Supplementary memorandum from the Ministry
of Defence (12 February 2002) (continued)
What steps, if any, have been taken by List X
companies to enhance their security post 11 September?
MoD has no responsibility for security arrangements
in List X companies. These companies are required to comply with
Cabinet Office security regulations laid out in the Manual of
Protective Security. Government Security Advisers provided by
the Security Service give List X companies advice on both the
threat and security countermeasures and monitor List X compliance
with regulations for the secure handling and storage of protectively
marked Government information. The Committee may wish to refer
this question direct to the Home Office for an authoritative response.
Has extra funding been made available for extra
security measures needed since 11 September, and if so, is it
coming from MOD central funds or from the Treasury Contingency
None of the TLBs has received additional funding
for security. The only area where significant additional costs
have so far been incurred is overtime costs for MDP and civilian
guards, and these costs have generally been found from within
existing budgets. There have as yet been no recorded bids for
central funding, but some £600K has been accrued in extra
costs by the MDP, who will log this against the Op VERITAS contingency
fund (ultimately recoverable from the Treasury). £100K spent
on procuring masks and gloves against a potential threat from
anthrax in mail will be similarly logged. Otherwise there has
been no significant additional expenditure on security directly
attributable to the 11 September events.
What is the size of the Defence Estate in terms
of hectares and numbers of buildings and what numbers (Service,
MDP, MGS and Commercial Guard Force) are employed in guarding
The Defence Estate in the United Kingdom covers
some 242,000 hectares(ha), of which approximately 160,000ha are
rural training land. Where it is compatible with public safety
and military training requirements, the MoD actively encourages
public access to its land and operates a presumption in favour
of access. The built estate consists of more than 45,000 buildings,
including barracks, offices, workshops, storage facilities, garages,
and community and recreational facilities. It also includes privately
owned, but MoD-managed, accommodation for over 100,000 Service
personnel and their dependants.
Guarding of the MoD Estate is conducted by a
mix of MDP, civilian guards and Regular Service personnel. Each
type of guard has specific competences and skills: MDP officers
are employed where there is a requirement for constabulary powers,
or for armed security in situations where it would not be appropriate
to employ Service personnelfor instance at civilian establishments.
Only MDP officers and Service personnel are authorised to carry
out armed guarding; unarmed guarding can be carried out by either
the MoD Guard Service (MGS) or private guard companies. Often
mixed forces of contract guards or MGS, and Service personnel
or MDP officers are employed at the same site. The exact mix will
be determined by the Head Of Establishment's own assessment of
the threat and the resources available to manage the risk, including
the contribution made by other physical security measures inhibiting
unauthorised access to the site/sensitive area concerned.
It is difficult to be precise about the numbers
employed on guarding duties in Great Britain, mainly because of
the difficulty of making a clear distinction between MDP officers
employed purely on armed security, as opposed to policing duties,
and because Regular Service personnel, unlike Military Provost
Guard Service (MPGS), are not recruited and employed primarily
to carry out guarding duties, but are detailed for guard duties
as a secondary task.
Our best estimate is that, under the present
BIKINI Alert State of BLACK SPECIAL, at any one time 530 MDP officers,
810 members of the Regular Services, and 100 MPGS personnel are
posted on armed guarding duties across the Defence Estate. Sustaining
this guarding commitment requires some 2,500 MDP officers, 2,380
Regular Service personnel and 500 MPGS.
In the unarmed guarding role, guarding of the
Defence Estate is at any one time being carried out by 770 MGS
officers and 140 commercial guards. Sustaining this commitment
requires a total of some 3,500 MGS and 350 commercial guards.
What sites, including non-MOD sites, have been
identified as national Key Points?
As explained in evidence on 30 January, the
list is owned and managed by the Cabinet Office, whom we have
consulted about its release to the Committee. They have informed
us that they are unable to release the complete list owing to
its high classification. To help the Committee in establishing
how sites are designated as key points, the following paragraphs
describe the factors used in the determination and give specific
examples of some of the military key points.
What lessons have the MDP learned from their deployment
to Kosovo in terms of the kind of policing they are engaged in,
and can any of the lessons be transferred back to the UK?
Conditions in Kosovo are so different from those
prevailing at home that experiences of policing there do not translate
easily to the UK. What the deployment has proved is the ability
of the MDP to provide a policing service abroad in support of
peacekeeping operations, and to adapt its operation to different
and challenging circumstances. This has been recognised in the
continuation of the Kosovo commitment, and in proposals for additional
deployments that have been put forward subsequently. We have learned,
additionally, that such experience can be good for developing
officers by giving them the opportunity to exercise initiative
in an unfamiliar environment with much less supervision than would
be usual at home.
