National Security Bill – in a Public Bill Committee at 2:30 pm on 12 July 2022.
Clause 12 is a substantial addition to the Bill so warrants further consideration. It introduces a new bespoke offence of state-sponsored sabotage, capturing activity conducted for, on behalf of or for the benefit of a foreign power, resulting in damage to property, sites and data affecting the UK’s interests and national security, which we are happy to support. What has taken the Government so long? It is an extremely welcome provision.
The need for a specific criminal offence of sabotage on the UK’s statute books is long overdue. The necessity for it has increased over time. Over recent years, the nature of sabotage—most notably, the nature of cyber-attacks and sabotage—has changed rapidly. Subsection (3) outlines all the ways in which the act of sabotage can manifest. Subsection (1)(b) is explicit, covering a person’s intent and whether they are
“reckless as to whether their conduct will result in damage”.
As MI5 director general Ken McCallum highlighted,
“cyber is no longer some abstract contest between hackers in it for the thrill or between states jockeying for position in some specialised domain...cyber consistently bites on our everyday lives.”
I was struck by the evidence provided by Paddy McGuinness, the former deputy national security adviser, when I asked him about clause 12 last week. He said:
“one of the difficulties with this grey space activity…is that if you have a presence for an intelligence purpose, you can flick it over and turn it into a disruptive or destructive attack. That is where that preparatory bit is quite important, too: understanding that the simple fact of engaging and being present quickly takes you towards sabotage. I think these are absolutely vital powers.”––[Official Report, National Security Public Bill Committee,
The sense that someone engaged in espionage on behalf of a hostile state could just as easily be instructed to engage in sabotage reminds us why the new offences are necessary as a package of measures. A report published by Lloyd’s of London only last month crystalises the threat posed by cyber-attacks and sabotage. The report, entitled “Shifting powers: Physical cyber risk in a changing geopolitical landscape” and written in partnership with the Centre for Risk Studies at the University of Cambridge, warned that:
“Whilst most cyber-attacks are digital, physical cyber-attacks–defined as virtual attacks which trigger physical disruption–are becoming increasingly commonplace. The rise of state-sponsored cyber-attacks is a significant focus for businesses and governments, driven by an evolving geopolitical landscape in the wake of Russia’s invasion of Ukraine.”
The UK’s national cyber strategy, published in February this year, also demonstrates the potential threat posed by cyber-sabotage. It states:
“The threats we face in and through cyberspace have grown in intensity, complexity and severity in recent years. Cyber attacks against the UK are conducted by an expanding range of state actors, criminal groups (sometimes acting at the direction of states or with their implicit approval) and activists for the purpose of espionage, commercial gain, sabotage and disinformation.”
From this, we can see that cyber-activity could be prosecutable under a number of the new offences, but I know that the ability to robustly take on sabotage with clause 12 is welcome to those on the frontline of mounting the UK’s defences.
Although outside of scope of the Bill, I will briefly make the point that the Computer Misuse Act 1990, which was the first major legislative attempt to tackle cyber-crime and criminalise hacking, is now also long overdue an update. May I suggest that we have another look at that legislation alongside the Bill and the provisions in this clause, to ensure that we are meeting the cyber-challenges we face as a nation as robustly as is required?
Existing legislation largely fails to accommodate for state-sponsored acts of sabotage. The Criminal Damage Act 1971 defines sabotage as:
“A person who without lawful excuse destroys or damages any property belonging to another intending to destroy or damage any such property or being reckless as to whether any such property would be destroyed or damaged shall be guilty of an offence.”
We therefore welcome the foreign power condition in subsection (1)(d), which will allow police to bring to justice those who work for or conspire with hostile Governments to prejudice the safety or interests of the UK.
We welcome that the offence will link to the preparatory conduct offence to give law enforcement and the intelligence agencies the powers to intervene at an early stage. Despite the changing nature of sabotage, we also welcome that the clause contains provisions to tackle acts of physical damage on sensitive sites, such as critical national infrastructure, property belonging to Her Majesty’s Government, military buildings and sites, other defence assets, or acts that impact goods, systems or services supplying the UK, such as data centres or undersea cable infrastructure. If I have not been clear enough, we very much welcome the addition of clause 12 to the Bill.
I echo much of what the shadow Minister, the hon. Member for Halifax, said. As ever, I have slight concerns about the breadth of the foreign power condition and how that might interact with sabotage—for example, if a protest on behalf of one of the aforementioned non-governmental organisations causes some damage to a site. Of course, such protestors should face criminal law, but I would hope it would be general criminal law rather than the sabotage offence set out in clause 12 and the heavy sentence that comes with that.
