Scientific advice and evidence in emergencies - Science and Technology Committee Contents


Examination of Witnesses (Questions 382-412)

Q382 Chair: Good morning, and apologies for running a little late. We have just had a couple of very interesting sessions to start with. Baroness Neville-Jones, this is the first time we have asked you to appear before us. Welcome.

Baroness Neville-Jones: Yes, Chairman; thank you.

Q383 Chair: Mr Willetts is a regular. We are coming to the end of our evidence sessions on this area and there are some important questions on which we would like to press you. Do Ministers now take the final decision as to what goes on the national risk assessment, and exactly who do you get your scientific advice from?

Baroness Neville-Jones: That sounds like my question. Clearly, drawing up the national risk assessment is a team effort. Let me start with the scientific advice, because there is obviously a process. The Cabinet Office takes charge of the regular updating of the national risk assessment and that is done by a team in the Civil Contingencies Secretariat, who have a structured relationship with the scientific advice available to Government through the Government Office for Science and particularly Sir John Beddington. Scientific advice and, indeed, help in the definition of what constitutes the risk, particularly both likelihood and impact, is fed in from the very start. I wouldn't say that there is any stage at which scientific advice is not available or, indeed, not actively involved in the process of consideration.

When it comes to the actual approval of the risk assessment itself, that does go to Ministers, and individual risks, depending on the nature of the risk, can be discussed in detail. It is fair to say that the Ministers do take responsibility for the national risk assessment, the grid on which it is founded, and indeed, in the case of the more sensitive risks, the ones which are more difficult—the high risks, often low likelihood, but not always—get considerable scrutiny and I, personally, give them considerable scrutiny as the Minister who is charge of resilience.

Q384 Chair: Who gives you the scientific advice, though, because Sir John said it's not him?

Baroness Neville-Jones: It will depend on the subject, obviously, because you will have observed that there are a whole series of committees now exist in relation to different sorts of advice that the Government need. The Civil Contingencies Secretariat will be liable to turn to people who have been on those committees or who are able to give advice as to whom they should in turn seek advice from. It won't always be the person who is familiar to Government who will eventually be involved in giving the advice, because they may, in turn, say, "I think you ought to talk to X", and X is somebody who has not previously been involved in giving advice to Government. It is quite an open process.

Q385 Chair: But X could be someone anywhere in the country?

Baroness Neville-Jones: Or internationally, Chair.

Q386 Chair: Indeed. And many of the risks exist in many locations up and down the country. Why is it that the Local Government Association is on record as saying that the National Risk Register is "rarely informed by issues identified at the regional and sub-regional level"?

Baroness Neville-Jones: I had not heard that comment, which I take seriously. Chair: I do because I live in a hazard area.

Baroness Neville-Jones: Absolutely. It is the case, however, that there are regional committees, so-called STACs, which do indeed inform the process. The point you are making is probably that structured regional scientific and local advice needs to be fed into the national risk assessment, and particularly the register, when it cascades down to the local level. I take that point. It is perfectly fair and sensible.

Q387 Chair: Who is allowed access to the national risk assessment, and what kind of information is withheld from the register?

Baroness Neville-Jones: From the register? You are right to distinguish between those two because they are, obviously, different and the National Risk Register is an unclassified version of the NRA. One of the things that we want to try and do, if I might just say that, is to put as much into the National Risk Register as we can; that is to say, not to have a big difference between what is in the NRA and what is in the National Risk Register. There are, however, some items in the National Risk Register that are genuinely very sensitive and it is difficult to put it all into the public domain.

The National Risk Register is an open document. It can be seen by people. It is part of the guide to local authorities at the sub-regional and regional level. We want to make that document as useful as possible and, therefore, as full as possible. The classified document is available to those who have the right clearance to see it.

Q388 Chair: I asked Sir David Pepper this exact question last night—

Baroness Neville-Jones: And?

Chair:—about the areas that you and I have been interested in over a number of years in terms of cyber-threats.