What additional costs have the MDP incurred in
guarding US assets in the UK since 11 September and how are these
What ROE are used by US military personnel deployed
on guarding duties at US bases in the UK ?
The MoD is unable to provide details of the
ROE used by our Allies. The Committee may wish to refer the question
direct to the US Embassy.
The HCDC asked for a copy of the MDP Complementing
Review (CR) for AWE when it is available.
The Aldermaston complementing review is still
under way, although the groundwork has been completed. The next
steps are: endorsement by HQ MDP; comment by the customer; then
consultation with the Defence Police Federation (DPF). A note
summarizing the outcome of the process will be provided to the
Committee once the consultation period with the DPF has completed.
What are the guarding arrangements on sites shared
by Dstl and QinetiQ?
Guarding arrangements on shared sites fall into
three categories: those sites for which Dstl is responsible for
providing the guarding arrangements; those sites for which QinetiQ
is responsible; and those sites for which a third party is responsible.
The decision as to which organisation leads on security is based
largely on which organisation directly controls, and has overall
responsibility for, the site, and has been negotiated in each
On the two sites for which Dstl has the lead
security responsibility, Portsdown West and Fort Halstead, the
guarding arrangements are identical to those at any other MoD
site, working to MoD security regulations. The guard forces are
found from the MGS and/or the MDP.***
Where QinetiQ has the lead for security, the
standards for the protection of MoD material are those mandated
in QinetiQ's own security policy, which is approved by the Government
Security Adviser. The guards are found from the QinetiQ in-house
force, augmented where necessary by commercial contract guards.
Home Department Police Forces respond to emergency calls, the
MDP being called for incidents involving Dstl lodger units where
appropriate. These sites are: Farnborough, Malvern, Chertsey,
Bincleaves, Bedford, Defford, Alverstoke and Portsdown Main.
In one case, at Winfrith Technology Park, a
third party is host to a number of organisations, including Dstl
and QinetiQ. This is controlled and guarded by the UK Atomic Energy
Authority Constabulary. Within the UKAEA secure perimeter, the
individual organisations are responsible for providing their own
guarding arrangements in accordance with their own security policies.
The UKAEA constabulary would provide the initial response to an
incident involving either organisation, primacy resting with the
local Home Department Police Force.
What equipment redundancy is there to support
the military flight safety arrangements at Swanwick and what measures
are being taken to provide for the security of RAF personnel deployed
at the site? (requested by Mr Howarth)
The US General Accounting Office recently criticised
the DoD and other US agencies for not using "risk management"
methods to prioritise security measures. How has risk assessment
featured in regard to the security of MoD sites?
In deciding whether to strengthen
security at particular sites, how do you balance: risk, the consequences
of a successful attack, and the practicality of putting effective
defences in place?
Have you identified any cases
within the MoD where there are significant threats but, because
there is a lack of feasible or realistic defensive measures available,
you have been left in a vulnerable position?
How has risk assessment featured in regard to the
security of MoD sites?
In the security context before the Security
Structures Review (SSR), risk assessment was based on the precepts
of: residual risk (taking into account current mitigation and
reduction strategies), cost (financial or constrained output)
Post-SSR a more formal risk management process
has been developed. This derives from Joint Service Publication
(JSP) 525Corporate Governance and Risk Managementwhich
draws on HM Treasury's "Orange Book", published in September
2000. As was covered during the 30 January hearing, although responsibility
for the implementation of security policy and standards always
resided with local line managers, this has now been formalised,
together with other delegated responsibilities, in a single letter
of delegation from the Permanent Under Secretary to TLB Holders/Chief
Executives of Defence Agencies and Trading Funds. More detailed
advice has been issued by DGS&S on the application of risk
management to security risks.
How do you balance risk, the consequences of a
successful attack and the practicality of putting effective defences
The key element in the exercise of security
risk management is the compilation of a Risk Register that links
the probability and impact of a risk occurring to the effect it
would have on the delivery of corporate objectives. Having identified
the hazards or threats to key outputs, the probability of their
occurrence, and the impact if they do occur (the risk assessment
process), a judgement is made on the cost-effectiveness and practicability
of the control measures available to reduce the probability of
the risk and/or to mitigate its impact.
Responsibility for risk assessments may vary.
In some cases, like armed guarding, we set the security policy
centrally (and some measures are mandatory). But the risk assessment
is conducted locally, and counter-measures applied accordingly,
taking account of both mandatory measures and local conditions.
Responsibility rests with Heads of Establishments, helped by their
security advisers, and their higher authorities/chain of command.
Examples of vulnerabilities caused by lack of
feasible or realistic defensive measures?
