(2 years, 3 months ago)
Public Bill CommitteesI beg to move,
That the Order of the Committee of 7 July 2022 be varied by the omission from paragraph 1(e) of the words “and 2.00pm”.
May I put on the record my great sense of regret and disappointment that the Committee is not progressing today? There is a great deal of support for the Bill, because we all recognise that our security services need the new measures to keep our country safe. At every opportunity, we the Opposition have sought to be constructive and to undertake our due diligence in providing the level of scrutiny that should come with the powers in a Bill such as this.
We have sought to work with the Government, but it is disappointing that we will now have a fourth person acting as Minister in a Bill Committee on the matter of national security. We very much look forward to meeting again on Thursday so that we have the appropriate opportunity to scrutinise and debate every last bit of the Bill and the new clauses, ensuring that the security services have what they need from us. Despite a real sense of disappointment, we look forward to ensuring that we meet again on Thursday to progress without any delay.
(2 years, 5 months ago)
Public Bill CommitteesQ
Jonathan Hall: First, it is being able to go to the room where it happens—the meetings where these decisions are taken. When I review TPIMs, I have a completely free hand. I am able to interrogate officials and able to see whatever I want. That is really important. I am not just looking at judgments in courts, or just reading documents; I am actually there able to interrogate, test and challenge. That is what I do. Also, I think it is important that Parliament and the public have a sense of what is going on. Regrettably, because legal aid has not been made available in all cases for TPIMs, there are now fewer court cases, so general information about how this important but serious power is being exercised is relatively cut off. The independent reviewer can provide a lot of transparency about how it is operating.
Q
Jonathan Hall: It has been tentatively mentioned. Obviously, because the legislation has not been passed, I have not been formally asked whether I would do it, but it has been tentatively asked. My answer is that I think it actually is quite a good fit for the reviewer’s job, and I think it probably is right that the person who does the independent review of terrorism legislation should also do the state threats legislation. The reason is that this new legislation is really modelled on terrorism legislation. In crude terms, the concept of the foreign power condition sits in place of the purposes or acts of terrorism, and then there is the same framework in terms of very strong arrest power, detention up to 14 days, strong powers of cordons and search and investigations, and, of course, the PIMs. There are so many learning points between the two regimes that it does make sense.
Q
Sir Alex Younger: Yes.
Q
Sir Alex Younger: First of all, I think it is a good idea, fundamentally, to require people to say if they are acting on behalf of a foreign power. I am supportive of that because I know how difficult it makes it for people intent on conducting operations against us to operate, and makes it much easier to prove. I am therefore instinctively supportive of that, and of a register, and I think that we should get on with that. I have talked to the Government about that; they are understandably cautious, given all the unintended consequences attached to it, and the fact that our adversaries use those techniques in a way that lacks good faith and is malicious. However, fundamentally, I am supportive of it.
I have to be honest; I am more ambivalent about the idea of distinguishing between nations. My view of legislation generally, but particularly when it comes to technology, is that it is a mistake to write things to the current circumstances. It is much better to write things to the principles that you are seeking to employ. I am not a lawyer or a member of the Government, but my recommendation would be that we go for a principles-based approach in so far as we can.
Q
Professor Sir David Omand: Probably not, but on the other hand you have to balance that against the risk that legislation would inadvertently catch, for example, academic activity in think-tanks. Alex Younger has referred to transparency and covertness. Where a foreign power is taking covert acts and dirty tricks in order to access our institutions, think-tanks and universities, that would be criminalised by the Bill.
Where a member of the embassy of any foreign state represented here attends, quite openly, think-tank meetings and so on—everybody knows who they are and they know they are on the guest list—that does not pose a direct harm. It would be a mistake to start to try to confuse those categories too much. However, what it comes down to is that this is a probabilistic business; this is doing things that increase the chances that we all protect the citizens and the interests of the state. This Bill alone is not going to prevent states from attempting harm against us, and it probably will not catch all those harms either, but it is a good start.
Q
Professor Sir David Omand: Well, there is a lot in the Bill. The move away from having to identify states as enemies, for example. States have interests of their own and they will promote those interests. If they are doing so openly through diplomatic and academic means, that is one thing, but if they are doing it, as some are, covertly, then although you might not categorise them as enemies, they are none the less conducting themselves in a way that causes harm. That is one of the examples where I think the Bill takes a more up-to-date view. It is not just nations with which we are at war or potentially could be at war.
(2 years, 5 months ago)
Public Bill CommitteesQ
Sam Armstrong: This Bill will do an awful lot to deal with it. There are some offences in the Bill that are drawn extremely broadly and will allow the security services to take a knife to whichever problems they would like.
