Asked by: Jim Shannon (Democratic Unionist Party - Strangford)
Question to the Department for Energy Security & Net Zero:
To ask the Secretary of State for Energy Security and Net Zero, whether her Department is taking steps to secure the (a) electricity grid and (b) electric vehicle infrastructure from remote disruption by foreign actors.
Answered by Justin Tomlinson - Minister of State (Department for Energy Security and Net Zero)
The Government takes the security of the electricity grid and electric vehicle infrastructure extremely seriously. The Department for Energy Security and Net Zero works closely with Ofgem, the National Cyber Security Centre, and operators to strengthen infrastructure against attacks, share threat intelligence, and set clear and robust regulatory standards that are enforced through the Network and Information Systems Regulations 2018.
The 2021 electric vehicle smart charge point regulations include cyber security requirements. These require that all private charge points meet physical tamperproof requirements, check regularly for security updates, and encrypt all communication to and from the charge point.
The Government has recently published a detailed consultation package, 'Delivering a smart and secure electricity system: implementation'. This sets out proposals for minimum security and grid stability requirements for Energy Smart Appliances and load controlling organisations to further mitigate risk.
Asked by: Gregory Campbell (Democratic Unionist Party - East Londonderry)
Question to the Home Office:
To ask the Secretary of State for the Home Department, how many major cyber crime incidents have been reported since the National Cyber Strategy was introduced.
Answered by Tom Tugendhat - Minister of State (Home Office) (Security)
Since the announcement of the National Cyber Strategy on 15 December 2021, the National Cyber Security Centre (NCSC) has received 71 reports associated with cyber crime activity, considered to be significant.
The NCSC categorise incidents based on numerous contemporaneous factors, including but not limited to, the technical impact of the incident, the nature of the affected organisation, and contextual considerations at the time of the incident report being received.
NCSC and law enforcement take action against cyber criminals by taking down their malicious URLs used to defraud people.
Asked by: Liam Byrne (Labour - Birmingham, Hodge Hill)
Question to the Department for Business and Trade:
To ask the Secretary of State for Business and Trade, what recent assessment she has made of the effectiveness of export controls on cyber-surveillance tools.
Answered by Alan Mak - Minister of State (Department for Business and Trade) (jointly with the Cabinet Office)
The UK already controls the export of a range of cyber-surveillance tools. Export licence applications for such items are rigorously assessed against the Strategic Export Licensing Criteria taking full account of risks to national security and human rights. The UK Government continues to work through the international export control regimes to ensure these controls remain up-to-date.
In assessing licences involving sensitive communications technology, the Export Control Joint Unit also takes advice from HM Government’s National Cyber Security Centre.
Asked by: Liam Byrne (Labour - Birmingham, Hodge Hill)
Question to the Department for Business and Trade:
To ask the Secretary of State for Business and Trade, what role the National Cyber Security Centre plays in facilitating export controls to prevent the proliferation of sensitive technology in the areas of (a) artificial intelligence, (b) quantum computing, (c) biometric tools and data and (d) intangible technology transfers.
Answered by Alan Mak - Minister of State (Department for Business and Trade) (jointly with the Cabinet Office)
The National Cyber Security Centre is HM Government’s national technical authority for information security and advises the Export Control Joint Unit, in the Department for Business and Trade, on export licence applications for goods involving sensitive communications or computer technology.
Asked by: Lord Bishop of St Albans (Bishops - Bishops)
Question to the Cabinet Office:
To ask His Majesty's Government whether they plan to ban Chinese-made electric cars from sensitive national infrastructure sites.
Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)
The UK takes the security and resilience of critical infrastructure seriously. Each Critical National Infrastructure (CNI) sector has a Lead Government Department responsible for working with owners and operators to identify and mitigate risks to their sites. They are also supported by the National Cyber Security Centre and the National Protective Security Authority who provide expert advice and guidance to both public and private organisations to identify risks and vulnerabilities to the UK’s national infrastructure.
As set out in the Integrated Review Refresh, China under the Chinese Communist Party (CCP) poses an epoch-defining challenge and an economic threat to a range of government policy areas, including CNI. The Government actively monitors threats to UK critical national infrastructure, and will not hesitate to take further action if necessary to protect sensitive assets where appropriate to protect national security.
Asked by: Lord Bishop of St Albans (Bishops - Bishops)
Question to the Department for Transport:
To ask His Majesty's Government what assessment they have made of the potential impact upon national security of Chinese-made electric vehicles; and whether they plan to further investigate any risks that may arise.
Answered by Lord Davies of Gower - Parliamentary Under-Secretary (Department for Transport)
DfT co-chairs the UN Economic Commission for Europe (UNECE) group that developed two new international regulations related to connected vehicles – one on cyber security and one on software updates. The cyber security regulation sets out requirements to mitigate potential threats in vehicle construction, to monitor emerging threats and to respond to cyber attacks.
