Business and Trade Committee

Oral evidence: China and the UK economy, HC 124

Tuesday 9 June 2026

Ordered by the House of Commons to be published on 9 June 2026.

Members present: Liam Byrne (Chair); Chris Bloore; John Cooper; Sarah Edwards; Leigh Ingham; Justin Madders; Charlie Maynard; Mr Joshua Reynolds.

Questions 185 - 236

Examination of witnesses

Witnesses: Professor Madeline Carr, Charles Parton OBE and Tor Indstøy.

Q185   Chair: Welcome to today’s session of the Business and Trade Committee as we pursue our inquiry into the UK-China economic relationship.

Professor Carr, I am going to start with you. This year, 140,000 Chinese vehicles have been registered. The Jaecoo 7 is the third best-selling car in Britain. We are all becoming used to cheap Chinese tech. What is the upside for British consumers of their access to subsidised Chinese technology?

Professor Carr: I guess the upsides are probably pretty clear. Over the last decade, China has moved from copying and producing lower-quality technology to really leading in many sectors. As a developed country, we don’t necessarily want to cut ourselves off from that kind of world-leading technology.

There is also price, of course. Purchasing power parity in China is much lower than it is in western states, so they are able to develop technology very cheaply.

They have a very deep bench of technology research, which is also important for us, not just as consumers but for industry and research bases. In 2016, the Nature Index, which is one of many academic rankings, had I think one Chinese university in it—the rest were American and British, and maybe a university in Japan. In 2026, 10 years later, all but one is a Chinese university. Our first university comes in at 26th, and there are nine more Chinese universities before ours.

They are now graduating 70,000 STEM PhDs every year, which is more than the US and the UK put together. They have very significant research power there.

Q186   Chair: How should we as a Committee judge how pervasive Chinese tech is in UK national life now?

Professor Carr: That would be hard to say. There have been a lot of ways in which we have resisted that kind of Chinese technology—Huawei, for example, and restrictions on Chinese vehicles. I would say that there is less than maybe there would have been if it were just left to market forces, but I could not put a number on that.

Q187   Chair: I used the word “pervasive”. Would you use that word? Would you say Chinese tech is now pervasive in the UK?

Professor Carr: Yes.

Q188   Chair: So the way you would describe the benefit for UK consumers is cutting-edge technology and low cost—anything else?

Professor Carr: The future, basically. If we want to be part of a technology stream that is leading and that is futuristic, it will be important that we can somehow balance foreign suppliers. We do not want to cut ourselves off from that particular supplier.

Chair: Thank you very much. You have helped us set the stage.

Q189   Leigh Ingham: We know that Chinese firms accounted for 66.8% of the global CIM market in 2022. What vulnerabilities do you think that widespread use of the Internet of Things creates in terms of both the security and privacy of individual British citizens?

Professor Carr: The Internet of Things produces all kinds of vulnerabilities, for individuals, for industry and for the state itself. When we talk about the Internet of Things, we are not talking about any connected device. We are talking specifically about three components together: sensors in the built environment or even in human bodies; actuators, which will do something in the physical world; and data processing, which sits in between the sensors that gather information and the actuators that do something.

Sensors are almost completely insecure. They can be made secure, but they are tiny devices that would be in this building, for example. They do not accept software updates, and they do not have passwords. They are just little holes that we have embedded in our critical information infrastructure by putting them into our environment over the last 10 or 15 years without really thinking, and there is no way to get them back now. They are combined with actuators that do something. Of course, the example we are talking about today is connected vehicles, which are not just physical but a physical device that could bring about loss of life. They are a very serious IoT implementation. The data they gather, both on the person inside the car and people outside the car—pedestrians and other people in traffic—is all personally identifiable data that has to be anonymised, but the actual operation of the vehicle is critical to us. Yes, there are very significant security vulnerabilities.

Q190   Leigh Ingham: Charles, what risks are associated with Chinese-made cellular IoT modules specifically?

Charles Parton: Yes, I think we should broaden it out from automobiles, because I would say that cellular modules are in just about everything, from your white goods through your cars to massive manufacturing, logistics systems and aircraft, et cetera. It does not matter what they are.

Even when we talk about automobiles, it is very obviously the connectivity and the cellular module that are the villain of the piece. The Chinese aim to get a monopoly in the manufacture of cellular modules, and they are doing pretty well at that already. A number of western companies have either folded or given up and been bought. If we were to row forward and allow them to get a monopoly on the production of these components, then I think three threats follow, of which data and data security is probably the third most important.

I do not underestimate that by any means, and we can go into it, but you are thoroughly dependent if you have a monopoly. If you think rare earths for missiles, aircraft and automobiles are a bad dependency on China, well, think even worse, because cellular modules are in everything. Depending on your policy on Taiwan or whatever, the Chinese can say to you, “Well, we don’t like your policy on this or that,” or, “You’re not allowing us to do this with your steel industry. You might want to think again, because some of our cellular module production facilities have hit a few problems.” You know how it goes.

