
 

National Resilience Committee 

Uncorrected oral evidence

Thursday 11 June 2026

11.25 am

 


Members present: Baroness Coussins (The Chair); Baroness Curran; Lord Farmer; Baroness Helic; Baroness Hunter of Auchenreoch; Lord Marland; Baroness Mobarik; Baroness Northover; Lord Oates; Lord Peach; Baroness Winterton of Doncaster.

Evidence Session No. 11

Heard in Public

Questions 104 - 115

 

Witnesses

Professor Lee Miles, Professor of Resilience and Disaster Management, Bournemouth University Disaster Management Centre; Nihal Newman, Director for Resilience and Cybersecurity, Ofcom.

 

USE OF THE TRANSCRIPT

  1. This is an uncorrected transcript of evidence taken in public and webcast on www.parliamentlive.tv.
  2. Any public use of, or reference to, the contents should make clear that neither Members nor witnesses have had the opportunity to correct the record. If in doubt as to the propriety of using the transcript, please contact the Clerk of the Committee.
  3. Members and witnesses are asked to send corrections to the Clerk of the Committee within 14 days of receipt.


 

Examination of witnesses

Professor Lee Miles and Nihal Newman.

Q104       The Chair: Good morning, welcome, and thank you very much for your time and for coming to help us with our very challenging inquiry into national preparedness and resilience. We are very grateful for your time. We have you for about an hour. I remind you that this is a public session, which is being broadcast live. You will receive a transcript in a couple of days. If there are any minor inaccuracies or if you spot any gaps where you suddenly remember something you might have said that you did not, we always welcome supplementary evidence in writing if you would like to do that.

We have a number of questions to ask you both. When you give your first answer, please begin by introducing yourself briefly, so that we have that on the record as well. I will start with the first question, if I may, to set the scene. To what extent do you estimate that the public currently have awareness of interconnected national and international risks? Obviously, that includes the ones relating to communications networks, where your special expertise is important for us to hear about. What is the level of awareness of risks in those areas?

Nihal Newman: Thank you. I am the director of security and resilience policy at Ofcom. Communications infrastructure underpins our society and economy and our everyday lives. Ofcom’s role as a regulator is to enforce the relevant frameworks and legal frameworks that we have, and we monitor industry’s compliance against those frameworks. Therefore, Ofcom’s engagement is predominantly with the industry—with those organisations that we regulate—and there is limited direct engagement with the general public. However, there are some examples of where we do engage with the public and where we do communicate the risks that the telecommunications sector faces, such as our Connected Nations report. That is an annual publication where we set out the risks that the sector faces, plus what we are doing in that space. We also provide guidance and information for consumers. When we think about legacy networks such as the PSTN, we set out in our guidance the sorts of questions that consumers should be asking their operators to help prepare them for that transition, including for scams and fraud—practical tips for people to take; that is information that we make available on our website.

The more indirect engagement that we have with the public is through our compliance frameworks. When we consult on our guidance or policy proposals, that information is made available to the public. In those documents, we set out the risks that the sector faces. When there are some critical risks and we communicate with our sector, at that point we publish some of that correspondence on our website to raise awareness and to remind the sector of its obligations. For instance, in April, when there was quite a bit of media coverage around Mythos and the AI frontier models, we published that letter on our website.

The Chair: Thank you. Just before I move on to Professor Miles, could I just follow up something you said? One of your functions, you said, is to monitor industry compliance. How compliant is it?

Nihal Newman: At the moment we have two separate frameworks for the telecoms security sector. We have the Telecommunications (Security) Act. We set out the various measures that operators need to follow. It is a journey, and the threat landscape is evolving. We provide that report to the Secretary of State, and aspects of that have been published. We are seeing steps that industry is taking, and it is implementing the measures that we expect it to take in the sector.

Professor Lee Miles: Hello there. I am a professor of crisis and disaster management at Bournemouth University Disaster Management Centre, which has been around since 2001. I have worked on many aspects of resilience across the world, including in the UK. I am also associate dean for research, innovation and enterprise at Bournemouth University in the business school—the Faculty of Business and Law—so I come from the business side. I am also a director of a recent project funded by Innovate UK, which was on empowering everyday and household resilience and preparedness for it. It was a UK household study, a public study about levels of UK resilience in that space. Those are the three domains that I am here for.

