Cyber Security and Resilience (Network and Information Systems) Bill Debate

Department: Department for Digital, Culture, Media & Sport
Emily Darlington (Milton Keynes Central) (Lab)

I welcome the Bill and the cyber action plan for public services, which was published today. As we have heard from right hon. and hon. Members’ many great speeches today, this is so important to the UK economy and public.

Despite being one of the smaller countries in the world, we are still one of the biggest targets for cyber-attacks. In the past 12 months, there has been some good news: only four in 10 businesses and three in 10 charities have had cyber-security breaches—the figures are down on the previous year. However, there has been a huge increase in nationally significant cyber-incidents, which have more than doubled in the past year, including the malicious cyber-attacks on critical infrastructure by Russia and China.

These matters are important to companies based in Milton Keynes Central, where one in three jobs are in technology. Milton Keynes is a leader in the development of AI and tech services, including in legal services, financial services and autonomous vehicles. Those companies have experienced cyber-attacks, so the Bill is very welcome. The difficulty is that it misses a huge portion of the discussion, and Ministers have somewhat neglected to mention sovereign technology in their comments or in the strategy. I hope that they will do so in the wind-up.

One role of sovereign technology is to fight cyber-crime. There are many definitions of sovereign technology, so what does it actually mean? To me, most of the public and the industry, it means UK innovation and technology. It is developed in the UK and is UK-owned intellectual property. It means a company paying UK taxes. Most importantly, it means a UK company being accountable to the UK. The Government have talked a lot about their commitment to developing and securing sovereignty, but that needs to be extended to all critical technology and infrastructure. Not only is that important in cyber-security terms, but it has other advantages, too: it is good for the economy, creates innovation and sets the highest standards, and it thereby gets public support and confidence and achieves small business support for absorbing the innovation. It achieves growth by creating not only UK customers, but—ambitiously—worldwide customers.

The Government have done that quite well in the past. They have created safe and secure solutions. Crown Hosting Data Centres is a really good example of a joint venture between the Government and Ark Data Centres. Unfortunately, only 3% to 4% of Government servers actually use it, and we must ask why. What are we doing to promote safe and secure solutions in the UK that would help us to fight for cyber-security and ensure that it is promoted across the public sector, and to ensure that those solutions gain support in the private sector? Instead of using Crown Hosting Data Centres, many are using ones run by foreign firms with securities and standards developed outside the UK. Outages at Amazon Web Services in cloud hosting have cost business millions.

Let us look at other areas where the public rightly worry about cyber-attacks and cyber-security, such as NHS data. We have heard about the impact of cyber-crimes on the NHS and on lives, but it also impacts public confidence. Palantir has a £330 million contract to bring together all NHS data. That is a fantastic initiative and really important, and the public support it because they do not want to have to repeat their health story to each and every doctor, nurse or other health professional that they meet. The difficulty is that using a foreign firm with some questionable alliances has led to an erosion of public trust and to a lack of trust among doctors, slowing the take-up of this important innovation in NHS services. That is partly because the co-founder of Palantir called our pride in the NHS “Stockholm syndrome”. Unfortunately, he misunderstands the very body to which he is selling services and is thereby eroding public trust. I know many UK firms that could have done just as good a job—and probably better, because trust among the public and doctors would have increased.

We hear that Palantir has just won a £240 million contract with the Ministry of Defence for

“data analytics capabilities supporting critical strategic, tactical and live operational decision making across classifications”.

Again, it is hugely important that we are using the latest technology to promote our MOD and that we are tying all that up. I do not think anybody in this House has concerns about the MOD making these kinds of investments; it is who we choose to partner with that drives the concern.

As I have already argued, the reality is that cyber-security has to be UK-focused. We have to protect our national interest and ensure that our partners put our national interest and cyber-security first and foremost. The views of organisations such as Palantir on the NHS and its integration into US Immigration and Customs Enforcement—otherwise known as ICE—lead us to worry that it does not share UK values. It creates a strategic vulnerability. That is what the sector is saying to us, and we should listen to it. Cyber-security is not just about reporting; it is about the investments we make ahead of time. Imagine if those two contracts and their economic opportunities had been given to UK firms. There would be enhanced UK-based cyber-security and greater confidence in our most critical areas of health and the military.

Let me raise another example which, if The Daily Telegraph is correct, I am sure will raise significant public trust concerns. It has reported today that the Government are considering using Starlink for the emergency services network, replacing the existing radio set-up that is used by ambulances, police and the fire service in an emergency—our most critical infrastructure. This company is controlled by a man who has shown his willingness to turn off satellites in Ukraine at his own political whim.

Cameron Thomas (Tewkesbury) (LD)

The hon. Lady is making a really important point about Elon Musk’s Starlink system, but will she go a little further and recognise that not only has Elon Musk switched off Starlink in Ukraine at will, but he has done so on occasions that might have turned the tide of the war?

Emily Darlington

I thank the hon. Member for raising that point. It is important to note that Elon Musk turned off Starlink at very strategic points for the Ukrainian military when it was advancing on Russian-held territory. It is not just that he chose to turn it off; he chose to turn it off at a critical time for the Ukrainian military. I worry that somebody who chooses to do that, and who encourages violence among the UK public at a far-right rally, at which he said,

“Whether you choose violence or not, violence is coming to you. You either fight back or you die”,

is not an appropriate or safe partner for our emergency services.

