National Security Bill (Second sitting) Debate
Full Debate: Read Full DebateDepartment: Home Office
Scott Mann
Main Page: Scott Mann (Conservative - North Cornwall)Department Debates - View all Scott Mann's debates with the Home Office
National Security Bill (Second sitting)
Scott Mann ExcerptsThursday 7th July 2022
(1 year, 9 months ago)
Public Bill CommitteesRead Full debate National Security Act 2023 View all National Security Act 2023 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 7 July 2022 - (7 Jul 2022)
Scott Mann (North Cornwall) (Con)
Q
Sam Armstrong: My fundamental answer is yes. There are a number of good powers in the Bill. It does not address every issue that some of our allies have wrestled with, but in so far as there are powers in it, all of them are in my view good and helpful powers, which will greatly aid the security services in their important work keeping us all safe.
Carl Miller: I will restrict myself from any broad observations and will keep to the one area that I actually know something about, which is to do with information warfare and influence operations, especially over the internet and social media, and how that might impact things. In so far as that is the case—I am sure we will dig into this more in a second—I do not see the Bill as doing any harm. In fact, strangely, as a centre-left think-tank, we have long been calling for more direct state activity in this area. We have deferred far too much and far too often to the tech giants to try to sort these kinds of problems out for us. My fear, though, is about how the Bill will be enforced and deployed. I do not think that in and of itself, as it stands, it alone will be enough to secure—digitally secure—elections and quite a lot of other important moments, themes and aspects of life against the kinds of online influence that we have seen.
Scott Mann
Q
Carl Miller: If there is one thing to take away from any of my evidence it is probably this: we have completely misconceived—the Bill slightly, but generally in Government at the moment—the problem as one of disinformation. The problem is not overwhelmingly or primarily one of disinformation. When we pull apart these campaigns, ones that we know or highly suspect of being in one way or another sponsored or driven by, or of having interacted with, a foreign, usually autocratic state, we notice that disinformation is only one of a whole array of different methods that can be used to influence people. You can paint an extremely distorted picture of the world simply by amplifying some truths over others.
If we look at what is happening in Ukraine at the moment, it is as much about “Putin riding bear” memes as it is about explicit disinformation. Much of this interacts at the level of identity, belonging, kinship, friendship, reasons for getting up in the morning and the problems that people see in the world—hugely subtle. Even at the level of lying, it is less to do with the overt falsehood circulating on the internet and much more to do with the harnessing of false identities and false reasons for being involved in debates. I tend to view this as the emergence of a kind of shadowy tradecraft. It is one that can wrap together, yes, some disinformation, but also some black-hat search engine manipulation, the harnessing of outrage, things to do with identity, as I have been saying, and humour and comedy—all that is influential in different ways.
The way we often set up this problem is through a hyper-rationalist idea that there is this thing called disinformation that propagates online, people lacking digital literacy believe it, and that influences their behaviour and attitudes. I will shut up in a second. I rarely interview people, but I have interviewed some of the perpetrators that actually do these operations and they tell me one thing, time and time again. They say, “Carl, we don’t lie about the world to get people to change their minds. We tell people things they already think are true about the world and then guide that in a particular direction.”
The current influence operation in Ukraine is a brilliant example of that. What we are seeing is Russia or pro-invasion-linked influence operations targeting the global south, trying to portray the invasion as essentially being an anti-colonial gesture and tapping into deep-seated anti-western and anti-colonial attitudes within the audiences they are addressing.
Scott Mann
Q
Sam Armstrong: Yes. In a sense, the threat is changing less so than our recognition of the change. Increasingly, we are waking up to the threat of the more all-encompassing nature of interference launched or directed by branches of the Chinese Communist party. Unlike traditional Russian or Soviet Union espionage, this is not 100 or 200 individuals in the UK at any time running a network of agents in a very organised way. This is something more full-throated and all-encompassing—they call it the united front—in which people who would not ordinarily be, or who would not see themselves as being, operatives of a foreign intelligence state are being brought into it or are acting in it.
