Security of Government Devices

Volume 729: debated on Thursday 16 March 2023

As this week’s integrated review refresh demonstrated, the Government are strongly committed to bolstering our national security to meet the challenges of both today and tomorrow. We take the security of Government devices very seriously, and we are constantly working to ensure that those devices remain as safe and secure as possible. As part of that effort, I recently commissioned a review by our cyber-security experts to assess the risks posed by certain third-party apps on Government devices and in particular the installation and use of TikTok. I know that there has been a lot of interest in this issue in the House, so I wanted to take this opportunity to update Members.

The review has concluded and it is clear that there could be a risk around how sensitive Government data is accessed and used by certain platforms. As many colleagues will know, social media apps collect and store huge amounts of user data, including contacts, user content and geolocation data. On Government devices, that data can be sensitive, and so today we are strengthening the security of those devices in two key respects.

First, we are moving to a system where Government devices will only be able to access third-party apps that are on a pre-approved list. This system is already in place across many Departments, and now it will be the rule across Government. Secondly, we are also going to ban the use of TikTok on Government devices. We will do so with immediate effect. This is a precautionary move—we know that there is already limited use of TikTok across Government—but it is also good cyber hygiene.

Given the particular risk around Government devices that may contain sensitive information, it is both prudent and proportionate to restrict the use of certain apps, particularly when it comes to apps where a large amount of data can be stored and accessed. This ban applies to Government corporate devices within ministerial and non-ministerial departments, but it will not extend to personal devices for Government employees or Ministers or the general public. That is because, as I have outlined, this is a proportionate move based on a specific risk with Government devices. However, as is always the case, we advise individuals to practise caution online and to consider each social media platform’s data policies before downloading and using it. Of course, it is the case that Ministers receive regular security briefings and advice on protecting data on their personal devices and on mitigating cyber threats.

We will also be putting in place specific, very limited exemptions for the use of TikTok on Government devices where it is required for operational reasons. Those exemptions will only be granted by security teams on a case-by-case basis, with ministerial clearance provided as appropriate. Overall, this approach aligns with action taken by allies, including the United States, Canada and the EU.

Our security must always come first. Today we are strengthening that security in a prudent and proportionate way, and I commend this statement to the House.

I welcome the statement and thank the Minister for advance sight of it. But once again the Government are late to the game. In August last year, Parliament closed its TikTok account. As the Minister has just said, in December the US banned TikTok from official devices, and nearly a month ago the European Commission followed suit. On 28 February, however, the Secretary of State for Science, Innovation and Technology said that the app was a matter of “personal choice.” She said, “We have no evidence”, and that a ban would be “very forthright”.

What has changed? Two weeks, two Ministers, two completely different policies later, and it is the same pattern over and over again: a Government behind the curve, with sticking-plaster solutions, forced to lurch into a U-turn at the last minute. We need a strong, clear-eyed and consistent approach—one that ensures that we can protect our national security and that puts us in a strong position to engage with states such as China where it is in our interest to do so, in areas such as climate change and trade.

The Minister announced a restriction on official devices to a pre-approved list of third-party apps and a ban on TikTok. How does the ban on TikTok differ from it simply not being on that approved list? Why is the ban limited only to central Government Departments? How will it apply, for example, to devolved Governments or Parliaments? Can the Ministry of Defence, for example, keep its account?

The Minister said that the TikTok ban is based on

“a specific risk with Government devices”.

Can he go a little further on that? What exactly is the specific risk and why does it apply only to official devices in central Government? Will the Minister tell us what advice has been issued to other Ministers, including those who already actively use TikTok? What criteria will be used for the list of pre-approved apps that he has announced today? Which apps will be included and which will not? On what grounds?

Today’s announcement feels like closing the stable door after the horse has bolted. If the Minister was serious about overhauling security at the heart of Government, why was the review limited only to the use of third-party apps on Government devices? Why not carry out a root-and-branch review of the technology used by his colleagues? The reality is that this Government’s track record of upholding security at the heart of Government is appalling, from their chronic use of private emails to the hacking of the phone of the former Foreign Secretary, the right hon. Member for South West Norfolk (Elizabeth Truss). Will the Minister say whether there were any discussions during this process about Ministers’ use of private messaging, such as WhatsApp, and email? Will he confirm that he will make it a priority to make good on promises to update the guidance on the use of private emails by Ministers, which is now a decade old?

