Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting) Debate
Tim Roca (Labour - Macclesfield), debate with the Department for Science, Innovation & Technology
Public Bill Committees
Bradley Thomas
Q
Ian Hulme: At the moment, to give you a few broad numbers, our teams are around 15 people, and we anticipate doubling that. In the future, with self-funding, we will be a bit more in control of our own destiny. It is a significant uplift from our perspective.
Natalie Black: The challenge is that the devil is in the detail. Until that detail has worked through secondary legislation, we will have to reserve our position, so that we give you accurate numbers in due course. From Ofcom’s point of view, it is about adding tens rather than significant numbers. I do not think we are that far off the ICO.
But I want to emphasise that this is about quality, not necessarily quantity. Companies want to work with expert regulators who really know what they are doing. Ofcom is building on the work we are already doing under the Telecommunications (Security) Act 2021. It will be a question of reinforcing that team, rather than setting up a separate one. We want to get the best, high-quality individuals who know how to talk to industry and really know cyber-security, to make sure people have a good experience when engaging with us.
Ian Hulme: To add to that, the one challenge we will face as a group is that we are all fishing in the same pond for skills. MSPs and others will also be fishing in that pond from the sector side. There needs to be recognition that there is going to be a skills challenge in this implementation.
Stuart Okin: To specifically pick up on the numbers, we have a headcount of 43 who are dedicated within cyber regulation. That also includes the investment side. We also have access to the engineering team—the engineering directorate—which is a separate team. There is also our enforcement directorate, as well as the legal side of things. The scope changes proposed in the Bill are just the large load controllers and supply chain, so we are not expecting a major uplift. These will be small numbers in comparison. Unlike my colleagues, we are not expecting a big uplift in resourcing.
Tim Roca (Macclesfield) (Lab)
Q
Ian Hulme: There are two angles to that. From a purely planning and preparation perspective, it is incredibly difficult, without having seen the detail, to know precisely what is expected of MSPs and IDSPs in the future, and therefore what the regulatory activity will be. That is why, when I am answering questions for colleagues, it is difficult to be precise about those numbers.
Equally, we are hearing from industry that it wants that precision as well. What is the expectation on it regarding incident reporting? What does “significant impact” mean? Similarly, with the designation of critical suppliers, precision is needed around the definitions. From a regulatory perspective, without that precision, we will probably find ourselves in a series of potential cases arguing about the definition of an issue. To give an example, if the definition of MSP is vague, and we are saying to an MSP that we think it is in scope, and it is saying, “No, we are not,” then a lot of our time and attention will be taken up with those types of arguments and disputes. Precision will be key for us.
Tim Roca
Q
Ian Hulme: There is a balance to be struck. When something is written on the face of the Bill and things change—and we know that this is a fast-moving sector—it makes it incredibly difficult to change things. There is a balance to be struck between primary and secondary, but what we are hearing and saying is that more precision around some of the definitions will be critical.
Natalie Black: I strongly agree with Ian. A regulator is only as good as the rules that it enforces. If you want us to hold the companies to account, we need to be absolutely clear on what you are asking us to do. The balance is just about right in terms of primary and secondary, particularly because the secondary vehicle gives us the opportunity to ensure that there is a lot of consultation. The Committee will have heard throughout the day—as we do all the time from industry—that that is what industry is looking for. They are looking for periods of business adjustment—we hear that loud and clear—and they really want to be involved in the consultation period. We also want to be involved in looking at what we need to take from the secondary legislation into codes of practice and guidance.
Q
Natalie Black: That is a great question, and I am not at all surprised that you have asked it, given everything that is going on at the moment. As well as being group director for infrastructure and connectivity, I am also the executive member of the board, sitting alongside our chief executive officer, so from first-hand experience I can say that Ofcom really recognises how fast technology is changing. I do not think there is another sector that is really at the forefront of change in this way, apart from the communications sector. There are a lot of benefits to being able to sit across all that, because many of the stakeholders and issues are the same, and our organisation is learning to evolve and adapt very quickly with the pace of change. That is why the Bill feels very much like a natural evolution of our responsibility in the security and resilience space.
We already have substantial responsibilities under NIS and the Telecommunications (Security) Act 2021. We are taking on these additional responsibilities, particularly over data centres, but we already know some of the actors and issues. We are using our international team to understand the dynamics that are affecting the Online Safety Act, which will potentially materialise in the security and resilience world. As a collective leadership team, we look across these issues together. The real value comes from joining the dots. In the current environment, that is where you can make a real difference.
Bradley Thomas
Q
Chung Ching Kwong: The US is probably a good example. It passed Executive Order 14028 in May 2021, which requires any software vendor selling to the US federal Government to provide something called a software bill of materials—SBOM. That is technically a table of ingredients, but for software, so you can see exactly what components the software is made of. A lot of the time people who code are quite lazy; they will pull in different components that are available on databases online to form a piece of software that we use. By having vendors provide an SBOM, when anything happens, or whenever any kind of vulnerability is detected, you can very easily find out what happened.
