(2 years, 4 months ago)
Public Bill CommitteesQ
Professor Ciaran Martin: I do not mean to be flippant, but obviously there could be as many different opinions as there are academics. I think that Government providing clear frameworks, laws and guidance to universities without infringing on academic freedom is where I would want to be. I do not think that it is fair to rely on universities to police this activity. It is extremely difficult in open and collaborative research environments like universities to be able to identify what is malevolent activity. If they do, it is extremely difficult to know where to go, what the relevant laws are, and so forth. The combination of a clear legal framework and clear guidance to universities is something that I personally would welcome. I imagine quite a few people, particularly in sensitive areas like technological research, would absolutely welcome that.
Q
Professor Ciaran Martin: They are not mutually exclusive. The thing about offensive capabilities is that they are sometimes seen as almost symmetrical—cyber is a sort of enclosed boxing ring, where you have offence versus defence—but offensive cyber can be used for anything. Our own British Government’s one declared offensive cyber-operation was against so-called Islamic State, not against the cyber-capabilities of another state.
I need to be reasonably careful about what I say here, but if you think that the US’s offensive cyber-capabilities are largely in the Cyber Command and the UK’s in the National Cyber Force, the GCHQ-MI6-Ministry of Defence partnership, one would expect that the operational security of those capabilities to be pretty good and therefore make quite hard targets for other actors. Similarly, some of China and Russia’s offensive cyber-capabilities against us will have quite good operational security, which will make them hard targets. We cannot rely on offensive cyber-capabilities to stop other people, particularly at the top end of the spectrum, at the elite nation- state level.
There is no magic panacea in the Bill, because no magic panacea is available. Even in the areas we were talking about, such as completely remote activity, one of the things that we saw anecdotally—there is some emerging research to support this—was that when the US in particular had a legal framework, where it can prosecute and indict people in absentia, in China and to some extent Iran, that did have some impact for some time. It did not solve everything, but it did affect the behaviour of some actors—they could not travel to the west, most practically, because they were under indictment by the US and therefore all the US’s allies. It meant that the associates of these people, because digital infrastructure is global, could get arrested.
Some people working with Russian groups have been arrested in eastern European countries with which we can co-operate in law enforcement terms. Strengthening that sort of legal framework gives you something. It is probably more incremental than transformative, but it is still something.
(2 years, 4 months ago)
Public Bill CommitteesQ
Paddy McGuinness: I would expect it to be a dynamic process. I think you will be looking at further legislation; let us hope you have a long life as an MP, but in your time as an MP I would expect you to have to look at this again.
To Sir David’s point, I do not think we should delay for a moment fixing the things that the Bill fixes because of the fact that technologies develop dynamically. There is a lag. I can remember—I think I was actually working at GCHQ at the time—us thinking about what was happening with Facebook as it emerged as a widely used platform. Here we are with the Online Safety Bill, about 13 years later. There is a natural and quite proper lag between rapid technology innovation and slow and considered regulation and legislation, and we are going to have to live with that. I think this is good. It provides a basis, and I think the extraterritoriality is particularly important, as is the way in which sabotage is broadly defined to allow you to deal with the kind of range of things that I have been talking about, given that the opponent will move through those spaces.
Q
Paddy McGuinness: I think it does a very significant thing in the way in which it criminalises specifically the trade secrets aspect, which covers a very broad range. Again, we may have to return to this. This kind of legislation and the type of work that Sir Alex and his successors in MI5, MI6 and GCHQ are doing has Darwinian effect, so I have no doubt that as companies have got better at certain kinds of protection advised by the interaction with the CPNI and the National Cyber Security Centre, so the opponents have got better at it. And we will have to go on doing it.
It does not feel as though we have quite the same volume of opencast mining of our intellectual property and economic value that we had, as was described previously by General Keith Alexander, the head of the National Security Agency in the US. He described the enormous volume—trillions of value—taken out of our economies. There still is a very high level, though, so there is more work to do on this, and it is a significant challenge to the corporate sector to do the right thing in this space, because of the difficulty that it represents. The Bill provides a really solid basis for that discussion, because of the criminalisation of the trades secrets aspect.