Examination of Witnesses (Questions 760 - 779)
WEDNESDAY 10 APRIL 2002
MR JOHN SHARP, MR DAVID GAMBLE AND MR PAUL WOOD, MBE
760. The refocusing is very interesting.
September 11 changed everyone's attitude and it was a wake-up
call for everyone, I think. Was the refocus because of 11 September
or just merely because the progress in the industry has changed?
(Mr Wood) I do not know whether we are going to come
on to talking about that flow of information from Government but
I have been arguing for some time that actually the whole terrorist
threat which historically we focused on being aimed at the defence
sector or the defence industry really is not there any more, it
has gone and other parts of the commercial infrastructure are
just as vulnerable to terrorist attack as the military were during
PIRA's mainland campaigns and other activities and the like. Government
has continued to provide to the public sector advice and guidance
on threat levels and how to protect its infrastructure and, in
fact, across the support of the defence industry, the List X companies,
they have continued to provide that level of support and advice
and guidance on threat levels but they really have not provided
it to the private sector. For some time we have been pushing the
Cabinet Office to open that door to us because we were aware that
the security services and others provide direct advice and assessment
to the defence industry but they were not necessarily providing
it to other spheres. I wrote to the Cabinet Office and have managed
to open up that conduit and therefore we are getting some of that
advice, but that needs to be made more available to my other colleagues
in the financial sector and to other areas of industry. I actually
think that Government has a duty of care to provide that information
because if they did not and they had made that information available
to a defence industry and yet there was somebody injured as a
consequence of a direct attack focused on another part of the
commercial sector and the defence sector had been able to prepare
for it but commercial industry had not because they had not had
the information available to them, there would be a very, very
difficult area of judgment to be made there about who was responsible
for not providing that adequate protection and advice.
761. I was talking originally about identifying
critical places, nodal points, sites and targets as such. How
much further information would you require apart from the identification
of sites? Clearly you might put that in a letter, it might well
be secret, but there must be information from Government that
you require more than just the identification of geographical
sites. That is all done. You probably do not want to expose that.
(Mr Wood) No, I do not think it is done. We do need
to focus into that area and I think we need to have that more
readily available to the private sector.
Chairman
762. If you have any documentation on this
it would be helpful.
(Mr Wood) I do not have any that is particular for
me, I am calling on previous experience.
763. I will not ask you publicly what your
previous job was but if you could drop us a note because it would
be interesting to know who is doing that job now inside the system.
At least it will give us a clue as to what kind of thinking is
going on.
(Mr Sharp) I was going to talk about not just the
terrorist threat. We have seen many instances where critical infrastructure
has been affected. I am thinking of the major chemical explosion
that happened at Toulouse last year, not long after September
11, the fireworks explosion that happened in Holland. There was
a smaller incident which caused great consternation to the local
community in Gloucestershire when a fire took place at a waste
processing plant and they were not aware of what was in the plant,
the village was covered with toxic fumes, and then we had the
floods which made it even worse. When it was revealed what was
in the site it was realised it was extremely dangerous. There
was something that happened in the States in work under Clinton's
administration created by James Lee-Whit, who was head of FEMA,
called Project Impact. What it looked at was trying to get communities
to work together to increase their resilience to any incident.
They had certainly done some of this work before for New York.
It said "what are the threats to our community", whatever
the size, and "how can we as a community work together to
minimise that prior to that occurring, no matter what it is, whether
it is terrorism, explosion or flooding?" Again, talking to
the Civil Contingencies Secretariat, I believe that is something
that the Government could lead on, encouraging this resilience
planning by communities, across commercial and local government
and amenity services, so that resources could be worked out beforehand.
They can look at the smaller and medium enterprises in the area
and how can we help them be resilient. If you look at when we
have had floods, it was the smaller and medium enterprises that
suffered because the local authorities have to protect civil life
and not business. I think we have a lot to learn from Project
Impact and we could use that in the UK.
