Cyber Security and Resilience (Network and Information Systems) Bill – in a Public Bill Committee at 4:17 pm on 3 February 2026.
Emma Lewell
Labour, South Shields
4:46, 3 February 2026
We will now hear oral evidence from the Minister for AI and Online Safety, Kanishka Narayan. For this session, we have until 5.10 pm.
Ben Spencer
Shadow Minister (Science, Innovation and Technology)
Q Thank you, Minister, for giving evidence this afternoon. I have a couple of questions. The first is about the definitions in the Bill, whether of MSPs or otherwise. All day long we have heard from representatives of different sectors of the industry, and pretty much everyone has talked about the importance of consultation on the definitions and when they are applied in secondary legislation. A certain amount of that stuff will be in primary legislation, so what consultation have you had with industry in setting up the definitions in the Bill in the first place?
Kanishka Narayan:
Thank you for the question on definitions. I have two things to say on that. First, observing the evidence today, it is interesting that there are views in both directions on pretty much every definitional question. For example, on the definition of “incident thresholds”, I heard an expert witness at the outset of the day say that it is in exactly the right place, precisely because it adds incidents that have the capability to have an impact, even if not a directness of impact, to cover pre-positioning threats. A subsequent witness said that they felt that that precise definitional point made it not a fitting definition. The starting point is that there is a particular intent behind the definitions used in the Bill, and I am looking forward to going through it clause by clause, but I am glad that some of those tensions have been surfaced.
Secondly, in answer to your question on consultation, a number of the particular priority measures in the Bill were also consulted on under the previous Government. We have been engaging with industry and, in the course of implementation, the team has started setting up engagement with regulators and a whole programme of engagement with industry as well.
Ben Spencer
Shadow Minister (Science, Innovation and Technology)
Q Thank you, Minister, but I am not sure that you answered my question. What engagement have you had in terms of consulting with industry in setting those definitions?
Kanishka Narayan:
I have met a number of companies, but the relevant Minister has also had extensive engagement with both companies and regulators, including on the question of definitions. I do not have a record of her meetings, but if that is of interest, I would be very happy to follow up on it.
Ben Spencer
Shadow Minister (Science, Innovation and Technology)
Q I assume that you are referring to the previous Minister, who you took over from?
Kanishka Narayan:
I am referring to the Minister for Digital Economy, who is in the other place.
Ben Spencer
Shadow Minister (Science, Innovation and Technology)
Q Do you not think that, as the Minister taking this through the Commons, you should have also had some of those meetings and consultations?
Kanishka Narayan:
I have had some meetings but, as the Minister in charge of this Bill, she has been very engaged with businesses, so I think that is fitting. We have obviously worked very closely together, as we normally do, in the course of co-ordinating across the two Chambers.
Ben Spencer
Shadow Minister (Science, Innovation and Technology)
Q What conversations have you had with the Secretary of State regarding guardrails on the extensive powers in this Bill that were referred to earlier?
Kanishka Narayan:
I have spoken to the Secretary of State about the Bill, including the reserve powers, and we have agreed that the policy objective is very clear. I do not think I am in a position to divulge particular details of policy discussions that we have had; I do not think that would be either appropriate or a fitting test of my memory.
Ben Spencer
Shadow Minister (Science, Innovation and Technology)
Q Do you think there is a potential need for guardrails?
Kanishka Narayan:
I think the guardrails in the Bill are very important, absolutely. The Bill provides that, where there is an impact on organisations or regulators, there is an appropriate requirement for both deep consultation and an affirmative motion of the House. I think that is exactly where it ought to be, and I do not think anything short of that would be acceptable.
Christopher Vince
Labour/Co-operative, Harlow
Q Thank you for your time, Minister. Listening to the evidence and looking at the Bill, what strikes me is that this is about a balance between the importance of flexibility—particularly given the increase in threat and the complexity of the issues we face—and businesses wanting certainty. Do you feel confident that the Bill strikes that balance, and how have you sought to ensure that it does?
Kanishka Narayan:
The primary thing to say is that the range of organisations—commercial ones as well as those from the cyber-security world more generally—coming out to welcome the Bill is testament to the fact that it is deeply needed. I pay tribute to the fact that some of the provisions were engaged on and consulted on by the prior Government, and there is widespread consensus across industry and in the regulatory and enforcement contexts about the necessity and the quality of the Bill. On that front, I feel we are in a good place.
On specific questions, of course, there is debate—we have heard some of that today—but I am very much looking forward to going through clause by clause to explain why the intent of the Bill is reflected in the particular definitions.
Bradley Thomas
Conservative, Bromsgrove
Q Would the cyber-attacks on JLR and M&S that took place last year be in the scope of this Bill?
