Counter Terror Business 49 by PSI Media

www.counterterrorbusiness.com | ISSUE 49

PROTECT DUTY

ANNUAL REVIEW

CYBER SECURITY

ANNUAL REVIEW 2021 How two decades of disruption has shaped todays’ fight against terrorism and extremism

ARTIFICIAL INTELLIGENCE

COMMENT

COUNTER TERROR BUSINESS 5

www.counterterrorbusiness.com | ISSUE 49

PROTECT DUTY

CYBER SECURITY

ARTIFICIAL INTELLIGENCE

PAST EVENTS AND FUTURE LEGISLATION This issue of Counter Terror Business has two main focuses. The first is an in-depth analysis by Ed Butler to mark the 20th anniversary of 9/11, in which he explains how two decades of disruption has shaped todays’ fight against terrorism and extremism.

ANNUAL REVIEW

ANNUAL REVIEW 2021 How two decades of disruption has shaped todays’ fight against terrorism and extremism

This timely review looks at the world’s response to terrorism since 9/11 and how it might be improved, identifying outdated solutions and hierarchical structures, and examining the current threat landscape. We also are lucky to share a Q&A with Ed Butler on page 36. In his interview Ed talks about the Protect Duty, which forms the second theme of this January issue. We share three perspectives with you on the duty: from a health and safety perspective; a perimeter security angle; and from a former police officer who campaigned alongside Figen Murray for Martyn’s Law and drafted the original proposal for the government.

Follow and interact with us on Twitter:

@CTBNews

The government’s response to the consultation was announced this month and we hope that this issue, as well as future issues of Counter Terror Business, continue to shed a light on the work needed to make our venues and crowded places safer from the threat of terrorism. Michael Lyons, editor

ONLINE // MOBILE // FACE TO FACE To register for your FREE Digital Subscription of Counter Terror Business, go to: www.counterterrorbusiness.com/digital-subscription or contact Public Sector Information, 226 High Road, Loughton, Essex IG10 1ET. Tel: 020 8532 0055

www.counterterrorbusiness.com PUBLISHED BY PUBLIC SECTOR INFORMATION LIMITED

226 High Rd, Loughton, Essex IG10 1ET. Tel: 020 8532 0055 Web: www.psi-media.co.uk EDITOR Michael Lyons PRODUCTION MANAGER & DESIGNER Dan Kanolik PRODUCTION CONTROL Lucy Maynard WEB PRODUCTION & ADMINISTRATION Victoria Casey PUBLISHER Jake Deadman

Counter Terror Business would like to thank the following organisations for their support:

© 2022 Public Sector Information Limited. No part of this publication can be reproduced, stored in a retrieval system or transmitted in any form or by any other means (electronic, mechanical, photocopying, recording or otherwise) without the prior written permission of the publisher. Whilst every care has been taken to ensure the accuracy of the editorial content the publisher cannot be held responsible for errors or omissions. The views expressed are not necessarily those of the publisher. ISSN 2399-4533

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

ADVERTISEMENT FEATURE

Project Servator – together, we’ll help keep people safe Project Servator is a policing tactic that aims to disrupt a range of criminal activity, including terrorism, whilst providing a reassuring presence for the public. The approach seeks to disrupt hostile reconnaissance – the information-gathering terrorists and other criminals need to do to plan a criminal act. It was developed by the Centre for the Protection of National Infrastructure (CPNI) before being trialled at the City of London Police. Uniformed and plain-clothed police officers are speciallytrained to identify tell-tale signs that someone may be carrying out hostile reconnaissance. If they suspect they are, they’ll speak to them to find out if there’s further cause for concern and if they need to take any further action. There may be an innocent explanation. If so, they’ll be free to get on with their day. Officers will always explain why they stopped someone. Project Servator is now being deployed in 22 UK police forces, and overseas by Royal Gibraltar Police and New South Wales Police Force, in Australia. It has been responsible for gathering intelligence that’s helped counter terrorism investigations, and taken illegal items off the streets, such as weapons and drugs. It’s been used to help keep major events secure, including the recent G7 and

COP26 summits, music festivals and sporting occasions. You will see Project Servator officers in town and city centres and places where people gather. They plan their deployments in advance, but they’re designed to be unpredictable, to keep criminals guessing. They’re often supported by other specialist police teams and tactics, including firearms officers, police dogs and horses, drones and automatic numberplate recognition (ANPR). Officers also work with security staff and CCTV operators. As well as looking out for suspicious activity, officers will approach you and talk to you about how you can play a part in helping to keep people safe. Whether you’re a passer-by or work in the area, they’ll encourage you to be their extra eyes and ears. You’ll know if something doesn’t seem right where you work or live or spend your free time. It’s important to trust your instincts and report it straight away. If it’s at your workplace, report it to a manager or security staff. If you’re passing by, tell a police officer or member of staff at the location. You can also call police on 101 if there’s no one there to report it to. In an emergency, always call 999. Together, we’ll help keep people safe.

Find out more counterterrorism.police.uk/servator

CONTENTS

CONTENTS CTB 49 12 PROTECT DUTY The long awaited government response to the Martyn’s Law consultation was published on 10 January. In this analysis, Nick Aldworth, the author of the original proposal submitted to the government, shares his thoughts

19 PROTECT DUTY The Protect Duty legislation has raised interest within the occupational safety and health community. In this article, Michael Edwards explains why the Protect Duty is something that H&S workers should keep an eye on

23 PROTECT DUTY The PSSA has introduced new codes of conduct and schemes to ensure that the communication and quality provided by its members are clear, consistent and commensurate with the requirements of the Protect Duty

27 COVID & CT Police said at the end of last year that they had foiled what they called seven ‘late stage’ terrorist attacks since the start of the pandemic. So, Jim Preen asks, how has the pandemic changed the terror threat in the UK?

30 POOL RE ANNUAL REVIEW In this Special Edition Annual Review, which marks the 20th anniversary of 9/11, Ed Butler, Chief Resilience Officer at Pool Re, explains how two decades of disruption has shaped todays’ fight against terrorism and extremism

36 POOLRE Q&A CTB shares an exclusive interview with Ed Butler concerning the aforementioned Annual Review, contemporary threats, the impact of climate change on the terrorism and the importance of collaboration

40 CYBER SCHEMES This month the government approved Cyber Essentials scheme is receiving the biggest overhaul to date. IASME, the NCSC partner responsible for the delivery of the scheme, discuss the scheme and the latest changes

44 FACIAL RECOGNITION The utilisation of facial recognition solutions can play a key role in improving the efficiency of police forces, intelligence agencies and organisations to respond and prevent major attacks, writes Tony Porter

48 AI Flawed or unethical use of artificial intelligence could result in unjust denial of individual freedoms and human rights, and erode public trust, writes defence and security expert Elisabeth McKay

50 TERRORISM There is nothing like seeing an iconic building or statue falling to the ground to tug at our emotions. If the symbol falls because of the actions of terrorists it is even more memorable, writes Phil Gurski

53 BAPCO PREVIEW Registration has opened for BAPCO 2022, taking place on 8-9 March. As ever, it will include a variety of cuttingedge conference sessions, led by some of the most respected names in public safety communications sector

56 SECURITY & POLICING Security & Policing is the premier platform for relevant UK suppliers to showcase the very latest equipment, training and support, to police services, government departments, organisations and agencies from the UK and overseas

Counter Terror Business magazine // www.counterterrorbusiness.com ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

The Oﬃcial UK Government Global Security Event

15-17 MARCH 2022

Farnborough International Exhibition & Conference Centre

6,000+

320+

EXHIBITORS

BEST IN CLASS SOLUTIONS

EXCLUSIVE NETWORKING

HOME OFFICE APPROVED VISITORS INDUSTRY LEADING CONTENT & FEATURES

Enquire to exhibit | Apply for a free visitor pass securityandpolicing.co.uk All attendees are subject to Home Office approval

Protecting People

Protecting Places

Protecting Prosperity

CTB NEWS PROTECT DUTY

Protect Duty to enforce legal duty on event venues

Home Secretary Priti Patel has detailed the proposals for the Protect Duty, including a requirement for some public places to be prepared for a terror attack. Following a consultation into what sort of venues should be bound by the Protect Duty, which is being brought in as a response to the May 2017 Manchester

Arena bombing, the Home Office has detailed that seven in 10 of the 2,755 respondents to the consultation agreed that publicly accessible locations should take measures to protect people from attacks, including ensuring staff were trained to respond appropriately. The government has said there was an understanding that measures should be proportionate to the size of the venue, with a greater onus put on those that are larger. Very strong views were also expressed in the consultation regarding the need for accountability, such as the need for clear roles and responsibilities, particularly amongst event organisers, and those at senior level within venues and organisations. Half the respondents were in favour of an inspectorate

that would identify key vulnerabilities and areas for improvement, as well as share best practice. There was also an even split of those who were supportive of the use of civil penalties to ensure compliance to the duty. To further support the public and private sector, the Home Office is collaborating with the National Counter Terrorism Security Office (NaCTSO) and Pool Reinsurance to develop a new interactive online platform, due to launch publicly this year. The platform will provide a central digital location for advice, guidance, e-learning and other helpful content. It will provide support for all organisations, not just those captured by the Protect Duty.

CLICK TO READ MORE

CYBER SECURITY STRATEGY

FOREIGN SPIES

Cyber Security Strategy to step up Britain’s resilience

Be on guard against foreign agents, says Patel

Chancellor of the Duchy of Lancaster Steve Barclay has announced that Britain’s public services will be strengthened to further protect them from the risk of being shut down by hostile cyber threats. Launching the first ever Government Cyber Security Strategy, Barclay outlined the cyber threat that government and wider public sector systems face in a speech in central London, during which he revealed that Britain is now the third most targeted country in the world in cyberspace from hostile states. Of the 777 incidents managed by the National Cyber Security Centre between September 2020 and August 2021, around 40 per cent were aimed at the public sector. The new strategy will be backed by £37.8 million invested to help local authorities boost their cyber resilience - protecting the essential services and data on which citizens rely on including housing benefit, voter registration, electoral management, school grants

and the provision of social care. The new strategy outlines how central government and the public sector will continue to ensure that public services can function in the face of growing cyber threats. It will step up the country’s cyber resilience by better sharing data, expertise and capabilities to allow government to ‘Defend As One’, meaning that government cyber defence is far greater than the sum of its parts. Key announcements in the strategy include establishing a new Government Cyber Coordination Centre (GCCC), to better coordinate cyber security efforts across the public sector and a new crossgovernment vulnerability reporting service, which will allow security researchers and members of the public to easily report issues they identify with public sector digital services.

CLICK TO READ MORE

Home Secretary Priti Patel has warned MPs that they need to be wary of the threat of interference in British politics by foreign states, following disclosure a suspected Chinese agent has been targeting Parliament. MI5 recently circulated an alert to MPs and peers that Christine Lee, a prominent London-based solicitor, was engaged in ‘political interference activities’ on behalf of China’s ruling communist regime. This was said to include channelling funds to British parliamentarians with a view to making the UK political landscape more favourable to Beijing. Speaking in the House of Commons, Patel said that the threat of such interference operations by foreign powers was ‘growing and diversifying’ and that ministers were working with police and the Crown Prosecution Service to give them additional powers to tackle activities which were not currently illegal. The Home Secretary also told MPs that these kinds of alerts were likely to become more commonplace and that new legislation would be introduced ‘to provide the security services and law enforcement agencies with the tools they need to disrupt the full range of state threats’.

CLICK TO READ MORE

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

TACTICAL

WEAPON LIGHTS TOUGH, VERSATILE, DURABLE AND RELIABLE

TLR–8® A G

TLR–7® sub

TLR® RM 1

TLR-7® SUB FEATURING AMBIDEXTROUS SWITCH

TLR® RM 1 LASER. 500 LUMENS & 140m BEAM.

Made for situations when failure is not worth contemplating, Streamlight® has created the broadest range of professional torches and lighting tools that can be trusted for a lifetime. streamlight.com

CTB NEWS FISHMONGERS HALL

Learning Together programme disbanded following attack recommended by an independent review last year that the programme be halted. An inquest jury found last May that there had been unacceptable management and a lack of accountability in the oversight of Khan, who had been allowed to travel on his own to London from his hometown of Stafford. This included failures in the sharing of information between state agencies responsible for monitoring him. Learning Together and the Fishmongers’ Company were also criticised over failures to keep those at the event safe. Now, in a statement on its website, the University of Cambridge said it had ‘undertaken a detailed analysis and thorough review of the many issues raised by the tragedy and the findings from the Coroner’.

The educational Learning Together project for prisoners and University of Cambridge students is to be disbanded following the 2019 terrorist attack at Fishmongers’ Hall in which two volunteers were killed. The programme was heavily criticised for allowing Usman Khan, who was on probation, to attend without a

police escort. 23-year-old volunteer Saskia Jones was not told about Khan’s background before she sat down at his table at the event and started chatting with him. Jones was stabbed by Khan, with 25-year-old Jack Merritt also killed. The Learning Together programme taught university students and student prisoners side-by-side. It was

PARLIAMENT

MANCHESTER ARENA

Security costs for MPs up by nearly a third last year

Changes needed in urgent medical care at attacks

The Independent Parliamentary Standards Authority has revealed that MPs’ security costs increased by nearly a third last year and could rise further following the stabbing of Sir David Amess in October. With overall MPs’ business costs amounting to nearly £138 million in 2020/21, the IPSA said that amount spent on security stood at £4.4 million for the financial year 2020/21, up from £3.4 million in 2019/20. Sir David Amess, the Conservative MP for Southend West ,was fatally stabbed during a constituency surgery in Leigh-on-Sea. Richard Lloyd, IPSA chair, said: “Security spending has also increased in the last year, and could increase further this year (following the death of Sir David in October). Keeping MPs, their families, and their staff safe is absolutely vital for our democracy.”

CLICK TO READ MORE

The ongoing inquiry into the Manchester bombing has heard from a consultant who served as a British Army medic in Iraq and Afghanistan about why change is needed to ensure casualties of terrorist attacks get advanced medical care at the scene. Lt Col Claire Park told the inquiry that experienced doctors needed to be at the immediate scene of mass casualty incidents to give the best possible interventions to help save lives. Only three medics went into the scene of the 2017 Manchester Arena bombing amid concerns about further attacks. Currently only specialist paramedics can enter potentially dangerous areas immediately after such an attack.

CLICK TO READ MORE

The inquiry is exploring whether the UK should consider embedding experienced doctors with armed police units to allow them to treat casualties in the very early stages of a terrorist attack. The system has been used successfully in France, including during the 2015 Bataclan Theatre attack in Paris when doctors treated casualties while police fought with gunmen. It is believed that Counter Terrorism Police do not currently support the idea of placing civilian medics within armed teams, maintaining it was not ‘the most effective way’ to provide fast treatment.

