final logo red (RGB)

 

National Resilience Committee 

Uncorrected oral evidence

Thursday 9 July 2026

11.20 am

 

Watch the meeting 

Members present: Baroness Coussins (The Chair); Lord Farmer; Baroness Helic; Baroness Hunter of Auchenreoch; Lord Marland; Baroness Northover; Lord Oates; Baroness Paul of Shepherd’s Bush; Lord Peach; Lord Spellar; Baroness Winterton of Doncaster.

Evidence Session No. 19              Heard in Public              Questions 168 - 178

 

Witnesses

Baroness Neville-Jones, former Minister of State for Security and Counter-Terrorism; Paddy McGuinness CMG OBE, former Deputy National Security Adviser for Intelligence, Security and Resilience; Ed de Minckwitz, former Chief of Staff to the Deputy Prime Minister.

USE OF THE TRANSCRIPT

  1. This is an uncorrected transcript of evidence taken in public and webcast on www.parliamentlive.tv.
  2. Any public use of, or reference to, the contents should make clear that neither Members nor witnesses have had the opportunity to correct the record. If in doubt as to the propriety of using the transcript, please contact the Clerk of the Committee.
  3. Members and witnesses are asked to send corrections to the Clerk of the Committee within 14 days of receipt.

 


25

 

Examination of witnesses

Baroness Neville-Jones, Paddy McGuinness and Ed de Minckwitz.

Q168       The Chair: Good morning and thank you very much for sparing the time to come and help us with this important inquiry. I should remind you, although I am sure you are already aware, that this is a public session being broadcast live. In a couple of days you will receive a transcript of the session. If there are any inaccuracies that you spot there, that is the time to let us know about it. Equally, if you think of anything you wish you had said that is not in the transcript, we would welcome any supplementary evidence in writing if you would like to contact us then.

We have a lot of questions to ask each of you and it would be very helpful if, before the first answer that you give, you introduce yourself very briefly so that we have that on the public record as well.

I am going to kick off with the first question. We hear an awful lot about the need for a whole-of-society approach or total defence these days. In that context of needing a holistic response to what are now acknowledged as interconnected national and international risks, do you think the model of having a response mechanism based on the lead government department is still the right mechanism or strategy?

Baroness Neville-Jones: Good morning, everybody. I am a former Security Minister, which may be relevant, though resilience was not part of my portfolio at the time. I am really the author of the National Security Council. One reason that I dreamed up, in effect, that structure was because of the shortcomings of the lead department in decision-making.

To go to your question, a lot depends on what you actually mean by a whole-of-nation or whole-of-society approach. It is not clear to me that we in the UK have a definition of that that we agree on. Some of us take it to mean critical CNI properly protected and sinews of government functioning, but do not take it as far as involvement of the population in an active way or the imposition of new burdens on the population, such as some kind of national service, which could also be voluntary. We have a definitional problem to begin with. What do we, as a country, think we are talking about? I hope the committee will decide to give a definition to that of their own.

My own view is that we need to go further than simply the CNI and various other obvious weaknesses in the system and vulnerabilities that we need to deal with. We need to consider the role of the general public. Hitherto we have had the local resilience forums, which is the furthest extent that we, at the moment, have by way of definition of what the general public, or society more broadly, might contribute. I do not think that people have been idle, but most of our work is very much on the functioning of government, which has a long history. If you look at the way in which we dealt with the war, we certainly had measures to look after the population. I was involved in dismantling a lot of the wartime measures from the day of being able to liberate us from it, with German unification. I discovered that most of the measures were to do with the functioning of government, the protection of the head of state, the protection of Ministers and how the system and the wheels of government and its immediate surroundings would be able to work in a time of prolonged crisis. There was not a lot about the general public. We had an evacuation early on but society, other than rationing, continued as normally as it could. You want that in a society.

We have never gone down the road of the Finland experiment. It is not an experiment. It is permanent policy and it is very extensive. I understand that the committee is going to see that. It is a very different model. My own conclusion was that we would not go as far as that, but there is a lot that we can learn. We are getting into an international situation in which we will have to ask the general population to be actively involved. I am in favour of some kind of national service. It should be voluntary and involve both sexes.

Paddy McGuinness: The answer is yes. I will give you three reasons why.

The Chair: Is that yes to the lead government department?

Paddy McGuinness: You wanted to be brief, so yes. There are three reasons. The first one, and the most straightforward on sitting in Parliament, is that it is departments of state that have statutory powers and oversee arm’s-length bodies. Unless you are going to wholesale pick up those statutory powers and stick them in the hands of someone else, you have to work through government departments.

Secondly, there is a great risk, in dealing with crisis resilience questions and questions about national security, that we concentrate everything in one place. In order to respond to the range of events we need to deal with, we need a distributed response across different sectors of government, sectors of industry, parts of society and geographies. By saying, “No, we will not have lead government departments”—which is distributed—“We will rather bring it into a single place”, you run the risk of having a country that is able to do one thing at once. As we would observe, at any one time if you are Prime Minister you are dealing with multiple things. You should be able to chew gum and walk at the same time and not get fired up about whether you can use Defra’s powers to do something at the edge of the system, which is in response to a resilience event. It is about having an articulated system that can do multiple things.

The third one is something government departments find it very difficult to deal with, and I am happy to unpack which departments find it most difficult. At the moment, we have a system where, in extremis, we transfer tasks to the military from the civilian authority. The Home Secretary does so in extremis. On occasion, military support will be asked for for a civilian event. Think pumps pumping water off the Somerset Levels or something.

Lord Oates: Or the Olympic Games.

Paddy McGuinness: Foot and mouth—we could go on. Critically, the system finds it difficult to understand that, in real warfare or extreme hybrid warfare fighting, the civilian authorities will have to support the military. We are going to have to reverse MACA. That is what happened in the Second World War. Everything was subjugated in the United Kingdom to enabling war fighting. If we are going to fight a war, we are going to need to do that. That is going to need a distributed and articulated response, not a centralised one, so lead government departments are going to matter.

Ed de Minckwitz: Good morning. Thank you for inviting me to give evidence. I was chief of staff in the Cabinet Office, where I helped to write and implement the national resilience framework, the biosecurity strategy and parts of the cyber security strategy. I am currently director of policy at ServiceNow, where I should declare that we provide risk governance systems to government and the wider public sector, as well as AI governance systems. I am a senior fellow at Policy Exchange, working on the risks of AI to government and society.

The answer to your question is that I agree. Yes, it can be made to work, and it has to be made to work. I do not think that we are in a situation, either fiscally or in terms of state capacity, where we can either stand up a US-style FEMA system or undergo major shifts. The 2022 resilience framework was a sensible articulation of how, with proper governance co-ordination and oversight above the lead government department model, and the whole-of-society approach below it, it can be coherent.

