Sir Mark Hendrick (Preston) (Lab/Co-op)
I beg to move,
That this House has considered cyber security laws and tackling
crime.
It is a pleasure to serve under your chairmanship, Ms Bardell. I
am delighted to lead this debate on the important issue of
cyber-security, particularly in relation to cyber-crime and the
need to enhance the UK's national cyber-resilience.
Cyber-security has a significant impact on society, the economy
and individuals, as well as on both national and global security.
The UK faces cyber-threats from a number of hostile actors,
whether they are states, state-sponsored groups or criminal
organisations motivated by money. Cyber-crime itself ranges from
complex ransomware attacks to less sophisticated cyber-threats
such as hacking and phishing, which many in their everyday lives.
In today's world, virtually every business, charity and public
sector organisation is in some way digital, but, as high-profile
incidents have shown, cyber-attacks exploiting that
digitalisation can quickly undermine trust in our private and
public sector institutions.
With a burgeoning cyber ecosystem, the UK is well placed to be a
global leader on cyber-security, and I will come back to that
point later. Often, however, we struggle to get the basics right,
leaving citizens and businesses exposed as they move more and
more of their lives and operations online. Last year, UK
businesses experienced approximately 7.78 million cyber-crimes.
Half of businesses and around a third of charities report having
experienced some form of cyber-breach or attack in the last 12
months and such attacks have had a real impact on business and
consumers.
A recent report by the think-tank the Royal United Services
Institute brought to light some of the stark implications of
cyber-crime, particularly in relation to ransomware, which is
malware designed to deny a user or organisation access to their
own data unless a ransom is paid to the attacker. RUSI's report
revealed the extent to which ransomware can ruin lives, with the
harm going beyond financial and reputational costs for
organisations. Victims and incident responders have revealed that
ransomware creates both physical and psychological harms for
individuals and groups, which have caused individuals to lose
their jobs, evoked feelings of shame and self-blame, seeped into
private and family life and contributed to serious health issues.
Furthermore:
“The harm and cumulative effects caused by ransomware attacks
have implications for wider society and national security,
including supply chain disruption, a loss of trust in law
enforcement, reduced faith in public services, and the
normalisation of cybercrime. Ransomware also creates a strategic
advantage for the hostile states harbouring the cyber-criminals
who conduct such operations.”
Meanwhile, the threat landscape is changing and becoming more
complex.
UK cyber firm NCC Group's latest insights show that ransomware
attacks increased by 84% last year, with the UK the second most
targeted country for such attacks, only behind the US. Emerging
technologies such as artificial intelligence have the potential
to enable cyber-attackers to mount ever more sophisticated
campaigns against organisations. AI is effectively lowering the
barrier of entry into cyber-crime, making it easier for
cyber-attackers to successfully target victims and widening the
availability of voice cloning, deepfakes and social engineering
bots. We are likely to see that manifest in a higher volume of
cyber-attacks, an enhanced ability of cyber-criminals to generate
malware and an improved success rate of social engineering and
phishing attacks. With AI as an emerging threat, hacking as a
service is being thought of as a growing market, whereby malware
developers sell or lease cyber-attack tools and services to other
cyber-criminals. Worryingly, such a business model extends
cyber-attack capabilities to organisations and individuals that
would not otherwise have known how to carry out attacks
themselves.
Artificial intelligence is also advancing tactics that have been
around for decades and, in its own way, evolving threats in line
with technology. Deepfake phishing is just one example of a
fast-growing threat that manipulates or confuses users in order
to exploit their trust and gain access to their data. That can be
done through emails or messages, video calls or voice messages,
where personalisation and synthetic content can make the attack
more credible.
Cyber-threats should be seen in the wider context of nation-state
threats, too. The conflict in Ukraine has shown how cyber and
kinetic attacks are increasingly interconnected in modern hybrid
warfare. As thousands of lines of complex code control new and
evolving physical functions and systems, such as in smart cities,
cyber-security vulnerabilities can be exploited to effect change
in the real world. Although we have not seen the so-called
cybergeddon that some were expecting from the next big conflict
on our globe, one thing is clear: cyber-warfare has proven itself
to be a critical element in hybrid cyber-kinetic
battlefields.
There is an opportunity here for the UK. To tackle cyber-crime, a
close partnership between the public and private sectors is a
critical part of the UK's whole-society approach. In particular,
the UK's cyber industry is working closely with law enforcement,
the public sector, academia and other private firms to ensure
that the UK remains confident, capable and resilient in this
fast-moving digital world. That includes vulnerability
researchers, also known as ethical hackers, who identify security
vulnerabilities in products, software and the UK Government. They
rely on such researchers to identify bugs before they can be
exploited by malicious actors for their nefarious purposes.
