Cyber Security and Resilience (Network and Information Systems) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Ian Murray
Main Page: Ian Murray (Labour - Edinburgh South)Department Debates - View all Ian Murray's debates with the Department for Digital, Culture, Media & Sport
Cyber Security and Resilience (Network and Information Systems) Bill
Ian Murray ExcerptsTuesday 6th January 2026
(2 days, 19 hours ago)
Commons ChamberRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Read Hansard Text Watch Debate Read Debate Ministerial Extracts
The Minister for Digital Government and Data (Ian Murray)
I beg to move, That the Bill be now read a Second time.
A happy new year to you, Mr Speaker, and to all the House staff. This is the first opportunity I have had to say that to you.
On 3 June 2024, a busy Monday morning in south-east London, criminals attacked Synnovis, an organisation that processes blood tests on behalf of our national health service. They did not turn up physically, but logged on to computers thousands of miles away and set off ransomware—malicious software that encrypts files from afar, making them unusable. The attack had a ripple effect across London hospitals. It delayed 11,000 appointments, blood transfusions had to be suspended and the company lost tens of millions of pounds.
This was not an isolated case. In the year leading up to September 2025, the National Cyber Security Centre dealt with 204 “nationally significant” incidents, meaning that they seriously disrupted central Government or our critical public services. That is more than double the 89 incidents in 2024. No one disputes that we must do everything we can to protect the UK from these attacks. The UK is the most targeted country by cyber-attacks in Europe, and it was the fifth most targeted nation in 2024 by nation state-affiliated threat actors. In 2024, it is estimated that UK businesses experienced over 8.5 million cyber-crimes in the 12 months preceding the survey, and that in that year more than four in 10, or 43%, of UK businesses were subject to a cyber-attack, affecting more than 600,000 businesses in total.
Significantly, cyber-attacks are estimated to cost UK businesses almost £15 billion each year, equivalent to 0.5% of the UK’s annual GDP, notwithstanding the wider economic effects of intellectual property theft or the experience of patients, as in the first example. The average cost of a significant cyber-attack for an individual business in the United Kingdom is estimated to be just over £190,000. There has been a 200% increase in global cyber-attacks on rail systems in the past five years, increasing the likelihood of severe disruption to the economy and to people’s daily lives.
Chris Vince (Harlow) (Lab/Co-op)
Does the Minister agree that, as we become more and more reliant on IT systems—I am thinking in particular about the new patient registration system at the Princess Alexandra hospital in my constituency—it is more and more important that we combat potential cyber-attacks, particularly from foreign powers and enemies of this country? That is why the Bill is so crucial.
Ian Murray
I could not agree more. I gave the example of the Synnovis incident that brought blood transfusions in London to a halt, affecting thousands of patients. Our everyday lives are affected by this. As we modernise and digitise our economy and our Government, we have to ensure that our systems are as secure as possible, and cyber-security is right at the heart of that. This is not just a defensive issue; it is very much an economic growth issue as well, as we can see from the impact it has on our economy, our public services and the day-to-day lives of people, as in the example of our train systems that I just mentioned.
Mr Toby Perkins (Chesterfield) (Lab)
I am grateful to my hon. Friend for giving way, and it is great to see him in his post. On economic growth, how has he sought in the Bill to balance the absolute need for a regulatory framework that businesses can have confidence in alongside the ability to attract continued investment, and to ensure that we do not end up with an over-regulatory framework that stifles investment? How did he find that balance?
Ian Murray
The Bill builds on the 2018 regulations, which were a hangover from the EU when we adopted them in this country. The Bill expands on those. As my hon. Friend the Member for Harlow (Chris Vince) just suggested, this is about economic growth as well as protecting our systems, so we have to find a balance between ensuring that our regulators have the powers and tools to regulate properly and giving businesses and our public services the confidence to use digital technology knowing that we have the most secure cyber-security in Europe, if not the world. We are very good at this stuff, and that is the balance to be sought. This Bill is about economic growth rather than about the over-regulation of businesses. I do not say this flippantly, but cyber-security is one of those areas where if everything is working, nobody notices, but when it is not working, suddenly everyone notices and it is everyone’s problem. That is why we are bringing the Bill forward and extending the scope of the powers.
