Debates between Scott Mann and Holly Lynch during the 2019 Parliament

Tue 6th Sep 2022
Thu 7th Jul 2022
National Security Bill (First sitting)
Public Bill Committees

Committee stage: 1st sitting & Committee stage
Thu 7th Jul 2022

National Security Bill (Ninth sitting)

Debate between Scott Mann and Holly Lynch
Scott Mann Portrait The Lord Commissioner of Her Majesty’s Treasury (Scott Mann)
- Hansard - -

I beg to move,

That the Order of the Committee of 7 July 2022 be varied by the omission from paragraph 1(e) of the words “and 2.00pm”.

Holly Lynch Portrait Holly Lynch (Halifax) (Lab)
- Hansard - - - Excerpts

May I put on the record my great sense of regret and disappointment that the Committee is not progressing today? There is a great deal of support for the Bill, because we all recognise that our security services need the new measures to keep our country safe. At every opportunity, we the Opposition have sought to be constructive and to undertake our due diligence in providing the level of scrutiny that should come with the powers in a Bill such as this.

We have sought to work with the Government, but it is disappointing that we will now have a fourth person acting as Minister in a Bill Committee on the matter of national security. We very much look forward to meeting again on Thursday so that we have the appropriate opportunity to scrutinise and debate every last bit of the Bill and the new clauses, ensuring that the security services have what they need from us. Despite a real sense of disappointment, we look forward to ensuring that we meet again on Thursday to progress without any delay.

National Security Bill (First sitting)

Debate between Scott Mann and Holly Lynch
Scott Mann Portrait Scott Mann
- Hansard - -

Q The Bill allows for oversight of STPIMs. In your view, what is the strength of the independent function of your office?

Jonathan Hall: First, it is being able to go to the room where it happens—the meetings where these decisions are taken. When I review TPIMs, I have a completely free hand. I am able to interrogate officials and able to see whatever I want. That is really important. I am not just looking at judgments in courts, or just reading documents; I am actually there able to interrogate, test and challenge. That is what I do. Also, I think it is important that Parliament and the public have a sense of what is going on. Regrettably, because legal aid has not been made available in all cases for TPIMs, there are now fewer court cases, so general information about how this important but serious power is being exercised is relatively cut off. The independent reviewer can provide a lot of transparency about how it is operating.

Holly Lynch Portrait Holly Lynch (Halifax) (Lab)
- Hansard - - - Excerpts

Q Thank you ever so much for your time this morning. May I take you to clause 49, which refers to an independent reviewer carrying out a review of part 2 of the Bill? If it is appropriate for you to say so, have you been approached by the Government to consider how appropriate it would be for your office to take on that review of part 2? What is your assessment of how appropriate that would be compared with setting up a new independent reviewer for state threats legislation?

Jonathan Hall: It has been tentatively mentioned. Obviously, because the legislation has not been passed, I have not been formally asked whether I would do it, but it has been tentatively asked. My answer is that I think it actually is quite a good fit for the reviewer’s job, and I think it probably is right that the person who does the independent review of terrorism legislation should also do the state threats legislation. The reason is that this new legislation is really modelled on terrorism legislation. In crude terms, the concept of the foreign power condition sits in place of the purposes or acts of terrorism, and then there is the same framework in terms of very strong arrest power, detention up to 14 days, strong powers of cordons and search and investigations, and, of course, the PIMs. There are so many learning points between the two regimes that it does make sense.

--- Later in debate ---
Scott Mann Portrait Scott Mann
- Hansard - -

Q Just one final question for this witness, if I may. We have just had evidence from Jonathan Hall QC, who reflected that he did not think there was an operational need for part 3 of the Bill. Do you agree that it is legitimate for the Government to disrupt terrorist financing?

Sir Alex Younger: Yes.

