WEDNESDAY 30 JANUARY 2002

MS GLORIA CRAIG, MR LLOYD CLARKE AND MR JOHN COCHRANE

  127. Ms Craig, Mr Cochrane, Mr Clarke, you are welcome. I must apologise to anyone who stumbled upon this Committee. We will be doing something, if not unique, rather an aberration for us. We are having a short public session and then I am afraid we are going into a private session, although some of the information we elicit during the private session will be made available after the Ministry of Defence has rewritten it, which I suspect they will do fairly extensively—I do not mean rewrite but expunge Nixon-like nine-tenths of what has been said. However I still apologise in advance because we shall have to throw you out. Ms Craig, would you like to make a brief introductory statement—and perhaps while doing so you could tell us the difference between Director General Security and Safety and Director Defence Security; we are a bit confused about the difference. We know what the Ministry of Defence Police do.

  (Ms Craig) Perhaps I could start by telling you a bit about what we do so that you understand how we fit in. I am Director General of Security and Safety, so half of my responsibility is health, safety and the environment (but we are not talking about that today, I hope). The other side of my responsibility is as the Departmental Security Officer. In that I am responsible to Ministers for the organisation and maintenance of security across the MoD My role in that is to develop security policy, to set standards and to ensure that they are met across the MoD. In corporate governance parlance I am the person who provides the Permanent Secretary at the end of the year with a certificate of assurance that security risks are being properly managed. I am directly assisted in that security role by two deputies. One of them, Mr John Cochrane, sitting on my right, is the Director of Defence Security; he is responsible for developing security and for setting standards. There is another one who is not here today who looks after IT accreditation and audit. On my left is Mr Lloyd Clarke, the Chief Constable, and you know what he does. We also have some colleagues in the back row. I will not introduce them.

  128. Please do, we like to know who is who.
  (Ms Craig) If I can remember who they all are!

  129. I have caught you out! Perhaps they can introduce themselves
  (Ms Craig) I shall tell you in general how they fit in. The responsibility for implementing security risk management lies with the chain of command. So each top-level budget holder or TLB, as we will probably refer to them, and each Trading Fund Chief Executive is a risk owner. Each of those people is accountable to Ministers for ensuring that adequate security measures are carried out in their own area. Each of them is helped in the task of managing security by a Principal Security Adviser. There are 11 TLBs and four trading funds in the Ministry of Defence. We have not tried to squeeze them all in here today, you will be relieved to hear. But we have got five of them. May I introduce Brigadier Roger Brunt, who looks after the army, Air Commodore Clive Morgan, who is from the RAF, Mr Fred Wood, who looks after the Defence Logistics Organisation, Andy Gray, who looks after the MoD headquarters, and Mr Phil Betts, who looks after the Defence Procurement Agency.

   130. That is pretty impressive, I must say.
  (Ms Craig) We also have here Mr John Barton, who is sitting right behind me, from the MoD's Home and Special Forces Secretariat. He is here just to take a note in case there are any issues that arise that go beyond my own responsibilities, which are limited to the defence estate, which I gather you will be covering on 13 February.

  131. Thank you. Have ministerial responsibilities got any simpler or more complicated?
  (Ms Craig) They are still spread amongst the Ministers. Dr Moonie is the main minister who is concerned with security issues.[3]

  132. Could you send us a note on who is exactly responsible for what, please, because it is beyond comprehension.
  (Ms Craig) The ministerial responsibilities, do you mean?

  133. Yes. Did you want to say anything else?
  (Ms Craig) If I could just make a brief statement about what has been happening on the defence estate since 11 September, the first point I would make is that, as our memorandum says, the MoD has for many years had a high base-line of security which has been put in place in response to the long-standing threat from Irish terrorism. Awareness of the terrorist threat among both service personnel and MoD civilians has been at a high level and there are well-developed procedures for rapid changes in the alert state as well as maintaining liaison with the police and other civil authorities. But the 11 September, together with the subsequent anthrax incidents in the United States, caused us to look afresh at many of our security arrangements. On the ground, the top level budget holders have taken various additional measures to tighten up security at their establishments. Our memorandum cites a few of them. Centrally, I and my staff have been carrying out a number of reviews, either in conjunction with the Cabinet Office or with others in the MoD, into different aspects of security as and when we have identified the need. That work will continue because we are continuously reviewing and plugging gaps as we come across them in the security area. We would not, of course, want to give our opponents clues as to what some of our specific counter-measures are or where the gaps might be, so I hope the Committee will understand that there are certain limits to what we are able to discuss in a public forum but we will try to be as helpful as we can.