So that is the first one, the dependency. I usually phrase it as three d’s. You have dependency, the worst one. Then destruction/degradation. That is what people normally call the kill switch, because the cellular module’s firmware itself is updated, let alone whatever software, and you cannot be confident that every update is screened sufficiently. If the Chinese wished to shut off all of your vehicles, it would not be difficult because they all have cellular modules. If the Chinese wanted to blow your grid, it could just instruct all your smart meters, which all have a cellular module in them, to behave in a certain way at the end of the cup final when everyone puts the tea on, or at the end of the world cup final when it’s even hotter, or whatever. You can blow the grid. Destruction is something that really needs to be thought about. The Government’s first duty to its citizens, and the reason why we pay tax, is defence of the realm and our way of life. If your economy can be brought to its knees pretty easily, I suggest that you are failing in that.

Thirdly, there is data, which can be very specific. In 2022 the Prime Minister’s car was emanating data to China through its cellular module—it was the Prime Minister’s car—or it could be the car of a Minister, a general or whatever. There are good reasons why the Ministry of Defence has reportedly banned Chinese cars from certain defence institutions.

However, another point I would like to make at this stage is that cars are fine and buses are important, but even more important are vans and trucks—and China is moving big time into the production of both. BYD was due to launch its van last October, I think. There are trucks, too, and the Chinese have announced that they are moving big time into connected electric trucks. Is it wise to put your logistics system in the hands of a hostile power? I would suggest not.

Q191   Chair: We will just come back to the question of the Prime Minister’s car, because you slipped that in. You are referring to the story about a Government car that was found to have a location-tracking device, and you are telling us that it was the Prime Minister’s car?

Charles Parton: I am.

Q192   Chair: Do you want to say a word more about that?

Charles Parton: First of all, the journalist who reported the story is well aware of whose car it was. Secondly, a very senior member of the Government, who certainly knows whose car it was, told me.

Chair: Right, okay. Thank you. We have that on the record.

Charles Parton: It does not matter; the principle is there.

Chair: I just don’t think we had quite appreciated that.

Q193   Mr Reynolds: Tor, the company you work for recently took apart a Chinese electric vehicle and a Chinese electric bus. Some of the data they were gathering and sending back to China, and some of the implements that were inside those vehicles, seem incredibly concerning. Could you tell us a little more about that? What data was being sent back to China, who received that data and what could it have been used for?

Tor Indstøy: I have been running Project Lion Cage for three years. It started because the security community heard a lot of rumours about modern cars having a lot of cameras and microphones, both external and internal, and I wanted to assess that and get some more fact-based discussion going. We have now spent three years on this car. We have also supported the Norwegian Government on an additional four cars, along with one European bus and one Chinese bus, and those have been assessed through the same structure.

It started with me, and we are now 10 people working systematically on this. We have two different teams. One team is working on plausible scenarios. One is whether the car can be used for traffic sabotage. The second scenario is whether the car or bus can be used for surveillance, monitoring or the facial recognition of people passing by. Those are the things that we assess. There is a technical team that is going into detail on that.

On the technical side, I will briefly describe a modern connected vehicle. There are three aspects of complexity. First, a modern car consists of about 200 to 300 computer devices. A modern car does not have a connection between its steering wheel and the wheels. Honestly, you will be a passenger in your own car, because it is controlled by a computer. You might think that 200 to 300 computers is a lot. I have brought one of these computers to show you. It looks like a simple chip, but this is a system on a chip. This is a complete computer system that can be updated and remotely controlled by providers. Computers like this will control your headlights, for example. Thinking of a modern car as a mechanical device is gone. This is a rolling data centre that we are talking about. That is one complexity.

The second complexity is the interfaces. There is a lot of connectivity. There are sensors in the tyres that communicate with the car in case you have a flat. That can be used to stop a car, because it will stop itself if the tyre is flat. You can sabotage a car just by simulating and sending false signals. There is also wireless communication when you charge the car. The interface is a complexity.

Q194   Chair: Are you saying that it is possible to send signals to a car to make it crash, even if someone is driving it?

Tor Indstøy: It is evident, yes.

Q195   Mr Reynolds: You spoke about sabotage and surveillance. Are you telling us that the cars we are importing from China can be sabotaged to be deliberately crashed or stopped? I know that the Scottish Government have just ordered 334 buses from the same company as the one that you took apart. Will those buses use facial recognition that can be sent back to China as well?

Tor Indstøy: The Yutong bus does not have connected exterior or interior cameras, so they cannot be used for surveillance activities. But the finding on the Yutong bus is a component with a cellular modem that can be used for direct access to the battery or the engine system. Those buses can be stopped or manipulated directly from China. Yes, I am saying that.

Q196   Mr Reynolds: So the Chinese Government could decide that they want to turn off the country’s buses?