Holly Lynch Portrait Holly Lynch
- Hansard - - - Excerpts

Q Thank you both very much for your time. To echo the Minister’s sentiments, we are grateful for your service to the country as well. Sir Alex, the measures in the Bill, particularly in clause 3 and some of the others on assisting a foreign intelligence service, do not make any attempt to distinguish between countries that are our allies or that we have friendly relations with—you talked about the Five Eyes partners, for example—and those countries that would seek to undermine us or are hostile states. Do you think it should attempt to distinguish between the two?

Sir Alex Younger: First of all, I think it is a good idea, fundamentally, to require people to say if they are acting on behalf of a foreign power. I am supportive of that because I know how difficult it makes it for people intent on conducting operations against us to operate, and makes it much easier to prove. I am therefore instinctively supportive of that, and of a register, and I think that we should get on with that. I have talked to the Government about that; they are understandably cautious, given all the unintended consequences attached to it, and the fact that our adversaries use those techniques in a way that lacks good faith and is malicious. However, fundamentally, I am supportive of it.

I have to be honest; I am more ambivalent about the idea of distinguishing between nations. My view of legislation generally, but particularly when it comes to technology, is that it is a mistake to write things to the current circumstances. It is much better to write things to the principles that you are seeking to employ. I am not a lawyer or a member of the Government, but my recommendation would be that we go for a principles-based approach in so far as we can.

--- Later in debate ---
Holly Lynch Portrait Holly Lynch
- Hansard - - - Excerpts

Q Sir David, following up on your points about the digitisation of information, Microsoft told me that a great deal of online state activity is around theft and access to data policy development, and think-tanks increasingly becoming a focus for attempts to have a look at and steal that type of work. Are those some of the things that you are seeing in terms of hostile state activity online, and do you think that the clauses in the Bill go far enough in protecting that type of policy work and data?

Professor Sir David Omand: Probably not, but on the other hand you have to balance that against the risk that legislation would inadvertently catch, for example, academic activity in think-tanks. Alex Younger has referred to transparency and covertness. Where a foreign power is taking covert acts and dirty tricks in order to access our institutions, think-tanks and universities, that would be criminalised by the Bill.

Where a member of the embassy of any foreign state represented here attends, quite openly, think-tank meetings and so on—everybody knows who they are and they know they are on the guest list—that does not pose a direct harm. It would be a mistake to start to try to confuse those categories too much. However, what it comes down to is that this is a probabilistic business; this is doing things that increase the chances that we all protect the citizens and the interests of the state. This Bill alone is not going to prevent states from attempting harm against us, and it probably will not catch all those harms either, but it is a good start.

Scott Mann Portrait Scott Mann
- Hansard - -

Q I did not get a chance to ask you a question at the start of the session, Sir David, so I feel I am slightly obligated to ask you a question at the end. In terms of the need for reform, some of the legislation that preceded this is very old. You have mentioned some of this already, but could you expand a little on how changing the legislation will address some of the current state threats? It is worth having that on the record again.

Professor Sir David Omand: Well, there is a lot in the Bill. The move away from having to identify states as enemies, for example. States have interests of their own and they will promote those interests. If they are doing so openly through diplomatic and academic means, that is one thing, but if they are doing it, as some are, covertly, then although you might not categorise them as enemies, they are none the less conducting themselves in a way that causes harm. That is one of the examples where I think the Bill takes a more up-to-date view. It is not just nations with which we are at war or potentially could be at war.

National Security Bill (Second sitting)

Debate between Scott Mann and Holly Lynch
Scott Mann Portrait Scott Mann
- Hansard - -

Q Will this Bill allow us to deal with that?

Sam Armstrong: This Bill will do an awful lot to deal with it. There are some offences in the Bill that are drawn extremely broadly and will allow the security services to take a knife to whichever problems they would like.

The Bill does not do certain things that other countries have done. For example, Australia introduced the Foreign Relations Act, which allowed the central Government to terminate relationships that public authorities had entered into with foreign states where they were undermining Australia’s foreign policy position. That is a power that I know Australian officials have been keen to encourage the British Government to replicate.