  134. Thank you. Perhaps you can tell us what the key planks of the new structure are and why the specific changes were needed.
  (Ms Craig) The first point is that this review dates back to 1999. I was asked to undertake it when I first took up my post at the end of 1999. It was approved by the Defence Management Board at the beginning of 2001 and came into effect on 1 April last year. In a nutshell what it aims to do is to bring security structures and management into the modern world. There had been an earlier review of security in 1994—it was one of the defence cost studies—which I actually undertook and that had started the process of modernising by doing a number of things. Notably it set up the Defence Vetting Agency as the purple body to carry out all the vetting on behalf of the armed forces and the civilian side, it abolished the four directorships of security policy that existed then and it produced a single manual for security which is called JSP 440, which I am sure we will refer to quite a lot today. But by 1999 there were several new drivers for change. First of all, the Strategic Defence Review had introduced an increased emphasis on joint operations, and there was also the Purple Defence Logistics Organisation, which was set up as a result of that, and in addition there was growing connectivity of our IT systems. All of those things together meant that we had to do things differently. In addition there were a number of things wrong with the old approach to security. In the first place, our structures did not really distinguish clearly between who owned the risk and who were the advisers on the risk. Secondly, the formulation of policy was spread across a number of areas. Thirdly, there was no independent audit capability and, fourthly, there was an incomplete understanding of risk management around the department. I might add to that, I sensed, certainly when I arrived back in the Ministry to do this job, that there was in some parts of the Ministry an unsatisfactory attitude towards security. There was a sense that people saw it as an irritating optional extra. So the key aim of the Security Structures Review was to ensure that security was treated as part of core business and not as an optional extra. One of the most important measures that we adopted was to do away with the old concept of security authorities; we replaced that with security advisers to the top-level budget holders. The top-level budget holders themselves were given letters of delegation, which made quite clear where the accountability for security rested. Each TLB and Trading Fund was given its own principal security adviser, although the armed forces chose to share three between six of them. We also brought together policy making in one body under John Cochrane and we also brought together the accreditation of corporate IT systems—the ones that crossed boundaries, which increasingly is the case—in a new organisation, the Defence Security Standards Organisation. Last but not least, we brought in an independent audit function under the DSSO, under me, so that we could have better oversight as to what was going on out there. That has been in place since 1 April, which is not very long, but I am generally very happy with the way it is working.

  135. If there were all these deficiencies in what had taken place hitherto, that is probably during the Cold War, we have to be relieved that we survived it if our security operations were in such need of fundamental reform (but that is a historical point and not a contemporary one). If I can follow this up, has the devolution of responsibility from the centre to the top-level budget holders been matched by a devolution of resources?
  (Ms Craig) Just to clarify, there was not a devolution of responsibility, because the responsibility was always with the TLBs in actual fact. What we did with the Structures Review was just to make that point clear and make clear within the TLBs who held the responsibility. By having these things called security authorities there was the tendency to think that it was the security people in charge; in actual fact the buck stops with the TLB holders and we have now made that clear. But the responsibility was always with them, it never actually was with the centre; the centre sets the standards but the responsibility for carrying out security has always been with the local commanders and the TLB holders

  136. There has been in the past some evidence that security being a grudge purchase is not just limited to the private sector but to cash-strapped top-level budget holders who are having difficulties in making ends meet and therefore security is something that potentially could be, if not relegated, somewhat downgraded in terms of what is spent now. What will you be able to do in the centre to ensure that that does not happen?
  (Ms Craig) I think that by placing the responsibility with them and by making the security advisers very clear about their own role, we will gradually find—and I think we are already seeing—a greater acceptance of ultimate responsibility. In the past what tended to happen was that the business managers (for want of a better word) would say "I would like to do something" and the security authorities would say "No, you can't do that because the rules don't allow you". There was often a debate between them but that was the relationship. What we are trying to get much clearer now is that it is the security adviser's job to tell the business managers how they could do something safely and what the risks would be if they were to do it. So we would expect a much more intelligent debate taking place, so that the security advisers would say "Yes, do it this way, but these are the risks, this is how you might mitigate them and this is the residual risk that you would be left with; it's now up to you to take the decision". In practice what we have found is that the business managers then become a lot more cautious about taking a decision, because they hold the responsibility.

  137. Will the centre be allocating marked funds specifically designated for security or will that be up to the top-level budget holders?
  (Ms Craig) They each have their own budget, but what I am doing on top of that is to institute an audit function, which has not yet got going—it is still in the pilot stage—but that will be keeping a close look at what the TLBs are actually doing.

  138. Would you expect them to use all the money allocated to them for security or will there be any temptation for them to syphon off some money in security and put it into something else?
  (Ms Craig) Money is not actually allocated in that way. If they needed to make security enhancements they would bid for those measures to the centre; they would find the money either within their own budget or they would have to bid centrally for it.

  139. Can the advisers appeal over the heads of their bosses to you or to somebody?
  (Ms Craig) Yes, they do not have any direct line of responsibility to me but I would expect that if any of them had any problems with what their business managers were doing, they would come to me and pray me in aid. That has not happened yet, but they all know they could do that if they felt they needed to.