We have to accept that guaranteed security against
all forms of threat is not achievable. It would not, for instance,
be realistic to attempt to secure the outer perimeters of any
MoD site to a level that would guarantee that it could never be
penetrated, or to exclude the possibility of material damage in
a non-sensitive area. We rely on defence in depth, priority being
given to the protection of life and to those assets critical to
the delivery of defence capability. We cannot, for example, ensure
that anti-nuclear protestors will not succeed in penetrating the
perimeter of the Clyde Naval Base, but we can ensure that proportionate
and lawful means are in place to prevent them from disrupting
the operation of the nuclear deterrent.
There are no instances where we consider that
the risk to life or to key defence information or materiel is
unacceptably high as a result of financial constraints or the
impracticability of available counter-measures.
What extra measures have you taken to deal with
chemical or biological attack on MoD sites? How many NBC protective
suits are available? Are these pre-positioned at MoD sites?
What role would Porton Down play
in the event of a chemical or biological attack on MoD sites?
The precautionary measures taken in the light
of the anthrax incidents in USA were included in the Initial Memorandum
(para 46). Guidance was widely disseminated through MoD, taking
account of the guidance issued by the Cabinet Office after consultation
with the Security Service on the threat and Dstl Porton Down on
the efficacy of counter-measures. The guidance concentrated on
action to be taken on finding a suspect device and was aimed particularly
at those staff who routinely handle public mail, including those
working in Ministers' offices and other high profile areas. The
main advice given was that, wherever possible, establishments
should re-engineer their processes so as to isolate mail opening
as far as possible. Some have done this. Following a risk assessment
conducted centrally in MoD, we have also, as a precautionary measure,
issued masks and gloves to people who open mail. ***
Apart from the issue of guidance on incident
response and provision of masks and gloves to selected staff handling
public mail, establishment contingency plans covering the response
to terrorist attacks have been reviewed to take account of the
possibility of the use of chemical, biological or radiological
material. As was covered during the 30 January hearing, physical
security measures have also been reviewed with a view to improving
separation between vulnerable site access points and the sensitive
areas of establishments where lives are at risk or key activities
Internally, MoD is examining the threat posed
by a wide range of means, including Chemical, Biological, Radiological
& Nuclear (CBRN) devices, to all bases and sites whether in
the UK, overseas bases such as Cyprus, or deployed operations.
This work, which was in hand before 11 September, has been given
new impetus. It is tied in closely with SDR New Chapter studies
and work conducted by CCS.
In the event of an attack on an MoD establishment,
the lead responsibility for dealing with it would lie with the
civil authoritiesin the same way as for an incident off
the MoD estate. Action to counter this threat is co-ordinated
and led by the Home Office. The response would involve mobilising
a wide range of services (including the police, fire and ambulance
services, local authorities and health services).
NBC suits (Individual Protection Equipment)
are kept by the Services for use in deployed operations, and there
are enough stocks for this purpose. Clearly, this equipment could
be used by the armed forces in the UK if Service personnel were
called upon to support the civil authorities, or it could be made
available for use by the civil emergency services. But this is
not the primary purpose for which the equipment was procured.***
Dstl Porton Down would not necessarily be involved
in the response to an attack involving an MoD establishment. Their
possible involvement would be essentially the same as they have
carried out in support of civil contingency planning and emergency
response: namely, the provision of scientific advice on protective
measures and post-incident action and the scientific examination
of suspect materials in their laboratories.
Is the dividing line between MoD and civil responsibilities
clear and unambiguous, when a security incident starting on MoD
land then spills over into neighbouring areas "beyond the
wire"? We have heard how this has been exercised at Aldermaston,
but have such "spill-over" exercises been undertaken
at other defence locations, such as the naval dockyards? Have
civil emergency authorities complained to the MoD about a lack
of clarity about how responsibilities would transfer to them when
events spill out of defence sites?
The dividing line between MoD and civil responsibilities
is clear: MoD takes lead responsibility for all security measures
within the limits of the Defence Estate, and each site has contingency
plans to cover a wide range of possible incidents. In the event
of an attack on a MoD establishment, the lead responsibility for
dealing with it lies with the civil police, in conjunction with
the other emergency services, and with support from MoD personnel
on site. Where there is a risk, at MoD nuclear establishments
and elsewhere, of an on-site incident "spilling over"
into the local civil community, contingency planning with the
emergency services and with local government Emergency Planning
staffs takes account of the need for liaison and joint action
with the civil authorities. For example, at locations where it
is conceivable that a radiation "spill" could spread
outside the site, Nuclear Accident Response exercises are conducted
regularly and in conjunction with the local authorities.
We are not aware of any instance in which the
civil emergency authorities have complained to MoD about a lack
of clarity on the division of responsibilities, or about how a
transfer of lead authority would be effected.