Jim Shannon (Strangford) (DUP)
I thank the Minister very much for what he is saying and bringing forward. There is much in the Bill that we should encourage. I know that he is a regular visitor to Northern Ireland, and Northern Ireland is home to 130 cyber-security companies with some 2,750 employees. It is therefore essential that this legislation protects those jobs and enhances the capacity for more. Does he believe that the Bill both protects us and provides the opportunity for growth in Northern Ireland and, indeed, across the whole of the United Kingdom?
Ian Murray
Indeed it does. It is one of a number of provisions that the Government are bringing forward to create growth across the country, not just in Northern Ireland. The Secretary of State’s passion is to make sure that those jobs are everywhere, right across the United Kingdom, including in Northern Ireland. The Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), has been in Belfast recently discussing this legislation and wider cyber-security issues with the industry in Northern Ireland, so I can assure the hon. Member for Strangford (Jim Shannon) that that is indeed the case.
Dame Meg Hillier (Hackney South and Shoreditch) (Lab/Co-op)
Hackney council was the subject of a major cyber-attack in 2020. It did a good job, though it was very slow because of the nature of the challenge of getting things back up and running. The Bill is therefore very welcome but, pursuant to the answer to my hon. Friend the Member for Chesterfield (Mr Perkins), there are challenges for some of the smaller companies. I represent Shoreditch, which has many tech companies that need to maintain a standard on cyber-security but are small. How is the Minister going to balance the regulation for those smaller companies to ensure that they can keep abreast of things but are not so dampened down that they cannot progress and grow?
Ian Murray
This is about making sure that we extend the scope of the 2018 regulations into other parts of the economy, and I will come on to that later in my contribution. It is about reporting things more quickly to ensure that the attacks can be seen and action can be taken more quickly. It is also about reporting to the regulators to give the regulators confidence and powers across a wider scope of sectors in the economy, and to give businesses the confidence that those sectors have to report to the regulators when things are going wrong so that swifter action can be taken. We can see from the host of recent high-profile issues, including at Hackney council, that it is important to ensure that this legislation goes through quickly and does the job that it is intended to do.
Chris Vince
I thank the Minister for giving way; I apologise for intervening again. Is there a piece of work we need to do on culture? When businesses or the public sector are victims of cyber-crime, there is a danger that employees may feel embarrassed or nervous about reporting their concerns. We need to encourage people if they are victims of cyber-crime to come forward quicker and to recognise the challenges, rather than trying to hide them away and the issue becoming worse.
Ian Murray
While physical security and national security are issues for all of us, so is cyber-security. The Bill builds on the 2018 regulations to widen the scope into other areas of the economy where such issues have become much more prevalent—for example, data centres. I hope that doing so will give industries and sectors, including their employees, the confidence to report things to the regulators. Giving powers to the regulators will give businesses the confidence that they can report stuff; it is not a regulatory heavy hand dampening businesses. I hope that I can assure my hon. Friend and the rest of the House on that.
Before that significant number of interventions, I was talking about why this issue matters and gave statistics for recent cyber-security activity in the United Kingdom. As a result of all that, one of the very first things we did as a new Government after the election was announce this new cyber-security Bill, just 10 working days in. Since then, the Department has been talking to cyber experts, businesses and regulators to turn these proposals into the comprehensive, serious and proportionate piece of legislation that we present for Second Reading today—one that protects the public and strengthens national security without placing undue burdens on businesses. I appreciate that that is a fine balance, but I think that this Bill finds that balance, so I am confident that the whole House will support it.