There are a few caveats I would add. First, we cannot leave departments to mark their own homework. The Cabinet Office needs to have a role in co-ordinating and testing departments’ assumptions and lending its expertise, and doing that regularly and not just ad hoc. We need more exercising to do that as well.

The second thing that I would add is that the lead government department model is not the only government department model. There is sometimes an abrogation that, where a risk is owned by a lead government department, other departments therefore do not need to worry about the cascading impacts of that risk. There needs to be a proper understanding of those cascading impacts and the responsibilities that a subsequent department would have in those events.

Finally, and relatedly, I do think that, when catastrophic risks emerge, such as the pandemic, we should accept and prepare for the Cabinet Office, similar to what Paddy was saying, taking a role in leading the co-ordinated UK response, so that we do not have a situation, as we did, where a department suddenly feels that it is having to run a national response to a catastrophic crisis.

Q169       Baroness Northover: This is probably directed mostly to Baroness Neville-Jones, but all three of you may have comments. We are discussing here the need for co-ordination and driving this forward across government, as well as others. That has come across to us extremely strongly.

Baroness Neville-Jones, as you say, you played the key part in establishing, in 2010, the National Security Council, chaired by the Prime Minister and, as I understand it, drawing on lessons from the invasion of Iraq, where actions seem to have been taken without working out what would happen after the invasion or what the effect on the United Kingdom or its position in the world might be. All of these were interlinked risks that needed to be addressed.

Looking at this, what would you recommend should be the structure in terms of national resilience? We have heard proposals for a Minister. We have heard proposals for a Cabinet Minister, and also doubts that that would make a difference and that, therefore, it should be the Prime Minister or the Chancellor. They have many other responsibilities. How would you see this extremely important area being taken forward so that we have that co-ordination and drive that all three of you have just mentioned?

Baroness Neville-Jones: When I was in the Cabinet Office in the days before the National Security Council, what I discovered was that you would get agreement in the Cabinet Office between various departments involved in some subject where they all have an interest, but come the day when a national decision was taken, the Cabinet Minister of the lead department would decide that he was not going to do that at all and was going to do something quite different, which usually turned out to be something that omitted to take account of the interests of the other departments. This was a fairly frequent event, which meant that, very often, the Prime Minister was put in an embarrassing position of being briefed on one line of the country and discovering that the terrain looked quite different. I thought that that was an unsatisfactory way of running government.

Secondly, as mentioned by Baroness Northover, it also combines with the problem of the lead department not taking account of the interests of other parts of government or, indeed, of covering the subject as a whole. One of the classic examples is MI5, the security service, making the point to the Prime Minister about the likely increase in terrorism in the country, about which nothing happened, partly because there was not an easy machinery of government to deal with it. After that, we now have quite extensive machinery of government, which sprang out of that experience.

My conclusion is that I do not have an alternative, better solution than the lead government department, partly because of the constraints of the British constitution, whereby the money lies with the accountable Secretary of State, so it is difficult to shift that. What you can do, however, is involve other departments in a surer way in early decision-making, which is where the security council came into being, so that a given subject will be discussed not just with the lead department but with all other departments with an interest, so that you get early participation in the headline decisions, out of which you can then formulate the right bureaucratic response. Very often, but not always, it is found in the Cabinet Office, but you have a better chance of a Cabinet committee taking the topic more in the round than would otherwise have been the case.

Does it work perfectly? No. Is it an improvement? I think yes. One of my solutions to this problem is early involvement of other departments that have an interest. That applies also, in many cases, for resilience, to the private sector. You have to bring the private sector in. Resilience is a partnership issue. The private sector needs to be in there early.

The Chair: We will be coming back to the private sector in a bit more detail in a while. Mr Guinness and Mr de Minckwitz, do you have anything to add to that?

Paddy McGuinness: Forgive me; I should have introduced myself at the beginning. Some of you know me. I am a former civil servant and was deputy national security adviser between 2014 and 2018. I am now an adviser at Brunswick Group, where I work extensively with businesses that are in crisis. Some of that will become apparent. I am also an adviser to Pool Reinsurance, so you will hear a bit of insurance running through what I have to say.

There is an accountability issue. The Prime Minister holds Secretaries of State to account. The Prime Minister is enormously powerful in having the ability to influence their futures, and their budgets, in partnership with the Chancellor. There is no other way of getting Secretaries of State to behave in an appropriate way, as Baroness Neville-Jones has described. Therefore, you have to be speaking with the voice of the Prime Minister.

I had three powers when I was deputy national security adviser: I could call a meeting that people had to come to; I could speak to the Treasury and mess with their money; and I could get the Prime Minister to carpet the Secretary of State. That was it; there was no other power. That is how you make it work.

Ed de Minckwitz: I would just add that there should be a named Minister for resilience, and that Minister must have bandwidth to be reasonably able to be accountable for resilience. As Baroness Neville-Jones says, having worked in the Cabinet Office, whatever you think of the committee structures and their inefficiencies, they do have a driving force. They create a secretariat. They create accountability. It leverages the Cabinet Office’s convening power to raise issues to the top table, and that forcing mechanism is additive.

Resilience can so often be the poor relation to immediate crisis response, and so, if there was a resilience Minister, perhaps an NSCR, and perhaps Ministers in each department with resilience under their portfolio, who were convened twice a year, those structures would drive a conversation and a work programme in Cabinet Office that would elevate the case of resilience. Of course, having the Treasury around those tables, they would have to turn up, and that alone would be a worthwhile exercise.

Baroness Neville-Jones: I agree with that.

Paddy McGuinness: I do not, and, if I may, I will say why. There is a Minister for resilience, and it has been the Chancellor of the Duchy of Lancaster. That can have enormous effect within the system. It is all about how much authority that individual is given and how much they prioritise it. No disrespect at all to junior Ministers, but they cannot make government shift unless they have senior backing behind them. You can see that in the Security Minister role, which is sometimes extremely strong and sometimes not. The same would be true of the resilience adviser.

On the question of a further government committee, it is difficult to make even the National Security Council’s structure work. People meet. If you add, hanging off it, multiple other structures, they become redundant. That becomes apparent and has been reported to previous parliamentary committees, so there is a thing about ergonomy in terms of how you make something sufficiently tight that it will function, and that people turn up and take account of it, rather than having things that look fantastic on an organogram but no one engages through them to do the business.

Baroness Neville-Jones: I am not sure that there is a difference between those two descriptions. It is certainly the case that, if you want to have a driving force, you have to have a senior Minister. One of the best senior Ministers who I came across was Oliver Letwin, who really made things function. He was, I think, Chancellor of the Duchy of Lancaster at the time, and I agree that it needs to be a senior Minister, but that is precisely how you get the departments corralled under that authority to operate together. It is very much a question of who you put in the jobs rather than the design.

Paddy McGuinness: I would agree with you.

Baroness Neville-Jones: Who you put in the jobs is very important.

