Examination of Witnesses (Questions 127
- 139)
WEDNESDAY 30 JANUARY 2002
MS GLORIA
CRAIG, MR
LLOYD CLARKE
AND MR
JOHN COCHRANE
Chairman
127. Ms Craig, Mr Cochrane, Mr Clarke, you are
welcome. I must apologise to anyone who stumbled upon this Committee.
We will be doing something, if not unique, rather an aberration
for us. We are having a short public session and then I am afraid
we are going into a private session, although some of the information
we elicit during the private session will be made available after
the Ministry of Defence has rewritten it, which I suspect they
will do fairly extensivelyI do not mean rewrite but expunge
Nixon-like nine-tenths of what has been said. However I still
apologise in advance because we shall have to throw you out. Ms
Craig, would you like to make a brief introductory statementand
perhaps while doing so you could tell us the difference between
Director General Security and Safety and Director Defence Security;
we are a bit confused about the difference. We know what the Ministry
of Defence Police do.
(Ms Craig) Perhaps I could start by telling
you a bit about what we do so that you understand how we fit in.
I am Director General of Security and Safety, so half of my responsibility
is health, safety and the environment (but we are not talking
about that today, I hope). The other side of my responsibility
is as the Departmental Security Officer. In that I am responsible
to Ministers for the organisation and maintenance of security
across the MoD My role in that is to develop security policy,
to set standards and to ensure that they are met across the MoD.
In corporate governance parlance I am the person who provides
the Permanent Secretary at the end of the year with a certificate
of assurance that security risks are being properly managed. I
am directly assisted in that security role by two deputies. One
of them, Mr John Cochrane, sitting on my right, is the Director
of Defence Security; he is responsible for developing security
and for setting standards. There is another one who is not here
today who looks after IT accreditation and audit. On my left is
Mr Lloyd Clarke, the Chief Constable, and you know what he does.
We also have some colleagues in the back row. I will not introduce
them.
128. Please do, we like to know who is who.
(Ms Craig) If I can remember who they all are!
129. I have caught you out! Perhaps they can
introduce themselves
(Ms Craig) I shall tell you in general how they fit
in. The responsibility for implementing security risk management
lies with the chain of command. So each top-level budget holder
or TLB, as we will probably refer to them, and each Trading Fund
Chief Executive is a risk owner. Each of those people is accountable
to Ministers for ensuring that adequate security measures are
carried out in their own area. Each of them is helped in the task
of managing security by a Principal Security Adviser. There are
11 TLBs and four trading funds in the Ministry of Defence. We
have not tried to squeeze them all in here today, you will be
relieved to hear. But we have got five of them. May I introduce
Brigadier Roger Brunt, who looks after the army, Air Commodore
Clive Morgan, who is from the RAF, Mr Fred Wood, who looks after
the Defence Logistics Organisation, Andy Gray, who looks after
the MoD headquarters, and Mr Phil Betts, who looks after the Defence
Procurement Agency.
130. That is pretty impressive, I must say.
(Ms Craig) We also have here Mr John Barton, who is
sitting right behind me, from the MoD's Home and Special Forces
Secretariat. He is here just to take a note in case there are
any issues that arise that go beyond my own responsibilities,
which are limited to the defence estate, which I gather you will
be covering on 13 February.
131. Thank you. Have ministerial responsibilities
got any simpler or more complicated?
(Ms Craig) They are still spread amongst the Ministers.
Dr Moonie is the main minister who is concerned with security
issues.[3]
132. Could you send us a note on who is exactly
responsible for what, please, because it is beyond comprehension.
(Ms Craig) The ministerial responsibilities, do you
mean?
133. Yes. Did you want to say anything else?
(Ms Craig) If I could just make a brief statement
about what has been happening on the defence estate since 11 September,
the first point I would make is that, as our memorandum says,
the MoD has for many years had a high base-line of security which
has been put in place in response to the long-standing threat
from Irish terrorism. Awareness of the terrorist threat among
both service personnel and MoD civilians has been at a high level
and there are well-developed procedures for rapid changes in the
alert state as well as maintaining liaison with the police and
other civil authorities. But the 11 September, together with the
subsequent anthrax incidents in the United States, caused us to
look afresh at many of our security arrangements. On the ground,
the top level budget holders have taken various additional measures
to tighten up security at their establishments. Our memorandum
cites a few of them. Centrally, I and my staff have been carrying
out a number of reviews, either in conjunction with the Cabinet
Office or with others in the MoD, into different aspects of security
as and when we have identified the need. That work will continue
because we are continuously reviewing and plugging gaps as we
come across them in the security area. We would not, of course,
want to give our opponents clues as to what some of our specific
counter-measures are or where the gaps might be, so I hope the
Committee will understand that there are certain limits to what
we are able to discuss in a public forum but we will try to be
as helpful as we can.
134. Thank you. Perhaps you can tell us what
the key planks of the new structure are and why the specific changes
were needed.
(Ms Craig) The first point is that this review dates
back to 1999. I was asked to undertake it when I first took up
my post at the end of 1999. It was approved by the Defence Management
Board at the beginning of 2001 and came into effect on 1 April
last year. In a nutshell what it aims to do is to bring security
structures and management into the modern world. There had been
an earlier review of security in 1994it was one of the
defence cost studieswhich I actually undertook and that
had started the process of modernising by doing a number of things.
