attack. That is outside NIS1: if that sort of issue were identified, it would not be reportable to the regulator. The regulator would therefore not have any visibility of it.

NIS2 and the Bill talk about something being identified that is caused by or is capable of causing severe operational disruption. It widens the ambit of visibility and allows the UK state, as well as regulators, to understand what is going on in the environment more broadly, because if there are trends—if a number of organisations report to a regulator that they have found that pre-positioning—they know that a malicious actor is planning something. The footprints are there.

--- Later in debate ---
The Chair

The witnesses need not feel obliged to answer every question; if colleagues could direct their questions to individual witnesses, we will get through quicker.

Stuart McKean: I think that the MSP definition is quite broad at the moment, so adding some clarity to it will help. At the moment, the key definition of an MSP is based on size, and whether you are a small, medium, large or even microenterprise. The reality is that only 11%, I think, of MSPs are the large and medium-sized enterprises that are going to fall in scope of the Bill as a managed service provider. Although the definition might be quite broad, the clarity on the size of MSP is actually quite particular, and you will lose a lot of MSPs that will not be in scope.

Jill Broom: Although some of our members are content with the definition of managed service provider, others feel that, as Stuart said, it is too broad. It continues to cause a little bit of confusion, since it is likely to encompass virtually any IT service. Probably some further work needs to be done and further consultation. There will be some further detail in the secondary legislation around that definition. I wanted to highlight that a lot of detail is coming in secondary legislation, which can make it quite difficult to scrutinise the primary legislation. A broad call-out for ensuring mandatory and meaningful consultation on that secondary legislation and associated guidance would be really welcome.

We are already working with the Bill team to put some of the pre-consultation engagement sessions in place, but we would call for the consultation to be brought forward to help us to understand some of the detail. The consultation period on the secondary legislation is currently estimated to happen towards the end of the summer, but we would like that to be brought forward, where possible. That consultation is going to cover a lot of detail, so it needs to be a substantial amount of time to allow us to comment. We are keen to be involved in that process as much as possible.

Kanishka Narayan

Q Thank you all very much for making time. I have an implementation-focused question, perhaps directed at Stuart, but open to all. In practice, it would be helpful to understand how frequent is the case that a single company might provide multiple of the possible services in scope: MSP services, cloud hosting, data centre support and cyber-security services. What ability might we have to identify parts of an organisation that are in scope for particular bits and those that are not?

Stuart McKean: You are going to hear the word “complex” a lot in this session. It is hugely complex. I would almost say that everyone likes to dabble. Everyone has little bits of expertise. Certain companies might be cloud-focused, or focused on toolsets; there are a whole range of skillsets. Of course, the larger organisations have multiple teams, multiple scopes and much more credibility in operating in different areas. As that flows down the supply chain, in many cases it becomes more difficult to really unpick the supply chain.

For example, if I am a managed service provider delivering a cloud service from a US hyperscaler, who is responsible? Am I, as the managed service provider, ultimately on the hook, even though I might be using a US-based hyperscaler? That is not just to pick on the hyperscalers, by the way—it could be a US software-based system or a set of tools that I am using. There are a whole range of parts that need to become clearer, because otherwise the managed service community will be saying, “Well, is that my responsibility? Do I have to deliver that?”.

You are then into the legislation side with procurement, because procurement will flow down. Although I might not be in scope directly as a small business, the reality is that the primes and Government Departments that are funding work will flow those requirements down on to the smaller MSPs. Although we might not be in scope directly, when it comes to implementing and meeting the legislation, we will have to follow those rules.

Dr Gardner

Q It is interesting that you mentioned the complexity and skilled teams. Sanjana, you talked about the need for more skill and responsibility, and how distributed responsibility across supply chains is a big deal. That comes down to a duty of care on people who are procuring these things. The annual cyber security breaches survey found that board-level responsibility for cyber has declined in recent years. What explains that, and how could it be improved? As a quick supplementary question, do you think there should be a statutory duty for companies to have a board member responsible for cyber risk? Jill, I will go to you first.