CLICK TO READ MORE

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

ADVERTISEMENT FEATURE

Maximise safety and security with free See, Check and Notify (SCaN) training SCaN educates staff at all levels of an organisation about hostile reconnaissance – the informationgathering terrorists and other criminals need to do. It helps to ensure that those seeking to cause harm can’t get the information they need. As an added bonus, the skills staff learn help to provide an enhanced customer service experience. See, Check and Notify See what? In a nutshell, anything that doesn’t seem right. Staff are educated about the importance of being aware of their surroundings and possible signs that someone may be gathering information to help them plan or prepare a criminal act. Check what? We encourage people to trust their instincts. If, for example, staff are concerned about someone’s behaviour, it could be

as simple as approaching them and saying hello. They may actually be a bit lost and need some help finding their way. This sort of simple interaction can help to determine whether there is anything that needs further investigation, and makes it harder for hostile reconnaissance to be carried out. Notify who about what? Anything that doesn’t seem right. Notifying can be done through local channels and procedures. Or it could be reporting concerns to the police through the online reporting tool at gov.uk/ACT, in person, or by calling 999 in an emergency. Hundreds of organisations across the UK have signed up to SCaN, including: retailers; airports; tourist attractions; sports clubs; event organisers; entertainment destinations; educational establishments; local authorities; hotels; religious establishments; and transport operators. The free training is delivered by qualified trainers working for the police in counter terrorism roles.

Find out more at cpni.gov.uk/Scan

CTB NEWS CYBER SECURITY

Updates to Cyber Essentials scheme announced Organisations are set to benefit from a refreshed governmentbacked scheme which supports them to protect against the majority of cyber attacks, including ransomware. Developed by the National Cyber Security Centre, the Cyber Essential scheme is a certification scheme that supports organisations of all sizes to guard against online threats and demonstrate a commitment to cyber security to customers and stakeholders. Delivered by IASME, the scheme has been updated following a major technical review which will help

organisations maintain their minimum cyber hygiene in an evolving threat landscape. Amongst the main changes are revisions to the use of cloud services, home working, multifactor authentication, password management, and security updates. Through the Cyber Essentials scheme, businesses can learn how to defend themselves by securing internet connections and devices, controlling access to data, and understanding how to protect against ransomware.

CLICK TO READ MORE

CYBER SECURITY

New laws to strengthen UK’s resilience from cyber attack The government has said that new laws are needed to drive up security standards in outsourced IT services used by almost all UK businesses. Under new proposals, the government has said that it is making improvements in the way organisations report cyber security incidents and reforming legislation so that it is more flexible and can react to the speed of technological change. The plans follow recent highprofile cyber incidents such as the cyber attack on SolarWinds and on Microsoft Exchange Servers which showed vulnerabilities in the thirdparty products and services used by businesses can be exploited by cyber criminals and hostile states, affecting hundreds of thousands of organisations at the same time. The government is aiming, through new legislation, to take a

stronger approach to getting at-risk businesses to improve their cyber resilience as part of its new £2.6 billion National Cyber Strategy. Julia Lopez, Minister of State for Media, Data, and Digital Infrastructure, said: “Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched. The plans we are announcing today will help protect essential services and our wider economy from cyber threats. Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.” In March the government established and funded the UK Cyber Security Council, a new independent body to lead the cyber workforce and put it

on a par with established professions such as engineering. The new proposals would give the council the ability to define and recognise cyber job titles and link them to existing qualifications and certifications. People would have to meet competency standards set by the council before they could utilise a specific job title across the range of specialisms in cyber security.

CLICK TO READ MORE

CYBER SECURITY

NCSC joins US in countering Russian cyber threats

The National Cyber Security Centre has added its support to new advice from

international partners on countering Russian state-sponsored cyber threats targeting critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA) have published a joint advisory encouraging network defenders of critical infrastructure to remain vigilant against Russian-backed hacking groups. It provides an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures

(TTPs), detection actions, incident response guidance, and mitigations. The NCSC recommends that organisations follow the advice set out within the advisory, which also lists 13 vulnerabilities known to have been exploited by Russian-backed actors in order to gain access to networks, and warns that actors have also used spear phishing and brute force techniques successfully.

CLICK TO READ MORE

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

PROTECT DUTY

UNDERSTANDING THE PROTECT DUTY T

he long awaited government response to the Martyn’s Law (UK Protect Duty) consultation was published on 10 January, the same day that the government’s representative from the Homeland Security Group (formerly the Office for Security and Counter Terrorism) gave their final evidence to the Manchester Arena Inquiry. The ensuing, ferocious, questioning of Mr Shaun Hipgrave perhaps summarised how many felt about the government document. It wasn’t a response, it was an analysis and we are all generally none the wiser about the government’s policy direction on Martyn’s Law. However, understanding what the Martyn’s Law campaign originally asked of government, and what has subsequently come to light from the Manchester Inquiry, I think it is possible to give an informed view of how it might develop and what might be slowing things down. SECTION 1 - WHO OR WHERE SHOULD LEGISLATION APPLY The good news is that a majority of respondents agreed with the need for the law and none other than the Right Honourable Priti Patel, Home Secretary, has provided a ministerial statement giving an absolute commitment to bringing the proposed law before Parliament. The down side is that a government mired in many other challenges, hasn’t been able to give a timeline for when this might happen. An optimist won’t be troubled by this, but a pessimist might see the turbulent political

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

landscape creating potential for further delay or de-prioritisation. I’m somewhere in there being an optimistic pragmatist. It could happen, but hopefully it won’t. The majority (seven out of 10) agreed, or strongly agreed, with the principle of the legislation being applied to publicly accessible locations (PAL). Helpfully, the government’s document provided a definition: A publicly accessible location is defined as any place to which the public or any section of the public has access, on payment or otherwise, as of right or by virtue of express or implied permission. For clarity, public places/venues are permanent buildings (e.g., entertainment and sports venues) or temporary event locations (such as outdoor festivals) where there is a defined boundary and open access to the public. The document makes a distinction between places and spaces, and I hypothesise that this distinction will enable a desegregation of spaces from places in legislative terms. In other words, I sense that spaces, per-se, will not be included in the act, unless they become a temporary event location, or are in some other way boundaried. The single most significant feature that defined which places should be included in the legislation appears to be capacity, followed by a range of other criteria including: risk based assessment; geography; type of events; and average (rather than maximum) capacity. Most people agreed the capacity threshold should be 100 or more,

PROTECT DUTY

but where there were other suggestions, the mean equalled 303 persons. It is worth stating that those of us who continue to campaign for Martyn’s Law, would like to see all PAL’s, regardless of capacity, subject to the law, albeit proportionately so. Another important application proposed was that the law should apply to all companies with 250 or more employees. There were several suggested exemptions, notably within the faith sector, but these didn’t appear to have substance attached to them that would differentiate them from many others who could potentially claim exemption. Interestingly, the faith sector has benefited from government funding to help protect places of worship from terrorism and it would seem contradictory to now suggest that they are not at risk. When it came to accountability, most respondents believed that the owners and operators of PALs should be accountable to the law and this suggests to me the possibility of an accountable persons within a company needing to be identified as they are for health and safety or fiduciary matters. What will be interesting is how security and stewarding providers take forward discussions about whether compliance with the law can be migrated to contractors, who might be delivering security on behalf of an owner or operator. The challenge that I see here is that if the owner or operator is accountable for the security plan, they need to provision it properly. What happens if a

contractor defaults on the plan, or disagrees that their client is contracting sufficient resources for it to be delivered properly? I think the security industry as a whole now has an opportunity to come together and reconfigure themselves with a code of practice that stops the race to the bottom line, and requires clients to commission the right number of resources, with the right level of skills and at a fair price. Could a protect duty be the spark that ignites reform of the security industry, and the professionalisation of its workers? SECTION 2 - WHAT SHOULD THE REQUIREMENTS BE? The Martyn’s Law campaign group asked for the following: owners and operators engage their staff in freely available CT training; owners and operators undertake vulnerability risk assessments; where proportionate to do so, risks are mitigated; and owners and operators have a CT plan. The starting point of CT security should be a threat assessment followed by an assessment how vulnerable your place or space is to that threat. There was a split response (50-50) as to whether respondents undertook CT risk assessments, it seems to me that given this level of compliance already, that legislation would sensibly include this need. The reality is that without a risk assessment, the rest of the law is pointless. The Manchester Arena Inquiry generated a monitored recommendation relating to E

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

THE QUEEN’S AWARDS FOR ENTERPRISE: INTERNATIONAL TRADE 2021

Are you ready for Protect Duty?

Learn More

Our innovative Self Funding Security Solution, Keeps you compliant, without additional cost or initial investment. What Solutions Can We Provide? Mass Entry Screening Systems Explosives & Narcotics Detection Mass Casualty / Bleed Kits & Training Online & Classroom Based Training Manpower Risk Assessments & Process Emergency Planning & Preparedness Emergency Scenario Training www.wg-plc.com enquiries@wg-plc.com +44 1295 756300

Self Funding Security Solutions are provided on a Risk Free basis. Meaning - no matter the ﬂuctuation in footfall, the appropriate security solutions will always be provided

KEEPING PEOPLE SAFE

COUNTER TERROR BUSINESS MAGAZINE ISSUE 49 Westminster Group PLC,| Westminster House, Blacklocks Hill, Banbury, Oxfordshire OX17 2BS

PROTECT DUTY

 government driving forward consistent risk model and I therefore conclude that a requirement to undertake assessments will be within the law. One of the challenges for government will be how to legislate the concept of proportionality. In some areas, there is useful guidance. An example of this is CPNI’s guidance on Hostile Vehicle Mitigation (HVM) which introduces a sliding-scale of effectiveness (and by default cost), and has allowed owners and operators to make more informed choices about how to reduce vulnerability from such threats. However, not all threats are so easily proportioned and therefore I’m far from convinced that mitigating risks can be universally legislated for, except in the high value end of operations, where it is right and proper to protect the thousands of people who attend some places. There is another element to this though which is whether failure to mitigate risk exposes you to the, potentially, even costlier spectre of public liability. If saving people’s lives is not motivation enough, costly publicly liability pay outs should encourage good behaviour among owners and operators. We know the human cost of missed opportunities at Manchester and those involved in the management of Manchester Arena, may yet find out what the final financial cost will be. Generally, investment in security seemed to be quite low and many will see the Protect Duty as an opportunity to engage better with their corporate finance controllers and insurers will see it as an opportunity to demand

THE STARTING POINT OF COUNTER TERRORISM SECURITY SHOULD BE A THREAT ASSESSMENT FOLLOWED BY AN ASSESSMENT HOW VULNERABLE YOUR PLACE OR SPACE IS TO THAT THREAT compliance with risk mitigation. The value of information, and using it to enhance security, was seen as important in respect of protecting public spaces. Training, awareness, campaigns and guidance were all seen as providing value. Within this grouping was the inclusion of ‘tools’ something that needs further consideration. I’m confident that the new law will include the need to engage with training and guidance, an important element of the campaigns call to government. Not only is it easily enacted (and already available), but government, policing, and the private sector, have been investing in Protect UK, which will soon become the centralised library of authoritative information, called for during the Manchester Arena Inquiry. There is a great emphasis within the report on engagement with existing statutory bodies, such as local authorities and emergency services, in the protection of public spaces, rather than places. It’s not clear to me why these questions were focused on spaces and not places. I hypothesise that given most spaces are likely to be controlled in some way by statutory regulations that the government might perceive there is sufficient regulation

already in existence to ensure effective oversight of their security. Another hypothesis might also be that engagement is seen as sufficiently important as to make it a legal requirement to do so, especially for those places that are linked to spaces. I think it is certain that places will be required to undertake CT risk assessments, not least of all as this has strong correlation with Part 1 of the Manchester Arena Inquiry’s monitored recommendations. Of course, once you have a risk assessment, that identifies risks, you are then likely to have liabilities under existing laws and TORTS and I wonder therefore whether the government will need to mandate risk mitigations. I sense that the application of the duty to spaces will be too difficult to achieve in the same way as places, but a general duty of collaboration and/or consultation on security issues might be applicable. However, this could also be expanded into applying a legal requirement for local resilience forums to consider the risk of terrorism, something that is currently only discretionary. The argument about cost will endure and I would certainly encourage a counter narrative regarding the cost of not doing something. E

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

PROTECT DUTY  SECTION 3 - HOW SHOULD COMPLIANCE WORK? Views were sought on what an inspectorate might deliver and how it might enforce the law. It appears that most of the responses were tactical, with the highest number of respondents suggesting that the main compliance measure should be training. Other responses included spot checks, annual visits and selfassessment. It is clear from the brevity of this section that inspection and compliance are presenting government with some difficult questions. There was a mixed response about using civil fines as a sanction for noncompliance with a majority being against this however, a significantly larger group of respondents proposed alternative or additional views. This included a qualified use of fines and education as an alternative to enforcement. There seemed to be little support for criminal prosecution, although it was mentioned by some. I think it is unlikely that the government will build a new inspectorate. If this legislation is to be created this year, there is neither time nor money to create a new inspectorate and you cannot establish a new law without some sense of how it will be enforced. I therefore believe that enforcement will be pursued through self-certification and/or voluntary compliance, in most cases. Given the focus on existing statutory bodies in section 2, I also hypothesise that they will be used as part of the legislative mechanism, with some already having powers to bring criminal prosecutions (licensing law being the obvious example). It is possible that as the law matures, other inspection regimes will evolve, the HSE wasn’t created in a day.

