Thank you. My name is Ciaran Martin. I am currently a professor of practice at the Blavatnik School of Government at the University of Oxford, but until August of this year I was the founding chief executive of the National Cyber Security Centre and a member of the executive board of GCHQ, within the Government. I should also declare for these purposes, although I am not sure it is relevant, that I serve on the advisory board of a US venture capital company called Paladin.
Q Welcome, Ciaran; it is great to see you here. Thank you so much for sharing your expertise: as the founder of the National Cyber Security Centre, you have a great deal of expertise. I want to ask you to talk about a question that I have raised a number of times and that your expertise should be able to give us a real view on, which is about understanding the distinction, if there is a distinction, between national security and economic security concerns. You will be familiar with a number of cases, such as Arm and DeepMind, to name just two, that involved an economic security issue, you could argue—in terms of sovereign capability in artificial intelligence in the case of DeepMind, and of mobile silicon in the case of Arm—but that pretty swiftly turned into national security concerns. This Bill identifies a number of different sectors or areas—up to 17, I think— where a notification will be mandatory. How can we look at understanding or reflecting a distinction between evolving economic security and, ultimately, our national security?
Thank you for your comments, Ms Onwurah; it is nice to see you again. I speak as someone who thinks that the Government have broadly got this issue correct, in terms of their proposals in this Bill. That is not to underestimate the sheer complexity of dealing with the core, fundamental question that you rightly identify of balancing economic security and national security and of where one stops and the other begins. That is a very complicated and difficult thing to do. I think one starts with an attempt to define a core principle, which is essentially around the freedom to act. I think that if you look at something such as Arm—I would say this probably more in the case of Arm than DeepMind—and its potential ultimate sale to Nvidia, you see that the UK has less freedom of choice in a key strategic technology, which undermines its own ability.
I think there is an analogy with the little known but quite long-standing—for more than a century—work on sovereign cryptography. That is one of the areas that has long been covered by national sovereignty requirements. There are things in information security, as we used to call it, cyber-security, as we do call it, that have always needed to be fully sovereign, entirely British-made—they are not very many areas. The problem has been that as technology and communications have changed, it has been quite hard to keep up, and there are always pressures to expand that in a way that is economically harmful to competition and so on. So it needs a clever buyer within Government to identify what will be the strategic areas and what will not be.
In the area of sovereign cryptography, we end up trying to keep, depending on the era, around half a dozen or a dozen companies viable, because it is not a lucrative market. You can see the problem, but the key issue is whether there is enough, first, sovereign, but if not sovereign, friendly capability that allows us the freedom of choice to adopt key technologies. That means identifying the key technologies in the first place, evolving them over time and then having a very difficult to achieve but necessary intelligent function within Government that can evaluate the notifications that it gets. Of course, at the moment we do not have the power to do that, and that is what this Bill correctly seeks to remedy.
Q Thank you. I am very taken by your definition of sovereign and friendly capability. Indeed, that is exactly what we do not have in our 5G networks, hence the mess with Huawei.
Moving on slightly, a comment made numerous times on Second Reading was about the role of the intelligence services. Indeed, my right hon. Friend Mr Jones asked for more intelligence in the process. How can the Bill better ensure that the intelligence services, including the National Cyber Security Centre, have input and scrutiny and, indeed, provide their expertise as part of the process so that the appropriate decisions are taken?
I think the essential, principal requirement is not the intelligence services’ involvement—although that is important and I will come to that in a minute—but the understanding of technology and technological developments within Government. These are fundamentally economic issues as well. Apart from anything else, if you look at some of the reasons why the Bill has come about, you will see that, in strategically important technologies, the Government have invested heavily in university-sponsored research and in private sector research, only to see the fruits of that research sold off. Even if that did not impact on national security, which in most cases it does, it is not a good return for the taxpayer in terms of long-term UK involvement if the intellectual property ends up being monetised elsewhere.
I have enormous respect for Mr Jones and I think he is on to something in terms of involving the national security and intelligence services, but I do not think this should be intelligence-led. In my experience—obviously, I cannot go into detail on this particular aspect of it—secret intelligence adds relatively little to your knowledge of intent. If we take Russia and China, the two big strategic threats to the UK, Russia does not have a strategy in this space. We have to worry about Russia and cyber-security because it attacks us, but it attacks us on the internet that the west has built.
