Cyber-security — [Hannah Bardell in the Chair]

– in Westminster Hall at 6:25 pm on 7 May 2024.

Alert me about debates like this

[Hannah Bardell in the Chair]

Photo of Mark Hendrick Mark Hendrick Labour/Co-operative, Preston 6:30, 7 May 2024

I beg to move,

That this House
has considered cyber security laws and tackling crime.

It is a pleasure to serve under your chairmanship, Ms Bardell. I am delighted to lead this debate on the important issue of cyber-security, particularly in relation to cyber-crime and the need to enhance the UK’s national cyber-resilience.

Cyber-security has a significant impact on society, the economy and individuals, as well as on both national and global security. The UK faces cyber-threats from a number of hostile actors, whether they are states, state-sponsored groups or criminal organisations motivated by money. Cyber-crime itself ranges from complex ransomware attacks to less sophisticated cyber-threats such as hacking and phishing, which many in their everyday lives. In today’s world, virtually every business, charity and public sector organisation is in some way digital, but, as high-profile incidents have shown, cyber-attacks exploiting that digitalisation can quickly undermine trust in our private and public sector institutions.

With a burgeoning cyber ecosystem, the UK is well placed to be a global leader on cyber-security, and I will come back to that point later. Often, however, we struggle to get the basics right, leaving citizens and businesses exposed as they move more and more of their lives and operations online. Last year, UK businesses experienced approximately 7.78 million cyber-crimes. Half of businesses and around a third of charities report having experienced some form of cyber-breach or attack in the last 12 months and such attacks have had a real impact on business and consumers.

A recent report by the think-tank the Royal United Services Institute brought to light some of the stark implications of cyber-crime, particularly in relation to ransomware, which is malware designed to deny a user or organisation access to their own data unless a ransom is paid to the attacker. RUSI’s report revealed the extent to which ransomware can ruin lives, with the harm going beyond financial and reputational costs for organisations. Victims and incident responders have revealed that ransomware creates both physical and psychological harms for individuals and groups, which have caused individuals to lose their jobs, evoked feelings of shame and self-blame, seeped into private and family life and contributed to serious health issues. Furthermore:

“The harm and cumulative effects caused by ransomware attacks have implications for wider society and national security, including supply chain disruption, a loss of trust in law enforcement, reduced faith in public services, and the normalisation of cybercrime. Ransomware also creates a strategic advantage for the hostile states harbouring the cyber-criminals who conduct such operations.”

Meanwhile, the threat landscape is changing and becoming more complex.

UK cyber firm NCC Group’s latest insights show that ransomware attacks increased by 84% last year, with the UK the second most targeted country for such attacks, only behind the US. Emerging technologies such as artificial intelligence have the potential to enable cyber-attackers to mount ever more sophisticated campaigns against organisations. AI is effectively lowering the barrier of entry into cyber-crime, making it easier for cyber-attackers to successfully target victims and widening the availability of voice cloning, deepfakes and social engineering bots. We are likely to see that manifest in a higher volume of cyber-attacks, an enhanced ability of cyber-criminals to generate malware and an improved success rate of social engineering and phishing attacks. With AI as an emerging threat, hacking as a service is being thought of as a growing market, whereby malware developers sell or lease cyber-attack tools and services to other cyber-criminals. Worryingly, such a business model extends cyber-attack capabilities to organisations and individuals that would not otherwise have known how to carry out attacks themselves.

Artificial intelligence is also advancing tactics that have been around for decades and, in its own way, evolving threats in line with technology. Deepfake phishing is just one example of a fast-growing threat that manipulates or confuses users in order to exploit their trust and gain access to their data. That can be done through emails or messages, video calls or voice messages, where personalisation and synthetic content can make the attack more credible.

Cyber-threats should be seen in the wider context of nation-state threats, too. The conflict in Ukraine has shown how cyber and kinetic attacks are increasingly interconnected in modern hybrid warfare. As thousands of lines of complex code control new and evolving physical functions and systems, such as in smart cities, cyber-security vulnerabilities can be exploited to effect change in the real world. Although we have not seen the so-called cybergeddon that some were expecting from the next big conflict on our globe, one thing is clear: cyber-warfare has proven itself to be a critical element in hybrid cyber-kinetic battlefields.

