Sarah Russell (Congleton) (Lab)

- View Speech - Hansard -

Copy Link

-

Happy new year to you, Madam Deputy Speaker, your team and everyone else in the House.

It is no overstatement to say that this is one of the most pressing issues of our time. I suspect that if we were not bringing forward this legislation it would only become apparent quite how pressing it had been when there was a major incident that lay it bare. I think it is one of the marks of successful government that we are, hopefully—I touch wood as I say this—managing to stay ahead of the curve on these incidents. There is nothing more important than national security relating to critical infrastructure. I think it is exactly what our constituents want to see us acting on, and I wish they saw more of us discussing issues on a cross-party basis, with broad agreement. It is welcome to see the Government taking these steps.

I particularly want to discuss the enhanced incident reporting duties on the digital service providers and the duties to inform customers. In short, I have real concerns about how those duties will play out in practice. From my experience of having advised whistleblowers in the financial sector, when there are obligations of this nature, some corporations unfortunately make more effort to avoid complying with them than to comply with them. It is an excellent piece of legislation, and I am not suggesting that the Government should have drafted it in any other way, but we need to look at our whistleblowing laws alongside it, because at the moment we do not have strong enough protections for whistleblowers within UK law. That applies both inside and outside employment settings—for example in relation to contractors and other third parties.

If we do not ensure that people have mechanisms by which they can anonymously report breaches of those sorts of obligations, and if we do not have the right protections for them when they are raising the concerns internally in the first place, we will not be able to make adequate use of the Bill’s excellent provisions. I want to impress upon the Minister how important it is that this legislation is looked at in that wider context.

Also within the wider context is a broader debate—lots of us have touched on this without specifically identifying it—about how we balance the risk across society and the cost of the risk. It is about the risk to individuals, national security, individual businesses and individuals within those businesses, such as directors or other senior leaders. It is about how we ensure that in our country we do not have large tech companies, major data centres and other big private sector businesses taking economic benefits without carrying risk. We need those businesses and they are crucial to us, but we do not want them taking the economic benefits of operating in our advanced economy while the Government and therefore the taxpayer carry all the risk and burden of the regulation.

It is great to see that the Bill contains provisions allowing for financial recovery in the enforcement action that we want to take. It is also fantastic that when it comes to the enforcement provisions and finances associated with it, we are looking at up to 4% of global turnover in terms of potential fines for not complying. My position as a former lawyer is always that I want to know that things are enforceable. There are good enforcement mechanisms in the Bill, and there is plenty of money that could potentially be at risk, which incentivises the kind of compliance that we want to see, but we need to look at the broader societal piece about how we balance the risks and opportunities in relation to tech in general.

I was going to talk quite a bit about my concerns about my local public services and how they can better manage cyber-security. The Legal Aid Agency cyber-attack enabled criminals to steal the details of anyone who had applied for legal aid between 2007 and 2025. The scale of the financial risks to those individuals cannot be overstated; the amount of personal data that that involved was absolutely huge. Six out of 10 secondary schools are now subject to cyber-attacks. The Cheshire Cyber Security Programme is in place to help local small businesses manage their cyber-risk. It provides training for up to five members of staff in small businesses. Our local police powers are being used to try to take proactive steps to improve the situation for our local small businesses.

Schools in academy trusts are spending quite a lot of money on cyber-insurance to try to protect against these risks. We have seen schools across the country shut down because they are unable to open following cyber-attacks. The public sector action plan that the Government published this morning is incredibly welcome in terms of cyber-risk, and I really look forward to the opportunity to go through it in more detail. We again need to look at the balance of cost within our society.

I would like to add to the comments of those who have suggested that we should review the Computer Misuse Act 1990 and the lack of current protections for researchers doing important work in this area. We obviously have several institutions that are currently engaged in cyber-security work, including the Alan Turing Institute and the National Cyber Security Centre. We need to make sure that they have the right remit, because this area is only going to expand when the complexities of AI are added. We must ensure that everyone is protected to do their job effectively. That means protecting individuals, businesses and our wider society.

Lastly, we need to move as quickly as we can on this. It is great that we are maintaining our EU alignment, because realistically the only way that we can continue to be a major player and have considerable influence over companies, many of which now have much larger budgets than major economies, is if we work in conjunction with other countries. That is what our ongoing relationship with the EU should be about.

I thank everyone who has been involved with work on the Bill. I think it is excellent, and it is completely the right direction of travel. It is a shame that the Government doing the right thing every day does not get more publicity, even when it is not likely to grab many headlines. It is about doing the work, getting the right structures in place and moving forward productively in a cross-party way where possible. It is about securing our nation and ensuring that our economy is on a strong footing. There is everything to be said in favour of that.

Sarah Russell (Congleton) (Lab)

- Hansard -

Copy Link

-

Q Obviously no one wants to put crippling costs on to businesses, but cyber-security costs money—there is no way of avoiding that. We only have to look at the JLR attack to see the scale of the impact on our economy when it does not work, and we are looking at only critical national infrastructure here. Have you had any information from business about whether and to what extent this will promote increased spending on cyber-security?

Jill Broom: We can assume that it will, because if you are in the supply chain or come within scope, you will have certain responsibilities and you will have to invest, not just in technology but in the skills space as well. How easy it is to do that is probably overestimated a bit; it is quite difficult to find the right skilled people, and that applies across regulators as well as business.

