Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting) Debate

Department: Department for Science, Innovation & Technology

Freddie van Mierlo Excerpts
Tuesday 24th February 2026

Public Bill Committees
Freddie van Mierlo (Henley and Thame) (LD)

I rise to speak to new clauses 13 and 15, standing in my name.

New clause 13 would require the Secretary of State to publish, within 12 months, a comprehensive statement on how the Government intend to manage the risks of foreign interference in our critical systems. It calls for steps to be taken to assess the need for a digital sovereignty strategy. We need to know not just how we will fight cyber-threats but whose technology we will rely on to do it. The new clause would force the Government to set out a plan to explicitly assess risks in hardware, software and supply chains.

We should ask what is being done to support UK tech and home-grown cyber-security. We cannot claim to be serious about national resilience if the very infrastructure protecting our critical systems is outsourced abroad to vendors we cannot fully trust. New clause 13 would require the Government to explain how they intend to mitigate the risks associated with reliance on foreign technologies. It would also require the Government to assess the need to encourage and support the use of domestic technologies. That would turn cyber-security into an engine for growth. By identifying high-risk foreign vendors, and pivoting to trusted, home-grown alternatives, we could improve our security and create high-skilled jobs here in the UK. For those reasons, I will press new clause 13 to a vote.

I now turn to new clause 15. How can we be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad? New clause 15 would ensure transparency and force the Government to look at the threat of foreign ownership. The threat to British democracy from foreign interference is clear and present. From Russian money flooding into politics, and Chinese surveillance and intimidation, to foreign oligarchs buying influence, our democratic institutions are under sustained attack. The previous Conservative Government failed the UK. They failed to take the threat posed by Russia seriously, they weakened the Electoral Commission and they allowed foreign money to distort our politics. They withdrew from international commitments at precisely the wrong moment.

This Government have made some welcome moves, but they do not go far enough. Over the last few years, we have seen a rise in cyber-attacks on critical infrastructure. Across the country, schools have closed, airports have been shut, local councils have been hacked and retail stores have been crippled. New clause 15 would require the Government to review the security risks posed by critical suppliers and essential service providers, and to flag which of those are linked to foreign states. It would also push the Government to evaluate whether current powers are sufficient to address these threats. I intend to push new clause 15 to a vote.

David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)

In our previous sitting, the hon. Member for Runnymede and Weybridge set out clearly the cyber-threat posed by China, and argued that, through new clause 2, China should be explicitly recognised as a foreign power presenting a significant risk to the United Kingdom. He rightly highlighted the precedent in UK legislation for maintaining registers of hostile or high-risk state actors to protect national security. I agree that Parliament should be unequivocal in recognising the Chinese Communist party as a strategic cyber-threat, particularly given evidence of state-linked cyber-espionage, infrastructure compromise and the targeting of critical national infrastructure.

We have seen data from the Cabinet Office last week indicating that the Government plan to drastically reduce the integrated security fund spending on domestic cyber and tech to counter cyber-attacks. It will be cut from £113.3 million to £95 million by 2028-29, which is a reduction of 16%. Domestic spending to counter Russian threats in the same period will incur a drop of more than 20%. Those reductions leave us dangerously exposed and are in direct opposition to the Government’s promises to support the UK’s national security priorities. New clause 2 offers the chance to identify and monitor state actors that pose a threat to UK cyber-security.

The register must also reflect the evolving nature of cyber-risk. Threats do not arise solely from formally hostile states, but also from jurisdictions where hostile cyber-actors operate at scale, using digital infrastructure to target UK systems and citizens. We have seen that in countries such as India and Nigeria, where organised cyber-criminal networks have run sophisticated international operations against the UK, exploiting cloud services and telecommunications infrastructure. In India, law enforcement has dismantled major cyber-crime hubs linked to international targeting, including operations specifically affecting large numbers of British victims.

