“(1) For the purposes of informing action taken under Part 4 of this Act, the Secretary of State must, by regulations, establish and maintain a register of foreign powers that the Secretary of State believes present a risk to the United Kingdom’s critical network and information systems within six months of the passing of this Act.

(2) Foreign powers designated by the Secretary of State under subsection (1) must include states –

(a) which have been confirmed by GCHQ as having—

(i) perpetrated, or attempted to perpetrate, a cyber-attack in the UK in the preceding seven years,

(ii) targeted, or intended to target, that attack at the network or information systems of one or more operators of an essential service or critical suppliers, or

(iii) carried out, or intended to carry out, that attack through a state department, agency or affiliate group,

(b) which GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.

(3) Regulations under this section are subject to the affirmative resolution procedure.

(4) In this section, “foreign power" means–

(a) the sovereign or other head of a foreign state in their public capacity;

(b) a foreign government, or part of a foreign government;

(c) an agency or authority of a foreign government, or of part of a foreign government;

(d) an authority responsible for administering the affairs of an area within a foreign country or territory, or persons exercising the functions of such an authority; or

(e) a political party which is a governing political party of a foreign government. A political party is a governing political party of a foreign government if persons holding political or official posts in the foreign government or part of the foreign government—

(i) hold those posts as a result of, or in the course of, their membership of the party, or

(ii) in exercising the functions of those posts, are subject to the direction or control of, or significantly influenced by, the party.”

This new clause would require the Government to maintain a register of state actors posing a threat to UK cyber security for the purposes of exercising the Secretary of State’s powers under Part 4 of the Act, which enable the giving of directions in the interests of national security.—(Dr Spencer.)

Brought up, and read the First time.

I beg to move, That the Clause be read a Second time.

With this it will be convenient to discuss the following:

New clause 3—Register of foreign powers for the purposes of Part 4: review of nature of risk—

“(1) For each foreign power added to the register established under section [Register of foreign powers for the purposes of Part 4], the Secretary of State must review the extent and nature of the risk posed to the network and information systems of operators of essential services and critical suppliers, including whether the risk arises –

(a) from activities undertaken outside of the UK, or

(b) from foreign owned or controlled infrastructure or locations within the UK.

(2) Within six months of the establishment of the register under section [Register of foreign powers for the purposes of Part 4(1)], the Secretary of State must lay before Parliament a report containing –

(a) the findings and conclusions of the review conducted under subsection (1), and

(b) the Government’s plan for addressing the risks identified.

(3) If the Secretary of State considers that laying a report, or any portion of a report, under subsection (2) would be contrary to the interests of national security, the Secretary of State must make a statement to Parliament confirming that –

(a) a review has been conducted under subsection (1), and

(b) that the report, or a portion of the report, cannot be laid before Parliament for reasons of national security.”

This new clause would require the Government to report on the risk to relevant network and information systems posed by foreign powers appearing on the register established by NC2 considering whether such risks arise from extra-territorial activities and infrastructure or premises owned or controlled by foreign powers.

New clause 13—Statement on risks posed to systems by foreign interference—

“(1) The Secretary of State must, within 12 months of the passing of this Act, publish a statement of the Government’s plans in relation to risks to the security and resilience of network and information systems arising from foreign interference.

(2) Any statement under this section must—

(a) set out the Government’s intentions to assess, manage and mitigate the risks posed, or which could potentially be posed, to the security and resilience of network and information systems by foreign interference in such systems;

(b) include risks associated with—

(i) hardware,

(ii) software,

(iii) supply chains,

(iv) procurement processes, and

(v) the use of, or reliance on, foreign technologies or systems;

(c) include a specific focus on government digital procurement processes.

(d) where risks are identified under (2)(b)(v), state whether the Government intends to address these risks by encouraging or supporting the use of domestic technologies or systems.”

This new clause would require the Government to publish a statement of how it intends to address and mitigate any risks to network and information systems posed by foreign interference.

New clause 15—Review of high-risk bodies—

“(1) The Secretary of State must, within six months of the passing of this Act, publish and lay before Parliament a review of the national security risks posed to relevant network and information systems by foreign state ownership or control of relevant bodies.

(2) A review under this section must assess—

(a) the number of relevant bodies which are owned, in whole or in part, by a foreign state or a foreign state-owned enterprise;

(b) the risk of such bodies being compelled to facilitate unauthorised access to, or surveillance of, network and information systems in the United Kingdom; and

(c) the adequacy of current powers under Part 4 (Directions for national security purposes) to mitigate such risks posed to the security and resilience of essential activities.

(3) In this section—

“relevant body” means—

(a) an operator of an essential service,

(b) a relevant digital service provider,

(c) a relevant managed service provider, or

(d) a critical supplier

within the meaning of the NIS Regulations.

“foreign state-owned enterprise” means a body corporate in which a foreign state has a controlling interest;

“network and information systems” has the meaning given by section 24(1).”

This new clause would require the Government to review the security risks posed by critical suppliers and essential service providers linked to foreign states and evaluate whether current powers are sufficient to address these threats.

New Clause 2 contains an obligation for the Secretary of State to establish and maintain by regulation a list of foreign powers presenting a significant cyber-security risk to the UK. The list must include states that have been confirmed by GCHQ as having perpetrated a cyber-attack, whether by a state department, agency or affiliate, on the UK in the preceding seven years. It must also include foreign powers that GCHQ has warned pose a risk to the security or resilience of the network or information systems of one or more operators of an essential service or critical suppliers.

