House of Commons - Scientific advice and evidence in emergencies

Scientific advice and evidence in emergencies - Science and Technology Committee Contents

7 Coordination

203. In this inquiry we have looked at four very different case studies, involving a host of Government departments and agencies, independent advisers, private organisations and regulators. All of the emergencies we explored have the potential to cross political and departmental boundaries and so it is unsurprising that a recurring theme has been the importance of coordinating the emergency response. In this final chapter we look at coordination in more detail, specifically the Office of Cyber Security and Information Assurance (OCSIA) and international coordination.

Office of Cyber Security and Information Assurance

204. There are a range of agencies providing scientific advice on cyber security to Government and businesses. The Centre for the Protection of National Infrastructure (CPNI) advises organisations within the national infrastructure on security measures and provides technical support.[230] The Cyber Security Operations Centre (CSOC) was set up in 2009 to monitor the health of cyber space and co-ordinate incident response, enable better understanding of attacks against UK networks and users; and provide better advice and information about the risks to business and the public.[231] CSOC draws on expertise from the Defence Science and Technology Laboratory (DSTL) and is housed at the Government Communications Headquarters (GCHQ). GCHQ has an information assurance arm called CESG (the Communications Electronics Security Group); this is the UK's National Technical Authority for information assurance, providing advice and assistance on the security of communications and electronic data to central Government departments and agencies, the Armed Forces and the wider public and private sector.[232] In addition, the Government's written submission stated that "individual Government departments are currently responsible for the protection of their own systems and infrastructure".[233]

205. Following the publication of the UK's Cyber Security Strategy in June 2009, the Office of Cyber Security (OCS) situated in Cabinet Office, and Cyber Security Operations Centre (CSOC) were set up to provide strategic leadership in the cyber domain, monitor developments in cyber space, analyse trends and improve the collective response to cyber incidents.[234] The OCS has subsequently been renamed the Office of Cyber Security and Information Assurance (OCSIA), to reflect its role in the safeguarding of data rather than just the networks and systems that handle that data.

206. The OCSIA is responsible for:

providing a strategic direction on cyber security and information assurance for the UK including e-crime;
supporting awareness, training and education;
working with private sector partners on exchanging information and promoting best practice;
ensuring that the UK's information and cyber security technical capability and operational architecture is improved and maintained;
working with the Office of the Government Chief Information Officer (OGCIO) to ensure the resilience and security of government ICT infrastructures; and
engaging with international partners in improving the security of cyberspace and information security.[235]

207. The Royal Academy of Engineering was concerned that:

At present, there is no one place in Government where responsibility lies, and different departments ask the same of advice of the same people. The role and resourcing of [OCSIA] needs to be resolved, clarifying whether [OCSIA] is merely raising awareness of this issue, or whether it will be setting out and enacting a cyber security strategy.[236]

208. Several of the witnesses we questioned supported the creation of the OCSIA, but warned that "unless the [OCSIA] has some teeth to enforce co-ordination across Government, being a mere observer in this game isn't going to be enough".[237] On whether the OCSIA was meeting its objectives we were told by Professor Sommer that:

[OSCIA's] problem is that, when it was set up, it had either no or very little independent funding of its own. The individual members, as I understand it, continued to get their salaries from the organisations from which they came.[238]

209. When asked whether the OCSIA would enact and deliver policy, Dr Marsh, Deputy Director of the OSCIA, told us "there will be policy. It is also [...] very much about the strategic leadership being a focus for cyber security across Government as a whole".[239] On whether the OCSIA had "teeth", he said:

We report to the National Security Adviser in the Cabinet Office, who then, obviously, reports directly to the Prime Minister. We have the Security Minister, Baroness Neville-Jones, in the Home Office. We have the support of the National Security Council for the cyber security work. So I think we have at least growing teeth to harness the activity across Government and certainly, without a doubt, this Government's commitment is shown by making this budget available for cyber security.[240]

However, when we asked Dr Marsh how much funding was available for the OCSIA, he was not able to give us an answer.[241]

210. The Government clearly recognises the importance of cyber security, but, despite this and Dr Marsh's assurances, we are uncertain how the OCSIA will meet its objectives, particularly as we were unable to ascertain its budget. In its response to this report, we recommend that the Government clarify the powers and funding of the Office for Cyber Security and Information Assurance.