In 2025, the National Crime Agency worked in partnership with India’s Central Bureau of Investigation to raid an organised crime group in Uttar Pradesh, which had targeted more than 100 UK citizens with pop-ups stating that their devices had been compromised, losing them more than £390,000. That is not only an unacceptable financial loss for our citizens, but a significant waste of resources. In Nigeria, long-established cyber-criminal networks continue to conduct large-scale digital fraud campaigns aimed at overseas targets including the United Kingdom. Interpol’s Operation Serengeti in 2025 tackled high-impact cyber-crimes in Nigeria and 17 other nations, arresting 1,209 suspects and recovering nearly $100 million that had been stolen through cyber-fraud.

Although these states might not be hostile in a geopolitical sense, hostile cyber-actors operating within their borders are none the less inflicting sustained harm and placing heavy burdens on our cyber-defence and law enforcement resources. I support the aims of new clause 2, but urge Ministers to ensure that the framework is flexible enough to capture not only hostile states but jurisdictions that consistently serve as bases for large-scale hostile cyber-activity. Data from the Cabinet Office shows that integrated security fund spending on Russia is set to fall over 20% between 2026 and 2029, which shows that the Government are not taking threats from Russia, or other hostile nations, seriously enough.

--- Later in debate ---
Brought up, and read the First time.
Freddie van Mierlo

I beg to move, That the clause be read a Second time.

The new clause would place a statutory duty on the Secretary of State to establish a support service dedicated to improving the resilience of small and medium-sized enterprises and, crucially, to provide them with assistance when the worst happens. SMEs are the backbone of our economy. Their growth and continued operation are essential to a strong economy. We heard evidence that even large corporations find it hard to justify the investment in cyber-security and resilience when faced with competing priorities and investment needs. It forms the rationale of the Bill putting this need on a statutory footing, but small and medium-sized businesses undoubtedly find it even harder to make the investments required in cyber-security.

I know from having worked in SMEs at the start of my career that companies experience growing pains and need support in navigating complex statutory requirements. It is not just support for SMEs before an attack takes place that the clause would provide for, but also after. For SMEs, a cyber-attack is not just a disruption; it can be an existential threat to their existence. The clause would ensure that when an SME is hit, they have access to the support they need.

Bradley Thomas

Given that the threshold for a significant impact event will likely be much lower for an SME than for a larger corporation, and while acknowledging and agreeing that SMEs are the backbone of the economy and make up the vast majority of companies that employ people in this country, how does the hon. Gentleman propose to strike the relevant balance between ensuring that SMEs are supported, and at the same time that they are not inundated and overwhelmed as a result of that significant impact threshold likely being much lower for SMEs?

Freddie van Mierlo

The thresholds have been set out in the new clause. Australia already provides support for small businesses during and after attacks. The clause would simply bring the UK up to speed with international partners, ensuring our businesses are not at a competitive disadvantage on cyber-security support. If Australia can support its SMEs, why can we not? It is only fair that if we are increasing the regulatory burden, the Government provide the support required to navigate it. I will press the new clause to a vote.

Dr Ben Spencer

New clause 14, tabled by the hon. Member for Henley and Thame, addresses concerns regarding the capacity of SMEs to comply with their regulatory obligations, should they be brought within the scope of the Bill. That matter has been discussed on several occasions by the Committee. That is only right given that, according to figures provided by NCC Group, SMEs make up over 99% of businesses in the UK but too often lack the skills and budgets to implement proportionate cyber-protections, leaving them particularly exposed.

SME cyber assistance schemes akin to the one proposed by the new clause have been rolled out in Scotland on a limited basis and in Australia, where the Government are investing 8 million Australian dollars over three years to provide free person-to-person support for small businesses during and after a cyber-attack. Those schemes have enjoyed some success in hardening cyber-resilience among SMEs that have been able to access them. That can only be welcomed.

There is a case for looking more closely at whether regulation is the appropriate first step to address the cyber-resilience of the smallest organisations that might be brought within the scope of regulation, as legal compliance efforts could detract from already pressured operational defence budgets. In giving evidence to the Committee, Jill Broom of techUK called for strategies

“such as financial incentives, or…tax credits”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 18, Q20.]

to help SMEs improve their cyber-resilience, and techUK has suggested that funding or relief could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first. In the light of those considerations, what analysis has the Minister’s Department conducted of the likely return on investment, in terms of sustainability and growth among smaller companies, of a cyber support service for UK SMEs?