Baroness Neville-Jones: Absolutely. Yes.

Q389 Chair: Some of those cyber-threats are significant threats to civilian parts of the nation's structures—banks, utilities and so on. There are great chunks of those areas where people don't have any security clearance.

Baroness Neville-Jones: Correct.

Q390 Chair: How do we manage that difficult relationship?

Baroness Neville-Jones: There is what we do now and there is what we hope to do in the future. If you look at the National Risk Register, you will see that electronic attack is on it. It is one of the things that we need to develop as the result of developing the cyber-security strategy, which is something which is now going to take shape in the next few months, and we hope to publish the strategy in the spring. Therefore, our treatment in the National Risk Register, as it stands, and the assessment, is incomplete. However, that doesn't mean to say that Government isn't active, because there is a serious threat both to Government systems and, as I think is implied in your question, the critical national infrastructure, which is largely in private hands.

There is a close and co-operative relationship between CSOC, which is developing national situational awareness. This has further to go, but it is going to be absolutely key to the development of and building on existing close co-operation between public and private operators, which is what I have described as being both a strategic and an operational partnership with the private sector. What we would like to do is to develop our policies in co-operation with the private sector, given that they are key owners and key operators and are themselves very often suppliers to Government. It makes a very great deal of sense not just for the Government to try on its own to specify what it needs but to conduct a much more co-operative relationship of the kind where you define what the problem is together and you solve it together.

Then there needs to be an operational relationship where the situational awareness which Government itself develops, which I would hope the private sector would feed into, will then be available at times of emergency—that is to say, if there is an attack—as a source, first of all, to report into but also, then, to be the base on which decisions are taken about what happens next and what solutions are arrived at. I would see it as being something which is both strategic in character and is there as the underlying framework in which policy is made but also the operating framework for keeping the country secure in cyber.

Q391 Chair: But there is, undoubtedly, this conflict with areas where national security comes in but advice, guidance and expertise reside in the technical parts of the private sector—the supply chain to Government—but there is also a different level of expertise, hugely important, in areas like the banks and so on. This is going to present you with a big challenge, isn't it?

Baroness Neville-Jones: Yes. You can, I think, exaggerate it. Certainly, there is an argument that not everything is going to be readily available. My own view is that a very large number of the problems that we will face, the issues that we will need to try and solve and the ways in which we will need to find solutions to existing problems can be abstracted from the data that is the sensitive issue. Very often, you have a systems problem and you need to try and solve it. You do not need to have access to the data that it carries in order to be able to make a worthwhile contribution to the solution of that problem.

I think you can exaggerate the extent to which it is absolutely necessary for somebody who is outside the Government circle, who may not wish, themselves, to take Government clearance. The Government, on the whole, wants to clear people who can help it, but if that's the case I don't think these people are excluded from giving extraordinarily helpful, worthwhile information.

  I would say that one other area that could also be regarded as constituting a problem is reputational risk. Companies are known not to want, quite understandably, to get themselves into trouble with either their competitors or the markets in being shown to have had some kind of cyber-accident, if I can put it that way. But I think there are ways round that too. It does involve developing a trusted circle between Government and both operators and suppliers in which they are willing to talk to each other but in which, equally—I think, in the national interest—the solution is found without there being great damage to the individual reputation of the company.

Q392 Pamela Nash: I would like to ask you, Baroness Neville-Jones, how the Cabinet Office chooses a lead Government Department when a crisis ensues. Is it an active choice or does the Cabinet Office sit back, as it were, and wait for one to emerge?

