Bradley Thomas

- Hansard -

Copy Link

- - Excerpts

Q Are you able to quantify that in any way?

Ian Hulme: At the moment, to give you a few broad numbers our teams are around 15 people, and we anticipate doubling that. In the future, with self-funding, we will be a bit more in control of our own destiny. It is a significant uplift from our perspective.

Natalie Black: The challenge is that the devil is in the detail. Until that detail has worked through secondary legislation, we will have to reserve our position, so that we give you accurate numbers in due course. From Ofcom’s point of view, it is about adding 10s rather than significant numbers. I do not think we are that far off the ICO.

But I want to emphasise that this is about quality, not necessarily quantity. Companies want to work with expert regulators who really know what they are doing. Ofcom is building on the work we are already doing under the Telecommunications (Security) Act 2021. It will be a question of reinforcing that team, rather than setting up a separate one. We want to get the best, high-quality individuals who know how to talk to industry and really know cyber-security, to make sure people have a good experience when engaging with us.

Ian Hulme: To add to that, the one challenge we will face as a group is that we are all fishing in the same pond for skills. MSPs and others will also be fishing in that pond from the sector side. There needs to be recognition that there is going to be a skills challenge in this implementation.

Stuart Okin: To specifically pick up on the numbers, we have a headcount of 43 who are dedicated within cyber regulation. That also includes the investment side. We also have access to the engineering team—the engineering directorate—which is a separate team. There is also our enforcement directorate, as well as the legal side of things. The scope changes proposed in the Bill are just the large load controllers and supply chain, so we are not expecting a major uplift. These will be small numbers in comparison. Unlike my colleagues, we are not expecting a big uplift in resourcing.

Dr Spencer

- Hansard -

Copy Link

- - Excerpts

Q Natalie, I am going single out Ofcom, which has a lot on its plate at the moment, particularly when it comes to the implementation of the Online Safety Act 2023 and all its other duties. Are you set up to administer your duties under the Bill? Are your resources siloed, given Ofcom’s competing considerations, particularly over the next few years?

Natalie Black: That is a great question, and I am not at all surprised that you have asked it, given everything that is going on at the moment. As well as being group director for infrastructure and connectivity, I am also the executive member of the board, sitting alongside our chief executive officer, so from first-hand experience I can say that Ofcom really recognises how fast technology is changing. I do not think there is another sector that is really at the forefront of change in this way, apart from the communications sector. There are a lot of benefits to being able to sit across all that, because many of the stakeholders and issues are the same, and our organisation is learning to evolve and adapt very quickly with the pace of change. That is why the Bill feels very much like a natural evolution of our responsibility in the security and resilience space.

We already have substantial responsibilities under NIS and the Telecommunications (Security) Act 2021. We are taking on these additional responsibilities, particularly over data centres, but we already know some of the actors and issues. We are using our international team to understand the dynamics that are affecting the Online Safety Act, which will potentially materialise in the security and resilience world. As a collective leadership team, we look across these issues together. The real value comes from joining the dots. In the current environment, that is where you can make a real difference.

Bradley Thomas

- Hansard -

Copy Link

- - Excerpts

Q For the avoidance of doubt, I will put on the record that I am a member of the IPAC caucus in this Parliament. Thank you for coming in to see us. You have spoken about the threats from hostile and adversarial states. Given the scope of what we are talking about, can you give us any insight on what comparable western nations are doing to protect themselves?

Chung Ching Kwong: The US is probably a good example. It passed Executive order 14028 in May 2021, which requires any software vendor selling to the US federal Government to provide something called a software bill of materials—SBOM. That is technically a table of ingredients, but for software, so you can see exactly what components the software is made of. A lot of the time people who code are quite lazy; they will pull in different components that are available on databases online to form a piece of software that we use. By having vendors provide an SBOM, when anything happens, or whenever any kind of vulnerability is detected, you can very easily find out what happened.

