Examination of Witnesses (Questions 382-412)
Q382 Chair: Good
morning, and apologies for running a little late. We have just
had a couple of very interesting sessions to start with. Baroness
Neville-Jones, this is the first time we have asked you to appear
before us. Welcome.
Yes, Chairman; thank you.
Q383 Chair: Mr
Willetts is a regular. We are coming to the end of our evidence
sessions on this area and there are some important questions on
which we would like to press you. Do Ministers now take the final
decision as to what goes on the national risk assessment, and
exactly who do you get your scientific advice from?
That sounds like my question. Clearly, drawing up the national
risk assessment is a team effort. Let me start with the scientific
advice, because there is obviously a process. The Cabinet Office
takes charge of the regular updating of the national risk assessment
and that is done by a team in the Civil Contingencies Secretariat,
who have a structured relationship with the scientific advice
available to Government through the Government Office for Science
and particularly Sir John Beddington. Scientific advice and, indeed,
help in the definition of what constitutes the risk, particularly
both likelihood and impact, is fed in from the very start. I wouldn't
say that there is any stage at which scientific advice is not
available or, indeed, not actively involved in the process of
When it comes to the actual approval of the risk
assessment itself, that does go to Ministers, and individual risks,
depending on the nature of the risk, can be discussed in detail.
It is fair to say that the Ministers do take responsibility for
the national risk assessment, the grid on which it is founded,
and indeed, in the case of the more sensitive risks, the ones
which are more difficultthe high risks, often low likelihood,
but not alwaysget considerable scrutiny and I, personally,
give them considerable scrutiny as the Minister who is charge
Q384 Chair: Who
gives you the scientific advice, though, because Sir John said
it's not him?
It will depend on the subject, obviously, because you will have
observed that there are a whole series of committees now exist
in relation to different sorts of advice that the Government need.
The Civil Contingencies Secretariat will be liable to turn to
people who have been on those committees or who are able to give
advice as to whom they should in turn seek advice from. It won't
always be the person who is familiar to Government who will eventually
be involved in giving the advice, because they may, in turn, say,
"I think you ought to talk to X", and X is somebody
who has not previously been involved in giving advice to Government.
It is quite an open process.
Q385 Chair: But
X could be someone anywhere in the country?
Or internationally, Chair.
Q386 Chair: Indeed.
And many of the risks exist in many locations up and down the
country. Why is it that the Local Government Association is on
record as saying that the National Risk Register is "rarely
informed by issues identified at the regional and sub-regional
I had not heard that comment, which I take seriously. Chair:
I do because I live in a hazard area.
Absolutely. It is the case, however, that there are regional committees,
so-called STACs, which do indeed inform the process. The point
you are making is probably that structured regional scientific
and local advice needs to be fed into the national risk assessment,
and particularly the register, when it cascades down to the local
level. I take that point. It is perfectly fair and sensible.
Q387 Chair: Who
is allowed access to the national risk assessment, and what kind
of information is withheld from the register?
From the register? You are right to distinguish between those
two because they are, obviously, different and the National Risk
Register is an unclassified version of the NRA. One of the things
that we want to try and do, if I might just say that, is to put
as much into the National Risk Register as we can; that is to
say, not to have a big difference between what is in the NRA and
what is in the National Risk Register. There are, however, some
items in the National Risk Register that are genuinely very sensitive
and it is difficult to put it all into the public domain.
The National Risk Register is an open document. It
can be seen by people. It is part of the guide to local authorities
at the sub-regional and regional level. We want to make that document
as useful as possible and, therefore, as full as possible. The
classified document is available to those who have the right clearance
to see it.
Q388 Chair: I
asked Sir David Pepper this exact question last night
areas that you and I have been interested in over a number of
years in terms of cyber-threats.
Q389 Chair: Some
of those cyber-threats are significant threats to civilian parts
of the nation's structuresbanks, utilities and so on. There
are great chunks of those areas where people don't have any security
Q390 Chair: How
do we manage that difficult relationship?