Q170       Lord Spellar: All of that leads on to my question. How you get Ministers to make decisions is probably something that we should be addressing in our report. That leads exactly to the question that Paddy McGuiness raised about MACA—military aid to the civil authorities. In my experience as a Minister at the Ministry of Defence, what MoD brought was not primarily manpower or machinery. It was mindset. It was the ability to sum up a situation on the information available, as quickly as possible, to make a decision and move rapidly towards implementation, and to be prepared to change if that did not work or if circumstances changed.

Therefore, even with an extreme situation, that is still going to be the situation, and you will need that mindset of decision-making and operational, because of the consequences of not making decisions. The consequences of not making a decision in the civil world are much less or not so immediately apparent, whereas, in the military, they have to make those decisions, and their training directs towards that. We cannot take that military mindset out of that if we are going to do this effectively.

Paddy McGuinness: I am strongly supportive of that. One is very conscious, when one is chairing an officials’ COBRA during a crisis, of which bits of government work with the kind of agility and alacrity that you need, and which do not. The answer is that you go to the military; you go to the intelligence agencies; you go to the police and fire services. There are some departments of state that have pockets of high-performing, fast-moving people, but not many, so it is a bit unnerving, and so you do turn to the military.

There is, however, in this question of resilience, a really significant British disease and risk, which is that we have excellent Special Forces. We have an excellent RAF. We have an excellent Navy. We have excellent intelligence services. We have excellent emergency response. However, we do not have much of them, and we tend to make use of them on every occasion, rather than distributing capability to do good enough provision widely. Some of that has changed. You see it in the distribution of armed policing in terms of moving away from the requirement for special forces to always respond to a terrorist incident when a high level of firepower is present.

That is an example of where we have distributed it, but, on the whole, we do not. That creates enormous risk at a time of hybrid warfare and when there is a greater range of hazard events happening to us, because we end up using, or trying to use, the same capability more times than it can bear, and it is not available for its core task.

Going back to that whole-of-society approach, there has to be a hardening of the minds and responsiveness more broadly in society. Otherwise, despite the excellence of our elite forces and capabilities, they will fail.

The Chair: Do we have agreement or dissent this time on the rest of the panel?

Ed de Minckwitz: I would just say something on metrics. If the question is how to make Ministers make decisions, it has to be easier for them to make a decision than not to. The inherent problem with resilience is that you can note risk, and it is difficult to prove the negative as to whether you have done something about it. The resilience framework talked a lot about metrics for business. We introduced GovAssure for the cyber side of resilience. Ministers can then be held to account for where things were versus where they are, and that forces the decision-making process. I would just bring that in.

Baroness Neville-Jones: There are different kinds of decisions, and it is absolutely the case that, when you have a crisis, you very often turn to the military. They are the most efficient. They burn cows in piles much faster than the police, which is what happened in that particular crisis.

There are other decisions. For instance, in a crisis of resilience, what may be at stake is the amount of power that the UK can produce. That involves NESO; it involves the grid; it involves private sector companies. That is not Ministry of Defence terrain.

It depends on what you are talking about. In both of those cases, you have to have people who are effectively informed as well as being in charge of their particular area. Part of the problem with government, particularly when you have external bodies and the private sector involved, is government not releasing information to outside parties. It hugs it to itself, which is a serious failing of British government generally. All I would say is that what Paddy says is undoubtedly right in certain circumstances, but it does not cover all of them.

The Chair: The release of information is a perfect link to Lord Oates’ next question.

Q171       Lord Oates: Good morning, and thank you for your evidence so far. It is absolutely compelling and I could listen to it all day, but, unfortunately, we do not have all day.

We have had evidence, particularly from the energy sector, that limited visibility on classified threat information compromises their ability to make long-term investment decisions and plan for resilience. I wonder if you could say a little bit about how you think structures can be made to work—or set up, if necessary—to ensure that that data is shared for long-term resilience, but that also, in a national emergency situation, data is shared at speed without undue restrictions of classified information, while protecting national security.

Paddy McGuinness: Classified information covers a wide range of things. There will be some material where the sources and methods that have generated production, and the reliance of other bits of our warfighting or geopolitical capability as a nation, mean that we have to protect it. It is going to be difficult to distribute, and we have to leave in the hands of those who generate it the responsibility for making decisions about distribution. That is quite a small portion of the data that should be available, in my view. We are capable—we see it in a variety of, for instance, counterterrorism but also countering hostile state activity—of moving from very high classification into broad distribution of low-classification material, so that it can be made use of by the authorities or external partners.

I am not familiar with the specifics of the problem that the energy sector said that it had. It is hard to believe that it is not possible to have an interface, given the problem that they have raised with you, perhaps through the National Protective Security Authority or another body that was consciously trying to make as much as possible available.

In a number of areas to do with resilience—cyber stands out—there is a belief that there is some thing that you could know about threat information that would enable you not to be at risk, but that is very rarely true. Threat information of a high-classification kind might allow you to tune what you do, but it does not resolve the issue for you. I am afraid that, on occasion, it is faulty thinking as opposed to making proper preparations for a range of things that may happen to you. Rather than saying, “If you tell us what we have to prepare for, we will prepare for it”, your job is to deliver a service. There are a variety of things that may interfere with them. Some of them are threats. Some of them are hazards. Live with it. I am slightly sceptical, but, if there is a specific issue, it could be worked through via the existing mechanisms if they were told to.

Lord Oates: Baroness Neville-Jones, in asking that, we have heard that 80% of critical national infrastructure is owned privately. What constraints would the Government find in sharing that information?

Baroness Neville-Jones: To turn to your first question, there are sometimes real constraints, and one cannot entirely get round that. The assessments machinery inside the Cabinet Office takes intel, analyses and assesses it and comes out with something that is capable of wider distribution. It seems to me that you do not have to be in possession of the raw intelligence in order to be in a position where you have a very good clue as to the issue that you have to solve. It is a skilled activity, but it works. I am not impressed by the notion that somehow you are in possession of such delicate information that you are paralysed from taking the necessary decisions. I think that the machine can cope with that.

Your second question was on the private sector, and that is one of the real issues about resilience. A very serious proportion of the means of making the country resilient are, indeed, in corporate business. As a general proposition, the Government need to be closer to corporate business than they are. They need to do a lot more partnership. Cyber security started out as a partnership. The latest measures reduce the level of partnership, which I think is a mistake. You have to have partnership.

What does partnership mean? It means that the two sides have to talk to each other—and I mean talk. In the past, I have been in Ministry of Defence meetings where the Ministry of Defence did the talking and the companies listened. That is not a partnership, and I do not think that it is the nature of the relationship these days, because we have moved from, “I am going to tell you what equipment I need, and you will tell me whether you can do it and at what price”, to, “I have a problem. How can we solve it?” That is now very much more how government should approach things, and they are more likely to anyway because they do not have the solutions within their means.

