Read Bill Ministerial Extracts
National Security Bill (Second sitting) Debate
Full Debate: Read Full DebateGary Sambrook
Main Page: Gary Sambrook (Conservative - Birmingham, Northfield)Department Debates - View all Gary Sambrook's debates with the Home Office
(2 years, 4 months ago)
Public Bill CommitteesYes, carry on.
Carl Miller: Partly it is to do with changing our national knowledge of where these threats are and who is doing them, so the integration of intelligence. Then, as I said, there should be a national risk register and possibly the creation of powers for parts of the intelligence establishment to undertake direct activity against some of the technical architectures that allow this to happen.
Sorry to delve into the technicalities for a second, but for instance residential proxy IP addresses are a very important way in which this stuff happens. Residential proxy IPs are toasters and fridges and stuff. Basically, they each have an IP address and many of them are hijacked. They are the kind of things you that you use if you want to fool a social media platform into thinking that you are 10,000 people from around the planet when you are not—you are one operator sitting in a particular country. These are criminal architectures that have been amassed and rented out and sold to people, and I am sure they are rented out by some of the actors who seek to do influence operations. These are the kinds of things that we need to target. Putting pressure on that kind of asset is the kind of thing that will probably not get rid of them, but will meaningfully increase the costs of this kind of activity.
Q
Sam Armstrong: Yes, I think so. Imposing a duty on the social media companies is one of the only immediate tools and levers we can pull. I take Carl’s point; I do not think it is going to be sufficient to deal with the hordes of people overseas who are, frankly, conducting quasi-military-type activities against the UK through cyber means here, because criminal law is not the tool for that. Should they exist and are they necessary? Yes. Are they sufficient? Probably not.
Carl Miller: It is just massively insufficient. The reason why is that the platforms, however rich, clever or large they are, cannot reach beyond the platforms themselves. That is the problem. The way we have tried to respond to this problem so far is to have Facebook take down accounts, but take-down is a very weak response. That is essentially being priced in to those kinds of activities. They have developed methodologies for setting up or acquiring new accounts as they go. In principle, I am not hostile to platform regulation across a range of online threats, but for those problems where we are dealing with a set number of actors who have specific capabilities and tap into a specific and constantly evolving tradecraft, I do not think it is going to be the tool to make much difference.
Q
Carl Miller: The main thing I would say that the state can step in to help with is around attribution. That is something that we cannot do without state powers. It is something that, at the moment, only the tech giants do, and that is only linked to take-down. If we were to have any prospect of either taking direct cyber-action, or actually bringing criminal prosecution, it would be something that we need. One big thing here is around data access—I am sure you have had other panellists talk to you about that before. To foreground that, I have come here as a researcher whose job it is to do that kind of research, and one of my main things is that we know so little. We know nothing about TikTok—it makes none of its data available. Facebook makes some of its data available, and that is why we have some picture of it. Twitter makes a lot of its data available, and that is why we have a bigger picture.
TikTok is enormous, likely very influential, anecdotally there is tonnes of Ukraine-invasion activity happening on it now, and it has absolutely no application programming interface available for researchers in any way, whatsoever. By the way, there are also rumours that Facebook is withdrawing some of the data access that it currently gives researchers. I am sorry; I know this is ranging far beyond the scope of the Bill. However, to put this on your radars, I think that legislators may have to step in sooner or later to compel platforms to maintain data availability. Otherwise, even the very small window we currently get is going to continually shrink.