Bradley Thomas
Conservative, Bromsgrove
Q Do you think they should be within scope?
Kanishka Narayan:
Let me place the focus of this Bill in the global context. As we have heard, there is a range of legislative as well as non-legislative measures on cyber-security. It is deeply important that every organisation, whether in scope of the Bill or not, acts robustly, and we will look at that, not least through the cyber action plan, which I know industry welcomed earlier today and which we are looking forward to publishing very soon.
The particular focus of this Bill is on essential services, the disruption of which would pose an imminent threat—for example, to life and to our economy—in the immediate context. For reasons that we can dive into, if you look at a market such as food supply, the diversity, competitive nature and alternative provision in that market are so obvious that to designate it as fitting the definitional scope I have just highlighted would not be an evidence-led way of engaging.
Bradley Thomas
Conservative, Bromsgrove
Q But would you like to see a Bill that goes further and has broader scope?
Kanishka Narayan:
As I have said, this legislative vehicle is focused on really high standards of rigour for essential services. I am very keen to ensure that, in the first instance, we are engaging with those companies through the cyber action plan and the National Cyber Security Centre’s framework and to ensure that, as a consequence of those, they are in a robust place.
Bradley Thomas
Conservative, Bromsgrove
Q With regard to skills, given the acute shortage and the growth of this industry, what do you propose to ensure that the public sector is adequately resourced, given what will undoubtedly be a very lucrative private sector appeal for that talent?
Kanishka Narayan:
This is a great question. There are two things on my mind. One is that the Government have published a cyber action plan, the crux of which is to make sure that, from the point of view of understanding, principles, accountability and, ultimately, skills, there is significant capability in the public sector. The second thing to say is that we have a very broad-based plan on skills more generally across the cyber sector, public and private. For example, I am really proud of the fact that, through the CyberFirst programme, some—I think—415,000 students right across the country have been upskilled in cyber-security. It is deeply important that the public sector ensures that we are standing up to the test of hiring them and making the attraction of the sector clear to them as well. There is a broad-based plan and a specific one for the public sector in the Government context.
Tim Roca
Labour, Macclesfield
Q The Committee heard this morning about the public sector’s level of technical debt. This Bill is important in terms of safeguarding essential services, but we heard that an important factor—notwithstanding this Bill—is tackling the enormous number of legacy systems. How do you see us running the two in parallel?
Kanishka Narayan:
That is a great question. Broadly, the Bill takes a risk-based and outcomes-focused approach, rather than a technology-specific one. I think that is the right way to go about it. As we have heard today and beyond, there are some areas where frontier technology—new technology such as AI and quantum, which we talked about earlier today—will pose specific risks. There are other areas where the prevalence of legacy systems and legacy database architectures will present particular risks as well.
The Bill effectively says that the sum total of those systems, in their ultimate impact on the risk exposure of an organisation, is the singular focus where regulators should place their emphasis. I would expect that individual regulators will pay heed to the particular prevalence of legacy systems and technical debt as a source of risk in their particular sectors, and as a result to the mitigations that ought to be placed. I think that being technology agnostic is the right approach in this context.
Lincoln Jopp
Conservative, Spelthorne
Q Going back to our conversation with the head of IT security and compliance at NHS Greater Glasgow and Clyde and what could be designated an operator of essential services, and our subsequent conversation with Palo Alto, how do you envision that bit of the Bill working? Taking Glasgow as an example, while neither of us are doctors, we both broadly know what happens in hospitals—and there is also a doctor sitting to my right on the Committee, should we need one. On the example that I gave, given what is written in the Bill, how do you think it should work?
Lincoln Jopp
Conservative, Spelthorne
I meant operators of essential services.
Kanishka Narayan:
The Bill effectively specifies operators of essential services as large participants in the essential services sectors. I think that that definition is very straightforward. The hospital in this question would be an operator of an essential service. If the question extends to critical third party suppliers—
Lincoln Jopp
Conservative, Spelthorne
Q Sorry, I misspoke. I mean an SME that is deemed a critical supplier. Who is going to deem them so? Which of the many regulators at play in that hospital is going to decide who is a critical supplier?
Kanishka Narayan:
There are two things to say on this. There is at least a four-step test on the face of the Bill for what would qualify as a critical supplier. First, a critical supplier has to supply to an operator of an essential service, in this case the hospital. Secondly, the supplier itself must engage with important network and information systems. Thirdly, the disruption to that third party supplier would have to cause a material disruption to the operator in question—in this case, if the third party supplier falls over from a cyber-security point of view, there would be material and business continuity disruption to the hospital. Fourthly, not only that, but that disruption would have to be sufficiently severe in its impact to be in scope. That is one set of things. Underlying that is a further test in the Bill, whereby alternative provision of that third party supply could not be secured in a practicable way. The combination of those tests means that the scope set out for the critical third party suppliers is extremely tight and robust.