Baroness Neville-Jones: Normally, it is not difficult to see to which Government Department the lead should fall. Most topics present themselves with an obvious answer. If it doesn't, I can give you an example. I think space weather is one area that covers many Departments and it is not abundantly obvious right from the outset which Government Department should actually lead. In that situation, and particularly if you have something you need to deal with, as we did, then the Cabinet Office will act and it will draw in the Government Departments that are needed to be there in order to handle whatever crisis it is. What we don't intend to do is to end up with the Cabinet Office becoming departmentally responsible. At the moment, particularly in relation to space, where there is yet no decision on which Government Department should actually take the lead responsibility, we are looking at all the factors. There is ongoing work to decide where the bulk of the responsibility should lie. That will depend, to some extent, on the analysis of the factors that go into your assessment of likelihood, impact and, therefore, risk, and the nature of those risks. I think that is the procedural answer to your question.

Q393 Pamela Nash: That's interesting. What I was trying to get to the bottom of is whether a list of departmental responsibilities is enough, and what you have told us is that in very specific issues it is not. So there is work that goes on behind the scenes to prepare.

Baroness Neville-Jones: A decision has to be taken—absolutely. You can't just stop, when the emergency is over, deciding how you will, in future, handle another emergency should it arise. That is an ongoing issue for us and we will, indeed, take a decision on where it should lie.

I might say, and I think it is important to understand this, that the Government is less and less stove-piped in the way it carries out business. A lead Government Department may well be in the chair but other Departments round the table will be absolutely vital to the collective solution that the Government brings to any emergency.

Q394 Pamela Nash: On space weather, which you mentioned, what are your views on the Office of Cyber Security, for instance, on solar and cyber attacks, or the UK Space Agency on space weather actually taking a co-ordinating role if an emergency was to occur between Government Departments?

Baroness Neville-Jones: The Space Agency would need, I think, to be involved. In fact, I would regard the Space Agency as being one of our resources in future for developing the policy that we need to pursue on the risks involved in severe space weather. We have been forewarned, in a sense, that the sunspot cycle is coming to a peak and it looks as though it is going to be a fairly vigorous peak. It, therefore, behoves us to have laid a good ground for that. I would regard the Space Agency as being both a resource nationally for some expertise but also being a connection to international expertise on it as well. Clearly, if you get vigorous space weather and, in particular, you get spikes in the solar cycle, it can clearly affect, in particular, telecommunications, not only power. There are a number of utilities we need to look at under that head.

Q395 Chair: Members of the Committee saw some very interesting presentations yesterday at the British Antarctic Survey, for example.

Baroness Neville-Jones: Absolutely.

Q396 Chair: Mr Willetts, this spills into your bailiwick as well. Do you see the Space Agency having a key role here?

Mr Willetts: Absolutely. I agree with what the Baroness said. We have a double role. There is a role in obtaining information and research evidence and there is also, of course, co-ordinating with the private sector, because things like privately operated satellites are, clearly, vulnerable. So there is a double interest. Indeed, it is something we have already discussed briefly and I hope to put back on the agenda at the Space Leadership Council, which I co-chair.

Q397 Graham Stringer: Do you think the National Grid is at risk? We have had slightly conflicting evidence. The sun is approaching one of its phases when it might be ejecting more stuff. Do you believe that the National Grid is at risk?

Baroness Neville-Jones: The National Grid is itself doing an assessment at the moment because precisely the question you have asked is the one that we need to have more of a fix on than we have at the moment. My feeling is that there must be some risk. Every country, it turns out, is specific in this. There are no generalisations and a lot depends, for instance, on how many overhead lines you've got, how much you have buried underground, and specific vulnerabilities, such as, I'm told, when the power lines come from underwater to on-land. That junction, apparently, is a specific vulnerability. The answer to your question is that we need to do, and this is what the National Grid is doing, a study in specific detail on UK conditions. The answer to your question is that there must be some risk. What we don't yet know, but I think they are reporting in the spring, is how great it is.

Q398 Graham Stringer: Will that be made public?

Baroness Neville-Jones: I would think there is every good reason to suppose that knowledge about it should be in the public domain, yes, absolutely.

