Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting) Debate
Full Debate: Read Full DebateDepartment: Department for Science, Innovation & Technology
Lincoln Jopp
Main Page: Lincoln Jopp (Conservative - Spelthorne)Department Debates - View all Lincoln Jopp's debates with the Department for Science, Innovation & Technology
Cyber Security and Resilience (Network and Information Systems) Bill (Fourth sitting)
Lincoln Jopp Excerpts(1 day, 11 hours ago)
Public Bill CommitteesRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Kanishka Narayan
I agree very much with the hon. Member’s point, and a similar sentiment is expressed elsewhere in the Bill, in that it ensures that the focus is primarily on large and medium-sized MSPs, and that small businesses and microbusinesses are dealt with in a deeply proportionate way. That is an important point to take into account.
Clause 11 defines what it means for a digital or managed service provider to be
“subject to public authority oversight”
under the NIS regulations. Public authority oversight is defined as “management or control” by “UK public authorities” or by a board where the majority of members are appointed by those authorities. Such MSPs are already subject to requirements in the Government cyber-security strategy, which is mandatory for Government organisations. That ensures that cyber-resilience standards remain strong for services linked to public functions, while preventing disproportionate burdens on providers already subject to public authority governance.
In response to points raised by hon. Members in prior Committee sittings, I flag the engagement that we have conducted in coming to the definition of MSPs in question. In particular, beyond the provisions of the 2022 consultation, prior to the introduction of the Bill, we conducted a range of bilateral meetings. We have had multiple conversations with the industry body techUK, roundtables with digital firms, and we engaged through the National Cyber Security Centre-led MSP information exchange with 40 providers in this context, and undertook market research mapping the MSP market. As a consequence, adjustments to the definitions at the heart of this provision have been agreed with incredibly deep and broad engagement across the industry to arrive at a widely-welcomed definition.
Lincoln Jopp (Spelthorne) (Con)
It is a pleasure to serve with you in the Chair, Ms McVey. Small and medium-sized enterprises are defined by the headcount of full-time employees, yet in the world of IT, particularly for managed service providers, data centres and digital service providers, that is not a helpful metric to understand size and scale. Did the Department consider reevaluating the size of digital and managed service providers based on the through-flow of transactions or data rather than headcount? When I worked in the world of tech, there was a ratio for headcount that was totally different from other sorts of businesses.
Kanishka Narayan
The hon. Member raises an important point about the operating leverage of technology businesses. The Bill directly focuses on size as one proxy for risk, but it is not a complete or perfect proxy. That is why, through the critical supplier provisions, it ensures that any smaller providers can be caught in scope as essential services.
Dr Spencer
The scope and breadth of the organisations regulated by these provisions is one of the most important parts of the debate. If the hon. Member can wait a moment, that point will form the bulk of my speech. It was also mentioned by my constituency neighbour, my hon. Friend the Member for Spelthorne.
The previous Government consulted on bringing MSPs within scope of regulation. Feedback on that consultation indicated strong support, with 86% of respondents in favour. As such, there is a sound policy rationale for imposing cyber-security and instant reporting regulations on MSPs over a certain threshold. Those MSPs will need to take appropriate and proportionate measures to manage risks to the security of the networks and information systems on which they rely to provide managed services in the UK.
However, as I said at the outset and as many people said during evidence, the devil really is in the detail as to whether the Bill is effective in protecting the sectors it seeks to regulate. Several industry stakeholders, including officers of MSPs and industry representation bodies, have raised concerns about the broad definition of MSPs in clause 9. As drafted, that definition has the potential to cause confusion among businesses as to whether they are in scope or not. These relevant provisions will be brought into force with secondary legislation before Royal Assent, allowing time for consultation with industry and specific duties. Could the Minister clarify whether his Department will respond to concerns by consulting on a refined definition of what constitutes an MSP, to provide much-needed certainty to businesses operating in the sector?
I will also take this opportunity to speak to amendment 10, which was tabled in the names of many Members, including the right hon. Member for Stone, Great Wyrley and Penkridge (Sir Gavin Williamson), who I know has a keen interest in this area. He represents an area in the west midlands, which, like many parts of the country, has suffered massively from the impact of the problems with Jaguar Land Rover. The amendment relates to legitimate concerns about the compound risk that could occur when MSP systems are accessed by malicious actors, and those MSPs are providing services to a large number of entities within a regulated sector. Clearly, there are many reservations about the desirability of this particular amendment, including its potential to interfere with customer choice and the inconsistency with the approach to freedom of enterprise in other regulated sectors in the Bill.
