Asked by: Lord Foster of Bath (Liberal Democrat - Life peer)
Question to the Department for Digital, Culture, Media & Sport:
To ask His Majesty's Government what assessment they have made of the growing market for peer-to-peer trading on platforms such as Steam, which allow for games to be uploaded to people that are located nearby, and what steps they are taking to regulate that market.
Answered by Lord Parkinson of Whitley Bay - Parliamentary Under Secretary of State (Department for Culture, Media and Sport)
Platforms including Steam allow users to trade games from one personal computer to another over a local area network. Default settings on Steam are for transfers only to be enabled in and out of personal computers where a user’s own account is logged in. In order to be in receipt of a game file transfer, users must opt in to share with other users.
As a trader operating an online platform which facilitates the sale and supply of gaming products to consumers, Steam has legal responsibilities under consumer law.
The transfer of data over any network needs to be done securely. HM Government is working with software vendors to set minimum standards which should be expected when delivering secure software. All technology should be built in line with the Secure by Design principles available on the National Cyber Security Centre’s website.
All online platforms likely to be accessed by children must conform with the children’s code and apply measures to protect the data rights of children. For example, children’s geolocation data should not be shared by default and children’s accounts should have the highest privacy settings enabled by default.
The Government continues to monitor this market and will consider any emerging evidence on this issue.
Asked by: Alyn Smith (Scottish National Party - Stirling)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, what assessment his Department has made of the potential merits of participating in the EU’s Cyber Rapid Response Teams and Mutual Assistance in Cyber Security Permanent Structured Cooperation project.
Answered by James Heappey
Our priority is to finalise entry into the PESCO Military Mobility project before considering involvement in other projects. However we continue to assess that the EU's existing 'third country' terms of participation for PESCO projects, involving capability development or procurement, place significant restraints on UK involvement in other PESCO projects.
We continue to constructively engage with the EU to ensure its initiatives are complementary to NATO and supportive of meaningful third country participation.
Asked by: Jo Stevens (Labour - Cardiff Central)
Question to the Home Office:
To ask the Secretary of State for the Home Department, what steps he is taking to help tackle cyber-related crime in (a) Cardiff Central constituency, (b) Cardiff local authority area and (c) Wales.
Answered by Tom Tugendhat - Minister of State (Home Office) (Security)
Tacking cyber crime is at the heart of the Government’s National Cyber Strategy 2022-25, which is supported by £2.6 billion of investment through the National Cyber Fund.
Key to delivery is ensuring that local policing has the resources needed to deal with the cyber threats we face. In 2023/24, the Home Office is receiving £18 million from the National Cyber Fund to provide a range of capabilities and resource to tackle and respond to cyber crime. This funding is supplemented by a further £16 million of Home Office funding through the Police Settlement Programme.
This funding continues to build law enforcement capabilities at the national, regional, and local levels to ensure they have the capacity and expertise to deal with the perpetrators and victims of cyber crime. We directly fund a specialist Cyber Crime Unit at South Wales Police, and more specialist teams at the TARIAN Regional Organised Crime Unit (ROCU). This ROCU team is integral to our response to high-harm, high-impact crimes like cyber extortion, and is a multi-disciplinary team of police officers and police staff seconded from the three forces of South Wales, Gwent and Dyfed-Powys.
TARIAN ROCU works closely with South Wales Police Cyber Crime Unit and work to intervene if people are deemed at risk of becoming involved in cyber offending. This includes working with young and vulnerable individuals offering other intervention and diversion opportunities to young people outside of cyber education, such as life skills, and job interview skills. South Wales Police Cyber Crime Unit engage with all local authorities within the area to ensure effective delivery.
Businesses and organisations based in Wales work closely with ROCUs across the private and public sectors, and at community level. Additionally working collaboratively with the Welsh Government to support the offer of funding to Small and Medium Sized Enterprises (SMEs) for Cyber Essential training, which is a government backed scheme that helps protect organisations against a range of cyber attacks.