There is an opportunity here for the UK. To tackle cyber-crime, a close partnership between the public and private sectors is a critical part of the UK’s whole-society approach. In particular, the UK’s cyber industry is working closely with law enforcement, the public sector, academia and other private firms to ensure that the UK remains confident, capable and resilient in this fast-moving digital world. That includes vulnerability researchers, also known as ethical hackers, who identify security vulnerabilities in products, software and the UK Government. They rely on such researchers to identify bugs before they can be exploited by malicious actors for their nefarious purposes.

Meanwhile, threat intelligence researchers detect cyber-attacks and gain insight into attackers and victims. Researchers work with and pass on that important information to law enforcement and the intelligence agencies, enabling them to defend the UK against rising cyber-crime and geopolitical threat actors. Many of the recent takedown operations we have heard about, where law enforcement disrupted the servers or digital infrastructure that cyber-criminals used to conduct their illegal activities, were possible only because intelligence and insights about those cyber-criminals were shared across the public and private sectors. I firmly believe that there is an opportunity for the UK to play a significant leadership role in conducting the UK’s response, with the north-west cyber corridor at its heart.

We are already seeing that public-private partnership in action in wider Lancashire and in my own constituency of Preston through the National Cyber Force, which will open its new home in Samlesbury, Lancashire, in 2025. It is a partnership between defence and intelligence, and already carries out cyber operations daily to counter and contest the actions of those who would harm the UK or our allies, to keep the country safe and to protect and promote the UK’s interests at home and abroad. Furthermore, the Lancashire Cyber Partnership, or LCP, is a strategic collaboration between Lancashire County Council, the Lancashire Enterprise Partnership, the University of Central Lancashire, Lancashire University and BAE Systems. In addition, the National Cyber Force has its own role in shaping, supporting and promoting the county’s world-class cyber strengths and fast-growing cyber ecosystem, becoming a destination for cyber businesses, investors, careers training, academia and, indeed, innovation. With a strong cyber industry, Lancashire and the wider north-west are fostering the growth of the technology, digital and defence sectors, as well as harnessing the investment, jobs and benefits that come with a thriving cyber economy.

We should be proud of the UK’s role as a responsible global cyber power, and we should also remember that there is widespread cross-party and cross-societal consensus on the importance of cyber-security as fundamental for thriving and prosperous digital societies and economies. However, we cannot be complacent. Research from the NCC Group has shown that citizens—our constituents—expect us, as political decision-makers, to do what we can to keep them safe and secure in cyber-space. We have strong foundations to build on, but we must continue to do more to take our cyber-security to the next level. Indeed, much more can be done to ensure that regional cyber clusters, such as the north-west, can play their part in making us all safer online, while also enhancing national cyber-resilience.

I would like to move on to the issue of the UK’s Computer Misuse Act 1990. First and foremost, that Act, which is the main cyber-security Act that regulates the UK’s digital relationship between individuals and malicious parties, needs bringing into the 21st century. The Act was written more than 30 years ago when just over 0.5% of the world’s population had access to the internet, and before the cyber industry—as we know it today—even existed. As a result, the UK’s cyber-defenders, such as the vulnerability and threat intelligence researchers mentioned earlier, are held back by that outdated law from doing all they can to protect the UK. That is because the Act, which was written over 30 years ago, has a blanket prohibition on all forms of unauthorised access to computer material, irrespective of intent or motive. In this day and age, where an individual desktop PC is but a distant memory, where technologies are hyperconnected and where cyber-crime is rampant, that approach simply does not reflect the reality we live in. The legislation is no longer fit for purpose, and, worse, it might be detrimental.

There have been calls from industry, led by the CyberUp Campaign, to reform the law to include a defence for legitimate cyber-security work. Sir Patrick Vallance called for such a defence in the “The Pro-innovation Regulation of Technologies Review”, and he recommended amending the 1990 Act to include a statutory public interest defence that would provide stronger legal protections for cyber-security researchers and professionals. That would have a catalytic effect on innovation in a sector with considerable growth potential. Countries such as France, Israel and the United States have already updated their regulations to provide that defence. I join Sir Patrick by agreeing that if the UK cyber industry is to compete on a level playing field, the UK Government should do the same. However, one year since Sir Patrick published his recommendation, and three years since the UK Government first launched their review into the Act, the Government are yet to set out how they will address the legal barriers that it presents to the UK cyber-security industry.

