Policy paper

Sabotage: National Security Bill factsheet

Updated 12 February 2024

Key points

• The new offence of sabotage will capture activity conducted for, on behalf of, or for the benefit of a foreign power, resulting in damage to property, sites and data affecting the UK’s interests, and national security. This can be done through, but is not limited to, the use of cyber actions and physical damage.
• Sabotage may be conducted directly by members of a foreign intelligence service, but it could also be conducted by agents, co-optees or other individuals or organisations working on behalf of the foreign state.
• State actors may pre-position technology and equipment to commit an act of sabotage at a later date, or commit sabotage from overseas. This offence will link to the preparatory conduct offence to give law enforcement and the intelligence agencies the powers to intervene at an early stage.

Background

• Foreign states can use sabotage to undermine the UK’s national security, furthering their political, military, and economic interests, and it is often carried out covertly. Sabotage can be conducted from anywhere in the world but still have an impact on UK safety and interests, for example if a saboteur were to cause damage to UK overseas sites or disrupt a critical supply chain.
• There is currently no criminal offence of sabotage in UK law. There are offences in legislation that could cover similar activities such as in the Criminal Damage Act 1971 (CDA) and the Computer Misuse Act 1990 (CMA).
• However, those offences were not drafted with state-sponsored sabotage in mind and the new offence more appropriately addresses the methods that saboteurs may seek to employ.
• Existing offences cover a wide range of activity with different elements required and variable sentences available. The appropriate offence would depend on how the offence is committed, in relation to what and where and the consequences of the action.
• However, none of the existing offences reflect the seriousness of sabotage with a link to a foreign power.
• State sponsored sabotage conducted against the UK will be done in order to prejudice the safety or interests of the UK (SOIOTUK). We need a bespoke, modern offence to tackle a modern and evolving threat.

Key facts

• There is no criminal offence of sabotage. Existing pieces of legislation, including the Criminal Damage Act 1971 and the Computer Misuse Act 1990, are not sufficient for the state-linked activity in this area.
• While sabotage is within scope of the existing espionage offence in section 1 of the Official Secrets Act 1911 in certain circumstances, that offence is being repealed as part of the National Security Bill, and is limited in its application to most modern sabotage activity.
• Sabotage can be conducted through any means, including cyber, such as ransomware attacks, and physical damage to sites or to data.

Key quotes

• The Government’s Integrated Review of Security, Defence, Development and Foreign Policy, published in March 2021 noted Sabotage as one of the growing forms of threat faced by the UK.
• In his speech from 2021, MI5 Director General Ken McCallum said: “Disruptive cyber-attacks such as ransomware can bring down everything from national institutions to your local hospital…cyber is no longer some abstract contest between hackers in it for the thrill or between states jockeying for position in some specialised domain; in the 2021s, cyber consistently bites on our everyday lives.”

What harm does the offence/measure tackle?

• The sabotage offence aims to tackle damage which might take place in sensitive locations, such as critical national infrastructure, HMG property, military buildings and sites, other defence assets (for example naval vessels), or that impact goods, systems or services supplying the UK, such as data centres or undersea cable infrastructure.
• Sabotage seeks to capture physical damage which may include damaging something directly but could also involve doing something (or omitting to do so) which causes a system failure triggering damage, for example interfering with a piece of critical national infrastructure.
• Sabotage could be caused by cyber means such as overriding critical systems but would also include the deletion or corruption of data, the installation of malware or introduction of vulnerabilities into systems or ransomware, which can also be put in place without being implemented. This allows hostile activity to take place at a future date, known as ‘pre-positioning’.

What are the safeguards?

• Any prosecution must have Attorney General consent (or Advocate General in NI).
• The foreign power condition must be met, and this is at the heart of the offence. This could include direct tasking by a foreign government to commit an act of sabotage.
• A person’s conduct must meet the prejudicial to the safety or interests of the UK test. This is designed to capture harmful activity, such as a cyber attack on HMG data or a physical attack on data severs, resulting in wide-spread disruption and damage to national security, not legitimate protesting.

How does the offence work?

• The offence has four tests:
  1. A person engages in conduct which results in damage to an asset.
  2. The person intends that their conduct will, or is reckless as to whether it will, result in damage to an asset.
  3. The person’s conduct must be for a purpose they know, or ought reasonably to know, is prejudicial to the safety or interests of the UK.
  4. Someone has to be working for or on behalf of a foreign power. This could include direct tasking from, or being by funded by, a foreign power. Someone could also be acting with an intention to benefit a foreign power.
• The offence applies whether the person’s conduct takes place in the UK of elsewhere, or whether the asset is located in the UK or elsewhere.

What are the penalties?

• We are proposing a maximum penalty of life imprisonment or a fine, or both. We expect the maximum penalties to apply only in the most serious cases, for example where an act of sabotage has resulted in the loss of life or catastrophic damage to UK critical infrastructure.
• This is in line with existing maximum penalties for comparative legislation, such as the CMA and CDA.

Hypothetical case studies

Case study (1): where conduct involves a cyber intrusion

A person is directed by a foreign power to release malware into a water treatment facility. The malware results in damage by altering the operability of the facility’s safety functions (as the malware was designed to do), but it also results in further damage to the facility’s systems by releasing chemicals into the water, causing the site to shut down. As a result, millions of people are left without clean water.

Case study (2): where the conduct takes place overseas / involves physical damage

A covert unit of people working for a foreign power blow up a gas pipeline which supplies the UK. This results in the alteration of supply to the UK and has serious consequences for UK homes and businesses.

Case study (3): where the conduct involves an omission

A person working as a contractor for a nuclear energy company agrees to work for a foreign power. They are instructed to not implement compulsory safety protocols which result in the site they are working on being shut down due to a suspected radiation leak. This results in delays to a critical nuclear technology being developed as well as wide-spread grid damage. Millions of people are left without power.