Tor Indstøy: Yes, that is evident.

Q197   Chair: That sounds quite alarming.

Tor Indstøy: Yes. As I mentioned, these buses and cars are normally regulated as a mechanical device. It is not a mechanical device any more. This is a rolling digital ecosystem that we are talking about. If you are going to regulate or manage a complex ecosystem, as this is, you need to regulate it as a data centre. We still perceive buses and cars as mechanical devices. They should be regulated and assessed as complex integrated ecosystems. My car weighs 2.5 tonnes and doing something wrong with that car has a societal impact. This is serious, and I guess that is why our project has received so much attention.

Q198   Mr Reynolds: Going back to the cars that you took apart, am I right in saying that the tyre pressure sensors that were sending data back and forth were unencrypted? Is that correct? Does that mean that anybody can access, change and manipulate that data with the correct software?

Tor Indstøy: Yes, with a laptop and a $10 component from eBay you can do that.

Q199   Mr Reynolds: How long would it take for an average person with a $10 component and a laptop to be able to tell my car that its tyre pressure is low and bring it to a stop?

Tor Indstøy: Using AI to help you out, I would say it is maybe a week’s work.

Q200   Mr Reynolds: So anybody with a week’s worth of time on their hands could stop all the Chinese cars in the country if they wanted to?

Tor Indstøy: You have to be close to the car.

Q201   Mr Reynolds: I could stand on a bridge over the M4, basically?

Tor Indstøy: Yes, that is something that can be done.

Q202   Mr Reynolds: Now that we have that knowledge, what are the Government doing about it? That is a massive concern when Chinese vehicles are the best-selling cars in the country.

Tor Indstøy: Obviously, this is a huge discussion in Norway as well. Others in my team are talking to the EU Commission today as well. This is about connectivity and data control.

Q203   Chair: Hang on to that point, because we will come to a bunch of questions on governance and security, which we would like to go into in a bit more detail. I have one more point to draw out: I think 90% of the data from the car that you took apart was going back to China. Is it true that that was on a server hosted by Tencent Cloud in Beijing?

Tor Indstøy: That is true, until they reprogrammed my car—so now they have hired a server in Frankfurt.

Q204   Chair: Okay. As Mr Reynolds said, it would therefore have been possible basically to hack that, like a teenager in a bedroom with an eBay modem.

Tor Indstøy: Correct.

Q205   Chair: Mr Parton has just told us that the Government vehicle with a Chinese locator was the Prime Minister’s car. Is the implication that it was planted, or would it have been part of the car’s infrastructure?

Charles Parton: That is the point I wanted to make: it is not just the Chinese cars that are a problem; it is the Chinese cellular module. If the Chinese cellular module is in a Jaguar Land Rover, the vulnerabilities that I talked about—the dependency, the destruction, the data—are still there. I think you would agree that the connectivity is the crucial bit. That is the point I wanted to make. The other thing to say is that if you really want to bring traffic to a halt in London, you could sabotage the cars, but personally I would have a go at the cellular modules in the traffic lights.

Chair: This is getting more alarming by the moment, isn’t it?

Q206   Justin Madders: They did that in “The Italian Job”. We don’t need Benny Hill, do we? Yes, this is obviously very alarming. On the point about non-Chinese manufacturers using components, is it correct that unless we have visibility of the entire supply chain, or unless we strip one of the vehicles, we will not know whether any of those vulnerabilities are present? Is it absolutely necessary to the functioning of the vehicle that it has that huge vulnerability that apparently anyone can hack into?

Charles Parton: When a car manufacturer designs a car, it outsources the design of the cellular module to one of the manufacturers; it does not have to be a Chinese manufacturer. Usually, the module is designed for that particular car. I think that the crucial question—again, I am not sure how the governance of it would work—is could you ban Chinese cellular modules from cars on sale in our country? That is a topical matter, because the American connected vehicle rule says that by the end of this year no Chinese software, and by the end of 2029 no Chinese hardware, may be in a car sold in America. Talking about the connectivity stuff, if we export—as we do—15% to 17% or 18% of our cars to America, are we going to close that or just not export to America any more? That is the implication if the Americans fully implement those laws. That may or may not happen under Mr Trump, but it will almost certainly happen after Mr Trump. I see no reason, actually, why it would not happen under Mr Trump.

Chair: Mr Reynolds, do you have any more alarming questions on that subject?

Q207   Mr Reynolds: From what you said, Charles, it seems to be that we are going to have to catch up with those American rules, or our production facilities will have to have two different lines, one for America and one for not America. Is the EU doing something similar to America? Are we going to be the outliers?

Charles Parton: I do not think the EU is. I have not spoken to the EU about cellular modules for a year or two, but its recognition of the problem is still as rudimentary as ours. Also, of course, even if the EU itself becomes increasingly involved in understanding the problems, which I think it is, that is EU. We have to talk about the member states, of course.

