National Security Bill – in a Public Bill Committee at 2:58 pm on 7 July 2022.

Professor Ciaran Martin gave evidence.

We will now start our next session and hear from Professor Ciaran Martin, professor of practice in the management of public organisations at the Blavatnik School of Government at the University of Oxford. We have until 3.20 pm, so if colleagues could keep the questions succinct, I would be very grateful—then we can get in as many of you as possible. Could you introduce yourself for our records, Professor?

Professor Ciaran Martin:

Thanks very much, Chair. My name is Ciaran Martin. As you say, I work at the Blavatnik School of Government at the University of Oxford. From 2014 to 2020, I served on the board of GCHQ, and I was the first chief executive of its National Cyber Security Centre.

Q Professor Martin, thank you very much for appearing in front of us today. You are credited with being a significant proponent of transforming the UK’s approach to cyber-security. Do you welcome the approach taken in this field to tackle all factors of hostile activity by foreign states?

Professor Ciaran Martin:

Thank you for your kind words. I broadly welcome this Bill. There are a series of fairly antiquated pieces of legislation that—sometimes at the margin, sometimes a little more profoundly—inhibit the pursuit of hostile-state threats, because they are, in effect, pre-digital legislative frameworks, very simply. With some of the language, you are replacing words like “maps” with words like “data”, or at least adding words like “data” to words like “maps”. You are dealing with things such as the flying of unmanned drones over sensitive sites. Despite my previous experience on the inside of the national security side of Government, when I read the explanatory notes, it was a bit of a double-take to be reminded that we had to explicitly criminalise assisting a foreign intelligence service in this country.

I think it is a very sensible piece of legislation, with the modernisation and some of the tidying up. From listening to your exchanges with the Electoral Commission, I think the provisions around disinformation and interference in political and democratic processes are really difficult to get right, so I welcome this sort of process. I think the intent is obviously cross-party and commands widespread support. The intent and basic provisions should be uncontentious, but I think some of the detail is going to be quite tricky.

Q With your extensive knowledge in this space, it would be really interesting to have an understanding of how the threat has changed since you have been in your position.

Professor Ciaran Martin:

When I say scale, I actually mean scale in its very precise meaning about volume. Digital espionage involves the extraction of information on a scale that was hitherto inconceivable, and that has, therefore, extended the scope of that. For example, there are specific references in the legislation to commercial and trade; we have seen that.

One of the changes that digitisation has brought, in terms of hostile foreign intelligence, is that it is possible to inflict large-scale strategic damage on the UK remotely, but it is not always done remotely. There are hybrid elements—there can be activity on the ground in the UK that assists digital espionage and digital penetration of the UK. Our existing legislative framework does not allow for that to be prosecuted. Even when it is done entirely remotely—for example, the People’s Republic of China has done some of its operations entirely remotely—we have seen from the United States that, although it is not transformative, it is a useful policy lever to have a framework of criminal law that criminalises activity even in eventualities where you will not realistically be able to apprehend a named human being.

To be a bit more succinct, the large-scale extraction of and interference with data is essentially the risk. The willingness of nation states—principally Russia and China, to a lesser extent Iran, previously but not so much recently North Korea, and a bunch of up-and-coming potentially hostile states—to do that has been a very significant feature of the national security landscape over the past decade, as the head of MI5 and so forth emphasised.

Q How big is the risk to the UK of disinformation?

Professor Ciaran Martin:

One sees only the tip of the iceberg when there are major breaches. I will use a well-known example from the United States—a close ally that is perhaps easier to talk about because it does not involve disclosing sensitive things about the UK.

The hybrid operation against the United States in 2015, which the US Government at the time acknowledged formally was undertaken by the People’s Republic of China, involved the extraction of more than 20 million security clearance records from the United States Office of Personnel Management—effectively the civil service department of the US Federal Government. It was the security clearance application forms of everyone who had applied for security clearance from the US Federal Government in the first 14 years of the century. As a dataset, it is incredibly rich. For example, if you are part of a commercial data breach, it is likely to be just your name and email address—possibly a password, although perhaps not even that, and possibly the last four digits of a credit card. If you go through a Government security clearance process, it is everything.

