Artificial Intelligence: Cybersecurity

(asked on 3rd February 2026)

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what assessment they have made of the effectiveness of cybersecurity legislation for AI-associated cyber threats; and what steps they are taking to improve legislation to address those threats.


Answered by
Baroness Lloyd of Effra
Baroness in Waiting (HM Household) (Whip)
This question was answered on 17th February 2026

A range of existing rules already apply to artificial intelligence (AI) systems, such as data protection, competition, equality legislation, and online safety. The Department for Science, Innovation and Technology (DSIT), in close collaboration with the National Cyber Security Centre (NCSC), has created a voluntary Software Security Code of Practice which enables software vendors to secure software at all stages of their lifecycle.

As a government, we have also committed through the AI Action Plan to work with regulators to boost their capabilities, and DSIT and NCSC have taken a leading role in the development of the world's first published global standard for AI cyber security in ETSI (EN 304 223), which sets minimum-security requirements to help secure AI models and systems.

The Cyber Security and Resilience (Network and Information Systems) Bill does not specifically bring large language models or AI companies into scope. However, where organisations in scope of the Bill use AI models and systems, that organisation will need to take appropriate and proportionate steps to manage the risks to these from hackers. This would include large language models which are used as part of the day-to-day software available to staff in a hospital.

The practices recommended to protect against AI-driven cyber threats are essentially the same as those recommended for protecting against “traditional” cyber threats, which are to get good cyber hygiene measures in place, such as using the government’s Cyber Essentials scheme, and managing digital risks by using the Cyber Governance Code of Practice.