Jill Broom: With the board, historically, cyber has not been viewed as a business risk, but as a technical problem to be addressed by the technical teams, instead of being a valuable, fundamental enabler of your business and a commercial advantage as well, because you are secure and resilient. That has been a problem, historically. It is about changing that culture and thinking about how we get the boards to think about this.

I think a fair amount of work is happening; I know the Government have written to the FTSE 350 companies to ask them to put the cyber governance code of practice into play. That is just to make cyber a board-level responsibility, and also to take account of things such as what they need to do in their supply chain.

--- Later in debate ---
The Chair

I should say to the witnesses: do not feel obliged to answer each question if you do not feel that you have anything material to add.

Matt Houlihan: It is very tempting to answer the question on AI, but thank you for the question on managed service providers. It is right that managed service providers are looked at in this Bill. An increasing amount of the work of managing IT services is clearly now outsourced to managed service providers. There needs to be some scrutiny and some baseline of cyber-security with those. I would say a couple of things on what guidance is needed. We broadly support the definition in the Bill. I appreciate the comments in the previous session that suggested that the definition was a little too broad and could be refined, which I think is fair, but when you compare the definition in the CSRB with the definition of managed service providers used in the NIS2 legislation, a couple of bits of clarity are provided in the CSRB. First, the managed service provider needs to provide an

“ongoing management of information technology systems”.

We feel that word “ongoing” is quite important. Secondly, it has to involve

“connecting to or…obtaining access to network and information systems relied on by the customer”.

We feel that

“connecting to or…obtaining access to”

the network is an important part of the definition that should be put forward. One area where more tightness can be provided is where, in the Bill, there is a non-exhaustive list of activities that an MSP could be involved in, such as

“support and maintenance, monitoring, active administration”.

The Bill then says, “or other activities”, which adds quite a bit of uncertainty on what is and is not an MSP.

The other area I would like to highlight and link to Ben’s answer on AI is that the “active administration” activity raises a question about the extent to which AI-enabled managed services would come under that definition. I am sure that lots of managed service providers will use AI more and more in the services that they provide to their end customers; to what extent does “active administration” involve an AI-related service?

To end on that specific question, the Information Commissioner’s Office will, I believe, issue guidance for managed service providers once the Bill is passed. That guidance will be the critical thing to get right, so there should be consultation on it, as my colleague from techUK suggested earlier. I would also suggest that that guidance cannot be a simple check-box list of things that have to be done. We should shift our thinking to have more of an ongoing appreciation of what cyber-security involves in practice for MSP or other regulated entities under the Bill. Making sure there is an ongoing process and that there is effective enforcement will be important.

Chris Anley: On the NAO report, the cyber action plan and public sector cyber-security, you are absolutely right to point out that the NAO report identifies serious issues. The Government recently acknowledged that they are likely to miss their 2030 cyber-resilience targets. It is also important to point out that the cyber action plan lays out an approach with many very positive elements such as an additional £210 million in central funding. There are many benefits to that, including a centralised provision of services at scale, a concentration of expertise and a reduction of costs.

Then there are other broader initiatives in the cyber action plan. The UK software security code of practice, which has been mentioned several times in these sessions, is a voluntary code that organisations can use as a tool to secure their supply chain. Cisco and NCC Group are ambassadors for that scheme and voluntarily comply with it, and it improves our own resilience.

Whether the cyber action plan goes far enough is a very difficult question. The NAO report also points out the extreme complexity of the situation. Within the budgetary constraints, I think it is fair to say that the steps in the plan seem reasonable, but there is a broader budgetary conversation to be had in this area. Two of the most significant issues identified in the report are the skills shortage, which has come up in these sessions—almost a third of cyber-security posts in Government are presently unfilled, which is dangerous—and the fact that Departments rely on vulnerable, outdated legacy IT systems, which may be the cause of an incident in their own right and would certainly make an incident much more severe were one to occur. The problem is that those are both largely budgetary issues. Successive Governments have obviously focused on delivering taxpayer value, as they should—we are all taxpayers—but over a period of a decade or more, that has led to a position where Departments find it difficult to replace legacy IT systems and fill these high-skill, high-cost cyber-security positions. There is very much a broader discussion to be had, as has been raised in these sessions, about where we should be in terms of the budget. You are absolutely right to raise the public sector issues. Although the Bill focuses on the private sector, the public sector obviously must lead by example.