Meanwhile, threat intelligence researchers detect cyber-attacks
and gain insight into attackers and victims. Researchers work
with and pass on that important information to law enforcement
and the intelligence agencies, enabling them to defend the UK
against rising cyber-crime and geopolitical threat actors. Many
of the recent takedown operations we have heard about, where law
enforcement disrupted the servers or digital infrastructure that
cyber-criminals used to conduct their illegal activities, were
possible only because intelligence and insights about those
cyber-criminals were shared across the public and private
sectors. I firmly believe that there is an opportunity for the UK
to play a significant leadership role in conducting the UK's
response, with the north-west cyber corridor at its heart.
We are already seeing that public-private partnership in action
in wider Lancashire and in my own constituency of Preston through
the National Cyber Force, which will open its new home in
Samlesbury, Lancashire, in 2025. It is a partnership between
defence and intelligence, and already carries out cyber
operations daily to counter and contest the actions of those who
would harm the UK or our allies, to keep the country safe and to
protect and promote the UK's interests at home and abroad.
Furthermore, the Lancashire Cyber Partnership, or LCP, is a
strategic collaboration between Lancashire County Council, the
Lancashire Enterprise Partnership, the University of Central
Lancashire, Lancashire University and BAE Systems. In addition,
the National Cyber Force has its own role in shaping, supporting
and promoting the county's world-class cyber strengths and
fast-growing cyber ecosystem, becoming a destination for cyber
businesses, investors, careers training, academia and, indeed,
innovation. With a strong cyber industry, Lancashire and the
wider north-west are fostering the growth of the technology,
digital and defence sectors, as well as harnessing the
investment, jobs and benefits that come with a thriving cyber
economy.
We should be proud of the UK's role as a responsible global cyber
power, and we should also remember that there is widespread
cross-party and cross-societal consensus on the importance of
cyber-security as fundamental for thriving and prosperous digital
societies and economies. However, we cannot be complacent.
Research from the NCC Group has shown that citizens—our
constituents—expect us, as political decision-makers, to do what
we can to keep them safe and secure in cyber-space. We have
strong foundations to build on, but we must continue to do more
to take our cyber-security to the next level. Indeed, much more
can be done to ensure that regional cyber clusters, such as the
north-west, can play their part in making us all safer online,
while also enhancing national cyber-resilience.
I would like to move on to the issue of the UK's Computer Misuse
Act 1990. First and foremost, that Act, which is the main
cyber-security Act that regulates the UK's digital relationship
between individuals and malicious parties, needs bringing into
the 21st century. The Act was written more than 30 years ago when
just over 0.5% of the world's population had access to the
internet, and before the cyber industry—as we know it today—even
existed. As a result, the UK's cyber-defenders, such as the
vulnerability and threat intelligence researchers mentioned
earlier, are held back by that outdated law from doing all they
can to protect the UK. That is because the Act, which was written
over 30 years ago, has a blanket prohibition on all forms of
unauthorised access to computer material, irrespective of intent
or motive. In this day and age, where an individual desktop PC is
but a distant memory, where technologies are hyperconnected and
where cyber-crime is rampant, that approach simply does not
reflect the reality we live in. The legislation is no longer fit
for purpose, and, worse, it might be detrimental.
There have been calls from industry, led by the CyberUp Campaign,
to reform the law to include a defence for legitimate
cyber-security work. Sir Patrick Vallance called for such a defence
in the “The Pro-innovation Regulation of Technologies Review”,
and he recommended amending the 1990 Act to include a statutory
public interest defence that would provide stronger legal
protections for cyber-security researchers and professionals.
That would have a catalytic effect on innovation in a sector with
considerable growth potential. Countries such as France, Israel
and the United States have already updated their regulations to
provide that defence. I join Sir Patrick by agreeing that if the
UK cyber industry is to compete on a level playing field, the UK
Government should do the same. However, one year since Sir
Patrick published his recommendation, and three years since the
UK Government first launched their review into the Act, the
Government are yet to set out how they will address the legal
barriers that it presents to the UK cyber-security industry.
A second area where the Government must prioritise reform is in
updating the network and information systems regulations, which
set out the cyber rules for our critical infrastructure. Back in
2022, the Government announced their intention to legislate to
enable new sectors to be brought within the scope of the NIS
regulations, responding to the inevitable evolution of what
constitutes the UK's critical infrastructure, but those reforms
were not included in the most recent King's Speech. It is
critical that there are no further delays in bringing forward the
reforms, and that a Bill is prioritised. Failure to legislate
would leave a core part of the UK's critical infrastructure
exposed when others globally are already moving forward with new
laws to ensure that all relevant entities are appropriately and
proportionately regulated.
