Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Ben Spencer
Main Page: Ben Spencer (Conservative - Runnymede and Weybridge)Department Debates - View all Ben Spencer's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting)
Ben Spencer Excerpts(1 day, 8 hours ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Chair
I remind Members to send their speaking notes by email to Hansard and to switch electronic devices to silent. Tea and coffee are not allowed during sittings. I remind all Members, particularly the Minister and the shadow Minister, to speak loudly, slowly and clearly in support of others in the room.
Dr Ben Spencer (Runnymede and Weybridge) (Con)
On a point of order, Ms McVey. I seek your advice with reference to the debate on clause 43, on 10 February. I draw Members’ attention to my question to the Minister in Hansard about parliamentary scrutiny of directions:
“Even where they are redacted because of national security concerns, somebody, or some mechanism of Parliament, will be able to scrutinise them. Can the Minister confirm that?”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 10 February 2026; c. 212.]
The Minister responded: “Yes.”
We received a letter over the recess dated 19 February—we are very grateful to the Minister for writing to us—which states something slightly different:
“The Government’s default position is that copies of directions will be laid in Parliament, to enable all parliamentarians to scrutinise the Government’s use of…powers. Where this is not possible for national security reasons, alternative options for scrutiny could be used, such as allowing for directions to be read in private reading rooms or briefing individual shadow ministers. As such, we are confident that alternative options are available for scrutiny when directions cannot be laid in Parliament for national security reasons.”
“Will” is different from “could” and “are available”. Given that we have moved beyond the debate on clause 43, what options are there for the Minister to either clarify those remarks or correct the record?
The Chair
I thank the shadow Minister for getting those comments on the record. Would the Minister like to address those points?
Kanishka Narayan
It is a pleasure to serve with you in the Chair, Ms McVey.
I thank the shadow Minister, the hon. Member for Runnymede and Weybridge, for the new clauses in his name, which would require the Secretary of State to create a register of foreign powers that pose a threat to UK cyber-security, to review that register, and to lay a report before Parliament. This is intended to inform the use of powers granted under part 4 of the Bill. I empathise with the shadow Minister’s concerns that hostile foreign actors could target the network and information systems of operators of essential services or critical supplies. That is a clear risk, and one that we are addressing through the Bill.
As drafted, the Bill grants the Secretary of State new powers to issue national security directions to regulated entities or regulators where their compromise poses a national security risk. So long as those tests are met, the powers may be used by the Secretary of State irrespective of the actor that is causing the national security incident or threat.
New clause 2 would require the creation of a register of foreign states that pose a risk to the UK based on GCHQ advice. I reassure the shadow Minister that regardless of the proposed new clause, any decision to use the powers in this part of the Bill will be informed by expert national security advice from GCHQ. As a result, it is unclear what additional support the proposed register would provide to the Secretary of State when, for example, deciding whether to issue a direction to a regulated entity.
Additionally, the report required by new clause 3 would effectively be a list of the vulnerabilities of the network and information systems of our essential services, and would therefore be an asset to malicious actors. That would be counterproductive to national security. The new clause would allow the Secretary of State not to publish part or all of the report, if publishing would be contrary to the interests of national security. However, it is unclear how even part of the report could be published without harming national security, given its intended content.
Drafting a report of vulnerabilities that cannot be disclosed to Parliament without harming national security would simply duplicate existing assessments, and run the risk of distracting Government from more effective measures to protect from hostile foreign actors. That is not to say that we shirk transparency about these kinds of risk. The Government are already able to communicate with Parliament and the public about such cyber-security risks where it is appropriate to do so, through things such as the National Cyber Security Centre’s annual report and advisories. I therefore kindly ask that the shadow Minister withdraw the new clause.
I thank the hon. Member for Henley and Thame for the Liberal Democrat new clauses in his name, which would require the Secretary of State to publish a statement of how the Government intend to address risks posed by foreign actors to UK network and information systems, and to assess how many entities regulated by the NIS regime are owned in part or in full by foreign states.