I will answer the question by turning it to look particularly at the recipient of this, which is the public. You asked me the question, “How far is the public aware?” “Not very far at all” would be my immediate response to that. I think it is because, when we look at most of the data in terms of awareness, there is low awareness data among the public, particularly households, about particular types of risks. I shall give you an example. In the study that we did, something like 52% of households were aware of all the hazards that they faced in their households, but something like 21% did not think they had any risk at all. That is an illustration of that. The first thing is low awareness, which may be part of the argument. The second is what you might call disconnected priorities—the messaging around resilience coming from the resilience action plan, the national security strategy, the industry strategy and the whole of society.

What the data shows is that households, the public in particular, often see resilience in a very localised setting, often in their own personal dimension. In the survey study that we were involved in, something like the highest level of perceived threat were accidents at home, and the lowest level, at only 4%, was terrorism, and 5% on conflict and war. You see this disconnect of priorities. That is an important point. In effect, that leads to limited action. Something like 75% of households that we looked at in the study took no specific action at all in relation to climate change, for example, and those kinds of elements. There is a communication deficit here in relation to the sending and receiving of matters.

My final point would be that, with the Iran war and so forth, there is a rising awareness of what you might call cascading effects. The public and households have become very much aware that geopolitics leads to higher energy prices, with implications for their standards of living. That is a causal economic relationship, which is wound up in resilience rather than necessarily different. There is a different interpretation about what is going on in Ukraine, which is seen as much more distant as a threat or dimension as it would be compared with the impacts. So that is the point I am trying to make here.

Lord Oates: You have highlighted the disconnect between those figures and the whole-of-society approach, but would you say that those figures were an accurate perception by the public of risks that they face?

Professor Lee Miles: That is a very good point to make, because there is often a difference between awareness, if you like, which is perception, action—preparedness—and, if you like, delivery or outcomes. If you try to follow those aspects through, because of the personalised nature of hazards and threats, there is always going to be a level of perception as to what affects people’s regional or community locality and is personal to them. That means that there is always going to be a disconnect between that. There is also a very strong regional difference between urban communities and rural communities, about how they would perceive communication around awareness of interconnected threats.

Q105       Baroness Northover: Slightly following on from Lord Oates, I suppose that, in fact, accidents in the home, especially with little children, would be high on the agenda and are most likely, so maybe that conclusion that people are coming to appears to be logical. But that then leads on to how we address what we are talking about here and therefore how the Government can communicate to the public in relation to this wider resilience challenge. With a fragmented media landscape, with audiences receiving information from different places, platforms, formats, and that changing as well and being likely to continue to change, how do you get the resilience or preparedness message across in that circumstance? Professor Miles?

Professor Lee Miles: It is an important point that you are making; it is very strong. Just to be very clear about the first obvious point: we have to recognise that households and the public are rational actors, for the most part. They are being perfectly rational in deciding what are the threats and hazards for them in their local community—in that dimension. There is always going to be a disconnect between the localisation of that and national strategy. There is always going to be a communication—if you like, a translation—point.

Basically, we need to focus on the concept of everyday resilience; in other words, what is the notion of everyday resilience that it has the pertinence that takes national priorities and makes it have resonance in the domestic and household landscape? Usually, I think there are four parts to that—the four Es, if you like. The first E is what you might call enlightened context, which is making it clear in government communications why that context is important for the public and the households, to take that domain. That is the why, if you like—why be involved in resilience and what the concept of resilience is.

The second element, after that enlightenment, is what you might call empowerment of choices. The important thing there is making communications that translate to people in their communities and households. Resilience is a choice about what they want to do and what they want to invest in. Do they want to invest in flooding, their houses, new technology, fire alarms or whatever, in relation to those kinds of elements? That is important for communication.

The third element is what you might call the enabling of actions. You can give people choice, but you also have to facilitate their actions. That might mean incentivising schemes, so that if they do resilience actions or buy different types of new technologies, they might see an insurance discount, premium or government scheme that might help with that.

The fourth and final element you might call the evaluation of outcomes to show that doing this actually leads to an outcome of better resilience.

Those four Es—enlightenment, empowerment, enablement and evaluation—provide the way in which you can communicate the message.