(Mr Gamble) One of the areas that we would really
like information from Government on is what do they think would
be the impact of a dirty nuclear bomb in London. It is a horrible
subject to talk about but unless we have thought it through we
are just going to be completely lost when it happens, if it happens,
let us hope it does not. That is the sort of thing that we would
welcome. It might have to be done in a very careful manner and
it does seem to me that the City, regrettably, is a very significant
target and we ought to know how we would manage our staff and
the continuity in that situation, but we need help, we do not
have that information as to what might happen.
Mr Crausby
764. Just some questions about vulnerabilities.
It must obviously be difficult to admit one's own vulnerability
but it must be even more difficult when it comes to a commercial
institution. As I think someone said earlier, reputation is quite
important. Are companies willing to be open enough with the Government
to admit their true vulnerabilities? Do some firms see some commercial
advantage in keeping quiet about security lapses?
(Mr Gamble) I am sure the answer to the second bit
is yes, some people just want to keep it quiet. There are one
or two notable cases where banks have got into difficulties, particularly
where they have been blackmailed and they have paid up and kept
quiet about it rather than let people know that their system has
been hacked into. Regrettably there will always be that aspect
but I do not believe that it is particularly relevant.
765. That is understandable, is it not,
from the public point of view but I am talking really about in
consultation with Government. Is there enough trust to consult
Government?
(Mr Sharp) I believe that there is a sharing between
themselves of information on security that group do share.
(Mr Wood) I think so. In addition, we are seeing a
different approach from those areas of Government that are starting
to talk about more about open Government and are actually even
prepared to sign confidentiality agreements between themselves
and commercial companies. You are touching on the subject of hacking
and the head of the High Tech National Crime Unit has made quite
clear that is one of the things he would be prepared to do, to
enter into that flow of information between themselves and industry
to try and encourage. They need to learn from the issues as well
and they need to understand where those threats are and if they
do not get the full picture of incidents and activities then they
are not able to plan counter-measures and think about it. As long
as it was a two-way flow and there was a confidentiality surrounding
it, I do not think there is a problem.
766. Is there enough vigour in identifying
one's own vulnerabilities? There is a temptation sometimes to
not find out sometimes. Are companies exercising their full security
capabilities in discovering what their vulnerabilities are?
(Mr Wood) There will always be the surprises. No matter
what planning and reviewing you do I never ceased to be amazed
by what someone might think about doing next because in terms
of IT certainly there is always someone trying to be one step
ahead of you and you see that with regard to the way viruses can
propagate very quickly across the Internet and then into businesses
and cause significant disruption. As part of doing good risk analysis
and if you are taking the subject seriously then you should be
able to identify the core vulnerabilities and the critical weaknesses
in your infrastructures and in your systems. Sometimes you might
not want to face up to them straight away but if you are trying
to be realistic about continuing to operate you have to face up
to the reality of these things, but still things will surprise
you. You will not cover every eventuality because somebody else
brighter around the corner is coming up with the next threat.
We go back to September 11 but none of us sitting here today probably
ever anticipated that activity. Nobody probably ever anticipated
that sort of impact and the fact that other human beings would
be prepared to cause such devastating damage on a community. I
think it has opened the box of saying the unthinkable is now there,
you cannot say that the unthinkable will not happen any more because
it has happened.
767. What about legislation? Is there a
role for ensuring that the private sector be required to disclose
security lapses to the Government, for instance? Do you think
that is appropriate? You pretty well accept that some companies
would see a commercial advantage in not disclosing a security
lapse, that might well be in their best interest but not in the
best interest of the country.
(Mr Gamble) It would be very difficult to police,
would it not?
(Mr Wood) I think it is very difficult to define the
security lapse as well. I think it would be a very difficult area
to legislate for. I do believe that if there is more co-operation
between central government and the private sector and that trust
is built, there will be more disclosure.
