Examination of Witness

National Security Bill – in a Public Bill Committee am 12:00 pm ar 7 Gorffennaf 2022.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Paddy McGuiness gave evidence.

Photo of Rushanara Ali Rushanara Ali Llafur, Bethnal Green and Bow 12:40, 7 Gorffennaf 2022

Q We will now hear oral evidence from Mr Paddy McGuiness, former deputy national security adviser. For this session, we have until 1 pm. I would be very grateful if our witness could introduce himself for the record.

Paddy McGuinness:

My name is Paddy McGuiness, and I am currently an adviser with a critical issues firm called Brunswick Group. I was previously a national security official, latterly as the deputy national security adviser for intelligence, security and resilience in the Cabinet Office from 2014 to 2018. In that role, I oversaw hazards and threats affecting the UK homeland, including some aspects of counter-terrorism, alongside Sir Alex, and cyber-security programmes, offensive and defensive. I began the work on hostile states, and I also dealt with questions of broader resilience to natural hazard. For much of that time, I was also the Government’s chief security officer, overseeing matters of vetting, classification, investigation, and disciplinary and criminal proceedings to protect classified information.

Photo of Scott Mann Scott Mann Assistant Whip

Q Thank you for your service to the country. Your recent service as national security adviser gave you a valuable perspective on the current threats. Can you describe the extent to which the UK has the tools to deal with hostile acts from foreign states and the nature of how those threats have changed in your time in your job?

Paddy McGuinness:

I really welcome the way you framed that question, because when I thought to myself, “What am I going to say in front of this Committee?” that was absolutely at the centre of it. As the representative, in a policy sense, of the intelligence agency—Sir Alex and the others—and as a person trying to practise Government security and see through disciplinary and sometimes criminal investigations around compromise of classified material, my lived experience was that our legislation and regulations were, frankly, a Potemkin front, and that behind them there was not very much.

I would move in public or speak to Members of Parliament and Ministers, and they would say, “Ah, we have got the Official Secrets Act. We have got this and that,” and they would look at the terrorism powers, which Jonathan Hall described so fully, and the way they interplay with the powers proposed in the Bill, and they would assume we have similar powers, but as you see we had almost nothing. Where there were powers, very few of them crossed the serious crime threshold to engage the full range of intrusive investigative techniques and police time to pursue them. That was very disturbing at a time, certainly when I was deputy National Security Adviser and previously, when the impact on the digital age, as described by Sir David and Sir Alex, came to the fore, and when many states were messing, within the United Kingdom, with our institutions, corporate life and communities, over which they thought they had some share because those people came from that country of origin.

The answer is that I was left very disturbed. That is why under the coalition Government, the Cameron Administration and the May Administration—I left during that—I was, if you like, an apolitical advocate of new powers to shore up what was a weakness or shortfall in our national security capability.

Photo of Scott Mann Scott Mann Assistant Whip

Q That is really helpful. You mention cyber. From your perspective, what is the increasing relevance of cyber to state threats?

Paddy McGuinness:

Yes, and this is illustrative. In the other areas, as Sir Alex described and did fantastic service in countering terrorism, we have not had as much terrorist pressure on our societies and values as there might have been, because of the suppressive effect we have been able to have with our partners. That is because we had capabilities and powers. In the case of hostile state threats, we have some capabilities but perhaps not enough powers, and that is true in cyber. So we have left in front of people who wish to have purchase over our decision making, or to be able to influence us or possibly attack us, free space.

Inevitably, we concentrate on those that are most egregious. Sir David referred to the Lazarus Group in North Korea, and we might look at Iranian behaviours. Indeed, we might look at Russian or Chinese behaviours, particularly around intellectual property and technology, which are all very serious, but I refer you to the number of advanced persistent threats that are now listed because that gives you a description of the number of states that, unconstrained, are beginning to use these techniques for their policy purposes, whatever they are.

For me, almost the best example of this was in the covid pandemic, when there were intrusions and potentially damaging activity in the networks of international healthcare organisations that we needed to help us deal with the pandemic, such as the World Health Organisation. The APT—advanced persistent threat—identified was Vietnamese. I refer you to that list. We do not need to ask any former official to breach the confidentiality of high classification material to know that many states act in this space, and they have clear space in front of them in the cyber domain and in some of the techniques that are countered by the Bill.

Photo of Scott Mann Scott Mann Assistant Whip

May I have one final question?