GENERALLY, INVESTMENT IN SECURITY SEEMED TO BE QUITE LOW AND MANY WILL SEE THE PROTECT DUTY AS AN OPPORTUNITY TO ENGAGE BETTER WITH THEIR CORPORATE FINANCE CONTROLLERS AND INSURERS WILL SEE IT AS AN OPPORTUNITY TO DEMAND COMPLIANCE WITH RISK MITIGATION engage with government/policeprovided advice and guidance which is demonstrable of the value such authoritative voices are seen as giving. Other respondents suggested that information should be sectorspecific as well as seeking validation of who provides expertise. It is within this context that the government discusses the possibility of licensing security consultants. Among the other responsibilities that it was suggested government should have, was the funding of mitigations where there was perceived to be a sector-specific cost impact. There is a precedent for this with the places of worship fund. There is a lot in this section, but most of it seems to validate the simple concept of the digital service and provides helpful feedback on how that is likely to be most effective. One of the final questions sought feedback on how the provision of highquality advice could be guaranteed. This led to significant commentary regarding the regulation and accreditation of security consultants. It is unclear what the government’s intentions are and the scope to which this might be applied. There is no such thing as a universal security consultant,

and many operate in fields for which there is not accredited training. I believe that the government is likely to satisfy itself by ensuring that the digital service is up and running in time for the launch of the law and it is of a standard that means people will engage with it voluntarily, and not just because of a legal compulsion. While there is a project already underway to look at the accreditation and skills of CTSA’s there is great risk in assuming that the protect duty is best served by this skill set. The Manchester Arena Inquiry highlighted the limitations of CTSA’s, and they are not CT generalists. I would argue that seeking to replicate their accreditation within the private sector, is more likely to increase costs and the use of costly physical measures, rather than other strategies. L

Nick Aldworth campaigned alongside Figen Murray for the introduction of the UK Protect Duty and was the author of the original proposal submitted to government for consideration. He is director of Risk to Resolution Ltd.

FURTHER INFORMATION www.risk2resolution.com

SECTION 4 - HOW SHOULD GOVERNMENT BEST SUPPORT AND WORK WITH PARTNERS? The government clearly sees itself as being responsible for providing authoritative advice and guidance. This is their most important role. Most respondents seem to agree, with 74 per cent proposing the use of a digital service to deliver this. Interestingly, there is some cross-over with section 3, with 61 per cent asking for the government to define what ‘reasonably practicable’ will mean in terms of compliance. While the government acknowledge this feedback, such definitions are usually defined by legal precedent (case law) and so it will be interesting to see where they draw their position from. Helpfully, the government, with policing and the private company Pool Reinsurance Ltd have been building the digital platform for the last 12 months, and it is expected to be launched imminently. Furthermore, 55 per cent of respondents stated that they currently

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

ADVERTISEMENT FEATURE

LOCKEN’s advanced access control solution ensures service continuity in the telecoms industry liaises with the operator’s information system, collecting select information from the various user profiles to limit access to authorised individuals. This allows operators to use the software to assign access rights for specific areas, based on the technician’s profile and authorisation. To improve on-site control activities, electronic keys work with the MyLocken app and new technology (RFID, beacons, etc.) to send technicians verification messages about their access rights or required safety instructions (wearing a helmet, the buddy system, etc.). Similarly, users can interact with the central system and submit on-site attendance reports, flag up anomalies errors, etc. These bespoke features are designed to meet ever stricter security requirements in companies and accommodate the latest Government guidelines.

The telecoms industry is growing exponentially, and is now an essential part of our everyday lives. The pandemic has created an unprecedented requirement for almost all industries to operate a working from home policy and to provide the public with increased access to online services, making the telecoms industry more important than ever A major impact of this change is the presence of a growing number of telecoms facilities, which are proving to be the cornerstone of service delivery. Equipment is often located in isolated areas, so strict access control systems are needed to keep any vulnerability to an absolute minimum. With solutions that have been installed at hundreds of thousands of sites over the past 19 years, LOCKEN has developed top-tier expertise in this particular industry. Catherine Laug, Group Head of Marketing at LOCKEN explains how the solutions perfectly meet the requirements of this industry. Access control for Telecoms multi-site facilities Telecoms companies cover vast expanses of land to keep the service up and running for customers. This involves several tens of thousands of plants and facilities, from mobile phone towers to street cabinets for the wired network. With LOCKEN’s access control solution dedicated to the Telecom industry, maintenance technicians no longer need to worry about accessing the numerous facilities during their daily inspection rounds. Once configured, their single electronic key guarantees access to the right place at the right time. Operators are assured that their field teams

– often subcontractors – can carry out all maintenance work during specified times in line with their specific access processes. Access control for extreme weather Most of the facilities requiring protection are outdoor sites particularly exposed to wind, sun, snow and sea spray. Access control systems must be able to withstand corrosion caused by bad weather. LOCKEN delivers a certified, conceptual solution to this challenge with a smart key and electronic cylinders, both manufactured by ISEO; Cylinders meet the requirements of the EN 1670 corrosion resistance standard with a IP66-67-68-69 rating to guarantee maximum protection. The latest-generation electronic keys use inductive technology for contactless information exchange between the key and cylinder. With this technology, the electronic key can transmit access rights to the cylinder even if the humidity at the site corroded the surface of the lock. Access control and authorisation: combination of App and management software for increased services At some telecommunications towers, access is restricted to those authorised to work at height. The Locken Smart Access (LSA) software

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

Subcontracting and shared access sites: the challenge for access control Subcontractors are an increasingly common fixture in both maintenance activities and emergency callouts and they require daily access to a number of scattered, remote facilities. The choice of an access control system is also conditioned by the fact that sites may be shared by different businesses, such as water towers that are often used to support radio masts. LOCKEN delivers an effective response to multiactivity sites with just one electronic key needed for countless locks. Officers no longer need to carry large bunches of keys between sites – they can access the right place at the right time in maximum security. Access control: a decisive advantage Communication infrastructures may be the prime target for large-scale attacks looking to compromise the country’s economic potential. They may also attract various types of vandalism, tempted by the challenge of scaling facilities or the apparent vulnerability of street cabinets. The LOCKEN solution is invaluable when it comes to protecting facilities from harm. The electronic cylinders and padlocks have CEN 1303 certification with the highest level of resistance to drilling and therefore vandalism. What’s more, a lost or stolen electronic key can be disabled to prevent any unwanted intrusions. The reporting feature in the Locken Smart Access software aims to report any attempts to gain access outside specified time ranges or in out-of-bounds areas, thus detecting any anomalies.L FURTHER INFORMATION www.locken.eu www.linkedin.com/company/locken

PROTECT DUTY

HEALTH AND SAFETY AND SECURITY MANAGEMENT

ealth and safety and security management share many key elements. Their main priorities are keeping people safe and allowing organisations to keep functioning. Both disciplines are legally based, so occupational safety and health (OSH) professionals and security professionals need to keep up to date with upcoming legislation. This month, the government is proposing to introduce Protect Duty. This legislation, and the changes it brings, will enhance the protection of the UK’s publicly accessible places from terrorist attacks and ensure that businesses and organisations are prepared to deal with incidents. The approach the government has taken has raised interest within the OSH community, mainly due to the requirement for organisations to undertake a risk assessment. This is to assess the risks posed to them by terrorist activities, based upon either information about terrorist attacks available through freely accessible government websites – the Centre for the Protection of National Infrastructure (CPNI) and the National Counter Terrorism Security Office (NaCTSO) for smaller or local event organisers, or by other means for larger organisations. Legal context is important here. The proposed new duty is not criminal law such as health and safety law, where non-

compliance can result in prosecution and a criminal record for those found to be culpable. This places an important limit on the legal liabilities of those with duties under this law. The proposal is for a new offence for non-complaint organisations based on civil sanctions such as fines. That is not, however, the same as Common Law where the employer is liable by default for the actions of employees. It is quite possible, but not entirely clear from this document, that individuals could be vulnerable to being fined. APPLICATION OF THE LEGISLATION The document discusses who the proposed legislation should apply to. There are three main areas (but it may also apply to other locations, parties and processes by exception): • public venues (eg entertainment and sports venues, tourist attractions, shopping centres) • large organisations (eg retail or entertainment chains) • public spaces (eg public parks, beaches, thoroughfares, bridges, town/ city squares and pedestrianised areas). From an Institution of Occupational Safety and Health (IOSH) perspective, E

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

PROTECT DUTY \ any organisation that is public-facing should consider the risks of terrorism to the safety of their workers and members of the public using their facilities. REQUIREMENTS OF THE LEGISLATION The general requirement of the legislation is that applicable organisations must assess the risks posed by terrorist threats to workers and members of the public. Risk assessments are a time-tested technique used by organisations not only to manage OSH risks but also for general business risks as well. The consultation does not specify how the legislation, or its supporting guidance, will require the risk assessment to be carried out, but a good technique used by OSH professionals is below. • What is the hazard? (Hazard identification). • Who can be harmed and how? • What current control measures are in place? (Risk control and mitigation). • What is the likelihood of the hazard being realised and the consequence of harm? (Risk prioritisation). • What additional control measures are required to eliminate or further mitigate the risk? (Risk control, mitigation and resilience – risk treatment). • Is the remaining risk after controls acceptable? (Residual risk). This is where some of the terminology changes from OSH to security. Generally, OSH professionals use the term ‘hazard’ as something with the potential to cause harm. In the Protect Duty legislation, ‘threat’ is used, which is more akin to terms used in business risk assessments. The same applies to ‘risk control’, which tends to be an OSH term, while business risk assessments use ‘mitigation’. However, these terms are fairly interchangeable, and the above technique can still be used. Like OSH hazards, the threats need to be fully understood to properly assess the risk. The legislation talks about threat and risk. Key initial steps are understanding threat and risk. • Understanding the terrorist threat – noting that terrorist groups, their motivations and target preferences and attack methodologies can differ and tend to change over time. o A useful level of awareness can be achieved by following open source media reporting of recent attacks and their methodologies, understanding and monitoring the National Threat Level and browsing relevant government websites. • Understanding the specific risks the threat poses for your site and/

or organisation – how and why your site/organisation might be affected, either by being targeted directly or through indirect impacts, due to its location in a particular area or because of its proximity to neighbouring sites, businesses, or organisations that may be targeted. o You should undertake a risk assessment to identify and record terrorism risks and appropriate mitigations. This should be aligned with your organisation’s/ site’s wider assessment of risks and their management. One of the unknowns with the key initial steps in the legislation is which methodology organisations should use to assess their risks from terrorist activities. Is it purely going to be via a qualitative risk assessment process using an indicative matrix, or using a semi-quantitative or even quantitative methodology? Due to the subjective nature of threats from terrorist activities, it is likely that a qualitative approach will be adequate to properly assess the risks to the organisation, its workers and members of the public. Risks assessed as green within the matrix will be considered low risk to workers and members of the public, while amber and red-rated risks will need more controls or mitigations added to reduce the risk to tolerable levels. From an OSH perspective, this risk assessment could link into the suite of assessments that an organisation needs to evidence to show that it is managing all its risks properly. It is likely many public-facing organisations will already have considered terrorist threats within their OSH workplace risk assessments. The introduction of this legislation may mean that organisations may split this from their OSH risk assessments into separate documents, which may or may not have an effect on the detail of the information presented. Again, like OSH risk assessments, this legislation talks about implementing mitigations to unacceptable risks. However, there is no evidence that it takes into account what an organisation’s risk tolerance would be to a terrorist attack. Expressed in quantitative terms that can be monitored, risk tolerance is often communicated as acceptable or unacceptable outcomes or as limited levels of risk. Risk tolerance statements identify the specific minimum and maximum levels of risk that the organisation is willing to accept. The range of deviation within the expressed boundaries would be bearable. Exceeding the organisation’s established risk tolerance level may endanger its overall strategy and objectives. This

can be due to the consequences in terms of cost, disruption to objectives or in reputational impact. What risk would an organisation tolerate in the case of a terrorist attack? It could be self-explanatory that no organisation would tolerate harm or loss of life to workers or members of the public, but what about loss of buildings or other assets? Controls or mitigations are a normal part of any risk assessment. The Protect Duty discusses mitigations such as physical security measures including CCTV, security doors, fences electronic access and intruder detection systems, and ‘people’ measures such as training and awareness, eg ACT Awareness e-Learning. It also talks about developing cultural controls, encouraging and enabling a security culture in the workplace, eg ensuring that any concerns can be easily reported and will be acted upon and that managers lead by example and avoid giving mixed messages. Security professionals should be aware when looking to implement mitigations within their risk assessments to be considerate of what OSH professionals call ‘the Hierarchy of Control’. This looks at implementing controls that are most effective first and only looking at controls at the lower end when higher-level options are not feasible. Professionals should look at controls needed during preparation, execution and recovery of a terrorist event. It is also important to ensure that any security measures/plans don’t conflict with OSH requirements, including fire controls. The Bradford City Football Club fire in 1985 was an example of how security controls impacted on the health and safety of members of the public. The stand was ill-equipped to cope with an emergency – six fire exits at the back of the stand were found to have been locked, with seven forced or found to be open by supporters fleeing the fire. SUMMARY This piece of legislation does not introduce new concepts for keeping workers and members of the public safe but leans on existing methodologies in different fields, such as OSH, to utilise regarding other risks to an organisation, such as the Protect Duty will cover with terrorism. How this legislation will work in practice is still debatable, but it is definitely something that security professionals will need to consider. L

Written by Michael Edwards CMIOSH, Institution of Occupational Safety and Health (IOSH).

