The Intelligence and Security Committee Annual Report 2009-2010 (.pdf) has been published, exactly as we predicted in our previous blog article:
Intelligence and Security Committee publishes Two annual reports - Gordon Brown keeps one still secret
i.e. only on the actual day of the debate in the Commons, presumably to deliberately restrict the number of Members of Parliament and members of the public who would actually read and analyse it.
The covering letter to the prime Minister Gordon Brown by the outgoing Labour ISC Chairman the Rt. Hon. Dr Kim Howells, MP
"I am grateful that you have agreed to publish both Reports before the House of Commons debate on our work on 18 March."
Gordon Brown broke this promise !
The backbench Labour MP Andrew Mackinlay, pointed out that the 2009 - 2010 Report had not been published "in good time" for the debate on 18th March:
[...]
I put the problem simply: approximately 600 MPs do not know of the existence of the 2009-10 report because they are not here in the House of Commons today. When I went to our own dear Vote Office-I make absolutely no criticism of its staff-to ask for papers for today's debates, I was given the 2008-09 report; only when I came into the Chamber and listened to the Chairman of the Committee did I realise that there was another document worth looking at.
18 Mar 2010 : Column 1050
It is a mickey-take of Parliament when that sort of thing happens and I just wonder who is to blame. Will anyone own up to that cavalier handling by Parliament? We need to watch that in the future. To be candid, I think it is indicative of the cavalier way in which the scrutiny of our security and intelligence services has been dealt with by a number of people, including Ministers and, I have to say, my colleagues on the ISC.
Technically, since the debate on 18th March 2010 was only about the 2008 - 2009 report, MPs could in theory have another debate on the 20009 - 2010 report, but do not hold your breath in anticipation.
There appears to have been some sort of petty interference from the Cabinet Office and / or the Prime Minister and his henchmen, with the running of the Intelligence and Security Committee.
7. [...]
According to the legislation which established the Committee, it can set its own procedures. These have, naturally, evolved over the last 16 years through written agreements and verbal assurances. It has become very clear to us, however, that corporate knowledge of these procedures within Government has been lost over time and there was now very little awareness of our procedures, some of which date back to when the Committee was first established. This has led in some cases to misunderstandings as to the statutory independence of the Committee and its work and the nature of the relationship between the Committee and the Prime Minister.
This Report includes an appendix making a plea by the ISC to divorce themselves from reliance on the Cabinet Office for facilities and budget. The Cabinet Office is belatedly now seen to have a conflict of interest regarding Intelligence matters by the ISC, which rightly feels that the public perception of its supposed Independence from Government has been compromised.
This potential conflict of interest was obvious to outside observers since the very inception of the ISC.
A few crumbs of information from the 2009 - 2010 report:
As usual, this heavily censored Annual Report does not give sufficient detail for the public to be reassured that United Kingdom's intelligence agencies are either spending public money properly, or that they are working effectively and democratically.
Why do they bother censoring total annual headline expenditure figures ? These multi-million pound totals do not give away any useful tactical information to an enemy, since the individual projects which they represent are not broken down in any detail.
The public does deserve to see how much money of their money is being spent or wasted by these supposed public servants.
GCHQ
Administration
28. During 2008/09, 600 new staff joined GCHQ resulting in a small net increase in staff numbers of 3% (from 5,051 to 5,296 staff20). Its new recruitment target for 2008/09 was its largest to date (at over 700): GCHQ told the Committee that "recruitment of the much sought after Internet Analysts, those with rare language skills and Information Assurance specialists continue to be our main challenge".21
20 These figures do not include military personnel and inward secondees.
21 Oral evidence - GCHQ, 9 February 2010.
This recruitment drive by GCHQ, is almost certainly the reason that the BBC's Security Correspondent Gordon Corera, was allowed to record a 40 minute radio documentary within the GCHQ Cheltenham "doughnut" building, interviewing several employees, together with Clifford Cocks one of the (secret) inventors of Public Key Cryptography and Iain Lobban, the Director of GCHQ: GCHQ: Cracking the Code (still available online via the BBC iPlayer for the next few days)
Security Service MI5
31. As we mentioned in our last Annual Report,23 the focus for Security Service investment over the rest of this CSR period is the Intelligence Programme (IQ) and the Service's IT infrastructure. However, an emerging area which will require major investment is digital intelligence (DIGINT). We were told this year that the Service had embarked on scoping work aimed at ensuring that "in five years' time we are still able to do what we can do today when the use of IT has continued to change as rapidly as it is at the moment" 24
The cost of the new DIGINT programme was not yet clear, but the Director General estimated that it was likely to be "tens of millions over the next 12 months".23 Cm 7807.