It is noteworthy that several witnesses who gave evidence to the Committee pointed out the lack of skilled cyber-security professionals available in the UK employment market to help regulated entities with the effective implementation of the Bill. It is conceivable that many regulated businesses, particularly smaller ones, will be forced to look for external expertise to comply with their obligations, and we would not want to artificially restrict access to expertise, even when done with the best of intentions. The point is rightly made that large MSPs and those providing services to the most critical sectors should observe the highest cyber-security standards. A relevant MSP must have regard to any relevant guidance issued by the Information Commissioner when carrying out the duties imposed on it, so will the Minister confirm whether and to what extent the important issues raised by the amendment will be covered in consultation and industry guidance?
The amendment, and some of the debate that we have had, goes to the heart of some of the thresholds and metrics that are being used as gatekeepers in the Bill when an entity is or is not being regulated. As I mentioned this morning, at least 70% of Government cloud procurement goes to the three big US tech actors. Those are clearly huge operators, but when it comes to the criticality of an MSP, as my hon. Friend the Member for Spelthorne mentioned, size does not in itself necessarily indicate its essentialness in the system.
One can imagine that if a particular unique type of service was being offered, such as a cyber-security service, by a big company—Cloudflare and Salesforce, for example, had a substantial impact on the sector—not merely the size of an organisation, but what they provide, could be relevant in terms of producing systemic risks to our economy as a whole.
Lincoln Jopp
Having read the Bill, does my hon. Friend understand that if a managed service provider provides services to, say, a hospital—so it would be covered by the regulations—and a reportable event happens to the managed service provider, there is any obligation for the hospital trust to report it as well, or is it just the managed service provider that has the responsibility? If he is not clear on that, would he ask the Minister?
Dr Spencer
I thank my hon. Friend for the “get out of jail free” card that he gave me at the end of his question; indeed, I pass that question on to the Minister. The point is well made in terms of trying to dissect the interacting and relevant duties in the Bill. The Bill tries to chop up different actors in the digital ecosystem, as well as public an non-public organisations, although a commercial threshold is being used. The Bill also introduces confusion: it rightly tries to make a carve-out for Crown data centres, but what exactly is a Crown data centre? One could argue that a Crown service is something provided by the state. Is a data centre serving a hospital therefore a Crown data centre?
There are so many different components within the Bill. Not only are there 14 regulators, or however many are operating—earlier this week, Amazon told us in evidence that it is regulated by four regulators—there is also confidential information going through, as my hon. Friend the Member for Spelthorne pointed out. It gets even worse in the clause on critical supply networks. It is just incredibly confusing. The Committee—and, dare I say, the Government—should not ignore the evidence we have received from managed service providers time and again saying that although MSPs should be in scope and these regulations help, we need clarity on what exactly that means.
Dr Spencer
Irrespective of their size, whatever definition or metric we use, businesses operate on fine margins for the majority of the time. Regulatory burdens not only impact their ability to operate; they are yet another cost, which means that the cost of services increases. That has a deleterious effect on our economy more generally. Burdens on businesses are passed on to consumers. That makes it more expensive to do business unless there are customers to receive it.
Global business competitiveness, which we have not spoken about yet, is critical. I am very concerned about UK competitiveness in the digital and tech sector. It saddens me to say that we are dwarfed by US big tech in many areas. I want our digital and IT sector to be bigger and better than that of our competitors, but we need a framework to support it. Even for bigger businesses, the regulatory burden is critical, especially as they can choose, to a certain extent, where they incorporate and focus on doing business. We want to ensure that the UK has the best regulations, but the best regulations are often the ones that are least burdensome but that still provide certainty to allow businesses to operate. This is a highly competitive market.
Lincoln Jopp
I thank the shadow Minister for his reply to my hon. Friend the Member for Bognor Regis and Littlehampton. Is he as surprised as I am to read in the impact assessment that the hourly rate for a contract lawyer is to be £34 an hour rather than £300 to £500 an hour, which in my experience is the market rate?
Dr Spencer
I thank my hon. Friend for pointing out that discrepancy in the costings. It goes back to the key principle that business and business modelling are best left to businesspeople, not to Government. The Government have a facilitatory role, but fundamentally their role is to get out of the way of business so that it can succeed and our economy can thrive. We need to ensure, for the good of our economy as a whole, that the critical elements of it are regulated in that way.
Given the interconnected operation of MSPs in our digital sector, any burden that we put on business will limit the growth that we all need and will limit competitiveness. In this footloose market especially, that could result in organisations and companies operating in other sectors, notwithstanding the fact that they will have to comply with UK jurisdictional rules. As a general point, regulations will cause footloose industries to move and operate in different sectors, which will mean less taxation revenue and more costs for clients, making it more difficult to do business.
