Cyber Security and Resilience (Network and Information Systems) Bill Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Oliver Dowden
Main Page: Oliver Dowden (Conservative - Hertsmere)Department Debates - View all Oliver Dowden's debates with the Department for Digital, Culture, Media & Sport
Cyber Security and Resilience (Network and Information Systems) Bill
Oliver Dowden ExcerptsTuesday 6th January 2026
(3 days, 22 hours ago)
Commons ChamberRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Ian Murray
The banking sector is obviously in the regulators’ scope for cyber-security, and there have been a number of outages, as my hon. Friend mentions. The general principle is that cyber-attacks no longer come in through the front door, but through third parties and suppliers. We have seen that, for example, in the recent incidents at Heathrow and in cloud outages with Amazon Web Services and other such companies. They are covered by their own regulations. As I said in answer to my hon. Friend the Member for Lichfield (Dave Robertson) about Jaguar Land Rover, those companies will not be in the scope of the Bill, but we hope that the financial services sector, which is a leader in cyber-security for a whole host of fairly obvious reasons, will take that forward.
The recent attacks on British icons such as Marks & Spencer and Jaguar Land Rover will loom large in people’s minds. Many Members across the Chamber have already mentioned them. Supply chains were thrown into chaos, with small businesses paying the price, which clearly shows the ripple effect across the economy—on other businesses, smaller businesses and patients, such as in the public service examples mentioned earlier—when one part of the system is attacked.
We are clear that all businesses—that covers financial services, Jaguar Land Rover, Marks & Spencer and others—must take immediate steps to protect themselves. That is why, in October, members of the Cabinet wrote to the FTSE 350 companies urging them to strengthen their defences by doing three things: first, to make cyber risk a board priority; secondly, to require suppliers to have a cyber essentials certificate; and thirdly to sign up to the early warning service. That was followed by a similar letter to entrepreneurs and small businesses in November with bespoke advice for smaller teams. We know that those actions work. Organisations with cyber essentials are 92% less likely to claim on cyber insurance than those that do not. Businesses know best how to protect themselves; we are not here to regulate for the sake of regulating.
Government are taking action too. As I announced this morning, the Government cyber action plan sets a radically new model for how Government will strengthen their cyber-resilience and is backed by over £210 million of investment. Government Departments will be held to standards equivalent to those set out in the Bill. That is why the public sector and the Government are not included in the scope of the Bill. The Government should not need to legislate for themselves; we should just get on with making sure that we are leading the charge and that the cyber action plan strengthens the Government’s cyber-resilience. [Interruption.] I do not know if that was an attempt at an intervention from the Opposition Front Bench, but I am happy to take it.
Sir Oliver Dowden (Hertsmere) (Con)
I welcome the Minister’s comments about the obligation on the public sector. However, I caution him that, in my experience, cyber-security is one of those things that Ministers talk about, but then other priorities overtake it. The advantage of legislative requirements is that they force Ministers to think about it. I urge the Minister to look at that point again as the Bill passes through Parliament. There is a case for putting more stringent requirements on the public sector in order to force Ministers’ minds on the point.
Ian Murray
The right hon. Gentleman would have had some involvement in this when he was in government; indeed, the 2018 regulations came from the previous Government. We are all trying to make sure that we are catching up with the technology as quickly as it moves. He makes a very interesting point that I am very conscious of and happy to take away. We are determined to deliver the cyber-security action plan, which is backed by £210 million.
The actions that the previous Government took did not come to fruition in terms of their 2030 target, which is why we have refreshed the action plan and brought it forward with some significant cash. It is important for Ministers to take that forward. I hope that the right hon. Gentleman will hold us to account to ensure that we are fulfilling that promise in the cyber-security action plan. Public services, and indeed central Government, must take the leading role to show businesses that the approach to take is to ensure that all our systems are as secure as possible, not just on economic grounds, but for the people that we all seek to represent.