A second area where the Government must prioritise reform is in updating the network and information systems regulations, which set out the cyber rules for our critical infrastructure. Back in 2022, the Government announced their intention to legislate to enable new sectors to be brought within the scope of the NIS regulations, responding to the inevitable evolution of what constitutes the UK’s critical infrastructure, but those reforms were not included in the most recent King’s Speech. It is critical that there are no further delays in bringing forward the reforms, and that a Bill is prioritised. Failure to legislate would leave a core part of the UK’s critical infrastructure exposed when others globally are already moving forward with new laws to ensure that all relevant entities are appropriately and proportionately regulated.

Outside the UK’s critical infrastructure, we must look at how we protect small businesses and charities, the backbone of the UK’s economy. Despite six in 10 small businesses being victims of a cyber-attack last year, many lack the skills and budgets to implement proportionate cyber-protections, leaving them exposed. They can also be disproportionately affected, with cyber-attacks sometimes posing an existential threat. A survey found that 90% of European small and medium-sized enterprises believed that cyber-security issues would have serious negative impacts on their business within a week of the issues happening; 57% said that they would most likely become bankrupt or go out of business.

It is unrealistic to expect small firms to adhere to and invest in the same cyber-resilience standards as larger firms such as critical infrastructure firms. However, that leaves a significant part of the economy vulnerable to cyber-attacks. To tackle that problem, the Government should work with technology providers to embed cyber-security in their products, particularly those most relied on by small organisations. The Government should also look at how they can support smaller firms’ response to and recovery from cyber-attacks. That could include establishing a “first responder” service that provides proportionate—that is, free-at-the-point-of-use—support to small businesses that have been victims of cyber-attacks. That could include incident response services and the triaging of further steps, such as where victims could get the most effective help. Such a scheme could learn lessons from our counterparts in Australia, who recently announced a small business cyber-security resilience service.

Finally, the Government must look at how they enhance the UK’s cyber skills. The issue of cyber skills is not just about addressing the cyber industry’s significant skills shortage, although that is a critical part of it. It is also about equipping individuals—across organisations of all sizes and at all levels of seniority—with the cyber literacy that they need to make decisions about their personal, organisational and even national cyber-resilience. A national programme of cyber literacy is needed to ensure that everyone, from preschoolers right through to pensioners, is cyber-literate, no matter where they are on their learning, career or retirement journeys. That could include commissioning “Cyber Beebies”—keeping with the concept of CBeebies, which

“helps pre-schoolers learn whilst they play fun games, watch clips, sing songs and make things”— in order to start cyber education and awareness in the earliest years.

We could also look at including cyber-competence—covering safe and secure online behaviours, privacy and use of technology alongside broader technology and computing lessons—as a mandatory part of the school curriculum. That should be reviewed and tested with an industry advisory board regularly to ensure that it keeps pace with technological developments and industry requirements. Teachers must also be regularly supported to understand new developments and how they should be reflected in the school curriculum.

STEM—science, technology, engineering and maths—programmes throughout the country have had a critical role in creating opportunities for today’s youth as they advance their education and skillset. In my own constituency of Preston, I am very proud of the work of Cardinal Newman College. One of the highest-performing sixth form colleges nationally, it has partnered with Lancaster University to harness the skills of young people with a passion and aptitude for the study of maths and science. In doing so, they have further developed the young people’s interest and education while providing them with opportunities for their future, including—especially—in the field of cyber at the new cyber defence centre.

I welcome the Minister, who is about to take his place in the hall. I should like to ask him four questions. Will he join me in praising and expressing pride in our UK cyber industry? Will he acknowledge, as we all do, the role that our industry plays in keeping us all safe and secure in cyber-space? Will he set out the Government’s further ambitions to take our cyber-security to the next level and beyond what has been announced as part of the national cyber strategy? Will he provide more information in particular on the Government’s plans to finally make progress on introducing legal protections for legitimate cyber-security activities as part of ongoing efforts to reform the Computer Misuse Act? Will he set out the Government’s views on following the Australian example of introducing a cyber first responders service for all our small businesses and charities, and set out the Government’s ongoing commitment to invest in our national cyber-resilience?

I thank the Minister for engaging with me on this important issue. It is good that there is cross-party consensus on a matter of such importance, but it is clear that much more needs to be done when it comes to cyber-crime and ensuring that Government policy keeps pace with technology in the ever-changing cyber landscape. The public need to be better educated and trained from an early age in the use of computers. That will add to the resilience the country needs to overcome the challenges of cyber-crime for the purposes of cyber-security.

