House of Lords Select Committee on the European Union (Sub-Committee F)
Inquiry into The EU Internal Security Strategy
Oral and associated written Evidence
Contents Cecilia Malmström, Home Affairs Commissioner ...... 2 Oral evidence, 6 December 2010, Q 1-39 ...... 2 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen) ...... 15 Oral evidence, 6 December 2010, Q 40-66 ...... 15 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon ...... 28 Oral evidence, 7 December 2010, Q 67-102 ...... 28 Rob Wainwright and Brian Donald, Europol ...... 45 Oral evidence, 15 December 2010, Q 103-147 ...... 45 Hugo Brady, Senior Research Fellow, Centre for European Reform ...... 64 Written evidence, Hugo Brady (ISS 12) ...... 64 Oral evidence, 12 January 2011, Q 148-174 ...... 69 Dr Paul Cornish, Chatham House ...... 87 Oral evidence, 19 January 2011, Q 175-208 ...... 87 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office ...... 103 Written evidence, Home Office (ISS 10) ...... 103 Oral evidence, 26 January 2011, Q 209-266 ...... 119 Supplementary written evidence, Home Office (ISS 16) ...... 144 Neil Thompson and Dr Steve Marsh, Cabinet Office ...... 153 Oral evidence, 2 February 2011, Q 267-317 ...... 153 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency ...... 173 Oral evidence, 9 February 2011, Q 318-366 ...... 173 Supplementary written evidence, (ISS 17) ...... 195 Sir Richard Mottram ...... 198 Oral evidence, 16 February 2011, Q 367-404 ...... 198 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons ...... 216 Oral evidence, 2 March 2011, Q 405-447 ...... 216 Supplementary written evidence, James Brokenshire MP (ISS 18) ...... 234
Cecilia Malmström, Home Affairs Commissioner
Cecilia Malmström, Home Affairs Commissioner Oral evidence, 6 December 2010, Q 1-39
Evidence session no 1 : heard in public
Members present
Eccles of Moulton, B Hannay of Chiswick, L (Chairman) Richard, L ______Examination of witness
Cecilia Malmström, Home Affairs Commissioner
Q1 The Chairman: Commissioner Malmström, we are grateful to you for allowing us to come and seek your views. They are central to the inquiry on which we have just embarked into the internal security strategy. A verbatim transcript will be taken of the evidence. This will be put on our parliamentary website and in due course it will be published as part of our report. A few days after our return to the UK, we will send your officials a copy of the transcript to check it for accuracy, and perhaps you could advise us of any corrections as quickly as possible. If, after the evidence session, there is anything you want to clarify or amplify, or there are any additional points, please do not hesitate to submit supplementary evidence to us in writing. Do you want us to introduce ourselves or are the name plates enough? Cecilia Malmström: I can see the name plates, but perhaps you want to introduce yourselves. We have met before, but I have not met Baroness Eccles or Lord Richard. Baroness Eccles of Moulton: I am Diana Eccles. I am a Member of the House of Lords and a member of this European Union Sub-Committee. Lord Richard: My name is Ivor Richard. I am a Member of the House of Lords and a member of this Sub-Committee. I am familiar with the old building, but this is a new one. Cecilia Malmström: You were a Commissioner, am I right, for social affairs? Was that its name at the time as well, or was it called employment? Lord Richard: Many years ago, yes. I was employment Commissioner when we had even more unemployment than we do today. The Chairman: I am David Hannay. You and I met at dinner in London. I was the Permanent Representative here in the 1980s and I am the Chair of this European Union Sub- Committee. Our special adviser is Stephen Hawker, whom I think you also met at that dinner. Cecilia Malmström: We met in London.
2 Cecilia Malmström, Home Affairs Commissioner
Q2 The Chairman: And Michael Collon is the Clerk of the Committee, whom you also met. Is there anything you would like to say before we plunge into the questions? Cecilia Malmström: No, just that it is an honour to be here. It is my first time, and giving evidence to the House of Lords is a bit mythical for me. I look forward to it very much and hope that I can be of help and assistance to the work of the Committee.
Q3 The Chairman: Thank you very much. I will start with two general questions. What do you regard as the key short-term issues in the internal security strategy that you have identified in your document? What do you think is achievable? What are your priorities for the short and medium term? Could you perhaps say a word about how you see what seems to be the inherent tension between achieving greater internal security and respecting the human rights of individuals? This seems to come up in a wide range of the issues covered in your document. If you could say something about that and about your general priorities, that would get us started very well. Cecilia Malmström: The internal security strategy aims to define a few limited but common threats that we are facing. Of course, member states are ultimately responsible for their own security but there are issues where there is clear and added value in co-operation. I have identified five of those areas: organised crime; cybercrime; terrorism; borders; and catastrophes, whether human made or natural disasters. We try to identify a few concrete aspects where we can bring bigger security to address this - for instance, going for the money in the organised crime issue. The aim is to produce concrete proposals to increasingly go after the money in the European Union and confiscate the profits of international criminals who move freely over Europe today. We also propose a European PNR system and we will work on anti-radicalisation measures, not monitored from Brussels, to create a platform for the exchange of views and ideas about what is being done there. When it comes to disasters, we want to decide how we can implement the solidarity clause provided for in the Lisbon Treaty in a much better way. It is a new clause but, now that we have it, how can we make sure, if a member state suffers from a catastrophe and wants and needs help, that help is given to it in the most efficient way and the member state in question does not have to call on all member states? How can we channel it in a better way? These are a few examples. I am very aware of the importance of fundamental rights and I do not see it as a trade-off. High security in the European Union can come only with a very strong safeguarding of individual rights and data protection. All the proposals we make will have to be thought through when it comes to proportionality, subsidiarity and data protection. This has always been important to me in my political life. Of course it is a sensitive issue and one is always subject to criticism, but it is not a trade-off and everything has to be there in the whole package when we deal with a person.
Q4 The Chairman: And the European Parliament, presumably, will have some quite strong views on that. Cecilia Malmström: The European Parliament has very strong views, which is good. It is very involved. As I see it, if we give greater transparency to the proposals it will force the Council and Commission to really motivate our proposals along with the questions of the national Parliaments. It is a very good thing that it is involved. After the entry into force of Lisbon, all three institutions are learning how to deal with each other and to work closely right from the beginning of a proposal and not come in late. If the Parliament is involved at an early stage, informed and listened to, we can work in a constructive way. This is a lesson I have learned from the TFTP, which started on my first day at work as a new Commissioner in February. 3 Cecilia Malmström, Home Affairs Commissioner
Q5 The Chairman: We hope to play a role in that co-operation, too, because national Parliaments will be involved in an area where national responsibilities are still very strong. Therefore we have to work in two different directions – towards our own Government and also towards the European institutions. That is why this is, for us, a particularly important area to be taken up in this early post-Lisbon study. Cecilia Malmström: Yes, I am aware of that. We have made an effort in the internal security strategy to make only proposals - I am aware that they can be questioned – where the Commission side can motivate. This is where European joint action can be of added value because, of course, security is a matter of responsibility for member states. However, as the threats are across border, we need to have responses across border as well.
Q6 Lord Richard: I think that you have partly answered the question that I was going to ask about the apparent conflict between Article 4 of the TEU and Articles 72 and 73 of the TFEU. As I understand it, Article 4 was put in, perhaps, at the UK’s insistence – I do not know the internal details but one hears rumours to that effect – and says that national security remains the sole responsibility of each member state. Then Article 73 allows like- minded member states to carry out enhanced co-operation and co-ordination in the development of national security. How big a role do you think the Commission can play in the Article 73 actions? Cecilia Malmström: I totally agree with you that national security is the responsibility of member states. However, Articles 67 to 76 also state that it is the EU’s responsibility to make sure that we have an area of justice, security and freedom and a shared competence. The Commission can only reinforce what the member states do. For instance, we have defined in the Lisbon treaty Euro-crimes where there is an interest to work together. I see my responsibility very much as proposing actions where we can really add value because the threat or the security issue cannot be addressed solely on a national basis. However, I am very aware of member states’ responsibility and that is why I said earlier that we try to motivate carefully, from a subsidiarity and proportionality view, everything that we are proposing.
Q7 Baroness Eccles of Moulton: If we could move on to relationships. The first part of my question is about internal organisational relationships, and the second part is about external relationships. First, how will the new strategy – the internal security strategy – interrelate with the existing European security strategy, the ESS, which has been running for about seven or eight years? This is quite important because that has been doing, presumably, quite a lot of the work that the new strategy is aimed at doing. So there is clearly a relationship there that needs sorting. As I understand it, the newly-created High Representative for Foreign Affairs and Security policy is in charge of a certain chunk of what is going to be the responsibility of the strategy we are discussing. How is that going to be sorted? Cecilia Malmström: When this strategy was elaborated many people in the Commission were involved. It is not, of course, only my responsibility. I had a very close co-operation with Lady Ashton because, as you rightly say, the threats are not exclusively internal nor external but interlinked. That is why we need to have an external dimension with the internal and the other way around. She and her cabinet have been very active in elaborating this, as has, for instance, Mrs Kristalina Georgieva, who works with disasters. She is in charge of the MIC, the monitoring of catastrophes system. Many are involved, which is how it should be, and so we will have a security working group within the Commission and the responsible parties in COSI – the committee on internal security – will monitor, follow-up 4 Cecilia Malmström, Home Affairs Commissioner and carry out the more day-to-day handling of the strategy. We see very open borders in that regard because we cannot operate in isolation from each other.
Q8 Baroness Eccles of Moulton: You mentioned Commissioner Georgieva is also involved in the disaster aspects, so the communications between the three departments will be seamless, one hopes. Cecilia Malmström: Ideally, in the best of worlds. The Commission is a bureaucracy in many ways – Lord Richard will know this – but it has improved. It is very determined to tear down some of these walls and to work much more horizontally across borders. I am not saying it will be easy and that it will happen tomorrow, but that is definitely our intention.
Q9 Baroness Eccles of Moulton: The other communication aspect which is so important is the bilateral element between the member states and countries such as the United States, Russia, China and India. They will relate as far as the EU is concerned to a different body from previously. Will that be easy to achieve, or will they be a little confused? Cecilia Malmström: Obviously, the US is our most important partner in this and the two Ministers concerned, Eric Holder and Janet Napolitano, have bilateral meetings. They are very much engaged in cybercrime, migration and so on. So we have natural counterparts in that respect. It is not so liberated with Russia, even if I also meet its Justice and Interior Ministers regularly. We are keen to make sure that European Union values and fundamental rights are present. For that reason, it is easier for us to work with the United States. However, those other countries will also be involved in such issues. That will be elaborated on but it is very much in the hands of the Council how we move on from this.
Q10 The Chairman: How will you and your department ensure that you have a proper level of expertise in the European External Action Service posts in the countries that are really important, such as the United States? Will some of your officials be seconded to the EEAS, or will you find in the EEAS people with sufficient technical and legal knowledge to be able to handle some of these complex issues and have them in Washington, Moscow and so on? Cecilia Malmström: This is also an issue that I am discussing with Lady Ashton. Of course everything is still being set up and so it is still a very early phase. Ideally we would have – at least in our most important missions – JLS experts so that we can work on this in a very coherent way.
Q11 Lord Richard: Can I ask a more specific question about SitCen, which at the moment has a particular mandate? There were some occasions in the past – particularly in January 2005 – when SitCen’s mandate was extended to include the domestic or internal threat gleaned from information provided by the member states’ intelligence agencies. So there was a slight widening there. Do you see that widening continuing? Do you think it ought to continue and that SitCen should have responsibility for both external and internal affairs? Cecilia Malmström: I know that Lady Ashton is now looking at this aspect very closely and we discussed it the other day. SitCen is excellent but we need to have it more co-ordinated with the other agencies and with what the rest of the European Union is doing. There is a lot of information at Frontex and Europol, for instance, and we need to co-ordinate the work much better. I am discussing this with Lady Ashton and she shares my view. I have also visited SitCen to discuss how we can increase our co-operation. We have discussed cargo 5 Cecilia Malmström, Home Affairs Commissioner security – the Dubai parcel, for instance – and how we can better make use of our joint analyses and share information to the extent that it feels it can share it. SitCen is very well situated to do that.
Q12 Lord Richard: It sounds from what you say as though you think an extension of SitCen’s mandate would be helpful, and obviously steps are being taken in that direction. It sounds as though negotiations are joined on that issue. Cecilia Malmström: We are still in very early times on that. The situation of SitCen and its mandate is being looked at. It is a priority for Lady Ashton and we have had dialogue on it, but no decisions have been made. SitCen is a good institution. It is generally trusted by member states but it is dependent on the information that it gets from them. We all know that intelligence is the most sensitive thing we can share with each other. We are not building up a European intelligence centre, but sometimes it might be valuable to share some of the assessments when it comes to threats.
Q13 Lord Richard: On the face of it, do you think that it would be a good idea to enlarge SitCen’s mandate? Cecilia Malmström: I think that SitCen is probably the best institution or body to have this mandate, yes.
Q14 The Chairman: This may sound rather ignorant but I remember that in the past the Commission had its own situation centre as well as the one in the Council. Is that now in the process of merging - or has it been merged - with the Council one? Cecilia Malmström: We do not have an old situation centre like that in the Commission. With the new Lisbon treaty and the solidarity clause and so on, it would make sense to join and share the analyses to a much better standard, not to build up a parallel thing, because we are dealing with very sensitive information. When there is a catastrophe or a threat or something like that it is important that we share the same assessment. If we want to assist each other if there is an attack or a natural disaster, for instance – information should not be shared by too many different bodies; rather it should be pooled.
Q15 The Chairman: Could we move on to talk a little about the interface between your department and the counterterrorism co-ordinator? How does that fit into the new strategic framework? Where does the co-ordinator really belong in it, and will his powers be enhanced? One of your five sections is dealing with counterterrorism. What role will the co- ordinator play in all that? Cecilia Malmström: The mandate of the co-ordinator is set by the Council, so the Commission cannot influence that, but we have had, and still have, a very good and open discussion with Mr de Kerchove, the counterterrorism co-ordinator. He has been very helpful and has had a lot of input into the internal security strategy. We have regular contact to ensure that we all speak with the same voice and go in the same direction. He will continue to play an important role in co-ordinating the member states. I do not see any new role for him. His role is to continue with what he is doing and to make sure that we all work together. The Chairman: We will come back to this question of the multiplicity of bodies that exist in this area when we talk about COSI and the handling of cyber crime. Perhaps we can come back to that at that stage.
6 Cecilia Malmström, Home Affairs Commissioner
Q16 Baroness Eccles of Moulton: Can I ask about the increasingly serious threat of cyberattacks on infrastructure and how the strategy will take account of this and be prepared for the extremely complicated and difficult matter of dealing with it, particularly when it has global pretensions? Cecilia Malmström: It does and therefore we should focus not only on European co- operation but also co-operation with the Americans. This is one of the issues that we will discuss with our American counterparts tomorrow and the day after. As you say, cybercrime is a growing problem, comprising everything from the stealing of bank accounts and identity theft to attacks on whole states, as we saw in Estonia and Georgia. It is likely to grow in importance and will affect the lives of ordinary people a lot. Just after the summer, we proposed an updating of the cyber directive to increase the penalties, widen the definition of the crime and criminalise the so-called botnets—this malicious software which can destroy whole industries, companies, departments and ministries. We also want to enlarge the competences of ENISA, which is the European Union’s cyber agency. We have also proposed in the internal security strategy that all member states should set up CERTs alert centres open 24 hours a day which member states can contact for information, and to share the expertise that we have at the cyber centre, probably through Europol. Of course, everybody is overwhelmed by the magnitude of these problems and there are no easy solutions but if we can at least pool our resources a little and the knowledge that we have and try to educate each other and to prepare and to prevent these attacks, we shall move a little way forward. But, as I said, we shall start co-operation with the Americans on this.
Q17 Baroness Eccles of Moulton: Presumably, there would not be a huge cost attached to pooling information and co-operating with people. It would not involve employing a great many more people and setting up new centres. Cecilia Malmström: No, I do not see that it would involve cost. It is more a case of sharing experiences, alerts and ways to act preventively, finding ways to work better with the private sector, identifying this at an early stage on the internet and finding out how we can work with the security strategies in the private sector to a much greater extent. So it is more about gathering the information that we have, or do not have, than building up new, gigantic structures.
Q18 Baroness Eccles of Moulton: And, of course, a lot of the information that will need to be shared has itself a high security label. Cecilia Malmström: Some of it will, yes.
Q19 The Chairman: One question that occurred to us on reading your communication was that the case for the Union doing more on cybercrime—this is not so much cyberattacks as cybercrime—seems to be very well articulated and justified but there seems to be rather a plethora of bodies that might be involved in this. How do you see them fitting together? In our recent report on cyberattacks, we suggested—although we were not covering cybercrime as such—that ENISA’s mandate ought to be enlarged to include that, but you also have Europol, which I think is very keen to have a greater capacity on this, and you mentioned also a cybercrime centre being set up at some stage, so that is rather a lot of bodies as well as the SitCen, which is rather important in respect of exchanging information and intelligence. Do you think there is a bit of a risk that there will be slightly too many
7 Cecilia Malmström, Home Affairs Commissioner people involved and that it will be rather difficult to get a properly focused effort if there are quite so many bodies involved? Alternatively, do you see some way of defining a bit more clearly who does what? Cecilia Malmström: The cybercrime centre would, as I see it, be set up at Europol and build on what already exists in Europol. I am not talking of having a new big agency but of pooling a few resources there, working closely with member states. Europol already has some capacity and some knowledge on this and it will be natural to build on that and not create anything new. ENISA—the European Network and Information Security Agency—in Greece also works with other issues relating to the internet that have nothing to do with crime, so I think that it can be beefed up a little bit. But if we want to focus on the crime issue, it would be more natural to put it under Europol because we want to increase co- operation but do not want, as you say, to create many new structures.
Q20 The Chairman: That certainly seems to make good sense, but I wonder whether resources will be a problem in all this because there are not huge amounts of resources available. The other question is the issue of countries setting up CERTs. When we did our report we were very clear that the Commission’s ambition that every member state should have a CERT was entirely laudable but did not take sufficient account of those member states that had gone well beyond that, like our own. We have quite a few CERTs but our Government do not see any case for a single national CERT. We certainly were not convinced of the case for that. I am not sure that that plurality of approaches comes through very clearly in the Commission communication but you might like to comment on that. Cecilia Malmström: We do not want to design one European model of a national CERT. It is more a case of making sure that member states are prepared for this. Some are very well prepared for this, like your own, others are very hesitant and fumbling a little bit over how to deal with this. But I think all member states want to set up some sort of mechanism. Where it is placed or how it is organised is not so important for the Commission, but some sort of contact point should exist to which citizens of a country can turn and where the European Union can seek a counterpart with which to co-operate. Exactly how they are organised and under whom they are organised is not really important to us. We do not want to set up new bodies but build on existing institutions and encourage member states to set up this competence. They will need to do this because this is something that will increase in all member states.
Q21 Lord Richard: Can I come to something perhaps a bit more specific, which is counterterrorism? Reading the Commission communication, there is quite a lot in there about increased co-operation between the countries—with the Commission taking an active part in it—and, indeed, promoting the creation of an EU radicalisation awareness network. You also say in the communication that, “Security policies, especially those of prevention, must take a broad approach … Cooperation should therefore be sought with other sectors like schools, universities and other educational institutions, in order to prevent young people from turning to crime”. That sounds admirable, but are you actually going to do it? Cecilia Malmström: No, the Commission is not going to do that because member states are much better fitted to do it and it comes under their competences. Many member states, including the one I come from and the one you come from, have already developed methods, mostly on a local level, to identify young men—it is mostly young men—who are vulnerable to extremist propaganda and who run the risk of being dragged into violent extremist networks. Those methods involve local communities, sometimes religious communities, schools, universities and social workers. I have met people from many 8 Cecilia Malmström, Home Affairs Commissioner countries who work with these methods, and researchers, who have told me that this must be done on a local or regional level as circumstances vary so much between countries, but that there is a need to meet with other people to compare methods, best practice, or even bad practice on what you should not be doing, and to have a network of exchanging ideas. But, of course, the Commission cannot deradicalise people; that is not our intention at all. Our intention is to gather together people who work with this issue and to give them a platform to share their experiences.
Q22 Lord Richard: But you would be responsible, I hope, for setting up the network. Cecilia Malmström: It would be the relevant people who run the network who would provide the means for people to meet, for example, a room, provide some money to enable them to meet and perhaps some information to hand out and coffee. The facilities will be there and there will be someone responsible for the administration but the network will be a matter for the people working on the ground. Lord Richard: And you would lubricate it.
Q23 The Chairman: This is another of those areas, a little bit like the cyber area, where it is quite important to bring in local authorities and local initiatives and not just rely on central government input in these things, which may, after all not always be absolutely ideal. Again, with the cyber case, the evidence that we took when we were doing our report showed that Government in our country was not doing enough to enlist the active involvement of the private sector and of individuals, some of whom were extremely talented, in both these areas that we are talking about. Cecilia Malmström: Exactly, it would not be member states’ Ministers or high-level persons coming in but, typically, those who work on a local level, to identify these vulnerable young people, and older people too, and to share their experiences. I met with Charles Farr who works on this issue for the Prime Minister in the UK. He said that his experiences had taught him how we should not tackle this and how we should tackle it. He said that some methods were not a good idea as they frightened people away and stigmatised them but that there were better ways to tackle the issue. I have talked to Swedish, Dutch, German and Danish people who have a lot of experience of working with this issue and they think that it is helpful to share their experience with each other. That could be done on a very down to earth level, perhaps by organising a conference, which could be attended by Ministers, to get a summary of these best practices.
Q24 The Chairman: I notice that your list does not include any southern European countries. Does that mean that there is a southern European problem with this issue? That is an unfair way to put it, but does it mean that they are further back on the learning curve on this issue and, if so, how will you try to influence them because you hear quite bad stories about hostility in countries such as Greece, for example? Cecilia Malmström: Yes, I have not discussed this particular item with my Greek colleagues although I have discussed it with my Spanish colleagues. Spain has a lot of experience of this matter due to its sad history on this. These were the Ministers that I met recently to discuss this, so that is why I mentioned it. I do not think there is a very clear north-south divide but some countries clearly have less experience in this area and could really benefit from sharing the experience of other countries in order to address this locally.
9 Cecilia Malmström, Home Affairs Commissioner
Q25 Baroness Eccles of Moulton: This is a continuation to move the discussion on to other counterterrorism initiatives, such as money laundering, fraudulent activities et cetera. Could the same sort of relatively low-key but effective early detection of these unattractive practices that have counterterrorism implications be carried out in the private sector through co-operation with non-government organisations? Could this be a useful way of getting hold of some of these activities in their infancy before they make a big contribution to terrorism? Cecilia Malmström: Yes, I think that that engagement is an important way of working. We have a financial coalition working on a lot of different initiatives. We know that money does travel across borders and we need to address this. I have also been given the task by the European Parliament and the Council to look at the possibilities of setting up a TFTP mechanism on European soil to extract bank data connected with, for example, suspected preparation of terrorist acts. We are looking at that now, and it will then be up to the Council to decide whether it is willing to go in this direction. We are looking at the tools that already exist to tackle money laundering and moving money over borders, to see how they are used, whether there are any problems in implementing them and whether they need to be refined. We will come back possibly next year with proposals on that.
Q26 Baroness Eccles of Moulton: Of course, there is a data protection aspect to this. Again, it is a balance. Cecilia Malmström: Absolutely. It is a very important balance. That also came up when we discussed the TFTP agreement. Many member states, individuals and Members of the European Parliament felt that it was better to extract the data of European citizens on European ground rather than send them over in bulk to the US. Even if it is important to track money and individuals who plan to do horrible things to our citizens, the vast majority of people are not criminal and we should protect their data and integrity. Baroness Eccles of Moulton: Particularly lately, one realises how vulnerable these are. Cecilia Malmström: Yes, very vulnerable.
Q27 Lord Richard: Perhaps I can turn to COSI for a moment. I have three points. First, it has only met five times. Secondly, when one looks at the number of existing European groups, such as CTG, COTER,TWG, CP931—I have no idea what that is—and the Article 36 Committee, there seem to be an awful lot. Is there not a case for rationalising them? If there is, what is the strength of the case and would it be accepted? I understand that there is trench warfare between the groups; there are a few too many. Thirdly, does COSI have a role in the implementation of the solidarity clause, which requires member states to provide mutual assistance in cases of natural or man-made disasters as well as of terrorist attacks? Cecilia Malmström: Yes, as you said, COSI has met only a few times. It, too, is a product of the new treaty. All new products of the treaty will take time to find a role. It is a difficult for me to judge, because these are Council co-operation bodies. I do not know what some of the group names that you mentioned mean; I have only heard of them. It is not possible for the Commission to steer how the Council works and what working groups it has; that is entirely its way of organising itself. COSI clearly has a role in our internal security strategy, and might also have one under the solidarity clause. We are looking at how this would be monitored and set up. I imagine that COSI could have a role as well.
Q28 Lord Richard: Do you think that, as a commissioner, you could at some stage propose to members of the Council that rationalisation is required in this area? 10 Cecilia Malmström, Home Affairs Commissioner
Cecilia Malmström: Members of the Council are sensitive to the Commission trying to steer how they work.
Q29 Lord Richard: I totally understand that. On the other hand, it seems that something needs to be done. Nobody else is going to do it, so it is obviously a matter for the Commission. It is part of its function. Cecilia Malmström: It is really not our task to tell the Council how to organise itself. Lord Richard: Nudge it.
Q30 The Chairman: Well, we might say something—who knows? On that point, have you attended a meeting of COSI? Have you any intention of briefing members and exchanging views? It is a high-level group with an important role in advising Governments on how to respond to your strategy. Would it be useful to have a more direct relationship? I am not suggesting that you attend their meetings, but perhaps you could meet them and talk things through from time to time. Cecilia Malmström: I have never been invited to a COSI meeting: but, as you said, it is a new body that has had only a few meetings. I will be happy to attend if they invite me. It could be useful to have a discussion once the internal security strategy is adopted or endorsed by the Council. I am open to the idea of attending its meetings, but so far I have not done so.
Q31 The Chairman: Perhaps we could we move to a couple of other issues. There has been some trouble over terrorists listed under UN resolutions, and the way in which the EU operates the system. Is the system okay now or does it need reform? Is there any risk of you getting into a clash with the obligations imposed on every member state by the UN if you have difficulties implementing them? Cecilia Malmström: The current system of listing is under the Common Foreign and Security Policy, so it is the responsibility of Baroness Ashton. Under the Lisbon Treaty, Article 75 enables the freezing of funds to combat terrorism. That would allow us to look at this and see whether there are any gaps, or if a new approach is needed to mitigate criticism from international bodies. We have established a working group of experts from member states to discuss the freezing of assets. We will consider a legislative framework, depending on the recommendations of the working group.
Q32 The Chairman: Presumably it is important that the two bodies—the European Union and the UN—do not at any stage get at cross purposes, because that would present important conflicts of interest for the member states, who are required under international law to do what the Security Council says but may run into difficulties. I gather that the cases that came to the European Court of Justice have been resolved in the short term, but in the longer term is it not important to have a more seamless approach to these things? Cecilia Malmström: It is, but it is also important to protect individuals and European values from abuse. As you said, there have been cases where people have found their assets totally frozen because they were on a list and it was very difficult for them to get off it even when they were apparently innocent. These things might need to be looked at.
Q33 Lord Richard: Can I come to RABITs? Is that part of your empire? Tell me how you see it working, because this is a first for you. I understand that you have about 175 border
11 Cecilia Malmström, Home Affairs Commissioner specialists from 24 member states. Some of them are armed and they have to try to police a very long border. How do you see this working? Cecilia Malmström: As you say, sir, this is the first time ever that these specialists have been deployed. They have been operating for three years and this is the first time they have been used. The Greek Government asked the Commission for help because the land border between Greece and Turkey around the city of Orestiada was under great pressure and the Greek authorities could not deal with the situation. Between 200 and 400 people a day kept coming in. This led to a great deal of pressure being put on the Greek authorities, and the humanitarian situation became very complicated because those people needed to be fed and sheltered. They did not have the facilities, so they asked the Commission for help. Frontex, which is the administrator for this, was very quick to react. Indeed, almost all member states as well as Norway have sent policemen, interpreters and customs administrators to the area. I was there just two or three days after they first arrived in order to talk to them. They are there not only to help monitor the situation on the border, but also to help the Greek authorities deal with the people who do come over. My impression is that they are doing a very professional job. They are there to provide support and help, and of course they follow European legislation. We face a problem right now in that the mission has been prolonged, but it is a short-term issue. They have to help the Greek authorities to build up their own capacity over time, and that is complicated.
Q34 The Chairman: What sort of role are the Turkish Government playing in this? Presumably a lot of these people are staying illegally in Turkey as well. Are the Turkish Government co-operating with Frontex and the RABIT operation to the maximum possible degree? Cecilia Malmström: Yes, it is much better now than it was at the beginning. What complicates matters is that for many years we have tried to reach an agreement with Turkey on re-admissions. Negotiations have been going on for eight years. In May we concluded a provisional agreement with the Turks, but now that is pending because of differences mainly between Greece and Turkey on the phrasing for borders and the issues related to that. We do not have the agreement in place, although of course it would have been very helpful if it were. In the beginning the Turks were a bit sceptical about the operation, but the Frontex people, the Commission and other individuals from member states have been keen to try to involve them. The Turks are now much more co-operative, and the pressures at the border have indeed diminished, even if people are still getting across.
Q35 The Chairman: What are the prospects for a full agreement with Turkey? Cecilia Malmström: It is very much part of the complicated history between Athens and Ankara. The agreement cannot solve all the border issues, but we will have to find the right wording and phrases to cover the concept of borders that both parties can agree on. We are committed to trying to find those and we are trying to be helpful. However, this has been going on for quite some time. I hope that we can achieve an agreement independently of what has happened with the RABIT operation because the land border between those two countries is much longer than just this area.
Q36 Lord Richard: Can I just follow up with one more question on RABITs? Do you see it as a permanent operation? Is there going to be a body of inspectors and soldiers set up
12 Cecilia Malmström, Home Affairs Commissioner under the general direction of Brussels? Is it a permanent force or an ad hoc thing depending on whether a member state asks for assistance? Cecilia Malmström: It cannot be a long-term thing because a RABIT operation depends on the willingness of member countries to send their staff. They have just decided to prolong until 1 March, but it has been made clear all the time that this is a temporary issue and the staff are there to provide support during this emergency and to help the Greek authorities to build up their own capacity. An operation has been going on for many years in the area known as Poseidon. This is also important and many member states take part. The European Union, if that is what you implied, does not have a border guard in itself. Although some member states have proposed it, it is not on the agenda for the moment. I do not think we have sufficient political support to do that in the short term.
Q37 The Chairman: Yes. Perhaps I could ask one more question that I overlooked about the European arrest warrant. It is not the primary responsibility of our Committee to work on that; another Sub-Committee deals with legal and constitutional issues. However, from the point of view of counterterrorism, is it your impression that the European arrest warrant has been a useful tool for the counterterrorist policies of the member states? Cecilia Malmström: It has been a useful tool. I have just looked up the statistics. My colleague Viviane Reding is responsible for this area and provided me with some statistics. In the past four years, 52,923 warrants have been issued and 11,328 have been executed. However, we do not have any statistics—I will see if I can look them up and provide you with them—to show what proportion were related to terrorist activity. I do not have that information.
Q38 The Chairman: It would be very useful if you could. We are considering whether the EAW is an integral part of counterterrorism policy in the EU. Any statistics that throw some light on that would be welcome. There is a well known case in Britain of the 7/7 bomber who went to Italy and was sent straight back under an EAW. That was a perfect example of its usefulness. It would help us a lot if we could take a more scientific approach, rather than always quoting one case that happens to fit exactly into a particular category. Cecilia Malmström: Yes, I think that all member states can quote one example that has been in the media. For the moment, I do not have that statistic, but I will be happy to look into it and see if we can provide the Committee with more facts. It would be helpful to see the figures not only for terrorism but for other types of crime, too. We will look at whether it is feasible to get them.1
Q39 Baroness Eccles of Moulton: I have one last question on road accidents. They do not fit very well with our definition of security. We would be interested to know your views on their inclusion in the strategy. Cecilia Malmström: They are not in my strategy. They were in the Council's proposal in February. Road accidents are very important, and of course it is important to fight them, but in defining the five most urgent cross-border threats, I felt that they did not really fit. Baroness Eccles of Moulton: They are a bit of an anomaly. Cecilia Malmström: Yes.
1 The Commissioner’s office subsequently informed the Committee that they did not have access to such statistics. See Q 101, post. 13 Cecilia Malmström, Home Affairs Commissioner
The Chairman: Thank you very much for being so generous with your time. I know that you are just about to go off to the States. Cecilia Malmström: I leave tomorrow morning, so I have oceans of time. The Chairman: Thank you very much for seeing us in this way; it has been extremely valuable. It has got us off to an excellent start in our understanding of the strategy. We will see a lot of other people in the next two or three months and will then produce a report that I hope will be of use to you as well as to our own Parliament. Cecilia Malmström: I am sure it will; I am looking forward to it. Thank you for inviting me to speak to the Committee. I hope I have been of assistance.
14 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen)
William Shapcott, Former Director of the Council Joint Situation Centre (SitCen) Oral evidence, 6 December 2010, Q 40-66
Evidence session no 2 : heard in public
Members present
Eccles of Moulton, B Hannay of Chiswick, L (Chairman) Richard, L ______Examination of witness
William Shapcott, Former Director of the Council Joint Situation Centre (SitCen)
Q40 The Chairman: We are most grateful to you for coming here to give us your views. We understand what you just said about being a little out of date on the SitCen, but it is an important part of our evidence-taking to understand how it fits in to the whole issue of the EU’s internal security strategy, which we have just started our inquiry on. We have just seen Cecilia Malmström, we are going to see David O’Sullivan to talk about the interface with the EEAS and tomorrow we are going to see the rapporteur from the European Parliament, Rita Borsellino. We will be taking a lot of evidence, with the director of Europol and so on coming along.
None of us was present when you gave evidence to this Committee in 2004 in its inquiry after the Madrid bombings, but I think you will remember from that and from other occasions that the verbatim transcript of your evidence will be put on the parliamentary website and will in due course be published with our report. Because of this, we would quite understand if at any time there are things you’d prefer to say off the record and not for publication; just say so and we will ensure that that is given effect. As I say, we will have a couple of points at the end. A few days after we get back to London we will send you a copy of the transcript to check it for accuracy. We would be grateful if you would advise us of any corrections as quickly as possible. If after this evidence you wish to clarify or amplify any points made during your evidence or have any additional points to make, don’t hesitate to submit supplementary evidence.
If you’d like to say a little bit to start us off, that will be fine; if not, we will go into questions, but we would be happy if you did. I think you’ve met the other two members of the Sub- Committee who are here as well as Stephen Hawker, our specialist adviser, and Michael Collon, who is the Clerk of the Committee. Over to you. William Shapcott: I shall start with an introduction that sweeps up at least the first, and maybe touches on the second, of your questions. It is incontestable that each of the member 15 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen) states faces threats to its security that either have an overseas component or have a complexity to them that makes it very difficult for any single member state to respond alone. I think people have subconsciously recognised this for some time, and of course it’s what drives a lot of the bilateral relationships in terms not only of intelligence but of operation or collaboration. The security strategy highlighted that the web that joins all the member states together in this area is more complex than it perhaps first appears—in other words, that the security of one member state often depends on the approaches taken by other member states, and that there is scope to have a much more mutually reinforcing network of security collaboration. The internal security strategy was intended, first, to highlight the threat aspect of that, to make clear to everyone, or at least to reinforce with the public, the complex nature of the threat and, perhaps en passant, to remind people that member states can’t deal with these threats alone. It was also intended then to look at the areas where the Union can assist member states. For the UK, this is a delicate question. National security, rather than internal security, is the responsibility of states; one of the most important duties of a state, obviously, is to preserve the security of the state. But “internal security” is a useful term because it gets you away from national security and begins to convey the notion that they are not quite contiguous. Again, the strategy looks at ways in which the EU can help member states deal with their responsibilities. In my view, it is not an attempt to Europeanise national security; it is an attempt to identify ways in which the Union can assist. You have studied it, obviously. It has a section that deals essentially with the threat description and the notion of the complex nature of the threat. It talks a bit about common tools and policies. It provides at least a sort of stimulus to look at ways of enhancing co-operation. Although a lot of member states co- operate with a lot of other member states, the Union has brought some tools into play that could be used much more than they are at present. Europol is an underexploited instrument. The same goes for Frontex and SitCen to a certain extent. The Union has created these tools that have the potential to play a greater role. Then there is Eurojust—you can keep going through the list. They are all available and perhaps not sufficiently exploited as yet. Since the security strategy was written, I know that the commissioner whom you have just seen has started to place emphasis on one of the threats that was touched on but not developed in any great depth: cybersecurity. That is another example of an issue where there is much more that member states could do together and there is scope for the Union to help. To take one example in Brussels that illustrates that these are not just national issues, the security of the institutions’ IT infrastructure has come—for us, at least—a bit more centre stage in recent months. There was a period when member states looked at the institutions as unlikely to be of very major interest for hostile intelligence services, and they weren’t actually putting a great deal of effort into helping the institutions reinforce their security postures. Now, with the development of CFSP and the establishment of the EEAS, there is a realisation that here is a much closer joint interest between the member states and the institutions in sharing information and making sure that the Union’s policies are well founded. That immediately draws you into the situation where there is an interest in member states in seeing that this is all properly protected, and there has been a realisation in the past year or two that hostile intelligence services are rather interested in what goes on in the institutions. In a way, that is an example of an issue that previously was looked at very much from the point of view of national security—cybersecurity was a national thing to worry about—and now it is worthy of much greater attention at the EU level. Malmström is doing that, and a number of others are trying to get more attention paid to it. It is an example of something that has become a shared interest rather than purely a national one.
16 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen)
A last point and then I will stop my introduction. The breakdown in this notion that national security is something that should be dealt with only by the member states was illustrated a bit by the Swift judgment. Here we were talking about a matter—the transfer of sensitive data to third parties—which, up to that point, many member states had considered to be the sort of thing that they would deal with, yet we found ourselves in the sort of situation where, like it or not, the evolution in the treaties means that the institutions do have a role in this. So you can write into the treaty as many times as you like that national security falls within the exclusive competence of member states, but other bits of the treaty have taken you to a place where that no longer holds good. For better or for worse, the fact is that over these sorts of international agreements the European Parliament now has a role, and that role has to be taken into account. People should not necessarily be frightened of that. I work in Brussels so I might think this, but the European Parliament has a role in contributing positively to the legitimacy of some of the actions taken at EU level. If they are with an agreement, that agreement carries greater force. It should not necessarily be seen as a negative thing that there is an increased role vis-à-vis the past, or that there has been this increase in the EU’s scope to contribute and to play a role without, as I say, necessarily taking away the core competence that rests with the member states.
Q41 The Chairman: I want to follow up on your comments by asking about the dichotomy, which is often referred to, that it is one thing for member states to do certain things collectively at 27 in regulatory terms, in sharing experience and so on, but it is quite another to think of doing operational things at 27, where there are often strong arguments for saying that that is not the best way to do them. The SitCen is somewhere at the crossover between those two points, and I wonder whether you could give your own views, on the basis of your quite lengthy experience of SitCen, of how that dichotomy looks now. William Shapcott: SitCen, of course, has had no operational role so it has been limited essentially to sharing assessed intelligence with a view to producing evaluations to support policy-makers in Brussels. It has touched on the issue that you raise but that has not been a central issue. My personal view is that the member states are still a bit too coy about sharing in these sorts of frameworks. It is perfectly understandable that sensitive operational information should be shared on very limited circuits. It is not a question of nationality and limiting the number of nationalities in each area; it is simply a question of limiting the number of people that you share it with. The UK does share sensitive things with a range of nationalities, so the hang-up is not the notion of sharing with foreigners—the hang-up is the notion of sharing with lots of foreigners, sometimes in frameworks where you cannot control what every single one of them does with the information. SitCen is not dealing with such sensitive information, which has allowed it to get going, and member states have contributed reasonably well. We confronted one problem that in my time was never properly sorted out. Everyone agrees that you can share assessed intelligence about your views on a third state—what you think might be happening there if it has a programme of weapons of mass destruction, for example. That is not so contentious. But we realised that the EU is now doing operational things, and you can’t limit this discussion just to assessed information to support policy. The Union has people in dangerous places now, such as Afghanistan and Iraq, and we began to realise that the block on the sharing of more punctual operational information meant that these operations were not properly supported. Thank goodness, we have not so far had a terrorist attack on one of our ESDP missions, but a couple of years ago I tried to interest the member states in going a little further with regard to these vulnerable operations. They are what I call “operational diplomacy”—the more live negotiations where the Union was operating in one way or another by operating as a crisis management mission, or operating because High Rep 17 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen)
Solana was involved in an active negotiation, where member states knew things but were reticent about operational sharing or not sharing. We didn’t get very far. The line held pretty firmly that this sort of information was not for sharing in a multilateral framework. I don’t think people properly analysed it. In the case of Afghanistan, for example, people would say, “Ah, but this information’s all shared with NATO and your mission is in Kabul, it’s next to a NATO mission, it’s all perfectly safe”. Unfortunately, that’s not how it really happens. Information may be shared with NATO but I think you know that the state of EU- NATO relations is not good. NATO accorded the EU mission in Kabul the same status as it accorded the United Nations mission—it would be protected within means and capabilities. NATO was not able to reach agreement with us on an intelligence-sharing agreement, so our people had no solid intelligence feed from NATO and no protection beyond that which was offered through normal means and capabilities. So, in my view, it’s a gap. The model has worked reasonably well for assessed intelligence, but doesn’t work at present in the area of operational information—yet there is a need, because we have people in dangerous places and we are doing some live diplomacy in one or two cases.
Q42 Lord Richard: I want to pursue slightly the problem, as I see it, of the multiplicity of institutions working in groups, and all the rest of it, while all dealing with virtually the same point. This moves us slightly down to our questions 8 and 9, as well as our question 2. Article 72 of the treaty makes it clear that internal security continues to fall within the exclusive competence of member states. First, do you think that those provisions limit or undermine the strategy’s impact? Do you think that there will be much bilateral or multilateral co-operation between member states under Article 73? Where is it actually going to go? At the same time as one is asking oneself that, we then have the problem that COSI is now in existence. There is the relationship with COSI and COSI’s relationship with about six or seven other institutions. If one was Eurosceptic, which I am not, one would say that this is one of those things that should not happen but does, too often, in Europe. William Shapcott: It is reasonable to point out that there a number of actors and, perhaps, fair to say that COSI has got off to a rather slow start. Part of the theoretical appeal of COSI, at least, was that it would enable you to co-ordinate some of the action of all those bodies and working groups to ensure that there was not duplication. As I say, COSI has got off to a slow start. Member states have not yet made up their mind about how they want to staff or run it and it is not exerting this co-ordinating effect, so that is a disappointing point. On the other hand, in the alphabet soup of bodies that you mention here, there is a slight mix-up between bodies which are essentially for policy formulation, like the terrorist working group and the counter-terrorism group, and the CTG, which has a much more operational structure. Again, the Article 36 committee is a policy-making group, so you have a few things mixed up there. My personal view is that what we should want is essentially a permissive environment in which member states can co-operate, liberally and bilaterally, and use these European instruments when they want to.
Q43 Lord Richard: You would keep them? William Shapcott: Yes, because the CTG, which is technically not an EU structure, as they say, is valuable. It covers a range of technical operations between, essentially, operational co- operation and it provides a framework for member states to do some of that co-operation bilaterally. It provides a communications network among the services to share sensitive information. They look at best practices together and since this is spooks with spooks, they
18 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen) get on pretty well and do quite a bit of decent stuff. They have kept the EU reasonably away from that, which is legitimate.
Q44 Lord Richard: Talking about spooks, what is the Club of Berne? William Shapcott: It is bigger than the CTG. The Chairman: It is wider. William Shapcott: Bigger in subject and scope. The Chairman: Geographically? William Shapcott: No, it is not at the moment. The CTG has enlarged to 27. All of the member states are in the CTG. The Club of Berne is, I think, still hesitating over a couple but the scope is larger. It was originally intended for counterintelligence—all the classics: counterintelligence, countersubversion and counterterrorism—and it sort of farmed off counterterrorism when the CTG was created.
Q45 Lord Richard: It is not part of the Community? William Shapcott: No, absolutely not. The Norwegians and the Swiss are in both the CTG and the Club of Berne. I think that the Club of Berne has about 26 at the moment and the CTG 29 with those two. Anyway, the CTG does some concrete stuff. Europol, as I mentioned earlier, is in my view an underexploited tool. It does some quite respectable operational work and could do more if people engaged with it more. Frontex is—I do not know if you have visited it—a rather lean and, by EU standards, quite effective structure. It got going rather quickly and has been involved in quite a lot of quite successful co-ordination of operational activity. It does a very good job of analysis. It has a very good idea, through its work, of what the flows are. It is very good at sharing what member states learn about particular methodologies and providing a framework for sharing. What I'm trying to say is that in the alphabet soup, you essentially have two tiers. You have an operational tier, which works rather well. It could do with a bit of co-ordination to make sure that there are no overlaps or duplications. Then you have the policy sphere, which is mainly the groups you have listed there yet, as I said, we do not yet have perfect order and co-ordination. But member states themselves are both the agent of and the barrier to enhancing that co- ordination. As I say, the member states have not fully sorted out how they want to be represented in COSI. There is not a consensus on quite how people see it operating, so it has not played this role yet.
Q46 Baroness Eccles of Moulton: You talked quite a bit about co-operation. This is more about specific international relations and co-operating with the US, particularly, Russia, China and India and how that will be fostered by the new internal security strategy, which is obviously extremely important. I am presuming that it will be a carry-forward of the sort of co-operation that already exists with those states, but now that this new body is being set up it is something which has to be carefully looked at to make sure that advantages are gained and existing areas of co-operation maintained. William Shapcott: As we perhaps have seen in recent days in terms of how the US sees other countries and organisations, they and other third parties make cool, cold calculations about the most efficient way of doing their business. On some of these issues, I am sure that they calculate that the most efficient way is to do it bilaterally. The US now has a reasonably good idea of how the EU works and has worked out that, on certain issues, it has to deal with the institutions. If you read Vice-President Biden’s speech, which he made in the 19 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen)
European Parliament about a month after the SWIFT deal was first blocked, he was emollient in his treatment of them. The more astute third parties, certainly, work out where they can work with us and in some of these areas, particularly legislative areas, their conclusion is that they are working with the EU. Because, as we have discussed, the EU is not involved operationally, the US does not try to engage with the EU operationally. That is probably the right judgment, 99 times out of 100, except for those very few occasions that I just mentioned where the EU is doing something operationally and where they cannot work out how to play it. I have personal experience in the case of Georgia, for example, where the EU has a mission. It knows lots of things which it could probably quite usefully share with the Americans, but the Americans will not get into a relationship with the EU over a subject like that because the US is in a number of rather intimate relationships with member states. I think that they miss a trick; the EU has 300 people on the ground in Georgia. It has had many of those since the end of August 2008, so it has a lot of ground information and ground truth.
Q47 Baroness Eccles of Moulton: What sort of capacity has the EU in Georgia? William Shapcott: There is an EU monitoring mission, which drives up and down the administrative boundary line between Georgia and South Ossetia and Abkhazia. It goes across from time to time and spends a lot of time talking to Russians and Georgians, so it has something which spy satellites cannot wholly cover. Q48 Baroness Eccles of Moulton: And is it equally welcomed on both sides? William Shapcott: It is not massively welcomed on the Russian side. Baroness Eccles of Moulton: But it is tolerated. William Shapcott: It is tolerated and it has achieved some effects. After 2008, there were some areas where the Russians did not pull back and, through rather long but determined and persistent diplomacy, the Russians have in recent months moved out of areas and properly withdrawn behind the boundary line. This is an operational activity of the Union which is a bit more complicated for third states to relate to, because of this essential split which they have between the legislative, where they will deal with us, and operational matters, where they tend to deal with the member states. It is the EU’s ambition to go further in its relationships in this area with some of the other countries listed—Russia, China and India—and perhaps one that was not mentioned, Pakistan. Yet with the exception of Pakistan, it has not really got very far. We have rather empty discussions with the Russians. I would say that the most fruitful area of co-operation after the United States is with Pakistan. The EU is helping and has had a number of assistance programmes to help Pakistan from which you do not get operational information, but that is not really the purpose of the exercise.
Q49 The Chairman: How will SitCen operate? What will its new position be within the EEAS framework and how will that affect its role in providing situational awareness and threat assessments for the internal dimension of EU security, in addition to its existing external role? That is: how is it going to change and adapt, et cetera? William Shapcott: Good question. I think that this was one of the biggest worries over the last 18 months. One positive thing about SitCen was that it brought together a range of information stakeholders, particularly military and foreign intelligence services and security services, so it was a bit like the JIC or the assessment staff but in a more modest way. It was able to produce all sorts of assessments covering the whole picture, so if you were looking
20 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen) at Al-Qaida you did not stop by looking at it just within your own borders or outside your borders, it was looked at as a whole. The worrying thing as Lisbon approached was in how to make sure that that was not damaged, because everyone realised that with the creation of the EEAS, although it was intended—and I am sure that it will work—to increase the coherence of our external action, to a certain extent there is a disassociation of that external action from some other spheres of activity, so a boundary line risked being created between external and internal. Wherever you put the SitCen—if you put the SitCen in the EEAS, you have to work back to your customers dealing with the internal; or, you split the SitCen, but that was not a very good idea; or, you leave the SitCen in some other structure where one of its main customers would of course be the External Action Service—there was no neat answer. A decision was taken, probably because the bulk of its work is in the external area, to put it in the EEAS. When the member states agreed to that, in the documents doing it they made it clear that it was to continue to provide its services to the other bodies of the Council, to the Commission and to the President of the European Council, so the SitCen has now—and has had for some time—on its distribution lists all of the actors in the other bits of the institution who have a need-to-know for its particular reporting. If it is writing a report on the Iranian nuclear programme, it will send that to a few customers outside the EEAS—not so many—but if it is writing about the threat posed to transport infrastructure inside the Union, it will send that widely to people in the Commission, to the JHA Council and to its subsidiary working bodies. The mechanical steps have been taken to preserve this capacity to work for the other structures, but of course, information-sharing is not just about mechanics. It is about confidence and understanding, and it is a bit early to see whether its organisational placement has any effect on that. By the time I left it, I had not noticed any change in the volumes coming in on the different channels, but it is something that the new management and the High Rep will clearly have to be careful about. The High Rep, Baroness Ashton, has already met a number of heads of service and not just those covering external issues. She has met a number of heads of security services, which is a good thing, to reassure them that the role of the SitCen in working both sides of these questions should be maintained. Q50 The Chairman: Is it the case that the Commission’s rather small capacity for doing this sort of work is now being rolled up with the SitCen? William Shapcott: The Commission has always had a fantastic PR for what it does. The Commission has a crisis room of six people in the RELEX Directorate-General, which did a rather good job in the open sources field and Baroness Ashton's plan is to amalgamate this. It is a win-win, as they bring some skills which are not in the SitCen, so I think it is a good decision.
