National Resilience Committee 

Uncorrected oral evidence

Thursday 16 April 2026

10.50 am

Members present: Baroness Coussins (The Chair); Baroness Curran; Lord Farmer; Baroness Helic; Baroness Hunter of Auchenreoch; Lord Marland; Baroness Mobarik; Baroness Northover; Lord Oates; Lord Peach; Lord Spellar; Baroness Winterton of Doncaster.

Evidence Session No. 6              Heard in Public              Questions 54 - 61

Witnesses

I: Michael Brunton-Spall, Deputy Director of Cyber Services, Government Cyber Unit; Oliver Neuberger, Managing Director, Accenture Cybersecurity.

USE OF THE TRANSCRIPT

  1. This is an uncorrected transcript of evidence taken in public and webcast on www.parliamentlive.tv.
  2. Any public use of, or reference to, the contents should make clear that neither Members nor witnesses have had the opportunity to correct the record. If in doubt as to the propriety of using the transcript, please contact the Clerk of the Committee.
  3. Members and witnesses are asked to send corrections to the Clerk of the Committee within 14 days of receipt.



Examination of witnesses

Michael Brunton-Spall and Oliver Neuberger.

Q54            The Chair: Welcome, Mr Brunton-Spall and Mr Neuberger. We are very grateful for your time. Thank you for coming to help us with our inquiry into national resilience. I remind you that this is a public session that is being broadcast live. You will both receive a transcript in a day or two so that you will be able to make any small factual corrections for things that have come out wrong in the transcript. You are both more than welcome to submit any written evidence following today’s session if you think anything needs clarifying or you suddenly remember anything that should have been said that has not been said.

Apologies from the committee: this is a very awkward room, with all the members spread out over one side. The acoustics are not superb, so if you can make sure that you speak more loudly than you think you need to and directly into the mics, that would help us all. Thank you very much. We have a lot of questions to ask you. Before each of you answers for the first time, perhaps you could just introduce yourselves so that we have that for the tape.

I will kick off with the first question, which is to ask whether you could summarise what kinds of cyber risks the UK has experienced in recent years and what the balance might be between malign hostile state actors and common or garden criminals after a ransom, for example. Are there any indications of what vulnerable businesses do to make themselves more vulnerable, which could be avoided with knowledge and preparation? Perhaps, Mr Brunton-Spall, you could begin.

Michael Brunton-Spall: Thank you for having me here. I am the Deputy Director of Cyber Services in the Government Cyber Unit within the Department for Science, Innovation and Technology. I am also the Deputy Government Chief Information Security Officer (CISO). We are responsible for the Government’s cyber action plan, which is how the Government are protecting themselves against cyber threats.

We have been pretty clear and very public about the fact that the UK Government and public sector face critically high cyber and digital resilience risks as a result of an escalating threat environment, something that has changed significantly over the last few years, and extremely low levels of resilience across departments and the wider public sector. That was set out by the National Audit Office and Public Accounts Committee reports into government cyber resilience and our own departmental State of Digital Government Review, all of which were published in 2025.

Bringing it home a little more, more recently we have seen the real-life reality and impact of those risks when they materialise. Ransomware incidents that affect local councils incapacitate social care systems and leave front-line workers unable to access the vital information that they need to protect vulnerable individuals. When digital systems fail, whether it is through a malicious cyber attack or through a non-malicious outage, it causes immediate impacts that are profound and it erodes public trust in the institutions that run the country. The Government are committed to addressing those risks. The response from our sector is the Government Cyber Action Plan, published in January 2026, which sets out how we will rapidly improve cyber security and resilience of public services.

To go back to a couple of your core questions, the threat environment has changed and continues to change, and will continue to evolve over years to come. Criminals, nation states and all other attackers do not sit still; they do not keep trying the same thing over and again, they continue to evolve. We know that that threat environment is the most sophisticated that it has been, but it will continue to evolve in future. We need government to keep pace with that changing threat environment.

GovAssure is our cyber assurance scheme. The first two years of results showed us that there were significant gaps between departments’ cyber security resilience and widespread low maturity in some of the really fundamental controls that we expect to see around asset management, protective monitoring and response planning. Our State of Digital Government Review noted that nearly a third—about 28%—of the Government’s technology estate is estimated to be legacy technology. That stuff is incredibly difficult to defend against those kinds of attacks. It is very difficult to add those basic controls and that makes us vulnerable to malicious acts but also to failure and resilience issues, because attempting to fix those things can cause outages, et cetera.

