Cyber Security and Resilience (Network and Information Systems) Bill Debate
Matt Western (Labour - Warwick and Leamington)
Commons Chamber
I start by welcoming the Bill, which is a serious step forward in protecting the United Kingdom from the great number of cyber-attacks that we face each day. As we have just heard from my right hon. Friend the Minister, this legislation is long overdue. A consultation started back in January 2022, and in April of that year, the then Government identified serious issues and limitations. I was slightly bemused that my hon. Friend the shadow Minister—I do consider her to be a friend—did not cover that in her speech. The previous Government then failed to act for over two years, and as my right hon. Friend the Minister illustrated in his speech, that has proven very costly.
Over the past couple of years, we have seen that cyber-security is not just paramount in our everyday lives; it is crucial. It ensures that there is food on our supermarket shelves and that the lights stay on. It is critical to every corner of the UK, but now we have to move at pace, and not just through this legislation—I urge us to go further. If we are to protect ourselves from our adversaries, we need to develop a true whole-of-society approach to cyber-security and start a national conversation on security at home. This legislation is clearly an important first step. It is a first chapter, but many more must be written if we are going to seriously address our national security, by which I mean our social and economic security.
Increasingly over the past decade, we have seen a blurring of war and peace, with the emergence of hybrid warfare and the widening of the grey zone. We are living in a cyber no man’s land where states or state-sponsored actors—proxies—can act with relative ease and impunity, leaving the world a more dangerous place. The cyber-realm is, and will remain, a key battleground, and it is one that we must seize. Every one of us in the United Kingdom needs to wake up to that fact, particularly with the development of AI and quantum computing and the extraordinary threats that will come from those developments. When it comes to being the target of cyber-attacks, the United Kingdom now ranks third among all nations. In 2024 alone, the NCSC handled an average of four major attacks every week—these are the really serious attacks—and the impact on the economy is staggering. In the same year, cyber-attacks cost the British economy £15 billion, or 0.5% of GDP. When we are trying to increase GDP by 1%, 2% or whatever it is, a hit of 0.5% is so significant.
While 43% of businesses have reported having any kind of security breach or attack over the past 12 months, that figure rises to 67% and 74% for medium and large businesses respectively. Every attack inflicts more pain on UK plc, meaning lower economic growth and lower tax receipts to fund our public services. As we heard earlier, the effects ripple through our whole society.
We have just been talking about the attack on Jaguar Land Rover this summer; that attack cost the company an estimated £500 million, affected over 5,000 businesses and put thousands of jobs at risk, with many of those employees based in my constituency of Warwick and Leamington. The impact was significant, whether it be on cafés, restaurants, pubs or shops, which were all affected by the downturn that immediately led from the shutdown of the factories.
The attack on Collins Aerospace was alluded to earlier. It crippled Heathrow airport, and I think Stansted was affected, too, but less so. It scuppered thousands of hard-earned family holidays in autumn last year, and the ramifications for the travel sector were significant.
It is not just businesses that have been affected. We have seen attacks on councils, as we have heard, and charities. Even the British Library was knocked out two years ago, which impacted so much of our research potential across our higher education institutions. It has significantly affected the UK. The Electoral Commission got knocked out by an attack by Chinese state-sponsored actors. There have been so many other attacks. Even our NHS is not safe. My right hon. Friend the Minister mentioned the attack on Synnovis. Last year, more than 11,000 NHS appointments were lost due to cyber-attacks. The attack in June 2024 on London hospitals by the Russian group Qilin saw 1,100 cancer treatments delayed, 2,000 out-patient appointments cancelled, more than 1,000 operations postponed and, tragically, the death of a patient. The message from across our international partners and the UK’s security services is clear.
Matt Turmaine (Watford) (Lab)
On the attack on the NHS, I worked for 10 years in health and social care prior to being elected to this place, so I witnessed that attack taking place, and nothing could give a starker demonstration of the impact on productivity that cyber-attacks have on our country and our society. There was a meeting of senior clinical commissioning group and other health trust executives in Hertfordshire at the time, and one by one they were forced to leave the room like lights blinking out as the impact of the attack became clear. Does my hon. Friend agree that this Bill is essential to keep our legislation up to date with the new methods of attack that bad actors are using on our state and infrastructure as online technology evolves?
