Page:ISC-China.pdf/88

CHINA allocating resources to sectors, industries and businesses where there is evidence of Chinese desire to gain knowledge, technology, expertise and Intellectual Property (IP). CPNI works with cross-government partners "to raise awareness of the threat, identify vulnerabilities, and to provide holistic advice and mitigations". NCSC was set up to be the single authority on UK cyber security. It works closely with government departments to help them own and manage the risks in their sectors of Critical National Infrastructure, including setting policy and direction for protecting the sector, ensuring legislation is fit for purpose, and understanding how the operators are responsible for the security and resilience of their own systems and assets. It works jointly with CPNI in a number of areas, including recently producing guidance for Industry and Academia on engaging with foreign entities. This guidance (Trusted Research) provides advice to senior leaders and individuals about how to protect research, IP and products.

MI5 told us that CPNI and NCSC carry out regular protective defensive briefings. These can either be regularly scheduled briefings to a particular sector or they can be specific briefings in response to intelligence received suggesting that a company is being targeted. ***. Although this work is actor-agnostic, China is acknowledged to be the greatest threat. Director General MI5 noted:

"when we are talking about the protection of Intellectual Property, economic security, those kinds of themes, mostly in that space we are talking about the threat of China. Russia does also spy against particular sectors, you know, most famously Energy, but for the most part the chunk of CPNI that is addressing espionage and the theft of information and those kinds of influence risks is mostly there to tackle ***."

Director GCHQ told us that NCSC "seeks to investigate Chinese cyber intrusions and defend against them, including advising our Critical National Infrastructure, our military and defence colleagues on how best to defend". NCSC carries out its defensive role by:

providing bespoke advice and guidance; working with providers of Critical National Infrastructure on bespoke projects to enhance standards; responding to incidents; and engaging in proactive research and design in order to help the sector think about its vulnerabilities end-to-end. This might include: identifying the networks and information systems that are critical; carrying out risk reviews;