14
Joint Committee on the National Security Strategy
Oral evidence: Offensive Cyber
Monday 3 March 2025
5.20 pm
Members present: Matt Western (The Chair); Lord Boateng; Lord Browne of Ladyton; Bill Esterson; Baroness Fall; Lord Hutton of Furness; Baroness Kidron; Sir Julian Lewis; Edward Morello; Lord Sedwill; Lord Robathan; Tanmanjeet Singh Dhesi; Derek Twigg; Baroness Tyler of Enfield.
Evidence Session No. 1 Heard in Public Questions 1 - 10
Witnesses
I: Dr Andrew Dwyer, Lecturer in Information Security, Royal Holloway, University of London, and Lead of the Offensive Cyber Working Group; Dr Tim Stevens, Head of King’s College London Cyber Security Research Group.
Dr Andrew Dwyer and Dr Tim Stevens.
Q1 The Chair: Welcome back to this meeting of the Joint Committee on the National Security Strategy. We are now hearing from the second panel for today on the subject of offensive cyber. Can I ask the witnesses to introduce themselves, starting within the room?
Dr Andrew Dwyer: I am a lecturer in information security in the Information Security Group at Royal Holloway and the lead of the Offensive Cyber Working Group.
The Chair: And virtually?
Dr Tim Stevens: Good afternoon. I am an associate professor in international security in the Department of War Studies at King’s College London and I am the director of the KCL Cyber Security Research Group.
The Chair: Terrific. Thank you for joining us.
Q2 Derek Twigg: I am going to start with you, Dr Dwyer. If we are talking about offensive cyber tactics, what sort of operations are we talking about? How long have these types of operations been going on for?
Dr Andrew Dwyer: As you may imagine, there is a wide variety of different types of offensive cyber operations.
Derek Twigg: Could you give us the main highlights?
Dr Andrew Dwyer: I will give you the highlights, of course. The UK Government typically divide them into disrupting, denying or degrading particular adversaries in particular, but we also do that across many different domains. As we just heard about on the ransomware side, there is a focus on cybercriminal activity, adversary states and things around terrorism or child sexual exploitation. Where it is particularly difficult to use conventional types of operations, we will use offensive cyber instead to try to augment or replace what we cannot do elsewhere.
Derek Twigg: Do you know of any specific examples?
Dr Andrew Dwyer: If we are talking about military operations, for example, we can look at the evacuation from Afghanistan. The NCF provided support there on cybercriminal activity. They supported the National Crime Agency in disrupting cybercrime operations. They provided support against Daesh as well. There were reports around the NCF degrading drones, for instance, in that place.
Derek Twigg: Would you say we are as effective as our adversaries on cyber tactics?
Dr Andrew Dwyer: That is a great question. The UK is a particularly effective actor in terms of our organisation. We are somewhat ahead compared to many of our allies in terms of thinking about how to deploy offensive operations. Whether we are as effective as China or the US, for example, is a completely different matter. We are quite a small country. We have a reduced capability compared to those states. We do well with what we have.
Derek Twigg: We could do more.
Dr Andrew Dwyer: We can always do more.
Derek Twigg: There is a report in the Times today that the Americans are thinking about stopping their offensive cyber operations against Russia. Would that impact on us in any way?
Dr Andrew Dwyer: I did read that report as well. One can only speculate, but the US and the UK have a memorandum of understanding in terms of doing collective activity around operations. We and the US may have some deconfliction activities going on, where we will focus on some whereas the US may do others. If there is any reduction in the US’s activity against Russia, for example, as was claimed in the Times and elsewhere, that may affect our capability as well.
Derek Twigg: You are saying that it could have an impact on us.
Dr Andrew Dwyer: It could, but I cannot comment on the particulars.
Derek Twigg: Dr Stevens, I do not want to repeat all the questions, but you get the gist of where I am coming from.