Q208   Mr Reynolds: If not from China, where would we buy such modules? I assume that they will be significantly more expensive from countries that are not China.

Charles Parton: Other companies manufacture them. I think the biggest non-Chinese one is called Telit Cinterion, which was a merger of Telit with the French company Thales. There is a Japanese one and another American one. The Americans have just started up one called Eagle Electronics. It remains to be seen whether that is actually a trusted supplier, because it uses Chinese technology, although it is adamant that it has ways around that. I think that calls into question the whole business of how you define a trusted supplier and how you certify that it is one, which is a very important question. If it is able to do that, that is fine. There are also Korean manufacturers. It is not difficult or particularly expensive technology—it would not be hard to do what Eagle Electronics has done.

Chair: Let’s get into how we mitigate this.

Q209   John Cooper: Touching on data collection, there seems to be an incredible ability to harvest data; there may be little indication that they are doing much with it, but the ability certainly is there. How much of a risk is that? Mr Parton, I think you have talked about this previously. Tor, are there implications for national security and personal data security?

Tor Indstøy: In the age of AI, the quality of data is what matters. We are in times when large countries like China are collecting good data to be used later. Even though it is not evident, I believe that this is also linked to a larger discussion on future capabilities and collecting good data.

Collecting data is one thing; the other thing is being able to use something in a negative way. Sending a message that is popularly called a kill switch to stop vehicles is very doable. We should not underestimate the importance of data collection when it comes to how the AI engines are operating. The quality of modern AI engines is dependent on the quality of the data. That link is relevant in this discussion.

Q210   John Cooper: It is obvious that if you were able to harvest secret data from another country, that could be usable. What possible uses could any state actor have for information about us as individuals? I am not quite clear on that. I hope we are not going to hear that you can send a kill switch out for an individual person. If they are tracking data on individuals, how would they be able to use or weaponise that?

Tor Indstøy: It can be used to control your life. Your whereabouts, what you are doing and what your interests are—all this information can be turned against you. Classic intelligence operations do that. Using knowledge about people or a society as an asset in a negative operation is a widely known thing.

Q211   John Cooper: Charles, I will come to you on this. We are basically riding our luck at the moment; we are trusting the Chinese Communist party not to do anything with this data. We know they have it, and we do not really seem to be able to stop them from having it, so we are hanging on and hoping that they do not use it in a bad way.

Charles Parton: We could stop them if we recognised the problem clearly and put measures in. Let’s not forget that the Chinese fully understand the problem and they take measures to ensure that we cannot do to them what they are doing unto us.

I will give you a couple of examples. You ask about individuals; you could do a very close study of an individual if you wish to blackmail a Minister, for example, about their personal life, where they go, who they see, when they see them and so on. That could include lots of facial recognition tech identifying who the other person is or whatever it is. That is perfectly possible.

In terms of national security, we were talking outside about DJI drones, for instance, which use cellular modules but in themselves are quite dangerous. If you use DJI drones, as power companies do to check their networks, and all that information is going to Beijing, then Beijing has a blueprint of your pylons and your grid. If other aspects of your grid use these cellular modules, there is plenty of data that can go up. You may remember the publicity about what was dubbed the Volt Typhoon attack, which was the scoping out of American and European critical national infrastructure. I think we should be very wary of that and take measures to stop it, as indeed I think the Government may have done in the case of Ming Yang and not allowing that investment to go forward.

Q212   Sarah Edwards: This has been fascinating and terrifying in equal measure. What struck me is that the 2010 Stuxnet cyber-weapon, widely considered to be the first cyber-weapon, is so associated with defence and the MOD. We know that they regularly assess supply chains and they think about that, but what we have been talking about is the everyday Internet of Things, the ordinary consumer products that we buy and how those things are suddenly becoming potentially extremely dangerous. I am interested in understanding where we are in the Government’s remit of being able to assess that. The MOD naturally does that—that is their thing—but many other Departments and aspects of Government will need to start to fold this into their working. We have talked about trucks and logistics, and we had cyber-attacks on our food companies last year and earlier on, so we can see where this can go. Does the panel think the current structures are working? How do they mitigate the danger? Where do we have holes? You are nodding quite a lot, Professor Carr, so maybe you would like to start us off on where you think we are right now.

Chair: Feel free to reflect back on the conversation about the national security perils from data collection as well.

Professor Carr: I would say that they intersect. This is why we look at these everyday consumer devices. It is not the only reason; we are concerned about consumer welfare and the everyday flow of society, but we also look at them from the perspective that Mr Parton and Mr Indstøy have been speaking about and how these things could be misused. There are a couple of points to build on to what has been said already. The issue with connected vehicles or other connected IoT systems or devices is not something new. We have been working in the UK on the security of connected vehicles for probably 10 years. There is nothing surprising about the data from a vehicle going back to the manufacturer; that is what happens. It is not a Chinese vehicle data flow; it is a vehicle data flow. That is what happens—the data does go back. I guess Tor’s work looks at which data is sensitive and which is just vehicular data that needs to go back to the manufacturer.