We note in the cyber action plan that the responsibility for cyber risks has been unclear across all of government as to exactly who is responsible for those risks and who is responsible for the wider supply chain that feeds into government. The Government Cyber Action Plan sets out a much stronger accountability framework for managing that risk, for understanding the risk, for making it visible to the leaders and setting out the actions that they can take. I am happy to stop there and let you come in with more questions, rather than grandstand.

The Chair: Yes, I think you have covered a few of the subsequent questions as well. Mr Neuberger.

Oliver Neuberger: Thank you, Chair. Good morning. I am the Managing Director of Accenture and I lead the cyber security practice for comms, media and technology.

In answer to your question, the UK, as you will be very aware, is facing persistent high-volume cyber risks from many sources. Recent high-profile attacks on British businesses show how a single incident can impact thousands of people and suppliers. Incidents tend to exploit interdependence, dependence on the same technology, and the scale and complexity of legacy systems, as has just been mentioned.

Cloud adoption, as you will be aware, reduces some risks but concentrates others. The issue is that cloud technology on its own is not necessarily inherently risky—there is nothing novel or experimental about it—but it does represent a shared dependency across many different organisations that must be very actively managed to ensure resilience and help recovery. Recent cyber incidents that you will be aware of demonstrate that the attack surface is growing and continues to grow because of things such as cloud adoption, increased digital interconnection and interconnection of physical systems with industrial systems, and a greater reliance on increasingly complex third-party services.

We have seen a shift away from what we would term traditional perimeter-type attacks into much more complex attacks, which include things such as identity compromise, vulnerabilities in organisation supply chains, and cloud misconfiguration. To summarise, we think that the risk is high and it is continuing to grow and gather pace.

Q55            Baroness Hunter of Auchenreoch: This is a question for both of you, but perhaps more you, Mr Neuberger. It is something in your report, the background reading here from Accenture: “AI is anticipated to be the most significant driver of change in cybersecurity in the year ahead”. It is an area that I am not familiar with at all. AI is something that I am just getting to grips with in relation to cyber security. I have been reading as much as I can around it and I came across this speech—a lecture—that was recommended to me by a fellow Peer who I respect greatly. Have you heard of Rob Bassett Cross?

Oliver Neuberger: No, I have not.

Baroness Hunter of Auchenreoch: I highly recommend you get hold of him. He is the CEO and founder of Adarga, which is one of the UK’s leading developers of AI and a supplier to government. He is a former British Army intelligence officer and a senior fellow at the Atlantic Council at the Scowcroft Center for Strategy and Security, so I think respectable. He is very persuasive, anyway. I will circulate this, because I think you would be very interested in it. He basically says that such has been the speed of AI development and improvement that we are actually not far away from where AI’s reasoning capabilities, strategic thinking and planning will surpass those of humans, so that every move you make is met by a countermove by your opponents even before you have fully executed your own move. We are so far ahead there.

Going back to your Accenture report, you say: “AI is enabling attackers to bypass legacy systems and overwhelm security teams” and “The cyber threat landscape is being reshaped not only by technology, but by geopolitics”. Perhaps you could expand on that phrase and also explain what role AI can play in strengthening our systems going ahead.

Oliver Neuberger: Thank you, Lady Hunter. I might answer your second question first. It is absolutely our view that artificial intelligence lowers the barrier to entry for attackers. Tasks that traditionally would have been very manually intensive for an attacker, such as time spent in the reconnaissance phase of an attack, whereby they are researching targets and finding out as much as possible about an organisation—what tools they use, what technologies they use, what their form of words might be in an email, to create a convincing phishing attack—AI is very suitable. We have seen that already, where that has been automated to a very large extent by AI. That means that those kinds of attacks are much easier to launch, they are much less manually intensive and, critically, multiple attacks can be launched in parallel. Rather than just a very tailored attack on an organisation’s CEO, say, it is possible to deploy multiple attacks simultaneously, potentially at every member of staff of an organisation. Obviously, when you do that to a very large sample size, there is a very high likelihood of some form of engagement with that attack across a large sample group. Absolutely, we think artificial intelligence has made life easier in many ways for the attackers.

That also applies to software. Very recently we have seen artificial intelligence engines that are able to find what we would term zero-day vulnerability, so new and unknown vulnerabilities in existing pieces of software that human researchers may not have been able to find in such a short timeframe. Absolutely, artificial intelligence has changed the game from that point of view.