Baroness Northover: How do you do that, given that people are getting information from different places? In particular, as we heard in the previous session, 15 to 25 year-olds will be getting their information not from government or broadcasters and so on but from social media platforms. People may be getting their information in WhatsApp groups from their friends and relations and so on. Following up on your four Es, how do you get information over that is reliable, in our view, in those circumstances?

Professor Lee Miles: I would advocate a hub-and-spoke communications strategy. In effect, the hub is where you are providing a common agreement about what the communication of the threat should be—in other words, what the context should be. The spokes are the delivery of the different platforms according to the different audiences. There is an argument that we often use for our traditional information campaigns. We use websites as static places where the interested will go to find out more information. We have large elements of society in households that are not interested or engaged, and the platforms from which they gain information are anything from TikTok all the way through to Facebook and other social media, and anecdotal information, which might be the local community or family. The important thing to realise is that you need bespoke formats and delivery platforms to be able to achieve this. That means that communication on resilience, to put it bluntly, is not a cheap endeavour. It is quite sophisticated and requires a lot of resourcing to get the communication right.

Nihal Newman: The only thing I would add is that Ofcom carries out consumer research, and there is some specifically around media nations. If the committee is interested, I can follow up and provide you with the information from that research, if it will be helpful.

The Chair: That would be very helpful, thank you. Lady Hunter.

Q106       Baroness Hunter of Auchenreoch: Thank you very much for bringing your knowledge and expertise to our committee. I do not want us to focus only on you, Professor Miles, but in the international context, I know that you have had dealings with Sweden. We heard from the Nordic countries on their communications strategies. I know that you have also been in Africa and the Caribbean. I wonder what you could bring to the UK: what experience have you seen out there that might be effective back here?

Professor Lee Miles: As a point of context, I was a professor in Sweden for 13 years. I worked in the resilience domain, on societal resilience aspects. There is a lot of emphasis on learning from international comparators, and we must do that; it is effective. Of course, the Nordic countries, including Sweden, are good places to start doing that.

However, it is important also to recognise that they have very good techniques because, in terms of the overall security and societal framework in which they operate, there has been a total defence strategy, non-alignment neutrality and a high level of cultural and societal trust in the workings of government. That allows for strategies such as hard-copy pamphlet templates, such as the famous In Case of Crisis or War piece from 2018, updated in 2024. That provides basic contextual information to the public about why they should know about these threats.

The other important point alongside that is that we can learn from places such as Sweden because they have also provided standards and incentivisation schemes to allow both households and communities to develop and move forward with various aspects. That includes everything from health service provisions in health trusts all the way through to local communities. They are building on the foundational strength of a rather wholesome society, if I can put it that way, with a very strong cultural identity around a particular type of policy. If you look there, it is often the case that citizen allegiance and trust in government are much higher than they would be in the UK context. We learn from that perspective, but we also have to recognise that the environmental conditions in the UK are very different. We are talking about a society that is not so wholesome at this point in time.

Nihal Newman: I will just add that Japan has an emergency alert system, and there is a similar facility in the UK, where we have our cell broadcast, which was launched in early 2003. It was tested and exercised in early 2024 when the Plymouth bomb evacuation needed to happen. I agree that there is a lot more to be done, but we do have some examples over here. The alert system is led by the Cabinet Office.

Baroness Hunter of Auchenreoch: How do they do it in Africa, where there have been all these floods and climate situations? How do they do it in the Caribbean, with their hurricanes?

Professor Lee Miles: I have been a professor working on disaster management, so I worked a lot in Sierra Leone, before, during and after the Ebola crisis in 2014-16. I worked very closely on many projects of that nature. The important thing to recognise is that when we build resilience and talk about using examples from other countries, we often go to European countries, where they might be investing in high-technology solutions to make sure that they have redundancy situations for cyber for communities. They have a lot of technological advantages in terms of satellite phones, satellite redundancy situations and mobile networks they can call on, or masts, if they are damaged. You do not have that in the African context.

The African context shows that there is also a very strong reliance on low-tech solutions. As we become more digitalised, the question of redundancy becomes really quite challenging. Where we would have used analogue phones, for example, for a digital breakdown in the UK, we may be moving away from having an analogue telecommunications system as it once was. That in itself creates challenges. Often you find that the strength is in having local communities that might have hailer systems, for example, and communication agreements about how to do it in the local setting. There are often low-tech solutions there. As part of building resilience, we should not forget that we do not just need to go high; we need to create redundancy which is lower, particularly in the parts of our communities that are rural and may be outside the communications networks.