Dr Tim Stevens: I could address the second issue, if I may. The report came out last week from a reputable source and has been picked up since by the mainstream news organisations. I am currently in the United States and, as you can imagine, this issue has come up in conversations. It has elicited a fair amount of both surprise and non-surprise. It is surprising because, as a strategic ambition or objective, it does not really fit with the national security objectives, but it may be less surprising on the political side.
Whether it is going to affect what the UK does is a really interesting question. Without knowing precisely the conversations that are happening behind closed doors it is very difficult to answer, but, to build on Andrew’s previous comments, the UK is attempting to find its own path through the use of offensive cyber. Its doctrine is slightly different from that of the United States. In some instances its relationships are different from those of the United States, particularly with our European partners.
I do not see any immediate reason why this would affect what the UK does in this space, but that really depends on what levers are pulled or what influence is exerted by the United States through the usual military and intelligence channels.
Derek Twigg: Could there could be some pressure put on us by the Americans?
Dr Tim Stevens: We have a very strong intelligence and military relationship with the US, with the relevant organisations that operate in this environment. Personnel are embedded—ours in the United States and theirs over here. It is a very strong and persistent relationship. I am absolutely certain that most people at the operational level will not be affected majorly by this, but it really depends.
In the past, we have seen the strength and direction of the US-UK intelligence relationship. It does shift and change. We saw that in the Huawei affair a few years ago, for example. We should be fairly confident for now that we can continue operating as we are, but I would not like to presume that that will remain the case for ever.
Derek Twigg: Before I finish, do you want to add anything else to the other questions about what sort of operations we have taken part in in terms of offensive cyber?
Dr Tim Stevens: Andrew is spot on. One of the issues that we have is that, as external observers, we do not always know precisely what operations have been undertaken. It is very difficult to evaluate from the outside, but Andrew has hit most of the main types of operations that the UK has undertaken and indeed in which the National Cyber Force has been involved.
Q3 The Chair: I am interested to hear what you think about the structure of our cyber force and how well resourced it is. In the previous session, we heard questions over whether we should be putting more resource into this area. How well does this fit with meeting or delivering against our strategic priorities. Dr Dwyer, maybe you could start.
Dr Andrew Dwyer: The NCF has an ambition, which was announced a few years ago, to grow to 3,000 personnel. In a force, 3,000 personnel is relatively limited. It sounds quite large, but you need to think about all the administrative roles, the number of checks that you may have to do and the development of exploits. As much as 3,000 sounds like a rather sizable force, compared to the US, for instance, which has a much larger capability in cyber command and elsewhere, the UK is relatively limited.
The Chair: What sort of size is the US force?
Dr Andrew Dwyer: I cannot remember exactly what size it is. I would have to provide to the committee what that number looks like, but it is several times of magnitude, for context.
The resource here sounds great, but it depends on what we want to do as a country. Building on what Tim was saying on the last question, what are our aims and ambitions? We have a really wide remit. It covers cybercrime, other types of law enforcement and integration with the military. The NCF has to look at an awful lot of different priority areas.
Trying to determine what is the reasonable resource is really hard from the outside because what we see is a huge scope but relatively limited capability in terms of number to achieve that. We have not seen in the public domain what that resolution particularly looks like.
Dr Tim Stevens: Structurally, the way that the NCF is organised makes an awful lot of sense. As it grew out of the National Offensive Cyber Programme prior to 2020, that harnessing or integration of military intelligence and other capability was already in place. Indeed, from my perspective, that is exactly where the expertise and capacity lies in the UK. The joint operating model or integrated structural component is as it should be. The relative weighting within that is something we do not have much visibility of. It is very difficult to comment on that.
In terms of where the NCF’s operations align with strategic objectives, again it is difficult to know for certain because we simply do not have transparency over precisely what the NCF does at all times. I have slightly lost the train of my thought there. I will blame jet lag, if I may.
This refers back to some previous questions in the last panel about what the NCF does and whether we are as effective as our competitors and adversaries in this space. The NCF operates under a very different legal and ethical framework from our adversaries. We cannot deploy the NCF to go and create mischief in enemy networks and interfere with civilian infrastructures, critical infrastructure and so on. We cannot do that. The NCF is inherently constrained by the specific context of UK law and, of course, the international law that we attempt to abide by at all times. That is the broader context of this.
