Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, if he will make an assessment of the effectiveness of the Procurement Act 2023 for tackling cybersecurity threats in public tenders.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
The Procurement Act 2023 brings in new powers to exclude and debar companies from public procurement on grounds of national security. The new National Security Unit for Procurement (NSUP), in the Cabinet Office, will work across government to coordinate assessments of companies and support ministers in national security debarment decisions.
In addition, Procurement Policy Note 09/14 requires central government contracting authorities to ensure that for contracts with certain characteristics, suppliers must meet the technical requirements prescribed by Cyber Essentials, including where suppliers store, or process, personal information or data at Official level.
The Cabinet Office encourages all organisations to follow National Cyber Security Centre (NCSC) guidance which sets out the security matters to be considered during the procurement process. The National Protective Security Agency (NPSA) has also published guidance to prevent hostile actors exploiting vulnerabilities in supply chains.
The National Procurement Policy Statement sets out the national priorities that all contracting authorities should have regard to in their procurement where it is relevant to the subject matter of the contract and proportionate to do so. The current statement does not include cyber security as a separate, wider policy because the need for cyber security protection is fundamental to procurements where it applies and therefore built into the procurement process as described above. The new legislative statement that will come into force alongside the Procurement Act is currently being drafted and will be subject to a consultation process as set out in Section 13 of the Act.
Asked by: Julie Elliott (Labour - Sunderland Central)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, whether the implementation plan for a cyber resilient health and adult social care system in England has been published.
Answered by Andrew Stephenson - Minister of State (Department of Health and Social Care)
The purpose of the implementation plan is to provide details on how we are going to be delivering our strategy over the current spending period. The plan will be published in spring 2024, but we are already delivering on the strategy through an ambitious Cyber Improvement Programme, aiming to invest up to £147.6 million by April 2025.
This programme is looking to further strengthen existing national cyber security controls for health and care, which already includes cyber monitoring 24 hours a day, seven days a week, through NHS England’s Cyber Security Operations Centre, national-scale defences from cyberattack, such as Secure Boundary, and nationally provided cyber incident response contracts in the event of a cyber incident.
Asked by: Marquess of Lothian (Conservative - Life peer)
Question to the Department for Digital, Culture, Media & Sport:
To ask His Majesty's Government what assistance they intend to provide to the British Library to aid (1) its recovery from the ransomware attack on 31 October 2023, and (2) the continuation of its research services; and what additional measures they have put in place to assist British institutions to (a) improve overall resilience, and (b) defend against cyberattacks.
Answered by Lord Parkinson of Whitley Bay - Parliamentary Under Secretary of State (Department for Culture, Media and Sport)
The National Cyber Security Centre and the Department for Culture, Media and Sport have been working closely with the British Library since the cyber-attack it sustained in October 2023. DCMS formed an incident response team, providing security guidance, recommendations and support to the British Library, and officials from the Department continue to work with their counterparts at the British Library.
The British Library is working hard to restore its services and began a phased return of key services on 15 January 2024.
Despite the cyber attack, the British Library’s buildings have remained open and well-used throughout, and it has maintained some key services including reading room access for personal study and some limited collection item ordering, exhibitions, learning events, business support, and onsite retail. In the immediate aftermath essential services such as WiFi and event ticket sales were quickly re-established.
On 15 January, the British Library restored a searchable online version of its main catalogue, comprising records of printed books, journals, maps, music scores and rare books.
The Government Cyber Security Strategy sets out our plan significantly to harden the Government’s critical functions against cyber attacks by 2025, with all Government organisations across the public sector being resilient to known vulnerabilities no later than 2030. We are working closely with publicly-funded institutions to enhance their overall cyber-resilience and to ensure that these targets are met.
Asked by: Lord Kempsell (Conservative - Life peer)
Question to the Department for Digital, Culture, Media & Sport:
To ask His Majesty's Government what steps they are taking to improve the cybersecurity of publicly-funded cultural institutions after the recent cyberattack on the British Library.
Answered by Lord Parkinson of Whitley Bay - Parliamentary Under Secretary of State (Department for Culture, Media and Sport)
The Government Cyber Security Strategy sets out our plan significantly to harden the Government’s critical functions against cyber attacks by 2025, with all Government organisations across the public sector being resilient to known vulnerabilities no later than 2030. We are working closely with publicly-funded institutions to enhance their overall cyber-resilience and to ensure that these targets are met.