China is very different. China has a technological, strategic dominance aim, but it is not a secret. It is published and has been translated into English in the Made in China 2025 strategy, as you know. Our knowledge about the precise, intricate details of how that is implemented gains relatively little from secret intelligence.
What secret intelligence does have, particularly in GCHQ and the NCSC within it, is a knowledge of how technology works in terms of the national security threat space. I think the UK has a head start on other countries, because the National Security Council innovations of the 2010s gave the intelligence services a much bigger voice at the table, and that is reflected in the structures that we have now. The UK should be well placed to be able to listen to the intelligence services, but I would encourage—not least to make sure that in this very delicate balance of trying to show that we still have an open economy and are not shutting the doors to investment—as much transparency as possible on the decision taking. It will not always be possible because GCHQ technologists will know about things—exploitations of particular bits of technology—that they cannot reveal. They will be able to tell that to secret forums within Government for consideration—I am quite confident about that: there will be a seat at the table for them.
My recommendation would be that, as far as can safely be done, the Government should be relatively open about why they make the judgements they make about strategic areas of technology and the interventions they will make once this Bill is passed—assuming that both Houses wish to pass it.
Q Professor, that was excellent and I am very grateful for it. I will follow on from that thought and ask about the proposed powers within the regime for the Secretary of State to gather that information, which, as you quite rightly remind us, is not necessarily secret but about understanding the technology, or a particular piece of the technology, within the sector. What are your thoughts on the regime for the Secretary of State to be able to gather that information to inform a decision or to call in witnesses, so that they are able to really understand that particular issue and therefore make a decision on it?
I suppose the mantra, if I had one, would be, “Broad powers, sparingly used, with accountability mechanisms”. It is incredibly hard to be specific about this, for two reasons: one is that new areas of technology crop up, as they invariably do, and the other is that sweeping categorisations are needed on the face of legislation.
I am not a deep technical expert—although others are available from my former organisation—but if you take sweeping, umbrella titles like “quantum” or “artificial intelligence”, there are huge swathes of that where, actually, not a lot of these powers in the Bill will be used. There will be companies that will be doing very interesting things—10 interesting things—of which only one would be caught by this Bill.
If you take areas like specialist quantum computing and so forth, I think the community of interest and expertise is actually relatively small and has relatively good relations with Government—not least because, again, while it is not perfect, the whole system of research council funding and Government investment in funding technological research is pretty good, by international standards—so you end up knowing these people. One of the reasons that this sort of policy evolution came about, which has led to the publication of the Bill before you—I remember this from discussions within Government—is that people were volunteering to come to us. World-leading experts, people who had been funded by the Government—I will not go into individual cases because it is commercially sensitive and possibly security sensitive—would come to Government and say, “Look, we’ve had this inquiry from a Chinese behemoth,” or even, “We’ve had this inquiry from a US company,” and so forth: “What do you guys think about this?” and, invariably, we would have to have an informal influencing discussion.
I do not think that some of the businesses to which this will apply will be screaming that this is horrible Government regulation and intervention in areas where that should not be made. There was already a dialogue; there was just no legislative framework. Of course, that meant that companies that felt a loyalty to the UK and so forth but that also had to look after their commercial interests were sometimes in a real bind.
To try to answer your question, I think that the powers should be fairly broad. I think there should be accountability and transparency mechanisms, so that there is assurance that they are being fairly and sparingly applied.
Q This is very interesting evidence. I want to ask you a little bit more about China. As you rightly pointed out, much of this is in the public domain, and the Made in China 2025 strategy is very clear about the objective, which is to achieve global technological dominance. Given your experience at the National Cyber Security Centre, can you share with us a little bit more about how that would manifest itself in practice? What do you see as China’s next moves, in terms of rewriting the rules on technology and on creating that dominant position that you have talked about? How do you see that manifesting itself?
I think there are broadly two or three areas in which China is very interested in doing that. I can make some comments on motivations, because I think they are very important, and then I will finish with how that manifests itself in UK casework.
Clearly, China has set out a stall, which it published in Made in China 2025, in which it said it wants to be the world’s pre-eminent leader in a number of key areas of technology. It mentioned artificial intelligence and quantum, and it is throwing vast sums of state money and long-term strategies at them, unencumbered by the need to seek re-election and popular consent, so it is a very powerful movement. That is the first thing: it is trying to build up its capability.