Generally speaking, yes, I think it will be costly, but there are things that could probably help smaller organisations: techUK has called for things such as financial incentives, or potentially tax credits, to help SMEs. That could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first.

Dr Sanjana Mehta: If I may expand on that, we have been consulting our members and the wider community, and 58% of our respondents in the UK say that they still have critical and significant skills needs in their organisations. Nearly half of the respondents—47%—say that skills shortages are going to be one of the greatest hurdles in regulatory compliance. That is corroborated by evidence, even in the impact assessment that has been done on the previous regulatory regime, where I think nearly half of the operators of essential services said that they do not have access to skills in-house to support the regulatory requirements. Continuing to have sustained investment in skills development is definitely going to require funding. Taking it a step back, we need first of all to understand what sort of skills and expertise we have to develop to ensure that implementation of the Bill is successful.

Sarah Russell (Congleton) (Lab)

- Hansard -

Copy Link

-

Q One of the things talked about this morning was that the risk in these relationships and sectors will simply be managed down the supply chain until it is essentially contracted out of existence, because the smallest organisations that end up holding the risk will be incapable of effectively managing it. Should they fail, because they have not failed the risk and their liabilities become so big, they will just collapse. It will not be possible for you guys to manage the entirety of the supply chain down, so how do you see your enforcement capabilities and the adequacy or otherwise of the legislation in that context?

Stuart Okin: Essentially, we would not go all the way down the supply chain. First, the operators of essential services are defined very much by the thresholds. Ultimately, they are the first point of responsibility. On the critical third party suppliers that have been brought in by the Bill, there will be a small number of those that, for energy, are for the entire systemic system of the UK, not the smaller entities. So we will hold those to account. On the enforcement side of things, if and when it comes to that, they will be in the same situation as the current operators of essential services are today. We welcome the simplification in the Bill and bringing those into the same sectorial powers and the same types of fines that we see today. It will not go down to those minutiae of detail. Again, the secondary legislation gives you the ability to define that.

Natalie Black: To keep it brief, we welcome the supply chain being brought into scope because we are all well aware that the most high-profile recent incidents often emanated from the supply chain. That said, we should be very honest about the complexity of entering this space, exactly for all the points that you have alluded to in terms of volume and scale and everything. We are already using this time to work through what our methodology will be. Engaging with the operators of essential services who are ultimately the customer of these suppliers has to be a starting point in terms of who they are most worried about in their supply chain. As Stuart says, you will see some commonality across all our sectors, so the numbers might not be as big as we might at first think, but this is what we need to work through over the coming months.

Ian Hulme: From an ICO perspective, one of the big tasks that we are going to have in understanding the MSP market is what their supply chains look like. We are perhaps a little behind colleagues in other regulators because of the difference in the regulatory regime, but that is one of the tasks that we will have to get to grips with.

Sarah Russell

- Hansard -

Copy Link

-

Q Professor Child, I note that you are very supportive of legal reform in quite a number of areas. With emphasis on the Computer Misuse Act, surely the reality is that the Crown Prosecution Service will never conclude that it is in the best interests of the country to prosecute any of the behaviours that people are concerned about, which we recognise as positive and helpful. Is there a need for legal reform?

Professor John Child: Yes. It is not the easiest criminal law tale, if you like. If there were a problem of overcriminalisation in the sense of prosecutions, penalisation, high sentences and so on, the solution would be to look at a whole range of options, including prosecutorial discretion, sentencing or whatever it might be, to try to solve that problem. That is not the problem under the status quo. The current problem is purely the original point of criminalisation. Think of an industry carrying out potentially criminalised activity. Even if no one is going to be prosecuted, the chilling effect is that either the work is not done or it is done under the veil of potential criminalisation, which leads to pretty obvious problems in terms of insurance for that kind of industry, the professionalisation of the industry and making sure that reporting mechanisms are accurate.

We have sat through many meetings with the CPS and those within the cyber-security industry who say that the channels of communication—that back and forth of reporting—is vital. However, a necessary step before that communication can happen is the decriminalisation of basic practices. No industry can effectively be told on the one hand, “What you are doing is vital,” but on the other, “It is a criminal offence, and we would like you to document it and report it to us in an itemised fashion over a period of time.” It is just not a realistic relationship to engender.

The cyber-security industry has evolved in a fragmented way both nationally and internationally, and the only way to get those professionalisation and cyber-resilience pay-offs is by recognising that the criminal law is a barrier—not because it is prosecuting or sentencing, but because of its very existence. It does not allow individuals to say, “If, heaven forbid, I were prosecuted, I can explain that what I was doing was nationally important. That is the basis on which I should not be convicted, not because of the good will of a prosecutor.”

Sarah Russell (Congleton) (Lab)

- Hansard -

Copy Link

-

On a point of order, Mr Stringer. I am not sure whether this strictly meets the criteria for a point of order, but it is clear that some people in the room cannot hear what is happening. I know the convention is that only the Whips and Ministers sit on the front row, but if those who are struggling to hear wish to sit closer, could we abandon that convention? It would be a reasonable adjustment so that everyone can participate properly, because this is discriminatory.