The National Cyber Security Centre and the Department for Culture, Media and Sport have been working closely with the British Library since the cyber-attack it sustained in October 2023. The British Library is working hard to restore its services and began a phased return of key services on 15 January 2024.
Asked by: Julian Knight (Independent - Solihull)
Question to the Home Office:
To ask the Secretary of State for the Home Department, what steps he is taking to tackle cyber-related crime in Solihull constituency.
Answered by Tom Tugendhat - Minister of State (Home Office) (Security)
Tackling cyber crime is at the heart of the Government’s National Cyber Strategy 2022-25, which is supported by £2.6 billion of investment through the National Cyber Fund.
Key to delivery is ensuring that local policing has the resources needed to deal with the cyber threats we face. In 2023/24, the Home Office is receiving £18 million from the National Cyber Fund to provide a range of capabilities and resource to tackle and respond to cyber crime. This funding is supplemented by a further £16 million of Home Office funding through the Police Settlement Programme.
This funding continues to build law enforcement capabilities at the national, regional, and local levels to ensure they have the capacity and expertise to deal with the perpetrators and victims of cyber crime. We directly fund a specialist Cyber Crime Unit at West Midlands Police, which covers Solihull, and another, more specialist team, at the West Midlands Regional Organised Crime Unit (ROCU). This ROCU team is integral to our response to high-harm, high-impact crimes like cyber extortion.
This Regional Cyber Crime Unit for West Midlands (RCCUWM) also works with businesses and organisations based in Solihull, across the private and public sectors, and at community level. Under the Local Resilience Forum, RCCUWM work with Solihull Council, amongst others, to build stronger cyber security and resilience. A key part of RCCUWM’s work is to ensure the integrity of our Critical National Infrastructure providers, and they have a long-standing partnership with NHS Birmingham Solihull (BSOL) Integrated Care System and NHS England.
We have also rolled out Regional Cyber Resilience Centres in London and each of the nine policing regions, including the West Midlands. These are a collaboration between the police, public, private sector and academic partners to provide cyber security advice to Small and Medium Sized Enterprises so that they can protect themselves better in a digital age. Details of the Cyber Resilience Centre for the West Midlands can be found at Cyber Resilience | The Cyber Resilience Centre For The West Midlands (wmcrc.co.uk)
All vulnerable victims of fraud and cyber crime in Solihull receive contact and Protect advice from law enforcement, specifically aimed at helping them to protect themselves in future from revictimization.
The specialist RCCUWM Prevent Team also work to intervene if people are deemed at risk of becoming involved in cyber offending. RCCUWM deliver the National Cyber Choices programme and have delivered multiple initiatives across Solihull, including working with schools to help them identify those at risk. Solihull local police officers support these important safeguarding interventions.
Asked by: Chris Bryant (Labour - Rhondda)
Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what steps her Department is taking to (a) ensure the security of network infrastructure and (b) prevent unauthorised access to fibre lines during the (i) installation and (ii) utilisation of Openreach ducting.
Answered by Julia Lopez - Minister of State (Department for Science, Innovation and Technology)
The Department for Science, Innovation and Technology (DSIT) works with Ofcom, UK technical authorities (the National Cyber Security Centre and the National Protective Security Authority) and industry to identify risks and ensure the security of telecoms network infrastructure.
Through the Telecommunications (Security) Act 2021 and working with the National Cyber Security Centre and Ofcom, we have one of the toughest telecoms cyber security regimes in the world with the Electronic Communications (Security Measures) Regulations 2022 and Code of Practice. These place stringent obligations on providers of public telecoms networks to protect those networks against security threats. The Act also created new national security powers to manage and control the use of high-risk vendors in the UK’s telecoms network.
DSIT also works with the National Protective Security Agency (NPSA) in developing telecoms security policies. The NPSA advises government and industry on the physical security of infrastructure, including its installation.
DSIT will continue to develop policies to address significant risks to the cyber, physical and personnel security of telecoms infrastructure where necessary, based on advice from the NPSA and NCSC.