International coordination

211. International coordination is an umbrella term encompassing a wide range of activity, from data sharing to the development of new regulations. We have already touched on international expertise in the context of how SAGE works (paragraph 157). In this chapter we have examined three examples of where international coordination is particularly important in the three case studies where the emergency has clear implications beyond the UK.

SPACE SITUATIONAL AWARENESS

212. A severe space weather event has not affected the UK in living memory, and as we heard several times from witnesses, there is a lot of "work in progress" to determine what the impacts could be.[242] It is clear that the effects of a severe space weather event could be wide-ranging. The Royal Astronomical Society (RAS) warned that "a severe space weather event will affect the whole planet; indeed it will affect the whole of our solar system".[243] Thus the ability to forecast, or predict, adverse space weather is an effort that cannot be undertaken by individual nations alone. Both the European Space Agency (ESA) and National Aeronautics and Space Administration (NASA) have established Space Situational Awareness (SSA) programmes.

213. Space Situational Awareness (SSA) is the understanding of conditions in space that are relevant to human activities. The objective of ESA's SSA programme is to support Europe's independent utilisation of, and access to, space through the provision of timely and accurate information, data and services regarding the space environment, and particularly hazards to infrastructure in orbit and on the ground. The SSA programme should enable Europe autonomously to detect, predict and assess the risk to life and property from the effects of space weather phenomena on space and ground-based infrastructure.[244]

214. There are concerns that the UK is only a minimal subscriber to ESA's Space Situational Awareness programme. Professor Mike Hapgood, Royal Astronomical Society (RAS), noted that "this greatly limits UK participation in, and influence on, the space weather elements of the SSA programme".[245] The RAS was concerned that "if this continues, it is likely that other member states will develop capabilities that outstrip those currently available in the UK."[246] Professor Paul Cannon, Fellow of the Royal Academy of Engineering, explained that:

the Space Situational Awareness programme[...] is an ideal opportunity to leverage an international programme into a UK programme and vice versa. If we don't have a UK programme, then our ability to participate in the European programme will obviously be reduced. There is a good opportunity here for the UK. I think it is worth also saying that the UK has a long history in terms of the science in this area. It has a long history in terms of the applications of science in this area. So we are very well qualified as a country to move forward to the benefit of UK Plc.[247]

215. The British National Space Centre (BNSC) partnership was replaced in March 2010 by the UK Space Agency (UKSA). It was announced that the UKSA would bring together space activities and budgets, previously coordinated by the BNSC, from across Departments into one executive agency.[248]

216. We recommend that the Government review the need for the UK to increase its participation in, and contributions to, ESA's Space Situational Awareness programme, following the outcome of the 2011 National Risk Assessment.

REGULATIONS ON FLYING THROUGH ASH

217. The International Civil Aviation Organisation (ICAO) sets standards and recommended practices for international civil aviation. Its ongoing mission is "to foster a global civil aviation system that consistently and uniformly operates at peak efficiency and provides optimum safety, security and sustainability".[249] ICAO guidance and guidance from the airframe and engine manufacturers is "to avoid flying in visible volcanic ash. That is ash that you can see".[250] The initial response to the presence of volcanic ash in the atmosphere above Europe and the UK was to close airspace.

