Examination of Witnesses (Questions 760
WEDNESDAY 10 APRIL 2002
760. The refocusing is very interesting.
September 11 changed everyone's attitude and it was a wake-up
call for everyone, I think. Was the refocus because of 11 September
or just merely because the progress in the industry has changed?
(Mr Wood) I do not know whether we are going to come
on to talking about that flow of information from Government but
I have been arguing for some time that actually the whole terrorist
threat which historically we focused on being aimed at the defence
sector or the defence industry really is not there any more, it
has gone and other parts of the commercial infrastructure are
just as vulnerable to terrorist attack as the military were during
PIRA's mainland campaigns and other activities and the like. Government
has continued to provide to the public sector advice and guidance
on threat levels and how to protect its infrastructure and, in
fact, across the support of the defence industry, the List X companies,
they have continued to provide that level of support and advice
and guidance on threat levels but they really have not provided
it to the private sector. For some time we have been pushing the
Cabinet Office to open that door to us because we were aware that
the security services and others provide direct advice and assessment
to the defence industry but they were not necessarily providing
it to other spheres. I wrote to the Cabinet Office and have managed
to open up that conduit and therefore we are getting some of that
advice, but that needs to be made more available to my other colleagues
in the financial sector and to other areas of industry. I actually
think that Government has a duty of care to provide that information
because if they did not and they had made that information available
to a defence industry and yet there was somebody injured as a
consequence of a direct attack focused on another part of the
commercial sector and the defence sector had been able to prepare
for it but commercial industry had not because they had not had
the information available to them, there would be a very, very
difficult area of judgment to be made there about who was responsible
for not providing that adequate protection and advice.
761. I was talking originally about identifying
critical places, nodal points, sites and targets as such. How
much further information would you require apart from the identification
of sites? Clearly you might put that in a letter, it might well
be secret, but there must be information from Government that
you require more than just the identification of geographical
sites. That is all done. You probably do not want to expose that.
(Mr Wood) No, I do not think it is done. We do need
to focus into that area and I think we need to have that more
readily available to the private sector.
762. If you have any documentation on this
it would be helpful.
(Mr Wood) I do not have any that is particular for
me, I am calling on previous experience.
763. I will not ask you publicly what your
previous job was but if you could drop us a note because it would
be interesting to know who is doing that job now inside the system.
At least it will give us a clue as to what kind of thinking is
(Mr Sharp) I was going to talk about not just the
terrorist threat. We have seen many instances where critical infrastructure
has been affected. I am thinking of the major chemical explosion
that happened at Toulouse last year, not long after September
11, the fireworks explosion that happened in Holland. There was
a smaller incident which caused great consternation to the local
community in Gloucestershire when a fire took place at a waste
processing plant and they were not aware of what was in the plant,
the village was covered with toxic fumes, and then we had the
floods which made it even worse. When it was revealed what was
in the site it was realised it was extremely dangerous. There
was something that happened in the States in work under Clinton's
administration created by James Lee-Whit, who was head of FEMA,
called Project Impact. What it looked at was trying to get communities
to work together to increase their resilience to any incident
. They had certainly done some of this work before for New York.
It said "what are the threats to our community", whatever
the size, and "how can we as a community work together to
minimise that prior to that occurring, no matter what it is, whether
it is terrorism, explosion or flooding?" Again, talking to
the Civil Contingencies Secretariat, I believe that is something
that the Government could lead on, encouraging this resilience
planning by communities, across commercial and local government
and amenity services, so that resources could be worked out beforehand.
They can look at the smaller and medium enterprises in the area
and how can we help them be resilient. If you look at when we
have had floods, it was the smaller and medium enterprises that
suffered because the local authorities have to protect civil life
and not business. I think we have a lot to learn from Project
Impact and we could use that in the UK.
(Mr Gamble) One of the areas that we would really
like information from Government on is what do they think would
be the impact of a dirty nuclear bomb in London. It is a horrible
subject to talk about but unless we have thought it through we
are just going to be completely lost when it happens, if it happens,
let us hope it does not. That is the sort of thing that we would
welcome. It might have to be done in a very careful manner and
it does seem to me that the City, regrettably, is a very significant
target and we ought to know how we would manage our staff and
the continuity in that situation, but we need help, we do not
have that information as to what might happen.
764. Just some questions about vulnerabilities.
It must obviously be difficult to admit one's own vulnerability
but it must be even more difficult when it comes to a commercial
institution. As I think someone said earlier, reputation is quite
important. Are companies willing to be open enough with the Government
to admit their true vulnerabilities? Do some firms see some commercial
advantage in keeping quiet about security lapses?