Dr Ian Levy: We think the current definitions of critical suppliers are probably overly broad and risk bringing in SMEs, when you really do not want to do that. That said, we need to think about the transitive nature of supply chains. With previous regulations that talk about cyber-security, we have seen a flow-down of requirements through contracting chains. There is a question about how far it is reasonable to go down those contracting chains. In my experience, the value of the contract and the potential impact are not necessarily correlated. We certainly saw that when we were giving evidence for the Telecommunications (Security) Act 2021.

There is a real question about how you define what supply chain you mean. You mentioned that AWS has a complex supply chain. We certainly do—it is astoundingly complex—but the important thing is that we control the really important parts of that. For example, we build our own central processing units, graphics processing units, servers, data centres and so on. The question then becomes: how does that translate out to customers? If a customer is using a partner’s service running on AWS, where does the liability accrue? I do not think that is adequately covered in the Bill.

In terms of certainty and foreseeability, the Bill as it stands admits a single entity being regulated multiple times in multiple different ways. We are subject today to at least four different sets of regulations and regulators. Some of them conflict, and some of them are ambiguous. As this expands out, a single reporting regime—a lead regulator model—would take some of that ambiguity away so that you have more foreseeability and certainty about what you are trying to do.

There are things in the current drafting of the Bill that we think need some consultation. There are things in primary legislation, such as the Secretary of State’s powers, that seem to be unbounded—that is probably the best way to describe it—and that seems dangerous. We understand the necessity for powers around national security, but we think there need to be some sort of safeguards and consultation about how they are used in practice. For any multinational company, something that is effected in the UK is likely to affect all our customers, so some real constraint is needed around that.

Kanishka Narayan

Q One of the themes already emerging in the conversation and in the wider public debate is that, on one line of thought, the right framework is that the law should focus on outcomes, principles and responsibilities, and then delegate specificity to both agile definition over time and specific expertise in sectors. An alternative view says that in looseness there is uncertainty, and we in Parliament should prescribe activity and impact thresholds and what companies should be doing. I am interested in areas across the board where you think prescription is a helpful way to go, as well as in your general experience of the core way and framework through which we have regulated a number of these activities, which is to rely on the agility and expertise in particular sectors, rather than the prescription of activity in primary legislation.

Chris Anley: By our calculation, as you say, the number of organisations that fall under the scope of the Bill in terms of the Government’s impact assessment is 0.1% of the private sector, which is one one-hundredth of the tip of the iceberg. We are going to have to adopt a whole-of-economy approach if we are going to secure the UK—we have already talked about the public sector issues.

On the Bill itself, we have three main comments. First, the secondary legislation forms the bulk of the technical measures, so we are calling for early consultation on that. Secondly, the Bill imposes additional reporting obligations, adding to an already complicated situation for reporting cyber-incidents in the UK. The reporting obligations trigger at a time of great complexity for an organisation, so we are calling for a single point of contact for reporting all cyber-security incidents in the UK and a single timeline. That may sound like a big ask—an impossible dream. Australia has already done it, and the EU is in the process of doing it in its digital omnibus streamlining package.

Finally, in terms of cyber professionals, the passage of a cyber-security Bill through Parliament is a golden opportunity to address the serious problems with the Computer Misuse Act 1990. Cyber professionals who are defending the UK cannot currently do so without risking criminal prosecution. We cannot carry out basic identification and verification actions without potentially committing the offence of unauthorised access to computer material, because a ransomware gang, for example, is unlikely to give us authorisation to identify the command and control system they are using to attack the UK.