That is due to a hack in 2021, in which a tiny, free piece of code called Log4j was found to have a critical vulnerability. It was buried inside thousands of commercial software products. Without that list of ingredients, it would be very difficult for people who had been using the software to find out, because, first, they may not have the technological capabilities and, secondly, they would not even know if their software had that component. This is one of the things the US is doing to mitigate the risks when it comes to software.

Something that is not entirely in the scope of the Bill but is also worth considering is the US’s Uyghur Forced Labour Prevention Act. That is designed to prevent goods made with forced labour from entering the supply chain. The logic of preventing forced labour is probably something that the UK can consider. Because the US realised that it could not inspect every factory in Xinjiang to prove forced labour, it flipped the script: the law creates a rebuttable presumption that all goods from that region are tainted, so the burden of proof is now on the importer to prove, with clear and convincing evidence, that their supply chain is clean.

A similar logic could be considered when it comes to this Bill to protect cyber-security. Any entities that are co-operating with the PLA—the People’s Liberation Army—for example, should be considered as compromised or non-trustworthy until proven otherwise. That way, you are not waiting until problems happen, when you realise, “Oh, this is actually tainted,” but you prevent it before it happens. That is the comparison that I would make.

Emily Darlington

- Hansard -

Copy Link

- - Excerpts

Q I want to move from software to hardware that is particularly vulnerable to potential cyber-attack, particularly from the integration of Chinese tech into SIPs, possibly making them vulnerable to cyber-attack by someone who knows the code into those bits of hardware. Should we be doing more to protect against that vulnerability? Should that be covered by the Bill?

Chung Ching Kwong: It should definitely be covered by the Bill, because if we are not regulating to protect hardware as well, we will get hardware that is already embedded with, for example, an opcode attack. Examples in the context of China include the Lenovo Superfish scandal in 2015, in which originally implemented ad software had hijacked the https certificate, which is there to protect your communication with the website, so that nobody sees what activity is happening between you and the website. Having that Superfish injection made that communication transparent. That was done before the product even came out of the factory. This is not a problem that a software solution can fix. If you were sourcing a Lenovo laptop, for example, the laptop, upon arrival, would be a security breach, and a privacy breach in that sense. We should definitely take it a step further and regulate hardware as well, because a lot of the time that is what state-sponsored attacks target as an attack surface.

The Chair

- Hansard -

Copy Link

I call Tim Roca.

Bradley Thomas

- Hansard -

Copy Link

- - Excerpts

Q With regard to skills, given the acute shortage and the growth of this industry, what do you propose to ensure that the public sector is adequately resourced, given what will undoubtedly be a very lucrative private sector appeal for that talent?

Kanishka Narayan: This is a great question. There are two things on my mind. One is that the Government have published a cyber action plan, the crux of which is to make sure that, from the point of view of understanding, principles, accountability and, ultimately, skills, there is significant capability in the public sector. The second thing to say is that we have a very broad-based plan on skills more generally across the cyber sector, public and private. For example, I am really proud of the fact that, through the CyberFirst programme, some—I think—415,000 students right across the country have been upskilled in cyber-security. It is deeply important that the public sector ensures that we are standing up to the test of hiring them and making the attraction of the sector clear to them as well. There is a broad-based plan and a specific one for the public sector in the Government context.

Lincoln Jopp

- Hansard -

Copy Link

- - Excerpts

Q Going back to our conversation with the head of IT security and compliance at NHS Greater Glasgow and Clyde and what could be designated an operator of essential services, and our subsequent conversation with Palo Alto, how do you envision that bit of the Bill working? Taking Glasgow as an example, while neither of us are doctors, we both broadly know what happens in hospitals—and there is also a doctor sitting to my right on the Committee, should we need one. On the example that I gave, given what is written in the Bill, how do you think it should work?

Kanishka Narayan: Do you mean operators of essential services, or critical suppliers, as in the third party element?