It is probably worth noting that artificial intelligence also has many beneficial advantages for defenders. A large amount of cyber security is associated with looking through large volumes of data to identify suspicious behaviour. That is something that has traditionally been done largely by human beings. There are inherent and obvious limitations to what a human can process in terms of data volumes, so there is a very significant role that AI can play in assisting defenders as well.

To turn to your question on AI and geopolitics, it has always been our view—and hopefully this is evident from the report—that cyber activity should be thought about as part of the wider strategic competition between state and non-state actors, and not just criminal behaviour. We expect to see a greater number of hybrid approaches: attacks that combine traditional cyber operations, information manipulation, potentially using AI, as we have seen, deep fakes, and physical capabilities as well. That is becoming very visible in the conflict context right now. For example, obviously drones and autonomous systems have already transformed that battlefield, as you will be very aware.

There is a very heavy reliance in all aspects of life, including modern conflict, on software connectivity and positioning systems. That creates a very tight cyber-physical crossover, which creates a lot of the resilience risk that we are talking about today. I hope that answers your question.

Baroness Hunter of Auchenreoch: It does. Yes, thank you very much.

The Chair: Lord Farmer, you wanted to come in on this topic.

Lord Farmer: Thank you, Chair. I think you touched on the Mythos and Anthropic problem, which is what we are right in the middle of at the moment. We have read that they are having emergency meetings in Washington with Treasury officials, and over here. I was recently reading what Jamie Dimon, the CEO of JP Morgan, was saying. What I understand is that Anthropic, as you have just said, can see thousands of vulnerabilities that we have not been able to see before. The scenario seems to be that it will get worse before we can strengthen ourselves for it to get better and then we can cope with it. It looks like we are going to go through a bad period where we could have cyber attacks and more vulnerability, which the bad guys will be taking advantage of. Could you talk about that time lapse or what is being done about Mythos and Anthropic at the moment?

Oliver Neuberger: Thank you, my Lord. It is a very interesting question. I think it illustrates very much the constant cat and mouse game, if you will, between attackers and defenders. Although that recent news item has been very headline grabbing, in my mind it is just one advance in a series of steps. As large language models and artificial intelligence become more capable, more able, we will see a continued shift towards strengthening the attackers, enabling the attackers.

I think it is incumbent on us—on government, on industry—to make sure that we are applying that same level of development and energy into employing the same technology from a defensive point of view. For example, in the point you raise, that same technology can also be used by a defender to conduct penetration testing on its own systems to ensure that those vulnerabilities are identified and addressed early. Obviously, the advance of AI will continue at its own pace, largely just in terms of how technology normally progresses, but it is incumbent on anybody who has any system that could potentially impact national resilience that they are using those tools as well from a defensive point of view to try to identify those vulnerabilities ahead of an attacker. They need to think from very much a wider resilience perspective of if those breaches occur, which they will, “How can we minimise the impact? How can we recover quickly? How can we identify them rapidly?”

It is a good reminder to us all that these breaches will happen. The rate of technology advancement is so fast, it is no longer an acceptable strategy to consider cyber security in isolation around preventing incidents because, as you rightly say, they will happen. Those tools are also available to defenders and I would encourage organisations to think about how they use those tools to try to spot those vulnerabilities early.

The Chair: Mr Brunton-Spall, did you have anything to add on that issue before we move on to another one?

Michael Brunton-Spall: Just to agree, and thank you for the question, Lord Farmer. AI has the possibility to both strengthen defences and advantage attackers. The UK has been tracking offensive AI cyber capabilities for the last two years. The AI Security Institute is the most advanced government capability in the world, dedicated to understanding and mitigating AI security and safety risks. We are literally world-leading in this space. Earlier this month the AI Security Institute tested Anthropic’s Mythos model before it was released; it was able to use it in advance. When provided with access to a simulated network and directed to attack that network, it was able to autonomously gain control through that. However, it should be noted that that is a deliberately vulnerable network. It behaved the same way that humans who are trained to carry out cyber attacks carry out those cyber attacks, but it is autonomously able to do so. It does not mean that AI models can attack networks without any human direction or without any existing accesses. Where it is directed against networks that are well secured, it does not seem to find new spaces that did not exist before, so it accelerates existing capability.