24 Oral Evidence - Security Service, 26 January 2010.
What exactly is digital intelligence (DIGINT) ? Is it simply an ongoing investment in upgraded desktop and backend server IT systems ?
How does it different from GCHQ's "Mastering the Internet" programme ?
Does it attempt to duplicate any of this e.g. snooping on Voice over IP telephony ?
Non-ICT work
34. During 2008/09, the Security Service allocated 13% to Irish-related terrorism. The Director General told us that "what was not anticipated when we went into this spending period was the way in which the situation in Northern Ireland has degenerated ".26 In
January 2010 the Service had "considerably more what we would call priority 1, i.e. life-
threatening investigations, in Northern Ireland than we do in the rest of Great Britain".
As a result of the increased threat from dissident republican terrorists in Northern Ireland, the Service is planning to increase its effort in this area during 2009/10 to 18%.
Some acknowledgement at last, that the Real IRA / Continuity IRA dissidents, who have actually murdered people and planted and detonated large car bombs, are actually more of a current threat, than Islamic or neo-Nazi or Animal Rights extremists.
35. During 2008/09 the Service allocated 3% of its overall effort to hostile foreign activity in the UK. The main threats continue to be posed by Russia and China, both in the conventional and cyber spheres. The Director General told the Committee that "there's no doubt that the internet27 is a strong vector of threat as far as espionage is concerned".28
For 2009/10, the Service planned to increase its effort in this area to 4%.
Administration
36. During 2008/09, 610 new staff joined the Service. Overall, there has been a 40% increase in Security Service staff between April 2006 and April 2009. However, this expansion is set to slow in pace. The Service aimed to recruit a further 253 staff by April 2010 (an increase of 7%).
25 Oral Evidence - Security Service, 26 January 2010.
26 Oral Evidence - Security Service, 26 January 2010.
27 Further detail on the threat from electronic attack and cyber security is covered in paragraphs 48 to 51.
28 Oral Evidence - Security Service, 26 January 2010.
This seems to be the only bit of the report which caught the attention of the mainstream media:
37. The Service has also been reviewing its staff profile. One particular area of concern was the level of IT skills. The Director General told us that "I think some of the staff perhaps aren't quite the ones that we will want for the future "29 and that, as a result, a programme of both voluntary and compulsory redundancies were being introduced.
29 Oral Evidence - Security Service, 26 January 2010.
Voluntary and Compulsory redundancies at MI5 ? How many of these people will move via the revolving door into Private Military / Security Contractor companies ?
Why has the Intelligence and Security Committee still not bothered to investigate the use of such Private Military / Security Contractor companies in intelligence and surveillance roles, in the United Kingdom and overseas ?
Secret Intelligence Service MI6
Administration
44. During 2008/09, SIS grew from 2,084 staff to 2,252 (an increase of 8%). SIS aims to increase further to 2,527 during 2009/10 (an additional 12%). Last year we noted that SIS's plans to increase overseas deployments significantly had been affected by security concerns. This year we were told that challenges remain with regard to the staffing of SIS stations in both *** and *** mainly because of the numbers of staff required and the high turnover, however, SIS has informed us that:all posts in *** and *** are currently flled. We have been able to achieve this because of improvements in our planning and the support that we provide to staff flling these posts.35
35 Letter from SIS, 4 February 2010.
The recruitment and staff vetting processes for SIS MI6 must surely come under review, after the Daniel Houghton case.
40. The Committee has previously criticised SIS for 'end-of-year surges' in its spending. However, an end-of-year surge was also seen in 2008/09 and we were told that a similar surge is expected towards the end of 2009/10. We have questioned SIS in detail on its financial management. We have been told that since the Treasury removed end-year spending flexibility, departments are now forced to spend their capital budgets within the financial year or risk losing them. Since this risks uncontrolled spending and a 'spend it or lose it' mentality, SIS has put in place rigorous control and prioritisation processes for capital spending. However, these processes inevitably delayed spending, and it was this that was leading to surges in spending at the end of the financial year.
Who exactly is the official or politician responsible for this discredited 'spend it or lose it' policy at the Treasury ?
This has never been the proper way to manage the public finances of even a Local Authority, let alone the Intelligence Agencies !