Then there is still the question, having gone through that five-step test, of the particular burden placed on relevant suppliers in scope. My expectation and hope would be that regulators take a much more proportionate approach there than to set the precise same conditions on those suppliers as they do on the operator in question; in particular, that the burden on them is placed specifically in sight of the directional risk that they pose to the operator, rather than the risk in sum for that third party supplier.
The first thing is therefore that the Bill clearly specifies a very tight scope. The second is that it does not seem to me, as a relative novice to both the medical world and cyber-security, unusual to have a specification of this nature in a Bill. Given my professional context, I am particularly conscious of the very clear and critical third party comparable requirement in the Financial Services and Markets Act 2000, which focuses on both cyber-security and supply chain risks. That has worked relatively proficiently in that context, so I hope that there are some good lessons to learn from that.
Lincoln Jopp
Conservative, Spelthorne
Q That is a very clear answer on the steps that have to be followed. Do you envisage that each regulator in, for example, the NHS Greater Glasgow and Clyde will follow the steps from their perspective? The first one might produce 20 SMEs that need to be in scope, and the next one might produce another 20, and so on. There might be a bit of overlap. Is that the way it is meant to work, or are all the regulators meant to get together and say that they have looked at it holistically, done the step test, and now have the answer?
Kanishka Narayan:
The way in which I would envisage it is that each individual regulator assesses the critical nature of the risk posed to its regulated operators. If a hospital has a third party supplier, and the presence and nature of its supply means that there is a critical risk exposure for the hospital, that would be in scope for some degree of regulation in the Bill. To your question, if there is a comparable but separate hospital in a part of England that is separately regulated, but has the same third party supplier, there is obviously a question of whether that third party supplier would end up being regulated twice if the criticality threshold is met. In that instance, and in other similar instances of multiple regulators covering the same third party supplier, I would expect a high degree of co-ordination. In fact, the provisions in the Bill, as well as my hopes for subsequent guidance, are focused on our efficiency and proportionality when there are multiple regulators. However, I think the assessment has to be undertaken by each regulator on a separate basis, because the question being assessed is not the nature, the sum risk, of the third party supplier in itself, but the risk posed by its relationship to the operator it is providing to—if that makes sense.
Lincoln Jopp
Conservative, Spelthorne
Q To be very clear, the three regulators we had here today were the Information Commissioner, Ofgem and Ofcom. If they thought that they had a locus because of something that that hospital did, all three would do the step test, they would come up with their bucket of SMEs that they wanted to bring into scope, and those would be added together and that would be the impact.
Kanishka Narayan:
Yes, I guess, added together in the sense that they would be separately regulated, but they would all come within the scope of the regulations. Where there is an overlap in the party being regulated, my hope is that the Bill provides for individual regulation, but is very much open to the prospect of a lead regulator engaging in a softer way with the other regulators, as long as each regulator feels that that has assured them of the risk.
Andrew Cooper
Labour, Mid Cheshire
Q We have heard evidence today about the appropriateness of individual sectoral regulators being responsible for this, versus a single regulator. Perhaps unsurprisingly, the sectoral regulators were in favour of a sectoral approach, and we heard differing views from other people. The hon. Member for Bromsgrove already covered the point about whether there are sufficient skills available to staff up all the sectoral regulators to the appropriate level to adequately cover this function.
We have heard quite a bit about how important it will be, if taking a sectoral approach, to make sure that sharing information between regulators works smoothly, and that there are no information silos. The witness from Ofcom talked about an annual report to the National Cyber Security Centre. That sent chills down my spine, though I am sure she did not mean it quite in that way. How will you ensure that there is an adequate flow of information between regulators in a timely manner? They might not realise that there is cross-sectoral relevance, but when that information is provided to another regulator, it might turn out that there is. How do you address the importance of a single point of reporting that we heard about time and again from witnesses today?
Kanishka Narayan:
Those are really important points. In terms of supporting the quality, frequency and depth of information sharing, first, the Bill provides the legal possibility of doing that in a deeper way. It gives the permission and the ability to do that across regulators.
Secondly, in the light of the implicit expectation of that information sharing, the National Cyber Security Centre already brings together all the relevant regulators for deeper conversation and engagement on areas of overlap, best practice sharing, and particularly the sharing of information related to incidents and wider risk as a result. I hope that will continue to be systematic.