(Mr Sharp) I think that is the very thing, it is co-operation
rather than requiring. It is a sharing, it is working together
because you cannot separate Government organisations from the
private sector any more. If we talked about Government business
and are the records protected? Where IT processing is done by
the private sector there would be full disclosure between the
private contractor who is managing the contract and the Government
agency on whose behalf it is managing it.
768. Is there any role for legislation at
all for commercial secrecy issues, for example, that the Government
might help with?
(Mr Sharp) I personally do not think so.
(Mr Gamble) I cannot see it.
Rachel Squire
769. You were saying, Mr Wood, how we did
not anticipate, or the vast majority of us did not, the events
of 11 September. We did, however, all seem to massively convince
ourselves that disaster would strike on 31 December 1999 and I
confess I, and I think many others, got totally fed up with hearing
about the millennium and all the possible disasters, let alone
feeling sorry for those friends who were required to forego celebrating
the new year while they went in and sat in their offices.
(Mr Wood) I was one of them.
770. You have my sympathy. It does seem
that the Y2K issue did wake up companies to prepare for a possible
collapse of information technology structures and systems. Was
that the case, that that did result in increased resilience being
created from that experience?
(Mr Wood) I think it is true to say that it had an
impact over that particular period and that it was a good opportunity
for organisations and institutions and governments to think about
the problem and to think about testing and being prepared for
it and, therefore, I think it raised awareness significantly right
the way across the UK and then further afield into the rest of
the world. Do I personally think it was a good exercise? I am
sceptical. I still am very sceptical about the impact of what
Y2K was all about. We did not really see any major substantial
failures or activities that I am aware of, certainly in the UK,
nothing that was major or devastating. I do not know whether that
was just because of the planning and preparedness and the activities
that took place. But if you then go and look at it further afield
and say where were the big disasters in the Third World and other
countries where, in fact, they probably did not spend the same
degree of focus, they did not materialise either. I remain very
sceptical about how much we needed to have done with regard to
Y2K. To answer your specific question about did it help people
to think about resilience, yes, it did but I think it was very
quickly forgotten.
(Mr Sharp) It is interesting because in the UK last
year it was reported that a particular hospital's records on cervical
cancer smears were wrong, the test results were wrong, and that
was a Y2K problem. On 1 January 2001 all the railway engines in
Norway would not start. In America the Seven-Eleven stores throughout
Dallas failed to operate their computer systems. These were people
who had done things and had not done them properly, there is evidence
of that. There were a lot of things that happened that were very
quickly put right, patched up or covered up. It did raise awareness,
the problem was because nothing happened of any consequence people
said it was a waste of money. I think at the time somebody who
was working in the Cabinet Office commented "you protect
everybody against diphtheria; when nobody gets diphtheria you
do not criticise" and that was the situation, we did all
that work to protect and it was effective but the problem was
because there was not any evidence to say "if you had not
done it, this was what happened". Six months later people
had disbanded the teams who had done the work, destroyed the records
of what equipment they had got and said it is never going to be
a problem again and then, of course, it re-emerges in another
form. We saw a heightened awareness and then it fell away. Then
Turnbull and corporate governance raised it and then it fell away.
September 11 has raised it and already in North America, in Canada,
the Centre for Emergency Preparedness is indicating that it
is beginning to fade in people's memories. If you are in Milton
Keynes are you under threat? Immediately you start to rationalise
that you are not under threat. I think that is part of the cycle
that we go through. We need major incidents to make people aware
that you cannot drop your guard, unfortunately. Would you agree?
(Mr Wood) I think there is a very easy by which these
sights very quickly fade out of people's minds.
771. I think you have effectively answered
my second question which was the events of September 11 have been
seen by some as absolutely awful but it was a one-off event and
people are beginning to relax their view of what action needs
to be taken. You seemed to suggest that you do think that terrorists
could deliberately, again, target the private sector and you referred
to the City of London being seen as potentially a target site.