We need to make sure that our economy is as nimble and free as possible, both for those trading as an MSP and more generally. I cannot labour the point enough: the costs that we impose on businesses under the Bill, in particular in the cyber-security and tech sector, will be felt by our economy as a whole. We will have to pay for that through increased inflation in food, energy or anything else that our critical suppliers provide. Even our NHS provision costs will increase as a consequence of the regulatory burden on businesses as disparate and distant from the NHS as those that we see in the Bill.
Kanishka Narayan
I am happy to proceed and to focus on Crown ownership of data centre provision to others. For those reasons, I continue to commend clauses 9 to 11 to the Committee.
Lincoln Jopp
Will the Minister please clarify whether he thinks that, as page 102 of the impact assessment states, the hourly rate for a lawyer changing a contract is £34?
Kanishka Narayan
I simply point out to the hon. Member that the pricing for law varies materially. I hope that, with the benefit of technology, it continues to be very accessible to all relevant providers.
Lincoln Jopp
I am sorry, but that is nonsense. The footnote on the page that cites £34 an hour for a contract lawyer directs us back to the Office for National Statistics. I hope that the Minister lives in the real world—he has clearly worked in the business world—so he knows that that is nonsense. Does he agree that that pretty well undermines that section of the impact assessment?
Kanishka Narayan
Having closed the debate, I am happy to conclude.
Question put and agreed to.
Clause 9 accordingly ordered to stand part of the Bill.
Alison Griffiths
The clause merits close scrutiny, because it is the point in the Bill where risk is supposed to be addressed beyond the individual operator and into the supply chain. In plain terms, clause 12 will allow the regulator to designate a supplier as critical where disruption to that supplier would have a significant impact on the delivery of an essential or digital service. The trigger is impact, not size or sector. That approach is sensible, but I want to stress-test how it works in the context of operational technology.
Across power, telecoms, transport, water and industry, many essential services rely on the same family of industrial control equipment. Substations, signalling systems and industrial plants may look different, but they often run on identical controlled devices and firmware supplied by a very small number of manufacturers.
The risk is not hypothetical. A single vulnerability in widely deployed OT equipment can create a common mode failure across multiple sectors at the same time, even where each operator is individually compliant with its duties. At the moment, the Bill places obligations squarely on operators of essential services, but in OT environments, operators do not control the design of equipment, the firmware, the vulnerability disclosure process or the remote access arrangements that vendors often require as a condition of support.
As Rik Ferguson highlighted in written evidence to this Committee, uncertainty about how and when suppliers might be brought into scope can lead to defensive behaviour and late engagement. The risk is amplified in OT, where suppliers may discover vulnerabilities before operators do, and where one operator may report an issue, while others in different sectors, using identical equipment, remain unaware.
There is also a traceability problem. OT equipment is frequently sold through integrators and distributors. Manufacturers may not have a clear picture of where the equipment is ultimately deployed. Without that visibility, national-scale vulnerability notification and co-ordinated response become very difficult.
UK Finance has also drawn attention to the complexity of multi-tier supply chains and the need for clear accountability when regulatory reach extends upstream. The clause recognises that reality, but its effectiveness will depend on how consistently and predictably designation decisions are made across sectors.
My concern is not about the existence of the power. It is about whether, in practice, the power will be used early enough and clearly enough to address shared OT risks before they become cross-sector incidents. Operational resilience today depends less on individual sites and more on the security practices of a relatively small— I would say very small—number of OT suppliers that sit behind them. The clause has the potential to address that, but only if its application is focused on genuine systemic risk and supported by clear signals to suppliers and operators alike. For those reasons, the clause warrants careful consideration as the Bill progresses.
Lincoln Jopp
To understand the impact of what we are discussing, we obviously look at the impact assessment. We in this place are often accused of simply making rules and passing laws with no real sense of the impact downstream, particularly on small businesses. Having worked in the tech sector for 10 years, with data centres and managed service providers, and worked to try to grow many small and medium-sized enterprises, I am acutely conscious of the need not to overburden them. It is clearly hugely important that the Government take account of the impact of the measures they are taking and the burdens they are imposing on small and medium-sized enterprises.
To understand the impact of this measure, it is important to know two things: first, how many companies will be impacted and, secondly, how much it is going to cost. While I am sure that the Minister will say that this provision on critical suppliers is great, and all very clear, it cannot really be that clear. Page 110 of the impact assessment states:
“DSIT is not able to estimate at this stage the number of SMEs or SME DSPs that will be designated as critical suppliers”;
so we cannot tell how many there are. The same page also states:
“Specific duties will be set through secondary legislation so the exact cost of security measures is not possible to estimate.”