Still no Resilient Backup Data Centres
46. Another key aspect of business continuity is that of IT backup. The Security Service and SIS are planning to establish a joint data centre to provide secure storage for both Services' data records outside London. SIS and the Security Service are splitting the cost of the project which is estimated to be approximately £***m over eight years. The data centre is expected to be operational by 2011.
47. GCHQ is not - at least in the short term - taking part in the joint data centre project despite the fact that, as we have previously highlighted, it is vulnerable with so much of its key operational equipment in one area.40This is primarily because it does not have the funding at present. We were also told that GCHQ was not planning to participate in the joint data centre currently being developed by the Security Service and SIS because it: doesn't offer sufficient space for our requirements or indeed a resilient solution. It's just effectively another data centre. But there is an option, and we have an option to consider participation with that project at a later phase as and when we may have funding.41
Given the disruption and near disaster caused by the Severn River floods to GCHQ's operations, there is no excuse for not finding the money for a "fully resilient backup data centre", by , for example, scrapping the wretched National Identity Scheme.
Electronic attack and cyber security
Electronic attack and cyber security
The threat
48. Last year we raised concerns about the potential threat posed to the UK from electronic attack. We recommended that the UK accord the area a similar priority and resources as do the US and Canada.42
The Chief of SIS told the Committee this year that "the whole question of cyber security is shooting up everybody's agendas" and that it is "a major new challenge to the intelligence community". 43
The Director General of the Security Service observed that "I don't think we are where we need to be" and that "it's a difficult threat to grasp".44
49. GCHQ informed the Committee that it is not known whether terrorist groups intend, or have the capability, to launch significant attacks over the internet but this, along with extremist use of the internet, remains an area of considerable concern. Nevertheless, we have been told by GCHQ that the greatest threat of electronic attack to the UK comes from State Actors, with Russia and China continuing to pose the greatest threat. The Director General of the Security Service told us that: At the moment my understanding is that there will be considerable impact if a state, be it Russia or China, and probably those are the most likely, decided to do serious damage to us one way or another.45
Machinery
50. The Cyber Security Strategy46 published in June 2009 established two new organisations, the Office of Cyber Security (OCS) and the Cyber Security Operations Centre (CSOC):
i. The OCS is based in the Cabinet Office. Its role is to provide strategic leadership and coherence on cyber security issues across Government and to "drive delivery of the strategy through a cross-government programme".47
As of 1 November 2009 it had 11 staff, drawn from across a range of departments and agencies with a further seven staff expected to join by March 2010 (full capacity is expected by April 2010).
42 Cm 7807.
43 Oral Evidence - SIS, 19 January 2010.
44 Oral Evidence - Security Service, 26 January 2010.
45 Oral Evidence - Security Service, 26 January 2010.
46 Cm 7642.
47 Cm 7642.ii. The CSOC was established in September 2009 and is hosted by GCHQ. The role of the CSOC is to: monitor the health of cyber space and co-ordinate incident response, enable better understanding of attacks against UK networks and users, and, provide better advice and information about risk to both business and the public.48
As of 1 November 2009, the CSOC had 11 staff, drawn from across a range of departments and agencies, with 19 staff planned by the end of March 2010.51. In addition to this work being done by the OCS and the CSOC there are a number of other bodies working in this feld including: the Network Defence Intelligence and Security Team (NDIST) and the Internet Operations Centre (INOC), which are part of GCHQ, the Centre for the Protection of National Infrastructure (CPNI), and the Technical Counter-Intelligence Team at SIS. The Cyber Strategy states that "there is no intention to replace or duplicate existing work".49
However, with such a number of units operating in this area this must be a concern. We note the comments made by Baroness Eliza Manningham-Buller that: This area is covered by acronyms; there are lots of different units and organisations. But... the focus should be on what improvements result from these new structures, not the structures and their names themselves.50
48 Cm 7642.
49 Cm 7642.
50 Baroness Eliza Manningham-Buller, Hansard, House of Lords, 4 February 2010.
51 Cm 7171.F. The Committee welcomes the new developments in the field of cyber security which indicate that the threat of electronic attack is now being taken seriously across both Government and the intelligence and security Agencies. However, we are concerned that there is a risk of duplication of effort in this important area.
Apart from the obvious risk of duplication of effort, the lack of transparency makes it impossible for the people at the sharp end of "cyber attacks", whether they be members of the public or for private sector companies, or even for other Government departments to even know who to try to contact in this mess of acronyms.