I am hopeful about partnership, but I do think that it is essential and that it needs to start early. That is why I come back to what I was saying about needing top-level involvement. Power is very important, because it is going to come up and be under stress, and so you need to have a regular dialogue between the companies and the Government on how things are going and where the next problems might arise. You can think of other sectors where that needs to be the case. I think that that is, in a sense, a classic Cabinet Office committee function, and it could be made to work very well. If the corporates are involved at an early stage, they are then much better equipped to respond to the measures that are then going to be taken down the line about what we do.

Ed de Minckwitz: I will make three quick points. First, the resilience framework committed the Government to coming forward with an action plan on data sharing in times of crisis, which I am not sure they have. If they do, forgive me, but that is a piece of work that would be worthwhile and that the National Situation Centre should be engaged with.

Secondly, as Baroness Neville-Jones says, our culture around data sharing in general needs to change. I totally agree. I think that it is the intention of the cyber security and resilience Bill that, if we lift the tide on the resilience of CNI across the piece, the public sector and Government would have more confidence in sharing that data.

I would recommend that the committee look at international best practice here. South Korea has a red-lighting approach to data sharing as opposed to our current green-lighting, so there is an assumption that you would share data. Singapore has a system whereby, as long as you have a reasonable rationale, with seven criteria, you can see the data, so it is a much more seamless flow, and I think that the UK needs to follow that model. Otherwise, as we saw in Covid, you have the ridiculousness of the DWP wanting to give payments to vulnerable people, but the DH not being allowed to tell them who the vulnerable people were.

Q172       Lord Farmer: Building on what you have been saying, we have had evidence to say that there really should be a middle layer between the strategic level and the operational level, so that you have the intelligence services on top, with COBRA, and then you have the police and emergency services, and the private sector underneath. You have touched on this. Should there be a middle layer? I was just thinking today that, for instance, drones are a big area. I am involved in prisons, which have drones above them the whole time, and nets to catch them. Would it be wise to have a middle layer that would just advise local services that the hostile activity that could be seen would be sudden drone warfare and, therefore, “Be prepared. It probably will not happen, but just be prepared”?

Ed de Minckwitz: The test of any layer, especially an additional one, should be whether it is making the response more co-ordinated and faster. If you were to map out the layers that we already have in terms of local government, which, we assume, is about to be handed more powers, local resilience fora, government departments and local and up to national emergency services, you have an architecture that is already multilayered. The focus needs to be on the connective tissues between those layers, and those sinews need to be exercised, stress-tested and improved.

There is absolutely a place for expert evidence at parts of those layers, and the Cabinet Office has a role in bringing those experts to bear. I would suggest that local resilience fora, if they were working well, would also do that. I am not convinced that an extra layer beyond those that I have already set out would be additive, but I would be interested to see what it would look like in exercise.

The Chair: Mr McGuinness, you looked a bit cynical about the idea of a middle layer as well.

Paddy McGuinness: I had three quick thoughts. I worked for many years in the Middle East, in the foreign service. There was a category of state in the Middle East—I will not say which—when I was serving there, which were referred to as dawlat al-mukhabarat, which are intelligence states, where the intelligence service is at the core of and are the titanium endoskeleton of those states. We can think of which they are. You could argue that Russia is one, with the Chekists at the core of it.

I am really unnerved at the idea that we have a structure, at the top of which are the intelligence services, given that we have to deal with a whole variety of things that may happen to us, which our enemies are seeking to exploit. We are dealing with natural hazard, and one of the characteristics of Russian hybrid warfare technique is that you exploit things that are happening, rather than causing things to happen. The tools that we have for responding to everything are part of our hybrid warfare response.

The intelligence services provide us with a tiny bit of information and framing that can be helpful for strategic decision-making. One of the answers to your question is that it seems to me that, in the private sector—and, in particular, in almost every organisation now that is data-enabled—it is your ability to bring together and analyse, increasingly using artificial intelligence or Agenticly, although that is a bit cutting-edge, all of that data to form a view on what is happening to you, of which the really sensitive parts may be very small.

One of the risks of our conversation here is that we are backward-looking, with a way of doing business that is behind us in the private sector, including, incidentally, in the energy sector. When I worked with major American energy providers, their knowledge of what was happening within their networks, or how everything was running, far outstripped what we seemed to be able to bring together, so there is an issue there.

On the middle layer, I would note two things. First, no one has said the word “devolved”. When I used to convene a National Security Council resilience committee, I had with me representatives of the devolved Administrations, as well as all of the government departments and relevant arm’s-length bodies, which was quite a large meeting, as you can imagine, that would do something around resilience. We have to think of the devolved Administrations.

As a final thought for you, it seems to me that both the National Cyber Security Centre, which has some structural issues, and the National Protective Security Authority are significantly under-tasked and held to account—in other words, “What are they meant to do for us? What do we expect of them?”—and underresourced as a result. In terms of giving them the resource and holding them to account, it does feel to me that a body like the National Protective Security Authority, possibly not in MI5 but somewhere else, should have a more significant role in closing that gap between local resilience fora and what happens at the top in terms of preparedness.

Baroness Neville-Jones: What has been said makes a great deal of sense. You gave us notice of that question, and I had difficulty dealing with it. I did not really know what it was aimed at. What has been said rather demonstrates that we should structure it differently. In the end, we want two things. First, we want a lot of trust between those who are involved. We have to learn to give trust to each other. Secondly, we want something that operates fast, so having something multi-layered reduces your speed.

Q173       Lord Peach: Thank you very much for coming, and for this conversation. My question involves the supply chains, at every level. First, do you think, based on your experience, that the private sector is sufficiently concerned about the key risks that Paddy has so eloquently laid out? We did a little war game, and there was a strong belief that the supply chains would be robust and would work, almost regardless. You had to make the scenario incredibly favourable to Russia before people started to accept the threats and risks.

We know that it is a national conversation, and there is some government action towards solving that issue, but do you think that, generally, from your experience, there is enough understanding in supply chains on two issues? One is the general health of the supply chain. While they own great chunks of infrastructure and manage a great element of our national resilience, there might be vulnerabilities in their supply chain that they are keeping quiet about. As a committee, we think that that is now probably highly likely. Therefore, do the Government give enough guidance to these private sector entities on how they should and can behave with their own supply chains, some of which are very exposed to people who may wish us harm?

Baroness Neville-Jones: There seem to be two questions there. First, do the Government give enough guidance on the risks? Does corporate business take notice of it, take it seriously and act? On the first, it is patchy. In some areas, we do quite well. The NCSC is an excellent organisation and a very good development from GCHQ. Is it active enough? Could it do more? I believe so. How would it do it? One of the criticisms that I have of our discussion of the cyber security Bill that is coming forward is that it virtually ignores the private sector. It brings it in insofar as corporate suppliers of service providers will now be regulated, but the fortunes and the security of the private sector in companies such as JLR, which has had a nasty experience, are ignored.