--- Later in debate ---
Brought up, and read the First time.
Freddie van Mierlo

I beg to move, That the clause be read a Second time.

The Chair

With this it will be convenient to discuss new clause 19—Vulnerability research: review of the merits of a statutory defence—

“(1) The Secretary of State must, within twelve months of the passing of this Act, review the extent to which an amendment to section 1 of the Computer Misuse Act, with the effect of introducing a statutory defence available to individuals undertaking ethical vulnerability research, would improve the security of the network and information systems of relevant bodies.

(2) A review under this section must consider whether a statutory defence would enable relevant bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.

(3) For the purposes of this section—

(a) ‘ethical vulnerability research’ means access, whether authorised or otherwise, to computer material with the intention of identifying vulnerabilities to cyber attacks, where—

(i) the research is aimed at enhancing the resilience of the network and information system of a relevant body or relevant bodies, and

(ii) the findings of the research are kept securely, shared only with those responsible for the security or resilience of the network and information system concerned, and shared solely for the purpose of enhancing the security or resilience of the network and information system concerned;

(b) ‘relevant bodies’ means operators of essential services, critical suppliers, digital service providers or managed service providers, as defined by the NIS Regulations.”

This new clause would require the Government to review whether the resilience of relevant organisations could be enhanced by introducing a statutory defence to s1 of the Computer Misuse Act, so that a person could be deemed not guilty if they engage in vulnerability research in the public interest.

--- Later in debate ---
Freddie van Mierlo

New clause 18 would place a duty on the Government to review within 12 months whether our over-30-year-old Computer Misuse Act is holding back the very cyber-resilience that the Bill seeks to build. The Government’s own impact assessment for the Bill identifies a key market failure: imperfect information. It states that businesses lack awareness of their own cyber-risks, leading to under-investment in security. We must ask why that information is imperfect. We believe that it is partly because the Computer Misuse Act 1990 prevents cyber-security professionals from undertaking legitimate public interest activity to identify those risks, so ethical hackers cannot provide the necessary information.

New clause 18 ties the review specifically to the security and resilience of network and information systems regulated by the Bill. It asks a simple question: does the Computer Misuse Act 1990 help or hinder the resilience of our critical infrastructure? For that reason, I wish to seek a vote on new clause 18.

--- Later in debate ---
Kanishka Narayan

My hon. Friend is absolutely right to recognise the shared sense on the principle of reforming the Computer Misuse Act. Although I am not in a position to give him a specific timeline, I absolutely take into account his recognition that the work needs to proceed at pace. Having held an industry engagement recently on specific proposals, with more than 75 attendees from a range of cyber-security organisations, the Home Office is now reviewing specific feedback as a particular proposal. The question is not whether we will reform the Computer Misuse Act, but simply how.

Freddie van Mierlo

I am grateful to the Minister for his reassurances on the ongoing review of the Computer Misuse Act. On that basis, I would like to say that I will withdraw the new clause.

--- Later in debate ---
Kanishka Narayan

I thank the shadow Minister for his recognition of our shared approach on this question. Reform of the Computer Misuse Act is led by the Home Office. I have given my personal commitment to ensuring that reform, but I will also write to him and members of the Committee with as much detail as possible on the timeline to ensure that we are moving fast on it.

In that spirit, I thank hon. Members for their work on this question of the amendment to the Computer Misuse Act and use this opportunity to thank you, Ms McVey, the entire Committee staff and hon. Members for their expertise and perhaps for their sense of fun as well. I thank all staff members, in particular the Bill team in the Department, which has been fabulous throughout the entire process.

Freddie van Mierlo

I beg to ask leave to withdraw the clause.

Clause, by leave, withdrawn.

Bill, as amended, to be reported.