In addition, the nature of the way that we have woken up to this threat means that there are individuals acting on behalf of the Chinese state quite explicitly and openly who are also employed concurrently, and declaredly so, by public authorities in the United Kingdom, most particularly at British universities, where we have Confucius centres. That is one well known example. They are a branch of the Chinese state and they often take money directly from the Chinese state for their operations. People are double-hatting in roles in the academy there and in the university. That means there is the bizarre case of the British Government—not the British Government as in Her Majesty’s Government, but public authorities at their largest—employing Chinese spies. The British state is certainly knowingly employing agents of the Chinese state.
Scott Mann
Q
Sam Armstrong: This Bill will do an awful lot to deal with it. There are some offences in the Bill that are drawn extremely broadly and will allow the security services to take a knife to whichever problems they would like.
The Bill does not do certain things that other countries have done. For example, Australia introduced the Foreign Relations Act, which allowed the central Government to terminate relationships that public authorities had entered into with foreign states where they were undermining Australia’s foreign policy position. That is a power that I know Australian officials have been keen to encourage the British Government to replicate.
In terms of assisting foreign intelligence services, which I think is by far and away the most broadly applicable offence in the Bill, and the trade secrets offence, there are broad powers there and the Government deserve commendation for bringing those powers before Parliament, although not before time. The security services have been keenly pushing for them and they will appreciate them in doing their work.
Holly Lynch (Halifax) (Lab)
Q
Carl Miller: That is a great question. We can start by cleaning up the grubby world of spam. Often, when talking about online influence operations and disinformation, we descend into this kind of rarefied world of grand geopolitics, but it has as much to do with a very wide array of services and companies. If anyone googles “buy retweets now”, you will be able to see what I am talking about.
There are a tonne of companies that operate in plain sight, selling social media manipulation as “social media services”. You can buy fake followers; you can buy fake engagement. I looked it up on the way here; as of about 10 minutes ago, there was a company selling positive comments in Ukrainian on Instagram—mostly, they claim, by users from Ukraine—for $78 per 1,000. That is on the light net; we are not even talking about the services that are cryptographically secured or anonymised.
There is an array of these kinds of operations. An almost shadowy grey-area marketplace has emerged, which radically lowers the barriers to entry into doing those kinds of activities. That has always been there, but the consensus has emerged among researchers like me that, over the last year or two, the actual number, sophistication and variety of those services has increased quite dramatically. To be honest, if we were to really try to genuinely start increasing the cost and penalties for the actors that do that kind of thing, we would have to target that entire industry as participants in it.
Lastly, in pulling apart some of the operations regarding Ukraine, our hunch is that state-backed activities have likely made use of those exact same services. We will see states maybe rolling out capability outside of state, setting up as private companies, and selling those capabilities back into state.
Scott Mann
Q
Louise Edwards: Of course. We are, fundamentally, an organisation that oversees the running of elections in the UK. We also have a role as the civil enforcement and regulator body for political finance in the UK. For foreign interference, that means that we are the experts on electoral law, electoral finance and the running of elections, and we offer that advice to law enforcement and indeed to the security services, on request. We are not a national security body per se. We do not have an intelligence function per se. It is really a question of working with the intelligence services or law enforcement where we can to offer them that advice.
Scott Mann
Q
Louise Edwards: As I said, we are not a national security body, so our knowledge of the threat of foreign interference in the UK is very much based on what law enforcement and the police tell us, essentially. If you think about elections in the UK, we have not been notified by the security services of any successful attempts at foreign interference in UK elections, and I think we take some confidence from that.
On the political finance side—the money that is going in and out of political parties, campaigners and others involved in our democracy—I caught the end of the previous session and there was reference to one notification from MI5 in that area. That is the only one that we are aware of. However, I would say that it is not a matter to be complacent about. There are things that could be done, particularly on the political finance side, to really modernise and improve the safeguards in the system, not just for foreign interference but for any kind of abuse or interference in the political finance regime.
Scott Mann
Q
Louise Edwards: There is a key principle here, which is that you could hope there is a link between increasing the penalty that can be imposed for an offence and therefore disincentivising or deterring people from committing that offence. That seems like an in-principle link that you would want to see made. That is what perhaps the Bill is aimed at creating.
The measures in the Bill—the offences relevant to elections that are in it—are offences that the police will have to investigate and that will then go through the courts for prosecutions, so really key to making the provisions work effectively is to ensure that the police have the capability and capacity to take them forward, investigating them and passing them on to prosecutors when appropriate.