FURTHER INFORMATION https://iosh.com/

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

ADVERTISEMENT FEATURE

Pure Vista lead the way with blast resistant frameless glass balustrade Written by Ruth Wilkes with Adam Oakes (Director) and Mark Oakes (Director), Pure Vista

Aiding on infrastructure design, the positioning of a balustrade can be the answer to containing a blast. Pure Vista is guiding the way

On the lead up to Martyn’s Law (Protect Duty) being discussed in parliament in 2022, Pure Vista is guiding the way with blast-resistant and bullet-resistant frameless glass balustrade. As balustrade manufacturers operating for more than 14 years, we have developed the MEGAgrip channel which can be fortified to become blast or bullet resistant. Glass has become a favorite in the design and construction industry but, glass is known for being fragile and a weak spot in a building. We know that this is not the case! Glass has been developed to withstand explosions and bullets and we have the system to hold it steadfast and strong. We are proud of the modern look of BLASTguard and BULLETguard, which provides the utmost security in private, public and commercial spaces, using completely frameless glass balustrade. In the aftermath of the Manchester Arena attack, the directors here were passionate about creating the safest balustrade design available. As organisations and individuals are looking to make changes to their environments, balustrade should be considered as a major safety element in upcoming refurbishments, developments and builds. The development of BLASTguard and BULLETguard began. Pure Vista supplies organisations globally with quick delivery and unparalleled technical support. Aiding on infrastructure design,

the positioning of a balustrade can be the answer to containing a blast. The team at the Pure Vista offices in Cornwall, can provide expert technical advice to aid in the planning and design process. BLASTguard was the first completely frameless, bomb-resistant glass balustrade on the anti-terror market place, with glass as high as 1800mm. Where a bomb blast is a perceived threat, 3kN balustrade can be used. Using screw-clamp technology, the glass can be aligned for a perfect finish. The fortified MEGAgrip is ideal for public locations where crowding is likely. Currently beautifully installed as a safety barrier in football stadiums, London train stations, underground stations, airports, hospitals and large music venues across the UK and around the world. BULLETguard is typically installed in public areas, as a protective screen to ensure the safety of a particular delegate, speaker, politician or celebrity who may be at risk. Another fortified variation of the MEGAgrip channel, this variation wields a different result, safety from bullets instead of a blast. Now that we are all learning to live with changing Covid restrictions, venues and public spaces have also developed certain entry and public safety requirements. Queueing before entry as crowds are put through security and Covid checks has

raised the questions – is this safe? Crowd management and safety is in the public eye, designers and developers are working to increase safety element in buildings and work places. Although, sadly, the risk will never be at 0, we can work together to make crowded locations as safe as possible. In our opinion, Protect Duty is massively beneficial to the safety of people and infrastructure. From training people to deal with new difficult terror situations, to changing and installing new elements into buildings that will physically keep people safe. All the changes being asked for can only do good in the long run. How can we help? The installation of Pure Vista BLASTguard or BULLETguard will significantly increase protection, while subtly blending into the design of the building. Adding MEGAgrip to your designs and plans adds extra security to any building. Technical Information Accredited to 3.0kN MEGAgrip is approved by multiple organisations to verify that it meets national and international building regulations for use as edge protection. After installation, if required, glass panels can be removed and replaced. If MEGAgrip is initially installed, it can later be fortified to become BLASTguard or BULLETguard. The BLASTguard balustrade channel itself is lightweight and strong, the hollow core provides incredible strengths to weight ration. For added protections, the channel is anodised to 25 microns, meets BSI standards and is compliant to ASIAD Class 1 & 2 compliant to ISO 16933:2007. BULLETguard has up to 1.5kN loading to BSI standards and is rated to FB5(NS) to EN 1522 and EN 1523. The same channel is used for BLASTguard, BULLETguard and MEGAgrip, this channel can be base fixed (or side fixed if it is not fortified) and can be installed with glass up to 1800mm high. For further information please visit the website or contact our technical team who will be able to assist. L Pure Vista manufactures and supplies Aluminium balustrade and do not supply glass or provide installation. However, we can recommend installation organisations that are local and suited to your project. FURTHER INFORMATION www.pure-vista.com sales@pure-vista.com www.facebook.com/purevista www.linkedin.com/company/pure-vista-ltd www.instagram.com/purevista.ltd

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

PROTECT DUTY

PROTECT DUTY ACT – WHAT DOES THIS MEAN FOR THE PERIMETER SECURITY INDUSTRY?

n 22 May 2017 a suicide bomber detonated an explosive vest/backpack filled with a combination of explosives and homemade shrapnel. The attack was clearly designed for mass casualty as the vest/ backpack device was specifically aimed at damage to close proximity crowds. The high profile of the concert and average ages of the targeted crows would also have been a factor in the attack planning as it would generate a greater media interest for the bombers ‘cause’. The son of Figen Murray, Martyn Hett, was one of the 22 victims that died in the attack and this coupled with the subsequent discovery by Figen that adequate security at events was not always in place has led to a journey that is now hopefully nearing its end. The Protect Duty Act (PDA) is a pending UK law that has been primarily driven by Figen

Murray and was issued for consultation in early 2021. With recent government announcements made this month, the PDA will become law in 2022 and will instigate one of the largest security protection level changes ever seen in the UK. One of the main drivers behind the PDA is to create a public responsibility for owner/operators of publicly accessible locations creating a very specific need for risk assessing these locations and where applicable ensuring that suitable protection measures are in place. Locations cited in the consultation draft of the PDA include (but not limited to) sports stadiums, festivals, hotels, pubs, clubs and bars, high streets and retail stores, shopping centres, schools and universities, hospitals, places of worship, stations, parks, beaches and other open spaces. It is therefore very clear that the extent of the PDA will be far reaching. E

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

• IWA 14-1:2013 rated. Stops 1.5t vehicle at 30mph in its tracks • Provides security and protection to pedestrians and infrastructure • Enhances look and feel whilst bringing biodiversity to the urban landscape • Absorbs rainwater and filters harmful airborne pollutants • Scalable and modular design, available in a range of finishes • Hard-wearing and minimal maintenance • Shallow-mounted maximising versatility • New range of complementary HVM street furniture coming in 2022

INSPIRA PROTECT is our modular planting system, reinforced for Hostile Vehicle Mitigation (HVM) Offering security & protection to pedestrians and urban infrastructure while enhancing the aesthetic value of the space.

bsfg.co.uk 01625 322 888

PROTECT DUTY

ONE OF THE MAIN DRIVERS BEHIND THE PDA IS TO CREATE A PUBLIC RESPONSIBILITY FOR OWNER / OPERATORS OF PUBLICLY ACCESSIBLE LOCATIONS CREATING A VERY SPECIFIC NEED FOR RISK ASSESSING THESE LOCATIONS AND WHERE APPLICABLE ENSURING THAT SUITABLE PROTECTION MEASURES ARE IN PLACE

\ As the PDA has not been set in law yet, we do not know exactly what the parameters and requirements are however it is certainly likely that risk assessments on many publicly accessible locations will lead to physical protection requirements of these spaces. The PSSA is an international specialist security association that focuses on high security perimeter protection with an emphasis on hostile vehicle mitigation (HVM). Our members include the vast majority of manufacturers and installers of HVM products and obviously the PDA will have a major impact on our industry. As an association, we are very aware that the creation of new legal responsibilities for the protection of public spaces will have a knock-on effect down the chain and we have already put the wheels in motion to ensure that we, as an industry, are prepared. While all of our members already operate at the highest professional level, under the pending legal responsibility framework for public spaces, a future ‘event’ will undoubtedly lead to potential claims against all involved in the chain from the owners/operators through consultants to product manufacturers/ installers and maintenance providers. We have therefore introduced new codes of conduct and schemes to

ensure that the communication and quality provided by our members are clear, consistent and commensurate with requirements. The first of our new measures is a code of conduct for product modifications and this measure has been introduced to ensure that any customer of an association member has been provided with accurate detailed information regarding any impact tested product. This information includes the specific ‘as rated’ format of the products including key dimensions and foundation design used in the impact test. The code of conduct further details the process by which the product may be varied from its original state and how this must be communicated through company’s media and most importantly in any quotation provided. This should ensure that at the point of sale, customers are fully aware of the test data associated with the product and any changes to product and foundation design to suit a specific site requirement. It should be noted that any impact testing comes with a detailed report from the relevant test house however this is not a certificate and is purely evidence that the product has been tested. The second key document that has been issued is the Hostile Vehicle Mitigation Installers Scheme

(HVMIS) which is a scheme that documents the many aspects of the installation process including planning, communication, training, documentation etc. The main aims of the HVMIS are: to promote a competent and professional approach to the installation of temporary and permanent Vehicle Security Barriers (VSB’s); to have clear, open and honest communication with project stakeholders; and to ensure that the client fully understands what they are having installed, its compliance with its ‘as rated’ status and that all variances have been clearly explained and documented. One of the fundamental elements of the requirements under the scheme is training with a large training matrix forming part of the basic requirements of membership. The training matrix includes general security, installation and product specific training. This should ensure a much higher degree of specialism from scheme members in the installation process and the communication of any restrictions in this process. This is a key requirement in the installation of HVM as in the majority of installations it will not be possible to exactly replicate the conditions / foundations / layouts used in the original testing process and it is imperative that the installers not only understand this but also that they are able to communicate this effectively to stakeholders. While the HVMIS is a PSSA scheme, it is open to all barrier installers and PSSA membership is not a pre-requisite. The schemes and codes of conduct put in place by PSSA should provide protection, if followed correctly, to manufactures and installers however the aim of the association in all of its endeavours is the continuous improvement in quality and professionalism in an industry that is critical to providing life saving protection. Finally, we would like to add our sincere congratulations to Figen Murray not only for the achievement of her Master’s degree in Counter Terrorism but also on receiving a well-deserved OBE in the New Year’s honours list. L

The next PSSA Interact Day on 24 February will be a Protect Duty Act focused event and speakers will include Figen Murray, CTP and CPNI. Please contact Jen at jennifer.shail@ admin.co.uk for further information.

FURTHER INFORMATION www.pssasecurity.org

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

COVID-19

HOW THE PANDEMIC IS CHANGING THE TERROR THREAT C

ovid-19 emerged and was quickly followed by a slew of lockdowns and restrictions. At first, these events seemed to play into the hands of law enforcement and all those engaged in counter-terrorism. Put simply with people stuck at home and not gathering on public transport, at venues, or in office skyscrapers, terrorist targets were hugely reduced. Then right at the end of last year UK police said they had foiled what they called seven ‘late stage’ terrorist attacks since the start of the pandemic. For obvious reasons they were shy of releasing any specific details, but this was good news particularly as it meant more than 30 such attacks had been frustrated in the last four years. Unfortunately, as the pandemic progresses, the outlook is changing with the unexpected mingling of ideas and actions by those on very different sides of the political spectrum.

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

UN WARNS THAT LOCKDOWN MAY CONTRIBUTE TO RADICALISATION The UN’s Counter-Terrorism Committee published a paper on the impact Covid is having on terrorism, counter-terrorism and countering violent extremism. The paper concludes that the pandemic is ‘likely to have increased the underlying drivers and structural factors that are often conducive to terrorism’. The report warns there is a growing frustration and anger among populations at Covid restrictions that many see as disproportionate and unjust which contributes to ‘conditions conducive to radicalisation to terrorism’. They note that: ‘Several terrorist groups are already exploiting the pandemic to cultivate authority and legitimacy, expanding their recruitment and radicalisation tactics through charity, the provision of food or monetary E

COVID-19

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

COVID-19  resources, and other related support.’ Anti-vax groups also get a look-in with the report saying that violent extremist groups have sought ‘to develop ties with anti-vaccination communities’. We will return to the anti-vax movement in a moment. DARK JOURNEY During lockdown everyone has spent a great deal of time at home; often this time was spent searching the net. Those susceptible to radicalisation were able to indulge their fantasies. Damian Hinds, the UK’s Minister of State Security and Borders, recently told the Daily Telegraph newspaper: ‘Clearly, logically, when you have more people who are spending more time in their bedrooms at their computer … you are going to get a growth in that tiny proportion of people for whom that is a dark journey.’ He said there had been an increase in extreme right-wing terrorism but went on: ‘Islamist extremism

terrorism, though, remains a potent threat. And we also have quite a few people who you might describe as having a sort of mixed or unclear or unstable mindset. Sometimes [they are] looking at flirting with different ideologies, different groups, sometimes apparently mutually exclusive, very, very different types of ideology.’ CONSPIRACY THEORIES TRAVEL FROM RIGHT TO LEFT This was a theme explored recently by George Monbiot in the Guardian where he looked at how left wingers were being lured by far-right conspiracy theories. He wrote: ‘On an almost daily basis I see conspiracy theories travelling smoothly from right to left. I hear right-on people mouthing the claims of white supremacists, apparently in total ignorance of their origins.’ As he points out, this is not the first time there has been an overlap between left or liberal ideas with those of the

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

far right. The Nazis were propogandists for astrology, organic farming, forest conservation and ecology. Monbiot believes the antivaccine movement is a perfect vehicle allowing far-right groups to penetrate those on the left. PRO-MILITIA ACTIVISTS AND WHITE SUPREMACISTS Jonathan Jarry on the McGill website takes up this theme saying: ‘Anti-vaccine sentiment is strongly associated with conspiracy thinking and protection of individual freedoms, traits that are finding a home among far-right groups.’ As Jarry points out anti-vax protests ‘often show people holding signs slapped with antivaccine rhetoric next to pro-militia activists and white supremacists’. Typically, there are links between anti-vaxers and those with an interest in conspiracy theories particularly those who believe restrictions are being placed on their freedoms.

COVID-19 POLITICAL PRISONER Novak Djokovic, following his recent tussle over his Australia visa, and his subsequent ejection from the country has become something of a poster boy for the anti-vax community. Social media platform Telegram which is often home to conspiracy theories and antivax sentiment has seen anti-vax groups calling Djokovic ‘a political prisoner’. One respondent asks the question: ‘If this is what they can do to a multimillionaire superstar, what can they do to you?’ If you look at what Djokovic has said about vaccines, he is often more equivocal than his fans on Telegram would have you believe. In April 2020, he said he was ‘opposed to vaccination’ but later said he would keep an open mind and ‘choose what’s best for my body.’ And he ‘wouldn’t want to be forced by someone to take a vaccine.’ Notwithstanding that, he ultimately refused to be vaccinated and lost out on being able to defend his Australian Open tennis title.

PERHAPS THE BIG TAKEAWAY TO BE DRAWN FROM ALL THESE EVENTS IS THE MERGING OF THE RHETORIC AND SOMETIMES THE DIRECT ACTION TAKEN BY THOSE ON VERY DIFFERENT SIDES OF THE POLITICAL SPECTRUM

‘BURN DOWN MPS’ OFFICES’ It is worth reflecting on another antivax adherent. Piers Corbyn, brother of the former Labour leader Jeremy Corbyn, undoubtedly sees himself as a figure on the radical left but many of his actions and comments would be entirely at home with those who stormed the Capitol building in Washington DC on 6 January 2021. Corbyn was arrested on ‘suspicion of encouraging people to burn down MPs’ offices’. He was captured on video at an anti-vax protest telling supporters to: ‘hammer to death those scum who have decided to go ahead with introducing new fascism. You’ve got to get a list of them … and if your MP is one of them, go to their offices and, well, I would recommend burning them down, OK. But I can’t say that on air. I hope we’re not on air.’ Just before New Year anti-vax protesters entered a Covid testing site, believing it to be a vaccine centre, and shouted abuse at staff and were reported stealing pieces of equipment. Jeff Wyatt, a right-wing UKIP candidate, and Piers Corbyn were both part of this so-called Freedom Rally protest. So extreme left and right points of view were both represented. Strange bedfellows for strange times. ALPHA MEN ASSEMBLE You may say this is hardly terrorism, but police are troubled about the direction of travel some anti-vax groups are taking. Of particular concern is a group known as Alpha Men Assemble. A Daily Mail reporter was present at one of their training sessions at a park in Staffordshire where those present were told to: ‘hit vaccine centres, schools, headteachers, colleges, councillors and directors of public health in every area’. The training was conducted by a former member of the armed forces who said those present should prepare for a ‘war on the government’ and called on them to ‘take it to the Old Bill’ and warned the fight was ‘not for the faint-hearted’. SYNAGOGUE SIEGE At the time of writing, it is Islamic terrorism that’s making the news once again. Information is emerging about the terror attack at a Synagogue in Colleyville, Texas. The BBC reported that three men including the synagogue’s rabbi were taken hostage. The rabbi, Charlie Cytron-Walker,

helped all the men escape by throwing a chair at the terrorist. Cytron-Walker released a statement saying security training had helped him and his fellow hostages survive. He said: ‘Over the years, my congregation and I have participated in multiple security courses from the Colleyville Police Department, the FBI, the Anti-Defamation League, and Secure Community Network. We are alive today because of that education. I encourage all Jewish congregations, religious groups, schools, and others to participate in active-shooter and security courses.’ The terrorist identified as British citizen Malik Faisal Akram, was shot dead by police. Akram, from Blackburn Lancashire, is thought to have arrived in the US two weeks prior to the attack and secured a handgun on the street. In an indication of the international nature of both terrorism and counterterrorism, US and UK police are liaising. Greater Manchester Police announced they have arrested two teenagers in England in connection with on-going enquiries into the Synagogue siege. Whether the pandemic had any bearing on this man’s actions it is too early to tell. UNLIKELY ALLIANCES Perhaps the big takeaway to be drawn from all these events is the merging of the rhetoric and sometimes the direct action taken by those on very different sides of the political spectrum. These groups have lockdown time and the easy ability to disappear down some unwholesome internet rabbit-holes. As left and right conspiracy theorists merge, counter-terror officials have their work cut out to unpick and challenge this new and unlikely assembly of threats. L

Written by Jim Preen. Jim is a freelance crisis management and communication consultant. He designs and delivers crisis simulation exercises, writes crisis communication plans and presents crisis management webinars. In another life he was a journalist working at ABC News (US) where he covered stories including the Gulf War, the Bosnian conflict, and the Concorde crash. He won two Emmys for his work.