The Chair: That answer leads logically on to Lord Farmer’s question.

Q107       Lord Farmer: Yes, it answers part of it. Perhaps it could be for Ms Newman. We heard in the last panel, as well as here, that all the information we are getting is dependent on internet communication. We have not really looked at the scenario of a total blackout in which it is lost for several days. In 2034, the digital terrestrial television signals will be switched off. What effect might that have on the ability to transmit emergency messaging to the whole population if there was a cyber attack causing a communications blackout? It is an extreme situation, but we need to look at what happens when we do not have any communications coming in.

Nihal Newman: From the planning and preparedness side, I would like to break it down to what we currently have, and then talk about restoring the service. The planning and preparation and the work that Ofcom does in this space refers back to the resilience guidance we set for the operators. In there, we say to avoid single points of failure: build your infrastructure and architecture in a way that there is an aspect of redundancy; recognise the challenges with that; and, as part of that, have business continuity plans and disaster recovery plans. But within those plans, we say to be very clear what those processes are because often the processes can be there, but they are not understood and they are not tested. We make it clear that we expect the operators to do that. We also expect that there is power resilience. Where are the key sites that the operators should have the power backup? To build on that, for government, in the event of a national emergency situation, we have the Emergency Services Network. The Home Office is investing in this across the UK, and it is looking to further harden that network. There are also the satellite communication services available to the UK Government in the event of a national emergency. Our military has access to that, as Professor Miles was referring to.

With regards to what is available now when there is an incident and what the telecom operators can already do, they can deploy mobile cell sites. Where there is either a specific incident, an outage or damage to a subsea cable, they can deploy an interim mobile coverage solution for that area. They also have generators on wheels, so they can deploy generators in the areas that need it. Alongside that, we expect the operators to be transparent with the services that they offer and the processes that they use. Many operators publish this on their website. For example, BT publishes the very comprehensive set of steps that it takes so that there is an awareness of what it does in the event of an emergency.

There is action that operators can also take. Currently, in the event of an emergency, operators can roam on to different networks to make an emergency call. There are also satellite communication offerings now, with technology evolution that helps. We are getting a layer of resilience coming in—direct-to-device capability is there. In certain communities, such as the Shetland Islands, we are also seeing investment in satellite terminals that are available to the community. Again, when we talk about specific solutions available in certain communities, that is a great example where those localised opportunities need to be taken into account.

What we have seen, though, is that we can plan and prepare—we can have the solutions that we currently have—but to restore the power very swiftly is also very important. Ofcom has been working very closely with the energy sector and industry to establish how communication can improve when there is an incident. How can the telecommunications sector and energy sector engineers communicate and co-ordinate on the ground to ensure the services are restored very swiftly? That work still continues, but we are learning from what happened in Spain and Portugal, because that is a clear example that it is not if an incident such as that will happen but when. We are planning already and looking at those scenarios. But it is very important to not just work within our sector. It is a cross-sectoral challenge and there is interdependency with the energy sector.

Lord Farmer: If we had some satellite disruption—satellite warfare, for example—and all the satellites were destroyed, how does that leave us? You mentioned using various different networks.

Nihal Newman: The point is how wide, because it is a tiered level of resilience.

What is available in the fixed network? What is available in mobile? What is available in satellite? That is where the Government then step in from a national resilience perspective, rather than looking at it from a specific sectoral perspective. That is the role the Cabinet Office plays in this area.

Baroness Mobarik: To follow on from that, what proportion of the UK’s emergency communications capability is dependent on commercial telecommunications and satellite networks? What sovereign alternatives exist, should those networks fail? You mentioned the Shetland Islands but are there other examples? What kind of proportions are there?

Nihal Newman: On the facts about proportionality, I am happy to come back on that point. Sovereignty is a very interesting point and a discussion that is pretty alive at the moment. It comes down to what we mean by sovereignty. Are we talking about trusted partners and nations, or are we looking at just working within the jurisdiction of the nation? That dialogue is continuing at this moment, but we are seeing that in the UK we are building those layers of resilience for ourselves. We are building those necessary partnerships that the UK requires, which is the key thing for us.

