Page:ISC-China.pdf/172

CHINA their presence and of their legitimate ***. MI5 noted the Chinese state's ability to use its people, industries and companies to gather information, and said that:

***.

It is also worth noting that the Civil Nuclear sector will be a user of the Government's Secret-level IT system (known as ROSA), which is explicitly designed to protect against hostile states. Providing an agent of a foreign state with even irregular access to the system could undermine its viability as a tool of secure communications.

Nevertheless, witnesses were keen to emphasise that, while the question of physical access to sensitive sites by Chinese nationals is taken seriously, it is more of an issue that might "provide good media headlines and be an alarming picture" than is really the case in practice, since "you really don’t need to be present to get the scale of data and have the opportunity". In October 2020 the DNSA explained that:

''there will be some forms of threat that physical access will offer greater opportunity for. That said, the nuclear sector is extremely highly regulated and inspected and, as part of the Energy Act, there are a whole set of provisions in there that mean that the site operators have security plans, that they are assured, and they will work with the CPNI [Centre for the Protection of National Infrastructure] on the particular kind of insider risks and the specific technical insider risks and get the best professional advice on staff access, everything from pass routines, and we do that for the Energy sector in the same way as we do for other sectors with CNI.''

While we accept that the risk posed by physical access to Civil Nuclear sites is overshadowed by the vulnerabilities exposed by Chinese investment and operational control, it would be wrong to dismiss the former outright. The Government recognises the risk that a digital back door into the UK’s Critical National Infrastructure might create, but the risk posed by the literal back door of human actors with access to sensitive sites should not be dismissed.

Chinese cyber actors appear to have an interest in, and ability to target, a broad range of international companies and agencies in the Civil Nuclear sector. An assessment *** stated that, "in the last twelve months [the Chinese] have compromised ***".

There also appears to be indications of Chinese cyber attacks targeting UK firms with links to the Civil Nuclear sector. For example, ***. ***.