China is also trying to change, at least for itself—we will come to that in a minute—the way the internet works. It was reported earlier this year that Huawei and other major companies in these international standards bodies are looking at something called new IP protocols, among many other things. To give you a sense of what the motivations behind that are, at the minute when traffic flows around the internet, despite some popular impressions to the contrary, it is actually pretty hard to work out what is going through it. Therefore, it is relatively difficult to censor, although China has managed it in some ways. The new IP protocol will make it much easier to work out what sort of traffic is going through and being rerouted, so it makes it much easier to control. China is trying to dominate and essentially get a lead in the strategic technology, and also to change the character and culture of the technological age from one that started off fairly anarchic to one that is much easier to control. That is what it is trying to do.
Why is China trying to do that? A lot of this is about the assertion of its own power for itself—the regime, power, Chinese nationalism and so forth. I think it does intend to extend its sphere of influence, but I have never seen that as the primary motivation. One of the interesting things, post the pushback from the Trump Administration and the US sanctions on Huawei, is the extent to which China will now accelerate its desire for self-sufficiency, and the extent to which that leads to a separate pole of technological influence that may become less interested in countries such as the UK, European Union countries and North America.
To date, how has that manifested itself in cases in the UK? Ms Onwurah has already mentioned the Huawei controversy. If you take Huawei as a company, I think it shows the different ways in which this can manifest. The Huawei 5G controversy is going to be dealt with by a Bill that I believe is coming to the House next week, not this one. The 5G controversy was not about investment; it was about selling to British companies to build stuff. Obviously, that case has been very heavily analysed.
I think that the more interesting case in the last 10 years involving Huawei was its acquisition in 2012 of the Centre for Integrated Photonics—a world-leading British firm in a really key area of technology. That, in my view, was pretty strategically damaging. If we had our time over again, that is the sort of thing that the Bill might well notify. I know you have taken evidence from the likes of Charles Parton and people with huge China expertise. The fact that the acquisition of the Centre for Integrated Photonics did down Britain’s technological development was probably a by-product. The point is that Huawei could buy world-leading research, which China could then take and appropriate for itself very cheaply. That is what it will continue to do to build up its own capabilities.
Q Given what you just said about the nature of the threat, how should that inform the composition of the investment security unit, which is going to be placed in BEIS and will be the primary locus for the screening of acquisitions? Would you say that it needs to have absolutely leading expertise in technology in the issues that you mentioned—quantum and so on? Should it also have China experts and people who speak Mandarin?
One of the reasons that this is so difficult, as I said in my first answer to Ms Onwurah, is that I can think of at least three areas of expertise that the unit is going to need to draw on. Technological, yes, because of what technologies will matter. Geopolitical, yes, and I do not have a strong view on whether it needs Mandarin speakers because the UK has a strong and intelligent foreign service mission in country in China and all over the place that can provide input. But the third thing is actually quite a lot of commercial nous—patent laws and so forth.
This is where there is a distinction. This is not all about China. It is layered, and there will be things that we would not want to see going even to quite friendly countries. Arm is a case in point, with the concentration of power in a couple of US companies—particularly when one of them is derived from UK technology. That is not comparable as a strategic threat to Chinese dominance—I hope the Committee does not think I am saying that—but there are times when it would be a damaging foreclosure, if you like, of UK freedom of action and freedom of choice. We know that the US has a strong and sometimes aggressively used extraterritorial legal system in which it can use the power of US companies and block trading with US companies and so on, so we need people who understand those areas where we think, “We are not sure we would want that to leave the country at all” as well as people who understand Chinese. That involves a lot of expertise in things like patents, international law, US commercial law, sanctions and so on.
Professor Martin, I have been listening with interest—it has been fascinating—especially when you were talking about the need to balance national security, Q the national interest and economic security. I have been reading the very good briefing by the Law Society of England and Wales, which suggests that the Bill could be improved by the insertion of a definition of national security. Do you agree?
I do not vehemently disagree with that suggestion, but I am not persuaded by it. It is not a new issue. I remember cases—they have nothing to do with this—going back to the aftermath of the so-called global war on terror, with demands during inquiries for definitions of national security. I am not sure what that would achieve other than it would be heavily litigated. In terms of both definitions of national security and the categories of technology, a better answer is a drumbeat of reviewable activity, which is by definition transparent, about how the Government interpret the scope of the Bill, if it becomes an Act, and the sort of cases it applies to so that, over time, you build up a broadly accepted framework—of course, not everyone will accept it—that is seen to be fair and rational.