Photo of Hannah Bardell Hannah Bardell Shadow SNP Spokesperson (Foreign Affairs Team Member), Shadow SNP Spokesperson (International Development Team Member)

Before I call the SNP spokesperson, I want to note that the Minister was not in his place, which is disappointing given the importance of the issue and the effort put in by the Member in charge. We have been grateful to Minister Opperman for sitting in, who is fortified with the relevant information. I am sure he will let his colleague copy his homework, so he is able to respond, if the Member in charge is happy with that.

Photo of Owen Thompson Owen Thompson SNP Chief Whip 6:51, 7 May 2024

It is a great pleasure to serve with you in the Chair, Ms Bardell. I commend Sir Mark Hendrick for securing this debate on such an important issue. The past few years have challenged us like no other time in recent history, but they have also served to highlight how critical digital technologies are to all our lives and to the functioning of society and the economy. Whether working or learning from home, running a business or keeping in touch with friends and family, digital technologies underpin and continue to support our critical national infrastructure. Nowadays digital appliances and smart tech are everywhere, and it is more and more common to find that a lack of an internet connection or a charger is becoming a major issue. When we consider the attacks, as outlined by the hon. Member, be they personal or on a national level, it is critical that we consider the resilience that each of us has individually in how we manage to protect ourselves from those who wish to do harm, but also collectively as we look to protect our society.

As the hon. Member has outlined, digital technologies cut across everything we do. The secure and resilient ways we use them cannot be an afterthought. Cyber-resilience cannot be viewed simply as an IT issue; it is the very backbone of every public service, business and community. It is also a critical part of our economic and societal recovery and renewal, especially in Scotland as we embrace new technologies, such as artificial intelligence, smart cities and 5G wireless networks. Those can all be positives, albeit there are clearly those out there who wish to use them to do harm.

Digital technologies are now at a stage where it is not simply enough to turn them off and on again to fix problems that arise. Cyber-resilience is key to operational resilience and business continuity, as well as our capacity to grow and flourish as we adapt to the demands of operating online. Our ability to deter, respond and recover from national cyber-attacks has to be a top priority, and we need a plan exercised and to reflect continually and collaboratively to ensure that we are prepared to withstand any such cyber-threats.

In Scotland, the strategic framework for our cyber-resilience sets out what we need to do to make us a digitally secured and resilient nation. It builds on the work of Scotland’s first cyber-resilience strategy published in 2015, and it expands on its achievements and addresses ongoing and new challenges because, as the hon. Member has outlined, the challenges are forever changing. This is an ever-changing landscape that we are dealing with.

The cyber-threats we face cannot be met by Government alone, and we have a role to play in protecting ourselves, our families and our communities. Our public sector, third sector and private sector organisations need to work together, with Government, to minimise the harm and disruption that can result from cyber-incidents. As Members of Parliament, some of our colleagues have been targeted and directly impacted by cyber-attacks, and we have seen what that has meant for them, as well as what it means for the rest of us collectively. We need to make the very most of technological advances and use them to protect ourselves as those who wish to do harm look to exploit loopholes in the system.

The recent pandemic reminded us of the importance of resilience and agility. The Scottish Government pledged to review the implementation of the framework regularly, monitoring indicators against the four outcomes and the action plans that will guide delivery. Scotland’s four key cyber-resilience outcomes are ensuring that our citizens have access to basic and specialist learning and skills to help keep safe and secure online; working with partners in the public, private and third sectors to enhance all our cyber-resilience; raising awareness of the importance of cyber-resilience and how to achieve it by providing easier access to advice and support; and taking advantage of the economic opportunities resulting from greater cyber-resilience. It is great if people have the knowledge and understanding to grasp those opportunities, but we have also to recognise that there are so many in our communities who want the massive benefits of taking advantage of our digital infrastructure but do not know where to turn. There is a massive job for all of us in making sure that that information is as widely available as it possibly can be.

On this issue perhaps more than many others, it is critical that any work is done in collaboration with other Governments. The problem is not unique to Westminster, Scotland or any of the devolved Parliaments; it affects us all, and it is only by working together that we can truly tackle it. The UK Government published the national cyber strategy in 2022. It describes the UK’s overarching cyber policy and, as noted, takes a whole of society approach, arguing that Government must work in partnership with private sector organisations and cyber-security professionals to improve cyber-security. Between 2017 and 2021, the Scottish and the UK Governments allocated £10.28 million under the UK national cyber security programme to support a programme of action on cyber-resilience.