Holly Lynch
Q
Louise Edwards: Do you mean a potential problem in the sense of a foreign state interference issue?
The Chair
We will now start our next session and hear from Professor Ciaran Martin, professor of practice in the management of public organisations at the Blavatnik School of Government at the University of Oxford. We have until 3.20 pm, so if colleagues could keep the questions succinct, I would be very grateful—then we can get in as many of you as possible. Could you introduce yourself for our records, Professor?
Professor Ciaran Martin: Thanks very much, Chair. My name is Ciaran Martin. As you say, I work at the Blavatnik School of Government at the University of Oxford. From 2014 to 2020, I served on the board of GCHQ, and I was the first chief executive of its National Cyber Security Centre.
Scott Mann
Q
Professor Ciaran Martin: Thank you for your kind words. I broadly welcome this Bill. There are a serious of fairly antiquated pieces of legislation that—sometimes at the margin, sometimes a little more profoundly—inhibit the pursuit of hostile-state threats, because they are, in effect, pre-digital legislative frameworks, very simply. With some of the language, you are replacing words like “maps” with words like “data”, or at least adding words like “data” to words like “maps”. You are dealing with things such as the flying of unmanned drones over sensitive sites. Despite my previous experience on the inside of the national security side of Government, when I read the explanatory notes, it was a bit of a double-take to be reminded that we had to explicitly criminalise assisting a foreign intelligence service in this country.
I think it is a very sensible piece of legislation, with the modernisation and some of the tidying up. From listening to your exchanges with the Electoral Commission, I think the provisions around disinformation and interference in political and democratic processes are really difficult to get right, so I welcome this sort of process. I think the intent is obviously cross-party and commands widespread support. The intent and basic provisions should be uncontentious, but I think some of the detail is going to be quite tricky.
Scott Mann
Q
Professor Ciaran Martin: When I say scale, I actually mean scale in its very precise meaning about volume. Digital espionage involves the extraction of information on a scale that was hitherto inconceivable, and that has, therefore, extended the scope of that. For example, there are specific references in the legislation to commercial and trade; we have seen that.
One of the changes that digitisation has brought, in terms of hostile foreign intelligence, is that it is possible to inflict large-scale strategic damage on the UK remotely, but it is not always done remotely. There are hybrid elements—there can be activity on the ground in the UK that assists digital espionage and digital penetration of the UK. Our existing legislative framework does not allow for that to be prosecuted. Even when it is done entirely remotely—for example, the People’s Republic of China has done some of its operations entirely remotely—we have seen from the United States that, although it is not transformative, it is a useful policy lever to have a framework of criminal law that criminalises activity even in eventualities where you will not realistically be able to apprehend a named human being.
To be a bit more succinct, the large-scale extraction of and interference with data is essentially the risk. The willingness of nation states—principally Russia and China, to a lesser extent Iran, previously but not so much recently North Korea, and a bunch of up-and-coming potentially hostile states—to do that has been a very significant feature of the national security landscape over the past decade, as the head of MI5 and so forth emphasised.
Scott Mann
Q
Professor Ciaran Martin: One sees only the tip of the iceberg when there are major breaches. I will use a well-known example from the United States—a close ally that is perhaps easier to talk about because it does not involve disclosing sensitive things about the UK.
The hybrid operation against the United States in 2015, which the US Government at the time acknowledged formally was undertaken by the People’s Republic of China, involved the extraction of more than 20 million security clearance records from the United States Office of Personnel Management—effectively the civil service department of the US Federal Government. It was the security clearance application forms of everyone who had applied for security clearance from the US Federal Government in the first 14 years of the century. As a dataset, it is incredibly rich. For example, if you are part of a commercial data breach, it is likely to be just your name and email address—possibly a password, although perhaps not even that, and possibly the last four digits of a credit card. If you go through a Government security clearance process, it is everything.
Think of the current politics of the US and China, and think about the established fact that the Chinese Government have this dataset of US Government personnel, with lots of information about them. You can see the strategic impact that that can have. To the best of my knowledge, based on public scholarship and disclosures relating to that incident, it was a largely remote operation, but it did include some activity on the ground. You can see how the sort of legislation we are talking about here might be useful in at least deterring or being able to deal with that.