Q51 Lord Richard: How effective is SitCen likely to be in supporting at least the counterterrorism strand? William Shapcott: You should be asking other people as well. Lord Richard: We probably will. William Shapcott: As we have sort of touched on, this sharing exercise is not intended to have one member state expose its crown jewels to another. In this area in particular, it is about ensuring that everyone has a common understanding of the threat. It is actually rather helpful. You can roughly divide the member states into three groups: those who are threatened and who really understand it. The UK is clearly in that group, and the Germans and the French are as well. Then there is a group that possibly is threatened but maybe 21 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen) doesn’t properly register it, and then maybe some that aren’t terribly threatened. The last group is probably rather small nowadays. A structure like this – and it’s not the only one; the CTG definitely plays a role – is a useful vehicle for passing what the first group have learnt already about the threat to the others. For example, the SitCen was writing papers about Pakistan and the threat from violent extremists living in Europe with links to Pakistan. The first group generally understood that; the second group said, “This is a British problem – don’t tell us that Pakistan is going to be the next major source of trouble”. What has happened over the past two or three years is that several countries not in that first group have found that they have had problems that have either derived from a small community with some Pakistani origin or strong links to Pakistan or with people who have been going backwards and forwards to Pakistan, gaining knowledge and experience and coming back with the intention of mounting attacks or at least providing logistical support. It wasn’t taken so seriously at the time, although we pushed it. For several years, we thought that we were a bit ahead of the game in trying to drive home to people what the first group were telling us by giving it more circulation to make the others wake up a bit to this threat. Some of them did and for some of them it had to happen before they woke up. That is an example of how you can help and will be able to help. It will not stop a single attack; no SitCen report will stop a single attack. That is not the purpose. It is to make people more sensitive to new directions of threat. The same applies with new technology. The most threatened member states will probably be the first to confront evolutions in terrorist methodology, modus operandi or technology. Again, you need a platform – and SitCen is perhaps not the only one – where that information is rapidly brought to the attention of others, and there are operational platforms that do that too. I will perhaps make one final point: when a member state learns of a new modus operandi and a new bit of technology, it often transmits this across the operational sharing platforms, but the connection is not always very good in member states between the operational actors and the policy actors. It is worth transmitting this across policy networks, because they are the people who can take decisions to change the approach at airports and perhaps decide to invest in new forms of detection technology. I do not know if Commissioner Malmström mentioned this, but one thing that the Commission did before but which was hinted at in the internal security strategy is investment in security research. Frattini was particularly interested in having good access to our material, because he was alert – he had the money for security research and wanted to be cued on where to put research money. So he wanted to know about the threat so he could ensure that the research money went in the right direction.
Q52 Baroness Eccles of Moulton: Presumably, the way in which SitCen works with the EU, the CTC and the Council through the Home Affairs Ministers is constantly evolving because it will be influenced by external circumstances. Part of this has been explained already, but what is of interest to us is how SitCen currently works with the CTC and the Council through the Home Affairs Ministers and how much the relationships have been affected, first by the entry into force of the Treaty of Lisbon and also the implementation of the ISS. William Shapcott: On the last point, I think it is still a bit too early, but perhaps I should come back to that. The Union has a lot of strengths, but it has a number of weaknesses as well. The evolution of our relationship with those bodies to a certain extent depends on presidencies. There have been presidencies where we have had a really quite close relationship and presidencies where it has been more distant. That depends on a lot of things – on the groups that I mentioned earlier, because presidencies from member states that are threatened really understand this and want everyone else to understand it. Then they might be from a member state that is not so concerned. Also it depends on how 22 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen) presidencies staff their structures. If you look below the level of the Council at groups such as the Article 36 Committee, you can go around the table and find policemen and senior officials, and you might find someone from a security service. Depending on whether they are in the presidency to a certain extent varies their agenda; do they have an agenda with a more legislative quality to it, or one with a more substantive quality? Do they want to talk about the issues and then talk about what measures they can take rather than necessarily looking straightaway at a piece of legislation? You can chart the relationship by presidencies, to a certain extent. This brings new energy from time to time, but it also brings frustration for an organisation like SitCen.
Q53 Baroness Eccles of Moulton: I would have thought exhaustion. William Shapcott: Perhaps. On the external sphere, the permanent presidency will in some ways make life simpler. Coming to Lisbon, in the area of the ISS, that does not change very much. In a way, COSI could be considered an attempt to get away from a strict policy in relation to the approach and to inject a slightly more operational component. Again, some of this was done from time to time under certain presidencies. I can recall some awful Article 36 Committee meetings and awful presidencies, when no value was added during a presidency and others when a great deal was added. With any member state, if you have a problem in government and tackle it properly, analysing it and looking at the range of possible responses, that might some lead to legislation and some operational activity. Some member states have brought that approach to the Union. I particularly remember the French were very hot on recruitment and radicalisation, so they used a lot of these bodies to have discussions about the problem – analysing it, observing it and breaking it down into its component parts – and then about what tools were available, such as a joint manual developed by three member states on how to deal with radicalisation in prisons, which was a French initiative. COSI could step into that, if people made the necessary commitments in terms of their delegation and finding the right sort of people to do it. But it’s not there yet; it’s slightly operating as an alternative Article 36 Committee.
Q54 Baroness Eccles of Moulton: And the French would have been driving it through their presidency. William Shapcott: They were certainly bringing the full spectrum of discussion to the various bodies.
Q55 The Chairman: Do you expect SitCen to develop a bigger role and a more integrated approach to early warning and crisis co-operation functions, including disaster response? William Shapcott: I am not sure. We place perhaps too much emphasis on the SitCen. I do not think that the Union has decided how it wants to manage its response to crises. In responding to Baroness Eccles’ points, I forgot to mention one thing. You mentioned external events; this depends on external events as well, and the way the agenda changes if something happens. That is the case with disaster prevention as well, or disaster response. I don’t think the Union really has a settled view on how it wants to organise itself; there is the question of the balance between the work done centrally and the work done by member states; there is the question of whether the Union can do more than be a turntable for information for member states’ assets or whether it can have assets of its own that can contribute to disaster response. Those issues are in flux. For example, the member states had something like 2,000 civil protection workers in Haiti within five days, and they had quite a lot of military assets in the field only a few days thereafter, yet in Brussels everyone was 23 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen) saying that the EU response to the disaster had been a disaster. That sort of illustrated that at that moment there was a political expectation here and in some member states that all these things should be presented as delivered by the EU, whereas the effect on the ground is probably not very different whether they are delivered by the EU or nationally. So this ebbs and flows. After Haiti, everyone runs around thinking that we need a much better EU answer to disasters. Haiti is now a year behind us and that has gone off the boil a little bit, although I think the Commission will come forward soon to refresh the subject and look again at the EU’s role. The SitCen and a couple of other actors bob along on these waves and, when I was there, my view was that we should not be driving this but we should be ready to offer assistance and ideas to the market, depending on where the market has settled itself. My personal view is that, given that many of these assets are rather important to member states for their own civil protection disaster response, or with military assets, that they are never going to move to a situation where there is European command and control. My view is that it will always remain at an information turntable type level. But others are more ambitious. You are presumably familiar with the Barnier report; others feel that the EU needs a crisis response capability of its own.
Q56 The Chairman: Taking a specific example, do you think that the SitCen will get involved in any way in early warning at the time of the Olympic Games? William Shapcott: It is possible. We have tried to avoid punctual events, because we are not built and equipped for it. As I said earlier, the information shared with us is generally not designed to help with that sort of warning. SitCen can write a respectable analysis of the overall threat in Europe and the types of features that it has, but it will not help you much in judging what next week’s threat in Paris or London will be. There are other people better placed to do that.
Q57 Lord Richard: I think that I have dealt with most of the COSI points that I wanted to make. Perhaps one more. How do you think we should judge COSI’s success? William Shapcott: I think that it is too early, to be honest. It is a terrible thing to say, but we talked about external events, and big evolutions happen generally in response to big external events – and there hasn’t been one for a while. So it has lost a little bit of attention.
Q58 Baroness Eccles of Moulton: And of course we are talking about terrorist events, not natural events, because there have been plenty of them. William Shapcott: Yes.
Q59 Lord Richard: Listening to what you have been telling us today, which I must say I find extraordinarily interesting, what you are really saying is that it is almost by a process of natural accretion the functions of the SitCen are going to inevitably expand. I suppose that if you look at it bald-headedly and you say that the SitCen should take over responsibility for the whole thing, you lose something. This is what Beatrice Webb called the inevitability of gradualism. William Shapcott: I am still not so sure. Actually, on disaster response, as the SitCen moves into the EEAS, one thing is clear. The SitCen’s role as an assessment centre will be looking at foreign policy challenges, terrorism, counter-proliferation. It won’t change very much. The other things that SitCen has done are really for the High Rep to choose, in collaboration with her Commission counterparts. There is a commissioner who is responsible for disaster response—Commissioner Georgieva; I don’t know if you will have
24 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen) the chance to see her—and she and Baroness Ashton, at the time of Haiti, developed a sort of modus vivendi, whereby Georgieva deals with the response to the disaster in the field of humanitarian assistance. You have a very interesting comparison between the Haitian and the Chilean earthquakes. The Chilean earthquake was regarded as a purely humanitarian issue. Georgieva led the response without any other actors, let’s say. Haiti was considered to be a more complex event, with more political components; the use of military assets; the role of the US at the time was particularly important; and there were diplomatic elements to it. The model that they worked out between them, which fitted into the little bit of doctrine we had already, was that Georgieva also continued in Haiti to lead on the humanitarian aspects; but the overall approach was for Ashton. This was worked out partly between themselves, partly as a result of Barroso’s clear indications to them—because the Commission was in transition at that point—and partly because it was roughly what the existing doctrine was. If we had a Haiti or Beirut again, you would find the same thing. Ashton, the High Rep has the opportunity to judge that this is a complex overseas disaster or event, and that therefore she needs to step in with a co-ordinating role, whilst leaving certain Commissioners—obviously Georgieva in particular—to run their particular parts of the dossier. That is a reasonable model, which leads to the question of where the SitCen fits into all this. Georgieva is going to reinforce the structure they have, the MIC—the monitoring information centre—which is the centre which has primarily dealt with civil protection assets and dialogue with the member states to co-ordinate their employment. The SitCen has never been interested in that—this is where the doctrinal background comes in. The SitCen took, let’s say, the higher view, which was, “That’s one component of the response. We are going to track the other components and serve this up to whoever is ‘in charge’”. We worked that through Haiti, so we were actually involved a little, as a small military cell, we did a little bit of co-ordination on the military aspects, we worked with the MIC, we had a lot of dealings with the Americans, and this was all packaged up as a tool for Ashton. Ashton has to decide on precisely how the service is going to be organised. You probably observed that she has recruited at a high level an interesting guy, a chap called Agostino Miozzo. He is going to be a managing director and a member of the corporate board of the EEAS. He has been the head of the Italian civil protection organisation for the past 10 years. He is a doctor and has enormous experience in responding to reasonably complex disasters. Baroness Ashton met him in Haiti, where he was co-ordinating some of the Italian response, which had military, civilian and police components to it. That is a pretty clear signal of intent that she wants to be interested in this broad aspect of disaster response. She is not going to do tents or water purification; that is for Georgieva and ECHO (European Commission Humanitarian Aid Office), but when it is a complex situation, she wants to be there, and Miozzo is the go-to guy for that.
Q60 Baroness Eccles of Moulton: Can I ask a related question? You mentioned Beirut, which is mixed with politics and disaster. That immediately makes one think of an ongoing disaster, which is Gaza. Presumably that is completely outside anything to do with SitCen. William Shapcott: SitCen was very interested in being able to describe the situation in Gaza in a high degree of detail—who the main actors were, what their relationships were, how smuggling functioned and so on. Since then SitCen has been interested in Gaza and has provided that sort of information to Dr Solana, Baroness Ashton, their teams and the member states. We had a rather respectable picture of what was going on and how things worked. But we do not do the policy.
25 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen)
Q61 Baroness Eccles of Moulton: No, but it would be advantageous to both the High Representative and, and on the humanitarian side, to Georgieva. William Shapcott: Yes.
Q62 The Chairman: Can I ask you about COSI? You say that it has got off to a slow start. That is certainly what we also heard from Commissioner Malmström. Do you think that the slowness of the start is due to it not having a clear enough remit, which needs clarifying? Or do you think that the wrong people are on it? Or do you think that there is not a very proper understanding of how COSI should mesh with other things? To what extent do you think that this needs to be remedied, or ought it to be more consciously involved in co-ordinating a lot of the other groups? William Shapcott: I do not think that this is something that anyone in Brussels should be very proud of; and you have worked here. New committees often have a hard time, because the old committees are still around. Deciding the terms of reference of the new committee often also partially falls to the new committee. I saw this when the Political and Security Committee replaced the Political Committee, for example. Part of COSI’s difficulty relates to that—that its parents or godparents are still around and want to keep some work for themselves. That is part of it. We have not had an external driving event, either, which would help. COSI has a broad range of subject competences, which does not help. Member states are represented by a wide variety of police, justice, customs, diplomats, Home Office officials and so on. And that is not within one delegation. There is one delegation and another. So that does not create cohesion. A lot of this could change with an external event, or with an individual who drives it, such as a particular commissioner, or if you have six months of a presidency which feels very passionately about this. Then you could get it going; but one of those things needs to come about.
Q63 The Chairman: By external event, you mean an event external to the Committee, not external to the European Union. William Shapcott: I mean a real-world event. The Chairman: It could be a Madrid or a London or whatever.
Q64 Baroness Eccles of Moulton: Otherwise could it fizzle out? William Shapcott: No. That is another thing you learn; these things never fizzle out. I think the CATS, the Article 36 committee, will fizzle out naturally. I think that COSI will work, but it will take something to spark it into life.
Q65 The Chairman: So it is more a role in search of a committee, rather than a committee in search of a role. William Shapcott: It is certainly not a committee in search of a role, at the moment.
Q66 The Chairman: Thank you for that. Can I ask you about the European arrest warrant? In your position at SitCen, in observing how counter-terrorism has developed and so on, what sort of role do you think the existence of the EAW has played in this area? Of course, it is not exclusively about counter-terrorism, but there have been very high-profile occasions. Do you think that the role of EAW has been important? William Shapcott: I am conscious that it is a rather sensitive issue in the UK and maybe in one or two other places. In a concrete number of important cases it has been very useful— for example, where people have been suspected of involvement in a serious terrorist offence, have fled the jurisdiction, and have been successfully found and returned to be 26 William Shapcott, Former Director of the Council Joint Situation Centre (SitCen) brought to justice. This has happened in a number of cases, and that is very positive. It is perhaps unfortunate that the EAW is getting slightly wider application than perhaps its original drafters had in mind, which creates a slight risk of devaluing the instrument, I think. The Chairman: Do we have any more things before we go off script for a minute or two? Baroness Eccles of Moulton: No, I think we’ve done pretty well, really.
27 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon
David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon Oral evidence, 7 December 2010, Q 67-102
Evidence session no 3 : heard in public
Members present
Eccles of Moulton, B Hannay of Chiswick, L (Chairman) Richard, L ______Examination of witnesses
David O'Sullivan, Director General for External Relations at the Commission; Erik Windmar, Member of Commissioner Malmström's Cabinet; Lars-Gunnar Wigemark, Head of Security Policy, DG External Relations; Stéphane Chardon, Administrator, DG External Relations
Q67 The Chairman: It is very kind of you, Mr O’Sullivan, to allow us to come and seek your views, which are important to our inquiry. We have just started our inquiry on the EU's internal security strategy. The centre of it is the Commission's document on the strategy that Cecilia Malmström produced about three weeks ago and of course the Council’s Decision last March on the broad outlines of the strategy. This session is being transcribed verbatim. The evidence that we take will be put on our parliamentary website and in due course published as an annex to our report. Shortly after we go back to London, we will send your officials a copy of the transcript to check it for accuracy. It would be helpful if you could tell us of any corrections as quickly as possible. If after the session you wish to clarify or amplify any points made during your evidence or have any additional points to make, please do not hesitate to submit supplementary advice to us. I am sorry for asking such an idiot childish question, but it would be a great help to us if you could start by explaining what the role of Chief Operating Officer of the EEAS means. What will your task be in future? That will help us get a fix on these things. Obviously, what we want to talk to you about is the way in which the EEAS will integrate with the internal security strategy; how it will affect it and help it etc. At the start could you say little about your role as Chief Operating Officer and what exists above you and below you? We are a little low on the learning curve. David O'Sullivan: In answering your question, perhaps I can clarify things for myself as well. Thank you for reading me my rights. I am familiar with the work of the Committee. By the way, we are always impressed with the work of the House of Lords Committee. The reports that you do on European affairs are highly respected throughout the house.
28 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon
My role as Chief Operating Officer in the European External Action Service is a role that I will take over on 1 January. You are actually speaking to me in my capacity as the last Director General for RELEX. I have been doing this job for 6 weeks starting on 15 November, and at one minute past midnight on 31 December I will be mutated into the Chief Operating Officer of the new External Action Service along with all the rest of the Commission staff who will be transferred en bloc from the Commission to the EEAS, as will be the Council Secretariat.
Q68 The Chairman: Yes, we saw William Shapcott yesterday and we talked a bit about that transition. David O'Sullivan: So for the moment I am wearing two hats. The role of Chief Operating Officer is one that has as its initial focus the setting up of the service and the management of the administration and budget personnel. But it is also intended that, together with Pierre Vimont, the Executive Secretary General, we will jointly manage the policies and policy advice to the High Representative. We are still working out the details of what we call in Brussels parlance the organogram - the organisational structure of what will be a unique new structure. It will bring together staff from three sources: from two parts of the Commission, (DG External Relations and the geographical desks of DG Development) and several parts of the Council Secretariat that William will have explained to you (the policy unit, the DGE and the civilian SitCen and the crisis management side of things). Also, of course, there will be a substantial input of national diplomats, some of whom are currently being recruited as heads of delegation. We have just had a new batch of 30 heads of delegation appointed of whom a significant number come from member states. We are in the process of recruiting headquarters staff, which will also include some from member states. We are trying to figure out how this new organisation will be structured and how it will function. We have given a commitment to the staff to try to produce an organisational structure before Christmas so that when people go on holiday they have some idea of how they will fit into this new organisation to which they will be transferred on New Year's Eve, when they return to the office on 3 January. I cannot be much more specific than that at this point. The senior management team has been appointed with Pierre Vimont as Executive Secretary-General, me as Chief Operating Officer, Helga Schmid as Deputy Secretary General and Maciej Popowski as the second Deputy Secretary General. One of the first things that the High Representative has asked us to do is to work out how we should put this new organisation together in the most effective way possible. However, inevitably, the initial structure will be provisional. We will say so explicitly, and then give ourselves six months or so to see how it works, to talk in more detail to people and to allow adjustments some time in the summer. We hope, fingers crossed, that we can move into a new building in that kind of timeframe and finally bring everyone together because, for the time being, necessarily everyone stays where they are, so we have people scattered across many buildings, which is not very satisfactory. We certainly will not be able to integrate all the different components into a common structure until we are in the same building. That is another reason why we will allow ourselves some time to reflect on the working of the provisional structure and then finalise it when we enter the new building either just before the summer or probably, knowing the way that building projects go, just after.
Q69 The Chairman: Thank you, that is really helpful. Of course, we are not making an inquiry into the EEAS at all, as I am sure you understand. It is just that we need to 29 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon understand slightly better. Our inquiry is about the internal security strategy. It would be a real help if you could start with what you in the EEAS regard as the key issues of the internal security strategy: the five points that were set out in the communication that Cecilia Malmström put forward to the Council which was discussed in the Council last week. How will the EEAS fit in to that action plan? What will your priorities and goals be in this first initial phase of the EEAS to interface with the work that is going on in the Commission? Please supplement that answer from your own resources. David O'Sullivan: Firstly, this is part of a broader question of how the EEAS interfaces with the Commission, which is not fully clarified yet. The EEAS will be created as an autonomous structure outside of the Commission. But we are all clear that it will need to work very closely with the Commission on many different things, not least because the Commission no longer has an external relations component in-house. It will need our advice and we will need the Commission’s. We will need to input to Commission policy-making because, as an External Action Service we are not in ourselves creating new policies, but we will be in support of policies that are being developed either by the Commission or the Council. Frankly, those are questions to which we do not have perfect answers today. We are actively engaged in discussions with Commission colleagues as to what are the precise mechanisms by which we will co-operate and be inserted into the decision-making process of the Commission. I will take two examples. In the case of development policy, the EEAS decision sets out a relatively clear way in which the EEAS relates to DG Development which will remain in the Commission. Enlargement is another area where there is substantial overlap, which has to be managed because there will still be an enlargement DG and an enlargement Commissioner.
Q70 Lord Richard: Will there still be a Commissioner for Development? David O'Sullivan: Yes.
Q71 The Chairman: And one for enlargement? David O'Sullivan: Yes. A good deal of thinking has already gone into the interface and the decision setting up the EEAS provides some guidance. To be very frank, in the other policy areas, whether it is justice and home affairs, climate change, energy security or transport policy, where there are clearly important external dimensions, we have not yet fully worked out the working methods by which we will on the one hand contribute to the development of those policies and on the other hand help the DGs concerned manage the external dimension of what they are doing. The home affairs issue and the internal security strategy fall into that category. I cannot this morning present you with a fully developed working model of how this will work. There are some colleagues here who represent Commissioner Malmström’s office, and they may wish to comment. I can say in a preliminary way that this is classically a case where you need joined-up policy- making between what we are doing internally and externally. The interfaces are numerous. International crime, counterterrorism, cyber-security, border management and disaster management are all areas that have a strong internal/external interface. We will clearly need to co-operate very closely with our colleagues in the Commission in managing this interface and seeing how we can ensure that we are mutually supportive. Obviously, it goes without saying that we have signed up to the policy objectives. The High Representative is also Vice- President of the Commission.
Q72 Lord Richard: Do you think that that is a sensible thing? 30 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon
David O'Sullivan: I think it is. I was in the convention where this idea developed. If we had institutionalised for very much longer a separation between the High Representative and a Commissioner for external relations, or call it what you will, there was a risk of significant divergence between the two institutions, and in particular, the creation of an alternative executive capacity within the Council of Ministers. That would inevitably have grown and indeed has grown considerably. When I look at what we inherited from the work of Javier Solana, it is considerable. What Mr Solana managed to achieve with his colleagues in the Council Secretariat was remarkable. It had become a growth industry with several hundred people managing projects, managing crisis management on the ground and managing missions. Frankly, there would have been a risk in my view if we had not sought to bring together as we are now doing in the EEAS in a single structure under a single political authority of the High Representative and Vice-President. There would have been a risk at least of turf battles, daily rows about who did what and possibly open hostility between the two sides of the street because of the way administrative cultures tend naturally to diverge rather than converge once you set up bureaucratic structures.
Q73 The Chairman: Presumably, the Commission’s overseas offices—which are, after all fairly numerous; there are 130 or something—have absolutely no capacity in some of the areas you are talking about as they are currently constituted. They do not have a capacity to do, let us say, the homeland security aspects. They need to adapt quite considerably to take on policies which were previously member state policies from the Council, but which are now going to be dealt with in single, joined-up way. David O'Sullivan: It would not be true to say that they have no capacity, because a number of delegations are already dealing with the interface of these issues. But I think it is true to say that these delegations were Commission-centric. They were Commission delegations and focused on doing the work that the Commission required of them, which in many cases, particularly in developing countries, was about managing money and projects and so forth. I would not underestimate the extent to which Commission delegations were also playing an important policy role and were certainly covering the full spectrum of policies emanating from the Commission, including justice and home affairs. It is clear that we are going to see a change now, because these are of course EU delegations. They take over the role of the presidency in third countries. This is very striking. By the way, I think it has been a great success, if seldom commented upon. We talk about the External Action Service being created on 1 December and having been in existence for six days but, in fact, the reality on the ground in third countries has been that our delegations have taken over the role of EU delegations, chairing all the co-ordination meetings and making the demarches. This has frankly been a quiet revolution which has gone extremely successfully with, I must say—and it could not have happened without this—great co-operation from the member states. The esprit de corps and the sense of common purpose that we have witnessed in capitals all around the world have been quite remarkable. It is already a success. Of course, Lord Hannay is absolutely right that we will have to beef up the capacity of these delegations to deal with issues that were not always the top priority of Commission delegations: political reporting, political co-operation and co-operation in areas other than development or trade, or the classic core responsibilities of the Commission. Of course, justice, home affairs, judicial co-operation and what is covered in the internal security strategy will be an important part of that. This is part of our medium-term project on how we equip our delegations to cover the full spectrum of policies, perhaps in ways that they would not previously have had to do. 31 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon
The Chairman: Thank you. That is really helpful to start us off.
Q74 Baroness Eccles of Moulton: Before we move on, can I ask a quick question about the relationship between the EU delegations and the third-country embassies or representatives, or whatever they have had? Presumably there is a big range of existing bodies, such as embassies, in the third countries that depends on the size of the member states’ presence. Some will be highly developed and very sophisticated, and others will be almost embryonic in size. Is there therefore a big difference in the relationship between the EU delegations and whatever exists already in those member states? How is that going to be dealt with? David O'Sullivan: Well, you’re right. There is a huge diversity across 27 member states and 125 countries. It is clear that in some capitals—Washington or Beijing—you are quite likely to find nearly all member states seriously represented. Of course, the larger member states with extensive diplomatic networks—the UK, Germany, France, Italy, Spain, Poland and so forth—will have substantial presences, and indeed have had for hundreds of years. Other countries, which are newly emerging after the collapse of the wall, have got more recent embassies, less deep roots and fewer people. Equally, you may find in some of the African or developing countries only five or six member states present. One of them probably had a colonial link to the country in question, and therefore a very substantial presence. Others may be there for other reasons. In the latter case, the Commission delegation already played a very important role, particularly because development and trade were probably two of the key topics. Therefore, the EU delegation already had an important federating role among the other member states. If I take Washington as the other example, it is clear that this is an important diplomatic base for all our member states, and they will continue to be bilaterally very active. Those with deep roots and connections to the United States will continue to want to pursue them. None the less, it is interesting that member states’ ambassadors there see no incompatibility between having a strong bilateral role and presence with improving the co-ordination and co-operation between EU delegations, and other member state delegations under the auspices of the EU delegation. That was already happening under the presidency. It used to be that the presidency would convene monthly meetings of heads of mission, where they would discuss issues in common, share information and discuss joint approaches to certain issues. This is now happening under the auspices of the EU delegation and not the rotating presidency. That is the single biggest change. As I say, it has been a pleasant discovery that this process has gone very smoothly and positively. It has been well received by the third countries. Everyone agrees that it adds value without in any way compromising the traditional bilateral contacts that all our member states will wish to maintain with these third countries.
Q75 Lord Richard: You said earlier on that the interface between the European security strategy and the internal one had not really been worked out. Could you give us some of your thoughts on that? David O'Sullivan: When I say that it has not been worked out, we are a new creation. We have not yet fine-tuned all the bureaucratic measures, by which I mean what working groups of the Commission we will be invited to or some of the structures of the COSI. These are not yet formalised; I imagine that we will participate in this group, but we have not actually finalised all of these details. That is why I say that we have not fine-tuned the plumbing of the contacts. 32 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon
It is absolutely clear that we need to be well informed about the internal developments, and to bring to that discussion our knowledge of what is happening externally. That is generally our role: to advise people who are planning something internally, “You should be aware that what you are thinking of doing internally might have this or that consequence externally”. Then we need to be able to help project externally what we have decided to do internally and to be able to explain that to third countries, and to key countries with whom we will wish to interface. Now, as in any national situation, we will have to find ways of dividing labour between the legitimate desire of our justice and home affairs colleague to have direct contacts with their international counterparts and the fact that we will also wish to be informed of those. That is a tension that all our national Administrations have to manage. The days of saying that the Foreign Ministry is the exclusive channel of communication with foreigners is long gone. We are certainly not going to advocate a return to that. So we will also have to manage good collaboration between us so that we know what contacts justice and home colleagues are having, and can be supportive of that. Equally, when we are having contacts on similar subjects, we keep them mutually informed. To be frank, in the end it comes down to a very good flow of information so that everyone knows what they are doing, and so that we have at the disposal of the policy-makers here in Brussels the maximum intelligence and understanding about the implications about what we might wish to do in our internal security for the external interface.
Q76 The Chairman: Presumably, the third-country missions in Brussels, from the Americans downwards, are in the process of adjusting to this new state of affairs, too. They will build up rather more complex links with the new service, as you would expect because they carry out much of their diplomatic activity here rather than there. That is the normal practice. David O'Sullivan: Yes. For the missions present here, the situation does not change that much. We are all already here doing what we do. The fact that we are brought together in a single structure and, hopefully, a single building, may help rationalise the work and make it slightly easier for the diplomats who are trying to interface. They do not have to rush to the Council building and then come back over to RELEX. We can provide a one-stop shop, if I may say so. It does not change that dramatically for someone who is here interfacing with the Brussels- based people. We are all still here. We are simply assembling in one structure people who are already here and working. One can hope that we do more than a cut and paste of bringing people together, which is the first step. But then you develop synergies and new dynamics as a result of that, which we cannot fully predict at this point but which will, two or three years from now, show that bringing people together in this structure adds value in terms of the synergies we create between what were previously disparate operations.
Q77 Lord Richard: As far as the ISS is concerned, do you see yourself basically in a supporting role? David O'Sullivan: Yes. I want to be cautious about what I promise that the new service can deliver. Let’s start with the supporting role. I hope that we can be a bit more than that. What is our ultimate value-added to the system as a whole? It is to give people reliable advice about how the outside world sees what we are doing or is likely to react to something that we are thinking of doing, or how we could better relate to the outside world by doing some things differently. We are a sort of crossroads, if you like, where we try to manage the interface between what the EU is doing domestically—to use that term 33 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon crudely—in terms of setting the internal market, internal security, financial regulations and all the things we are doing internally, and the interface internationally. This is classically what a foreign service tries to do: to provide on the one hand accurate intelligence about how people outside perceive what you are doing, or the expectations they have, and on the other hand selling to them things which it has been decided to do internally and explaining why this is not threatening or unhelpful, but can in fact work well. So we are in fact the lubricant in the system between the internal and external. But we have to be realistic. There will be direct contacts between the different internal parts of the system and the outside world, as there must be. The important thing is that we have that overview and can then provide the best advice and policy recommendation based on that overview.
Q78 Baroness Eccles of Moulton: We have already touched on the relationship between the developing EEAS and third countries, but the internal security strategy is also still in the process of being developed. There already exist bilateral relationships between the EU and, for instance, the United States. Can you see any way in which this particular relationship can be affected by the development of the internal security strategy on the one hand and EEAS on the other, and whether those sorts of relationships can be usefully fostered between other countries, such as India, China, and so on? Or is it early days for saying very much on that? The Chairman: Just to add to that point, we are all aware that some member states have extremely developed bilateral structures in the internal security field, quite naturally. The question is how you are going to relate to those, and avoid a situation in which you are dealing with a kind of empty shell and a lot of the substance is continuing to pass down the bilateral relationships. David O'Sullivan: I fully accept that it is a bit specific when you get into the substance. Let’s be honest, it is not the same as other areas. Fundamentally, however, the principle we have always applied in developing European activity relative to existing national activities is the same. You start with complete transparency of the member states. You come with ideas, where you say, “Look, these are areas where we could actually do this better jointly. We could interface with the Americans collectively on some of these issues more efficiently than we can bilaterally”. You have to persuade member states of that. When you do, it is not too difficult then because, usually, the third country is quite delighted to be able to have a sort of single interface, provided it works. You do that progressively. You find the areas where it makes sense to operate as the EU, as 27, in some collective sense, fully recognising that you are in no way going to eliminate the ongoing bilateral context. We have done that in a wide range of areas starting with trade back in the 1950s, through other areas such as transport policy, even financial regulation and other areas. I fully recognise that this area gets you into slightly more sensitive territory. That is why the Commission has always been fairly prudent and cautious in trying to develop this. We know that we cannot run before we can walk. There are sensitivities there and serious issues at stake in terms of the consequences of what we do. Therefore, I think the approach, which is now supported by member states, is prudent to indentify those areas where progressively you can develop a joint European approach and dialogue with the United States.
Q79 The Chairman: And it will have to take into account the fact that, in purely operational terms, the co-operation, let us say, with the Americans will be in most cases between one or two member states for operational reasons, rather than with all 27 at the same time through some channel here. That is, as we would see it, the reality of what is
34 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon going to continue. That is how a lot of it works, even amongst the 27. The operational stuff is not all dealt with in Brussels, but on many bilateral links between the services concerned. David O'Sullivan: That is true, but I think that it is increasingly clear that if you look at the Schengen area, or at airport security and all these things, joint approaches are very valuable. It suits third countries to be able to have a dialogue with the EU as whole rather than bilaterally. Of course, we are a long way off the EU substituting itself for the very deep and long-established bilateral contacts that are there in this sensitive area of information sharing and so forth. No one is trying to substitute for that. We are simply trying to identify those areas where joint EU effort adds value, both from the point of view of our member states— member states see this; there are debates about the precise frontiers at given time, but no one doubts that there is value in the EU acting jointly in a number of these areas—and our partners also see that it is much better to be able to have a dialogue with a joined-up EU than with a disparate set of member states. Increasingly, these issues spill across borders. This is the global reality that we are facing. The relevance of national borders is diminished by the capacity of modern technology and travel, and so forth, and of people to transcend borders. We are therefore grappling with how you still have an effective enforcement within certain borders, recognising that there is great permeability and what happens in one part of the world can have an effect on another. You can have excellent airport security in Europe, but if you do not co-operate with other countries to ensure that you have similar good security for aircraft which are coming into Europe, you have a weak link in the chain. That is a trivial example, but you see the point.
Q80 The Chairman: Perhaps we could have a look at cyber, because it is one of the five areas that have been identified in the Commission's communication on internal security as a priority. I am sure you have noticed that the British Government in their recent security strategy review of these matters allocated a very high priority—one of the highest tier priorities—to cybersecurity and cybercrime, two slightly different aspects of a similar field. We wondered how the EEAS relates to the EU-US working group which now exists on cybersecurity issues and what is the scope for, jointly with the Americans, getting better at handling cyberattacks against the European Union. As you know, we wrote a report on your previous Communication about cyberattacks which we published earlier in the year and debated some months ago. I wonder what you could say about that. Erik Windmar: Thank you. As Mr O’Sullivan said, cyber is a good example: we will try to raise the level of cybersecurity in general for the member states, while we will still have some countries, such as the UK, which will be much more advanced. We will in no way compete with the most advanced countries, more, we will take advantage of the knowledge that you already have. Cybercrime is slightly different, because there is clearly a need for enhanced co-operation. We see from Europol that it helps member states to solve difficult cases. There is clearly value added by our taking further steps there. Also, there is an acknowledgement that the EU is going in the right direction. We have not seen interest from the US side before. The agreement to launch the working group on cyber was a real step forward for us.
Q81 The Chairman: That was taken at the summit? David O'Sullivan: Fairly recently. Erik Windmar: Yes, it was taken at the summit. We have one year to deliver the results from the Commission's side, we see three main actors: Commissioner Malmström, Commissioner Kroes and Vice-President Ashton. The three of them will be the ones driving from the EU. We are very happy with the cyber group and the interest from the US. Instead 35 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon of just talking about one issue at a time, we suddenly have a working group where we can address several of the issues.
Q82 The Chairman: And will the Commissioner be touching on some of that when she is in the States this week? Erik Windmar: Yes. She will be touching most on the cybercrime part, and then Commissioner Kroes will talk about cybersecurity, where Vice-President Ashton will also have an important role to play.
Q83 Lord Richard: Do you have any other bilateral groups on cyberspace? You have the one with the Americans; do you have one with any other countries? Erik Windmar: Not on the cybercrime side. I mean, we touch on it when we have meetings with the Russians, but it is not an easy subject—
Q84 The Chairman: And the Chinese? Erik Windmar: We do not have any meetings with the Chinese on home affairs. That would be more for the external side.
Q85 The Chairman: I do not know if you noticed, but in our report, we identified the need to get into an intensified dialogue on these issues with a range of the principal global players in this area, just to feel the way forward as to whether there can be more international co-operation, and how you can best protect yourself in a policy area where there are no frontiers at all—there is no distinction. Are you thinking about how the EU could play a role in an intensified dialogue, or have you not got to that point yet? Erik Windmar: As I understand it, the French will emphasise cybercrime at the G8. The Commissioner will meet the French Minister on Monday to discuss the French thoughts on taking that forward. Of course, we have to talk not only to the Americans but in the global perspective. As you know—your report was very enlightening—it is not an easy topic.
Q86 The Chairman: No, because you do not know at this stage where you might end up and what the potential really is, because we are all very low on the learning curve on that. Lars-Gunnar Wigemark: I think that it is important also to distinguish cybercrime as a subset under the general heading of cybersecurity, which is much broader and also involves national security interests. With regard to cybersecurity, as opposed to cybercrime, member states have until recently been rather reluctant to develop common positions for various reasons. You are absolutely right: the momentum is now building for various reasons taking place as we speak. Council conclusions are likely to be in the making in the near future to provide overall political guidance for us in the Commission and the new European External Action Service. In other words, the policy is still not fully developed.
Q87 Baroness Eccles of Moulton: I ask a specific question about the Instrument for Stability: the extent to which it might be affected by the developing internal security strategy; whether it will continue to have the same effect on global security challenges or whether changes will take place. Perhaps it needs to be grown to a larger size. How do you see its future? David O'Sullivan: It is difficult to predict that any fund will grow larger in the present budget climate. It is clear that this has been a successful programme, which is now entering 36 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon the last programming phase. Obviously, we need to sit down and assess how it has functioned. I think that by and large it has been helpful in mobilising support to third countries, capacity building for judicial authorities, and linked, in particular, to development issues. Of course, the difficulty that we have recently had is that it is precisely targeted at the third countries, and therefore not funding things that member states want to do or provide. That has proved to be a bit of a problem, because some of the things that member states might have wanted to develop—for example, platforms for member states’ intelligence exchange in third countries, or to finance an internet-based mechanism for co-ordinating EU member assistance in third countries—is not possible under the terms of the present regulations. We need to have a good look at what we have been able to achieve and what we have not. Clearly, we have an opportunity in the upcoming debate about the financial perspectives and the next programming phase of the European budget post-2013 to decide what kind of instruments we will propose for the next phase and whether we will make some adjustments. You will understand that the pressure is always to enable these things to do more, but I somehow suspect that the overall budgetary envelope will not only not significantly increase but possibly be even smaller—without prejudging political decisions to be taken a year or two from now. We will also have to decide how to prioritise. We have a number of external instruments which will have to be revisited to decide how we package it all, but a clear constraint will be budgetary possibilities. It is always nice to say, “Let us make it possible to do even more interesting things under this programme”. That is fine, but by making it possible to do more things, you simply create even more frustrated clients, because it is possible but you do not have the money to deliver.
Q88 The Chairman: Yes, and if you spread it too thin, it has nil impact. David O'Sullivan: Precisely. It seems to me that what we need is a good examination of what has worked and what has not and whether we propose exactly the same thing again, some variant of it or whether we package it in a different way with other things. We have a completely open mind.
Q89 The Chairman: Of course, some member states are quite active. In the British strategy review to which I referred, you may have noticed that there was increased emphasis on conflict prevention and resolution, and additional resources were allocated to it while cutting a lot of resources for other things. Presumably, it will be very important that the EEAS, in operating in this field, acts in a coherent way with what those member states which are active in the field are doing. Otherwise we will just have a lot of overlapping and duplication. David O'Sullivan: I think one of the big questions looking forward is how we ensure complementarity and how we create situations where member states feel comfortable that the EEAS is able to do certain things that they then no longer need to do for themselves. This will be the big question for the service—this goes way beyond the internal security strategy but more generally—if there is a strong EU delegation in a country, do all member states feel that they need to have 27 embassies also there, with all the trappings of residences, and so forth, that go with that, or could they have a slightly scaled-down presence which is somehow associated with the EU delegation? These are possibilities, no one is prejudging anything, but in a time of budgetary austerities and cutbacks all over the place, with Foreign Ministries in the front line, in some cases, of being asked to contribute to reduced public spending. 37 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon
We have to look at the complementarity between what we do at the European level and what member states are doing to ensure that, to the extent that we can add value and do something on their behalf, they can reallocate resources to other activities.
Q90 Baroness Eccles of Moulton: Has the Instrument for Stability been used more in crisis prevention and reacting to crises? What you have just described is very much concerned with ongoing operational positions of different countries in third countries. Or is its purpose more as you described it? David O'Sullivan: I am being told hastily by my colleague, two-thirds for crisis and one-third for the long term, but why do you not elaborate on that? Lars-Gunnar Wigemark: It is a big subject, but briefly, the lion’s share of the stability instrument has been used for so-called crisis response—quite successfully—on just about all continents, whereas one-third is for longer-term threats, including those that we are talking about today. Perhaps I could just add one small point on the budget side of the longer-term part of the stability instrument. About a year ago, we requested an increase in the budgetary envelope dealing specifically with so-called transregional threats, including trafficking of drugs, small arms and human beings, organised crime and counterterrorism, where we have some rather effective programmes starting up in West Africa and Latin America as well as the Caribbean: the so-called cocaine route programme. Also, as we speak, some projects are being started in the Sahel on counter-terrorism, specifically with regard to the deteriorating overall security situation in that region. We have requested the Parliament, in the context of an ongoing mid-term review of the stability instrument, to increase the envelope for Article 4.1, specifically, which deals with the transregional threats that I have just mentioned. However, that is blocked right now. I do not think that that has anything specifically to do with this issue; it is part of a larger budget discussion which is still ongoing in the European Parliament.
Q91 Baroness Eccles of Moulton: And that relates directly to internal security. Lars-Gunnar Wigemark: That is a correct observation, but I am not sure that that argument is being made.
Q92 The Chairman: Can we now look for a minute at the SitCen? We had a very good session with William Shapcott in his previous capacity. He kindly agreed to give us evidence yesterday about that. How do you see SitCen? I gather that the decision has been taken that SitCen will be firmly embedded in the new EEAS. How do you see its new position within that framework affecting its role of providing situation awareness and threat assessments dealing with the internal dimension of EU security, in addition to its existing role, which is mainly to do with external aspects? David O'Sullivan: I think that the challenge in this area, as in many, is joined-up policy. We have to sit down with colleagues in DG Home and DG Justice, who have their own situation centre-type operations to see how we connect the dots. To me, that is one of the challenges of the new service: to make sure that we have a structure that is lean, effective and maximises the interface between what exists, rather than duplicating it. One of the risks of setting up a new structure such as the European External Action Service is the temptation to do everything ourselves and to want everything in-house. Of course, SitCen will be in-house. We need to look at that operation in the whole area of civilian and military crisis management to be sure that we have the most effective structure, but because
38 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon we will also be connecting with some of the Commission RELEX stuff. Frankly, the High Representative has asked Pierre Vimont, the Executive Secretary-General, to have a calm look at all that, but not between now and January, because we are trying to get beyond midnight on 31 December in the most effective way possible. We need to look at how all that interfaces. The interface between the internal and the external is extremely important, and we need to make sure that the connections are in place and function. Erik Windmar: From the home side, we have great expectations of the EEAS on that, beside overall advice from the external side. As you know, internal security is member state-driven, and member states are ready to provide information to SitCen, at best. By having the EEAS and SitCen, we see great potential. That is the vision of my Commissioner, at least: by linking up the situation awareness centres we will get something more coherent so that, in the end, the Commission, the Council and the member states will be able, in a crisis, to get one report, if there is an incident, instead of several. We might not go as far as co-ordination, but at least it will be possible to have information, instead of too many different centres. From outside, instead of building up home capabilities, we would rather lean on the capabilities being developed within SitCen, as it is very difficult to differentiate between internal and external in terrorism and cyber.
Q93 Baroness Eccles of Moulton: Can I just ask where you are all based—presumably, you are with the Home Affairs Department—who you all are and where you are all from? Erik Windmar: I am with Commissioner Malmström. Baroness Eccles of Moulton: And everybody else? David O'Sullivan: Why don’t people briefly introduce themselves? Lars-Gunnar Wigemark: I am Lars-Gunnar Wigemark, head of the Security Policy Unit here in DG External Relations division. Stéphane Chardon: I am Stéphane Chardon from the European Commission, dealing specifically with sanctions. Baroness Eccles of Moulton: Thank you, that is very helpful.
Q94 Lord Richard: It is fairly obvious: one of the things we are most interested in is this interface problem. With a new service you will have to deal with, work with and react to existing institutions, existing working groups and heaven knows what else. Can I ask you about COSI? That is again something we are having a slight look at. We have heard different views of it working well or not working well. I would be very interested in your view on that and if you think that it is beginning to function properly. Secondly, what about the proposal in the Communication that COSI and the Political Security Committee should work together and meet directly? Is this happening? Has it got to that stage yet? David O'Sullivan: No, I do not think it is happening. I think it makes sense. Once again, it is all down to this issue of joined-up policy-making. We know that for bureaucracies and administrations to function, you have to have departments and compartments. Otherwise, you cannot manage everything in it and it would be an amorphous mess. On the other hand, the risk is that when you create compartments, you get disconnected policy making. You need mechanisms which ensure flow of information. Flow of information is probably the most important thing. You’ve laboured long in Brussels and probably remember that I think that one of the great weaknesses of this city was a poor flow of information within institutions. I mean, when I
39 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon first joined the Commission you did not distribute information widely, you held on to it because it gave you a position of power. By the way, I do not think that it is that different from any other bureaucracy, but it was a particular feature. The flow of information between institutions is equally difficult because people are cautious and nervous. In this area, of course, more than in any other area, people never want to share information anyway. Even within national Administrations we only have to look at the autopsy done by the Americans on 9/11 and the problems of getting different agencies to talk and communicate. This is not a particularly Brussels beltway phenomenon. But I think, in ways which are consistent with the integrity of the security of information, and some of this stuff is sensitive and therefore you can’t distribute it all over the place—WikiLeaks notwithstanding—we need proper channels of communication to get joined-up policy-making. COSI, it seems to me is a helpful creation because it provides a sort of underpinning to the work of the Council, as the PSC has done in its own way as overarching co-ordinating body. But inevitably you need to make sure that these different people are talking to each other. Whether you do that, as we have suggested, through joint meetings—this is certainly one way, although of course getting all these people in a room doesn’t necessarily mean you have more communication. But I think you need exchanges of information and mutual understanding of what each is doing because what COSI does will have implications for external relations in a way that the PSC would wish to be aware of. Equally, the PSC will sometimes be discussing aspects of relations with third countries which clearly feed into internal security, cyber security, counterterrorism, immigration and so forth.
Q95 Lord Richard: Is the PSC going to be a body of 27 political directors or rather smaller? How big is it? David O'Sullivan: It is 27 ambassadors. They are not political directors. There is a separate committee of the political directors which meets, but these are Brussels-based people.
Q96 The Chairman: It was set up by the Amsterdam treaty. It took over a large number of the functions of the political directors, which are much less operationally engaged now in the operation of the PSC. But COSI, we were told seems to have got off to a pretty slow start. David O'Sullivan: To be honest, I have no personal experience.
Q97 The Chairman: What is the Commission’s representation on COSI at the moment? Is that going to be adjusted in any way to take account of the changes you have described? David O'Sullivan: If I may, wearing my EEAS hat, we have to clarify an issue. The EEAS will chair a large number of the external relations working groups on behalf of the High Representative who, in her turn, chairs the Foreign Affairs Council. In that sense, the EEAS institutional role in the Council decision-making process is clear. We have taken over from the rotating presidency and we will chair a number of these groups. But there are a large number of Council groups which, of course, the rotating presidency continues to chair. There the question of EEAS presence in some form has yet to be finalised. To be frank, I do not think that we have the resources or the need to be in every working group, but we will need to select carefully those working groups where we feel there is a strong, potential external dimension, and at least make sure that we have some kind of 40 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon presence in those groups so that we are informed of what is going on and that that feeds into the policy-shaping process. COSI, in my view, is one of these. We have just to clarify with the Council secretariat and the presidency that there is no problem having an extra seat at the table or in the room for someone from the EEAS in order to connect the dots, as distinct from the groups which we ourselves will chair. I do not know who is the Commission representative in COSI. Erik Windmar: It is one of the directors in home affairs. I think the problem with COSI has been that it has been set up as an operational body. Traditionally, member state internal security is something that they do within the member states and is not based in Brussels. There is a process. We hope that this paper will help COSI also to find its role and the links to the external site.
Q98 The Chairman: On a different subject, there has been a certain amount of tension over the implementation of terrorist listing under UN Security Council resolutions and the way the EU operates this. There have been a couple of cases taken to the Court of Justice, which, if I understood it right, were mainly about process. Do you think that the current system that the UN operates is one that the EU will be able to be fully co-operative with or do you think that there are tensions there? Does the system need to be changed in any way? What are your thoughts on that? It seems to us, from the outside, that there is at least a risk that the EU could get into a position where it is not on quite the same sheet as the United Nations. That would be a very damaging and dangerous situation to get into. David O'Sullivan: I think that you are right that this is a live issue. As you may be aware, we overhauled our system of terrorist listing and we amended in December of last year Regulation 881 which freezes the assets of persons listed by the UN Al-Qaida and Taliban Sanctions Committee in order to ensure respect for due process in the light of a 2008 European Court of Justice judgment in the Kadi case. The main problem of the terrorist listing issue is the very bureaucratic delisting procedure, which also requires unanimity and makes it almost impossible to de-list someone.
Q99 The Chairman: At the UN or in the EU? David O'Sullivan: No, this is in the EU, in our system. There was a new ruling of the General Court in September of this year, which has annulled once again the listing of Mr Kadi for failure to carry out a full and rigorous review of Union acts implementing the UN consolidated list. Our legal people advise us that this judgment has indeed, as you hinted, potentially far-reaching consequences for the implementation by the Union of the UN sanctions. The Commission and Council have decided to appeal this ruling. We hope that member states will join us in that. Then we will have to see what the Court finally decides. We have welcomed the development of an administrative review process at UN level and they have designated an ombudsman under a UN Security Council resolution of last year. We are working closely with member states, and notably the UK, to ensure that the EU system of terrorist listing fully complies with fundamental rights. So you are right that there is a certain tension there. I am not a lawyer but it would seem that this most recent judgment does cause us some problems. We will appeal and hope to correct the situation. Of course, if not, we will have to see how we implement what is the final judgment of the Court in a way that respects the law and is compatible with what we are trying to achieve.
41 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon
Stéphane Chardon: Just to complement what has been said. We have now the second Kadi judgment. Kadi 1 was in September 2008 and we moved to Kadi 2 in September 2010. We are moving from form and procedures to issues of substance. The Kadi 2 judgment is very much about the intensity and the scope of a review which the EU does of UN sanctions. So it is very much a question of the substance of the reasons which have provided the grounds for these listings, and the issue of the evidentiary standards. This basically brings an immediate challenge for us. As was said, the decision to appeal was already madee by the Commission and we hope that the member states will join us. It raises a number of issues as regards the potential for further reform, both at the UN and the EU. We had a meeting two weeks ago with the UN on this issue. I think that a number of questions might arise whenever there is the next UN resolution concerning the procedures for the Al-Qaida committee. A number of questions are being considered to perhaps strengthen the administrative process, to strengthen the capacity of the Ombudsman, to review listings at the UN level and perhaps to introduce sunset clauses for UN listings. The Court has raised a question about if this listing lasts for 10 years how long can you maintain that it is still a preventive measure and when does it become a punitive measure? I do not think that there is for now a decision to reform the system, but ideas are being exchanged and discussed to improve the administrative review process. We very much hope that the Court will take account of the already considerably strengthened UN process. That is for the UN level. As for the EU level, we think that the overhaul of our system last year enabled us now to meet the procedural requirements which have been imposed by the courts following the Kadi 1 judgment and we do not see that there is a need for reform of the current system. We will see what comes out of the current appeal, and there might be a need for certain adjustments. Perhaps the issue of access to confidential information will need to be revisited. But we do not see at this stage a real need for complete reform of the system.
Q100 Baroness Eccles of Moulton: I think that this is probably our last question and it will be quite a quick one. It is on the European arrest warrant and whether it is useful in combating terrorism and aiding internal security, and whether fundamental rights and proportionality get in the way of its usefulness. David O'Sullivan: Thank you. I had been alerted to the fact that you were going to ask this question. My colleagues have very obligingly provided me with a full answer, but I am somewhat reluctant to go on the record, simply because, as the external action service, I do not think that we have anything to add particularly to it. My only comment would be from my previous experience. The idea is excellent. It is clearly something that we need to have between us that you can have some kind of expedited extradition process. But, of course, it raises the constant issue of the level of trust and mutual confidence which we have in each other’s systems. This goes to the core of these issues. Of course, it is not surprising that there are some criticisms and some complaints. As you know, it is a bit like I used to work in education and everyone is convinced that their education system is the best in the world, and that if only others had a similar education system, how much better they would be. So when you try to put systems together, things do not work. Most of our countries are convinced that their national justice system is the most fair and legally sound in the world and that, therefore, our neighbour’s system is never as transparent or as just or as fair. Therefore, we have not yet got to the point where we have 100 per cent mutual confidence in our respective systems, but this is where we have to get to. I think that the process of 42 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon intuitively getting there and improving things, identifying problems and ironing them out, is the way forward. There have been some teething problems and there are some difficulties but it seems to me that the objective is absolutely indispensable if we are not going to force ourselves through extremely labyrinthine extradition procedures every time. This would be counterproductive. On the other hand, we have to protect fundamental rights. We have to protect due process. Squaring that circle is not simple. But it is an objective we have to continue to pursue. I put all that as a general statement. From the EEAS point of view, the only thing I can say is that in my experience of some 31 years in the Commission, our external credibility is entirely linked to our internal credibility. When we act sensibly internally and when people see we have common policies they take us seriously externally. When we don’t, they tend not to take us seriously externally because they tend to feel that we are going 27 separate ways and that therefore there is not much point in dealing with us as EU. That is true whether it is trade policy, financial regulation, the internal market, competition rules or internal security. So if we want to have a serious dialogue externally with the Americans or with any other people in this area, we have to demonstrate that we have the internal tools to deliver on some of these commitments, which require us to have European structures. Otherwise the system will not work.