Sir Oliver Dowden (Hertsmere) (Con)
It is a pleasure to follow the hon. Member for Newcastle upon Tyne Central and West (Dame Chi Onwurah), who has brought tremendous expertise to this debate. In my previous role overseeing national resilience and cross-Government co-ordination of national security threats, cyber-security was probably the one area that caused me the greatest number of sleepless nights. There has been a lot of talk in recent months and years about the increased need to defend the realm and the steps that need to be taken to address the defence of the realm.
We all know from past experience that the first line of any attack on the defence of the realm is highly likely to be through cyber-attacks. Indeed, in a completely different context, we need only to look at the public comments made by the President of the United States a couple of days ago about the first steps that the United States took in its intervention in Venezuela: he talked about the United States’ capability to knock out the power supply there. If we look at our adversaries, particularly Russia, North Korea and Iran, we can see that they are actively inculcating and encouraging environments in which cyber-attacks can be planned and take place. Whether that is done explicitly by private sector individuals or with the connivance of the state, a deliberate grey zone is created, with the desire to increase knowledge of cyber-risks to the United Kingdom and our allies, and to carry out penetrative attacks to that effect. We are likely to see this grey zone warfare continue to increase as a result of the actions that we see in Ukraine and elsewhere.
We just have to look at our own experience. Many hon. Members have made the point that the initial attack on JLR rapidly cascaded and affected many others in the supply chain. From the Government’s own research and testing—this is in the public domain—one sees that a cyber-attack can rapidly cascade into other areas. For example, when we test the impact of a cyber-attack on our electricity system, it rapidly cascades into our water system, which is dependent on electricity. Clearly, it also rapidly cascades into our transport system. Before long, a small cyber-attack becomes a very, very large cyber-attack. In common with all other advanced countries, the United Kingdom is highly exposed to cyber-attacks—a point that I made repeatedly from the Dispatch Box.
I welcome this legislation and the steps that the Minister has outlined today, but I gently caution against what he said. I do not think it was his intention, but he said that this legislation will fix the cyber-security problem. It will not fix the cyber-security problem. No single piece of legislation is ever going to fix the cyber-security problem, nor is this a question of good guys and bad guys or of, “The last Government did nothing, and this Government are doing something.” Each Government must have a fresh look at the challenges of cyber-security, and take necessary and proportionate steps to address the risks.
Matt Western
Given the right hon. Gentleman’s extensive experience, it is very interesting to hear what he says. If he had his time again—this is not to criticise the previous Government, but to ask about the here and now—would he think that this area needs an absolute focus from across Government and across society, because it is such a crucial part of our defence?
Sir Oliver Dowden
Yes, I totally agree. Indeed, that is why the National Cyber Security Centre, working in conjunction with the last Government and now the current Government, has set out the whole-of-Government approach. It cannot just be about the actions of individual Government Ministers or individual actors in the private sector; the whole of Government need to act together.
On the further steps we could and should have taken—this goes back to my intervention on the Minister—I do think that more pressure needs to be brought to bear on Ministers in terms of their accountability for cyber-security, and I fear that if we do not put this into primary legislation, it can slip further and further down Ministers’ in-trays. Although Ministers have a desire to address it, more pressing and immediate problems distract their attention.
I have some constructive suggestions about how we can improve the proposed legislation. The first is about many of the powers being delegated to secondary legislation or ministerial direction. I do not have a problem with that, because it is essential that we have a framework piece of legislation and then the flexibility to allow secondary legislation to be brought forward to address challenges as they arise, but I urge Ministers to undertake a meaningful and mandatory consultation on any secondary legislation that comes forward, so that businesses and others can contribute to it.
I also caution against Ministers devolving to regulators their duties in respect of cyber-security. Too often—again, this applies to Governments of both colours—regulators are empowered to address cyber-security problems or any other problems. They then charge off in one direction and fail to take into account questions such as proportionality—the impact of the regulations versus their economic burden—and Parliament and Ministers cease to have a significant role. I urge Ministers to keep a tight grip on regulators and on the instructions that they give them.