Photo of Rushanara Ali Rushanara Ali Llafur, Bethnal Green and Bow

I will bring you back in later. I call the shadow Minister.

Photo of Holly Lynch Holly Lynch Shadow Minister (Home Office)

Q Thank you, Mr McGuinness, for your service and for keeping us and our communities safe. The Bill creates a new offence of sabotage. Is that something that you felt had been missing from previous legislation?

Paddy McGuinness:

It was quite extraordinary that we had a range of different possible offences that relate to the kinds of things that a hostile state would commit in order to sabotage, for instance, critical national infrastructure—a target entity in the UK—and that it was not coherent. What I would put in front of the Committee when you are thinking about this is: the most common thing that I find now in corporate life, but also in Government or in policy space—and in Parliament where I do a bit of advisory work—is stovepiping.

You say “cyber” or “cyber-security” and people immediately think of cyber-security issues, or you say “insider issues” and they say they will deal with that, or they think of physical attacks or physical disruption and they deal with that. They do not understand that this is a playbook, which, if you are a Russian commander, you put together, and you have a choice of what you do.

So you go in an escalation route from, “Can we access this remotely through the internet? Is there another way of accessing it electronically? Do we have a spy within it? Can I send someone from the embassy to go and get close to it and do something to it? Shall I send in Spetsnaz covertly—you know, go to Salisbury and poison some people? Or shall I go to war?” You have that whole range of things and they all relate to each other. And all of them relate to sabotage. We need to approach this by understanding what the adversary is doing and not having little bits of powers in some criminal damage legislation, or in the Computer Misuse Act. That will not do because that is not the purpose of the opponent.

I have described it for disruption and destruction in a sense of warfare, and I have used a kind of Gerasimov Russian example. It is very interesting when one looks at the way in which intellectual property has been stolen. There are a few cases where we see the end-to-end Chinese state effort, where you begin with remote cyber-attacks in close proximity—the case I am thinking of was in the United States—and an inability to get in by those means. Eventually, the subversion and recruitment of a member of staff operating in Switzerland provided them with the intellectual property, which they were not able to access using the cyber techniques. All the way through they were intervening in the networks and activities of that company.

One final thought on this: one of the difficulties with this grey space activity, as Sir Alex described it, is that if you have a presence for an intelligence purpose, you can flick it over and turn it into a disruptive or destructive attack. That is where that preparatory bit is quite important, too: understanding that the simple fact of engaging and being present quickly takes you towards sabotage. I think these are absolutely vital powers.

Photo of Holly Lynch Holly Lynch Shadow Minister (Home Office)

Q That is incredibly helpful and interesting; thank you very much for that insight. Can I take you from that to a slightly different issue? You heard the previous conversation with Sir Alex and Sir David about hostile state interference and making sure we have protected our democratic processes from that possible risk. How satisfied are you that UK elections are secure from foreign interference?

Paddy McGuinness:

The Clerks may have told you, or it may be in my bio, I do not know, but after I left Government I was asked by the Oxford Internet Institute to join them in a thing called the Oxford Technology and Elections Committee, prior to the 2019 elections—with an urgency because of what had happened in the United States in 2016—to come up with some practical suggestions for what we might do to protect our elections. I refer you to it: it is a great bit of work, and the Oxford Internet Institute has gone on doing that work. I am no longer as involved, but there is good work there.

The way I would frame it is this: it is a bit like what I said about the powers that we have. Because we do not occupy the space, others step into it, so because there are not strong controls and real clarity about what is happening around our electoral processes, people mess about in that space. It is really important—this rather echoes something Sir Alex said—that we do not take messing about in the electoral space as being the same thing as delegitimising an election. We have a strong tradition in the United Kingdom of being able to make judgments about whether the way in which candidates have behaved or the way in which money has been spent in a given constituency makes an election void, and you possibly have to run it again. We are used to making that judgment.

One of the risks that I note in this space—again, this is a point Sir Alex made very nicely about Vladimir Putin’s intent, which is to have us off balance—is that if the Russians do hack into a political party’s servers and mess about within them, and maybe mess with the data or interfere, or if they play games with a technology platform that people rely on for information and put out information, and we decide as a result that we cannot trust a referendum or an election, they succeed. That is success for them, so I think what really matters in this space is the ability to measure the impact that state activity has on the democratic process we are looking at, and—as Sir Alex said—that there is bright transparency so we know who is doing what.

