Asked by
To ask His Majesty’s Government what progress has been made in
implementing the recommendations on cybersecurity made by Sir
in his report
Pro-innovation Regulation of Technologies Review: Digital
Technologies, published in March.
The Parliamentary Under-Secretary of State, Home Office (Con)
My Lords, in the Government’s response to the review, we set out
that the Home Office is taking forward work to consider the
merits and risks of the proposals made. We have created a group
that includes law enforcement agencies, prosecutors, the
cybersecurity industry and system owners to consider these issues
and reach a consensus on the best way forward.
(LD)
My Lords, Sir Patrick made a very clear recommendation to amend
the Computer Misuse Act to include a statutory public interest
defence for cybersecurity researchers and professionals carrying
out threat intelligence research. This has been extremely long
awaited. We finally had a review, which started in 2021 and
reported this year; we had a consultation, which concluded in
April; and now we have the steps that the Minister talked about.
What conclusion can we expect at the end of the day? Progress on
this has been totally glacial given the importance to innovation
and growth of this change to legislation.
(Con)
My Lords, I agree that there is an enormous necessity to get this
right, but that is part of the problem of why things are perhaps
not happening as fast as the noble Lord would like—progress is
far from glacial. These issues are incredibly complicated
because, as the noble Lord noted, the proposals would potentially
allow a defence for the unauthorised access by a person to
another’s property, and in this case their computer systems and
data, without their knowledge and consent. We therefore need to
define what constitutes legitimate cybersecurity activity, where
a defence might be applicable and under what circumstances, and
how such unauthorised access can be kept to a minimum. We also
need to consider who should be allowed to undertake such
activity, what professional standards they will need to comply
with, and what reporting or oversight will be needed. In short,
these are complex matters, and it is entirely right to try to
seek a consensus among the agencies I mentioned earlier.
(Con)
My Lords, I declare my interests as set out on the register. Does
my noble friend accept that it is very difficult for Governments
to keep up with the speed of change of technology in their
legislation? The Computer Misuse Act is now 33 years old. If
progress is not glacial, please could we have an injection of
urgency into the changes to it that we need?
(Con)
I agree with my noble friend that it is difficult for Governments
to keep up with the pace of technological change, but I also
reflect on the fact that much of the legislation going through
your Lordships’ House at the moment contains many efforts to
future-proof it in this area. As I said, I do not agree that this
is glacial. I know that the Act is old. The report was delivered
only earlier this year and the discussions are very complicated,
as I just highlighted.
(Lab)
My Lords, if it is not glacial, it is very slow. The point we
have heard from both noble Lords is that Sir made nine
recommendations; the Government have accepted them. We know that
cybersecurity is a real problem—the Government accept that—but
what everybody is waiting to hear is what the Government intend
to do and the timescale.
(Con)
My Lords, I am trying to answer this question. Sir reported in April; it is
now July. I do not think that is glacial or particularly slow.
The fact is that these are complicated matters that need to be
considered very carefully. They involve all sorts of different
implications for us all.
(CB)
My Lords, in addition to the amendment to the 1990 computer Act
and the opportunity the Minister will have to address that in due
course, will he reflect on what Sir Patrick said about
international harmonisation and the need for regulation of
significant emerging technologies to reflect what other countries
are doing, as well as what we are doing?
(Con)
The noble Lord makes a very good point, and one I inquired about
this morning. There is a considerable exchange of information
with our friends and allies and other interested countries across
the world. It is perhaps worth pointing out that the Department
of Justice in the States has just reissued guidelines for
prosecutions only. Guidance and prosecutorial discretion are
major features of the American way of doing it; we are going a
slightly different route and seeking consensus, but of course we
will consult.
(GP)
My Lords, the Minister may be aware of reports out this morning
that Barts Health NHS Trust has been hacked, potentially by a
ransomware group of thieves—I suppose that is the right word—and
that 7 terabytes of data may have been taken control of, which of
course may well involve confidential personal medical data. Does
the Minister agree that it is really important that the NHS
workforce plan includes and considers the NHS’s IT needs and IT
skill needs? Is that something the Minister is talking about with
the health department?
(Con)
I have not spoken about it directly with the health department,
but I note from other debates that we have had in your Lordships’
House over the past few months that a skills shortage in the area
of computers, data and whatnot is a problem across all economies,
not just ours.
(Lab Co-op)
My Lords, I thank the Minister and his colleagues in the Home
Office, and those in the Foreign, Commonwealth and Development
Office and the Ministry of Defence, for the excellent and
detailed briefings they give us on security issues, which are
really helpful. What precautions are taken to make sure that this
information is not passed, either deliberately or inadvertently,
to representatives of the Government of Russia?
(Con)
My Lords, I am afraid I have no idea; I will find out.
(Lab)
My Lords, I am a member of the Joint Committee on the National
Security Strategy. We are currently conducting an investigation
into ransomware and cybersecurity, which are very much at the
heart of this Question. I agree with the noble Lord opposite who
said that the Computer Misuse Act is now 33 years old—it is.
Heaven knows the world has changed since then. I agree with the
Minister that an enormous amount of co-ordination has to be done
within government to get this right. Can the Minister provide
some future opportunity in government time to have a more general
debate about the issues involved? Otherwise, knowing what this
House is like, it will take a year or more before the report that
the committee eventually introduces can be debated here.
(Con)
The noble Viscount makes a good point. I am obviously unable to
comment on the scheduling of parliamentary business but, when the
group that I referred to in my initial Answer has finished its
consultations and considerations and come to a consensus, we will
of course report back to Parliament. I imagine that will include
a debate.
(LD)
My Lords, does not everything that has been said on this Question
today demonstrate the importance of fresh intelligence work and,
therefore, the importance of changing the Computer Misuse Act?
(Con)
I do not think that anybody disagrees with that. I am just saying
that we need to get it right and do it properly.
(Con)
My Lords, the Vallance report talks about the fact that, under
the Computer Misuse Act, professionals conducting legitimate
cybersecurity research in the public interest currently face the
risk of prosecution. It asks us to look at the examples of
France, Israel and the United States. Is my noble friend the
Minister aware of any possible unintended consequences of
modifying the Act to align it with the changes in those
countries?
(Con)
Yes; one of the considerations that is being looked at is the
various potential unintended consequences of making some of these
changes. As I say, they involve a fairly significant invasion of
privacy—I suppose that is the right phrase. There may well be
circumstances in which that is appropriate but, obviously, who
does it and how they do it are incredibly difficult.