The Government are now introducing something called a pledge. I do not think that this is the game. We want industry to be much more organised, in the way that banking is. That is to say you have a very close relationship between the regulator, or the Bank, and the banks themselves. It is a relationship of confidence. That does not mean to say that they do not get a nasty rap over the knuckles from the Bank of England from time to time. Nevertheless, this is a co-operative relationship.

In banking, you can imagine that it is pretty close. I do not suppose that all industries need to operate like that, but banking is one that has competition, so they have managed to make it work. It should be looked at as a means of infiltrating into the corporate sphere more earlier advice from the NCSC than is the case at the moment. I would like to see a real change there, which does involve creating structures. Those structures, it seems to me, can and should be funded by the private sector, but the counterpart is that the Government then take them seriously and feed them really good info that they get.

The corporates themselves get information, and the whole system is stronger when the corporates are also feeding in, so it is both necessary and possible to create a situation in which both parties perform better. That is to say that the Government give more information and the corporates take the thing seriously. It is a habit of working and a habit of mind that you need to develop.

My experience of companies is that they are patriotic. Apart from anything else, they stand to lose if they are not well informed. They know that they are vulnerable. I do not think that there is much unwillingness to come forward in order to be more secure. It is very often a practical problem. Companies should be made responsible for the security of their supply chains. That is where it lies. The big ones do have to take care of the smaller ones. The smaller ones need better access. This comes back to the distribution of information. It is possible to make this system cohere while maintaining the separate roles of the parties, and to attain a much higher level of confidence in our level of security.

Ed de Minckwitz: This was a question that we asked in government about resilience of supply chains. We felt that there was not enough bandwidth or resource being devoted to understanding the supply chains as they relate to the critical risks on the risk register, and that is work that should be done and expedited. I am aware that you have heard from the National Preparedness Commission, which does some of that work, and there is a role for experts to be brought in.

The proof point is that, when we did need a supply chain in terms of ventilators during Covid, the question that went out to business was, “What is the supply chain? What can you do?” That was a success and there was, as Baroness Neville-Jones says, a patriotic response, but we perhaps need to be a little bit more strategic for the next crisis and the critical risks.

There is more guidance and the developments are welcome, but it is very much self-service. It goes to the cultural point that we might come on to discuss in terms of feeling a shared purpose, in that business, private citizens and the Government have a shared responsibility for our resilience.

I noted Rishi Sunak’s comments about the Covid bailouts at the weekend. Without commenting on that, it speaks to the culture that businesses can abrogate responsibility, to some extent, to government, but cyberattacks alone cost the economy, if you believe KPMG, £14.7 billion a year. Together, we have to work out a way of getting to a culture where we prioritise resilience more because it needs to be that shared endeavour. Government could push a lot of their offer, such as the UK Resilience Academy, which offers world-leading training. People come from all over the world to be trained there, but how many of our businesses are aware of that offer and are putting their people through it?

Q174       The Chair: Are there any particular measures that you think the Government should be taking to support SMEs in particular, whose sustainability might be more precarious than the big multinational companies and that find it harder to afford some obvious resilience measures such cyber insurance? How can or should the Government be focused on helping SMEs?

Paddy McGuinness: That is a wonderful question, because they are a significant source of vulnerability. As we hear, not least from their representatives, it is a particularly difficult time for them to find the space, investment or time to do these additional things. The role of insurance is potentially very significant.

For SMEs, thinking about my role with Pool Re, there is very poor take-up of terrorism insurance or cyber insurance. It is between 5% and 7%. If you have a big drive, you might get another per cent. It does feel as if, when you get below a certain size, there should be a standard insurance packet that you receive as an SME, which, incidentally, other companies will have an interest in. In other words, they will have an interest in SMEs functioning, and the Government have an interest in it too.

That would also drive preparedness. If one thinks of preparedness, response and recovery, the one that we tend to neglect is recovery. We do a certain amount around preparedness, and place requirements on businesses to do stuff. We do a lot of work on response, and so do businesses, because they think, “We will respond to this crisis”. Recovery is the thing that really kills you, and it particularly kills you in an SME, when small amounts of money can make a really significant difference. Having insurance set up to support instinctively, with a degree of automaticity, SMEs that have certain categories of risk eventuate would make a material change.

On the question of supply chains, any serious business is getting a deeper and deeper knowledge of their supply chain. Some of that is technologyenabled, because it is easier to map them now. Interestingly, it is easier for outsiders to map them as well. By that, I mean regulators and others. One sees this in, for instance, something such as CFIUS in the United States, or the Investment Security Unit here, which can look down a supply chain and say when they hit something that it does not like.

On the whole, our high-performing providers, such as the food retailers—the supermarkets—do not want the Government coming and advising them how to optimise their supply chain, because not only do they feel that they can do it, but they also say, “We did it for Covid, so we know that we can do this”. Stuart Machin from M&S would probably say, “Even when I had a major cyberattack, there was still food in my stores, I still turned over, and I was still reasonably well performing on the stock exchange”.

There is a thing about thinking about which sectors need to change their game and where the significant vulnerabilities are, and it is possible for the Government to map those out and have a dialogue in those areas, rather than doing something that smears across otherwise profitable and effective businesses that we should leave to get on, because they have a motivation to get their supply chain right.

The Chair: Can I just check, before Lord Oates comes in with a quick supplementary, that you do not all have to leave on the dot of 12.30? We have three more questions to get through, which we would like to ask you.

Baroness Neville-Jones: Can I say something about SMEs just before we leave?

The Chair: Yes, but can you just tell me if you can stay after the dot of 12.30?

Baroness Neville-Jones: Yes, I can. There are organisations called CRCs. I am afraid that I have forgotten what those letters stand for, but they are regional organisations for business. They are led at the moment by the police. There is also something called a ROCU, which is avowedly about cybercrime. I do not think that they are very high-powered, but they are a basis on which to build regional dissemination of information to SMEs that do not have time to come to London every other day.

I would like to see a greater spread of guidance and help out to where the SMEs really are. I am pretty clear that, if you convene a meeting for info, people will come. That is one of the things that we should try to do. I have forgotten what the other point was that I was going to make, but do not worry. Regional help is quite important, and perhaps Manchesterism can be the solution here.

Paddy McGuinness: Now that we have said that we are going to stay after 12.30, I can say one more thing, which is that one of the features of what banking regulation does with the larger end of the financial industry, because it has a long tail and you can get into many more funds and insurance firms and other things that are not as secure as the big banks, for instance, is that it has picked up and is using methodology from the aviation industry.

CBEST is a testing of the resilience of banks in the round to breaking point. What they end up with is a definition of when McGuinness Bank fails. They do not walk away. They go all the way until the point at which they say, “Then you fail”. That is not a common feature, and there is also not really any blaming.