Let me reassure the hon. Member that the Government take the risks posed by foreign interference seriously. The NCSC’s annual reviews continue to highlight cyber-risks to the UK from foreign actors, as well as measures to mitigate those risks. We have robust processes for assessing such threats, drawing on the expertise of the intelligence community, including the National Cyber Security Centre and the National Protective Security Authority.
The measures introduced by the Bill will boost the security and resilience of network and information systems across essential services, managed services and relevant digital services, protecting them from the risks of foreign interference. Where that is not enough, the Bill provides a backstop: the new direction powers in the Bill will enable the Government to protect our critical services from exactly those kinds of national security risks. We will be able to require a regulated entity to undertake any action that is necessary and proportionate for national security in response to the threat of a compromise. Conducting assessments of the ownership structures of the many thousands of in-scope entities within six months would be disproportionately resource intensive, distracting Government from more effective measures to protect our services.
Publishing a review identifying national security risks caused by foreign state ownership, or assessing whether our powers are adequate, as the Opposition’s new clause 3 would require, would provide valuable insight to our adversaries. As I have previously set out, there is a clear pathway for Government to communicate with Parliament and the public about such cyber-risks where it is appropriate to do so, but where we identify specific concerns, it is right that we retain the ability to assess and respond without disclosing our conclusions to those who might exploit them.
Finally, it is worth pointing out that, as drafted, new clause 13 is not aligned with the intended scope of the Bill. The Bill is solely concerned with entities that are currently, or could one day be, regulated under the NIS regulations. This new clause would require a statement on the risks posed to all UK network and information systems, which is a significant broadening of the scope of NIS-regulated entities and sectors. Similarly, the focus on Government procurement seems outside that scope, given that Government network and information systems are not wholly regulated by the Bill. For those reasons, I ask that the hon. Member for Henley and Thame kindly consider not pressing his amendment.
Dr Spencer
I am grateful to the Minister for his response, but we have seen over the past six months, especially with the alleged spying incidents in Parliament, the Government’s resistance to recognising the Chinese Communist party as a threat. When it comes to our new clause 3 and concerns over transparency, we have also seen, in the last few weeks, that there are mechanisms—for example, the Intelligence and Security Committee—to ensure the disclosure of documents, while preserving national security. I would therefore like to press new clauses 2 and 3 to a vote.
Question put, That the clause be read a Second time.
Dr Spencer
I beg to move, That the clause be read a Second time.
This new clause would require the Secretary of State to review the effect of existing information sharing and analysis centres, with a view to determining whether further such centres should be established. The financial services industry has successful voluntary schemes—the Cyber Defence Alliance, and the Financial Services Information Sharing and Analysis Centre—which act as hubs for collaboration on all matters relating to the prevention, detection, mitigation and investigation of cyber-threats and criminality impacting members. These organisations provide an essential alerting and co-ordinating role for their members, including providing intelligence and technical support during ongoing incidents. They can assist in building partnerships contextualised to particular sector risks.
According to Richard Starnes of the Worshipful Company of Information Technologists, companies
“may be competing with one another in their chosen businesses, but they are all in the same boat with regard to being attacked by whatever entities are attacking them.”
And he said that if the FS-ISAC were replicated
“on an industry-by-industry basis, particularly ones in CNI, that would be helpful. It would also help with information sharing with entities like NCSC and GCHQ.”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 64, Q75-76.]
Bradley Thomas (Bromsgrove) (Con)
On the point about information sharing with a view to bolstering resilience, Marks and Spencer reported to me that it was surprised to have received more information from the FBI on the origin and impact of the cyber-attack that it suffered than it received from UK authorities. That should adequately demonstrate why sufficient data sharing is required to underpin our resilience and bolster our strength.
Dr Spencer
That information is concerning. I entirely agree with my hon. Friend that information sharing is important when dealing with evolving threats.
Lincoln Jopp (Spelthorne) (Con)
I am grateful to the shadow Minister for giving way, if only to repeat what my hon. Friend the Member for Bromsgrove has just said. The Minister and the Government Whip were both on their phones, and I do not think they were fully concentrating on the fact that M&S has reported that it got more information about its information loss from the FBI than from our own agencies. I repeat that for the record so that the Minister has a chance to concentrate on that very important information.