I wholeheartedly agree with the hon. Member for Preston that there is an urgent need to seriously look at the Computer Misuse Act; that is long overdue. With that in mind, what plans do the Government have to review the Act, and what steps does the Minister feel are most urgent? Certainly, there are many.

Cyber, digital infrastructure and technology are not there just for the specialist few; they are there in the day-to-day lives of everyone in our communities, all our families and all our friends. More than ever, it is critical that we take whatever steps we can as legislators to ensure that protections are in place and information is there for everyone, so that we can protect ourselves from those who would look to use them for ill ends. On that note, I again thank the hon. Member for securing this important debate. I am sure that it will not be the last we hear of it.

Photo of Dan Jarvis Dan Jarvis Shadow Minister (Home Office) (Security) 6:58, 7 May 2024

It is a pleasure to serve under your chairship, Ms Bardell. May I say how good it is to see the Minister in his place? I congratulate my hon. Friend Sir Mark Hendrick on securing this important debate. He is a long-standing and dedicated servant to his constituents and Lancashire more widely; any compliment about Lancashire does not come particularly easily from my side of the Pennines, but that is certainly one that my hon. Friend deserves for his very long-standing service for his constituents.

I pay tribute to the men and women who serve in the National Cyber Force, soon to be based in Samlesbury, and to those who serve across the security and intelligence services and in the cyber-security sector. They fight on the digital frontline day in and day out to detect, disrupt and deter individual and state-sponsored adversaries that threaten our cyber-security.

The cyber threat is constantly mutating and spreading. The latest crime survey for England and Wales shows a staggering 29% increase in computer misuse between 2022 and 2023. Computer misuse disrupts services, obtains information illegally and extorts individuals, meaning that personal information can be published online without consent, entire life savings can be lost due to fraud, and individuals, including children, can be blackmailed. The Government need to be increasingly ruthless in their approach to countering those threats and legislate for the challenges of today, not those of yesterday. Doing so will give cyber-security professionals the means to retain the advantage over those who seek to harm us and protect more people and organisations from cyber-crime.

Therefore, as Owen Thompson rightly said, the Computer Misuse Act needs updating to reflect the challenges of the cyber age, not those of the Ceefax age. Accelerating technological change means that outdated legislation is struggling to catch up with cyber-threats posed by the likes of artificial intelligence. That is why, on this side of the House, we have already proposed criminalising the programming of chatbots that radicalise and spread terrorist material. We also welcome the Government’s announcement last month of the criminalisation, through the Criminal Justice Bill, of the creation of sexually explicit deepfakes. Outdated legislation is at best restrictive and at worst punitive for cyber-security professionals in the UK who conduct ethical hacking to expose system vulnerabilities and protect us from harmful cyber-attacks.

The National Cyber Security Centre, which is home to exceptional men and women fighting cyber-crime, has said that ethical hacking reports by individual researchers provide valuable information that organisations can use to improve the security of their systems. That is why the Opposition tabled an amendment to the Criminal Justice Bill that would reform the CMA by introducing a statutory defence for cyber-security researchers and professionals involved in ethical hacking.

Our amendment comes after the Chancellor’s commitment to implement all of Sir Patrick Vallance’s recommendations on the regulation of emerging digital technologies published alongside last spring’s Budget, which included the introduction of a statutory defence. If this Government do not deliver, the next one should. Until that happens, the legislative lag will have consequences. Half of UK businesses and 32% of charities suffered a cyber-breach or attack in the last year alone. Breaches due to vulnerabilities in cyber-security drive some of the most pernicious types of criminality. According to the accounting firm BDO, fraud doubled in 2023.

Furthermore, the Joint Committee on the National Security Strategy warned in December that the Government could face a catastrophic ransomware attack at any moment. The sobering reality is that such attacks are already happening on the UK’s critical national infrastructure. Just today, it was reported that in response to a ransom not being paid, personal information illegally obtained by a ransomware attack on NHS Dumfries and Galloway has been published on the dark web—a truly despicable act that accompanies another deeply concerning development today: a hack into the Ministry of Defence’s payroll records by a malign actor.

Those are only two of the most recent examples, and they show that the threat landscape has never been more dangerous. However, progress on reforming the CMA has been buffering for three years since the Government first announced their review of the legislation. Despite two public consultations, a Home Office industry working group and several public commitments, the Government have not yet made progress and, as the Minister will know, we are fast running out of parliamentary time. Though time is in short supply, there is consensus on acting in the national interest to update the CMA, and the Opposition are keen to play our part.