Notably it set up the Defence Vetting Agency as the purple body
to carry out all the vetting on behalf of the armed forces and
the civilian side, it abolished the four directorships of security
policy that existed then and it produced a single manual for security
which is called JSP 440, which I am sure we will refer to quite
a lot today. But by 1999 there were several new drivers for change.
First of all, the Strategic Defence Review had introduced an increased
emphasis on joint operations, and there was also the Purple Defence
Logistics Organisation, which was set up as a result of that,
and in addition there was growing connectivity of our IT systems.
All of those things together meant that we had to do things differently.
In addition there were a number of things wrong with the old approach
to security. In the first place, our structures did not really
distinguish clearly between who owned the risk and who were the
advisers on the risk. Secondly, the formulation of policy was
spread across a number of areas. Thirdly, there was no independent
audit capability and, fourthly, there was an incomplete understanding
of risk management around the department. I might add to that,
I sensed, certainly when I arrived back in the Ministry to do
this job, that there was in some parts of the Ministry an unsatisfactory
attitude towards security. There was a sense that people saw it
as an irritating optional extra. So the key aim of the Security
Structures Review was to ensure that security was treated as part
of core business and not as an optional extra. One of the most
important measures that we adopted was to do away with the old
concept of security authorities; we replaced that with security
advisers to the top-level budget holders. The top-level budget
holders themselves were given letters of delegation, which made
quite clear where the accountability for security rested. Each
TLB and Trading Fund was given its own principal security adviser,
although the armed forces chose to share three between six of
them. We also brought together policy making in one body under
John Cochrane and we also brought together the accreditation of
corporate IT systemsthe ones that crossed boundaries, which
increasingly is the casein a new organisation, the Defence
Security Standards Organisation. Last but not least, we brought
in an independent audit function under the DSSO, under me, so
that we could have better oversight as to what was going on out
there. That has been in place since 1 April, which is not very
long, but I am generally very happy with the way it is working.
135. If there were all these deficiencies in
what had taken place hitherto, that is probably during the Cold
War, we have to be relieved that we survived it if our security
operations were in such need of fundamental reform (but that is
a historical point and not a contemporary one). If I can follow
this up, has the devolution of responsibility from the centre
to the top-level budget holders been matched by a devolution of
resources?
(Ms Craig) Just to clarify, there was not a devolution
of responsibility, because the responsibility was always with
the TLBs in actual fact. What we did with the Structures Review
was just to make that point clear and make clear within the TLBs
who held the responsibility. By having these things called security
authorities there was the tendency to think that it was the security
people in charge; in actual fact the buck stops with the TLB holders
and we have now made that clear. But the responsibility was always
with them, it never actually was with the centre; the centre sets
the standards but the responsibility for carrying out security
has always been with the local commanders and the TLB holders
136. There has been in the past some evidence
that security being a grudge purchase is not just limited to the
private sector but to cash-strapped top-level budget holders who
are having difficulties in making ends meet and therefore security
is something that potentially could be, if not relegated, somewhat
downgraded in terms of what is spent now. What will you be able
to do in the centre to ensure that that does not happen?
(Ms Craig) I think that by placing the responsibility
with them and by making the security advisers very clear about
their own role, we will gradually findand I think we are
already seeinga greater acceptance of ultimate responsibility.
In the past what tended to happen was that the business managers
(for want of a better word) would say "I would like to do
something" and the security authorities would say "No,
you can't do that because the rules don't allow you". There
was often a debate between them but that was the relationship.
What we are trying to get much clearer now is that it is the security
adviser's job to tell the business managers how they could do
something safely and what the risks would be if they were to do
it. So we would expect a much more intelligent debate taking place,
so that the security advisers would say "Yes, do it this
way, but these are the risks, this is how you might mitigate them
and this is the residual risk that you would be left with; it's
now up to you to take the decision". In practice what we
have found is that the business managers then become a lot more
cautious about taking a decision, because they hold the responsibility.
137. Will the centre be allocating marked funds
specifically designated for security or will that be up to the
top-level budget holders?
(Ms Craig) They each have their own budget, but what
I am doing on top of that is to institute an audit function, which
has not yet got goingit is still in the pilot stagebut
that will be keeping a close look at what the TLBs are actually
doing.
138. Would you expect them to use all the money
allocated to them for security or will there be any temptation
for them to syphon off some money in security and put it into
something else?
(Ms Craig) Money is not actually allocated in that
way. If they needed to make security enhancements they would bid
for those measures to the centre; they would find the money either
within their own budget or they would have to bid centrally for
it.
139. Can the advisers appeal over the heads
of their bosses to you or to somebody?
(Ms Craig) Yes, they do not have any direct line of
responsibility to me but I would expect that if any of them had
any problems with what their business managers were doing, they
would come to me and pray me in aid. That has not happened yet,
but they all know they could do that if they felt they needed
to.
3 Note from Witness: Minister (Armed Forces),
Mr Ingram, is the main Minister who is concerned with security
issues, while Parliamentary Under-Secretary of State, Dr Moonie,
is responsible for MDP operations. Back
|