We do not know how many there are or how much the measure is going to cost, but Government Members will be whipped to say, “That’s okay—that can be done by someone else at another time.” We do not really have a strong sense of the impact on real-world businesses of what we are doing here. We also talked about the legal costs in an earlier sitting. I look forward to hearing the Minister’s reassuring words about how very clear the clause is and how it is not just a blank cheque, even though we do not know how many people it will affect or how much it will cost them.
Dr Spencer
This clause is one of the provisions that has given rise to widespread industry concern regarding its scope and implications. Business supply chains, particularly for large operators of essential services and multinational companies, are becoming ever more complex. The increased digitisation of service provision across the board means that the delivery of essential services can be vulnerable to severe disruption when the systems of critical supply chain entities are interrupted by cyber-attacks.
The Government have pointed to the 2024 cyber-attack on Synnovis, a pathology lab provider serving several London hospitals, as an example of the severe consequences that can flow from a cyber-attack on a key supply chain provider. In that case, the suspension of Synnovis services caused disruption to more than 11,000 appointments and operations. The attack caused at least two cases of serious harm to patients and, tragically, one patient’s death was attributed to the long wait for blood test results. Estimated financial losses from the attack exceeded £30 million.
The previous Government were conscious of intensifying supply chain risk, and consulted on measures to enable regulators to designate individual suppliers as critical if they provided an IT service on which an OES or RDSP was dependent for the provision of its essential service. The response to that consultation showed overwhelming support for the proposal, but stakeholders argued that the designation process would need to be transparent and based on engagement with industry. It is those vital elements of transparency and engagement, or rather the current lack of them, that are causing high levels of concern among supply chain entities that stand to be brought within scope of regulation when these provisions come into effect.
To break that down, preserving agility for the Secretary of State and regulators to respond to emerging risks has been recognised as both a strength and a weakness of the Bill. However, lack of certainty is a particular concern in a context of critical supplier designation, especially as this part of the Bill has the potential to bring in large numbers of small and even microbusinesses within the scope of regulation, potentially by multiple regulators. That is a daunting prospect for smaller companies, even taking into account the caveated duty on competent authorities to co-ordinate in the approach to regulation of critical suppliers in the proposed new paragraph 14L of the NIS regulations.
Several witnesses in oral evidence, including techUK and ISC2, made strong arguments that SMEs often lack the financial and human resources to develop cyber-security expertise and comply with regulation. Those organisations will need additional time to prepare, and a better indication of the criteria that might be used by regulators to determine which supply chain providers are critical. Industry bodies have called on the Government to ensure meaningful consultation on secondary legislation and guidance, to ensure that the measures are fit for purpose and capable of practical implementation. As part of the planned consultation, will the Minister commit to considering whether there are alternative approaches to regulation for increasing cyber-resilience in companies below a certain size?
Lincoln Jopp
I do not want to add spurious hypotheticals, so I will talk about the real world. I visited the Maypole special school in my constituency the other day. It has 20 members of staff and 18 pupils. It has people coming from as far away as Wandsworth. It books the transport, and the transport is paid for by the local education authority in which the pupil lives. It is clearly critical that children get to the school—just as it would be for a hospital. Would it be up to members of staff at the Maypole school to find out whether Addison Lee used a managed service provider or a data centre? That seems quite a tricky thing to know about and then to fulfil.
Dr Spencer
I really appreciate my hon. Friend’s intervention. It goes incisively to the heart of the concern about how these provisions are currently drafted. I really struggle to see how an OES that is providing a service to another OES could effectively argue that it is not within the full scope of these regulations. We have a lot of OESs in this country. It may be the Minister’s and the Government’s intention to essentially have a proxy regulatory framework for suppliers to OESs going forward—it is being kept very loose, because there is some flexibility in that, but that in itself will be a problem.
I worry that a lot of providers are going to think to themselves, “Why should we provide to an OES when we might be at risk of being designated as a national critical supplier?” Surely that is a concern that will have a chilling effect on organisations supplying to OESs, because of the risk of being found within the scope of this additional regulatory burden.
Don’t get me wrong; as I have said, companies should be taking cyber-security seriously, as should everyone. However, not everyone should be subject to the various regulations and data-sharing requirements that this Bill provides for. I suspect that many organisations will be very concerned. If there is a risk of designation as a critical supplier, companies will already be instructing lawyers and other organisations to manage that corporate risk.