We think it is that investment now in cyber defence, in continuing to focus on baseline cyber hygiene and compliance with the NCSC Cyber Assessment Framework (CAF) as the foundation of resilience. The Secretary of State has published a letter on AI cyber attacks to UK businesses that emphasises exactly those points: you must take cyber security seriously; you have to get the basics right; and then look at the advice of our national authority, the National Cyber Security Centre, and follow it as much as possible. I will be writing to government leaders today with very similar advice, to say that this does accelerate the risk, but the advice remains the same for us: focus on the hygiene, focus on the basics and focus on ensuring that you are resilient to cyber attacks, because this is again a change in the pace of attacks. It is not a sudden change in that capability over time.

Baroness Hunter of Auchenreoch: May I just come back?

The Chair: Very quickly, please.

Baroness Hunter of Auchenreoch: You said we are the world leader in this. Are we?

Michael Brunton-Spall: The AI Security Institute was created two years ago as a follow-up to the AI Safety Summit. We were the first Government in the world to run the AI Safety Summit. We were the first people to create an institute that does this. The team have spent two years understanding and building these AI models. I think we have a capability that almost nobody else in the world has.

Baroness Hunter of Auchenreoch: More advanced than the Chinese, say?

Michael Brunton-Spall: I do not have any information on that, I am afraid.

The Chair: We need to move on to the next topic.

Lord Oates: I should declare an interest. I am CEO of a not for profit, United Against Malnutrition and Hunger, which has received pro bono support from Accenture Development Partnerships.

Before I ask my question, you touched a lot on AI, but we did not touch on quantum computing. Quantum computing, as I understand it, is a whole new level. I wondered whether you could comment in that context on the impact of quantum computing.

Oliver Neuberger: Yes, certainly. Quantum has been in the news a lot for various reasons. Our view right now is that quantum computing threats have sometimes been overstated in public debates. The notion of Q-Day, the point at which traditional encryption will become very vulnerable to quantum-type attacks, does not mean that traditional encryption will become instantly trivial to break. Experts may have disagreements on when Q-Day is coming, but the important point to take away is that the risk is uneven here and will affect certain types of very high-value, long-lived data, so data that is secret now and protected by encryption but will remain secret for very many years. We have seen harvest now, exploit later type attacks, where attackers have gained access to large amounts of very securely encrypted data, knowing full well that they cannot exploit it right now, but at some point in the future that will become an option.

Our advice to our clients right now is to think about how they can adopt a degree of quantum agility in their choice of encryption protocols, such that it is easy—or easier, should I say—for them to rotate encryption technologies to take advantage of techniques that are less vulnerable to quantum-style attacks. For example, in those organisations, the correct response right now is a very planned transition to that post-quantum cryptographic world, starting with those most high-risk sectors. Those would traditionally be areas such as defence, which have secrets that will remain secret for very many years. The risk is there; it is real. We do think it has been overstated to some degree and maybe sensationalised slightly, but it is something that organisations need to think about right now, because the exercise of migrating to those technologies is non-trivial for large, complex, interconnected organisations.

The Chair: Thank you. Before we get on to your substantive question, Lord Oates, Lady Winterton wanted to add a quick question about AI.

Baroness Winterton of Doncaster: It was not really AI, it was when we talked about the cyber threat landscape changing in the future, particularly with geopolitical dynamics. Do you have any insights on interference in democratic elections, as we have seen in Moldova and Romania? Anticipating something that you might come back to a later question, is there anything that needs to be done in legislation with regard to that? You might want to address later, but the immediate one is—

The Chair: Yes, hold back on the legislation issue.

Baroness Winterton of Doncaster: Yes, exactly, but this is just about the immediate changes in terms of democratic interference through cyber attacks.

The Chair: Would you like to start on that?

Michael Brunton-Spall: I am sorry, for my part, I do not have much information on that. We focus on the internals of government, so you would need to speak, I suspect, to the National Security Secretariat in its Defending Democracy capability, but we can write to you with more details, if needed.

The Chair: That would be very welcome, to have some written evidence following up that question. If you want to send that in to us after the session today, that would be great.

Michael Brunton-Spall: We will take that away.

Q56            Lord Oates: My question is directed mainly to Mr Neuberger. In your estimation, how far are private sector organisations of all sizes resilient to cyber threats at the moment and how can they improve this?

Oliver Neuberger: I think it varies enormously by sector. If we take certain sectors, they are very experienced at dealing with legislation and regulatory changes; financial services, for example, is what we would regard as a very heavily regulated sector. They are much more mature in the way they deal with legislation and the requirement to comply and so forth. We are seeing other sectors grow in their maturity. For example, in telecoms, the recent Telecommunications (Security) Act placed, as you will know, requirements on telecom operators to increase the level of resilience of their networks, reflecting the very important role that they play in national resilience.