Dr Spencer
I thank my hon. Friend for his intervention, which is more for the Minister and the Government Whip’s benefit than mine.
Properly established ISACs will not only increase real-time awareness of cyber-risks and mitigations, but could also alleviate some of the burden on regulators in terms of sector-specific intelligence analysis. Industry feedback and experience from the adoption of the Network and Information Systems Regulations 2018 indicate that sectoral regulators are unlikely to have the capacity to assist with intelligence sharing in relation to real-time cyber-risks.
We know from the sectoral regulators’ oral evidence that building sufficient capacity for effective regulatory oversight is a challenge. Where we have models for sector-led and market-led good practice in hardening cyber-resilience, we should look at how it can be rolled out further. Seeing more of these organisations emerge could even lead to broader adoption beyond NIS-regulated areas to other industries. ISACs have the potential to become integral nodes in improving whole-of-society cyber-resilience, and it is an approach called for by many cyber industry stakeholders. I therefore commend new clause 4.
Kanishka Narayan
I thank the shadow Minister for this amendment, which would require the Secretary of State to review how information sharing and analysis centres support the functioning of the NIS regime and what steps the Government can take to improve them.
I recognise the intent of this new clause. These centres play a key role in promoting collaboration and co-ordination in the cyber-security space, allowing organisations to share information, intelligence and best practice. In fact, the UK already benefits from a range of such initiatives, many of which are facilitated by the National Cyber Security Centre. In its latest annual report, the NCSC noted that more than 200 companies now meet regularly in trust groups to exchange intelligence and best practice, and to support each other in incident response. NIS regulators also support organisations to share information with each other in sector-specific groups.
However, while I fully endorse the value of those initiatives, I do not believe it is the Government’s role to review how they operate or to mandate how or where they are established. Such centres are meant to be a forum in which organisations can voluntarily engage in the exchange of information. As such, they operate most effectively where the initiative for participation comes from the organisations themselves or from technical authorities such as the NCSC.
The Government are, of course, committed to ensuring that the information-sharing provisions within the Bill are effective, and that will be assessed through the formal review of the legislation already required under clause 40. I kindly ask the shadow Minister to withdraw the new clause.
Dr Spencer
In response to the Minister’s comments, clause 40 is about a review; it does not provide any direction, other than for the Secretary of State to do their job in reviewing this area. I will press new clause 4 to a vote.
Question put, That the clause be read a Second time.
Dr Spencer
I beg to move, That the clause be read a Second time.
The National Audit Office’s 2025 report on cyber-resilience highlighted that Government Departments and agencies are among the weakest links in the UK’s cyber-security ecosystem and lack a credible plan to become cyber-resilient in the short to medium term. The Government play a key role in the management of certain critical national industries, but the continuing cyber-security vulnerabilities in the IT systems used to operate CNI expose the UK to the threat of serious attacks that could undermine national security and the economy.
That is not to mention the risk to enormous amounts of highly sensitive data held on Government systems. Dr Sanjana Mehta of ISC2 said in her oral evidence that the Department for Work and Pensions administered £288 billion of benefits over the past year, with more than 23 million people claiming benefits of some kind. That activity involves processing vast amounts of personal, medical and financial data, which presents rich pickings for malicious actors.
The feedback from industry stakeholders, many of whom are being asked by the Government to take on onerous security and reporting obligations under this Bill, echoes those concerns regarding Government cyber-immaturity. There is a strong sentiment that the Government should be leading by example, as Chris Anley of the NCC Group commented in the Committee’s oral evidence sessions.
In view of the growing risk posed to UK cyber-security by hostile state actors, by their affiliates and by criminal gangs, improving Government cyber-security is urgent. It is clear from the NAO’s findings and other recent reports that Government Departments have lacked the clear goals and necessary accountability to incentivise tackling this significant challenge.