In spite of trying to persuade people that they should not relax
in their efforts, are you confident that there is that perception
generally in the private sector, that knowledge and awareness
that it could be the target of terrorist activity?
(Mr Wood) I think it is certainly in the minds of
the security specialists and the other people from a police perspective
and from a Government perspective who are fighting terrorism that
it is there and it will not go away, that we have a heightened
risk and it will happen at some point in the future. There was
the event of Reid attempting to board the aircraft and carry out
the terrorist attack that he did, again an opportunist terrorist,
whether he was actually directed to do that by some organisation
or whether he took it upon himself to do it, those risks remain
and we need to remain vigilant to those risks. It is extremely
difficult and it is the one problem that as a security specialist
you constantly face in all walks of life, convincing people that
the threat is real and that the risk is high and then making sure
that you have an acceptable level of compensation measures in
place and keeping your preparedness ready to be able to deal with
it. You can only do that from continuous education but eventually
when nothing has happened they drop their guard and there is not
very much you can do to change that because that is just the mentality
and approach that we have in society. There is this issue about
will it happen here, what could be the impact, people focusing
on how it personally affects them at a given time and I think
that is why we have seen the reduction in air travel and it is
now starting to pick up again. They have some ideas in their mind
sets about what is acceptable and where they see the risks. Certainly
I have problems sometimes with people still wanting to fly and
reassuring them about security at the airport and security of
airlines is paramount in that awareness issue. Yes, it has faded
in a lot of people's minds and it is an horrendous job keeping
people focused on the threat and at the same time not over-egging
it, because that is the real balance, making sure that they are
aware and that you push the right buttons to get their awareness
to a heightened level when there is something worth making them
more aware of.
(Mr Sharp) I think it is interesting to note also
that terrorism comes in many forms. If we consider Huntingdon
Life Sciences, two people started a campaign and it has now spread
out into the insurance industry where they have identified the
companies who are insuring and they are targeting them now and
they will not stop until they have completely shut Huntingdon
Life Sciences. It is another form of terrorism. In terms of can
we maintain that awareness of risk, there is a revision of company
law proposed and it has gone through the consultation process
and one of the proposals in that is that all companies shall submit
a certificate which includes a statement about various things,
one of which includes the issue about how they are managing risks.
If that does move into company law, and that was in the last paper
that was produced, it has now gone to the drafting stage
Chairman
772. Forgive my ignorance, but what is the
title of it?
(Mr Sharp) It is a revision of company law I think.
773. I was the only one courageous enough
to ask. I was too intimidated to look at our advisers to see if
they were aware.
(Mr Sharp) Within that there is an opportunity to
encourage quite strongly - remember what we said about the
FSA need to be more firm - people to take risk and continuity
more seriously. I think that is a unique opportunity which you
should seize upon.
Rachel Squire
774. You have mentioned the City of London
but just thinking ahead, which top three areas would you identify
as the areas of greatest vulnerability?
(Mr Sharp) That is a good one.
(Mr Wood) I am quite happy to have a stab at that.
I think experience will show us very easily where that can come
from. I think the City is there and that is a focal point, but
not just necessarily the City square mile, the wider concept of
London. We have seen suggestions that there was a planned ship
going to come and cause devastation at Canary Wharf, which we
read about and was speculated about in the press. I think it goes
wider than the square mile. The other major area which we have
also seen, fortunately being thwarted, was the attack on the core
electricity systems in the United Kingdom and we have seen issues
on other power and utility industries. I think the three core
areas for me would be the City and its surrounds, the power and
utilities industries, gas and electricity, oil, and I think air
transport. Those are still the areas that I would focus on and
be concerned about.
(Mr Gamble) Just an idea of how when you start talking
to colleagues you come up with these ideas. ***
Chairman: ***
Rachel Squire
775. ***
(Mr Gamble) ***
Mr Roy: ***.