Outside the UK's critical infrastructure, we must look at how we
protect small businesses and charities, the backbone of the UK's
economy. Despite six in 10 small businesses being victims of a
cyber-attack last year, many lack the skills and budgets to
implement proportionate cyber-protections, leaving them exposed.
They can also be disproportionately affected, with cyber-attacks
sometimes posing an existential threat. A survey found that 90%
of European small and medium-sized enterprises believed that
cyber-security issues would have serious negative impacts on
their business within a week of the issues happening; 57% said
that they would most likely become bankrupt or go out of
business.
It is unrealistic to expect small firms to adhere to and invest
in the same cyber-resilience standards as larger firms such as
critical infrastructure firms. However, that leaves a significant
part of the economy vulnerable to cyber-attacks. To tackle that
problem, the Government should work with technology providers to
embed cyber-security in their products, particularly those most
relied on by small organisations. The Government should also look
at how they can support smaller firms' response to and recovery
from cyber-attacks. That could include establishing a “first
responder” service that provides proportionate—that is,
free-at-the-point-of-use—support to small businesses that have
been victims of cyber-attacks. That could include incident
response services and the triaging of further steps, such as
where victims could get the most effective help. Such a scheme
could learn lessons from our counterparts in Australia, who
recently announced a small business cyber-security resilience
service.
Finally, the Government must look at how they enhance the UK's
cyber skills. The issue of cyber skills is not just about
addressing the cyber industry's significant skills shortage,
although that is a critical part of it. It is also about
equipping individuals—across organisations of all sizes and at
all levels of seniority—with the cyber literacy that they need to
make decisions about their personal, organisational and even
national cyber-resilience. A national programme of cyber literacy
is needed to ensure that everyone, from preschoolers right
through to pensioners, is cyber-literate, no matter where they
are on their learning, career or retirement journeys. That could
include commissioning “Cyber Beebies”—keeping with the concept of
CBeebies, which
“helps pre-schoolers learn whilst they play fun games, watch
clips, sing songs and make things”—
in order to start cyber education and awareness in the earliest
years.
We could also look at including cyber-competence—covering safe
and secure online behaviours, privacy and use of technology
alongside broader technology and computing lessons—as a mandatory
part of the school curriculum. That should be reviewed and tested
with an industry advisory board regularly to ensure that it keeps
pace with technological developments and industry requirements.
Teachers must also be regularly supported to understand new
developments and how they should be reflected in the school
curriculum.
STEM—science, technology, engineering and maths—programmes
throughout the country have had a critical role in creating
opportunities for today's youth as they advance their education
and skillset. In my own constituency of Preston, I am very proud
of the work of Cardinal Newman College. One of the
highest-performing sixth form colleges nationally, it has
partnered with Lancaster University to harness the skills of
young people with a passion and aptitude for the study of maths
and science. In doing so, they have further developed the young
people's interest and education while providing them with
opportunities for their future, including—especially—in the field
of cyber at the new cyber defence centre.
I welcome the Minister, who is about to take his place in the
hall. I should like to ask him four questions. Will he join me in
praising and expressing pride in our UK cyber industry? Will he
acknowledge, as we all do, the role that our industry plays in
keeping us all safe and secure in cyber-space? Will he set out
the Government's further ambitions to take our cyber-security to
the next level and beyond what has been announced as part of the
national cyber strategy? Will he provide more information in
particular on the Government's plans to finally make progress on
introducing legal protections for legitimate cyber-security
activities as part of ongoing efforts to reform the Computer
Misuse Act? Will he set out the Government's views on following
the Australian example of introducing a cyber first responders
service for all our small businesses and charities, and set out
the Government's ongoing commitment to invest in our national
cyber-resilience?
I thank the Minister for engaging with me on this important
issue. It is good that there is cross-party consensus on a matter
of such importance, but it is clear that much more needs to be
done when it comes to cyber-crime and ensuring that Government
policy keeps pace with technology in the ever-changing cyber
landscape. The public need to be better educated and trained from
an early age in the use of computers. That will add to the
resilience the country needs to overcome the challenges of
cyber-crime for the purposes of cyber-security.
(in the Chair)
Before I call the SNP spokesperson, I want to note that the
Minister was not in his place, which is disappointing given the
importance of the issue and the effort put in by the Member in
charge. We have been grateful to Minister Opperman for sitting
in, who is fortified with the relevant information. I am sure he
will let his colleague copy his homework, so he is able to
respond, if the Member in charge is happy with that.
