Matt Western (Warwick and Leamington) (Lab)

- View Speech - Hansard -

Copy Link

- - Excerpts

I start by welcoming the Bill, which is a serious step forward in protecting the United Kingdom from the great number of cyber-attacks that we face each day. As we have just heard from my right hon. Friend the Minister, this legislation is long overdue. A consultation started back in January 2022, and in April of that year, the then Government identified serious issues and limitations. I was slightly bemused that my hon. Friend the shadow Minister—I do consider her to be a friend—did not cover that in her speech. The previous Government then failed to act for over two years, and as my right hon. Friend the Minister illustrated in his speech, that has proven very costly.

Over the past couple of years, we have seen that cyber-security is not just paramount in our everyday lives; it is crucial. It ensures that there is food on our supermarket shelves and that the lights stay on. It is critical to every corner of the UK, but now we have to move at pace, and not just through this legislation—I urge us to go further. If we are to protect ourselves from our adversaries, we need to develop a true whole-of-society approach to cyber-security and start a national conversation on security at home. This legislation is clearly an important first step. It is a first chapter, but many more must be written if we are going to seriously address our national security, by which I mean our social and economic security.

Increasingly over the past decade, we have seen a blurring of war and peace, with the emergence of hybrid warfare and the widening of the grey zone. We are living in a cyber no man’s land where states or state-sponsored actors—proxies—can act with relative ease and impunity, leaving the world a more dangerous place. The cyber-realm is, and will remain, a key battleground, and it is one that we must seize. Every one of us in the United Kingdom needs to wake up to that fact, particularly with the development of AI and quantum computing and the extraordinary threats that will come from those developments. When it comes to being the target of cyber-attacks, the United Kingdom now ranks third among all nations. In 2024 alone, the NCSC handled an average of four major attacks every week—these are the really serious attacks—and the impact on the economy is staggering. In the same year, cyber-attacks cost the British economy £15 billion, or 0.5% of GDP. When we are trying to increase GDP by 1%, 2% or whatever it is, a hit of 0.5% is so significant.

While 43% of businesses have reported having any kind of security breach or attack over the past 12 months, that figure rises to 67% and 74% for medium and large businesses respectively. Every attack inflicts more pain on UK plc, meaning lower economic growth and lower tax receipts to fund our public services. As we heard earlier, the effects ripple through our whole society.

We have just been talking about the attack on Jaguar Land Rover this summer; that attack cost the company an estimated £500 million, affected over 5,000 businesses and put thousands of jobs at risk, with many of those employees based in my constituency of Warwick and Leamington. The impact was significant, whether it be on cafés, restaurants, pubs or shops, which were all affected by the downturn that immediately led from the shutdown of the factories.

The attack on Collins Aerospace was alluded to earlier. It crippled Heathrow airport, and I think Stansted was affected, too, but less so. It scuppered thousands of hard-earned family holidays in autumn last year, and the ramifications for the travel sector were significant.

It is not just businesses that have been affected. We have seen attacks on councils, as we have heard, and charities. Even the British Library was knocked out two years ago, which impacted so much of our research potential across our higher education institutions. It has significantly affected the UK. The Electoral Commission got knocked out by an attack by Chinese state-sponsored actors. There have been so many other attacks. Even our NHS is not safe. My right hon. Friend the Minister mentioned the attack on Synnovis. Last year, more than 11,000 NHS appointments were lost due to cyber-attacks. The attack in June 2024 on London hospitals by the Russian group Qilin saw 1,100 cancer treatments delayed, 2,000 out-patient appointments cancelled, more than 1,000 operations postponed and, tragically, the death of a patient. The message from across our international partners and the UK’s security services is clear.

Matt Western

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for sharing his lived experience. I can relate that to when I have spoken to organisations through the Business and Trade Committee and through my role on the Joint Committee for National Security Strategy. I have heard from organisations that have been impacted about how paralysing the immediate aftermath of such an attack is and how it challenges an organisation. It is crucial that these red team, blue team scenarios get played out, but when it is actually happening and a company is facing an entire shutdown of its systems, it is very difficult to navigate. Many have talked about the culture change that is needed, and we need to urgently embrace that change. The experience in the NHS that my hon. Friend mentions is a good example.