I thank my hon. Friend for sharing his lived experience. I can relate that to when I have spoken to organisations through the Business and Trade Committee and through my role on the Joint Committee for National Security Strategy. I have heard from organisations that have been impacted about how paralysing the immediate aftermath of such an attack is and how it challenges an organisation. It is crucial that these red team, blue team scenarios get played out, but when it is actually happening and a company is facing an entire shutdown of its systems, it is very difficult to navigate. Many have talked about the culture change that is needed, and we need to urgently embrace that change. The experience in the NHS that my hon. Friend mentions is a good example.
These attacks are the new normal and we must be better prepared. In September 2024, led by the FBI and the National Security Agency, the United Kingdom, Germany, Estonia, Canada and a plethora of other allies released their clearest articulation of the threat posed by Russia, and Putin in particular. They said that Russia is
“responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020.”
The NCSC annual review in 2024 called the landscape “diffuse and dangerous”, while the 2025 review could not have been clearer in saying “It’s time to act” in the defining text on the front cover. Richard Horne, head of the NCSC, said:
“Empty shelves and stalled production lines are a stark reminder that cyber attacks no longer just affect computers and data, but real business, real products, and real lives… The recent cyber attacks must act as a wake-up call.”
Just last week, Andrew Bailey, the Governor of the Bank of England, said that cyber-attacks were one of the biggest threats to UK financial stability and stressed the critically important need for collaborative defence.
The reality should be clear to everyone here. The frontline is everywhere. It is our phone, it is at our desk, it is our businesses, it is our infrastructure and it is even here at the heart of our democracy. Such a threat requires a whole-of-society response. We are not the first to have been targeted. Back in 2007—18 years ago—Russia launched a determined cyber-attack on Estonia. It was damaging and debilitating to Estonia’s society and economy. The cyber-attack was a call to action for Estonia and it responded at pace. It brought about cultural change, which was talked about earlier in the debate. Estonia overhauled its legal, political and strategic framework—even looking at its education system—and adopted a whole-of-society approach to cyber-security, developing a serious public-private partnership to counter the threats posed by Russia. No doubt the Minister will have looked at this case in more detail to understand what learnings could be applied here and to our cyber-security strategy more widely to ensure whole-of-society resilience.
The reality is that cyber-attacks target the weakest link. It was welcome to hear my right hon. Friend the Minister talk about the initiatives with the FTSE 350 companies and some of the smaller businesses about how they should be engaging with these threats. It cannot be acceptable that the most popular password in the United Kingdom is “password”. It is ridiculous. Every one of us must act as guardian against our cyber-adversaries.
The Bill lays out valuable and desperately needed provisions. Its extent and scope are hugely welcome; bringing data centres, large load controllers and managed service providers under the network and information systems regulations protects more of the economy from cyber-attacks. I am particularly pleased to see the inclusion of managed service providers, given the vulnerabilities that organisations often face from external IT suppliers or their supply base.
The amendments to the regulatory framework are a positive step. Improving the reporting of incidents will allow the Government to respond at pace and be agile to the evolving threats and shared vulnerabilities. That said, during the last Parliament, the Joint Committee on the National Security Strategy, which I now chair, called for one cross-sector cyber regulator, and I echo those calls, as I believe that would enable far greater regulation and enforcement. Finally, the improved resilience and security enabled through additional powers granted to the Secretary of State are crucial in enabling the Government to act quickly in real times of crisis.
Despite all the positive aspects of the Bill—I congratulate Ministers after the years of dithering by their predecessor Government—it does leave large parts of the economy outside its scope. As I have mentioned already, how can we incorporate a whole-of-society approach to cyber-security like that of Estonia? There will be many different levers for the Government to pull. This Bill is just one part, and I trust that others will follow swiftly. It is worth noting that the EU’s NIS2 directive is broadly parallel to the Bill before us. However, the EU goes further on cyber-resilience, having added sectors such as manufacturing, food distribution and waste water. Having witnessed such devastating attacks in these sectors in the past year, I urge us to act swiftly with further legislation to address those areas.