Photo of Sally-Ann Hart Sally-Ann Hart Ceidwadwyr, Hastings and Rye

Q We heard from the previous witnesses about the challenges of online harm—sabotage and dis, mis and malinformation—and the Bill seeks to modernise the espionage regime to meet the challenge of the digital age. Do you think it will achieve that aim and where are the gaps, if any?

Paddy McGuinness:

I would expect it to be a dynamic process. I think you will be looking at further legislation; let us hope you have a long life as an MP, but in your time as an MP I would expect you to have to look at this again.

To Sir David’s point, I do not think we should delay for a moment fixing the things that the Bill fixes because of the fact that technologies develop dynamically. There is a lag. I can remember—I think I was actually working at GCHQ at the time—us thinking about what was happening with Facebook as it emerged as a widely used platform. Here we are with the Online Safety Bill, about 13 years later. There is a natural and quite proper lag between rapid technology innovation and slow and considered regulation and legislation, and we are going to have to live with that. I think this is good. It provides a basis, and I think the extraterritoriality is particularly important, as is the way in which sabotage is broadly defined to allow you to deal with the kind of range of things that I have been talking about, given that the opponent will move through those spaces.

Photo of Antony Higginbotham Antony Higginbotham Ceidwadwyr, Burnley

TheQ other day the director-general of MI5 and the director of the FBI said that most of what is at risk by quantity is not what the state does, but the technology, research and development and commercial advantage developed by our businesses and academic institutions. Does the Bill do enough—I am thinking mainly about the offences part of it—to protect against that risk?

Paddy McGuinness:

I think it does a very significant thing in the way in which it criminalises specifically the trade secrets aspect, which covers a very broad range. Again, we may have to return to this. This kind of legislation and the type of work that Sir Alex and his successors in MI5, MI6 and GCHQ are doing has Darwinian effect, so I have no doubt that as companies have got better at certain kinds of protection advised by the interaction with the CPNI and the National Cyber Security Centre, so the opponents have got better at it. And we will have to go on doing it.

It does not feel as though we have quite the same volume of opencast mining of our intellectual property and economic value that we had, as was described previously by General Keith Alexander, the head of the National Security Agency in the US. He described the enormous volume—trillions of value—taken out of our economies. There still is a very high level, though, so there is more work to do on this, and it is a significant challenge to the corporate sector to do the right thing in this space, because of the difficulty that it represents. The Bill provides a really solid basis for that discussion, because of the criminalisation of the trades secrets aspect.

Photo of Antony Higginbotham Antony Higginbotham Ceidwadwyr, Burnley

Q That is really helpful. They also said in the same speech that our opponents have a whole-of-state approach to further their aims—you touched on this. Does the Bill do enough to join us up and ensure that we have got that whole-of-state view on how we defend against espionage, sabotage and so forth? Or is that not realistic because of the evolving threat?

Paddy McGuinness:

One must constantly avoid complacency, but one of the strengths of the British state is the way in which institutions and agencies work together pragmatically and practically—within the bounds of law, obviously. That is how we have managed to get this far, with a lack of powers, without something going catastrophically wrong. It has felt really nerve-wracking doing it. As the person who had to represent it to Prime Ministers and the National Security Council, my word I was nervous about this. I was much more confident in other areas of my responsibilities, because there was a real shortfall. The Bill closes out quite a lot of that.

I would note something that I think reads across several of the points that have been made by the previous witnesses that I have heard today that it is important for the Committee to understand and for me to represent. When you are dealing with state threats, and in particular against really capable actors, that is a different task from dealing with terrorism or serious and organised crime, because we must work on the assumption that some of our communications, some of our computers and some of our people are under their control.

When I look at, for instance, the STPIM powers, I reflect that it is much more difficult still to bring prosecutions in this area than it is for terrorism and for serious and organised crime, where sometimes people have been suborned by the crime group. This is all together more serious, and it would be naive to think that no one spies for a foreign country, no communications are intercepted and no one is in any of our computers. That just raises the level of difficulty that we have got in this space.

Photo of Rushanara Ali Rushanara Ali Llafur, Bethnal Green and Bow

Thank you very much. That brings us to the end of the morning sitting and the time allocated. On behalf of the Committee, I thank Mr McGuinness for giving evidence today.

Ordered, That further consideration be now adjourned. —(Scott Mann.)

Adjourned till this day at Two o’clock.