These attacks are the new normal and we must be better prepared. In September 2024, led by the FBI and the National Security Agency, the United Kingdom, Germany, Estonia, Canada and a plethora of other allies released their clearest articulation of the threat posed by Russia, and Putin in particular. They said that Russia is

“responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.”

The NCSC annual review in 2024 called the landscape “diffuse and dangerous”, while the 2025 review could not have been clearer in saying “It’s time to act” in the defining text on the front cover. Richard Horne, head of the NCSC, said:

“Empty shelves and stalled production lines are a stark reminder that cyber attacks no longer just affect computers and data, but real business, real products, and real lives… The recent cyber attacks must act as a wake-up call.”

Just last week, Andrew Bailey, the Governor of the Bank of England, said that cyber-attacks were one of the biggest threats to UK financial stability and stressed the critically important need for collaborative defence.

The reality should be clear to everyone here. The frontline is everywhere. It is our phone, it is at our desk, it is our businesses, it is our infrastructure and it is even here at the heart of our democracy. Such a threat requires a whole-of-society response. We are not the first to have been targeted. Back in 2007—18 years ago—Russia launched a determined cyber-attack on Estonia. It was damaging and debilitating to Estonia’s society and economy. The cyber-attack was a call to action for Estonia and it responded at pace. It brought about cultural change, which was talked about earlier in the debate. Estonia overhauled its legal, political and strategic framework—even looking at its education system—and adopted a whole-of-society approach to cyber-security, developing a serious public-private partnership to counter the threats posed by Russia. No doubt the Minister will have looked at this case in more detail to understand what learnings could be applied here and to our cyber-security strategy more widely to ensure whole-of-society resilience.

The reality is that cyber-attacks target the weakest link. It was welcome to hear my right hon. Friend the Minister talk about the initiatives with the FTSE 350 companies and some of the smaller businesses about how they should be engaging with these threats. It cannot be acceptable that the most popular password in the United Kingdom is “password”. It is ridiculous. Every one of us must act as guardian against our cyber-adversaries.

The Bill lays out valuable and desperately needed provisions. Its extent and scope are hugely welcome, bringing in data centres, large load controllers and managed service providers under the network and information systems regulations protects more of the economy from cyber-attacks. I am particularly pleased to see the inclusion of managed service providers, given the vulnerabilities that organisations often face from external IT suppliers or their supply base.

The amendments to the regulatory framework are a positive step. Improving the reporting of incidents will allow the Government to respond at pace and be agile to the evolving threats and shared vulnerabilities. That said, during the last Parliament, the Joint Committee on the National Security Strategy, which I now chair, called for one cross-sector cyber regulator, and I echo those calls, as I believe that would enable far greater regulation and enforcement. Finally, the improved resilience and security enabled through additional powers granted to the Secretary of State are crucial in enabling the Government to act quickly in real times of crisis.

Despite all the positive aspects of the Bill—I congratulate Ministers after the years of dithering by their predecessor Government—it does leave large parts of the economy outside its scope. As I have mentioned already, how can we incorporate a whole-of-society approach to cyber-security like that of Estonia? There will be many different levers for the Government to pull. This Bill is just one part, and I trust that others will follow swiftly. It is worth noting that the EU’s NIS2 directive is broadly parallel to the Bill before us. However, the EU goes further on cyber-resilience, having added sectors such as manufacturing, food distribution and waste water. Having witnessed such devastating attacks in these sectors in the past year, I urge us to act swiftly with further legislation to address those areas.

In summary, I just restate that I absolutely welcome the Bill and the three key pillars of the legislation—the expanded scope, improving regulation and strengthening resilience—are hugely welcome, as is the importance of experience reporting and sharing by victims. The cyber-attacks we have suffered this past year must be our inflection point—our call to action. Like Estonia in 2007, we have an opportunity to reinvigorate our cyber-defences and ensure the whole of society is resilient. The shadow Minister mentioned digital ID, and I gently say that that opportunity was seized upon by Estonia at the time and it has since introduced digital ID. It is secure, as it is in Denmark. Estonia looked at the opportunity presented by that challenge and that attack that they faced, and those systems work. That has been demonstrated by both those countries. As the annual review from the National Cyber Security Centre rightly asserts,

“the UK’s cyber security is… a shared responsibility where everyone needs to play a part.”

