Matt Western (Warwick and Leamington) (Lab)

- View Speech - Hansard -

Copy Link

- - Excerpts

I start by welcoming the Bill, which is a serious step forward in protecting the United Kingdom from the great number of cyber-attacks that we face each day. As we have just heard from my right hon. Friend the Minister, this legislation is long overdue. A consultation started back in January 2022, and in April of that year, the then Government identified serious issues and limitations. I was slightly bemused that my hon. Friend the shadow Minister—I do consider her to be a friend—did not cover that in her speech. The previous Government then failed to act for over two years, and as my right hon. Friend the Minister illustrated in his speech, that has proven very costly.

Over the past couple of years, we have seen that cyber-security is not just paramount in our everyday lives; it is crucial. It ensures that there is food on our supermarket shelves and that the lights stay on. It is critical to every corner of the UK, but now we have to move at pace, and not just through this legislation—I urge us to go further. If we are to protect ourselves from our adversaries, we need to develop a true whole-of-society approach to cyber-security and start a national conversation on security at home. This legislation is clearly an important first step. It is a first chapter, but many more must be written if we are going to seriously address our national security, by which I mean our social and economic security.

Increasingly over the past decade, we have seen a blurring of war and peace, with the emergence of hybrid warfare and the widening of the grey zone. We are living in a cyber no man’s land where states or state-sponsored actors—proxies—can act with relative ease and impunity, leaving the world a more dangerous place. The cyber-realm is, and will remain, a key battleground, and it is one that we must seize. Every one of us in the United Kingdom needs to wake up to that fact, particularly with the development of AI and quantum computing and the extraordinary threats that will come from those developments. When it comes to being the target of cyber-attacks, the United Kingdom now ranks third among all nations. In 2024 alone, the NCSC handled an average of four major attacks every week—these are the really serious attacks—and the impact on the economy is staggering. In the same year, cyber-attacks cost the British economy £15 billion, or 0.5% of GDP. When we are trying to increase GDP by 1%, 2% or whatever it is, a hit of 0.5% is so significant.

While 43% of businesses have reported having any kind of security breach or attack over the past 12 months, that figure rises to 67% and 74% for medium and large businesses respectively. Every attack inflicts more pain on UK plc, meaning lower economic growth and lower tax receipts to fund our public services. As we heard earlier, the effects ripple through our whole society.

We have just been talking about the attack on Jaguar Land Rover this summer; that attack cost the company an estimated £500 million, affected over 5,000 businesses and put thousands of jobs at risk, with many of those employees based in my constituency of Warwick and Leamington. The impact was significant, whether it be on cafés, restaurants, pubs or shops, which were all affected by the downturn that immediately led from the shutdown of the factories.

The attack on Collins Aerospace was alluded to earlier. It crippled Heathrow airport, and I think Stansted was affected, too, but less so. It scuppered thousands of hard-earned family holidays in autumn last year, and the ramifications for the travel sector were significant.

It is not just businesses that have been affected. We have seen attacks on councils, as we have heard, and charities. Even the British Library was knocked out two years ago, which impacted so much of our research potential across our higher education institutions. It has significantly affected the UK. The Electoral Commission got knocked out by an attack by Chinese state-sponsored actors. There have been so many other attacks. Even our NHS is not safe. My right hon. Friend the Minister mentioned the attack on Synnovis. Last year, more than 11,000 NHS appointments were lost due to cyber-attacks. The attack in June 2024 on London hospitals by the Russian group Qilin saw 1,100 cancer treatments delayed, 2,000 out-patient appointments cancelled, more than 1,000 operations postponed and, tragically, the death of a patient. The message from across our international partners and the UK’s security services is clear.

Matt Western

- Hansard -

Copy Link

- - Excerpts

I thank my hon. Friend for sharing his lived experience. I can relate that to when I have spoken to organisations through the Business and Trade Committee and through my role on the Joint Committee for National Security Strategy. I have heard from organisations that have been impacted about how paralysing the immediate aftermath of such an attack is and how it challenges an organisation. It is crucial that these red team, blue team scenarios get played out, but when it is actually happening and a company is facing an entire shutdown of its systems, it is very difficult to navigate. Many have talked about the culture change that is needed, and we need to urgently embrace that change. The experience in the NHS that my hon. Friend mentions is a good example.

These attacks are the new normal and we must be better prepared. In September 2024, led by the FBI and the National Security Agency, the United Kingdom, Germany, Estonia, Canada and a plethora of other allies released their clearest articulation of the threat posed by Russia, and Putin in particular. They said that Russia is

“responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.”