I want to offer the committee a word that is a feature of resilience work, and especially cyber, and that is “blame-storming”. Something happens and you all gather around and think, “Who is to blame for this? Who got this wrong?”, rather than resolving the issue. I would suggest to you that there is a lot of coverage of the moment of a set of generative AI vulnerability mapping tools, such as Mythos or ChatGPT 5.6, which are really causing concern in business, partly because they do not have access to them, so they do not know what the consequence is.

I note commentary from the National Cyber Security Centre and from the Department for Science, Innovation, and Technology of a plan to have a national look at vulnerability. What they will highlight is notional vulnerabilities on networks. All devices, including the phones in your pocket, your computers at home, your routers and everything else, live with vulnerabilities. All distributed network systems are risk-managed. Unless they are the nuclear firing chain, they are not perfectly secure.

We are at a really interesting moment where, if we are not really hard-minded about how we do this, there is going to be a new tool that illuminates apparent vulnerability, and we are going to blame-storm. The effect is not going to be to improve our security, but to improve our costs and the difficulties that you have in communicating public to private, or central to devolved government, et cetera.

The Chair: You have remembered your second point.

Baroness Neville-Jones: I have. It is about insurance, which is an important part of the coming picture. Perhaps you are going to talk to the insurance industry. I have two points about that. It is fairly new, and there are still a relatively a small number of companies that have taken out insurance. Part of the problem has been that this is new for the insurance industry, and it has had to develop models. They are not particularly easy to develop, so it is also partly a learning exercise for them.

The time is coming when we do need to think about whether you need to have a licence to drive, and you are only part of the system if you do have insurance. That is quite hard at the moment at the SME level, but, as you go up the line, the whole business of having an insurance policy, which is then closely linked to how you report on your state of security to your shareholders and so on, is all part of a corporate way of behaving.

The insurance companies are also very helpful in getting companies to set up a proper recovery routine, which most companies fail to do in the absence of having an incentive of that kind, which is likely then to make their premium reasonable. There is some very useful progress that can be made on reducing the level of vulnerability by getting people to have blocked some of the risks that they are otherwise not taking notice of.

Q175       Lord Oates: Some of this has been covered, but it is related to this illusion on the banking system. You have the stress tests, but you also have the capital adequacy requirements about the capital that has to be held against it. Is there some sort of parallel in terms of the private sector that is critical in a national emergency situation, whereby you had some risk assessment of their supply chains and required them to do certain things on the back of it? That seems to have driven a lot in the banking sector.

Baroness Neville-Jones: What you are saying, in effect, if I am translating that through, is, “What about the regulator?” Of course, the regulator is emerging as an important force in cyber, because the Government are putting the regulators in as a major piece of control machinery. It may well be that, in the course of wider resilience, we will find the regulator appearing in recovery. It is certainly a possibility.

It raises obvious questions, because the Bank is not just a regulator. It is a guide. It is a protector of the industry. It is all sorts of other things, so the relationship with the Bank is much fuller than companies would like to have with a normal regulatory body. It does raise the question of, “Where does the regulator fit in?” It seems to me that, when you do have a serious recovery, it is almost inevitable that the regulator will be part of the outcome, because they are going to be the one that levies a fine, if there is one.

Ed de Minckwitz: It is partly, as I say, about ensuring that those CNI providers have appropriate governance and auditing structures baked into their systems, which are secure by design, and that they have metrics. The GovAssure framework can be applied to assess where they are in terms of their resilience, and then the question is whether the measures in the cyber security and resilience Bill can be brought to bear to hold people to account.

Paddy’s point about CBEST is a really good one as well, because, under NIS2, there is something about testing the assumptions, whereas, in our Bill, as currently proposed, the plans have to be there, but there is nothing to mandate that they are tested at all.

Paddy McGuinness: Baroness Neville-Jones touched on something really important. The Australian Cyber Security Centre was given a role to assist industry and found that it could not do so. The Department of Home Affairs set up a cyber unit to do something about it. Something different has happened here. As I go about, with business, looking at the way in which they are regulated, there are really strong points in Ofcom, Ofgem, Ofwat and the FCA. There are some really significant technology figures operating within that, managing technology risk, some of whom have a workforce that is working with their clients to improve preparedness, response, and recovery.

Hidden beneath the surface of our regulators, there are little strong points that are dealing with the most egregious difficulties that they have by sector. Some sectors have significant egregious difficulties. Some—one thinks of telecommunications—are somewhat more used to this and more part of the collective effort. You do not want to lose sight of that and put all the responsibility on NCSC, but, at the same time, we should reward the regulators for what they are doing behind the scenes.

Q176       Baroness Hunter of Auchenreoch: Thank you for coming. I am a relatively new Member of the House of Lords, and this is my first committee that I have sat on. I have to say that I am incredibly reassured by your wisdom, expertise and experience, so thank you very much.

I am not so reassured on the whole of society’s awareness. I do not think that they are even aware of the notion of resilience or preparedness. There is the Government’s Prepare website, which is perfectly good but nobody knows about it. What are your views on what we communicate to the whole of society and how we communicate it, especially in this new landscape of influencers? People know an influencer more than they know a national broadcaster. They know the name of that person. What are your views on where we should now go in this, but without following the Denmark model, which is perhaps too extreme?

Paddy McGuinness: You have touched on a really significant point about how the Government communicate. One has to communicate where people are receiving. I noted that the Government are not terribly happy using TikTok, when a very significant proportion—more than half—of the British population has a TikTok account. It is madness. They do communicate and they are present there, but, because we have got ourselves all tied up in a knot about the Chinese having access to data, we are somehow not using the main source of information and news that the younger generations have, so we have to balance that somehow. There is a really interesting communications point, and it does feel like Government are behind the curve on that.

I want to claim credit for almost everything. I very much enjoyed being the senior civil servant who faced Oliver Letwin as he did all of his shaking of the system to try to make resilience higher up the agenda when he was Chancellor of the Duchy of Lancaster, and that was a great effort by him. Even he found it difficult to get to the point where we would put out advice of the kind that Sweden, or any of the Nordic or Baltic states, or the Poles, would put out about what is expected of you in your home, or how you should prepare yourself and the rest of it, or, indeed, to have alerting systems through GSM.

We have made progress on that and we do now have alerting systems, but we are not yet at a point when we are talking fully enough about this, and there is a reticence about it: “We must not spook the public”. The public will not thank us the day after a really bad thing happens to them when the Government have not bothered telling them something that the Government know, or have not said it clearly enough. If you want to alienate the public, that is the route to it, so there is a major communication task to be done.

There is then a thing about consistency of communication going down from central government through the locality. Again, I go back to my thing that it cannot be that it is solely or mainly people in uniform who communicate about risk. It cannot only be the Armed Forces, the Ministry of Defence, the police service or the fire service. They must communicate, but everyone must communicate about it.

Ed de Minckwitz: I do not disagree with the challenges on the channels question. That is absolutely right, but, before that, there absolutely are cultural permissioning and messaging challenges. Having launched the national alert system and the new website, the battles that we had internally to talk about those mechanisms were intense. There is a culture within government and, indeed, wider society that people do not want to hear about these measures.