Q108       Baroness Curran: Has Ofcom game-planned the possibility of a war situation, if we were attacked and it was a very serious attack on our communications? Do you have emergencies for that kind of extreme situation?

Nihal Newman: That takes place within government. DSIT is the policy owner for telecommunications and carries out the cross-sectoral risk scenario that you are describing. We join those conversations with DSIT and participate.

Baroness Curran: Have you done that? Has that been done?

Nihal Newman: We work with them in that space, including with the Cabinet Office and industry. We also work with the industry bodies that play a part in that. So, yes, we do engage in those conversations.

Professor Lee Miles: This partly alludes to the previous question about international comparators. I fully support what Nihal is saying, but there are two important points we need to think about in terms of evidencing.

The first is about how long the outage would be. There are very good examples in the Caribbean of hurricanes that have knocked out entire communications networks for two weeks at a time. In the case of Cuba after Irma and Maria, there was a power outage for 80% of the island for eight months. One would have to talk about the extent to which there is a resourcing question. It comes down to the prioritising and resourcing of those two elements.

The other element in that is the expectations of the public—in my case, gleaned through household research—as to how long it is acceptable to be without communications, either by mobile phone or the internet. For many people—SMEs, the business community, local communities and households—the internet is not optional; it is a way of life and an essential service. We need to be very clear about treating the length of disruption to an essential service as something that requires management of expectations, both nationally and for our service providers.

The final point is to reiterate that in the resilience world, the vast majority of our recovery and response is delivered by private sector providers. It is often the case that 80% of recovery is provided by the private sector. The arrangements between those providers are important, not just over the short-term response phase but the longer-term recovery phase, because there are costs that have to be met commercially if those services are to continue to be provided beyond MoUs. Those are some of the issues that we need to think about.

Q109       Lord Oates: This is primarily for Professor Miles. Could you share your views about the role that the education sector, at all levels, should play in promoting preparedness and resilience to a wide audience?

Professor Lee Miles: Not surprisingly, I am going to say that it is essential that the education sector plays a fundamental role. I am not just saying that because I come from that background, but because it is essential both strategically and for implementation at all levels. For example, if we look at the school level, there are lots of initiatives and work on smart schools, in which the idea is to build resilience—understanding resilience, basic resilience, response ideas and how to do things—into the curriculum. That is very common in places such as the Caribbean where there is a continual threat. As we move towards many of our threats and hazards becoming business as usual rather than extraordinary matters, it becomes part of the citizenship training element.

There is a very important point behind that. Education provides not just good citizens and our expectations of the state; it is the influencer. We are generating the resilience managers of the future, and it often has an important impact at home, in the household, where resilience influencers are in the teenage group. From a school perspective, we need to understand that 14 to 25 year-olds—if I may use that age bracket, which is beyond full school age—are the future volunteers on whom resilience will be based.

The FE level has a substantial role in widening access. What I mean by that is that FE colleges and provision do not just teach key subjects such as geography, where things such as hurricanes and earthquakes are part of the normal curriculum. Think about the access and competence courses that are provided, from boot camps to widening-access courses. There is a very strong market, particularly among the, say, 55 to 70 generation, who are interested in those resilience courses. It might also be the place where you find first-aid courses and basic issues to do with training, competencies and skills.

To use an analogy, the school element is often where you might enlighten the contexts; the FE sector is where you might empower the choices for people in terms of what they do and what they know.

At university level, it is absolutely essential, because our role is providing research about resilience and how it is evaluated in that piece. It is about building the knowledge and thinking. I am also a professor at a disaster management centre who trains emergency planners across the world. Universities have a fundamental role in training emergency planners, having resilience degrees and providing the context and the cohorts of specialist experts of the future. That is important.

The final point is about the impact on resilience agendas through that research—working, as I do, with companies including SMEs through to large multinationals, on resilience projects where the public-private partnerships are critical in providing the knowledge with commercial opportunities to deliver the competencies, skills, toolkits and markets of the future. It is important to recognise that resilience is a market, not just an education. Therefore, the societal impact role is largely on the part of universities.

The Chair: Ms Newman, do you want to add anything to that?

Nihal Newman: No, I have nothing further to add on education.

The Chair: We will move on to Lord Peach’s question.