In the Procurement Bill’s Second Reading debate, the Chair of the Foreign Affairs Committee, the hon. Member for Rutland and Melton (Alicia Kearns), described the Government’s approach to tracking down security threats in our supply chain as “relentless whack-a-mole”. She said we needed a more systematic and proactive approach to identifying risks in the UK’s supply chain, especially when it comes to goods and services bought with taxpayers’ money. I agree with her; does the Minister?

If the Minister is truly serious about national security at the heart of Government, why did he vote against Labour’s amendments to the Procurement Bill that would have mandated that suppliers that pose a risk to the UK’s national security must be excluded from being granted taxpayers’ money? The Government have a duty to uphold the highest standards of security at the heart of Government. Today’s announcement is nothing but a temporary fix—a sticking plaster—while gaping holes remain in our national security. We must fix this problem; is the Minister committed to doing so?

The right hon. Lady raised a large number of issues; I will try to address as many as I can and am happy to write to her on any that I do not cover.

First, the Government’s overall approach to national security is set out in the integrated review refresh that was published at the beginning of the week. In respect of China specifically, it sets out a three-pronged approach of protect, align and engage; this element of our activity clearly relates to protect.

The right hon. Lady asked why the decision has taken some time. We have always taken an evidence-based approach. I thought it was appropriate that we gather sufficient evidence and understand the nature of the problem. I did that in November. It is an appropriate way to deal with national security challenges and I will continue to take it.

The right hon. Lady asked about the limited list. We already have an approved list of apps but it does not apply to every Government Department. We are now ensuring that it applies across all Government Departments. I do not believe there is a risk extant at the moment; this is about ensuring that we continue to guard against risk on an ongoing basis.

The ban applies not just to central Government Departments but to all Government agencies, including arm’s length bodies. On the devolved Administrations, I have written to the leaders in Scotland and Wales and the appropriate officials in Northern Ireland.

In respect of Ministers, they receive extensive advice when they take office and are expected to follow that with all the devices they use. In respect of private messaging, we are updating the guidance on non-corporate communications to ensure that we have a consistent approach across Government, but, again, I do not believe that we have serious concerns on that.

Finally, on the right hon. Lady’s slightly overblown rhetorical point about Government taking action, I say gently to her that I have always been willing to take decisive action to protect national security. It is exactly the approach that I took in respect of banning Huawei from our 5G network before many of our allies did so. It is exactly the approach that I took within weeks of taking office in respect of Government surveillance devices on sensitive sites with Chinese technology on them. However, we must proceed with an evidence-based and proportionate approach. That is what will command public confidence and that is the approach that I am taking today.

Order. I would just like to say that, for those in their offices who wish to take part in the Budget debate, they really should start making their way towards the Chamber now.

Today’s ban is a welcome precautionary move. I congratulate my right hon. Friend because he did make the right decision on Huawei and, again, on surveillance, and, again, today. None the less, TikTok’s ability to act as a data Trojan horse is gravely concerning and the myriad data-exploiting technologies on our streets and in our pockets require a national discussion. That national discussion can start with the Procurement Bill. I welcome the right hon. Member for Ashton-under-Lyne (Angela Rayner) raising the amendments that I have laid to that legislation. We must protect ourselves from hostile states spyware. May I urge my right hon. Friend to personally put an eye to those? Hostile states will go to extreme lengths to spy on us. That is their job, and our job is to make sure that we protect ourselves and our people. Tackling techno-authoritarianism must be one of our foremost priorities if we are to deliver on the resilience piece that the Prime Minister set out in the integrated review.

As ever, my hon. Friend raises some very important points. On the Procurement Bill, of course we continue to engage with Members on both sides of the House as we approach Report. I know that Ministers in my Department are meeting the hon. Lady about the amendments that she proposes. In respect of this legislation, we have taken a very big step forward. For the first time, contracting authorities across the public sector can reject tenders from suppliers that pose a threat to national security, including where that threat arises from a parent or subsidiary company, so we are both lowering the bar and increasing the power. We did not have any of those powers when we were in the European Union, so this is a significant step forward and I am very happy to look at further amendments that can build on those proposals.