Q213   Sarah Edwards: Can I check on that? We understand there is an adequacy test that the UK uses and has a list of jurisdictions that comply with that, but China is not on the UK list. Is it specific types of data? You said there might be things that can go back. Is there a way of deciding which bits of data are and are definitely not being sent back? Maybe we can get an answer to that in a moment.

Professor Carr: That is probably more one for Tor. I also want to make the point that all connected vehicles, whether they are BMWs, BYDs or Jeeps, are all vulnerable not necessarily to a state actor but to any hacker. Any device that is connected to the internet is vulnerable. That is why we look at them. Charlie Miller, a famous American cyber-security practitioner, did a very famous video—it must be at least 10 years ago—of making a Jeep Cherokee drive off the road remotely, so the issues and concerns are very well understood. The data one is one where we can unpack which data is going back that we do not allow. As you say, it needs to be identified. Also, let’s not forget phones and other personal devices. If we need to know where someone was, that is a much easier way to do it.

Q214   Chair: Can you just pause on that for a second? How clear is the list of things that we should worry about? Smart toasters are one thing, but our cars are another; one is definitely more dangerous than the other. Is there a list of perils?

Professor Carr: We think about devices that could cause loss of life, but in a way, you could say, “Well, a toaster could cause a fire.”

Chair: In the wrong hands.

Professor Carr: Yes, in the wrong hands, but a vehicle is obviously more straightforward. The whole reason why Internet of Things security is interesting and important is because, as we understood data security in the past, we may have lost money or sensitive information, which could have been very serious, but with the IoT, we are now talking about the potential for loss of life. That is why the security paradigm changes.

I want to make sure that I answer your question directly. Where are we now? We are in a world where everything is connected, and I do not think we are really looking to go back to old legacy systems. The task for us is to consider what are the insecurities that we can cope with, what are the insecurities that we cannot tolerate and how can we mitigate the risk from those? Some of the solutions may be technological, and some will have to be policy and legal solutions. There is lots of interesting work happening on how to do that.

Q215   Sarah Edwards: Tor, do you want to come in on which parts of the data we might think is okay to send back, and which parts we do not? How do we think the Government are doing on being able to assess that, alongside some of the other mitigations? Do they have enough tools, or do they need more?

Tor Indstøy: First, I would like to say to all of you that I believe the UK has the ability to manage this. You have all the institutions with the knowledge to be able to do this thoroughly, and the discussion should be about how you get all this knowledge to give you a good, informed answer on the level of risk.

When we enter this building, we have to go through a thorough physical security check, but the same thing should be done with communications going in and out of our cellular devices—that is doable. My project clearly shows it is okay that the vendor can get the battery status out of the car, but it is not okay that they can remotely crash my car. That communication, or the separation, is very doable, but it is not something that is discussed or regulated today.

Q216   Chair: I just want to make sure that we do not slide past that. For all the perils that we have just discussed, are you saying that it is not adequately regulated or safeguarded today?

Tor Indstøy: I am not seeing any signs of good regulation to protect society from the impacts that we believe can be conducted, based on the work that we have done.

Q217   Sarah Edwards: Picking up on that point about regulation, we have the product security and telecommunications infrastructure regulations that govern this type of thing at the moment, and we have the Cybersecurity and Resilience Bill coming through, which will add a few layers. What is the panel’s view of those pieces of legislation, one of which is in force and one in the making? Obviously, if you are saying that it is not regulated, I am assuming that you are not very impressed with the product safety regulations and how they deal with this. Do you have hope that it is coming, or will it still lack some of the things that we need?

Tor Indstøy: Working at a telco, we process the information coming to and from all these vehicles, but we are not required to notify you if we see that somebody is remotely trying to do something negative to your car. That is a discussion I believe we should have. All the communications are there, and it is possible to do things about this, but it needs to be actively managed. That is the level at which I believe a responsible structure should be based, so that it is actually able to be proactive in supporting you and telling you when something is wrong.

Q218   Sarah Edwards: Do you think that you could do that through guidelines or best practice? Or does it have to be through regulation, given your example that, if you see that there is a malign actor trying to control something, you do not currently have to contact the cyber-security team in Government?

Tor Indstøy: Speaking from a Norwegian perspective, we are not allowed to do it, as it is now. There are conflicting regulations on this topic.

Q219   Sarah Edwards: Did you want to add anything, Mr Parton?

Charles Parton: I would quite like to step back, actually, and ask, “What are the Government doing and how could they do it better?” What you just said was at quite a technical level, but it strikes me that this Government do not really recognise what China is doing through using science and technology as a geopolitical tool—one might even say weapon. I do not think there is enough research, support for research or, indeed, connectivity between Government research—if it is going on; if there is any on cellular modules, for instance, I am not aware of it—and the private sector. There is very little. It is great that Tor does it, but in the UK, where is the research?