Q399 Stephen Mosley: In some of the evidence that we have seen, in particular relating to cyber-security, there has been a suggestion that there are two separate cultures—one intelligence and defence and one the civil side of things—and that information flows only one way, and I think you can guess which way that is. Do you agree with that analysis at all?

Baroness Neville-Jones: I think there have, historically, been two tribes. Yes, I think that is fair comment. One of the things we are trying to do in the cyber-security strategy is, frankly, to break that down. If you learn anything about modern Government it is that stovepipes won't do and that you lose greatly if you don't allow both information and technique to flow both ways. If you look at the sciences that are going to be involved in any security strategy that we have, it's the same for both communities. I do take the view that GCHQ is the right organisation for it, but by having an organisation in Government that crosses those boundaries and services both, in that respect, I personally think we are better placed than the Americans, who have the NSA, which is very distinctly defence. Then it has other less well defined structures in the civilian sphere. I think we have a better chance of bringing our community together on a national basis.

Q400 Chair: Would that be strengthened if there was greater representation of scientists and engineers across the civil service? Isn't part of the underlying problem that the stovepipes are, in a sense, enhanced because of the characteristics of the population?

Baroness Neville-Jones: I think scientists can certainly help us to break down the stovepipes, yes. One of the things this Government is trying to do is to break down the stovepipes. That is one of the reasons why we have the National Security Council, and this sort of issue would go to the National Security Council. So it does help to break down stovepipes at both the departmental consideration and also ministerial consideration. You can't present a paper to a collection of Ministers if it doesn't cover all the ambits and all the facets that it needs to. So I think it does help that.

Q401 Chair: Several witnesses in our inquiry have touched on the absence of a chief scientific officer at the Treasury. What is your view?

Baroness Neville-Jones: I note it is a Department without.

Chair: We will interpret that.

Q402 Stephen Mosley: Still on co-operation but more on international co-operation, we have heard in both space weather and in cyber-security the importance of international co-operation between ourselves, in particular, and people like America and Europe, but also elsewhere. How does the UK resolve the tension between co-ordinating and sharing information with some countries and also doing the opposite in hiding information from others?

Baroness Neville-Jones: I think the answer is that we certainly do have closer partners. This is true of all Governments. All Governments have their close relationships and their less close relationships. In this sort of area, in cyber-security, for instance, one would want fairly close relations. When it comes to something like space weather, the circles within which you would want to consult, spread and share information would be quite broad because, apart from anything else, our state of knowledge generally is not so brilliant that one would want to exclude the possibility of obtaining information from quite far-flung sources.

When it comes to some of the more sensitive forms of activity in which science is involved, of which cyber is one, you have to discriminate a bit between your close partners and others, if only because you do have some adversaries in that game. There is a difference between those fields in which you may be talking more about threat than hazard and those fields in which you are talking about hazard.

Q403 Stephen Metcalfe: Mr Willetts, during our investigation we have seen the value of scientific advice across Government. I am sure the Government appreciates that. There is a small concern, though. As we see departmental spending reduce, how do we make sure that we maintain that scientific capability within individual Departments and that that is not the area that gets squeezed?

Mr Willetts: This is something that is very important and it is why Sir John Beddington and I wrote jointly to Cabinet colleagues during the CSR process reminding them of the importance of continuing with their R&D responsibilities, and inviting them to come to us if they were planning any substantial reduction in departmental R&D. Of course, the position is still being finalised as people work through the detail of their CSR settlements, but, as I reported to this Committee last week, in general, we feel it is working quite well. We have a health budget with a continuing robust commitment to R&D; Defence is doing pretty well on R&D; and DIFD is doing quite well on R&D. But Sir John and I carry on monitoring this. As yet, we have not identified a Department that seems to us to be making a massive reduction in its R&D effort.

Q404 Stephen Metcalfe: That's good to hear. You have touched on the R&D side of things. Taking the research and development issue and applying it to Government advice in emergencies, who should be funding that research? Should it be the individual Departments or should there be some other body?