If an organisation starts supplying to a hospital trust, or to whoever it may be, it might think, “Actually, we’re likely at risk of being designated, so we need to start doing some work and investment, either to challenge that designation or begin doing the preparatory work.” Maybe that is the intention: to effectively regulate the entire sector providing to OESs without actually lifting a finger in terms of regulation through this Bill. If that is the case, I am sort of sad, because I think it is better to be clear-cut about it. I would be grateful if the Minister answered that point directly.
Finally, in terms of OESs, we have already mentioned the fact that Government and local authority IT infrastructure and services are among the biggest risks in our system. I was really struck by the evidence from the NHS on Tuesday, in which our witnesses described data-sharing operations with adult social care, which is of course provided by local authorities.
It seems quite perverse, if I may say so, that a GP surgery, which is a private organisation, could be deemed a critical supplier to a hospital in terms of patient information sharing. Quite frankly, I would like the Minister to answer the question specifically: does he envisage primary care GPs being in scope because of data sharing of hospital records with NHS trusts? GPs could fall within scope as critical suppliers, while social care records, which are provided by local authorities, would not. There are all these weird situations that could emerge because of the scope and the looseness of these provisions, with all the consequent harms and problems. I look forward to hearing the Minister’s responses to my points.
Kanishka Narayan
First, I will respond to the apt and thoughtful points from the hon. Member for Bognor Regis and Littlehampton on operational technology. I can confirm to her that both vendors and providers of operational technologies will be covered by the provision of the five-step test for critical supplier designation. That is an important aspect when thinking about supply chains and the presence of operational technology where it is of critical interest.
The hon. Member for Spelthorne raised a very accurate point about proportionality in the provisions of the Bill, and in particular the impact assessments, statements, or limited statements on critical supplier impacts. As he will know very well, the Bill takes a very nuanced position on proportionality. When a sector is designated, there will be total clarity on the number of suppliers affected and on the ultimate impact. We will have sight of that.
The provision on critical suppliers was asked for by industry. The reason why the Bill does not specify critical suppliers is that it is simply not for the Government to specify how a business can or cannot continue. It is for businesses and regulators to work that through by understanding the depth of expertise that businesses have. We have started to do that, but that is precisely why the critical suppliers provisions have been delegated to secondary legislation and subsequent guidance.
Kanishka Narayan
I commit to giving way to the hon. Gentleman at the end of my speech. He asked about schools. I am happy to confirm that schools are not in the scope of the Bill.
In response to the shadow Minister, I highlight that the five-step test is cumulative: a business must meet all the conditions to be designated as critical, not just one. I think that answers the series of logical puzzles that he tied himself up in.
I am very happy to confirm to the Committee that it is expected that regulators will use information gathered from their oversight of operators of essential services, relevant managed service providers and relevant digital service providers to identify potential critical suppliers for designation. They can also ask organisations for more information to support their assessments. Future supply chain duties will also require organisations to share supply chain risk assessments with regulators. A supplier can be designated only after the regulator has completed an investigation process, including serving notices and holding a consultation, and confirmed that the criteria are met. Designated suppliers will also have the right to challenge decisions through an independent appeals process.
Kanishka Narayan
I commit to giving way at the end of my speech to the shadow Minister and the hon. Member for Spelthorne.
On the question of consultation, I am happy to confirm that the team in question has set up an implementation-focused effort. We have started to engage with regulators already, and there will be an extensive process of engagement on the Bill with business, as has been conducted historically.
The shadow Minister highlighted a number of logical puzzles. I have worked in a range of businesses and public sector organisations, and most have business continuity services. His hypothetical idea that businesses do not understand alternative provision, and whether they are or are not in a position of exposure, is well solved in the real world. I would give more credit to our expert witnesses from NHS Scotland than he did in recognising that they said that they frequently deal with the question of critical suppliers in co-ordination with competent authorities.
Lincoln Jopp
The Minister came back with an answer on proportionality, saying that it is not for Government to decide what is essential. He missed out the next bit, which is, “We’re just going to regulate critical suppliers and pass laws about them, but we don’t know how many there are, and we don’t know how much the policy is going to cost.” Would he accept that characterisation as the logical conclusion of what he said?
The Minister also said that schools were not covered by the Bill. As far as I am aware, patient data and children’s data are two of the most precious things that we have, so I would like to know why schools are not covered by the Bill.
Kanishka Narayan
On the first point, I am afraid that I do not think that was an appropriate characterisation, because where the sectoral scope is clear and where there is a clear risk of critical national infrastructure and essential services being directly exposed, we have specified that in the Bill. We have looked at the impacts set out in the impact assessment. For the critical suppliers in those sectors—I would expect them to be very limited in number—we have made sure that regulators and businesses have the flexibility to set the requirements directly, rather than them being set here in Parliament.