Pete Wishart (Perth and Kinross-shire) (SNP)
We support this Bill and its efforts to tackle cyber-security, but it does not address the mass unauthorised scraping of trusted news content by generative AI systems. That content, as the Minister knows, is often taken without consent or compensation. As the Bill progresses, will he be prepared to look at some measures—maybe something like a bot register where people have to declare their intent when it comes to this type of activity? Will the Government look at this seriously so that news can be protected in this new environment?
Ian Murray
The hon. Gentleman is ingenious in the way in which he uses interventions on pieces of legislation. I know AI copyright is close to his heart as a former, or perhaps current, professional musician and, indeed, one of the key musicians in MP4—let’s not push that to a Division! AI copyright is, of course, a key issue that the Government are looking at. The Secretary of State for Science, Innovation and Technology and the Secretary of State for Culture, Media and Sport are working closely together on this issue. I think the legislation means that there has to be a report to Parliament in March—I am sure the hon. Gentleman will be very interested in that. We are bringing together the industry and tech companies to try to find a way through that particular issue. We know that it is a huge issue. It is not in the scope of this Bill, which has been kept very tight to deal with these specific and serious cyber-security issues.
As we know, the first duty of Government is to keep people safe. The question is how precisely the Bill will achieve that goal. The answer is simple. The UK’s main cyber-rules—the Network and Information Systems Regulations 2018, or the NIS regime—were first introduced seven years ago and have not been updated since. Those rules require operators of essential services such as energy, water and hospitals, as well as some digital service providers such as online search engines, to take steps to protect the services they provide and the data they hold from cyber-threats.
As Members might expect, a lot has changed in the cyber-landscape in the past eight years. We have had the rise of AI, which cyber-criminals are using to their advantage. Data centres have become a firm fixture of modern life, and we want to see more of them. Since the rules were introduced, criminals tactics have evolved to exploit loopholes in the regulations, as they did in the attack on the NHS supplier that I mentioned, which revealed how hackers can target third parties, such as IT companies, or supply chains as a back-door way to bringing down a wider system. As always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with.
Dave Robertson (Lichfield) (Lab)
My right hon. Friend is right to mention the impact on supply chains. In the west midlands, we recently had the cyber-attack on Jaguar Land Rover. That had a significant impact not just on that company, but on the supply chain, which has its roots right through the west midlands. That essential part of our economy was brought to a grinding halt by a cyber-attack. Will he confirm that this Bill will help prevent such instances from happening in the future?
Ian Murray
I thank my hon. Friend for all he did on the issues facing Jaguar Land Rover. I know that the matter is close to his heart and, indeed, it was a really big issue across the country, showing how a cyber-attack can affect not just one company, but has a ripple effect throughout the economy. Of course, the Government stepped in to unlock a £1.5 billion bolster to Jaguar Land Rover’s cash reserves to help it through that problem.
I should say to my hon. Friend, and I will come to it later, that Jaguar Land Rover and other private organisations are not in the scope of this Bill. The reason is that individual private companies should take their own cyber-security seriously and ensure that the risks of such incidents and threats are minimised as much as possible. The Bill widens the scope of the existing regulations, which do not include that, but of course the Government are working closely with Jaguar Land Rover, Marks & Spencer and other high-profile cases, because we know the impact they can have on our economy. Indeed, had the Government not stepped in and resolved that issue, the impact on Jaguar Land Rover, and the tens of thousands of employees at the plants and in the supply chain, would have been catastrophic and is not worth thinking about. I thank my hon. Friend for raising that issue.
As I said, as always, the story is one of technology and cyber-threats moving faster than policymakers can possibly keep up with, but today we are fixing that. The first change in the Bill is to widen the scope of the 2018 regulations. To keep up with the changes of the past eight years, we are adding a few new things to that list, starting with large-load controllers. That includes any organisation that manages a significant flow of electricity to or from a smart appliance. It might be a company that supports electric car charging, for example. Bringing these entities into scope will safeguard our power supply and give consumers confidence in using energy-smart appliances, all of which are critical as we advance towards our clean power 2030 mission and net zero.