The NCF was set up, as Andrew indicated, to counter threats from terrorists, criminals and so on who might do harm to the UK and our allies, to counter cybersecurity threats in general and to contribute to UK defence. We get indications that the NCF is being deployed precisely to do those things.
In terms of the broad direction of emphasis and focus of the NCF, yes, it is aligning with broader strategic objectives. It is a separate question as to whether and how it is enabling those objectives.
Q4 Tanmanjeet Singh Dhesi: In 2021, academics in London, including your good selves, recommended that close scrutiny of the National Cyber Force’s effectiveness was needed, perhaps through the Prime Minister’s Implementation Unit, the National Audit Office or the Intelligence and Security Committee of Parliament. Is that scrutiny happening now, Dr Dwyer?
Dr Andrew Dwyer: The National Cyber Strategy has a really helpful diagram at the end that gives some sense of what authorisations look like, albeit at a very high level. Your question is not about authorisations in particular, but I will get to your point very quickly.
The Foreign Secretary and Defence Secretary can authorise operations due to the dual nature of the organisation. What is really unclear is how the National Security Adviser and the government cyber advisory board come together to look at what is happening there. There is not a clear direction on where the NCF sits within that. There used to be a sub‑committee that focused directly on cyber, but this does not exist in the same way. It comes under resilience in the most recent framework that we see. We cannot quite see where cyber sits within that.
The authorisation can be complex, especially if the NCF is doing operations with the NCA, which would then come under the purview of the Home Secretary. You have very different parallel lines there. It is not clear how that co-ordination work occurs explicitly within the model that we see.
Tanmanjeet Singh Dhesi: Dr Stevens, is scrutiny happening of the National Cyber Force, in your estimation?
Dr Tim Stevens: There is a difference between formal and informal scrutiny and internal and public scrutiny. Certainly within HMG there is an awful lot of thought about what the NCF is doing, how it is structured, how it is resourced, how it is acting and, as was just suggested in the previous question, how it is helping to achieve UK national objectives.
On the public scrutiny side, as Andrew suggested, there are various lines of reporting and accountability. Traditionally, of course, defence and foreign affairs issues have combined in the body of the Intelligence and Security Committee of Parliament, which, for various reasons that you will all be aware of, has not really functioned in an optimal fashion now for some time. That makes the work of a committee like this one all the more important.
In the round, there is an awful lot of internal scrutiny, as it were, on the more informal HMG internal side, but the public scrutiny side is currently lacking. That is not to say there is anything terribly wrong with the NCF, but how would the public know? Certainly, the current status of the ISC is not particularly helpful in that respect.
Q5 Edward Morello: Dr Stevens, I would just like to follow up on the point that you were making about the internal thinking that is happening within HMG about the role of the National Cyber Force. We have a lot of reviews going on at the moment. We have the strategic defence review; we also have the upcoming cyber security and resilience Bill. To what extent should or is the National Cyber Force feeding into those processes and informing Government of what it thinks it can and should do, versus its role to respond to what the Government think it can and should do?
Dr Tim Stevens: As an academic who is not employed by Government, it is difficult to know precisely what the nature of those conversations is, but my feeling is that those are precisely the conversations that are happening.
We have this capability. We have had it for five years. We have a distinct institutional entity that has a very publicly avowed mission across those three pillars that I mentioned earlier.
We are wondering what we are doing with it, whether we are doing as much as we can, whether we are doing it as well as we can and how to build out resource. Andrew mentioned earlier the various lines of resources that are required. It is not just about front-line operators. It is about support staff, capability development and so on.
You mentioned our report from 2021. In that report, we asked—it remains an open question—what the identity of the National Cyber Force is. Where does it see itself in the wider landscape of UK defence and security? That has not yet been answered. We would not necessarily expect quite a young organisation to have that distinct sense, but, if you want unity of mission and unity of purpose, those conversations are, at the moment, moot.