It varies enormously between sectors and also between large organisations and small to medium-sized enterprises (SMEs). Large organisations typically struggle with scale. They have complex legacy systems. They may have grown extensively through acquisition and over time the technologies on which they depend grow and grow. My experience is that they do not spend enough time refactoring and simplifying and, as a result, what we would term their attack surface is very complicated and very large. Insufficient effort, in our opinion, is spent on refactoring, simplifying and removing redundant technologies and trying to simplify as much as possible. Complexity of an estate plays very well into the arms of an attacker.

Small to medium-sized enterprises (SMEs) face slightly different challenges. Their estates are typically smaller and simpler to some degree, but they face challenges around cost, skills, time and access to expertise. It varies enormously between sector and company.

Lord Oates: Thanks very much. Do you think it would be helpful to either encourage or mandate companies to take out cyber insurance, particularly in the context that presumably insurance companies would insist on levels of cyber health, as it were?

Oliver Neuberger: You have touched on the most important benefit of cyber insurance, in many ways. Cyber insurance, in my mind, is a financial mitigation mechanism by which a company can transfer a degree of financial risk to a third party in the event of a cyber attack. In some instances it can provide a misguided sense of confidence, in the sense that the cyber insurance policy will deal with any resulting cyber attack. Obviously, as we all know, there are many things that cyber insurance cannot address, such as reputational damage, indirect losses and various other things that are frequently excluded from cyber insurance. It has a role to play in certain places, but its most important impact in terms of resilience per se—rather than simply financial clear-up after an attack—is those standards that cyber insurers will mandate, things that you have rightly touched upon: an insured party must have an incident response in place; they must have tried and tested protocols; they must adhere to certain security standards. That is a very useful aspect from a resilience point of view. Outside of that, it is potentially a positive financial impact rather than a resilience one.

Lord Spellar: Could I have a quick supplementary on that? Within such policies, is the payment of ransomware specifically excluded?

Oliver Neuberger: I would not like to generalise about what policies look like. I suspect they vary from insurer to insurer. I think we may be planning to talk about the government stance and potential policy around ransom payments. We could potentially cover that now, Chair, if you wanted to.

Baroness Northover: Shall I come in on that question?

The Chair: Yes.

Q57            Baroness Northover: There are two parts to this. Should organisations be compelled to publish cyber attacks on their networks for greater transparency and to make sure that it is better known that these are widespread? Also, on the point about paying ransoms, should they be prevented? Perhaps I could start with Mr Neuberger.

Oliver Neuberger: Certainly. Thank you for the question. As a general principle, the payment of ransoms is something we generally counsel against for several reasons; obviously, the first reason being that the payment of ransom to some degree incentivises and encourages that kind of behaviour, but additionally—and this is seldom thought about in some organisations—that the payment of a ransom is absolutely no guarantee that the damage done by a cyber attack will be successfully undone. It is important to realise that when you pay a ransom, you are essentially transferring potentially large volumes of bitcoin to some unknown email address. There is absolutely no guarantee that the payment of ransom will result in any kind of release from the pain you find yourself in from the cyber attack.

Often the kinds of cyber attacks we see—and there are many publicised examples of this—have just been blatant vandalism from a technology point of view and the payment of ransom would not fix that in any case. The payment of ransom can be a false safety blanket for organisations, where they think, “If it all gets really bad, we can negotiate and pay a ransom”. Often it is unsuccessful. You are not negotiating with a logical party in good faith, as you would in a traditional commercial negotiation. As a general principle, the payment of ransoms is something that should be avoided.

Baroness Northover: What about the transparency of us knowing what is happening in these cases? Should they be forced to do that?

Oliver Neuberger: For any organisation that provides technology that underpins national infrastructure and national resilience, there should be a general principle of transparency. Where an organisation is subject to an attack that is the first of its nature, sharing that information can have a positive effect on the resilience of the rest of the United Kingdom, because we do see the same cyber techniques deployed in sequence against organisations within a given sector or a given geography. That said, it is important there are safeguards put around that transparency to ensure that organisations are not disincentivised to report, downplay or to underplay attacks they have been subjected to.

As a general principle, it is a thoroughly good thing, provided that the right guardrails are put around it—in particular, what is disclosed to the public to make sure it is not causing panic and is not being misrepresented by the media—and that it is done with the right intent; namely, to help defend parts of the critical national infrastructure that may benefit from understanding the tools, techniques and procedures that were used in that cyber attack.