In terms of assisting foreign intelligence services, which I think is by far and away the most broadly applicable offence in the Bill, and the trade secrets offence, there are broad powers there and the Government deserve commendation for bringing those powers before Parliament, although not before time. The security services have been keenly pushing for them and they will appreciate them in doing their work.

Holly Lynch Portrait Holly Lynch (Halifax) (Lab)
- Hansard - - - Excerpts

Q Carl Miller, you painted quite a distressing picture of the complexity and volume of the information that is being pushed online by foreign states. If it is not so much about disinformation or misinformation, but about the amplification of uncomfortable truths in a country, which then has a destabilising effect on society, how do we disrupt it?

Carl Miller: That is a great question. We can start by cleaning up the grubby world of spam. Often, when talking about online influence operations and disinformation, we descend into this kind of rarefied world of grand geopolitics, but it has as much to do with a very wide array of services and companies. If anyone googles “buy retweets now”, you will be able to see what I am talking about.

There are a tonne of companies that operate in plain sight, selling social media manipulation as “social media services”. You can buy fake followers; you can buy fake engagement. I looked it up on the way here; as of about 10 minutes ago, there was a company selling positive comments in Ukrainian on Instagram—mostly, they claim, by users from Ukraine—for $78 per 1,000. That is on the light net; we are not even talking about the services that are cryptographically secured or anonymised.

There is an array of these kinds of operations. An almost shadowy grey-area marketplace has emerged, which radically lowers the barriers to entry into doing those kinds of activities. That has always been there, but the consensus has emerged among researchers like me that, over the last year or two, the actual number, sophistication and variety of those services has increased quite dramatically. To be honest, if we were to really try to genuinely start increasing the cost and penalties for the actors that do that kind of thing, we would have to target that entire industry as participants in it.

Lastly, in pulling apart some of the operations regarding Ukraine, our hunch is that state-backed activities have likely made use of those exact same services. We will see states maybe rolling out capability outside of state, setting up as private companies, and selling those capabilities back into state.

--- Later in debate ---
Scott Mann Portrait Scott Mann
- Hansard - -

Q I have one more question, if I may. The Bill introduces a new offence of foreign interference, which will criminalise interference in the UK political process. Do you see value in increasing prosecuting options in that area?

Louise Edwards: There is a key principle here, which is that you could hope there is a link between increasing the penalty that can be imposed for an offence and therefore disincentivising or deterring people from committing that offence. That seems like an in-principle link that you would want to see made. That is what perhaps the Bill is aimed at creating.

The measures in the Bill—the offences relevant to elections that are in it—are offences that the police will have to investigate and that will then go through the courts for prosecutions, so really key to making the provisions work effectively is to ensure that the police have the capability and capacity to take them forward, investigating them and passing them on to prosecutors when appropriate.

Holly Lynch Portrait Holly Lynch
- Hansard - - - Excerpts

Q May I probe a little further to get a better understanding of the role of the commission sitting alongside enforcement agencies in this area? If you were to be made aware of a potential problem, where would the referral to you usually come from?

Louise Edwards: Do you mean a potential problem in the sense of a foreign state interference issue?

--- Later in debate ---
Scott Mann Portrait Scott Mann
- Hansard - -

Q How big is the risk to the UK of disinformation?

Professor Ciaran Martin: One sees only the tip of the iceberg when there are major breaches. I will use a well-known example from the United States—a close ally that is perhaps easier to talk about because it does not involve disclosing sensitive things about the UK.

The hybrid operation against the United States in 2015, which the US Government at the time acknowledged formally was undertaken by the People’s Republic of China, involved the extraction of more than 20 million security clearance records from the United States Office of Personnel Management—effectively the civil service department of the US Federal Government. It was the security clearance application forms of everyone who had applied for security clearance from the US Federal Government in the first 14 years of the century. As a dataset, it is incredibly rich. For example, if you are part of a commercial data breach, it is likely to be just your name and email address—possibly a password, although perhaps not even that, and possibly the last four digits of a credit card. If you go through a Government security clearance process, it is everything.