(Mr Gamble) I am sure the answer to the second bit
is yes, some people just want to keep it quiet. There are one
or two notable cases where banks have got into difficulties, particularly
where they have been blackmailed and they have paid up and kept
quiet about it rather than let people know that their system has
been hacked into. Regrettably there will always be that aspect
but I do not believe that it is particularly relevant.
765. That is understandable, is it not,
from the public point of view but I am talking really about in
consultation with Government. Is there enough trust to consult
(Mr Sharp) I believe that there is a sharing between
themselves of information on security that group do share.
(Mr Wood) I think so. In addition, we are seeing a
different approach from those areas of Government that are starting
to talk about more about open Government and are actually even
prepared to sign confidentiality agreements between themselves
and commercial companies. You are touching on the subject of hacking
and the head of the High Tech National Crime Unit has made quite
clear that is one of the things he would be prepared to do, to
enter into that flow of information between themselves and industry
to try and encourage. They need to learn from the issues as well
and they need to understand where those threats are and if they
do not get the full picture of incidents and activities then they
are not able to plan counter-measures and think about it. As long
as it was a two-way flow and there was a confidentiality surrounding
it, I do not think there is a problem.
766. Is there enough vigour in identifying
one's own vulnerabilities? There is a temptation sometimes to
not find out sometimes. Are companies exercising their full security
capabilities in discovering what their vulnerabilities are?
(Mr Wood) There will always be the surprises. No matter
what planning and reviewing you do I never ceased to be amazed
by what someone might think about doing next because in terms
of IT certainly there is always someone trying to be one step
ahead of you and you see that with regard to the way viruses can
propagate very quickly across the Internet and then into businesses
and cause significant disruption. As part of doing good risk analysis
and if you are taking the subject seriously then you should be
able to identify the core vulnerabilities and the critical weaknesses
in your infrastructures and in your systems. Sometimes you might
not want to face up to them straight away but if you are trying
to be realistic about continuing to operate you have to face up
to the reality of these things, but still things will surprise
you. You will not cover every eventuality because somebody else
brighter around the corner is coming up with the next threat.
We go back to September 11 but none of us sitting here today probably
ever anticipated that activity. Nobody probably ever anticipated
that sort of impact and the fact that other human beings would
be prepared to cause such devastating damage on a community. I
think it has opened the box of saying the unthinkable is now there,
you cannot say that the unthinkable will not happen any more because
it has happened.
767. What about legislation? Is there a
role for ensuring that the private sector be required to disclose
security lapses to the Government, for instance? Do you think
that is appropriate? You pretty well accept that some companies
would see a commercial advantage in not disclosing a security
lapse, that might well be in their best interest but not in the
best interest of the country.
(Mr Gamble) It would be very difficult to police,
would it not?
(Mr Wood) I think it is very difficult to define the
security lapse as well. I think it would be a very difficult area
to legislate for. I do believe that if there is more co-operation
between central government and the private sector and that trust
is built, there will be more disclosure.
(Mr Sharp) I think that is the very thing, it is co-operation
rather than requiring. It is a sharing, it is working together
because you cannot separate Government organisations from the
private sector any more. If we talked about Government business
and are the records protected? Where IT processing is done by
the private sector there would be full disclosure between the
private contractor who is managing the contract and the Government
agency on whose behalf it is managing it.
768. Is there any role for legislation at
all for commercial secrecy issues, for example, that the Government
might help with?
(Mr Sharp) I personally do not think so.
(Mr Gamble) I cannot see it.
769. You were saying, Mr Wood, how we did
not anticipate, or the vast majority of us did not, the events
of 11 September. We did, however, all seem to massively convince
ourselves that disaster would strike on 31 December 1999 and I
confess I, and I think many others, got totally fed up with hearing
about the millennium and all the possible disasters, let alone
feeling sorry for those friends who were required to forego celebrating
the new year while they went in and sat in their offices.
(Mr Wood) I was one of them.
770. You have my sympathy. It does seem
that the Y2K issue did wake up companies to prepare for a possible
collapse of information technology structures and systems. Was
that the case, that that did result in increased resilience being
created from that experience?
