Scientific advice and evidence in emergencies - Science and Technology Committee


Memorandum submitted by Professor Peter Sommer (SAGE 23)

  1.  I am a Visiting Professor at the London School of Economics and a Visiting Reader at the Open University. I attach, as Appendix I, a CV.

  2.  I believe I may be able to assist the Committee in two ways. Between July 2003 and March 2009 I was a member of the Scientific Advisory Panel on Emergency Response (SAPER) run by the Government's Chief Scientific Advisor and can comment on the experience. I have had interactions with parts of government in relation to cybersecurity since 1995. Together with Dr Ian Brown of the Oxford Internet Institute I am the author of a forthcoming OECD study entitled Systemic Cyber Security Risk which is part of their Future Global Shocks programme.

SAPER

  3.  If the Committee has not already had submissions on the existence and work of the Scientific Advisory Panel on Emergency Response (SAPER), then it will do well to make inquiries of the Government Chief Scientific Advisor. I will confine my comments to my own experiences.

  4.  SAPER was set up by Professor David King when he was GCSA to support his role in COBRA. As I understand it, the decision was partly informed by the then developing "civil contingencies" agenda which included the Civil Contingencies legislation. The essential idea was that the GCSA needed to have a wide variety of sources to inform his advice. A number of scientists from the ministries, agencies and wider academia would be briefed about government plans for addressing emergencies both in terms of structure for decision-making and underlying analyses. As I understand it, the role of the non-government academics was twofold: to provide additional and fresh perspective on the issues but more importantly to provide networks by which other academics could be identified on an as-needed basis in specific circumstances.

  5.  The non-government academics were drawn from a wide range of disciplines which included engineering, the social sciences and finance/economics.

  6.  Regular briefings were provided on the development of government policy (we had an early presentation on CONTEST from David Omand), government structure for decision-making, horizon-scanning assessments from the Cabinet Office Civil Contingencies Secretariat and, as the counter-terrorism agenda became more important, from the Joint Terrorism Analysis Centre (JTAC). We were given previews of how a pandemic would be assessed and then specifically managed. There were also presentations on a number of actual and potential counter-terrorism technologies given by a variety of specialist scientists. These were all accompanied by discussions.

  7.  SAPER also undertook various projects. At one stage there were brain-storming sessions on the problems and features of "kitchen-sink bomb making". There was a review of the availability and practical use of computer models/simulations during the management of disasters; potential models included the spread of infectious diseases, the behaviour of plumes of noxious substances and the dispersal of irradiated contaminated material in a dirty bomb. There were also studies carried out by sub-groups: one looked at the behaviour of crowds during emergencies and with particular reference to London Underground.

  8.  Discussions were always on a multi-disciplinary basis. That is to say, although most of us had been recruited on the basis of specialist knowledge (in my case, of social science disciplines and cybersecurity), we were encouraged to contribute freely across the entire agenda.

  9.  Towards the end of its existence there emerged concern that there might be too many semi-duplicating and uncoordinated initiatives in ministries addressing aspects of the Counter-Terrorism agenda. There was an attempt by SAPER to collect data on these and then use regular academic skills in project funding assessment (as used by grant-awarding bodies) to identify good and not-so-good projects in terms of clarity of objectives, soundness of methods, and requirements for funding. I do not know what became of this exercise.

  10.  The current GCSA (who was on SAPER as CSA for the Ministry of Agriculture) should be able to explain how far SAPER has been replaced.

  11.  It is difficult for me, who have never been in direct full-time government employment, to assess the value of SAPER's work. As a participant I found the activities extremely interesting. As an academic I had had some interest in the generic issues of government response to emergencies from such books as Beneath the City Streets by Peter Laurie and Peter Hennessy's The Secret State. The officials from CCS, JTAC, the security agencies and bodies like HSE all stated that there were benefits to them. However in the nature of things it is quite difficult for me to track specific SAPER activity in terms of real policy outcomes.

  12.  A further problem in terms of the use of non-government service academics is that they are relatively unlikely to have been through developed vetting but be simply security cleared. The dilemma is this: the external academic may bring fresh insights, but cannot necessarily be shown a full picture—and that might include seeing how advice is converted into policy. Of course some academics may feel that they do not wish to go through any form of vetting.

