Ben Lake (Ceredigion Preseli) (PC)

- View Speech - Hansard -

Copy Link

-

It is a pleasure to speak on Second Reading of the Bill. I am very pleased to say that I support the Government’s introduction of the Cyber Security and Resilience (Network and Information Systems) Bill and welcome it as a very important first step in strengthening the protections of the UK’s critical national infrastructure and because it addresses many of the gaps that have been identified in numerous implementation reviews in recent years.

Other right hon. and hon. Members have made the point that the risk and harm inflicted by cyber-attacks are significant and very real. Others have cited their impact on a whole host of businesses and industrial sectors and on society. We have heard about the harm inflicted on NHS services, for example, and many Members have referred to the attacks on JLR, the Co-op and Marks & Spencer. The impact that the attacks had on not only those businesses, but the wider supply chains and local economies, is significant. As the Minister said when he opened the debate, it is estimated that some £14.7 billion is lost to the UK economy annually due to cyber-attacks, which is the equivalent of 0.5% of GDP, so it is right that the Government act to address these risks and harms.

In doing so, the Government comply with one of the calls of the strategic defence review, which stated that the world has changed and, in listing the other, more conventional threats that the country faces, specified that daily cyber-attacks at home are something we need to take very seriously. The Government are right to bring forward the Bill. As other Members have made very clear, the nature of cyber-crime and cyber-attacks and the threat that they pose are ever evolving, so I have a great deal of sympathy with the Government as they endeavour to keep up with what is a very rapidly developing industry and nature of threat.

Although I support the Bill and look forward to working with Ministers as it passes through the House, there are two points on which I would welcome clarity or further consideration by Ministers. A few Members have mentioned the importance of looking at our cyber-resilience in a more holistic manner. Although technical security and safety are very important, and the Bill goes a long way to addressing those matters, it could perhaps be strengthened by looking at our digital sovereignty. Other Members have made the important point that we need to consider supplier concentration in this field and domestic capability. If we fail to do so, we risk long-term dependency.

There are a few examples that I could draw on, but I will use that of Microsoft deciding to suspend the use of some of its services for justices in the International Criminal Court. I am not saying that Microsoft is going to threaten the UK Government or any of our services, but that example illustrates the risk that if we, or aspects of our economy or businesses, are overly dependent on certain suppliers, we are vulnerable. It is right that the Government have a way of preparing contingency plans for that or, at the very least, that they consider the potential impact of over-dependence on certain suppliers.

I wonder whether that consideration could be included as part of the statement of strategic priorities that part 3 of the Bill stipulates will be made by Ministers. The statement could then look not only at technical security as part of its cyber-resilience approach, but at digital sovereignty and domestic capability. In that regard, it would be not too dissimilar to some of the efforts we are starting to see from European partners. France and Germany are starting to undertake similar strategies and reviews of their domestic capability and potential over-reliance on certain suppliers.

My second and final point is to seek clarity from the Minister when he sums up on the directions to certain bodies and persons for national security purposes in part 4 of the Bill. If we accept that the nature of the cyber-threat and the risk to cyber-security are ever evolving, it will be impossible for any one piece of legislation to encompass all the possible dangers we may face. In order to try to future-proof the Bill, especially against national emergencies or crises, I wonder whether Ministers should consider even further last-resort powers, particularly to enable them to direct the shutdown of any domestic data centres or AI systems in the event of a security or operational emergency. I ask that because I am not entirely clear whether the powers already listed in the Bill allow Ministers to do that. If they do not, I ask the Government to consider such powers, so that they are able to intervene appropriately in the event of a future national crisis or emergency caused by AI systems in particular data centres. Such events could cause large-scale harm to the public, especially in the very rare but hopefully unlikely scenario in which the designated persons who are otherwise responsible for those systems refuse to co-operate with the Government.

Having raised those two points, I wish to underline my support for the Government’s efforts in this regard. I very much welcome the Bill and its Second Reading.