The Bill does not do certain things that other countries have done. For example, Australia introduced the Foreign Relations Act, which allowed the central Government to terminate relationships that public authorities had entered into with foreign states where they were undermining Australia’s foreign policy position. That is a power that I know Australian officials have been keen to encourage the British Government to replicate.
In terms of assisting foreign intelligence services, which I think is by far and away the most broadly applicable offence in the Bill, and the trade secrets offence, there are broad powers there and the Government deserve commendation for bringing those powers before Parliament, although not before time. The security services have been keenly pushing for them and they will appreciate them in doing their work.
Q
Carl Miller: That is a great question. We can start by cleaning up the grubby world of spam. Often, when talking about online influence operations and disinformation, we descend into this kind of rarefied world of grand geopolitics, but it has as much to do with a very wide array of services and companies. If anyone googles “buy retweets now”, you will be able to see what I am talking about.
There are a tonne of companies that operate in plain sight, selling social media manipulation as “social media services”. You can buy fake followers; you can buy fake engagement. I looked it up on the way here; as of about 10 minutes ago, there was a company selling positive comments in Ukrainian on Instagram—mostly, they claim, by users from Ukraine—for $78 per 1,000. That is on the light net; we are not even talking about the services that are cryptographically secured or anonymised.
There is an array of these kinds of operations. An almost shadowy grey-area marketplace has emerged, which radically lowers the barriers to entry into doing those kinds of activities. That has always been there, but the consensus has emerged among researchers like me that, over the last year or two, the actual number, sophistication and variety of those services has increased quite dramatically. To be honest, if we were to really try to genuinely start increasing the cost and penalties for the actors that do that kind of thing, we would have to target that entire industry as participants in it.
Lastly, in pulling apart some of the operations regarding Ukraine, our hunch is that state-backed activities have likely made use of those exact same services. We will see states maybe rolling out capability outside of state, setting up as private companies, and selling those capabilities back into state.
Q
Louise Edwards: There is a key principle here, which is that you could hope there is a link between increasing the penalty that can be imposed for an offence and therefore disincentivising or deterring people from committing that offence. That seems like an in-principle link that you would want to see made. That is what perhaps the Bill is aimed at creating.
The measures in the Bill—the offences relevant to elections that are in it—are offences that the police will have to investigate and that will then go through the courts for prosecutions, so really key to making the provisions work effectively is to ensure that the police have the capability and capacity to take them forward, investigating them and passing them on to prosecutors when appropriate.
Q
Louise Edwards: Do you mean a potential problem in the sense of a foreign state interference issue?
Q
Professor Ciaran Martin: One sees only the tip of the iceberg when there are major breaches. I will use a well-known example from the United States—a close ally that is perhaps easier to talk about because it does not involve disclosing sensitive things about the UK.
The hybrid operation against the United States in 2015, which the US Government at the time acknowledged formally was undertaken by the People’s Republic of China, involved the extraction of more than 20 million security clearance records from the United States Office of Personnel Management—effectively the civil service department of the US Federal Government. It was the security clearance application forms of everyone who had applied for security clearance from the US Federal Government in the first 14 years of the century. As a dataset, it is incredibly rich. For example, if you are part of a commercial data breach, it is likely to be just your name and email address—possibly a password, although perhaps not even that, and possibly the last four digits of a credit card. If you go through a Government security clearance process, it is everything.
Think of the current politics of the US and China, and think about the established fact that the Chinese Government have this dataset of US Government personnel, with lots of information about them. You can see the strategic impact that that can have. To the best of my knowledge, based on public scholarship and disclosures relating to that incident, it was a largely remote operation, but it did include some activity on the ground. You can see how the sort of legislation we are talking about here might be useful in at least deterring or being able to deal with that.
Q
Professor Ciaran Martin: I would say this, wouldn’t I, but there has been a reasonably decent trajectory of controlling it.
There is a challenge for defenders. If you are attacking—if you are Russia and you have a programme of destabilisation of the UK through these sorts of means—it is all the same programme to you. But if you are defending against it, the defence of the networks of a privately owned critical infrastructure company, such as the energy grid, is one problem, and the protection of sensitive Government networks—diplomatic cables and intelligence services—requires you to do something slightly different.
Disinformation is a different problem again, because historically under our laws, quite rightly, it has not been an offence to make up a lie and put it on the internet. That is different from a cyber-attack. Putting it under a single organisation is really quite hard.
Things were starting to get better around the time of the end of my Government service in 2020, although there is probably some way to go, on the synthesis of operational cohesion—the sharing of information—across these different parts. It is better than it is in quite a lot of other countries—it is less siloed—but I am sure, Ms Lynch, that there is plenty more that could be done to improve it.