Q I understand the reluctance to have an explicit legal definition of national security, but would there be a benefit in having an “except for” clause that makes it clear that certain activities do not come under the category of a threat to national security? Would that help to allay fears about infringements of rights of democratic participation—the right to protest and so on?
I certainly would not be against things like that, if it could be done in a way that did not compromise the wider use of the Bill, because I do not think there is intent to interfere in the democratic process. I think the intelligence services take that pretty seriously. I remember in other contexts, when asked to co-operate on cyber-security with other countries, given that some cyber-security capabilities—by no means all—can be intrusive, that a lot of due diligence is always done on whether they could be turned by more authoritarian regimes against their own people. I would not object to that in principle. I do not know whether you have a case in mind when you say that might be necessary, but I have an open mind on that.
Q There has been some discussion of whether the investment security unit is best placed within BEIS, the business Department. Do you have a view on that? Does it matter where in government it is based? If it does, would BEIS be your preferred location, or do you think it should be based elsewhere?
In general terms—this is a personal view, for what it is worth—I do not think the location of most government functions matters a great deal. Perhaps I am just a bit of a contrarian on that point, and always have been. The Government is the Government. Institutions do have cultures. I do not know whether the Government or the intelligence services have offered a formal view, but personally I would be reluctant to put it within the national security estate, first, because it has to be economically literate, and secondly, because it has to justify its existence and use. A strong national security input is important, but I would not leave it in the national security community.
I am sorry to sound like a broken record on this point, but I think the more important force in function is some form of reviewable transparency requirement. If you set it up and let it go away, first, you take away pressure to perform well, and secondly, you take away pressure to justify the decisions that are made.
This is a really hard problem. When I was still in government and there were discussions around it, this was not the sort of Bill that most Ministers and politicians came into Government to want to pass. It is a necessity of a bunch of case work that we have become concerned about that has required us to do this. It is sort of the least bad option. The country wants to be open to investment—we are all mindful of the impression it may give that it is trying to deter investment—so it is probably the least bad option, as I say.
I do not think there is any arrogance in government or belief that a bunch of civil servants assembled in BEIS or another Department will make infallible judgments on individual cases, but what is the alternative way to stop the sort of things we have seen happening—world-class taxpayer-funded research in key strategic technologies that are going to be vital for national security being sold for a song to potentially hostile regimes?
I will leave it there, Sir Graham. I may want to come back later, but I will let someone else in now.
Q Thank you for your excellent evidence, Professor Martin. You said, if I understood you correctly, that the process needs to be relatively open about why it is making decisions, but I foresee problems, particularly where there are issues of confidentiality and national security. Would you explore that a little? I note that within the terms of the Bill, decisions will be subject to judicial review or appeal, and the Government will be able to apply for a closed material procedure to protect sensitive matters in such proceedings. It seems to me that there is a potential problem there in relation to commercial and national security information sensitivity, so the “openness” of the system might be fairly limited and it might not be as respected as it could be.
I get that completely. I do not think 100% transparency will be possible in this case. Obviously, it will be judicially reviewable, but I am entirely unsurprised that there is an explicit provision for closed material procedures. It will be a minority, but there will be cases in which the reason why a particular aspect of a particular piece of technology is really sensitive—it will probably be highly specialised, and there might be a dozen people, of whom four serve in government, who actually understand why—cannot be published. Then, of course, there will be commercial sensitivities.
Having said all that, if you take, for example—these are real examples—the current debate around the potential use of offensive cyber, or the sort of allegations Edward Snowden made against Five Eyes countries in 2013, or some of the defences that the Government had to use in the 2000s about their role in the aftermath of 9/11 and Iraq and co-operating with US forces, in my view there is a clear distinction between being able to describe the operating environment and the sorts of thematic issues that you are dealing with, versus individual cases, which often contain extremely sensitive detail. National security organisations can say much more about the former than historically they have been willing to do.
In something like this, where we are talking about business confidence and how the country looks to potentially very friendly and helpful outside investors who like the UK, want to come here, want to put money here and like the high-quality research and the brilliant innovators and individuals, it should be possible to give them something that says, “In the course of the last year, we have looked at quantum resistant cryptography and here are the types of aspects of this that we are reserving and here are the bits that are more open” or that sort of thing, without disclosing anything sensitive. That is all you need to be able to say—these are the judgments. Let us say that the Bill becomes law in the middle of 2021, for sake of argument. By 2025 and the beginning of the next Parliament, the tech landscape will look very different. You will not want investors to be looking back at the debates you are having in the House now as a guide to the latest way in which the Government are applying this, or looking at drip feeds of information. You will want something official. It should be possible to do that.