The second change is that we are adding large data centres in recognition of their growing importance to our day-to-day lives and to the economy. These are vast digital warehouses for the United Kingdom, home to servers that host everything from patient records to their bank details. This is the data that underpins modern life and all our lives and communities, and it must be protected.
We are expanding the scope of the regulations to include managed service providers as well. Those are organisations that provide ongoing functions, such as an IT help desk, to an outside client. Their access makes them an attractive target for cyber-attacks as criminals can find one weak spot and bring countless organisations down. For example, in 2014, an attack on a service provider for the Ministry of Defence compromised the personal data of around 270,000 people—military personnel, reservists and veterans. As organisations rely more and more on outsourced tech, we have to close this gap. In fact, weaknesses in the supply chain have become such a risk that we will go even further by allowing regulators to designate certain organisations as critical suppliers. That includes certain suppliers to essential services that could have a significant impact on the economy or society as a whole—for example, key suppliers to water companies, grid operators or air traffic control. These critical suppliers will be subject to cyber-security duties, which we will set out in secondary legislation.
Dame Meg Hillier
Last year, the Treasury Committee wrote to the top 10 banks in the UK because there had been a number of outages. There was no suggestion that cyber-security attacks were involved in most cases. A trend in the responses was that third-party software providers are often the source of the issue. What is the Minister’s thinking about how to involve the banking sector in the scope of the Bill?
Ian Murray
The banking sector is obviously in the regulators’ scope for cyber-security, and there have been a number of outages, as my hon. Friend mentions. The general principle is that cyber-attacks no longer come in through the front door, but through third parties and suppliers. We have seen that, for example, in the recent incidents at Heathrow and in cloud outages with Amazon Web Services and other such companies. They are covered by their own regulations. As I said in answer to my hon. Friend the Member for Lichfield (Dave Robertson) about Jaguar Land Rover, those companies will not be in the scope of the Bill, but we hope that the financial services sector, which is a leader in cyber-security for a whole host of fairly obvious reasons, will take that forward.
The recent attacks on British icons such as Marks & Spencer and Jaguar Land Rover will loom large in people’s minds. Many Members across the Chamber have already mentioned them. Supply chains were thrown into chaos, with small businesses paying the price, which clearly shows the ripple effect across the economy—on other businesses, smaller businesses and patients, such as in the public service examples mentioned earlier—when one part of the system is attacked.
We are clear that all businesses—that covers financial services, Jaguar Land Rover, Marks & Spencer and others—must take immediate steps to protect themselves. That is why, in October, members of the Cabinet wrote to the FTSE 350 companies urging them to strengthen their defences by doing three things: first, to make cyber risk a board priority; secondly, to require suppliers to have a cyber essentials certificate; and thirdly to sign up to the early warning service. That was followed by a similar letter to entrepreneurs and small businesses in November with bespoke advice for smaller teams. We know that those actions work. Organisations with cyber essentials are 92% less likely to claim on cyber insurance than those that do not. Businesses know best how to protect themselves; we are not here to regulate for the sake of regulating.
Government are taking action too. As I announced this morning, the Government cyber action plan sets a radically new model for how Government will strengthen their cyber-resilience and is backed by over £210 million of investment. Government Departments will be held to standards equivalent to those set out in the Bill. That is why the public sector and the Government are not included in the scope of the Bill. The Government should not need to legislate for themselves; we should just get on with making sure that we are leading the charge and that the cyber action plan strengthens the Government’s cyber-resilience. [Interruption.] I do not know if that was an attempt at an intervention from the Opposition Front Bench, but I am happy to take it.
Sir Oliver Dowden (Hertsmere) (Con)
I welcome the Minister’s comments about the obligation on the public sector. However, I caution him that, in my experience, cyber-security is one of those things that Ministers talk about, but then other priorities overtake it. The advantage of legislative requirements is that they force Ministers to think about it. I urge the Minister to look at that point again as the Bill passes through Parliament. There is a case for putting more stringent requirements on the public sector in order to force Ministers’ minds on the point.