Q
Professor Penney Lewis: I am afraid that I will be less happy about that question. The Law Commission was asked to look at the Official Secrets Act. The project’s terms of reference focused on official Government data, so we have not looked at those matters. There are a number of matters contained in the Bill that were well outside the scope of our project, and I am afraid that we just cannot comment on them.
Q
Dr Nicholas Hoggard: Yes, I think we are. One of our concerns about the existing offences in the 1911 Act was that the existing prohibited places—though extensive; it is an extensive and complicated piece of drafting—have a strong military focus, and they do not necessarily reflect the way that critical national infrastructure, for example, or sensitive information is held by the Government.
There are some powers for the Secretary of State that exist under the 1911 Official Secrets Act, but they are quite restricted. What is good to see about the powers under this Bill is they are quite principled powers. The basis on which the Secretary of State can define something as a protected place is much more transparent. There are just three limbs that are easy to understand. That basis for affording the Secretary of the State the power is much more useful. It is more transparent, but it also enables us to capture within the offence places where there is actually a real risk of harm arising from hostile state activity.
On that front, I would say the power is good in so much as it aligns with the spirit of our recommendation. The fact that there will be parliamentary oversight of this process is important. It was a fundamental feature of our recommendations, and the negative resolution procedure is an important part of that process. The Secretary of State’s powers are more effective than is permitted under the current law, but also there is sufficient oversight.
Q
Poppy Wood: Obviously, you have heard from much greater experts than me about hack-and-leak operations et cetera, and I refer you to their remarks about that. In terms of co-ordinated disinformation campaigns, as I said we have seen that in the US election, with really targeted approaches to particular groups that people wanted to divide. When I mentioned that the US Senate said that African-American electors were being targeted, it was clear that the Russians wanted to stir up tensions within that group and between that group and white police. They would really push Ku Klux Klan narratives, false images and all sorts to make sure that those groups were infighting. I would absolutely expect to see that here as well.
Political ads are also a really big issue. I cannot work out whether they are dealt with in the Bill, but they are certainly not dealt with in the Online Safety Bill. The Cabinet Office seems to own the political ads regime, but we are seeing shell companies buying these ads purely to stoke division and tension, and we would expect to see that again. One of the problems with not having a grip of the issue, particularly as we could go into an election period in the UK at any point, is that we need someone to comprehensively pull this all together.
The Russians and the Iranians often leave quite a lot of fingerprints on their work, sometimes intentionally. I know that Ken McCallum, who is director general of MI5, and the FBI discussed the threat from China yesterday. They did not mention disinformation, which I thought was interesting, but the Chinese have historically been much better at not leaving their fingerprints on things, so I cannot really speak to some of their activity. However, we have seen it time and time again.
It is probably best not to talk about the Brexit referendum, but we all know what happened there with the engagement from foreign actors. We should not be surprised to see disinformation. We are vulnerable in the UK because of our role in supporting Ukraine, and we have to pull it all together. If the Online Safety Bill, combined with the National Security Bill, does not do so, I do not know what will.
Q
Poppy Wood: We have to be careful not to try to define disinformation. There is some language in the Bill about misrepresentation, and the idea of intentionally misrepresenting is important. We will never get a grip on exactly what disinformation is, because it is a shapeshifter.
On the first part of your question, it is about the system of amplifying and the ease with which people with malicious intent can manipulate systems by creating fake accounts, not verifying IDs and exploiting the recommender algorithms so that they hook you with one piece of content. We see this time and time again. One piece of bad content is not the problem, but they hook you on it, which then leads you down a rabbit hole to something much darker and more radical. It does not even have to be radical; it can be the sort of stuff that we were talking about with the Scotland referendum. It can be innocuous, such as stories about what the royal family are doing. It is about sowing seeds and exploiting cognitive dissonance, which bad actors are very good at and which social media is absolutely weaponised to make the most of, because of the pace and amplification of the content.
The Online Safety Bill goes part of the way there; it is imperfect, partly because it is so hard to define disinformation. There is very little in the Online Safety Bill on disinformation. There is an advisory committee that is years down the road. It is ironic that the National Security Bill is about trying to rein in certain types of transparency. Transparency is a really big part of all this, so it is about trying to find out who is behind things and what the data patterns really look like, and building in researchers. I think that was something Ken McCallum said last year. A holistic approach is a cross-Government approach, but it also involves industry, civil society, journalists and researchers. Everyone has to focus on this. Both Bills could go further on systems and, as I say, the co-ordinated inauthentic behaviour language just is not there either.