This is a broader problem, but where is the ministerial and official continuity? Most people seem to change jobs every few months. Someone in the FCDO said to me the other day, “In your day, you stayed quite a long time—two years. We can move after every year.” I said, “Two years? It was three years and sometimes longer.” That is another thing.

Then, where is the joining up between Departments? At the scientific knowledge level, are all the scientific advisers really coming together to say that we can or cannot allow a certain technology, or find it sensitive or not? How do they then disseminate their decisions—if they are given the power of making a decision—throughout the Ministries?

Even going one step further back, to what extent are our Ministries, Ministers and senior officials talking of the same thing on China? The economic Ministries and security Ministries seem to be talking past each other, and someone has to reconcile those, because they are always going to be in tension. You are going to have to make some compromises on security because of the economy and vice versa, but who has the structure to do that? I do not really see it at the moment.

Q220   Chair: Just answer this basic question: who is the cyber-security police in this country?

Charles Parton: You have the National Cyber Security Centre; it is extremely good. It is the open arm of GCHQ on these hacking things, but we are talking much more about the systems and the technology, and I do not think that is its business.

Q221   Chair: Whose business is it?

Charles Parton: That is the point. I do not think it is anybody’s at the moment. Maybe it is a reflection of my ignorance, but I would have hoped that I would be slightly clear about it if it truly existed. You have something, for instance, buried in the bowels of the Security Service called the Joint State Threats Assessment Team. Who knows what it does? No one has ever heard of it. Given that the science and technology threat from China is probably one of the biggest we face, there should be something like that informing Government and the public, but I do not necessarily see it.

There is a lot more that could be done in terms of the way that Government is shaped. Indeed, we have some good laws: the National Security and Investment Act, the Procurement Act and so on. Some of those things could be, and are, used to protect ourselves, but I do not think they are implemented with sufficient rigour. The Procurement Act has a debarment list in it—those technologies that are a threat to national security. Are any cellular modules on that? No. Is anything on it? I think it was passed in December 2023. No—nothing is on the list. It is a great law, but where is the implementation?

Charlie Maynard: I draw Members’ attention to my entry in the Register of Members’ Financial Interests and the company I founded in ’96, BDA Partners. It took me to China, where I met Charles back in Beijing in 2012 and 2014.

Chair: Thank you. That is on the record.

Q222   Charlie Maynard: Professor Carr, which country is most on this track of figuring out what a framework is and what path there is to resolving some of these things? It requires willpower, and it is obviously expensive. Leaving aside whether you have the willpower or not, there is also brainpower, in terms of what we would need to do if we are going to address this. Is there a paper published by somebody, or is there a country that is particularly on the case on this?

Professor Carr: This is probably an impolitic answer, but the country that has the best grip on cyber-security, in my view, is China.

Q223   Charlie Maynard: Beyond that? We can always talk about China too.

Professor Carr: I have spent the last few years intensively looking at how they handle these kinds of technology security issues. They obviously have similar concerns to us: they worry about the security of connected vehicles, data breaches and crime. It is a very different ecosystem, so I am not suggesting that lessons learned there can be transplanted here, but we should spend more time looking carefully at how they have protected their ecosystem. There are some transferable lessons from that.

It is a very different ecosystem, because the trust in China is in the Government, rather than in the private sector. They rely on the Government to get the private sector to care for their data and produce devices and systems that are trustworthy, so it is a different scenario there, but they are doing some very interesting things. One that is relevant for us is that they are developing free data ports, because they understand the value of data flowing across borders—

Q224   Chair: Sorry, but what is a free data port?

Professor Carr: They have implemented this in a few places in China. They have basically established a parcel of land, and the internet into that land is beyond the Chinese border gateway control—so it is beyond the Chinese internet, but it is on Chinese land. They have industrial partners there. Tesla is a big partner in this. Tesla need to send data back to the United States for the cars they sell in China. They need to be able to do that without breaking Chinese law—they need to adhere to China’s very strict data protection laws.

China are experimenting with this data free port in Lin-gang. They are working out this problem that all of us will face—the free flow of data for our economies and our security—and are coming up with solutions. I don’t know whether it will work—nobody knows yet—but they are working with industrial partners to solve that problem. They are doing a lot of that kind of thing.

China are very agile and flexible in policy terms. They will often implement something at a city level. They will trial it in a city to see whether it works. If it works, they may roll it out; if it doesn’t work, they kill it and try something else. They are churning through a lot of innovation in policy and regulation. As I said, I would never suggest that that can be picked up and transplanted, but there are more useful lessons that we could glean, just as we do from looking at what the Australians, the EU or the Americans do.

Q225   Charlie Maynard: Running with the US, you mentioned software and hardware between next year and 2029 or 2030. Do you think that is the right way to be going? By virtue of the US doing that, does that solve everybody else’s problem, because the US is such a big market and the Chinese will have to adapt their export products to serve the US if they want to be in there?

