Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Home Office:
To ask the Secretary of State for the Home Department, what steps she is taking to improve (a) cyber security and (b) security of personal data in police forces.
Answered by Chris Philp - Minister of State (Home Office)
The Government Cyber Security Strategy sets out how we will ensure that all government organisations - across the whole public sector - are resilient to the cyber threats we face.
While individual Chief Constables are responsible for their own cyber security and the security of personal data in their own force, the Home Office is taking action to support them.
This includes supporting Police Digital Service (PDS) through the National Management Centre, which provides dedicated cyber protection to police forces across the UK against cybercrime, and its Cyber Security Services, to manage the risk and impact of cyber security and information security threats for UK policing. Following recent data breach incidents, I have written recently to Chief Constable, Jo Farrell, Chair of the NPCC DDaT Co-ordination Committee, to seek assurance that all Chief Constables have sufficiently robust processes and systems in place to address any further cases of data breach.
Asked by: Bridget Phillipson (Labour - Houghton and Sunderland South)
Question to the Department for Education:
To ask the Secretary of State for Education, if she will publish a table of the number of schools in England reporting serious cyber incidents in each of the last five years; and if she will make a statement.
Answered by Nick Gibb
The Department does not hold a comprehensive list of ransomware attacks on schools or colleges in each Local Authority in each of the last three years.
It is the responsibility of academy trusts to be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred. The Education and Skills Funding Agency (ESFA) supports the National Crime Agency’s recommendation not to encourage, endorse, or condone the payment of ransom demands.
To support schools, the Department released Cyber Security Standards in October 2022. These standards provide a base level requirement for good cyber security practices in schools, helping to raise resilience across the sector and make schools harder targets. Many of the areas suggested for improvement are low cost or free to implement.
Additionally, the National Cyber Security Centre’s Cyber Security for Schools web page provides practical resources, including training and guidance, on how schools can avoid cyber security threats. The web page can be found here: https://www.ncsc.gov.uk/section/education-skills/cyber-security-schools.
Asked by: Bridget Phillipson (Labour - Houghton and Sunderland South)
Question to the Department for Education:
To ask the Secretary of State for Education, what estimate her Department has made of the number of ransomware attacks on (a) schools and (b) other educational settings in each local authority in each of the last three years.
Answered by Nick Gibb
The Department does not hold a comprehensive list of ransomware attacks on schools or colleges in each Local Authority in each of the last three years.
It is the responsibility of academy trusts to be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred. The Education and Skills Funding Agency (ESFA) supports the National Crime Agency’s recommendation not to encourage, endorse, or condone the payment of ransom demands.
To support schools, the Department released Cyber Security Standards in October 2022. These standards provide a base level requirement for good cyber security practices in schools, helping to raise resilience across the sector and make schools harder targets. Many of the areas suggested for improvement are low cost or free to implement.
Additionally, the National Cyber Security Centre’s Cyber Security for Schools web page provides practical resources, including training and guidance, on how schools can avoid cyber security threats. The web page can be found here: https://www.ncsc.gov.uk/section/education-skills/cyber-security-schools.
Asked by: Bridget Phillipson (Labour - Houghton and Sunderland South)
Question to the Department for Education:
To ask the Secretary of State for Education, what estimate her Department has made of the cost to schools of ransomware attacks in each of the last three years.
Answered by Nick Gibb
The Department does not hold a comprehensive list of ransomware attacks on schools or colleges in each Local Authority in each of the last three years.
It is the responsibility of academy trusts to be aware of the risk of cybercrime, put in place proportionate controls and take appropriate action where a cyber security incident has occurred. The Education and Skills Funding Agency (ESFA) supports the National Crime Agency’s recommendation not to encourage, endorse, or condone the payment of ransom demands.
To support schools, the Department released Cyber Security Standards in October 2022. These standards provide a base level requirement for good cyber security practices in schools, helping to raise resilience across the sector and make schools harder targets. Many of the areas suggested for improvement are low cost or free to implement.
Additionally, the National Cyber Security Centre’s Cyber Security for Schools web page provides practical resources, including training and guidance, on how schools can avoid cyber security threats. The web page can be found here: https://www.ncsc.gov.uk/section/education-skills/cyber-security-schools.
Asked by: Lord Bassam of Brighton (Labour - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government how many (1) successful, and (2) unsuccessful, cyberattacks have been identified in each government department over the past 12 months.
Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)
The government does not comment on issues concerning national security.
The Government Cyber Security Strategy, published in January 2022, sets out how we will build and maintain our cyber defences. A key objective of the strategy covers how the Government will minimise the impact of cyber security incidents. Departments will need to prepare for incidents, be able to respond and contain when they inevitably do happen and learn the lessons from them after the event.
Asked by: Lord Stevenson of Balmacara (Labour - Life peer)
Question to the Home Office:
To ask His Majesty's Government what contribution they are making to international efforts to (1) identify, (2) and counter, cybercriminal gangs who target networks and users in the UK.
Answered by Lord Sharpe of Epsom - Parliamentary Under-Secretary (Home Office)
The UK is a world leader in cyber security. Our operational agencies, such as the National Cyber Security Centre (NCSC) and National Crime Agency (NCA) are a source of international best practice, and we strongly support international cooperation to tackle cyber crime. The Government’s approach to countering this threat is set out in the National Cyber Strategy (2022), under the pillar of detecting, disrupting and deterring our adversaries.
