I am delighted to have been invited to deliver the inaugural annual lecture to the Worshipful Company of Security Professionals.
As people in this room will know, Livery Companies have always occupied a unique position at the heart of the United Kingdom's trade, commerce and professions.
Some continue to have a direct role in trade and commerce by holding statutory or regulatory functions. I am therefore pleased to see that this Company, while not directly involving itself in trade and commerce, encourages, through its Sheriffs' Award, innovative projects that protect people, property and liberty. It is intellectual and industrial innovation that helps this country achieve value for money in these difficult economic times. It is also innovation, which is one of the hallmarks of Small and Medium Sized Enterprises, which should be championed to stem the decline of our defence and security manufacturing base and help pull us out of recession.
But just as important are three other functions that Livery Companies fulfil. The first of these is charitable: supporting members of their respective professions during time of need. The second is increasing public awareness and recognition of professions. The final function is harder to quantify but no less important because of this: and that is acting as a focal point for social and networking activity in the City.
It is very good news that the security profession, broadly defined, is now recognised and championed through a modern Livery Company. This is long overdue, and the Committee should be proud of what they have achieved for three particular reasons.
First, at a time when the public consensus around security policy is for various reasons increasingly strained - and it is a consensus which any government needs to restore very rapidly - it is right that the service which the state asks its servants to perform in its name should be given unfaltering support and recognition by us, the public. The activities of this Company certainly exemplify this. It is good to know that the first Ben Flenley Memorial Trophy was awarded earlier this year to Corporal Wallis Eade of the RAF Regiment who, attached to the Special Forces Support Group, helped withdraw a patrol to safety, saving many lives.
Secondly, those involved in protecting our open society are operating in increasingly difficult and arduous conditions, and many return with injuries both physical and psychological. It is a reminder of our duty as fellow citizens to honour the covenant we have with them, and so the charitable and benevolent work of this Company is increasingly needed and must be a priority. The Conservative Party has long been critical of the Government's fulfilment of the military covenant, and I am heartened to see that voluntary groups work very hard to fill the gap that the Government has allowed to develop over the years.
The third reason is what I would term 'second generation resilience'. I have said that the social and networking activities of this Company are harder to quantify but no less important just because of this, for it is increasingly recognised that it is the involvement of all aspects of society - individuals, communities, businesses and voluntary groups - in preparing for and responding to emergencies that will allow us to achieve security. Individuals, communities, businesses and groups must be involved in building their own security.
This is not an abdication of the first responsibility of government. Rather, it is a practical recognition of two things. First, that the state cannot provide total security against all threats and hazards and, if it were to move along this path, the attempt to do so would fundamentally alter the nature of our society - and not for the better. Secondly, that it is individuals who are frequently the real first responders when anything goes wrong because of the delay, even if just of a few minutes, before the arrival of the emergency services. And the actions and reactions of individuals will have a direct effect on the eventual scale of damage that occurs.
But involving individuals, groups and businesses in achieving security in this way cannot be a top-down exercise. It manifests itself in everyday activity - in meetings, conversations, training, the exchange of information and the building of real life social networks. The difficulty, of course, is how to go about getting people to engage in this activity with this in mind - that is to say, getting them to recognise that what they do on a daily basis or in voluntary groups can contribute to safety and security. So this Company, acting as a focal point for raising awareness of security in the City and across the range of organisations that form its membership, fulfils a very important role.
<h2>Vulnerability of the City</h2>
I want to turn now to talk specifically about the City and security. Much has been done over the years to strengthen the defences of the City against various forms of attack and I have no doubt that there are people in this room who have personally played important roles in this.
This is an issue of national importance. The banking crisis notwithstanding, the City remains an international financial centre of global standing (one can argue about its ranking in relation to Wall St) but, whatever that ranking, it is a prime national interest that the City so remain. And partly because of the City, London more generally has attained a status of being widely regarded as a global hub and one of three so called command centres of the global economy.
This very iconic status marks both out as attractive targets to malevolent state and non-state actors. An attack does not, of course, have to be on the City specifically to do the Square Mile great damage. London's vulnerability, which is considerable, is also the City's, I would maintain that today the interests of the two, London and the City, in safety and security, cannot really be differentiated and that protective measures must form a single, coherent, whole.
State actors tend target the City through espionage and the disruption of services - typically, today, through the cyber domain and insider threat.
In relation to non-state actors, Government should keep an eye on the effects on security of the economic crisis, such as the potential rise of political extremism, which however for the moment at least is more a threat to public order than to national security. The primary non-state threat remains that from Islamist inspired terrorism for which this great city symbolises the power and the social model they wish to destroy by inflicting violence. It is quite clear that a successful attack could damage the reputation of, and confidence in, the City - and by implication the UK's economy - and that the disruption caused to the concentration of wealth and physical activity in this small geographical area, could jeopardise the viability of not just major firms but also those many smaller firms far and wide that earn their living by providing services.