We have also rolled out Regional Cyber Resilience Centres in Wales and in each of the other nine policing regions. The Centres are a collaboration between the police, public, private sector and academic partners to provide cyber security advice to SME’s so that they can protect themselves better in a digital age. Details of the Cyber Resilience Centre for Wales can be found at www.wcrcentre.co.uk
All vulnerable victims of fraud and cyber crime in Wales receive contact and PROTECT advice from law enforcement, specifically aimed at helping them to protect themselves in future from revictimization.
Asked by: Elliot Colburn (Conservative - Carshalton and Wallington)
Question to the Department for Education:
To ask the Secretary of State for Education, what discussions she has had with Cabinet colleagues on developing tech skills in the workforce.
Answered by Robert Halfon
Science, technology, engineering and mathematics (STEM) talent and skills are a vital strand of the government’s UK Science and Technology Framework, published in 2023, which aims to cement the UK’s status as a science and technology superpower by 2030.
The department is working with the Department for Science, Innovation and Technology, including through government-industry groups such as the Digital Skills Council. This brings together government and industry to address current and future demand for digital skills, including promoting routes into digital careers and the range of opportunities to re-skill and up-skill.
The department is making it easier for people of all ages and backgrounds to access the STEM training they need through the ladder of opportunity provided by our skills system reforms, including:
There are over 350 high-quality, employer-designed STEM apprenticeships and from 2024 students will be able to apply for apprenticeships on the UCAS website. The number of digital, ICT practitioner apprenticeship starts have increased year-on-year since 2019/20, with 24,140 starts in the 2022/23 year (over 40% increase compared to starts in the 2019/20 year).
Over 1,000 Skills Bootcamps are available across the country, offering training in tech subjects such as software development, cyber security and data analytics.
The introduction of a Lifelong Learning Entitlement will transform access to FE and HE, offering all adults the equivalent of four years’ worth of student loans to use flexibly on quality education and skills training over their lifetime.
These programmes are achieving the vision set out in the UK Science and Technology Framework to boost the supply of tech skills.
Asked by: Tulip Siddiq (Labour - Hampstead and Kilburn)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what steps his Department is taking to ensure that Government data which is shared with third-party organisations is protected.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
The Central Digital and Data Office, in the Cabinet Office, sets the policy and leads the cross-government approach to the safe, ethical, legal and secure sharing of government data. They work with the Government Security Group, who also lead on the topic of Supply Chain Security.
When sharing personal data with third party organisations, departments must make sure data is used fairly, lawfully and transparently, in compliance with the data protection principles set in UK GDPR and the Data Protection Act 2018. This includes having the requisite data protection controls and governance in place and working with vendors and partners to identify and remediate any risks. All government contracts with suppliers must consider the security of all information and set expectations for how it should be protected.
Departments are responsible for managing their security risks, including the risks to their information that is held and processed by authorised third-parties. The Government Security Standard, local security policies and assurance frameworks such as the Cyber Assessment Framework set out how they should do this. These frameworks and good practice have been collaboratively developed by the Cabinet Office, the National Cyber Security Centre and Departments themselves.
Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what assessment he has made of the potential impact of incorporating device security in public sector risk management strategies.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
The Government Cyber Security Standard requires government organisations to meet or exceed the security outcomes specified in the Cyber Assessment Framework (CAF) developed by the National Cyber Security Centre (NCSC).
One of the four objectives which make up the CAF is managing security risk; this objective covers a range of security outcomes in relation to organisations’ internal processes for managing security risk, accountability and decision-making and managing assets such as corporate devices. The CAF also includes specific security outcomes in relation to the secure configuration and management of devices.
In November 2023 we published the cross-government Mobile Device Management (MDM) policy to help government organisations and their Arms Length Bodies keep their corporately owned mobile devices secure and prevent data breaches. This policy is mandatory for all government organisations and Arms Length Bodies. It requires them to manage corporately owned mobile phones and tablets which access, process or store OFFICIAL government and/or citizen data via critical systems using an appropriate MDM solution.
Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what recent assessment he has made of the effectiveness of the Government's cyber security measures in protecting public sector organisations.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
The Government prioritises public sector cyber security, which is why in April 2023 GovAssure was launched. Under GovAssure, government organisations regularly review the effectiveness of their cyber defences against common cyber vulnerabilities and attack methods. We are currently evaluating the first year’s assessments.
GovAssure will enable government organisations to accurately assess their levels of cyber resilience across their critical services, highlight priority areas for improvement and provide the Government with a strategic view of cyber capability, risk and resilience across the sector.
With its foundations in the National Cyber Security Centre’s Cyber Assessment Framework, GovAssure will help us to understand our risk at scale and put us on the pathway to reducing it, as well as aligning Government with the best practice in management of wider UK Critical National Infrastructure sectors.
Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what his Department's policy is on the security requirements for endpoint devices procured by the public sector.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
The Government Cyber Security Standard requires government organisations to meet or exceed the security outcomes specified in the Cyber Assessment Framework (CAF) developed by the National Cyber Security Centre (NCSC). This includes specific security outcomes in relation to the secure configuration and management of devices.
As the CAF is outcomes-based, it does not specify which commercially available devices meet these security requirements or which vendors government organisations should buy their devices from. That is a matter for government organisations to determine locally, in consultation with their commercial, security and IT teams, based on their organisation’s business needs, risk tolerance and threat profile.
In addition, in November 2023 we published the cross-government Mobile Device Management policy to help government organisations and their Arms Length Bodies keep their corporately owned mobile devices secure and prevent data breaches. NCSC also provides guidance on how to securely configure devices from each of the most commonly used platforms.
Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what criteria his Department uses to determine the security standard of hardware devices before they are purchased by Government.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
The Government Cyber Security Standard requires government organisations to meet or exceed the security outcomes specified in the Cyber Assessment Framework (CAF) developed by the National Cyber Security Centre (NCSC). This includes specific security outcomes in relation to the secure configuration and management of devices.
As the CAF is outcomes-based, it does not specify which commercially available devices meet these security requirements or which vendors government organisations should buy their devices from. That is a matter for government organisations to determine locally, in consultation with their commercial, security and IT teams, based on their organisation’s business needs, risk tolerance and threat profile.
In addition, in November 2023 we published the cross-government Mobile Device Management policy to help government organisations and their Arms Length Bodies keep their corporately owned mobile devices secure and prevent data breaches. NCSC also provides guidance on how to securely configure devices from each of the most commonly used platforms.
Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what assessment he has made of the effectiveness of the Procurement Act 2023 on strengthening cyber security requirements for public tenders.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
The Procurement Act 2023 brings in new powers to exclude and debar companies from public procurement on grounds of national security. The new National Security Unit for Procurement (NSUP), in the Cabinet Office, will work across government to coordinate assessments of companies and support ministers in national security debarment decisions.
In addition, Procurement Policy Note 09/14 requires central government contracting authorities to ensure that for contracts with certain characteristics, suppliers must meet the technical requirements prescribed by Cyber Essentials, including where suppliers store, or process, personal information or data at Official level.
The Cabinet Office encourages all organisations to follow National Cyber Security Centre (NCSC) guidance which sets out the security matters to be considered during the procurement process. The National Protective Security Agency (NPSA) has also published guidance to prevent hostile actors exploiting vulnerabilities in supply chains.
The National Procurement Policy Statement sets out the national priorities that all contracting authorities should have regard to in their procurement where it is relevant to the subject matter of the contract and proportionate to do so. The current statement does not include cyber security as a separate, wider policy because the need for cyber security protection is fundamental to procurements where it applies and therefore built into the procurement process as described above. The new legislative statement that will come into force alongside the Procurement Act is currently being drafted and will be subject to a consultation process as set out in Section 13 of the Act.