Asked by: Dan Jarvis (Labour - Barnsley Central)
Question to the Home Office:
To ask the Secretary of State for the Home Department, if he will make an assessment of the prevalence of imported cellular internet of things modules in equipment used by fire services; and what steps his Department is taking to ensure the security of such equipment.
Answered by Chris Philp - Minister of State (Home Office)
Each fire and rescue authority and police force is responsible for identifying and planning for the foreseeable risks in their area, including risks relating to organisational security.
Operational security decisions are made independently by Fire and Police chiefs, who are consistently seeking to identify, plan for, and mitigate against reasonably foreseeable operational risks.
The Government provides guidance on best practice and due diligence to the public sector, for the procurement of supplier contracts through Governments Model Services Contract Guidance.
The Home Office works closely with the National Cyber Security Centre (NCSC) in relation to the cyber security of Fire and Police Services. This includes the provision of active cyber defence services, guidance and best practice advice, and the response to cyber security.
Asked by: Dan Jarvis (Labour - Barnsley Central)
Question to the Home Office:
To ask the Secretary of State for the Home Department, if he will make an assessment of the prevalence of imported cellular internet of things modules in equipment used by police forces; and what steps his Department is taking to ensure the security of such equipment.
Answered by Chris Philp - Minister of State (Home Office)
Each fire and rescue authority and police force is responsible for identifying and planning for the foreseeable risks in their area, including risks relating to organisational security.
Operational security decisions are made independently by Fire and Police chiefs, who are consistently seeking to identify, plan for, and mitigate against reasonably foreseeable operational risks.
The Government provides guidance on best practice and due diligence to the public sector, for the procurement of supplier contracts through Governments Model Services Contract Guidance.
The Home Office works closely with the National Cyber Security Centre (NCSC) in relation to the cyber security of Fire and Police Services. This includes the provision of active cyber defence services, guidance and best practice advice, and the response to cyber security.
Asked by: John Hayes (Conservative - South Holland and The Deepings)
Question to the Department for Environment, Food and Rural Affairs:
To ask the Secretary of State for Environment, Food and Rural Affairs, what steps he is taking to work with (a) the agriculture sector and (b) farmers to (i) raise awareness of cyber security and (ii) tackle cyber crime.
Answered by Mark Spencer - Minister of State (Department for Environment, Food and Rural Affairs)
Defra works closely with the National Cyber Security Centre to engage with industry partners and provide guidance on cyber security. Additionally, Defra engages across Government to mitigate the impacts of a cyber incident affecting agriculture and food supply.
Defra and the Food Standards Agency are producing dedicated advice for the food and drink industry to help guard against cyber attacks. This is expected to be published next year and will support businesses across the food supply chain.
Asked by: Dan Jarvis (Labour - Barnsley Central)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what steps his Department is taking to protect critical national infrastructure from cyber attacks.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
The Government works constantly to strengthen the security and resilience of UK Critical National Infrastructure (CNI).
The Cabinet Office works closely with Lead Government Departments to understand, manage and mitigate the impacts of cyber risk to their corresponding CNI sectors. Each CNI sector's security and resilience is overseen by a Lead Government Department, and it is that Department's Minister that will hold overall accountability for that CNI sector. The UK Government also works closely with the National Cyber Security Centre (NCSC), the UK's national technical authority. NCSC are working with CNI operators to help them find the cyber exercising and incident management services they need from the marketplace by expanding the NCSC’s accredited scheme for Cyber Incident Response and introducing a new scheme for exercising.
At Cyber UK 2023, the Deputy Prime Minister announced that we have set specific and ambitious cyber resilience targets for all critical national infrastructure sectors to meet by 2025. This is alongside examining plans to bring more private sector businesses working in critical national infrastructure within the scope of cyber resilience regulations. This work will further our ambition to understand and manage cyber risk.
Through the National Cyber Strategy, the Government is working to improve resilience to cyber risks across the UK economy and drive organisations to take action themselves as part of a whole of society approach. Over the past year, the Cabinet Office has been progressing foundational work to support the creation of common but flexible resilience standards across CNI and do more on the assurance of CNI, including cyber assurance preparedness by 2030.