Ian Murray
The right hon. Gentleman would have had some involvement in this when he was in government; indeed, the 2018 regulations came from the previous Government. We are all trying to make sure that we are catching up with the technology as quickly as it moves. He makes a very interesting point that I am very conscious of and happy to take away. We are determined to deliver the cyber-security action plan, which is backed by £210 million.
The actions that the previous Government took did not come to fruition in terms of their 2030 target, which is why we have refreshed the action plan and brought it forward with some significant cash. It is important for Ministers to take that forward. I hope that the right hon. Gentleman will hold us to account to ensure that we are fulfilling that promise in the cyber-security action plan. Public services, and indeed central Government, must take the leading role to show businesses that the approach to take is to ensure that all our systems are as secure as possible, not just on economic grounds, but for the people that we all seek to represent.
Dame Chi Onwurah (Newcastle upon Tyne Central and West) (Lab)
I thank the Minister for the excellent points he is making on the importance of cyber-security and the cyber-security action plan. Can he say a little bit about how the success of the cyber-security action plan will be measured, monitored and communicated to the House? He is probably aware that only 33,000 cyber essentials certificates were issued in 2024, for example, so an increased take-up of cyber essentials and the guidance in the action plan are essential.
Ian Murray
There are some key dates to monitor progress in the action plan itself. I wrote to my hon. Friend, the Chair of the Science, Innovation and Technology Committee, this morning on the publication of the action plan to lay out some of those issues; the letter will be landing soon. I would be happy to discuss that in front of the Committee in more detail. I hope that the Committee, and indeed the Opposition and our own Labour Members, hold us to account for delivering on this, because it is fundamentally important to Government, whether it be digitisation, modernising Government or winning the case with the public about why digitisation is so important and why Government should be as secure as possible and lead the charge on that across the whole economy. I hope that we and the Committee can take that forward in the weeks and months ahead.
As I said, the Government cyber action plan launched this morning is backed by over £210 million of investment and Government Departments will be held to standards equivalent to those set out in the Bill. I hope that that partially answers the question from my hon. Friend the Chair of the Science, Innovation and Technology Committee. Although the focus of the Bill is on essential services, it will also indirectly help businesses, including those damaged by the recent attacks, and Government. Almost all organisations today rely on data centres, outsourced IT or some kind of external supplier. By extending the Bill’s oversight, we are preventing attacks that could, in theory, reach thousands of organisations.
The Bill also gives new powers to regulators responsible for enforcing the NIS framework. Effective compliance is crucial to the success of any regime. These reforms could be world-leading on paper, but without proper enforcement they are meaningless.
David Reed (Exmouth and Exeter East) (Con)
We have talked about the regulators having new powers to designate critical national infrastructure in regard to cyber-security threats, but who actually has accountability? The Bill refers to
“regulations made by the Secretary of State.”
Which Secretary of State is that, given that this is a cross-departmental and cross-Government approach?
Ian Murray
Cyber-security is the responsibility of the Department for Science, Innovation and Technology, but the Cabinet Office has a clear resilience issue as well, as we heard from the right hon. Member for Hertsmere (Sir Oliver Dowden), who was in the Cabinet Office previously. The DSIT Secretary of State will make those regulations, but a plethora of regulators are involved in this process—energy, water and data centres all have different regulators. The regulators that regulate those sectors are being empowered through the expanded number of sectors being brought into the legislation to take the responsibility.
Sir Julian Lewis (New Forest East) (Con)
I am extremely grateful to the Minister for giving way. On the point about regulators, the industry has issued a brief, which points out, quite sensibly, that these regulators are going to have a lot of extra duties to perform and they will therefore need extra resources to be able to perform those duties, but the extra resources they require will only be unlocked when the Bill has passed. Is there not a danger of a transition period where duties will be laid on regulators to fulfil their role before they have the resources to carry it out?
