7 Coordination
203. In this inquiry we have looked at four very
different case studies, involving a host of Government departments
and agencies, independent advisers, private organisations and
regulators. All of the emergencies we explored have the potential
to cross political and departmental boundaries and so it is unsurprising
that a recurring theme has been the importance of coordinating
the emergency response. In this final chapter we look at coordination
in more detail, specifically the Office of Cyber Security and
Information Assurance (OCSIA) and international coordination.
Office of Cyber Security and
Information Assurance
204. There are a range of agencies providing scientific
advice on cyber security to Government and businesses. The Centre
for the Protection of National Infrastructure (CPNI) advises organisations
within the national infrastructure on security measures and provides
technical support.[230]
The Cyber Security Operations Centre (CSOC) was set up in 2009
to monitor the health of cyber space and co-ordinate incident
response, enable better understanding of attacks against UK networks
and users; and provide better advice and information about the
risks to business and the public.[231]
CSOC draws on expertise from the Defence Science and Technology
Laboratory (DSTL) and is housed at the Government Communications
Headquarters (GCHQ). GCHQ has an information assurance arm called
CESG (the Communications Electronics Security Group); this is
the UK's National Technical Authority for information assurance,
providing advice and assistance on the security of communications
and electronic data to central Government departments and agencies,
the Armed Forces and the wider public and private sector.[232]
In addition, the Government's written submission stated that "individual
Government departments are currently responsible for the protection
of their own systems and infrastructure".[233]
205. Following the publication of the UK's Cyber
Security Strategy in June 2009, the Office of Cyber Security
(OCS) situated in Cabinet Office, and Cyber Security Operations
Centre (CSOC) were set up to provide strategic leadership in the
cyber domain, monitor developments in cyber space, analyse trends
and improve the collective response to cyber incidents.[234]
The OCS has subsequently been renamed the Office of Cyber Security
and Information Assurance (OCSIA), to reflect its role in the
safeguarding of data rather than just the networks and systems
that handle that data.
206. The OCSIA is responsible for:
- providing a strategic direction
on cyber security and information assurance for the UK including
e-crime;
- supporting awareness, training and education;
- working with private sector partners on exchanging
information and promoting best practice;
- ensuring that the UK's information and cyber
security technical capability and operational architecture is
improved and maintained;
- working with the Office of the Government Chief
Information Officer (OGCIO) to ensure the resilience and security
of government ICT infrastructures; and
- engaging with international partners in improving
the security of cyberspace and information security.[235]
207. The Royal Academy of Engineering was concerned
that:
At present, there is no one place in Government where
responsibility lies, and different departments ask the same of
advice of the same people. The role and resourcing of [OCSIA]
needs to be resolved, clarifying whether [OCSIA] is merely raising
awareness of this issue, or whether it will be setting out and
enacting a cyber security strategy.[236]
208. Several of the witnesses we questioned supported
the creation of the OCSIA, but warned that "unless the [OCSIA]
has some teeth to enforce co-ordination across Government, being
a mere observer in this game isn't going to be enough".[237]
On whether the OCSIA was meeting its objectives we were told by
Professor Sommer that:
[OSCIA's] problem is that, when it was set up, it
had either no or very little independent funding of its own. The
individual members, as I understand it, continued to get their
salaries from the organisations from which they came.[238]
209. When asked whether the OCSIA would enact and
deliver policy, Dr Marsh, Deputy Director of the OSCIA, told us
"there will be policy. It is also [...] very much about the
strategic leadership being a focus for cyber security across Government
as a whole".[239]
On whether the OCSIA had "teeth", he said:
We report to the National Security Adviser in the
Cabinet Office, who then, obviously, reports directly to the Prime
Minister. We have the Security Minister, Baroness Neville-Jones,
in the Home Office. We have the support of the National Security
Council for the cyber security work. So I think we have at least
growing teeth to harness the activity across Government and certainly,
without a doubt, this Government's commitment is shown by making
this budget available for cyber security.[240]
However, when we asked Dr Marsh how much funding
was available for the OCSIA, he was not able to give us an answer.[241]
210. The Government clearly recognises the importance
of cyber security, but, despite this and Dr Marsh's assurances,
we are uncertain how the OCSIA will meet its objectives, particularly
as we were unable to ascertain its budget. In
its response to this report, we recommend that the Government
clarify the powers and funding of the Office for Cyber Security
and Information Assurance.
International coordination
211. International coordination is an umbrella term
encompassing a wide range of activity, from data sharing to the
development of new regulations. We have already touched on international
expertise in the context of how SAGE works (paragraph 157). In
this chapter we have examined three examples of where international
coordination is particularly important in the three case studies
where the emergency has clear implications beyond the UK.