Sir Mark Hendrick
Yes.
(in the Chair)
On that basis, we will proceed. I call SNP spokesperson .
6.51pm
(Midlothian) (SNP)
It is a great pleasure to serve with you in the Chair, Ms
Bardell. I commend the hon. Member for Preston (Sir Mark Hendrick) for securing this debate on
such an important issue. The past few years have challenged us
like no other time in recent history, but they have also served
to highlight how critical digital technologies are to all our
lives and to the functioning of society and the economy. Whether
working or learning from home, running a business or keeping in
touch with friends and family, digital technologies underpin and
continue to support our critical national infrastructure.
Nowadays digital appliances and smart tech are everywhere, and it
is more and more common to find that a lack of an internet
connection or a charger is becoming a major issue. When we
consider the attacks, as outlined by the hon. Member, be they
personal or on a national level, it is critical that we consider
the resilience that each of us has individually in how we manage
to protect ourselves from those who wish to do harm, but also
collectively as we look to protect our society.
As the hon. Member has outlined, digital technologies cut across
everything we do. The secure and resilient ways we use them
cannot be an afterthought. Cyber-resilience cannot be viewed
simply as an IT issue; it is the very backbone of every public
service, business and community. It is also a critical part of
our economic and societal recovery and renewal, especially in
Scotland as we embrace new technologies, such as artificial
intelligence, smart cities and 5G wireless networks. Those can
all be positives, albeit there are clearly those out there who
wish to use them to do harm.
Digital technologies are now at a stage where it is not simply
enough to turn them off and on again to fix problems that arise.
Cyber-resilience is key to operational resilience and business
continuity, as well as our capacity to grow and flourish as we
adapt to the demands of operating online. Our ability to deter,
respond and recover from national cyber-attacks has to be a top
priority, and we need a plan exercised and to reflect continually
and collaboratively to ensure that we are prepared to withstand
any such cyber-threats.
In Scotland, the strategic framework for our cyber-resilience
sets out what we need to do to make us a digitally secured and
resilient nation. It builds on the work of Scotland's first
cyber-resilience strategy published in 2015, and it expands on
its achievements and addresses ongoing and new challenges
because, as the hon. Member has outlined, the challenges are
forever changing. This is an ever-changing landscape that we are
dealing with.
The cyber-threats we face cannot be met by Government alone, and
we have a role to play in protecting ourselves, our families and
our communities. Our public sector, third sector and private
sector organisations need to work together, with Government, to
minimise the harm and disruption that can result from
cyber-incidents. As Members of Parliament, some of our colleagues
have been targeted and directly impacted by cyber-attacks, and we
have seen what that has meant for them, as well as what it means
for the rest of us collectively. We need to make the very most of
technological advances and use them to protect ourselves as those
who wish to do harm look to exploit loopholes in the system.
The recent pandemic reminded us of the importance of resilience
and agility. The Scottish Government pledged to review the
implementation of the framework regularly, monitoring indicators
against the four outcomes and the action plans that will guide
delivery. Scotland's four key cyber-resilience outcomes are
ensuring that our citizens have access to basic and specialist
learning and skills to help keep safe and secure online; working
with partners in the public, private and third sectors to enhance
all our cyber-resilience; raising awareness of the importance of
cyber-resilience and how to achieve it by providing easier access
to advice and support; and taking advantage of the economic
opportunities resulting from greater cyber-resilience. It is
great if people have the knowledge and understanding to grasp
those opportunities, but we have also to recognise that there are
so many in our communities who want the massive benefits of
taking advantage of our digital infrastructure but do not know
where to turn. There is a massive job for all of us in making
sure that that information is as widely available as it possibly
can be.
On this issue perhaps more than many others, it is critical that
any work is done in collaboration with other Governments. The
problem is not unique to Westminster, Scotland or any of the
devolved Parliaments; it affects us all, and it is only by
working together that we can truly tackle it. The UK Government
published the national cyber strategy in 2022. It describes the
UK's overarching cyber policy and, as noted, takes a whole of
society approach, arguing that Government must work in
partnership with private sector organisations and cyber-security
professionals to improve cyber-security. Between 2017 and 2021,
the Scottish and the UK Governments allocated £10.28 million
under the UK national cyber security programme to support a
programme of action on cyber-resilience.
I wholeheartedly agree with the hon. Member for Preston that
there is an urgent need to seriously look at the Computer Misuse
Act; that is long overdue. With that in mind, what plans do the
Government have to review the Act, and what steps does the
Minister feel are most urgent? Certainly, there are many.