218. There was some dissatisfaction with the implementation of ICAO guidelines. For example, British Airways, one of the world's largest international airlines, stated:

ICAO guidance to aircraft operators is clear and unambivalent—avoid visible ash at all times. The areas of predicted contamination produced by the [Volcanic Ash Advisory Centre] model were vastly over-conservative: the Met Office has since admitted this. Blue skies prevailed over much of the predicted area of contamination for the majority of the time that the volcano was erupting but this evidence was not taken into account by government agencies. They contradicted ICAO guidance and imposed unreasonable restrictions upon operators against established protocols.[251]

219. Captain Tim Steeds, Director of Safety and Security, British Airways, told us that his personal view was that:

the senior management in the CAA expected too much of the Safety Regulation Group [a group within the CAA]. They should have asked the Safety Regulation Group to ensure that operators had considered the problem and were reacting correctly to it, rather than just closing the air space and inconveniencing everybody.[252]

220. The visibility of ash to the eye is a qualitative assessment, as Dr Gratton, Royal Aeronautical Society, pointed out:

volcanic ash is not always visible at levels that are significant. That is fairly intuitive because aeroplanes fly at night and they fly in cloud, in neither of which are you going to see ash. [...] the fact that you can see or can't see the ash is not a reliable indicator; secondly, the level of damage that can be done [...] [and] actually you can fly through a significant level of ash, do damage, pick up a substantial maintenance overhead but without immediately endangering the flight. It is important to realise this graduation.[253]

221. Given the difficulties of determining visible ash, computer modelling was important for detecting the presence of ash. However, there was criticism of the accuracy of the Met Office computer prediction and the fact that its results were produced every six hours. This led to prohibition of flying for periods of six hours at a time which, in the context of the operational needs of airlines and airports, was arbitrary. It is clear to us that the ICAO guidance to avoid visible ash was insufficient. Because insufficient guidance was available to inform aircraft manufacturers and others of safe ash concentrations and little preparation had occurred for such a crisis, a proportionate emergency response was hampered. The Manchester Airports Group stated that:

it was very soon evident that the ICAO volcanic ash plans were outdated and relied on assumptions that later proved not to have been based on scientific evidence. It was then clear that no scientific tests or certification had ever taken place to analyse and assess the ability for aircraft or engines to safely withstand flight in ash contaminated air.[254]

Rt Hon Lord Adonis, then Secretary of State for Transport, told us his view that:

The question which needed to be asked, and involves a searching process of self-examination on the part of the International Civil Aviation Organisation and the European regulators, is why, before April 2010, they had not conducted the scientific work that was necessary to put in place a safe regime for flying through concentrations of ash. They are doing that and a new regulatory structure has been put in place.[255]

[...]

Work had not taken place on the estimation of what a worst case scenario might be in the case of a volcanic eruption, which is the reason why we had to put in place a new regulatory regime, literally, over the course of a long weekend.[256]

And Dr Ray Elgy, Head of Licensing and Training Standards at the CAA, told us that "there is work in place to improve co-ordination across Europe [...] within the UK, I am not sure that there is much that we could say would need to be improved. I think the big issue for us would be for Europe".[257] Concerns were also expressed about the involvement of the European Aviation Safety Agency (EASA),[258] to which the CAA will transfer some of its functions from 2012.[259]

222. We asked the former Minister why, putting aside the international aspect, the UK was unprepared for the volcanic ash emergency. He told us that it was "a question which needs to be asked of the Civil Aviation Authority because they are the regulatory agency. I never did get to the bottom of the answer".[260] We are concerned that, when asked why the UK was unprepared for volcanic ash disruption, the former Secretary of State for Transport chose both to distance himself from, and to pass responsibility to, the CAA, a body for which he had ministerial oversight. This is unsatisfactory.

223. The insufficiency of ICAO guidance meant there was a need rapidly to work with all relevant stakeholders to identify and validate new operating thresholds. Technical and scientific advances continually improve the capability of aircraft to operate safely in circumstances which had previously proved problematic. However, the volcanic ash episode showed that the air transport regulatory system, which must always take a precautionary view, cannot always be abreast of these new capabilities, especially in the face of unforeseen hazards. In addition, as this regulation is now made at European level, it is essential the UK is able to influence the review of regulations and guidance rapidly and with authority. We conclude that it is essential that the Department for Transport and the CAA sustain the ability, in the face of any new hazard, to access the full range of science, engineering, operating and regulatory resources necessary to determine whether existing regulations are adequate and appropriate.