I would be grateful if the Minister would answer the following questions. He will know that they are meant in the constructive spirit in which we always seek to engage on these important matters. First, will he give an assurance that the proposed legislation, as outlined in the Government’s response to the CMA consultation, will be introduced in this Parliament?

Progress on legislation requires political leadership. However, the JCNSS report on ransomware said that the leadership by a former Home Secretary did not treat it as a priority. The Minister will remember that I wrote to him in January about this matter and others identified in the JCNSS report. Can he give a further assurance that his Department and other Departments are now prioritising ransomware by confirming that they will finally respond to the consultation on unauthorised access to online accounts and personal data, which was published in September 2022?

On public sector payments to ransomware, the Deputy Prime Minister responded to me at Cabinet Office questions on 25 April by saying that that “is not something” that he would “rule out totally”. However, the Security Minister’s written answer to me on the same question on the same day was much more resolute about the policy not to pay ransoms.

Photo of Dan Jarvis Dan Jarvis Shadow Minister (Home Office) (Security)

I am listening to the Minister. I do not know whether the Deputy Prime Minister is; that is possibly the problem.

It would be really helpful if the Minister would say whether a new approach to the public sector paying ransoms will be included in any update to the CMA. These assurances and clarifications matter, as the Home Office is part of a cross-Government response to countering cyber-threats, joining the Department for Science, Innovation and Technology, the MOD, the Foreign, Commonwealth and Development Office and the Cabinet Office in driving policy to detect, disrupt and deter cyber-criminality.

As the Minister will know, the fulcrum of such activity is the National Security Council, but he will also know that, while it has a sub-committee for economic security, there is not a dedicated equivalent for cyber-security. Has consideration been given to the creation of a dedicated sub-committee of the NSC for policy responses to intermediate and long-term cyber challenges?

Another long-term challenge, which the Minister will be familiar with, is the retention of our best and brightest in fighting cyber-crime, both in the security and intelligence services and in the cyber-security sector. Do our modern-day Alan Turings, who play a vital role in keeping our country safe, feel that the most innovative and effective work can happen in the UK under current cyber-security legislation? The answer, sadly, is likely to be no: 60% of respondents to a recent cyber-ops survey said that the CMA is a barrier to their work in threat intelligence and vulnerability research, and 16,850 cyber-defenders—the equivalent of two GCHQs—are estimated to have been lost due to outdated cyber-security laws. The Minister knows that criminals profit the most from poor retention and recruitment, so has he considered how changes to the CMA could unlock the cyber-security sector’s huge potential to protect our country’s cyber-space better?

This debate has not just been about protecting our cyber-space through effective legislation; it has been about the principle of legislation retaining the advantage over malign actors intent on harming us. I said at the start of my speech that there are exceptional men and women working to defend our cyber-security, who are very much at the cutting edge of efforts to detect, disrupt and deter myriad threats. As legislators providing the legal framework for that crucial work, we must now all play our part.

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security) 7:09, 7 May 2024

It is a great pleasure to see you this evening, Ms Bardell—as ever, the surprise only adds to the joy—and to respond to Sir Mark Hendrick, who is quite right to have secured this debate. The challenge that he talked about and the ways of addressing it are fundamental not just to his constituents and the National Cyber Force, which he rightly paid tribute to and will be hosting in his constituency, but to the very nature of our country.

It is interesting to note that over the last 200 years, the British economy has been based on many things: the ingenuity and brilliance of our people; the rule of law and the ability to predict the future based on prior agreement; the genius of economic reforms innovated out of Edinburgh and Glasgow; and the ability to keep trade moving. For most of our existence, that trade has been maritime trade of various descriptions. It has been guaranteed not just by an extraordinary industry of sailors and shipwrights who have created the vehicles of commerce, but by the Royal Navy, which has kept the sea lanes open, the sailors safe and the goods moving.

The truth is that over the last few years, the nature of that commerce—that commercial gain and exchange—has changed. We have gone from sea lanes to e-lanes. We have gone from looking at the red ensign as a guarantee of security at sea, to looking at GCHQ and the National Cyber Security Centre as a guarantee of security on the internet and in cyber-space. Those changes have been fundamental. They have enabled us to do things that are frankly quite remarkable. Look at the change in the way communication works that our country has been through in the four years since covid struck us. With so many of our lives going online—even this place went online briefly, although we seem to have forgotten how convenient that was—many of us have been able to transform the businesses that we were working in from local or national to global.