There is what we do now and there is what we hope to do in the
future. If you look at the National Risk Register, you will see
that electronic attack is on it. It is one of the things that
we need to develop as the result of developing the cyber-security
strategy, which is something which is now going to take shape
in the next few months, and we hope to publish the strategy in
the spring. Therefore, our treatment in the National Risk Register,
as it stands, and the assessment, is incomplete. However, that
doesn't mean to say that Government isn't active, because there
is a serious threat both to Government systems and, as I think
is implied in your question, the critical national infrastructure,
which is largely in private hands.
There is a close and co-operative relationship between
CSOC, which is developing national situational awareness. This
has further to go, but it is going to be absolutely key to the
development of and building on existing close co-operation between
public and private operators, which is what I have described as
being both a strategic and an operational partnership with the
private sector. What we would like to do is to develop our policies
in co-operation with the private sector, given that they are key
owners and key operators and are themselves very often suppliers
to Government. It makes a very great deal of sense not just for
the Government to try on its own to specify what it needs but
to conduct a much more co-operative relationship of the kind where
you define what the problem is together and you solve it together.
Then there needs to be an operational relationship
where the situational awareness which Government itself develops,
which I would hope the private sector would feed into, will then
be available at times of emergencythat is to say, if there
is an attackas a source, first of all, to report into but
also, then, to be the base on which decisions are taken about
what happens next and what solutions are arrived at. I would see
it as being something which is both strategic in character and
is there as the underlying framework in which policy is made but
also the operating framework for keeping the country secure in
Q391 Chair: But
there is, undoubtedly, this conflict with areas where national
security comes in but advice, guidance and expertise reside in
the technical parts of the private sectorthe supply chain
to Governmentbut there is also a different level of expertise,
hugely important, in areas like the banks and so on. This is going
to present you with a big challenge, isn't it?
Yes. You can, I think, exaggerate it. Certainly, there is an argument
that not everything is going to be readily available. My own view
is that a very large number of the problems that we will face,
the issues that we will need to try and solve and the ways in
which we will need to find solutions to existing problems can
be abstracted from the data that is the sensitive issue. Very
often, you have a systems problem and you need to try and solve
it. You do not need to have access to the data that it carries
in order to be able to make a worthwhile contribution to the solution
of that problem.
I think you can exaggerate the extent to which it
is absolutely necessary for somebody who is outside the Government
circle, who may not wish, themselves, to take Government clearance.
The Government, on the whole, wants to clear people who can help
it, but if that's the case I don't think these people are excluded
from giving extraordinarily helpful, worthwhile information.
I would say that one other area that could also
be regarded as constituting a problem is reputational risk. Companies
are known not to want, quite understandably, to get themselves
into trouble with either their competitors or the markets in being
shown to have had some kind of cyber-accident, if I can put it
that way. But I think there are ways round that too. It does involve
developing a trusted circle between Government and both operators
and suppliers in which they are willing to talk to each other
but in which, equallyI think, in the national interestthe
solution is found without there being great damage to the individual
reputation of the company.
Q392 Pamela Nash:
I would like to ask you, Baroness Neville-Jones, how the Cabinet
Office chooses a lead Government Department when a crisis ensues.
Is it an active choice or does the Cabinet Office sit back, as
it were, and wait for one to emerge?