Whether it is British stoicism, fatalism or exceptionalism, we do not seem to be able to have a national conversation on a sensible level about the level of threats that we face and what we should do about them. That conversation has to be led by the Prime Minister and senior Ministers. Long before it is led by influencers, the media or the Army, it has to come from the top. We have to strike a tone so that Ministers feel able to be honest without fear, frankly, of political attack, because these issues transcend politics.

As a final observation, I find it extraordinary that we live in a country where, last year, there was a poll that suggested 50% of young people would not fight for their country, and yet, at the same time, on our continent, we have young people, some of them conscripted, fighting because their land is being taken, and their livelihoods and their lives are under threat. We have culturally got to a situation where, as a nation, we can indulge in the fantasy that somehow we are immune or naturally resilient, whereas we have to recognise the immediacy of the threats that we face around our immediate neighbourhood, not just in the wider world.

Baroness Neville-Jones: Your question is one of the most important ones facing Government. We have a deadline. That deadline is what NATO says about the threat to us. It put a date on it of 2030. What are we now? 2026. That is not a lot of time to bring about a much more informed public that is also not content but understands and is supportive of what is being said to it. Those are all quite big tasks.

Part of the problem is that not all the work is being done. There is quite a lot of work to do on resilience to put some of it into law. We do not have a resilience Bill. When are we going to have one? Secondly, partly because of that, the Government do not know what they want to say. Are they going to launch into the question of a national service of some kind, or are they going to treat resilience as strengthening the CNI? They absolutely have to have a goal. They have to decide what picture they want to paint. That is a very big question.

The first thing that has to happen, it seems to me, is a dialogue inside the Government. They need to decide what it is it that they are trying to do. Then I agree, absolutely, that it needs to be led by the Prime Minister. If I were doing this, I would start with the threat and involve people other than the Government—people who are respected in our society, including the corporate sector—to talk about the world that we are entering. They can mix it with all sorts of other things that people are interested in, such as AI. Get the yeast going of what the issues are and, out of that, it would then be easier to identify how far to take the debate in things that are more sensitive.

I do think that we need to raise the question of some kind of national service. On the whole, we would be wise to make it voluntary, but there would be takers. I do not think that this is an impossible task, but it is an important and a big one, and it needs to start now. We do not have a lot of time.

Paddy McGuinness: I am loath to, but I disagree with Baroness Neville-Jones, and I disagree in this way. In my experience, in particular with business, a threat-based conversation results in them looking at the specificity of the threat and then making a judgment about whether it is likely. A service-based conversation—i.e. “You must continue to deliver your service”—makes them think about being resilient.

I am rather in favour of focusing on what we expect from citizens, businesses and different levels of government in terms of continuity, regardless of the threat or hazard confronted. We will end up, therefore, with common solutions, which may reflect Russian interference, a weather event, civil disobedience or whatever it is that is causing the problem, and a common approach to it. If you do threat-based things, people say, “Yes, that is not very likely and probably will not happen to us”.

Baroness Neville-Jones: I think that you have to have a reason when you want people to do things.

Ed de Minckwitz: If I can just make a small practical suggestion on this point, it is that the Government, when they go through their exercising programme, publish something around the outcomes of the exercise, and an action plan for how they are going to address the deficiencies that they have found through that exercise. I participated in Operation Mighty Oak, which exercised a national power outage. That was extremely illuminating for where the vulnerabilities would emerge first, and there were huge lessons learned.

I understand that there are obviously things that cannot be said in public around those exercises, but there is much more that could be said, which, again, would contribute to the national conversation and have some metrics that people could be held to account to through parliamentary processes.

The Chair: Thank you. We are going to move on. We have already touched quite a bit on cyber security, but Lady Winterton has a very specific question.

Q177       Baroness Winterton of Doncaster: Thank you all for the fascinating evidence. I am particularly interested because all of you will have worked with a close eye on the legislative framework, if not devising the legislation itself. First of all, I wanted to ask whether you felt that the cyber action plan and the cyber security and resilience Bill were up to addressing the severity of the threats that we face. I am very aware that Baroness Neville-Jones has said that she feels that it ignores the private sector, and Ed thought that it was a bit lacking in terms of accountability, but is there anything else on that?

I also wondered whether you have any sense of whether the legislation that we have in overall resilience at the moment is confused or whether it should be streamlined. Again, Baroness Neville-Jones mentioned the resilience Bill. A question that I always pose is whether we are sure that we need to legislate for everything, given that Governments do have a tendency to over-legislate. Should we be doing more without legislation?

Baroness Neville-Jones: On the cyber Bill and the cyber action plan, I have already said that my main anxiety about the Bill is the fact that the private sector does not appear. What I do not want to do is impose obligations on it for the sake of it. What I want to see happen is much more partnership with it, and information flow both ways. That is my main concern. It should feature in the Bill, and I would like to see some structures created to enable that to happen.

On the cyber action plan, I suspect that my companion is going to disagree with what I am about to say, which is that I have to confess that I find it slightly odd that DSIT finds itself at the centre of regulating and designing the structure. In my view, DSIT is a department that certainly has a big job in promoting science, technology and innovation. I am less convinced that it is the department that should set up and monitor the structures, and deal with the problem of other government departments and the lead government department. It seems to me that it is much more naturally a central government function and would sit more naturally in the Cabinet Office, where I suspect resilience is going to be. I do not think that we are going to now change the locus of the national risk register, the Amber Book, and all the things that go with the foundations of resilience.

Where there is a great deal more policymaking, even if you do not put it into legislation, that needs to be either done by Government or adopted. The National Preparedness Commission has done a great deal of excellent work. Quite a lot of it is pretty oven-ready and it would not be difficult to profit from all of that. The Government can make some quite quick progress in some of the areas, and they certainly do need to, because we need a government resilience agenda, which, at the moment, we do not have. That should be located in the Cabinet Office, alongside government departments. The Cabinet Office should not do everything, but it is inevitable, when you have several departments involved, that you are going to have to have the Cabinet Office there as well to make sure that everybody is participating, coming back to the old problem.

I am not suggesting that we now try to change what is happening in DSIT. That design has been passed by the House of Commons, and we must let it go ahead. It is not where I would have put it. Nevertheless, let us make it work. It is a hard read, but, if you look at the detail, there is a lot of detailed work that has gone into it. People really have thought about it. You can see the homework that is going to have to be done, but it is there, and so I am very reassured by that.

The Chair: What about the over-legislation part of Lady Winterton’s question?

Baroness Neville-Jones: I was thinking about that. It will depend on how much you think you need to be able to oblige people to do things, as distinct from relying on their voluntary co-operation. I do not think that all detail needs to go into law, but it seems to me that the spine of people’s obligations probably does need to be there. They have to be able to justify these actions to their shareholders, because it involves costs, so there does need to be some legislation. The point about not over-legislating is a really good one, and I am in the same corner on that.

