- 12:38 pm
- (Urgent Question): To ask the Secretary of State for Business and Trade to make a statement on the cyber-attack on Jaguar Land Rover and on what assistance the Government are giving to businesses to help protect them against cyber-attacks.
- I welcome the Minister to his new job.
- Thank you, Mr Speaker. I fully recognise the anxiety and deep concern that employees at Jaguar Land Rover and across the supply chain will be feeling. The Government and the National Cyber Security Centre will do everything in our power to help resolve this as soon as possible. We are engaging with JLR on a daily basis to understand the challenges that the company and its suppliers are facing, and we are monitoring the situation closely. I have spoken to the company myself, and I will have a further meeting with the chief executive officer later this week. I understand that the company has also invited local MPs to a question and answer session this Friday.The National Cyber Security Centre has been working with Jaguar Land Rover since last Wednesday to provide support in relation to the incident. I am sorry that there is a limit to what I can say on the specifics because I do not want to prejudice the ongoing investigations.The cyber-security of the UK, however, is a key priority for the Government—crucial to protecting the public, our way of life and the successful growing economy. We have been taking significant action to help protect businesses against cyber-attacks. We are reducing cyber-risk across the economy by making technology more secure by design. That includes the Product Security and Telecommunications Infrastructure Act 2022, introduced by the previous Government, which requires manufacturers to build security into the manufacture and operation of internet-connected devices; the software security code of practice, which sets out how vendors and developers should make their software more secure; and the AI cyber-security code of practice, which sets out how AI developers should design and operate AI systems securely.We are also providing businesses with the tools, advice and support to protect themselves from cyber-threats. That includes the cyber governance code of practice, which shows boards and directors how to effectively manage the digital risks to their organisations; the highly effective cyber essentials scheme to prevent common attacks, reducing the likelihood of a cyber insurance claim by 92%; and a wide range of free tools and support from the National Cyber Security Centre, including training for boards and staff, the “Check Your Cyber Security” tools to test IT systems for vulnerabilities, and the early warning system to get notified about cyber-threats to networks. I urge all businesses to take up these tools and improve their cyber-defences.
- I am grateful to you, Mr Speaker, for granting this urgent question—as a north-west MP, you know what a large employer JLR is in the region. As we have heard, this serious cyber-attack on Jaguar Land Rover has stopped production and halted sales, and staff have been instructed to stay at home. The car plants at Halewood in my constituency and in Solihull, and other production facilities around the world, have been unable to operate. From what has been reported, JLR shut down its IT systems in response to the attack. I believe that dealerships have been unable to register new cars and—initially, at least—garages that maintain JLR vehicles were unable to order the parts they needed.The JLR Halewood plant in my constituency is an important and valued employer. Many of my constituents are employees, which is also the case for my neighbouring Merseyside MPs. Thousands of jobs in the supply chain have been affected. I am disappointed that despite the cyber-attack happening just over a week ago to one of our most important businesses, which has nearly 33,000 direct employees and, of course, a huge supply chain, no statement has been made to Parliament on what actions have been taken to help the company or to prevent future attacks.The latest attack raises wider issues following on from the attack on Marks & Spencer. The two instances in themselves are very worrying. One would like to believe that all companies reviewed their cyber-security after the M&S attack. If these attacks continue, there could be an ongoing and even more serious effect on our economy. What are the Government doing to help protect our businesses from cyber-crime? I have heard what the Minister has said today, but it is in our national security interest for them to work closely with business. Is there an underlying weakness in how business is dealing with cyber-security? In that regard, we heard from Ciaran Martin, former head of the National Cyber Security Centre, on the “Today” programme this morning, suggesting that companies are perhaps focusing more on protecting customer data at the expense of the security of their operations.
- First, I commend my hon. Friend on seeking this urgent question and you, Mr Speaker, on granting it. My hon. Friend makes the important point that Jaguar Land Rover is not only an iconic national brand, but a very significant employer—it employs 34,000 people in the UK, including in his constituency, and 39,000 worldwide. He is right that we need to ensure that cyber-security is something that every company in the land take seriously, and every public sector organisation. In my previous ministerial role I was conscious of the attack on the British Library, which was actually one of the most financially significant attacks heretofore, and it pointed the way for some of the other issues arising across the economy, which is why we have been keen to bring forward a Bill on this, as stated in the King’s Speech. We will introduce such a Bill “soon”—I think I can get away with that with the Chief Whip and the Leader of the House, although, in the words of Humpty Dumpty, when I use a word it means precisely what I choose it to mean, no more and certainly no less. As my hon. Friend says, there are serious issues that we need to address across the whole of the economy to ensure that we get this right.My hon. Friend pointed to one person; I point to another—Richard Horne, the chief executive officer of the National Cyber Security Centre—who recently stressed that the UK faces increasingly hostile activity in cyber-space. We simply cannot afford any degree of complacency in this. There are major criminals operating in this space, as well as some malicious state actors, and some 40% of companies in the UK reported last year that they had faced some kind of cyber-attack. It is a very important issue that we take seriously.
- I call the shadow Minister.