Q I want to refer back to some earlier questions about the skills within the investigatory unit that would be within BEIS. With your knowledge of Government, do you see any sort of experiences that can be carried over from the export control joint unit within the Department for International Trade? They do not have all the skills there, but they draw on skills from other Departments, particularly when it comes to arms export control and the eight consolidated criteria. Do you think there is potentially an opportunity in the day-to-day structure of the investigations unit for some lessons to be learned and carried across from the ECJU? Or do you think that is irrelevant?
I do not know the ECJU that well, but it is relevant. I remember, although it was some time ago, being asked for specific inputs into that sort of point. The important thing is that the unit achieves a prominence and reach across the Government, because bits of Government will have to be involved occasionally and there will be bits that will be embedded. It needs a home—in our system of government, every organisation needs a home with a responsible Minister and an accounting officer and all that. However, I do think this needs to be broadly based and multidisciplinary. Export controls are one of the few areas where we have had to do that consistently for a number of years, so I agree that it is well worth a look.
Do you think it should be formalised or do you think an informal relationship with other Government Departments will be adequate?Q
I think it should be formal. The Government are not new to this. There should be some sort of review board to make sure that it has the right resources, the right performance, the right skillset and so forth. I would encourage ministerial interest. It may be something that the National Security Council wants to periodically review. In my time in national security, there were standing issues that the Government would come back to twice a year, whether there was anything interesting happening on them or not, just to take stock. That might be an issue. In answer to the previous question about transparency, there may be a case for a formal presentation, secret detail and all, to the National Security Council every year, which would include all the potentially covert and sensitive stuff. It really needs to work with the grain of ministerial thinking as well. That will need to be done collectively, at some point, so there may be a role for the NSC.
Q Good afternoon, Professor Martin. As part of the provisions for transparency and parliamentary oversight of the way the powers in the Bill would be used, the Bill would require the Secretary of State to have a statement approved by Parliament and then reviewed at least once every five years. Does that time period seem reasonable to you? Is there an argument for a shorter review period, especially in the early days when everybody will be feeling their way as to how the Bill works?
There is a reasonable case for a more frequently reviewable point. There is also a cultural point about the way in which the political processes work. There are aspects of government about which questions are not routinely asked in Parliament, because they seem to be too secret. Again, it is a point about casework versus framework.
To my mind, there is no reason why the Secretary of State for BEIS could not be asked from time to time to update on this or why questions in the House should not be asked. I do not think technology changes fast enough that the whole framework of categories of regulated activity and so forth have to be updated more than every five years, but there will be a possibility of more frequent updates on working, approving listings and that sort of thing.
To be fair, there is nothing to stop MPs from asking questions about international security, but the chances of us ever getting an answer may be somewhat less.
Q You have placed a lot of emphasis on the right technological skills and said that they should be forward looking, for a number of reasons, including identifying new technologies, but also giving clarity and certainty to businesses. Where do you see those tech skills being located? How can the Bill ensure adequate appropriate access to them?
I am not sure if the Bill will get in the way or help, one way or the other. I think Government technological nous across the civil service needs to be invested in properly. There is a deep, fairly sizeable reservoir in GCHQ. Again, without going into too much detail, more and more people are being transferred and seconded from there into other areas. That is a good thing, and we should welcome that rather than cast aspersions on this being all secret state stuff. It should be permeating normal Government activity.
There will be issues about how to pay for some of the specialists that are needed. I do not think we will ever compete with the big tech companies, but there may be scope for paying some specialists a bit more and bringing them in here. There is something about creating a career path for technologists in Government. There are big issues for the heads of the civil service and the permanent secretaries. If I were heading it, I would want an immediate infusion of seconded talent and private sector buy-ins relatively quickly. Government can do that quite well some- times, and sometimes not so well. There also needs to be a long-term strategy for technologists in Government.
I will now thank you very much, Professor Martin, for giving your time so generously and being of such assistance to the Committee. Given that the next witness is not due to give evidence until 2 pm, I invite the Government Whip to propose the adjournment.