Which of these organisations runs a secure public website, staffed by knowledgeable people, which publishes 24 / 7 phone and email contact details, with a PGP public encryption key for sending sensitive details over the internet ? None of them do.
Incredibly, what used to be the main UK Government advisory body on "cyber defences", CESG appears to be bankrupt !
Information Assurance and Communications-Electronics Security Group (CESG)
27. CESG is the national technical authority for Information Assurance (IA) services17
Last year we reported that GCHQ, via CESG, was providing IA services to a grow customer base, and that this would require greater resources.18
This year GCHQ told us that the increasing demand for CESG's services meant that the current repayment model was not viable and there was a shortfall in funded work of several million pounds
I want to move from a model where repayment from other Government departments is the norm to one where more work, especially that needed to keep us ahead of technology, is funded centrally... I believe there is a strong argument that as Government becomes more and more dependent on IT... we need to consider what proportion of Government IT spend should be going towards making the systems secure and resilient. I have been recommending to the Cabinet Secretary that we should stop charging Government departments for CESG services with effect from April this year [2010], if not from April this year, April next year [2011].19
D. The Committee considers that the Information Assurance work carried out by the Communications-Electronics Security Group is important for Government as a whole and that - whatever the suggested funding arrangements might be - they are resolved as a matter of priority.
17 'Information Assurance' relates to the integrity, confidentiality and reliability of Government ICT systems and data.
18 Cm 7807.
19 Oral evidence - GCHQ, 9 February 2010.
How can there be any effective UK Government "Cyber Defence" against terrorist or "Russian" or "Chinese" or just as likely USA based "cyber attacks", if CESG is no longer being properly funded ?
Intercept as evidence - "full retention of interception materia" ?
Intercept as evidence
58. Since our last Annual Report, work (led by the Home Office) to examine whether a system could be devised to enable the use of intercepted material in court, which simultaneously satisfied the requirements for a fair trial and safeguard national security has continued. On 10 December 2009 the Home Secretary published a further update report.
56 The report concluded that the model which had been developed and tested would not be legally viable and that: The collective view of the departments, intercepting agencies and prosecution authorities engaged in the work programme is that despite best efforts to design, build and test the model, it does not provide a viable basis for implementation, without breaching the operational requirements57 set out by the Privy Council.58
59. The report went on to note that the implementation of the original legal model would in fact "weaken and not enhance our ability to protect the public and to identify and bring the guilty to justice".59
60. However, further work would be done on three areas that were outside the scope of the original programme which might address some of the current failings. These areas are: further enhancing judicial oversight, exploring options for the full retention of interception material, and considering whether advances in technology could make full retention and review more manageable. The results of this additional work are expected to be reported to Parliament before the Easter recess in 2010.
55 Statement by the Office of the Director of National Intelligence, 10 February 2010.
56 Cm 7760.
57 We reported on these operational requirements in our 2007-2008 Annual Report, Cm 7542.
58 Cm 7760.
59 Cm 7760.
The "results of this additional work" have not been published by Easter 2010 !
What exactly are the proposals for the " full retention of interception material, and considering whether advances in technology could make full retention and review more manageable" ?
This sounds suspiciously like previous, supposedly abandoned plans for Yet Another Even Bigger Database System, which scoops up and retains the private data of millions of innocent people.
SCOPE contract failure details still secret
63. SCOPE Phase 2 has been beset by problems and delays. In our 2008-2009 Annual Report we noted that we were continuing with our investigation into the exact circumstances surrounding the Cabinet Office's decision to abandon Phase 2 of SCOPE, and that we would detail our findings in this Annual Report. Although we have taken further evidence on this matter, and were in a position to report our findings, both parties remain engaged in a contractual dispute process61 and we have been advised to postpone publishing further details until this process is completed. Our findings will be provided to our successor Committee for them to publish at an appropriate time.
60 Cm 7542.
61 The Cabinet Office informed the Committee in October 2009 that mediation had taken place in September 2009 which had failed to produce a resolution, and that the dispute was about to move to arbitration.
Someone has now managed to keep the details of what went so horribly wrong with this IT project away from any proper scrutiny, for two ISC Annual Reports.
Somehow we doubt that next year's report will shed any more light on this scandal, or that those to blame will be named and shamed.
Will the new Intelligence and Security Committee actually provide the public reassurance that the UK intelligence Agencies are actually doing their jobs properly without destroying our democratic values, something which the current setup fails to do, despite the best efforts of those involved. ?
Just to let you know... your website looks extremely strange in Mozilla on a Mac