Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting) Debate

Full Debate: Read Full Debate
Department: Department for Science, Innovation & Technology

Sarah Russell

Main Page: Sarah Russell (Labour - Congleton)

Department Debates - View all Sarah Russell's debates with the Department for Science, Innovation & Technology


Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)

Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)

Sarah Russell Excerpts

Railways Bill (Ninth sitting)
Committee stage
Tuesday 3rd February 2026

(1 day, 13 hours ago)

Public Bill Committees
Share Debate
Read Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
None Portrait The Chair
- Hansard -

We have only five minutes left for this session, so if we can have concise questions and answers we might get everyone in.

Sarah Russell Portrait Sarah Russell (Congleton) (Lab)
- Hansard -
-

Q One of the things talked about this morning was that the risk in these relationships and sectors will simply be managed down the supply chain until it is essentially contracted out of existence, because the smallest organisations that end up holding the risk will be incapable of effectively managing it. Should they fail, because they have not failed the risk and their liabilities become so big, they will just collapse. It will not be possible for you guys to manage the entirety of the supply chain down, so how do you see your enforcement capabilities and the adequacy or otherwise of the legislation in that context?

Stuart Okin: Essentially, we would not go all the way down the supply chain. First, the operators of essential services are defined very much by the thresholds. Ultimately, they are the first point of responsibility. On the critical third party suppliers that have been brought in by the Bill, there will be a small number of those that, for energy, are for the entire systemic system of the UK, not the smaller entities. So we will hold those to account. On the enforcement side of things, if and when it comes to that, they will be in the same situation as the current operators of essential services are today. We welcome the simplification in the Bill and bringing those into the same sectorial powers and the same types of fines that we see today. It will not go down to those minutiae of detail. Again, the secondary legislation gives you the ability to define that.

Natalie Black: To keep it brief, we welcome the supply chain being brought into scope because we are all well aware that the most high-profile recent incidents often emanated from the supply chain. That said, we should be very honest about the complexity of entering this space, exactly for all the points that you have alluded to in terms of volume and scale and everything. We are already using this time to work through what our methodology will be. Engaging with the operators of essential services who are ultimately the customer of these suppliers has to be a starting point in terms of who they are most worried about in their supply chain. As Stuart says, you will see some commonality across all our sectors, so the numbers might not be as big as we might at first think, but this is what we need to work through over the coming months.

Ian Hulme: From an ICO perspective, one of the big tasks that we are going to have in understanding the MSP market is what their supply chains look like. We are perhaps a little behind colleagues in other regulators because of the difference in the regulatory regime, but that is one of the tasks that we will have to get to grips with.

None Portrait The Chair
- Hansard -

I call Freddie van Mierlo. You have one minute.

--- Later in debate ---
Ben Spencer Portrait Dr Spencer
- Hansard -
- - Excerpts

Q Thank you for coming to give evidence this afternoon. I have a couple of questions. First, how can industry and cyber-security researchers collaborate more effectively to increase cyber-resilience in the network and information systems of regulated sectors? Secondly, and building on that, are there any model schemes or arrangements for reporting risks to affected companies that could incentivise legitimate research activities?

Professor John Child: My specialism is in criminal law, so this is a bit of a side-step from a number of the pieces of evidence you have heard so far. Indeed, when it comes to the Bill, I will focus on—and the group I work for focuses on—the potential in complementary pieces of legislation, and particularly the Computer Misuse Act 1990, for criminalisation and the role of criminalisation in this field.

I think that speaks directly to the first question, on effective collaboration. It is important to recognise in this field, where you have hostile actors and threats, that you have a process of potential criminalisation, which is obviously designed to be effective as a barrier. But the reality is that, where you have threats that are difficult to identify and mostly originating overseas, the actual potential for criminalisation and criminal prosecution is slight, and that is borne out in the statistics. The best way of protecting against threats is therefore very much through the use of our cyber-security expertise within the jurisdiction.

When we think about pure numbers, and the 70,000-odd cyber-security private experts, compared with a matter of hundreds in the public sector, police and others, better collaboration is absolutely vital for effective resilience in the system. Yet what you have at the moment is a piece of legislation, the Computer Misuse Act, that—perfectly sensibly for 1990—went with a protective criminalisation across-the-board approach, whereby any unauthorised access becomes a criminal offence, without mechanisms to recognise a role for a private sector, because essentially there was not a private sector doing this kind of work at the time.

