Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)

Debate between Tim Roca and Emily Darlington
Tim Roca

Q From the other perspective—I am thinking about a UK Government in the future overreaching—do you think there is any risk from this legislation?

Chung Ching Kwong: It is always a double-edged sword when it comes to regulating against threats. The more that the Secretary of State or the Government are allowed to go into systems and hold powers to turn off, or take over, certain things, the more there is a risk that those powers will be abused, to a certain extent, or cause harm unintentionally. There is always a balance to be struck between giving more protection to privacy for ordinary users and giving power to the Government so that they can act. Obviously, for critical infrastructure like the power grid and water, the Government need control over those things, but for communications and so on, there is, to a certain extent, a question about what the Government can and cannot do. But personally I do not see a lot of concerns in the Bill.

Emily Darlington

Q I want to move from software to hardware that is particularly vulnerable to potential cyber-attack, particularly from the integration of Chinese tech into SIPs, possibly making them vulnerable to cyber-attack by someone who knows the code into those bits of hardware. Should we be doing more to protect against that vulnerability? Should that be covered by the Bill?

Chung Ching Kwong: It should definitely be covered by the Bill, because if we are not regulating to protect hardware as well, we will get hardware that is already embedded with, for example, an opcode attack. Examples in the context of China include the Lenovo Superfish scandal in 2015, in which originally implemented ad software had hijacked the HTTPS certificate, which is there to protect your communication with the website, so that nobody sees what activity is happening between you and the website. Having that Superfish injection made that communication transparent. That was done before the product even came out of the factory. This is not a problem that a software solution can fix. If you were sourcing a Lenovo laptop, for example, the laptop, upon arrival, would be a security breach, and a privacy breach in that sense. We should definitely take it a step further and regulate hardware as well, because a lot of the time that is what state-sponsored attacks target as an attack surface.