Q101 The Chairman: I should make it clear that we are not conducting an inquiry into the European arrest warrant as such. That is the responsibility of our sister committee, which deals with justice. But we are trying to look at the impact of the EAW on counterterrorism and the fields covered by the internal security strategy and to ask to what extent experience so far shows that it has been a useful tool. The Commissioner very helpfully yesterday said that she would try and provide us with some statistical underpinning for this; that is, what proportion of EAW warrants have been counterterrorism related and what the experience has been about whether this has been a useful tool. The general aspect is bound to come up in the context of the review of the EAW and so on, but it is a germane topic to our inquiry in so far as it has been useful or has not been useful in counterterrorism and various other aspects of the internal security strategy. Erik Windmar: As you said, my Commissioner gave her answer yesterday. I promised to follow up your question about if there were any statistics on how many EAWs have been linked to terrorism. I am afraid that there has been no distinction. There is just the general numbers. We checked it with Vice-President Reding last night.
Q102 The Chairman: That is a pity, but still, if you have any further thoughts in the weeks ahead on even a little bit of an anecdotal overview of how this has impacted on this area, it would be pretty valuable for us to have. I think that we will have to say something in our report about this. It will not be a general overall judgment on the EAW. That is not our job. David O'Sullivan: I am relatively new in this job, and I do not feel that we have any particular insights to offer beyond the general observations. The Chairman: We will carry on on the basis of the very helpful response that Commissioner Malmström gave us yesterday and anything you feel you can help us with in a form that would have to end up in the public domain, like all our reports. Thank you very
43 David O'Sullivan, Erik Windmar, Lars-Gunnar Wigemark and Stéphane Chardon much indeed for a useful session. It is of great value to us for scrambling up the learning curve, like everyone seems to be in this area. Lord Richard: We wish you good luck. The Chairman: Yes, that is what I was going to say. Good luck with the final phase of what is obviously an extremely complex operation. You have helped us to understand it a lot better. David O'Sullivan: Thank you. It is a very exciting project and I sure that under Cathy Ashton’s guidance we will make a success of it, even if we have the odd hiccup along the road, as we surely will.
44 Rob Wainwright and Brian Donald, Europol
Rob Wainwright and Brian Donald, Europol Oral evidence, 15 December 2010, Q 103-147
Evidence session no 4 : heard in public
Members present
Avebury, L Eccles of Moulton, B Hannay of Chiswick, L (Chairman) Hodgson of Astley Abbotts, L Judd, L Richard, L Tope, L ______Examination of witnesses
Rob Wainwright, Director, Europol and Brian Donald, Head of Office of the Director, Europol
Q103 The Chairman: I think we can begin this evidence session now. We are very grateful to you, Mr Wainwright, and your colleague for coming from The Hague to give evidence to our inquiry on behalf of Europol. I will start with a few formal explanatory points. The session is open to the public. We may have some law students who wish to attend this session coming in fairly soon. A webcast of the session goes out live as an audio transmission and is subsequently accessible via the parliamentary website. A verbatim transcript of your evidence will be taken and this will be put on the parliamentary website. A few days after this session, you will be sent a copy of the transcript to check for accuracy. We would be grateful if you could advise us of any corrections as quickly as possible. If after this session you wish to clarify or amplify any points made during your evidence, or have any additional points to make, you are welcome to submit supplementary evidence to us. Perhaps we can start by you and your colleague introducing yourselves for the record. If you have any opening remarks that you would like to make on our inquiry—its scope and your views on it—please do so but that is voluntary, not obligatory. Rob Wainwright: Thank you very much for this kind invitation. I have been director of Europol since April 2009. The last time I gave evidence to your Committee was approximately two years ago when my candidacy for the position had just been announced. I am pleased to say that that was a successful initiative. I am joined by a British colleague, who was recently appointed as the chief of staff to my office in Europol. Brian Donald: Good morning. My name is Brian Donald. I am the head of the office of the director of Europol. Prior to that I served with SOCA and latterly was head of the United Kingdom Liaison Bureau at Europol.
45 Rob Wainwright and Brian Donald, Europol
Rob Wainwright: We appreciate that there is a strong history of this Committee taking an active interest in relevant policy developments that affect EU internal security. It is, therefore, to be welcomed by the EU institutions especially, and certainly by my organisation, which explains my willingness and appetite to appear before you today. The subject matter is of topical interest to the development of internal security issues in the EU, so this is a very good time for national Parliaments as well as the European Parliament to consider the impact of these new legislative arrangements in the EU. I am interested today in giving you the perspective of the European police agency, which is relevant to so many aspects of these new arrangements, on which I can elaborate in the course of my evidence this morning.
Q104 The Chairman: Thank you. It is encouraging to feel that we have hit on a subject that is going to benefit from a little parliamentary scrutiny. I will start with the first question that sprang to our minds. What does Europol regard as the key issues of the internal security strategy? You have presumably studied, as have we, the Commission’s communication of about a month ago on the five action points for implementing the internal security strategy that was approved by Ministers in March 2010. We would particularly like to hear what you think Europol can contribute to the fight against serious organised crime; what you think is achievable; and what should be the immediate priorities and longer-term goals. Rob Wainwright: I will begin with some general statements. We have not only studied the document but played a very active role in the development of the strategy itself, especially the communication that was recently issued by the Commission. That says something about the central role envisaged in the strategy for the European police office. We are very pleased to have that opportunity, which brings with it the possibility for Europol to better fulfil its mandate of providing operational support to the relevant authorities in the member states in the fight against organised crime and terrorism. In response to your question, I would like to make two broad statements. First, in institutional terms we regard the establishment of the strategy itself as a success—one that is, frankly, long overdue. Under the new architecture envisaged by the Lisbon treaty, for the first time we have a single coherent strategy to deal with all aspects of internal security in the EU. We have not had that before. In the past, in the absence of that policy coherence, there has been duplication of effort between agencies and the states. There has been a lack of clarity over what our agreed priorities should be, for example. Indeed, there has been a lack of institutional glue sticking everything together. This is already a significant development. The architecture that comes with it in administering this new strategy, particularly the establishment of the new so-called COSI group, gives us the framework to apply that practically. There have already been several meetings of that group, largely to positive effect. At the heart of this strategy is the idea of, for the first time, an agreed European security model. We would certainly support the main principle of that. First, it should be based on intelligence-led policing. That means there should be a greater focus on better understanding the threat as the basis for defining in sharper relief what the common priorities should be in the EU. It means promoting greater information exchange arrangements, not only among member states but between member states and European agencies, including Europol; and making efforts to increase the capacity of the EU to co-ordinate major cross-border operations. All of this is envisaged in the framework of the new internal security strategy. Already, the Council has decided on the framework of a new EU policy cycle to give practical effect to these aspirations under the strategy.
46 Rob Wainwright and Brian Donald, Europol
This initiative, under the Belgian presidency, defines the process landscape—if I can call it that—for how the strategy will be administered at the working level. It defines, for example, a four-year policy cycle and the extent to which certain threat assessments will be used as the cornerstone for policy-making. Even one year after the adoption of the Lisbon treaty, we are already quite far advanced in implementing the principles of the strategy. Within that there is a key role for Europol. The policy cycle, for example, formally gives responsibility to Europol for producing the definitive assessment of the threat to the EU from organised crime. On that basis Ministers will be formally invited to set priorities. It gives Europol the lead responsibility in developing a more integrated information management framework around the EU, and responsibility to develop its competence to co-ordinate cross-border operations. The strategy itself refers explicitly to the need to improve Europol’s capacity to support member states. We would welcome that as a policy statement. That is my first point. Institutionally this is already a good thing and is bringing some benefits. We also agree with the substance of the strategy, not least because we have been very much involved in its elaboration. The good analysis identifies the right priorities. The Commission’s communication strikes a good balance between the five major objectives. In four of those five objectives Europol has an important role to play. Disrupting international crime networks is our core business. Europol is very much involved in the promotion of law and better and more sophisticated joint operations between the member states, and is promoted to be further involved through this strategy. To give you a flavour for our current work, by the end of this year we will have facilitated approximately 13,000 major cross-border operations against some of the most significant organised crime and terrorist networks in Europe, using the unique competencies that we have. For example, we have 100 criminal analysts, a unique set of intelligence databases and a set of liaison officers who give us the capability to co-ordinate operations on a daily basis. That figure of 13,000 is already about 25% greater than it was a year ago, which shows that the appetite for engagement in this area at EU level seems to be growing. We very much welcome the Commission’s emphasis on improving the EU’s response in regard to seizing criminal assets. Perhaps we can talk about that later. With regard to terrorism, Europol applies all of the operational framework in this field as well. We have, for example, a unit of some 50 experts currently working on our terrorist casework. A decision, made by the Council earlier this year, to give Europol a key responsibility for managing the requests from the United States for access to terrorist financing data held in the EU was important to this area of tracking the financing of terrorism. In the Swift agreement and the so-called TFTP agreement Europol has been given a key role in verifying US requests. This is an important first step towards something that will end up with the creation of an EU terrorist financing tracking programme, possibly at Europol. I regard that as an important part of our future and the internal security strategy. Similarly, cybercrime is very much the future in so many respects of the threat that we face from organised crime and terrorism. I know I can expect a specific question from your Lordships about this later so I will reserve my comments until then. Finally, on borders, we are developing our relationship with Frontex in particular. All of this is achievable. I think the Commission paper achieves the right ambition level. It does not overextend itself but it depends on several things. I see two or three major risks to the full implementation of the strategy. First, the implementation may get stuck in the institutional treacle that often pervades working life in Brussels institutions. There are a lot of meetings and documents, and there is difficulty in achieving consensus across 27 member states. That is a characterisation of Brussels that many people see and feel every day. 47 Rob Wainwright and Brian Donald, Europol
Having said that, the Lisbon treaty has done a lot already to sharpen up those arrangements and bring added clarity. The establishment of COSI and the success so far in working through these issues are very promising signs. The Commission paper, in particular, is a sharp illustration of what we need to do in the future. So there are some encouraging signs here. The second risk is that the member states will not fully engage with the process. This is also an inherent risk that flows through so much of the work that we see at the EU. The real willingness of member states to avail themselves of these new opportunities has yet to be proven. Thirdly, in the light of these times of economic austerity, there is a risk of whether we have, collectively at the EU level and even in the national police budgets, the right level of resources to meet the level of ambition. That is a very long answer to the first question, but I also used my introductory statement broadly to add to our understanding of the importance of this internal security strategy. The Chairman: That is very helpful. Thank you. This Committee will be working on some aspects of this outside the internal security strategy because it has to make an input to the EU Select Committee’s overall inquiry into the financial framework for 2014-2020. Although the JHA demands within that framework are small compared to other European policies, the Committee will be making an inquiry. It would be valuable if, in the course of your answers, you can focus a little on resource requirements, both from member state Governments co- operating with you and from Europol itself. We will be able to make use of that in the separate testimony that we will give to the overall Select Committee, which yesterday decided to set up this inquiry into the financial framework. Each of the Sub-Committees has been asked for some input.
Q105 Lord Judd: You mentioned the real position of member states, but it is not only about member states, but the whole culture of the police, specifically, in member states. How is that working? How far do you feel that you are winning the hearts and minds of the police forces of the various member countries so that they co-operate in the success of the strategy? Rob Wainwright: To a certain extent, the nature of how Europol was formed and has since developed does not help us in that respect. It was very much a top-down political initiative, driven from the start by Ministers themselves. That is fine and very helpful in one sense, because we do not lack political interest in our work; it is very important to our work. However, from the start—the history of Europol takes us back to the early 1990s—we have had to fight for our natural space in the hearts and minds of the police. We have to do that through hard labour, demonstrating to investigators in our 12,000 or 13,000 cases the unique value that we can add. Our common experience is that four out of five investigators who use us for the first time come back a second and third time, and so on. Reaching a community of 2 million police officers in the EU is a long road for us. You are right and you used a very important word, which we feel the effects of every day–culture. The culture of a police officer—Mr Hawker, I know, will understand—is often a conservative one of retaining his information and his case within his control. In so far as he will share it across borders, he will do so with known people and through informal channels—not always through multilateral channels such as Europol. Trying to break through that cultural barrier remains a work in progress.
48 Rob Wainwright and Brian Donald, Europol
Q106 Baroness Eccles of Moulton: I have one or two quick questions. The first is the quickest. You talked about the request from the States to share more intelligence data. Are you concerned about the security of that data? Rob Wainwright: Are you referring to the recent— Baroness Eccles of Moulton: I would not say it was entirely out of my mind. Rob Wainwright: It is not entirely out of my mind either, but so far we have not made any definitive judgments that are having a practical effect on our collaboration with the United States. It remains for the member states, not least the United Kingdom, a very important ally in the fight against terrorism and organised crime. That has not changed, even with the events of the last few weeks and the unauthorised disclosure of so much material. Having said that, preserving the security and integrity of the information that we handle remains a top priority for us. Balancing those two interests is in our minds, as you would expect.
Q107 Baroness Eccles of Moulton: Throughout the Commission’s communication there was quite a lot of mention of law enforcement. Do you have anything to say about that? Has the use of it not been as comprehensive as you would have liked at Europol? Does the communication assist you in any way? Rob Wainwright: Are you referring to the fact that it is a limited definition of law enforcement? Baroness Eccles of Moulton: Yes. Rob Wainwright: Yes, it is limited in the sense that it is not an environment that naturally includes security and intelligence services. There is good reason for that: much security work is largely exempt from the arrangements of the Lisbon treaty. However, it gives rise to day-to-day practical problems, not least for an organisation such as Europol, which has a counterterrorism mandate. It removes a very important whole area of information that we would otherwise need to fulfil our mandate. There are some problems with how we implement those definitional issues in practice.
Q108 The Chairman: My next question is to ask you to say a little bit about how you see the internal security strategy relating to the external European security strategy which was adopted by member states in 2003 and confirmed again in 2008. It is of course being given effect by the new European External Action Service, which is about to become fully operational on 1 January, as I understand it. The SitCen in Brussels is, I believe, going to become part of the External Action Service. It is shortly to have a new director because Mr Shapcott, from whom we took evidence, has moved on to a different post. Can you say a bit about how the internal strategy fits together with the external strategy and how you as an important part of the internal strategy fit together with the EEAS, which is an important part of the external strategy? Rob Wainwright: The internal security strategy explicitly expects that there should be improvements in the future in the correlation between the internal and the external security strategy arrangements within the EU. The reason for that is quite compelling. The nature of the threat from organised crime and terrorism is becoming more global and cross-border in its impact. As we survey the nature of almost every major criminal threat affecting the internal security of the EU, we notice that almost all of them have their origins outside Europe. All of the cocaine and heroin consumed in the European Union originates in different parts of the world. Smuggled and trafficked people also almost all come from different parts of the world, and so the long list of examples goes on.
49 Rob Wainwright and Brian Donald, Europol
This should therefore call for policy coherence between the two strategies, and in particular effective operational arrangements to allow agencies such as Europol which are charged with securing the internal security of the European Union to work more effectively with the arrangements outside. What does that mean in practice? Already there are some foreign policy instruments in the EU which have some arrangements that cater for our requirements, and in particular some arrangements that connect Europol’s interests with the police missions of the EU in different parts of the world. We have information exchange arrangements that are currently in operation in that area. We already have a working relationship with SitCen by which we exchange information on a limited scale and even collaborate on joint assessments. But in both of the examples I have mentioned, the arrangements are more of a first or second step rather than anything more substantial than that, and still not enough, I think, to give us the policy framework properly to co-ordinate the internal and external security requirements. So we are very much looking forward to the development of the new external action service as the instrument that perhaps will give us the means to develop this work much further. Specifically in the Commission’s communication on the internal security strategy, reference is made for example to the possibility of Europol liaison officers being embedded in EU missions around the world to bring that specific internal security dimension to the daily work of the missions, but also in a way that can help us better to reach the diplomatic interests of the countries that we engage with outside the Union. We have our own working arrangements. We have formal legal co-operation agreements with over 20 countries outside the European Union now, and this gives us the framework with which to conduct our business. But it is not really entrenched within the machinery of the EU yet, and that is what we look forward to in terms of the EEAS. I have already written to Baroness Ashton with that in mind and I hope to meet her and her staff in the future to discuss how this can be implemented in practice.
Q109 The Chairman: Would it be possible for you to give the Committee a list of the countries you have legal co-operation agreements with? Rob Wainwright: Of course. The Chairman: That would be helpful for our report, because it would be a factual illustration of what you have been talking about. Rob Wainwright: We will send it to you immediately.2
Q110 Lord Richard: I would like to examine with you the role of the member states. In a sense, an awful lot of what you have been talking about has to do with communications. They depend very much on the attitude of individual member states and whether they are prepared to co-operate. As you know, Article 72 of the TFEU makes it clear that internal security continues to fall within the exclusive competence of member states. Will that limit the way in which the strategy is going to impact, and will it limit very much what you do in relation to that strategy? Do you think there will be more bilateral or multilateral co- operation between member states? What I am really asking is how you see this going because the relationship between the European part of it and the member states part of it is crucial to the operation of the whole thing.
2 Subsequently Mr Wainwright informed the Committee that Europol had cooperation agreements with the following countries: Albania, Australia, Bosnia-Herzegovina, Canada, Colombia, Croatia, FYROM, Iceland, Moldova, Montenegro, Norway, Russia, Serbia, Switzerland, Turkey, Ukraine, USA. 50 Rob Wainwright and Brian Donald, Europol
Rob Wainwright: This is of course an entirely political question about the level of appetite within the EU to even consider modifying the cherished principle that responsibility for executive action in terms of internal security lies exclusively within the competence of member states. That is not touched by the Lisbon Treaty. Of course other options are available in which EU institutions such as Europol are given at least some greater competence in that respect, and that model would also work in terms of the implementation of the ambitions of the internal security strategy. Indeed, it would allow for a more direct correlation, perhaps, between an EU strategy and EU action. But that is not the model we have today and I am not here to argue for that. The model we have is based on status quo arrangements that, I have to say, also work rather well. I also think it is entirely possible that the internal security strategy can be implemented through that rather more indirect constitutional arrangement involving the member states.
Q111 Lord Richard: That means, in effect that you preserve the principle but you would go around it. Rob Wainwright: No, not at all. You work through the principle. A very good illustration of that is how Europol works on a day-to-day basis. We are able to form a view on how the threat from organised crime, for example, is changing across Europe. Uniquely we can see the pattern of criminal activity across all of the member states that you cannot see at the national level. On that basis we are able to bring unique knowledge to a number of member states, and often in a specific case, a unique lead. But after that our job is finished. It is then for the police authorities at the national level to do something about it in terms of arresting the criminals involved. In those cases where we are able to demonstrate the obvious added value of the intelligence leads that we are presenting, the arrangements do not act as a barrier because it is self- evident that there should be police action thereafter. That is what I mean by saying that the arrangements can still be implemented in this way. Going back to the point that Lord Judd made, it depends on the cultural willingness of police authorities to work through these arrangements. Your second question about the mix between bilateral and multilateral arrangements is also important. As I said earlier, there is a historical and cultural preference for informal and bilateral connections in regard to pursuing international police work in the EU, not just in the UK but in most member states. That has an impact on the ability of Europol and of the EU as a whole to concert the most effective action. Of course it does. But I also think it has an impact on the investigator because what we see in many cases every month is an opportunity missed by the investigator. By choosing to engage only with one other country because that is what he thinks is the extent of his criminal case, he misses the opportunity to see the hidden part of that case, and he misses it by not checking our central databases. There is also an economic point about how efficient it is to invest so many resources in very expensive bilateral networks of liaison officers around Europe any more when we have a common liaison bureau arrangement at Europol. Every member state is represented there and work is done with the 27 countries as a whole rather than on a bilateral basis. Increasingly in these economic times, more and more member states are turning to an investment in Europol, which is much cheaper than sustaining their traditional bilateral networks. I see something changing in that respect, and while it is mainly economic conditions that are forcing that change rather than anything else, none the less it is helpful to the general interests of the internal security strategy and certainly of my organisation.
51 Rob Wainwright and Brian Donald, Europol
Q112 Lord Richard: Perhaps I may ask you a specific question. Do you think that co- operation on intelligence issues will remain bilateral or multilateral, and outside the Union, or is there going to be more of an EU culture when it even comes to that? Rob Wainwright: Here the cultural resistance is even higher and, importantly, there is an institutional or even a legal problem in that the Lisbon Treaty has an exemption around national security. I make no criticism of colleagues at the national level, including some former colleagues of mine in the UK. By their very nature, counter-terrorism investigations are more sensitive because the intelligence involved needs to be more highly protected. There is perhaps an undervaluation both of the security systems available at Europol and of how our analytical capacities can add value in these cases. Whereas I would not advocate a wholesale change to the current arrangements, I think there is significant scope for at least some change. But the general principle is one that is well accepted and not challenged, not even by me, frankly. That is the position we find ourselves in with regard to counter- terrorism.
Q113 The Chairman: Presumably, some evolution in that situation is most likely to be found through the operation of SitCen and the amount of sharing that people are prepared to do within it, as well as the extent to which SitCen begins to produce a product that is of genuine value to everyone. Rob Wainwright: So far at least, and I don’t see this changing very quickly. The product that comes from SitCen is of a strategic nature, not an operational nature, whereas we produce both types of product.
Q114 The Chairman: So that is the big distinction as between the overall policy thrust and the operational activities. Rob Wainwright: But even in our case—it is not right for me to disclose more in a public forum—we are currently working on supporting quite a significant counter-terrorist investigation in Europe using our operational analysts and our 50 counter-terrorist experts to provide operational support in that case. My point is that we can do more of this in a more systematic way, even allowing for the importance of retaining the general principle.
Q115 Lord Judd: Before I come to the question I want to raise, can I follow up on your response to Lord Richard? You use the words “investigation” or “investigators” quite often when talking about winning the confidence of member states. It seems to me that potentially an important part of your work is crime prevention, and that is intelligence. Is that a more difficult area for co-operation and for winning confidence? Of course there is a relationship with the security services, but I am particularly interested in the police dimension of this. Rob Wainwright: One of the cornerstones of our ambition is to become what I would describe as the information hub for police work in the European Union. We have a unique mandate, a unique legal framework, and a unique intelligence and information technology capability which, as a package, provides the possibility for us to sit at the centre of the information highway on all police matters in the European Union. A really important part of that is the framework that we have developed over 15 years to protect the information that we collect and exchange as well as, in the mean time, offering very high levels of data protection to the citizens of Europe. Again, this unique framework has served us very well. In 15 years there has not been a single major security compromise in the handling of our data. The architecture involved is generally underestimated by the investigators. They think that by sharing their sensitive case work with Europol, we are going to copy it to 27
52 Rob Wainwright and Brian Donald, Europol countries in Europe or that suddenly it will fly off in 1,000 different directions. That is not the case. Our security regime works around a very important set of handling codes and principles which retain in the hands of the originator full control over the dissemination of information. As a security regime, as I have said, it has stood the test of time. So we are capable of handling even sensitive intelligence, but it is harder for us to convince those in the counter-terrorist environment than those in the more everyday police environment to share information with us—despite the points that I have made.
Q116 Lord Judd: As you take the internal security strategy forward, you have mentioned the issues already arising on information exchange with the United States, for example. Could you elaborate a little more on how you envisage the impact of the development of the strategy on the United States, China, India, Russia and other countries which have an important part to play? Rob Wainwright: The point that I made about bringing institutional coherence is really important here. To paraphrase the words of Henry Kissinger, who do I call in Europe? At least with the single internal security strategy, for the external world there is an easier understanding of what the strategy of Europe is in response to both internal and external strategies. The machinery that has been put in place, including COSI, to manage it is very helpful in this respect. The machinery which has led to the appointment of Baroness Ashton is also helpful. It is clear from these strategic documents that the EU attaches priority to more effective and coherent engagement with the rest of the world. The United States is singled out for good reason. We have seen in the course of the last year a quickly developing relationship with the United States in our field, and that is very promising indeed. Similarly, right now we are in the middle of very important negotiations with the Russian Federation around concluding an operational agreement with Russia. That is also of significant strategic importance to us. It is less so in respect of India and China, but for the EU as a whole Baroness Ashton has made it clear that all of these countries, especially the BRIC countries and of course the United States, are major strategic priorities for the EU. I think that the internal security strategy helps in our elaboration of what sort of engagement we should have with the wider world.
Q117 The Chairman: Presumably you would include among the countries that are really rather essential to your work Ukraine and Turkey, both of which seem, to the outside observer at least, to be very closely connected with many of the areas you are involved in. Rob Wainwright: Absolutely right, Lord Chairman. Both of those countries are strategically important for the flows of certain illicit commodities into the European Union, and we have been or are currently engaged in moves to conclude working agreements with them.
Q118 Lord Judd: How confident are you of the professional quality of co-operation in places like Russia? In your introductory remarks you emphasised that much of what you are confronted with originates outside the European sphere. Does that not make for co- operation, if it is possible and if it is reliable, with countries like India and China? Then, of course, there is the huge issue of Pakistan. Rob Wainwright: As we survey the rest of the world, and without singling out any particular country, there are a number of challenges before us. They include levels of law enforcement competence, which is as much about the effectiveness of training as it is about resource allocations in those cases, and of course corruption in the public sector, which is a problem in many parts of the world. In each area there is a challenge for the European External Action Service to help us in our work trying to promote at least the right political 53 Rob Wainwright and Brian Donald, Europol will in those countries to deal with these challenges. There are some good examples around the world where that has been done, but in at least some parts of the world these challenges are very significant. We have to deal with them on a case-by-case basis. Security is important to us where there are problems with corruption. Then we rely even more on the security framework that we operate on a daily basis to protect ourselves from hostile penetration.
Q119 Baroness Eccles of Moulton: Perhaps we could turn to the passenger name record. Is an EU directive on the PNR likely to be useful in the fight against serious organised crime, and should it also cover intra-EU flights? Rob Wainwright: First, I can’t speak from direct experience. There is a clause in the EU-US PNR agreement of 2007 that allows the US to share directly with Europol the results of its analysis of PNR data. Unfortunately, on not even one occasion have we received any information from the US in respect of that agreement, which of course is disappointing. I know, of course, from our close collaboration with the American authorities that they find it to be of significant security benefit to their counterterrorist strategy. I also know the position from inside the EU—the view of the UK and others, especially France, on the need for something similar in the EU. From my professional experience, I would judge even intra- EU PNR arrangements to be helpful in supporting the internal security strategy. I see it in the same way as I see the need for similar arrangements to be put in place in regard to tracking terrorist financing. They are of a similar type and order in terms of how they could support our internal security work.
Q120 Baroness Eccles of Moulton: Do you think there are privacy implications? Rob Wainwright: Absolutely, as there are on terrorist financing. However, what we have in the EU, not least in the legal framework of Europol, are some of the most robust and advanced data protection and data privacy safeguards anywhere in the world—perhaps the most advanced. Therefore, we need to reach a mature understanding on the right balance between data protection and the needs of internal security. The two are mutually reinforcing. I often say to the European Parliament that we believe in fundamental rights as well. We at Europol are proud of our data protection, but we are also clear that our job is to support the fundamental rights of citizens, perhaps by safeguarding the most important fundamental right, namely the right to a safe life. The two go hand in glove. In the specific example of PNR or TFTP, it is possible to reach an agreement that does not infringe the fundamental rights of our citizens.
Q121 Baroness Eccles of Moulton: Is there something to be said for having a safeguard such as a sunset arrangement to cover how long the records are held? Rob Wainwright: In terms of data privacy, there are a number of important principles that should normally be applied to such agreements. They would include natural time limits and tests of proportionality and legality. There should also be a requirement for the data to be stored according to reliable standards. So there are a number of regular data privacy standards that should be applied to this agreement in the same way as they are to others.
Q122 Lord Avebury: If I understood you correctly, you said that the agreement with the Americans on PNR data would allow them to supply Europe with the same data that we supply to them, but that they have not done so in any single case. Does that mean that you have asked for the data and the request has been declined?
54 Rob Wainwright and Brian Donald, Europol
Rob Wainwright: No. That is a good question and congratulations on catching me out. We haven’t asked them for that—at least not in individual cases. We said generally at the start of the agreement that we looked forward to the opportunity for the US to share data with us. Indeed, the text of the agreement places the initiative on the United States to push the data towards us, rather than us having to ask them. However, I take the point implicit in your question that we should take some responsibility for being more proactive. That is not to say that on a bilateral level the United States has not shared the results of its data with member states: of course it has. I am just giving an illustration from my own experience at Europol. I don’t want to paint an entirely bleak picture of the US track record on this, but I do think that institutionally we can improve on this in a new agreement, as we have done in the case of terrorist financing, where the arrangements are working very well. That is the model that we could follow in this case.
Q123 The Chairman: Perhaps I could follow up on that question. If I have understood what you are saying, the United States is probably exchanging a lot of information with individual member states, but is not making use of the capacity to make inputs to your information at Europol. Do you think that is because they have doubts about the security of the information that they pass on in that way because it would become available to 27 countries, or is it just a case of old habits dying hard? Rob Wainwright: Maybe I should hesitate to speak for them, but my guess is that it’s a combination of doubts about our security and doubts about the value added that we can bring. They are certainly champions of bilateral rather than multilateral work, at least in the case of most federal agencies in the US. Having said that, the EU-US TFTP agreement has effectively forced the Americans to engage with Europol in a way that they hadn’t before. Through that process, we have seen that we have rather easily overcome any doubts that they might have had about security and about the value added that we bring. If you were to speak now to US Treasury Department officials, I think that they would speak very positively about their experience with Europol. This shows that where there is a natural prejudice against EU institutional machinery, at least in some cases in my experience, this can be overcome in practice.
Q124 Lord Avebury: To carry on with this line, if the Americans can be satisfied that the security arrangements that apply to Europol data are good enough for them to engage in sharing processes, is there a political hang-up that stops these things happening? Is this one of the items that you would put in Cathy Ashton’s in-tray? Rob Wainwright: Baroness Ashton can certainly help to address some of the cultural conservatism that we see also within the EU. That can be done by her interacting in a more positive way with the National Security Adviser, with the US Attorney-General and maybe even directly with officials in the White House and the State Department. But I don’t think that there is a lot of politics at work here. It is more about the traditional ways of working of the US federal agencies, which are more reliant on a channel of co-operation other than this one.
Q125 Lord Hodgson of Astley Abbotts: I shall move on to proposals to revise the directive on money laundering, and the impact on member states’ asset recovery offices. What is your feeling about how effective EU efforts have been in asset recovery and the confiscation of the proceeds of crime? What do we need to make them more effective in future? You will probably have seen our report on money laundering and the financing of
55 Rob Wainwright and Brian Donald, Europol terrorism. The UK recovered £135.7 million. It was a sizeable sum, but compared to the estimated £20 billion from the proceeds of crime, the word “fleabite” comes to mind. Rob Wainwright: You might apply that word to many member states in the EU. In that respect, it is very welcome indeed that the Commission communication places a very high priority on the need to improve our collective response in this area. It places at the heart of the internal security strategy the need for more effective arrangements in regard to the recovery of criminal proceeds. Asset recovery offices are an important part of that, and it is a good example of where the EU can add value. The obligation under the EU instrument to establish asset recovery offices in all member states has had a positive impact in raising the profile of this work around the EU. In the context of Europol, we have been very pleased to be directly associated with that. In 2007, we established the Europol criminal assets bureau to support this work. We are helping to train asset recovery officers in each member state. We have even provided them with a secure information exchange platform so that they can co-operate better among themselves. This is the right approach and we are pleased to have been associated with it so far. You asked how we can make asset recovery more effective in the EU. So far, asset recovery offices have not been established in every member state. That is the job that we have to finish first. Where they have been established, they haven’t been given the right resources or perhaps they haven’t been given the right place within national arrangements to fight organised crime and terrorism, so a general strengthening of asset recovery offices in each member state is important. We always need to raise awareness, and encourage the mainstreaming, of financial investigations in all major counter-terrorist and organised crime investigations. I hesitate to think what the figure might be, but it is nowhere near the 100% that it should be when it comes to ensuring a proactive financial element in all the investigations. In the UK at least, we have more or less the right legal framework. As I see it, the Proceeds of Crime Act 2002 represents European best practice and puts in place most of the elements of what a national authority should do to secure the means to recover criminal assets. There might be a need to promote best practice. The model in Ireland is another one that we could use across the EU. Finally, we should facilitate better flows of financial criminal intelligence. I made some general remarks earlier about making better use of this new machinery to facilitate financial intelligence in a more coherent and systematic way. As regards money laundering, we would argue for further changes to reduce the number of shell companies, for example. In many cases, the beneficial owners cannot be identified. Whereas a very important principle in one of the 40 recommendations of the Financial Action Task Force is to know your customer, very often that process leads to the customers self-certifying the details they have given to financial institutions. In reality, it is very difficult for financial institutions to prove the information that has been given. The issue of better identifying the true beneficial owners of these processes is something that must be taken further. This is also about better standards of customer due diligence and other issues as well. This is a major area of work for Europol. We have 20 dedicated officers working in this area and currently we are facilitating 10 major cross-border investigations into money laundering offences in the EU.
Q126 Lord Hodgson of Astley Abbotts: I regard that as a slightly gloomy answer, in that it seemed to indicate that even the UK’s very low level of recovery was towards the top of the league table. Do you have best practice arrangements that you are promulgating across participant member states? If so, what efforts are being made to push that and who besides the UK is making good progress at being best in class?
56 Rob Wainwright and Brian Donald, Europol
Rob Wainwright: One of the functions that we exercise is as a specialist platform for European policing. We have particular competences and expertise in a range of areas, of which this is one. We are developing and helping to promulgate best practice across Europe. The UK, Ireland and the Netherlands are included in this—and, from a different perspective, Italy, given the way in which it has used this tool to prosecute Mafia organisations. There are good examples out there, and some can be taken even further with what agencies in Europe would refer to as administrative measures—trying to make greater use of the range of tax powers and other powers in the broader government community to crack down on major criminal organisations. There is work afoot to develop the whole prevention agenda: to deny criminals the opportunity to operate in the first place, and also to deny them the opportunity to profit from their illicit proceeds. As you see, the Commission is putting this area of work at the heart of its strategy.
Q127 Baroness Eccles of Moulton: You have already told us a bit about Europol working with SitCen, but do you see any changes in your relationship with SitCen coming about when it becomes part of the EEAS? Also, will the implementation of the internal security strategy affect your way of working within the EU? Rob Wainwright: It is very difficult to predict how SitCen will go, even after speaking to the people directly involved. Perhaps Mr Shapcott has a different idea. As far as I can see, Baroness Ashton has not yet fully decided what sort of future service she wants, or even what the member states want, so it is difficult to answer that question. Our level of co- operation with SitCen is okay, but it could be a lot better, particularly in regard to information sharing and the joint production of major threat assessments in the field of counterterrorism. In that area, I hope that we will arrive at a better level of co-operation.
Q128 Baroness Eccles of Moulton: They, too, would probably want that. Rob Wainwright: I will ask the new chief of SitCen that question when he or she is appointed.
Q129 Baroness Eccles of Moulton: What about the internal security strategy as a whole? Do you see much change arising in that? Rob Wainwright: In regard to SitCen?
Baroness Eccles of Moulton: In regard to your relationship to the whole strategy. Rob Wainwright: No, nothing more than I have just elaborated.
Q130 The Chairman: The Commission communication that we have been talking about and working on states that the Commission will put forward proposals to enhance co- operation between Europol, Frontex and the European Asylum Support Office on all border management issues. Could you say a few words about the role that Europol could play in this field, and how this should move ahead? Rob Wainwright: Certainly, an important element in making our work collectively more effective is that the agencies should work better together. This year, for example, I had the opportunity to chair an inter-agency process to improve the operational co-operation between the four principal agencies in this field: Europol, Frontex, Eurojust and CEPOL. At that stage the European Asylum Support Office had not been formed. I convened the final meeting of that process in recent weeks. We have already agreed on many practical
57 Rob Wainwright and Brian Donald, Europol measures to improve our co-operation. Of course we need to build on that within the framework of the new internal security strategy. However, we should take into account some very important principles. First, where we bring ourselves closer together, we shouldn’t duplicate our activities. I encourage Frontex to play a bigger role at the border, for example, in supporting the combating of cross-border criminal activities. I am also in favour of recent proposals to consider giving Frontex limited responsibilities to collect and exchange operational data—personal data, as it is called. However, I hesitate to develop in Frontex competences that more or less duplicate what Europol already does. I don’t think we have the budget conditions at the moment to allow us the luxury of having overlapping competences like that. We have to take great care that we do this in a way that emphasises our respective competences. It’s a question of exploiting complementarity and natural synergies rather than going much further.
Q131 Lord Hodgson of Astley Abbotts: I would like to talk about the European arrest warrant. I ought to place on the record that I am a patron of Fair Trials International which has had some concerns about the way that it has been operated. It would be helpful if you could tell us about the impact that you think it has had on the fight against serious organised crime and internal security matters generally, and whether you feel able to say anything to Sir Scott Baker’s extradition review, which is going on here, or whether that is not allowed under your terms of reference. Rob Wainwright: That is probably outside, but what I can say, also based on my experience as the international director of SOCA until 2009, is that the European arrest warrant has had a significant impact on supporting international police co-operation since its introduction approximately 10 years ago. As you know, it has transformed the business of extradiction in the EU. The UK and many other countries have used it to very positive effect to trace the whereabouts of some dangerous criminals and to use this as a very fast and effective way to bring them back to justice in Britain and in other countries. According to my figures, more than 14,000 European arrest warrants were issued in 2009 across the European Union. From the UK perspective, this led, I think, to about 860 arrests made in the UK under European arrest warrants issued by other authorities. This shows that it is used on a substantial scale. It speaks for itself in terms of how it has become a mainstream element of international police co-operation. I know that important considerations are under review in regard to issues of proportionality especially. Eurojust, rather than Europol, has had more direct involvement in this and my colleagues in Eurojust have informed me about the issues that they are considering: the lack of proportionality; unwillingness of certain member states to surrender their own citizens; inadequate exchange of information; translation problems and other practical problems, so I recognise that this is not a perfect instrument in its implementation. From my narrow perspective, as regards any review of the arrest warrant, I would also be interested in how the casework involved, and especially the intelligence behind it, could also be systematically shared with Europol. In so far as we retain the only real European database for organised crime activity in Europe, it does not make much sense that these judicial instruments are not also cross-checked with our data repositories, and they are not systematically.
Q132 Lord Hodgson of Astley Abbotts: They are all bilateral now, are they? Rob Wainwright: I think they are bilateral. Brian Donald: The European arrest warrant is not bilateral. It can be bilateral if you know where the person is but generally they are circulated to all member states for execution if the person is found. 58 Rob Wainwright and Brian Donald, Europol
Q133 Lord Hodgson of Astley Abbotts: But not copied to Europol? Brian Donald: No, not copied to Europol. Some member states will submit their intelligence items separately, but not the European arrest warrant. We do not administer that.
Q134 The Chairman: I take it that you can’t help us on an issue that we were pursuing on our visit to Brussels, which was whether there is any breakdown in the EAW cases to show how many of them involve counterterrorism. We were told by the Commissioner that they didn’t have such information. We are still searching for it because it seems to us rather relevant to our inquiry. I don’t know whether you can help at all or whether Europol has any knowledge of that sort. Rob Wainwright: No, I can’t help at all, I’m afraid, but your point illustrates the fact that the European arrest warrant exists without an institutional home in the EU. It is a very effective legal instrument but certainly within the new architecture of the EU under Lisbon it floats in a space without an institutional home, which is different from most other instruments for police co-operation that we have. I wonder whether that could be changed in the future.
Q135 Lord Avebury: Can we move on to cybersecurity and consider first of all how Europol operates currently against cyberattacks and cybercrime? What impact do you think that Europol’s work is having on these activities and how should it develop in future? What will your priorities be? Rob Wainwright: As I said earlier, cybercrime is a major part of the threat that we face from organised crime. More and more even of offline traditional criminal activities are now facilitated through the abuse of the internet, certainly in terms of communication patterns and so on. Of course, the scale of criminal activity committed via the internet is staggering. We estimated that within the last year approximately €100 billion of VAT fraud was committed by enterprising criminals online, and that is just one aspect of it. Of course, it is a growing threat and of course there should be a greater response to it. It is also a very good example of a transnational problem without a natural home anywhere. All of this is pushing the institutions in the direction of establishing an EU cybercrime centre which the Council has decided to establish. We hope that we will play a major role in that and even be designated as that centre. So far we have developed that competence in this area as a central European police agency to co-ordinate more effective action across the 27 member states in three areas. First, we have a dedicated intelligence project, designed to identify the most significant cybercriminals operating in Europe. Using that, our information architecture, our analysts and our experts, we are supporting cross-border investigations against those criminal organisations. Secondly, there is a new initiative, at least within the EU, to develop what is known as an internet crime reporting online system, which will collect all internet crime reported online at the national level in a harmonised way across the EU. This will provide a crosscheck alerting system to notify law enforcement about potential connections between different criminal investigations. For the first time, the EU will have a comprehensive overview of reported cybercrime within its own borders. This could even in the future include a component of direct engagement with the public, for example. Thirdly, we are developing an expert platform for internet and forensic expertise. We have forensic experts at Europol who can improve the capacity for domestic law enforcement to investigate cybercrime offences. As a package, although rather small-scale at the moment because of our resource limitations, it already holds a key to the future elaboration of the EU cybercrime centre and that is the model that we would like to take forward, bearing in
59 Rob Wainwright and Brian Donald, Europol mind also the need to have a more systematic engagement with industry. I have particular views about how that might be done as well.
Q136 The Chairman: Could I just ask about the resource implications? I note what you say about the cybercrime centre perhaps being established at Europol. That was certainly the preference that seemed to be in the mind of the Commissioner when we took evidence from her. Presumably, there would be quite important resource implications if that were to be the case. You cannot, presumably, do a great deal more with your existing resources. There would have to be substantial resource support for that. I noticed that you referred to the need to bring the private sector more into this. The evidence that we took in our inquiry on cyberattacks showed that the links between governmental authorities, broadly described—that is, police, government et cetera—are not very well equipped and need to have a much more effective interface with some very bright people indeed who exist in the private sector but do not get much involved in this, although they probably should be. Rob Wainwright: This will be a real issue in the implementation of this ambition. Having said that, this is a scalable issue in the sense that there is obviously a minimum level of resources, although I hesitate to say what that is. Beyond that, it is possible to scale your work according to the available resources. It is possible to be relatively smart in the use of your resources. With industry, for example, we would think of borrowing some very good practice in the United States. I recently visited the cybercrime centres of the US secret service and discussed the matter with the FBI as well. They have a very good model of working with industry in a way that effectively subcontracts a lot of the hard work of research and forensic analysis to industry, and indeed to the academic world as well. This is for their benefit as well; it is a mutually reinforcing idea. We could also rely on the secondment of national experts—police officers, I mean—within the member states to come to Europol as the EU cybercrime centre, at least for a short tour of duty, and in that way they could share the burden of the resource work as well. But in the end, there is a minimum level of resources that has to be applied to this quickly developing area of our work.
Q137 The Chairman: Have you produced a business model on that yet? Rob Wainwright: No. We have something a bit more than the back of a fag paper, but it is not quite a finished article yet. We have some ideas and, if you would like, we can sketch something for you, at least in an informal way, and send that to your Committee if you are interested. The Chairman: I think that would be very valuable indeed. Thank you. Lord Avebury, I am sorry I interrupted you.
Q138 Lord Avebury: I have just one supplementary on this. On the development of your internet forensic expertise, there again, there must be an awful lot of experience and knowledge in private industry, and among the largest companies as well. Do you think it would be possible to persuade some of those, like Microsoft and so on, to second some of their experts for the purpose of developing this centre of forensic expertise? Rob Wainwright: Yes, it is possible. The new legal framework that was changed for Europol this year specifically promotes greater participation with industry, so I think that is possible. I have also spoken with some leaders in the internet security industry. They are very positive about this possibility, but what surprised me was the general under-appreciation of the extent to which organised crime was abusing the internet space. In so far as they are very
60 Rob Wainwright and Brian Donald, Europol serious about internet security, it is driven by a commercial imperative of designing a better, safer product for their users. The ideas that I have talked to some of them about mean that at the design stage of their new technologies they should introduce an approach which would better crimeproof their technologies and would design into that new technology ways which would prevent organised crime exploiting it. The new media and mobile technologies are heaven-sent opportunities for organised crime syndicates and are being quickly exploited. I want to have a partnership with industry in which we can engage with it in a more proactive and productive partnership at the very start of the process of designing new technology. That is just one aspect of how we can have much better collaboration with industry in this area in the future.
Q139 Lord Avebury: I suppose I should have asked this earlier. It is desirable that cybercrime work should be centred within Europol. How do you imagine that you will be able to recruit, retain and develop staff with the best expertise and skills when a lot of other people are competing for them? Rob Wainwright: It goes to the same point that the Lord Chairman asked me. We already have some experts in this field. I hope that we could supplement those with at least some others from national cybercrime centres, including one that will be established in the next year or so at SOCA here in London. Certainly, I will be making those overtures to national agencies like that in order to demonstrate to them that cybercrime investigations centred in the UK will, by their very nature, have a European, if not global, dimension, and that there are many strong reasons—even operational reasons—why they should invest in common European arrangements so that we can better support their work at the national level.
Q140 Lord Avebury: That wouldn’t necessarily apply to law enforcement expertise, would it? I would like to know how the existing law enforcement expertise can be integrated within the more specialist technical expertise required to operate in the cyberdomain. Rob Wainwright: There are very many experts in the law enforcement area and in other areas as well. In the context of an EU cybercrime centre, there is an issue about where you draw the boundaries between cybercrime and cybersecurity. That is a very important question to answer because, in terms of cybersecurity, a whole set of different arrangements with very significant resources and significant national sensitivities are involved. We have to be realistic about the design of these new arrangements in the EU.
Q141 Lord Avebury: Have you got your own internal boundary between cybercrime and cybersecurity? Do you have a definition of where that line falls? Rob Wainwright: No, and it’s fair to say that our direct engagement with the military community is very small indeed.
Q142 Lord Hodgson of Astley Abbotts: When we looked at cybercrime and cybersecurity, we noted that this was a very fast-moving area with technology changing all the time and will-o-the-wisp perpetrators, so that finding where the perpetrators are based is very hard. In the unhappy event that the cybercrime centre, if it was established, was not centred in Europol, we would then have a three-legged structure—Europol, the cybercrime centre and ENISA in Heraklion. How do you think that would work? Would those of us who think Heraklion was a big mistake be able to draw some hope that this was going to bypass Heraklion and make the new body, which is yet to be established, the future centre?
61 Rob Wainwright and Brian Donald, Europol
Rob Wainwright: Objection—leading the witness, your honour. No, I don’t think such a three-legged approach would work—I would say that, wouldn’t I?—particularly when the solution of establishing Europol would therefore allow for a more coherent and less bureaucratic arrangement. So I would have concerns if a solution such as that were to transpire. The Commission has made it clear that it will support the future development of ENISA. Its location is a political decision that I’d rather not comment on. My job in that case would be to work with ENISA, particularly with regard to the development of a more comprehensive network of emergency response teams at the national level and EU level. Beyond that, you’ll excuse me if I don’t comment further.
Q143 Lord Judd: Le comité permanent de sécurité intérieure—COSI. Was it a valid initiative? Rob Wainwright: Yes. I think I already said that it was long overdue, and it has brought institutional policy coherence. It has already proved its worth by establishing, agreeing and promoting this new EU policy cycle, which, as I said, gives a practical dimension to the internal security strategy. The first year’s experience of COSI is still a mixed bag, I’d say, despite that overall positive impression. I hope it can survive in the institutional treacle of Brussels that is often a problem. Its membership is an important issue. At the moment, to a certain extent, it suffers from a lack of identity. We have a mixture of senior police officers, Ministry of the Interior officials and even lawyers around the table. That gives it a special, but at the same time a rather complex, character. Sometimes that inhibits the right kind of dialogue. In broad terms, though, it’s needed if we are to implement the strategy, and so far I’d say it’s working rather well.
Q144 The Chairman: Certainly when we were in Brussels, one of our witnesses said that it had got off to a slow start, which I think was a diplomatic way of saying that it wasn’t yet functioning as effectively as it could. You’ve given it a rather better chit than that, but I think you recognise that it still hasn’t got up to full speed. I wonder if you could also comment on whether COSI offers an opportunity to rationalise a bit this enormous alphabet soup of bodies that deal with counter-terrorism, serous crime and so on. Could it have a role in that, or is the situation irremediable? Rob Wainwright: Nothing’s irremediable, even in the EU. It has already rationalised the policy space and the institutional machinery of the Council and the Commission, so that is already a benefit. Extending that principle and effect to, for example, the number of different agencies in the EU is also possible and, in some respects, perhaps even desirable. Already we see a closer coming together of many of the agencies; I talked a bit about that earlier. You could of course go further by considering the merger of some, but that immediately becomes a very political question. The trend in the EU’s history is to create more agencies rather than fewer, which is why you have one in Heraklion and now a new asylum support officer in Malta. The future of CEPOL is also being debated in the European Parliament because of the problems it has had in the past two years regarding the administration of its budget, among other things. To a certain extent because of the CEPOL issue, but also because of the general impact and tone of the Lisbon treaty, this is a current question, and COSI is competent to debate it. Having said that, I don’t see a lot of political appetite at the highest levels of the Commission or indeed in the Council to consider that at the moment.
Q145 Lord Judd: Do you think its membership is right, or could there be more appropriate membership? 62 Rob Wainwright and Brian Donald, Europol
Rob Wainwright: I would prefer a greater representation of the law enforcement community at senior level. I’d rather see a few more police chiefs around the table, perhaps, than administrators from the Ministries of Justice and the Interior. But I’m biased, I think; when I go to the meetings, I also see that COSI has already proven to be very effective at increasing the profile of Europol and helping to administer our interest. Running through the centre of almost all COSI’s outputs in the first year is the profile of Europol and more concerted action through the Europol channel, so that’s probably why I give it a very good chit. In so far as the police chiefs are able to support that, that makes me very happy.
Q146 Lord Judd: It seems to me that there’s always a danger in international work that you get a dead hand of theoretical policy-making, and there is a real need to generate an integrated team spirit among those concerned who maybe need to feel that they have a stake in that. Rob Wainwright: I would not always characterise it as a dead hand, because Governments have very important interests that have to be represented. It is true that police chiefs as a community tend to operate in a more informal way, slightly freer of those sorts of burdens. An associated subject is the future of the European Police Chiefs Task Force, which no longer has a formal place in the new architecture; its very being has been called into question by these new arrangements. I and others have been promoting the idea that we should retain its structure as an informal talking shop among the police chiefs themselves, an informal place to do business and exchange best practice, to retain that air of informality in order to get the most out of it.
Q147 Lord Judd: Following on from that, do you think the European Police Chiefs Task Force and the Police Working Group on Terrorism should be regularised and brought within the Council and COSI framework? Rob Wainwright: No, I don’t. The best contribution that the EPCTF can make in future is to sit outside that formal architecture, to operate as an influential senior think tank, if nothing else, and as a place for police chiefs to share best practice, still having influence on the formal policy debate in COSI but in that way rather than as something more constitutionally formal. The Chairman: Thank you very much, Mr Wainwright, for being so generous with your time and being so full and frank in your answers. It has helped the Committee a great deal. We look forward to receiving the additional material you kindly promised us. We will let you have the transcript of what has been said here, we will be taking evidence in January and February and then we hope to produce a report in March; that is our target area. I hope you will find that it is useful for your extremely valuable work, which we all feel we understand a bit better now, thanks to your evidence.