Think of the current politics of the US and China, and think about the established fact that the Chinese Government have this dataset of US Government personnel, with lots of information about them. You can see the strategic impact that that can have. To the best of my knowledge, based on public scholarship and disclosures relating to that incident, it was a largely remote operation, but it did include some activity on the ground. You can see how the sort of legislation we are talking about here might be useful in at least deterring or being able to deal with that.

Holly Lynch Portrait Holly Lynch
- Hansard - - - Excerpts

Q Further to some of the points that you were making, I think it was the Russia report that identified that, as this hybrid activity becomes an emerging threat, we could be doing more internally and in Government to streamline Departments’ responsibilities for different areas of the response to cyber—whether it is policy development or offensive or defensive cyber—alongside some of the powers here. Do you think there is more we can do internally to try to get a grip and pull all that together?

Professor Ciaran Martin: I would say this, wouldn’t I, but there has been a reasonably decent trajectory of controlling it.

There is a challenge for defenders. If you are attacking—if you are Russia and you have a programme of destabilisation of the UK through these sorts of means—it is all the same programme to you. But if you are defending against it, the defence of the networks of a privately owned critical infrastructure company, such as the energy grid, is one problem, and the protection of sensitive Government networks—diplomatic cables and intelligence services—requires you to do something slightly different.

Disinformation is a different problem again, because historically under our laws, quite rightly, it has not been an offence to make up a lie and put it on the internet. That is different from a cyber-attack. Putting it under a single organisation is really quite hard.

Things were starting to get better around the time of the end of my Government service in 2020, although there is probably some way to go, on the synthesis of operational cohesion—the sharing of information—across these different parts. It is better than it is in quite a lot of other countries—it is less siloed—but I am sure, Ms Lynch, that there is plenty more that could be done to improve it.

--- Later in debate ---
Scott Mann Portrait Scott Mann
- Hansard - -

Q One final question from me: I would welcome your reflections on some of the new powers to address some of these state threats, particularly the investigatory powers and STPIMs.

Professor Penney Lewis: I am afraid that I will be less happy about that question. The Law Commission was asked to look at the Official Secrets Act. The project’s terms of reference focused on official Government data, so we have not looked at those matters. There are a number of matters contained in the Bill that were well outside the scope of our project, and I am afraid that we just cannot comment on them.

Holly Lynch Portrait Holly Lynch
- Hansard - - - Excerpts

Q Thank you for your time today. Can I take you through some different parts of the Bill for your assessment? Perhaps Dr Nicholas Hoggard could answer, as I have had a good look through the chunky read that is the “Protection of Official Data” report and given your work on it. Clause 8 gives the Secretary of State the ability to designate somewhere as being a prohibited place to protect the safety or interests of the UK. Are you comfortable with some of the definitions and powers there?

Dr Nicholas Hoggard: Yes, I think we are. One of our concerns about the existing offences in the 1911 Act was that the existing prohibited places—though extensive; it is an extensive and complicated piece of drafting—have a strong military focus, and they do not necessarily reflect the way that critical national infrastructure, for example, or sensitive information is held by the Government.

There are some powers for the Secretary of State that exist under the 1911 Official Secrets Act, but they are quite restricted. What is good to see about the powers under this Bill is they are quite principled powers. The basis on which the Secretary of State can define something as a protected place is much more transparent. There are just three limbs that are easy to understand. That basis for affording the Secretary of the State the power is much more useful. It is more transparent, but it also enables us to capture within the offence places where there is actually a real risk of harm arising from hostile state activity.

On that front, I would say the power is good in so much as it aligns with the spirit of our recommendation. The fact that there will be parliamentary oversight of this process is important. It was a fundamental feature of our recommendations, and the negative resolution procedure is an important part of that process. The Secretary of State’s powers are more effective than is permitted under the current law, but also there is sufficient oversight.

