The NPSA began in 2023. Will the National Protective Security Authority turn out to be the best thing that ever happened to the private security industry, or the worst; or as so often in life, something in between? asks Mark Rowe.
At least we knew where we stood, when in March the NPSA was announced. To quote from the Security Services’ website, NPSA had taken the responsibilities of the CPNI (Centre for the Protection of National Infrastructure) but with a broader remit, as the name would suggest. National, or critical national, infrastructure implies electricity pylons, motorways and banks; the ‘national’ in the NPSA implies any walk of life. And on the launch of the Authority, the Home Office Security Minister Tom Tugendhat spoke of ‘helping businesses and universities better protect themselves and maintain their competitive advantage’. We knew, because the Security Services told us, that the NPSA is part of MI5, whereas with CPNI we were never quite sure what was the mix of policing and the security services.
The Sixties
This change is in fact a return to the roots of private security in Britain, in the 1960s, when the security services had a hand in site and event security, whether surveying central government departments, or doing vetting and ID-badging before the investiture of Prince Charles as Prince of Wales at Caernarfon Castle (pictured) in 1969. Partly, the security services’ role was due to the fact that the state had more reach than now: what has since been privatised was in state hands, such as the railways (and even some hotels), utilities and telecoms (run by the Post Office).
Britain and NATO was in what we now can see was the middle of the Cold War; keeping scientific and state secrets from Soviet Russia was a common purpose for the British government (its development of atomic energy was important in this regard) and businesses. An echo in the 2020s is the ‘Think before you Link’ awareness campaign and app, warning people – whether retired defence contractors, security managers or software developers – to be wary of approaches through social media such as LinkedIn.
PALs to VAPs
Where the common purpose breaks down is if the Protect Duty, popularly known as Martyn’s Law, comes into force. The argument for it by the Home Office has been that the threat from terrorism is such that premises – crowded places, publicly accessible locations (PALs) or venues and public spaces (VAPs), whatever the current jargon is – should have a legal responsibility to make plans and prepare in case of an act of terrorism; and (for all the denials of those in authority) punish those who aren’t up to the mark (the same as for anything that requires compliance, such as data protection).
When the work of the NPSA stops being advisory – that businesses can shrug off if their budgets are too tight this year, or they just don’t feel like taking heed – and being the law, or else, the secrecy around the security services becomes a problem, assuming that the NPSA were to be the regulator of the Protect Duty (and even if it weren’t, it would surely have a deciding input into any regulator). This is not to deny that some secrecy is necessary, nor that the secrecy is hiding anything bad. Indeed, MI5 has been acknowledging that it can no longer be entirely secret; hence the identity of the director-general of MI5 is known. Any CPNI people I have spoken to or met seem able, articulate, even nice; not cynical, brutal James Bonds.
SIA
The trouble is, if someone in private security takes issue with the Security Industry Authority, over an individual badging decision, or about the approved contractor scheme being too strict (or lenient), we know who the SIA directors are, and the non-execs. We’re not in a perfect, Athenian democracy, so we might have a job putting points to them, or even to find out their email addresses. But the SIA like most organisations these days keeps an eye on social media, so if you pipe up, they are listening and may well answer you. Or, you can take your case up with your MP, and they can write around. None of that applies with the NPSA. We don’t know who any of them are (as with the cyber equivalents at the National Cyber Security Centre, if they speak at industry events, they give their first name and first letter of their surname). If the NPSA does something under the Protect Duty – heck, if a security person wants to complain about some injustice, that a famous or important site is ignoring the Duty, or saying one thing and doing another – how to go about making your point? You could answer that the NPSA would make a public-facing side, such as contract out the inspection of premises. Because of the sheer number of premises, hundreds of thousands, that a Protect Duty would cover, and the number of counter-terror security advisers is counted in the hundreds, CTSAs cannot possibly attend every premises to advise; the Protect Duty regulator will have to accredit ‘competent persons’. But the basic problem remains, that those in charge of policy will be secret. How to influence them, for the good of all, the essence of being in a free society that rights wrongs?
Three volumes
Because we cannot assume that MI5, unlike the rest of the British state, works perfectly and can be utterly trusted and left without scrutiny. While summer 2021 saw the publication of volume one of the Manchester Arena Inquiry that pointed out shortcomings in the security and stewarding of the venue, before and on the night of May 22, 2017; and volume two came out in November 2022, pointing out likewise faults by police, fire and ambulance services in their emergency response, in March 2023 the third and final volume covered ‘radicalisation and preventability’. The most depressing thing about the Inquiry was that the suicide bombing found just about every institution wanting. And yet, as the Inquiry chair Sir John Saunders said when publishing volume three, quoting a witness, the suicide bomber was a ‘Petri dish absolutely brimming with germs’ in terms of radicalisation. Yet the bomber was (to quote Sir John further) a young man of ‘limited intelligence and abilities’. This has been the starting question for the counsel to the Inquiry, Paul Greany, each October when he has made a (remote) presentation to Consec, the annual conference of the Association of Security Consultants; how (and I paraphrase here) could the bomber, a failing student, have got around Security on the night? Hence the thrust of the Protect Duty; to thwart such attacks. Except that the grotesque logic nowhere admitted at the Inquiry nor by anyone else in authority is that a steward or SIA-badged officer, maybe in his late teens and certainly earning minimum wage or barely more, would be expected in extremis to challenge a suicide bomber, who presumably would detonate, making the steward a dead hero, leaving the support of any family to charity?
Sir John added that the Arena bomber likely ‘was provided with help’. Which is where the work of the security services comes in. For reasons of national security, Sir John’s volume three had open and closed parts. Sir John said he:
…. found a significant missed opportunity to take action that might have prevented the attack …. there was a realistic possibility that actionable intelligence could have been obtained which might have led to actions preventing the attack. The reasons for this missed opportunity included a failure by the Security Service, in my view, to act swiftly enough.
Sir John acknowledged that the bereaved wanted to know more (if the bomber had been picked up by the authorities, the 22 would not have died and hundreds would not have been hurt). “All I can say is that I have done my best to reveal what I can,” Sir John said. If that’s the best that the near-three years Inquiry could come up with, the security industry is going to get nowhere querying the details of the Protect Duty if the NPSA is the regulator.
