
Secrecy versus security

by Mark Rowe

There has to be a balance, between keeping secrets for the sake of security, and other equally valid things – such as the right to know things in a free society, and, more to the point for security managers, knowing secret things that can help you to do your job better.

Towards the end of CS Forester’s novel in the Hornblower series, Flying Colours, the hero has escaped from captivity in Napoleonic France, and has reached London. Hornblower has to call on the War Office in Pall Mall: ‘…. there was a young Lord to see him, someone whom Hornblower liked at first sight. Palmerston was his name, the Under Secretary of State’. Forester has his fictional character meet a real person from history, the future Victorian prime minister.

He asked a great many intelligence questions regarding the state of opinion in France, the success of the last harvest, the manner of Hornblower’s escape. He nodded approvingly when Hornblower hesitated to answer when asked the name of the man who had given him shelter.
‘Quite right,’ he said. ‘You’re afraid some damned fool’ll blab it out and get him shot. Some damn fool probably would. I’ll ask you for it if ever we need it badly, and you will be able to rely on us then.’

That story, in arguably the greatest achievement of English popular literature in the 20th century, came out in 1938. Its first readers in the 1939-45 war would have understood the need to preserve secrets in wartime. People were bombarded with official propaganda telling them that ‘careless talk costs lives’, ‘walls have ears’, or ‘be like dad, keep mum’. To put it less catchily, for the sake of security, you had to keep some things secret.

In the Cold War against the Soviet Union between the 1940s and the 1980s, a similar tension arose; only now, how to keep secrets in a democratic society? As I wrote from a file in the National Archives, the making of a published book from MI5, Their Trade is Treachery, about Soviet methods to trap westerners, such as travelling businessmen and officials, was painfully long. Set against the point of publication – to alert people to the risks of being compromised and made to pass information to the Soviets – some in government took issue with details of the book, or with publishing anything, in case it did more harm than good.

Consider in the present, the police’s Servator patrolling method, using a mix of ‘assets’, and seemingly unpredictable timings, to catch criminals, including potential terrorists carrying out hostile reconnaissance. How far should the police pass that knowledge on, to security guard forces, balancing the gain from more informed pairs of eyes, and the risk that the knowledge will seep out and reach the bad guys? The irony here is that behavioural science tells you that even if the person carrying out hostile reconnaissance – visiting an airport terminal, let’s say, to look for weaknesses in security or busy times of day – knows what are the give-away clues that you’re not there for a legitimate reason, the ‘hostile’ can’t mask himself. That only serves to make him stand out in other ways.

Though still little known, the idea of ‘security minded communications’ has been around for some years; that a site or institution can say things publicly about its security, to reassure the law-abiding that they’re guarded, and to put off the ‘hostiles’, whether pick-pockets or terrorists.

The latest annual study by Prof Martin Gill’s Security Research Initiative (SRI) on collaboration between private security and police mentions Servator as an example of joint patrolling: when done well, SRI said, it can mean ‘communicating on dedicated channels, such as shared radio frequencies and mobile apps, facilitating real-time information sharing to help coordinate patrol strategies’. Such joint working can mean each plays to its strengths, the study added; the private security officers protect their clients (such as a shopping centre), while police enforce the law and arrest shop thieves or other law-breakers. Joint working implies shared knowledge, whether of radio protocol, the NATO phonetic alphabet, or JESIP principles of working jointly on an emergency incident; all in the public domain. Except that the Security Industry Authority badge is only an indication of competence, and not that someone has been vetted. In other words, there’s a limit to how far the authorities can trust the SIA-badged.

Staying with terrorism, the SIA, which is in line to become the regulator of Martyn’s Law – a legal responsibility on premises to take measures to counter the threat of terrorism – will have to work out how to balance the secrecy around premises security with the public interest in knowing how compliant a site or business is with the law. Will premises be given a food safety-style rating, like a take-away or restaurant? Except that if a premises has a lower Martyn’s Law rating than its neighbours, especially its equivalent neighbours such as pubs, might that be a gift to terrorists or indeed thieves?

Cyber resilience

The Bank of England recently reversed plans in a policy statement to require third-party companies to disclose ‘unremedied’ vulnerabilities, acknowledging that such disclosures could inadvertently expose the UK’s financial system to cyber threats.

A policy statement (PS) was issued jointly by the Bank of England, Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) (collectively ‘the regulators’). Their aim was resilience; in their own words, to ‘manage risks to the stability of, or confidence in, the UK financial system that may arise due to a failure in, or disruption to, the services’ of banks.

In cyber-security terms, ‘vulnerability’ would be defined as ‘a weakness, susceptibility or flaw of an asset or control that can be exploited by one or more threats’. However, in various parts of the regulators’ draft rules and draft supervisory statement, ‘vulnerability’ was used in a general, ordinary-language sense. Respondents were particularly concerned about potential requirements or expectations on CTPs (Critical Third Parties, in the jargon) to disclose unremedied vulnerabilities (in the cyber-security sense) to the regulators and to other firms they provide services to. Sharing could increase the risk of threat actors exploiting these vulnerabilities, which would go against the regulators’ ‘overall objective’, of a resilient financial system.