For all the reasons set out by the shadow Minister, we support the inclusion of clause 12. The Minister moved the clause formally, but it would be useful for us to talk it through because this is a new departure for us, and it would be interesting to hear the Government’s thoughts on the nature of the offence.
I will go through clause 12 in a bit more detail. As hon. Members have outlined, the clause makes provision for an offence of sabotage. It is designed to capture intentional reckless activity resulting in damage to assets including property, sites and electronic systems where the person is acting in a way that they know or should know is prejudicial to the UK’s safety and interests.
A state-linked saboteur poses as much of a potential risk to the UK’s national security as someone undertaking terrorist activities. Working to further the interests of a foreign state by damaging something of importance to the UK is sabotage and therefore should be reflected as such.
Although there are offences in legislation that cover similar activities, sabotage as a crime is not an offence under domestic legislation, which was a surprise to me. The existing related offences were not developed to address the specific threat of state-linked sabotage, and the new offence more appropriately addresses the threat that this type of state threat poses. For example, none of the existing offences has a link to a foreign power. Clause 12 resolves those issues by giving law enforcement and the intelligence agencies the tools to tackle sabotage that is carried out for a purpose that the saboteur knows, or should know, prejudices the UK’s safety or interests.
Subsection (1) provides that an offence is committed where a person engages in conduct that results in damage to any asset and the person intends their conduct to, or is reckless as to whether it will, result in damage to an asset. In addition, the person’s conduct must be for a purpose that they know, or ought reasonably to know, is prejudicial to the safety or interests of the United Kingdom, and the foreign power condition must be met in relation to the person’s conduct. The clause is structured so that each of the four limbs must be met for the offence to apply.
Sabotage may be conducted directly by members of a foreign intelligence service, but it could also be conducted by agents, co-optees, or other individuals or organisations working for, on behalf of, or with the intention to benefit, a foreign state. Sabotage could be caused by cyber-means, such as by overriding critical systems, but would also include the deletion or corruption of data, the installation of malware or the introduction of vulnerabilities into systems or ransomware. As those can also be put in place without being implemented, the offence will link to the preparatory conduct offence, to give law enforcement and the intelligence agencies the powers to intervene at an early stage.
Sabotage is often conducted through the use of cyber-actions and physical damage. Sabotage can be conducted from anywhere in the world but still prejudice the UK’s safety or interests. Subsection (2) addresses this issue, which is why the offence applies whether the person’s conduct takes place in the UK or elsewhere, or whether the asset is located in the UK or elsewhere. The sabotage offence aims to tackle damage that might take place in sensitive locations, such as critical national infrastructure, or that impacts goods, systems or services supplying the UK, such as data centres or undersea cable infrastructure.
Subsection (3) provides non-exhaustive definitions of “asset” and “damage”. An asset can be tangible or intangible, and that includes real and personal property, electronic systems, and information. We considered listing assets such as water systems, nuclear, and transportation, but considered that to be too restrictive. Damage is not defined exhaustively, but includes destruction, alteration, contamination, interference, loss of or reduction in access or availability, and or loss of or reduction in function, utility or reliability. This applies whether the damage is temporary or permanent, which allows us to tackle cyber-activity that results in, for example, the temporary loss of access to data.
Clause 12 does not specify a level of damage. Defining the asset and damage in this way provides flexibility for investigating saboteurs and adds a degree of future-proofing. Well-resourced states will find ways around our legislation if we define things too narrowly, such as the types of assets that they may target by conducting sabotage. The assets targeted by foreign powers for sabotage could change, and the way in which they are damaged could also evolve beyond a narrow definition.
We need a bespoke, modern offence to tackle a modern and evolving threat. A person’s conduct must meet the “prejudicial to the safety or interests of the United Kingdom” test in subsection (1), which is designed to capture harmful activity such as a cyber-attack on Her Majesty’s Government data, or a physical attack on data servers resulting in widespread disruption and damage to national security, not legitimate protesting. Clause 12 makes provision for a maximum penalty of life imprisonment or a fine, or both. A fine is included to allow the prosecution of a company if it engages in conduct amounting to an offence. We expect the maximum penalties to apply only in the most serious cases, such as where an act of sabotage has resulted in a threat to or loss of life, or damage to UK critical infrastructure that compromises our national security. This is in line with existing maximum penalties in comparative legislation and the proposed penalty in clause 1.
Clause 12 will provide law enforcement and the intelligence agencies with a vital tool against harmful state-linked sabotage. It makes provision for an offence that reflects the global threat posed by saboteurs through cyber-means, as well calling out physical damage for what it is.