In his letter of 19 February to members of the Committee, the Minister said:
“Government will be held to equivalent cyber security requirements that we expect of the essential and digital services in scope of the Cyber Security and Resilience (Network and Information Systems) Bill.”
But as matters stand, there are no effective legal mechanisms for accountability to Parliament on increasing Government cyber-resilience to the standards necessary to meet the intensifying threats facing our Government Departments and agencies.
New clause 5 would compel the Secretary of State to make yearly reports to Parliament setting out the Government’s progress towards meeting the recommendations of the National Audit Office’s 2025 report on Government cyber-resilience and towards meeting the standards they set themselves in their recent cyber action plan. Where necessary, the Secretary of State would have to account for failures to meet deadlines for implementation and issue a new plan to achieve compliance.
In moving this new clause, I am aware of the challenges that successive Governments have faced in driving up cyber-resilience standards. There are serious practical and budgetary obstacles that can impede progress, such as the vast amount of legacy IT equipment that remains in use, which is inherently more vulnerable to attack. Moreover, there is the ongoing problem of recruiting highly skilled cyber-security professionals to work in these roles, given the competition in the recruitment market and constraints on public sector salaries. Illustrative of that challenge is the worrying statistic, cited by Chris Anley of the NCC Group, that
“almost a third of cyber-security posts in Government are presently unfilled”.––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 24, Q29.]
None the less, the Government have now put in place a plan that they consider achievable, and they should be held to account for it. The new clause creates a mechanism for that much-needed accountability.
Lincoln Jopp
Does the shadow Minister agree that if Labour Members vote against new clause 5, it would be a classic case of “Do as I say, not as I do”? If they are happy to go on the record as voting it down on that basis, does the shadow Minister agree there would be an element of what is politely termed “variable geometry”? The more direct word is “hypocrisy”.
Dave Robertson (Lichfield) (Lab)
It is interesting to hear the hon. Member for Spelthorne say that this is apparently hypocrisy and the shadow Minister agree with him. The National Audit Office report was published on 29 January 2025, barely six months after the general election, so it was really commenting on 14 years of Conservative-led Governments. I think it is pertinent to put it on record there has been a lack of focus in this area for far too long, and I am glad that the Government are introducing legislation. If we are to have comments such as that made by the hon. Member for Spelthorne, I feel it is appropriate to have something on the record to counter it.
Dr Spencer
I agree about the importance of putting things on the record. Since the hon. Member obviously has not been listening to my speech, he can check it out on the record. I acknowledged the challenges in this area—[Interruption.] Does the Government Whip want to intervene, or was she just chuntering? I will continue.
Given that the Bill puts quite a burden on the private sector, as we discussed over several sittings before the parliamentary recess, I think it is important that the Government recognise, as my hon. Friend the Member for Spelthorne said, it would be pretty shameless not to vote for accountability for themselves while putting it on other people. Let us see how the vote goes. I commend new clause 5 to the Committee.
Kanishka Narayan
I thank the shadow Minister for moving new clause 5, which seeks to require annual reporting on progress towards meeting the recommendations of the National Audit Office’s report on Government cyber-resilience and meeting the implementation milestones of the Government’s cyber action plan.
We recognise the value of accessing the expertise of Parliament to hold the Government accountable for the changes required for our cyber-resilience. That is why, notwithstanding the hon. Member for Spelthorne acknowledging the embarrassment of the Conservative party owning its hypocrisy, this Government have already strongly welcomed the recent reports from the Public Accounts Committee and the National Audit Office on Government cyber-resilience.
David Chadwick
I beg to move, That the clause be read a Second time.
The purpose of new clause 10 is to ensure that regulatory authorities and regulated persons have adequate resources and capabilities to carry out their responsibilities. Fundamentally, this is a question of state capacity. Surely it is hard to disagree with that statement. We can pass legislation in this House, but if the regulators tasked with enforcing that legislation lack the resources and capabilities to fulfil their duties, and if the businesses subject to the new requirements lack clarity about what is required of them, the Bill will remain little more than words on a page.