63 Hugo Brady, Senior Research Fellow, Centre for European Reform
Hugo Brady, Senior Research Fellow, Centre for European Reform Written evidence, Hugo Brady (ISS 12)
What factors are driving and shaping the EU's role in internal security?3 The EU exists to guarantee and advance freedoms. By far the most tangible of these is the freedom of ordinary citizens to travel to, live and work in another EU country with a minimum of fuss. Over the last decade, EU governments worked to make a reality of this principle of free movement while also incrementally abolishing land, sea and air borders between most European countries. Given that such freedoms did not exist even within the boundaries of some European states 50 years ago – the free movement of people and the so-called Schengen area of passport-free travel are achievements at least as profound as economic and monetary union.
As with the single currency, European governments have created a complex and often murky decision-making structure at EU level to manage the security- and immigration- related challenges thrown up by free movement and the creation of a common border that now stretches from Faro in Portugal to Narvi on Estonia's frontier with Russia. Through this structure – formerly called the 'third pillar' to differentiate it from processes dealing with economic or foreign policy matters – interior and justice ministry officials grind out an ever- growing range of legal and practical 'flanking measures' needed to deepen co-operation between police, judges, border guards, customs officers, immigration officials and other public authorities. Taken together, these decisions are known as EU 'justice and home affairs' or JHA policy.
For more than a decade, the JHA area has been considered Europe's “big new project” as policy-makers attempt to plug the security gaps created by free movement, construct common immigration policies and factor both of these considerations into their relations with the outside world. In 2009, the long-awaited entry into force of the EU's Lisbon treaty – which was intended to rationalise decision-making procedures and enhance accountability – brought significant changes to the JHA field. The treaty abolishes the formal legal distinctions of the third pillar. Henceforth the highly sensitive areas of criminal justice and police co- operation will be dealt with as standard areas of EU business for the first time, meaning the use of majority voting, the full involvement of the European Commission and European Parliament, and, after a transition period, full judicial review by the European Court of Justice.
For some, the Lisbon innovations were the logical completion of work begun by the 1997 Amsterdam treaty which similarly institutionalised policies on immigration, asylum and border control. Others, not least Germany's constitutional court, the Bundesverfassungsgericht, signalled their deep unease over the extension of the EU's writ into the inner sanctum of national sovereignty: internal security. And for some others still, notably the conservative national ministries themselves and key partners like the US, it is a brave new world as officials learn to accept inexperienced but eager negotiating partners like the European Parliament into their privileged arena.
3 The EU policy areas touched by the Internal Security Strategy (ISS) are in transition in a number of ways, including between the legal bases provided by the Nice and Lisbon treaties respectively so a basic overview of JHA policy is necessary. 64 Hugo Brady, Senior Research Fellow, Centre for European Reform
Nonetheless the success or failure of the EU's attempt to construct serious and effective justice, immigration and security policies matters and not just as measures essential to maintain the original pact behind the single market. First, the principle of free movement – a unique and fragile liberty – needs protecting. After a decade of mostly passive public acceptance, immigration is now the most pressing issue of popular concern in European politics after the economy. This in turn has drawn public attention to the EU's role as a driver of free movement, enlargement to the east and the removal of internal frontiers. In 2010 alone, Britain, France, Italy and the Netherlands all bridled, though for varying reasons, against the constraints of EU law when attempting to tighten their immigration rules. If the EU is to defend and extend free movement in the teeth of populist reaction in the coming years, a key argument the European Commission and others will need to be able to deploy will be that JHA co-operation at ground level, particularly at the Schengen border, is working well.
Second, inward migration to the EU slowed after 2008 as a result of poor economic prospects in most member-states. But how Europe confronts the realities of migration from non-European countries is probably the most critical question for the future of its economy, demography and society. These are not easy questions nor is the EU's role in them always clear. However it is certain that Europe needs to attract more migrants in the years to come while finding the right balance between firmness and fairness in its visa policies, especially in its neighbourhood. It is also a reality that more refugees are seeking protection in Europe at a time when EU countries are not only struggling to maintain the concept of a common asylum area but also their liberal convictions and legal obligations to those seeking refuge from persecution.4
Third, global trade, budget air-travel, broadband internet communications and the lure of a better life in Europe for the destitute present EU countries with a new range of law and order challenges that cannot be tackled in any one jurisdiction alone. Cross-border crime, now organised into global chains of supply and demand, is newly mobile and often empowered by the faceless and anarchic medium of the internet into a threat that can only be diligently contained. Similarly, Western countries face an ongoing and very real terrorist menace from Islamist subversives operating at home, abroad and online. All this would be true whether the EU existed or not. Nonetheless no other organisation has the legal or political clout to put minimum judicial standards in place across the continent, to steer the private sector in areas like aviation and container security, to get police and prosecutors working together across borders, or to put pressure on foreign countries to crack down on counterfeiters and other malefactors. Hence the EU has a bone fide role in some security matters.
Fourth – just as new security threats and and the responses to them have breeched national frontiers – so too has the question of who guards the guardians of public safety. EU interior and justice ministers agree an average of ten new JHA measures every month and have done so for the past decade. The vast majority of these are 'repressive' in nature, that is legal and practical agreements to allow police, judges and other public authorities to chase suspects across borders and to collect and share large amounts of intelligence and personal data. Furthermore EU countries carry out such co-operation on the basis that each of their police and judicial systems is equally trustworthy and professional. (A similarly broad assumption as markets pricing the sovereign debt of every eurozone country at the same
4 The packaging of the two subjects, crime and migration, has long been controversial and is at times inappropriate. There is no necessary link between migrants and criminality. But since the EU documents in question deal with these issues together in places, this submission takes this into account. 65 Hugo Brady, Senior Research Fellow, Centre for European Reform level of risk.) Since even a single serious miscarriage of justice connected to JHA co- operation could undermine public consent for the project, the EU must ensure robust protections are in place to uphold the right to a fair trial abroad and the ethical use of personal data for security-related purposes. This will not done easily or quickly, however, as it involves a shift in mentality amongst an group of professionals who are exceptionally conservative.5
Given that the EU took 50 years to build the single market, governments made remarkable progress in boosting JHA co-operation since co-operation began in earnest in 1999 at a summit in Tampere, Finland. But even after – or perhaps, linked to – the entry into force of the Lisbon treaty a little over a decade later, the signs are that the political consensus that has driven JHA co-operation for the past decade is fraying on several fronts. One of the most serious of these is the recent disagreement between the Commission and the member-states over how the Stockholm programme – the EU's current roadmap for how JHA policy should develop – should be implemented over the next five years.
The Commission's communication Aside from such visible political divergences, the JHA policy area also has a tendency to become littered by overlapping, incoherent, derivative and repetitious initiatives (the Internal Security Strategy itself is a prime example) that offer up process as product. To move beyond this to a more tangible security policy for the free movement area, the Commission has published 'The Internal Security Strategy in Action: Five steps towards a more secure Europe'. The communication is essentially designed to do three things: first, to encourage conservative interior ministries to 'buy in' to a more assertive role for the EU in security matters post-Lisbon by showing where the Commission and other bodies can add value; second, to identify a limited set of actions against a series of prioritised threats to European security (both the Stockholm programme and ISS failed to do this); and third, to serve as a learning and signposting exercise for the newly formed EU directorate for home affairs under the EU's first Commissioner for such matters, Cecilia Malmström.
Whatever the politics behind the document, the communication is a welcome development. The first thing to note is that it demonstrates an admirable concern from the Commission that the EU should deliver concrete results based a clear need and agreed approaches as opposed to citing its legal privileges under the Lisbon treaty. Also, by focusing on criminal asset seizure and action on counterfeiting, terrorism, cyber-crime, natural disasters and border issues, the communication identifies those security challenges that EU countries are palpably struggling to cope with solely within their own borders. In addition, the Commission rightly points to the imperative for a fresh push to tackle the almost unfathomable economic impact of cross-border crime: a message that will be well received in these austere times. VAT fraud alone probably takes at least €50 billion from European coffers yearly while accurately gauging the scale of the economic impact of cyber-crime continues to baffle industry and security analysts alike.
Nonetheless the communication's prescriptions on some issues remain somewhat vague and in places could be seen as dubious: the section on counter-radicalisation of potential terrorists is one example, as is the viability of establishing an EU equivalent of the US 'Terrorist Finance Tracking Program'.6 Counter-radicalisation is in any case a vexatious issue
5 The author is aware that these questions are not strictly within the remit of the inquiry. 6 Commission Communication, 'The EU Internal Security Strategy in Action: Five steps towards a more secure Europe', page 8.
66 Hugo Brady, Senior Research Fellow, Centre for European Reform for national policy-makers and the Commission clearly felt it necessary to indicate to member-states that it does not under-estimate the seriousness of the terrorist threat. A further significant tension running throughout the document in both analysis and prescriptions is the need for EU structures to come up with tangible ideas that do not infringe too aggressively on national prerogatives but add value to national security policies without supranational grandstanding. That tension – which has been the main theme in the stop-start development of Europol over many years – will continue to dog delivery in the JHA area for the foreseeable future. Despite the Commission's best efforts to match up threats and responses, it will be difficult for policy-making in JHA to evolve beyond the 'politics of the latest outrage' that has shaped it to date: that is when a relatively conservative policy area convulses forward in response to shocking incidents like terrorist spectaculars.
Four challenges for the future In an interview with the author for a forthcoming report on EU justice and security policies, a former British intelligence officer made the point that “if there is a European interior ministry in 20 years time, it will be because the EU correctly pin-points the pressure points where member-states mostly keenly feel their security has been breeched by globalisation and find a way to plug the gaps through collective action.” While the image of DG Home as a European interior ministry is obviously intended to provoke, this remark probably best characterises the main motivation behind the Commission's communication.
However, effective EU co-operation in internal security matters faces a number of hurdles not all specifically dealt with in the document under review but relevant to the realisation of many of its ideas. These include:
* How to make a success of ongoing attempts to organise operational responses to security threats at EU level in an appropriate and effective way.
The European Criminal Intelligence Model – an initiative of the UK presidency in 2005 to join up analysis of shared threats and subsequent joint actions against, say, organised crime gangs – has not taken on the robust operational nature its original architects hoped. In addition, the EU's much vaunted new Standing Committee on Internal Security (COSI) – which was supposed to provide at least part of the answer to this issue – is struggling to find a convincing modus operandi. One answer to this problem could be very simple: money. Police chiefs are reluctant to sign up to operations that will use up valuable resources in straitened economic circumstances. The idea of an 'internal security fund' to fund joint operations agreed by COSI could be a vital missing piece of the puzzle in this respect and should be welcomed as one of the strongest ideas in the communication.7
* How to rationalise and focus the EU's bureaucracy in internal security.
The EU now has a plethora of DGs, agencies and bodies dealing with internal security matters but these often fail to work well together and approach each other with the same suspicion that is common between departments and agencies at national level. Co-operation between Olaf – the EU's anti-fraud office – and Europol, for example, could be best described as sub-optimal. The EU's security research budget (circa €730 million) is controlled by DG Enterprise and Industry with little connection to policy priorities as defined by DG HOME or EU agencies like Frontex or Europol. And in areas like container
7 Commission Communication, 'The EU Internal Security Strategy in Action: Five steps towards a more secure Europe', page 15. 67 Hugo Brady, Senior Research Fellow, Centre for European Reform and aviation security, the directorate general with responsibility for transport regulation (DG MOVE) has met only once with DG HOME to discuss policy priorities during recent scares over the safety of air cargo controls. Clearly there is a need for radical thinking on how best to coordinate the various pieces of the EU bureaucracy involved in security matters. One first step might be to establish a 'platform' office in Brussels where members of relevant EU agencies – including Europol, Eurojust, Olaf, Frontex, Enisa (an EU body responsible for the security of information networks) – might be co-located together to share information with each other and work more closely with the EU's main institutions. At Commission-level, there is a need for an agreed consultation mechanism between all security relevant directorate-generals, though this is not the simple-to-achieve measure it might look on paper.
* How best to deal with the 'growing pains' of EU internal security policy.
The EU's role in security matters is self-evidently limited. The Commission's preference for reducing matters that could hardly be more sensitive from the perspective of national sovereignty to mere technical problems has clear limitations here. Over Malmström's term, three issues are likely to emerge as key conundrums in the implementation of a more strategic approach to internal security at EU level. These are the lack of authoritative EU- wide statistics and threat assessments as a basis for collective action against the security threats discussed by the current communication, the difficulty of designing and delivering the raft of cross-border IT solutions foreseen by the ISS, the Communication and the Stockholm programme (as has already been seen in the case of the SIS II database) and hugely challenging question of how best to balance internal security considerations with the implementation of an EU foreign policy. There are no easy answers to these issues: they must be resolved over the coming years through trial and error. But – in the case of technology solutions at least – the EU would do well to work from the principle that money made available for IT-based security solutions should be reallocated to the Internal Security Fund if the databases/networks in question take longer than 5 years to develop and become operational.
December 2010
68 Hugo Brady, Senior Research Fellow, Centre for European Reform
Oral evidence, 12 January 2011, Q 148-174
Evidence session no 5 : heard in public
Members present
Eccles of Moulton, B Hannay of Chiswick, L (Chairman) Hodgson of Astley Abbotts, L Judd, L Mackenzie of Framwellgate, L Richard, L Tope, L ______Examination of witness
Hugo Brady, Senior Research Fellow, Centre for European Reform
Q148 The Chairman: I should, just for the record, state a declaration of interest myself, since I am on the advisory board of the Centre for European Reform, which Hugo Brady, our witness this morning, works for. I also, as an introduction, would like to thank you very much for your written communication, which I personally found very helpful and useful, and which members of the Committee have had circulated to them. We are grateful to you for coming to give evidence to our inquiry into the EU internal security strategy. The session is open to the public; a webcast of the session goes out live as an audio transmission and is subsequently accessible via the parliamentary website. A verbatim transcript will be taken of your evidence and this will be put on the parliamentary website. A few days after this session, you will be sent a copy of the transcript to check it for accuracy and we would be grateful if you could advise us of any corrections as quickly as possible. If, after this evidence session, you wish to clarify or amplify any points made during your evidence, or if you have any additional points to make, you are welcome to submit supplementary evidence to us. So perhaps you could introduce yourself for the record, and if you wish to make any opening remarks, please feel free to do so. Then we will move into the question and answer phase. Hugo Brady: I would be delighted to do that. My name is Hugo Brady. I am a senior research fellow at the Centre for European Reform, which is a foreign policy think tank based here in London, but has a European and, indeed, a global focus or ambition. The CER is officially pro-EU, but not uncritical, which is the formulation we use to show our objectivity. We think that the EU is a jolly good idea, but in many cases and ways does not work well—it could be made to work better—and we pride ourselves on fostering pragmatic practical ideas as to how that could be achieved. I am personally heading up our work on justice and home affairs. I have been there for almost six years now, and we have traditionally focused more on the security-related aspects of EU justice and security co- operation, although we have also done work on migration, but it is such a desperately tricky issue that requires a lot of in-house expertise and, as I am the only person there, I have many briefs to fill. 69 Hugo Brady, Senior Research Fellow, Centre for European Reform
I should like to start the discussion on the internal security strategy in action with a few provisos. The first is that the main players in this world, as you probably will no doubt find during the course of the inquiry, are not in the habit of making a generous disclosure of their activities. These are intelligence people, police officers, judges, officials and so on. I have been able to garner my contacts over the years on the basis that what they tell me is rather anonymous and not information that I will be passing on in a careless manner. So at times I shall have to speak a little bit carefully, and I hope you will appreciate that. Secondly, I often speak quite frankly, so I actually think that great progress has been made in justice and home affairs in the EU over the past 10 years. A lot of the much greater integration between national police forces, intelligence services, border guards and customs officers would be necessary whether the EU existed or not. So for me it is not so much a matter of the EU moving into an area that is very sensitive to national sovereignty just for its own fiat or glorification. You see it in bilateral and multilateral fora the past 10 years. With the increasing advance of globalisation, national security and law enforcement is changing and is rising to co-operate with outside forces in areas where countries believe their security is being breached by globalisation. But this is a price that we all must pay for much greater levels of prosperity and so on. If I speak frankly and critically at times, I appreciate that great work has been done to date by mostly anonymous policemen and their brethren in other services. But I do like to pinpoint where I feel the situation could be made better. So please don’t take my comments as too bombastic, especially because this is an area where people are very guarded in their remarks. I see a lot of my added value as being a sort of enfant terrible of EU justice and home affairs policy. If I may suggest some radical things, it is because I think that they may sound radical now, but in 10 years’ time these things have an odd way of becoming reality. I would prefer that they were well thought out and well considered, as opposed to being implemented in the throes of a crisis—as we have seen with the European arrest warrant, for example, in the wake of 11 September and other subsequent measures adopted in the wake of subsequent terrorist attacks. You probably want to know what significance I attach to the current communication, because over the course of 2010, the JHA sphere has sped up, but generated much more heat than light. It has generated major policy documents which the member states have adopted, or in some cases not adopted, including the internal security strategy itself, which was agreed by the Spanish presidency in early 2010, including the action plan on implementing the Stockholm Programme, which was adopted the previous December in 2009. The Stockholm Programme is an 84-page document. It is incredibly comprehensive, which I suppose is the best way of describing it. If you actually read it, as I know you have, it is difficult to take specifics from it. This is a development in justice and home affairs. The EU seems to have gotten much more powerful in the area, with the entry into force of the Lisbon treaty, but it become less and less clear what the EU is actually going to do with these new powers, apart from some rather nasty fights with the European Parliament over data privacy, Swift and other matters. We will see that trend continue over the next five years. The area has not yet really found its strategic focus. There are a lot of policy documents and a constant writing of papers in Brussels, proposing what the EU could do in various areas, including organised crime, counterterrorism, and natural disasters. The remit of JHA is expanding and expanding, and all the while we have a hardening of attitudes towards measures such as EU free movement, for example. It is evident at the moment that immigration is probably the second biggest area of public concern after the economy. So at a time when the EU is expanding its remit in response to global threats and challenges such as drug trafficking, human trafficking, fraud and other forms of organised crime, some of the freedoms that the EU provides, such as untrammelled free movement around the EU—as 70 Hugo Brady, Senior Research Fellow, Centre for European Reform we saw in the case of the Roma last September—are also coming under pressure. One of the criticisms, which I will get to later, is that I feel sometimes that the EU’s thinking is very ambitious (the member states are excited by a lot of proposed EU technological projects in this area, for example) when the politics of JHA is becoming more difficult. That for me finds its best expression in the hardening of public attitudes towards immigration, and, whether officials in Brussels like it or not—they might call it free movement, but anyone else and the man in the street calls it immigration—we have to keep an eye on those political developments. JHA since Lisbon will become more political and that will not always be a pretty sight. What do I think about the communication itself? Its most important elements, as was put to me in the question—
The Chairman: If you are going on into the detail of it, because a lot of this will be picked up by the questions, unless you have a particular strategic point you want to make about the communication, we do not want to waste your time by going over it twice. Hugo Brady: Of course. Perhaps I’ll stop here and let you direct the proceedings.
Q149 The Chairman: Does anybody have any points they would like to take up on the introductory statement before we move on to detailed questioning? Thank you very much, that is a very helpful introduction. I should like to start the questioning by asking: what do you consider to be the key aspects of the internal security strategy, including of course this most recent document from the Commission? Are the proposals in that document achievable? What in your view should be the priorities and indeed the longer-term goals? You began to talk a little about that in your introductory statement. Do you think that the Commission makes a satisfactory case for its role in internal security in this document? Some of the previous evidence we have taken situates this as by no means an extremist bid for power by the Commission. In fact, it has been criticised by some, particularly in the European Parliament, as being too unambitious. Could you talk a bit about that? Hugo Brady: I think that the internal security strategy in action document is an attempt to bring coherence to the original internal security strategy, which in my view is not a very useful document. It is much more a mission statement than a strategy, simply outlining that the EU has a role in internal security. The Commission's purpose with this document was basically to bring a set of priorities to EU action in this area, which neither the internal security strategy, the Stockholm Programme or the action plan for implementing the Stockholm Programme did. I admire the document’s pragmatism by focusing on, for example, cybercrime, money laundering and the more effective seizure of criminal assets across borders. By recognising that there is a problem of interagency co-operation in the EU it at least highlights the issue for further action, and usefully focuses on issues such as stopping crime at the EU border. I am not as convinced in some other areas. For example, I feel that the sections on counter- radicalisation of terrorist suspects or vulnerable young people are more like a bookmark to indicate that this area is important. However, the Commission recognises that and is willing to fund co-operation between states on that issue. None the less, I think that the Commission felt obliged to include this section, otherwise it would not have any substantive recommendations on terrorism. I am also not one of the people who are very convinced by the proposal which really emanated from the renegotiations of the Swift agreement on an EU terrorist finance tracking programme. First of all, it is not clear to me that the EU has a role in the area and, second of all, because it was the result of a messy political compromise, I do not believe that the proposal is very well thought through. Perhaps we can get into that 71 Hugo Brady, Senior Research Fellow, Centre for European Reform in a bit more detail. I must also recuse myself from too much discussion of the emergency crisis response proposals for natural disasters and such issues, because it not really an area on which I focus. So I think that the chief points of value are the proposals to do a lot of capacity building across the member states in the area of cybercrime, which is still a rather unknowable area in terms of economic and personal impact. A security expert specialising in cybercrime summarised it very well to me. They said, that yes, it is a very big problem and, yes, we are at the moment rather pitiably prepared to deal with it and respond to it, especially given the fact that cybercrime takes absolutely no account of jurisdictions, happens in seconds, whereas legal systems move so slowly. However, we should be careful about being bombastic about the nature of the threat. Yes, cybercrime, botnets, and things such as Stuxnet and limited forms of cyber war are essentially cyber sabotage. Thereby, you can stop things working but you can’t blow them up—not yet. Just to put that issue in context, cybercrime, cybersabotage, cyberwar are not able to inflict cataclysmic damage on us, at present. However, it is a threat that there is an absolutely completely uneven level of capacity in the member states to respond to. That is largely what the communication focuses on by proposing that every member state should have a properly working CERT, for example. Secondly, I think that the Commission was wise and correct to focus on the issue of confiscation of criminal assets across borders, because the EU does have a sort of system to do that. It has a series of framework decisions on the seizure of criminal assets across borders, but the communication rightly points out that that legislation is unevenly implemented and that it is ineffective, in the sense that if you know that the state is coming for your ill gotten gains, you automatically give them to your partner or somebody else. There is a need to find a just way of ensuring that transfers to third parties can in some way be addressed. What will be done specifically to do that, in terms of the legislation that they are proposing to write, I don’t know. On the operational element, I see the biggest challenge rooted in the ISS, and partly the reason for it in first place, is that the EU has struggled in the past couple of years to come up with a system where policemen and interior ministries—this may sound very simplistic—just agree on what has to be done, take the action to do it, and evaluate the results. During the UK’s presidency in 2005, they came up with a model system for trying to do this, called the European criminal intelligence model. It has since been recognised that this model did not really take off and has to be reworked. The Belgian presidency of last year tried to that with something called Project Harmony, which you will no doubt have heard about in previous sessions. I can tell you a little more about it if you have not. The main issue here is that if you are going to take cross-border action against organised crime, you need some structure to do so, but the establishment of the so-called standing committee on internal security in the EU, and other measures, have not yet managed to do that. The reason for that is that policemen are not soldiers. You cannot task the police of three different countries to go after an organised crime gang and take them out, as it were. That is not the way that the criminal system or the justice system work, and that is the sort of conceptual difficulty that is facing the EU at the moment. I have some ideas about how that could be addressed. The Chairman: We’ll come on to COSI as one of the specific questions later on. I think you said very clearly what you believe to be the priorities here on the confiscation of assets and the cyber unit, and that you don’t want to talk about the response to natural disasters, which is understandable. Has anyone any thoughts before we move on to the next question?
Q150 Lord Hodgson of Astley Abbotts: In your introduction, you talked about the fact that this was a global issue and that we would need to make progress on it whether the
72 Hugo Brady, Senior Research Fellow, Centre for European Reform
EU existed or not. I think that was the thrust of one of your points. Therefore, can you give us your views on the relationship between the internal security strategy and the European security strategy as practised in its relationships with third party states, how it ought to work and how it could be made to work more effectively? Do you think that the communication adequately describes how that will happen in terms of mechanisms and practical co-ordination? Hugo Brady: As regards the connections between internal security and foreign policy, I do not believe that the communication addresses them very well, because there is no real level of political agreement in Brussels or between many of the member states on how that can best be done. The idea of tasking policy to the needs of internal security or vice versa is the holy grail of justice and home affairs policy in the sense that everyone knows that it’s important but nobody knows where to find it. Conceptually, although the EU has adopted strategies and even action plans on this issue, there isn’t a great deal of coherence, even in the Commission for example, between Baroness Ashton and Cecilia Malmström, who are as well disposed to each other as any two colleagues. There is no real agreement at the moment in international forums such as the UN on who leads for the EU on areas such as fraud or even counterterrorism, or on who speaks on those issues when there are both Council and Commission people present—as with the establishment of the European external action service, whose role in JHA is also not clear and hasn’t been worked out, and which also contains SitCen, the EU’s intelligence cell. When it was established, one of its added value points was supposed to be that it was one of the few intelligence services that would combine MI5 and MI6 style information and merge them. That may have been a utopian concept, because I haven’t really seen evidence that SitCen has really successfully done that. That is in keeping with the general theme here. Often the concept of joining up different kinds of co-operation seems like it would be an absolutely brilliant idea. But doing so is difficult enough at the national level, and we are still at the very beginning stages of knowing how to do it at EU level. One example is the closure of the EU’s security reform project in Guinea-Bissau, which is essentially a mission under the common foreign and security policy. That was closed in September 2010 to the chagrin of the JHA-related bodies of the EU, which consider West Africa to be incredibly important from the point of view of drug smuggling and other kinds of crime. They would have liked that mission to remain open; they didn’t believe that its job was done and they still haven’t resolved the idea of passing information from EU missions to the JHA structures. So as much as it has been recognised as an issue and as an area where the EU and EEAS in particular could add huge value, a workable concept and list of clear priorities have yet to emerge.
Q151 The Chairman: Yes, I think that the evidence that we took in Brussels showed that the first order of business is to appoint a new head of the SitCen and then above all to work out how the SitCen will be situated in the interface between internal and external security. So there is obviously a big agenda there, and you have rightly underlined that it has not yet been properly addressed and that if it is not addressed the EU is likely to fall short. Hugo Brady: If I might just add one small point, on whether the complete coherence of internal security objectives and foreign policy is achievable is questionable. I find the idea a little bit Panglossian. Even within the Commission, you have those typical strains you would see between a national interior and justice ministry over the issue of visa liberalisation, such as with the liberalisation of the visas regime with Albania. One part of the Commission, RELEX, wanted that because it was important for the EU’s foreign policy. The other part of it, DG Home, didn’t want it, or spoke against it, as any interior ministry would, because it was going to make life a little bit more difficult from an internal security point of view.
73 Hugo Brady, Senior Research Fellow, Centre for European Reform
The Chairman: Yes, those are the endemic tensions that exist in every national Administration as well, of course, so it is not particularly surprising if they come up.
Q152 Lord Judd: Would you agree that part of achieving security of the EU is securing and enhancing the quality of life in the EU, and that that directly relates to the issue of human rights, and the rest? There is a tricky question here about the relationship between security measures that may be needed and how you are actually strengthening the thing you are trying to protect, as distinct from diminishing it. How do you think the communications proposals help in that respect? Hugo Brady: The communication is rooted in pragmatism, because it knows that interior ministries are not going to sign up to anything that smacks of unrealistic projects that are not going to go anywhere. They know that the interior ministries are 20 years more conservative or 20 years behind foreign ministries in their willingness to engage with outside players. But these documents usually have a line in them saying that, of course, with full respect to fundamental rights, we are going to do X, Y and Z. There is a big battle coming in the EU over the issue of fundamental rights; for example, we are going to see it this year in terms of data protection and the various EU information exchange systems that have appeared in response to the need, for example, for the cross-border exchange of criminal records. In my view, it will be very important in future to put some sort of limitations on various forms of EU co-operation, such as the European arrest warrant. I know, because I have read it in reports of the House of Commons Home Affairs Committee, that some 40 per cent of European arrest warrants are issued by Poland, which believes under its constitution that it is duty-bound to prosecute any crime, no matter how small. So you have the slightly farcical situation of people being extradited for the theft of two bicycle wheels or a piglet. There is a great need for a de minimis rule, such as we would have in common law, to say that the law does not deal with trivia—certainly not European law, which should deal with only serious forms of crime. We will erode public support. At the moment, there is an unchallenged assertion that European citizens will support greater integration in this area. It was quite subtly put in the Economist a couple of years ago, when it said that if you ask citizens in a survey whether they support greater co-operation between national police forces against terrorism and organised crime, of course they will say yes. But if their door is kicked down in the middle of the night on the say-so of a judge in Bulgaria, they might have other things to say about that. So public opinion surveys are no good on that issue; you must use your judgment, and a de minimis rule is one thing that we will need, not only with the European arrest warrant but also with the European investigation order, which has yet to be finally agreed and is the most important development in this area for many years. There is also a need to approach the issue of a European bail system. Another area not covered by this communication is low-level criminality. We have this image in our minds of organised crime gangs being incredibly sophisticated; often they’re just quite entrepreneurial. You have the so-called parking meter gangs operating around Europe, who will take a cheap budget flight to Dublin—I hope you will forgive me for being slightly parochial—because they know the day when the parking meters will be full. They then empty the parking meters, launder the money and are back on the flight the same afternoon to somewhere in the Baltic countries, let us say. That is low-level but persistent and serious in some ways. Those are the issues that they are facing. Free movement really has opened up a new law enforcement environment, as has enlargement.
Q153 Lord Judd: Do you think that in the culture of the EU there is an understanding all the time that this is a crucial issue? Do you think that there is a consciousness and awareness that, inadvertently, it is possible for measures that seem very important in 74 Hugo Brady, Senior Research Fellow, Centre for European Reform security terms not to be looked at in terms of counter-productivity, because of the very diverse nature of the population that we now have in the EU? Hugo Brady: I think that’s an excellent point. I had that particular thought as regards the Commission’s action plan on tackling misuse of chemical, biological or nuclear materials, one of which would be to have a standardised system for checking university employees who have access to fissile material, for example, and might divert that material for nefarious purposes. Of course, a system such as that could have unintended consequences on the vast majority of people who carry out that work for legitimate purposes. I shall be glad to come back to the Committee and speak about this another time. One area that I feel would be important for the future is the risk of over-regulating freedom, or over-regulating for security. The Commission is taking a single market approach to justice and crime issues, such as the concept of mutual recognition, which was originally invented for Cassis de Dijon and is now applied to the European arrest warrant. A person is a bit more complicated than a bottle of blackcurrant liqueur, and we are going to have to face that—but, unfortunately, we have no other choice. We do actually need this system, and it is impossible to construct it from the beginning without any flaws. We will just have to make sure that it is not, like the euro, constructed with some very serious flaws, which later blow up in our face.
Q154 Lord Hodgson of Astley Abbotts: When you talk about the European bail system, would you include in that the need for access to proper translation services and legal support? Hugo Brady: I would. There is a whole series of balancing measures currently under negotiation. For the first 10 years, the EU focused mainly on what we would call repressive measures, such as criminal asset seizure, extradition and evidence exchange. Now the focus is swinging from the repressive to the protection of rights under the very capable and robust leadership of Viviane Reding, who is the EU’s Justice Commissioner. The plans for the next five years are very ambitious in this area, including the establishment of a whole canon of EU legislation, bringing in minimum standards in those areas and others. You may remember a few years ago when the UK didn’t have an opt-out over these matters, when it was one of the member states most opposed to them, but which has now swung its support towards them, seeing them as capacity-building measures for central and eastern Europe. I think we are on that road.
Q155 Lord Richard: I wonder if I could just refer to something that is in your paper, not in the evidence that you have just given to us. It is perhaps slightly to this discussion, but it seems to me to be very important. In your paper, on the second page, in your third point, you say that, “no other organisation has the legal or political clout to put minimum judicial standards in place across the continent”. What is your thought there? How do you think the Commission is going to act, and in order to deal with what? Hugo Brady: That’s what the EU has already been doing. I am talking about minimal judicial standards in the sense not of the actual conduct of judges—that is not what I meant in that statement—but the minimum benchmarks for criminal justice, such as what we were just discussing. I mean translation and how defendants are dealt with in police custody, as well as access to legal aid, on which there is also to be an agreed European set of rules, along with the letter of rights directive, which is coming. However, there is a large element, which you will see in the Stockholm Programme, the action plan and other documents, moving towards the idea of establishing a European judicial college. On that I have no particular comment. I would be slightly sceptical of the idea myself, given the fact that something like CEPOL—the European Police College—hasn’t been an outstanding success in my view and has been the 75 Hugo Brady, Senior Research Fellow, Centre for European Reform subject of some dissatisfaction over the past year. There was the idea that if we got all the judges together in one place they could be trained to properly apply European law; that idea rankles particularly with those of us rooted in the common law, because you don’t instruct a judge in the common law. Judges may discuss between themselves the proper application of the law, but that is not for a regulator to do. These are controversial matters, but I didn’t mean judicial standards in the sense that you might have thought I meant it.
Q156 Lord Mawson: Do you believe that member states’ reliance on bilateral and multilateral intelligence exchanges outside the EU in a judicial framework is likely to be a handicap to the implementation of the internal security strategy? Hugo Brady: I don’t. If security was 100%, the Commission’s value added in this area would be about 10% to 15%. It has an indispensible role in a limited area. Nothing the EU does is going to stop member states co-operating, either bilaterally or multilaterally. In fact, I have detected a pragmatism from the Commission. One of the main ideas that we have not discussed yet in the security strategy document has been this idea of an internal security fund, where the Commission has money to give to cash-strapped public administrations to do a bit more work together. A reason for a lot of the failure of early efforts to get various EU initiatives for closer police and judicial co-operation was that you can always tell policemen to work closer together but they won’t unless there is a comparable level of maturity between the two people co-operating, a comparable level of respect. And a bit of cash always helps in these matters. You really see that with the increasing take-up of joint investigation teams, which at the beginning were thought of by policemen as just a bureaucratic tool that they were never going to use. You see much more positive take-up now, and that has been congruent with the increasing level of support available from the Commission to participate on projects together. That is why I think the internal security fund is a good idea. It is probably one of the stronger initiatives. It is rather depressing to think that one of the main roles of the Commission in internal security is just to provide money, but I’m afraid that that is the reality. The police chiefs’ taskforce, for example, has not co-operated at the level that was originally hoped for in the Tampere programme in 1999, or in the European criminal intelligence model, where it was supposed to be the head of the whole system and has now been downgraded to regular meetings of police chiefs. You would only get these people to work seriously together if you show them that you are not going to take away from their precious national budgets in the process.
Q157 Lord Richard: I come on to an area that concerns many people: information sharing. There is a whole multitude of new information sharing systems and overlapping legal frameworks. Do you think that they need to be streamlined and, if so, how would you like to see them streamlined? Is there a need for a more coherent data protection framework? Should there be a distinct regime in relation to information shared by law enforcement agencies? Do you think that the privacy of data subjects needs to be more adequately addressed in this context, or is it all right? What effect is the internal security strategy going to have on that? Hugo Brady: Well, the internal security strategy is largely a summation of ongoing activities, things that are happening anyway but which may have not yet come to fruition, such as a great number of systems for organising information sharing between the member states’ police forces. It should be remembered that there are only six forms of centralised information gathering for police and security purposes in the EU: the customs information system; the visa information system, which is not even solely law-enforcement based; the SIS and SIS2 system, which has not come online yet; Europol, Eurojust and Eurodac, the
76 Hugo Brady, Senior Research Fellow, Centre for European Reform database of asylum applicants Those are the only systems which require their own separate set of EU-specific rules for the collection of data on personal individuals. There is a proposal that Frontex would start to do it also, so there would be seven systems. All of the other various forms of information sharing, from PNR to the agreement to link up all the national criminal records registers, are decentralised forms of information exchange and subject to national law. It will be interesting this year that the Commission wants to take a principles-based approach to any EU law covering any form of information exchange. The question will be how you differentiate between data collected for private purposes, which in some cases may also be used for police purposes like PNR, and strictly police information. My own view is that at least the agencies themselves should have one set of data protection rules, because the more overlapping these sets of data protection rules are, every time the EU brings in a piece of legislation that, for instance, allows Frontex to collect personal data, a policeman or border guard somewhere has to write a new standard operating procedure to make sure that they keep inside the bounds of what is legally acceptable when using that information. Streamlining would be greatly appreciated in this area. In my own view, I would go further than that. I am a bit of a voice in the wilderness on this because it is not politically possible, I am told. The agencies themselves should be at least co- located; Europol and Eurojust, at least. Something that might come up in another question is the level of co-operation between agencies, but despite co-operation agreements and so on it is still sub-optimal in many cases.
Q158 Lord Mawson: One of the things I have been pushing for for quite a long time on this Committee is this question of how one enables some of these agencies to work more effectively together. It seems to me that the whole question of security is a really important matter. I don’t get a sense that very much work has been done on all that, and on what it actually means in a modern culture. It is a bit like your message of people getting on planes and coming and emptying the parking meters in Ireland. The truth is that a lot of these organisations are very entrepreneurial. I am an entrepreneur; I know how that culture works. The trouble is that we have got an elephant trying to get hold of a mouse, which requires a very different sort of logic. I would be interested in how far down the road some of these institutions have got in terms of having the sorts of conversations that need to happen about creating more joined-up working and the kind of integrated entrepreneurial culture that is effective in the modern world we now live in in the EU—just bit more of a feel for that. Hugo Brady: The agencies rhetorically want to work closer together and with Interpol. However, in practice, bureaucracies fight each other. That is not an EU-specific thing; it happens all over the place. The level of co-operation, for example between Europol and OLAF, is really sub-optimal, not good, and based on a sense of competition over prerogatives and future ideas coming down the line, such as a European public prosecutor and so on. So the agencies in some cases don’t work well together because they are bureaucracies, in some cases because they cannot due to their rather strict data protection rules which are laudable but restrictive. For example, one of Europol’s tasks is to help the member states scan the internet for websites related to Islamic terrorism. In some cases they have not been able to pass information back to the member states because the websites mention specific individuals and their data protection rights might be breached, such as Osama bin Laden. In some cases, the rules come out as Kafkaesque and not practical. But agencies will always find it difficult to work together, as was seen when the Spanish presidency had the idea that all the agencies should write a single report outlining the state of internal security in the EU, 77 Hugo Brady, Senior Research Fellow, Centre for European Reform which to my mind was a bit Panglossian and over the top. You can’t do that in a couple of pages. Already, the agencies do not find it easy to write distilled, crisp analytical products on their own. That’s the period we are in now: training them to do that. The next period will hopefully be about getting them to work more closely together to do that. As I say, it is not just about rules. There has to be a level of respect and mutual maturity.
Q159 Lord Mawson: How much money, investment and energy in the EU—which seem to be so critical if any of these issues are going to be affected—have been put into this question? I hear that there is a lot further to go. Is there any investment going into this? Partnership working is quite a complicated thing to do. It is about people and relationships and all of that stuff. Do you get the sense that there is a sense of urgency about that, and investment in it, or not? Hugo Brady: I do get the impression that there is a sense of urgency. For example, OLAF has become a lot more productive in recent years, despite hiccoughs and problems in leadership and a tragedy with the death of their director. With Europol, again, we must be careful of being too parochial as its head is a former senior police officer with the Serious and Organised Crime Agency. It now has an energy and an appetite, and a pragmatic focus, as in this communication from the Commission. It knows that it runs the risk of not being taken seriously. Europol has been on the go now, technically, for 20 years, although only in the past five years has it really made a play to be taken seriously by the other police forces. So there is a hunger out there. Frontex has done exceptional work in a short space of time, but it is also a sort of palliative. It is a tiny agency, and every time there is an outcry over illegal immigration, Frontex gets brought up as a sort of band aid, but none the less has performed remarkably well. It is the youngest EU agency in this area at the moment. You can clearly see that the EU is learning lessons as it goes along. One area I am worried about is the establishment of this EU/IT agency. Let me give you a quick bit of background on that. It is being established because the Commission has rightly said, “We mismanaged the Schengen Information System 2, and we put our hand up in the air. The reason we mismanaged it is that we are bureaucrats, not IT specialists, so what you need is an agency to specialise in this area”. I am little bit worried about that because I still think that there will be bureaucrats in that agency. We have an EU/cyber security agency, or information network security agency, called ENISA, also not a huge success and based on the island of Crete in a country with not-incredible broadband. There is a clear need for rationalisation of the agencies. If I had my way—I will go into my enfant terrible role, if you don’t laugh at me—I would collocate the cores of all the agencies together. The EU’s value added is small in JHA. Even Europol is already thinking along these lines. It wants to increase its effectiveness by creating regional hubs because it knows that, although they are linked, the concerns of a policeman in the Mediterranean security sphere and one in the Nordic security sphere are different. So it wants to create specialised hubs. Lord Mawson: One final point. I have built collocated hubs. Bringing organisations into the same office space is one thing. They could still be a thousand miles apart from each other. They will not talk to each other unless you do something else. They need to meet around the photocopier and for coffee. There is something else you need to do to make that work. It is essential that we create those sorts of environments in the modern world, and learn how to do it. I suspect that it is pretty essential here. The Chairman: I think we had better move on, otherwise we are going to run out of time.
78 Hugo Brady, Senior Research Fellow, Centre for European Reform
Q160 Lord Hodgson of Astley Abbotts: Obviously the September 11 bombings in the United States gave a great shock to the whole area of security. How do you see the implementation of the ISS affecting co-operation with the US in the fight against crime and law enforcement? Should we be thinking about parallel arrangements with other parts of the world? Russia and China are big emerging markets; and, of course, the Middle East, where there is a particular focus; and maybe Africa where there are a number of failed states. Any thoughts on priorities and how we might proceed in Africa? Hugo Brady: That is a big issue and linked to the issue that we talked about earlier on the external priorities. My own view is that once you move outside the EU, things slow down. Many European countries have intimate and very pragmatic links with Russia, for example, but they have taken an awful long time to develop. They are mostly based around liaison officers. One of the big value added areas that the EU has tried to offer the member states, such as migration, has been through agreeing legal readmission arrangements with third countries like Pakistan and Turkey on taking back illegal immigrants or migrants who transit through their countries. The EU has just signed a very ambitious agreement with Turkey on this. Once you get outside the EU, money can be spent on upgrading security reform. We haven’t yet seen whether the rafts of readmission agreements that have been signed over the years are really delivering. There is simply no EU substitute yet for a national liaison officer based in Moscow who has earned the trust of the Russian police and knows the local lie of the land. I understand that there will be JHA attachés in future external action service missions. That is a welcome step, but my view is that it is very difficult to translate internal security priorities into foreign policy. One area it might translate into well is cyber-crime because of the shared nature of the threat in economic terms. One of the things I wanted to say when we were talking about co- ordination was that it is not just a question of the agencies, there is the question of the EU being set up with an economic focus and trying to get other countries to abide by intellectual property rules and help out with cartel fraud and as well ill-gotten gains transferred outside the EU. There are about five or six commissioners who are involved in the whole JHA sphere directly or indirectly. Georgieva is the crisis management commissioner. Tajani is the enterprise commissioner who controls the security research fund, which is not linked at all to DG Home or the other DGs. Kallas is probably the most influential commissioner in many ways because he controls transport regulation: aviation, container security, all of that. Then you have Malmström, Reding and, indeed, Ashton. Even inside the Commission there is the problem of co-ordinating and translating these into foreign policy priorities. I think that we are a long way off that yet. My own feeling is rather pragmatic. It is absolutely essential to secure deep JHA co- operation with Turkey because if, as might be the case, the negotiations on Turkish membership of the EU do not go well, and seeing as the JHA chapters are always the last to be agreed in any negotiation, it would be essential that we deepen our links, as has been happening over the past few years on terrorism in particular. It is really essential, for example, that the agencies work more closely together on external priorities. Pakistan is a perennially difficult partner for this country as much as the EU as a whole. West Africa has clearly been laid out as a priority. I am afraid that I do not have any comment on areas like China because they are too far outside my experience. Russia operates by its own rules. It does not really recognise the EU in this sphere, although the recent EU agreements with Russia which have not been concluded include a chapter on JHA. The only thing that will influence the Russians to engage with the EU on that level is access to files at Europol, which they are keen to get, or visa liberalisation, which they are very keen to get. So there
79 Hugo Brady, Senior Research Fellow, Centre for European Reform are some carrots there, but how we translate those into making the average European citizen safer is not really clear at EU level yet. The Chairman: I think the point you make about Turkey demonstrates that. I am sure you are right in saying that if Turkey is frustrated or slowed down to a snail’s pace in its accession, this poses a serious third country problem, but it also makes it clear how much better it would be to do it if Turkey was going to join and could simply apply most of these regimes itself.
Q161 Lord Tope: You referred in your evidence to the “stop start” development and I think you said just now it had made a serious play over the past five years. Has it worked? Is this an organisation that is now taken seriously and doing serious business with national enforcement agencies? Hugo Brady: I think that it is working and that Europol used to be described—famously by the Dutch—as a black box into which you put things but nothing comes out. It is trapped in this vicious cycle of saying, “We could give you useful intelligence products if you gave us useful information”. There is no doubt that many member states still do not take Europol all that seriously. Certain promising developments have happened. Number one, it sorted out a real problem that it was having with its IT file storage system. It has a professional standard computer system for sharing and exchanging sensitive criminal intelligence data, the SIENA system, which they are now marketing to member states as a an IT solution for various problems of information exchange between countries because it can be used by individual countries working together if they wish to keep certain co-operation strictly bi-lateral. Iuropol did something similar in the 1990s to reform image with national police forces. It developed the I-24/7. That made Iuropol more relevant all of a sudden and increased member states’ participation. So for Europol the development of SIENA is one major achievement. The second has been to develop a series of intelligence products. You have the annual assessment of the OCTA, the organised crime threat assessment. You can see at the beginning Europol started just doing one big assessment. But as Europol's knowledge and expertise, which is there, grows deeper, it has a better understanding of what member states expect. The OCTA is now getting into specifics. There is now a Russian organised crime threat assessment (ROCTA) and Europol is breaking its activities down further and further to regional focuses. That is one of the conceptual processes that have been taken to divide the EU into four bits and say, “This is criminal hub number one. Here are its priorities. Here are priorities for criminal hub number two, and so on and so on”. Europol is getting there, but is not there yet. The director has done an excellent job of showing that the organisation has purpose, but it will probably take the whole of this term to convert the agency from being useful every now and then to being indispensable. If that happens, that will be the end of a very long journey to make Europol something that the member states take seriously. If you look at Frontex and the border agency’s development over five years, say, and Europol’s development over 10, there is no comparison. The people in Europol lay a lot of that at the door of the original legal framework that was used for Europol. It was an old stodgy convention whereas Frontex had a bespoke European regulation. It worked properly from day one with border services, whereas Europol has never really been like that. At the moment, it still appears more like a think tank than a European FBI.
Q162 Lord Tope: Do you think it needs additional powers and how well is it working with the other agencies such as Frontex and OLAF and Eurojust?
80 Hugo Brady, Senior Research Fellow, Centre for European Reform
Hugo Brady: Its closest working relationship is probably with Eurojust. Again, they are based in the same city in the Netherlands, which helps. They have a longer history of working together than some of the other agencies. The Chairman: We did take some evidence on this from the director of Europol who was in charge of a taskforce that brings together the agencies. He gave a rather optimistic view that they were in the future going to be able to work more closely than they had done in the past. That was in the evidence session when we had the director of Europol.
Q163 Lord Tope: The earlier question was whether it needed additional powers. Hugo Brady: I don’t think so, for the moment. There is a sense of a permanent revolution going on with the Commission writing all these new laws that change how the agencies work. The agencies need to be allowed to mature. There is already a proposal to give Frontex new powers and that is the third in five years. There is a need for consolidation.
Q164 Baroness Eccles of Moulton: This is a good moment to go back to COSI, which you mentioned in your introduction and COSI-related matters have been referred to throughout the discussion. It is relevant when it comes to other organisations having a forum within which they can co-operate. What are your views about the potential success of COSI in achieving its objectives? Does it have the right membership? Will it be able to acquire sufficient funding? How will its success or otherwise be judged? Hugo Brady: This is absolutely crucial to the question of the future of justice and security matters at EU level. COSI was considered to be the missing piece of the puzzle that was not answered by the Police Chief Task Force. There is a need to have final political agreement on saying, “Here are the things we need to do on internal security at operational level— nothing to do with criminal justice legislation or court proceedings. And here is how we are going to go about it.” COSI’s membership at the moment is rather fluid, depending on the issue. It is the member states, the senior interior officials plus the relevant people from the agencies, Commissioners and JHA Councillors. It depends on who you talk to as to whether or not the meetings are going well. First of all as is understandable at its first handful of meetings, it was not very clear what the committee was supposed to do. The EU structures have no real experience in maintaining 'internal security'. There is a natural and probably correct hesitancy on, “Well, are we going to now make a list of organised crime gangs who we want to go after, then task ourselves to do it and see if we did it?” That is the Rubicon that the EU has stopped at time and time again. It has not been able to do that. My own view, which is radical, is that it should have an EU most wanted list. Why have COSI at all if it is not to decide on priorities and establish a set of targets and measure progress against them? Even if it is only levels of drug smuggling or human trafficking and to report back to the member states on whether it has been effective. I also think that an EU most wanted list should be public. One thing you frequently hear about COSI is that it is an unaccountable body operating in a shadowy enclave, taking decisions that nobody knows about. It would be better if it had a public list of priorities. You could also use that list to leverage the EU soft power in areas like enlargement. As an example, if COSI decided that a certain Albanian organised crime gang’s activities were a real problem throughout the EU, and to publicly target the leader of that gang, suddenly that person’s name would appear all over the press in their native country as being associated with organised crime. That would be a problem in terms of that country’s EU ambitions. The Government authorities would be forced to step in and take action to crack down on whatever crimes are being perpetrated. That is a radical idea: COSI is nowhere near doing anything like that at the moment. But these things have to work. COSI is in the Lisbon Treaty as being the solution 81 Hugo Brady, Senior Research Fellow, Centre for European Reform to the JHA equivalent of the EU’s Political and Security Committee. At the moment it is not operating on the level of that committee.
Q165 The Chairman: There seems to be some tension between one view, which is that it should purely be involved in operational matters, and that it should have a more co- ordinating function. There is a tension among the member states. The UK appears to believe in the operational approach rather than the co-ordination approach, but that it partly due to a dislike of the idea of new legislation. Hugo Brady: Yes, and COSI was specifically supposed, at least at its conception, to stay out of legislative matters altogether. Another issue that was unclear was whether it would replace the so-called CATS committee, which deals with most of the legislative matters on the police side. If COSI is to do anything it is to focus on operations, but it is where the EU’s limited legitimacy of the area is revealed. You have to ask what are the other balancing mechanisms such as the European Parliament. Are COSI’s activities covered by the remit of the ECJ, which they are not, in most cases. Its function is still not entirely clear. Unfortunately, having a clear role will bring political implications. Its legitimacy and its activities will lead to a demand for more accountability from the public.
Q166 Baroness Eccles of Moulton: And underpinning its effectiveness has to be genuine co-operation from member states? Without that it might as well not exist. Hugo Brady: We might be tempted to lay a lot of these problems at the door of the EU. They are really just the problems of international co-operation and internal security, which is always difficult. If you look at the problems that the G6 has had in the past few years, it has become a more and more anonymous grouping of states doing less and less. That is because there may only be a small threshold of co-operation in these matters and perhaps that is why Interior Ministries are so conservative. They will always be so. Policemen are not soldiers and trying to think of them as that is a conceptual mistake.
Q167 Lord Tope: We’ve been going for an hour and we have not mentioned the Counter-Terrorism Coordinator. How do you see his role and function fitting within this strategy? Does he need enhanced powers?
Hugo Brady: I note your enthusiasm for granting the EU enhanced powers in sensitive areas. Lord Tope: You shouldn’t do.