New clause 3 would compel the Secretary of State to review and report to Parliament on the risk to networks and information systems posed by foreign powers appearing on the register under new clause 2, with specific regard to activities undertaken from abroad and the risk posed by locations or premises controlled by those states in the United Kingdom. New clauses 13 and 15, in the name of the hon. Member for Henley and Thame, look as if they have been tabled in the same spirit of genuine concern about the risk of foreign hostile state interference and control in critical systems and supply chains.

There is an established precedent in UK legislation for maintaining registers or lists of hostile state actors and other entities presenting a threat to our national security for use by Government. That includes the foreign influence registration scheme under the National Security Act 2023, which came into effect last year. Russia and Iran were placed on an enhanced tier of the scheme, which applies to foreign powers considered to pose a risk to the UK’s safety or interests. The Government said that that was in response to those countries being identified as presenting an elevated national security risk. China was conspicuous by its absence, despite the director of GCHQ having confirmed in 2024 that her organisation devotes more resource to China than to any other single mission.

New clause 2 would compel the Government formally to recognise what is readily apparent to His Majesty’s loyal Opposition, our security services and so many Members on both sides of the House, who have spoken with urgent concern about the security risk that China poses to the United Kingdom. In 2024, the NCSC confirmed that Chinese state-affiliated actors were responsible for cyber-attacks on the UK Electoral Commission and Parliament in 2021-22. China would therefore clearly meet the criteria to be included on the Secretary of State’s register under this clause.

The NCSC has also issued stark warnings about the cyber-security threat that China poses to critical sectors in the UK in its 2024 and 2025 annual reviews. The NCSC stated that the targeting of energy, transportation and water sectors could be laying the groundwork for future disruptive and destructive cyber-attacks and is a clear warning about China’s intent to threaten essential networks. Yet the Government remain reluctant to name China as a threat to UK national security, including during recent high-profile debates such as those relating to the profoundly regrettable decision to green-light the China super-embassy planning application.

The Shadow Minister will forgive me for taking the opportunity to defend the Government and the Prime Minister; I was not expecting to do that in this Committee this week. I reassure Members across the House that this Prime Minister and Government put national security first. The shadow Minister will know that intelligence agencies have been consulted about the relocation of the Chinese embassy. He will also be aware that the proposed new site at Royal Mint Court is actually further away from this place than the current site.

Frankly, I find it astounding that, according to my understanding, in response to the planning decision being granted our security services said that they would take measures to start moving sensitive digital cables. It strikes me that a decision about sensitive digital cables should have been pertinent to the planning application in the first place.

The Government remain reluctant to name China as a threat to UK national security, despite the overwhelming and growing portfolio of evidence. In case the Government are still in any doubt, we need look only at the oral testimony given to this Committee by the Inter-Parliamentary Alliance on China for a clear picture of the role of China and its state affiliates at the forefront of the cyber-security threats to our critical sectors.

Given that established and growing threat, new Clause 3 would compel the Secretary of State to review, among other matters, the cyber-security risk to surrounding critical networks in the vicinity of the super-embassy site in the City of London. In the Commons debate on the embassy application in June last year, my hon. Friend Kevin Hollinrake reminded the Minister for Housing and Planning that the Government’s own cyber-security experts, Innovate UK, have warned about the threat to the City of London from the embassy. My hon. Friend made specific reference to the Wapping telephone and internet exchange that would be surrounded on three sides by this new embassy—not to mention the fibre cables I referred to earlier, which carry highly sensitive information and run beneath this site.

I recognise that the Shadow Minister cares passionately about the security of this country—as do I, which is why we are discussing the Bill. But does he not recognise that the site was purchased by the Chinese Government in 2018? There is a potential threat whether or not the new embassy is built there.

I do not want to repeat the discussion that we had a moment ago. I think it is complete lunacy to permit the building of a super-embassy—one of the biggest in the region—next to highly critical data transmission. I am also concerned by media reports that the Prime Minister’s recent visit to China was greenlighted only following the final approval of the embassy. I am deeply depressed that, following the visit, Jimmy Lai has been effectively sentenced for life. I respect the tone and constructive way in which the hon. Member for Harlow approaches this debate, but it is fair to say that the Government are sadly weak on standing up to hostile state actors such as the Chinese Communist party.

As I said at the start, there is simply no point in granting the Secretary of State powers to issue directions on the basis of national security if the Government are not willing to be clear-eyed about the most critical cyber-security risks to the nation. I therefore submit that the new clauses are a vital addition to the Bill to focus the attentions of the Secretary of State to ensure that her functions under part 4 are carried out in the best interests of our national security. No responsible Government would or should vote against such provisions. Parliament should make it crystal clear that the Chinese Communist party is a threat to the United Kingdom. We must support new clauses 2 and 3.

Ordered, That the debate be now adjourned.— (Taiwo Owatemi.)

Adjourned till Tuesday 24 February at twenty-five minutes past Nine o’clock.

CSRB29 NCC Group (supplementary)

CSRB30 CrowdStrike

CSRB31 VIRTUS Data Centres

CSRB32 UK Cyber Security Council