Cyber-resilience cannot be achieved through legislation alone, poor and weak though this piece of legislation is; it must be delivered by regulators with properly trained staff, clear guidance and sustained investment in enforcement and oversight. Without that foundation, even the strongest legal framework risks becoming ineffective. The new clause would create a vital statutory reality check. It would require the Secretary of State within one year of the Act coming into force to consult with regulators and regulated organisations, and report to Parliament on whether the regulatory system is equipped to function under the new rules. The new clause asks a simple but essential question: do the bodies responsible for protecting our critical digital infrastructure have the people, funding, tools and skills that they need to succeed?
Laws work only if the people enforcing them have the time, money, expertise and systems to do so properly. The scale of the challenge is already clear. Research from ISC2 shows that 88% of organisations that have suffered cyber-incidents link those breaches directly to skills shortages. If regulators themselves face similar skills or operational shortages, enforcement will be slow, inconsistent and ultimately ineffective, and may leave businesses facing uncertainty about what is required of them.
The new clause would help to ensure that issues are identified early and addressed proactively, rather than after a major cyber-security incident exposes weaknesses in our regulatory system. For this legislation to work, it requires fully funded and effective regulators. That is why I will press the new clause to a vote.
Dr Spencer
This new clause, tabled by the hon. Member for Brecon, Radnor and Cwm Tawe, would require the Secretary of State to consult and report within one year on whether regulatory authorities and regulated persons have sufficient resources and capabilities to meet their statutory obligations. Historical levels of regulatory oversight and enforcement in relation to the NIS regulations 2018 have fallen short of what is necessary to achieve meaningful cyber-resilience across regulated sectors. The second post-implementation review of the NIS regs 2018, conducted in 2022, found that incident reporting on the part of regulated entities was very low, with only 13, 12 and 22 NIS incidents reported in 2019, 2020 and 2021 respectively.
A review conducted by the Worshipful Company of Information Technologists identified a near total absence of formal financial sanctions under the NIS regulations, with zero confirmed major penalties from 2021 to 2024. The model has not been conducive to effective discharge of regulatory responsibilities, with knock-on effects for cyber-resilience and regulated industries, yet regulators will be expected to oversee a far larger pool of regulated bodies and process a far larger number of incident reports under the Bill’s provisions. It is therefore right for us to scrutinise carefully whether regulators are in a position to meet these obligations.
In the evidence sessions, many of my questions to witnesses, including those from Ofgem, Ofcom and the Information Commissioner’s Office, focused on their preparations to meet the demands of their expanded roles. It was clear from feedback that although regulators understand what they need to do to prepare, the practical challenges associated with securing sufficient resource are far from resolved. I would therefore be grateful if the Minister could clarify his plans to review regulators’ progress and what the key milestones will be to ensure that regulators can discharge their new duties alongside their existing ones when these provisions come into effect.
Kanishka Narayan
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clause, which seeks to require a consultation on the resourcing and capabilities of regulators and regulated entities, assessment on whether additional Government support is needed, and a report on the findings. I reassure the hon. Gentleman that the Bill was developed in close collaboration with regulators and industry to ensure that regulators have the right information and tools to implement it.
The Bill already requires the Government to produce two regular reports to monitor the effectiveness of the legislation, and those would naturally include reviews of whether resourcing and capability were impacting on the effectiveness of the regime. The first of those is the annual report on regulator activities in relation to the statement of strategic priorities. The second is the report on the operation of the legislation, which must take place at least every five years.
Freddie van Mierlo
The thresholds have been set out in the new clause. Australia already provides support for small businesses during and after attacks. The clause would simply bring the UK up to speed with international partners, ensuring our businesses are not at a competitive disadvantage on cyber-security support. If Australia can support its SMEs, why can we not? It is only fair that if we are increasing the regulatory burden, the Government provide the support required to navigate it. I will press the new clause to a vote.