Holly Lynch
Q
Professor Ciaran Martin: I would say this, wouldn’t I, but there has been a reasonably decent trajectory of controlling it.
There is a challenge for defenders. If you are attacking—if you are Russia and you have a programme of destabilisation of the UK through these sorts of means—it is all the same programme to you. But if you are defending against it, the defence of the networks of a privately owned critical infrastructure company, such as the energy grid, is one problem, and the protection of sensitive Government networks—diplomatic cables and intelligence services—requires you to do something slightly different.
Disinformation is a different problem again, because historically under our laws, quite rightly, it has not been an offence to make up a lie and put it on the internet. That is different from a cyber-attack. Putting it under a single organisation is really quite hard.
Things were starting to get better around the time of the end of my Government service in 2020, although there is probably some way to go, on the synthesis of operational cohesion—the sharing of information—across these different parts. It is better than it is in quite a lot of other countries—it is less siloed—but I am sure, Ms Lynch, that there is plenty more that could be done to improve it.
The Chair
We will now hear from Dr Nicholas Hoggard, Professor Penney Lewis and Mr Rich Owen. We have until 4 o’clock for this session. I would be very grateful if the witnesses introduced themselves for the record.
Dr Nicholas Hoggard: Hello, I am Dr Nick Hoggard. I was the lead lawyer for the Protection of Official Data project at the Law Commission, which was the project referred to us by the Cabinet Office. It informs a number of the offences in part 1 of the National Security Bill.
Professor Penney Lewis: I am Professor Penney Lewis. I am the criminal law commissioner at the Law Commission, so I led that project in its latter stages.
Rich Owen: I am Rich Owen. I am here today in my capacity as the chair of the access to justice committee for the Law Society. I am also director of a pro bono law clinic, the Swansea Law Clinic, which is part of Swansea University, and the chair of a regional advice network for Swansea, Neath and Port Talbot, which was set up by the Welsh Government.
Scott Mann
Q
Professor Penney Lewis: That is a great question. This Bill implements the first part of our report, which was concerned with the espionage offences. I think it is worth saying that we did not envisage that any one statute would implement all the recommendations that we made in that report, even were the Government minded to accept them all.
The second and third parts of the report concern unauthorised disclosure and the role of the public interest in relation to unauthorised disclosures. We understand that the Government are still considering those recommendations. But in relation to the espionage recommendations, yes, this Bill implements our recommendations. There are minor differences, which is to be expected as part of the parliamentary drafting process, but we are very pleased that the Government have accepted those recommendations.
We had several concerns about the existing offences; as the previous witness mentioned, they were not fit for the current threat. The focus, for example, on enemies was unhelpful. It did not—does not—fully reflect the nature of the threat against the UK. It also risks causing offence to states with which we are not at war. We had concerns about the territorial ambit of the offences, which are addressed by this Bill—the offences in part 1. We were also concerned that there were not sufficient culpability thresholds, such that individuals might be prosecuted for the existing offences without being sufficiently culpable. We are pleased to see that those thresholds have been raised in the offences in the Bill.
Dr Nicholas Hoggard: As a matter of generality, I think Penney has it absolutely right: the offences reflect well the recommendations that we made. As Penney said, there are some differences that will arise naturally in the course of drafting and negotiating with parliamentary counsel, but our view is that the spirit of our recommendations has very much been carried through. There is probably not much more I need to add at this point.
Scott Mann
Q
Professor Penney Lewis: I am afraid that I will be less happy about that question. The Law Commission was asked to look at the Official Secrets Act. The project’s terms of reference focused on official Government data, so we have not looked at those matters. There are a number of matters contained in the Bill that were well outside the scope of our project, and I am afraid that we just cannot comment on them.
Holly Lynch
Q
Dr Nicholas Hoggard: Yes, I think we are. One of our concerns about the existing offences in the 1911 Act was that the existing prohibited places—though extensive; it is an extensive and complicated piece of drafting—have a strong military focus, and they do not necessarily reflect the way that critical national infrastructure, for example, or sensitive information is held by the Government.