Dr Andrew Dwyer: Just referring back to it being a relatively younger organisation, yes, we know there are conversations that have been happening internally, but, on the outside, what that means in terms of the licence to operate, to use Fleming’s recent term, around offensive cyber is somewhat unclear.
Examples have been provided in the Responsible Cyber Power in Practice primer, for want of a better word, of the NCF trying to articulate this, but we have not seen much development since that around 18 months ago.
Edward Morello: On the broader issue of how the National Cyber Force operates, are we promoting responsible offensive and defensive cyber processes internationally? How do we align with other countries? I am also thinking a little bit about the private sector here. There have been some questions about whether the current legal framework in the UK stops white-hat or friendly cyber hackers being able to do the same things that similar organisations in other countries can do. In terms of what we are doing as a national organisation in promoting good security and our own legal framework, how do we align internationally?
Dr Andrew Dwyer: A lot of that has been done with the Computer Misuse Act. There has been some reform around that, especially for white‑hat hacking, as you say.
In terms of responsibility, the UK has been exceptionally good, with the FCDO and its cyber policy department, at trying to articulate what responsibility looks like. When cyber power was the organising concept for the way the UK does this, responsible and democratic cyber power was a way of thinking about this.
We have seen the “democratic” element slowly fall out of the lexicon in the discussions around this and we have been left with “responsibility”. This is because it fits in with much broader UN discussions on responsible state behaviour in cyberspace. In the Responsible Cyber Power in Practice primer, we are trying to articulate what this would actually look like.
One of the reasons why the UK, I believe, wanted to talk about responsible cyber power is to distinguish itself from the cyber power of Russia or China. The UK wants to be responsible. It is about following the principles of accountability and precision. It is about targeting and ensuring there are no significant side effects from your operations. The UK has done a significant amount of work to try to articulate what this is.
Edward Morello: How do we do that internally when it comes to responsibility? You have already mentioned that the responsibility is split between Home Office and FCDO. Given that certainly some of our adversaries have a far looser sense of what is responsible, as well as the difficulty in identifying a national player versus subcontracted work by a national player, how does the Home Office, the FCDO or any other part of UK Government decide that action is legal when they are directing the national cyber agency?
Dr Andrew Dwyer: I will build on what Dr Stevens mentioned around these internal discussions. There will be some process—from the outside, we do not know exactly what it is—where a collection of people will make that decision. That is something that was mentioned in the cyber primer. We do not know the precise details of what that looks like.
One of the reasons why the NCF was created is because we needed to get a cross-agency and departmental view on who should do offensive operations. That has helped centralise the decision-making, so you are able to deconflict and work out what is “responsible” vis-à-vis the capabilities that you have.
It will sometimes be the case that you will decide not to use an offensive cyber operation and use a different type of capability, according to those decisions around responsibility. If there is going to be too much of a significant potential negative externality to a cyber operation, you may look at different options.
Dr Tim Stevens: The UK has tried exceptionally hard—I do not use the word “exceptionally” lightly; it has led the way—to think through very carefully and articulate equally carefully what it means to exercise responsible cyber power.
The basic principle is that what we do is just as important as what we say. What we do must be consistent with democratic values and principles, which is why, when it comes to any form of military targeting or indeed intelligence work, the lawyer is always in the room. If the lawyer thinks that, as Andrew says, there are negative externalities to a particular operation, it simply will not go ahead.
What I would say about that—this is one of the issues that you might want to think about as a committee—is, if the public does not know what the NCF does, how can we ensure there is alignment there? Is there a say/do gap? We are making a good story; we are talking a good talk. What is the NCF doing in practice? There is an opportunity for the NCF and HMG more widely to tell that story. You do not have to reveal sources and methods; you do not have to expose operators to harm.