Normally, it is not difficult to see to which Government Department
the lead should fall. Most topics present themselves with an obvious
answer. If it doesn't, I can give you an example. I think space
weather is one area that covers many Departments and it is not
abundantly obvious right from the outset which Government Department
should actually lead. In that situation, and particularly if you
have something you need to deal with, as we did, then the Cabinet
Office will act and it will draw in the Government Departments
that are needed to be there in order to handle whatever crisis
it is. What we don't intend to do is to end up with the Cabinet
Office becoming departmentally responsible. At the moment, particularly
in relation to space, where there is yet no decision on which
Government Department should actually take the lead responsibility,
we are looking at all the factors. There is ongoing work to decide
where the bulk of the responsibility should lie. That will depend,
to some extent, on the analysis of the factors that go into your
assessment of likelihood, impact and, therefore, risk, and the
nature of those risks. I think that is the procedural answer to
Q393 Pamela Nash:
That's interesting. What I was trying to get to the bottom of
is whether a list of departmental responsibilities is enough,
and what you have told us is that in very specific issues it is
not. So there is work that goes on behind the scenes to prepare.
A decision has to be takenabsolutely. You can't just stop,
when the emergency is over, deciding how you will, in future,
handle another emergency should it arise. That is an ongoing issue
for us and we will, indeed, take a decision on where it should
I might say, and I think it is important to understand
this, that the Government is less and less stove-piped in the
way it carries out business. A lead Government Department may
well be in the chair but other Departments round the table will
be absolutely vital to the collective solution that the Government
brings to any emergency.
Q394 Pamela Nash:
On space weather, which you mentioned, what are your views on
the Office of Cyber Security, for instance, on solar and cyber
attacks, or the UK Space Agency on space weather actually taking
a co-ordinating role if an emergency was to occur between Government
The Space Agency would need, I think, to be involved. In fact,
I would regard the Space Agency as being one of our resources
in future for developing the policy that we need to pursue on
the risks involved in severe space weather. We have been forewarned,
in a sense, that the sunspot cycle is coming to a peak and it
looks as though it is going to be a fairly vigorous peak. It,
therefore, behoves us to have laid a good ground for that. I would
regard the Space Agency as being both a resource nationally for
some expertise but also being a connection to international expertise
on it as well. Clearly, if you get vigorous space weather and,
in particular, you get spikes in the solar cycle, it can clearly
affect, in particular, telecommunications, not only power. There
are a number of utilities we need to look at under that head.
Q395 Chair: Members
of the Committee saw some very interesting presentations yesterday
at the British Antarctic Survey, for example.
Q396 Chair: Mr
Willetts, this spills into your bailiwick as well. Do you see
the Space Agency having a key role here?
Mr Willetts: Absolutely.
I agree with what the Baroness said. We have a double role. There
is a role in obtaining information and research evidence and there
is also, of course, co-ordinating with the private sector, because
things like privately operated satellites are, clearly, vulnerable.
So there is a double interest. Indeed, it is something we have
already discussed briefly and I hope to put back on the agenda
at the Space Leadership Council, which I co-chair.
Q397 Graham Stringer:
Do you think the National Grid is at risk? We have had slightly
conflicting evidence. The sun is approaching one of its phases
when it might be ejecting more stuff. Do you believe that the
National Grid is at risk?
The National Grid is itself doing an assessment at the moment
because precisely the question you have asked is the one that
we need to have more of a fix on than we have at the moment. My
feeling is that there must be some risk. Every country, it turns
out, is specific in this. There are no generalisations and a lot
depends, for instance, on how many overhead lines you've got,
how much you have buried underground, and specific vulnerabilities,
such as, I'm told, when the power lines come from underwater to
on-land. That junction, apparently, is a specific vulnerability.
The answer to your question is that we need to do, and this is
what the National Grid is doing, a study in specific detail on
UK conditions. The answer to your question is that there must
be some risk. What we don't yet know, but I think they are reporting
in the spring, is how great it is.
Q398 Graham Stringer:
Will that be made public?
I would think there is every good reason to suppose that knowledge
about it should be in the public domain, yes, absolutely.
Q399 Stephen Mosley:
In some of the evidence that we have seen, in particular relating
to cyber-security, there has been a suggestion that there are
two separate culturesone intelligence and defence and one
the civil side of thingsand that information flows only
one way, and I think you can guess which way that is. Do you agree
with that analysis at all?