In summary, I just restate that I absolutely welcome the Bill and the three key pillars of the legislation—the expanded scope, improving regulation and strengthening resilience—are hugely welcome, as is the importance of experience reporting and sharing by victims. The cyber-attacks we have suffered this past year must be our inflection point—our call to action. Like Estonia in 2007, we have an opportunity to reinvigorate our cyber-defences and ensure the whole of society is resilient. The shadow Minister mentioned digital ID, and I gently say that that opportunity was seized upon by Estonia at the time and it has since introduced digital ID. It is secure, as it is in Denmark. Estonia looked at the opportunity presented by that challenge and that attack that they faced, and those systems work. That has been demonstrated by both those countries. As the annual review from the National Cyber Security Centre rightly asserts,
“the UK’s cyber security is… a shared responsibility where everyone needs to play a part.”
We parliamentarians have a duty to raise the salience of the issue, and to bring about a national conversation to ensure that everyone plays their part.
Finally, may I gently encourage the Minister to go further and faster, and to look at the broader cyber-landscape, as Estonia did and as the European Union is doing with its NIS2 legislation? May I encourage him to consider introducing legislation to cover food production and distribution, manufacturing and other critical sectors? As I have said, however, the Bill is an important first step, and I look forward to working constructively with him to ensure that the UK and its citizens are secure from, and resilient to, any future cyber-attacks.
I call the Liberal Democrat spokesperson.
It is a pleasure to follow the hon. Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), who has brought tremendous expertise to this debate. In my previous role overseeing national resilience and cross-Government co-ordination of national security threats, cyber-security was probably the one area that caused me the greatest number of sleepless nights. There has been a lot of talk in recent months and years about the increased need to defend the realm and the steps that need to be taken to address the defence of the realm.
We all know from past experience that the first line of any attack on the defence of the realm is highly likely to be through cyber-attacks. Indeed, in a completely different context, we need only to look at the public comments made by the President of the United States a couple of days ago about the first steps that the United States took in its intervention in Venezuela: he talked about the United States’ capability to knock out the power supply there. If we look at our adversaries, particularly Russia, North Korea and Iran, we can see that they are actively inculcating and encouraging environments in which cyber-attacks can be planned and take place. Whether that is done explicitly by private sector individuals or with the connivance of the state, a deliberate grey zone is created, with the desire to increase knowledge of cyber-risks to the United Kingdom and our allies, and to carry out penetrative attacks to that effect. We are likely to see this grey zone warfare continue to increase as a result of the actions that we see in Ukraine and elsewhere.
We just have to look at our own experience. Many hon. Members have made the point that the initial attack on JLR rapidly cascaded and affected many others in the supply chain. From the Government’s own research and testing—this is in the public domain—one sees that a cyber-attack can rapidly cascade into other areas. For example, when we test the impact of a cyber-attack on our electricity system, it rapidly cascades into our water system, which is dependent on electricity. Clearly, it also rapidly cascades into our transport system. Before long, a small cyber-attack becomes a very, very large cyber-attack. In common with all other advanced countries, the United Kingdom is highly exposed to cyber-attacks—a point that I made repeatedly from the Dispatch Box.
I welcome this legislation and the steps that the Minister has outlined today, but I gently caution against what he said. I do not think it was his intention, but he said that this legislation will fix the cyber-security problem. It will not fix the cyber-security problem. No single piece of legislation is ever going to fix the cyber-security problem, nor is this a question of good guys and bad guys or of, “The last Government did nothing, and this Government are doing something.” Each Government must have a fresh look at the challenges of cyber-security, and take necessary and proportionate steps to address the risks.
Given the right hon. Gentleman’s extensive experience, it is very interesting to hear what he says. If he had his time again—this is not to criticise the previous Government, but to ask about the here and now—would he think that this area needs an absolute focus from across Government and across society, because it is such a crucial part of our defence?
Yes, I totally agree. Indeed, that is why the National Cyber Security Centre, working in conjunction with the last Government and now the current Government, has set out the whole-of-Government approach. It cannot just be about the actions of individual Government Ministers or individual actors in the private sector; the whole of Government needs to act together.
On the further steps we could and should have taken—this goes back to my intervention on the Minister—I do think that more pressure needs to be brought to bear on Ministers in terms of their accountability for cyber-security, and I fear that if we do not put this into primary legislation, it can slip further and further down Ministers’ in-trays. Although Ministers have a desire to address it, more pressing and immediate problems distract their attention.
I have some constructive suggestions about how we can improve the proposed legislation. The first is about many of the powers being delegated to secondary legislation or ministerial direction. I do not have a problem with that, because it is essential that we have a framework piece of legislation and then the flexibility to allow secondary legislation to be brought forward to address challenges as they arise, but I urge Ministers to undertake a meaningful and mandatory consultation on any secondary legislation that comes forward, so that businesses and others can contribute to it.
