Jaguar Land Rover Cyber-attack Debate
Full Debate: Read Full DebateDepartment: Department for Business and Trade
Lindsay Hoyle
Main Page: Lindsay Hoyle (Speaker - Chorley)Department Debates - View all Lindsay Hoyle's debates with the Department for Business and Trade
Jaguar Land Rover Cyber-attack
Lindsay Hoyle Excerpts(1 day, 23 hours ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Urgent Questions are proposed each morning by backbench MPs, and up to two may be selected each day by the Speaker. Chosen Urgent Questions are announced 30 minutes before Parliament sits each day.
Each Urgent Question requires a Government Minister to give a response on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
Derek Twigg (Widnes and Halewood) (Lab)
(Urgent Question): To ask the Secretary of State for Business and Trade to make a statement on the cyber-attack on Jaguar Land Rover and on what assistance the Government are giving to businesses to help protect them against cyber-attacks.
The Minister of State, Department for Business and Trade (Chris Bryant)
Thank you, Mr Speaker. I fully recognise the anxiety and deep concern that employees at Jaguar Land Rover and across the supply chain will be feeling. The Government and the National Cyber Security Centre will do everything in our power to help resolve this as soon as possible. We are engaging with JLR on a daily basis to understand the challenges that the company and its suppliers are facing, and we are monitoring the situation closely. I have spoken to the company myself, and I will have a further meeting with the chief executive officer later this week. I understand that the company has also invited local MPs to a question and answer session this Friday.
The National Cyber Security Centre has been working with Jaguar Land Rover since last Wednesday to provide support in relation to the incident. I am sorry that there is a limit to what I can say on the specifics because I do not want to prejudice the ongoing investigations.
The cyber-security of the UK, however, is a key priority for the Government—crucial to protecting the public, our way of life and the successful growing economy. We have been taking significant action to help protect businesses against cyber-attacks. We are reducing cyber-risk across the economy by making technology more secure by design. That includes the Product Security and Telecommunications Infrastructure Act 2022, introduced by the previous Government, which requires manufacturers to build security into the manufacture and operation of internet-connected devices; the software security code of practice, which sets out how vendors and developers should make their software more secure; and the AI cyber-security code of practice, which sets out how AI developers should design and operate AI systems securely.
We are also providing businesses with the tools, advice and support to protect themselves from cyber-threats. That includes the cyber governance code of practice, which shows boards and directors how to effectively manage the digital risks to their organisations; the highly effective cyber essentials scheme to prevent common attacks, reducing the likelihood of a cyber insurance claim by 92%; and a wide range of free tools and support from the National Cyber Security Centre, including training for boards and staff, the “Check Your Cyber Security” tools to test IT systems for vulnerabilities, and the early warning system to get notified about cyber-threats to networks. I urge all businesses to take up these tools and improve their cyber-defences.
It is not for me to announce future business of the House, but when parliamentary time allows the Government will introduce the cyber-security and resilience Bill to raise cyber-security standards in critical and essential services, such as energy, water and the NHS.
Chris Bryant
First, I commend my hon. Friend on seeking this urgent question and you, Mr Speaker, on granting it. My hon. Friend makes the important point that Jaguar Land Rover is not only an iconic national brand, but a very significant employer—it employs 34,000 people in the UK, including in his constituency, and 39,000 worldwide. He is right that we need to ensure that cyber-security is something that every company in the land take seriously, and every public sector organisation. In my previous ministerial role I was conscious of the attack on the British Library, which was actually one of the most financially significant attacks heretofore, and it pointed the way for some of the other issues arising across the economy, which is why we have been keen to bring forward a Bill on this, as stated in the King’s Speech. We will introduce such a Bill “soon”—I think I can get away with that with the Chief Whip and the Leader of the House, although, in the words of Humpty Dumpty, when I use a word it means precisely what I choose it to mean, no more and certainly no less. As my hon. Friend says, there are serious issues that we need to address across the whole of the economy to ensure that we get this right.
My hon. Friend pointed to one person; I point to another—Richard Horne, the chief executive officer of the National Cyber Security Centre—who recently stressed that the UK faces increasingly hostile activity in cyber-space. We simply cannot afford any degree of complacency in this. There are major criminals operating in this space, as well as some malicious state actors, and some 40% of companies in the UK reported last year that they had faced some kind of cyber-attack. It is a very important issue that we take seriously.