I thank the Minister for advance sight of his statement. I agree with other Members that this is a welcome and proportionate step by the Government. It is good to see that, in some areas, the UK Government are taking seriously the risk of highly sensitive data being accessed and used by bad actors. I wish to ask a couple of questions. First, how will the Government ensure that these guidelines are adhered to by Ministers and by civil servants using Government devices? Will the Government ensure that the information and evidence they have compiled is shared with Parliament’s security advisers to ensure that MPs are given the best and most up-to-date advice possible, in particular on apps that use geolocation data?

The Government have been dragging their heels around a number of security risks. A number of companies—including Huawei, TikTok and Hikvision—pose human rights risks and, in some cases, it has taken too long to close down or mitigate those risks. For example, Hikvision cameras are still being used, despite their being involved in human rights atrocities, for the facial recognition of Uyghur Muslims in mosques. The issue is not just the safety and security of our citizens but that taxpayers’ money is being used to fund companies that are committing atrocities. When will the Government take a look at the wider situation to ensure that we are not, by the back door, propping up regimes and companies that commit atrocities and human rights abuses?

I thank the hon. Lady for her questions. First, on how we ensure adherence, this instruction is going to Government Departments from the Cabinet Office, so we would expect that adherence to happen. We are one Government, and the Cabinet Office is responsible for co-ordination. Were there any evidence of non-compliance, I would take that up directly with the Ministers responsible for each of those Departments. I would expect them to take it seriously, as they have done in relation to previous guidance.

The hon. Lady raises an important point about the security of Members of Parliament. I discussed that with Mr Speaker prior to making this announcement, and there is already a high level of engagement between the Government and the parliamentary authorities, including through my right hon. Friend the Security Minister. Clearly, Parliament is independent of Government, but we are very willing to provide all necessary information to help parliamentarians make appropriate decisions.

On human rights abuses in China, that is something the Government have never been shy of calling out or engaging with the Chinese Government on, and we will continue to do so.

I say to my right hon. Friend—not to be churlish—so far, so good. Most of our allies have already done this, but I simply make the point to him that he cannot stop there. The reality is that, even though Government phones will have this taken out of them—this TikTok leak element—the key thing is that private telephones remain on Ministers’ desks and are used for communications. I honestly do not believe, whatever the complaints are, that in reality those private phones will never be used for Government business. They will be, they are, and there is no way of stopping that to some degree. Can he not now say that any Government Minister or senior official who has TikTok on their private phone should remove it, because that gets rid of the risk?

I have an amendment down concerning Hikvision cameras. I have never known it so difficult to drag any information out of Government as the sites at which they are using these cameras. They should now be removed from every single site that is a Government base, and the reality is that they are dragging their feet. Could he turn to that as well?

I thank my right hon. Friend for his questions. I will take the second point first. I am happy to meet him and provide further information about the sites where Hikvision is used. I should say that this point applies to surveillance technology from Chinese companies; it is not just about Hikvision.

The broader point my right hon. Friend makes is a legitimate one, and it is a balance that the Government have to try to get right. It is the case that many social media apps use huge amounts of data harvesting, and it is also the case that sophisticated foreign hostile state actors are perfectly capable of using many mechanisms to obtain bulk data aside from direct ownership. On balance, we believe that this is the correct approach.

Ministers of course need to exercise heightened caution in respect of the rules. It may be that communications devices are used for routine administration and so on, but substantive Government business should be conducted on Government devices. In addition, bespoke security advice is provided to Ministers, and they are expected to adhere to it.

I am slightly surprised at the delay in introducing this, because I was under the impression that we had been briefed nine to 12 months ago by the security services that there was such a risk from TikTok and so on that we were strongly advised to remove it if we had it on our phones. Given the Oakeshott papers and the amount of ministerial correspondence that seems to be going on, we do not know, when we get messages from a Minister, whether that is on a private phone or a Government phone. Will the Minister explain how we should know that in the future, and what the risk is of our data actually being drawn down by a ministerial phone?

On the first point, the Government already had a list of allowed apps, and TikTok was not on it. That was for most Departments, but some Departments do not adhere to it, so this is about ensuring that we close the remaining gaps.