Cyber, digital infrastructure and technology are not there just
for the specialist few; they are there in the day-to-day lives of
everyone in our communities, all our families and all our
friends. More than ever, it is critical that we take whatever
steps we can as legislators to ensure that protections are in
place and information is there for everyone, so that we can
protect ourselves from those who would look to use them for ill
ends. On that note, I again thank the hon. Member for securing
this important debate. I am sure that it will not be the last we
hear of it.
6.58pm
(Barnsley Central) (Lab)
It is a pleasure to serve under your chairship, Ms Bardell. May I
say how good it is to see the Minister in his place? I
congratulate my hon. Friend the Member for Preston (Sir Mark Hendrick) on securing this important
debate. He is a long-standing and dedicated servant to his
constituents and Lancashire more widely; any compliment about
Lancashire does not come particularly easily from my side of the
Pennines, but that is certainly one that my hon. Friend deserves
for his very long-standing service for his constituents.
I pay tribute to the men and women who serve in the National
Cyber Force, soon to be based in Samlesbury, and to those who
serve across the security and intelligence services and in the
cyber-security sector. They fight on the digital frontline day in
and day out to detect, disrupt and deter individual and
state-sponsored adversaries that threaten our cyber-security.
The cyber threat is constantly mutating and spreading. The latest
crime survey for England and Wales shows a staggering 29%
increase in computer misuse between 2022 and 2023. Computer
misuse disrupts services, obtains information illegally and
extorts individuals, meaning that personal information can be
published online without consent, entire life savings can be lost
due to fraud, and individuals, including children, can be
blackmailed. The Government need to be increasingly ruthless in
their approach to countering those threats and legislate for the
challenges of today, not those of yesterday. Doing so will give
cyber-security professionals the means to retain the advantage
over those who seek to harm us and protect more people and
organisations from cyber-crime.
Therefore, as the right hon. Member for Midlothian rightly said, the Computer
Misuse Act needs updating to reflect the challenges of the cyber
age, not those of the Ceefax age. Accelerating technological
change means that outdated legislation is struggling to catch up
with cyber-threats posed by the likes of artificial intelligence.
That is why, on this side of the House, we have already proposed
criminalising the programming of chatbots that radicalise and
spread terrorist material. We also welcome the Government's
announcement last month of the criminalisation, through the
Criminal Justice Bill, of the creation of sexually explicit
deepfakes. Outdated legislation is at best restrictive and at
worst punitive for cyber-security professionals in the UK who
conduct ethical hacking to expose system vulnerabilities and
protect us from harmful cyber-attacks.
The National Cyber Security Centre, which is home to exceptional
men and women fighting cyber-crime, has said that ethical hacking
reports by individual researchers provide valuable information
that organisations can use to improve the security of their
systems. That is why the Opposition tabled an amendment to the
Criminal Justice Bill that would reform the CMA by introducing a
statutory defence for cyber-security researchers and
professionals involved in ethical hacking.
Our amendment comes after the Chancellor's commitment to
implement all of Sir Patrick Vallance's recommendations on the
regulation of emerging digital technologies published alongside
last spring's Budget, which included the introduction of a
statutory defence. If this Government do not deliver, the next
one should. Until that happens, the legislative lag will have
consequences. Half of UK businesses and 32% of charities suffered
a cyber-breach or attack in the last year alone. Breaches due to
vulnerabilities in cyber-security drive some of the most
pernicious types of criminality. According to the accounting firm
BDO, fraud doubled in 2023.
Furthermore, the Joint Committee on the National Security
Strategy warned in December that the Government could face a
catastrophic ransomware attack at any moment. The sobering
reality is that such attacks are already happening on the UK's
critical national infrastructure. Just today, it was reported
that in response to a ransom not being paid, personal information
illegally obtained by a ransomware attack on NHS Dumfries and
Galloway has been published on the dark web—a truly despicable
act that accompanies another deeply concerning development today:
a hack into the Ministry of Defence's payroll records by a malign
actor.
Those are only two of the most recent examples, and they show
that the threat landscape has never been more dangerous. However,
progress on reforming the CMA has been buffering for three years
since the Government first announced their review of the
legislation. Despite two public consultations, a Home Office
industry working group and several public commitments, the
Government have not yet made progress and, as the Minister will
know, we are fast running out of parliamentary time. Though time
is in short supply, there is consensus on acting in the national
interest to update the CMA, and the Opposition are keen to play
our part.
