Security of Government Devices Debate

Department: Cabinet Office
Tuesday 21st March 2023


Lords Chamber
Lord Collins of Highbury (Lab)

I did ask someone earlier what TikTok is—I thought I was a modern person, but clearly not.

Can the Minister tell us whether this sort of interpretation is going to involve a change in the Ministerial Code? A Minister may not think sharing a draft Written Ministerial Statement on personal email qualifies either as substantive business or as a security risk, but the Home Secretary was of course temporarily forced out after sending such material to the wrong people. Oliver Dowden also talked about the granting of exemptions for operational reasons. Can the Minister provide an example of why a banned app may be deemed necessary? If she cannot today, could she write with such an example?

This debate takes place in the context of wider concerns about some forms of Chinese-made technology, including CCTV camera systems. On 2 February, my noble friend Lord Bassam of Brighton asked when the Government would commence important product security provisions under the Product Security and Telecommunications Infrastructure Act, which is intended to protect users of smart products such as CCTV doorbells. The noble Lord, Lord Parkinson of Whitley Bay, was unable to provide any date. I hope the Minister can do so today. The Government said they intended to bring the first half of that Act into force as soon as practicable, so why are we still waiting?

Lord Clement-Jones (LD)

My Lords, as a long-standing deputy chair of the all-party China group, I welcomed the proportionate approach taken in the Government’s statements in the integrated review refresh about relations with China. In the face of the current human rights position in Xinjiang and the situation in Hong Kong, however, this should not change any time soon.

On these Benches, we are in strong agreement with those who consider that the Government could and should have been a great deal more strategic about relationships with sensitive Chinese suppliers—whether internet or data based, hardware or software related—in the run-up to this Statement. This is a one-off Statement about TikTok, a social media company. It would be good to see the assessment and the evidence of potential cybersecurity issues which the Government have not yet—as far as I know—produced.

However, when it comes to makers of surveillance cameras, as the noble Lord, Lord Collins, said, the Government appear far more reluctant to act. The Surveillance Camera Commissioner, Professor Fraser Sampson, has been very clear in his warnings, in particular about Hikvision and Dahua cameras, which, as far as we know, are used extensively in Xinjiang for surveillance purposes and pose security risks here, even when live facial recognition is not enabled.

Just last week, we saw Tesco lead the way in the private sector and order the removal of these cameras from its stores. The Government have simply ceased to install them. Why are they not directing their removal, particularly in police forces? Have they mapped exactly where on the government estate and in other spaces these cameras remain?

Regarding TikTok, why act so late when the EU and US, as the noble Lord, Lord Collins, mentioned, acted earlier? Presumably they have the same security information. When did the evidence emerge that has led to this ban? Will the Government publish the review by cybersecurity experts which assesses the risks posed by these third-party apps on government devices?

As the noble Lord, Lord Collins, also mentioned, why are private devices used by government Ministers not covered? I note that Oliver Dowden repeated that position last week. After all, we know there has been extensive use of private devices by Ministers, particularly—dare I say—among former Health Ministers. What assessment of this aspect has been made? Which government departments and public bodies are actually covered? What is the process for drawing up the promised approved list of apps? What criteria will be used?

As many said in the Commons, this looks like whack-a-mole; the Statement is no substitute for a coherent cross-government strategy. Why do the Government not now move, for instance, to include the capture of biometric data in the definition of “critical national infrastructure”? Questions have been raised recently about Chinese cellular internet of things modules—CIMs—which are imbedded in many devices. What is the Government’s approach to this? Are they even aware of what CIMs are?

Finally, if the Government are concerned about information being harvested by social media and other apps, why is the Data Protection and Digital Information Bill, now before the Commons, widening the circumstances in which research data can be used for commercial purposes? Is this not a typical example of this Government’s incoherence and lack of co-ordination on issues such as this?

The Minister of State, Cabinet Office (Baroness Neville-Rolfe) (Con)

My Lords, I welcome the welcome for the Statement made by my right honourable friend the Chancellor of the Duchy of Lancaster last week. By way of background, I should explain that the Government commissioned a review by our cybersecurity experts of the risks posed by third-party applications, including TikTok. As a result, the review concluded that we needed further security measures to protect the data.

There is obviously a limit to what I can say due to the sensitive nature of the Government’s work, but we are taking what we believe is proportionate, considered action to strengthen the security of government devices, and we are doing that in two ways. First, as is already the case in many departments—and that includes my own, the Cabinet Office—all government departments will now move to a system where only the third-party mobile apps available on their devices are those which have been pre-approved for inclusion on a departmental “allow list”.

Secondly, as a precautionary measure, all government departments are now required to take action to prohibit TikTok on their devices with immediate effect. It is a prudent, proportionate step, and more broadly, we are absolutely committed to bolstering national security, of which this is an example. As I explained to the House about 10 days ago, new guidance on the use of non-corporate communications will be issued very shortly and will bear on some of the questions that have been raised.

I was asked about TikTok on Ministers’ personal devices. The Secretary of State for Energy Security and Net Zero, who has been quoted, supports our policy and has been very clear that he has never used TikTok on his government devices. On personal devices, it is more of a personal choice. As I have explained before, all Ministers are carefully trained in security when they are appointed, and they have a briefing from time to time to keep that up to date.

To answer the question about exemptions, the business justification for having TikTok on government phones is to my mind very limited, but there are a small number of cases where it is necessary. Examples would include security and law enforcement. I know that some of my colleagues who are involved in security may need to use TikTok to make observations. Marketing would be another area—I think that the Secretary of State for Energy Security and Net Zero, Grant Shapps, comes into that category. We need to have common sense and proportionality. Departments will be able to make exemptions on a case-by-case basis through a departmental approval process, but with ministerial clearance as appropriate and risk mitigation in place.

Regarding Chinese security cameras, we have acted—we have discussed this in this House many times. We are also strengthening the powers in our Procurement Bill, and suppliers will be considered for addition to the debarment list on the basis of a rigorous and fair policy. This policy is under development, so it is too early to say, but regarding the action we have taken, we are now working with departments to make sure that Hikvision cameras are phased out.

The noble Lord, Lord Clement-Jones, talked on a more strategic level about China, about which we need to be sober and realistic. Obviously, we do not dispute the importance of China, but it has become more authoritarian at home and more assertive overseas, which is of concern to the UK—our policies need to reflect that. In the integrated review refresh, which was published last week and is well worth a read—the noble Lord referenced it—the Prime Minister set out clearly the overall direction across government for a consistent, coherent and robust approach to China, rooted in the UK’s national interest and aligned with our allies. A proper, and properly resourced, approach to security is an important part of that.

I repeat that the Prime Minister set up a new department, and the Budget included a substantial pledge—£3.5 billion by 2030—to support the Government’s ambitions to make the UK a scientific and technology superpower. This is one of the Prime Minister’s five priorities. So we should take the steps we need to take for security, but we also need to be careful to encourage the positives of new technology, whether that is AI, quantum technologies or engineering biology. We seek an important balance here.