Mr Willetts: If you take a step back, if you mean the scientific capacity within the nation to understand these challenges, that is something that we finance via research councils and via the QR money that goes to universities. Without being complacent, I think we are fortunate. We are one of the nations that, facing these challenges, probably has a more broadly-based scientific community to draw on than just about anywhere else. If you mean specifically, I know there is an issue that has arisen on these specific exercises about the exact budgetary funding when NERC finds itself providing resource during the volcanic ash episode. During the crisis itself, it's common sense—people just get on with it. It's true to say that now there are some accounting issues that are still being resolved. During these crises individual scientists are very good at coming forward on a pro bono basis and providing their advice and assistance, but I don't think it would be fair if that was the basis on which we always worked, especially if the time commitment becomes substantial. We do need mechanisms to provide, in specific circumstances, proper financial support for people who help out during a crisis.

Q405 Stephen Metcalfe: Where a potential emergency has been identified and it makes it on to the national risk assessment but there isn't any research necessarily being undertaken across the wider scientific community, what role do you think the Government has? Should it direct someone who is already funded to look at that or should it fund that research itself?

Mr Willetts: We do try through the research councils, when a big issue has been identified, to commission research in the area. Cyber-security is a very good example. It is clearly coming up the agenda. We recognise we need to have a strong in-house capacity on that, and work is currently going on as to how we might commission background research in that whole area that can be drawn on. I don't know if the Baroness wants to add to that.

Baroness Neville-Jones: That's right. In the case of cyber, of course, there is specific work that the national research councils might do. There is also a big reservoir in the academic world. What we try to do in Government, therefore, are those things that we can't in the Government's scientific offices—those things that, for whatever reason, are so specific to Government's needs that it is sensible to do the research in Government. Were we only to rely on that, it would be a very impoverished way of looking at our scientific base. Increasingly, what tends to happen is that Government scientific laboratories are in very close contact with people who are in the academic world. There is a very close intellectual relationship and, what's more, the Government's scientific laboratories themselves contract out to the academic world and to the research councils for certain work to be done. It is very hard, in the end, to separate these things from each other. They constitute a mosaic.

Q406 Stephen Metcalfe: You are very happy with the arrangement as it is at the moment—that if an issue does come up there is the ability to fund that research?

Baroness Neville-Jones: We would always like more money.

Q407 Stephen Metcalfe: I realise that. That was a stupid question.

Mr Willetts: I am normally less subtle than that in my ways of putting it.

Baroness Neville-Jones: Resources aside, I think the methodology has been developed, and the degree of contact that takes place between the two. I know some people think that the British Government is still not good at reaching out to the academic and the scientific world, and one does hear that view expressed. All I can say is two things. One is that it is an awful lot better than it used to be. Can it go still further? I've no doubt. What I do think—this is one of the changes I would say between having previously been in government and now—is that people are very much more aware of, in a sense, how little Government knows, and how much others do need to contribute. You don't operate just on the basis of Government information. I think there is a real change in outlook and attitude and that goes from top to bottom, too.

Q408 Stephen Metcalfe: Let me focus, finally, on the cyber-security issue. I think that is something that is rising up the agenda fairly quickly. Do you feel that we need to develop more capacity across Government—across all Departments perhaps—to understand that better and the science of that, and perhaps with specific focus on the social and behavioural sciences? Do you think that that is an area where we are perhaps lacking at the moment?

Baroness Neville-Jones: Yes, I would say that's true because I think Government is a reflection of the nation. That is a national issue. We need much greater awareness and it should take at least two forms. One is that we need to upskill our population. Things like Get Safe Online are very important parts of educating the so-called 80%. I think that knowledge and a more sophisticated understanding of this subject also need to penetrate more deeply. Everybody is aware of its importance, but do they really understand it? I suspect there is more to be done there. Can we do that with the development of the security strategy and things? Yes, I think that will be a contribution. Is it going to be something that we need to develop over a period of time? I've no doubt about that. There is the national issue, and what is going to be an important part of this is increasing the profile—David may want to contribute on this—in our universities to the profile given to qualifications in this area and, indeed, the way in which the public sector and universities invest in cyber-skills.

