Debates between Steve Baker and Damian Hinds during the 2019 Parliament

Mon 6th Jun 2022
National Security Bill
Commons Chamber

2nd reading

Damian Hinds

Prosecuting authorities have to make judgments. The Bill is specifically about national security, but within that it is about countering state threats. It gives us a whole new set of tools and weapons to add to our arsenal, and, notwithstanding the right hon. Gentleman’s body language, I think that that is much to be welcomed.

My hon. Friend the Member for Wycombe (Mr Baker) asked a specific question about police stations. Because of the new arrest power in the Bill that can last up to 14 days, the Secretary of State may be required to designate specialist sites to meet the operational need, but I want to reassure my hon. Friend that this has nothing to do with extraordinary rendition. The provision mirrors those in the Police and Criminal Evidence Act 1984 and the Terrorism Acts to ensure that appropriate facilities are available. However, it is not possible to designate such a place outside the United Kingdom. The Government are clear about the fact that torture, mistreatment and arbitrary detention are contrary to human rights law.

Mr Steve Baker

Will my right hon. Friend give way? I did ask another question on this point.

Damian Hinds

I have not finished my speech, but go on.

Mr Baker

I am grateful to my right hon. Friend. The other question was, where are these sites, and why are they necessary? What is the standard of the places in which people are being detained? I could name some forts and other secure places owned by the Army. Is that what we are talking about, and if so, why?

Damian Hinds

I do not think that this is an appropriate forum in which to discuss the detail of such measures, but I hope I can reassure my hon. Friend on that particular point. As I have said, this is to allow for cases in which such capacity is required owing to operational need, and it cannot be outside the United Kingdom.

A number of Members on both sides of the House have referred to the so-called STPIMs. These are a tool of last resort to prevent, restrict and disrupt an individual’s involvement in state threats activity. In the most serious cases, that could include restricting where an individual can reside, whom they can associate with, and where they can work and study. An STPIM will be used when intelligence exists to confirm that highly damaging threat activity is planned or being undertaken but prosecution is not realistic. As my hon. Friend said, with such measures it is extremely important to have the appropriate safeguards.

I want to reassure the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) that STPIMs will not be imposed through ministerial decision making alone. There will be a process through the courts. A decision by the Secretary of State to impose an STPIM, once they are satisfied that the five conditions set out have been met, will be referred to a judge, and the court’s permission will be sought before an order can be made. The court is specifically tasked with checking that the ministerial decision is not flawed.

My right hon. and learned Friend the Member for Kenilworth and Southam (Sir Jeremy Wright) and others spoke about civil legal aid for terrorists. Through the Bill, we will take action to restrict access to civil legal aid in England and Wales for individuals convicted of terrorism or terrorism-connected offences since 2001. However, I can assure my right hon. and learned Friend, my hon. Friend the Member for Bromley and Chislehurst (Sir Robert Neill), the hon. Member for Garston and Halewood (Maria Eagle) and others who have spoken about this that the restriction of access of civil legal aid applies only to offences involving a sentence of more than two years. In any event, all individuals subject to the restriction can apply for exceptional case funding, and applications will be assessed according to the legislative framework of whether an individual’s human rights may be breached without legal aid. The type of terrorism offence that had been committed would not have bearing on the exceptional case funding decision.

I need to spend a couple of minutes going through the amendments to the Serious Crime Act 2007, an important subject that a number of colleagues have brought up, including my right hon. Friend the Member for Haltemprice and Howden (Mr Davis) and my hon. Friend the Member for Wycombe. The context, of course, is that our intelligence and security services and armed forces do and must work in close partnership with international partners to maximise UK capabilities and their ability to protect national security on our behalf. A key part of that is sharing intelligence and data to support joint objectives.

However, it is possible that such intelligence, when shared in good faith and in accordance with all domestic and international law, could still be capable of contributing, even in a very small or indirect way that was not intended at the time it was shared, to an international partner’s engaging in activity that the UK would not support. The Serious Crime Act 2007 creates an offence where an act is done that is

“capable of encouraging or assisting…an offence”.

That means that in this scenario there is a risk of individuals facing criminal liability, even when they have operated in good faith and in accordance with the guidance and proper authorisation.

Put simply, the Government believe it is not fair to expect the liability for that unforeseen eventuality to sit with an individual officer of our intelligence services or member of the armed forces who is acting with wholly legitimate intentions. Instead, the liability should sit with the UK intelligence community and the military at an institutional level, where they are subject to executive, judicial and parliamentary oversight. The amendment at clause 23 therefore removes that liability for individuals, but specifically only where the activity is necessary for the proper exercise of the functions of the security and intelligence services or the armed forces. It does not remove liability at an institutional level for any activity.

Computer Misuse Act 1990

Debate between Steve Baker and Damian Hinds
Tuesday 19th April 2022

Westminster Hall

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the official record.