Ian Murray
We have to pass the legislation first. It may be amended during its passage through both Houses. Therefore, the regulators will not know what they are regulating until the Bill has passed. However, as I mentioned at the start of my contribution, we have been working with regulators, businesses, organisations and cyber-security experts in the run-up to producing the Bill to make sure that it is in the right place—that it is proportionate on businesses and regulators—and that it is effective, which is the most important thing. I am sure that we will have debates on those kinds of issues as we go through Committee and on to Third Reading, but I very much acknowledge what the right hon. Gentleman said.
The Bill will strengthen the powers of the NIS regulators, ranging from Ofgem to the Civil Aviation Authority, which work together to uphold the UK’s cyber rules across those different sectors—I may have taken the previous intervention 10 seconds too early! We are raising the maximum fine that they can impose, for example, while simplifying the penalty bands to make them clearer. The key driving force for this measure is not to punish rulebreakers or raise revenue, but to incentivise firms to be vigilant. Our goal is 100% compliance and zero fines.
We will also ask regulated organisations to change the way they report attacks and expand both the types of instance they have to report and the timeframe in which they have to report them. This is a small but crucial change. Under the current rules, regulators get notified about a breach only once it has already caused significant disruption—when traffic lights have failed or the heating has shut off. The system does not include cases with the potential to cause a crisis much later, like a hospital’s computer system quietly being spied on as hackers wait for their moment to strike. Under the Bill, if an organisation is within scope, it will have to tell its regulator and the National Cyber Security Centre about these types of breaches within 24 hours and provide a full report within three days. Pace and speed are of the essence. This will not only give us better information, but help agencies to warn others, should they need to, before they become the next targets.
The Bill will also allow the Government to set clear and consistent outcomes for regulations to work towards. One of the virtues of having a regime enforced by different agencies is that each has sector-specific expertise—Ofgem understands the complex digital systems that underpin the national grid, and the Civil Aviation Authority knows the precise threats to air traffic control, for example—but that approach has sometimes led to inconsistencies in how the regime is applied. Some bodies interpret the rules differently from others. The Bill aims to fix that with a single set of objectives issued by central Government and applied across the board. That will send the message that no sector is an easy target in the UK.
We will also improve the way in which regulators, intelligence agencies and law enforcement share information with each other by providing greater clarity on what regulators can share and receive. It is important that regulators have the resources to do their job, as the right hon. Member for New Forest East (Sir Julian Lewis) said. The Bill will also give them new powers to cover the full costs associated with their regulatory duties. To ensure transparency, regulators will consult on how fees are calculated and publish a statement each year to show how the funds are being used. Together, the measures add up to a much more consistent and effective regime with better reporting and much clearer guidance for all involved.
The Bill ensures that the UK’s cyber-security regime is not only fit for today but flexible enough to head off future threats as well. I have mentioned a few things that have changed in the past eight years—shifts in technology and the nature of cyber-attacks, artificial intelligence, data centres and the economy—but one of the biggest changes was, of course, Brexit. Since our exit from the European Union in January 2020, we have been unable to amend the NIS regulations without primary legislation, because the rules were originally part of European Union law. That has slowed the process and made it difficult for us to keep pace with new emerging threats and technology. Meanwhile, Brussels is pressing ahead with NIS2—its forward-looking update—while we lag behind.
That procedural quirk has left essential UK services more exposed, which perhaps tells us something about why the UK has such appalling figures compared with some of our EU counterparts, as hackers and cyber criminals exploit gaps in our dated laws. That is an unacceptable risk, so the Bill includes new powers for the Government to update the NIS regime via secondary legislation, to make it quicker and more agile for dealing with evolving technologies—we might need to respond quickly to a new type of cyber-threat, for example. That is not in order to override Parliament; in almost all cases, the Government will still be required to consult on any changes, and Parliament will have the final say on any legislation made under the power. However, delegated powers are essential for keeping us as responsive as possible. When national security is on the line, we need the ability to act fast and decisively.