Hugo Brady: I’m being facetious. Gilles de Kerchove has been the EU’s Counter-Terrorism Coordinator since 2007. He took over from a rather disappointed Gijs de Vries, who was frustrated that he could not increase co-operation at EU level, at least in terms of his own office. The Counter-Terrorism Coordinator function has been in a bit of an existential crisis since the Lisbon treaty. Now that the EU has a role in internal security, what do we need an intergovernmental Counter-Terrorism Coordinator for? Originally, some people thought that Cecilia Malmström, the EU’s Home Affairs Commissioner, would take over the role of the CTC. That was especially given that four or five Commissioners that I mentioned, such as Kallas, had such a big role in transport, in aviation security. When you suddenly have to implement a liquids ban at short notice, the Commissioner is a key player in that. Eventually it will appropriate to abolish the CTC's position or place it somewhere else, possibly in the EEAS and shift its role more towards the foreign policy priorities of 82 Hugo Brady, Senior Research Fellow, Centre for European Reform counterterrorism. But at the moment the office plays a valuable role in a number of ways. First, its current occupant has the wonderful genius to be liked and respected by everybody. He is able to bring together professionally sceptical interior ministries and officials dealing with counterterrorism and get them talking. That is valuable. It doesn’t happen as often as you’d think. Mr de Kerchove has done a lot of very good work in instituting regular meetings between heads of counterterrorism in various countries. Until that becomes embedded and permanent, that office will always have a role. In many cases, the function of these EU bodies is to make themselves irrelevant. Hopefully, co-operation happens naturally and normally but for at least the next couple of years, the CTC has a role. I hope I never need to know, but I would be interested to know what happens if there needs to be a face of the EU in a terrorism crisis. Imagine if there is a major terrorism attack possibly affecting two or three countries. Who will people need to see and hear a European view from, perhaps on the implementation of the solidarity clause? I do not know if it would be the CTC. It would be someone more like Herman Van Rompuy— probably not exactly appropriate but who happens to be a focal point for people at the time. That is why the position was originally created: to give the EU’s counterterrorism’s policy a public face. That is not the direction Gilles de Kerchove went in. He wanted to get the services to work more closely together and talk to each other in a Brussels context.
Q168 Lord Tope: More co-ordination and facilitation. Hugo Brady: He’s been very clever in how he has done his job. Even in the difficult area of radicalisation, he has managed to get the member states to talk around the issues. It might not seem like much, but in this area it is an achievement in itself. The Chairman: We’re running a bit short of time, so if those people who I've allocated things to don't mind we'll skip one or two. I think you answered the question about counter-radicalisation, in which you said it was a lower priority.
Q169 Lord Judd: There is just one question. How do you think the Commission approaches the problem which I detect, that some of the counter-radicalisation programmes being devised in the psychological dimensions of the security situation are actually being exploited by manipulative people, who like disclosing what they are and turning that against the whole cause of achieving security by trying to discredit them? In that context particularly, how do you see the work being done by the European Union—indeed, is there a role—on the relationship of the extraordinarily challenging issue of Pakistan and the very large population within the European Union with Pakistani connections? Hugo Brady: Radicalisation is one of the issues on which everything you say is wrong, because it is so incredibly difficult. Even in the implementation of Contest 2, UK officials would say back to you that there are two unintended effects, in certain cases, of counter- radicalisation policy. One is that if somebody knows that they are being counter-radicalised, that is likely to radicalise them even further. They will see the state engaging in ethnic profiling and the targeting of certain communities. That is incredibly dangerous. The second is more mundane, in that a sort of industry crops up around the communities who are being funded. Various projects receive funding and they become dependent on the funding and invent new reasons for it. These may, over time, lose their actual relevance to counter-terror efforts. For myself, I remain rather sceptical about the effectiveness of counter-radicalisation policies. Yet you can easily see that it is somewhere where you have to do something and take action at municipal and national level. The EU’s role in it, for me, is simply to raise the level of discussion higher than it would be. In one area, for example, I 83 Hugo Brady, Senior Research Fellow, Centre for European Reform think that Gilles de Kerchove, the counter-terrorism co-ordinator asked the UK to lead the project on countering the Al-Qaeda narrative—because a lot of good work had been done on that here—by disseminating a very high level of analysis on the problem and what might be done to tackle it, including anonymous interventions in chatrooms, factual interventions et cetera, on what Al-Qaeda’s narrative is. For most of Europe, counter-terrorism is a G6, plus Denmark, plus the Netherlands matter. Somebody in the interior ministry in Poland might not immediately see why countering Al- Qaeda's narrative is relevant to them, so raising the level of that debate is probably the most that the EU can do. Funding the odd community project here or there that seems to be working particularly well is worthwhile, but any more than that and I think the EU would not benefit from huge visibility on counter-radicalisation. Incidentally, Pakistan was one of the areas which Gilles de Kerchove reported himself scared by from the radicalisation point of view, after a number of visits. But again, the EU’s added value in the area is small and I do not think that it is worth making too much of it. The Chairman: I think we’ll drop the next two—one is mine anyway, so I can happily take an executive decision to drop that—because they are areas which you said you did not have a great expertise on. They were emergency response and, I am afraid, it goes for the Olympic Games too because that is covered by that.
Q170 Baroness Eccles of Moulton: This is a question of democratic accountability. With the emerging EU security framework, which is perhaps entering rather different territories than it has been in before, do you think that the European Parliament and national Parliaments will be able to ensure that democratic accountability is sufficiently protected? Hugo Brady: I think that most of the EU’s JHA—or its security agenda, let’s call it that now—is really about capacity building: improving the infrastructure, professionalism and training; the ability to work across borders; and the technological resources of police and judicial authorities. In that sense, the great majority of co-operation in this area is not going to be controversial. But if people feel that national constitutional freedoms are being eroded by a sort of supranational activity, there is a real problem of democratic legitimacy. The European Parliament has so far proved itself at least eager to take on that task. It has been the subject of criticism, as you will be for doing so in a Parliament. I am, however, critical of the negotiations that happened with the Swift agreement. I was really taken aback by them. Those negotiations were really more about increasing the Parliament’s actual power and giving the EU its own terrorist finance-tracking programme. It was not very clear to me that the European Parliament in that instance was fighting for civil liberties. It was fighting for the expansion of the Parliament’s role on security. Of course, every Parliament worth its name fights for an expansion in its role. John Pym was fighting for an expansion of the role of the Houses of Parliament; so it will be with the European Parliament. In protecting its own prerogatives, the idea goes that it will protect the fundamental rights of European citizens.
Q171 Baroness Eccles of Moulton: From that point of view, I suppose that it is more remote from its electorate than national parliaments. Perhaps it thinks it can get away with a bit more. Hugo Brady: In the particular case of Swift, to take that example again, what really piqued the Parliament in that sense was that the deal on Swift had been passed the day before the Lisbon treaty entered into force and the Parliament got its extra powers in this area. There may come a time when the Parliament’s role would be best executed if it could also prove itself a serious considerer of security priorities as well as a serious defender of civil liberties. 84 Hugo Brady, Senior Research Fellow, Centre for European Reform
Now, how would that find expression? One idea would be to create a special committee inside the LIBE committee. My original thought was that there would be, as in the American Senate, a sort of House Services Committee for the agencies and a civil liberties committee: one to vet EU legislation in the area of its appropriateness and impact on democratic personal freedoms, the other to vet it just for its actual effectiveness to the security issue at question. But creating a new parliamentary committee in the European Parliament is incredibly difficult, therefore it is probably more feasible to have a special committee inside that committee which deals with that and where security professionals—for example, policemen et cetera—can come and speak at hearings such as this. It could also compile serious reports, such as the one you are doing now, so that it can at least show the outside world—partners like the US, for example—that it has seriously considered the issue and is not acting in a fit of pique. That is one idea. A second area is more interesting. As you said, on national parliaments it is not clear to me but the Lisbon Treaty contains various references to making Europol becoming more directly accountable to national parliaments. You may have heard about that in more detail from Rob Wainwright, but I am not clear what that means in practice further than them simply coming and making the occasional speech in front of a Parliament. Then you have to look at the other systems of accountability in the EU. There are probably three major ones now. One is to have a separate justice commissioner whose role is partly to balance the repressive measures with protective ones. The second is to have stronger powers for the European Parliament and the third is to allow the European Court of Justice scrutiny powers or judicial review powers over all those various things, provided that they do not affect the actions of internal security and policing.
Q172 Baroness Eccles of Moulton: Would they ever allow it? Hugo Brady: I think that’s going to be a mess in future because while the treaty creates the distinction between national security and EU internal security, I am not clear in my own mind what the distinction between those two things is. I fear that we will end up in front of the ECJ one day, arguing that point on some issue or other. But for me the court is probably the strongest protector because, as it has been in previous cases and will be on many other aspects of the Lisbon Treaty, it is going to be the final arbiter on what is often a vaguely written text. The Chairman: We became conscious as we worked our way into this that the role of the European Parliament has of course been increased by Lisbon, but so has the role of the national Parliaments. Because we are talking about an area where the competences in so many cases remain national, not European, both these issues of accountability have to be addressed. That has become very clear to us. We have also tried to open up channels of communication with the European Parliament, one purpose of which is to bring home to them that national Parliaments have rather more to do than they have done in the past in this area. We will see in future how it goes.
If you don't mind, Lord Mackenzie, we will drop the second of your questions because it is not very germane to the EUISS.
Q173 Lord Mackenzie of Framwellgate: Thank you Lord Chairman, I was going to roll them into one in any case. Mr Brady, what impact do you think that the European arrest warrant, which you have touched on already—I think I already have the drift of your view— has had in the fight against terrorism and in its impact on other internal security issues? Again, is it undermined by issues of fundamental rights and proportionality? 85 Hugo Brady, Senior Research Fellow, Centre for European Reform
Hugo Brady: Obviously, the European arrest warrant has radically changed the process of extradition in Europe. One interesting comment that was made to me by a policeman about this was that they don’t fly to Spain any more, they go to Brazil. That means it is harder to evade justice inside the EU now because of the warrant. My only concern about it, as I said earlier, is that it has been undermined by excessive use in some member states for trivial things.
Q174 Lord Mackenzie of Framwellgate: Could I then put the supplementary question? Would you compare it with the FBI in the United States, where on certain federal offences the FBI can go across borders and act independently? Do you think that there is an argument for having federal offences for the European Union and only certain categories of offences that can be used for extradition as opposed to being across-the-board? The example of Poland, which you gave, was a good one. Hugo Brady: That argument has been made many times by what we would call ardent federalists, who have a vision of the EU as a single state. It is too politically sensitive to propose it in that way. That idea is the central idea behind the European prosecutor, which is why that issue is so controversial. For example, the UK has no intention of becoming a part of the EPP because it would be the foundation of a sort of system of European federal crimes. The EU actually has one federal crime, which is the counterfeiting of the euro. Europol is the lead body taking action in that area. Actually, Europol has been rather effective in clamping down on counterfeiting of the euro, partly because it has such a clearly defined legal role, but any sort of robust body of EU federal law would open up a very difficult political debate. As well as that and - I think that a horizontal point for this whole inquiry - is that you would see a very strong reaction from the Interior Ministries. The Council (all the interior ministries together - does not even like this communication document, for example. It does not like the Commission putting its stall out like this; it is very shocking for some of them. One frequent theme that we see on the EU’s new powers on justice and security is that the EU uses the power, and then the Interior Ministries are taken by surprise because it was not they who negotiated the Lisbon treaty. They were not the lead people negotiating that. They were told by foreign ministries that the JHA issues were part of a balanced compromise; therefore they are frequently shocked when certain things have happened as they were on Swift, for example. To sum up, I hope that a body of EU federal law is probably not in our future because it would undermine so much of the co-operation that we are struggling to make work now. The Chairman: Thank you very much indeed, Mr Brady. You have covered a huge amount of ground this morning and helped us to find our way through this jungle that we are working our way through at the moment. Thank you very much for sparing us the time. As I say, we will let you have the transcript for you to make any corrections that you wish. Hugo Brady: If the Committee wishes to get back to me with specific queries I would be happy to give you any follow-ups. The Chairman: The secretariat will be in touch with you if there were any points which we could usefully follow up. Thanks very much indeed. Hugo Brady: Thank you. It has been a great honour to be here.
86 Dr Paul Cornish, Chatham House
Dr Paul Cornish, Chatham House Oral evidence, 19 January 2011, Q 175-208
Evidence session no 6 : heard in public
Members present
Avebury, L Dear, L Eccles of Moulton, B Hannay of Chiswick, L (Chairman) Hodgson of Astley Abbotts, L Judd, L Mackenzie of Framwellgate, L Tomlinson, L Tope, L ______Examination of witness
Dr Paul Cornish, Carrington Professor of International Security, Chatham House
Q175 The Chairman: Good morning, Dr Cornish, and thank you very much for coming along to give evidence to us on the EU’s internal security strategy and, in particular, on the document that we are taking evidence on at the moment, which is the Commission’s action plan for implementing the internal security strategy. The strategy was approved by the European Council last March, and contains a lot of words but not much substance. The Commission, as you know, in November produced a much more down-to-earth document, which is the one we are looking at now, and we are taking evidence on it. I think we are aware of the work that you did at Chatham House on some of the issues that are covered by it, particularly quite a lot on cyber, which is why we put the cyber questions at the front, because we want to tap your knowledge and wisdom on that.
The session, as you know, is open to the public. The webcast of the session goes out live as an audio transmission and is subsequently accessible on the parliamentary website. A verbatim transcript will be taken of your evidence and this will be put on the parliamentary website. A few days after the session, we will send you a copy of the transcript to check it for accuracy, and we would be grateful if you could advise us at that stage whether there are any corrections. If after the evidence session you wish to clarify or amplify any points made during your evidence, or have any additional points to make, you would be very welcome to submit supplementary evidence to us. So perhaps, if you wish to make an opening statement, that would be very welcome to us. If not, we will proceed straight to questions and answers. 87 Dr Paul Cornish, Chatham House
Dr Paul Cornish: Lord Hannay, thank you very much. It’s a pleasure to be here. Thank you for inviting me, and I hope I can be of some small help in your inquiry. Thank you.
The Chairman: Do you not want to make an opening statement? Dr Paul Cornish: No thank you.
Q176 The Chairman: All right, we will proceed then, if I may, to the issue of cyber- security, which I know you are knowledgeable about. I wonder if we could start with a very general question, which is: can and should the EU play an active role in enhancing the cyber- security of its 27 Member States? In what way could that develop? Incidentally, I hope that, in this section of questions, you will cover both cyber attacks and cyber-crime, which as you know is quite prominent in the Commission’s paper that we are looking at. Dr Paul Cornish: Thank you. In answer to the first part of your question, Lord Hannay, I certainly think the European Union should play a very active role in cyber-security, broadly defined for the moment, including crime and hacking and various other activities. It seems to me that the European Union cannot but be involved and cannot but take a leading part in this discussion and, indeed, in policy and in practice, because the European Union institutions and the Member States and private people all over the European Union are, it seems to me, targets in one way or another of aggressive or hostile cyber activity. I have a note here of an IMF report that estimates that financial crime consumes some 5% of global GDP, and maybe that’s a useful measure to take. If that’s 5% of the EU’s GDP, then clearly we have a fairly major problem, which does need a lot of attention and a lot of good effort. As for the developments in the future, reading both the ISS and the five points of the Commission’s response, it looks to me as if there is an awful lot going on with the cyber- crime centre, the proposal to establish the network of national CERTs (or Computer Emergency Response Teams), and then the EISAS and all these efforts, which is to the good, I think. Also, within those two papers, there are calls for Member States to establish common standards. Again, all that is for the good. But, on the basis of some work we are doing at the moment on the UK’s own critical national infrastructure and the sensitivity within the CNI, as it’s called, to cyber-security matters, I would say that the European Union has a big task on its hands in terms of establishing and raising common standards. The cyber consciousness in the UK, I would say, even within the critical national infrastructure, even within in other words those organisations and businesses that ought to be very familiar with this sort of thing, is at the moment very low. We have a report coming out on that subject in the next month or so.
Q177 The Chairman: Perhaps you could make that available to us. Dr Paul Cornish: I certainly would be delighted to.
The Chairman: It would be helpful if we had that for our information. Dr Paul Cornish: I have hard copies of our previous publications, which I’d be very happy to leave with you, if that would be useful, and could send over other copies if those would be useful to you. Setting all of that apart, the ambition and the structures and the organisation, I think there is a lot of soft work to be done, raising awareness and so on, because it seems to me that a large part of what needs to be done is, as I said, to raise common standards and to encourage even a common language. You will not find organisations, and certainly 88 Dr Paul Cornish, Chatham House governments, across the European Union who would even agree on what they mean by “cyber-security”, so I think we have a fairly basic problem to begin with to have the language more or less on a common basis. Once you have done that, you then have something that you can improve through agreeing on reference points and common practice and sharing best practice and so on. Forgive me if I am going on, but I think cyber-security is still a very new and very fast- evolving problem, so my observation on the institutionalist—if I can call it that—approach to the problem of cyber-security is that, by 2012 and 2013 when these organisations I referred to should be up and running, the problem of cyber-security and the threats from cyberspace will have advanced considerably, so we could be setting up institutions that will just about come on stream, only to find that they are obsolete. I hope they won’t be obsolete, but there is always that danger, simply because cyber-security moves so fast. So if I were to put it in headline terms, I would say that the European Union’s first step as it approaches the future should be to address the problem that we at Chatham House call the “lack of a culture of cyber-security” across the European Union. There are hints of that— more than hints. In Objective 3, Action 2 of the European Commission document, there are lots of good initiatives that seem to be addressing that approach, but I think it should be made more explicit. I think there is a cultural problem across the EU that needs to be addressed first of all.
The Chairman: Yes, of course the Commission will be putting flesh on those bones as time passes, and that will partly help in that respect, but I am struck, like you I think, that there is a long way to go. This Committee did a report, as you know, on cyber attacks, on an earlier Commission paper, but I think it is striking that this subject is only addressed in the press in rather hysterical terms, without any very clear specifics or any very clear prescriptions of what one might usefully do to deal with the risks and threat. Anything that can be done to increase general knowledge is, I think, desirable.
Q178 Lord Tomlinson: Dr Cornish, you referred to the proposal in the ISS to establish a cyber-crime centre, possibly within Europol. Now, in what you just said, you referred I think to the primacy of an EU role in creating a consciousness about the problem, but as I understand it the proposal for the Cybercrime Centre would be something through which the Member States and the EU institutions could build an operational and analytical capacity to carry out investigations. How do you see the relativity of what they state as their objective and the issue that you raised with us about creating consciousness? Dr Paul Cornish: I think that there must be a case for collaboration on investigations across the piece in crime and terrorism and so on. Of course there must be, but I do wonder. The first thing to say is it can’t be the only thing that needs to be done. There must also be cooperation and collaboration on training and doctrine and forensics and all these other things. So there is plenty to be done; it isn’t just a matter of investigation. There must also be coherence in how crimes are investigated and prosecuted, so plenty of supporting activity, if I can call it that, that needs to be undertaken. I think my gut feeling is that, in a way, the problem of cyber-security is still too young and too indistinct to be absolutely confident that what is needed right now or by 2012 is a cyber- crime centre run within the European Union. As I was saying, it seems to me there is an awful lot more groundwork that needs to be done before we can be confident that we’ve got to that requirement and, therefore, should be putting it into place. 89 Dr Paul Cornish, Chatham House
Q179 Lord Tomlinson: Would I be putting too many words in your mouth if I said that you seem to be suggesting that a centre that had this operational and analytical capacity might, if the other work that you’ve referred to wasn’t done, be the manifestation of the EU trying to run before it had taught everybody else how to walk? Dr Paul Cornish: I think those are very well-chosen words, which I wish I’d used. No, I think that’s absolutely right. I think in this regard it is not yet—perhaps it never will be—for the European Union to tell the Member States how to deal with the problem, any side of the problem. It is certainly, though, for the European Union to facilitate and coordinate national efforts. I think once we’ve got enough progress, enough momentum, enough of a critical mass if you like, then that’s the point at which you need to share best practice and to be doing all sort of things that a cyber-crime organisation might be doing.
Lord Tomlinson: Thank you very much.
Q180 Lord Dear: Dr Cornish, I just wanted to explore with you—and I know we’re going to be guessing at this—the concept of operations and analysis. It seems to me that both of those are ex post facto. There has been an attack. Who caused it and what can we do in the future and so on? Would you see such a centre eventually developing a capacity to try to suggest ways in which one could protect oneself in the first instance? Because that is actually the more important of the two but, of course, very much more difficult. Dr Paul Cornish: I think, in a way, I’d wrap that into the notion of a culture of cyber- security. Protection and self-defence and so on, and all these sensible either individual or local measures seem to me to be part of that. I’d attach one other thing in my vision for the cyber-crime centre. It would be to not only look at training and all these other things that I mentioned, and information-sharing and so on, but really to focus very hard on the problem of cyber forensics and cyber attribution. This is something of a hobby horse of mine, because it seems to me that one of the things that is so plainly lacking in cyberspace is, quite simply, politics. And if politics are lacking, then I don’t think we can have deterrence, and what we need is deterrence. We have, in cyberspace, a terra nullius. We have an ungoverned space, as some would call it, and I think whoever you are, whatever the miscreant or adversary, you know that and you know that you can work in a space that is unregulated or largely unregulated. You can work in that space with relative impunity because we, the targets, whoever we are, are on the back foot. We don’t quite know what the problem is. We don’t quite know how to deal with it or who should be doing what. And this is the point we make in our cyber-warfare paper—until we can, as it were, insert politics into cyberspace, we won’t be able to have this deterrence relationship with the adversary, whoever it might be, the criminal or the terrorist. We won’t be able, therefore, to affect their calculus and introduce an element of possible sanction and, therefore, make it quite plain to them that this is not a risk-free activity on their part.
Q181 Lord Dear: That step is going to be by far the more important and the more difficult. Dr Paul Cornish: Absolutely, I think this is what I mean, really, by arguing for a softer approach to cyber-security at the moment. Forensics is not a soft issue. You need people with huge skill, in buildings and in organisations, able to track down the source, and indeed the intent of the cyber attack of whatever sort, or criminal event. You also need, vitally, to attribute it. Now, you might not ever be able to attribute it 100%, but you might be able to 90 Dr Paul Cornish, Chatham House reach 75%. You might be able to begin asking questions such as: who has gained from this? That, I think, changes the whole political dynamic of the relationship in cyberspace between ‘us’ (the ‘good’), and ‘them’ (the ‘bad’).
Q182 Lord Hodgson of Astley Abbotts: As I understand it, you think that we have to be prepared to saddle a third horse, in this case, the cyber-crime centre, and maybe it’ll have an independent life for a bit. Maybe it will be within Europol; maybe it will be within ENISA. You don’t want to decide yet how it would best be structured until the landscape of cyber- crime becomes a bit clearer over the next few years. That having been said, how then do we find the right people with the right skill set to work in the cyber-crime centre? When we took evidence before, we had a very powerful set of evidence given to us, which was that the traditional management approach is older, arts-led and hierarchical, while technological areas such as cyber-crime are younger, engineered and flat-structured. Dr Paul Cornish: I actually don’t think this will be a problem.
Lord Hodgson of Astley Abbotts: Good. Dr Paul Cornish: I say, from an arts background. We have done and are continuing to do quite a lot of work. In fact, one of the distinctive features of the work we’ve been doing at Chatham House on cyber-security is that we work closely with the industrial sector. We work with technologists and, in fact, the starting premise, in a way—and it will sound very simplistic—was that the Whitehall world of security policy doesn’t know enough about the technology, and the technologists don’t know enough about the world of security policy. So here at Chatham House, we can fit them together. And by and large, I think it’s worked very successfully, but my sense is there is no shortage of people who have the ability and the interest in working on these sorts of problems as technologists, investigators, forensic specialists and so on. I would say that that’s not what should be done before we have a clear sense of our political and policy framework. Until we know which are the questions we want to have answered, I don’t think we should be necessarily right at the moment pouring money into recruiting people. What are they going to be doing, and to what end and on whose behalf?
Q183 Lord Mackenzie of Framwellgate: Good morning, Dr Cornish. Cyber-security is obviously, I think we agree, a growing global concern. How should the European Union cooperate with other countries and other actors such as the United States and NATO on this very important issue? Dr Paul Cornish: I think, as I said, there’s a lot to be done. The first thing to say is, just as I cannot conceive of the European Union not being interested and active in cyberspace and cyber-security, neither can I conceive of a European Union not co-operating and collaborating with its Member State governments and, indeed, with other institutions. A couple of years ago, I did a report for the European Parliament in which I examined the level of collaboration among a set of organisations—European Union, NATO, OECD, UN and so on—and the broad conclusion was that there was then, two years ago, next to no collaboration, partly because they had no common understanding of what they were talking about. There was no common lexicon. There was no common doctrine. There was nothing common really. There were lots of good well-intentioned people in good organisations trying to do their best, but there was no coming together. And as you said, the one thing we do know about cyber is that it’s a global problem, so the chances that any one institution can solve that problem within its own remit seems to me to be slim.
91 Dr Paul Cornish, Chatham House
So all those things need to be addressed: common doctrine, common lexicon. How we measure harm is another huge area of interest. What matters to us? Does the same thing matter to others? So I can’t conceive of the EU not co-operating, and I think it’s clear that there’s an awful lot that should be done: best practice, common language and all those sorts of things. I think also what the EU needs to do is to be clear, in its own mind, what it is and what it’s trying to do in cyberspace, because not all of these organisations need to do absolutely everything, and if they try to do absolutely everything then it seems to me that the chances of failure are even higher. As far as the US and the European Union are concerned, I know there is a working group on cyber-security, which I think is now running. I think it’s to report in a year or later this year, so I imagine, knowing some of the people in the administration who are working on cyber, that that will be very high level and a very serious effort. The EU and NATO though is the big problem. At present, my sense is that it’s unlikely in the very near future we’ll have a very good collaborative effort between those two organisations.
Q184 Lord Mackenzie of Framwellgate: Do you think a massive cyber attack amounts to an act of war? That’s the issue, isn’t it really? Dr Paul Cornish: Again, this is yet another debate. What we have at the moment is, very crudely, NATO with its Emerging Security Challenges department looking at such things as the possibility of cyber-warfare or war, an act of war, and how NATO would react to it: whether it would invoke Article 5, and all those sorts of things. That’s clearly a NATO concern, but what NATO doesn’t look at is cyber-crime, or it doesn’t look at organised crime discretely, as a discrete problem, which the European Union clearly does, but both organisations are clearly looking at cyber-security. There are huge overlaps, but there is also, I think, a history. “Bad blood” would probably be too strong a term, but they have not collaborated all that well or all that effectively, over the last several decades.
Q185 Lord Mackenzie of Framwellgate: Do you think they should? Dr Paul Cornish: I think they should, but my view in all these things really is that it has to happen from the bottom up, through a process of problem-solving, learning by doing, and all these. I think, on the basis of having looked at the way the ESDP and the CSDP have developed over the last couple of decades, I’m suspicious of the top-down institutional approach to the problem. I think it has to be allowed to come from the bottom, and there’s plenty of that sort of evidence happening in the mainstream security field at the moment.
Q186 The Chairman: Yes, I think we have come across that in this Committee, both in the context of dealing with civil emergencies where the co-operation between NATO and the EU seemed to us, to put it politely, to be sub-optimal, and also on the issue of cyber attacks. Of course, now we are looking at cyber in a rather wider framework. But as you know very well, the problem about co-operation between the EU and NATO is not the lack of need for it or the lack of awareness by the key people in the EU and NATO of the need for it, but the problem over Cyprus, Turkey and all that, which was addressed by the NATO summit in November, on which a remit has been given to Baroness Ashton and the Secretary General of NATO to see whether they can work their way around this problem, at any rate in the short term, subject to rather major political shifts that would be necessary to solve the problem. I think what you say is very interesting. I am quite sure that we will
92 Dr Paul Cornish, Chatham House want to take that on board and yet again say that this is really not a good situation to be in, where these two organisations are working in an overlapping way. Could I just go on on this same subject about the global aspects? In our report on cyber attacks, we spoke rather tentatively about the desirability of the EU and its leading Member States, particularly Britain and France, talking to the United States, China, Russia and others about an international framework, guidelines or something. We didn’t go very clearly into how this should be constructed, whether it should be a legally binding framework or just at first a set of informal rules. I wonder if you could comment on whether you think this direction is one in which the EU should be looking to get itself involved. Dr Paul Cornish: Thank you. I think I would say it certainly must. It seems to me that, if we can have a strong development, let’s say, of national effort across the European Union, across NATO member countries and so on, then that’s to the good. And if we then have organisations such as the EU and NATO making their own contribution on top of the national efforts, then that’s all to the good. But if you take my argument, which is to begin from the bottom and create the culture, and then put yourself in the position of asking the questions that you need to ask, and then funding the organisations that you know are needed, et cetera, there does come a point at which you must ask what is going on at the international level. And at the international level, if we think in the UK, there is a lack of understanding and cyber consciousness, as I call it, then I think that problem is multiplied a thousand times when you get to the international level. As you said, Lord Hannay, the level of agreement internationally on what is needed and so on is thin, at the very best. Perhaps I’m taking an extremely cautious approach to this, and I acknowledge that, but my view is that the best way to proceed would be to draw upon the best practice of those countries and organisations that have improved and strengthened their positions on cyber-security, use that in an informal exchange of best practice and information-sharing—so at the international level begin to create a climate of cyber-security far more advanced than it is at present—then begin with informal or non-treaty arrangements, until the point at which we are quite sure and confident that we know what we’re doing. Then we can regulate this ungoverned space more effectively, because it seems to me, I guess, that were we to agree a treaty that had no real means or capacity to apply itself effectively, then that would be the worst of all possible solutions. So I’m for cautiously pushing the barrier outwards and upwards, I think.
Q187 The Chairman: I do not know if you are familiar with the pamphlet that Professor Nye from Harvard wrote about this, but that, I think, was rather his conclusion too. He also did suggest that this issue of cyber is in the same situation now that the issue of nuclear was in the 1950s, and that we needed to keep the international dimension in mind, because we went on for far too long in the nuclear field without realising the need for international co- operation to limit proliferation and limit the risks. I found the Nye pamphlet quite helpful. Dr Paul Cornish: I think it is extremely helpful, and I think I’ve quoted that very comment somewhere. I think it’s a useful comparison. I’m sure in the late 1940s, early 1950s, there were people saying about the nuclear problem something along the same lines that I’ve just said about cyber-security: it’s too big, it’s too problematic, don’t do anything. Although that’s not strictly what I’m saying; I’m averse to the big solution. I think there’s an important difference, which is that, in a sense, the problem of cyber-security is a problem of what we’ve called in one of our reports “the global technological commons”. It is and must be and must remain in some respects a loosely regulated, or an un-owned space. That’s, by
93 Dr Paul Cornish, Chatham House definition, what cyberspace is, so clearly we’re going to have to have a fairly nuanced approach to this problem. Some of the most interesting work I’ve read on this is trying to apply the argument of the UN Convention on the Law of the Sea. Here’s another global commons that is, nevertheless, still regulated sufficiently well. It is still understood what can and can’t be done on the high seas, so I think it’s probably along those sorts of lines that we need to be progressing.
Q188 The Chairman: Thank you. Could we just switch now to the last question on cyber? The British Government has recently announced that it is committing £650 million of funding to the UK National Cyber-security Programme over the next four years. At the same time, in the explanatory memorandum they gave us on the EU document that we’re looking at, the action programme, they were opposed to any budget increases at the EU level to tackle the same problem. Is that consistent? Dr Paul Cornish: I would say it is internally, domestically consistent with the Coalition, or the larger part of the Coalition Government’s approach to the European Union institutions. Nothing I have said so far would put me in a position to argue against any Member State of the European Union funding cyber-security; of course, they need to. It’s vital that that should be done to establish a proper functioning national capability, but I’ve read the Home Office’s memorandum to your Committee, Lord Hannay, and that memorandum is steeped with, I think, a consistent political position, which is that the current Government is unwilling, as it were, to fling money at an institution-building approach to the problem of cyber-security within the European Union. As they would say, there is no money anyway; we are certainly not going to be flinging it around. I do think there’s a more constructive approach to it behind all of this. I think the £650 million that’s been allocated to cyber-security in the UK is a vast amount of money, but is nothing like enough. I think the Government’s approach is, in a way, to fund or to vastly increase, actually, what was offered in 2009, which was hundreds of thousands, so this is a very considerable increase over that. But I think the Government’s approach is to take a proof of concept approach and to say, “Okay, we’re going to give you a certain amount of money. Show us how best to spend it, and what can be achieved as a result of that spending”. Then, in time, and I think it’s expected, there will be another considerable increase in funding for UK cyber-security, so I think something along the same lines as informing the Government’s thinking about the European Union’s approach. I think there is a certain suspicion that the European Union’s approach, as I think I was saying earlier, to a new problem is to put up a building and employ a few hundred people, and that will solve the problem. I think the Government’s approach is to say, “Well, we’re not even sure that we know what the problem is, so let’s not put up any buildings for the time being”. Perhaps that puts it too crudely, but I think it’s something along those lines.
Q189 Baroness Eccles of Moulton: Dr Cornish, you have spoken quite a lot about cyberspace and its relationships with the international scene. If we could perhaps now move slightly nearer the ground and slightly more governed space, and if you could give us your views on serious crime and law enforcement, the relationship between the EU and the US, and also maybe even broader: other substantially influential states such as Russia, China, India et cetera. It’s a very broad question. Dr Paul Cornish: If I were to say that cyber-security is an international problem, then it’s an international problem about which we know too little, but I think organised crime more broadly is an international problem about which we know quite a lot. I think we know 94 Dr Paul Cornish, Chatham House enough to be much clearer and much more convinced that international co-operation is utterly indispensible. My understanding is that there is a good deal of that co-operation going on within the European Union of course, and between the EU and the US. How could there not be? I think I’d also make, I suppose, another general point, which is that when the European Union describes and discusses international security, and within the ISS and indeed the Commission’s five steps, there’s a very clear sense that international security is seen as a set of problems that are, to a considerable extent—not exclusively—generated from outside the European Union. So my point would be, I think, in simple terms, if you are interested in EU internal security, you cannot possibly be inward-looking. There must be co-operation and there’s lots of it going on, and that’s all welcome. But then there are countries that are known or thought either to be involved in, or at the very least to condone, data theft and international property theft, in some cases even for reasons of national security, one reads. For those countries, it seems to me the first problem is not simply to collaborate or co-operate with them, because they are part of the problem. The first step with those countries is to try to convince them and persuade them to deal with serious organised crime as a problem that it is right and proper for them to regulate. They’re a source of organised crime and, therefore, what we want them to do is to work on it and stamp it out, rather than necessarily to collaborate with them. I think it would all be a little bit disingenuous if we pretended that all was well and we are simply trying to capture organised criminals, when actually the source of a lot of the organised crime could be those very countries themselves.
Q190 Baroness Eccles of Moulton: Would we be in a position to offer them any help in improving their detection and law enforcement methods, or would that be seen as interference? Dr Paul Cornish: I think it would have to be, obviously, by invitation only, but it would depend, I think, on the maturity and the responsibility of the government and the organisation in question, because there would have to be assurances. If, let’s say, the UK Serious Organised Crime Agency was invited to another country to help with training or forensics or whatever, there would have to be a very clear understanding that it isn’t going to be used back against the UK Serious Organised Crime Agency, because obviously if you know how to defend, then you also know even better how to attack.
Baroness Eccles of Moulton: Yes, I see what you mean, yes.
Q191 The Chairman: Would you be able to give a few examples of the sorts of countries or organisations you see as being in this category: where you have to be rather clear about their intentions before you get very far with them? Dr Paul Cornish: I think the two countries that leap to the top of the list at present would be Russia and China.
The Chairman: And Ukraine? Dr Paul Cornish: I’m forming my impression, really, just from open source media reporting and so on, and I don’t see Ukraine figuring that often, so I’m ignorant on Ukraine, I’m afraid.
95 Dr Paul Cornish, Chatham House
Q192 Lord Judd: If one is looking at this issue of international co-operation with specific countries, one of the things that fascinates me about security and, indeed, crime is that we have very significant populations within the European Union from very turbulent parts of the world. One thinks of Pakistan. One thinks of the Middle East and Turkey. What I am always interested in is that at one level you can be thinking about fairly advanced forms of co- operation with countries with whom you know you are on board and you are all working on the same thing broadly. You couldn’t be co-operating with each other if you’re not, but sometimes it’s necessarily important to get into relationships with countries that are the source of the trouble. That is the really complex challenging issue, it seems to me. We know how turbulent these areas are. I wonder if you’ve got anything to say about that. Dr Paul Cornish: I agree entirely. The only thing that comes to mind would be to suggest that there should also be an effort, or perhaps more of an effort, to deal with—let’s call them—the diaspora communities from those troubled conflict-prone areas and perhaps to deal more effectively with those communities, let’s say in the UK, where organised crime and other security problems are concerned. I think I’m going to go out on a limb here, because I think one has to accept that while there are cultural differences that must be acknowledged quite properly, I think in the end most people around most of the world understand what crime is. So I think there is a common language that we can use and perhaps need to use more fully.
Q193 The Chairman: Does Turkey have a role to play as a bridge? Dr Paul Cornish: I think Turkey has always had a role to play as a bridge. The problem with Turkey is that nobody has yet really wanted to cross that bridge. It sits there potent and latent, but in my view an unfortunate failure, I suppose, in a way, to use an opportunity that we could all exploit.
Q194 Lord Dear: Without wanting to start putting words into your mouth, perhaps what we are really talking about is trust. At the one level, I can think of countries that I would not wish to exchange high-grade intelligence with—and that’s where the bedrock of this co-operation lies—for fear that it would compromise operations here, compromise people, compromise agents and whatever else; and the other that marches really side by side with that is a confidence here that the other country has a broadly compatible judicial system and approach to judicial problems and human rights. So what happens then if you do seek extradition either way? I think the whole thing is tangled up, and without wanting myself or you to identify countries, we can both, I’m sure, think of countries where we would not want to be very close, but we would be working constantly to trying to have a rapprochement over years. It will take years in some cases. Sorry, I have gone on and given you a view. I see you nodding. You probably do agree with that. Dr Paul Cornish: Thank you, Lord Dear, for that view with which I concur entirely. No, absolutely, and it must of course be possible to improve relations with a person, organisation or country for whom you have very little or no trust. It can still be possible through discussion and engagement to allow these little seed -corns of trust and engagement to grow. As you said, I’d agree entirely. This is something that takes years of diplomatic effort and, again, I’d say it’s probably not the sort of thing you can expect to be produced out of an institution or an organisation, no matter how well-meaning and well-funded.
Q195 Lord Hodgson of Astley Abbotts: We had an inquiry a couple of years ago into money laundering, which had clearly become a serious problem. The Financial Action Task Force was established, which created a system for performance assessment: if a country had 96 Dr Paul Cornish, Chatham House ticks in all the boxes, it went into the premiership and all countries were graded according to their performance. Is there any read-across into this area whereby one could have a FATF equivalent for cyber-security, or is it fanciful? Dr Paul Cornish: I think this is a really good idea, actually. When we began our work on cyber-security in the UK a couple of years ago, one of the suggestions we made was that there could be some kind of a British Kitemark approach—that actually companies and organisations within the UK or within the critical national infrastructure or whatever would educate themselves and organise themselves such that they would actually receive the stamp of approval. I don’t really see why that sort of approach—perhaps not something as explicit and formal as that—couldn’t apply at the highest possible levels. It seems to me, let’s say, when we’re talking about organised crime and cyber-security, and in organisations such as the European Union, it could be possible or should be possible for the EU to produce in time, once it’s considered the problem and knows what it’s doing about it, a list of principles or standards or whatever. I am just thinking it did something similar with arms transfers many years ago and there is a code of conduct, which informs if not regulates EU practice, but it is also understood as a benchmark for relations with others, so I think it is all possible.
Q196 Lord Judd: In this whole area, do you think the international organisations like the UN and NATO have a significant potential for co-operation with the EU? Dr Paul Cornish: Yes, I think there is a very significant potential, but as always the question is: will we realise that potential in the near term? The European Union is a recognised regional organisation under Chapter VIII of the Charter, so there is a good relationship. As I understand it, there’s a very great deal of work going on between the UN and the EU all the time on various aspects of security, very broadly defined: health security, development, climate change. All these sorts of things are all happening, so there is a great deal of cooperation, which is welcome. I think relations with and interaction with NATO have been difficult and will continue to be difficult, not least because at the heart of the EU-NATO problem, if you like, or the problem of that relationship—and as Lord Hannay said, it is expressed in the problem of certain members—is the inability to trust and to exchange intelligence information. If you can’t exchange intelligence information when you’re talking about possible major Article 5 type assaults on NATO, then it’s pretty unlikely you’re going to be doing the same when we’re talking about commercial theft, data theft, intellectual property theft and so on, or crimes of that sort, crimes that are considered to be lower level. I just don’t see that we’re yet at the stage that these two organisations are going to talk to each other sufficiently well. As I said, the ESCD within NATO, the Emerging Security Challenges Division, doesn’t look at organised crime as a problem. The EU does. Both look at cyber-security, and they both have a centre of sorts for looking at aspects of cyber-security. One is in Tallinn and one is in Crete. It would make eminent sense, because they are both funded obviously by the same bunch of people, for these organisations to get together, but you have to somehow get over that hurdle of trust and the reluctance to exchange intelligence.
Q197 Lord Judd: You concentrated on NATO, but what about the UN? Dr Paul Cornish: As I say, as far as I know, the relationship with the UN is—
Lord Judd: If I could just say, I asked that because there is an interesting debate developing, it seems to me, between how far in these kinds of matters the UN should build up its own expertise and operational contention, or how far it should concentrate on policy co- 97 Dr Paul Cornish, Chatham House ordination and subcontract work of this kind to others who already have a level of sophisticated co-operation in place. I just wondered whether you feel there is some strength in that.
If I could just make the point, without making the question too long, that I was very struck by hearing a former Secretary General saying once and reflecting when he was dealing with intelligence matters, that one of the things that was very difficult for him was that he had no independent proper source of intelligence. He had to rely on Member States. Dr Paul Cornish: This is a real “view of the world” question, but I think the UN’s problem, in a way, is that the nation state is going to remain what it has for several hundred years. There are some who argue that actually we are now at the point of the nation state going back to something like a late nineteenth-century version of the nation state; all these experiments with multi-lateralism and so on haven’t failed, but they haven’t produced what was needed, in other words, via the UN, and what we need is more multi-bilateralism or mini-lateralism, as some would call it. There is that intellectual argument. I think the UN’s problem is partly one of credibility and partly an operational problem. If, as I said, it is difficult to imagine the EU and NATO in current circumstances agreeing in the very short term to exchange intelligence over crimes and cyber-security and, indeed, terrorism and so on, then I think it’s almost unthinkable that the United Nations could expect to receive that intelligence from its member governments. If we were then to contemplate the United Nations setting up its own global intelligence organisation, yes, it’s an interesting thought. I can’t imagine the idea lasting very long though.
Q198 The Chairman: I think that idea has always been discounted by all concerned, including the United Nations. I think the question is a bit more: first of all, whether the United Nations has a normative role, which it seems to me that it does have and sometimes performs effectively; or whether it has an operational role, which clearly it does in areas like peace-keeping, but in many other areas and the ones we’re talking about now, are probably ones where it doesn’t have a very major capacity to take an operational role. Does that make sense? Dr Paul Cornish: Yes, I think I’d agree with that. I’d certainly agree the UN has a normative role and I think, if it hadn’t been invented, we’d be having the argument about inventing it. My preference would be, in the areas we’re discussing, to take a coordination approach and, indeed, to subcontract to organisations that are either already engaged in these security issues, or at least are trying to get into them more effectively and with, at least for the moment, better funding and so on. I think in a way that’s part of what I understand to be the essence of the relationship between the UN and its regional organisations, and it seems to me this is an area where that relationship should work effectively.
Q199 Baroness Eccles of Moulton: Dr Cornish, you mentioned the importance of trust in the passing of highly confidential security intelligence between different organisations. Do you think the experience of Wikileaks has had any impression on people’s trust in the security of other people’s information transfers? Dr Paul Cornish: I think Wikileaks has had an enormous effect, and I think we’ve yet to see just how deep and lasting that effect is. I form that view out of discussions with diplomats in 98 Dr Paul Cornish, Chatham House the UK and elsewhere and with those who are working in the security and intelligence agencies, as we call them now, who in some regards are in a sort of state of shock, really, that this has happened. I’m just surmising, but I would sense there is going to be a shift in diplomatic practice, in the level and the quality of information that is exchanged by electronic means and all of these sorts of things. I think it’s going to have a huge impression, yes, but it is too early to say exactly what. Baroness Eccles of Moulton: It would obviously go well beyond diplomatic exchanges. Dr Paul Cornish: Yes, I think so.
Q200 Lord Dear: Dr Cornish, if I can turn your attention to the role of the military. The internal security strategy of the EU is silent on the role of the military in a number of issues, particularly counter-terrorism and disaster response, which to me with my background seems rather strange. I wondered if you thought that was logical, or is there an explanation? Dr Paul Cornish: I don’t think it is logical, but I think there is an explanation. The reason I think it is not logical is because it makes patently clear to me that in certain circumstances there is and must be a role for military specialists in either counter-terrorism or operations. For example, countering an improvised explosive device: it’s either police or very often it’s military bomb disposal experts who deal with these things. That’s a small but not by any means trivial example. In disaster relief, it’s often the case that military bodies are called upon because they are deployable and they have control systems and all those sorts of things that we know about. I think there is a very clear case for using the military in these ways. In the UK, we have the military aid system to the civil authority, power, community and so on, and I imagine that across the European Union there are similar versions of that. The explanation as to why it doesn’t happen or why it’s omitted is down to neurosis. I think there is a neurosis within the European Union about military matters, and I think that does come from watching the very painfully slow development of the European security and defence policy, and now the CSDP over 20-odd years. It’s happened so, so slowly. I think on the other side, there’s a neurosis within governments and indeed within NATO when the European Union is perceived to be trying to extend the European project into the intergovernmental sphere. The notion that the civil power, or the EU as a civil power, should have even a very basic military competence—which is something I’ve argued for—has not been accepted by the most significant EU military powers because, I think, national security is seen as the last redoubt of the sovereign government against the pernicious wave of ‘Brusselsisation’, or whatever word would be used.
Q201 Lord Dear: I can understand that it’s pretty unchallengeable with flooding or whatever else that the army come in if you need them with their equipment. It’s more in the question of counter-terrorism that I have the quandary. I wondered if you would agree with me that the science might lie in the fact that many of the European countries have a paramilitary police organisation to sit between the military and the civil police— gendarmerie, Gendarmerie Mobile, Carabinieri, Guardia Civil and so on—who in a sense can pick up all of that work and yet not embarrass the government by calling in, as it were, the real military. Would that be the reason, do you think? Dr Paul Cornish: No, I think there’s a lot in that, Lord Dear, actually. It is something that has been looked at time and time again in the UK, but we’ve always—
Q202 Lord Dear: “Should we have a third force?” is an argument that is frequently raised here and, I think quite rightly, was knocked on the head. But other countries have got that 99 Dr Paul Cornish, Chatham House organisation, often highly efficient for what they do, largely because they have experienced a total breakdown at some stage in their history in law and order. The military have gone in and then the military retreat. They leave something of their own kind behind, and that’s the reason. Dr Paul Cornish: Yes, I can see that would give more flexibility, if you like, but I think whatever solution you take, whether you take the UK solution, which is to have civil and military, or let’s say a French solution, which would have a third force in the middle, it is essential that civil control is maintained throughout. If it is the gendarmerie, the army or whoever else, it must be very clear. Again, it’s a cultural problem. From the outset, it has to be clear, to any extent that the military is involved in these domestic and criminal problems, that they are subordinate to the civil power. I think that’s really where some of the neurosis comes from. I’m using the word “neurosis” and it sounds as if I’m knocking the whole effort, but I think there’s clearly a very serious point in here.
Lord Dear: “Caution” would be the word you’re looking for. Dr Paul Cornish: Exactly.
Q203 The Chairman: I was at a briefing at the end of last week by the Chairman of the EU Military Committee, a Swedish marine general, who said they were beginning to give some thought between himself and Baroness Ashton as to whether the military capacity for disaster response should be looked at on an EU level. I think he was talking more about response to an event like Haiti, an earthquake or a tsunami where it’s more obvious than an internal disaster response in Europe, though there could be a disaster that exceeded national capacity to deal with it. I think that is an area that is not covered in this communication, but I judge from what you said that it could be worth looking at. Dr Paul Cornish: I certainly think so, Lord Hannay. At the moment, I would hope for the point, at which the European Union has the maturity and the self-confidence to say to itself, “This is a problem that we cannot deal with without calling in military help”, but this is not going to be an intergovernmental challenge to the Commission or any of that nonsense. This is simply an arrangement that must be made to deal with this immediate problem. I think that ought to be the target, really, as simple as that.
The Chairman: Because of course the response time of the military is often shorter than anyone else and that’s when the greatest losses in disasters occur—the very few hours after they happen. Dr Paul Cornish: Yes, I agree.
Q204 Lord Avebury: Can I ask you what role, if any, you think the European Union should have in dealing with the ideological foundations of terrorism? Is this a matter that concerns the European Union, or should they leave it to Member States? Dr Paul Cornish: I’m sorry for the unsatisfactory answer, but I think, “Yes, to all of the above”. I think counter-radicalisation work is best carried out by Member States, but there is an aspect of the problem of counter-radicalisation, not least because we are talking about the movement of people, that can only be carried out by inter-state organisations such as the European Union. So I would see, again, a mature and intelligent exchange of duties, really, between state or government and EU.
100 Dr Paul Cornish, Chatham House
Q205 Lord Avebury: If we’re confronting an ideology that is universal and global, then have individual states got the capacity to think about the origins in a coherent way? Do you ever hear, for example, about the ideologies of Qutb or Maududi, which are the mainstream of much international terrorism? Should we not acknowledge that international terrorism has these common ideological foundations, and should we not understand them better if we’re going to counter them, whether it’s at European or state level? Dr Paul Cornish: I agree entirely. It seems to me that that’s precisely where there ought to be functional co-operation among the governments of the European Union: pooling their efforts to achieve a common aim, which is either to understand what the problem is and where it’s coming from, or indeed perhaps through development aid or economic assistance of some sort, to try to address the problem at source. But I would say that in counter- radicalisation, in the ideological bases of terrorism, the source is not always and not necessarily overseas. I think what we have learned in the UK since 2005 is this expression “the homegrown radical”. It is conceivable that there could be people radicalised at home within the European Union who then move to these problem areas to take on further training and so on, so we do have an internal and external problem, I think, as far as radicalisation is concerned. That’s why I think you need both state level effort and EU level effort to address it from both ends.
Q206 The Chairman: Presumably, given the fact that, let us say, the French have very considerable radicalisation problems of their own, as we do and as Germany does—and there are other European countries, Sweden, and so on—there is something to be said for exchanges of experience for trying to understand how other countries set about doing this in a group of countries which actually have common values and common attitudes towards individual freedom and things like that. Dr Paul Cornish: I couldn’t agree more, and I think there is the EU Radicalisation Awareness Network proposed in the Commission document, which looks good, timely and ideal as a best practice transfer scheme. My only concern, if I have one, would be that as you push the best practice/information exchange idea further up, you end up with a European Union that’s looking outward and abroad perhaps a little bit too much and not looking inwardly; in other words, losing sight of the fact that a lot of the problem, or a certain amount of the problem, of radicalisation actually can come from within the European Union initially. Some of the language in both documents almost begins to suggest that the EU sees counter-radicalisation as a defensive response to aggressive intent from outside somewhere, and I think it needs to avoid that impression. I suppose in a way I am wondering whether the EU is sensitive enough to some of the lessons that the UK has been learning over the last several years, which is that counter- radicalisation, which is seen as simply snitching on your friends and family, or gathering intelligence about your local community, is not going to do anything of any good to anybody. There has to be something more positive and inclusive and engaging about it, and so I think that needs to be kept in sight.