Think of the current politics of the US and China, and think about the established fact that the Chinese Government have this dataset of US Government personnel, with lots of information about them. You can see the strategic impact that that can have. To the best of my knowledge, based on public scholarship and disclosures relating to that incident, it was a largely remote operation, but it did include some activity on the ground. You can see how the sort of legislation we are talking about here might be useful in at least deterring or being able to deal with that.

Q Further to some of the points that you were making, I think it was the Russia report that identified that, as this hybrid activity becomes an emerging threat, we could be doing more internally and in Government to streamline Departments’ responsibilities for different areas of the response to cyber—whether it is policy development or offensive or defensive cyber—alongside some of the powers here. Do you think there is more we can do internally to try to get a grip and pull all that together?

Professor Ciaran Martin:

I would say this, wouldn’t I, but there has been a reasonably decent trajectory of controlling it.

There is a challenge for defenders. If you are attacking—if you are Russia and you have a programme of destabilisation of the UK through these sorts of means—it is all the same programme to you. But if you are defending against it, the defence of the networks of a privately owned critical infrastructure company, such as the energy grid, is one problem, and the protection of sensitive Government networks—diplomatic cables and intelligence services—requires you to do something slightly different.

Disinformation is a different problem again, because historically under our laws, quite rightly, it has not been an offence to make up a lie and put it on the internet. That is different from a cyber-attack. Putting it under a single organisation is really quite hard.

Things were starting to get better around the time of the end of my Government service in 2020, although there is probably some way to go, on the synthesis of operational cohesion—the sharing of information—across these different parts. It is better than it is in quite a lot of other countries—it is less siloed—but I am sure, Ms Lynch, that there is plenty more that could be done to improve it.

Q Given some of the conversations we have had with the prior witness panels, are there other examples of best practice from around the world in respect of the influence of foreign states, particularly online? Have other countries—other legislatures—got some of the answers that we perhaps do not have in this legislation?

Professor Ciaran Martin:

A lot of countries have struggled with it, and it goes beyond just legislation, if I am honest. In terms of things like disinformation, quite interesting were some of the things that the French did in 2017, when there was the Russian attempt to do something and they deliberately sort of cast doubt on the integrity of it. They knew the information was being, in effect, data dumped, but they are believed to have done some alterations so as to cast doubt on the authenticity of the whole thing.

In terms of civic society and discourse, in advance of the 2020 election the Washington Post editorial board did something really interesting. Although it did not come to pass in the way that it did in 2016, they issued a proactive statement to say that if they received very sensitive political information but from a suspect source that was likely to be a foreign intelligence service, they would treat it differently from, say, a leak from within the United States—they might sort of print it differently. There is a discussion about how we handle the outcomes of disinformation, on the assumption that it might happen. That is one idea.

On the other hand, on the duties to protect within Government, for example, we are not always very good at gradations of harm. When I started in the civil service at the end of the last century there was still this approach that any leak of any data was potentially quite serious. These days, there is far too much information to take that approach—things are going to leak all the time. We need to focus on an understanding of harm caused and the duty to protect the most sensitive information.

Q Thank you for your time, Professor. We talked with a previous panel of witnesses about the so-called Confucius institutes, and there was discussion of the fact that the British state may be inadvertently employing agents of foreign powers. Given your work in academia, what are your views on those institutes? Do you think the Bill should seek to restrict or criminalise them?

Professor Ciaran Martin:

It is for your detailed scrutiny to work out whether you think that activity that is clearly on behalf of a hostile state is adequately deterrable and punishable by this Bill. It is quite clear, from both my previous job and discussions and concerns in academia, that it is a target sector—of course it is—for hostile foreign powers, particularly China.

I have to say that even before I went to work for a university I thought it was a very, very hard thing to leave to universities to police. I am not a legal expert, so I do not know how this is going to work on the ground, but the question is: does this Bill provide a sufficient legislative framework to deter some of the actions? There is plenty in the Bill that says that damaging foreign intelligence activity in this country is unlawful, and that would obviously include the academic sector. Whether that sufficiently captures activity is an interesting question.