FURTHER INFORMATION jim@jimpreen.co.uk

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

ANNUAL REVIEW

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

ANNUAL REVIEW

POOL RE SOLUTIONS ANNUAL REVIEW 2021 SPECIAL EDITION In this Special Edition Annual Review, which marks the 20th anniversary of 9/11, Ed Butler CBE, DSO, Chief Resilience Officer at Pool Re, explains how two decades of disruption has shaped todays’ fight against terrorism and extremism. This timely review looks at the world’s response to terrorism since 9/11 and how it might be improved, identifies outdated solutions and hierarchical structures, and examines the current threat landscape. In the year that saw the US and other forces withdraw from Afghanistan, it also looks at the long-term consequences of this, as well as other sources of concern such as terrorist use of biological weapons in the post pandemic era, the continual growth of right wing extremism, and how climate change is influencing the drivers of terrorism

t feels appropriate, a couple of months after the twentieth anniversary of 9/11, to pause and consider whether the world is more, or less, secure from terrorism than in the latter part of the previous century. I fear not. We are living in unprecedented times, in a new paradigm where ‘Cold War’ has been replaced by ‘Hot Peace’. A paradigm where we have gone from a bi-polar world to one of multiple asymmetric conflicts and threats, where war is now indistinguishable from peace. Where the distinction between acts of war, hybrid war, terrorism, and serious organised crime, in particular in the cyber domain, is becoming increasingly blurred. The build-up of Russian forces on the Ukrainian border, coupled with destablisation operations by Belarus, could well see the first outbreak of a global ‘conventional confrontation’ in the 21st Century. Tensions over Taiwan, and the Iranian pursuit of a nuclear weapon add to global uncertainty and unpredictability. We inhabit a world where traditional terrorist threats, which tended to be localised and focused on the destruction of property and killing servicemen, policemen and public figures, feel somewhat primitive. Our new world is populated by Jihadis and extremists who buy ‘one-way tickets’ on route to martyrdom and mass casualty events. The new world is characterised by remarkable digital and information sharing advances, where information (good and bad) can pass at the speed of photons and is largely ‘unseen’, hidden in a virtual cloud. Concerns over ‘bedroom radicalisation’ continue to grow. At the time of 9/11, we had technological superiority over terrorists, through the use

of Global Positioning Systems (GPS), Night Vision Systems (NVS), Unmanned Aerial Vehicles (UAVs), and precision strike weapons and across most, if not all, IT networks. Now, Daesh, Al Qaeda (AQ) and most, if not all, threat actors use state of the art GPS, NVS, drones, the dark web and encrypted messaging to plan and execute their attacks. The latter is of significant concern for our intelligence and security services and, to quote a former Director of the FBI, we are going ‘dark and dumb’ at just the wrong time. The growing capabilities of terrorists raises concerns around the ability and capacity of our military, security and intelligence services to continually deliver success against a rapidly evolving spectrum of threats. Can our counterterrorism operations keep pace with the rapid technological changes? The diversity of threat actors? New, dynamic threats, especially in the information domain? And lastly the evolution of the ‘digital terrorist’? OUTDATED SOLUTIONS AND HIERARCHICAL STRUCTURES If we are to believe terrorism has entered a new dimension with growing sophisticated capabilities, this is likely to have a significant impact on businesses and our infrastructure, especially those which operate in complex environments. Therefore, we will almost certainly need greater collaboration between the public and private sector in order to improve our economic and societal resilience to terrorism. We have seen how threat actors, be they traditional terrorists, radical extremists, militias, hybrid fighters, serious organised and/or narco or cyber criminals, use any means to E

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

ANNUAL REVIEW  harm, attack and avoid us. My concern is that we are using outdated methods. Our capabilities and corporate security solutions are configured in traditional hierarchical structures, and conventionally equipped, often led by too many people who still think and operate in a classical, [Western] conventional way. In my view, we need to re- think, plan, operate, lead, and deliver terrorism security and risk solutions. As TE Lawrence described it, while fighting the Ottomans, asymmetric operations are ‘like eating soup with a knife’. We need to eat more soup with knives and try and ‘synchronise this asymmetry’. Before looking at how we might better prepare and mitigate against all forms of extremism and violent action, I’d like to review our current situation. We are both recovering from, and adjusting to, the global pandemic. In the light of a global pandemic we are slowly waking up to the increased threat of terrorist use of Chemical, Biological and Radiological (CBR) weapons. We are dealing with the ‘forever consequences’ of the humiliating withdrawal from Afghanistan, and the increasing radicalisation and disaffection across our communities, coupled with the consequences of climate change influencing and fuelling the drivers of terrorism. It is a bleak landscape. WHAT HAS BEEN OUR RESPONSE AND HOW DO WE IMPROVE IT? Back in the 80s and 90s, it was very much a long-term game. There were relatively few active members of the Irish Republican Army (IRA), we knew who they were, where they lived, and we had extensive data bases on them and their networks. We undertook intensive surveillance operations, through active and passive means and relied heavily on human sources and technology to provide us with the edge. We took down the hierarchy – difficult with today’s Islamist terrorists which operate on a decentralised approach – disrupted their supply chains and focused on their finances and supporters.

In the 1990s radical Islam, and the growth of Al Qaeda (AQ), was not seen as a problem facing the UK. I think it’s important to make the distinction here between our understanding and response to the threat of radical Islam pre and post 9/11, when the scale of the potential threat became clear. The French intelligence services did warn us of the growing threat and coined the term ‘Londonistan’ because of the presence of a large number of radical Islamists, mostly from Algeria and some who had served in Bosnia, who were living in London. But these individuals did not pose a direct threat to the UK where PIRA was still considered the primary terrorist threat. But even in 2001, the threat of Islamic terrorism against the UK was still seen as low, and it remained so until the first successful attack in 2005 (although there had been a ricin plot interdicted in Wood Green, with the Islamist perpetrators intending to attack the London Underground in 2003). CT operations became more challenging and more global in the late 90s and early 2000s, as opposed to localised campaigns, primarily because of the safe havens in Afghanistan and Iraq (although international terrorism, vide Palestinian terrorism, had always been global.) There were a large number of suspects, with only a small handful known to the authorities. We lacked the necessary ‘human sources’, and AQ was more alert to our surveillance techniques and methodologies. They went ‘off-grid’ and were able to plan catastrophic attacks, in the late 90s, such as the USS Cole, the US embassy in Dar Es Salaam and, of course, 9/11. In 1993, MI5 had only 2,000 staff and 70 per cent of its efforts were focussed on terrorism, much of it targeted towards the activities of the IRA and domestic terrorism. 25 per cent was devoted to counter-espionage and counter-proliferation - the latter against the growing threat from ‘weapons of mass destruction . . . nuclear, chemical and biological.”

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

MI6 was still coming out of the shadows of fighting the Cold War and, despite having more overseas stations than it does today, Islamist terrorism was not seen as a threat. The CT agencies – MI5, MI6, GCHQ, DIS and Special Forces (SF) - were also very stove-piped and we did not share intelligence and knowledge about the threat. MI5 now has 4000+ staff and is funded as part of the Single Intelligence Account (£3.02 billion in 2017–2018 financial year, which includes the budget for GCHQ). There is a now national network of MI5 agents, with a significant proportion focussed on Islamist terrorism, based out of the Counter Terrorism Units (CTUs), but still with a reasonable proportion leading the efforts against Northern Ireland related terrorism. More significantly, our domestic and international CT policy and operations are combined, taking into account the global, physical and virtual nature of the threat. 9/11 was a huge wake up call for our CT agencies, and the start of a more coordinated international collaboration across the 5 Eyes community (UK, US, Australia, New Zealand, and Canada). Although the challenge of sharing timely and accurate intelligence still existed, and our US partners were in the early years, in my opinion, determined to win the War on Terror on their own terms and often under their own steam. The major challenge in the aftermath of 9/11 was that the so called ‘war on terror’, which was the political cover for regime change in Iraq, became conflated and confused with a ‘neocon’ political agenda. Notwithstanding, collaboration across the UK CT communities improved, albeit slowly. This was enhanced with the implementation of CONTEST, and the four pillars of Prevent, Pursue, Protect and Prepare. This was the first CT policy of its kind, and it endures, with little change, today. The game changer, in my view, was the creation of the CTUs and (then a network of CT Intelligence Units - CTIUs) in London, Manchester, Birmingham and Leeds that fused Police, MI5, MI6, GCHQ and SF Liaison Officers) under the direction of Assistant Commissioner Special Operations (ACSO) and the oversight of Association of Chief Police Offices Terrorism and Allied Matters (ACPO TAM) with a new Home Office department, the Office of Security and Counter Terrorism (OSCT, now named the Homeland Security Group), to provide the policy lead. The attacks in London in July 2005, ‘7/7’ and ‘7/21’, created another strategic shock. This saw the coming of age of the Joint Terrorism Analysis Centre (JTAC), formed in 2003, which brought all the CT agencies together, fusing all source intelligence and full interagency cooperation. JTAC is an exemplar organisation, envied by our European partners and has done much to keep the threat of terrorism to the level it is.

ANNUAL REVIEW CURRENT THREAT LANDSCAPE Since 9/11 we have witnessed a huge amount of chaos and uncertainty and the current terrorist threat landscape continues to evolve, remaining complex and confusing, recently highlighted by still unexplained motivations of the perpetrator who, based on what we know, tried to attack the Liverpool Women’s Hospital. The threat from all terrorist constituencies is arguably more dangerous and diverse than in 2000. This concern was recently highlighted by Richard Moore, the new head of the Secret Intelligence Service (MI6), who stated that countering international terrorism is now one of the ‘Big Four’ priorities for MI6. The emergence of the ‘self-initiated terrorist’, i.e. one who acts relatively alone and is informed and radicalised via the internet, appears to be the main threat to the UK. This has changed over the last five to six years when terrorist attacks were a combination of those directed from abroad, frustrated ‘travellers’ who could not get out to the so-called Caliphate and those who simply acted on their own. The continuing rise of Right Wing extremism is increasingly of concern. This trend is well recognised but during 2021 it certainly saw no sign of slowing, especially in Europe and North America – as illustrated by the riots in Washington in January 2021. Previously confined to the US and Europe it now poses a more transnational and global threat. Right Wing extremism used to be characterised, by some, as ‘hapless and hopeless’. Now a more cellular structure, often portrayed as a political movement with a clear vision and mission, Right Wing extremists have more connectivity and coordination than they did 5 years ago, and, as with Islamist extremism, they have shifted ‘online’ with access to the same suite of highly effective ‘virtual’ tools and resources at their disposal. However, the chaotic threat landscape does not necessarily mean we are likely to face more frequent or sophisticated attacks, it may simply lead to a broader range of attacks. Experience tells us that terrorists are persistent, and they will continue to plan for mass casualty attacks using the full spectrum of technologies and methodologies available – be they sophisticated devices or those which are more readily to hand and off the shelf. I would argue that we need to deal with terrorism end to end, looking at both the drivers of terrorism as well as its consequences. The involvement of businesses and the private sector is crucial to our success. As Neil Basu, senior lead for CT in the UK, commented at a Pool Re conference in 2019, ‘there can be no prosperity without security and that every business needed to be a counter terrorism business’. The forthcoming Protect Duty legislation will put more requirements on businesses, especially those operating in publicly accessible

SINCE 9/11 WE HAVE WITNESSED A HUGE AMOUNT OF CHAOS AND UNCERTAINTY AND THE CURRENT TERRORIST THREAT LANDSCAPE CONTINUES TO EVOLVE, REMAINING COMPLEX AND CONFUSING locations to protect their customers and the public from terrorist attacks. POST PANDEMIC AND BIOLOGICAL WEAPONS? The Covid-19 pandemic impacted (and continues to do so) on all societies and economies, exacerbating many of the divisions which are exploited by extremist groups. Many commentators and CT professionals predicted a post pandemic surge of terrorist attacks as the country came out of lockdown. This is yet to manifest itself at scale, as witnessed in 2017, but the murder of Sir David Amess and the failed attack on the women’s hospital in Liverpool, both within a month of each other, may herald the start of a series of further incidents. The consequences of the pandemic on terrorism are still unfolding, but early signs indicate increased levels of radicalisation. Of significant concern is the impact on CT (and related) budgets. The pandemic has left a serious economic scar on the global economy. Will we face further cuts, and budget reviews? How will this affect the international CT infrastructure and our preparedness to prevent or minimise the effects of an attack? We have already witnessed many countries scaling back on their international commitments (for example the withdrawal of troops from Afghanistan) which is already reducing the pressure on a wide range of terrorist groups. The pandemic has also demonstrated the potency and scope a biological attack could pose. We now need to consider to what extent terrorists are likely to invest time and effort in exploring this as a serious means of destruction. It is generally believed that a sophisticated weaponised virus would be difficult to produce and

deploy successfully, not least because when released it becomes so difficult to control and is indiscriminate in its effect. Covid-19 will most likely have resurrected terrorist interest in developing biological and chemical weapons. Five years of experimentation of novel weapons, in particular chemical IEDs, in Iraq and Syria during the time of the so-called Caliphate, will have contributed to their knowledge of using them. They will be well versed in the psychological impact of ‘terror’ weapons. Whether they have the appetite and means to deploy a biological weapon is not something to be ignored, especially when the 2021 UK Integrated Review warned of a successful chemical, biological or radiological device being used by a terrorist group before 2030. THE FOREVER CONSEQUENCES OF THE WITHDRAWAL FROM AFGHANISTAN Much has already been written about the calamitous withdrawal of US and other forces from Afghanistan - what Presidents Trump and Biden called the ‘forever war.’ Afghanistan continues to spiral into a humanitarian, economic, security and political crisis, exacerbated by splits between the Taliban movement, which is likely to lead to a civil war and further chaos which will be exploited by state, non-state, and terrorist groups. The withdrawal of US and coalition troops cannot be discussed as either the right or wrong decision, rather an unnecessary and poorly timed one, with massive and forever consequences. The mass exodus of Afghans from their homeland will add to further pressures of a migrant population in Europe and the UK which, will in turn, increase tensions within some elements of society. This is likely to be exploited by E