- I congratulate the hon. Member for Widnes and Halewood (Derek Twigg) on securing this important urgent question. I welcome the Minister to his new role, although I will never be able to rival his literary quotations.This attack on Jaguar Land Rover is extremely concerning. The impact on that world-leading business, and on its suppliers and workers, has been significant. I hope that the whole House agrees that we must use the full force of the state to crack down on cyber-criminals. I appreciate that the Minister is constrained in what he can say, but when were the Government and the National Cyber Security Centre informed of the attack? What kind of support are the Government and law enforcement agencies able to offer Jaguar Land Rover? How much longer do the Government expect the disruption, which is impacting on the supply of vehicles, to continue?The attack is just another in a series against British brands and iconic institutions—the Minister says that 40% of our businesses have been affected—including the attack earlier this year on Marks & Spencer. Will he elaborate on what the Government are doing to prevent future attacks? Has he identified who is responsible for the attack? Can he rule out its being a state-sponsored attack? If the group responsible for the attacks on Jaguar Land Rover and Marks & Spencer are linked, what progress have law enforcement agencies made in pursuing them?
- I am not sure whether the shadow Minister is in a new role—
- indicated dissent.
- She is not; I will not welcome her to her new role, then—I welcome her to the Dispatch Box none the less. She asked a series of questions, and I will try to answer those that I can as precisely as possible.First, the shadow Minister asked when the NCSC was notified and engaged. It has been engaged since last Wednesday. We have an undertaking that when people get in touch with the NCSC, the response will be very immediate.The shadow Minister asked what engagement there is from the Government. The primary engagement is through the NCSC, which is fully engaged and devoted to the work. It is also in the public domain that the Information Commissioner’s Office was notified. I should clarify that that was not because JLR was certain that there had been a data breach, but it wanted to ensure that it had dotted every i and crossed every t, which is why it notified the Information Commissioner’s Office.The shadow Minister asked about a timeline for getting this resolved. I wish that I could provide one, but I cannot. I think she will understand why: this is a very live situation that has been ongoing for a week. I note the points that JLR has been making. As I say, there will be an invitation for all local MPs—my hon. Friend the Member for Widnes and Halewood (Derek Twigg) should already have had one—for a Q&A session on Friday morning, when JLR hopes that it will be able to provide more information.The shadow Minister asked what else we are doing. This summer, the Home Office undertook a consultation on our policy on ransomware. I am not saying that that relates specifically to this case—we do not know that yet and I am not coming to any foregone conclusions—but that is one of the things that we must address, and it was heartening to see resolute support from the vast majority of companies in the UK for our ransomware policy. Maybe we will come to that later.
- I call the Chair of the Business and Trade Committee.
- I congratulate my hon. Friend the Member for Widnes and Halewood (Derek Twigg) on securing this urgent question, and warmly welcome the Minister to his new role. This is an extraordinarily serious issue, and the Business and Trade Committee will soon table its recommendations on tackling economic harms such as this. Many companies such as JLR now confront a much bigger threat surface, and the peril of state-backed threats. That is why this will be a much bigger issue in the future, and why companies in this country will need more than new laws. They will need new investment incentives to clean up legacy infrastructure that is currently not safe enough.When we took evidence from Archie Norman and Marks & Spencer in the wake of that cyber-attack, we were given a distinct impression that more could have been done by agencies to help M&S. Will the Minister reassure the House that all the lessons from how the M&S case was handled have been learned, and that the state will bend over backwards to ensure that JLR has every assistance it needs to get back up and running, and to prosecute the guilty?
- The single most important thing we can do is ensure that we end up prosecuting the guilty and that people are sent to prison, such as the gentleman—well, the person—in the United States of America who was recently sent down for 10 years as part of one of these networks, which was important. I am a Minister in the Department for Business and Trade, but the Minister for Security, my hon. Friend the Member for Barnsley North (Dan Jarvis), and the Under-Secretary of State for Science, Innovation and Technology, my hon. Friend the Member for Vale of Glamorgan (Kanishka Narayan), who is on the Front Bench, are actively engaged in these discussions, and we must ensure a cross-Government approach. I look forward to what we will hear from the Business and Trade Committee. I was intrigued by what my right hon. Friend was saying about investment incentives, and I hope he might come up with some clever idea that we could put into practice once he has produced his report.On the main point about whether we have learned all the lessons from M&S, I certainly think we have. I have read Archie Norman’s evidence to the Committee, and I hope that M&S has also learned the lessons that he laid bare. I hesitate in trying to make too immediate a connection between one case and another, because as my right hon. Friend will know, I do not want to prejudge what has happened in this particular set of circumstances.
- I call the Liberal Democrat spokesperson.
- I welcome the Minister to his new role. There has been a spate of cyber-attacks on important UK companies such as Jaguar Land Rover, on supermarkets and on the Legal Aid Agency. What are the Government doing to restore public and, just as importantly, international trust in the UK’s cyber-security networks? Do the Government think that the attacks have come from overseas?
- That is the second time I have been asked whether this attack has come from overseas, although I suppose that is a slightly different question from one about state actors. Again, I am not going to prejudge the investigation—I can tell that the hon. Gentleman knows that, because he is smiling. He referred to UK companies, but were I speak to any of my counterparts in Europe, or in most countries in the world, I would find that they are going through exactly the same issue. Qantas, Pandora, Adidas, Chanel, Tiffany & Co., Cisco—all those companies have had major attacks over the past months, and unfortunately that is simply a part of modern business. It is a despicable practice and a set of criminal actions. We must prosecute those who are responsible and ensure that they go to jail for a very long time, so that we can protect our industry in the UK, and co-operate with other international agencies to ensure that we do the same around the world.