I think it does help, but it is probably quite tricky to specify, if you like, academic institutions as distinct from general malevolent activity in whatever the sector may be. It is a question worth asking, though, because the sector that I work in now is clearly of significant interest to hostile intelligence services in all sorts of different ways, including in respect of people and individual areas of research. That is one of the key threats that legislation like this is designed to counter.

Q Given your role in academia now, do you think the sector would welcome the Bill providing more clarity on the legal position?

Professor Ciaran Martin:

I do not mean to be flippant, but obviously there could be as many different opinions as there are academics. I think that Government providing clear frameworks, laws and guidance to universities without infringing on academic freedom is where I would want to be. I do not think that it is fair to rely on universities to police this activity. It is extremely difficult in open and collaborative research environments like universities to be able to identify what is malevolent activity. If they do, it is extremely difficult to know where to go, what the relevant laws are, and so forth. The combination of a clear legal framework and clear guidance to universities is something that I personally would welcome. I imagine quite a few people, particularly in sensitive areas like technological research, would absolutely welcome that.

Q You said earlier, looking at the increasing concerns about China and cyber-espionage, that the Bill will be useful against the threat from China, but do you think that the Bill will make the UK safer from the cyber-espionage threat from China, or will we require enhanced offensive capabilities?

Professor Ciaran Martin:

They are not mutually exclusive. The thing about offensive capabilities is that they are sometimes seen as almost symmetrical—cyber is a sort of enclosed boxing ring, where you have offence versus defence—but offensive cyber can be used for anything. Our own British Government’s one declared offensive cyber-operation was against so-called Islamic State, not against the cyber-capabilities of another state.

I need to be reasonably careful about what I say here, but if you think that the US’s offensive cyber-capabilities are largely in the Cyber Command and the UK’s in the National Cyber Force, the GCHQ-MI6-Ministry of Defence partnership, one would expect the operational security of those capabilities to be pretty good and therefore make quite hard targets for other actors. Similarly, some of China and Russia’s offensive cyber-capabilities against us will have quite good operational security, which will make them hard targets. We cannot rely on offensive cyber-capabilities to stop other people, particularly at the top end of the spectrum, at the elite nation-state level.

There is no magic panacea in the Bill, because no magic panacea is available. Even in the areas we were talking about, such as completely remote activity, one of the things that we saw anecdotally—there is some emerging research to support this—was that when the US in particular had a legal framework, where it can prosecute and indict people in absentia, in China and to some extent Iran, that did have some impact for some time. It did not solve everything, but it did affect the behaviour of some actors—they could not travel to the west, most practically, because they were under indictment by the US and therefore all the US’s allies. It meant that the associates of these people, because digital infrastructure is global, could get arrested.

Some people working with Russian groups have been arrested in eastern European countries with which we can co-operate in law enforcement terms. Strengthening that sort of legal framework gives you something. It is probably more incremental than transformative, but it is still something.

Q Professor Martin, one of the core aims of this legislation is to bring our counter-espionage capability up to date with the modern world. You spoke a little earlier about data theft in the context of the US Government and police. Will you briefly say something about how technology has changed states’ espionage capabilities and how we need to respond?

Professor Ciaran Martin:

Why is so-called data sovereignty such an issue? There are all sorts of reasons in economics, but one of them is that the location of the storage of data is really important. Data centres are massive strategic assets and a vulnerability for any sort of country, and you can see that combined effort. Why did we have such a big debate about the role of Chinese technology in UK infrastructure? It is because of the potential—never mind 5G and so on, but rather in things like smart cities—for data to be siphoned off covertly and so forth. It is possible.

There are stats to show, if you had compromised the International Atomic Energy Agency in Vienna and you went in there, how much you could photocopy versus how much you could steal electronically. There is now the possibility and, in some cases, the practice of comprehensive strategic compromise of huge, important datasets and sensitive strategic knowledge across all sorts of sectors by a combination of mostly digital but sometimes human-enhanced means. Until now, as you say, Mr Hinds, we have not really had a legislative framework for it. This Bill does provide a no doubt improvable such foundation.

That brings us to the end of this section of questions. On behalf of the Committee, I thank our witness, Professor Ciaran Martin. Thank you very much.