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

ANNUAL REVIEW

 both Islamists and the Far Right. What is certain is that the Taliban victory in Afghanistan has provided a major morale boost for Jihadist groups around the world, which will no doubt be of benefit to AQ and its affiliates. The West will be less safe, with increased probability of another 9/11 style attack being planned and prepared from Afghanistan. A counter narrative to the negative consequences of the withdrawal from Afghanistan is the potential for this decision to lead to an inflexion point in the ‘war on terror’. Whilst random and seemingly isolated incidents and selfinitiated terrorists will continue to be a problem, the fundamental rationale for the Islamist extremists’ call to arms, namely our presence in Iraq and Afghanistan, has now disappeared. No longer can the West be blamed for interfering in Muslims’ lives as both countries are now being run by Islamic governments albeit with very different political and religious hues. The call to arms expressed so successfully by AQ and then by Daesh was predicated on Western interference in Iraq and Afghanistan will be much more difficult to substantiate and justify. What we may see instead is a struggle for power and control between various Islamic groups in Iraq, Afghanistan, Syria, and the Sahel, with less focus on fermenting extremism and launching attacks in the West. Sadly, the attraction of the so-called Caliphate spreading to western Europe will likely continue. The narrative will resonate amongst some of the many disenfranchised and disillusioned young men and women in the disaffected and economically depressed areas of the UK, France, the Low Countries and across much of the sub-Sahara and Sahel. Time will tell. CLIMATE CHANGE Despite climate change starting to inform the political dialogue in 2001, very few experts could have foreseen the serious

consequences climate change would have on the impact of the drivers of terrorism. Clear evidence is now emerging that climate change is becoming an indirect contributor to terrorism as opposed to just a security concern (for example, interand intra-regional disputes over water). Climate change is viewed as a threat multiplier, exacerbating existing problems, causing massive social dislocation and migration, be it in the Sahel or Afghanistan, which provides opportunities for terrorists to coerce or recruit foot soldiers amongst disgruntled or displaced people. More often than not this has the effect of solidifying support around local issues as much as ideological ones. In some instances, climate change rhetoric may be adopted as the primary ideology of a terrorist group or the embracing of terrorist tactics by environmental extremists and Left-wing groups as societies become more vulnerable to radicalisation and extremist mobilisation. PROTECT DUTY: A RESPONSE TO NEW AND CHANGING THREATS More recently, the findings of the 2021 Manchester Arena Enquiry have paved the way for the forthcoming Protect Duty legislation which emanated from Martyn’s Law and is expected to come into effect in the latter part of 2022. The legislation is intended to provide clear guidance on a range of requirements as well as placing legal expectation on businesses and organisations who own property or operate in publicly accessible places, such as arenas, shopping centres and the high street. Protect Duty will be the single biggest change to the UK terrorism risk landscape for a generation and is likely to affect at least 650,000 (Home Office estimate) businesses in the UK, many of which will never have considered the risk of terrorism to their people or property. This will no doubt be challenging for all but the largest and more sophisticated businesses, with business owners and operators facing the largest change to their terrorism liability cover for both Employers’ Liability and Public Liability. WHAT DOES THE FUTURE HOLD? Having reflected on my early days patrolling the streets of West Belfast, through to leading and conducting high intensity CT operations, then into the quagmires of Iraq and Afghanistan, and now in the post (so-called) Caliphate era, let me share a few thoughts for the future of countering terrorism.

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

• In my view, we will never again fight an enemy who tries to fight against our own strengths. The last person to do this was Saddam Hussein in 1991 when he laid out the Iraqi Army in drill like formations on the desert plains. Therefore, we need to combine technological advantage, cunning, and boldness into a winning combination that can defeat an opposition who are comfortable with asymmetry and exploit the flow of technological change as opposed to being constrained by it. It is also possible that state sponsored actors will conduct asymmetric attacks rather than a state engaging in open warfare. • The major groups such as Daesh AQ, Al Shabaab, Hezbollah and Boko Haram are still very much alive. They have adapted their tactics and business models to changing circumstances. These actors are also having an impact in emerging and frontier markets, threatening many of the West’s global supply chains within the ‘Global Village’. • The humiliating withdrawal of Western forces from Afghanistan has increased the threat of terrorism to Europe and the UK. The possibility of another 9/11 being planned and prepared from Afghanistan cannot be discounted. • Terrorism is now moving with greater velocity and increasing volatility, exposing our vulnerabilities – be they resource, legal or policy driven. We need to adapt our CT business models in response and make them more dynamic. • We discussed the rise of Right Wing extremism, often based on white supremacist groups. These groups are now carrying out more attacks in the United States than the jihadists and constitute 20 per cent of cases under investigation by the FBI. Recent statistics for Prevent, the UK government’s counter-extremism programme, showed that for the first time in the programme’s history, referrals made in relation to Right Wing extremism outstripped those for Islamist extremism. • The trouble is that terrorists and extremists will continue to use tactics, techniques and procedures that exploit gaps and weaknesses in our state and corporate security architecture, as well as divisions in our communities. They will continue to move up the technology curve, and they will succeed until there is an antidote. Part of this solution, as acknowledged by the new Director of MI6, is that his Service is no longer independently capable of staying competitive at a time of rapid technological development. Consequently, he envisages MI6 working alongside technology companies and other private sector organisations to increase the former’s capabilities presented by newly emerging technologies, including artificial intelligence and advanced computing.

ANNUAL REVIEW Genuine collaboration between the public and private sector is now needed if we are to successfully contain the enduring threat posed by extremism and terrorism. • Next is the growing number of targets of terrorist violence. It is no longer the state or its representatives in diplomacy, police or the military that are the primary target. Rather any group in society that can be stigmatised, such as Jews, Hispanics, LGBT activists or pro-EU liberals and where hatred can be whipped up by conspiracy theories in the social media, are all potential targets. • Terrorism is linked to armed conflicts and social breakdown within countries. Domestic violence is running at four times the number of war deaths globally and 75 per cent of terrorist casualties occur in just eight countries. These are among the most violent, such as Afghanistan, Pakistan, Iraq, and Somalia. The macro drivers of climate change, migration, immigration, and population growth are all contributing to a worrying security situation. • As the definitions of state and state sponsored terrorism, hybrid warfare and terrorism become increasingly blurred it will become progressively harder for CT agencies to counter and constrain physical and virtual attacks against our democratic values, people, and assets. The ambiguity surrounding the definition of terrorism will create further, significant challenges to Pool Re and the broader terrorism (re)insurance market, particularly with resultant protection gap issues. • In response, we need to be threat actor and peril agnostic in devising

security, risk management and resilience plans. In particular, we need to increase the resilience of our physical and virtual supply chains. • Finally, everyone should acknowledge that there has been a paradigm shift in risk management as a result of Covid19, and organisations will need to recognise that they have to adapt as they look at implementing new strategies and plans to protect their people, assets, reputation and share value. This includes focussing on strategic tail risk management, as well as the day-to-day risk management activities and asking the question whether they have the appropriate insurance cover in place for the full spectrum of perils out there. TO CLOSE In conclusion, especially after recent events in Afghanistan, I would argue that the threat from global terrorism and

extremism to the UK and West is now greater than it was pre 9/11. The threat is now more diverse, persistent, complex, and moves and evolves at a pace not seen before. I strongly believe that in order to prepare for, and become more resilient to terrorism, all sectors of society need to think differently, act differently, and respond differently to the threats facing us today and for the foreseeable future. I have witnessed a real appetite in the private sector to engage with and level up to these new threats, seeking more frequent collaboration with the CT Police and Security Services. Collaboration across sectors, public and private, is crucial for our safety and security, where all of us have a ‘community responsibility’ for our individual and collective security. Government cannot contain the threat on its own. At the end of the day, this is about looking after our people, duty of care, protecting the bottom line and improving our resilience against extremism and terrorism. I don’t believe the current situation will improve for some time; we can and should expect more attacks in the UK and further afield. We all have a duty, and I would suggest public responsibility, towards our employees, communities, families and the next generation to better understand the context of today’s uncertain, unstable and asymmetric world. Paraphrasing TE Lawrence again, we need to learn to eat more soup with knives and try and ‘synchronise this asymmetry’, using all ways and means to defeat those who are intent on doing us harm. L

Ed Butler is the Chief Resilience Officer at Pool Re, the government backed terrorism reinsurance scheme. He has extensive experience spanning nearly 40 years of international relations, counter terrorism, intelligence, security and risk management much of which was gained during 24 years on front line service with the British Army.

FURTHER INFORMATION www.poolre.co.uk

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

Q&A

Q&A WITH ED BUTLER, CHIEF RESILIENCE OFFICER AT POOL RE

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

Q&A

OUR ANNUAL REVIEW CERTAINLY MADE FOR AN INTERESTING ALBEIT DAUNTING READ. IS OUR CURRENT SECURITY SITUATION REALLY THAT BLEAK? Yes and I’m sorry not to be more positive but I think my review does paint a pretty realistic picture of the current and future security situation. We are facing a perfect storm of possible nation state conflict in Ukraine, Chinese seizure of Taiwan, an accelerating nuclear programme in Iran and an evolving, complex and confusing terrorist threat landscape. From my perspective, the global terrorism landscape is more dangerous and diverse than it was pre 9/11. Wrap around this the long term consequences of a global pandemic, climate change, fiscal and financial pressures on the global economy and growing malicious cyber activity and you are left with a pretty uncertain and challenging future.

A MAJOR THEME OF YOUR REPORT WAS THE DIVERSIFICATION OF TERRORIST THREAT ACTORS, TARGETS AND METHODOLOGIES SEEN OVER THE LAST 20 YEARS. WHICH OF THESE CHANGES POSES THE GREATEST CHALLENGE FOR CT PROFESSIONALS AND GOVERNMENTS? I think the main challenge is probably the diversification of methodologies. As the range of attack methodologies continues to broaden, the Counter Terrorism Police (CTP) and MI5 can’t take their eyes off legacy threats, such as large truck bombs (VBIEDs), as they could still happen. In simple terms; ‘nothing falls off the plate’ while the resources to deal with the scale and breadth of the threat remain the same. In addition, I am concerned that in these resource constrained times, coupled with the current focus on unsophisticated methodologies, that we are not investing E

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

Q&A  enough time in looking at highimpact, so called ‘spectacular’ events. The strategic challenge facing governments is how to address the underlying causes and drivers of terrorism, be they political polarisation, social inequalities, economic hardship, or growing extremism between left wing, right wing and Islamists. These are fundamental challenges which cannot be resolved by the CT Police and security services alone; they require long term, and very sizeable investment to address the core problems within our society and our communities. WHICH CONTEMPORARY THREATS DO YOU THINK REPRESENT THE GREATEST RISK AND WHAT STEPS CAN WE TAKE TO BETTER UNDERSTAND AND MITIGATE THEM? From my perspective it has to be CBRN, terrorist use of drones followed by cyber. In early 2001, when I was in charge of the UK’s leading military CT capability, I was hosting a discreet conference on the terrorist use of CBR material and I remember summing up that we would see the terrorist use of a WMD (Weapon of Mass Destruction) in our lifetimes. None of us thought

that only nine months later Al Qaeda would fly two aircraft into the Twin Towers and achieve catastrophic, WMD, effect. Here we are now, 20 years on, with the chilling statement in last year’s Integrated Review stating that a terrorist group will successfully use a CBRN weapon by 2030. That’s why we at Pool Re, the only terrorism pool to provide reinsurance cover for CBRN events, are investing heavily in research and modelling to fully understand not just the impact but also future frequency of these types of events. We work very closely with a range of academic institutions, including the Cambridge Centre for Risk Studies and Cranfield University, and we value very highly the ground breaking collaboration we have undertaken with them over the last five or so years. More still needs to be done and that’s why we are encouraged by the closer partnership we are developing with the Home Office in understanding and mitigating this strategic risk. EARLY EVIDENCE OF CLIMATE CHANGE’S AGGRAVATING IMPACT ON TERRORISM HAS STARTED TO EMERGE. DO YOU SEE THIS AS AN IMPORTANT AREA FOR RESEARCH AND DEVELOPMENT?