(Mr Wood) I think it is true to say that it had an
impact over that particular period and that it was a good opportunity
for organisations and institutions and governments to think about
the problem and to think about testing and being prepared for
it and, therefore, I think it raised awareness significantly right
the way across the UK and then further afield into the rest of
the world. Do I personally think it was a good exercise? I am
sceptical. I still am very sceptical about the impact of what
Y2K was all about. We did not really see any major substantial
failures or activities that I am aware of, certainly in the UK,
nothing that was major or devastating. I do not know whether that
was just because of the planning and preparedness and the activities
that took place. But if you then go and look at it further afield
and say where were the big disasters in the Third World and other
countries where, in fact, they probably did not spend the same
degree of focus, they did not materialise either. I remain very
sceptical about how much we needed to have done with regard to
Y2K. To answer your specific question about did it help people
to think about resilience, yes, it did but I think it was very
(Mr Sharp) It is interesting because in the UK last
year it was reported that a particular hospital's records on cervical
cancer smears were wrong, the test results were wrong, and that
was a Y2K problem. On 1 January 2001 all the railway engines in
Norway would not start. In America the Seven-Eleven stores throughout
Dallas failed to operate their computer systems. These were people
who had done things and had not done them properly, there is evidence
of that. There were a lot of things that happened that were very
quickly put right, patched up or covered up. It did raise awareness,
the problem was because nothing happened of any consequence people
said it was a waste of money. I think at the time somebody who
was working in the Cabinet Office commented "you protect
everybody against diphtheria; when nobody gets diphtheria you
do not criticise" and that was the situation, we did all
that work to protect and it was effective but the problem was
because there was not any evidence to say "if you had not
done it, this was what happened". Six months later people
had disbanded the teams who had done the work, destroyed the records
of what equipment they had got and said it is never going to be
a problem again and then, of course, it re-emerges in another
form. We saw a heightened awareness and then it fell away. Then
Turnbull and corporate governance raised it and then it fell away.
September 11 has raised it and already in North America, in Canada.
The Centre for emergency preparedness it is indicating that it
is beginning to fade in people's memories. If you are in Milton
Keynes are you under threat? Immediately you start to rationalise
that you are not under threat. I think that is part of the cycle
that we go through. We need major incidents to make people aware
that you cannot drop your guard, unfortunately. Would you agree?
(Mr Wood) I think there is a very easy by which these
sights very quickly fade out of people's minds.
771. I think you have effectively answered
my second question which was the events of September 11 have been
seen by some as absolutely awful but it was a one-off event and
people are beginning to relax their view of what action needs
to be taken. You seemed to suggest that you do think that terrorists
could deliberately, again, target the private sector and you referred
to the City of London being seen as potentially a target site.
In spite of trying to persuade people that they should not relax
in their efforts, are you confident that there is that perception
generally in the private sector, that knowledge and awareness
that it could be the target of terrorist activity?
(Mr Wood) I think it is certainly in the minds of
the security specialists and the other people from a police perspective
and from a Government perspective who are fighting terrorism that
it is there and it will not go away, that we have a heightened
risk and it will happen at some point in the future. There was
the event of Reid attempting to board the aircraft and carry out
the terrorist attack that he did, again an opportunist terrorist,
whether he was actually directed to do that by some organisation
or whether he took it upon himself to do it, those risks remain
and we need to remain vigilant to those risks. It is extremely
difficult and it is the one problem that as a security specialist
you constantly face in all walks of life, convincing people that
the threat is real and that the risk is high and then making sure
that you have an acceptable level of compensation measures in
place and keeping your preparedness ready to be able to deal with
it. You can only do that from continuous education but eventually
when nothing has happened they drop their guard and there is not
very much you can do to change that because that is just the mentality
and approach that we have in society. There is this issue about
will it happen here, what could be the impact, people focusing
on how it personally affects them at a given time and I think
that is why we have seen the reduction in air travel and it is
now starting to pick up again. They have some ideas in their mind
sets about what is acceptable and where they see the risks. Certainly
I have problems sometimes with people still wanting to fly and
reassuring them about security at the airport and security of
airlines is paramount in that awareness issue. Yes, it has faded
in a lot of people's minds and it is an horrendous job keeping
people focused on the threat and at the same time not over-egging
it, because that is the real balance, making sure that they are
aware and that you push the right buttons to get their awareness
to a heightened level when there is something worth making them
more aware of.
(Mr Sharp) I think it is interesting to note also
that terrorism comes in many forms. If we consider Huntingdon
Life Sciences, two people started a campaign and it has now spread
out into the insurance industry where they have identified the
companies who are insuring and they are targeting them now and
they will not stop until they have completely shut Huntingdon
Life Sciences. It is another form of terrorism. In terms of can
we maintain that awareness of risk, there is a revision of company
law proposed and it has gone through the consultation process
and one of the proposals in that is that all companies shall submit
a certificate which includes a statement about various things,
one of which includes the issue about how they are managing risks.
If that does move into company law, and that was in the last paper
that was produced, it has now gone to the drafting stage
772. Forgive my ignorance, but what is the
title of it?
(Mr Sharp) It is a revision of company law I think.
773. I was the only one courageous enough
to ask. I was too intimidated to look at our advisers to see if
they were aware.
(Mr Sharp) Within that there is an opportunity to
encourage quite stronglyremember what we said about the
FSA need to be more firmpeople to take risk and continuity
more seriously. I think that is a unique opportunity which you
should seize upon.
774. You have mentioned the City of London
but just thinking ahead, which top three areas would you identify
as the areas of greatest vulnerability?