In fact, in extreme cases some threats emerge so rapidly that even secondary legislation is too slow; if an ally were to be invaded by a hostile state, for example, the cyber risk to the UK would suddenly escalate. The Government will therefore also be given powers to direct regulators or regulated entities where national security is threatened—to issue specific cyber-security guidance in a crisis, for example. Those powers are intended as a last resort to protect our national security, and safeguards will go into the Bill to ensure that they are used accordingly.
The UK’s cyber sector is the third largest in the world, as we heard from our friend from Northern Ireland, the hon. Member for Strangford (Jim Shannon). It achieves double-digit growth year on year. We have fast-growing clusters of expertise in Cheltenham and Manchester. This legislation will supercharge that success, doubling down on one of our nation’s greatest assets. At its core, the Bill is about protecting the essential services that we all rely on, so that the lights always stay switched on, clean water always runs in our taps, and hospitals are always safe and secure. Those are the real life community issues that we and our constituents all encounter every single day.
This is more than a technical upgrade; it is a bold commitment from the Government to protect one of our biggest economic strengths and keep the UK safe in a rapidly evolving digital world. Together, we are working towards a future in which security is not a hope but a guarantee. I commend the Bill to the House.
Julia Lopez
As my right hon. Friend is aware, local government is outside of the scope of the Bill, but it is a very juicy target—much of the public sector remains a very juicy target. In acknowledgment of that, the Government whipped out a strategy very quickly this morning that is meant to give us assurances about the public sector’s cyber-resilience. I am not sure that that strategy will provide much reassurance, which is why it is important to understand that this Bill can only be one part of a much wider arsenal to tighten gaps where they exist, in both the private and public sectors.
Ian Murray
It is worth clarifying for the House that we brought forward the Government cyber-security strategy this morning because the 2022 consultation undertaken by the previous Conservative Government was not acted upon. This Government are acting on those threats, bringing forward a plan that we will subsequently see through, and I think the hon. Lady should acknowledge that.
Julia Lopez
I welcome the strategy, but I have not yet had a chance to have a good look at it, because the Government always seem to publish these sorts of documents right at the last minute. The only way to get any information out of this Government is to apply some pressure in this House, and then, remarkably, things come flying out of the cupboard.
I will be very interested to see what the strategy looks like and whether it is up to the challenge we now face. The problems and risks of cyber have increased markedly since we were in Government because of the advent of AI technology—that technology is changing the picture very rapidly, just as the defence picture is changing very rapidly. My concern is that this Government are not taking seriously enough the various defence and security challenges that this House faces; they are prioritising spending on welfare payments, union payments and all manner of other things. It is one thing to get a strategy out of the door; it is another to put in place the measures that will implement that strategy. Basically, all we have seen over the past 18 months is strategy documents, without a great deal of delivery. That is one of the reasons why the Government are so rapidly losing public confidence.
In conclusion, we support this cyber Bill in principle—the threat is real and growing, and it demands action. However, it is only a tool, not a cure-all. A Government who are trying to close down gaps in one place while wilfully opening up huge new risks in a different corner are being negligent in their approach. Furthermore, if this legislation is to command confidence, it must be practical, proportionate and genuinely effective. Without meaningful improvements, the Bill risks placing new burdens on business while delivering only marginal gains for our national resilience. Cyber-security is a shared responsibility between Government, regulators, industry and the public, but leadership must come from the top, and that is where this Bill currently falls short.
With the private sector taking the lion’s share of the load while gaping holes remain in public sector cyber-defences, the Bill begs obvious questions about the confidence that citizens should have in flagship Government projects such as the Prime Minister’s mandatory digital identity system. As it stands, the Bill would not have prevented high-profile cyber-shutdowns such as Jaguar Land Rover’s, it does little to address the chronic vulnerabilities in the public sector, and it certainly will not make Labour’s dodgy ID database any more secure. That is why, as the Bill progresses through Parliament, we will be pressing this Government to ensure that it delivers genuine security, proper accountability and raised cyber-defences across the board, while taking them to task on major mistakes such as mandatory ID. Cyber-security is no longer a niche compliance exercise; it is about protecting the fundamental economic and defence interests of our nation.