Simon Fell (Barrow and Furness) (Con)

- Hansard -

Copy Link

-

I thank my hon. Friend the Member for Bridgend (Dr Wallis) for securing this debate. Once upon a time I also applied for it, so I am glad that one of us got through the lottery.

I am the chair of the all-party parliamentary group on cyber security, and this is an issue that we have looked at time and again. We have looked at specific reform of the CMA, and frankly, with almost any issue we concentrate on, we keep coming back to the challenges that the CMA brings up for professionals. As others have done, I thank CyberUp for the support it has given, both to the APPG and in advance of this debate. When reforms are made to the CMA, it will be due in no small part to the advocacy that CyberUp and industry have put behind this.

My view is that the CMA is holding the UK back and making us less secure. It needs reform, and the urgency is very keenly felt in the industry. It is frankly ridiculous that we are reliant on a piece of legislation that came into force at the time of Windows 3.0, before Google and Amazon, and crucially before the internet had come into common use.

In the last meeting of the APPG on cyber security we had Ciaran Martin, the former head of the National Cyber Security Centre, before us, and we asked his view. It is hard to articulate how much he rolled his eyes when I asked the question, but clearly the view of those who operate in this space is that the time for change is now.

As it is currently written—I apologise, Sir Mark, for going over some of the same ground—the CMA inadvertently criminalises a large proportion of vulnerability and threat intelligence research that UK cyber-security professionals must carry out to protect the UK from cyber-threats such as the one affecting No. 10 that is in the news today, ransomware attacks and those from state actors such as Russia.

Let us be clear: the legal jeopardy that cyber-security professionals face is not theoretical but very real. We have heard from professionals who have been at the sharp end of the law for merely doing their jobs—probing weaknesses in order to fix them. At a time when the world has never been more connected, and there is inter-reliance between news, messaging, shopping, banking, security and leisure—the web of systems that hold modern society together—we need to ensure that the laws are fit for purpose and fulfil the roles they were enacted to achieve. I firmly believe that this one does not and we are the poorer for it.

It is worth spending a little time putting this in context and detailing the main challenges of an unreformed CMA. Cyber-security professionals identify vulnerabilities in products and services and work with manufacturers and vendors to fix them. They detect cyber-attacks, gain insights into attackers and victims, lessen the impact of incidents and prevent future ones. The Government’s “National Cyber Strategy 2022” recognised the value of that important work. It committed to building valuable and trusted relationships with the cyber-security researcher community to deliver a reduction in those vulnerabilities. But the CMA is currently a block to that, irrespective of the intent or motive of those doing the work. That leaves the UK’s cyber defenders having to act with one hand tied behind their back, because much of their defensive work requires interaction with compromised victims’ and criminals’ computer systems where owners will not give access or explicitly permit such activities.

Another aspect is that the Act is having a really damaging impact on the cyber-skills pipeline. In 2018, the Joint Committee on the National Security Strategy concluded that a shortage of “deep technical expertise” was one of the greatest challenges faced by the UK in relation to cyber-security. This year’s national cyber-security strategy made explicit the need to grow and improve sectoral skills in order to build UK resilience to threats. But we should be clear about the chilling effect that the CMA is having on doing that and the challenges that it throws up. The sector needs a diverse range of minds in order to continue to grow and to adapt to a changing environment. High-profile prosecutions enabled by the CMA for little more than pursuing public interest investigations reinforce negative stereotypes that may deter some from pursuing a career in cyber-security. If the UK is to meet the challenge of closing the cyber skills gap, it needs to stop criminalising the activity, and ultimately talent, that is needed to promote the industry and grow its share of the global cyber-security services market, which is currently dominated by North America. That will not only grow cyber skills in our own economy, but help to build cyber resilience and better defend the UK.

As my hon. Friend the Member for Bridgend pointed out, there are relatively simple tweaks that we think could be made to this legislation that would make a big difference in this space. They would unlock huge opportunities for the sector and our national resilience. As has been mentioned, the inclusion in the CMA of a statutory defence, not a blanket one—I think my hon. Friend the Member for Boston and Skegness (Matt Warman) was absolutely right on that—would give cyber-security professionals acting in the public interest a clear defence from prosecution. That would provide legal clarity for individuals, the industry and the state. We can learn much from our international partners in this space about how to achieve a fair balance and enact safeguards to ensure that new freedoms are not abused by those who are not on the side of the angels. I am talking about a clear framework that measures the defensibility of an action, proportionality, intent and competence and looks at a harm-benefit profile. They are the sorts of principles that we should be considering when looking at reform.

It seems bizarre that as we launch the National Cyber Force in Lancashire and as my local town deal brings a university campus focused on cyber-security in Barrow, the legal framework that will enable these people to do their jobs and practise their craft is lagging behind. It is clear from the national cyber-security strategy that, as a country and a Government, we do not lack aspiration in this space, and that is a really good thing. It is the burden of advanced nations to have to defend these new frontiers, but we must ensure that the framework is in place to support our good efforts and deliver on the opportunities that the strategy speaks about. A very good step would be reforming this Act and ensuring that those acting in the public interest have protection from unjust litigation. Doing that would make us all safer.