(Mr Sharp) That is a good one.
(Mr Wood) I am quite happy to have a stab at that.
I think experience will show us very easily where that can come
from. I think the City is there and that is a focal point, but
not just necessarily the City square mile, the wider concept of
London. We have seen suggestions that there was a planned ship
going to come and cause devastation at Canary Wharf, which we
read about and was speculated about in the press. I think it goes
wider than the square mile. The other major area which we have
also seen, fortunately being thwarted, was the attack on the core
electricity systems in the United Kingdom and we have seen issues
on other power and utility industries. I think the three core
areas for me would be the City and its surrounds, the power and
utilities industries, gas and electricity, oil, and I think air
transport. Those are still the areas that I would focus on and
be concerned about.
(Mr Gamble) Just an idea of how when you start talking
to colleagues you come up with these ideas. ***
(Mr Gamble) ***
Mr Roy: ***.
776. Moving away from the level of the company
or the organisation to the City of London and however far out
you want to go from it. The City of London did quite a lot in
the 1970s, 1980s and the 1990s and so on as a result of the PIRA
attacks, the Irish attacks. I do not think I need to tell you
what they all were, some were hidden, some were very apparent.
How far do you think they have got to be recalibrated, rethought?
(Mr Wood) I do not think they need to be significantly.
The way in which the City of London Police, the Metropolitan Police
and the other communities have those plans in place to fight the
type of terrorism that we saw in those periods of time could be
put into action very quickly and, in fact, we have seen measures
both overt and covert being put into place. I think they are very
well prepared and certainly from the liaison that I have with
them I am very confident that they provide the level of protection
that we would want to see. I think though there are other issues
that we are not quite sure about and that rests with what would
we do if we faced, like Israel is facing now, the suicide bomber
just turning up? How do we deal with that? I do not think we can
put in preparedness and measures to deal with that. Then to the
other extreme, and colleagues touched on it earlier, the level
of terrorism and activity has changed but it causes significant
disruption to business. We are already thinking about what is
going to happen on May 1. We have actually started to see
the environmentalist protesters, the radical protesters, become
much more vociferous, much more forceful, much more aggressive
in their stance. They are well aware of where they can go from
a legal perspective, what is legally acceptable, but still cause
significant disruption, and then there are those who are clearly
the rent-a-mob crew who want to come and cause significant disruption
to the City. It is how you deal with those sort of things. On
May 1 two years ago there was significant disruption, last year
it was much more controlled, much more well policed and focused
and they learned the lessons from that. I think the police and
the communities that are directly responsible for that are very
well prepared to deal with those things.
777. Just to make sure I understand, in
relation to anything that an organisation like PIRA could throw
at the City, what we have in place is robust enough to do what
needs to be done?
(Mr Wood) As long as they do not change their modus
778. Just let us assume for a second that
it is not at that level. I am not suggesting a plane going into
a building because that is somebody else who would prevent that,
but the next stage of the escalation of terrorism. Are you sure
then that the plans in place for the City of London are robust
(Mr Wood) It is very difficult to actually plan for
some of those inevitable events, where do you start? The key to
that is good intelligence and being able to work proactively to
try and make sure that you can thwart that activity. It is difficult
to say what further they can do. The real emphasis has got to
come on providing timely intelligence and being able to get the
intelligence on these extreme groups. I think that is something
that we will need to think about carefully.
779. So for the City of Londonperhaps
this is a question more for you than anybody, Mr Gambleinsurance
would be provided at a cost, it may well be a much greater cost
than it may well have been in the years heretofore but there would
not be a question of withdrawal of insurance cover given what
you have just said?
(Mr Gamble) At the moment as far as buildings and
business interruption is concerned, the arrangements are through
an organisation called Pool Re Insurance and behind Pool Re sits
the Treasury. Pool Re has got about £1.2 billion in reserves
which come from people paying in premiums and they have had a
number of major pay-outs as a result of the IRA's activities.
If they went more than £1.2 billion, which is of course what
happened with the World Trade Centre, the Treasury would step
in as the insurer of last resort. The situation at the moment
is the commercial market declines to quote for terrorism insurance,
they are withdrawing in all areas from that. At the moment we
have only got cover for property and business interruption. If
we have public liability or employer's liability, that is not
being covered beyond a certain level at the moment. We are seeing
at every kind of renewal it is being withdrawn. It is a very serious
problem and it will only really start to manifest itself in a
major way toWoods the end of this year I would think. We are in
discussion with the Treasury. They have a particular view of life,
as I am sure you are aware, and their view is generally quite
helpful but they are basically protecting the public purse and
we are saying this is a problem that will not go away, we need
a long-term solution, and quite rightly we cannot expect the insurance
industry to provide that solution, it has to come from Government.
You are the risk managers of the nation and this is a national