I would be grateful if the Minister would answer the following
questions. He will know that they are meant in the constructive
spirit in which we always seek to engage on these important
matters. First, will he give an assurance that the proposed
legislation, as outlined in the Government's response to the CMA
consultation, will be introduced in this Parliament?
Progress on legislation requires political leadership. However,
the JCNSS report on ransomware said that the leadership by a
former Home Secretary did not treat it as a priority. The
Minister will remember that I wrote to him in January about this
matter and others identified in the JCNSS report. Can he give a
further assurance that his Department and other Departments are
now prioritising ransomware by confirming that they will finally
respond to the consultation on unauthorised access to online
accounts and personal data, which was published in September
2022?
On public sector payments to ransomware, the Deputy Prime
Minister responded to me at Cabinet Office questions on 25 April
by saying that that “is not something” that he would “rule out
totally”. However, the Security Minister's written answer to me
on the same question on the same day was much more resolute about
the policy not to pay ransoms.
The Minister for Security
Listen to me.
I am listening to the Minister. I do not know whether the Deputy
Prime Minister is; that is possibly the problem.
It would be really helpful if the Minister would say whether a
new approach to the public sector paying ransoms will be included
in any update to the CMA. These assurances and clarifications
matter, as the Home Office is part of a cross-Government response
to countering cyber-threats, joining the Department for Science,
Innovation and Technology, the MOD, the Foreign, Commonwealth and
Development Office and the Cabinet Office in driving policy to
detect, disrupt and deter cyber-criminality.
As the Minister will know, the fulcrum of such activity is the
National Security Council, but he will also know that, while it
has a sub-committee for economic security, there is not a
dedicated equivalent for cyber-security. Has consideration been
given to the creation of a dedicated sub-committee of the NSC for
policy responses to intermediate and long-term cyber
challenges?
Another long-term challenge, which the Minister will be familiar
with, is the retention of our best and brightest in fighting
cyber-crime, both in the security and intelligence services and
in the cyber-security sector. Do our modern-day Alan Turings, who
play a vital role in keeping our country safe, feel that the most
innovative and effective work can happen in the UK under current
cyber-security legislation? The answer, sadly, is likely to be
no: 60% of respondents to a recent cyber-ops survey said that the
CMA is a barrier to their work in threat intelligence and
vulnerability research, and 16,850 cyber-defenders—the equivalent
of two GCHQs—are estimated to have been lost due to outdated
cyber-security laws. The Minister knows that criminals profit the
most from poor retention and recruitment, so has he considered
how changes to the CMA could unlock the cyber-security sector's
huge potential to protect our country's cyber-space better?
This debate has not just been about protecting our cyber-space
through effective legislation; it has been about the principle of
legislation retaining the advantage over malign actors intent on
harming us. I said at the start of my speech that there are
exceptional men and women working to defend our cyber-security,
who are very much at the cutting edge of efforts to detect,
disrupt and deter myriad threats. As legislators providing the
legal framework for that crucial work, we must now all play our
part.
7.09pm
The Minister for Security
It is a great pleasure to see you this evening, Ms Bardell—as
ever, the surprise only adds to the joy—and to respond to the
hon. Member for Preston (Sir ), who is quite right to have
secured this debate. The challenge that he talked about and the
ways of addressing it are fundamental not just to his
constituents and the National Cyber Force, which he rightly paid
tribute to and will be hosting in his constituency, but to the
very nature of our country.
It is interesting to note that over the last 200 years, the
British economy has been based on many things: the ingenuity and
brilliance of our people; the rule of law and the ability to
predict the future based on prior agreement; the genius of
economic reforms innovated out of Edinburgh and Glasgow; and the
ability to keep trade moving. For most of our existence, that
trade has been maritime trade of various descriptions. It has
been guaranteed not just by an extraordinary industry of sailors
and shipwrights who have created the vehicles of commerce, but by
the Royal Navy, which has kept the sea lanes open, the sailors
safe and the goods moving.
The truth is that over the last few years, the nature of that
commerce—that commercial gain and exchange—has changed. We have
gone from sea lanes to e-lanes. We have gone from looking at the
red ensign as a guarantee of security at sea, to looking at GCHQ
and the National Cyber Security Centre as a guarantee of security
on the internet and in cyber-space. Those changes have been
fundamental. They have enabled us to do things that are frankly
quite remarkable. Look at the change in the way communication
works that our country has been through in the four years since
covid struck us. With so many of our lives going online—even this
place went online briefly, although we seem to have forgotten how
convenient that was—many of us have been able to transform the
businesses that we were working in from local or national to
global.