That change has been a phenomenal blessing, but none of it would have been possible without the dedication and brilliance of some remarkable individuals who have kept us safe. Those individuals started off being headquartered solely in Cheltenham. Those of who have had the privilege to visit Cheltenham know that the extraordinary brilliance and genius of those remarkable people has been fantastic not just for our country but for many partners and allies around the world.

What we see today is that it is not just the Government who need to be kept safe. The reality is that companies and individuals guarantee that security in many different ways. What we are talking about this evening is how the wider economy is defended. That is where the Government have made some important changes, which I hope will be built on in coming years. The cyber-security force that we have created is an essential part of keeping the UK’s commercial interests safe. It is a fundamental building block of our economy not just today but for the future.

The way that has worked with the National Cyber Security Centre is essential, because the reality is that the economy of Britian is not guarded simply by the Government, and national security is not limited to the arms of the state. It is fundamentally true that many suppliers to Government and many different institutions that connect to Government are also important. More than that, every single aspect of our lives is a part of keeping our country safe. Although it is true that the Government do not provide the food, the supermarkets that feed us every day are part of our national security. Although it is true that the Government do not move the money, the banks that keep us fluid in that sense are absolutely part of our national security. It is therefore true that all those capabilities—all the cyber-defence that goes into the wider economy and into our lives—keep us all safe. Sadly, one of the things that has distressed me most in this job is discovering the level of abuse that I am afraid is now prevalent online. Hon. Members will not require me to tell them this, but we see an explosion in online bullying and abuse, and sadly we have seen an explosion in online harm that has taken not just many young people, but many people from across every walk of life, to dark places—and in some cases, very sadly, cost lives.

The cyber work that we do is about protecting not just the state, the Government or even the economy, but homes and families across the United Kingdom. That is why the work that we are doing in the reform of the Computer Misuse Act is so important, because, as Dan Jarvis and particularly as the hon. Member for Preston put it, the changes we have seen online in the last 20 or 30 years since the Act was passed are phenomenal. The Act was passed before the internet, the iPhone and social media. It is, in a modern sense, historical; it is dated and based on an era when to hold data was to hold it on a solid drive in a computer, not in the ether or on the cloud. The nature of intervention to keep cyber-defences alive and test them was very different, and the Act was drafted for that era. That is why the work of Sir Patrick Vallance and the way in which he has approached it have been so important, and it is why we have been looking so carefully at what he recommends and at how to get the best answer out.

The truth is that any decision we make is going to be difficult. It is going to raise questions about the ways in which businesses work and partner with others around the world. Owen Thompson asked about ransomware and the way in which it is changing. That is where the direction that we take it so important—for example, the counter-ransomware initiative that the United Kingdom led and changed in various ways, and the approaches we have taken to ensure that we are properly structured to get its benefits. The reason I am confident that we are going in the right direction is that we are setting the agenda.

In the 18 months since I had the privilege of becoming the Security Minister, we have launched at least two actions. Forgive me as I try to remember how many were public and how many were private; hon. Members will appreciate that in this job it is probably best to get that distinction right. I will say that we have launched at least two public actions alongside partners on counter-ransomware actions. Noticeably, one from about a year ago was against various Russian targets who had decided that it was to their advantage to try to extort and exploit organisations in the United Kingdom and United States. Our reactions—the ways in which we have partnered with allies and friends—have ensured that we are able not just to defend ourselves, but to make the punishment fit the crime. We are putting in place sanctions, closing down accounts and ensuring that we have those resources in partnership with organisations like the FBI to resist those different areas.

This subject also raises some questions about the state, which were hinted at. I will go a little further into it, because this is not just about individual actors, those in the so-called troll farms or the Internet Research Agency, which was so famously used by Russia recently; it is also about states themselves. Sadly, we are seeing states trying to use these forms of exploitation as means of profit. We have seen one state in particular, North Korea, seeking to quite literally use them as a cash cow—as a way of paying for its nuclear weapons programme, extorting money out of individuals around the world to advance its own hostile interests.

This is where some of the changes we have been able to make—alongside the hon. Member for Barnsley Central, to whom I pay tribute, and with support from parties on all sides—will, I think, make a substantial difference in the years to come. Those changes include the National Security Act 2023, which, through the various different elements of co-operation with foreign states, makes criminal actions that formerly would have merely been assisting or would have been hard to define; they may not necessarily have been breaches of the Official Secrets Act, or empowering or profiting a foreign state in a direct sense and in a way that would have been criminal. The National Security Act has been essential in making sure that espionage is properly punished and that the support of hostile states is now criminalised. I am grateful for the support of the hon. Member for Barnsley Central and others, because that legislation has been an important change that has enabled us to make a difference.