I would also be a little cautious about some of the arguments made by hon. Members about the need constantly to expand the scope of this legislation to further areas of the private sector. It is very easy for us in this Chamber to talk about the need for further legislation, but when a small business is faced with a huge Act and required to interpret it, it looks a very daunting prospect. My preference would be to continue the sort of co-operation that we have seen through the whole-of-society approach advocated by the NCSC.
On proportionality, I urge Ministers to embrace AI. There are opportunities to use AI to triage incoming attacks and avoid duplication, for example, and a lot of streamlining of the system can be done in that area. On the flipside of AI, we must take very seriously the risk of cyber-attacks posed by agentic artificial intelligence. It appears that we reached an inflection point in November 2025, when Anthropic reported disrupting what it described as the first large-scale cyber-espionage campaign executed largely via agentic AI. We are likely to see much more of this. I would welcome the Minister saying in his concluding remarks what the Government intend to do to ensure that we keep up with this threat, because we are only in the foothills of the risk posed by agentic AI.
Further to the point about the role of the public sector, 40% of incidents handled by the National Cyber Security Centre when I was the Minister responsible were from the public sector, so I question the exclusion of the public sector. I appreciate that the Government have announced a plan. I have not had a chance to look at it, but I can imagine what it contains broadly. The key thing is what stick is applied to public officials and Ministers, outside the core responsible Government Departments, to make sure that they take their responsibilities seriously, so I think some legislative proposals may be needed in that area.
Similarly on budgets, again the core responsible Departments—the Cabinet Office and the Department for Science, Innovation and Technology—will prioritise cyber-security. I fear that other Departments may not, so there is a strong argument for ringfencing cyber-security budgets for all Departments so that money cannot be transferred to more pressing short-term problems, as has often been the case, particularly, for example, in the NHS.
It is very important that we do not overlook the basics. It is very easy to talk about legislation or to talk in high-level terms about threats, but probably the single biggest thing we could do to deal with cyber-risks in this country is to make sure that every time every single business and private individual gets one of those annoying pings on their phone saying that they need to upgrade their software to the latest operating system—it is the same with their PCs, iPads and so on—they do so. That is done by providers, because they know that there is a cyber-risk, and there is a patch to address it. If the patch is applied immediately, that can have a huge effect on the resilience of the whole of society, and the NCSC constantly puts out that message.
We need to look at our resilience in society as a whole when we have a major cyber-attack. We have had major cyber-attacks, but they have tended to be in just one sector, albeit with cascading effects, as with JLR. We have not yet had a whole of society cyber-attack—either one that flows out of control from a criminal attack, or a deliberate attack from a hostile state cascading widely across all of society—affecting our electricity, water supplies and so on. I fear that it is only a matter of time before that happens, and we need to look at the resilience of individuals, including the ability to have analogue systems such as battery-powered torches, rather than electric torches, and so on. I started the work on that as a Minister, and I think more needs to be done in that space.
We also need to look at the question of emergency communications. It was certainly my experience that public sector broadcasters—such as, I think, the BBC—are not required to take emergency communications from the Government in such situations. I think that is a loophole that could be exposed in such a situation.
On resilience more broadly, we are in the foothills of the impact of AI. We are going to see vast impacts on employment and how people lead meaningful lives as AI advances more and more rapidly. For the resilience of our society, this House needs to have a much wider debate—not on this Bill, but more generally—about how we address the epoch-changing challenges we are facing.
In conclusion, I think this is a welcome piece of legislation and an important step forward. My hon. Friend the Member for Hornchurch and Upminster (Julia Lopez) correctly highlighted the very important challenges, and they will need to be addressed as this Bill passes through the House. I think it is an important step forward, but it is only one step, and once this legislation is enacted, we will need to be prepared to return to this issue again and again.