CYBERSECURITY

  13.  Although the Cybersecurity agenda is wider than this, possible events which seem to relate to the need for future emergency activity are:

    — Loss, as a result of accident or bug, of computer services critical to central and/or local government activity.

    — Loss or compromise of large quantities of critical government data, including data about citizens which should be held confidential.

    — Loss, as a result of accident or bug, of computer services owned in the private sector but part of the Critical National Infrastructure.

    — Deliberate attacks on computer services critical to central and/or local government activity.

    — Deliberate attacks on computer services owned in the private sector but part of the Critical National Infrastructure.

  It should be noted that "cyber attack" is only one set of scenarios that might trigger an emergency affecting the public.

  14.  The Committee should, if it is not doing so already, obtain an update on coalition plans for cybersecurity.

  15.  The wider cybersecurity agenda also includes the need to protect critical central government, intelligence agency, military and police data and systems. But there are many events here which, though important, do not amount to emergencies immediately affecting the public as a whole.

  16.  "Cybersecurity" at government level has several components and in assessing the role of scientific advice the Committee needs to be aware of the various elements:

    — Security Technologies: there is a substantial technical element within a "computer sciences" domain. It includes: engineering requirements analysis, access control/identity management, the development of safe databases, the deployment of encryption, the use and development of Intrusion Detection Systems, malware research, tracing/attribution.

    — Risk Analysis and Management is an essential element.

    — Dependency Analysis studies the ways in which, in this highly-inter-connected world, dependencies can be mapped and modelled.

    — Human factors: a great deal of security planning and engineering relies on an understanding of how individuals by themselves and as members of a group behave—how do they react to the interfaces to the security technologies and to security policies, for example?

    — Criminology of Cybercrime: taxonomies of criminals, motivations.

    — Political Analysis: in terms of cyber-attacks, an understanding of the motivations of likely actors is at least as important as appreciating the technologies they may be able to deploy.

    — Management Science, among other things, to help develop a relationship with the private sector aspects of the CNI.

    — Contingency Planning: preventative and detective measures are insufficient to guarantee an absence of cybersecurity problems. Considerable attention to methods of rapid recovery after an incident is an essential component.

  17.  Much research work in all of these sectors is openly available and published, not the least because many of the problems, albeit in slightly different forms, also apply to large and not-so-large businesses. As a result security officials may not need much in the way of specialist research.

  18.  There are a number of research programmes available for academics through which to channel and fund their activities in these areas. They include:

    — Under the European Commission Framework Programme 7: http://ec.europa.eu/research/fp7/index_en.cfm?pg=security

    — Under current ESRC plans, the Environment, Energy and Resilience, Security, Conflict and Justice themes: http://www.esrcsocietytoday.ac.uk/ESRCInfoCentre/strategicplan/challenges/environmentandenergy.aspx and http://www.esrcsocietytoday.ac.uk/ESRCInfoCentre/strategicplan/challenges/securityandconflict.aspx

    — I also draw attention to the Cybersecurity KTN: http://www.innovationuk.org/news/innovation-uk-vol4-1/0101-cyber-security-ktn.html

  19.  My experience is that officials from CPNI, CESG and CCS all attend specialist academic workshops, seminars and conferences without necessarily drawing attention to their actual employers.

  20.  Officials also participate in think-tank workshops held under "Chatham House" rules. (Chatham House has a current cyber security project, but so do some other think tanks). There are also a number of industry-funded membership-by-invitation organisations within the computer and security industries who host off-the-record workshops.

  21.  The linked Office of CyberSecurity (OCS) and CyberSecurity Operations Centre (CSOC) have attended and participated in a number of events. They have also arranged for external academics to attend horizon-scanning sessions.

  22.  In addition security officials build up informal relationships with individual researchers of interest. My own experience of this is in the form of discussions of broad trends and clarification of research. The flow of information has been largely towards the security officials. I am aware that other researchers may from time to time have a more formal relationship and be commissioned to carry out specific work.

  23.  Many non-government academics are wary of obtaining commissions direct from the security agencies. The reasons include: ideology (a feeling that science should always be open) and restrictions on publication (which is one very important measure of academic excellence and key to further promotion).

  I would be happy to expand on any of these issues.

Professor Peter Sommer

14 September 2010





 

© Parliamentary copyright 2011
Prepared 2 March 2011