I think there have, historically, been two tribes. Yes, I think
that is fair comment. One of the things we are trying to do in
the cyber-security strategy is, frankly, to break that down. If
you learn anything about modern Government it is that stovepipes
won't do and that you lose greatly if you don't allow both information
and technique to flow both ways. If you look at the sciences that
are going to be involved in any security strategy that we have,
it's the same for both communities. I do take the view that GCHQ
is the right organisation for it, but by having an organisation
in Government that crosses those boundaries and services both,
in that respect, I personally think we are better placed than
the Americans, who have the NSA, which is very distinctly defence.
Then it has other less well defined structures in the civilian
sphere. I think we have a better chance of bringing our community
together on a national basis.
Q400 Chair: Would
that be strengthened if there was greater representation of scientists
and engineers across the civil service? Isn't part of the underlying
problem that the stovepipes are, in a sense, enhanced because
of the characteristics of the population?
I think scientists can certainly help us to break down the stovepipes,
yes. One of the things this Government is trying to do is to break
down the stovepipes. That is one of the reasons why we have the
National Security Council, and this sort of issue would go to
the National Security Council. So it does help to break down stovepipes
at both the departmental consideration and also ministerial consideration.
You can't present a paper to a collection of Ministers if it doesn't
cover all the ambits and all the facets that it needs to. So I
think it does help that.
Q401 Chair: Several
witnesses in our inquiry have touched on the absence of a chief
scientific officer at the Treasury. What is your view?
I note it is a Department without.
Chair: We will interpret
Q402 Stephen Mosley:
Still on co-operation but more on international co-operation,
we have heard in both space weather and in cyber-security the
importance of international co-operation between ourselves, in
particular, and people like America and Europe, but also elsewhere.
How does the UK resolve the tension between co-ordinating and
sharing information with some countries and also doing the opposite
in hiding information from others?
I think the answer is that we certainly do have closer partners.
This is true of all Governments. All Governments have their close
relationships and their less close relationships. In this sort
of area, in cyber-security, for instance, one would want fairly
close relations. When it comes to something like space weather,
the circles within which you would want to consult, spread and
share information would be quite broad because, apart from anything
else, our state of knowledge generally is not so brilliant that
one would want to exclude the possibility of obtaining information
from quite far-flung sources.
When it comes to some of the more sensitive forms
of activity in which science is involved, of which cyber is one,
you have to discriminate a bit between your close partners and
others, if only because you do have some adversaries in that game.
There is a difference between those fields in which you may be
talking more about threat than hazard and those fields in which
you are talking about hazard.
Q403 Stephen Metcalfe:
Mr Willetts, during our investigation we have seen the value of
scientific advice across Government. I am sure the Government
appreciates that. There is a small concern, though. As we see
departmental spending reduce, how do we make sure that we maintain
that scientific capability within individual Departments and that
that is not the area that gets squeezed?
Mr Willetts: This
is something that is very important and it is why Sir John Beddington
and I wrote jointly to Cabinet colleagues during the CSR process
reminding them of the importance of continuing with their R&D
responsibilities, and inviting them to come to us if they were
planning any substantial reduction in departmental R&D. Of
course, the position is still being finalised as people work through
the detail of their CSR settlements, but, as I reported to this
Committee last week, in general, we feel it is working quite well.
We have a health budget with a continuing robust commitment to
R&D; Defence is doing pretty well on R&D; and DIFD is
doing quite well on R&D. But Sir John and I carry on monitoring
this. As yet, we have not identified a Department that seems to
us to be making a massive reduction in its R&D effort.
Q404 Stephen Metcalfe:
That's good to hear. You have touched on the R&D side of things.
Taking the research and development issue and applying it to Government
advice in emergencies, who should be funding that research? Should
it be the individual Departments or should there be some other
Mr Willetts: If
you take a step back, if you mean the scientific capacity within
the nation to understand these challenges, that is something that
we finance via research councils and via the QR money that goes
to universities. Without being complacent, I think we are fortunate.