The NCSC annual review in 2024 called the landscape “diffuse and dangerous”, while the 2025 review could not have been clearer in saying “It’s time to act” in the defining text on the front cover. Richard Horne, head of the NCSC, said:

“Empty shelves and stalled production lines are a stark reminder that cyber attacks no longer just affect computers and data, but real business, real products, and real lives… The recent cyber attacks must act as a wake-up call.”

Just last week, Andrew Bailey, the Governor of the Bank of England, said that cyber-attacks were one of the biggest threats to UK financial stability and stressed the critically important need for collaborative defence.

The reality should be clear to everyone here. The frontline is everywhere. It is our phone, it is at our desk, it is our businesses, it is our infrastructure and it is even here at the heart of our democracy. Such a threat requires a whole-of-society response. We are not the first to have been targeted. Back in 2007—18 years ago—Russia launched a determined cyber-attack on Estonia. It was damaging and debilitating to Estonia’s society and economy. The cyber-attack was a call to action for Estonia and it responded at pace. It brought about cultural change, which was talked about earlier in the debate. Estonia overhauled its legal, political and strategic framework—even looking at its education system—and adopted a whole-of-society approach to cyber-security, developing a serious public-private partnership to counter the threats posed by Russia. No doubt the Minister will have looked at this case in more detail to understand what learnings could be applied here and to our cyber-security strategy more widely to ensure whole-of-society resilience.

The reality is that cyber-attacks target the weakest link. It was welcome to hear my right hon. Friend the Minister talk about the initiatives with the FTSE 350 companies and some of the smaller businesses about how they should be engaging with these threats. It cannot be acceptable that the most popular password in the United Kingdom is “password”. It is ridiculous. Every one of us must act as guardian against our cyber-adversaries.

The Bill lays out valuable and desperately needed provisions. Its extent and scope are hugely welcome, bringing in data centres, large load controllers and managed service providers under the network and information systems regulations protects more of the economy from cyber-attacks. I am particularly pleased to see the inclusion of managed service providers, given the vulnerabilities that organisations often face from external IT suppliers or their supply base.

The amendments to the regulatory framework are a positive step. Improving the reporting of incidents will allow the Government to respond at pace and be agile to the evolving threats and shared vulnerabilities. That said, during the last Parliament, the Joint Committee on the National Security Strategy, which I now chair, called for one cross-sector cyber regulator, and I echo those calls, as I believe that would enable far greater regulation and enforcement. Finally, the improved resilience and security enabled through additional powers granted to the Secretary of State are crucial in enabling the Government to act quickly in real times of crisis.

Despite all the positive aspects of the Bill—I congratulate Ministers after the years of dithering by their predecessor Government—it does leave large parts of the economy outside its scope. As I have mentioned already, how can we incorporate a whole-of-society approach to cyber-security like that of Estonia? There will be many different levers for the Government to pull. This Bill is just one part, and I trust that others will follow swiftly. It is worth noting that the EU’s NIS2 directive is broadly parallel to the Bill before us. However, the EU goes further on cyber-resilience, having added sectors such as manufacturing, food distribution and waste water. Having witnessed such devastating attacks in these sectors in the past year, I urge us to act swiftly with further legislation to address those areas.

In summary, I just restate that I absolutely welcome the Bill and the three key pillars of the legislation—the expanded scope, improving regulation and strengthening resilience—are hugely welcome, as is the importance of experience reporting and sharing by victims. The cyber-attacks we have suffered this past year must be our inflection point—our call to action. Like Estonia in 2007, we have an opportunity to reinvigorate our cyber-defences and ensure the whole of society is resilient. The shadow Minister mentioned digital ID, and I gently say that that opportunity was seized upon by Estonia at the time and it has since introduced digital ID. It is secure, as it is in Denmark. Estonia looked at the opportunity presented by that challenge and that attack that they faced, and those systems work. That has been demonstrated by both those countries. As the annual review from the National Cyber Security Centre rightly asserts,

“the UK’s cyber security is… a shared responsibility where everyone needs to play a part.”

We parliamentarians have a duty to raise the salience of the issue, and to bring about a national conversation to ensure that everyone plays their part.

Finally, may I gently encourage the Minister to go further and faster, and to look at the broader cyber-landscape, as Estonia did and as the European Union is doing with its NIS2 legislation? May I encourage him to consider introducing legislation to cover food production and distribution, manufacturing and other critical sectors? As I have said, however, the Bill is an important first step, and I look forward to working constructively with him to ensure that the UK and its citizens are secure from, and resilient to, any future cyber-attacks.