Q207 Lord Judd: Then doesn’t that precisely reinforce, in a sense, the question that, as I understand it, the Chair was putting? If we have the greater sensitivity and experience in this country and, by implication, you are saying therefore that others haven’t, isn’t there a need for quite a lot of co-operation to get other people on board as to why we have developed and how we’ve developed this sensitivity? You referred earlier to the work that had been done in the European Union, for example, on the guidelines on arms trade developing some
101 Dr Paul Cornish, Chatham House sort of thinking about the way in which members of the European Union should be concocting— Dr Paul Cornish: I think I agree. All I am trying to suggest is that I would regret it, I think, if it was seen that the European Union’s approach to counter-radicalisation were to see its role as being outward-facing and dealing with problems abroad. It’s a presentational point really, that there needs to be a more explicit understanding that this is a joint effort and that counter-radicalisation has to happen within the European Union, within the Member States, within the cities of the European Union, and that is best dealt with by those governments, perhaps drawing on some of the lessons that UK and France and Spain have learnt over the last several years. I hope I am making my point. It is really presentation more than anything else.
Q208 The Chairman: Yes, it’s an illustration also, is it not, of the fact that where Britain has quite a deep experience like this, there is sometimes a reluctance to share that with other people when, in fact, you could argue that our own security requires us to share that with other people because we may have interesting things to tell them as well as interesting things to learn from them? You have cases like the recent Swedish terrorist attack, which showed that I imagine they will be probing into where the radicalisation occurred and what its nature was. Over time, more and more of these international linkages will occur. Is that not the case? Dr Paul Cornish: I agree entirely. There must be a lot of self-interest at work in this. Mutual self-help seems to me a good way of going about things.
The Chairman: Thank you very much, Dr Cornish, for sparing us your time. It’s been very helpful to us to have your views on these issues. As I say, if you have anything additional you want to let us have, that would be very kind. You offered us some written material, which I’m sure the Committee would be very happy to have. Thank you very warmly for your help.
102 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office
Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Written evidence, Home Office (ISS 10)
1. Introduction
This memorandum presents the Government’s view of both the European Council’s Internal Security Strategy (ISS)8 and the European Commission’s Communication on Internal Security (hereafter referred to as “the Communication”). Responsibility in England and Wales for the majority of the policies from within these documents falls to the Home Secretary, but certain elements also fall to the Secretary of State for Justice and the Attorney General. The Minister for Security in the Home Office has responsibility in England and Wales for cross- cutting resilience policy and in this role is supported by the Cabinet Office. The Scottish Cabinet Secretary for Justice has responsibility in Scotland and the Minister for the Department of Justice has responsibility in Northern Ireland for devolved JHA matters. Civil protection is a devolved matter under the UK's devolution settlements.
This memorandum seeks to respond to the areas for which the Committee has requested evidence. These responses are presented under the thematic priorities identified in the Commission’s Communication, as well as under the specific headings listed in the Committee’s Call for Evidence.
2. Background
The Stockholm Programme9, the current five year work programme for Justice and Home Affairs (JHA) agreed by Heads of Government at the European Council in December 2009, called on the Commission to “define a comprehensive EU internal security strategy”. Taking this work forward, the European Council adopted the ISS in March 2010. This document presented an overview of the general threats and challenges to internal security in the EU and the principles for how to tackle these issues. It did not recommend specific initiatives, instead calling on the Commission to propose actions for implementing the strategy. Similarly, the European Commission’s Stockholm Programme Action Plan10 also tasked itself to present a Communication on internal security to be adopted in 2010. The Communication “The EU Internal Security Strategy in Action: Five steps towards a more secure Europe”11, is the Commission’s response to these requests.
3. Summary
• The Government broadly supports the Internal Security Strategy (ISS) as a guideline for future action on EU internal security. We support the focus of the ISS on: greater practical action and practical cooperation between Member States and EU agencies; protection of civil liberties; improving existing EU structures rather than creating new bodies or competencies; and keeping EU action on internal security within the boundary of the Stockholm Programme. The Government largely agrees with the five priority threats outlined in the Commission’s Communication.
8 http://register.consilium.europa.eu/pdf/en/10/st05/st05842-re02.en10.pdf 9 http://www.se2009.eu/polopoly_fs/1.26419!menu/standard/file/Klar_Stockholmsprogram.pdf 10 http://ec.europa.eu/commission_2010-2014/malmstrom/archive/COM%202010%20171%20EN.pdf 11 http://ec.europa.eu/commission_2010-2014/malmstrom/archive/internal_security_strategy_in_action_en.pdf 103 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office
• The Government welcomes proposals in the ISS and Communication for more practical action and cooperation on organised crime, but we do not endorse legislative proposals that go beyond the Stockholm Programme.
• The Government welcomes a focus on the external dimension in order to effectively tackle terrorism and emphasizes the importance of information exchange and bilateral co-operation. However, the Commission must ensure that its proposals on counter- terrorism do not duplicate existing work at a bilateral level without adding value.
• The Government supports some of the practical measures outlined by the Commission for tackling cybercrime and would encourage the EU to help develop a cross-EU programme of public awareness. However, any action to tackle cybercrime arising from the Communication should be undertaken within existing structures and budgets.
• The Government agrees that the EU can add some value to the efforts of individual Member States in the development of an integrated border management strategy to manage irregular migration more effectively and combat criminality at the external borders.
• We support proposals in the Communication for the remit of Frontex to be expanded to allow the Agency to handle certain categories of personal data with stringent data protection safeguards. We also welcome an early proposal in January or February 2011 for EU legislation on the collection of Passenger Name Records (PNR).
• The Government welcomes appropriate moves to streamline the array of existing rapid alert and notification processes for crisis management.
• On proposals to establish a pool of voluntarily pre-committed civil protection assets, we would support a genuinely voluntary arrangement but would resist moves to prioritise EU operations over national operations, or to introduce a legal presumption that Member States will pre-commit disaster response assets for EU deployment, or any move to limit the right of Member States to decide deployment of assets.
• Appropriate use of data is vital (between law enforcement bodies and, in some circumstances, between Member States) in keeping the public safe. The Government is intent on defending security and civil liberties so that we infringe people’s freedoms less whilst still providing the public with effective protection from terrorism and crime.
• The focus of the EU Committee on internal security (COSI) on facilitating practical cooperation means it is well-positioned to take responsibility for monitoring implementation of the ISS and measures in the Communication.
4. Priorities and scope
The Council’s Internal Security Strategy (ISS) The Coalition Government welcomes the ongoing focus of both the Council and the Commission on the important issue of internal security. Although the ISS was agreed under the previous UK Administration, this Government broadly supports the strategy as a
104 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office guideline for future action on EU internal security in terms both of the priorities it identifies and the principles it sets out.
The Government largely agrees with the priority threats identified in the strategy, in particular counter terrorism, organised crime and cyber security. We also support a focus on strengthening the EU’s borders to tackle illegal immigration and other threats. In the current climate it is vital that we use our resources to target the key priorities. As set out in the ISS, the identification of these priorities is dependent on effective EU threat assessments.
However, we do not consider it pertinent for the ISS to include action on road traffic accidents, which we do not judge to be a key threat to internal security, important though it may be. This work would be better placed within expert EU transport groups. We are pleased that such proposals do not feature in the Commission’s Internal Security Communication. We note that the ISS emphasises the importance of a flexible approach to internal security, and whilst the Government agrees with the priorities outlined in the ISS, we also recognise the need to identify and tackle emerging and future threats.
This Government strongly supports four principles set out in the ISS on the scope of future proposals on EU internal security. Firstly, the strategy places emphasis on achieving a more holistic approach to internal security, with Member States, EU agencies and institutions, judicial and border management authorities and other services working more closely together to tackle threats. Sharing of best practice is also highlighted as a key approach. The Government welcomes this aim and believes that future proposals must focus on enhancing practical cooperation rather than introducing new EU legislation.
Secondly, the Government welcomes the emphasis in the ISS on effective data sharing mechanisms that respect citizens’ freedoms and requirements for the protection of personal data. This chimes with the Coalition Government’s focus on the protection of civil liberties. Thirdly, the ISS states that it is “not aimed at creating any new competences, but at integrating existing strategies and conceptual approaches”. This Government agrees that our focus must be on improving existing EU structures, not on the expensive and time- consuming process of creating new bodies and mandates.
Finally, the ISS is committed to “acknowledging the framework of the Stockholm Programme”. The Stockholm Programme was agreed under the previous Administration. The current Government therefore did not sign up to the Stockholm Programme and does not support all the proposals within that document. However, we believe that future EU JHA measures must at the very least not stray outside the boundary of this Programme, which was agreed by Heads of Government.
The ambition of the ISS is to establish what is described as a “European Security Model”. The Government believes that any such model must be built upon a more coherent and holistic approach to strengthening EU internal security through increased practical cooperation and sharing of best practice. We would not support any moves to harmonise Member State laws or practices, and will consider proposals that involve mutual recognition or enhanced EU solidarity on a case-by-case basis, placing UK interests at the heart of our decision.
The Commission’s Communication on Internal Security The UK broadly supports the five priority areas set out in the Communication, which reflect the priorities within the ISS. The Government also welcomes the link between internal and 105 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office external security and the importance of working collaboratively with third countries, an issue raised in the UK’s paper to COSI on practical methods for tackling organised crime, which can be found at Annex A. We believe, however, that the Communication suffers from the lack of a dedicated section on data sharing and data mechanisms such as Passenger Name Records and Terrorist Finance Tracking Programme (TFTP). Further views on the specific measures proposed in the Communication are outlined below under the thematic policy headings.
5. Organised Crime
The ISS identifies organised crime as a growing threat to the EU and one that occurs wherever the financial reward is greatest, regardless of borders. Whilst not proposing specific actions for tackling organised crime, the ISS proposes a number of approaches that this Government believes would be effective.
The strategy outlines the importance of effective threat anticipation in order to effectively target resources. Project Harmony, a Belgian-led initiative supported by the UK, Netherlands and Europol, has developed an intelligence-led approach12 to inform EU level political priority setting on pan-EU and regional organised crime threats. COSI will have a key role and be responsible for coordinating planning and monitoring delivery. In line with the ISS, the approach developed will use key tools such as the EU Organised Crime Threat Assessment (OCTA) and a new Executive Summary which ranks threats. Key benefits of this approach include: greater opportunity to influence the EU agenda on organised crime; the potential alignment of EU funds to support operational delivery; a focus on practical delivery and, as a result, greater commitment of Member States to work collaboratively. The recommendations of Project Harmony were adopted as Council Conclusions on 8/9 November 201013.
The ISS places emphasis on greater practical cooperation between agencies and Member States in the fight against organised crime. The Government fully supports this approach and believes that COSI should continue to facilitate such operational cooperation. Whilst new EU legislation is often slow to implement and poorly targeted, practical cooperation between law enforcement agencies offers a flexible and more prompt response to multifaceted and evolving threats.
Judicial co-operation also has an important role to play in tackling serious and organised crime, and we support the emphasis in the ISS on the effective implementation of the European Arrest Warrant (‘EAW’). In particular the Government looks forward to continuing its work with Member States and the European Commission to address the issue of proportionality and the EAW. Moreover the operation of the European Arrest Warrant, including the way in which those of its safeguards which are optional have been transposed into UK law, will be examined as part of a wider independent review of the UK’s extradition arrangements. The review will report in September 2011.
As part of a practical approach, the Government supports the greater use of peer-to-peer mechanisms for sharing best practice. For example, with EU funding, HMRC and SOCA have jointly hosted three EAW practitioners’ workshops with law enforcement, prosecution and judiciary colleagues from Ireland, France, Italy, Spain, the Netherlands and Poland. These
12 The EU Organised Crime Policy Cycle takes forward the 2005 UK Presidency’s initiative, to implement a European Criminal Intelligence Model. 13 ST15358.EN10, adopted by the JHA Council on 8/9 November. 106 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office workshops have provided an environment for peers across Europe to better understand each other, to collaborate and to share best practice. Outcomes of the workshops include: an academic study by Kings College London into the factors that contribute to individuals becoming fugitives; closer collaboration with Crimestoppers14 on projects to release details of wanted persons to the media; an increased awareness of proceeds of crime; and the production of a compendium detailing the different legislation and systems of countries around European Arrest Warrants. The final workshop will be held in London in February 2011.
We also agree with the ISS on the need to consider the external dimension when tackling organised crime. The UK is committed to working collaboratively with EU Member States and other international partners in regions along the drug trafficking routes towards the EU. This work, such as the EU Seaport Cooperation Programme in West Africa (SEACOP), builds sustainable improvements in local law enforcement and judicial capacity, and helps develop long-term regional stability.
The Commission’s Communication builds upon a number of these approaches by suggesting specific proposals, in support of the EU Organised Crime Policy Cycle. We welcome the recommendation for more joint operations where feasible, with Member States’ competent authorities working alongside EU Agencies, and also the proposal for more Joint Investigation Teams (JITs), which the UK considers a valuable tool to support cross-border investigations. The Metropolitan Police Service JIT, Operation Golf, demonstrates the tangible and successful impact of this mechanism on the ground. Working with Romanian law enforcement authorities, the JIT has disrupted the trafficking of over 1,000 vulnerable children from Romania, some of whom are trafficked to the UK for the purposes of forced criminality and benefit fraud. This investigation has delivered over 118 arrests and convictions for child trafficking, child abuse, organised benefit fraud and money laundering, with a number of senior gang figures going on trial in Romania.
We are working alongside COSI partners to build on the practical proposals in the Communication by seeking innovative methods for tackling organised crime. Examples of these alternative approaches include:
Preventing organised crime through issuing alerts to the private sector about vulnerabilities - UK law enforcement has worked closely with banks to combat the problems of investment fraud, in particular where investors are targeted and promised high returns but sold worthless shares. Alerts and advice on identifying and preventing the fraud have been issued to banks and had demonstrable success, reducing the number of victims, but also maintaining the level of capital available for investment.
Lifetime management of key suspects and convicted offenders - As at end of March 2010, SOCA had 39 Serious Crime Prevention Orders (SCPOs) in place. Examples include SCPOs that have enabled the management of a group of counterfeiters whose trade relied on access to paper, printers and ink. Such an order on one individual prohibited the subject from owning printers, scanners and any equipment that could be used for reproducing any articles. This led to his arrest for breaching the terms of his SCPO following a search of his premises. He remains on bail pending a hearing next year.
14 Crimestoppers is an independent charity that works with the police, media, Government and others to tackle crime. For further information please go to www.crimestoppers-uk.org 107 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Focus on facilitators, individuals, manufacturers - Activity by SOCA and its partners against the cutting agent market and the usage of cutting agents in the narcotics trade, including influence activity and the targeting and removal of suspicious web sites selling benzocaine, lidocaine and phenacetin, has had a significant effect on the national cutting agent market. Prices have risen by 500% and benzocaine imports have dropped dramatically, from 34 tonnes in 2009 to 9 tonnes (as of September) in 2010.
We are pleased that the Commission is addressing the important area of corruption. Corruption poses very real risks to the internal security and prosperity of Member States, the EU and the wider world. The UK has participated in the Commission’s consultation on the future EU evaluation of anti-corruption efforts. The UK supports the Commission’s view that there must be no duplication of existing anti-corruption monitoring mechanisms and that the Commission should work closely with the Council of Europe Group of States against Corruption when considering proposals. The UK looks forward to clarification of the Commission’s proposal next year.
The Government also welcomes the Communication’s focus on confiscating criminal assets as we believe we must target the financial incentive that drives organised crime. The UK experience is that non-conviction based confiscation provides a direct route to tackling the incentive structure for acquisitive crime, with the contingent prevention and deterrent benefits that brings. So whilst we broadly welcome the consideration and debate on recognition of non-conviction based confiscation orders, we would have to carefully monitor and consider any developing legislative proposals if these were proposed.
The Government also welcomes an increased focus on seizing criminal assets; nonetheless we believe this too should be achieved through improving practical cooperation between law enforcement agencies rather than the proposal in the Communication for new EU legislation. There is no basis in the Stockholm Programme for legislation in this area; instead, we believe an increase in focus in this context should be on better use of existing powers under the existing Framework Decisions.
Furthermore, the suggested proposal within the Communication for new powers for Asset Recovery Offices also goes beyond both the Stockholm Programme and the ISS, which were committed to not creating new competencies.
The Communication also proposes legislation for tackling online sale of counterfeit goods. This recommendation is dependent on the outcome of the Commission’s report and consultation on the implementation of the Intellectual Property Rights Enforcement Directive. This proposal pre-empts the report which is not due to be completed until March 2011. This legislative proposal does not, therefore, adhere to the better regulation principles within the Stockholm Programme, which state that new legislative proposals should only be tabled after a thorough evaluation.
In conclusion, whilst the Government welcomes proposals for more practical action and cooperation, we do not endorse legislative proposals that go beyond the Stockholm Programme. Such legislative proposals are also at variance with the ISS’s focus on practical action, as well as the remit of COSI, which is focussed on implementing a non-legislative agenda for tackling organised crime.
6. Counter-terrorism
108 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office The Government supports the inclusion of tackling terrorism as a top priority in the ISS.
The ISS focuses on information exchange and co-operation as a vital mechanism for tackling crime, and this is also true with tackling terrorism. For example a key tool in generating the intelligence picture with regard to aviation security has been passenger name record data (PNR), which demonstrates that potential suspects are exploiting not only flights from third countries into the EU, but also intra-EU travel. The UK also considers communications data to be of very significant value to its intelligence and law enforcement agencies. For example, data retained under the data retention directive (DRD) is used to prevent and detect a wide variety of serious crimes, including terrorism.
The ISS also places a focus on greater practical cooperation, including sharing of best practice, and this is an approach that the UK supports with regards to tackling terrorism. However work at an EU level must complement the bi-lateral arrangements that already exist between Member States. For example, the Commission’s Communication states that it will promote the creation of an EU radicalisation awareness network, ministerial conference and a handbook of actions and experiences. We are concerned that many of these initiatives duplicate existing work at a bilateral level without adding value. This also applies to the proposals in the Commission’s Communication to protect transport. While we welcome EU efforts to improve information sharing and coordination in the area of land transport security the Commission must recognise the complex and broad nature of the sector and avoid duplication of efforts by setting up additional groups or adopting similar measures to those of aviation and maritime security. The Commission should give further thought to what practical measures can usefully be taken at an EU level.
We welcome the focus on the external dimension in terms of tackling terrorism. The Stockholm Programme and the ISS demonstrate that Europe’s response to the threat requires close and coordinated action between the internal and external dimensions of our counter-terrorism policy if we are to create an area of freedom, justice and security. The links between internal and external action need to be coordinated. As the European External Action Service (EEAS) develops its expertise in the field of counter-terrorism, it will also have a role to play. The EU can also help fund and build counter terrorism capabilities in key third countries.
The UK also supports efforts to continue to drive forward EU action and co-operation on the judicial dimension of the fight against terrorism. We must ensure that work in this area fits flexibly with countries' varied legal systems – one size will not fit all.
The Communication places specific focus on preventing radicalisation, work which the Government has been taking forward through the Prevent strategy since 2007. The Prevent strategy is currently being reviewed with a view to publishing a revised Prevent strategy in 2011. The heart of Prevent – targeted, local work to support people who are most vulnerable to radicalisation and to disrupt propagandists for terrorism – will be retained in a refreshed Prevent strategy. However, we want to more clearly separate work on preventing violent extremism from wider work to promote integration. The Government believes Prevent needs to be more focussed in specific areas and sectors where propagandists for terrorism are known to be operating. While we welcome initiatives to share experience with our EU counterparts, we believe that preventing radicalisation is only one aspect of work to tackle terrorism.
109 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office With regards to victims of terrorism, we support work to ensure that the needs of people affected by major incidents are understood and properly considered within the EU. Although victims of terrorism can never be fully compensated, we can recognise their suffering and give them some support that may help them move on.
The Communication states that it will “consider devising a framework for administrative measures under Article 75 of the Treaty on the Functioning of the European Union (TFEU) as regards freezing of assets”. The Government opposes the use of Article 75, which we would see as an unnecessary expansion of the EU’s work in this field. Instead we would encourage the Commission to consider the use of Article 74 which would maintain an obligation on Member States to cooperate.
Two other proposals in the Communication, the Passenger Name Records Directive and proposals on an EU risk management policy, will have a substantial impact on the EU’s effort to tackle terrorism. These will be considered under the Border Security and Civil Protection sections of this memorandum respectively.
7. Cyber security
The Government welcomes the inclusion in the ISS of cyber crime as a priority threat to the EU. Cyber crime is a growing threat for citizens across the EU and, as recognised in the UK’s 2010 National Security Strategy, cyber attacks pose a significant threat to economic operations and welfare, as well as to infrastructure, such as electricity grids. We would support several of the principles outlined in the ISS as useful approaches for strengthening cyber security, in particular an increased focus on practical cooperation and sharing of best practice between Member States and EU Agencies.
The Communication takes forward action on this priority by proposing a mixture of practical and legislative measures. The Communication seeks to improve the guidance provided to citizens to help them protect themselves from cyber threats. We believe that this is a positive approach, and would encourage the EU to help develop a cross-EU programme of public awareness, building on the work done to protect children online. The Communication also proposes measures to encourage the European Network and Information Security Agency (ENISA) to promote national Computer Emergency Response Teams (CERTs), and increase the cooperation between them. This is one of the better examples of ENISA in action and we see this as a continuing strength of the Agency.
However, the Communication is at variance with the ISS in suggesting the establishment of new EU structures and capacities for tackling cyber crime, including the development of an EU cyber crime centre. We believe that any action to tackle cyber crime arising out of the Commission’s Communication should be undertaken within existing structures and budgets, and should not require new EU legislation. It should also not be mandatory for Member States to report every cyber crime to any new EU cyber crime centre as this would add an unnecessary bureaucratic level without clear benefit – we think it better for the majority of crimes to be managed at the national level. However, we do support the sharing of information gathered at national level through existing structures such as Europol.
8. Border security
110 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office The ISS underlines the link between effective border management and EU internal security. The Government welcomes this focus and agrees that the EU can add value to the efforts of individual Member States in the development of an integrated border management strategy to manage irregular migration more effectively and combat criminality at the external borders.
A large part of strengthening our borders will involve the sharing of information and best practice between Member States and EU Agencies and the Government is supportive of measures to strengthen the role of Frontex in this regard. Regarding the case for a European system of border guards, the Government thinks that Frontex is making good progress in raising the professional skills of the corps of EU Border Guards through a common training curriculum, increased joint working and the sharing of technology and expertise which together will help to create such a system. The Government does not believe that this translates into proof of the need for a Schengen Border Guard Service, the case for which has yet to be made.
On the scope for greater use of technology to facilitate border crossing by citizens, the Government believes that technology will have an increasing role to play in the integrated border management of the future. However, the Government believes that the introduction of technology needs to be properly trialled and staged and will complement the pre- screening and clearance activities that help to facilitate the admission of passengers and interventions necessary to secure the UK border.
Regarding the Commission’s Communication, the Government broadly supports the proposed combination of technical innovations and enhanced cooperation to improve the management of migration and combat criminality at the external borders of the EU. However, the only true deterrent to illegal migration into the EU is an enhanced expectation of swift return to the migrant’s country of origin. The Government would therefore have welcomed the inclusion of measures to strengthen capacities in the area of voluntary and forced returns. Regarding the European Border Surveillance System (EUROSUR) the Government is keen to see that forthcoming European legislation establishes a system that fits within a coherent strategy for the sharing of information within the European maritime area. Although the Government does not expect that the UK will participate in any legislative measure to establish EUROSUR, the Government intends to monitor this work to assist future UK cooperation with this initiative.
We support proposals for the remit of Frontex to be expanded to allow the Agency to handle certain categories of personal data with stringent data protection safeguards. We believe that effective cooperation between Frontex and other European Agencies such as Europol and Eurojust – including the exchange of personal data concerning suspected criminal activity - will be vital in effectively tackling the criminal gangs working at the external EU borders, especially those which are involved in the trafficking and smuggling of human beings.
We also welcome an early proposal in January or February 2011 for EU legislation on the collection of Passenger Name Records (PNR). The UK’s collection, analysis and retention of PNR and Advanced Passenger Information (API) – also known as Travel Document Information - data are key elements of the UK’s e-Borders programme and important tools in our public security both in countering the terrorist threat and bringing criminals to justice. Whilst the Communication does not mention collecting PNR data on intra-EU flights – which is of vital importance to the Government – the Communication does not rule out an 111 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office intra-EU provision in the PNR Directive itself. If we do not collect data on routes within the EU we will be in the illogical position of making internal EU travel less safe than travel outside the Union, increasing the attractiveness of intra-EU travel to those who would seek to cause harm, potentially displacing the risk rather than removing it.
Such views are evidence based; analysis of passenger data has already shown that criminals and potential terrorists/suspects are exploiting intra-EU travel for their own end. The Government believes that it is vital that the EU secure intra-EU provision within an EU PNR Directive now to give Member States the best chance of preventing another incident such as those in London and Madrid. The Government remains strongly committed to its objectives and will continue to press for intra-EU provision to be included within the scope of the Directive before it is adopted.
Provision of passenger and crew data (API) in advance of travel enables comprehensive screening of travellers against counter terrorist, crime and immigration watch-lists identifying significant numbers of known suspects and their associates. API provision also allows UK police to identify travel patterns and map the journeys taken by suspects. The greatest benefits of e-Borders are realised when API data is processed in conjunction with PNR data. PNR data is enriched by watch-list alerts from API data by linking the identity and travel history of the individual to the risk profile match. Using these data sets in parallel enables e- Borders to identify a greater proportion of individuals that pose a risk to the UK and other nations worldwide. There is a significant danger that by having no intra-EU API collection, terrorists exploit the loophole and will choose to travel on intra-EU routes in an attempt to avoid the attention of security and law enforcement agencies.
9. Civil protection
Natural and man-made disasters feature as a priority threat in the ISS. The Commission’s ISS Communication proposes a broad approach to improving disaster management efficiency and coherence in the EU. This overlaps with the recent Communication Towards a stronger European disaster response: the role of civil protection and humanitarian assistance, which covers a wider spectrum of civil protection and humanitarian assistance issues within and outside the EU. The corresponding Explanatory Memorandum of 15 November 2010 sets out Government’s response to its proposals (reference 15614/10). The two Communications are the responsibility of different Commissioners. In this context, Government stresses the importance of effective coordination, cooperation and collaboration between the various Commission structures involved in this cross-cutting field.
Among the Communication’s proposals, the Commission suggests establishing a coherent EU risk management policy. The Government welcomes the prospect of a credible all- hazards approach to national risk assessment, including natural and man-made disasters and malicious threats. This might enable appropriate future contingency planning for disasters within the EU. The Commission also proposes to develop an integrated approach to situation awareness by strengthening links between existing early warning and crisis cooperation EU functions. In this context, we recognise the importance of effective crisis coordination arrangements; and Government recognises that high-level crisis coordination processes should reflect the Lisbon Treaty’s new arrangements and responsibilities. The Government would welcome appropriate moves to streamline the complex array of existing rapid alert and notification processes for crisis management, which include early warning systems and other arrangements for sharing information among Member States, where this would make more cost efficient use of EU disaster management resources. 112 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office
Regarding proposals to establish a pool of voluntarily pre-committed civil protection assets, the Government’s Explanatory Memorandum of 15 November 2010 sets out our response to the relevant Commission Communication which expounds these proposals in detail. In summary, Government supports the principle of a genuinely voluntary asset pool. However, we would resist moves to prioritise EU operations over national operations, or to introduce a legal presumption that Member States will pre-commit disaster response assets for EU deployment, or any move to limit the right of Member States to decide asset deployments domestically or internationally.
In consulting on the development of their proposals for a stronger European disaster response, the Commission brought together a range of civil society organisations from private and other non-governmental sectors. The Government welcomes this consultative approach to engaging with the wider constituency of strategic partners. The Government is committed to the important role of voluntary organisations in supporting statutory services and helping local communities respond to emergencies; and is similarly committed to making it easier for the voluntary sector to work with the State as a central pillar of our Big Society agenda, delivering a greater role for charities, social enterprises and cooperatives in public services.
Regarding the development of a cooperation framework for security at major and mass international events, the Government recalls that in June 2010 the JHA Council adopted Conclusions on use of the Civil Protection Mechanism in major events. These Conclusions invite Member States, where required by their own civil protection arrangements and other relevant authorities, to undertake integrated risk management planning; to promote exchange of best practice and sharing of experience; to encourage coordination; to encourage appropriate evacuation planning; and accordingly to make use of the existing possibilities offered by the Financial Instrument and Civil Protection Mechanism. They also invite the European Commission to support identification of best practices in risk management, including through lessons learning; to enable relevant analytical and planning projects; to promote exercises; to explore options for pre-positioning response assets at the host government’s request; to facilitate access to information on intervention procedures where requested; and to work with Member States on host nation support. The Conclusions apply to Member States only insofar as their civil protection systems and other relevant authorities so require; and therefore they impose no obligations on the UK beyond existing domestic requirements. Government is content that current arrangements enable a flexible and proportionate approach to European cooperation over security at major and mass international events.
10. Information exchange
The ISS proposed the development of a comprehensive model for information exchange which sought to consolidate and where necessary increase cooperation on the exchange of relevant information on criminal acts and their perpetrators between law enforcement authorities within a clear data protection framework. The strategy acknowledged that for law enforcement authorities to prevent and act early they must have timely access to as much data as possible concerning criminal acts and their perpetrators. If a higher level of security means an increase in data exchange, the strategy then stated it as essential that this be proportionate and respect data protection laws.
113 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office This Government is firmly committed to protecting the security of its citizens and to restoring and protecting civil liberties. It believes that appropriate use of data is vital (between law enforcement bodies and, in some circumstances, between Member States) to keep the public safe. The threat of terrorism is real. The security of our citizens is the first concern of any government. National security is and must remain a matter for Member States and we are absolutely clear that protecting our citizens and protecting the rule of law go hand in hand.
Information exchange is also vital in protecting the public from travelling offenders. Criminal Conviction notifications sent from one Member State to another will allow authorities to be aware of patterns of offending that take place outside the country of nationality. Providing details of previous convictions for people being prosecuted in another Member State plays a key role in ensuring that sentencing reflects recidivism across the entire EU and not just the country of nationality.
We need to remain vigilant in tackling crime as it is not just cyber criminals, paedophiles and terrorists who harness new technologies. If we are to be successful in protecting the public then we need to be equally nimble and effective in using information and technology to detect, disrupt and prosecute them. Our citizens will be safer that way. This is a challenge facing us all and one to which we must respond together. Criminals and terrorists will seek weak points across the European Union and look to exploit them. But we also fully recognise the need to provide rigorous evidence based arguments at the EU level to build a compelling case in those circumstances in which the collection and use of personal data is both necessary and proportionate.
For these reasons, as set out in section eight of this memorandum, we support the expansion of Frontex’s role to allow the handling of personal data.
In addition, there are other dossiers not mentioned in the ISS where we believe that data sharing will be essential in ensuring the security and protection of our citizens. This includes the possible revision of the Data Retention Directive (DRD). The UK’s position is that in its current form the DRD offers sufficient flexibility to meet our operational needs whilst allowing each Member State to ensure that the appropriate protections are in place. Data retained under this Directive is used to prevent and detect a wide variety of serious crimes, including terrorism. It will be important to ensure that any revision does not undermine the contribution that the DRD makes to combating serious crime in the UK and across the EU.
The Government is intent on defending security and civil liberties so that we infringe less on people’s freedoms whilst still providing the public with effective protection from terrorism and crime. We will seek to translate our domestic agenda - reversing the substantial erosion of civil liberties, consistent with protecting the public - to the EU and international level. We believe the exchange of personal data, some of it sensitive, requires stringent data protection safeguards. Going forward, we will always ensure full compliance with the principles of necessity and proportionality when collecting, retaining or sharing data, so that we always do it responsibly and securely. The European Commission’s Communication ‘a comprehensive approach on personal data protection in the EU’ provides the basis for a helpful opportunity to review data protection safeguards and see whether they can be updated or improved. We believe that any revision of the data protection rules must cater for the specific needs of law enforcement bodies because of the distinctive nature of law enforcement work.
114 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Given the number of data-related dossiers (six currently15) over the coming year in Brussels which will impact upon internal security in the EU, and as stated in section four of this memorandum, the Government believes that the Commission’s Communication should have included a dedicated section on these dossiers.
11. Roles and responsibilities
The Commission’s Communication includes a table that allocates responsibility for the proposed measures. The UK’s opt-in protocol will be triggered by any proposals presented pursuant to Title V of Part III of the Treaty on the Functioning of the EU. We will work with Member States and EU Agencies on a bilateral and multilateral basis in order to take forward non-legislative proposals.
Regarding subsidiarity, it is appropriate for the European Commission to present a Communication on Internal Security as the Council’s Stockholm Programme called on the Commission to “define a comprehensive EU internal security strategy”. The recommendations within the Communication would, in theory, necessitate a response at EU level. However, individual measures will need to be judged against this principle at the time they are proposed.
The Government notes that Article 4(2) of the Treaty on the Functioning of the European Union states that matters of national security are reserved solely to each Member State. Our view is that neither the Council’s ISS nor the Commission’s Communication strays into matters of national security; however we will continue to monitor this closely as proposals are brought forward.
The Government believes that COSI, the EU’s standing committee on operational cooperation on internal security, is the appropriate vehicle to take forward non-legislative, practical measures arising from the Commission’s Communication. As set out in Article 4 of The Treaty on the Functioning of the European Union (TFEU), COSI does not have powers to propose or draft legislation and cannot, therefore, be involved in taking forward legislative measures from the Communication. Nor would the Government wish COSI to be distracted from its existing work programme, which is focussed on facilitating cooperation through a number of targeted, practical projects. We are clear, however, that such projects are facilitated and not carried out by COSI: Article 4(1) of the TFEU is clear that conducting operations will remain the task of Member States.
12. Relationships and interdependencies between the ISS and other EU strategies and policies, including the external dimension
As detailed in section two of this memorandum, the ISS and the Commission’s Internal Security Communication seek to respond to the original request in the Stockholm Programme for an increased focus on EU internal security. Given that the ISS and Communication have arisen from the Stockholm Programme, which set the boundary for future EU JHA measures, we believe that measures arising from those two documents must not go beyond the Stockholm Programme. As is evident from the analysis of measures above, there are examples of proposals that do exceed commitments in the Stockholm
15 EU-US Data Protection Agreement; EU PNR Agreements with US, Australia and Canada; EU PNR Directive; Review of EU Data Retention Directive; Data Protection Directive; Terrorist Finance Tracking Programme. 115 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Programme; for example the proposal for legislation on seizing criminal assets. We believe that the Commission should not bring forward such measures. As stated at the June JHA Council, and as set out in section four of this memorandum, this Government does not support all elements of the Stockholm Programme, which was agreed under the previous Administration. The Coalition Government would not have signed up to the Stockholm Programme as it stands, and will consider measures that are brought forward from the Programme, including in the field of EU internal security, on a case by case basis. With regards to the Commission’s Stockholm Action Plan, the Council Conclusions adopted in June 2010 make clear that the Council will not endorse future proposals arising from the Commission’s Action Plan that go beyond the boundary of the Stockholm Programme.
With regards to existing EU strategies in the field of organised crime, two key recommendations of Project Harmony were “to align and integrate already existing EU strategies into a more coherent and effective policy cycle” and “to stop producing strategies for criminal phenomena outside the context of this policy cycle”. Project Harmony also stated that multi-annual strategic plans should be “linked to the identified priorities”. The Commission’s Communication adopts the approach of the EU Organised Crime Policy Cycle by monitoring progress on the ISS through an annual report to the European Parliament and the Council.
With regards to drugs trafficking, the EU Drugs Pact is designed to increase operational cooperation between Member States on tackling drug-trafficking, through work on the heroin route, the cocaine route, and on asset recovery. As such it fits in with the Internal Security Strategy’s suggested focus on the development of operational cooperation. In addition, actions under the Communication fit particularly well with priorities 3 and 4 of the Drugs Action Plan 2009-2012; to reduce the supply of drugs and improve international cooperation, with the emphasis on disrupting international criminal networks through complementary international action.
With regards to immigration security and Frontex, the proposed measures are coherent with the proposals within the Stockholm Programme.
In the field of counter-terrorism, it is vital that the ISS and Commission Communication support and reinforce existing strategies and work taking place at a bilateral and regional as well as at an EU level. One area where the ISS complements existing work is in the suggested recommendation for more peer-to-peer evaluation exercises. One of the priorities within the EU CT Strategy and Action Plan is to strengthen national capabilities to combat terrorism in light of recommendations resulting from a peer evaluation exercise to assess national anti-terrorism arrangements.
13. The relationship between the ISS and global security initiatives, especially those of the United States
The Government fully recognises the importance of working with partners outside the EU given the threats we face are global in nature. Notably we will continue to engage closely with the US on PNR and data protection, crucial to our ability to cooperate with the US on improving US and EU security. The ISS encourages operational cooperation between Member States, based on an intelligence-led approach. This fits well with the UK model, and the approach taken by other international partners. The UK currently cooperates on a strategic and operational basis with US and other international partner agencies. For example, in West Africa we work to 116 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office counter organised crime collaboratively through a virtual platform of Member States which involves the US Drug Enforcement Agency (DEA).
In May 2011, the US and EU will hold a Symposium on dismantling Trans-Regional Illicit Networks. This will bring together key countries and jurisdictions from Latin America, West Africa, Europe and North America to identify current and emerging threats and propose concrete, practical measures for the future. The Symposium will build on existing strategies and action plans, including the EU Drugs Strategy and Action Plan and the EU Drugs Pact. The proposed objectives of the symposium fit well with the objectives of the ISS, and build on the current strong cooperation between the US and EU in a number of regions, including Afghanistan and Pakistan, Latin America and West Africa.
14. Implementation and assessment
The Government supports the use of the ISS – the threats it identifies and the practical cooperation it recommends – as a general guide for future action on EU internal security. The focus in the ISS on greater practical action and cooperation should be reflected in future Commission strategies and work plans. Regarding specific proposals in the Commission’s Communication, where measures will enhance practical cooperation between EU Agencies these should be reflected in the operational work plans of those agencies. Measures for greater cooperation between Member States will be taken forward at a national level.
COSI’s focus on facilitating practical cooperation means it is well-positioned to take responsibility for monitoring implementation of the ISS and measures in the Communication. As part of this role, COSI will present an end of year report on the state of EU internal security. Whilst this report will play a part in evaluating progress on internal security, such work should not diminish COSI’s focus on facilitating practical action that can make a tangible difference on the ground. We note that the Commission also intend to publish a report evaluating the impact of the ISS and their Communication, which will be produced ‘using as far as possible existing reporting mechanisms’. We support effective evaluation; however it is important that this does not detract from the important practical work of Member States and EU Agencies. The Stockholm Programme will also undergo a mid-term review in 2012 that will consider progress on its recommendations, including for strengthening EU internal security.
We expect the Commission to present proposals in early 2011 for the funding of internal security in the next financial perspective, beginning in 2014. We would support the amalgamation of the ISEC (Fight against and prevention of crime) and CIPS (Prevention, preparedness and consequence management of terrorism and other security related risks) funds to create an Internal Security Fund. We feel that the size of these two funds combined would make an appropriate maximum size for any Internal Security Fund. We will submit Government views on the Commission’s proposals once they have been presented.
15. Conclusion
The Government welcomes the Commission’s ongoing focus on EU internal security. We largely agree with the priorities and practical approaches outlined in the ISS. We also support many of the proposals brought forward in the Communication; in particular those which will engender greater practical cooperation between Member States and EU Agencies.
117 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office However, as stated above, the Government does maintain a number of concerns with the Communication that we will continue to monitor as work on internal security progresses. The Communication departs from the Council’s Internal Security Strategy by proposing new EU structures, including an EU cyber crime centre, and new competence such as powers for new asset recovery offices. It also proposes legislation, such as a revised legal framework on asset recovery, which was unforeseen in the Stockholm Programme. In contrast, the ISS explicitly acknowledges working within ‘the framework of the Stockholm Programme’. Such legislative proposals also run counter to the focus of the ISS and COSI on practical measures and cooperation instead of new EU legislation. The Government also has concerns on specific counter-terrorism and civil protection proposals, as outlined above.
In general, however, we believe that together the ISS and the Communication will provide a useful platform for the Commission, Member States, EU Agencies and others to work together to enhance public security across the EU. The Government will present its views at discussions of the Communication at JHA Council and COSI.
21 December 2010
118 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office
Oral evidence, 26 January 2011, Q 209-266
Evidence session no 7 : heard in public
Members present
Avebury, L Dear, L Eccles of Moulton, B Hannay of Chiswick, L (Chairman) Judd, L Mackenzie of Framwellgate, L Mawson, L Richard, L Tope, L ______Examination of witnesses
Mr Peter Storr, C.B., International Director, Home Office; Mr Christophe Prince, JHA Counsellor, UKRep; Dr Simon Strickland, Head of the International Team, Civil Contingencies Secretariat, Cabinet Office
Q209 The Chairman: Good morning and thank you very much for coming along. I think, if you agree, when you start it would be helpful if you could just introduce yourselves briefly. Of course, we know who is before us and who you are, but it would help, I think, to focus our questions. And we’re really grateful to you, Mr Storr, for coming along; this Committee has received evidence from you before and that’s always been valuable. And Dr Strickland also, I think, gave evidence two years ago for the report that we did on civil protection, which is, of course, one of the areas covered in this morning’s session.
As you know, the session is open to the public. A webcast of the session will be accessible via the parliamentary website. A verbatim transcript will be taken of the whole of the evidence, and this will be put on the parliamentary website. In a few days after this session you will be sent a copy of the transcript to check it for accuracy and we’d be grateful if you could advise us of any corrections as quickly as possible. And if after this evidence session you wish to clarify or amplify any points made during your evidence or have any additional points to make, you’re welcome to submit supplementary evidence to us.
And now, perhaps you can introduce yourselves. I am sorry, I did not welcome Christophe Prince, who very helpfully arranged the programme of those Members of the Committee who went to Brussels before Christmas and who subsequently helped me meet a number of the European parliamentarians involved in their analysis of the Internal Security Strategy
119 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office implementation plan. So, perhaps if you could just introduce yourselves briefly and then if you wish to say anything by way of introduction please do so, but if not we’ll move on into questions, as you wish. Peter Storr: Thank you very much indeed. I’m Peter Storr, International Director at the Home Office. To my left Christophe Prince, who is the Justice and Home Affairs Counsellor at the UK’s permanent mission to the European Union in Brussels. On my right is Dr Simon Strickland, who is head of the International Team in the Cabinet Office Civil Contingencies Unit. With your permission, I think we’d prefer to go straight into questions.
Q210 The Chairman: Yes, and I should just add that we had hoped to have somebody from the Border Agency but that wasn’t possible, but there may be a couple of the questions that will come your way, which I hope you’ll be able to manage as well on that issue.
Let’s start then. I wonder whether you think that the Commission’s action plan for implementing the Internal Security Strategy provides a satisfactory explanation of what it understands internal security to be and whether it makes a good case for extending the role of European Union activity, sometimes Community activity, sometimes co-ordinated nation state activity, in this area. And I wonder if you could also say what you think the key aspects of the Internal Security Strategy are, which was approved by the Council last March, and whether there are any important omissions. Obviously, there is an interface between the primary responsibility that member states have for their own internal security. How will the Internal Security Strategy and its implementation manage that interface? Peter Storr: Thank you. I think we are broadly content with the Internal Security Strategy. We need to see it in its context. It builds on earlier strategies starting with the Tampere Programme on Justice and Home Affairs in 1999, building also on the Hague Programme of 2004. So, to that extent it doesn’t contain any great surprises and it respects the differences in terms of the responsibilities of member states for their own national security and the areas in which the Commission can genuinely add value to what Europe as a whole delivers. The five elements in the programme, which are set out in our evidence—serious and organised crime, terrorism, cyber-crime, border security and dealing with natural and manmade disasters—are all things to which the UK attaches importance and they’re broadly in line with the priorities identified in the Council’s Internal Security Strategy. There are one or two areas where we have noted omissions. We would have liked, I think, to have seen a greater concentration on the issue of information exchange. There are a large number of dossiers on data that are either before the Council at the moment or going to be coming up before the Council. I think we would have wanted to see a rather more strategic approach to that issue contained within the Commission communication, and clearly there is, as with all data issues, a balance to be struck between the security aspect and the civil liberties and privacy aspects. We felt that that perhaps should have been picked up in the Commission communication. But there is also one other omission, which we would not have pushed to put in there, which was that there was emphasis given in the Stockholm Programme to road traffic and road safety, which we’ve never considered was appropriate for Justice and Home Affairs. We thought that was an issue more appropriate to transport experts and we were glad that the Commission communication did not contain that. So, one omission that we were a little bit disappointed with and one that we were fairly pleased not to see there. Some of the important aspects that we like and we’ve been pushing for a long time are the need for good quality, objective threat assessments on crime and terrorism, an analytical 120 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office approach to those issues, better operational co-operation between law enforcement and border management authorities, and co-operation between EU agencies. All of those are in the strategy and we welcome that aspect as well.
The Chairman: Yes. Well, that’s on the whole a pretty positive reaction to it and we’ll pick up the individual points as we go through.
Q211 Lord Richard: I wonder whether I might ask you a question on the relationship between the ISS and the European Security Strategy. What is your view on how the relationship between those two ought to work or how can it be made to work more effectively than it is at present? How important is the instrument for stability in building counter terrorism capacities in third countries that receive more money? Peter Storr: If I may, I’ll ask Mr Prince to start off the answer to that. Christophe Prince: I think the relationship between the Internal Security Strategy and the External Security Strategy is an important one and, indeed, it’s recognised in the communication and in the previous Council strategy that we need to recognise that you can’t separate out the external threats and the action we may take to address them and the internal security that we’re trying to meet. The External Security Strategy, agreed in 2003 and refreshed in 2008, had counter terrorism as one of its priorities to address. Since that refresh and the original drafting, the EU’s landscape in how it will deliver its external activities has changed significantly with the introduction of the Lisbon Treaty and, most importantly, the External Action Service. So, in terms of how we should be trying to deliver those two interactions, I think the External Action Service will play a decisive role in drawing on and working with the Commission Directorates General but also, very importantly, working with the member states in trying to define our key objectives, incorporate them into the Union’s foreign policy, and also using the delegations as a mechanism for understanding what is going on on the ground. So how they should work together I would say is we need to ensure that the priorities identified in the Internal Security Strategy are reflected as appropriate in the EU’s external activity and that we use the Council structures to give EAS and the Commission the appropriate mandates to take its work forward, which is one of the reasons why we’ve been supportive of the work of the Justice and Home Affairs External Working Group, otherwise known as JAIEX, which has been looking at those issues. In terms of the instrument for stability, we think it is a very useful instrument for looking at counter terrorism measures. It’s of course not the only EU funding mechanism that can address problems related to counter terrorism. There are also the development instruments and the neighbourhood instruments, which can address rule of law, education or other related aspects that can contribute to our counter terrorism efforts in countries overseas. But it’s funded a €15 million project in Pakistan, a €15 million project in Yemen and a €5 million project in Sahel. I think these are relatively early days.
Q212 Lord Richard: What are the programmes? Christophe Prince: In Pakistan it’s looking at the rule of law, training of the judiciary. In Yemen, it includes aspects on the aviation security side and working with non-governmental organisations on co-operation. I can’t remember which one, but there were also deradicalisation elements within—
121 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Peter Storr: Pakistan. Christophe Prince: In Pakistan. So, it picks up on some of those. They’re at a relatively early stage and we would quite like to be confident that future projects are well evaluated. As to whether or not we should increase the funding, we would welcome additional spend on counter terrorism overseas but, of course, that’s got to be within the budgetary constraints that are set for the Union.
Q213 Lord Richard: I don’t know whether you think it’s fair to characterise the present situation. It’s a good, typical European—I nearly said “mess”, but complicated structure. You’ve got about three or four different structures. Somehow or other they’ve got to be co-ordinated. You can’t do it under one great umbrella because the will to create one great umbrella clearly doesn’t exist. But do you think that the way in which the co-ordination is going is successful? Christophe Prince: Aspects of it, yes. I would say that certain work that we’ve been doing on the Justice and Home Affairs external side has been working quite well. It’s really been focused initially on working out what member states are doing in countries of origin, drawing that together and then identifying what it is that we as people working in the internal security would welcome further work outside. I think it is early days for the External Action Service and they’re still appointing their senior people, but there is certainly a will to make that work, both from the member states and from the Commission. There is also a commitment and I think an improvement in conversations within Brussels between those working on, say, migration and visa liberalisation, so it’s working reasonably. Can it work better? Yes. Is there the commitment to do so? I think so, yes.
Q214 Lord Richard: So you’re reasonably satisfied with the way it’s all going? Christophe Prince: We’d like to have better co-operation than we have, but I think it’s going in the right direction.
Q215 The Chairman: When we were in Brussels before Christmas and had a session with David O’Sullivan, who is the CEO of the External Action Service, I have to say that it was very early days indeed, which is a polite way of saying that they didn’t really know what they were going to do at all. Is there any sign of that shaking down and leading to some really meaningful management decisions on how the External Action Service and the Internal Security Strategy are going to work together and, indeed, on really nitty-gritty issues like are there to be in the missions of the European Union abroad people with an expertise in this area who are able to actually operate effectively? Christophe Prince: Taking the latter point, yes, there are already conversations I know between heads of delegation in several countries who are looking to get Justice and Home Affairs experience into their delegations.
Q216 The Chairman: Would you be able to tell us the countries? Christophe Prince: One of the ones has been Pakistan, where we would certainly welcome the delegation having JHA experience. In terms of the arrangements, the managing director responsible for multilateral, who will have responsibility on the counter terrorism side, has not yet been appointed, so I think we’ll have to wait to see how they will shape up in terms of the interaction with Justice and Home Affairs DGs, sectoral DGs and member states.
122 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Q217 Lord Judd: Could I just ask one specific on this? On the code of conduct for the arms trade, is there a minimalist formal commitment or is there a real push in dynamic behind this? Christophe Prince: I’m afraid that’s not an area that I’m able to comment on, but obviously if the Committee would like further information—
Q218 Lord Judd: You don’t deal with arms trafficking at all? Christophe Prince: Not one that I follow closely myself.
Q219 Lord Avebury: You have mentioned Pakistan several times. What is the EAS doing about the attitude of the Pakistani public to the assassination of the Governor of Punjab? As you know, the murderer was garlanded; 40,000 people demonstrated on the streets in favour of letting him off for his atrocious crime. Presumably, not only the EAS would have to take note of this development in Pakistan, but from the ISS point of view we would have to consider what rub-off it has on the Pakistani populations in Europe. Christophe Prince: I can’t speak for the EAS, or specifically respond on that particular point, but I think the interaction between national politics in countries outside the Union clearly is of interest to those who are working on internal security, for example, on counter terrorism. I’m afraid I can’t give a specific answer on that. Peter Storr: What we can do is to make sure that your comments on this particular issue are brought to the attention of the External Action Service, which I’m very happy to do.
Q220 Lord Dear: Mr Prince, I may have misunderstood your answer, but to clarify the position for me, you were asked a moment ago by my colleague about arms trafficking, which can be one gun or it can be in some instances, worryingly, very large numbers. You said you didn’t have a view of that and I accept that, but are you saying nobody has a view of that or is there some organisation or person that you know of that we could talk to for information on that? Peter Storr: I think maybe I can assist. My understanding of the comment of Lord Judd was that it was about a code of conduct for the arms trade. If I’ve misunderstood that, then I apologise. As far as arms trafficking is concerned, then there is an interest insofar as it is an organised crime problem. It is not one that I have heard surfaced in Justice and Home Affairs Committee circles in the European Union. It’s one that I think as far as the EU is concerned is left largely to individual member states to take action at the country level.
Q221 Lord Dear: And yet trafficking can very often be very closely linked with the so- called or apparently legitimate arms trade, which itself then can become corrupted and be used then as a conduit to move quite large consignments. Peter Storr: Yes. I think this leads on to a point that I was going to make, which is the importance of starting off European Union activity in the organised crime area with a good threat assessment and good analysis of what constitutes the threat. And we see that being linked very clearly with all aspects of the work on organised crime. As noble Lords will recall from the previous inquiry into Europol, we have been pushing on Europol for a number of years the importance of getting a good quality threat assessment and we see that as important not only in its own right but because it links in with the work programme. Your threat assessment ought to identify your organised crime priorities. Those priorities should form the agenda that Ministers endorse, and that agenda ought to inform spending decisions 123 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office for Commission money so that the money gets spent on those things that are identified as priorities. I don’t have in front of me the latest Europol threat assessment so I’m not in a position to say whether organised arms trafficking has been identified as one of the key priorities for Europe, but we can easily make enquiries of Europol and provide further information to the Committee.