We parliamentarians have a duty to raise the salience of the issue, and to bring about a national conversation to ensure that everyone plays their part.

Finally, may I gently encourage the Minister to go further and faster, and to look at the broader cyber-landscape, as Estonia did and as the European Union is doing with its NIS2 legislation? May I encourage him to consider introducing legislation to cover food production and distribution, manufacturing and other critical sectors? As I have said, however, the Bill is an important first step, and I look forward to working constructively with him to ensure that the UK and its citizens are secure from, and resilient to, any future cyber-attacks.

Henry Tufnell (Mid and South Pembrokeshire) (Lab)

- Hansard -

Copy Link

- - Excerpts

It is a pleasure to serve under your chairmanship, Mr Mundell. I thank my hon. Friend the Member for South Norfolk (Ben Goldsborough) and the hon. Member for Harrogate and Knaresborough (Tom Gordon) for their excellent speeches.

For millions across the UK, video games are more than just entertainment. They are a creative outlet, a way to unwind and a means of connecting with other gamers across the world. As a cornerstone of our creative industries, the UK is one of the largest video game markets in the world, with sales reaching nearly £4.3 billion in 2024. From Harry Potter and James Bond to British premiership football, some of the most popular games worldwide are rooted in British culture. I am delighted that this Labour Government are backing the sector’s continued growth, investing £40 million in start-up video game studios and expanding creative industry tax reliefs to incentivise further innovation and investment.

The Welsh Labour Government are also championing our creative industries through their dedicated economic development agency Creative Wales, which supports creatives across the country, including the brilliant Goldborough Studio, an independent game developer based in Lawrenny in my constituency of Mid and South Pembrokeshire.

Some of my constituents are concerned that consumer rights in this space have not kept up with advancing technology, leaving gamers in danger of losing out. As Members have set out already, the publishers of online video games can, at their discretion, shut down the servers that keep the games running. When that happens the games become unplayable, leaving consumers who have paid for them without access to the digital worlds in which they have invested their time, imagination and money.

Under the Consumer Rights Act 2015, digital content must be as described by the seller. If the game is sold without clear information about its support, lifespan or potential server shutdowns, consumers are entitled to a repair, a replacement or a refund. A recent example is “Concord”, a game released for PlayStation 5 and Windows in August 2024. Following a disappointing launch, Sony Interactive Entertainment made a commercial decision to shut it down. To its credit, Sony refunded all purchases, but that is not always the case.

Members will agree that if publishers fail to make the lifespan of a game clear at the point of sale, they must be held accountable, which is why I welcome the strengthened consumer protections in the Digital Markets, Competition and Consumers Act 2024, which came into force earlier this year. The legislation rightly requires traders to provide clear, timely and accurate information to consumers, including in respect of the longevity and functionality of digital products.

More broadly, my constituent Stewart Coombes raised an important cultural point. Video games are unique creative works that blend music, design, storytelling and interactivity in ways that no other medium can. They allow players to inhabit imagined worlds and engage with complex narratives.

Henry Tufnell

- Hansard -

Copy Link

- - Excerpts

I agree with my hon. Friend about the extent to which games have a cultural identity, and that to take them down erases a cultural and artistic heritage that is vital to society and to the wider industry as well. As campaigners have rightly argued, if every copy of a book, film or song were destroyed, we would see it as a cultural tragedy. We should view the loss of video games in the same light, so I thank my hon. Friend for his timely intervention. Does the Minister agree that video games are a vital part of our creative and cultural landscape? Will she commit to exploring how we can better protect consumers and preserve access to digital works even after commercial support ends?

Hon. Members

- Hansard -

Copy Link

No.

Mr Alaba

- Hansard -

Copy Link

- - Excerpts

Oh, guys. I am more excited to hear the thoughts of other Members present, because I know that they bring insights into their communities from which we can all benefit.

Sir Jeremy Wright (in the Chair)

- Hansard -

Copy Link

- - Excerpts

If she can limit herself to one minute, I call Catherine Fookes.