Dr Spencer
New clause 14, tabled by the hon. Member for Henley and Thame, addresses concerns regarding the capacity of SMEs to comply with their regulatory obligations, should they be brought within the scope of the Bill. That matter has been discussed on several occasions by the Committee. That is only right given that, according to figures provided by NCC Group, SMEs make up over 99% of businesses in the UK but too often lack the skills and budgets to implement proportionate cyber-protections, leaving them particularly exposed.
SME cyber assistance schemes akin to the one proposed by the new clause have been rolled out in Scotland on a limited basis and in Australia, where the Government are investing 8 million Australian dollars over three years to provide free person-to-person support for small businesses during and after a cyber-attack. Those schemes have enjoyed some success in hardening cyber-resilience among SMEs that have been able to access them. That can only be welcomed.
There is a case for looking more closely at whether regulation is the appropriate first step to address the cyber-resilience of the smallest organisations that might be brought within the scope of regulation, as legal compliance efforts could detract from already pressured operational defence budgets. In giving evidence to the Committee, Jill Broom of techUK called for strategies
“such as financial incentives, or…tax credits”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 18, Q20.]
to help SMEs improve their cyber-resilience, and techUK has suggested that funding or relief could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first. In the light of those considerations, what analysis has the Minister’s Department conducted of the likely return on investment, in terms of sustainability and growth among smaller companies, of a cyber support service for UK SMEs?
Emily Darlington (Milton Keynes Central) (Lab)
The new clauses raise a really important point about security by design implemented within companies, and within the companies that provide cyber-security technology to them. An hon. Friend of mine tabled an amendment, which we are not speaking about today, on a similar subject.
Security and safety by design is something that we talk about quite often in this area. It may not be appropriate for this Bill, but I am keen to hear how we will progress those discussions, because ultimately we do want to prevent cyber-attacks. We need to make sure that companies, small and medium-sized enterprises, major infrastructure and local government all have access to technology and infrastructure that looks at security by design in its own design right from the outset, because that is what makes us most secure.
How will we take forward those discussions, and extend the idea that already exists in legislation, through the Online Safety Act 2023, about safety by design, in order to ensure that products around cyber-security have this at their heart, and deliver the prevention mechanism that I think we all want to see—especially the small businesses and organisations that are victims of such attacks?
Dr Spencer
New clause 16 would require active board oversight of security and resilience measures and accountability for board members where they fail in those oversight duties, whereas new clause 17 would require regulated entities to carry out proportionate, periodic testing of the security and resilience of their network and information systems, and provide the results to regulatory bodies upon request.
On board accountability, as we have already discussed in this Committee, the existing regulatory model under NIS regulations has not been sufficiently effective in driving up cyber-resilience standards to meet emerging threats. Board engagement is a key part of that, but the stat I quoted previously in this Committee indicates that engagement is going in the wrong direction. What assessment has the Minister made of the potential advantages and disadvantages of direct accountability in the adoption of effective cyber-resilience measures, based on a roll-out of the NIS2 regulations?
Proportionate testing of systems may be a useful tool in detecting and managing cyber-security risk. What consideration has the Minister’s Department given to how that topic should be approached in the Secretary of State’s code of practice?
Kanishka Narayan
I thank the hon. Member for Brecon, Radnor and Cwm Tawe for his new clauses. I will speak first to new clause 16, which seeks to require boards or equivalent management bodies of operators of essential services, relevant digital service providers, relevant managed service providers and critical suppliers to take specific measures to oversee the security and resilience of their network and information systems.
Board-level engagement is a necessary part of proactively and effectively managing cyber-risks. That is why we published the cyber governance code of practice last spring, as part of a wider package of action to support boards in more effectively governing digital risks to enhance their organisation’s cyber-resilience. More recently, the Secretary of State, together with the Chancellor, the Business Secretary, the Security Minister, and leaders of the NCSC and NSA, wrote to the CEOs and chairs of the UK’s leading organisations, asking them to make cyber-risk a board level priority.