Q110       Lord Peach: If we turn to cybersecurity, on which the Government are proud of their efforts, do you agree that they should be? How does the telecommunications industry look? You have raised a couple of times what I might call exercising at the national level. Is that frequent enough and are the scenarios tough enough?

Nihal Newman: I would break this down into the telecommunications sector and the digital infrastructure sector—the internet infrastructure—because there are two different legal frameworks that we work to, and different levels of expectations that we place on the sectors. In the telecoms sector, we are proud of the Telecommunications (Security) Act because it is a key, comprehensive framework that we have in place. It was introduced in 2021 and came about off the back of a risk assessment and a threat assessment carried out by the National Cyber Security Centre.

A comprehensive exercise was carried out across the telecoms space by the UK’s technical authority to establish what threats the UK faces in that sector, and therefore what measures and steps need to be implemented. That was then baked into a legal framework. Ofcom has a key role in that space. We monitor industry compliance and report to the Secretary of State in DSIT on how the sector is performing. One thing that is important with that framework is that it is proportionate. The code of practice is not applicable to everybody, because there are large communication providers with turnovers greater than £1 billion, and much smaller operators as well. The UK Government segmented the market and said that the code of practice would be applicable to the large and medium-sized operators, because the risks they face are much larger and therefore there are different measures that they need to take and timetables that they need to follow.

That framework is already there and we have been monitoring it. What we are observing with those operators is a level of commitment to investing in the requirements that they have to follow. It is a journey—the risk landscape evolves and changes—and we have to ensure that any framework we put in place moves with the threat landscape.

The code of practice was consulted on by the Government recently and will be published imminently as an update. We set out in a transparent way how we will monitor industry compliance and exercise our responsibilities in that area. On top of that, we have our own resilience guidance, which I mentioned earlier.

There are also high-risk vendors. The UK Government now have powers to deal with high-risk vendors—they have designated a vendor—but Ofcom does not have a very big role in that space. The enforcement sits with DSIT. We monitor how the sector is doing and provide that report to the Government, who carry out the necessary enforcement steps.

Looking at the critical national infrastructure across the UK, we have the network and information systems regulations, which are currently being strengthened on the points about where cybersecurity is, how we are preparing ourselves for the evolving risk landscape and how technology is evolving, not only thinking about the hardening of the frameworks within each sector but across the sector.

We welcome the Cyber Security and Resilience (Network and Information Systems) Bill, currently making its way through Parliament. Ofcom is responsible for the digital infrastructure sector. We are expecting data centres to come in, and they will be a key part of that value chain. When we think about communications, we think about subsea cables, satellite communications, terrestrial networks and, now, data centres, as they come in. What is important when we think about cybersecurity is that there needs to be a baseline expectation as well. That is one of the things being proposed in the cyber Bill—all the sectors will need to work to an aspect of baseline, then the sectors can come and implement something specific to their sector.

We work very closely with other regulators. In the energy sector, with Ofgem, we work with the Information Commissioner’s Office. We work with the CAA in the aviation sector. Nationally, we are working across the board, and we also work with international partners. Late last year, we convened Five Eyes, where we share our learnings and see what they are doing. I was involved earlier this year in international cyber regulation conversations at Wilton Park. Again, that is a great learning opportunity for us. We cannot operate in a silo, so we need to learn and hear what other nations are doing and what our partners are doing in other countries, while working very closely with the Government. Ultimately, it is a collective challenge that we need to work on and it is a team sport. We need to make sure we are evolving and moving with time.

Q111       Baroness Winterton of Doncaster: This is absolutely fascinating. You have mentioned the Cyber Security and Resilience (Network and Information Systems) Bill, which is, as you say, going through Parliament. It will be coming to the Lords fairly shortly, I imagine. You have just given a very good description of everything already covered by legislation. You talked about data centres. It is not quite clear to me why a data centre needs to be in legislation, but you might expand on that a little. Do either of you have reflections on that Bill? Crucially, what extras will it bring? Is the requirement for everybody to reach a certain baseline in legislation? You described guidelines before that. Is there anything more that should be in this legislation, particularly in light of the international experience you just referred to?

Professor Miles, you mentioned the training that you are already doing for the emergency planners and so on. Is there anything else that could be done to encourage skills development and engagement at senior level, given what you have already said about the extensive training that is there?