I absolutely support the comments made by my right hon. Friend the Member for Oxford East (Anneliese Dodds) about transparency, and about some of the actions being taken by those who have been willing to stand up to these companies and demand transparency. While that is probably not the subject of today’s debate, I think we must take those actions as a warning for what is to come.

I welcome the Bill and the action plan, but to truly make the UK safe and secure from state-sponsored or criminal cyber-attacks, we need to ensure that there is a UK sovereign infrastructure, capacity and capability. The Government can lead the way through their own procurement practices by making sure we are partnering with UK sovereign firms. That is good for security, good for protecting us against cyber-attacks, and good for the economy and public trust.

Andrew Cooper (Mid Cheshire) (Lab)

It is a privilege to follow my hon. Friend the Member for Milton Keynes Central (Emily Darlington), who made a fantastic speech. I do not think mine will be of quite the same quality, but I will do my best.

Having spent my career prior to entering this place as a software developer, it is perhaps not so much a pleasure as a blast of nostalgia to be speaking on this Bill today. The Bill provides for an important and long-overdue update to the NIS regulations, and provides the means to keep those regulations up to date more quickly as new threats emerge. That was a massive gap in our capability left behind by the rather haphazard and cavalier manner of our departure from the EU, and it is absolutely right that we resolve it as soon as we can.

It is a cliché to say that the nature of the threats we face has changed. Whether it is state-sponsored cyber-attacks, hacktivism, identity theft or ransomware attacks, those threats can have a widespread and significant impact on people’s lives, on the wider economy, and on our safety and security. Many Members from across the House have noted the cyber-attack on Jaguar Land Rover—which led to that company posting a loss of £485 million last year and, as I think we heard earlier, to a £2 billion impact on the wider economy—and the Co-op infiltration, which cost that retailer at least £206 million. However, this is not a new issue, and virtually no area of the economy has not experienced attempts to penetrate its systems and cause disruption or steal data.

Cameron Thomas

The hon. Member speaks of the cyber-attacks on Jaguar Land Rover and the Co-op. Those who pay council tax to Gloucester city council have concerns that following a Russian cyber-attack in 2021, that council recently discovered a £17.5 million deficit. Will the hon. Member recognise that too?

Andrew Cooper

I thank the hon. Member for his intervention. I confess that I am not an expert on the IT of Gloucester city council, but I am sure the Minister has heard his intervention, and may wish to respond in his summing up.

I welcome the measures in the Bill to bring managed service providers and data centre infrastructure into scope. When I began my career working on hotel reservation systems, legacy on-premise infrastructure was the standard operating practice. Some organisations would develop their own line of business systems and some would buy in, but virtually all would be hosted on their own servers, often with clever names such as Spartacus, Xena or Buffy the Vampire Slayer—names that I worked with over the years.

That situation changed for a whole pile of reasons, such as the need to support more public access, the requirement to facilitate more home working, huge increases in the speed of domestic and business broadband, the need to provide failover, redundancy and scaling, the shift away from big capital investment towards infrastructure as a service, and wanting to benefit from more rapid roll-out of features and applications that require significant server infrastructure behind them, such as we have seen more recently with AI. Systems have been moving virtually wholesale to those that are managed remotely and sandboxed to multiple organisations, and towards virtual servers or services in data centres, rather than on-premise tin.

Bringing these two areas into scope is obvious, and it is long overdue. I offer a note of caution about this part of the Bill, and it relates to the threshold at which the regulations apply. For managed service providers, we need to ensure that we are providing appropriate levels of cyber-security without blocking new entrants to the market. That applies to critical suppliers, too. The risk is that we end up boosting the hegemony of the big outsourcers and IT suppliers, rather than being able to support new domestic entrants. There is a risk of vendor lock-in, as we have heard several times today. Equally, the threshold on data centres appears to have been set so high that only larger ones will be in scope. I hope that the Minister will keep both of those points under review as the Bill progresses and think about how we can strengthen this provision to strike the right balance.

The other area of the Bill that I want to talk about relates to the regulators. The Minister set out in his opening remarks why he believes a sectoral approach is appropriate, and there is merit to that argument. Sectoral regulators have deep, long-standing institutional knowledge and they understand how the processes work in their sector. However, as I touched on earlier, the consequences of failure are enormous, with real-world impacts on people’s everyday lives. We should not expect an overarching cyber regulator to have the domain-specific knowledge of the water sector or the air traffic control sector, and nor should we expect every sectoral regulator to carry the expertise of how modern scalable data centres that detect faults automatically and automatically failover to different regions or different jurisdictions work. We just need to think about what the priority of an individual sectoral regulator will be, because it will not necessarily be cyber-security. We have to get the balance right, and we need to listen to the sectoral expertise on that.

In conclusion, this Bill is an important and long-overdue update to the UK’s cyber-security framework. I look forward to working with the Government to get the scope and scale of these regulations right and to ensure that all the systems that we rely on every day are secure in the face of current and emerging threats.