Dame Harriett Baldwin (West Worcestershire) (Con)
I congratulate the hon. Member for Widnes and Halewood (Derek Twigg) on securing this important urgent question. I welcome the Minister to his new role, although I will never be able to rival his literary quotations.
This attack on Jaguar Land Rover is extremely concerning. The impact on that world-leading business, and on its suppliers and workers, has been significant. I hope that the whole House agrees that we must use the full force of the state to crack down on cyber-criminals. I appreciate that the Minister is constrained in what he can say, but when were the Government and the National Cyber Security Centre informed of the attack? What kind of support are the Government and law enforcement agencies able to offer Jaguar Land Rover? How much longer do the Government expect the disruption, which is impacting on the supply of vehicles, to continue?
The attack is just another in a series against British brands and iconic institutions—the Minister says that 40% of our businesses have been affected—including the attack earlier this year on Marks & Spencer. Will he elaborate on what the Government are doing to prevent future attacks? Has he identified who is responsible for the attack? Can he rule out its being a state-sponsored attack? If the group responsible for the attacks on Jaguar Land Rover and Marks & Spencer are linked, what progress have law enforcement agencies made in pursuing them?
Chris Bryant
She is not; I will not welcome her to her new role, then—I welcome her to the Dispatch Box none the less. She asked a series of questions, and I will try to answer those that I can as precisely as possible.
First, the shadow Minister asked when the NCSC was notified and engaged. It has been engaged since last Wednesday. We have an undertaking that when people get in touch with the NCSC, the response will be very immediate.
The shadow Minister asked what engagement there is from the Government. The primary engagement is through the NCSC, which is fully engaged and devoted to the work. It is also in the public domain that the Information Commissioner’s Office was notified. I should clarify that that was not because JLR was certain that there had been a data breach, but it wanted to ensure that it had dotted every i and crossed every t, which is why it notified the Information Commissioner’s Office.
The shadow Minister asked about a timeline for getting this resolved. I wish that I could provide one, but I cannot. I think she will understand why: this is a very live situation that has been ongoing for a week. I note the points that JLR has been making. As I say, there will be an invitation for all local MPs—my hon. Friend the Member for Widnes and Halewood (Derek Twigg) should already have had one—for a Q&A session on Friday morning, when JLR hopes that it will be able to provide more information.
The shadow Minister asked what else we are doing. This summer, the Home Office undertook a consultation on our policy on ransomware. I am not saying that that relates specifically to this case—we do not know that yet and I am not coming to any foregone conclusions—but that is one of the things that we must address, and it was heartening to see resolute support from the vast majority of companies in the UK for our ransomware policy. Maybe we will come to that later.
The hon. Lady asked whether I can say who is responsible. I am afraid that I cannot. I note what is in the public domain, but I have no idea whether that is accurate and I do not want to impede the investigation. She asked whether the attack was state sponsored. Again, I do not want to jump to conclusions, and I can neither confirm nor deny anything. She also asked whether the case is linked with that of M&S. Again, I cannot answer that as fulsomely as I would wish, simply because I do not know, and I do not think anybody has come to any secure decisions on that. In one sense, all cyber-attacks are linked, in that it is the same problem, which is relatively new. The previous Government were seeking to tackle it, and we are seeking to tackle it in broadly the same way. Some of the techniques used are remarkably old-fashioned, such as ringing up helplines, which are designed to be helpful. That is exactly the same as when News of the World was ringing up mobile companies and trying to get PINs to hack other people’s phones. This is an old technique. The new bit is that sometimes people use AI-generated voices, which are remarkably accurate and can lead to further problems. I am not saying that that is what happened in this case, but some of the patterns are across the whole sector.
Liam Byrne (Birmingham Hodge Hill and Solihull North) (Lab)
I congratulate my hon. Friend the Member for Widnes and Halewood (Derek Twigg) on securing this urgent question, and warmly welcome the Minister to his new role. This is an extraordinarily serious issue, and the Business and Trade Committee will soon table its recommendations on tackling economic harms such as this. Many companies such as JLR now confront a much bigger threat surface, and the peril of state-backed threats. That is why this will be a much bigger issue in the future, and why companies in this country will need more than new laws. They will need new investment incentives to clean up legacy infrastructure that is currently not safe enough.
When we took evidence from Archie Norman and Marks & Spencer in the wake of that cyber-attack, we were given a distinct impression that more could have been done by agencies to help M&S. Will the Minister reassure the House that all the lessons from how the M&S case was handled have been learned, and that the state will bend over backwards to ensure that JLR has every assistance it needs to get back up and running, and to prosecute the guilty?