When the NCA has conducted counter-ransomware operations either individually or more often in partnership with allies, whether they are part of Europol, Interpol or military intelligence allies, it has told the story. There is an opportunity for the NCF to do something similar. As Andrew mentioned, it has been quite a while now since we have heard from the NCF about what it does and how that aligns with what it says. There are some things to perhaps watch out for in that space.
Q6 Lord Robathan: I want to ask a very quick question. You may tell me it is nothing to do with offensive cyber, but last week I read in the newspapers—the newspapers are always true—that the North Koreans have made $1.5 billion out of cyberattacks on some sort of bitcoin or whatever it was. What we are talking about is international. This is the North Korean state—I do not believe there are many individuals in North Korea behaving independently—attacking somebody, probably individuals, and stealing their cyber coins. Could offensive cyber deal with that?
Dr Andrew Dwyer: We know that North Korea uses cyber capabilities to generate revenue. In terms of response, what would you do in North Korea? What are you trying to show? This is one of those things where you might think there is not much utility in using a cyber operation in that particular case.
Lord Robathan: That is a very fair point. Dr Stevens, do you have any comments from America? I guess a lot of this is coming from America.
Dr Tim Stevens: I do not claim to represent the Americans in this respect. As a general principle, one of the reasons why the NCF was set up was to enable the degradation of infrastructure that enables state and non-state actors to conduct these types of operations.
The consideration in this case is a little bit after the event, as Andrew suggests, but the principle is sound. If UK interests or the interests of our allies and partners are going to be harmed by these types of operations—I do not know whether they are in this case—there is a potential role for the NCF in conducting or supporting operations against the infrastructure of those threat actors. There is a hypothetical use case there. Whether this particular scenario is one in which it would be deployed I am unsure, but the principle remains.
Q7 Lord Boateng: Is an international agreement on the principles of the responsible use of cyber power needed, or does existing international law suffice? Reference has been made to democratic values and principles. Given the current state of the so-called rules-based international order, is there the slightest possibility of such an agreement being reached? If it were, would it require a regulator to oversee its implementation? Dr Stevens, you are in the home of the international rules-based order at the moment. Do you have any insights that you are able to share with us?
Dr Tim Stevens: This is a really interesting question. I suspect there are more international lawyers in that room than in this one. This is one of the questions that has been asked about cybersecurity in general for many years. The international community has singularly failed to provide or generate a specific international mechanism that is legally binding on any countries that might sign it.
That is not to say there have not been significant efforts and significant achievements in that space, such as the 11 norms of responsible state behaviour in cyberspace, which were negotiated at the UN; the very long-standing Convention on Cybercrime; the Paris call; or many of the other mechanisms. The difficulty, as it always is with international treaty mechanisms, is in enforcement, verification, monitoring and all the rest of it, which we are all too familiar with from, say, arms control through the Cold War and beyond.
There is a political problem here, which is implicit in your answer, Lord Boateng. If you are going to include “democratic” in a potential mechanism like this, you are going to find it very hard to get a certain number of countries on board. I suspect that language would be stripped out. Even if we were to do that, the secondary question would be, “What values and principles does the international community share?” and so on and so forth.
You might end up with a very watered-down mechanism or something like the recent UN Convention against Cybercrime. To enable it to pass, the UN General Assembly had to include within it certain principles and articulations that do not align with our national interest at all. Beyond all that, how would you bind member states to it? If you could figure out a form of words to which everyone could agree, you end up with that say/do gap again. We know that from agreements, treaties and so on in this space already. You can say one thing and do another and get away with it with relative impunity.
There are all sorts of problems, but it is a great question and a very large topic for discussion.
Dr Andrew Dwyer: Drawing on the “democratic” component again, this is why we do not see responsible democratic cyber power as clearly being UK strategy anymore. The Foreign Office said, “This is not working with a lot of middle-ground states and some allies where this maybe is not the type of language they use”.
In terms of the future development of an international mechanism, this is what Russia and China want. At the last open-ended working group at the UN, which finished last month, they said, “Let us do this in our future permanent mechanism. Let us work out how to have a legally binding instrument”. The UK Government’s position is not to do this.