SPACE SITUATIONAL AWARENESS
212. A severe space weather event has not affected
the UK in living memory, and as we heard several times from witnesses,
there is a lot of "work in progress" to determine what
the impacts could be.[242]
It is clear that the effects of a severe space weather event could
be wide-ranging. The Royal Astronomical Society (RAS) warned that
"a severe space weather event will affect the whole planet;
indeed it will affect the whole of our solar system".[243]
Thus the ability to forecast, or predict, adverse space weather
is an effort that cannot be undertaken by individual nations alone.
Both the European Space Agency (ESA) and National Aeronautics
and Space Administration (NASA) have established Space Situational
Awareness (SSA) programmes.
213. Space Situational Awareness
(SSA) is the understanding of conditions in space that are relevant
to human activities. The objective of ESA's
SSA programme is to support Europe's independent utilisation of,
and access to, space through the provision of timely and accurate
information, data and services regarding the space environment,
and particularly hazards to infrastructure in orbit and on the
ground. The SSA programme should enable Europe autonomously to
detect, predict and assess the risk to life and property from
the effects of space weather phenomena on space and ground-based
infrastructure.[244]
214. There
are concerns that the UK is only a minimal
subscriber to ESA's Space Situational Awareness programme. Professor
Mike Hapgood, Royal Astronomical Society (RAS), noted that "this
greatly limits UK participation in, and influence on, the space
weather elements of the SSA programme".[245]
The RAS was concerned that
"if this continues, it is likely that other member states
will develop capabilities that outstrip those currently available
in the UK."[246]
Professor Paul Cannon, Fellow of the Royal
Academy of Engineering, explained that:
the Space Situational Awareness programme[...] is
an ideal opportunity to leverage an international programme into
a UK programme and vice versa. If we don't have a UK programme,
then our ability to participate in the European programme will
obviously be reduced. There is a good opportunity here for the
UK. I think it is worth also saying that the UK has a long history
in terms of the science in this area. It has a long history in
terms of the applications of science in this area. So we are very
well qualified as a country to move forward to the benefit of
UK Plc.[247]
215. The British National Space Centre (BNSC) partnership
was replaced in March 2010 by the UK Space Agency (UKSA). It was
announced that the UKSA would bring together space activities
and budgets, previously coordinated by the BNSC, from across Departments
into one executive agency.[248]
216. We recommend
that the Government review the need for the UK to increase its
participation in, and contributions to, ESA's Space Situational
Awareness programme, following the outcome of the 2011 National
Risk Assessment.
REGULATIONS ON FLYING THROUGH ASH
217. The International Civil Aviation Organisation
(ICAO) sets standards and recommended practices for international
civil aviation. Its ongoing mission is "to foster a global
civil aviation system that consistently and uniformly operates
at peak efficiency and provides optimum safety, security and sustainability".[249]
ICAO guidance and guidance
from the airframe and engine manufacturers is "to avoid flying
in visible volcanic ash. That is ash that you can see".[250]
The initial response to the presence of volcanic ash in the atmosphere
above Europe and the UK was to close airspace.
218. There was some dissatisfaction with the implementation
of ICAO guidelines. For example, British Airways, one of the world's
largest international airlines, stated:
ICAO guidance to aircraft operators is clear and
unambivalentavoid visible ash at all times. The areas of
predicted contamination produced by the [Volcanic Ash Advisory
Centre] model were vastly over-conservative: the Met Office has
since admitted this. Blue skies prevailed over much of the predicted
area of contamination for the majority of the time that the volcano
was erupting but this evidence was not taken into account by government
agencies. They contradicted ICAO guidance and imposed unreasonable
restrictions upon operators against established protocols.[251]
219. Captain Tim Steeds, Director of Safety and Security,
British Airways, told us that his personal view was that:
the senior management in the CAA expected too much
of the Safety Regulation Group [a group within the CAA]. They
should have asked the Safety Regulation Group to ensure that operators
had considered the problem and were reacting correctly to it,
rather than just closing the air space and inconveniencing everybody.[252]
220. The visibility of ash to the eye is a qualitative
assessment, as Dr Gratton, Royal Aeronautical Society, pointed
out:
volcanic ash is not always visible at levels that
are significant. That is fairly intuitive because aeroplanes fly
at night and they fly in cloud, in neither of which are you going
to see ash. [...] the fact that you can see or can't see the ash
is not a reliable indicator; secondly, the level of damage that
can be done [...] [and] actually you can fly through a significant
level of ash, do damage, pick up a substantial maintenance overhead
but without immediately endangering the flight. It is important
to realise this graduation.[253]
221. Given the difficulties of determining visible
ash, computer modelling was important for detecting the presence
of ash. However, there was criticism of the accuracy of the Met
Office computer prediction and the fact that its results were
produced every six hours. This led to prohibition of flying for
periods of six hours at a time which, in the context of the operational
needs of airlines and airports, was arbitrary. It is clear to
us that the ICAO guidance to avoid visible ash was insufficient.