I agree with the hon. Member that going further on board-level responsibility is necessary. That is why we will introduce security and resilience requirements in secondary legislation, following consultation. We will consult on proposals that are consistent with the NCSC’s cyber assessment framework, as we confirmed in our policy statement last year. The cyber assessment framework includes comprehensive measures on good cyber governance, including clear board level responsibility. It is important that industry is consulted on those measures, that they form part of a holistic package on security and resilience, and that they can be updated flexibly over time. We intend to consult on proposals for security and resilience requirements and wider implementation plans later this year.
New clause 17 seeks to require all organisations in scope of the Bill to test the security and resilience of their network and information systems. We agree that proportionate cyber-security testing is critical to identifying and mitigating vulnerabilities in systems and networks. Organisations in scope need to take appropriate and proportionate measures to manage risks to network and information systems on which they rely, and that can include testing of network and information systems. In particular, relevant digital service providers are already required to account for testing as part of their overarching security duty. Additionally, all regulators can use their powers to mandate testing by an inspector, or by the regulated entity, to verify compliance or investigate potential failures.
I reassure the hon. Member that we are going further. We will be updating and providing more detail on the measures that regulated entities need to take, as well as setting strategic objectives for regulators. As I have said before, our proposals for the security and resilience requirements in secondary legislation will be consistent with the NCSC’s cyber assessment framework, which includes measures on appropriate testing.
Dr Spencer
I will speak to new clause 19, tabled in my name on behalf of His Majesty’s official Opposition. The new clause would compel the Secretary of State, within 12 months of Royal Assent, to review the need for a statutory defence, encompassing legitimate cyber-research activities, to criminal offences under clause 1 of the Computer Misuse Act 1990, which is about unauthorised access to computer programs.
The campaign for reform in this area, CyberUp, has argued that, in its current form, the CMA inadvertently criminalises critical activity such as vulnerability research and threat intelligence, both of which are essential for defending the nation’s digital systems. The new clause would also require the Secretary of State’s review to evaluate whether the creation of such a defence would enable regulated bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.
New clause 18, tabled by the hon. Member for Henley and Thame, relates to the same important topic and would require the Secretary of State to review, and report to Parliament within 12 months of the Bill’s entering into law, whether amending the Computer Misuse Act could improve the resilience of network and information systems.
Hon. Members will recall the insightful oral evidence of Professor John Child of the University of Birmingham. Professor Child made a clear and compelling case for the need to amend the Computer Misuse Act to provide statutory defences for legitimate cyber-research—sometimes called ethical hacking activities. Likewise, campaign groups, industry specialists and parliamentarians have all argued that the Computer Misuse Act, which was written before the modern internet, is no longer fit for purpose.
At present, the Act fails to distinguish between malicious attackers and cyber professionals acting in the public interest, inadvertently criminalising a large proportion of research that UK cyber-security professionals can carry out to protect UK critical infrastructure and the UK’s technological ecosystem. This means that cyber-security professionals working to defend UK organisations from real-world threats risk prosecution. That has created a chilling effect—talent is being lost, investment is stifled and security gaps are going unidentified.
If we are to have true UK cyber-resilience—not just among regulated sectors, but across businesses of all types and throughout society—we need a multifaceted approach. Industry and private sector-led initiatives will play a strong role in that. Professor Child made clear that countries that have implemented more favourable regimes, such as the US and Israel, are benefiting from increased cyber-resilience as a result of cyber-research activity.
The Government have acknowledged that reform of the CMA is a pressing issue. Indeed, the Home Office has been reviewing that question for some time. Further, the Minister for Security, the hon. Member for Barnsley North (Dan Jarvis), highlighted the urgent need for changes to the law in this area in a recent speech, stating that Government have
“heard the criticisms about the Computer Misuse Act, and how it can leave many cyber security experts feeling constrained in the activity that they can undertake.”
He went on to say:
“These researchers play an important role in increasing the resilience of UK systems, and securing them from…vulnerabilities.
We shouldn’t be shutting these people out, we should be welcoming them and their work.”
Yet the Home Office has brought forward no specific proposals for reform. Parliament is unlikely to legislate again in the cyber-security domain for some considerable time; we cannot afford to kick the can down the road on this vital issue any longer if we are to have a credible plan for whole-of-society cyber-resilience.