<h2>The Current Situation</h2>
This audience will be aware that the Joint Terrorism Analysis Centre changed the UK threat level from international terrorism from 'severe' to 'substantial' at the end of July. This is not to suggest that a reduction in the overall terrorist threat has taken place on a sustained basis which can only be achieved by preventing radicalisation - and the 'Prevent' strand of the UK's Counter Terrorism Strategy is still the one on which the least progress has been made. Rather, the reduction in threat level is, I suggest, partly the result of successful disruption, at least in the short term, of terrorist planning and networking, and substantially the effect of the work undertaken by the security services and police to reduce the vulnerability of sites from attack, thus altering the overall risk profile. There has been considerable focus, for instance, on the protection of crowded places.
But we must not become overconfident. Our defences develop. But the enemy's tactics evolve too. The attacks in Mumbai last year and in Lahore earlier this year rightly worried security authorities worldwide. Here in the UK, the Home Secretary announced that there had been an overhaul of protective security arrangements for hotels and other public buildings. The Director General of the Security Service raised a different point when he said: 'If the method used in Mumbai of using firearms in public places becomes adopted as a model, it changes our most likely scenarios'. There are potentially new models for terrorist attacks against cities and towns which, in the absence of adequate preparation could overwhelm the response capabilities of emergency services.
What characterised these attacks was the use of small "assault teams". They were mobile and, while moving into position, fought and killed using small firearms - weapons, pistols and hand grenades. In other words, we saw "running" attacks. In contrast to suicide attacks, which are of brief, if devastating, duration, these attacks were prolonged.
In Mumbai, they brought the city to a halt for three days as the attackers took hostages and conducted sieges of public buildings. It is with these two features of the attacks that the Indian security forces found it most difficult to deal. They were able to reestablish control of sites not under siege relatively quickly, but it took days for them to regain mastery of sites like the Taj Mahal and Trident hotels and Jewish Centre. In Lahore, although the attack did not last for days, there was a running battle between the police and attackers that lasted for hours.
The very concentration of the City makes it especially vulnerable to the effects of other forms of physical disruption. These include natural disasters. Extreme weather conditions are increasing in scale and frequency globally and the UK is not exempt from this. I am concerned that unlike the attention rightly paid by Government to the protection of crowded places from terrorist attack, it has not given nearly enough attention, despite the Pitt Review of the floods of a couple of years ago, to protection from natural hazards of vulnerable and economically critically sensitive sites or to the capacity of the emergency services to cope in the event of disaster. To put it mildly, there are unrealised synergies between what can be done to protect sites against terrorism and against natural hazards. But currently government is not organised to attain these. It needs to adopt an 'all hazards' approach to protection and emergency service response - something a Conservative Government will put into practice.
Which brings me to how my Party sees the role of government. A key point for us, which I made at the outset and will have a little more to say at the end, is that individuals need to be involved in building their own security. But the state can and must do more in certain areas to which only it can bring to bear the necessary degree of control and resources. I want to look briefly at three areas - strategic direction, the response to catastrophic disasters or marauding attacks and cyber security.
<h2>Organisation of government</h2>
First, strategic direction. This is impossible without good organisation which can be relied upon to function predictably and well in emergency. Which means it needs to have been designed and exercised before the event. Some of this goes on, but in my view, not nearly enough. Right at the heart of government something is missing.
Under Labour, the Cabinet Office has lost its capacity for strategic direction. At the centre a new way of governing has to be created in which departments are able to bring their expertise together, think strategically about policy and innovate in delivery. Through a National Security Council and National Security Budget a Conservative Government will restore the Cabinet Office to its position at the apex of government with a small compact bureaucracy which is responsible for developing and monitoring strategy.
Secondly, one of the reasons why government structures have become so disorderly and fragmented is that as a "new" issue arises, the habit has grown up of creating a new body to deal with it without much regard to the functions of existing organisations or relationships between them. The critical infrastructure and emergency preparation, response and recovery agendas are examples of this. As I mentioned, a Conservative Government will underpin the implementation of an all-hazards strategy with the right structures, bringing together in one organisation many aspects of 'Protect' and 'Prepare' work, extended to cover both terrorism and natural hazards, that are at present scattered through government.
<h2>Responding to catastrophic events and marauding attacks</h2>
Having put in place the machinery of government needed to adopt an all-hazards approach, what are the capabilities government needs to develop to respond effectively to crises?
We do not know how terrorists will change their modus operandi in the future. But we can and must learn from what has already happened. The repetition of a Mumbai style attack cannot be ruled out for three reasons.
First, vulnerability. Major cities - with their multiple points of access and transit, high population densities and open access buildings like hotels, hospitals, restaurants, cafes, offices - offer a target that is susceptible to prolonged mobile attacks.
Secondly, imitation. We know that terrorists adopt methods that are used successfully elsewhere. We have already seen, for example, the Taliban in Afghanistan adopt tactics used by insurgents in Iraq.
Finally, evasion. We know that terrorists actively seek to understand and counter the capabilities of our security forces. They innovate tactically to obviate security measures and to confuse authorities.
The risk of such catastrophic and marauding events overwhelming the capabilities of the emergency services is unacceptably high in two particular respects: command and control and doctrine.