We have seen various different ways in which states have used these sorts of powers. For example, I am afraid that we have seen the various different ways in which Beijing has been ordering different threats against us. I will not comment on things that are being gossiped about in different places—in main Chambers rather than in Westminster Hall—but I will say that the state-affiliated cyber group APT31 has been, and consistently remains, a threat targeted against the UK. I am afraid that we have seen that again and again, and we have had to take action to ensure that we are able to protect ourselves. This is one of those areas where the work of the National Cyber Security Centre has been so incredibly important in protecting not just the state but our wider economy—and that is where we have a wider mission, because the truth is that protecting the wider economy is about protecting not just all those areas, but families and individuals across our country.

I am proud of some of the work we have done alongside businesses, some of which are from the UK and some of which are international, which has enabled us to change some of the incentives and pressures on them. We have brought down fraud in the last year; 16% is not as far as I would like it to go, and I am sure that others in the House will recognise that there is further to go, but that is a hell of an achievement by some fantastically dedicated law enforcement professionals and their cyber partners to make sure that homes and families across the United Kingdom are safer.

We are moving further online. For instance, one can look at the national health service today, and see the amazing investment in technology and in the changing way in which we communicate with our doctors. As many of us know, the NHS app—which, I think I am right in saying, has been downloaded by about three quarters of all adults in the United Kingdom, although I will have to check that—is a fantastic way in which we can communicate across the medical professions. However, all of this means that we have wider vectors of attack, which means that it is enormously important to ensure that we are working together. That is why—I correct the hon. Member for Barnsley Central—although the National Security Council may not have a cyber element in that sense, there is a ministerial cyber board, which meets on a similar basis except that it is chaired by the Deputy Prime Minister and brings together Departments from all across Whitehall. That is an extraordinarily important place where we set the policy and make sure that it works together, because the UK Government are already doing a huge amount.

The hon. Member for Barnsley Central asked about the policy of paying ransomware. We have set out that no public body should be using state money to pay ransomware. We have set out this agenda with the national health service and have been very clear to organisations, including the British Library, that it should not be happening. That policy has been made clear. It is also clear that some ransomwares that are being used for profit are being closed down. I do not know if Members are aware of the LockBit sanctions, but they have been incredibly important; in the last few days we have not just taken over the LockBit site—a brilliant piece of work by the National Crime Agency and others, including the FBI—but exposed the people behind it. That is an extremely important way in which we are taking the fight directly to the criminals who are challenging us and making sure that the National Cyber Force, which is soon to be wonderfully homed in Preston—

Photo of Thomas Tugendhat Thomas Tugendhat Minister of State (Home Office) (Security)

Many of its people will be homed around there, I am sure, though they may work in other parts. That force is a fantastically important element in our national defence. While once we flew the white ensign to protect sea lanes, today we fly a different sign —a national cyber-security sign; and with wider British Government protection, we can protect our e-lanes of communication that keep us not just safe but free.

Photo of Mark Hendrick Mark Hendrick Labour/Co-operative, Preston 7:26, 7 May 2024

I thank those who have taken part in the debate, principally from the Front Benches, for their contributions and thoughts on the way forward with legislation in this area. We did not get a direct response from the Minister on whether there would be any attempt to amend the Computer Misuse Act 1990 this side of the election, but as my hon. Friend Dan Jarvis said, we look forward to that at some stage. I cannot remember all the questions I posed—Hansard may now have disposed of them—but they are still pending with the Minister, so I hope he can write to me with answers. I look forward to hearing from him again.

I do feel very strongly about this issue, because apart from British Aerospace—BAE Systems, as it is now—and the new cyber centre that people are working away at, many of the important educational, technological and industrial developments taking place in and around my constituency in Lancashire are very important for local jobs and the economy, and in the national context. As all the Front-Bench contributors have said, the industry is a key part of keeping Britain and our constituents safe, and making sure that we continue to thrive in economic, political and democratic terms.

Thank you for chairing this debate, Ms Bardell. I am pleased that it has taken place, and hope it is a seed for further action in the coming weeks and months.

Question put and agreed to.

Resolved,

That this House
has considered cyber security laws and tackling crime.

Sitting adjourned.