On Government data used on private phones, we will shortly be issuing refreshed guidance on non-corporate communications. Essentially, substantive Government business should be conducted only on Government phones. If Members of this House are contacted about substantive Government business, that should be from a Government phone.

This seems like a sensible move, but of course, it is tackling only one part of the security and safety risks in the online world. Can I urge the Minister to get a move on with the Online Safety Bill, which contains other important safeguards to keep children safe online?

As my right hon. Friend knows, the Online Safety Bill is currently passing through Parliament, and does not directly fall under my jurisdiction as Chancellor of the Duchy of Lancaster. However, that Bill does introduce world-leading reforms, and we are making good progress.

Across the board, it is important for right hon. and hon. Members to appreciate that this is one small part of what the Government are doing. Through the National Cyber Security Centre, we genuinely have world-leading expertise, and we have countries from around the world coming to the United Kingdom to understand that expertise. All ministerial decisions are informed by that, but it is also the case that technology is moving very rapidly, so we have to constantly move to make sure that we deal with threats. We have to do so in a proportionate way, because we also have to recognise that there are many benefits from people using new forms of technology, and we do not want to stifle innovation and growth.

I congratulate the Minister on a quite remarkable achievement: he made that entire statement without once using the words “China” or “Chinese”, which I think tells us quite a lot about the way in which the Government approach matters like this. This is the right thing to do, but I have to say to him that playing whack-a-mole like this—one week it is Huawei, next week it is Hikvision, and the week after that it is TikTok—is no substitute for a coherent cross-Government strategy. If he really wants an evidence-led, proportionate piece of policy for Government, why do the Government not now move to include genomics in the definition of critical national infrastructure?

On the point about our approach to China, I gently say to the right hon. Gentleman that he should pick up a copy of the integrated review refresh. At pages 32 and 33, it sets out in explicit terms our approach to China. We are totally clear-eyed about the threat in respect of China: it has been, and remains, the most significant state threat faced by the United Kingdom, but it is also the case that China remains one of the largest economies in the world, so we cannot totally disengage from economic relations with China. The approach of “protect, align and engage” is a sensible and proportionate one that puts us very much at the front of the pack, alongside the United States and Japan, in the toughness and robustness of our approach to China.

I warmly welcome my right hon. Friend’s precautionary measure today. Does he agree that for members of the public, there is also the question of whether or not they use TikTok? The irony is that in China, it is not allowed to exist in the same format due to the country’s algorithm laws, so members of the public need to think quite carefully about whether or not they want to use TikTok.

My hon. Friend makes an important point. I also say to him that TikTok is not alone in harvesting vast amounts of data, so caution needs to be used in respect of all social media apps and other apps that harvest very large amounts of data. Many people do not realise quite how much data is being harvested—contacts, geolocation and so on. In respect of TikTok, there is of course an additional risk, given the ultimate ownership in China and China’s national security laws. It is due to a combination of both those factors that we believe, on a risk-based approach, that it is not appropriate to have it on Government devices, but we are not advising people against using it in a personal capacity, subject to the caution that should always be used in respect of social media. I believe that is an appropriate balance for us to take.

I align myself with the comments of the right hon. Member for Chingford and Woodford Green (Sir Iain Duncan Smith), in that these changes are broadly welcome as a set of measures, but are perhaps limited and should go further on the use of personal devices by Ministers. To that end, can the Minister tell us whether the Secretary of State for Energy Security and Net Zero will be leading by example and doing us all a favour by deleting his TikTok account?

Perhaps the Secretary of State is more au fait with social media than me, but I am confident that he will adhere to the guidance that he will receive as a Minister and that sensitive Government documents will be dealt with not on his personal device but on his corporate communications devices.

I welcome the continuation of the robust approach that the Minister took with Huawei and its application to TikTok. That is something that we should all welcome. He mentioned Government agencies. Does he agree that some of the most sensitive Government data is held by agencies, arm’s length bodies and, indeed, local government? Does he agree that they should all heed the advice that he has issued today?

The short answer is yes. What falls directly within my purview is Government Departments and arm’s length bodies. I have written to my colleagues in the devolved Administrations and I will be writing to relevant local authorities as well.