That is due to a hack in 2021, in which a tiny, free piece of code called Log4j was found to have a critical vulnerability. It was buried inside thousands of commercial software products. Without that list of ingredients, it would be very difficult for people who had been using the software to find out, because, first, they may not have the technological capabilities and, secondly, they would not even know if their software had that component. This is one of the things the US is doing to mitigate the risks when it comes to software.
Something that is not entirely in the scope of the Bill but is also worth considering is the US’s Uyghur Forced Labour Prevention Act. That is designed to prevent goods made with forced labour from entering the supply chain. The logic of preventing forced labour is probably something that the UK can consider. Because the US realised that it could not inspect every factory in Xinjiang to prove forced labour, it flipped the script: the law creates a rebuttable presumption that all goods from that region are tainted, so the burden of proof is now on the importer to prove, with clear and convincing evidence, that their supply chain is clean.
A similar logic could be considered when it comes to this Bill to protect cyber-security. Any entities that are co-operating with the PLA—the People’s Liberation Army—for example, should be considered as compromised or non-trustworthy until proven otherwise. That way, you are not waiting until problems happen, when you realise, “Oh, this is actually tainted,” but you prevent it before it happens. That is the comparison that I would make.
Tim Roca
Q
Thank you for speaking to us today. May I turn the conversation a little on its head? We have been talking about national security and the threat from China and others. You were an activist in Hong Kong and made a great deal of effort to fight the Chinese Communist party’s invasion of privacy—privacy violations using the national security law—and other things. Do you see any risk in this legislation as regards civil liberties and privacy? We have had a bit of discussion about how much will go into secondary legislation and how broad the Secretary of State’s powers might be.
Chung Ching Kwong: The threat to privacy, especially to my community—the Hong Kong diaspora community in this country—will be in the fact that, under clause 9, we will be allowing remote access for maintenance, patches, updates and so on. If we are dealing with Chinese vendors and Chinese providers, we will have to allow, under the Bill, certain kinds of remote access for those firms to maintain the operation of software of different infrastructures. As a Hongkonger I would be worrying, because I do not know what kind of tier 2 or tier 3 supplier will have access to all those data, and whether or not they will be transmitted back to China or get into the wrong hands. It will be a worry that our data might fall into the wrong hands. Even though we are not talking specifically about personal data, personal data is definitely in scope. Especially for people with bounties on their head, I imagine that it will be a huge worry that there might be more legitimate access to data than there is right now under the Data Protection Act.
Tim Roca
Q
Chung Ching Kwong: It is always a double-edged sword when it comes to regulating against threats. The more that the Secretary of State or the Government are allowed to go into systems and hold powers to turn off, or take over, certain things, the more there is a risk that those powers will be abused, to a certain extent, or cause harm unintentionally. There is always a balance to be struck between giving more protection to privacy for ordinary users and giving power to the Government so that they can act. Obviously, for critical infrastructure like the power grid and water, the Government need control over those things, but for communications and so on, there is, to a certain extent, a question about what the Government can and cannot do. But personally I do not see a lot of concerns in the Bill.
Emily Darlington
Q
Chung Ching Kwong: It should definitely be covered by the Bill, because if we are not regulating to protect hardware as well, we will get hardware that is already embedded with, for example, an opcode attack. Examples in the context of China include the Lenovo Superfish scandal in 2015, in which originally implemented ad software had hijacked the HTTPS certificate, which is there to protect your communication with the website, so that nobody sees what activity is happening between you and the website. Having that Superfish injection made that communication transparent. That was done before the product even came out of the factory. This is not a problem that a software solution can fix. If you were sourcing a Lenovo laptop, for example, the laptop, upon arrival, would be a security breach, and a privacy breach in that sense. We should definitely take it a step further and regulate hardware as well, because a lot of the time that is what state-sponsored attacks target as an attack surface.
Bradley Thomas
Q
Kanishka Narayan: This is a great question. There are two things on my mind. One is that the Government have published a cyber action plan, the crux of which is to make sure that, from the point of view of understanding, principles, accountability and, ultimately, skills, there is significant capability in the public sector. The second thing to say is that we have a very broad-based plan on skills more generally across the cyber sector, public and private. For example, I am really proud of the fact that, through the CyberFirst programme, some—I think—415,000 students right across the country have been upskilled in cyber-security. It is deeply important that the public sector ensures that we are standing up to the test of hiring them and making the attraction of the sector clear to them as well. There is a broad-based plan and a specific one for the public sector in the Government context.
Tim Roca
Q
Kanishka Narayan: That is a great question. Broadly, the Bill takes a risk-based and outcomes-focused approach, rather than a technology-specific one. I think that is the right way to go about it. As we have heard today and beyond, there are some areas where frontier technology—new technology such as AI and quantum, which we talked about earlier today—will pose specific risks. There are other areas where the prevalence of legacy systems and legacy database architectures will present particular risks as well.
The Bill effectively says that the sum total of those systems, in their ultimate impact on the risk exposure of an organisation, is the singular focus where regulators should place their emphasis. I would expect that individual regulators will pay heed to the particular prevalence of legacy systems and technical debt as a source of risk in their particular sectors, and as a result to the mitigations that ought to be placed. I think that being technology agnostic is the right approach in this context.
Lincoln Jopp
Q
Kanishka Narayan: Do you mean operators of essential services, or critical suppliers, as in the third party element?