We are one of the nations that, facing these challenges, probably
has a more broadly-based scientific community to draw on than
just about anywhere else. If you mean specifically, I know there
is an issue that has arisen on these specific exercises about
the exact budgetary funding when NERC finds itself providing resource
during the volcanic ash episode. During the crisis itself, it's
common sensepeople just get on with it. It's true to say
that now there are some accounting issues that are still being
resolved. During these crises individual scientists are very good
at coming forward on a pro bono basis and providing their advice
and assistance, but I don't think it would be fair if that was
the basis on which we always worked, especially if the time commitment
becomes substantial. We do need mechanisms to provide, in specific
circumstances, proper financial support for people who help out
during a crisis.
Q405 Stephen Metcalfe:
Where a potential emergency has been identified and it makes it
on to the national risk assessment but there isn't any research
necessarily being undertaken across the wider scientific community,
what role do you think the Government has? Should it direct someone
who is already funded to look at that or should it fund that research
Mr Willetts: We
do try through the research councils, when a big issue has been
identified, to commission research in the area. Cyber-security
is a very good example. It is clearly coming up the agenda. We
recognise we need to have a strong in-house capacity on that,
and work is currently going on as to how we might commission background
research in that whole area that can be drawn on. I don't know
if the Baroness wants to add to that.
That's right. In the case of cyber, of course, there is specific
work that the national research councils might do. There is also
a big reservoir in the academic world. What we try to do in Government,
therefore, are those things that we can't in the Government's
scientific officesthose things that, for whatever reason,
are so specific to Government's needs that it is sensible to do
the research in Government. Were we only to rely on that, it would
be a very impoverished way of looking at our scientific base.
Increasingly, what tends to happen is that Government scientific
laboratories are in very close contact with people who are in
the academic world. There is a very close intellectual relationship
and, what's more, the Government's scientific laboratories themselves
contract out to the academic world and to the research councils
for certain work to be done. It is very hard, in the end, to separate
these things from each other. They constitute a mosaic.
Q406 Stephen Metcalfe:
You are very happy with the arrangement as it is at the momentthat
if an issue does come up there is the ability to fund that research?
We would always like more money.
Q407 Stephen Metcalfe:
I realise that. That was a stupid question.
Mr Willetts: I
am normally less subtle than that in my ways of putting it.
Resources aside, I think the methodology has been developed, and
the degree of contact that takes place between the two. I know
some people think that the British Government is still not good
at reaching out to the academic and the scientific world, and
one does hear that view expressed. All I can say is two things.
One is that it is an awful lot better than it used to be. Can
it go still further? I've no doubt. What I do thinkthis
is one of the changes I would say between having previously been
in government and nowis that people are very much more
aware of, in a sense, how little Government knows, and how much
others do need to contribute. You don't operate just on the basis
of Government information. I think there is a real change in outlook
and attitude and that goes from top to bottom, too.
Q408 Stephen Metcalfe:
Let me focus, finally, on the cyber-security issue. I think that
is something that is rising up the agenda fairly quickly. Do you
feel that we need to develop more capacity across Governmentacross
all Departments perhapsto understand that better and the
science of that, and perhaps with specific focus on the social
and behavioural sciences? Do you think that that is an area where
we are perhaps lacking at the moment?
Yes, I would say that's true because I think Government is a reflection
of the nation. That is a national issue. We need much greater
awareness and it should take at least two forms. One is that we
need to upskill our population. Things like Get Safe Online
are very important parts of educating the so-called 80%. I
think that knowledge and a more sophisticated understanding of
this subject also need to penetrate more deeply. Everybody is
aware of its importance, but do they really understand it? I suspect
there is more to be done there. Can we do that with the development
of the security strategy and things? Yes, I think that will be
a contribution. Is it going to be something that we need to develop
over a period of time? I've no doubt about that. There is the
national issue, and what is going to be an important part of this
is increasing the profileDavid may want to contribute on
thisin our universities to the profile given to qualifications
in this area and, indeed, the way in which the public sector and
universities invest in cyber-skills.
