To ask His Majesty’s Government what progress has been made in implementing the recommendations on cybersecurity made by Sir Patrick Vallance in his report Pro-innovation Regulation of Technologies Review: Digital Technologies, published in March.
My Lords, in the Government’s response to the review, we set out that the Home Office is taking forward work to consider the merits and risks of the proposals made. We have created a group that includes law enforcement agencies, prosecutors, the cybersecurity industry and system owners to consider these issues and reach a consensus on the best way forward.
My Lords, Sir Patrick made a very clear recommendation to amend the Computer Misuse Act to include a statutory public interest defence for cybersecurity researchers and professionals carrying out threat intelligence research. This has been extremely long awaited. We finally had a review, which started in 2021 and reported this year; we had a consultation, which concluded in April; and now we have the steps that the Minister talked about. What conclusion can we expect at the end of the day? Progress on this has been totally glacial given the importance to innovation and growth of this change to legislation.
My Lords, I agree that there is an enormous necessity to get this right, but that is part of the problem of why things are perhaps not happening as fast as the noble Lord would like—progress is far from glacial. These issues are incredibly complicated because, as the noble Lord noted, the proposals would potentially allow a defence for the unauthorised access by a person to another’s property, and in this case their computer systems and data, without their knowledge and consent. We therefore need to define what constitutes legitimate cybersecurity activity, where a defence might be applicable and under what circumstances, and how such unauthorised access can be kept to a minimum. We also need to consider who should be allowed to undertake such activity, what professional standards they will need to comply with, and what reporting or oversight will be needed. In short, these are complex matters, and it is entirely right to try to seek a consensus among the agencies I mentioned earlier.
My Lords, I declare my interests as set out on the register. Does my noble friend accept that it is very difficult for Governments to keep up with the speed of change of technology in their legislation? The Computer Misuse Act is now 33 years old. If progress is not glacial, please could we have an injection of urgency into the changes to it that we need?
I agree with my noble friend that it is difficult for Governments to keep up with the pace of technological change, but I also reflect on the fact that much of the legislation going through your Lordships’ House at the moment contains many efforts to future-proof it in this area. As I said, I do not agree that this is glacial. I know that the Act is old. The report was delivered only earlier this year and the discussions are very complicated, as I just highlighted.
My Lords, if it is not glacial, it is very slow. The point we have heard from both noble Lords is that Sir Patrick Vallance made nine recommendations; the Government have accepted them. We know that cybersecurity is a real problem—the Government accept that—but what everybody is waiting to hear is what the Government intend to do and the timescale.
My Lords, I am trying to answer this question. Sir Patrick Vallance reported in April; it is now July. I do not think that is glacial or particularly slow. The fact is that these are complicated matters that need to be considered very carefully. They involve all sorts of different implications for us all.
My Lords, in addition to the amendment to the 1990 computer Act and the opportunity the Minister will have to address that in due course, will he reflect on what Sir Patrick said about international harmonisation and the need for regulation of significant emerging technologies to reflect what other countries are doing, as well as what we are doing?
The noble Lord makes a very good point, and one I inquired about this morning. There is a considerable exchange of information with our friends and allies and other interested countries across the world. It is perhaps worth pointing out that the Department of Justice in the States has just reissued guidelines for prosecutions only. Guidance and prosecutorial discretion are major features of the American way of doing it; we are going a slightly different route and seeking consensus, but of course we will consult.
My Lords, the Minister may be aware of reports out this morning that Barts Health NHS Trust has been hacked, potentially by a ransomware group of thieves—I suppose that is the right word—and that 7 terabytes of data may have been taken control of, which of course may well involve confidential personal medical data. Does the Minister agree that it is really important that the NHS workforce plan includes and considers the NHS’s IT needs and IT skill needs? Is that something the Minister is talking about with the health department?
I have not spoken about it directly with the health department, but I note from other debates that we have had in your Lordships’ House over the past few months that a skills shortage in the area of computers, data and whatnot is a problem across all economies, not just ours.
My Lords, I thank the Minister and his colleagues in the Home Office, and those in the Foreign, Commonwealth and Development Office and the Ministry of Defence, for the excellent and detailed briefings they give us on security issues, which are really helpful. What precautions are taken to make sure that this information is not passed, either deliberately or inadvertently, to representatives of the Government of Russia?