Michael Brunton-Spall: It is a matter of policy that government organisations, arm’s-length bodies and public bodies that are funded solely by central government should not use central government funds to pay ransom extortion demands. In complete agreement, the Government’s position is that paying ransom to criminals is likely to encourage further criminal activity and it does not guarantee a successful outcome. It should be considered by the victim only as a last resort, and within government sanctioned with exceptional ministerial direction, so it is government policy to not pay ransoms wherever possible.

On the publishing of cyber attacks, for us it is a matter of policy generally that we do not publish details of cyber attacks, on national security grounds. That is because we do not want to tip our hand to adversaries about those we have detected and those we have not detected, which they may know. It is very hard for us to know which ones would be which. We do capture and share internally the knowledge of those attacks. They are shared with our Government Cyber Coordination Centre, which manages that across the government sector, exactly to manage the risk of sequencing of attacks within a sector. We would know if a department is attacked and then another department was attacked. We share that within departments, but public revelation of that would be against our policy on national security grounds. It is a very fine line to walk.

Baroness Northover: Do you think it would be nevertheless beneficial if companies did? Taking it out into the commercial, what would be the Government’s view of whether there should be more transparency in the commercial sector? I can see the national security argument within the government sector.

Michael Brunton-Spall: Unfortunately, I cannot comment on the Government’s policy on commercial organisations. I think when we come to the legislation, there is a section under the CSRB about what that might look like.

The Chair: Thank you. Lady Mobarik has the next question. Lord Marland has a supplementary.

Lord Marland: I was just going to make a comment on that, if I may, being in the insurance business. I will declare an interest, as I lead a consortium of investors in a cyber technical support business and I have interests in cyber insurance.

The insurance companies will simply not want it to be published that they offer insurance for cyber because it allows the attacker to know that they can attack the insurance company. It is the same with kidnap and ransom and other things like that, it will not be published. Sorry, Lady Mobarik, I just wanted to give some assistance.

Q58            Baroness Mobarik: This question is for Mr Neuberger. You have touched on what steps businesses should take to strengthen preparedness in data recovery, for example, in case of an attack and that it is a case of when, not if. There is lots of advice, perhaps surveys, out there, but I want to ask: what are the real, tangible tools, the nuts and bolts? What software is being developed to counter attacks or speed up data recovery, for example? There are lots of reports and most businesses do know their vulnerabilities, but SMEs just do not have those huge resources to sit and read those reports. What they need are the real tools that close that resilience gap.

Oliver Neuberger: Thank you for the question, Lady Mobarik. I will comment briefly on the point you made around organisations knowing their vulnerabilities. I would agree that is true to some degree. However, organisations often view their own vulnerabilities very differently from how an attacker sees them. For example, when a large organisation commissions a project to build a technology tool, it will typically have a security budget associated with that project. It will look at the piece of software, whatever it happens to be, that that project is developing from a security point of view, it will assess it and then it will go live.

An attacker obviously does not look at an organisation like that. It looks at an organisation holistically, at the entire attack surface and looks for vulnerabilities within that. We find that security arrangements for large enterprises in particular often mimic the organisation structure, which clearly creates vulnerabilities because it is in those gaps and those joins between the different organisation structures that the vulnerabilities exist.

On the first part of your question around what organisations can do and what role does tooling play, undoubtedly tooling does play a part in this. For example, we would encourage organisations to think very carefully about their backup policy, how they are creating what we would term immutable backups, backups that cannot be altered or interfered with by an attacker, such that they have various points in time that they can fall back on should the worst happen. It is also very important that those things are rehearsed. We have seen situations where backups are created and are assumed to be being created, and it is not discovered until a significant cyber breach has occurred that the backups were not working correctly and stopped working some time ago, they are significantly out of date or for other reasons are unusable.

There is a role that tooling plays in areas such as that, in things such as backup and in network segmentation. For example, assuming the principle that an attacker will get past your perimeter, how do you make sure that once they are inside lateral movement between systems is very difficult? For example, if your enterprise network—the means by which you email each other—is compromised, how do you make sure that the core network you provide your customers is not? That segmentation internally is very important. There are very many tools in the cyber security space right now and it is quite difficult for organisations to determine which tools will meet their need. They can often give a false sense of confidence, in the sense that deployment of a tool on its own is unlikely to result in an improved cyber security posture.