Professor Carr: The big market is not the US; the big market is China and the developing world. Everyone in the US already owns a car. Of course, that is a significant market—so is Europe—but there are 1.5 billion people in China, and they don’t all have cars.

Q226   Charlie Maynard: Yes, but they are exporting 7 million cars a year, so the scale of it is relevant. What models do you see outside China that you think are interesting, in terms of exploring this?

Professor Carr: I think Australia have also been very innovative, in terms of their tech policy. They have been quite bold. They haven’t always succeeded—they have gone up against big American firms like Facebook, and they haven’t always succeeded—but they are quite bold for such a small market. They are quite innovative; maybe there is something about being a smaller country that allows them to push the boat out a little more.

Q227   Charlie Maynard: Tor and Charles, any particular views on places to look for solutions?

Charles Parton: I wouldn’t look to Australia on the car side, as they don’t produce any cars.

Professor Carr: No, I am just talking generally in terms of technology.

Charles Parton: I would just make that point. It depends whether you are interested in cars.

Charlie Maynard: Broadly.

Charles Parton: If you are looking at the way that people react to the China technology challenge generally, I would certainly look to Taiwan, to the frontline, that is for sure. You have to keep very closely aligned with America and the EU, because they are very big markets for us. We can’t ignore them, whether that is automobiles or other things.

With connected vehicles, there was an intention or plan, which has not got very far, as far as I can see, to widen that from vehicles to other sectors in America. That would be quite something but, again, it might affect the way we export. I don’t see that coming at the moment. Not much is coming out of America in terms of China measures while Mr Trump is pursuing his personal, deep friendship with Xi Jinping. But he won’t be there forever, and generally the mood in the States is fairly, shall we say, concerned about China.

Tor Indstøy: It is wise in this discussion to split between the understanding of the technology and its vulnerabilities and the threats that we perceive. In my head, I believe in an integrated world where we can use components from all over the world, if we are smart. If we can do that and get good connectivity control and cyber-security measures into that discussion, we can have an integrated society.

But it is important that this comes with a cost. It is a large operation to do this. One thing from a regulatory perspective is that people need to be engaged in this discussion. We can have an innovative future where we can work with integration between countries, if we are able to use cyber-security measures systematically, splitting technologies from the understanding of threats and geopolitical intentions. Those two dynamics should be discussed separately, if we are to get a responsible approach to this dilemma.

Q228   Justin Madders: Most of the points I was going to ask about have been covered, in terms of the sub-optimal framework we have at the moment for decision making. But I want to ask you, Tor, about your comment that some of the regulations around the threat assessments in the decision-making framework are inconsistent and in conflict. Could you say a little more about that, please?

Tor Indstøy: What we have done in this project is isolate the vehicle and look at all the communication we see. We can assess in quite a lot of detail what commands have been sent to and from the car. We are able to pinpoint this directly. The communication from these vehicles is going through telcos all around the world, but I am not aware of any telcos actively using this information to support the security of society. There is a gap there, and that is the connectivity discussion.

It is also a discussion when it comes to the devices in the vehicle itself, right? I really believe that there should be way more systematic work in this manner. If you look at a traditional telco, there is some development to protect you if there is, for example, mobile fraud affecting you. I believe we should have the same discussion about a connected vehicle or anything that is connected, and it should be linked to the damage potential related to the device that we are trying to protect against, differentiating a 2.5-tonne car and a toaster. That is the discussion we should have, to be able to use this knowledge in the discussion of national security, and find the right, more precise measures that should be connected.

Q229   Justin Madders: Where else do you see gaps?

Tor Indstøy: It is a huge problem that connected vehicles are regulated as mechanical devices, not as data centres. In security we use the term “layered security”: having barriers before you get to sensitive information. There is no such thing in connected vehicles or buses today. Providers have direct access to the inner, sensitive areas of vehicles. To me, that is sad. From a security point of view, it is unacceptable.

Q230   John Cooper: You have touched on the approach of other countries to all this and what they are doing. Both Europe and America have been mentioned as, obviously, very close partners. The US has gone down the route of the Connected Vehicle Security Act, which specifically targets vehicles from named countries. That looks fairly watertight and, as we have heard, it might cause problems for us exporting there. Europe has taken a slightly different and I think wider view. Its Cybersecurity Act does not name specific countries; in fact, it does not mention China at all. What can we learn from those Acts, and which is the more efficacious? Obviously, the American Act is aimed specifically at the vehicles that you have talked about, Tor. Should we take a wider view?

Tor Indstøy: I believe that we should have a risk-based approach to that. If we are going to manage cyber, we need to work on cyber-related regulations. A risk-based approach is the correct way to deal with the challenge because we can then get innovation and collaboration but not be naive; we can take informed decisions. I believe that the UK has excellent institutions with competence for diving into this, but it needs to discuss how to actually understand it systematically.