The Minister for Security and Borders (Damian Hinds)

It is a pleasure to serve under your expert chairmanship, Sir Mark. I thank my hon. Friend the Member for Bridgend (Dr Wallis) for securing today’s debate and bringing this important issue to Westminster Hall. I am also grateful to all colleagues who have taken part. It strikes me that this is a good example of bringing to bear on Parliament not just opinions or political points but real depths of expertise from the outside world. I think it has been a very good debate.

I thank the SNP spokesman, the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald), and the Opposition spokesperson, the hon. Member for Halifax (Holly Lynch), for the constructive way that they engaged with the important discussion. I reassure everybody that it will feed into the review, which I will come back to later. I confirm to my hon. Friend the Member for Bridgend that I would be pleased to meet with him and a group of colleagues to discuss the issue further—I look forward to it.

As the Minister for Security and Borders, I am keenly aware of the scale of the cyber-crime threat facing our citizens and businesses. Keeping them safe is a key priority for the Government and our operational agencies and I take this opportunity to thank all those who work tirelessly to protect the public.

The threat from cyber-crime has intensified over the last couple of years. As the hon. Member for Halifax said, the pandemic meant that even more of our lives were spent online, and, inevitably, criminals have sought to exploit that shift. The statistics bear out the scale of the threat, with computer misuse now accounting for an estimated 15% of all crime. That opportunism is despicable and underlines how crucial it is that we have a robust and effective response. The Computer Misuse Act is primarily about hacking into someone else’s computer, but clearly there are more crimes that involve misusing computers for criminal means—most fraud, for example. Later today we have the Second Reading of the Online Safety Bill, which is an ambitious and forward-looking piece of legislation that will tackle online harms around fraud and fraudulent advertising.

I turn to some of the points made by the hon. Member for Strangford (Jim Shannon) about protecting individuals and small businesses. I reassure him that comprehensive advice is available from Cyber Aware. We encourage everybody to act on that, starting with three key things: protecting email security with a password made up of three random words; using two-factor authentication where that is available; and keeping operating systems up to date—often when an update comes around it is to see off some weakness that has been found.

I want to note important steps taken by industry that can make what hacking yields of less utility—things such as the banking sector’s deployment of the confirmation of payee system. We have sector charters in place with key industries, including retail banking. While Northern Ireland has a different policing arrangement, in this part of the UK we have the regional and national cyber-resilience centres, supported by policing, to help give extra support and guidance to small businesses that may have less wherewithal to invest in cyber-security expertise.

I also want to respond to my hon. Friend the Member for Barrow and Furness (Simon Fell) about skills; he is absolutely right that although the issue is about machines, it is ultimately about people. It is people who improve our defences. There are key pathways and standards in the Institute for Apprenticeships and Technical Education system, including under the cyber-security technologist umbrella and more broadly with the introduction of T-levels. Indeed, the critical T-level is digital business services, which includes a minimum of nine weeks of industry placement. I strongly encourage firms operating in the area—in cyber-security and in-house digital technology—to support that to make sure we all work together to bring on that next generation of experts who will help keep us all safer.

Mr Steve Baker

The Minister has prompted me to recommend a book called “Peopleware”. It is a classic in software engineering and is all about people and how they develop software. One of its points is the orders of magnitude difference between different categories of competence in software engineering. It raises some interesting issues that I am sure he and his officials would find helpful.

Damian Hinds

I am grateful to my hon. Friend. I shall add that to my bedtime reading list, which is not uncrowded at present. I will look forward to getting to that.

In the last year, we saw a number of high-profile ransomware attacks around the world, including attacks on local authorities and schools in the UK. The National Cyber Security Centre has reported that in just the first four months of 2021, it handled the same number of ransomware incidents as for the whole of 2020. The National Cyber Security Centre has improved our understanding of the threat and provides a unified source of advice and support to Government and business.

I am afraid that the threat posed by cyber-attacks continues to grow in scale and complexity. That is why the national cyber strategy, mentioned by a number of colleagues and published in December, sets out how the Government will invest £2.6 billion over the next three years to develop a whole-of-society approach to increasing national cyber-security and resilience, including reducing the risk and opportunity for cyber-crimes and disrupting cyber-criminals. As part of that funding, we will continue to invest in the law enforcement cyber-crime network at national, regional and local level. In the face of such a broad and complex threat picture, law enforcement agencies must have the powers they need to investigate online criminality. It is also essential that we have robust legislation in place to enable action to be taken against the perpetrators.