Nihal Newman: I will pick up the data centre point first. The data infrastructure sector was designated as critical national infrastructure. It is pivotal for us in the UK when we think about AI and our AI growth and ambitions in that space. So, having an aspect of security and resilience oversight is important for us.

Baroness Winterton of Doncaster: It is the oversight that is in the legislation.

Nihal Newman: It is the oversight that has been proposed in the legislation. Ofcom is named as the regulator in the legislation. I will give you three specific examples of what is different.

The first is supply chain risks. We are seeing supply chains and the compromise of our supply chains filtering through all different industries. That is one aspect coming through in the Cyber Security and Resilience (Network and Information Systems) Bill. We are not just thinking about critical suppliers within our sectors but also across the sectors. At the moment, we look at our suppliers within our sectors. The Bill looks at not only the risks within your sector and your critical suppliers, but also across the sectors. What does that mean? Where are the interdependencies?

Baroness Winterton of Doncaster: Is it regulation or monitoring that is in the Bill?

Nihal Newman: The detail will come in secondary legislation. The proposals at this moment involve looking at the risks around supply chains. The Government’s ambition is dealing with those risks. They are also looking at the specific requirements. Where the Bill reflects on existing frameworks, the National Cyber Security Centre has the cyber assessment framework, which is peppered throughout the cyber Bill. It has been in the ambition, the policy responses and the Bill proposals. Again, once those proposals start making their way through Parliament, we will see what the detail is. But we are seeing that, at this moment in time, the Government’s ambition is to strengthen cyber resilience in the UK.

Finally, learning from other countries, incident reporting is important. If we do not have the data in a timely fashion, we do not have that evidence and we do not know where our risks are. That is another proposal that the Government have put in the Bill.

Q112       Baroness Mobarik: I believe you said that your focus is on the security of the larger telecoms providers, but we have heard that there is an increasing level of threat to SMEs. Are you looking at that? How are you proposing to strengthen that?

Nihal Newman: The Telecommunications (Security) Act is applicable to all security operators. Our focus is on those operators that have a turnover greater than £50 million, because the code of practice is designed for that size of operations. But at the same time, where there are opportunities, we engage with the smaller operators, even through industry bodies, and encourage them to look at the code of practice. There is also quite a bit of information and guidance for smaller operators, which the NCSC publishes on its website. When there is an issue, concern or incident, we engage with the smaller operators as well. I spoke to the smaller operators at an industry round table last week, to see what guidance we can give them. So, it is not that we do not engage with them at all. The focus is mainly on the major operators where the code of practice is concerned but, where the opportunity arises, we also engage with the smaller ones.

Professor Lee Miles: I have two points, which might be on the next step after this, from my role as a professor, where I look at these kinds of things. The Bill is encouraging in having baseline expectations and creating sector standards, which are very important, and inter-sector standards, which is the implication of what is being talked about. The important thing to also recognise is that the codes of practice that follow need to be agile enough to take into account that the sector itself is moving at great pace, particularly around AI and other domains. For example, I was struck that most recent data shows that 60% to 70% of SMEs in the UK have experienced a cyberattack, but I looked at the IBM threat intelligence report, and there is a massive increase of something like 44% in AI-accelerated attacks or attacks that do not even involve passwords, where the AI systems or the cybersecurity is about not just defence but maintenance. The codes of practice are really important in having that agility and flexibility. From my perspective at the Bournemouth University Disaster Management Centre, we train around those codes of practice and build simulations and exercises to be able to test the adherence to plans and workarounds in this agile space. In answer to the question put forward about the strategic value for senior policymakers, there is a big piece of work not just about how we train or exercise the Bill and its implications but about educating our senior management teams in the strategic value of investment beyond the regulation. That is very important.

Q113       Baroness Winterton of Doncaster: That was on my question about what else could be done. A slight worry is developing in me: if we are waiting for all this secondary legislation, and if training will not start until the secondary legislation is there, I am a bit anxious as to whether that becomes a delay. Is there any danger in that? You have described what you feel could be done almost now, but then you say it has to be geared to the codes of practice. That is a little worry that you might like to comment on.