At this stage, given that there is not clear alignment, it makes sense to say, “We already have international law that most states that publicise this say applies. Why do we need a separate mechanism beyond what we already have?”
Lord Boateng: Does the US have a position?
Dr Andrew Dwyer: The US generally supports the UK position on this, but that was in the previous Administration. I cannot comment on what is currently happening.
The Chair: That takes us neatly to you, Baroness Fall.
Q8 Baroness Fall: Yes, it does follow on neatly. We have talked about different actors and the fact that the cyber centre basically acts as a point of triage and brings different agencies together. Are there very different operational techniques in dealing with organised crime versus state actors? That does beg the question as well as to whether we know which one it is, because I presume that sometimes the state actors are hiding behind the criminal gangs.
Dr Andrew Dwyer: It is very difficult to know what the NCF is doing operationally for obvious reasons. In many senses, when we look at reports on cyber operations in other states, the techniques can look quite similar. You might be exploiting the same commercial products, for example, to get access to a state or to a cybercriminal group or vice versa. In terms of access or using your capability, it sometimes does not look that different.
In terms of identifying who you are trying to target, this is where you need your supplementary activities. That is why the NCF does not just operate as a function of defence or intelligence. Sometimes you might need some more detail or some in-person intelligence to say, “Yes, this is the right target”. Typically, you need to combine those different activities to ensure you know whether you are trying to disrupt a cybercriminal gang or a state enterprise.
Baroness Fall: Dr Stevens, do you have any views on whether some of these state actors act differently? We know there are a lot of Russian state actors, but we are beginning to see more from China and Iran. Is there a difference between them?
Dr Tim Stevens: Yes, there is. They have different national objectives. They have different skill sets. Sometimes they have different needs. You mentioned North Korea earlier. The principal purpose of its cyber operations is sanctions evasion. For China, that is not the case. Russia is a country at war. It has different priorities too. There are also different strategic cultures, as we would call them in academic jargon. Those determine what types of operations are preferred, what targets might be desirable and how we conduct those operations.
There are very great differences between national postures in this environment. Of course, they are very different from other actors in this environment, including cybercriminals. As you mentioned, there are complex connections between criminal and non-state groups and states in particular cases.
This all goes to what Andrew was talking about in terms of intelligence. As a community or the wider industry, and certainly in government, we develop very specific understandings of the various threat actors in this environment and tailor our counteroperations accordingly. This is captured by the NCF’s principles of precision and calibration. We are not just conducting quasi-random operations against these actors. They are very tailored. They are intelligence-driven; they are specific.
They do not just look at the target but at the effects. What are the effects to those targets? What are the second and third-order effects too? We have to understand the threat actors, the way they operate and how they think—that comes back to intelligence—way before we think about the types of capabilities we might use against them.
Baroness Fall: Can I ask one more question? Just to focus on criminal gangs for a moment, is there more of a level playing field? Do criminal gangs across different nations use more similar tactics than state actors? Do criminal actors in Russia act differently to criminal actors in, say, China and Iran?
Dr Tim Stevens: The obvious difference is that cybercriminals in Russia are effectively afforded the protection of the Russian state, which is not always the case in other jurisdictions. I have been talking to colleagues here in the United States who have conducted longitudinal studies of ransomware operations over the last five years. They are very clear that when it comes to ransomware, which was the discussion in the previous panel, it is not really a technical problem, first and foremost; it is a Russia problem.
When we are thinking about cybercriminality, yes, the tactics, the tools and the capabilities are broadly similar across all jurisdictions. The geographical or jurisdictional location of those cybercrime groups affords them greater latitude of movement, which is why we see almost no ransomware attacks coming from the United States, for example. They do not operate in that environment. Criminals do not operate in the same environment as they do in Russia, where they are effectively told, “You can do whatever you want as long as it does not blow back on Russian targets”.
