Asked by: Julie Elliott (Labour - Sunderland Central)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, whether the implementation plan for a cyber resilient health and adult social care system in England has been published.
Answered by Andrew Stephenson - Minister of State (Department of Health and Social Care)
The purpose of the implementation plan is to provide details on how we are going to be delivering our strategy over the current spending period. The plan will be published in spring 2024, but we are already delivering on the strategy through an ambitious Cyber Improvement Programme, aiming to invest up to £147.6 million by April 2025.
This programme is looking to further strengthen existing national cyber security controls for health and care, which already includes cyber monitoring 24 hours a day, seven days a week, through NHS England’s Cyber Security Operations Centre, national-scale defences from cyberattack, such as Secure Boundary, and nationally provided cyber incident response contracts in the event of a cyber incident.
Asked by: Julie Elliott (Labour - Sunderland Central)
Question to the Department of Health and Social Care:
To ask the Secretary of State for Health and Social Care, whether a supplier working group to better facilitate ongoing communication and dialogue with industry relating to health and social care data and cyber security has been established.
Answered by Andrew Stephenson - Minister of State (Department of Health and Social Care)
We have multiple mechanisms for engaging and working closely with suppliers, including supplier summits, direct relationships and through local organisations. In addition, we will shortly be launching the Cyber Suppliers Network to facilitate dialogue and visibility of ongoing efforts to more effectively secure data and manage cybersecurity.
Asked by: Marquess of Lothian (Conservative - Life peer)
Question to the Department for Digital, Culture, Media & Sport:
To ask His Majesty's Government what assistance they intend to provide to the British Library to aid (1) its recovery from the ransomware attack on 31 October 2023, and (2) the continuation of its research services; and what additional measures they have put in place to assist British institutions to (a) improve overall resilience, and (b) defend against cyberattacks.
Answered by Lord Parkinson of Whitley Bay - Parliamentary Under Secretary of State (Department for Culture, Media and Sport)
The National Cyber Security Centre and the Department for Culture, Media and Sport have been working closely with the British Library since the cyber-attack it sustained in October 2023. DCMS formed an incident response team, providing security guidance, recommendations and support to the British Library, and officials from the Department continue to work with their counterparts at the British Library.
The British Library is working hard to restore its services and began a phased return of key services on 15 January 2024.
Despite the cyber attack, the British Library’s buildings have remained open and well-used throughout, and it has maintained some key services including reading room access for personal study and some limited collection item ordering, exhibitions, learning events, business support, and onsite retail. In the immediate aftermath essential services such as WiFi and event ticket sales were quickly re-established.
On 15 January, the British Library restored a searchable online version of its main catalogue, comprising records of printed books, journals, maps, music scores and rare books.
The Government Cyber Security Strategy sets out our plan significantly to harden the Government’s critical functions against cyber attacks by 2025, with all Government organisations across the public sector being resilient to known vulnerabilities no later than 2030. We are working closely with publicly-funded institutions to enhance their overall cyber-resilience and to ensure that these targets are met.
Asked by: Lord Taylor of Warwick (Non-affiliated - Life peer)
Question to the Cabinet Office:
To ask His Majesty's Government, further to reports that spending on overseas cyber security programmes doubled last year, what assessment they have made of the impact of that increased spending on the cyber safety of (1) citizens, and (2) businesses.
Answered by Baroness Neville-Rolfe - Minister of State (Cabinet Office)
Programming on cyber security plays an important role in protecting commercial opportunities and sustaining UK competitiveness in a key growth sector as well as helping organisations and citizens better manage cyber risks. The Financial Year 2022/23 Annual Report on the Conflict, Stability and Security Fund highlighted increased spending and the transfer of a wide range of skills overseas to support UK cyber security objectives. This included public awareness campaigns and training with national Computer Security Incident Response Teams, ensuring critical assets overseas are better protected from cyber-attacks. As a result, UK Government-funded projects have led to the arrest of cyber criminals across Africa, improved threat intelligence sharing in the Indo Pacific, and supported the implementation of a new national Cyber strategy in Georgia.
Asked by: Seema Malhotra (Labour (Co-op) - Feltham and Heston)
Question to the Department for Education:
To ask the Secretary of State for Education, what recent estimate she has made of how many (a) colleges and (b) universities offer Higher Technical Qualifications (i) nationally and (ii) in each English region.
Answered by Robert Halfon
The department is delivering reforms to increase profile, prestige, and uptake of higher technical education. Central to these reforms is the introduction of Higher Technical Qualifications (HTQs). HTQs are level 4 and 5 qualifications (such as HNDs and Foundation Degrees) that have been approved against employer-developed standard and quality marked by the Institute for Apprenticeships & Technical Education (IfATE). This means students and employers can have confidence that HTQs provide skills employers need.