Because insufficient guidance was available to inform aircraft
manufacturers and others of safe ash concentrations and little
preparation had occurred for such a crisis, a proportionate emergency
response was hampered. The Manchester Airports Group stated that:
it was very soon evident that the ICAO volcanic ash
plans were outdated and relied on assumptions that later proved
not to have been based on scientific evidence. It was then clear
that no scientific tests or certification had ever taken place
to analyse and assess the ability for aircraft or engines to safely
withstand flight in ash contaminated air.[254]
Rt Hon Lord Adonis, then Secretary of State for Transport,
told us his view that:
The question which needed to be asked, and involves
a searching process of self-examination on the part of the International
Civil Aviation Organisation and the European regulators, is why,
before April 2010, they had not conducted the scientific work
that was necessary to put in place a safe regime for flying through
concentrations of ash. They are doing that and a new regulatory
structure has been put in place.[255]
[...]
Work had not taken place on the estimation of what
a worst case scenario might be in the case of a volcanic eruption,
which is the reason why we had to put in place a new regulatory
regime, literally, over the course of a long weekend.[256]
And Dr Ray Elgy, Head of Licensing and Training Standards
at the CAA, told us that "there is work in place to improve
co-ordination across Europe [...] within the UK, I am not sure
that there is much that we could say would need to be improved.
I think the big issue for us would be for Europe".[257]
Concerns were also expressed about the involvement of the European
Aviation Safety Agency (EASA),[258]
to which the CAA will transfer some of its functions from 2012.[259]
222. We asked the former Minister why, putting aside
the international aspect, the UK was unprepared for the volcanic
ash emergency. He told us that it was "a question which needs
to be asked of the Civil Aviation Authority because they are the
regulatory agency. I never did get to the bottom of the answer".[260]
We are
concerned that, when asked why the UK was unprepared for volcanic
ash disruption, the former Secretary of State for Transport chose
both to distance himself from, and to pass responsibility to,
the CAA, a body for which he had ministerial oversight. This is
unsatisfactory.
223. The insufficiency of ICAO guidance meant there
was a need rapidly to work with all relevant stakeholders to identify
and validate new operating thresholds. Technical and scientific
advances continually improve the capability of aircraft to operate
safely in circumstances which had previously proved problematic.
However, the volcanic ash episode showed that the air transport
regulatory system, which must always take a precautionary view,
cannot always be abreast of these new capabilities, especially
in the face of unforeseen hazards. In addition, as this regulation
is now made at European level, it is essential the UK is able
to influence the review of regulations and guidance rapidly and
with authority. We conclude
that it is essential that the Department for Transport and the
CAA sustain the ability, in the face of any new hazard, to access
the full range of science, engineering, operating and regulatory
resources necessary to determine whether existing regulations
are adequate and appropriate.
224. We do not
agree that the closure of airspace imposed unreasonable restrictions
upon operators. Given the uncertainties involved and the lack
of prior risk assessment, it was necessary to take a precautionary
approach until aircraft and engine tolerances to ash had been
identified. We expect that, if a similar situation occurred in
future, the UK would be better prepared to conduct analyses and
make decisions on an appropriate emergency response. However,
the Government will need to resolve the following three policy
and process issues: (i) the CAA's contribution to EASA's decision-making
processes; (ii) the suitability of the Met Office's computer predictions
and (iii) the involvement of airline operators in decision-making.
DATA SHARING DURING THE SWINE FLU
PANDEMIC
225. The World Health Organisation (WHO) is the directing
and coordinating authority for health within the United Nations
system. It is responsible for providing leadership on global health
matters, shaping the health research agenda, articulating evidence-based
policy options, providing technical support to countries and monitoring
and assessing health trends.[261]
The WHO's Global Influenza Programme considers preparations for
influenza pandemics and ways in which death and disease can be
reduced.[262] WHO Collaborating
Centresinstitutes designated to carry out research in support
of WHO programmesare located around the world, including
at the National Institute for Medical Research (NIMR) in the UK.[263]
226. The European Centre for Disease Prevention and
Control (ECDC) is an EU agency whose purpose is to identify, assess
and communicate current and emerging threats to human health posed
by infectious diseases.[264]
Both the WHO and ECDC contributed to SAGE discussions and the
advice given to Ministers.[265]
The UK also contributed to discussions at the WHO; we were told
by Professor Neil Ferguson, Director, MRC Centre for Outbreak
Analysis and Modelling, that:
The World Health Organisation is a strange political
body in some ways, but I would say that the UK is disproportionally
represented. It was certainly true on the emergency committee.
