Skip to main content


Volume 831: debated on Monday 3 July 2023


Asked by

To ask His Majesty’s Government what progress has been made in implementing the recommendations on cybersecurity made by Sir Patrick Vallance in his report Pro-innovation Regulation of Technologies Review: Digital Technologies, published in March.

My Lords, in the Government’s response to the review, we set out that the Home Office is taking forward work to consider the merits and risks of the proposals made. We have created a group that includes law enforcement agencies, prosecutors, the cybersecurity industry and system owners to consider these issues and reach a consensus on the best way forward.

My Lords, Sir Patrick made a very clear recommendation to amend the Computer Misuse Act to include a statutory public interest defence for cybersecurity researchers and professionals carrying out threat intelligence research. This has been extremely long awaited. We finally had a review, which started in 2021 and reported this year; we had a consultation, which concluded in April; and now we have the steps that the Minister talked about. What conclusion can we expect at the end of the day? Progress on this has been totally glacial given the importance to innovation and growth of this change to legislation.

My Lords, I agree that there is an enormous necessity to get this right, but that is part of the problem of why things are perhaps not happening as fast as the noble Lord would like—progress is far from glacial. These issues are incredibly complicated because, as the noble Lord noted, the proposals would potentially allow a defence for the unauthorised access by a person to another’s property, and in this case their computer systems and data, without their knowledge and consent. We therefore need to define what constitutes legitimate cybersecurity activity, where a defence might be applicable and under what circumstances, and how such unauthorised access can be kept to a minimum. We also need to consider who should be allowed to undertake such activity, what professional standards they will need to comply with, and what reporting or oversight will be needed. In short, these are complex matters, and it is entirely right to try to seek a consensus among the agencies I mentioned earlier.

My Lords, I declare my interests as set out on the register. Does my noble friend accept that it is very difficult for Governments to keep up with the speed of change of technology in their legislation? The Computer Misuse Act is now 33 years old. If progress is not glacial, please could we have an injection of urgency into the changes to it that we need?

I agree with my noble friend that it is difficult for Governments to keep up with the pace of technological change, but I also reflect on the fact that much of the legislation going through your Lordships’ House at the moment contains many efforts to future-proof it in this area. As I said, I do not agree that this is glacial. I know that the Act is old. The report was delivered only earlier this year and the discussions are very complicated, as I just highlighted.

My Lords, if it is not glacial, it is very slow. The point we have heard from both noble Lords is that Sir Patrick Vallance made nine recommendations; the Government have accepted them. We know that cybersecurity is a real problem—the Government accept that—but what everybody is waiting to hear is what the Government intend to do and the timescale.

My Lords, I am trying to answer this question. Sir Patrick Vallance reported in April; it is now July. I do not think that is glacial or particularly slow. The fact is that these are complicated matters that need to be considered very carefully. They involve all sorts of different implications for us all.

My Lords, in addition to the amendment to the 1990 computer Act and the opportunity the Minister will have to address that in due course, will he reflect on what Sir Patrick said about international harmonisation and the need for regulation of significant emerging technologies to reflect what other countries are doing, as well as what we are doing?

The noble Lord makes a very good point, and one I inquired about this morning. There is a considerable exchange of information with our friends and allies and other interested countries across the world. It is perhaps worth pointing out that the Department of Justice in the States has just reissued guidelines for prosecutions only. Guidance and prosecutorial discretion are major features of the American way of doing it; we are going a slightly different route and seeking consensus, but of course we will consult.

My Lords, the Minister may be aware of reports out this morning that Barts Health NHS Trust has been hacked, potentially by a ransomware group of thieves—I suppose that is the right word—and that 7 terabytes of data may have been taken control of, which of course may well involve confidential personal medical data. Does the Minister agree that it is really important that the NHS workforce plan includes and considers the NHS’s IT needs and IT skill needs? Is that something the Minister is talking about with the health department?

I have not spoken about it directly with the health department, but I note from other debates that we have had in your Lordships’ House over the past few months that a skills shortage in the area of computers, data and whatnot is a problem across all economies, not just ours.

My Lords, I thank the Minister and his colleagues in the Home Office, and those in the Foreign, Commonwealth and Development Office and the Ministry of Defence, for the excellent and detailed briefings they give us on security issues, which are really helpful. What precautions are taken to make sure that this information is not passed, either deliberately or inadvertently, to representatives of the Government of Russia?

My Lords, I am a member of the Joint Committee on the National Security Strategy. We are currently conducting an investigation into ransomware and cybersecurity, which are very much at the heart of this Question. I agree with the noble Lord opposite who said that the Computer Misuse Act is now 33 years old—it is. Heaven knows the world has changed since then. I agree with the Minister that an enormous amount of co-ordination has to be done within government to get this right. Can the Minister provide some future opportunity in government time to have a more general debate about the issues involved? Otherwise, knowing what this House is like, it will take a year or more before the report that the committee eventually introduces can be debated here.

The noble Viscount makes a good point. I am obviously unable to comment on the scheduling of parliamentary business but, when the group that I referred to in my initial Answer has finished its consultations and considerations and come to a consensus, we will of course report back to Parliament. I imagine that will include a debate.

My Lords, does not everything that has been said on this Question today demonstrate the importance of fresh intelligence work and, therefore, the importance of changing the Computer Misuse Act?

I do not think that anybody disagrees with that. I am just saying that we need to get it right and do it properly.

My Lords, the Vallance report talks about the fact that, under the Computer Misuse Act, professionals conducting legitimate cybersecurity research in the public interest currently face the risk of prosecution. It asks us to look at the examples of France, Israel and the United States. Is my noble friend the Minister aware of any possible unintended consequences of modifying the Act to align it with the changes in those countries?

Yes; one of the considerations that is being looked at is the various potential unintended consequences of making some of these changes. As I say, they involve a fairly significant invasion of privacy—I suppose that is the right phrase. There may well be circumstances in which that is appropriate but, obviously, who does it and how they do it are incredibly difficult.