That change has been a phenomenal blessing, but none of it would
have been possible without the dedication and brilliance of some
remarkable individuals who have kept us safe. Those individuals
started off being headquartered solely in Cheltenham. Those of
us who have had the privilege to visit Cheltenham know that the
extraordinary brilliance and genius of those remarkable people
has been fantastic not just for our country but for many partners
and allies around the world.
What we see today is that it is not just the Government who need
to be kept safe. The reality is that companies and individuals
guarantee that security in many different ways. What we are
talking about this evening is how the wider economy is defended.
That is where the Government have made some important changes,
which I hope will be built on in coming years. The cyber-security
force that we have created is an essential part of keeping the
UK's commercial interests safe. It is a fundamental building
block of our economy not just today but for the future.
The way that has worked with the National Cyber Security Centre
is essential, because the reality is that the economy of Britain
is not guarded simply by the Government, and national security is
not limited to the arms of the state. It is fundamentally true
that many suppliers to Government and many different institutions
that connect to Government are also important. More than that,
every single aspect of our lives is a part of keeping our country
safe. Although it is true that the Government do not provide the
food, the supermarkets that feed us every day are part of our
national security. Although it is true that the Government do not
move the money, the banks that keep us fluid in that sense are
absolutely part of our national security. It is therefore true
that all those capabilities—all the cyber-defence that goes into
the wider economy and into our lives—keep us all safe. Sadly, one
of the things that has distressed me most in this job is
discovering the level of abuse that I am afraid is now prevalent
online. Hon. Members will not require me to tell them this, but
we see an explosion in online bullying and abuse, and sadly we
have seen an explosion in online harm that has taken not just
many young people, but many people from across every walk of
life, to dark places—and in some cases, very sadly, cost
lives.
The cyber work that we do is about protecting not just the state,
the Government or even the economy, but homes and families across
the United Kingdom. That is why the work that we are doing in the
reform of the Computer Misuse Act is so important, because, as
the hon. Member for Barnsley Central and particularly as the hon. Member for Preston put
it, the changes we have seen online in the last 20 or 30 years
since the Act was passed are phenomenal. The Act was passed
before the internet, the iPhone and social media. It is, in a
modern sense, historical; it is dated and based on an era when to
hold data was to hold it on a solid drive in a computer, not in
the ether or on the cloud. The nature of intervention to keep
cyber-defences alive and test them was very different, and the
Act was drafted for that era. That is why the work of Sir and the way in which he
has approached it have been so important, and it is why we have
been looking so carefully at what he recommends and at how to get
the best answer out.
The truth is that any decision we make is going to be difficult.
It is going to raise questions about the ways in which businesses
work and partner with others around the world. The right hon.
Member for Midlothian asked about ransomware and
the way in which it is changing. That is where the direction that
we take is so important—for example, the counter-ransomware
initiative that the United Kingdom led and changed in various
ways, and the approaches we have taken to ensure that we are
properly structured to get its benefits. The reason I am
confident that we are going in the right direction is that we are
setting the agenda.
In the 18 months since I had the privilege of becoming the
Security Minister, we have launched at least two actions. Forgive
me as I try to remember how many were public and how many were
private; hon. Members will appreciate that in this job it is
probably best to get that distinction right. I will say that we
have launched at least two public actions alongside partners on
counter-ransomware actions. Noticeably, one from about a year ago
was against various Russian targets who had decided that it was
to their advantage to try to extort and exploit organisations in
the United Kingdom and United States. Our reactions—the ways in
which we have partnered with allies and friends—have ensured that
we are able not just to defend ourselves, but to make the
punishment fit the crime. We are putting in place sanctions,
closing down accounts and ensuring that we have those resources
in partnership with organisations like the FBI to resist those
different areas.
This subject also raises some questions about the state, which
were hinted at. I will go a little further into it, because this
is not just about individual actors, those in the so-called troll
farms or the Internet Research Agency, which was so famously used
by Russia recently; it is also about states themselves. Sadly, we
are seeing states trying to use these forms of exploitation as
means of profit. We have seen one state in particular, North
Korea, seeking to quite literally use them as a cash cow—as a way
of paying for its nuclear weapons programme, extorting money out
of individuals around the world to advance its own hostile
interests.