HTQs are currently available across the country and are being taught in colleges, universities, Institutes of Technology’s (IoTs), and Independent Training Providers (ITPs) across Digital, Construction and Health & Science subjects. These qualifications give the learner the skills for a range of great jobs including Cyber Security, Quantity Surveying, Sports Coaching and Nursing Associate.
There are 140 providers approved to begin teaching of HTQs in the 2023/24 academic year available at: https://www.gov.uk/government/publications/list-of-higher-technical-qualifications. The published list can be broken down by provider type and includes 111 FECs and 18 HEIs which are able to deliver HTQs from the 2023/24 academic year. While the data cannot be broken down by region, it is instead broken down by postcode and location. The department is updating the list of approved providers as new HTQs enter the market and more providers are onboarded to deliver the qualifications. An updated list will be ready in Spring 2024.
To support HTQ provision, £115 million in funding has been provided to colleges, universities, IoTs and ITPs to help grow provision across the country, on top of up to £300 million to create a network of 21 Institutes of Technology.
To date 172 qualifications have been approved as HTQs across seven occupational routes (Digital, Construction & the Built Environment, Health & Science, Business & Administration, Education & Early Years, Engineering & Manufacturing and Legal, Finance & Accounting), for first teach beginning between September 2022/20 to 2024.
To help HTQs be studied flexibly and around other commitments, since September 2023, HTQ learners are eligible for both tuition fee and maintenance loans whether they are studied full or part-time, on the same basis as degree level courses. HTQs will also be among the first courses eligible for modular funding when the Lifelong Learning Entitlement launches in the 2025/26 academic year.
Asked by: Maria Eagle (Labour - Garston and Halewood)
Question to the Ministry of Defence:
To ask the Secretary of State for Defence, with reference to page 50 of the Defence Equipment & Support Annual Report and Accounts 2022-23, what steps the DE&S Digital team have taken to deliver (a) internal information assurance and (b) the application of defence information assurance mechanisms across the supply chain.
Answered by James Cartlidge - Minister of State (Ministry of Defence)
The Defence Equipment and Support (DE&S) Digital team follows the ISO (International Organization for Standardization) 27001 international standard for information assurance. This measures the maturity of, and informs improvements to, the cyber security controls across business Information Technology systems. Through this process, DE&S is annually audited by an external body and remains certified following the most recent audit in late 2023. Observations from ISO27001 audits are included into mitigation plans which are then delivered through either an internal team of security professionals, or by industry partners on their behalf.
Security Assurance of MOD information across the supply chain is conducted as part of the Defence Cyber Protection Partnership (DCPP), a joint MOD and industry initiative to improve the protection of the defence supply chain from cyber threat. Through this process, DE&S contracts undergo a risk assessment and apply a cyber security control set proportionate to the sensitivity of the information held. DE&S Digital have an ongoing program of work to increase awareness and compliance to DCPP across the business, as well as participating in internal audits to check project compliance status so that improvements can be made where required.
Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what recent assessment his Department has made of the level of cyber threat posed to public (a) services and (b) institutions.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
Government and the wider public sector remain an attractive target to a broad range of cyber threat actors of every level of capability and motivation from nation states to cyber criminals.
In December last year, the UK and its allies exposed a series of attempts by the Russian Intelligence Services to target high-profile individuals and entities through cyber operations.
The Government Cyber Security Strategy (2022) includes as its key objectives 'protect against cyber attack', 'detect cyber security events', and 'develop the right cyber security skills, knowledge and culture' in order to ensure that the Government’s critical functions are cyber resilient.
The NSCS Active Cyber Defence (ACD) programme has several core services, including the Takedown Service and Protective Domain Name Service or PDNS. In 2022, the total number of takedowns conducted by the Takedown Service was 2.4 million. The same year, PDNS blocked over 5 million requests for domains associated with ransomware, a significant contribution to protecting UK organisations from this threat.
We have a comprehensive approach to attract and develop new talent, and to upskill cyber professionals. This includes the cyber apprenticeship and Fast Stream programmes. Cross-government awareness campaigns and training courses are available for all civil servants, including accredited and examination-based learning. We were recently recognised amongst the 2023 Top 100 Apprenticeship Employers nationally. We provide training for specific cyber roles and mid-career switchers with a high level of core skills.