Paddy McGuinness: The answer to your core question about whether it is adequate to the severity of the cyber threat is no. I was responsible for the second half of one cyber security strategy in the national cyber security programme, and the first half of another one. It is never a good sign when you have a set of strategies and then you change their name into something else by calling it a plan; it is a bad sign.

I have had to sit in front of the Public Accounts Committee and give an account of how we spent the money, and we spent some of the money well. In terms of the National Cyber Security Centre, we are in a better place than we were previously. We have a focal point and the rest of it. It is not what we hoped it would be, and I fear that it is overmatched by what we are dealing with now. I do not know why we think that the action plan will be any different than the previous three strategies. It may be; it may not be.

Baroness Neville-Jones: It is very detailed.

Paddy McGuinness: It needs close interrogation as to whether it will deliver something. The Bill is tactical. It is a globbing together of things. The reality is that what happened to us in this country last year, with multiple major cyber events caused by the ease with which ransomware attackers could attack, but also by the complexity of the systems that were being operated and which needed to be shut down, revealed a very great deal about the problems that we have. I do not see that the Bill is materially going to change that, and I have some misgivings about some aspects of the Bill.

Baroness Neville-Jones: It does not ban ransom payments, but I think that it needs to.

Paddy McGuinness: I disagree, but, on the question of overregulation or over-legislation, I would say a couple of things. First, if you run a listed company, you have a fiduciary duty. Something that disrupts your business impacts directly on your duty within the company, and on your interest and your purpose. That is the best driver for getting listed private sector companies, or those privately owned with investor funds within them, to innovate and to do what you require. Additional legislation, in my view, is probably unhelpful in terms of complicating that duty.

In the cyber space, I see a critical role for regulators. One of the most interesting things when you are a senior civil servant and working with regulators, where you want a business in particular, or part of society, to do something, is what I call Al Capone powers. If you are a bank and the Financial Conduct Authority writes to you and says, “It would be really nice if you did X”, you tend to think you might do X.

In particular, if the PRA writes to you, my word, you would think, “Hang on a minute. We would like to remain being a bank. We might take account of their views”. That is far more powerful than clauses in an Act, which then become a subject of an internal self-licking lollipop interaction between those who hold to account and those who are held to account, which is what very often happens.

Baroness Neville-Jones: That is not in the Bill.

Paddy McGuinness: No, but we are talking about whether we need more legislation, and I am saying that I do not think that we do. We need to think about what mechanisms exist already, which is a very British thing to do, that allow us to achieve our outcome. They exist, and we want to use those rather than unnecessarily spending a lot of your time putting together things that do not result in an improvement in our resilience. If our rubric is that we wish to be more resilient, you can have any number of Acts, if you like, but, if it does not ultimately result in improved resilience, you are probably making things worse.

Baroness Neville-Jones: The Government are scared to use sector regulation.

The Chair: Hold on, Lady Neville-Jones. Let Mr de Minckwitz get a word in between the spat here between you two.

Ed de Minckwitz: I would agree with Paddy that the answer is no. We have spent years now warning about a challenge that is growing. In terms of the capability of AI models, it is growing exponentially, but the barrier to entry in terms of perpetrating cyberattacks is lowered, and the severity and regularity is increasing, so the threat and risk picture is moving to the left pretty rapidly, but the Government’s ambition is moving to the right.

I do not want to be alarmist or shrill, but, in the Government’s own language in the cyber action plan, they are calling for a radical shift and talking about the scale of the challenge, but then, in the next breath, taking the 2030 target for government organisations to be resilient, which we were criticised for saying was not ambitious enough, and moving it to the right.

Paddy talked about that time to exploit. That has moved from nine months in 2022 to nine hours today, and that is only going to decrease. As Paddy says, there were 204 significant cyberattacks last year, which was more than double from the year before. I do not think that we would bet against that doubling again, so I have to say that we need to take it more seriously.

In terms of whether there is too much regulation or legislation, we should ask ourselves whether the voluntary approach worked. You talk about a fiduciary duty in the private sector, and yet we see cyberattacks costing the economy £14.7 billion a year. The public sector is not, of course, included in the Bill. It is extraordinary for the Government to ask the private sector to be statutorily responsible for a standard that it is not prepared to impose on itself, while, in the same breath in the cyber action plan, admitting that GovAssure and the voluntary approach has not succeeded in the Government and public sector meeting the appropriate standard.

I hope that, in the time that is left in the Bill, it can be toughened up, particularly in terms of the private sector, and both the exercising and the sectoral scope. I note that Andy Burnham, in his op-ed, mentioned JLR. I think we mentioned that earlier this morning, and yet, of course, manufacturing is not in scope at the moment, so there is more that could be done.

Q178       Baroness Paul of Shepherd's Bush: I have the final question. You have been very clear and vocal in your thoughts about some of the changes that we need to make. What one recommendation would you make to the Government about preparedness and resilience? What is the thing that keeps you up at night or the one thing that you want us to take away from your thoughts?

The Chair: Just one.

Baroness Neville-Jones: I want some firm resilience proposals from the Government. Note that I said “proposals”, not “law”.

Paddy McGuinness: I would advocate a fuller role for the insurance industry. The Government make a mistake of thinking that they must do things. While the Treasury may wish to deny it, the Government are the insurer of last resort. We saw that during Covid and, my word, we wasted an enormous amount of money making payments to people who maybe were not even people or did not deserve them, and we did not have a mechanism for doing that.

We are excellent in the insurance sector in this country, dare I say. I always think “world-leading” is an indicator of something that is going to go wrong, so I am not going to use that term. None the less, we are excellent in the insurance sector, and we have a history of innovating, with Pool Reinsurance, around significant breaks in the market. I am not saying necessarily that what we should do is pick up that model and just expand it, but there is a really interesting opportunity to think about how we structure ourselves so that insurance gives us channels, drives preparedness, and builds the resilience, response and recovery industry that we want, which it does when there is assured payment.

We see it in the cyber area. You end up with people who will respond and help you recover. It can drive excellence. It can reinforce small and medium enterprises with assurance through specific insurance. It has a potential, outside government, to give us a structure that gives us a measure of the risk and how resilient we are. It is very difficult for the Government to order that. We have excellent risk management, whichever direction it is, just a couple of miles away.

Ed de Minckwitz: My recommendation would be to talk about it, to be honest about the threats that we face, and to make a virtue of the measures that we are taking to mitigate and respond to them. As we have said, the only people who can start that national conversation are the senior members of the Government. That would be my one recommendation.

The Chair: Thank you. We made it to the end of the list of questions. Your evidence has been immensely helpful. Thank you so much. We appreciate your time, including the extra time. We will ponder very carefully everything that you have said, including the things that you disagree about and the things that you agree about. Thank you very much.