Cyber-crime is a global threat. Criminals and the technical infrastructure they use are often based in uncooperative jurisdictions, making international collaboration essential. Across our law enforcement network, we seek to maximise international links as part of our response to criminal activity. Alongside working closely with UK police and regional organised crime units, the NCA have built crucial relationships with partners such as Europol, the FBI, and the US Secret Service to assess cyber crime risks, share intelligence and coordinate action.
The NCA works to identify cyber criminals impacting the UK, wherever they are in the world. Working with international partners to target and disrupt cyber criminal gangs and the illicit cyber crime ecosystem that supports them. For example, in February 2023, we announced sanctions against seven Russian cyber criminals involved in the notorious organised crime group behind many of the most damaging ransomware groups in the last few years involving TRICKBOT, CONTI and RYUK ransomware. A second wave of sanctions was announced in September demonstrating the NCA’s unrelenting targeting of cyber-criminals.
The UK continues to shape the global conversation at multilateral forums and bilaterally to drive cooperation to deter malicious cyber activity. We have promoted the Budapest Convention on Cybercrime since it was agreed in 2001, and we are taking an active role in the development of the proposed UN treaty on cybercrime, to ensure that it supports international cooperation on tackling crimes that all countries face, while protecting human rights.
Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Foreign, Commonwealth & Development Office:
To ask the Secretary of State for Foreign, Commonwealth and Development Affairs, whether he has had discussions with his counterpart in China on attempts made by cyber attackers based in China to unlawfully access UK Parliament systems.
Answered by Anne-Marie Trevelyan - Minister of State (Foreign, Commonwealth and Development Office)
We continually monitor threats to our national security and do not hesitate to take action when necessary. During his recent visit, the Foreign Secretary challenged his Chinese counterparts on a number of areas of disagreement, including calling on China to cease its malign activities in cyberspace. Building strong defences and resilient systems remains the best way of countering malicious cyber activity, and we continue to invest in the National Cyber Security Centre. We have also implemented deterrents to prevent foreign actors conducting hostile acts against the UK, including through the Defending Democracy Taskforce and the newly established National Security Act.
Asked by: John Healey (Labour - Wentworth and Dearne)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, whether any documents (a) concerning and (b) from his Department were accessed by hackers during cyber attack on the supplier Zaun.
Answered by James Heappey
The investigation into the impact of this incident is in progress. Zaun Limited is not a contractor to the Ministry of Defence (MOD), and does not hold any classified MOD information. The company does not therefore hold any information that concerns MOD projects, capabilities, sites or personnel, other than that which may be in the public domain already.
If, at the conclusion of the investigation, the position alters, an update will be provided.
Asked by: Dawn Butler (Labour - Brent Central)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Technology and Innovation, whether her Department has made an assessment of the potential impact of a cyber attack on the rollout of the Digital Voice services.
Answered by John Whittingdale
Ofcom is responsible for ensuring telecoms providers adhere to their regulatory obligations throughout the migration process. Ofcom has published guidance which states that providers must take steps to identify and protect at-risk consumers who are dependent on their landline. Providers have a range of solutions to ensure vulnerable consumers receive additional support. These options include, among others, free battery back-up units to engineer supported installations or hybrid landline phones. The Government is working together with Ofcom to ensure customers receive appropriate levels of communication and vulnerable consumers are protected.
Furthermore, the Department meets regularly with Communications Providers to discuss the progress made in migrating their customers, and to ensure they have adequate plans in place to inform and protect vulnerable consumers.
While the PSTN migration is an industry-led process, industry is accountable to Ofcom in ensuring the security of any new technologies used in their network.
The Government is committed to ensuring the security and resilience of the UK’s telecommunications networks and services. Since October 2022, public telecommunications providers have been required under the Communications Act 2003 (as amended by the Telecommunications (Security) Act 2021) to identify and reduce the risk of a wide range of security compromises. The specific requirements providers must follow are set out in the Electronic Communications (Security Measures) Regulations 2022, with accompany technical guidance in a code of practice. Ofcom has also been given powers and duties to investigate, rectify, and penalise any infringement of the statutory security and resilience obligations of network providers.
DSIT also works closely with the National Cyber Security Centre, the UK’s technical authority for cyber security, on issues related to the cyber security of the UK's telecoms network. The NCSC is responsible for helping to protect the UK’s critical services from cyber attacks, manage major incidents, and improve the underlying security of the UK's telecoms networks through technological improvement and advice to citizens and organisations. The NCSC issues a range of guidance on its website to support organisations in ensuring secure design and management of their networks.
Asked by: Julian Knight (Independent - Solihull)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what assessment he has made of the implications for his policies of the cyber attack on the Electoral Commission from August 2021; and what steps the Commission have taken to protect voters information.
Answered by Jeremy Quin
Since the Electoral Commission reported the incident to the National Cyber Security Centre, the government has worked closely with the Commission to provide it with all the expertise and support required to deal with this incident and protect voters’ information.
The cyber attack experienced by the Electoral Commission and other recent incidents demonstrate just how real the threat is. This government has already identified the challenge we face and is delivering greater cyber resilience through both the National Cyber Strategy and the Government Cyber Security Strategies which were launched in 2022.