We had more members, advisers on it, myself included, than any
other nation. Also that is true of the lower level committees.
The United States and the United Kingdom pull well above our weight
in that international co-ordination.[266]
The Government told us that, in addition to working
with the WHO and ECDC:
the UK had bilateral relationships with Australia,
Canada and USA to facilitate rapid sharing of new epidemiological
and clinical data on the virus as the pandemic developed.[267]
227. While it appears to us that international coordination
was, on the whole, sufficient, Professor Ferguson highlighted
one failing, which was that:
while Governments and countries are happy to share
analysistheir view of the situationthey are rarely
willing to share the detailed data they are collecting in real
time, or at least some of it. [...] we had very detailed data
from the US CDC, data from Mexico and other countries. We couldn't
share it with the other partners we were working with. We could
only share a kind of synthesis. [...] it was not so much of an
issue last year because it was relatively mild, but there were
instances where, had we been dealing with something more serious,
it could have posed some problems and we could have lost some
efficiency about that inability to share raw data.[268]
He also suggested that it might have been helpful
to share high-level documents such as the Cabinet Office's Situation
Report (SITREP) with the White House and US Centres for Disease
Control (CDC) and similarly for the US to share their high-level
documents. He explained that:
A lot of the information flowed in the informal ways,
but the formal sharing of those confidential documents proved
impossible. With time, we could have had those formal agreements
in place to allow that even closer sharing. It was probably easier
between the UK and the US than many other pairs of countries.[269]
228. We
conclude that there needs to be a better mechanism of data-sharing,
particularly sharing of raw epidemiological data. We recommend
that the UK, as a member state of the WHO, propose the formation
of an international working group under the WHO to discuss how
to share effectively epidemiological data between countries in
the run-up to a new pandemic.
230 Ev 102 [Government Office for Science and Cabinet
Office] Back
231
Cabinet Office, Cyber Security Strategy of the United Kingdom:
Safety, security and resilience in cyber space, June 2009,
para 3.8 Back
232
"About us", Communications Electronics Security Group,
www.cesg.gov.uk Back
233
Ev 103 [Government Office for Science and Cabinet Office] Back
234
As above Back
235
"Office of Cyber Security and Information Assurance",
Cabinet Office, www.cabinetoffice.gov.uk Back
236
Ev 150, para 4 Back
237
Q 267 [Robert Hayes] Back
238
Q 268 Back
239
Q 296 Back
240
Q 298 Back
241
Q 303 Back
242
Qq 157-59, 167, 178, 191, 196, 209-10, 215-16 Back
243
Ev 113, para 37 Back
244
"What is SSA?", European Space Agency: Space situational
awareness, 26 January 2011, www.esa.int Back
245
Ev w23 [MIST], para 20 Back
246
Ev 113, para 39 Back
247
Q 167 Back
248
HC Deb, 23 March 2010, col 25WS [Commons written ministerial statement] Back
249
"ICAO Strategic Objectives 2011-2012-2013", International
Civil Aviation Organisation, www.icao.int Back
250
Q 62 [Captain Tim Steeds] Back
251
Ev 159, para 2.2.2 Back
252
Q 101 Back
253
Q 89 Back
254
Ev w49, para 5 Back
255
Q 360 Back
256
Q 363 Back
257
Q 61 [Dr Ray Elgy] Back
258
Q 100 [Dr Guy Gratton] Back
259
Q 101 [Captain Tim Steeds] Back
260
Q 367 Back
261
"About WHO", World Health Organisation, www.who.int Back
262
"About WHO Global Influenza Programme", World Health
Organisation, www.who.int Back
263
"WHO Collaborating Centres for influenza and Essential Regulatory
Laboratories", World Health Organisation, www.who.int Back
264
"About us", European Centre for Disease Prevention
and Control, www.ecdc.europa.eu Back
265
Ev 97 [Government Office for Science and Cabinet Office] Back
266
Q 29 Back
267
Ev 98 Back
268
Q 29 Back
269
As above Back
|