Mr Willetts: The Office of Cyber Security & Information Assurance is actually working now on a cyber-security R&D programme. That will both be involving activity within Government and also will feed into some of the research council commissioning. If I may say so, I very much agreed with your final point that this is not simply a matter of the physical sciences. So many of these policy areas ultimately become matters of human behaviour. The social sciences, even the humanities, have a role here. As we allocate money between the different research councils, we have to remember that no one discipline has all the answers.

Baroness Neville-Jones: The human factor is extraordinarily important. Look at airport security. The human factor is very important.

Q409 Chair: On several occasions you have suggested that there needs to be more openness and more collaboration between the traditional agencies that protect us from electronic attacks and so on, and the private sector. It brought to mind the section in Simon Singh's book, The Code Book: The Secret History of Codes and Code-breaking, where he argues that the algorithms that were necessary to create the business RSL were first established in Cheltenham. Do you envisage a change that is so radical that it will have the commercialisation of products, working in partnership with the private sector, or do you still see that traditional barrier occurring?

Baroness Neville-Jones: You are taking me on to ground, Chairman, that we are thinking about. There are many ways of tackling the whole question of whether, for instance, if Cheltenham were to supply a service to the private sector how that might be funded and what the financial relationship might be. If you'll forgive me, I don't terribly want to go very far. There are a number of options. It's a live issue, I would say.

Q410 Chair: If RSL had been created in the UK then you would have a bit more money to spend.

Baroness Neville-Jones: All of the above, yes.

Q411 Chair: In terms of structures, should the Government Office for Science be in the Cabinet Office? Would that create a better relationship?

Mr Willetts: It has been located in various places over the years. I don't think there is any ideal location. All I can say is that we are very comfortable with the current arrangement. The Prime Minister took a very clear view when the coalition Government came into office that he wasn't going to divert his energies into reorganising Whitehall. As we do have within BIS responsibility for the science budget in research councils and universities, there is certainly a very strong logic to having the Government Office based in BIS. Of course, Sir John is not a conventional part of the BIS machine. He is a resource for Government as a whole. He is, I know, in the service of the Cabinet Office machine and No. 10, so he is not there as a conventional BIS official, but it is fair to say that we are all very happy to have that operation based there because it does help, given that we at least have by far the biggest science budget.

Q412 Graham Stringer: Having looked at the swine flu pandemic and the volcanic event earlier this year, is there anything that you have learnt from that that you would apply to emergencies in the future or the application of scientific advice to emergencies in the future?

Mr Willetts: I think there are some lessons actually, and perhaps this Committee's investigation will help us learn the lessons because it is clearly something in process. I mentioned earlier that there is one specific issue, for example, about funding, which we are having to sort out afterwards. The scientific community has been heroic in people just turning up and providing advice for free, but there comes a point, as an emergency runs on, that you are affecting their ability to do other work and you do need to have some mechanism for reimbursing them. We recognise—this may have been something you were discussing earlier today—that there are a range of uncertainties in science. There is a tension between scientists who give advice across a range, from a best case to a worst case scenario, and we know that it is very easy for the media then to pick up on the worst case and the political process to be driven absolutely by the worst case rather than the range of risks. Communicating the intrinsic uncertainties in scientific advice is something that we probably need to do better.

Chair: We thank you for your attendance this morning. Some of the issues we have discussed are clearly going to be of interest to the House in terms of future inquiries, particularly as some of the thinking unfolds on cyber-security issues, because there are some very important subjects just below the surface there that go beyond the scope of our current inquiry. I am sure we will want to keep in touch with you, Baroness Neville-Jones. Thank you for your attendance. Thank you, again, David Willetts, for your attendance.


 
previous page contents

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2011
Prepared 2 March 2011