Q222 Lord Judd: Who would be responsible for looking at the interrelationship that some of us suspect is there between the arms trader clients and trafficking? Peter Storr: I think if that were an issue that was identified as a particular problem by member states, the way in which it would be done would be for a member state or member states to discuss with the Commission and maybe commission a specific piece of research work by Europol. That is how I think it would probably best be done within the European Union itself.
Q223 The Chairman: But I think it’s correct, is it not, that the European Union as a whole is supporting the work at the United Nations on an arms trade treaty, but that, of course, deals with the legitimate arms trade and that will certainly fall within the EAS’s activities, I imagine. But that doesn’t, of course, answer the question that’s being put about the read-across to arms trafficking, and it would be helpful if you could let us have anything additional you could on that. And perhaps just finally on this issue before we move on to the next question, has Baroness Ashton appointed a new head of the Situation Centre yet, and are we getting any closer to having a proper functioning risk assessment system? Christophe Prince: I don’t know if there’s been a final decision on the head of the Situation Centre, but I can give you an answer on that afterwards. When they are in place one of their clear top priorities will be to improve and to work on the production of threat assessment both for missions overseas but also for internal clients.
Q224 Lord Mackenzie of Framwellgate: Staying with international crime, the European Union already has fairly close co-operation obviously with the United States in the fight against serious crime and also in law enforcement. Do you think that similar levels of co-operation should be fostered with other major states such as Russia, China, India, and should any other regions be obviously regarded as a priority, such as the Middle East, Pakistan—which we’ve mentioned—Turkey and Africa? Peter Storr: Yes, the relation between the EU and the United States is important but it’s by no means the only one. I think my starting point would be the point I made earlier. We need good quality analysis to work out where the key relationships are, and matters do change. But to take the examples that you’ve quoted, we’ve already covered the relationship with Pakistan. Turkey is clearly an important country because of the possibility of its future membership of the European Union, and I know that the European Commission has funded quite a lot of activity in terms of training, technical assistance to Turkey, preparing it for membership of the European Union eventually. And the United Kingdom has been active in Turkey in providing technical assistance and personnel to help in that process. There are regular high-level meetings between the European Union Presidency, the Commission and Russian authorities on the whole range of Justice and Home Affairs measures. Europol has established a number of bilateral agreements with third countries that are intended further to strengthen the capacity to tackle international crime. And the EU has also committed to improving operational law enforcement co-operation overseas in, for example, Latin America, the Caribbean and West Africa.
124 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office If I may make a point on West Africa specifically that shows how situations change, the UK and France a couple of years ago identified a potentially worrying development in cocaine trafficking, which was that a new route was developing from Latin America to West Africa largely, it is thought, because of the success of interdiction of cocaine shipments in more traditional routes. We took up in the Council and with the Commission the importance of EU action on this particular aspect, and the Commission listened, took it seriously and, as far as I am aware, has funded programmes designed to tackle that problem.
Q225 Lord Dear: The nub of this question is, of course, the word “co-operation”. Certainly, when I was closely involved with this—and I would ask you to comment on whether things have changed since I left that scene—you could not really co-operate at a national official level unless you trusted and respected the political system, the judicial system and the organisations that operated within that. And if that trust and respect is not there, you either don’t co-operate or you don’t link with them at all, or, alternatively and dangerously, you link on an individual person to person basis on the basis that I trust this particular individual but not the rest of them. And that is fraught with dangers and difficulties but it does go on, as we discovered when a couple of years ago we were looking at Europol, and that was really only on the European scene. I am interested in your view. Firstly, am I correct that that still is the case and, secondly, assuming it is the case, what is your view on countries like Somalia and some of the West Coast of Africa countries in particular as to how one can ever begin to move towards a state of co-operation other than encouraging them to change? Peter Storr: I think one of the important things is to try and change the system in countries that are of strategic importance to the European Union, and I think many programmes funded by the European Commission are designed to do that. To give one example, there is a European Commission project to reform the Albanian state police. The United Kingdom bid to lead that project. We were successful in doing so. It’s a €6 million project. We’re working together with the Austrians, and the purpose is to reform the police, to bring the Albanian police up to a standard that we would recognise ourselves. And there are other programmes funded by the European Commission to do the same thing in terms of judicial reform. It’s not a quick or easy process and it’s one where we think the Commission, using member state expertise, can genuinely add value. So we see a place for that sort of infrastructure building, but I don’t think you will—and for very understandable reasons— ever change the view of individual law enforcement authorities in various member states to work more closely with some partners than they do with others. I think things like protection of sources, protection of data are built largely on trust and there are very good reasons for that to be the case.
Q226 The Chairman: I am not sure, but did I correctly understand you to say you thought that would never change or that it would change only slowly? Peter Storr: I think you will always find that people, not only in the field of law enforcement and the areas that we specialise in, will to some extent rely on personal relationships. Where I think you start to build trust is by having trust in the institutions of countries concerned, and it is that that is a slow process and it’s also one that builds up personal trust. Working, for example, in Albania, the experts that we have out there will make contacts with the Albanian police and judiciary, which will enable that sort of personal trust to be built up over the years.
125 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Q227 Baroness Eccles of Moulton: Mr Storr, could we turn to hearing something from your point of view about COSI? As we know, it is quite a recent organisation. I understand it had its first meeting last March, so it hasn’t really been in existence for very long. The member states can presumably decide who is relevant to COSI and who they send as representatives. This can cover quite a span of sources, as it were. Also, the funding that keeps COSI going again will be quite dependent on member states’ input into their own internal security. Therefore, the internal security fund will be quite important to the levels of funding that COSI receives and needs. So could you very kindly give us your view on how it’s going and whether it’s moving into a stable and successful organisation? Peter Storr: Thank you. I think the first point to make is that we regard it as being an important committee set up by Treaty and it is intended to be a high-level committee. It’s met six times already. It hasn’t been going for very long and I think it’s perhaps too early to pass a judgement on whether it’s effective or not. In my view, it still has to find its feet. In terms of representation, the seriousness with which we take it is reflected in the fact we send a senior official from the Home Office. It’s me, together with a senior executive director of the Serious Organised Crime Agency. So the UK representation has a senior level policymaker and a senior level law enforcement specialist. Other member states vary their representation. I would very much like to see a greater number of senior level law enforcement specialists round the COSI table because I think that is where the genuine added value of COSI will be. So, it’s disappointing, I think, to see that some member states are represented out of Brussels missions by people who are generalists rather than specialists. We are subtly making that point to a number of member states and are urging through our own police and law enforcement contacts with other member states for that situation to change. As far as the funds are concerned, COSI doesn’t have a direct funding role. What we would like to see, as I mentioned in previous replies, is for it to, as it were, set the agenda for the Commission to follow in terms of funding activity. If COSI establishes itself as we would like to see, then I hope it would play a role in working with Europol to determine what the organised crime priorities are, what the countries are that are of most concern from that perspective, and to be highly influential over Commission funding in terms of where the Commission spends its money. But I have to say that so far we’re a little way away from reaching that point.
Q228 The Chairman: I wonder if I could just follow up on that one, because in the evidence we’ve taken so far there’s been a tendency, I think, just to be a bit fuzzy about what COSI really ought to be doing. You say it is early days yet and we accept that, I think. Clearly, a committee like this takes a bit of time to shake down. But what would be your set of criteria for a successful COSI? What do you think a successful COSI would be doing? We’ve heard from time to time the suggestion that COSI should be focusing on operational co-operation and not on legislative co-operation. Is that a very meaningful distinction? Surely if COSI is to, to use a hackneyed phrase, punch its weight, it needs to be able to influence the Commission both on its spending and on its legislative proposals and on operational co-operation, shouldn’t it? Or have I got that wrong? Peter Storr: No, I think COSI’s mandate doesn’t cover legislative activity. It has no role, for example, in the negotiation of directives, regulations, et cetera. That’s done within other aspects of the Council structure. I would like to see it use law enforcement expertise to influence the legislative agenda to identify issues that require European legislation and issues that don’t, and we will be pushing
126 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office COSI very much in that direction. I think we have a reasonably clear idea what we want it to do, which is enhanced operational co-operation. We’ve seen that there’s been a gap in the European Union’s activity on Justice and Home Affairs in bringing policymakers and specialists together, and in our view COSI can plug that gap. We have put to COSI a number of proposals for specific areas of activity, which we hope it will develop into a work plan and a future agenda.
Q229 The Chairman: Is COSI sufficiently underpinned by effective bureaucratic support, as it were, for its work? I’m sorry to be so ignorant about it, but how is the chairing of COSI achieved? Is it a rotating chairmanship or is it a chairmanship for a fixed number of years? I mean a fixed period longer than six months. Peter Storr: It goes with the EU Presidency of the day, so it’s a six-month presidency at the moment chaired by the Hungarians. There is continuity in the sense that the practice nowadays is for groups of presidencies to get together and determine the agenda and that’s usually done in three member states. So you do have a certain amount of continuity over about an 18-month period. As far as its support is concerned, like any other working group of the Council, or other Council group, it’s supported by the Council Secretariat, but we recognise that for it to be a fully effective body it needs considerable member state input, which is why we are determined that we will give it ideas and suggestions for future work activity.
Q230 The Chairman: There have been European Union bodies like the Monetary Committee that used to exist, which was chaired for I think two years at a time by a person who was recognised by everyone to be a real expert in this matter, and it certainly produced very good results that way. Do you think the rotating presidency is the best way of chairing COSI? Peter Storr: I think if you could get a good chairman with sufficient knowledge and drive to chair any Council working group for a longer period than six months, then you’d have the benefits of having somebody good, having somebody who knew the subject, and that would push the agenda forward better. But I think that’s an observation that applies not just to COSI but rather more generally. On the other hand, with 27 member states they all want the opportunity to influence the agenda and push forward their own priorities.
The Chairman: Yes, although one can think of one or two who might not make a very big contribution.
Q231 Lord Mawson: One of the words that has been used quite a bit is “co-operation”, and I’d like to just push us a bit further beyond co-operation into more joined up working. Just a bit of background, I spend a lot of time in this country in very challenging housing estates where I’ve listened to lots of talk about joined up thinking and joined up working. And yet when I’ve got under the committees and the paperwork and had a look in estates where you’ve got people from all over the world, what you actually find is a lot of that not happening at all—in fact, the reverse, actually—and that you have not got the top structures, the middle management and the people on the ground actually co-operating in a common story and knowing how to do it. You’ve got the policy paper coming into the local authority officer who means well, who changes the name on the door but hasn’t got the faintest idea how to pass that down in a real street in a real place and make it happen. And it seems to 127 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office me that our internal security in Europe depends a great deal on starting to get this right. I wasn’t at the meetings in Brussels but I’ve read some of the papers, and if I’m honest I haven’t really seen anything that gives me confidence as a practitioner that we’re really coming to terms with what this means. So, my question is how well do the different EU Director General agencies and bodies with a role in internal security work together? How might this be improved? Is there adequate liaison with COSI? And I’d quite like if there were some practical examples that you might give of agencies actually working together. What does that actually look like top, middle and bottom and what investment is actually going into this? Because doing complex partnerships like this, actually there are some skills in all of this and there needs to be investment to help people and organisations understand how to do it. Because it seems to me that people and relationship state is the absolute key to our security, and certainly on the ground if you don’t have it, you have none. Peter Storr: May I ask Christophe Prince to start off? Christophe Prince: I’ll start by saying I think the co-operation that is required in particular between agencies is one of the issues that was identified as being essential to improve the effectiveness of the main European agencies such as Frontex, Europol, Eurojust and work with SitCen and one or two of the other bodies, including OLAF, for example. And that was one of the issues that has been taken and discussed in COSI and a number of recommendations were made on how they should take that forward. Of course, writing it down on paper is just half the work. So they’ve now had one meeting of all the heads of agencies to discuss the recommendations and give their view on those, and they’ve agreed that there will now be subsequent meetings of those agencies to keep an eye on the recommendations that are being put forward. Some of the recommendations in there include enhancing contacts, looking at data exchange issues where they’re able to and they’ve got agreements between them so that they can work effectively on investigations or further analysis. So, that’s one of the issues that I think has been identified. There are some recommendations and I think the heads of agencies in their first meeting have welcomed the push from the Council but also welcomed the work. That will be monitored in part through COSI so it is early days again perhaps but it is something that is being addressed. The new Commission separated out what was DG Justice and Home Affairs, so there has been some restructuring. The Commission has its internal arrangements for co-operating on the development of new legislative proposals or on other work. The two, DG Home, which is in the lead, and DG Justice, actually are still very close to each other and I know that the people working in the individual units continue to have close working relationships between them. So, again, there is a desire and a capability within the Commission to work together. And I suppose the last bit is how well do those DGs work with the Council structures and the Council working groups, and I think they are present. There are some good relations being built up, and strong relationships between the Commission and the agencies as well, which also provides some of the continuity in work. So I think the right things are being done. We need to continue to keep the pressure, certainly on the agencies to co-operate and implement the recommendations and we need to continue to make sure that the working groups are exchanging information with the Commission and the DGs are working together. Making it all work is not easy but it’s recognised as one of the priorities to be effective in this area.
Q232 Lord Mawson: Can you give me a practical example of where that work you’ve done has actually led to real delivery that’s tangible, and answer the questions a bit about
128 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office investment in how you do this stuff? Because as I say, certainly my experience in this country is lots of meetings, lots of papers, lots of policy, sounds fine, tick boxes, but when you go look at the absolute detail in some of the most challenging areas of this country, it isn’t happening, actually. Christophe Prince: I would have to get back to you with some specific examples, but I know that in the case of Europol and Eurojust, for example, they’ve been investing quite heavily to try and improve their co-operation on investigations and they’ve reported back that in one or two areas their ability to co-operate has helped them then subsequently improve investigations within the member states. To give you a specific example, I’d have to come back. Peter Storr: I can perhaps give some examples of where we believe that Europol have been effective. For example, they provided substantial assistance to the UK in tackling and breaking up a violent and armed gang of Eastern European robbers who committed more than 20 attacks in the UK on top-end jewellers. They’ve also done a lot of work, working with other partners including Interpol, in tackling child abuse online or child pornography. So I think there are successes you can point to. In our dealings with Europol and Eurojust, we regularly emphasise the importance of co-operation between agencies, and at the Justice and Home Affairs informal council last week in Budapest, which the Home Secretary attended, both Europol and Interpol gave a very strong impression of working more closely together than they had done in previous years. That was affirmed to me privately by the directors of both organisations, and that’s an extremely welcome development.
Q233 The Chairman: Do you think that there’s any rationalisation of this mass of different Council groups and so on that could be a sort of medium-term objective? It’s rather hard for people like ourselves coming from the outside not to believe that there are rather too many of these groups and that there is bound to be duplication, overlap, perhaps bureaucratic inertia in it all. What would your response to that be? Peter Storr: I would agree with you. I think it’s important to separate out Council working groups from Council bodies. Bodies like Europol, for example, I see as having a very clear purpose, so our aim ought to be to work with Europol to give it the information that it needs to do its work properly and to influence it in the right direction, which we are doing. Looking at the proliferation of working groups and committees in Brussels, there are groups that in my view do overlap and if one was starting with a blank sheet of paper I think one would end up with rather fewer than there are at the moment. But that’s a view that we take; other member states seem quite happy with new committees cropping up without old committees being discontinued.
Q234 The Chairman: And is this a subject in which COSI could have some influence to have a sensible debate about a bit more rationalisation of this structure? Peter Storr: Potentially it could. When COSI was being set up and member states were being consulted and we took part in those discussions, our view was that the setting up of COSI ought to be accompanied by the removal of certain other groups that dabbled in the area of police co-operation. There is a group called the Police Chiefs Task Force, which meets infrequently but once or twice during each presidency. Our view was that in order to establish itself as the primary focus for operational co-operation between law enforcement agencies COSI would benefit if the Police Chiefs no longer continued to meet because we took the view that that particular task force was no longer effective. Likewise, there’s a group called the Police Co-Operation Working Group, which does some work on drawing 129 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office up manuals and slightly lower level policing policy. Again, my view was that COSI would benefit if it was seen as being, as it were, the only show in town. But as I said earlier, some other member states don’t take that view of the world and are happy to see a larger number of groups than we would be happy to see.
Q235 Lord Tope: You were giving us examples just now of some of the effective working of Europol. Do you think Europol has now emerged as a credible organisation with which UK law enforcement agencies can do business? Do you think Europol needs any additional powers or even additional funding to go with it? Peter Storr: It has recently had a Council decision, which I think was in negotiation at about the time that this Committee was looking into Europol, and I think that has benefited Europol. I think it’s established an easier relationship between the directors of Europol and the Europol Management Board. I think the change of director has made a difference and you are starting to see the effects of that. There is still obviously work to be done but I know that one of the recommendations in the report into Europol from this Committee was that the United Kingdom and other Member States ought to be more active in using Europol’s analytical services. The UK is now, I think, one of the top five users of that particular facility, the Europol Analytical Work File, as it’s called in Europol. I think that’s an indication of the value that UK law enforcement now places on Europol. There are 21 analytical work programmes and the UK is actively involved in each of those. So, yes, I think Europol is moving in the right direction and we will continue to help it to do so. I think you will have an opportunity—I understand that you might be hearing evidence from the Serious Organised Crime Agency, which is responsible for the, as it were, operational relationship with Europol and I think it would be useful to ask them a similar question.
Q236 Lord Tope: I’m sure we will. What about additional powers in funding? Peter Storr: I think at the moment Europol has fairly clearly set out powers. We think it has the tools to do the job. We see it principally as being a processor of information and intelligence and we very much value its analytical capability. We think it should concentrate, broadly speaking, on that particular mandate. It’s starting to develop, as I mentioned earlier, into relations with third countries. It has a number of co-operation agreements, which again we think is valuable activity. As far as additional powers are concerned, there have been debates in the past among Member States; some Member States want Europol to have the capacity to direct operations, others don’t. I think it has enough powers to be able to prove what it can do, and it should concentrate on doing its present mandate well.
Q237 The Chairman: Presumably if Europol were to become the focus for European effort on cyber-crime that would require some increase in its mandate and would also require, one would assume, some increase in its funding. Peter Storr: Yes. If it takes on that additional role, depending what the role is, I imagine that it will push for additional funding, and we will need to consider that. I think our view of many such European Union bodies is that one of the most important jobs of the director, as in many British bodies, is to ensure that maximum value is extracted from the budget. So we 130 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office wouldn’t accept that automatically when there is a new mandate it should be accompanied by an increase in resources.
Q238 The Chairman: But since I understand it’s the Government’s view that there should not be a standalone cyber crime agency, and that was in the explanatory memorandum and there was a negative reaction to that, presumably you would consider some expansion of Europol’s activities in that field as being more desirable than a standalone agency. Peter Storr: Certainly, yes.
Q239 Lord Dear: A couple of short supplementaries, Mr Storr. When we were looking at Europol, I think a couple of days ago now, we were particularly concerned as to its relationship with Eurojust, whether tension came into being and so on. I wonder, first of all, whether you had any broad views on that relationship now, and how it’s developing. Secondly, and in a very mundane way, but actually very important, was the issue of common nomenclature of the dictionary because it seemed to us that one of the things getting in the way of the co-operation between nations was simply the varying ways in which perfectly ordinary simple terms were being identified and determined in different countries. I think we made a recommendation, from memory, about having some sort of common dictionary that everyone signed up to. A couple of points: I wonder if you could very shortly comment on both of those. Peter Storr: Firstly, on the relationship between Europol and Eurojust, my impression, and it’s only an impression, is that they work closely together. They are, for a start, located in the same city. I think Europol recognises that Eurojust is here to stay. I don’t know how frequently the directors meet, but in my dealings with both of them they’ve indicated that co-operation is good. As far as the common nomenclature is concerned, I would need to find out what progress has been made on that because I’m afraid I don’t have the answer. Lord Dear: I think it would be helpful, if you would not mind. Peter Storr: Certainly.
Q240 The Chairman: We have picked up on two points, both of them small, so perhaps we can add that to the list of things, on which you should give us additional material. Moving on, could I ask what you understand EUROSUR to amount to so far and what its relationship is with UK border control activities? Peter Storr: I’ll ask Mr Prince to answer. Christophe Prince: The genesis of EUROSUR was in some of the challenges that arose in the mid 1990s from a significant rise in irregular migration, not least from West Africa, but also across the Mediterranean, and it was recognised at that time that there were a very large number of smaller boats moving across with a resultant significant increase in irregular migration, but also the loss of life at sea. It was clear that a number of the Member States had inadequate capacity to identify those boats and movement of irregular migrants. So, the EUROSUR project has been put forward and it’s meant to be a technology-based approach to improve pre-surveillance of the Schengen external border with a view to addressing irregular migration, reduce the loss of life at sea and also contribute to internal security by addressing cross border criminality. 131 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office What does it amount to? Three phases of work: the first of those is an inventory and assessment of the technologies that are already established and then to create national co- ordination points, which are able to draw the information from their own national systems and exchange that with other Member States, so there are a number of pilot projects under way at the moment. That’s the phase we’re in at present. The next two phases would be an improvement of the technology and the sharing of information with a view to try and create a common intelligence picture. Then the last phase would be to integrate that pre-border surveillance arrangement into the national and union level intelligence analysis. That’s how we understand the project to be taken forward. In terms of its connection and interaction with the UK, we are involved and participate in some of the Frontex-led working groups and follow the developments at the moment. We expect not to participate in the final phases or the full development of the programme as it will be building on parts of the Schengen acquis, in which we have not sought to participate. And that’s, I think, supported by the fact they’ve identified the European border fund as the basis for solidarity support for implementation. However, we would look to be able to exchange information and co-operate with EUROSUR as it develops, and we would expect that to be through the UK’s own National Maritime Intelligence Centre, which has been announced and will be situated in Northwood in Middlesex. So that would be the obvious link point with our own arrangements, because obviously we are interested and it is in our interest there is a stronger southern maritime border and the land borders as well, and being able to exchange information would be key to that. But I think it’s too early to say what the exact arrangements would be and, indeed, they’re only currently running pilot projects.
Q241 Baroness Eccles of Moulton: You mentioned the fact that we aren’t part of the Schengen Agreement. Could this, in this particular instance, be a disadvantage, and could the measures that might arise from EUROSUR mean that it would be easier for us to join the Schengen Agreement because we would maybe gain the sort of protection that we feel is not there and is one of the reasons why we’re outside it? Christophe Prince: I think it’s a broader question on Schengen participation, but with specific respect to EUROSUR, I think it’s also only a small part of the picture about how one improves border controls, so it addresses the identification of boats, individual travelling across the maritime and, to some extent, land borders. So, in a sense, it improves the overall Union border controls. It is welcome. It is unlikely to be a decisive element in any decisions on our extent to participation in the underlying acquis, but it is welcome in that respect.
Q242 The Chairman: I was intrigued to see in the Government’s security review of last October that one of the high priority objectives that the Government set was to support and strengthen Frontex. Could you possibly say what that amounts to other than a few words on paper? Christophe Prince: We have an arrangement with Frontex whereby we are participating in the management board and make a financial contribution to Frontex, but also contribute experts both in Warsaw but also to some of the missions that have been undertaken. So, we initially sought to participate in Frontex but the ruling of the European Court of Justice made it clear that we couldn’t do so, but we are actively involved in returns operations through Frontex and continue to contribute as we can. So there are material contributions that are made, including any intelligence analysis and developing the strategic picture, as well as, for example, debriefing of migrants picked up in Frontex operations. We will continue to be an 132 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office active member of the management board in helping it identify where it should be supporting operations and what types of activities it should undertake.
The Chairman: That is very helpful. Do you think you could possibly send a little note on what Britain does to support Frontex, both in the past and prospectively too, given that the security review suggests they are going to do more of it, not just the same amount of it in the future?
Q243 Lord Avebury: Do you think that the ISS places enough emphasis on counter terrorism measures or should the EU be doing more in this area? In particular, is there a role for the EU to play in counter radicalisation over and above the individual Member States? Can I ask you to identify where, in either the external or internal security strategies, we look at the ideological foundations of terrorism? I’d love to be able to find an agency that does that—or do we think it’s totally unnecessary to look at what motivates terrorists and how the ideologies concerned can best be countered? One other question, do you think that yet another body is necessary, as proposed, in relation to land transport security or could it be dealt with in some other way? Peter Storr: Firstly, does the internal security strategy give enough prominence to terrorism? I think it’s identified as being one of the top five priorities, and we think rightly so. We think that there is value for the European Union to add, both in terms of policy and in terms of funding. Among the examples of where we think the European Union has been valuable is, for example, in the streamlined process of extradition introduced under the European Arrest Warrant which has led, in some cases, to very quick return of people sought for terrorist offences. So it is one of the top priorities. The question of the ideological underpinning of terrorism is an interesting one. I think it’s fair to say that the European Union, as a whole, is probably rather more concerned in dealing with the effects of terrorism and looking at the way in which the law impacts on the terrorist problem, but I know through speaking to colleagues who specialise in the counter terrorist field that there is quite a lot of research done by the academic institutions and individuals into the ideological underpinning of terrorism. I’m not sure immediately what value the European Commission or the EU, as a whole, could add to that body of knowledge. As far as the strategy of the European Union is concerned on counter terrorism, it does follow fairly closely the United Kingdom’s own strategy, so you would expect me to say that that was a good thing. One of the aspects, which I think the Commission adds value to, is the counter radicalisation agenda and the prevention side of the counter terrorist strategy. I think in that respect it’s probably fair to say that the European Commission’s message will be heard in third countries probably rather more effectively than messages from certain Member States would do, so I think that is an area where the Commission can add value.
Q244 Lord Avebury: You obviously consider that we ought to know more than we do about the ideologies that underpin terrorism. Do you think that the academic institutions that are studying the matter are doing everything that is necessary? How will you access that body of knowledge that you say is spread around the academic institutions? Do you think that somewhere within the framework of the Internal Security Strategy there should be a collection of the work that has been done on the ideological foundations of terrorism, so that the practitioners can understand where it is coming from and how to counter it? 133 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Peter Storr: I think, certainly within the United Kingdom’s own strategy, the bit dealing with counter radicalisation does benefit from contact with the academic institutions and does contain a significant research element, so I think that that research work; a study of the origins and underpinnings of terrorism does inform the United Kingdom’s strategy. Quite whether it does so at the European Union level, I’m not so sure. But the fact that it exists as part of the European Union’s strategy does indicate to me that there is an interest there. I think the United Kingdom has shared its own experience in counter radicalisation work with other Member States and, indeed, has discussed it with the European Commission. So I would not want to leave the Committee with the impression that we in any way undervalued the importance of that sort of work.
The Chairman: I think the Commission’s own programme suggests that it’s more in the way of exchanging experience rather than anything operational that should be involved.
Q245 Lord Avebury: One question that I asked that has not been dealt with, and that is the creation of another body in relation to land transport. Is that necessary or can it be dealt with some other way? Peter Storr: I’m sorry, I did overlook your question, I apologise. I think the Commission has suggested that the first step would be to establish a standing committee on land transport security involving people who are experts in transport and experts in law enforcement, and that seems to us to be a sensible first step. In other words, not to establish a body or a new organisation but bring together people who are experts in the relevant fields to examine the problem and see what practical measures may be necessary at the EU level.
Q246 Lord Judd: You expressed some scepticism about how far work on the ideological basis of radical terrorism could be pursued in the European context. Would you agree that on something so all pervasive and fundamental as that, we desperately need European insight, analysis and intelligence? The experience, for example, of the Germans in working in this area might be highly relevant to the development of our own policies. Could you just say a little bit more about why you’re sceptical? Peter Storr: I think the experience of different countries is extremely important but there are different ways of tapping into that experience, and they don’t necessarily have to be done at the level of the 27, and I think that was the point I was trying to make. Across the 27 Member States there are varying degrees of experience of the terrorist threat, understanding of the terrorist threat and, indeed, interest in the subject. It is not the same across all the Member States, and we have found round the table discussing the issue that the extent to which individual Member States make it a priority largely depends on how greatly they perceive the threat to their own national security arising from terrorism.
Q247 Lord Judd: Could I just follow that up with one other question? I sometimes get a bit concerned that some of the manipulation of people in the cause of terrorism uses our counter radicalisation policies and operations as a means of extending what one might call the disenchantment of potential recruits, because it is seen as a sort of “Uncle Tom” operation that is, from the terrorist point of view, on the other side. Peter Storr: On the European Union attitude, if I may add an additional point to your earlier question. My point was that it’s important to learn from other countries’ experience. But that experience varies across the Union, so I think for the most part it’s done bilaterally and 134 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office we will exchange information and our own experience with anyone who is interested. My point was merely that in this field, as in many other fields, we need, I think, to establish what additional value an EU-wide approach would bring to it. On your observation on counter radicalisation and its effect, I’m afraid I would need to leave that to an expert in counter terrorism to comment on it. I don’t pretend to be such an expert myself.
Q248 Lord Richard: I wonder if we could turn to the solidarity clause for a moment. One of the things that is interesting me is that with regard to the ISS’s proposals on civil protection, first of all, how do you think priorities might be determined between what constitutes an EU crisis and what constitutes a national crisis? What are the likely implications of the implementation of the solidarity clause? Peter Storr: If I may, I’ll ask Dr Strickland to answer that question. Dr Strickland: It is perhaps helpful to reflect that a national crisis might take on a European Union dimension in a number of different circumstances: for example, when the response capability of an affected Member State is overwhelmed to the extent that that State calls for assistance through the civil protection mechanism; secondly, perhaps when designated European critical infrastructure is affected under the terms of the European programme for critical infrastructure protection directive; and thirdly, when an emergency affects a number of Member States or the whole of the EU to the extent that the EU-level crisis co-ordination arrangements are activated or placed on alert, or are used with a view to political co- ordination of the response. If we reflect on the circumstances under which Member States have activated the civil protection mechanism, those circumstances have been very varied. Some of them have been very large scale catastrophic disasters with or without cross-border implications or consequences; but also some of them have been, if I may put it like this, very small scale, as last year, for example, when a single cave diver was lost in France and France activated the civil protection mechanism in order to call for assistance by expert speleological search and rescue cave divers. So given the range of different circumstances under which the civil protection mechanism can be involved one might think that the term “EU crisis” could perhaps best describe the situation where the crisis co-ordination arrangements are activated, but clearly there are shades of grey along that continuum. The proposals in the Commission communication adopt an integrated approach across prevention, preparedness, response and recovery, and they stress prevention and anticipation while recognising national responsibility for improved preparedness and response. The EU work on disaster prevention is relatively recent but it could help, if it was successful, to enhance the resilience of Member States and therefore reduce the extent to which national crises end up becoming EU crises. I think it’s fair to say that the UK plays a leading role in this, particularly through our support for work on risk assessment in the European Union, and more generally for seeking to integrate prevention considerations into European Union funding instruments; and in that sense, we would prioritise ways to prevent national crises from becoming EU crises. If I may pass on to other elements in the internal security strategy, one element refers to the recent Commission communication on disaster response, which proposes that Member States place response assets on-call for EU operations, unless they are needed for domestic 135 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office emergencies, and that Member States could have such assets at their full disposal for national purposes when they were not in use for EU operations. Our approach is to resist moves to prioritise EU operations over national purposes in such a way as to limit Member States’ rights to decide how such assets should be deployed, whether deployment was domestically or internationally. The internal security strategy also refers to crisis co-ordination arrangements; and here there is some current reflection within European Union institutions on how those co- ordination arrangements might accommodate the new Lisbon Treaty arrangements. There are still significant challenges in the, if I can call it this, functioning of the relationships between EU institutions, namely the Council Secretariat, the Commission, External Action Service and the President of the European Council, but also between Member States’ permanent representatives and their capitals, and between the EU institutions and the Member States. I think we look forward to a review, which is in progress at the moment, to enable us to make progress on those arrangements. If I can respond to the point about the solidarity clause; we understand that proposals for implementing arrangements will be tabled possibly towards the end of this year; and with reference to natural and man-made disasters, the clause focuses on the response rather than on prevention but its ambit is wider where a Member State is the object of a terrorist attack. Our understanding is that the implementing decision will cover the European Union’s arrangements and therefore would not affect the obligations of Member States to each other under the second part of the clause in question.
Q249 Lord Richard: Can I just follow that on a little bit? The ISS says nothing about involving the military. Do you think that’s a gap? They use the military in civil disaster situations. That’s a pretty well known and quite successful involvement. Do you think that’s a gap in the ISS? Is it a logical approach to ignore the military totally? Dr Strickland: Well, clearly military assets can provide significant support to disaster relief and our view has been, and still is, that these should only be used where there are no civilian alternatives. Not every Member State shares that principle of last resort when it comes to military use in those circumstances, for example, the Netherlands I might cite. Although the solidarity clause includes reference to military resources, the extent to which the implementation of that clause could integrate civilian and military instruments is still very unclear. We await the proposals on implementing arrangements in that respect later this year. The Government’s approach to specific proposals for the use of military support to civilian disaster response has been to consider each case of emergency on its own merits case by case. Having said that, there are some examples of EU military staff already supporting disaster relief. I could refer to the instances last year in the response to the devastating earthquake in Haiti and the devastating floods in Pakistan, in which EU military staff enabled access to military strategic airlift to support Member States’ assistance in the latter circumstances16. On the question about prospective counter terrorism operations and the role of the military in that context, there could be an EU military response to a counter terrorism event
16 The witness subsequently explained that EU Military Staff played a limited co-ordinating role in the EU response to Haiti’s earthquake. NATO’s Euro-Atlantic Disaster Response Coordination Centre separately offered strategic airlift support for Member States’ disaster relief to Haiti through the Civil Protection Mechanism’s Monitoring and Information Centre. 136 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office perhaps, but what exactly would those circumstances be is a question that we would need to answer; and any response would be likely to be a matter of national responsibility and more likely, perhaps, to be handled bilaterally through requests for specialist assistance in managing the consequences of such incidents.
Q250 The Chairman: I was wondering whether you don’t think this concept of only looking to the military where civil response is inadequate is perhaps appropriate for Member States who have a very strongly developed system for handling an emergency, but is less so for Member States that aren’t so well-equipped, and almost not at all applicable in third countries where the whole of their civilian response capacity may have collapsed? That was the case in Haiti. And whether or not it wouldn’t make a bit more sense to think of how the military can sometimes be the only people who can get there in the period of time when most of the casualties are being incurred? Dr Strickland: Thank you, Lord Chairman. I think the question may resolve into a question about the extent to which we have spare military capacity. In practical terms, our military are resourced to carry out their commitments, and a decision has to be made, case by case, on whether it is feasible and practicable to provide military support in a civilian disaster. So it would be very difficult for us to, for example, pre-commit military resources to civilian disaster response in any way.
Q251 Lord Richard: I suppose one of the guiding principles is that the UK would not permit its military to be used against its own wishes at the decision of an EU institution to that effect. I imagine you would want to keep that firmly under national control? Dr Strickland: At present decision-making with defence implications is by unanimity anyway, and therefore I see no likelihood of a situation where EU institutions could, as it were, decide for us what would happen.
Q252 Lord Dear: We were engaged, you and I, in a conversation before about trust and co-operation and understanding, and all the rest of it. I think largely that answer would bear very heavily on the question which, for the record, I’ll put to you, although I suspect you may want to answer it rather shortly. That is the agenda question of what contribution you think the EU can make to the safety of large scale international events like the London Olympics. You might want to shade over, away from the counter terrorism thing, which we’ve already covered to a large extent, and perhaps give us a comment or two on the exchange of manpower for specialist tasks, which one country may not have in abundance, looking at co-operation that is taking place with large scale football matches, for example, when spotters are being sent from one country to another trying to find troublemakers in advance. But that, I realise, is a whole raft lower than the higher grade thing to do with international co-operation of terrorism. Peter Storr: I think to start with, on the point you made about large sporting events, there is considerable expertise within the UK, not always from the happiest of circumstances, but there is a body of expertise, both in policy setting terms, and also in operational co- operation. There are well developed ways in which we share our experience with our European partners. As far as the Olympics are concerned, the planning obviously is at an advanced stage, and in terms of letting our European partners know what is going on and benefiting from their experience, a number of things have been done. There is an international liaison unit in the
137 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Metropolitan Police which has been set up to engage bilaterally at an operational level with European and other partners. The Foreign Office has set up a similar initiative at diplomatic level with foreign missions based in London. We plan a major conference to provide ambassadors and high commissioners of each competing nation, and representatives of those countries who deal in security issues with an overview of the preparations that we are putting in place. My understanding is that there is one conference due to be held shortly with another three planned. There is good liaison with the European Union’s counter terrorist co-ordinator, who is based in Brussels. He has been invited to visit the Olympic Park in the first quarter of 2011 and we intend to brief him on arrangements for the Games. Finally, we are continuing to review our engagement with European Union structures and bodies such as Europol. It’s unlikely, we think, that we will need to, as it were, look to the EU as a whole for support. But we are certainly tapping into the expertise that exists in these areas from other Member States, not only from a security point of view but from a point of view of the effect of organising a large scale Games event.
Q253 The Chairman: So you could reasonably say that you responded quite well to the recommendations of this Committee when we had our civil protection study some time ago, and said that we thought the evidence we had taken at that stage showed a certain complacency about the situation, and that the need to build up a better understanding across Europe of what was being done and what we might need to turn to in certain circumstances has been quite effectively followed up. Peter Storr: I hope so. My conversations with my European Union counterparts indicate to me that on issues like security and safety relating to football matches and other sporting events, the UK is not only recognised as having some expertise in that field but is also valued in the sense that it shares that expertise with our partners, and we will continue to do so.
Q254 Lord Mawson: I should declare an interest because I’m a director of the Olympic Park Legacy Company Board and I’m quite aware of what’s happening on the ground. Having worked there for 26 years, I think the real threat in east London might not be what is happening within the 11-mile fence; it might be in the global community that lives around that area. If I was going to attack east London I could think of all sorts of other places outside that fence I would go for. I just wondered, at a practical level again—it is a question I raised last time and you might not know the answer—whether as part of this process there have been conversations with Sir Robin Wales, the Mayor of Newham who is responsible for a large part of the population, and certainly in the past has expressed concern to me about the lack of connection with some of that. It may have improved recently, things may have moved on, and so on, I have not caught up on some of that, but I would be interested just to know in terms of the EU how much briefing has gone on with regard to the realities of the people and communities that live in East London, not just what happens within the Park. Peter Storr: I’m afraid I don’t know the answer about the degree of interaction between the people organising the Games and the security of the Games and Newham Borough, but I can certainly pass on your observations to the people within the Home Office responsible for that sort of issue.
138 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office As far as the consultation with the rest of the EU is concerned, I think that the measures that I’ve outlined that are both in place at the moment and planned will be the means of ensuring that the relevant messages get through to our European Union partners.
Q255 Lord Mackenzie of Framwellgate: Cyber-crime is obviously very topical, as evidenced by the recent attack on the carbon exchange programme, and so on. Do you think that the appropriate place for the proposed Cybercrime Centre is Europol, and how do you think it might work with ENISA? Of course the Government has recently proposed or committed £650 million to the UK national Cyber Security Programme but, of course probably for political reasons, is opposed to any budget increase for the European Union. Do you think these things are realistic? Is it a realistic approach? Peter Storr: I think the first point to make is that a certain proportion of the £650 million— perhaps indeed a considerable proportion of it—is for infrastructure building, which would not necessarily apply to Europol’s own activities in that field. So, I don’t think one could look at the size of the UK’s own investment in tackling cyber-crime and cyber security and draw automatic conclusions as to the size of the Europol budget for tackling the European Union aspects of it. Having said that, I do think it is an important issue. We would be very much in favour of Europol being the body to take this on for two reasons. One is that, as previously discussed, we don’t always think the answer to a problem is to invent another body at the European Union level. But the second point, I think, is that Europol, as we have said earlier, is beginning—or certainly rather more than beginning—to establish itself as an effective body and we think that its expertise is sufficient to take on this role. The relationship with ENISA will require careful study. There’s a Commission proposal for the renewal of ENISA’s mandate and it’s identified a new role for ENISA in working with law enforcement in the fight against cyber-crime. We regard that as being a reasonable proposal. The work that ENISA does on security of networks and on information technology is potentially valuable in identifying problems and solutions on the cyber-crime problem. So we would be looking to use that discussion on that communication to try and bring the agenda of Europol, if it takes on the cyber-crime mandate, and ENISA closely together to see them co-operating fully without duplication or gaps. I think I’ve dealt with the budgetary issue.
Q256 The Chairman: I take your point that some of the £650 million is, as it were, hardware that the UK wishes to spend to strengthen its own cyber security, and that this doesn’t necessarily replicate itself at a European level. I think those points are both well taken. I do however frankly think it defies credibility to suggest that a clearly poorly defended European Union in the cyber security field—and we’ve had this most recent event at the emissions trading scheme being attacked successfully—can strengthen its security, which has implications for this country’s security, at nil cost. It just defies any serious belief, I think, and so I wonder whether it is wise for us to be taking this line. Everyone in this Committee understands that the European budget is under great strain, as national budgets are, that you cannot expect a massive expansion, and so on but to simply say that they have to do it all with the resources they have, when they don’t have any resources at all for dealing with cyber-crime, does seem a little odd. Peter Storr: I don’t think I was suggesting that we would block or be opposed to an increase in the Europol budget to deal with cyber security as a sort of principle. The Government’s position on the EU budget as a whole is well known. I think, as I’ve said earlier, what one 139 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office would look to Europol to do, as one would look to other European bodies, is to make out a properly costed, well-argued business case, and I think that’s a discipline that will get more and more important in the years to come. I’ve seen proposals over the years from Europol, some of which have been well put together and well argued, and I’ve seen proposals from Europol in the past which haven’t been. What we don’t want to encourage in any European body is an automatic reflex that any new mandate will be accompanied by a large amount of additional resources. That is not to say that we will be completely closed-minded about it. It’s to say that what we would expect from Europol is a well argued business case to justify additional resources, which we, along with the other 26 Member States, will then consider.
The Chairman: Thank you very much. I think the issue of automatic reflexes goes in both directions, but that is a helpful response.
Q257 Lord Judd: I am grateful to you, Lord Chairman, because I know we are getting short of time. Would you agree that if one is to make a success of security policy in general, and particularly counter terrorism, it’s absolutely essential to maximise public understanding and goodwill of the policies that are being followed, and to get as many people on board as possible? Some of our witnesses have regretted the lack of transparency in, for example, COSI. They’ve put it to us that COSI should be more accountable in National Parliaments and the European Parliament, and its papers should be made public. Are you confident that the emerging EU security framework, both internally and externally, respects citizens’ fundamental rights and is subject to sufficient democratic accountability? Peter Storr: I think the first point to make is that I don’t think there is a great understanding of what COSI is and what COSI does. I think it’s probably a good idea for us to consider how we can address that. There have been a number of comments that I’ve read that seem to suggest that COSI is seen as a permanent body. It is in fact, as I’ve said earlier, a high level working group that officials attend from capitals, they meet for a day, and they decide various courses of action. So it isn’t a permanent body, but I think you’re right. We probably need to think about how we explain the work of COSI in a way that puts right what it does and what it does not do. As far as its documentation is concerned, like other working groups of the Council, it observes the same rules as regards publication of documents, as other working groups do. In some cases there will be sensitive issues discussed, which will mean that certain documents can’t be released, but in many cases I think the documents that it considers won’t attract that degree of classification. Its major recommendations will go to the Council of Ministers, the Justice and Home Affairs Council to which COSI, like other bodies in the Justice and Home Affairs field, is accountable, and many of the deliberations of Ministers in the Council are now broadcast so that they are open in that sense. Finally, relevant documents for COSI will be subject to the usual parliamentary scrutiny arrangements thereby introducing another level of accountability. So I think that in terms of the operation of COSI we will certainly regard it as being subject to the same accountability, scrutiny and other arrangements as other council bodies, but we will, if we may, take away your point about how to get across what COSI is and does in a way that maybe takes some of the suspicion and lack of knowledge away from the issue.
140 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Q258 Lord Judd: Just if we may, that takes us on to the issue of the European Arrest Warrant. I wonder if you can just say a word or two about how effective it’s proving and how its operation is integrated with commitments to fundamental rights and proportionality? Peter Storr: Certainly. As far as its effectiveness is concerned, it was introduced in 2004, and since then has resulted in 447 suspected or convicted criminals being returned to the United Kingdom to face criminal proceedings or to serve prison sentences, so in that sense it is effective. It has resulted, within the European Union, in a much quicker extradition of suspected offenders than existed under the previous bilateral arrangements. The question of its relation to fundamental rights is one of the areas being considered at the moment by the extradition review that the Government set up, which is chaired by Sir Scott Baker, which is due to report and publish its findings in September of this year. It is looking at three aspects of extradition: the operation of the 2003 Extradition Act, which is the UK’s legislation; the US/UK extradition treaty and arrangements; and the European Arrest Warrant. So that issue of the balance between efficient extradition and the rights of suspects is one of the issues that the Committee will be considering.
Q259 Lord Judd: This will clearly be an important report, but do you agree with the principle that for almost anything that is undertaken in this sphere there ought already to be a kind of question at the top of every paper saying, “And the counter productivity?” because inadvertently it is so possible to do something that makes all sorts of logical sense operationally but when you stand back and look at it you see it is going to aggravate the problem. Peter Storr: I am sure that that issue is well within the mandate of the review that Sir Scott Baker is looking at. I know there has been a lot of discussion on whether the European Arrest Warrant, which I think was drafted in 2001 and discussed extensively immediately after the 11 September incidents, does achieve the right balance between speedy extradition and the rights of the suspect. So I think I’m right in saying that that issue will be looked at by the review, which is, as with other reviews, open to anyone to submit views and evidence to it.
Q260 Lord Mackenzie of Framwellgate: Just a very quick one from me: in your experience do you think that any European countries are abusing the European Arrest Warrant in the sense that trivial matters are being dealt with, which clearly we wouldn’t use as a law enforcement agency in this country? Peter Storr: I’m not sure I would describe it as being an abuse, but it certainly is a concern. I think it illustrates how different legal systems within the European Union operate. In some countries there is a constitutional requirement to pursue any measure designed to bring a criminal to justice. So you will see that investigations into what we would consider to be comparatively minor offences are pursued, even at the European level, by a number of Member States. That is, in many cases, because their law or their constitution requires them to do so. We are discussing with a number of the Member States concerned that issue of proportionality, not only in the context of the European Arrest Warrant but also during the ongoing negotiations at present on the European Investigation Order, so we are aware of the problem and we are trying to do something about it.
141 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Q261 Lord Richard: I have two purely factual points. You told us we have 447 back to the UK; I think that’s the figure. Peter Storr: Yes, it was indeed.
Q262 Lord Richard: How many did we lose? Secondly, when is the Baker report likely to see the light of day? Peter Storr: I think Baker is due to report his findings in September of this year, so it isn’t that far away. As far as the statistics are concerned, and I will drop a note if I may to the Committee giving the full facts, my understanding is that in the last financial year, 2009-10, SOCA received 4,100 European Arrest Warrants issued by other Member States, 1,032 people were arrested in the UK, 699 people were extradited to the issuing state, but I will write to the Committee with a full set of figures.
Q263 The Chairman: That will be very valuable. I think you said, at an earlier stage in your evidence, that from the counter terrorism point of view the European Arrest Warrant had proved to be rather valuable. I think you said that in an earlier answer, if I recall correctly. Peter Storr: Yes, but it’s not solely confined to counter terrorists.
Q264 The Chairman: No, not at all, but of course we have a slightly awkward distinction here because the European Arrest Warrant is the property of our sister committee dealing with Justice and Institutions, but we are particularly looking in this inquiry at whether the European Arrest Warrant has been an effective tool in the fight against terrorism, and I think you said that you did think it had been valuable. Peter Storr: Yes. There is one example that illustrates it. One of the suspected plotters behind the, I think, 21 July 2005 failed attacks on the United Kingdom was extradited within 21 days from Italy under the European Arrest Warrant.
Q265 The Chairman: Is that the only example, because we have heard that one mentioned pretty frequently? Peter Storr: It’s the example that I think illustrates the effectiveness best, so that’s probably why you’ve heard it a number of times. If you would like me to see if I can further illustrate the usefulness of the European Arrest Warrant I will gladly do so.
Q266 The Chairman: That would be very useful. I hesitate to use this phrase, but that example has, I think, been slightly overused in the sense that it’s well known to everyone but it is now fading into the distance, and the question that we’re looking at more is whether the EAW is an effective tool, not just once but in general terms. So if you were able to give us a little more of an illustration of that it will be helpful. Peter Storr: I will gladly do so. The Chairman: I would like to thank you very warmly on behalf of the Committee for the evidence that you and your two colleagues have given us this morning; it has been extremely valuable. You have enlightened us considerably on a number of areas, and if I could just remind you that we have, as we went along, identified one or two areas where we would value it if you could give us a little bit more in writing. Our Clerk, Michael Collon, will be in 142 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office touch with you to identify the points that came up here, on which you said you thought you could help us a bit further, and that would be welcome to the Committee if you could do that. Meanwhile, thank you for the evidence you’ve given us. That will be of great value to us. Peter Storr: Thank you.
143 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office
Supplementary written evidence, Home Office (ISS 16)
Introduction
• This memorandum provides supplementary evidence to that provided during and in advance of the Official’s Evidence Session on Wednesday 26th January as part of the Lord’s Enquiry into EU Internal Security. It responds to specific commitments to provide additional evidence and questions raised during the session.
Common Nomenclature for Europol
• We understand that Europol has taken forward work in a number of areas to address the need for a common terminology and understanding amongst Member States.
• Last year Europol created a Catalogue of Products and Services, an unclassified publication issued to all Europol Heads of Units, which clarifies terms such as threat assessment, situation reports, intelligence notifications, and describes the various types of operational analysis report, Joint Investigation Teams, and the range of products for which Europol are responsible or are developing, including the Analysis Work Files. The catalogue is intended to be updated as the need arises – for example, in relation to the current business change programme underway at Europol, which includes proposals for amendments to the overarching Analysis Work File Structure.
• One of the products Europol is developing which is included in the catalogue is the Europol Platform for Experts (EPE), which allows experts to access knowledge products related to special law enforcement techniques through one web-based portal.
• The European Law Enforcement Dictionary, to which Europol’s 2009 Work Programme referred, was developed and tested in 2009. A subsequent evaluation established that the tool was difficult to maintain. Further development has been put on hold pending an assessment as to whether a customised dictionary could be integrated in the next version of the SYSTRANS translation tool. The intention is for this dictionary to be accessible later in 2011 as part of the SYSTRANS tool to Europol officials and Law Enforcement officials in Member States, initially via Europol's intranet and in the future via the SIENA system and the EPE
UK work with Frontex
• Frontex’ role is to coordinate the resources of the Member States to strengthen the security and surveillance of the external borders. The first five years of Frontex activities have demonstrated that this work must be delivered in coordination with the efforts of third countries if the numbers of illegal migrants arriving in the EU are to be reduced. Equally, the coordination of Frontex activities with those of other EU Agencies is imperative if the Agency is to contribute to the fight against cross-border criminality including human trafficking and people smuggling.
• Proposed new legislation on Frontex will, if adopted, enable Frontex to engage more effectively with third countries and will allow some types of personal information about suspected criminals to be shared with other EU agencies and member states. The
144 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Frontex Programme of Work 2011 supports the European Internal Security Strategy by increasing its operational focus on targeting organised cross border crime.
• The UK’s engagement with Frontex is constrained by our non-participation in the legislative measures that support the Agency. This means UK officials do not enjoy the same legal powers or protections as the Schengen border guards and UK officials are therefore restricted to a role that Frontex refers to as ‘special advisors’. There are, however, provisions in the Frontex Regulation to allow for UK participation in Frontex activities with the permission of the Management Board. This is assessed on a case-by- case basis where such participation will assist in the fulfilment of the objectives of that activity.
• Since Frontex was first established in Warsaw in May 2005, the UK has provided support to the Agency in a range of activities including:
• Seconding experts to work in the Frontex HQ offices. A UKBA official is currently special advisor on external relations to the Executive Director.
• Supporting Frontex joint operational activities at land, sea and air borders. For example deploying debriefing experts to interview newly arrived migrants to identify the routes taken and the facilitators involved in their travel. These interviews are voluntary and have helped to expose the extent of nationality swapping taking place at the external borders.
• Acting as lead country in Frontex joint return operations.
• Supporting Frontex training activities including opening a Partnership Academy of the Frontex Training Sector at London Gatwick that has delivered leadership and human rights courses to Schengen border guards.