Mr Cran
776. Moving away from the level of the company
or the organisation to the City of London and however far out
you want to go from it. The City of London did quite a lot in
the 1970s, 1980s and the 1990s and so on as a result of the PIRA
attacks, the Irish attacks. I do not think I need to tell you
what they all were, some were hidden, some were very apparent.
How far do you think they have got to be recalibrated, rethought?
(Mr Wood) I do not think they need to be significantly.
The way in which the City of London Police, the Metropolitan Police
and the other communities have those plans in place to fight the
type of terrorism that we saw in those periods of time could be
put into action very quickly and, in fact, we have seen measures
both overt and covert being put into place. I think they are very
well prepared and certainly from the liaison that I have with
them I am very confident that they provide the level of protection
that we would want to see. I think though there are other issues
that we are not quite sure about and that rests with what would
we do if we faced, like Israel is facing now, the suicide bomber
just turning up? How do we deal with that? I do not think we can
put in preparedness and measures to deal with that. Then to the
other extreme, and colleagues touched on it earlier, the level
of terrorism and activity has changed but it causes significant
disruption to business. We are already thinking about what is
going to happen on May 1. We have actually started to see
the environmentalist protesters, the radical protesters, become
much more vociferous, much more forceful, much more aggressive
in their stance. They are well aware of where they can go from
a legal perspective, what is legally acceptable, but still cause
significant disruption, and then there are those who are clearly
the rent-a-mob crew who want to come and cause significant disruption
to the City. It is how you deal with those sort of things. On
May 1 two years ago there was significant disruption, last year
it was much more controlled, much more well policed and focused
and they learned the lessons from that. I think the police and
the communities that are directly responsible for that are very
well prepared to deal with those things.
777. Just to make sure I understand, in
relation to anything that an organisation like PIRA could throw
at the City, what we have in place is robust enough to do what
needs to be done?
(Mr Wood) As long as they do not change their modus
operandi.
778. Just let us assume for a second that
it is not at that level. I am not suggesting a plane going into
a building because that is somebody else who would prevent that,
but the next stage of the escalation of terrorism. Are you sure
then that the plans in place for the City of London are robust
enough?
(Mr Wood) It is very difficult to actually plan for
some of those inevitable events, where do you start? The key to
that is good intelligence and being able to work proactively to
try and make sure that you can thwart that activity. It is difficult
to say what further they can do. The real emphasis has got to
come on providing timely intelligence and being able to get the
intelligence on these extreme groups. I think that is something
that we will need to think about carefully.
779. So for the City of London - perhaps
this is a question more for you than anybody, Mr Gamble - insurance
would be provided at a cost, it may well be a much greater cost
than it may well have been in the years heretofore but there would
not be a question of withdrawal of insurance cover given what
you have just said?
(Mr Gamble) At the moment as far as buildings and
business interruption is concerned, the arrangements are through
an organisation called Pool Re Insurance and behind Pool Re sits
the Treasury. Pool Re has got about £1.2 billion in reserves
which come from people paying in premiums and they have had a
number of major pay-outs as a result of the IRA's activities.
If they went more than £1.2 billion, which is of course what
happened with the World Trade Centre, the Treasury would step
in as the insurer of last resort. The situation at the moment
is the commercial market declines to quote for terrorism insurance,
they are withdrawing in all areas from that. At the moment we
have only got cover for property and business interruption. If
we have public liability or employer's liability, that is not
being covered beyond a certain level at the moment. We are seeing
at every kind of renewal it is being withdrawn. It is a very serious
problem and it will only really start to manifest itself in a
major way towards the end of this year I would think. We are in
discussion with the Treasury. They have a particular view of life,
as I am sure you are aware, and their view is generally quite
helpful but they are basically protecting the public purse and
we are saying this is a problem that will not go away, we need
a long-term solution, and quite rightly we cannot expect the insurance
industry to provide that solution, it has to come from Government.
You are the risk managers of the nation and this is a national
problem.