The Government takes national security extremely seriously. The Department for Transport (DfT) works closely with the transport sector and the National Cyber Security Centre (NCSC), and other Government departments, including the Department for Business and Trade (DBT) and Department for Science Innovation and Technology (DSIT), to understand and respond to cyber vulnerabilities associated with all connected vehicles, including electric vehicles.
Asked by: Baroness Manzoor (Conservative - Life peer)
Question to the Department of Health and Social Care:
To ask His Majesty's Government what steps they have taken to ensure that patient records and personal data are only accessible to those who need to view them, and to ensure connections between software systems in health facilities include suitable control measures for this risk.
Answered by Lord Markham - Parliamentary Under-Secretary (Department of Health and Social Care)
National IT systems must ensure that users can be identified correctly, and are given appropriate access. This is achieved using identity verification capabilities, including creating a national digital identity for each authorised user.
Each local National Health Service organisation which requires access to the national IT systems is required to set up its own local Registration Authority (RA) which consists of people and processes who are trained to create identities and grant access for their staff to the national IT systems. NHS England has published the RA Policy requirements with which every local NHS organisation that has an RA must comply. This reflects current best practice for identity and access management as informed by the National Cyber Security Centre (NCSC) guidance.
The RA Policy also allows non-NHS health and care organisations providing direct care to run their own RA service. RA hosting is subject to meeting requirements and assessment criteria, which are soon to be published.
The RA process includes the use of RA codes, assigned to professional users’ smartcards to give them access to the correct information within national IT systems.
The RA codes which are assigned for a specific user will allow that user to create and process referrals appropriately depending on their job role.
Local organisations which have an RA function are required to have an RA audit policy and conduct annual audits on NHS Smartcard usage as part of their RA governance. RA Managers (those responsible for administering the RA function within an organisation) must implement a process to run the RA reports on a regular basis.
Asked by: Lord Alton of Liverpool (Crossbench - Life peer)
Question to the Foreign, Commonwealth & Development Office:
To ask His Majesty's Government what assessment they have made of the report by the Coalition on Secure Technology, Chinese cellular (IoT) modules: Countering the threat, published in March, and its conclusions that Chinese-made cellular internet of things modules should be banned from UK critical national infrastructure.
Answered by Lord Ahmad of Wimbledon - Minister of State (Foreign, Commonwealth and Development Office)
The security of the UK's critical national infrastructure is of utmost importance to the Government. We continue to monitor potential security threats, including the unique challenges posed by cellular internet-of-things (IoT) modules. The National Protective Security Authority (NPSA) and The National Cyber Security Centre (NCSC) produce advice and guidance on the security implications of internet connected components, which the Government follows where appropriate.
Existing legislation such as the Telecommunications (Security) Act 2021 and Product Security and Telecommunications Infrastructure Act (PSTI) 2022 are designed to address the emerging security threats posed by IoT technologies. These include a range of measures that can be employed even in an evolving threat landscape. Any action is only taken after a rigorous assessment.
The UK's approach to China is to enhance our national security protections, align with our partners, and to engage where it is in the UK's national interest.
Asked by: Lord Browne of Ladyton (Labour - Life peer)
Question to the Department for Science, Innovation & Technology:
To ask His Majesty's Government what steps they are taking to support businesses seeking to adopt process improvement programmes for their organisational cyber-resilience.
Answered by Viscount Camrose - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)
The government is inviting views on a proposed Cyber Governance Code of Practice until 19th March. This is part of a package of action in the £2.6 billion National Cyber Strategy to drive up improvements in organisational cyber resilience. Co-designed with the National Cyber Security Centre (NCSC) and industry experts, the Code consolidates critical cyber governance areas for directors' ownership. As part of this package, the NCSC revised their Board Toolkit (BTK) and intends to develop an online Cyber Governance Training Pack for Boards, integrating the Code and BTK. This comprehensive package will help boards ensure that cyber resilience is embedded throughout their organisation, including its people and processes.
Asked by: Andrew Rosindell (Conservative - Romford)
Question to the Department for Education:
To ask the Secretary of State for Education, whether she has had discussions with Cabinet colleagues on cyber security threats to educational institutions.
Answered by Damian Hinds - Minister of State (Education)
The UK government takes cyber threats to our public institutions very seriously and this threat has been highlighted in both the published Integrated Review and the Government Cyber Security Strategy, which show the cross-government approach the department has to tackling these threats. The Integrated Review is accessible at: https://www.gov.uk/government/collections/the-integrated-review-2021. The Government Cyber Security Strategy is accessible at: https://www.gov.uk/government/publications/government-cyber-security-strategy-2022-to-2030.
The department cyber team continues to work closely with colleagues across government, including those at the National Cyber Security Centre, to manage its cyber risk across educational institutions.