David Chadwick
Can the hon. Gentleman address the point of who he thinks would benefit if that Act was repealed?
Dr Spencer
I am a bit unclear about the hon. Gentleman’s intervention. The point I was making was that there is legitimate concern that people doing research into this area and doing threat assessments risk prosecution, so, across the whole of our society, that work is not being done. We have heard quite a lot of evidence from cyber campaigns about the benefits that changes to this law would make to the system, which is why we tabled the new clause. I commend new clause 19 to the Committee. I hope the Minister agrees that now is the time to address the issue.
I suspect that this will be my last, or penultimate, time speaking to the Committee, so I would like to finish by thanking Members on both sides of the Committee for a fun and, at times, robust debate over the past month. I thank the Chairs, the Clerks and all the teams working on the Bill—and Sophie Thorley from my office, who has done incredible research on the Bill.
Kanishka Narayan
I thank hon. Members for their new clauses; I recognise the strong feeling and thoughtful contributions about reforming the Computer Misuse Act.
I speak first to new clause 18, which seeks to place a duty on the Secretary of State to review whether amendments to the Computer Misuse Act could support the security and resilience of network and information systems used for carrying out essential activities. I assure the hon. Member for Runnymede and Weybridge that the Government remain committed to ensuring that the Act remains up to date and effective.
The Home Office is already conducting a review of the Computer Misuse Act, and is developing proposals that arise from its findings. That includes careful consideration of proposals to introduce a statutory defence that would allow researchers to spot and share vulnerabilities. It will provide an update as soon as the proposals are finalised. However, limiting a defence to only the sectors covered by the NIS regime would be impractical. Any package of workable defence would need to be broad enough to apply economy-wide.
New clause 19 raises the introduction of a statutory defence to the Computer Misuse Act. I acknowledge the strong sentiment regarding reform of the CMA. There is no doubt that UK cyber-security professionals play a significant role in maintaining the country’s overall security and resilience. Supporting them is vital.
I agree with the principle behind the new clause: that a defence to section 1 of the Computer Misuse Act could strengthen the resilience of network and information systems by allowing researchers to spot and share vulnerabilities. The Government are already conducting a review of the Computer Misuse Act, and we have made significant progress in developing a proposal for a limited defence to the offence provided for in section 1 of the Computer Misuse Act.
Kanishka Narayan
Sure. I would not wish to define it technically, but my understanding is that it is research aimed at ethical hacking. It is effectively trying to find vulnerabilities through simulated attack systems, which can broaden our understanding of risks and vulnerabilities and allow us to mitigate them accordingly.
I return to new clause 19. Limiting a defence to just the sectors covered by the NIS regime would be impractical; any proposal for a workable defence needs to be broad enough to apply across the economy. That is why we are making sure that, through the Home Office, we are working as promptly as possible to ensure a proposal that is strong in its safeguards to prevent misuse. Engagement, including with the cyber-security industry, is already under way to refine our approach.
Dr Spencer
We are a responsible Opposition and we are pleased to hear about the work that the Minister and his Department have been doing and about the shared purpose in getting this done and getting it right. Would he give us a bit more detail of the timescales and plans for public consultation? I understand that he has been doing some personal consultation in private, but will there be a public consultation? Given that the reform crosses two Departments, which Department will be taking it forward? What I am really looking for from him is a confirmation at the Dispatch Box that he is personally committed to getting this piece of work over the line during this parliamentary term.
Kanishka Narayan
I thank the shadow Minister for his recognition of our shared approach on this question. Reform of the Computer Misuse Act is led by the Home Office. I have given my personal commitment to ensuring that reform, but I will also write to him and members of the Committee with as much detail as possible on the timeline to ensure that we are moving fast on it.
In that spirit, I thank hon. Members for their work on this question of the amendment to the Computer Misuse Act and use this opportunity to thank you, Ms McVey, the entire Committee staff and hon. Members for their expertise and perhaps for their sense of fun as well. I thank all staff members, in particular the Bill team in the Department, which has been fabulous throughout the entire process.