At a national level, the Government is supporting the demand for skilled people in the strong and growing cyber industry with a diverse range of skills interventions. The Government is also looking at long-term solutions, including through the Digital and Computing Skills and Education Taskforce and support for the UK Cyber Security Council.
Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what steps he is taking to improve cyber security (a) training and (b) awareness in public sector organisations.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
Government and the wider public sector remain an attractive target to a broad range of cyber threat actors of every level of capability and motivation from nation states to cyber criminals.
In December last year, the UK and its allies exposed a series of attempts by the Russian Intelligence Services to target high-profile individuals and entities through cyber operations.
The Government Cyber Security Strategy (2022) includes as its key objectives 'protect against cyber attack', 'detect cyber security events', and 'develop the right cyber security skills, knowledge and culture' in order to ensure that the Government’s critical functions are cyber resilient.
The NSCS Active Cyber Defence (ACD) programme has several core services, including the Takedown Service and Protective Domain Name Service or PDNS. In 2022, the total number of takedowns conducted by the Takedown Service was 2.4 million. The same year, PDNS blocked over 5 million requests for domains associated with ransomware, a significant contribution to protecting UK organisations from this threat.
We have a comprehensive approach to attract and develop new talent, and to upskill cyber professionals. This includes the cyber apprenticeship and Fast Stream programmes. Cross-government awareness campaigns and training courses are available for all civil servants, including accredited and examination-based learning. We were recently recognised amongst the 2023 Top 100 Apprenticeship Employers nationally. We provide training for specific cyber roles and mid-career switchers with a high level of core skills.
At a national level, the Government is supporting the demand for skilled people in the strong and growing cyber industry with a diverse range of skills interventions. The Government is also looking at long-term solutions, including through the Digital and Computing Skills and Education Taskforce and support for the UK Cyber Security Council.
Asked by: Keir Mather (Labour - Selby and Ainsty)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, with reference to his oral contribution of 18 January 2024, Official Report, column 1003, what recent comparative assessment his Department has made of the effectiveness of steps being taken to understand the risks associated with (a) cyber security and (b) red-rated computer systems in (i) the UK and (ii) other countries.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
The National Cyber Strategy 2022 sets out the Government’s ambitions to raise levels of resilience across all sectors by 2025, with a particular focus on our Critical National Infrastructure and making government an exemplar. We are also strengthening protections to online services and connected consumer devices to reduce the cyber security burden on UK citizens.
We continually assess cyber risk and the implementation of the National Cyber Strategy. In August 2023, we published the first Annual Progress Report for the National Cyber Strategy 2022. The report demonstrates our progress against the five strategic objectives, demonstrating how we have adapted to a significantly shifting geopolitical landscape. It supports our aim to be transparent in the way we work and reinforces the UK’s status as a leading, responsible and democratic cyber power. The report highlighted the success in improving cyber resilience through the NCSC Cyber Action Plan and Cyber Essentials as well as disruptions such as the first tranche of cyber sanctions and the takedown of the GENESIS marketplace, a go-to service for cyber-criminals.
During the formulation of the Legacy IT Assessment Risk Framework, input was sought from various commercial and governmental entities to gather insights. These comparative assessments, conducted during the framework's design phase, aimed to strike a balance between aligning with industry standards for user familiarity and addressing the specific requirements of a standardised cross-government framework for evaluating risks associated with legacy digital technology assets.
Asked by: Tanmanjeet Singh Dhesi (Labour - Slough)
Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, whether his Department is taking steps to engage with the private sector to improve the cyber resilience of public services.
Answered by Alex Burghart - Parliamentary Secretary (Cabinet Office)
The Government is working with the private sector as part of our whole-of-society approach to delivering the National Cyber Strategy. The Strategy sets out the Government’s ambitions to raise levels of resilience across all sectors by next year, with a particular focus on our Critical National Infrastructure (CNI) and making government an exemplar.
As announced by the Deputy Prime Minister at the CyberUK conference in April 2023, the Government has set ambitious targets for all CNI sectors to strengthen their cyber resilience and plans to bring private sector businesses working in CNI within the scope of cyber resilience regulations.
The Government also works closely with the private sector through a range of advisory groups. The National Cyber Advisory Board, co-chaired by the Deputy Prime Minister invites senior leaders across the cyber ecosystem to support and inform the Government’s implementation of the National Cyber Strategy. The Board allows the Government to hear alternative viewpoints, invite challenge, and harness networks within the cyber sector and beyond.
The Government Cyber Security Advisory Board brings together leading cyber professionals from industry and academia to provide expertise and constructive challenge, as the Government delivers the Government Cyber Security Strategy.