Cybersecurity

(asked on 23rd October 2024)

Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, pursuant to the answer of 2 September 2024 to Question 2301 on Cyber-security: EU law, whether the National Cyber Security Centre has made an assessment of the potential risks to (a) public and (b) private sector cyber security of his policy on kernel level software; and whether he plans to amend that policy.


Answered by
Abena Oppong-Asare
Parliamentary Secretary (Cabinet Office)
This question was answered on 30th October 2024

Technical experts at the National Cyber Security Centre (NCSC) have reviewed this issue, including in the context of the global IT outage that occurred in July. Allowing third party software into the kernel is still necessary to ensure a vibrant, diverse, effective and adaptive cyber security ecosystem on some platforms. This is because not all operating systems provide non-kernel routes to get the data that third party security tools need for their analyses. Vendors that have a genuine need to run code in the kernel have a responsibility for doing that in the lowest risk way that they can. This includes running thorough tests on new versions of that code, keeping the kernel code simple, and moving code out of the kernel that doesn't need the full power, or justify the associated risk, that such access offers.