I also caution against Ministers devolving to regulators their duties in respect of cyber-security. Too often—again, this applies to Governments of both colours—regulators are empowered to address cyber-security problems or any other problems. They then charge off in one direction and fail to take into account questions such as proportionality—the impact of the regulations versus their economic burden—and Parliament and Ministers cease to have a significant role. I urge Ministers to keep a tight grip on regulators and on the instructions that they give them.
I would also be a little cautious about some of the arguments made by hon. Members about the need constantly to expand the scope of this legislation to further areas of the private sector. It is very easy for us in this Chamber to talk about the need for further legislation, but when a small business is faced with a huge Act and required to interpret it, it looks a very daunting prospect. My preference would be to continue the sort of co-operation that we have seen through the whole-of-society approach advocated by the NCSC.
On proportionality, I urge Ministers to embrace AI. There are opportunities to use AI to triage incoming attacks and avoid duplication, for example, and a lot of streamlining of the system can be done in that area. On the flipside of AI, we must take very seriously the risk of cyber-attacks posed by agentic artificial intelligence. It appears that we reached an inflection point in November 2025, when Anthropic reported disrupting what it described as the first large-scale cyber-espionage campaign executed largely via agentic AI. We are likely to see much more of this. I would welcome the Minister saying in his concluding remarks what the Government intend to do to ensure that we keep up with this threat, because we are only in the foothills of the risk posed by agentic AI.
Further to the point about the role of the public sector, 40% of incidents handled by the National Cyber Security Centre when I was the Minister responsible were from the public sector, so I question the exclusion of the public sector. I appreciate that the Government have announced a plan. I have not had a chance to look at it, but I can imagine what it contains broadly. The key thing is what stick is applied to public officials and Ministers, outside the core responsible Government Departments, to make sure that they take their responsibilities seriously, so I think some legislative proposals may be needed in that area.
Similarly on budgets, again the core responsible Departments—the Cabinet Office and the Department for Science, Innovation and Technology—will prioritise cyber-security. I fear that other Departments may not, so there is a strong argument for ringfencing cyber-security budgets for all Departments so that money cannot be transferred to more pressing short-term problems, as has often been the case, particularly, for example, in the NHS.
It is very important that we do not overlook the basics. It is very easy to talk about legislation or to talk in high-level terms about threats, but probably the single biggest thing we could do to deal with cyber-risks in this country is to make sure that every time every single business and private individual gets one of those annoying pings on their phone saying that they need to upgrade their software to the latest operating system—it is the same with their PCs, iPads and so on—they do so. That is done by providers, because they know that there is a cyber-risk, and there is a patch to address it. If the patch is applied immediately, that can have a huge effect on the resilience of the whole of society, and the NCSC constantly puts out that message.
We need to look at our resilience in society as a whole when we have a major cyber-attack. We have had major cyber-attacks, but they have tended to be in just one sector, albeit with cascading effects, as with JLR. We have not yet had a whole-of-society cyber-attack—either one that flows out of control from a criminal attack, or a deliberate attack from a hostile state cascading widely across all of society—affecting our electricity, water supplies and so on. I fear that it is only a matter of time before that happens, and we need to look at the resilience of individuals, including the ability to have analogue systems such as battery-powered torches, rather than electric torches, and so on. I started the work on that as a Minister, and I think more needs to be done in that space.
We also need to look at the question of emergency communications. It was certainly my experience that public sector broadcasters—such as, I think, the BBC—are not required to take emergency communications from the Government in such situations. I think that is a loophole that could be exposed in such a situation.
On resilience more broadly, we are in the foothills of the impact of AI. We are going to see vast impacts on employment and how people lead meaningful lives as AI advances more and more rapidly. For the resilience of our society, this House needs to have a much wider debate—not on this Bill, but more generally—about how we address the epoch-changing challenges we are facing.
In conclusion, I think this is a welcome piece of legislation and an important step forward. My hon. Friend the Member for Hornchurch and Upminster (Julia Lopez) correctly highlighted the very important challenges, and they will need to be addressed as this Bill passes through the House. I think it is an important step forward, but it is only one step, and once this legislation is enacted, we will need to be prepared to return to this issue again and again.