On the first, the military is best placed to provide agile and innovative command and control capabilities in support of the civil power when events are of such a scale, pace and danger that the emergency services cannot be expected to have adequate situational awareness. So the armed forces need to be in a position to assume an enhanced role in homeland security and resilience tasks. Currently, military contributions are dependent on there being available sufficient numbers of service personnel with suitable training not deployed on operations abroad. Military support to the civil power - other than in a few niche capabilities - is therefore only declaratory and its availability is not guaranteed. As a result, first responders find it difficult to include the military in their planning. They have told me that what they need is predictable support. I agree.
On the second point - doctrine - events like Mumbai and Lahore are not cases of consequence management: simply dealing with the aftermath of an attack, as was the case on 7/7. It would be a case of meeting the terrorists head on. The military is well placed to support appropriate changes to the doctrine of emergency services to meet evolving terrorist techniques. Similarly, the need for interoperability is a concept that must be pulled through from the armed forces to blue light services.
What this leads to is the conclusion that the military contribution to homeland security and resilience tasks needs to be more structured. A Conservative government will put in place a small permanent military command or headquarters for this purpose, building on the existing facilities at Land Command. This would provide a single focus for operation demands on forces for homeland roles. It would act as a focus for developing and delivering a coherent response with the large number of emergency services, and would facilitate joint training and exercises between the military and blue light services.
Let me turn now to look at the issue of cyber security - or, perhaps a more accurate description, this country's cyber insecurity.
This issue has recently risen up the Government's agenda but much is still left to be desired. The Cyber Security Strategy launched earlier this year did not even address the growing menace of cyber crime which is a significant drain on the UK's economy and cannot be separated from other risks in the cyber domain. The distinctions between serious organised crime, cyber crime, petty hacking, cyber terrorism and state-sponsored or led attacks are indeed blurred.
The acute dependence of modern Western economies and societies on the integrity and security of their cyber systems means that any vulnerability can have massive cascading repercussions well outside the sector in which it is located. Security has to be the object of close, continuous and specialised attention. But at the moment neither government nor the private sector, nor for that matter the country's citizenry, are geared up to the task. By and large, international companies, and especially financial institutions, take seriously the need to protect networks and systems, though this is not to say that attacks do not take place or that they are always unsuccessful. On the contrary.
An additional problem is that the private sector is not incentivised to report such incidents - whether successful or unsuccessful - for fear of damaging their reputation with existing or potential clients. Individuals likewise do not report commonplace cyber crimes. Government fares worse, in often not even being fully aware of risks to its networks and systems.
As a result of all of this, too little is known about the extent of the UK's vulnerability or of the scale of the challenge of providing security in this domain. But one suspects that it is greater than admitted or realised. No detail has yet been given about the Government's proposed Cyber Security Operations Centre. I would suggest that, as a start, it needs to develop and provide to relevant players a common operating picture and threat assessment to bring about agreed situational awareness across government and the critical infrastructure of the nation - of which the City forms a part. To achieve this the Centre should act as the single and trusted point for reporting for cyber-related incidents.
<h2>Involving individuals and businesses in building security</h2>
If cyber security is one very important example of a domain where public/private sector cooperation is essential, there are others where government should do more to encourage and support action independent of it.
I return to the role of smaller businesses and private individuals. Part of safety and security is strengthening resilience to emergencies. But business continuity planning in many companies is still primitive: to take an example, management tends to forget about its supply chain. But that can be crucial in a crisis. The insurance industry could perhaps explore ways of incentivising companies to meet the continuity standards as set out in private sector-led BS25999, possibly by offering lower premiums to those businesses which conform. There are lots of other examples.
And at the local, community level there is much that individual private citizens can do to help themselves and others. Some excellent work has been undertaken by Local Resilience Forums to push forward this agenda, but more can be done.
The role of government is to facilitate and encourage this preparedness. It should make available, in accessible and interactive form, information about risks and what individuals and businesses can do to prepare for and respond to emergencies. The National Risk Register and local Community Risk Registers do not yet provide this information. As part of this, thought needs to be given to how organisations or their members - whether private sector or voluntary - can fit into local and national response structures, so that best use can be made of local knowledge and specialist skills. I am sure that the Worshipful Company of Security Professionals, given its diverse membership base and links to the emergency services and armed forces, possesses the means to facilitate this.
Ladies and Gentlemen, let me conclude. The key message I want to impart to you this evening is that while the country is vulnerable - and London and the City have a concentration of such vulnerabilities - they can be greatly reduced by good organisation, planning, training and concerted co-operation between government and all levels of society.
I have outlined where government can and should do more. But government cannot provide or guarantee total security and we would not like to live in a society that attempted this. In some areas the state and the private sector need to work in close partnership. But overall, I think that the City - and the country - will be freer, safer, more cohesive and efficient if as individuals, communities and businesses, we rely less on officialdom and more on ourselves, working together to lessen threats and hazards. Achieving this requires honesty on the part of government about the limits of its role and the nature of the challenges we all face, and good sense on the part of others willing to contribute their knowledge and their skills.
This is not about the state abdicating responsibility for its primary duty which is well characterised by what this Company supports - the protection of people, liberty and property. Rather, it is about recognising that true security and resilience is achieved in a free society by trust and cooperation in support of shared goals.