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

Absolutely. Climate change is now very much on the political agenda as seen at last year’s COP 26 and in the PRA’s Climate Change Adaptation report 2021. Back in 2019 we commissioned Professor Andrew Silke, at Cranfield University, to undertake some research in this area: Horizon Scanning the Terrorism Threat. In his paper, Andrew identified climate change as one of the three macro-drivers of terrorism and that most states are increasingly recognising it as a growing strategic security concern. More recently, we have teamed up with START, at the University of Maryland, to look more closely at how climate change is becoming one of the key drivers of terrorism. This work will be one of the principle discussion topics at the International Federation of Terrorism Reinsurance Pools (IFTRIP) conference in Washington this May. WHAT DID YOU MEAN WHEN YOU WROTE WE SHOULD BE ‘THREAT ACTOR AGNOSTIC’ WHEN DEVISING RISK MANAGEMENT AND RESILIENCE STRATEGIES? When I talk of the need to be threat actor agnostic I mean that security professionals and risk managers should

Q&A not be fixated on whether a perpetrator is an Islamist extremist, right/left wing terrorist or a serious, organised criminal as well-designed, planned and resourced risk management plans will prevent and protect against the vast majority of attackers, regardless of their ideology and motivations. This is particularly the case in the cyber domain where, for example, the adoption of NCSC 10 Steps to Cyber Security will prevent all but the most sophisticated attacker from breaching your IT system. Improved awareness and better training are perhaps the best tools for deterring any attack or at least mitigating the impact. It’s how you prepare and respond that will limit the severity of an attack, enable a speedy recovery and improve long term resilience to a broad array of risks. IN THE REPORT, YOU MENTION A NEED FOR GREATER COLLABORATION BETWEEN PUBLIC AND PRIVATE SECTORS. WHY IS THIS IMPORTANT AND WHAT MIGHT THIS LOOK LIKE IN PRACTICE? This is now so important especially as the threat continues to rapidly evolve and we need to keep up, innovate, overhaul old structures, technological advancement and be more agile in our collective responses to the threat. The CT Police and government do not have sufficient resources, and as acknowledged recently by the Head of MI6, the skills and experiences to keep up with all the emerging technologies. We need to think, act and respond differently to the full spectrum of terrorist threats. To achieve this, business, academia and government need to work together in a genuine partnership and collaboration. This needs to be underpinned by a cross sector and inter-disciplinary response from all sectors of society, building a ‘community of responsibility’ where businesses and sector groups come together to build on awareness and resilience. A good example of this is the partnership, known as the ‘CT Alliance’, between the Homeland Security Group, CT Police and Pool Re and the development of an information sharing platform, called Protect UK, which will be launched at the Security and Policing Conference in March this year. We have also just launched a new private public research consortium with the Cambridge Centre for Risk Studies, focusing on how best to protect society from future systemic risks such as pandemics, cyber threats, geopolitical change, financial crisis and climate change.

CLOSER TO HOME, AND CERTAINLY FOR THE NEXT COUPLE OF YEARS, THE FOCUS FOR EVERY RISK MANAGER, BUSINESS OWNER AND OPERATOR, SHOULD BE ON THE FORTHCOMING PROTECT DUTY AND HOW THIS WILL IMPACT ON THEIR DAY TO DAY OPERATIONS AND LIABILITIES YOU MENTION PROTECT DUTY, WHAT DO YOU THINK THE IMPACT OF THIS LEGISLATION WILL BE ON BUSINESSES AND THE INSURANCE INDUSTRY? As I wrote in the Review, Protect Duty will be the single biggest change to the terrorism risk landscape for a generation and will impact over half a million businesses, most of whom have never formally considered the risk of terrorism on their businesses, employees and customers. Over 2,700 businesses responded to the government’s consultation on the proposed Duty which demonstrates the high level of interest and concern by owners and operators of Publicly Accessible Locations. The impact of the legislation of the business community is likely to be as significant as the introduction of the 1974 Health and Safety and Work Act, although it is still not clear exactly what the compliance and enforcement measures will be. From an insurance perspective, business owners and operators will need to consider the impact on their terrorism liability cover for both Employers’ Liability and Public Liability. AND WHAT ROLE WILL POOL RE PLAY? Pool Re, through its consultancy division SOLUTIONS, has already been approached by its Members for advice on how the Duty will impact on their insureds. We have written a number of briefing notes, held webinars and stand-by to provide further guidance as detail on the legislation becomes apparent.

you have the appropriate insurance cover in place to cover the full spectrum of terrorist risks out there. Closer to home, and certainly for the next couple of years, the focus for every risk manager, business owner and operator, should be on the forthcoming Protect Duty and how this will impact on their day to day operations and liabilities. AND FINALLY, ED, WHAT WOULD YOU SAY IS THE MOST IMPORTANT LESSON FROM THE LAST 20 YEARS WHEN DECIDING HOW WE RESPOND TO FUTURE TERRORIST THREATS? For me, having spent over 35 years in the counter terrorism space, as a practitioner, risk consultant and now in the terrorism reinsurance sector it has to be greater collaboration between the private and public sector and the sharing and fusing of all sources of intelligence. As Lucy D’Orsi, the former Deputy Assistant Commissioner in the Met Police, said the police and security services need to ‘dare to share’ more information and data with business and security professionals. Business is very much up for this two way exchange as its people, assets and customers are very much on the terrorist front line. L

WHEN IT COMES TO TERRORISM, WHAT SHOULD BE ON THE TOP OF EVERY RISK MANAGER’S AGENDA IN 2022 AND BEYOND? That’s a difficult but good question. There is so much for a risk manager to consider and, more importantly, prioritise in these resource challenged times. I think that from a C-Suite and Board perspective more attention needs to be paid to the identification and management of strategic tail risks as well as supply chain vulnerabilities. The bottom line question to consider is whether

FURTHER INFORMATION www.poolre.co.uk

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

CYBER SECURITY

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

CYBER SECURITY

CYBER ESSENTIALS, A MINIMUM BASELINE OF CYBER SECURITY FOR ALL BUSINESSES T

his month, the government approved Cyber Essentials scheme receives the biggest overhaul to date. The significant changes to the technical requirements in the scheme reflect the security challenges in today’s digital world. HOW DOES THE CYBER ESSENTIALS SCHEME WORK? The government approved scheme includes five technical controls that help protect organisations of all sizes from the majority of commodity cyber attacks. A team of experts review the scheme at

regular intervals to ensure it stays effective in the ever-evolving threat landscape. The evolution of Cyber Essentials allows UK businesses to continue raising the bar for their cyber security, it is now widely considered the minimum level of cyber security for all businesses. Cyber Essentials works in the format of a verified self-assessment questionnaire. Organisations log onto a secure portal to answer a series of questions that address the scope of the assessment, their employees, devices and work location. They will also answer questions that address E

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

CYBER SECURITY  the five core controls, which include user access control, secure configuration, security update management, firewalls and routers, and malware protection. A senior member of the board will sign a document to verify that all the answers are true and then a qualified external assessor will mark the answers. The preparation and process of getting certified to Cyber Essentials will give an organisation a clear picture of their cyber security and an opportunity to improve. For organisations that require a higher level of assurance, Cyber Essentials Plus starts with the Cyber Essentials questionnaire but the technical controls are then physically audited to verify that they are in place. SMEs based in the UK with a turnover of less than £20 million who certify their whole organisation to Cyber Essentials are awarded free cyber security insurance. The Cyber Essentials certification badge signals to customers, investors and those in the supply chain that an organisation has put the Government approved minimum level of cyber security in place and can be trusted with their data and business. Many contracts stipulate Cyber Essentials as a pre-requisite. The scheme was introduced by the UK government in 2014, as a way to help make the UK the safest place to do business. The environment that the scheme operates in has changed dramatically in the last seven years and, to reflect these changes, some of the technical control requirements

were updated in January 2022 in line with recommended security updates. The pricing of Cyber Essentials has also changed and will adopt a new tiered structure based on organisation size. While micro-organisations will continue to pay the current £300 assessment charge, small, medium and large organisations will pay a little more, on a sliding scale that aims to better reflect the complexity involved in assessing larger organisations. THE MAIN TECHNICAL CHANGES In recent years, business cyber security has been further challenged by the wide adoption of cloud services and remote working, the move to home working and use of privately owned devices. Many of the Cyber Essentials technical requirement changes reflect this new environment. Home working devices are in scope, but most home routers are not. Anyone working from home for any amount of time is classified as a ‘home worker’. The devices that home workers use to access organisational data and services, whether they are owned by the organisation or the user, are in scope for Cyber Essentials. Home routers that are provided by Internet Service Providers or by the home worker are now out of scope for the assessment while Cyber Essentials firewall controls apply to the home worker’s device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant company is in scope for the assessment and must have the Cyber Essentials controls applied to it.

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

WHY THE CHANGE? Home working or hybrid working (coming into the office for only some of the working week) is now normal practice for most businesses and is unlikely to change back in the short term. It is difficult to impose rules onto multiple employee’s private home routers unless it is provided by the organisation. All cloud services are in scope Cloud services are to be fully integrated into the scheme. If an organisation’s data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented on that service. Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the user actually implement the control depends on the type of cloud service but the user has a responsibility to check that the controls are put in place. WHY THE CHANGE? People commonly assume that cloud services are secure out of the box, but this is not the case. It is necessary for users to take responsibility for the services they use and spend time reading up and checking their cloud services and applying the Cyber Essentials controls where possible. Previously, Platform as a Service (PaaS) and Software as a Service (SaaS) were not in scope for Cyber Essentials, but the new requirements now insist that organisations take

CYBER SECURITY responsibility for user access control and the secure configuration of their services which would include securely managing access to the different administration accounts and blocking accounts that they do not need. Where the cloud service is in charge of implementing one or more of the controls ( eg security update management or anti-malware), the applicant organisation has the responsibility to seek evidence that this is done to the required standard. Multi factor authentication (MFA) must be used for access to cloud services As well as providing extra protection for passwords that are not protected by other technical controls, multi factor authentication should always be used to provide additional protection to administrator accounts and user accounts when connecting to cloud services. No matter how an attacker acquires a password, if multi factor authentication is enabled on the account, it will act as a safeguard on the account. The password element of the multifactor authentication approach must have a password length of at least eight characters with no maximum length restrictions. WHY THE CHANGE? There has been an increasing number of attacks on cloud services, using techniques to steal or brute force a user’s passwords to access their accounts. Thin clients are a type of very simple computer holding only a base operating system which are often used to connect to virtual desktops. These are confirmed as being in scope when they connect to organisational data or services. PASSWORD-BASED AND MULTIFACTOR AUTHENTICATION REQUIREMENTS When using passwords, one of the following protections should be used to protect against bruteforce password guessing: • Using multi-factor authentication • Throttling the rate of unsuccessful or guessed attempts. • Locking accounts after no more than 10 unsuccessful attempts. Technical controls are used to manage the quality of passwords. This will include one of the following: • Using multi-factor authentication in conjunction with a password of at least eight characters, with no maximum length restrictions. • A minimum password length of at least 12 characters, with no maximum length restrictions. • A minimum password length of at least eight characters, with no maximum length restrictions and use automatic blocking of common passwords using a deny list.

People must be supported to choose unique passwords for their work accounts. New guidance has been created on how to form passwords. It is now recommended that three random words are used to create a password that is long, difficult to guess and unique. There must be an established process to change passwords promptly if the applicant knows or suspects the password or account has been compromised.

in the Microsoft Exchange System came out very publicly and was reported by numerous news outlets. That attack went from being a complex state actor attack to a commodity attack within seven days. It was commoditised into a ransomware attack only 12 hours later. This proves that a high complexity attack can be commoditised in hours and for this reason, all high and critical updates, need to be applied within 14 days for Cyber Essentials,

WHAT IS A BRUTE FORCE ATTACK? Brute force attacks use trial and error to guess passwords and encryption keys. Powerful computers are used to target a login page where they try many different combinations of characters until the correct combination is found to crack the password or encryption key. Depending on the length and complexity of the password and the power of the computer used, cracking the password can take anywhere from a few seconds to many years. Modern computers have advanced in power and capability to the point where an eight-character alphanumeric password can be cracked in just over two hours.

GUIDANCE ON BACKING UP Backing up your data is not a technical requirement of Cyber Essentials because the scheme focuses on measures to prevent an attack as opposed to aspects to allow recovery after an attack. However, with the recognition of the vital importance of backup, there is now guidance on backing up important data and implementing an appropriate backup solution is highly recommended.

All high and critical updates must be applied within 14 days and remove unsupported software. All software on in scope devices must be: • Licensed and supported • Removed from devices when it becomes un-supported or removed from scope by using a defined ‘sub-set’ that prevents all traffic to/from the internet. • Have automatic updates enabled where possible • Updated, including applying any manual configuration changes required to make the update effective, within 14 days of an update being released, where: – The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’ – The update addresses vulnerabilities with a CVSS v3 score of 7 or above – There are no details of the level of vulnerabilities the update fixes provide by the vendor WHY THE CHANGE? Previously, there was a set criteria that the vulnerabilities which had to be applied had to meet, which were laid out in the requirements. These criteria have now been dropped and organisations need to apply all high and critical updates on all their systems. This is raising the bar because organisations can no longer be selective about which patches they apply and leave themselves weak and vulnerable. The reason for these changes can be illustrated by a highprofile example this year. A vulnerability

HOW THE CHANGES WILL WORK There will be a grace period of one year to allow organisations to make the changes for the following requirements: MFA for cloud services, thin clients and security update management. HELP AND SUPPORT If you need help preparing your organisation for Cyber Essentials, there is a free online tool that helps you gauge your current level of cyber security in relation to where you need to be to achieve Cyber Essentials. The Cyber Essentials Readiness Tool includes a series of guidance documents to help you understand the five controls and how they apply to your business. Your answers to the readiness tool questionnaire will inform the tailored guidance and step by step action plan which will be presented to you when you reach the end of the readiness tool. For in depth and bespoke support, contact one of the Cyber Essentials Certification Bodies located around the UK and Crown Dependencies. These specialists are trained and licenced to certify against Cyber Essentials and are available to offer consulting services to help you achieve your certification. L

IASME, based in Worcestershire, helps businesses improve their cyber security, risk management and counter fraud, through an effective and accessible range of certifications. In April 2020, IASME became the NCSC’s Cyber Essentials Partner, responsible for the delivery of the scheme.

FURTHER INFORMATION

https://iasme.co.uk/cyber-essentials

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

FACIAL RECOGNITION

FACIAL RECOGNITION: FACING UP TO TERRORISM T

he EU Commission intends to define rules for the public use of artificial intelligence (AI) by setting precise boundaries for systems which may present risks for the rights to data protection and privacy. AI systems intended to be used for remote biometric identification of persons in public places will be considered high risk and will be subject to a thirdparty conformity assessment, including documentation and human oversight requirements by design. Although, there will be ‘serious’ exceptions to this prohibition, such as terrorism

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

investigations, finding missing children and public safety emergencies, as officers will need to take urgent action. However, there are still misconceptions about the validity of facial recognition —both the technology itself and its deployment— which may entice some police authorities and organisations to limit or withdraw the use of Facial Recognition Technology (FRT) altogether. This article seeks to explore the use of FRT to combat terrorism, and how organisations operating in the supply chain ought to develop and utilise FRT to enhance public confidence and fit in line with the new EU’s proposals.