Nihal Newman: The framework that is proposed, and is peppered into the CSRB, is the cyber assessment framework. We already apply that framework, so we are already setting those expectations in the way we are engaging with our sector, and other sectors are adopting the framework, because NCSC developed it a couple of years ago. We want to make sure that these frameworks are put on a legal footing, but that does not mean we have not been using them. That is the key difference. It has already started to be applied. The other thing I want to pick up on is technology evolution, specifically AI, and ensuring that we keep an eye on our regime. This is where Ofcom is on the front foot. We recently published our approach to AI, and in there is a piece of work that we are doing around looking at our existing regimes to ensure that we are not creating inadvertent barriers around the adoption of AI as defensive tools. We are doing that piece of work this year. Again, we are always proactive and ensuring we are on the front foot to say, “Okay, that technology is coming. What can we do to ensure that we are not creating inadvertent barriers?”.

Professor Lee Miles: It is not a case of it having not started; it is already going all the time, because cybersecurity threats are a constant aspect in relation to that. Of course, as the legislation moves forward, this creates new environments and new expectations, so it is about raising that game. But I also think that, from this perspective, it is about the linkage between what you might call resilience management (training managers in the industry of the value of cybersecurity and the investment) with the operational aspects of defending and operationalising it.

Baroness Winterton of Doncaster: Do you think you can get the two tracks running together?

Professor Lee Miles: They have to run together. At Bournemouth University, if I may use my own example, we have the Disaster Management Centre and the Cyber Competence Centre, and we run operational and strategic courses where we build scenarios that go up and down the management chain to understand that investment and value opportunity.

Q114       The Chair: Thank you. Before I turn to Baroness Helic to ask a final question, I think there is time for me to squeeze in one of my own, which I have been wanting to ask. May I ask you both whether you think that this plan to switch off digital terrestrial television in a few years’ time is sensible or completely undesirable, given the concern expressed that it would reduce universal access to information and have a particularly disproportionate adverse impact on certain vulnerable communities or groups of people, such as older people who do not necessarily know what to do with broadband and/or do not have very good internet connections? Is this a sensible thing? Are we past the point of no return on the proposal? Is it reversible, and should it be? I would like very quick answers, please.

Professor Lee Miles: From my perspective as a professor of crisis and disaster management, I am always interested in two aspects. One is the communication of resilience and, therefore, as we talked about, a bespoke approach of using different landscapes and different formats to hit different audiences. There is, no doubt, a challenge if you remove that terrestrial facility, which is used by a large demographic of society; we would need to have very clear assurances as to what it would be replaced with as an effective strategy for resilience. However, I go back to this as my second point: if you want resilience to work, it has to be resilience every day. There are many communication channels, which affect rural communities and local communities, where you have dead spots and issues to do with digital delivery. We would have to considerably raise our expectations around a 24/7 delivery or a delivery of core services that is robust enough to provide redundancy if that system is taken out.

Nihal Newman: To add to the professor’s points, I would say that there are two things. Technology is evolving, and that is the key thing: we need to look at how it is, what the opportunities are and how we can harness those. The second, I agree, is around ensuring the resilience of whatever we roll out, looking at what the different areas and communities require and targeting any additional enhanced resilience requirements for those as well.

Q115       Baroness Helic: With the wealth of all your experience, if there were one recommendation that you could make to the Government on resilience and preparedness, what would that be?

Nihal Newman: From my perspective, with the evolving threat landscape, the complexity of the risks we are facing and the sense of urgency, as I mentioned earlier, resilience is a team sport. We cannot work within our silos. We need to continue to work across the sector, and with communities, industry and academia. My recommendation would be that we need to be clear what we mean by the whole-society approach and we need to bring everybody around the table to work together.

Professor Lee Miles: My recommendation would be that, if we want a whole-of-society approach to work and be effective, we have to deal with the question of building trust, which is central to this. What I mean by that is, effectively, that we have a society that has issues of trust in messaging and communication from our institutions. We need to invest and understand what we mean by everyday resilience that makes sense to the households and the publics of our country and, on the basis of that, most importantly, can build trust. Without trust, there is no point in looking at states such as Sweden or others. We need to understand how a whole-of-society approach can work in a society that may not necessarily be whole.

The Chair: That is a great and important point to end on, and a great challenge to us in coming up with our recommendations to government. Thank you both very much indeed for your time this morning. It has been really enlightening and extremely helpful.