Mr Willetts: The
Office of Cyber Security & Information Assurance is actually
working now on a cyber-security R&D programme. That will both
be involving activity within Government and also will feed into
some of the research council commissioning. If I may say so, I
very much agreed with your final point that this is not simply
a matter of the physical sciences. So many of these policy areas
ultimately become matters of human behaviour. The social sciences,
even the humanities, have a role here. As we allocate money between
the different research councils, we have to remember that no one
discipline has all the answers.
The human factor is extraordinarily important. Look at airport
security. The human factor is very important.
Q409 Chair: On
several occasions you have suggested that there needs to be more
openness and more collaboration between the traditional agencies
that protect us from electronic attacks and so on, and the private
sector. It brought to mind the section in Simon Singh's book,
The Code Book: The Secret History of Codes and Code-breaking,
where he argues that the algorithms that were necessary to create
the business RSL were first established in Cheltenham. Do you
envisage a change that is so radical that it will have the commercialisation
of products, working in partnership with the private sector, or
do you still see that traditional barrier occurring?
You are taking me on to ground, Chairman, that we are thinking
about. There are many ways of tackling the whole question of whether,
for instance, if Cheltenham were to supply a service to the private
sector how that might be funded and what the financial relationship
might be. If you'll forgive me, I don't terribly want to go very
far. There are a number of options. It's a live issue, I would
Q410 Chair: If
RSL had been created in the UK then you would have a bit more
money to spend.
All of the above, yes.
Q411 Chair: In
terms of structures, should the Government Office for Science
be in the Cabinet Office? Would that create a better relationship?
Mr Willetts: It
has been located in various places over the years. I don't think
there is any ideal location. All I can say is that we are very
comfortable with the current arrangement. The Prime Minister took
a very clear view when the coalition Government came into office
that he wasn't going to divert his energies into reorganising
Whitehall. As we do have within BIS responsibility for the science
budget in research councils and universities, there is certainly
a very strong logic to having the Government Office based in BIS.
Of course, Sir John is not a conventional part of the BIS machine.
He is a resource for Government as a whole. He is, I know, in
the service of the Cabinet Office machine and No. 10, so he is
not there as a conventional BIS official, but it is fair to say
that we are all very happy to have that operation based there
because it does help, given that we at least have by far the biggest
Q412 Graham Stringer:
Having looked at the swine flu pandemic and the volcanic event
earlier this year, is there anything that you have learnt from
that that you would apply to emergencies in the future or the
application of scientific advice to emergencies in the future?
Mr Willetts: I
think there are some lessons actually, and perhaps this Committee's
investigation will help us learn the lessons because it is clearly
something in process. I mentioned earlier that there is one specific
issue, for example, about funding, which we are having to sort
out afterwards. The scientific community has been heroic in people
just turning up and providing advice for free, but there comes
a point, as an emergency runs on, that you are affecting their
ability to do other work and you do need to have some mechanism
for reimbursing them. We recognisethis may have been something
you were discussing earlier todaythat there are a range
of uncertainties in science. There is a tension between scientists
who give advice across a range, from a best case to a worst case
scenario, and we know that it is very easy for the media then
to pick up on the worst case and the political process to be driven
absolutely by the worst case rather than the range of risks. Communicating
the intrinsic uncertainties in scientific advice is something
that we probably need to do better.
Chair: We thank you for
your attendance this morning. Some of the issues we have discussed
are clearly going to be of interest to the House in terms of future
inquiries, particularly as some of the thinking unfolds on cyber-security
issues, because there are some very important subjects just below
the surface there that go beyond the scope of our current inquiry.
I am sure we will want to keep in touch with you, Baroness Neville-Jones.
Thank you for your attendance. Thank you, again, David Willetts,
for your attendance.