Cyber-threats are mixing with physical threats in this area, so it is a hybrid challenge—that is what is being discussed. Stuxnet is an excellent example of a hybrid attack where cyber is used with physical measures. We can learn a lot from hybrid incidents such as that to make more focused regulations. Normally, you have people working on cyber-security isolated from the people working on physical security or road security. Those worlds need to be able to merge together, and that is the main challenge. The competencies exist, but the bridge between those silos is not there. Professor Carr, you had an excellent paper on collaboration within threat intelligence: how do we understand people trying to attack us? Your finding was that such collaboration almost does not exist, even though 94% believe that we would gain a lot of efficiency if we were able to collaborate better.

Q231   John Cooper: May I come to you on that point, Professor Carr? The Committee constantly hears about Government working in silos. This seems to be another case of that, where different people in different parts of the forest are beavering away doing very good work individually but, without joining it up, it is all ultimately rather a waste of time. What are your thoughts on that? Is this hopeless? Is the genie out of the bottle and we have really had it, or can we push back even at this eleventh hour?

Professor Carr: The reason cyber-security feels hopeless or overwhelming is that it is. That is a consequence of 25 years of rapid digitalisation and of largely leaving cyber-security to market forces. Those market drivers just have not really emerged in the way that we expected them to or hoped them to. That is why we have things like the PSTI and the Cyber Security and Resilience (Network and Information Systems) Bill: we are now having to take regulatory steps.

On the argument about working in silos, I do not know that there is an answer to that. I think there are good reasons why our Government work in that compartmentalised way. Obviously, this Committee has particular interests; a different Committee or a Department has different interests. The idea is that they work together in some kind of synchronicity, but it is not really the expectation that everyone—every Department or every representative—sees things the same way and drives towards that; the idea is that you have different interests represented widely enough.

Q232   Chair: That points to a question at the core of this: how do the Government integrate a threat assessment and benefit analysis? Where does that holistic assessment happen in Government?

Professor Carr: I genuinely do not know if that is even possible. It is about trade-offs, isn’t it? And there is no—

Q233   Chair: But where are the trade-offs made in Government?

Professor Carr: Where should they be made or where are they made?

Chair: Where are they made today?

Professor Carr: I guess they are made in budget terms, or in how Departments are organised and where the power flows through the different Ministries. I guess you would know better than me.

Q234   Chair: I do not know the answer either, but I have some Ministers coming in front of us soon, and I will put the question to them. The fact that neither of us knows is, I think, revealing.

Professor Carr: It is revealing, and it is difficult to maintain relationships because, as Charles was just saying, people in these roles move very quickly. There are a few things that could help us to work more holistically, such as being able to find out who is working on what. Every year or so we get someone from DSIT to come to our research group to explain to us how things have been reorganised. Obviously, that is a new, very dynamic Department, and it should be dynamic in changing, but we do not know who is working, what new teams have been stood up or what their interests are. There is quite a lot, perhaps, that scientific advisers could do, as liaisons. I guess they all work together already at that level, but—

Q235   Chair: The big conclusion coming out of this panel is that we have a really serious threat and none of us is very clear about who is in charge of policing it.

Professor Carr: That is probably true, yes.

Charles Parton: Can I just answer—

Chair: We are slightly out of time. Let me ask Mr Maynard to wrap this up.

Q236   Charlie Maynard: We have talked a lot about cellular IoT modules. Is it accurate to be talking specifically about that, or are there other very significant modules or technologies that we should also consider in the same breath?

I have a pie chart in front of me showing that China is getting up to roughly 70%, Europe is 10%, the US is 10% and the rest of the world is 10%. Is it even doable to say, “Actually, we’re just going to buy from the non-Chinese suppliers”? That is one way of playing it. That sounds to be what the US is doing. Is that something you would say is just not feasible, or if we are serious about this, is it the sort of thing that we should be thinking about?

Charles Parton: On the second question, this is not particularly high-tech; production can be ramped up very quickly. On the first question, there are four things that we truly should be worried about: quantum, AI, semiconductors and cellular modules. The thing about cellular modules is that they are not that high-tech, and it is actually a problem that politically and practically is solvable. Doing that sends a very strong message about why you are doing it—because of the threat from China.

If I could very quickly go back to Mr Cooper’s question of whether you should do this generically or specify China, I think it is actually quite important to say China—because it is the truth and it is not like Ethiopia, Somaliland or anywhere else produces technology that is threatening to us, and because, if you have things like the Procurement Act where you put things that threaten your national security on the debarment list, and do so in terms of a company, you will find on the next day that the Chinese company that has been put on that list has transmogrified—or, to use a cancer term, metastasised—into another company that is not on the list. Chinese cellular modules should be on the debarment list, not company X or Y.

Chair: We have slightly trespassed over time, but this has been such an interesting and alarming panel. We are grateful to you for your patience and forbearance. Thank you very much indeed.