Written Question
Health Services: Data Protection
Friday 5th April 2024

Asked by: Baroness Manzoor (Conservative - Life peer)

Question to the Department of Health and Social Care:

To ask His Majesty's Government what steps they have taken to ensure that patient records and personal data are only accessible to those who need to view them, and to ensure connections between software systems in health facilities include suitable control measures for this risk.

Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)

National IT systems must ensure that users can be identified correctly, and are given appropriate access. This is achieved using identity verification capabilities, including creating a national digital identity for each authorised user.

Each local National Health Service organisation which requires access to the national IT systems is required to set up its own local Registration Authority (RA) which consists of people and processes who are trained to create identities and grant access for their staff to the national IT systems. NHS England has published the RA Policy requirements with which every local NHS organisation that has an RA must comply. This reflects current best practice for identity and access management as informed by the National Cyber Security Centre (NCSC) guidance.

The RA Policy also allows non-NHS health and care organisations providing direct care to run their own RA service. RA hosting is subject to meeting requirements and assessment criteria, which are soon to be published.

The RA process includes the use of RA codes, assigned to professional users’ smartcards to give them access to the correct information within national IT systems.

The RA codes which are assigned for a specific user will allow that user to create and process referrals appropriately depending on their job role.

Local organisations which have an RA function are required to have an RA audit policy and conduct annual audits on NHS Smartcard usage as part of their RA governance. RA Managers (those responsible for administering the RA function within an organisation) must implement a process to run the RA reports on a regular basis.


Written Question
Smart Devices: China
Thursday 4th April 2024

Asked by: Lord Alton of Liverpool (Crossbench - Life peer)

Question to the Foreign, Commonwealth & Development Office:

To ask His Majesty's Government what assessment they have made of the report by the Coalition on Secure Technology, Chinese cellular (IoT) modules: Countering the threat, published in March, and its conclusions that Chinese-made cellular internet of things modules should be banned from UK critical national infrastructure.

Answered by Lord Ahmad of Wimbledon - Minister of State (Foreign, Commonwealth and Development Office)

The security of the UK's critical national infrastructure is of utmost importance to the Government. We continue to monitor potential security threats, including the unique challenges posed by cellular internet-of-things (IoT) modules. The National Protective Security Authority (NPSA) and the National Cyber Security Centre (NCSC) produce advice and guidance on the security implications of internet connected components, which the Government follows where appropriate.

Existing legislation such as the Telecommunications (Security) Act 2021 and Product Security and Telecommunications Infrastructure Act (PSTI) 2022 are designed to address the emerging security threats posed by IoT technologies. These include a range of measures that can be employed even in an evolving threat landscape. Any action is only taken after a rigorous assessment.

The UK's approach to China is to enhance our national security protections, align with our partners, and to engage where it is in the UK's national interest.


Written Question
Dstl: Costs
Tuesday 2nd April 2024

Asked by: Maria Eagle (Labour - Garston and Halewood)

Question to the Ministry of Defence:

To ask the Secretary of State for Defence, what the cost to the public purse was of spending on the cyber security programme at the Defence Science and Technology Laboratory in each financial year since 2019-20.

Answered by James Cartlidge - Minister of State (Ministry of Defence)

Dstl works with industry, academia and Government to make sure the UK has the right defence science and technology capabilities, and to deliver work for our customers in the Ministry of Defence and the rest of Government.

Dstl provides summary information on its Science and Technology Programmes on its website to inform the public of the nature of the work it is undertaking. Detailed Programme costs cannot be provided in the interests of National Security.


Written Question
UK Cyber Security Council
Monday 25th March 2024

Asked by: Lord Browne of Ladyton (Labour - Life peer)

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government, with regard to their Government Cyber Security Strategy: 2022–2030, published on 25 January 2022, what assessment they have made of the UK Cyber Security Council’s progress in developing consistent taxonomies, standards and pathways for the cyber security profession across the UK.

Answered by Viscount Camrose - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

The UK Cyber Security Council was established to develop professional standards so that cyber security can be appropriately recognised as a profession, similar to fields such as accounting and engineering. In October 2023, the Council announced that over 100 cyber security practitioners had been awarded professional titles (including chartered status) and this number is increasing. The Council has used its standards to outline pathways into and through the cyber security profession by creating a Cyber Careers Framework. The Council continues to work with stakeholders in government, industry, and academia to ensure that the standards it sets are relevant, accessible, and demand consistent high quality from cyber security practitioners throughout the UK.


Written Question
Business: Cybersecurity
Tuesday 19th March 2024

Asked by: Lord Browne of Ladyton (Labour - Life peer)

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what steps they are taking to support businesses seeking to adopt process improvement programmes for their organisational cyber-resilience.

Answered by Viscount Camrose - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

The government is inviting views on a proposed Cyber Governance Code of Practice until 19th March. This is part of a package of action in the £2.6 billion National Cyber Strategy to drive up improvements in organisational cyber resilience. Co-designed with the National Cyber Security Centre (NCSC) and industry experts, the Code consolidates critical cyber governance areas for directors' ownership. As part of this package, the NCSC revised their Board Toolkit (BTK) and intends to develop an online Cyber Governance Training Pack for Boards, integrating the Code and BTK. This comprehensive package will help boards ensure that cyber resilience is embedded throughout their organisation, including its people and processes.


