Lord Stirrup (CB)

- Hansard -

Copy Link

-

My Lords, let me say at the outset that I welcome the proposition that underpins the Bill—the proposition that we need to act to protect our critical national infrastructure from the possibility of malign actions by external agents operating under the cover of legitimate businesses. We live in an era when those who wish us ill will not confine themselves to traditional forms of confrontation; they will seek to exploit weaknesses in the fabric of our social and economic structure. Technological advances bring with them exciting opportunities to do new things, or to do old things in new ways, but unfortunately, they also introduce new vulnerabilities, and the more complex and interconnected society becomes, the more vulnerable it is to shocks. It is this vulnerability that we must address.

The proposed involvement of Huawei in the UK’s 5G network certainly brought the issue to the fore, and although there were some exaggerations on both sides of the argument, people were right to be worried about the involvement of a foreign Government—the claim that Huawei is a private company free from any influence of the Chinese Government is, frankly, risible—in such a crucial part of our infrastructure. So, in my view there is certainly a serious problem that needs to be addressed. The question is how well this Bill contributes to that process. It is, I think, a good starting point, but we need to take care that it does not end up being more of a hindrance than a help.

I return to my central point: those things that advance the capabilities of our society introduce new vulnerabilities. However, the reverse is also true: those things that introduce new vulnerabilities also advance the capabilities of our society. The free flow of ideas, inward investment, the introduction of new business processes; all these things contribute to the health of our economy, to the opportunities within society and, indeed, to aspects of our national security. So, in constraining a laissez-faire approach—and it does need to be constrained—we must be careful lest we do more damage than we prevent. Our constraints need to be carefully balanced and well targeted, which of course begs the question of how we decide on that balance and on the appropriate targets.

Key to that is our definition of national security and our judgment of how far it needs to be applied to business questions. In thinking about this, we should realise that in our world, there is no such thing as perfect protection. We cannot foresee, let alone protect against, all eventualities. We will make mistakes, since error is a fundamental part of the human condition, and these will undoubtedly come back to haunt us. With that in mind, we should take as our aim not the complete elimination of danger but the creation of resilience.

Resilience depends, in part, upon redundancy. In order to provide such redundancy within critical sectors of our society, we may well need to broaden, rather than narrow, the involvement of overseas companies and inward investors. We must be careful that, in seeking to exclude potentially malign actors, we do not also deter those whose involvement would actually improve our national security. Resilience also depends upon agility, the ability to react swiftly and decisively to changing circumstances, or to challenges that we did not or could not foresee. The potential danger lurking within the Bill is that it could create a rather sclerotic bureaucratic process. Taken together, the mandatory and voluntary schemes are likely to result in a flood of applications. If the mechanisms set up to implement the measures in the Bill become clogged with endless paperwork and ponderous deliberations, we risk a situation where the focus is on process rather than results. Nothing could be further removed from the kind of agile, responsive system that we need. We would not only hamper innovation and flexibility within business, we would also increase, rather than reduce, the risk of a successful attack by a potential and perceptive enemy.

For me, the Bill is not about principle but about practice. How will applications be triaged so that effort is focused on the true risks? How will judgments be reached that strike the appropriate balance? How will they be monitored in a rapidly changing world, and how will they be adapted to take account of such changes? My concern is that government departments are not traditionally good at responsiveness and agility. It seems to me that the composition of the investment security unit within the Department for Business, Energy and Industrial Strategy will be an important factor in this regard. If it operates as a fairly standard departmental committee, I fear we will not see the outcome intended in the Bill. To what extent will the new unit draw in external expertise from both the business and security sides of the equation? To what extent will it be able to maintain a long-term view of issues? Will it be able to form a cumulative picture of risk, rather than just looking at each matter on an individual basis? How will its work be audited, assessed and reported?

I support the Bill, but before it is passed into law, I believe we need some firm assurances that the mechanisms and processes set up to give it effect will be fit for purpose in this complex and dynamic world.