We would encourage organisations of all sizes—in particular the SMEs you talked about—to think very carefully about their plans in those instances, how they would respond, and, critically, to rehearse those plans as well. We sometimes see these things done in the boardroom, such as table-top exercises. That is helpful and it starts to get people to think how they would respond in certain situations, to understand what their role individually is in an incident and how they would make decisions, not just within the comfort of a boardroom but at 3 am when a breach has occurred. We think there is a very important role that tools play, as we touched on, but also the planning, the human side and the procedure side are equally important.

Q59            Lord Peach: The changing nature of the threat landscape you have brought out for us already, with the scale and frequency of attacks and arguably the sophistication of those attacks. My question, primarily for Mr Brunton-Spall, is: do we have the right structure in government, do we have the right funding and are we prepared to change that to meet the changing threat? Feel free, both of you, to comment.

Michael Brunton-Spall: It is a great question. It gets to the heart of the 2025 recommendations. When we published the Government Cyber Security Strategy in 2022, we had developed an understanding of government cyber resilience, but by 2025 I think we realised that we did not have the right accountability structures in place to deliver on that. The work that we have done at pace in 2025 to develop and pilot that approach is defined in the Government Cyber Action Plan. It is focused on the successful implementation and delivery of rapidly increasing cyber resilience and resilience across government. It was developed in partnership with international partners. We looked at some of the best models from some of the partners that we had access to, and we worked with industry to see what models work effectively in industry. It builds on that best practice and we feel that it helps us deliver the right accountability structures across government to hold the departments to account for their ability to deliver on that.

On the funding, the cyber action plan is backed by over £210 million of central investment, which is to establish the Government Cyber Unit in the Department for Science, Innovation and Technology, and enables us to invest in a set of scalable central services, interventions, support and response capability that can rapidly increase that pace of transformation and get us ready for that changing environment. That includes covering not just what we will do proactively within services and the support that we provide but the incident response co-ordination to the Government Cyber Coordination Centre, which is exactly for things that cover the ability to both respond and recover rapidly.

It is very much about trying to push down the likelihood that an incident happens, but also ensuring that when it happens, it is less severe and it is able to be recovered very quickly, which is to exactly that point. We hope that it will allow us to better utilise scarce and expensive cyber skills far more effectively at the centre. It enables a structure to drive those changes across government and do that once and well for all of government. I hope—I think—that answers your questions.

The Chair: Do you have anything to add to that?

Oliver Neuberger: No. I agree with everything that has been said so far. From a legislation point of view the challenge, as you will be very familiar, is the difficulty with keeping pace with technology change, so in my opinion the important part is the principles and fundamentals that are mandated on the private sector to ensure that that legislation and those requirements can stand the test of time as much as possible, because, as we have talked about, the advancement of the capabilities of the attackers is moving so quickly.

Lord Peach: More a comment than a question, but you may want to comment on the comment: can we keep cyber skills in government or are they lured to higher salaries in the private sector?

Michael Brunton-Spall: This is a day-to-day concern for me. The development of a cyber profession in government is one of the features of the Government Cyber Action Plan. I think it will always be a tension for us, that industry will always be able to outpay the Civil Service. We have a unique and bold mission in the Civil Service in protecting government. That is attractive to a large number of those people. It helps. We have good relationships with industry; we have abilities for people to second in and out, which helps transfer those skills forwards and backwards. We have a plan to build and develop that cyber profession. The Prime Minister’s commitment to include one in 10 civil servants with technology skills across the Civil Service includes cyber skills. We are looking for an increasingly skilled Civil Service, but it is a significant challenge for us and will remain so.

Q60            Lord Marland: As you know, there is some legislation going through at the moment. Interestingly, it is eight years since the last legislation, but we are in the fast-changing world of cyber security. What extra things do you think we should be thinking about in terms of legislation and how can it help incentivise investment in cyber security and resilience? I refer to my earlier comment about my own interests.

Michael Brunton-Spall: From our perspective, legislation is an important tool in improving cyber resilience across multiple sectors. Government recognises the robust protections for digital services that are essential to our society and economy. That is why we introduced the Cyber Security and Resilience Bill on 12 November 2025, which is going through the process. As the digital centre for government, the Department for Science, Innovation and Technology recognises the step change in cyber and digital resilience that is required across the public sector.

For the government sector, we do not need to wait for legislation to take action. Our Government Cyber Action Plan holds government to the same or a higher standard that we are asking of others. The Bill does ask other sectors to set, and hold themselves to, those standards, but within government that Government Cyber Action Plan is a mandated framework with very clear expectations, targets and milestones. It is not a voluntary programme for the government sector. I hope that answers the main thrust of it.