We support the CyberUp campaign, which is proposing an amendment to the Computer Misuse Act to provide a statutory defence, resting on four strong safeguarding principles. We believe that that would help to protect our defenders while maintaining the integrity of the law. Based on the campaign’s research into the size of the cyber-security industry in the UK, the amendment would not only help to prevent incidents and mitigate incidents in progress, but add 9,500 highly skilled jobs and over £2.5 billion in revenue to the UK economy. Other nations are already benefiting from this type of safeguard, including our oldest ally, Portugal, which has implemented them in its recent amendments to NIS2, which is the exact legislative equivalent of the process we are in today. In summary, please help us to defend the UK by protecting our defenders.

Dr Ian Levy: To follow up on what Chris says, we strongly agree on early consultation on the technical detail of the secondary legislation. Somebody said in the previous session that, in security, the devil is always in the detail. Well-meaning text can be massively misinterpreted. We need to be very careful about that, so wide, early consultation is key.

On incident reporting, I will make two points. Chris made the point that when you are being asked to report, you are at your most desperate, because you have just found out that you have been attacked and you do not know what is going to happen. A lot of legislation accidentally ignores the victim. When we set up the NCSC, one of the primary things was that we were there to support the victims. I urge you not to lose sight of that. Absolutely, go after and find the culprits later, but in the moment, the victims are absolutely key to this.

The second part of that, about a single reporting timeline and a single reporting route, is that it is not just good for the victims but the only way that we generate strategic intelligence. That is one of the things that is missing in the UK—and has been for decades. We have five, six or seven different reporting portals that all characterise things differently and take different types of information, and bringing them together to have a single picture about the actual threat to the UK is incredibly difficult. A single reporting forum could fix that.

Ben Lyons: I might distinguish between what organisations need to do and whether organisations are in scope. In terms of what they need to do, the outcomes-based approach is sensible. If you think about when the Johnson Government were consulting on the measures that would go on to form this Bill, that was a time when ChatGPT had not been invented and the geopolitical environment was very different. The world is moving fast, and I think that the cyber assessment framework is a good starting place for what a code of practice could look like, because it is already understood by industry and is outcomes-driven.

I agree with the previous comments about incident reporting. I think that there is a lot of merit in the suggestion around a shared portal so that it is easier to report incidents in that moment of dealing with a cyber-attack. Within the regime as envisaged, probably the most important bit with reference to reporting is about improving that early clarity and visibility for the NCSC so that they can help. That is probably where I would place the emphasis, more than on regulators having that information within 24 hours. In that context, an approach that recognises best efforts in that first 24 hours but is focused on tackling the problem will be important for dealing with the issue.

On the supply chain, I would say—and we have heard about this before—that there could be more clarity there in terms of who would be in scope for designated suppliers. Thinking a bit around both systemic dependency and the potential for wider disruption would be important factors to give it more clarity.

Matt Houlihan: To round off the responses, on the question about finding the balance between specificity and agility, the Bill does a reasonable job at that. We can totally see the need to keep some of the doors open, because not only is the nature of the threat changing rapidly but the nature of technology—and of our capabilities to defend—is changing as well. We have already talked about AI, and we have lots of quantum research taking place as well that will have a big bearing on cyber-security.

It is right that the Bill has some agility in it, but it is clear from the responses today that there is a need to tighten it up in certain places. We talked about incident reporting, and having a simpler, more co-ordinated system for regulated entities to work with so that that reporting process is easier. The definition of “incident” itself needs to be looked at, we believe. The idea of an instance not only having, but being capable of having, an adverse effect on information systems opens the door very widely to lots of potential incidents that may need to be reported on. Having a tighter definition there would be very useful.

To touch on the point about Secretary of State powers, we feel that the door is a little bit too wide. If you look at legislation such as Australia’s cyber-security legislation from 2018, the Security of Critical Infrastructure Act, that also has some good Secretary of State powers, but there are lots of guardrails contained in it that make it clear that it is a power of last resort, where the entity is unwilling or unable to carry out the remedial action itself. There are also other guardrails contained in that legislation. We urge the Committee and the Government to look at that Act and take inspiration from it to think about where those guardrails could be worked into the UK law.

The Chair

Four colleagues wish to ask questions, and they have only 20 minutes in which to ask them, so I appeal for brevity, both in the questions and, if you do not mind, in the answers.