Written Question
Infrastructure: Cybersecurity
Monday 18th March 2024

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Cabinet Office:

To ask His Majesty's Government, following the data breach experienced by Southern Water as a result of a cyber-attack, what assessment they have made of the adequacy of existing cyber security regulations for UK critical infrastructure.

Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)

The National Cyber Strategy 2022 set outcomes for critical national infrastructure (CNI) (in the private and public sector) to better understand & manage cyber risk and minimise the impact of cyber incidents when they occur. In addition, at CyberUK 2023, the Deputy Prime Minister announced specific and ambitious cyber resilience targets for all CNI sectors (public and private sector) to meet by 2025.

Over the past year, the Cabinet Office has been progressing foundational work to support the creation of common but flexible resilience standards across CNI and do more on the assurance of CNI, including cyber assurance preparedness, by 2030. This includes work to evaluate the impact and effectiveness of all regulation that applies to CNI, including (but not limited to) NIS regulations, and to bring more private sector businesses working in CNI within the scope of cyber resilience regulations.

The Government is also committed to ensuring cyber security in the public sector, which is why GovAssure was launched in April 2023. Under GovAssure, government organisations regularly review the effectiveness of their cyber defences against common cyber vulnerabilities and attack methods. We are currently evaluating the first year’s assessments. GovAssure will enable government organisations to accurately assess their levels of cyber resilience across their critical services, highlight priority areas for improvement and provide the Government with a strategic view of cyber capability, risk and resilience across the sector.


Written Question
Infrastructure: Cybersecurity
Monday 18th March 2024

Asked by: Lord Browne of Ladyton (Labour - Life peer)

Question to the Cabinet Office:

To ask His Majesty's Government what assessment they have made of the efficacy of existing cyber-resilience regulations relating to the UK’s critical national infrastructure.

Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)

The National Cyber Strategy 2022 set outcomes for critical national infrastructure (CNI) (in the private and public sector) to better understand & manage cyber risk and minimise the impact of cyber incidents when they occur. In addition, at CyberUK 2023, the Deputy Prime Minister announced specific and ambitious cyber resilience targets for all CNI sectors (public and private sector) to meet by 2025.

Over the past year, the Cabinet Office has been progressing foundational work to support the creation of common but flexible resilience standards across CNI and do more on the assurance of CNI, including cyber assurance preparedness, by 2030. This includes work to evaluate the impact and effectiveness of all regulation that applies to CNI, including (but not limited to) NIS regulations, and to bring more private sector businesses working in CNI within the scope of cyber resilience regulations.

The Government is also committed to ensuring cyber security in the public sector, which is why GovAssure was launched in April 2023. Under GovAssure, government organisations regularly review the effectiveness of their cyber defences against common cyber vulnerabilities and attack methods. We are currently evaluating the first year’s assessments. GovAssure will enable government organisations to accurately assess their levels of cyber resilience across their critical services, highlight priority areas for improvement and provide the Government with a strategic view of cyber capability, risk and resilience across the sector.


Written Question
Cybersecurity: Training
Monday 18th March 2024

Asked by: Lord Harris of Haringey (Labour - Life peer)

Question to the Department for Science, Innovation & Technology:

To ask His Majesty's Government what steps they are taking to help businesses provide advanced cyber skills training to staff.

Answered by Viscount Camrose - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

The National Cyber Strategy sets out the importance of reducing cyber risks to businesses. To do this, the Government is supporting the UK Cyber Security Council to define the skills and knowledge needed for cyber roles. The Government is also funding numerous targeted training initiatives such as Cyber Ready and Upskill in Cyber to upskill and retrain those in the workforce, as well as the government-funded Skills Bootcamp opportunities highlighted through our recent Advanced Digital Skills campaign. This is alongside our Cyber Essentials scheme which supports businesses to implement essential technical controls on cyber security.


Written Question
Sellafield: Security
Friday 15th March 2024

Asked by: Siobhain McDonagh (Labour - Mitcham and Morden)

Question to the Department for Energy Security & Net Zero:

To ask the Secretary of State for Energy Security and Net Zero, how many breaches of (a) physical and (b) cyber security there were at Sellafield in each year since 2015.

Answered by Andrew Bowie - Parliamentary Under Secretary of State (Department for Energy Security and Net Zero)

I will write to the hon. Member on this matter, and place a copy of my letter in the Library of the House.


Written Question
Education: Cybercrime
Tuesday 5th March 2024

Asked by: Andrew Rosindell (Conservative - Romford)

Question to the Department for Education:

To ask the Secretary of State for Education, whether she has had discussions with Cabinet colleagues on cyber security threats to educational institutions.

Answered by Damian Hinds - Minister of State (Education)

The UK government takes cyber threats to our public institutions very seriously and this threat has been highlighted in both the published Integrated Review and the Government Cyber Security Strategy, which show the cross-government approach the department has to tackling these threats. The Integrated Review is accessible at: https://www.gov.uk/government/collections/the-integrated-review-2021. The Government Cyber Security Strategy is accessible at: https://www.gov.uk/government/publications/government-cyber-security-strategy-2022-to-2030.

The department cyber team continues to work closely with colleagues across government, including those at the National Cyber Security Centre, to manage its cyber risk across educational institutions.