My hon. Friend the Member for Wycombe (Mr Baker) was right about how much has changed since 1990, and my hon. Friend the Member for Barrow and Furness pointed out that the world is more interconnected than ever. Next year, it will be even more interconnected again. All that is correct and we must make sure we are up to date and up to pace. However, as my hon. Friend the Member for Boston and Skegness (Matt Warman) pointed out, it is also the case that over the last 30 years, the Computer Misuse Act has generally proven to be a far-sighted piece of legislation for tackling unauthorised access to systems. As the threat has changed, so too has the Act, which has been updated a number of times—most recently in 2015, where the offence of unauthorised acts causing, or creating risk of, serious damage was introduced.

We are firmly and fully committed to ensuring the legislative framework that underpins our efforts to address cyber-crime remains relevant and effective. That is why last May the Home Secretary announced a review of the Computer Misuse Act. The Home Office subsequently launched a call for information, which marked the first step in that process. The purpose of the call for information was to seek views of interested stakeholders across the piece, including in industry, academia and the agencies, on the Act and the associated investigative powers available to law enforcement. The Home Office has received responses covering a range of interesting and complex issues and we are grateful to those who have sent in their views. We are considering the feedback submitted and continue to engage with partners to determine whether changes are needed. We will provide an update on the initial findings of the review shortly.

I want to touch on a couple of key points directly relating to the Act that will influence the approach we take on defences. First, the Act is based on the principle that the owner of the computer and computer data has the right to say who can access it. I want to stress that point, which was made repeatedly during the development of the Act. Authorisation to access a system is the prerogative of the owner. It is that person who is responsible for the operation of the system and bears the cost of securing it.

Equally, the Government are rightly seeking to ensure that system owners take more responsibility for the security of their systems and the content held on them. Therefore it is right that the system owner has the protection of the law from those who obtain or attempt to obtain unauthorised access to computers and their data. We encourage firms to agree to having their systems tested for vulnerabilities by third parties but the fundamental point is that it is the choice of the legal property owner to determine that.

Secondly, we need to ensure that the Act continues to criminalise those who take unauthorised action against computer systems and provides the legal basis for relevant legal authorities to act.

In launching the review, we have been clear that we are open to changes to the Act that enhance our approach to that threat. However, I must also emphasise that any such changes should be well-considered and well-evidenced. We must guard against taking any action that would undermine the ability of law enforcement agencies and prosecutors to investigate criminals and prosecute them.

I have heard the views of Members on defences. My hon. Friend the Member for Boston and Skegness identified the nuance very well, as my hon. Friend the Member for Wycombe did the nuance of the registration of industry professionals. We are still considering the question of defences, but I am sure that Members would agree with me that we cannot put in place measures that would act as a mechanism for criminals and state actors to hide behind. That is why we need to tread cautiously. An ill-conceived defence could leave prosecutors with the burden of trying to prove a negative, for example, in needing to prove that cyber-attacker X was not, in fact, intending to protect a computer system when they attempted to access it without permission.

It is also worth pointing out that there are already defences in the Act that apply to cyber-security activity. If a person has the authorisation of the system owner to access the system, no offence is committed. In addition, any decision on prosecution is a matter for independent law enforcement and prosecuting agencies who take into account all relevant facts of the case. We must also ensure that any changes to the Act do not permit or encourage retaliatory cyber-activity, sometimes known as “hack back”. There is a danger that such a defence could embolden so-called hacktivists, or commercial entities who wish to offer such services, if they believe their actions could be protected under the law. The UK does not condone unlawful cyber-attacks of any kind.

Some responses to the call for information set out proposals for a review of sentences, and we have also had suggestions for new powers for law enforcement agencies to take action against criminals online. We are considering them as part of the review, including whether sentencing guidelines are needed to ensure that the harms caused by those committing Computer Misuse Act offences are appropriately considered during sentencing.

The hon. Member for Halifax asked a direct question and yes, state threats in this area are absolutely a prevalent and growing issue. I know she would not expect me to give a commentary on a specific security matter, but I want to reassure her and the House that the Government take extremely seriously the question about state capability in this area.

There is absolutely no doubt that the UK needs a Computer Misuse Act that is fit for purpose and can rise to the challenges of the present day. As colleagues know, the Home Office is engaged in a review that is charged specifically with ensuring exactly that.

The context of the war in Ukraine makes that work more important than ever, as the shadow Minister said quite rightly. I am acutely conscious of that, but we cannot rush this. That would only serve to help our adversaries. We are, therefore, approaching the exercise with the careful consideration that the public would expect and which these sometimes complex issues demand. Through the review, and as part of business as usual, we are listening attentively to law enforcement agencies and National Cyber Security Centre experts on what is most likely to enhance our national cybersecurity. Of course, we are also studying the approaches of other countries.

I thank my hon. Friend the Member for Bridgend for securing the debate, which has been interesting and insightful. I am grateful to have had the opportunity to outline our activity in the space and, as I said at the start of my remarks, I look forward to meeting my hon. Friend and colleagues to discuss it further.