224. We do not agree that the closure of airspace imposed unreasonable restrictions upon operators. Given the uncertainties involved and the lack of prior risk assessment, it was necessary to take a precautionary approach until aircraft and engine tolerances to ash had been identified. We expect that, if a similar situation occurred in future, the UK would be better prepared to conduct analyses and make decisions on an appropriate emergency response. However, the Government will need to resolve the following three policy and process issues: (i) the CAA's contribution to EASA's decision-making processes; (ii) the suitability of the Met Office's computer predictions and (iii) the involvement of airline operators in decision-making.

DATA SHARING DURING THE SWINE FLU PANDEMIC

225. The World Health Organisation (WHO) is the directing and coordinating authority for health within the United Nations system. It is responsible for providing leadership on global health matters, shaping the health research agenda, articulating evidence-based policy options, providing technical support to countries and monitoring and assessing health trends.[261] The WHO's Global Influenza Programme considers preparations for influenza pandemics and ways in which death and disease can be reduced.[262] WHO Collaborating Centres—institutes designated to carry out research in support of WHO programmes—are located around the world, including at the National Institute for Medical Research (NIMR) in the UK.[263]

226. The European Centre for Disease Prevention and Control (ECDC) is an EU agency whose purpose is to identify, assess and communicate current and emerging threats to human health posed by infectious diseases.[264] Both the WHO and ECDC contributed to SAGE discussions and the advice given to Ministers.[265] The UK also contributed to discussions at the WHO; we were told by Professor Neil Ferguson, Director, MRC Centre for Outbreak Analysis and Modelling, that:

The World Health Organisation is a strange political body in some ways, but I would say that the UK is disproportionally represented. It was certainly true on the emergency committee. We had more members, advisers on it, myself included, than any other nation. Also that is true of the lower level committees. The United States and the United Kingdom pull well above our weight in that international co-ordination.[266]

The Government told us that, in addition to working with the WHO and ECDC:

the UK had bilateral relationships with Australia, Canada and USA to facilitate rapid sharing of new epidemiological and clinical data on the virus as the pandemic developed.[267]

227. While it appears to us that international coordination was, on the whole, sufficient, Professor Ferguson highlighted one failing, which was that:

while Governments and countries are happy to share analysis—their view of the situation—they are rarely willing to share the detailed data they are collecting in real time, or at least some of it. [...] we had very detailed data from the US CDC, data from Mexico and other countries. We couldn't share it with the other partners we were working with. We could only share a kind of synthesis. [...] it was not so much of an issue last year because it was relatively mild, but there were instances where, had we been dealing with something more serious, it could have posed some problems and we could have lost some efficiency about that inability to share raw data.[268]

He also suggested that it might have been helpful to share high-level documents such as the Cabinet Office's Situation Report (SITREP) with the White House and US Centres for Disease Control (CDC) and similarly for the US to share their high-level documents. He explained that:

A lot of the information flowed in the informal ways, but the formal sharing of those confidential documents proved impossible. With time, we could have had those formal agreements in place to allow that even closer sharing. It was probably easier between the UK and the US than many other pairs of countries.[269]

228. We conclude that there needs to be a better mechanism of data-sharing, particularly sharing of raw epidemiological data. We recommend that the UK, as a member state of the WHO, propose the formation of an international working group under the WHO to discuss how to share effectively epidemiological data between countries in the run-up to a new pandemic.

230 Ev 102 [Government Office for Science and Cabinet Office] Back

231 Cabinet Office, Cyber Security Strategy of the United Kingdom: Safety, security and resilience in cyber space, June 2009, para 3.8 Back

232 "About us", Communications Electronics Security Group, www.cesg.gov.uk Back

233 Ev 103 [Government Office for Science and Cabinet Office] Back

234 As above Back

235 "Office of Cyber Security and Information Assurance", Cabinet Office, www.cabinetoffice.gov.uk Back

236 Ev 150, para 4 Back

237 Q 267 [Robert Hayes] Back

238 Q 268 Back

239 Q 296 Back

240 Q 298 Back

241 Q 303 Back