When we think about potential collaboration, first and foremost for me—from a criminal law perspective—we should make sure we are not criminalising effective cyber-security. The reality is that, when we look at the current system, if any authorised access of any kind becomes a criminal offence, you are routinely criminalising engagement in legitimate cyber-security, which is a matter of course across the board. If you are encouraging those cyber-security experts to step back from those kinds of practices—which may make good sense—you are also lessening that level of protection and/or outsourcing to other jurisdictions or other cyber-security firms, with which you do not necessarily have that effective co-operation, reporting and so on. That is my perspective. Yes, you are absolutely right, but we now have mechanisms in place that actively disincentivise that close collaboration and professionalisation.

Sarah Russell Portrait Sarah Russell
- Hansard -
-

Q Professor Child, I note that you are very supportive of legal reform in quite a number of areas. With emphasis on the Computer Misuse Act, surely the reality is that the Crown Prosecution Service will never conclude that it is in the best interests of the country to prosecute any of the behaviours that people are concerned about, which we recognise as positive and helpful. Is there a need for legal reform?

Professor John Child: Yes. It is not the easiest criminal law tale, if you like. If there were a problem of overcriminalisation in the sense of prosecutions, penalisation, high sentences and so on, the solution would be to look at a whole range of options, including prosecutorial discretion, sentencing or whatever it might be, to try to solve that problem. That is not the problem under the status quo. The current problem is purely the original point of criminalisation. Think of an industry carrying out potentially criminalised activity. Even if no one is going to be prosecuted, the chilling effect is that either the work is not done or it is done under the veil of potential criminalisation, which leads to pretty obvious problems in terms of insurance for that kind of industry, the professionalisation of the industry and making sure that reporting mechanisms are accurate.

We have sat through many meetings with the CPS and those within the cyber-security industry who say that the channels of communication—that back and forth of reporting—is vital. However, a necessary step before that communication can happen is the decriminalisation of basic practices. No industry can effectively be told on the one hand, “What you are doing is vital,” but on the other, “It is a criminal offence, and we would like you to document it and report it to us in an itemised fashion over a period of time.” It is just not a realistic relationship to engender.

The cyber-security industry has evolved in a fragmented way both nationally and internationally, and the only way to get those professionalisation and cyber-resilience pay-offs is by recognising that the criminal law is a barrier—not because it is prosecuting or sentencing, but because of its very existence. It does not allow individuals to say, “If, heaven forbid, I were prosecuted, I can explain that what I was doing was nationally important. That is the basis on which I should not be convicted, not because of the good will of a prosecutor.”

Allison Gardner Portrait Dr Gardner
- Hansard -
- - Excerpts

Q I have a couple of unconnected questions. We have asked a couple of times whether senior board members should have legal, statutory responsibility for cyber. The pros are that it is not seen as a priority, and culture change has to be top-down. However, there are issues with smaller companies bearing a responsibility that is diffused along the supply chain. Also, boards that tend to have a focus on providing returns for shareholders may not be investing in this complex arena. I am interested in your thoughts on whether the Bill does enough to make senior executives responsible for their organisations’ cyber-security.

Professor John Child: I think the Bill does a lot of things quite effectively. It modernises in a sensible way and it allows for the recognition of change in type of threat. This goes back to my criminalisation point. Crucially, it also allows modernisation and flexibility to move through into secondary legislation, rather than us relying purely on the maturations of primary legislation.

In terms of board-level responsibility, I cannot speak too authoritatively on the civil law aspects, but drawing on my criminal law background, there is something in that as well. At the moment, the potential for criminalisation applies very much to those making unauthorised access to another person’s system. That is the way the criminal law works. We also have potential for corporate liability that can lead all the way up to board rooms, but only if you have a directing mind—so only if a board member is directing that specific activity, which is unlikely, apart from in very small companies.

You can have a legal regime that says, whether through accreditation or simple public interest offences, that there are certain activities that involve unauthorised access to another person’s system, which may be legitimate or indeed necessary. However, we want a professional culture within that; we do not want that outsourced to individuals around the world. You can then build in sensible corporate liability based on consent or connivance, which goes to individuals in the boardroom, or a failure-to-prevent model of criminalisation, which is more popular when it comes to financial crimes. That is where you say, “If this exists in your sector, as an industry and as a company, you can be potentially liable as an entity if you do not make sure these powers are used responsibly, and if you essentially outsource to individuals in order to avoid personal liabilities”.

Return to start of debate - Return to top of page