There are some powers for the Secretary of State that exist under the 1911 Official Secrets Act, but they are quite restricted. What is good to see about the powers under this Bill is they are quite principled powers. The basis on which the Secretary of State can define something as a protected place is much more transparent. There are just three limbs that are easy to understand. That basis for affording the Secretary of the State the power is much more useful. It is more transparent, but it also enables us to capture within the offence places where there is actually a real risk of harm arising from hostile state activity.
On that front, I would say the power is good in so much as it aligns with the spirit of our recommendation. The fact that there will be parliamentary oversight of this process is important. It was a fundamental feature of our recommendations, and the negative resolution procedure is an important part of that process. The Secretary of State’s powers are more effective than is permitted under the current law, but also there is sufficient oversight.
The Chair
Q
Poppy Wood: Good afternoon, everyone. My name is Poppy Wood, and I lead on UK public policy for an organisation called Reset. We are a philanthropic organisation that focuses on digital threats to democracy. We have a particular interest in disinformation. I was a civil servant about 10 years ago, and have worked in tech and, at times, in cyber-security over the past decade. I am pleased to be here today to talk about some of our work as it relates to the Bill, particularly our research on disinformation and state actors.
Scott Mann
Q
Poppy Wood: That is a good question, and one I hope is being asked every time that we are looking at new versions and new clauses of the Bill. When the consultation came out last year, those of us who had worked in state-backed disinformation for a while were delighted to see some of the questions being asked, at least in the first instance, about the role of state actors and about foreign interference.
When Ken McCallum said last year in his annual threat report that our adversaries are really good at using co-ordinated behaviour to probe UK vulnerabilities, and that we in return really need a holistic response to that—that was about a year ago—a lot of us thought, “But we’re not. It’s great that they are, but we certainly aren’t. No one is really gripping this.” That echoed language from the ISC report in 2020—the Russia report, which said that co-ordinated disinformation and state-backed interference is a really hot potato. No one wants to grip it—not GCHQ, not DCMS, not the other security services. It is too difficult, so we were really relieved to see the Bill come forward, and the consultation late last year.
We were even more relieved earlier this week to see that there will be a link between this Bill and the Online Safety Bill. I have not yet seen that amendment brought forward by the Government; I am hoping that is happening now, because we expected to see it yesterday—I hear the Government have been quite busy this week. That is really about saying that the Home Office and DCMS recognise the role of social media in pushing these co-ordinated campaigns, that electoral interference and foreign state interference is a priority, and that we are seeing platforms being weaponised in order to push the sort of disinformation you mentioned in your question.
We have seen that time and again. In the Scottish referendum in 2014, the Free Scotland 2014 campaign turned out to be backed by Russian and Iranian actors. They were massively weaponising social media by putting up inauthentic accounts and Facebook pages, with mocked-up pictures of the royal family, saying they wanted to take all the money from Scotland and buy new houses. It was complete nonsense, the aim of which was to destabilise the Union.
The Free Scotland 2014 campaign was called out by Twitter and Facebook in 2018. So four years later they said, “Hey, we’ve just found all these accounts that were trying to destabilise the Union four years ago”, and we were going, “But what did you do about that four years ago?” I think we are going to see that again in Northern Ireland, we saw it in the US elections in 2016 and 2020, when the US Senate said that Russia was targeting African- American electors as a priority, to drive division in the States, and we will see that in any election we have in the UK.
I am really pleased to see that the Government are trying to link the two Bills. I think there are three words missing from both the Bills, and they are “co-ordinated inauthentic behaviour”. This Bill and the Online Safety Bill might be getting towards those words, but one of them has to say them, because we are talking about individuals and organisations in this Bill and social media in the Online Safety Bill, but the examples I have just given are absolutely about co-ordination.
It will be hard to find one person. The extra-territoriality provisions in this Bill are good, but we should not be measuring the success of this Bill as people in prison. This is all about troll armies abroad, so the link is important, but I think it needs to go further on specifically calling out co-ordinated inauthentic behaviour in either or both of these pieces of legislation.