On the question of a single reporting avenue, the National Cyber Security Centre, from an incident and operational point of view, is clearly the primary and appropriate location during the implementation of the Bill. From my conversations with the centre and its conversations with the regulators, I know there has been engagement to ensure that it remains a prompt venue for regulators to feed in their information.
Andrew Cooper
Labour, Mid Cheshire
Q With respect, Minister, that sounds like quite a lot of, “This is what I hope will happen and this is what I wish to happen.” How will you mandate that it happens? Does there need to be something in the legislation to ensure that there is a duty of candour between regulators?
Kanishka Narayan:
The Bill currently says, “We are now giving you the power to be able to do information sharing.” The Bill, as well as other specific bits of wider legislation, has clear expectations on regulators to carry out their regulatory duty. If there appears to be a challenge in the frequency and quality of information sharing, we will of course look at whether we need to go further, but at the moment, giving them substantive permission and the fact that they have clear regulatory responsibilities individually is a very powerful combination.
Emma Lewell
Labour, South Shields
I think this might be the last question to the Minister.
David Chadwick
Liberal Democrat Spokesperson (Wales)
Q I have two questions. Why have electoral services provided by local authorities not been considered as critical infrastructure?
Kanishka Narayan:
As I mentioned at the outset, the scope of the sectors is focused on a specific test: are they essential services, the disruption to which could cause an immediate threat to life or have an extremely significant impact on the day-to-day functioning of the country? I do not mean to diminish the significance of electoral services, but, notwithstanding their significant impact on me as a candidate on election day, the test does not appear to be met.
David Chadwick
Liberal Democrat Spokesperson (Wales)
Q Got it. The other question is about board-level responsibility. Numerous witnesses said that they would like to see more on board-level responsibility and people working within organisations, particularly chief information security officers, to strengthen their hands and make sure cyber-security measures are in place. What is your response to that?
Kanishka Narayan:
It is absolutely critical that boards take their responsibilities to the organisation and the consequences of being in a regulated sector very seriously. The scope of the Bill has been mentioned. The Secretary of State wrote to FTSE 350 businesses, as well as a range of small businesses, to make that point very clear. The cyber assessment framework has particular requirements for boards to take their cyber-security responsibilities seriously. In the course of implementing the Bill and in the secondary legislation process, we will look to ensure that specified security and resilience activities, including the possibility of specific responsibilities, are set out very clearly.
Emma Lewell
Labour, South Shields
Dr Allison Gardner, you have two minutes.
Allison Gardner
Labour, Stoke-on-Trent South
Q I will be quick. Much of my question was already asked. I will just say that proportionality is a known principle within regulation and I take that into account. I want to push on an issue that was raised. When you are dealing with different regulators with a cross-regulatory theme, you often get conflicting guidelines. It is a big headache for people. Again, you get the gaps and the duplication. To ensure my understanding, who will oversee making sure that the regulators align with each other to make it easier for people working within the sectors? Otherwise, they will go to one regulator and it will say one thing, and another will say another thing.
Kanishka Narayan:
It is an important point. We know that the quality of current regulation for cyber-security varies across regulators. As an earlier panellist said, there is virtue in the fact that we have not set an effective cap on where regulators can go by having a single standard. At the same time, we need to make sure that we are raising a consistent floor of quality and proportionality judgments.
First, there is obviously constant oversight of each regulator through the lead Departments. In my case, for example, we consistently engage with Ofcom on a range of areas, including this one, to ensure the quality of regulation and that proportionality judgment is appropriately applied. Secondly, there is a clear commitment in the Bill for the Secretary of State to report back, on a five-year basis, on the overall implementation of the regime proposed in the Bill. That will be when we can get a global view of how the whole system is working.
Emma Lewell
Labour, South Shields
That brings us to the end of the time allotted for the Committee to ask questions, and to the end of the sitting. On behalf of the Committee, I thank the Minister for his evidence.
CSRB01A Rob Newby (on the Energy sector)
CSRB01B Rob Newby (on the Retail sector)
CSRB02 Rik Ferguson
CSRB03 Fortaegis
CSRB04 Open Rights Group
CSRB05 ISACA
CSRB06 UK Cyber Security Council (UK CSC)
CSRB07 Richard Holland
CSRB08 Institution of Engineering and Technology (IET)
CSRB09 PauseAI UK
CSRB10 ISC2
CSRB11 Doctors Lam and Seifert
CSRB12 Zurich UK
CSRB13 Philip Virgo
CSRB14 UK Finance
CSRB15 Cybersecurity Business Network
CSRB16 Liberty and Privacy Internationals
CSRB17 iProov
CSRB18 CyberUp Campaign
CSRB19 Infoblox
CSRB20 Natural Gas