Oliver Neuberger: I agree with those points. Our view is that legislation can absolutely improve resilience by providing clarity around minimum expectations, potentially extending coverage to previously unregulated parts of the ecosystem and improving the visibility of risk.

On the second part of your question on incentivising investment, investment obviously requires predictability and clarity. Organisations will typically invest when expectations are stable, clear and uniformly and predictably applied from an enforcement point of view. Good practice should be visibly recognised and made obvious, rather than just purely a compliance cost. Conversely, overprescriptive or unevenly applied regulation would divert risks away and point more towards a compliance-type exercise, rather than something that will genuinely improve resilience.

Lord Oates: On the previous question about transparency, I think there was a sense that too much transparency might give hints to cyber criminals and other actors, but do you think there is a case for legislation to make cyber attacks on commercial businesses like a notifiable disease, something that is confidential but needs to be notified to government so that other organisations can learn from those attacks?

Oliver Neuberger: Yes, I think there is a good argument for that. I think it underpins the need for very close and continued co-operation between private enterprise and, for example, the National Cyber Security Centre to ensure that those disclosures are treated with the appropriate level of protected marking, shared only with those individuals who hold the appropriate clearances and that the information that is shared, which is in itself very sensitive, is shared on a need to know basis. That is a sound principle. I think the principle of transparency, with appropriate guardrails, would be the most appropriate response.

Michael Brunton-Spall: I am struggling to remember the details, and I do not want to misspeak so I am very happy to write to you with more details about that, but it is definitely a conversation that has happened within the CSRB process.

The Chair: That would be helpful. Lady Curran.

Q61            Baroness Curran: Thank you. If you had the good fortune to get one minute’s time with the Prime Minister face to face and he asked you, “What would be your one priority to improve the UK’s resilience?” what would you say?

Oliver Neuberger: Thank you for the question, it is a good one. I would recommend that cyber resilience is treated as a core national preparedness issue that is measured, exercised and led at the most senior levels. The responsibility for cyber resilience should be very much seen as a board-level topic, something the CEO worries about, rather than if we rewind maybe 10 years, where it was regarded as a technology-type topic, something that a CTO or a CIO might worry about, looking at it purely as a technology exercise to prevent an attack. It needs to be regarded as something that a CEO needs to be thinking about in every aspect and every decision that they make regarding their enterprise.

Baroness Curran: Do you think he would say yes to that?

Michael Brunton-Spall: I think it would mirror exactly what is in the Secretary of State’s letter, which is to take cyber security seriously.

Baroness Curran: You are a good civil servant.

Michael Brunton-Spall: Yes. It would be to take cyber security seriously, like all organisations need to take it seriously, and to focus on the basics. It is very easy to get taken down lots of rabbit holes, but the basic cyber hygiene is the thing that matters. It is the hardest thing. It is basic, not simple, but it is the most important thing to focus on.

Baroness Curran: Does that imply ministerial responsibility directly, like having a named Minister with that very specific requirement?

Michael Brunton-Spall: I do not quite understand the—

Baroness Curran: In a sense, do we need to up our ministerial chain of command with more specific responsibilities so it is more politically understood where the chain of accountability lies?

Michael Brunton-Spall: I do not quite follow the chain of reasoning. All Ministers are responsible for the cyber security of their department and their sector. It is part of running a large organisation and being responsible for that area.

The Chair: Would it help if we had a Minister with designated responsibility for national resilience?

Michael Brunton-Spall: I cannot comment on that, I am afraid. I do not know.

The Chair: Anybody else? No. Thank you both very much. That has been extremely helpful and we are very grateful for your time. As I said at the beginning, if there is anything that you want to write to us about as a follow-up, please do. That would be very welcome. Thank you. I can now close the public—

Baroness Hunter of Auchenreoch: Just before you do, there is a thing that Vladimir Putin said. He said, “Whoever becomes the leader in this sphere (he means the cyber security sphere) will become the ruler of the world.”

Oliver Neuberger: Food for thought.

The Chair: Is that something else you are not prepared to comment on? Unless you want to. No?

Oliver Neuberger: A brave person would respond to that. I think it just illustrates the interdependence and the borderless nature of global technology infrastructure and the vulnerability we all face, not just nationally, but globally.

The Chair: That is a realistic note to end on. Thank you very much.