Chris Bryant
The single most important thing we can do is ensure that we end up prosecuting the guilty and that people are sent to prison, such as the gentleman—well, the person—in the United States of America who was recently sent down for 10 years as part of one of these networks, which was important. I am a Minister in the Department for Business and Trade, but the Minister for Security, my hon. Friend the Member for Barnsley North (Dan Jarvis), and the Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), who is on the Front Bench, are actively engaged in these discussions, and we must ensure a cross-Government approach. I look forward to what we will hear from the Business and Trade Committee. I was intrigued by what my right hon. Friend was saying about investment incentives, and I hope he might come up with some clever idea that we could put into practice once he has produced his report.
On the main point about whether we have learned all the lessons from M&S, I certainly think we have. I have read Archie Norman’s evidence to the Committee, and I hope that M&S has also learned the lessons that he laid bare. I hesitate in trying to make too immediate a connection between one case and another, because as my right hon. Friend will know, I do not want to prejudge what has happened in this particular set of circumstances.
Clive Jones (Wokingham) (LD)
I welcome the Minister to his new role. There has been a spate of cyber-attacks on important UK companies such as Jaguar Land Rover, on supermarkets and on the Legal Aid Agency. What are the Government doing to restore public and, just as importantly, international trust in the UK’s cyber-security networks? Do the Government think that the attacks have come from overseas?
Chris Bryant
I pay tribute to my right hon. Friend for all the work that she and I did together, particularly on space, in my old job and in hers. She was an excellent Minister to do business with, and I slightly fear having her on the Back Benches as she is a very redoubtable person. Many suppliers, including Evtec, WHS Plastics, Sertec, OPmobility and a series of others, are in an even more complex situation than Jaguar Land Rover, and I will try to co-ordinate the activity that we are doing in our Department to ensure that we provide every possible support to them. I note the tone in which my right hon. Friend said that MPs were getting a half-hour Zoom call on Friday. I will try to ensure that all MPs get the support they need, so that they can do the job of reassuring their constituents. Earlier today I made that point forcibly to JLR, and as I say, I intend to have a meeting with its chief executive later this week. When I possibly can I want to keep MPs updated, either individually in constituencies, or the whole House.
Sir Edward Leigh (Gainsborough) (Con)
I congratulate the hon. Gentleman on surviving the reshuffle. This Minister adds to the general merriment of the nation, so we will miss him when he’s gone—[Laughter.] We’re all mortal. May I ask a serious question about the public sector? As it happens, I am an enthusiast for the Prime Minister’s idea of a national digital ID card as a means of countering illegal working, but it raises a whole new spectre if tens of millions of people have an ID card on their mobile phone in their pocket and malign forces—Russia and elsewhere—seek to attack us. What work are the Government doing with their Bill and in the National Cyber Security Centre to try to get this right?
Chris Bryant
Ah, she is. I saw the nod. I am not sure how Hansard records a nod, other than the fact that I have now said it. The important point is making sure that everybody has an understanding that cyber-security is important to every single organisation, big or small, and the services of the state are there to help.
Richard Foord (Honiton and Sidmouth) (LD)
The Minister talked about a cross-Government approach, and last week the Ministry of Defence stood up the cyber and specialist operations command, building on the foundations of strategic command and bringing together more than 26,000 specialists. Can the Minister comment on what collaboration exists between officials at the Department for Business and Trade and those working in this area in the MOD?
Chris Bryant
The primary relationship is between my Department, because we have responsibility for businesses and making sure that they can prosper in the future, the Department for Science, Innovation and Technology, as represented by my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan) here, and the Minister for Security in the Home Office, but the hon. Member makes a good point. The MOD has an equal responsibility for ensuring that we are all secure.
Mr Speaker, I am sure that some kind of digital identification service will be available for identifying the right MP to call.
Jim Shannon (Strangford) (DUP)
Always rear gunner. I am pleased to see the Minister in his position. It is well earned, and we are pleased to see him where he is. He will be aware that cyber-attacks on Marks & Spencer and Co-op have left many people concerned about the security of their information online. This attack on Jaguar will heighten those concerns, and businesses in my constituency have told me that. I have been contacted by people who are concerned about the ramifications of a cyber-attack on the Government’s systems, particularly in health. What discussions have been held with Cabinet colleagues on the robustness of cyber-defence, and what information can be shared with private businesses to help them defend themselves against these criminals that we all fear?