Cyber Security and Resilience (Network and Information Systems) Bill. Bill published 3 Feb 2026, Department for Science, Innovation and Technology.

Cyber Security and Resilience (Network and Information Systems) Bill — Written evidence submitted by Liberty and Privacy International (CSRB16)

Parliament bill publication: Written evidence. Commons.


Written evidence submitted by Liberty and Privacy International to the Cyber Security and Resilience (Network and Information Systems) Public Bill Committee (CSRB16)

INTRODUCTION TO ORGANISATIONS

1. Liberty is an independent membership organisation. We challenge injustice, defend freedom and campaign to make sure everyone in the UK is treated fairly. We are campaigners, lawyers and policy experts who work together to protect rights and hold the powerful to account. Liberty welcomes the opportunity to submit evidence to the Public Bill Committee for the Cyber Security and Resilience Bill.

2. Privacy International is a registered charity (no 1147471) that works globally at the intersection of modern technologies and rights. Established in 1990, PI undertakes research, litigation and advocacy to build a better future where technologies, laws and policies contain modern safeguards to protect people and their data from exploitation.

RECOMMENDATION

3. Section 29 of this Bill gives the Secretary of State power to issue regulations to improve the security and resilience of key network and information systems, including to reduce the risks of "security or operational compromises".

4. Subsection 5 defines "security or operational compromise" as "anything that compromises the security, availability, functionality or reliability of the system" and "any unauthorised access to, interference with or exploitation of the system or anything which enables such access, interference or exploitation".

5. This part of the Bill – and indeed the Bill as a whole – is rightly concerned with ensuring the security and resilience of electronic communication networks that are essential to the UK. However, other powers held by the UK Government directly conflict with this objective. We refer in particular to the power to issue Technical Capability Notices (TCNs) under s.253 of the Investigatory Powers Act 2016.

6. We recommend that the Government adds a subsection to this clause that specifies that a Secretary of State cannot use a Technical Capability Notice (TCN) to create a cybersecurity weakness in a network or information system.

7. Last year, the Government used those powers to undermine end-to-end encryption (E2EE) by purportedly ordering Apple to create a backdoor in its cloud services to facilitate law enforcement access. Apple then withdrew its Advanced Data Protection for UK users, leaving UK users without essential cybersecurity protection.

8. Undermining E2EE in this way can create a weakness in the encryption that could be exploited by hostile state actors and criminals. The Government is therefore using its TCN powers to create cybersecurity vulnerabilities in key informational infrastructure.

9. The power to issue TCNs directly undermines the purpose of this Bill by allowing the Government to demand that cybersecurity weaknesses be created for its benefit, despite the risk this creates for UK users and key UK digital infrastructure. Liberty and Privacy International strongly suggest that the Government uses the Cyber Security and Resilience Bill to close this loophole and ensure that any future Government cannot undermine key cybersecurity protections via the TCN regime. We recommend that the Bill be amended to specify that a Secretary of State cannot use a TCN to create a cybersecurity weakness in a network or information system. Such a provision would constitute an essential safeguard against future misuse and ensure UK residents have access to the best cyber security protections in a moment of heightened geopolitical instability.

BACKGROUND

10. On 7 February 2025, the Washington Post reported that the Home Secretary had served Apple Inc. with a TCN under s. 253 of IPA 2016.[1] The TCN served on Apple reportedly targeted Apple's Advanced Data Protection (ADP) service: an optional security feature for Apple users which provides end-to-end encrypted (E2EE) cloud storage which only the Apple user (and not Apple itself) can unlock. Such encryption is particularly important because it can protect highly sensitive documents, such as those of lawyers, activists and politicians. Because of how E2EE works at a technical level, weakening it is likely to provide a broad mechanism for a range of people and states to gain access to sensitive material.

11. Enabling ADP removes Apple's ability to access user data in plaintext (i.e. in a usable, unencrypted form). Once ADP is enabled, the customer takes control of the key used to encrypt/decrypt data, providing end-to-end security for the data stored on Apple's servers. Without ADP enabled, Apple holds the key used to encrypt/decrypt the cloud storage and uses user authentication to grant access to that key. As Apple holds the key in this scenario, it can be compelled to disclose that key or the information protected by it.

12. Giving users control over how their data is encrypted is crucial, particularly for those whose jobs, beliefs or characteristics require enhanced security and risk mitigation. Journalists, researchers, lawyers, civil society, and human rights defenders across the world rely on encryption because it protects them and their sources, clients and partners from surveillance, harassment and oppression.

13. Indeed, the National Cyber Security Centre (NCSC), the UK Government authority on cybersecurity matters and a division of GCHQ, specifically recommended that all UK legal professionals enable ADP, given the particular and serious threats to lawyers, including from nation states, posed by persons seeking to access privileged materials. Last year, the NCSC removed that advice – presumably because it is now inconsistent with the TCN.[2] Clearly, prior to this move, the NCSC agreed that ADP was a key aspect of cybersecurity risk mitigation.

14. On 21 February 2025, various news outlets (including the BBC, Financial Times, the Guardian, and Forbes) reported that Apple had publicly announced that it would be withdrawing its ADP services for UK-based Apple users. New users attempting to activate the service have been prevented from doing so. Current users have been notified that their future use will be prevented in due course.

15. The UK Government's alleged decision to serve a TCN on Apple has been widely criticised. By 24 February 2025, for example, the Global Encryption Coalition's joint letter had received 239 signatures from a variety of interested groups, including civil society organisations, companies, journalists, academics and cybersecurity experts. Indeed, the Financial Times even reported that, when questioned about the incident, the President of the United States of America likened the TCN to an act of Chinese surveillance, and the US Director of National Intelligence has also publicly criticised the TCN.

THE IMPORTANCE OF END-TO-END ENCRYPTION FOR CYBERSECURITY AND RESILIENCE

16. A literature review by the defence and security think tank RUSI found that "there are clear and significant cyber security and privacy benefits to E2EE. Efforts to weaken or restrict its access would be a net loss for all."[3] They note that "E2EE is the cornerstone of strong cyber security" because it ensures data confidentiality, integrity, authentication, and non-repudiation.[4] They also note, "on a societal level, increased reliance on technology and the digitisation of critical sectors such as finance and energy mean that protecting the transfer of data has never been more important." E2EE is the best way to protect that highly sensitive data.

17. Salt Typhoon

18. In 2024, reports emerged of a severe cyberattack by the Chinese group Salt Typhoon which had compromised US telecommunications systems. At least 80 nations were also affected. The hackers were even able to access phones used by the Trump and Harris US presidential campaigns. One former senior FBI official estimated that China had collected data on almost every American.[5]

19. The hackers were able to get into US internet service provider systems used by US law enforcement and intelligence agencies to conduct court-authorised wiretapping (i.e. a backdoor).

20. In response, Australia, Canada, New Zealand, and the United States issued communications security guidelines that recommended using E2EE. The guidance recommended that network engineers "ensure that traffic is end-to-end encrypted to the maximum extent possible."[6] The UK notably did not join its allies in endorsing this guidance.

The cybersecurity challenges created by exceptional access mechanisms

21. E2EE can create some (not insurmountable) obstacles for law enforcement and intelligence services in criminal investigations. However, we would reject the false dichotomy between public safety and the cyber security provided by E2EE. E2EE keeps our most personal information safe from criminals and hostile actors; it is foundational to public safety in a digitised world.

22. Attempts to undermine E2EE are particularly problematic because of how the encryption technology works. It is not possible to limit access only to 'good actors': once an alternative way in has been created, others will seek to exploit that access for their purposes. It creates vulnerabilities in the system.

23. Cyber security technologists Susan Landau, Matt Blaze and Steven Bellovin note in a recent Lawfare article: "Third-party exceptional access mechanisms have sometimes been proposed for enabling government access to encrypted communications."[7] This is allegedly what the Government's TCN order to Apple aims to do. They continue, "it has been known for decades […] that this is simply not a viable or practical solution."[8]

24. To get into individual devices with legal authorisation, the UK government could require Apple to create an "exceptional access" mechanism, where copies of users' decryption keys are held by a "trusted" third party. Landau et al note, "A special government-only decryption key is a deliberate breach of the security barrier that encryption provides; no one knows how to do this in a way that ensures only legally authorised parties have access to the data."[9] The result is that creating the technical possibility of exceptional access opens up a route through the security barrier that untrusted actors (such as hackers and rogue states) can – and will – seek to exploit.

25. In the seminal paper "Keys Under Doormats", Harold Abelson and colleagues found that several proposed exceptional access systems rely on modifying end-to-end encryption to make it less secure for users.[10] One such method would create a central key repository to store keys for exceptional use. This is "very likely to introduce serious security problems" because the central database of decryption keys becomes a highly attractive target for hackers – especially for state actors.[11]
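As an added illustration (not part of the submission), the following Python simulation models the three key-holding arrangements described in paragraphs 11, 24 and 25: the user alone holds the key (ADP-style E2EE), the provider holds it (ADP off), or a copy sits in a central key repository (exceptional access). The names CloudStore, breach_exposure and the toy HMAC-based cipher are assumptions made for this example; the cipher exists only so the simulation runs offline with the standard library.

```python
import hashlib
import hmac
import secrets

# Toy stream cipher (HMAC-SHA256 keystream in counter mode). Used only so the
# simulation runs offline with the standard library; it is not a production cipher.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])

class CloudStore:
    """Where the decryption key lives in each arrangement the submission describes.

    user_held     - ADP-style E2EE: only the user keeps the key; the provider stores ciphertext.
    provider_held - ADP off: the provider keeps the key and gates it behind authentication.
    escrow        - exceptional access: the user keeps the key AND a copy sits in a central
                    key repository run by a 'trusted' third party.
    """
    def __init__(self, mode: str) -> None:
        assert mode in ("user_held", "provider_held", "escrow")
        self.mode = mode
        self.ciphertexts: dict[str, bytes] = {}    # what the provider's servers hold
        self.provider_keys: dict[str, bytes] = {}  # keys the provider itself can read
        self.escrow_vault: dict[str, bytes] = {}   # the central key repository

    def upload(self, user: str, plaintext: bytes) -> bytes:
        key = secrets.token_bytes(32)
        self.ciphertexts[user] = encrypt(key, plaintext)
        if self.mode == "provider_held":
            self.provider_keys[user] = key
        elif self.mode == "escrow":
            self.escrow_vault[user] = key
        return key  # goes back to the user's device; in user_held mode no server ever keeps it

def recover(store: CloudStore, stolen_keys: dict[str, bytes]) -> dict[str, bytes]:
    """Plaintext an attacker obtains from stolen ciphertext plus whatever keys they hold."""
    return {u: decrypt(stolen_keys[u], c) for u, c in store.ciphertexts.items() if u in stolen_keys}

def breach_exposure(mode: str, n_users: int = 1000) -> dict[str, int]:
    """Number of users whose data becomes readable when (a) the provider's servers or
    (b) the central key repository is compromised. Sample documents are constructed."""
    store = CloudStore(mode)
    for i in range(n_users):
        store.upload(f"user{i}", f"privileged document of user{i}".encode())
    return {
        "provider_servers_breached": len(recover(store, store.provider_keys)),
        "key_repository_breached": len(recover(store, store.escrow_vault)),
    }
```

Running `breach_exposure` for each mode shows the blast radius the paper describes: a breach of the provider or of the repository exposes every user in the provider_held and escrow modes respectively, and no user in the user_held mode.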

26. As Professor Ciaran Martin (formerly head of the NCSC) has put it, the reality is that senior politicians, officials (and spies) use, and need to use, ordinary and widely available E2EE products which are not subject to government-mandated backdoors – even as they push for policies that would undermine that protection. He notes that in this use of E2EE products his "friends and colleagues are acting rationally, not hypocritically: their important work can, sometimes, be better protected in this way. That's why this revolution in digital security cannot, Canute-like, be wished away, any more than public key cryptography could be held back indefinitely… It is now national and international imperative that our increasingly digital societies are increasingly digitally secure."[12] That means the reliable availability of E2EE services.

27. Martin also adds that if the Government were approaching this key cybersecurity issue responsibly, "there should be more openness […] about what sort of Technical Capability Notices are needed, why, and how they are applied. If we learned anything from Snowden, it's that the state needs to seek informed consent for what they do in this space."[13]

PROPOSED SOLUTION

28. The UK faced some of the most debilitating hacks in its history in 2025. The Jaguar Land Rover hack cost the British economy £1.9 billion and affected over 5,000 British organisations.[14] The Government had to step in and underwrite a loan to help JLR get back on its feet.[15] This summer's hacks of the retail sector including M&S and Co-op cost between £270 million and £400 million.[16]

29. This problem will only get more acute. Significant cyber incidents have increased by 50% from last year according to the NCSC.[17] The 2024 MI5 threat lecture noted that hostile state actors have been investing heavily in cyber operations and "their targets include sensitive government information, our technology, our democracy, journalists and defenders of human rights."[18] The July 2025 OBR analysis of fiscal risks estimates that a cyberattack on critical national infrastructure could increase borrowing by 1.1% of GDP.[19]

30. In this environment, it is essential that the UK Government equips its citizens, businesses, and organisations with the best possible tools to protect ourselves. End-to-end encryption will be essential to ensure our information stays secure and safe.

31. Liberty and Privacy International therefore strongly recommend that the Public Bill Committee introduce an amendment to the Cyber Security and Resilience Bill that protects Britons' access to end-to-end encryption. We recommend an amendment that would remove the Secretary of State's ability to issue a Technical Capability Notice that would undermine end-to-end encryption by demanding tech companies create an exceptional access mechanism for law enforcement. This should be added in a sub-section to section 29 of this Bill – see the relevant section below.

SUGGESTED AMENDMENT

Relevant section of the Bill

"Grant the Secretary of State powers to direct regulated organisations and regulators to take specified actions in the interests of national security.

29) Regulations relating to security and resilience of network and information systems

(1) The Secretary of State may by regulations make provision for the purposes of or in connection with the following objectives-

(a) the identification, management and reduction of risks of security or operational compromises in relation to relevant network and information systems;

(b) the mitigation of adverse impacts resulting from such security or operational compromises

(2) Provision for the purposes of or in connection with the objectives mentioned in subsection (1) may in particular include provision with a view to strengthening the resilience of relevant network and information systems and the resilience and security of their surrounding physical environment."

Suggested amendment

Amendment to ensure TCNs cannot undermine encryption: Section 253, Investigatory Powers Act 2016, after subsection (9), insert –

"(10) A technical capability notice may not-

(a) require a relevant operator to design, develop, modify, or maintain any telecommunications service, apparatus, software, or system in a manner that would-

(i) weaken, undermine, or compromise the integrity, effectiveness, or security of any encryption, authentication, or other key security feature applied by or on behalf of the operator, or

(ii) create or facilitate a security or operational compromise or systemic vulnerability, backdoor, or other means of circumvention capable of being exploited beyond the specific assistance required in relation to a relevant authorisation; or

(b) require the removal of electronic protection within the meaning of subsection (5)(c) where such removal would have the effect described in paragraph (10)(a)(i)."

January 2026

[1] Joseph Menn, "UK orders Apple to let it spy on users' encrypted accounts", The Washington Post, 7 February 2025.

[2] Alec Muffett, "NCSC, GCHQ, UK Gov't expunge advice to "use Apple encryption" for Barristers, Solicitors (etc…) co-incidental with Apple lawsuit against HMG's demanding a backdoor in the same", Dropsafe, 5 March 2025.

[3] Chamin Herath and Sneha Dawda, "Balancing End-to-End Encryption and Public Safety", RUSI Occasional Paper, April 2022.

[4] Ibid.

[5] Adam Goldman, "'Unrestrained' Chinese Cyberattackers May Have Stolen Data From Almost Every American", New York Times, 4 September 2025.

[6] "Enhanced Visibility and Hardening Guidance for Communications Infrastructure", Cybersecurity and Infrastructure Security Agency, cisa.gov, 4 December 2024.

[7] Susan Landau, Matt Blaze and Steven Bellovin, "The U.K.'s Plan for Electronic Eavesdropping Poses Cybersecurity Risks", Lawfare, 8 January 2026.

[8] Ibid.

[9] Ibid.

[10] Harold Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Michael A. Specter and Daniel J. Weitzner, "Keys under doormats: mandating insecurity by requiring government access to all data and communications", Journal of Cybersecurity, Volume 1, Issue 1, September 2015, Pages 69–79.

[11] Landau et al., "The UK's Plan".

[12] Ciaran Martin, "End-to-end encryption: the (fruitless?) search for a compromise", Bingham Centre for the Rule of Law, lecture delivered at Jones Day, Tudor Street, London, November 2021.

[13] Martin, "End-to-end encryption".

[14] "Cyber Monitoring Centre Statement on the Jaguar Land Rover Cyber Incident – October 2025", Cyber Monitoring Centre, 22 October 2025.

[15] Ruth Comerford and Rachel Clun, "Government to guarantee £1.5bn JLR loan after cyber shutdown", BBC News, 27 September 2025.

[16] "Cyber Monitoring Centre Statement on Ransomware Incidents in the Retail Sector – June 2025", Cyber Monitoring Centre, 20 June 2025.

[17] "NCSC Annual Review 2025", National Cyber Security Centre, 14 October 2025.

[18] Ken McCallum, "Director General Ken McCallum gives latest threat update", Security Service MI5, 8 October 2024.

[19] "Fiscal risks and sustainability", Office for Budget Responsibility, July 2025.

Prepared 3rd February 2026