FACIAL RECOGNITION

THE NEED FOR FRT TO COMBAT TERRORISM In a hostile world, terrorism risks are increasing. These risks pose a significant threat to not only national security, but to political and social stability and economic development. The utilisation of facial recognition solutions can play a key role in improving the efficiency of police forces, intelligence agencies and organisations to respond and prevent major attacks, in a way that minimises intrusiveness for citizens. In general, FRT is a biometric surveillance aid which uses a camera to capture an image of an individual’s face, mainly in densely populated places such as streets, shopping centres, and football arenas. It is then able to provide a similarity score when it recognises a similarity between a facial image captured, with an image held within a criminal database. If a match is made, an alarm will inform the security operator to do a visual comparison. The operator then can verify the match and radio police officers and have them

conduct a stop, if one is needed. It is important to note, the technology does not establish individual ‘identity’ – that is the job of humans. Moreover, many terrorists are not known to a database and can move around populated spaces largely unnoticed. With the advancement of AI, these surveillance systems can now monitor patterns of irregular behaviour, such as someone leaving a bag unattended for a long period of time or returning to a site regularly to take photographs. This information can then be used as the basis on which to perform actions, e.g. to notify officers to conduct a stop search or to record the footage. Security officers need access to this type of intelligence, to secure the perimeter of their facility and ultimately save lives. PRIVACY REMAINS A TOP PRIORITY It is essential, in this particular case, that privacy remains a top priority when utilising FRT. Privacy advocates, and AI sceptics suggest FRT can be hijacked for nefarious purposes, including unlawful surveillance. But what these sceptics are

not aware of are the measures that can be put in place to ensure the privacy of individuals captured by Automatic Facial Recognition (AFR) cameras is protected. This can include anonymising by passers in the camera’s field of view without obscuring movements or encrypting original footage so that only authorised users can access sensitive data. Moreover, it is the responsibility of FRT developers to implement internal policies that clearly stipulate they will not partner with end users who do not act upon the importance of privacy and security in the implementation and operations of their systems. It is also equally important that these customers are properly prepared, trained and competent to use FRT lawfully. It must also be said, where FRT is being used under a Directed Surveillance Authority, the UK has one of the strongest and globally respected regulatory authorities under the Investigatory Powers Commissioner. This provides for oversight, restriction of collateral intrusion and greater provision of accountability for surveillance operations of this nature. E

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

Find suspects in minutes

Reduce search times for suspects in video footage from days, hours . . . to minutes! Cognitec’s face recognition technology imports still images and video material, finds all faces, and clusters the appearances of the same person, even across multiple media files.

Meet our experts in June during Identity Week in London! Most experienced. Highly trusted. Cognitec is the only company that has worked exclusively on face recognition technology since its inception in 2002.

www.cognitec.com | sales-emea@cognitec.com

FACIAL RECOGNITION

 ACCURACY IS IMPROVING In addition, while face masks have helped reduce the spread of Covid-19, they have also become a significant security threat. Security officials have raised concerns that facial recognition cameras will not be able to identify terrorists because they can blend into crowds and hide their faces with a mask. In fact, as recently as July 2020, NIST flagged that even the best of the facial recognition algorithms studied were unable to correctly identify a mask-wearing individual up to 50 per cent of the time. However, these systems no longer have to operate best when environmental factors are controlled, meaning that extreme angles, occlusion and contrast in lighting can now be compensated for. It must be pointed out, that with most technology, FRT is advancing at rapid rates. Indeed, as of January 2021, facial recognition algorithms can now correctly identify individuals up to 96 per cent of the time, regardless of if they are wearing protective facial coverings or not. Moreover, however flawless our technology is when it is designed and produced, it can of course be abused when operated by an oppressive end user. Where inadequately regulated in a democracy, such dysfunction is a short ride away from dystopia. Developers must therefore work closely with end users such as police departments,

THE UTILISATION OF FACIAL RECOGNITION SOLUTIONS CAN PLAY A KEY ROLE IN IMPROVING THE EFFICIENCY OF POLICE FORCES, INTELLIGENCE AGENCIES AND ORGANISATIONS TO RESPOND AND PREVENT MAJOR ATTACKS, IN A WAY THAT MINIMISES INTRUSIVENESS FOR CITIZENS to understand the user requirement and the legitimacy of endeavour. They must work collaboratively where necessary to enable and support client compliance to statutory obligations and to build appropriate safeguards where vulnerabilities may arise. Indeed, anyone who develops machines which have an impact upon society carries a responsibility, to ensure that they are only used as a force for good and to the benefit of the society and communities which our technology may help to shape. CLOSING THOUGHT The entire supply chain must welcome the recent declaration made by the European Union to establish a pan European Data Governance Act and put further measures in place to ensure FRT is deployed and utilised in an ethical way. It is our hope that this legislation will provide much needed statutory leadership in the establishment of clear

rules and guidance by which the use of technologies such as FRT can be more confidently designed, produced and operated in a manner which maintains trust in safer societies. This will allow overstretched and under-resourced law enforcement agencies to fight terrorism and other serious crime without one hand tied behind their backs. L

Tony Porter, former Surveillance Camera Commissioner, is the Chief Privacy Officer at Corsight AI – a leading Facial Recognition Solutions provider with unparalleled speed, accuracy and privacy protection. Tony works across Corsight’s senior team to assist in further developing FRT to achieve best practice, legal compliance and to be best in class.

FURTHER INFORMATION www.corsight.ai

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

ARTIFICIAL INTELLIGENCE

EMBEDDING HUMAN GOVERNANCE IN AI FRAMEWORKS TO MAINTAIN ETHICAL STANDARDS

he UK’s Integrated Review of Security, Defence, Development and Foreign Policy set out the country’s ambition to be a global leader in artificial intelligence (AI) and data technologies. This was welcome news for the defence and security sector, which already relies on data to inform strategies, insights and operations, a fact GCHQ says will only become more apparent as AI becomes more able to analyse large, complex and distinct data sets. But law enforcement and national security are high risk contexts for the use of AI. Flawed or unethical AI could result in unjust denial of individual freedoms and human rights, and erode public trust. While frameworks such as the OECD Principles on Artificial Intelligence and

Turing guidelines for responsible AI are bolstering the regulations governing defence and security’s use of data, organisations can do more. By rooting their own ethical frameworks in the human context of AI deployments, they can better ensure their AI is ethical. KEEP HUMANS IN THE ANALYTICAL LOOP Establishing the scope of an AI application is key to ethical frameworks in defence and security. Regulators, academics and the public all agree that the scope of AI shouldn’t go so far as to replace human decision making in defence and security. In counter terrorism, for example, RUSI has outlined how AI would be inaccurate if used to identify potential

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

terrorists, concluding that ‘human judgement is essential when making assessments regarding behavioural intent or changes in an individual’s psychological state’. And in criminal justice, most people oppose automated decision making due to the likelihood of unintended biases, such as algorithms based on data that might reflect historic inequalities in society. Without human analysis, use of AI risks inaccuracies and loss of trust. So, AI should be a tool to aid human decision making. Humans should process and validate outputs against other sources of intelligence while understanding the potential limitations of AI-derived findings. Keeping humans in the analytical loop should be a cornerstone of an ethics framework.

ARTIFICIAL INTELLIGENCE EMBED HUMAN GOVERNANCE STRUCTURES TO SUPPORT ETHICAL AI An ethical framework for AI relies on human governance structures and oversight. Organisations should consider the line of sight from requirements setting, through development, to operational outputs – a diverse, skilled and knowledgeable panel should have visibility of all stages so they can consider factors such as the proportionality of the data used and the potential undesirable consequences. The panel should include those who understand the development of the AI and the data involved, the legal and policy context and the potential real-world effects of proposed developments. And the panel should provide expert, unbiased challenge and diversity of thought. Keeping this line of sight will maintain ethical principles throughout the lifecycle of development and deployment. Doing this properly will involve workforce upskilling and careful navigation of sensitivities and silos. For example, you could involve data scientists in the planning of operational deployments, or train operational managers to build their understanding of the AI technologies deployed. This might require new governance structures, roles and responsibilities to complement existing compliance structures. There’s a lot defence and security organisations can learn from the major tech companies, which are very good at ensuring humans are overseeing potential AI deployments. In recent

FLAWED OR UNETHICAL AI COULD RESULT IN UNJUST DENIAL OF INDIVIDUAL FREEDOMS AND HUMAN RIGHTS, AND ERODE PUBLIC TRUST years, Google has scaled back or blocked several AI developments after finding the ethical risks too high. BALANCE AI AND EXISTING DATA FRAMEWORKS The defence and security sector will need to consider and address tensions between AI and existing compliance, data protection and privacy frameworks. But this isn’t unique to defence and security. For example, a leading pharmaceutical company found strict data retention limits would impact the availability of data needed for AI training and oversight. The company acknowledged these tensions and developed privacy and ethics principles specifically for AI. Assuring the quality of data sets should be a key part of any AI ethics framework as higher quality inputs lead to more accurate and trustworthy outputs. For defence and security, data might be biased to a specific context that makes it unsuitable for the proposed use, or it might be incomplete or contain errors, which could lead to misleading outputs. This is because security exemptions might mean data subjects are unable to exercise rights that would be available to them from other organisations, such as the right to correct inaccurate data. Similarly, defence and security organisations can’t always implement effective feedback loops between the

users of data and data subjects. So, organisations should make adjustments to mitigate potential quality issues. These mitigations could be business processes (such as the inclusion of data scientists in decision making for operational deployment) or they could be technically based (such as using statistical testing to identify biases in the training data). DEFENCE AND SECURITY ORGANISATIONS MUST EMBED HUMAN GOVERNANCE IN AI FRAMEWORKS By creating an ethical framework for AI that prizes human analysis, embeds human governance structures and addresses the compliance challenges unique to the sector, defence and security organisations will be able to leverage the power of data and ensure accurate outputs while maintaining public trust and upholding the high ethical standards upon which the UK prides itself. L

Written by Elisabeth McKay, defence and security expert at PA Consulting.

FURTHER INFORMATION www.paconsulting.com

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

TERRORISM

THE ROLE OF SYMBOLISM IN TERRORIST ATTACKS

magine for one minute that you are a terrorist. Perhaps you belong to a known group like Al Qaeda (AQ) or Islamic State (ISIS) or Al Shabaab. Perhaps you see yourself as part of these organisations or are just ‘inspired’ by them. Imagine also that you have been planning for the ‘big one’ for some time now. This plan will end in a spectacular attack that will capture the attention of the world. You may die in the process but you will be famous (or should that be ‘infamous’?). Why go to that length? After all, any terrorist can carry out a smallscale act with nothing more than a knife or a car or even a golf club (as ISIS wannabe Rehab Dughmosh did in Toronto in 2017). As these are much easier deeds to plan and execute why risk something more complicated and more timeconsuming? Such an operation opens you up to detection, infiltration (with a human source or surveillance or intercepted communications), and interdiction. Why not settle for less?

The answer is an easy one. Not only will your success get you on the front page of every news source in the world and every Web page but it will strike a chord as well as fear in the hearts of all (or at least you hope it will). There is nothing like seeing an iconic building or statue falling to the ground to tug at our emotions: this is why every dystopian sci-fi movie shows the Statue of Liberty in New York keeling over. If the symbol falls because of the actions of terrorists it is even more memorable. What is the evidence for this desire by terrorists to hit symbolic targets? Here are a few examples: - Algerian GIA terrorists planned to explode a hijacked plane over the Eiffel Tower in Paris in 1994; in 2014 a French jihadist was plotting to bomb both the Louvre and the Eiffel Tower; - The 9/11 hijackers chose to fly the aircraft they had commandeered into the World Trade Center towers in New York and the Pentagon in Washington (the fourth airliner which

COUNTER TERROR BUSINESS MAGAZINE | ISSUE 49

crashed in Pennsylvania may have been headed for the White House); - Canadian jihadi Michael ZehafBibeau tried to breach the Centre Block of Parliament Hill after killing a soldier at the National War Memorial in October 2014; - Paris’ Stade de France, that country’s national sports stadium, was one of the targets of the 2015 jihadist cell which killed 137 people; - The 2002 Bali bombings by Jemaah Islamiyah targeted largely Australian citizens in one of Indonesia’s most important tourist sectors. One would think that the security in place around such highly symbolic venues would deter terrorists and lead them to aim for ‘softer’ targets. The sheer importance and high visibility of these spots may override any doubts about success. In addition, security protocols may not be as effective as assumed. The 6 January 2021 riot at the US Capitol (which I am not calling

TERRORISM

ASSASSINATIONS ARE, BY DEFINITION, ACTS OF POLITICAL VIOLENCE AGAINST HIGH LEVEL PUBLIC FIGURES AND, HENCE, HIGHLY SYMBOLIC a terrorist incident) demonstrated that even the American Senate was open to a breach by a semi-organised mob. Zehaf-Bibeau’s 2014 attack on the Canadian Parliament showed that a lone actor could get that close to elected leaders (the Prime Minister was in a caucus meeting metres away from Bibeau when he was killed by Parliamentary security). To these events we have to add assassinations by terrorists. A few examples will suffice: - In 1984 Indian Prime Minister Indira Gandhi was killed by two of her Sikh bodyguards in the aftermath of the decision by her government to storm the Golden Temple in Amritsar, the holiest shrine for Sikhs; - In May 1991 Liberation Tigers of Tamil Eelam (LTTE) claimed the assassination of Indian Prime Minister Rajiv Gandhi; - In the late 19th and early 20th centuries anarchist terrorists killed several world leaders including Russia’s Tsar Alexander II (1881), Spanish Prime Minister Antonio

Canovas de Castillo (1897), Italy’s King Umberto (1900) and US President McKinley (1901). Assassinations are, by definition, acts of political violence against high level public figures and, hence, highly symbolic. In short, while we will continue to see low level terrorist attacks against targets of opportunity by a variety of groups with a range of motivations – the so-called ‘Nike’ brand of terrorism (‘Just Do It’) – there will also be the periodic symbolic act. It is as if terrorists too want their ’15 minutes of fame’. L

Written by Phil Gurski, President and CEO of Borealis Threat and Risk Consulting. His latest book The Peaceable Kingdom: A history of terrorism in Canada from Confederation to the present is available on his website.

FURTHER INFORMATION

www.borealisthreatandrisk.com

ISSUE 49 | COUNTER TERROR BUSINESS MAGAZINE

A SAFER, MORE PRODUCTIVE WORKFORCE For over 50 years, Tait Communications has helped Public Safety and Transport organisations around the world serve their communities. Developing a deeper understanding of our clients’ needs, we improve situational awareness, worker safety and organisational efficiency. As critical industries increase their reliance on data and applications, our innovative solutions enable agencies to take advantage of both broadband and radio networks, in user-friendly converged devices. Visit us to see how this new range of solutions can help you.

BROADBAND SOLUTIONS Enable a safer, more productive workforce using an ecosystem of workforce applications, automated workflows, business integrations and devices for your mobile teams.

Join us at STAND F40, Coventry Building Society Arena, COVENTRY, 8–9 March 2022 Learn more at taitradio.com/BAPCO

BAPCO 2022