To ask Her Majesty’s Government what assessment they have made of the reports of spyware sold by NSO Group to Governments around the world and the uses to which such software has been put.
My Lords, the UK Government are aware of companies selling high-end, state-like cyber capabilities to Governments. We believe that the use of cyberespionage tools against civil society and political groups is unacceptable. It is essential that nation states and other cyber actors use capabilities in a way that is legal, responsible and proportionate.
My Lords, the leaked target list of 50,000 people includes UK politicians and journalists. Clearly, all our mobile devices are at risk of being hacked—a huge danger to press freedom and democracy. What is the NCSC doing to counter this, particularly since the whole Civil Service has now moved over to the iPhone? Why has the Home Office given the NSO Group a marketing platform at events such as a security and policing trade fair last year?
My Lords, Her Majesty’s Government are committed to defending the UK from online threats and boosting national resilience to cyberattacks, which the noble Lord rightly asks about. In the past five years, the national cybersecurity strategy has begun to transform the UK’s fight against cyber threats. We do not comment on individual cases or intelligence matters, as noble Lords will know, but while we cannot comment on the specifics, for operational reasons, I underline to your Lordships that we very strongly condemn the targeting of UK individuals.
My Lords, the National Action Plan for the Safety of Journalists was, coincidentally, published yesterday. It says that
“A world where journalists are silenced by either fear or censorship is a much poorer one.”
It also says that the Government are committed to keeping journalists “as safe as possible”. It has a number of initiatives, which are to be welcomed, but it is silent on the question of the NSO spyware just referred to, which clearly poses exactly these threats. What plans do the Government have to protect our journalists from such spyware in future?
My Lords, I reiterate the Government’s determination within the cyber strategy to protect all our citizens. I strongly agree with the noble Lord that freedom of the press is an integral part of the United Kingdom’s democratic processes. The Government are committed in every way to protecting the rights and values we hold dear, including the protection of journalists.
My Lords, in the wrong hands Pegasus is a weapon of war against democratic institutions. I did not believe the NSO Group when it told me that Pegasus is used exclusively on serious criminals and terrorists; now we have the proof that that was untrue. It is perfectly possible that Pegasus has already been injected into the phones of Members of this House and the other place. Can the Minister assure the House that the British Government have not deployed, and will not deploy, Pegasus or similar software except when investigating serious crime or terrorism?
My Lords, again, I cannot comment on operational specifics, but I assure the noble Lord that our intelligence agencies are governed by a robust regulatory framework to ensure that any capabilities are always used in a way that is legal, necessary and proportionate—something we ask of all nations. We do not support the commoditisation of cyber capabilities. We continue promoting, with our international partners, the need for tighter export controls to ensure their use legally and responsibly.
I am as appalled as other noble Lords by the revelation about the use of NSO spyware against over 50,000 people across the world. How long have the Government known about the use of this law enforcement-grade software by authoritarian Governments in surveillance of their opponents and journalists across the world, and what have they done about it?
My Lords, again, I cannot comment on intelligence and operational specifics. I am obviously aware of the issues raised in the reports, which in the first instance are all with the company and Israeli authorities. But we have raised our concerns several times with the Government of Israel about NSO’s operations.
My Lords, what assurance can the Minister give us that no journalist, politician or campaigner in the UK has been affected by this software? Would the Government contact anyone who was so targeted? What UK diplomatic channels are being used to ask questions of the countries identified by these leaks?
My Lords, again, I cannot comment on individuals, but I underline what I have said about this Government’s deploring of any effort to target UK individuals, the representations that we have made and the commoditisation of this kind of spyware. Unfortunately, the commercial cyber capability industry is global. We are seeking in many ways to try to secure better control and have legal, proportionate and proper use of any such devices, and better control of exports.
My Lords, I realise that the Minister is under some constraint here, so let me try to put this in a slightly more philosophical sense. Is there not a somewhat justifiable element of fearing what we wish for, not unlike in the Huawei dilemma? In other words, do we need and use this technology and what it covers, and in so doing might we be lowering our own defences to it?
My Lords, I have said something about the controls on our own intelligence framework. As the noble Lord will know, the UK’s use of any investigative powers—I am obviously going much wider than this Question—including equipment interference, is governed by the Investigatory Powers Act. That provides extensive and robust safeguards and oversight that is judicial, political and parliamentary.
My Lords, in the light of the targeting of human rights activists, journalists—including 200 reporters from 21 countries—and lawyers, will the Government consider raising the use of this Pegasus malware at the United Nations Human Rights Council, of which we are a member, and confronting authoritarian Governments with violations of the Universal Declaration of Human Rights, specifically Article 19 on the right to have unimpeded access to information and comment? Specifically, will they commit to examining the targeting of people close to Jamal Khashoggi, who was murdered in October 2018 while visiting the Saudi embassy in Istanbul, where his body was dismembered, and whose wife and the Turkish prosecutor investigating his death have been targeted by this malware?
My Lords, again, I cannot follow a specific case, but I fully endorse the sentiment of the noble Lord’s question. I repeat that we believe that the use of cyberespionage tools against civil society and political groups, including human rights activists, is unacceptable. I can assure the House that the UK continues to champion human rights, at home and abroad, and that where we have concerns on human rights issues we do not and will not shy away from raising them.
My Lords, all supplementary questions have been asked.