Q9 Lord Sedwill: Given the dispersed nature of the criminal threat that we heard about in the earlier session—I know you were both listening to that—and the way you have both described the state threat, do we have the capability and capacity within the National Cyber Force to do all those things all at once, or should it prioritise? If so, what should it prioritise?
Dr Andrew Dwyer: Again, going back to the start of the session, we said it has a wide scope. This is why working with allies is so important for us. It is about having that force multiplier as much as possible. It means you can focus, with Five Eyes allies or whoever else, on operations in your specialist area. It means you can share the intelligence that you get or disrupt cybercriminal activities, for instance.
It is not necessarily about choosing which actor. It is about saying, “What can we do? What type of effects do we want to shape?” Do we want to disrupt cybercriminals’ trust in their own infrastructure, for example? That can be shared out among different allied nations to work on what is going on there.
In terms of state activity, different agencies, intelligence agencies and others have a capability in certain areas. In cyber operations, we tend to see that people are laying on top of one another in terms of their activities on certain networks. Deconflicting is a very important part of how you ensure effective cyber operations as well.
Lord Sedwill: As a supplementary, would you expect, therefore, to see recommendations on the capability of the National Cyber Force in the strategic defence review?
Dr Andrew Dwyer: I would be surprised if that distinction was made precisely because you want to ensure that your cyber force can move agilely between different targets. As it says in the Responsible Cyber Power in Practice primer, the NCF creates general kits of capabilities and then adjusts those capabilities according to the target. You do not necessarily want to hinge yourself on particular types of actors.
As much as a cyber operation needs time to develop and can be targeted, you can manoeuvre between actors in some ways. As I said to the previous question, the entry points can be quite similar.
Dr Tim Stevens: I would agree with that. I would not expect to see the overall mission and remit of the NCF unnecessarily constrained or attention drawn to specific sets of capability within the broad overall operating posture of the NCF.
Since the NCF was set up we have seen world events shift and change in various ways. Like any other element of UK defence and security, the NCF needs to be flexible, mobile and as agile as possible. In fact, that is probably one of the strengths of the UK generally and the NCF in particular. It is able to pivot, depending on what particular mission objectives are set for it by persons higher up the chain and by the simple exigencies of world affairs. I would not expect to see a major adjustment in the defence review, no.
Q10 The Chair: I just have one point of qualification, if I may, for Dr Stevens. We were talking about scrutiny of the National Cyber Force earlier, and you were saying that—I will try to quote you correctly—the current structure or form of the ISC is “not particularly helpful”. If I have slightly quoted you incorrectly, apologies. Can you just qualify that?
Dr Tim Stevens: It was not about the structure of the ISC. It was about the tempo of its operations and reporting. There is a suspicion—you may hold a different perspective; I am rather channelling the community here—or an impression that the ISC is not as active or as robust as it might be in terms of hearings and reports. It has been quite punctuated, you would probably all agree, over the last quite a few years now. Given that it reports on the SIAs and on defence and the like, it is the obvious place for that kind of public scrutiny.
The other place that you might find it—it was mentioned earlier—is the National Audit Office: “Is the NCF meeting its stated objectives? Is it value for money?” and so on and so forth. It was not really about the structure of the ISC. It was more about the tempo of scrutiny itself.
Sir Julian Lewis: Speaking as a former chairman of the Intelligence and Security Committee, if the ISC had even a fraction of the resources of the National Audit Office, I am quite sure you would be impressed by the greater tempo of output.
The second thing that people have to bear in mind is that there is a problem with any committee that is proposing to publish reports that are initially written on a highly classified basis. With most committees, when you produce a draft report you are 90% of the way to publication. When the Intelligence and Security Committee produces a draft report, because of the extensive redaction process it has to go through, you are probably 45% of the way to publication.
The Chair: Thank you for that. That concludes today’s session. Thank you to both our witnesses. Thank you, Dr Dwyer, for being here. Dr Stevens, thank you very much for joining us from the United States despite your jet-lagged-ness, not that it showed. Thank you both for your informed contribution to our session today.