There are some questions about case law linked to the Online Safety Bill and the National Security Bill. In the amendments, we are expecting, hopefully today, for foreign interference to be listed as a priority harm in the Online Safety Bill. The question arises of how social media platforms, which will now effectively be given the power to police these kinds of things, will catch foreign interference when, as the Online Safety Bill says, the
“content amounts to an offence”.
How can a social media platform judge how content would amount to a criminal offence?
We need to think about some of the language around how people identify that criminal offence. I think Carnegie UK, or another group, has suggested something along the lines of illegal content meaning content that the provider has “reasonable grounds to believe” amounts to a relevant offence. I do not think that “amounts to” has the precedent, and it is going to be hard, particularly in content law, to catch that.
The other thing about the Online Safety Bill and the National Security Bill is that we may end up seeing the case law being made in the civil courts, because we will see Ofcom taking a case against a platform, that platform appealing and the case being handled in the civil court, even if it involves foreign interference and a criminal offence. That needs to be thought about. I certainly do not have a solution, but I just want to flag it as a risk of linking these two Bills but not thinking about how they are fully linked.
However, going back to my first point, we were delighted to see that the Government are taking this really seriously.
Scott Mann
Q
Poppy Wood: Obviously, you have heard from much greater experts than me about hack-and-leak operations et cetera, and I refer you to their remarks about that. In terms of co-ordinated disinformation campaigns, as I said we have seen that in the US election, with really targeted approaches to particular groups that people wanted to divide. When I mentioned that the US Senate said that African-American electors were being targeted, it was clear that the Russians wanted to stir up tensions within that group and between that group and white police. They would really push Ku Klux Klan narratives, false images and all sorts to make sure that those groups were infighting. I would absolutely expect to see that here as well.
Political ads are also a really big issue. I cannot work out whether they are dealt with in the Bill, but they are certainly not dealt with in the Online Safety Bill. The Cabinet Office seems to own the political ads regime, but we are seeing shell companies buying these ads purely to stoke division and tension, and we would expect to see that again. One of the problems with not having a grip of the issue, particularly as we could go into an election period in the UK at any point, is that we need someone to comprehensively pull this all together.
The Russians and the Iranians often leave quite a lot of fingerprints on their work, sometimes intentionally. I know that Ken McCallum, who is director general of MI5, and the FBI discussed the threat from China yesterday. They did not mention disinformation, which I thought was interesting, but the Chinese have historically been much better at not leaving their fingerprints on things, so I cannot really speak to some of their activity. However, we have seen it time and time again.
It is probably best not to talk about the Brexit referendum, but we all know what happened there with the engagement from foreign actors. We should not be surprised to see disinformation. We are vulnerable in the UK because of our role in supporting Ukraine, and we have to pull it all together. If the Online Safety Bill, combined with the National Security Bill, does not do so, I do not know what will.
Holly Lynch
Q
Poppy Wood: We have to be careful not to try to define disinformation. There is some language in the Bill about misrepresentation, and the idea of intentionally misrepresenting is important. We will never get a grip on exactly what disinformation is, because it is a shapeshifter.
On the first part of your question, it is about the system of amplifying and the ease with which people with malicious intent can manipulate systems by creating fake accounts, not verifying IDs and exploiting the recommender algorithms so that they hook you with one piece of content. We see this time and time again. One piece of bad content is not the problem, but they hook you on it, which then leads you down a rabbit hole to something much darker and more radical. It does not even have to be radical; it can be the sort of stuff that we were talking about with the Scotland referendum. It can be innocuous, such as stories about what the royal family are doing. It is about sowing seeds and exploiting cognitive dissonance, which bad actors are very good at and which social media is absolutely weaponised to make the most of, because of the pace and amplification of the content.
The Online Safety Bill goes part of the way there; it is imperfect, partly because it is so hard to define disinformation. There is very little in the Online Safety Bill on disinformation. There is an advisory committee that is years down the road. It is ironic that the National Security Bill is about trying to rein in certain types of transparency. Transparency is a really big part of all this, so it is about trying to find out who is behind things and what the data patterns really look like, and building in researchers. I think that was something Ken McCallum said last year. A holistic approach is a cross-Government approach, but it also involves industry, civil society, journalists and researchers. Everyone has to focus on this. Both Bills could go further on systems and, as I say, the co-ordinated inauthentic behaviour language just is not there either.