--- Later in debate ---
Scott Mann Portrait Scott Mann
- Hansard - -

Q You mentioned some of the cyber-threats to elections. Could you expand on the kind of cyber-threats that are posed to national security in the wider sense?

Poppy Wood: Obviously, you have heard from much greater experts than me about hack-and-leak operations et cetera, and I refer you to their remarks about that. In terms of co-ordinated disinformation campaigns, as I said we have seen that in the US election, with really targeted approaches to particular groups that people wanted to divide. When I mentioned that the US Senate said that African-American electors were being targeted, it was clear that the Russians wanted to stir up tensions within that group and between that group and white police. They would really push Ku Klux Klan narratives, false images and all sorts to make sure that those groups were infighting. I would absolutely expect to see that here as well.

Political ads are also a really big issue. I cannot work out whether they are dealt with in the Bill, but they are certainly not dealt with in the Online Safety Bill. The Cabinet Office seems to own the political ads regime, but we are seeing shell companies buying these ads purely to stoke division and tension, and we would expect to see that again. One of the problems with not having a grip of the issue, particularly as we could go into an election period in the UK at any point, is that we need someone to comprehensively pull this all together.

The Russians and the Iranians often leave quite a lot of fingerprints on their work, sometimes intentionally. I know that Ken McCallum, who is director general of MI5, and the FBI discussed the threat from China yesterday. They did not mention disinformation, which I thought was interesting, but the Chinese have historically been much better at not leaving their fingerprints on things, so I cannot really speak to some of their activity. However, we have seen it time and time again.

It is probably best not to talk about the Brexit referendum, but we all know what happened there with the engagement from foreign actors. We should not be surprised to see disinformation. We are vulnerable in the UK because of our role in supporting Ukraine, and we have to pull it all together. If the Online Safety Bill, combined with the National Security Bill, does not do so, I do not know what will.

Holly Lynch Portrait Holly Lynch
- Hansard - - - Excerpts

Q We have heard in some of the previous contributions that hostile states’ use of disinformation does not always cross the thresholds that we are talking about, and that sometimes it is about the amplification of uncomfortable truths. You used the example of pitting different elements of society against each other in the US elections. To what extent do you think we need to improve some of our definitions and understanding, so that we can start looking at how we disrupt disinformation?

Poppy Wood: We have to be careful not to try to define disinformation. There is some language in the Bill about misrepresentation, and the idea of intentionally misrepresenting is important. We will never get a grip on exactly what disinformation is, because it is a shapeshifter.

On the first part of your question, it is about the system of amplifying and the ease with which people with malicious intent can manipulate systems by creating fake accounts, not verifying IDs and exploiting the recommender algorithms so that they hook you with one piece of content. We see this time and time again. One piece of bad content is not the problem, but they hook you on it, which then leads you down a rabbit hole to something much darker and more radical. It does not even have to be radical; it can be the sort of stuff that we were talking about with the Scotland referendum. It can be innocuous, such as stories about what the royal family are doing. It is about sowing seeds and exploiting cognitive dissonance, which bad actors are very good at and which social media is absolutely weaponised to make the most of, because of the pace and amplification of the content.

The Online Safety Bill goes part of the way there; it is imperfect, partly because it is so hard to define disinformation. There is very little in the Online Safety Bill on disinformation. There is an advisory committee that is years down the road. It is ironic that the National Security Bill is about trying to rein in certain types of transparency. Transparency is a really big part of all this, so it is about trying to find out who is behind things and what the data patterns really look like, and building in researchers. I think that was something Ken McCallum said last year. A holistic approach is a cross-Government approach, but it also involves industry, civil society, journalists and researchers. Everyone has to focus on this. Both Bills could go further on systems and, as I say, the co-ordinated inauthentic behaviour language just is not there either.