This is where some of the changes we have been able to
make—alongside the hon. Member for Barnsley Central, to whom I
pay tribute, and with support from parties on all sides—will, I
think, make a substantial difference in the years to come. Those
changes include the National Security Act 2023, which, through
the various different elements of co-operation with foreign
states, makes criminal actions that formerly would have merely
been assisting or would have been hard to define; they may not
necessarily have been breaches of the Official Secrets Act, or
empowering or profiting a foreign state in a direct sense and in
a way that would have been criminal. The National Security Act
has been essential in making sure that espionage is properly
punished and that the support of hostile states is now
criminalised. I am grateful for the support of the hon. Member
for Barnsley Central and others, because that legislation has
been an important change that has enabled us to make a
difference.
We have seen various different ways in which states have used
these sorts of powers. For example, I am afraid that we have seen
the various different ways in which Beijing has been ordering
different threats against us. I will not comment on things that
are being gossiped about in different places—in main Chambers
rather than in Westminster Hall—but I will say that the
state-affiliated cyber group APT31 has been, and consistently
remains, a threat targeted against the UK. I am afraid that we
have seen that again and again, and we have had to take action to
ensure that we are able to protect ourselves. This is one of
those areas where the work of the National Cyber Security Centre
has been so incredibly important in protecting not just the state
but our wider economy—and that is where we have a wider mission,
because the truth is that protecting the wider economy is about
protecting not just all those areas, but families and individuals
across our country.
I am proud of some of the work we have done alongside businesses,
some of which are from the UK and some of which are
international, which has enabled us to change some of the
incentives and pressures on them. We have brought down fraud in
the last year; 16% is not as far as I would like it to go, and I
am sure that others in the House will recognise that there is
further to go, but that is a hell of an achievement by some
fantastically dedicated law enforcement professionals and their
cyber partners to make sure that homes and families across the
United Kingdom are safer.
We are moving further online. For instance, one can look at the
national health service today, and see the amazing investment in
technology and in the changing way in which we communicate with
our doctors. As many of us know, the NHS app—which, I think I am
right in saying, has been downloaded by about three quarters of
all adults in the United Kingdom, although I will have to check
that—is a fantastic way in which we can communicate across the
medical professions. However, all of this means that we have
wider vectors of attack, which means that it is enormously
important to ensure that we are working together. That is why—I
correct the hon. Member for Barnsley Central—although the
National Security Council may not have a cyber element in that
sense, there is a ministerial cyber board, which meets on a
similar basis except that it is chaired by the Deputy Prime
Minister and brings together Departments from all across
Whitehall. That is an extraordinarily important place where we
set the policy and make sure that it works together, because the
UK Government are already doing a huge amount.
The hon. Member for Barnsley Central asked about the policy of
paying ransomware. We have set out that no public body should be
using state money to pay ransomware. We have set out this agenda
with the national health service and have been very clear to
organisations, including the British Library, that it should not
be happening. That policy has been made clear. It is also clear
that some ransomwares that are being used for profit are being
closed down. I do not know if Members are aware of the LockBit
sanctions, but they have been incredibly important; in the last
few days we have not just taken over the LockBit site—a brilliant
piece of work by the National Crime Agency and others, including
the FBI—but exposed the people behind it. That is an extremely
important way in which we are taking the fight directly to the
criminals who are challenging us and making sure that the
National Cyber Force, which is soon to be wonderfully homed in
Preston—
Sir
Just next door.
Many of its people will be homed around there, I am sure, though
they may work in other parts. That force is a fantastically
important element in our national defence. While once we flew the
white ensign to protect sea lanes, today we fly a different
sign—a national cyber-security sign; and with wider British
Government protection, we can protect our e-lanes of
communication that keep us not just safe but free.
7.26pm
Sir
I thank those who have taken part in the debate, principally from
the Front Benches, for their contributions and thoughts on the
way forward with legislation in this area. We did not get a
direct response from the Minister on whether there would be any
attempt to amend the Computer Misuse Act 1990 this side of the
election, but as my hon. Friend the Member for Barnsley Central
said, we look forward to that at some stage. I cannot
remember all the questions I posed—Hansard may now have disposed
of them—but they are still pending with the Minister, so I hope
he can write to me with answers. I look forward to hearing from
him again.
I do feel very strongly about this issue, because apart from
British Aerospace—BAE Systems, as it is now—and the new cyber
centre that people are working away at, many of the important
educational, technological and industrial developments taking
place in and around my constituency in Lancashire are very
important for local jobs and the economy, and in the national
context. As all the Front-Bench contributors have said, the
industry is a key part of keeping Britain and our constituents
safe, and making sure that we continue to thrive in economic,
political and democratic terms.
Thank you for chairing this debate, Ms Bardell. I am pleased that
it has taken place, and hope it is a seed for further action in
the coming weeks and months.
Question put and agreed to.
Resolved,
That this House has considered cyber security laws and tackling
crime.