• Seconding a UK expert to set up and run the Risk Analysis Unit in Frontex HQ.
• Supporting the Frontex R&D sector and hosting visits to demonstrate UK technological support systems for border management.
• The UK makes a financial contribution to the costs of the activities in which we participate and for the last four years that contribution has been €570k (c. £520k). We are currently discussing with Frontex how we could create a more transparent link between the level of UK participation and the size of the UK’s financial contribution.
• The National Security Strategy identified a “significant increase in the level of terrorists, organised criminals, illegal immigrants and illicit goods trying to cross the UK border to enter the UK”. The proposed mitigating action was to “maintain border controls to prevent a significant increase in the flows of terrorists, criminals or illegal immigrants or goods. In almost all cases, our efforts to prevent risks are strengthened by working alongside allies and partners with the same interests”. The Strategic Defence Security Review included a commitment to continue our work to support Frontex.
• The UK will be using its overseas liaison network to feed into Frontex’ work with third countries and we will be seeking an increasing participation in Frontex return operational 145 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office activities which we believe send a strong deterrent message to those intending to enter the EU illegally.
European Arrest Warrant
• From April 2009 to March 2010, there were a total of 1,032 people arrested and 699 people extradited pursuant to EAWs issued to the UK. The tables below show those numbers broken down by offence. Table 1 show those arrested and table 2 shows those surrendered.
146 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office
Table 1 – Arrests Apr- May Jun- Jul- Aug Sep Oct- Nov Dec Jan- Feb- Mar- Grand Principal offence 09 -09 09 09 -09 -09 09 -09 -09 10 10 10 Total 1 1 1 3 Armed Robbery 2 1 1211111 1 3 15 Arms Trafficking 1 1 Arson 1 1 2 Child Sex Offences 1 2 3 3 5 2 2 4 22 Counterfeiting 11 2 Drugs Trafficking 9 9 9 13 10 11 8 10 7 9 18 12 125 E-Crime 1 1 Fraud 7 8 10 14 15 13 16 17 12 9 20 26 167 Grievous Bodily Harm 6 35 5771335 6 10 61 Immigration & Human Trafficking 1 33 235173 1 29 Kidnapping 1 1 2 2 3 9 Money Laundering 1 1 5 7 Murder 1 14 2242122 5 5 31 Other 17 10 14 20 14 20 25 12 12 17 14 20 195 Rape 3 32 115532 2 27 Robbery 4 7 6 5 5 17 12 17 8 12 20 15 128 Terrorism 1 1 1 1 2 6 Theft 8 11 15 18 14 17 17 12 20 27 23 19 201 Grand Total 62 59 70 86 74 103 96 85 76 83 118 120 1032
Table 2 – Surrenders Apr- May Jun- Jul- Aug Sep Oct- Nov Dec Jan- Feb- Mar- Grand Principal offence 09 -09 09 09 -09 -09 09 -09 -09 10 10 10 Total 1 1 2 Armed Robbery 1 1 1 2 2 7 Arms Trafficking 1 1 Arson 1 11 3 Child Sex Offences 2 12223 1 3 16 Counterfeiting 1 1 2 Drugs Trafficking 5 4 6 8 5 11 11 5 11 5 9 13 93 E-Crime 1 1 Fraud 6 48 788312149 9 9 97 Grievous Bodily Harm 1 12 6552345 3 7 44 Immigration & Human Trafficking 2 1 3438 21 Kidnapping 1 2 1 1 5 Murder 1 1 5313253 3 4 31 Other 12 10 3 11 14 12 13 15 11 10 11 9 131 Rape 1 11 34 6252 25 Robbery 1 32 76699119 5 11 79 Terrorism 1 1 2 Theft 5 9 4 9 12 9 12 10 13 23 14 19 139 Grand Total 35 34 28 58 62 58 66 65 86 72 56 79 699
147 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office Organised Arms Trafficking
• Whilst organised arms trafficking was not identified as a priority threat within the 2009 EU Organised Crime Threat Assessment (OCTA), produced by Europol, arms trafficking remains an important issue for the EU and for Europol. It should be noted that the next EU OCTA is due to be published in March 2011 and will be supported by a new Executive Summary of identified priority threats (also produced by Europol). As part of the EU policy cycle, these will inform decision making by COSI and a political debate by the Council in May 2011 on the EU’s Crime Priorities17. It would therefore be premature to comment on whether organised arms trafficking will be identified as one of the key priorities for Europe.
• The Stockholm Programme highlights trafficking in firearms as one of the illegal activities which continue to challenge the EU, and the Stockholm Programme Action Plan includes two firearms-related actions:
• A proposal for a regulation implementing Article 10 of the United Nations' Firearms Protocol and establishing export authorisation, import and transit measures for firearms, their parts and components and ammunition.
• A proposal on the conclusion (ratification) of the United Nations Protocol against the illicit manufacturing of and trafficking in firearms, their parts and components, and ammunition.
• The fight against arms trafficking forms part of COSI’s Work Programme, under which the COSI is responsible for monitoring developments within this area, including developments through the informal European Firearms Experts group (EFE). The EFE was created under the former Police Chiefs Task Force and now reports to the EU Law Enforcement Working Party and, subsequently, to the COSI. The EFE is actively engaged on a number of projects, including:
• Following-up two agreements: “Firearms-related crime – Information exchange between police services” and “A standard procedure for cross-border enquiries by police authorities in investigation supply channels for seized or recovered crime- related firearms”.
• A European “Action Plan to combat illegal trafficking in so called “heavy” firearms which could be used or are used in criminal activities”. This plan was adopted by the COSI on 24 November and, by the Council on 3 December 2010.
• An EU Firearms Threat Assessment (EUTA) concerning firearms-related crime, ranging from international firearms trafficking and distribution within Member States to the criminal use of firearms and the law enforcement response to firearms crime across the EU. The last European Threat Assessment on the Criminal Use and Supply of Firearms within the EU was written in 2008. The UK’s National Ballistics Intelligence Service (NABIS), who represent the UK on the EFE, have agreed to author the new Threat Assessment and are preparing a questionnaire and intelligence
17 According to the roadmap adopted as part of the ‘Council Conclusions on the creation and implementation of an EU policy cycle on serious and organised international crime’, the Council will have a “political discussion on EU Crime priorities” in May 2011. 148 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office requirement that the EFE Secretariat and Europol will disseminate in addition to collating the returns on behalf of the UK. This will assist in the delivery of the aforementioned action plan.
• The action plan to combat illegal trafficking in so called “heavy” firearms considers the continuing use of smaller handguns, the rise in the number of incidents involving so called “heavy” firearms and the threat from South East Europe due to the vast number of stockpiles and weapons in circulation in that region which are considered to serve as a supply for conflict zones outside the EU.
• The plan includes several actions, including defining terms, setting up a general data collection plan and, ensuring detailed recording of the number and types of illegal firearms seized in law enforcement efforts, amongst other things.
• The EFE will work with Europol to deliver the action plan. The plan demonstrates the sort of approach advocated under the EU policy cycle, bringing national experts together to agree realistic actions for practical cooperation. The next meeting of the EFE will take place in April 2011, in Hungary, where the EFE will look at the practicalities of implementing the plan.
• It is open to any Member State to ask Europol to carry out an analysis of a particular threat outside of the priority areas, under their Organised Crime (OC) SCAN Notice arrangements. During their Presidency Belgium raised such a request concerning the illegal trafficking in and internal circulation of heavy firearms, such as assault rifles, in the European Union. Analysis showed that the possession of such firearms by Organised Crime Groups was increasing, and Europol recommended a number of measures, including joint investigations. The European Action Plan referred to above takes into account the outcome of this OC-SCAN Notice.
• Furthermore, the Government is fully committed to securing a robust and effective, legally binding Arms Trade Treaty to regulate the international trade in conventional arms. The introduction of common international standards for the global arms trade will help to close the gaps and inconsistencies that exist between the current range of national and regional arms export control systems, through which weapons can pass into the illicit market, and into the hands of terrorists and insurgents.
Inter Agency Cooperation
• Details of a number of operations which involved joint working by Europol and Eurojust were published in the Europol 2009 Review. These include:
• Operation Andromeda - In December 2008 Eurojust provided Europol with information about an investigation in the early stages of development. This was originally an Italian inquiry which concerned suspected organised criminals of Albanian origin, located in Antwerp, and involved in drugs trafficking into Italy and the UK. Three different coordination meetings were held at Eurojust during 2009, which paved the way to a joint initiative. Police activities carried out in several European countries corroborated elements stemming from technical investigations. The investigation and action produced recoveries of significant amounts of drugs and cash, and resulted in 15 immediate arrests.
149 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office The execution of European Arrest Warrants and official requests for Mutual Legal Assistance in Criminal Matters against 42 suspects led to the arrest of 30 individuals and the seizure of further quantities of drugs and €127 000 in cash. The operation was finalised in December 2009.
• Operation Gomorrah 1 - Operation Gomorrah I targeted Italian organised criminal networks that were trafficking unsafe counterfeit commodities such as power tools and generators. This operation involved actions in several EU Member States. In June 2009, French Customs and Gendarmerie deployed 350 officers nationwide resulting in the arrest of 9 persons and the search of 98 warehouses where counterfeit products were seized. Evidence indicated that 748 tonnes of such items, representing an estimated value of 11 200 000 euros, were sold through these outlets since 2007. Close French cooperation with German Police led to a further simultaneous arrest in Germany. In September 2009, 130 German police officers were involved in the arrest of 19 persons and 30 premises searches where more than 30 tonnes of illicit products were seized. Evidence was also simultaneously gathered in both Austria and Italy. On both occasions, actions were coordinated by Europol and Eurojust, with technical on-the-spot support provided by Europol.
• Operation Creieur - An operation against a large international skimming network, coordinated from the Europol operational centre, led to 24 arrests in September 2009. Eurojust coordinated the judicial part of the operation, which involved Belgium, Ireland, Italy, the Netherlands and Romania. Italy’s Polizia di Stato, who led the investigation, considered this its biggest operation against a payment card fraud gang. So far the network was suspected of skimming at least 15 000 payment cards in the EU, with over 35 000 fraudulent transactions in total and losses amounting to around €6.5 million. From the Europol operational centre, police officers, judges and prosecutors from the Member States concerned coordinated the joint operation via video link. Direct communication with prosecutors and police officers in the Member States during the three-day joint operation resulted in a total of 24 persons arrested, in Italy, in Romania, in the Netherlands, and in Belgium. In several house searches illegal equipment, counterfeit payment cards, drugs, weapons and a large sum of cash were seized. The operational analysis carried out at Europol identified links to criminal offences in Belgium, France, Germany, Ireland, Italy, Moldova, the Netherlands, Spain, Sweden, Switzerland and the United Kingdom.
• There is also considerable evidence of interagency cooperation involving Frontex, including:
• A recent operation involving cooperation between Europol and Frontex where an overloaded boat carrying 250 illegal migrants sank off Corfu after leaving Greece for Italy. One key Turkish facilitator was identified together with a Syrian national based in Greece. As a result of intelligence being passed to Europol, links were then established with a criminal network based in Germany. This is currently under investigation.
• Plans are in the pipe-line for Europol mobile office teams (i.e. the provision of Europol analysts and laptops for direct access to Europol system capabilities) to be assigned to Frontex Joint Operations in the future, thereby enabling access to Europol’s information system on the spot.
150 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office
• Strategic intelligence which Frontex routinely passes to Europol can enhance/inspire their tactical intelligence products which go on to lead to the targeting of criminal networks. In addition, Frontex and Europol produce various joint intelligence products which help to inform the wider situational picture related to illegal migration flows, cross-border crime etc.
• Frontex cooperation with CEPOL, the European Police College, in the field of training serves as an important tool in promoting effective action against cross- border crime as well as respecting human rights. Frontex has frequently contributed to CEPOL seminars and training, for example the CEPOL study tour for the Frontex training project on trafficking in human beings. CEPOL and Frontex Heads of Agencies regularly consult on cooperation issues. Eurojust and Europol participated in the last CEPOL Annual Programme Committee in September 2010, and CEPOL and Frontex have exchanged best practice in the field of media monitoring.
• The Frontex presence at the external borders has led to an improvement in the use of tactical information/intelligence identified during its coordinated joint operations, encouraging, where appropriate, the hosting Member State to forward information to Europol.
• Europol and Frontex have continued their mutual contribution to each other’s products, such as the Europol Illegal Immigration Bulletin and the Frontex Tailored Risk Assessment.
• Eurojust and Frontex are planning to sign a cooperation instrument at the beginning of 2011.
• Following an informal meeting of EU Justice / Interior Ministers in October 2009 it was agreed that Europol, Frontex, Eurojust and Cepol would explore improved inter-agency cooperation. The agencies have already identified some key achievements, including:
• A staff exchange programme, starting in 2011, between Eurojust and Europol.
• Establishment of Europol and Frontex contact points in various areas for operational cooperation.
• Alignment of CEPOL’s training activities to Europol’s OCTA findings.
• Finalisation of CEPOL’s e-learning tool on Europol.
• Increased involvement by Eurojust in CEPOL training courses. Both Agencies are jointly developing a common curriculum on Eurojust.
• Implementation of the EU Policy Cycle by the Agencies, with a leading role by Europol.
• Participation by all Agencies in the exhibition at the European Parliament “EU Agencies – The Way Ahead” from 31 January to 4 February 2011.
151 Mr Peter Storr, C.B., Home Office; Mr Christophe Prince, UKRep; Dr Simon Strickland, Cabinet Office
• The Agencies have developed a scorecard on agreed actions which seeks to improve cooperation in a number of areas, including improved cooperation between Eurojust and Europol concerning the joint promotion of Joint Investigation Teams, and Eurojust’s association with Analysis Work Files, where practicable.
Police Cooperation Working Group
• The introduction of COSI was accompanied by a review of the JHA working structures, designed to address the consequences of the entry into force of the Lisbon Treaty and introduce more efficiency in the work of the Council. Following the review the Police Cooperation Working Group, referred to at page 19 of the transcript of Home Office evidence, ceased to exist from 1 July 2010, and was succeeded by the Law Enforcement Working Party (LEWP), which merged the responsibilities of the Police Cooperation Working Group and the Europol Working Party. The LEWP deals with general issues of police cooperation and law enforcement.
15 February 2011
152 Neil Thompson and Dr Steve Marsh, Cabinet Office
Neil Thompson and Dr Steve Marsh, Cabinet Office Oral evidence, 2 February 2011, Q 267-317
Evidence session no 8 : heard in public
Members present
Avebury, L Dear, L Eccles of Moulton, B Hannay of Chiswick, L (Chairman) Hodgson of Astley Abbotts, L Judd, L Mackenzie of Framwellgate, L Mawson, L Tomlinson, L Tope, L ______Examination of witnesses
Neil Thompson and Dr Steve Marsh, Office of Cyber Security and Information Assurance, Cabinet Office
Q267 The Chairman: Good morning, and welcome to Mr Thompson and Dr Marsh. I seem to remember at least one of you has given evidence when I was in this Sub-Committee before, but wasn’t yet the Chair. Just to remind you, as we agreed in advance, although evidence sessions are usually open to the public and webcast, as you know we have agreed to make an exception in your case, and so this is a private meeting and it will not be webcast or broadcast. However, a verbatim transcript will as usual be taken of your evidence. This will be put on the parliamentary website and, a few days after this session, you will be sent a copy of the transcript to check it for accuracy. We would be grateful if you could advise us of any corrections as quickly as possible. If after this evidence session you wish to clarify or amplify any points made during your evidence, or have any additional points to make, you would be very welcome to submit supplementary evidence to us. Thereafter, your corrected evidence will be published in due course, with our report, which we anticipate emerging some time in May. We will make full use of it, as we do with the evidence of other witnesses. The fact that we are in private session will only have that very limited impact, which you particularly asked us to respect and which we are respecting.
Perhaps you could introduce yourselves for the record. It would be very helpful for members of the Committee if you could, in doing so, explain a little bit what your main functions are at the Cabinet Office, because I am not sure we all of us totally understand the 153 Neil Thompson and Dr Steve Marsh, Cabinet Office structure for handling this increasingly important issue at the Cabinet Office. As much as you can say, it would be helpful if you could say that then. If you wanted to make opening remarks, then perhaps after you have each introduced yourself, you could do that. Alternatively, we can go into questions—as you wish. Neil Thompson: Thank you very much. I am Neil Thompson, Director of the Office of Cyber Security and Information Assurance in the Cabinet Office. If I may, I will let Steve introduce himself and then I will come back to talk about how we fit together. Dr Steve Marsh: Thank you. Good morning. My name is Steve Marsh. I work for Neil in the Office of Cyber Security and Information Assurance. I particularly look at the technical aspects and broad consultancy inside the organisation. Neil Thompson: As you know, we are based in the Cabinet Office and I am part of the National Security Secretariat, reporting through Oliver Robbins, who is the Deputy National Security Adviser, to Sir Peter Ricketts, but my responsible Minister is the Security Minister in the Home Office, Baroness Neville-Jones. It is to her that my team provides support and we report to. I lead a sort of merged policy team. On the one hand, we were created under the last Government to look after cyber security issues, but we have now merged with Information Assurance, so we are a combined Cabinet Office-based policy team. We represent and comprise people from across Departments and agencies, who have all been brought together to work on this topic at a national level. My responsibilities I would describe in the following ways: firstly, to support the Minister in her role as the UK Cyber Security Minister, a job she was given by the Prime Minister; secondly, to provide policy and coordination across Government as we deal with the challenge of cyber security; and thirdly, my team is there supporting and ensuring the smooth running of governance around the additional investment that has been made in cyber security on the back of the Strategic Defence and Security Review. In that respect, we are running it as a cross-government programme of work, which we have called the National Cyber Security Programme. The support to the governance of that rests in my team.
Q268 The Chairman: Thank you. Could you just, if it is not too sensitive, give a rough idea of the number of people in your team? Neil Thompson: Yes. We have currently working in the team 28 people from across the Cabinet Office and also from Departments such as BIS, the Home Office, Ministry of Defence, law enforcement and a number of the agencies as well.
Q269 Lord Hodgson of Astley Abbotts: Again if it is not too sensitive, could you tell us whether you have experience in the technical field of information technology? Neil Thompson: No, I am not a specialist in information technology. I see my role as standing up cross-departmental arrangements, making sure that they work. There are people in my team, like Steve, who do understand the technical issues, but my own view about the nature of this problem is that the more we define it through technology, the less able we are to wrestle with the dilemma that it gives us. What we need is a broader national business change programme, of which technology needs to be a major part, but it is not the only part.
Q270 The Chairman: Does anyone else want to take up any points on the structure of the Cabinet Office? I think that was very helpful. Right, well then do you have any opening statement you would like to make?
154 Neil Thompson and Dr Steve Marsh, Cabinet Office
Neil Thompson: I do not think so. As the Minister will have said when she responded to your last report on this topic, we are in the foundations of doing better cyber security, so I see this very much as work in progress. As we talk about the issues, I want to be honest with you about where we are strong and where we need to improve. The first thing that I would say, just by way of general introduction, is we are not starting from first base here. There is, as you know because your Committee has taken evidence on this, a good track record of cyber security effort across UK Government and, indeed, in the private sector. The challenge is now, given the scale, pace and complexity of the cyber security challenge, how we harness that all together across government, which is very definitely now happening, and secondly how we connect it with the private sector, which is very much work in progress, with events happening shortly. Thirdly, how do we then connect all of what we are doing nationally with the international dimension? It is that growing awareness in other states and institutions that cyber security is a major challenge; we need to ensure that we completely recognise this is not entirely a national responsibility.
Q271 The Chairman: Thank you; that is a very helpful introduction. Perhaps I could now move into the first question, which is: can and should the European Union play an active role in enhancing cyber security? By that incidentally, I would hope that, in the whole of the day’s session, we would not make too clear a distinction between cyber security and cyber crime. I think one can get very tangled up in that and it is not necessary. When I say here “in enhancing cyber security”, I mean including defence against cyber crime. How should the EU’s role be developed in future? Is the EU attaching an appropriate degree of urgency and importance to the issue? Neil Thompson: The first thing to say is, as I just mentioned, a lot of international institutions are now waking up to this issue, or indeed many of them have been active in this space already, and the EU is part of that. The EU does have a role to play and we welcome what is going on there. As we all grapple nationally with the challenges of implementing better cyber security, we become acutely aware that our national capacity is less than it should be. Getting the balance right between what we should do at an international level versus what we need to do domestically is one of the key challenges that all states have. Anything the EU does in this space to raise awareness of the issues around cyber security is welcome. What we are not looking for are additional structures; we need to make existing structures work better, because we do not need, I think, new structures. We need to ensure we get the value out of structures that are already in place.
Q272 The Chairman: Just following that up, you of course read the Commission’s five-point action plan, which is what this Committee is writing a report on. Do you think that, broadly, in this area of cyber security and cyber crime, the Commission has got that balance you describe about right or not? Neil Thompson: I think the devil is in the detail.
The Chairman: We will come on to all that but, broadly, do you think the communication shows a sensible approach or not? Neil Thompson: Yes, I think it does.
The Chairman: Good.
155 Neil Thompson and Dr Steve Marsh, Cabinet Office
Q273 Lord Dear: In a sense, I wanted to follow that up in a bit more detail and look at this balance between what you might call the hard end and the soft end of tackling cyber crime. The hard end would be the law enforcement side and all that goes with that, and the softer end would be raising awareness, influencing behaviour and so on. I wonder if you could go into some more detail on whether you think that balance is right, because clearly one needs both approaches, but they can be skewed. My question really is: are they skewed and, if so, how can we bring them back? Neil Thompson: Arresting and prosecuting people who carry out cyber crime has got to be one of the things that we see as an outcome. We do not do enough of it. There is insufficient deterrent in place to help contain and suppress the growing volumes of cyber crime that exist.
Lord Dear: I missed that. Did you say there is not a sufficient deterrent? Neil Thompson: No, I do not think there is from a law enforcement perspective. That is speaking nationally and internationally. Indeed, that is one of the challenges of this particular problem: the anonymity that cyberspace will give criminals, and the fact that it is very easy to conduct crime in this space of all sorts. That is one of the reasons that this is a growing problem that we are all, nationally and internationally, waking up to. We have to get the balance right between policy responses that reduce the impact and harm of cyber crime in the round, at the same time as building up your law enforcement, judicial and legal capacity to deal with criminals when they are detected. I am pretty clear, and I think most people who look at this problem are, that you could not prosecute your way out of this problem. You have to find ways of engaging states where this type of activity is emanating. You want them to raise their cyber security standards. You have got to get upstream of the problem. You have got to cope with the very agile pace in which cyber crime is now operating, and its truly global and industrialised scale. There has to be a law enforcement direction. That certainly should not be all of it, but there needs to be a balance.
Q274 Lord Dear: A very trite example, but it goes to prove the point, is that years ago motor vehicles were stolen off the streets of this country repetitively, in very large numbers. In the end, with pressure on the motor manufacturers, they—the term was—hardened the target. It has become now very difficult to steal them and that level of crime has gone right down. I suppose the analogy you are saying is, if you harden the target of cyber crime sufficiently, you can actually make it very difficult for this crime to take place. Neil Thompson: You certainly can. You can reduce—you know the 80/20 rule. If you have good information assurance in place, you will deal with most of the low level and volume end of cyber crime activity, hopefully then allocating more resource at the top end to deal with the stuff that you won’t get with the good information assurance.
Q275 Lord Dear: If I might have one very short supplementary, is enough being done to harden the target? Neil Thompson: The short answer is no. Certainly that is part of one of the benefits we want to deliver as a result of the National Cyber Security Programme here: harden the UK as a target for e-crime. This is where he EU can be helpful in raising awareness across Member States and also on the public awareness side. At the forefront of this are the citizen and business, and they need to understand more clearly than they do now the sorts of risks they are running as they operate in, and gain enormous benefit from, cyberspace. Actually 156 Neil Thompson and Dr Steve Marsh, Cabinet Office there comes a price with it, which is increasing volumes of crime and other bad state activity.
Q276 Lord Hodgson of Astley Abbotts: On the issue of awareness, there is anecdotal evidence, particularly in the financial services area, that a lot of crime is not actually reported, because there is a reputational risk that the firm’s security system is not good enough and there is a regulatory risk that the regulator will pursue you. Do you think we get enough visibility of the true picture of what is happening or do you think it is like the iceberg; most is beneath the surface? Neil Thompson: That is precisely the description I would give it; it is an iceberg of an issue. I think you have identified some of the reasons why people do not share instances where they have been a victim of crime or some form of malicious activity.
Q277 Lord Hodgson of Astley Abbotts: What can we do about that? Neil Thompson: I think it is about building trust with the private sector in a partnership arrangement. Regulation may be part of it, but you want the behavioural change from the private sector as well. In some ways, regulation drives you to a certain standard. The sort of effect I think we need to make is making people care about this issue like they do health and safety, which has a component of: we absolutely need to do this, but we absolutely need to do this because it is good for our business as well. That is one of the things. It needs to be elevated to a business-level, board-level risk. Dr Steve Marsh: If I could just add to that, in some cases also organisations are not aware that they are being attacked. It is one thing if it is a direct financial loss, because then presumably it will show up on the balance sheet somewhere, but the less tangible assets, the information assets, awareness of bids that they are putting in, pricing information, customer lists and so on, they may not know that that information is being stolen until a long way down the track. It is not like a tangible item where they can see it; it is not there any more. Again, part of the awareness raising is getting organisations to look more closely at their information systems and really try harder to see whether there is something going on and something going missing from their companies.
Q278 Baroness Eccles of Moulton: Mr Thompson, we would be very interested to hear your views about a proposal in the Internal Security Strategy, which I am sure you are aware of, which is the establishment of a cyber crime centre, possibly within Europol, through which Member States and EU institutions can build the operational and analytical capacity to carry out investigations. Then I have got a string of questions like: what should be its role? Is Europol the right place? Does it have the resources, skills and capabilities or how should it build them? How should it work within the ENISA—which of course is based in Heraklion—and with national intelligence and defence agencies involved in cyber security? That is all a bit of a mouthful, but we would be very interested to know what your views are about this proposal. Neil Thompson: Thanks very much, and I would appreciate it, if I do not cover your ground, if you would chase me for an answer. The first thing to say is Europol would be the place to build additional capacity at an EU level. I do not think there is a good case for new structures. We all have to recognise that, as we attempt to describe the problem as a sort of global problem, and then we move it to an international organisation to help fix it, we are ignoring the fact that our own national capacity is weak. Indeed, if you want to be able to implement some of this stuff from an EU level down to Member States’ level, actually your
157 Neil Thompson and Dr Steve Marsh, Cabinet Office best course of action is to build the capacity of all the individual Member States, at least to some level, with an overlay of additional capacity at the EU level. It is welcome but, as I test this issue here domestically, we realise that our own national capacity is very weak. I think it would be quite a challenge for Europol to build this. As I described the issue of the private sector being at the centre of this, the different ways that government and the private sector work across the EU will be quite a challenge to manage. It is welcome that they are at the heart of this; I think they need to look at the strategic picture. Certainly the thing that we would all benefit from is that better overarching picture of what is going on in cyberspace. A repository of national data aggregated into a composite picture of what is going on would be a helpful first step. Certainly as we look at this issue, our own capacity is weak and we are looked to as one of the stronger European countries in this area. The idea that you could create an agency that will fix this problem or give it additional responsibilities I do not think is quite aligned to the reality of where we are now.
Q279 The Chairman: If I have understood it rightly, you are saying this is not an either/or; it is a both/and question really. Certainly establishing Europol with a cyber crime capability would not solve the problem because, as you say, there are lots of Member States that have very weak structures. Even our own as one of the stronger Member States is not that far up the curve. It is a both/and and, if one has to look within the European structure, Europol in your view is the better place to look than anywhere else, given the idea of a freestanding cyber crime unit seems to be one that you do not think would make much sense. Neil Thompson: No, I do not think it would make much sense. Europol already has responsibilities in this area. I think it would make more sense to build from those rather than creating a new structure. I think it is about what our response to this issue is, and not seen entirely through the prism of law enforcement. It has to be about, as we talked about before, the hardening of the target and to ensure that our relationship is better with the private sector and joined up internationally. To define it entirely through the prism of law enforcement is not the right approach, and indeed that reflects the approach that the UK has taken in bringing together the whole of Government and then reaching out both internationally and to the private sector in order to deliver the improvement.
Q280 Lord Tomlinson: Mr Thompson, if I can come back on this, you are leaving me slightly confused. I wrote down something you said a little bit earlier, where you described the EU role as increasing consciousness. You seem to be saying something more than that in an operational sense. I really want to know exactly where you draw those parameters. What should the EU be doing operationally, if anything? How far should their role be limited to increasing consciousness, which you spoke about earlier? Neil Thompson: Clearly with a problem as international as it is, there would be a role for an institution like Europol to help coordinate complex law enforcement investigations across international boundaries. That would be a helpful addition to what we are doing now.
Lord Tomlinson: Only to help coordinate? Neil Thompson: Yes. Sorry if I was not clear. I think the real need is about building national Member State capacity and not about creating institutions where somebody thinks it is their problem to fix it, because the problem is very granular and needs to be tackled on a national and an international basis. The weakness in the construct is around Member State
158 Neil Thompson and Dr Steve Marsh, Cabinet Office capacity, and that is a challenge for some smaller countries, which believe, I would imagine, that this is the sort of thing that the EU could pick up nationally, but it won’t fix the problem.
The Chairman: That is very clear, I think, and we will come on to some of it, the national part of it, because we take that point very well, when we talk about CERTs further on. Neil Thompson: Could I just respond to Lord Tomlinson’s point about the awareness piece? I think the awareness piece is a very good place to start. There are other EU initiatives about raising awareness, and I think that is one of the areas that the EU could champion well on a cross-European basis.
Q281 Lord Mackenzie of Framwellgate: Good morning, gentlemen. The Internal Security Strategy emphasises the importance of common standards, and we have touched on this already, amongst the various countries dealing with cyber crime—including cooperation between the police, judges, prosecutors and forensic investigators. We have seen examples of the problems this causes in the application of the arrest warrant, where different standards of justice apply in different members of the EU. How significant are the current divergences between the Member States in terms of practice and standards, and what do you think the EU can do to improve the situation? Neil Thompson: I would not describe myself in any way as an expert on how the EU does this, either at the EU level or indeed at Member State level. I can only really speak about what we are trying to do here through the National Cyber Security Programme: improve UK law enforcement capacity; improve the reporting of e-crime; make sure that our law, working with the CPS, gives us the ability to prosecute people who the police detect are conducting malicious activity here; and thirdly, that our courts have the capacity to deal with these cases when they get there. That is very much the approach that other Member States are taking. Certainly the support that we can give at a policy level to support the work of organisations like SOCA, which are working across international boundaries, is where we need to be. I would not have any particular knowledge of how individual Member States deal with this issue from a crime point of view, but this is what we want to do here, because everyone recognises that our law enforcement capacity here is weaker than it should be and needs to be strengthened.
Q282 Lord Mackenzie of Framwellgate: I understand that. I understand that target hardening in each state argument. We have seen the importance of good intelligence, of course, in relation to ordinary crime in terms of terrorism. Have you any examples or could you comment on whether there is a good exchange of intelligence in the field of cyber crime, because it is a very specialist area, or is it simply a matter of preventing in your own bailiwick, as it were? Neil Thompson: I think colleagues from the law enforcement side could speak more about this. I think there is good cooperation going on, on practical day-to-day tactical investigations. What we need to ensure from a national perspective is we have the right Government posture around this. We need to support law enforcement efforts, get the right policy response in place, ensure that our Ministers are discussing these issues, bilaterally, multilaterally and at the EU level, to ensure we have got the right framework so that law enforcement can do its job better. Therefore, they can be assured that the information sharing is going on.
159 Neil Thompson and Dr Steve Marsh, Cabinet Office
For me, it is about getting our posture right and then aligning our posture alongside the work of counterparts that I am seeing standing up in other European countries, who are trying to develop their own response to this challenge as well. As we all grapple with it, increasingly the international institutions are wanting to assert their interest in it as well, which is welcome. We need to talk about this issue more. That is why this Committee hearing is welcome in itself. Getting the balance right from where we are now to where we need to be, we need to take smaller steps.
Q283 The Chairman: And as you have emphasised, build up the capacity of the individual Member States every bit as much. Are we in any way bilaterally helping other Member States do this or is it all run through discussions in Brussels and so on? Neil Thompson: There are relationships run by GCHQ, and between CPNI’s critical infrastructure, CERT, and European counterparts. We need to do more in that space. There is always a challenge as to how you allocate scarce capacity. It would not be wrong to say that capacity is nowhere near what we need to meet the demand. Working in international fora is more the area where you can share best practice and experience, and help raise the standards of others. Of course, we are not the only significant European player in this area. Germany, France and some of the other larger European countries, indeed some of the smaller ones like Estonia, are very active in this space, and are encouraging much more information sharing at Member State level but also at EU level.
Q284 The Chairman: When we hear about the Government’s intention to spend £650 million over the next five years on strengthening cyber security, will some of that go into increasing your capacity to work with individual Member States and get them improved? Neil Thompson: We will increase our capacity in the UK. That is one of the things that we absolutely need to do. As a result of that, we will be able to put more effort into working on a broader European agenda. That is one of the things I think we absolutely need to do as a country, but we have not specifically allocated resources for capacity-building. What we have done is ensured that, where we believe there are critical capabilities the UK needs to invest in, we are investing in those and investing in policy capacity elsewhere to make sure that the issue becomes mainstreamed. It is too stove-piped and siloed as it is; it needs to be mainstreamed so that it is seen as a more general risk, so more general outreach to business can be aligned to national cyber security objectives. It is that sort of approach—much more cross-cutting. Dr Steve Marsh: It is not just European either. This is an international problem. By putting capacity into the law enforcement side of things, that should encourage and enable them to do more international and European collaboration on some of these cyber crimes.
Q285 Lord Dear: Given what you have both said to date, my next question really is only an invitation to tuck in one or two loose ends. As we all know, the Strategy encourages Member States to develop cyber crime awareness, training, centres of excellence and so on, dealing with all the obvious players—Eurojust, CEPOL, Europol and so on. I wondered whether you could wrap this up for us and indicate whether, in your view, the EU should be doing more to develop all that awareness and make life more difficult for criminals who are exploiting it at the moment. I know you have covered this in generality, but some specifics would help us in this respect. Neil Thompson: If the EU were to get behind an EU-wide public awareness campaign, that would be an excellent way of applying EU resource to dealing with a problem that most
160 Neil Thompson and Dr Steve Marsh, Cabinet Office people do not realise that we have. That is one of the early start points of starting to tackle this problem: making people aware of the risks they are running. I do not mean in a sort of alarmist way, but just to start focusing on the fact that the vulnerability of the networks on which their business is running, they need to take more interest in. Secondly, information is being monetised and that is a fantastic lure for organised criminals and others to pile into this space, because they go where the money is.
Q286 Lord Dear: Platforms like Facebook are wide open. Unless you cover your tracks, I am told, very, very carefully indeed, you are immediately open to all sorts of exploitation. That is at one end, the bottom end of the scale. The same would apply for businesses as well. Neil Thompson: Yes. At the higher end of activity on the state side, the theft of highly commercially sensitive material and intellectual property, companies need to know what they value and secure it accordingly. There is not much point in developing a product if details of the product are going to be stolen off a server and then copied. That does not strike me as being a really effective business model. There is a whole cost of not just crime in those terms but also the theft of commercially sensitive material, price-sensitive material, and IPR material as well.
Q287 Lord Dear: Do you think the recent publicity around WikiLeaks has heightened public awareness of the overall problem? Neil Thompson: I think it has. People are now aware of how much information is potentially extractable from systems and can be taken away relatively easily, which highlights the other end of the problem. As we think about it as a networked issue, we also need to bear in mind that, at the end of it, there are human beings, so our response needs to be genuinely holistic, taking into account personnel security issues. Who has got access to your system? Who can access it and how easy is it for them to download material from it? The response needs to be genuinely holistic, but you also need to recognise, in a networked world, people enter your systems and steal things very easily.
Q288 Lord Tope: This may follow on from the public awareness campaign you have just been referring to. How do you think the EU should encourage the greater involvement of the private sector and academia, and leverage their capabilities to make cyberspace safer for citizens, businesses and government, and generally? Dr Steve Marsh: The EU here could very easily benefit from following the sort of strategy we are adopting in the UK and try to engage more with the private sector to raise the awareness of the issues there, but also with academia to develop both more enhanced technical countermeasures, if you like, but also understanding the human and behavioural aspects as well. It is really making sure that the private sector and academia, to some extent, are involved in co-designing the sorts of policies that Member States and more broadly Europe should be adopting. This is not an issue where Government has all the answers, the private sector has all the answers or academia has all the answers. Really, we need to develop new ways of addressing what are really quite complicated problems here. There has been a range of activity in the EU through their Framework programmes over the last few years. That is still continuing; that is a good source of research from private sector and academia getting together in collaboration, but we do need to do more of that generally. There are, as I say, some very deep problems that we do not have good answers to yet, and this is something
161 Neil Thompson and Dr Steve Marsh, Cabinet Office that does require collaboration and partnership to come up with new and innovative solutions, just in the same way that the criminals are coming up with innovative ways to attack these systems.
Q289 Lord Tope: How would the EU do this? As distinct from each of the Member States tackling it, what is the role of the EU as such in achieving this? Dr Steve Marsh: Some of these aspects, particularly on the academic side, are not going to be specific to Member States in the same way that perhaps the legal systems will be specific to Member States. Bringing in the consortia of academics and industry partners there is something that the EU has done in the past and can continue to do very helpfully, because that then does develop potential solutions, which are applicable across several Member States and not just unique to a particular country.
Q290 The Chairman: Is what you are suggesting a way that the EU’s 8th Framework Research programme, which is under negotiation at the moment, ought to be giving more space to this area of research and that that would be valuable? Dr Steve Marsh: Yes, I believe it should. Yes, that is right.
The Chairman: If the answer is yes, is the British Government pushing for that? Dr Steve Marsh: Yes, we are, in discussion with the people who are designing that programme at the moment. I am making that point to them.
Q291 Lord Mawson: I am just wondering a bit “why academics?” really. My experience of the entrepreneurial world is often academics and universities are pretty irrelevant really to a lot of this environment, because it is young entrepreneurs who are doing this stuff. My son’s just created an app with a person in India who he has never met, just online quite quickly. How do you make sure that those people who are really running this new environment are part of this, not people writing theories about it, because writing theories about it and doing it are quite different matters? Dr Steve Marsh: That is where the consortia approach is quite helpful, and it is something again that we have done in the UK through the Technology Strategy Board, where you bring together the academics who, as you say, are quite often focused quite far out, with the industry and private sector, which often has products on the shelf but they are trying to push them a little bit further forward, to say, “How can we take this product, take the research side of things, and produce a step change around this product?” It does need both. The entrepreneurs clearly have a very big input to make, but we should not be excluding the academic side of things as well. I am not talking so much, I guess, about the technology, but about some of the softer aspects, the human behavioural aspects, the social side of things, the economic models that underpin both the criminal market and the private sector response. There is quite a lot that can be done there to get a greater understanding of the way these markets are working and what is driving both the criminal behaviour and the private sector response to those attacks.
Q292 Lord Mawson: Partly what we have seen in Silicon Valley over recent years is about creating a culture, and a group of people, many of them quite young, coming together in a certain culture and climate, that begins to change the nature of the world and a whole range of communication in all sorts of ways. In a decade, it is sort of amazing. I used to have a secretary 12 years ago. It is a very different world. If that is true, we have used the 162 Neil Thompson and Dr Steve Marsh, Cabinet Office term helping countries become aware—I think that is really important—but how do we help them become aware of this new emerging culture, which fundamentally challenges some of this discussion? This feels in many ways like a discussion about an old culture rather than this new culture. How does this interface really help countries prepare for what this now means? Neil Thompson: You have put your finger on one of the profound challenges that we face: the speed at which innovation is happening, where it is happening and the impact of social networking technology on the young. This is a profound change to how society operates. That policy lag is clear; we need to develop a mechanism for being able to respond. Your challenge about how you connect with the entrepreneurial end of this, that is the engine of that but, at the end of it, if you are buying and selling your app, you need to be able to do so without your revenue stream being lost, your work being corrupted by somebody else or indeed all of the other things that can happen in an environment that is largely unregulated, because that is the nature of it. As we drive commerce, innovation and hopefully growth, through more reliance on cyberspace, we need to adjust our national and international postures to make sure that we can deal with the challenge that you have described. I do not have any easy answers for them; we are making a good start in getting that going from a governmental point of view, but there is that sort of national awareness that needs to be done about the nature of the world we are living in now. The way it is going, if you track the nature of IP numbers, there will be more items connected to the internet than people alive on the planet very soon. That is just going to get more and more as your fridge becomes connected to the internet, for example.
Q293 Lord Judd: There have been references to behavioural dimensions to all this and cultural dimensions. While I do not differ at all from my colleague Lord Mawson on his point that you must have people who are doing it at the centre, it is not quite either/or is it? Simply because of these kinds of dimensions, to have some really good first-rate social scientists working with you in the academic community is all the more important. Neil Thompson: I agree with that, because I think some of the things about awareness are how you develop an awareness campaign that genuinely connects with people who may not care about their personal standard of privacy, the amount of information that they will share or why they would click on that particular link, which takes them to a site that they really should not go to. That is where social science can be really helpful in targeting messages and the channels that you use, in order to get the message across to the people who are actually at most risk from doing it.
Q294 Lord Dear: In a sense, people have their own future in their own hands and, if they are—to use the words rather callously—stupid enough not to take precautions, then whatever happens is their own misfortune. I am sensitive to that and not entirely callous to it, but I am more concerned really by the governmental, institutional end of it, where institutions or governments take enormously bold steps to try to protect themselves and still get hacked. I wonder if that is where we ought to be concentrating our efforts, because the damage to society is marginal at the bottom end, although it can be aggregated out, I know, but can be catastrophic at the top end. Estonia would have been one example, a few years ago. Dr Steve Marsh: From my point of view, clearly there are problems all across the spectrum. When we are looking at Government systems, as time goes on, it is harder and harder to divorce the Government system from the rest of society. In particular, Government had the 163 Neil Thompson and Dr Steve Marsh, Cabinet Office long programme of trying to put services online, both to make them more accessible but also to reduce the administrative burden; then, of necessity, the system includes the citizen or the business at the far end of the link as well as the Government system. What we cannot do is say, “Right, we are going to build strong barriers around the Government bit of the system and then allow our customers or the citizens accessing those services to fight it out with the criminals.” We need to think quite holistically about how the system as a whole is designed to protect society as a whole.
Q295 Lord Dear: If you have to start somewhere, I would have thought you would have protected things like the power infrastructure, the energy infrastructure, of the country. Take that down and all the lights go off and everything stops. That is one example at the macro end. If you have to start somewhere, I would have thought, correct me if I am wrong, you would start at the macro end and come down to the micro, rather than try to deal with them both together. Dr Steve Marsh: Again, I would say it is not an either/or. I do not think we have the luxury of just saying we are going to do the high end, but obviously we are doing—
Lord Dear: There have to be priorities. Dr Steve Marsh: Yes, indeed. The Centre for the Protection of National Infrastructure has been working with critical infrastructure providers for many years precisely because of that. As value goes online from other services, it becomes harder to determine what is critical and what is not in infrastructure. The range of organisations we have to take within that broad spectrum increases as well, and it really just shows that it is a big problem and it is a growing problem still.
Lord Mawson: I think this is part of the key question about how one does this. My experience of this new environment in a sense is that it is not about starting with the macro actually; it is all about the micro. It is about finding really good practice in the micro that works and beginning to back success and grow it. It is not about some people in a room working out a policy and a strategy, because that is not how this modern culture works. What we can see in this modern culture is how quickly those very small things can become global through this infrastructure.
Part of the mindset shift, I would suggest, is about identifying really excellent and encouraging micro developments. That is how the internet happened, of course: two people in a garage began it. Actually, I have met them both; they are really interesting. It began in a garage, and they understood some fundamental problems with technology that they solved, which then went global. I would have thought it is about finding those micro pieces of the jigsaw and growing those sorts of cultures, and the macro cultures responding to that. It is about the relationship between the micro and the macro. The old culture is about starting with the macro; the new culture is about starting with the micro and that inter-relationship.
Q296 Lord Hodgson of Astley Abbotts: Quite a bit of my question I think we have covered already. The strategy envisages well functioning CERTs being established in each nation quite quickly, then networking and the sharing of alerts and information by 2013. It would be helpful if you could give us a present state of the nation assessment on national CERTs—you have obviously referred to Estonia—and whether having up and running 164 Neil Thompson and Dr Steve Marsh, Cabinet Office
CERTs in each nation on that timetable is a realistic possibility. Secondly, we have said as a country we are not going to have a national CERT; we are going to have a series of CERTs. Will that make the task more difficult? What are other countries doing? What are France and Germany doing? Do they have national CERTs? Are we going to be the odd man out or are we in line with everyone else’s strategy? Neil Thompson: Just picking up your last point, France has a highly regulated environment, so it has a much closer relationship between the state and the private sector. Whereas we do it on a voluntary basis, building trust with the people, particularly on the private sector side, and then working separately across Government, I think France has a slightly different model, and I think Germany, a different model. That is one of the challenges, because everyone’s relationships domestically evolve in a different way. As we try to harmonise this work, just stepping back to make a sort of macro point, that is one of the things: the slightly different ways our national policy structures are evolving and the unevenness. We are all a reflection of the national picture, which is quite different. On the CERTs side, whether we need a national CERT or not, I think we certainly need those mechanisms to enable information to be shared. One of the things we are going to deliver more than anything else through the national cyber programme is that improved situational awareness. The CERTs will be one of the vehicles for doing that; there will be others. Certainly I think this is one of the areas where the EU can help build capacity, by getting more countries to adopt this model of CERTs and implement that within the timescale that they have set out.
Q297 Lord Hodgson of Astley Abbotts: Could I just ask quickly, you have mentioned France; what is happening in Germany initially? Neil Thompson: I would need to come back to you, Lord Hodgson, on that. I got a very quick massive PowerPoint overload presentation on structures, but it seems to be, from the German context, very focused on protecting government systems. I did not see the reach-out to the private sector, which I think is very much the approach that we want to be doing. My job at the moment is marshalling what Government is doing, and I think we have made good progress over the year or so in doing that. The next challenge is tying it up with the private sector, which is the next step to deliver those and help build the improvements we know we need to make.
The Chairman: I was going to say it would be very helpful if you were able to let us have a little note on what we know about the two big equivalents to ourselves—France and Germany. That would help the inquiry quite a bit, just to have that as a background.
Q298 Lord Tomlinson: I am conscious, perhaps to an excessive degree, of the emphasis you have been placing on limiting the EU role to awareness raising. Against that background, do you believe that the internal strategy will, in practice, do anything to protect the EU against cyber attacks like the one that two weeks ago stole millions of euros’ worth of greenhouse gas emission permits and temporarily closed down the Emissions Trading Scheme? If not, what do you think the EU ought to do, and how should they do it, to protect the common areas of action that they are responsible for from cyber attack—such other things besides the Emissions Trading Scheme as the External Action Service, Common Foreign and Security Policy or even areas of the budget itself?
165 Neil Thompson and Dr Steve Marsh, Cabinet Office
Neil Thompson: I cannot comment on the specifics of the particular incident on the European Union Emissions Trading Scheme, but certainly I believe that the lax security standards, not even applying basic standards of security, were at fault. That just illustrates that, if you put in some of the fundamentals, you are going to deal with some of the problem—in fact quite a lot of the problem. Getting people on the same page gets people’s awareness up. In part, it is an awareness-raising programme for the EU as an institution itself. It operates on networks, which similarly are subject to cyber attack as well. On the specific points you make, I know if the EU were able to reduce the number of portals it has, that would certainly help to eliminate some of the weaknesses in the system. Our side of the Channel is seen as one of the more secure areas, but what is needed is everybody to lift their basic information assurance, and clearly that is not happening, as the evidence from the attack on the Emissions Trading Scheme demonstrates. This is basic computer hygiene. Without serious accountability and people owning this as a risk, you are not going to have improvements. Almost creating structures in order to fix the problem is just going to displace the problem somewhere else. People have responsibilities when they put systems online or an interface with the public or an emissions trading scheme. They need to ensure that it meets appropriate levels of security as it operates in cyberspace because, as we have identified, criminals will go where the money is.
Q299 The Chairman: Presumably both Europol and ENISA, if they had a somewhat greater scope for acting in this field, would be able to help European institutions in this way, which they seem to need. It is a phenomenon that I have certainly come across myself in other areas, that big international institutions somehow seem to think they are immune from these kinds of attacks, until somebody blows up the UN headquarters in Baghdad or whatever it is. They are not immune from it as that has shown. Having within the European system some capacity to help educate people and to help increase awareness is probably presumably quite useful. Neil Thompson: Yes. I enjoyed your point about institutions believing they are immune, because they are absolutely not. I was in NATO last week, which is equally now focused on the security of NATO systems and what the role is for NATO in cyber security going forward. Just as a re-cross, because I know you are aware of the interface at that level, the importance of the UK’s position backed by the United States is that we need to ensure that we put more effort into defending NATO’s own networks. That is where you start. You start by knowing what you have got and what security is in place, and making sure that it meets appropriate standards of security.
Q300 Lord Hodgson of Astley Abbotts: The Chairman may have shot my fox, he has certainly wounded it. This is a serious matter. The Trading Scheme is in its infancy so the numbers are quite small. Give it a few years and it could be really big numbers. What do you expect is now going on? Who is saying this is potentially catastrophic? Who is responsible for following that up—Europol, ENISA, Scotland Yard? Neil Thompson: I apologise for not knowing the specific detail about this—there is no particular reason why I should—but I imagine the point is whoever has responsibility in the EU for the Emissions Trading Scheme site needs to see how that operates as part of its corporate risk, in the way that any other institution dealing with any significant interface, certainly with a financial component but also between the state and the public, needs to accept that this is the world we are now living in. It is ensuring that it does not become the responsibility of the IT security department, which is how this is managed—the IT security department will fix it. No, because you need that rounded programme of ensuring not just 166 Neil Thompson and Dr Steve Marsh, Cabinet Office that your technical standards are being maintained but you have got your policy framework in place for dealing with this issue, and also you have got the personnel security practices in place as well. You need a much more rounded thing: you need to know what your vulnerabilities are; you need to map those more clearly; and this needs to be much more ingrained and mainstreamed within the institutions themselves.
Q301 Lord Tomlinson: I just want to pick up on one phrase in your original answer to me, because you talked about owning this as a risk. Now, it strikes me that what you are saying, and I hope you will disabuse me, is that, if that risk is somewhere in an EU institution, even though we are a major contributor to the budget, we have no contributory responsibility for owning the risk, which is a major risk to our money. It is not European money; it is an aggregation of Member States’ money. When you say “owning the risk”, do you feel that we must have a sense of shared responsibility for the risk of that which happens in EU institutions? Neil Thompson: That is a question around governance. Who has responsibility? You can take evidence from people more expert than I on the relationship between the state and the EU. My point is: who is the person who is accountable, and to whom are they accountable for this? If that is a Member State responsibility, then we need to make sure that the Member States hold the EU to a higher standard than they are currently delivering. I take your point. The other thing about risk is, in some ways, this is not a risk; we are actually living with this. This is something that will happen; this is something that is happening every single day, across a very broad spectrum of activity.
Q302 Lord Avebury: Reading the account of what has happened since the theft of the ETS certificates, it seems that national authorities took responsibility for the attempts to recover them. For example, the Austrians recovered €7.5 million worth of these certificates. Is it the case that, although it is a European scheme, each Member State is responsible for the security of its own certificates and for recovering them if they are stolen? Neil Thompson: I apologise, Lord Avebury; I do not have an answer to that. I think that would be something that would need to be directed to somebody else, as to who in the UK would have responsibility for this.
Q303 The Chairman: I think perhaps we had better not pursue this line. It is an absolutely valid one, Lord Avebury, but would it be unreasonable to ask if you could find out who would be following this? Neil Thompson: I will do my best.
The Chairman: See if you can elicit from them a response just to the questions that have been asked. It would be really helpful. I have to say that, if you cannot find someone who is responsible for it in the UK, that also is a conclusion, although rather negative, which we would draw. I do not want to get there yet, because Lord Tomlinson is making an absolutely valid point. It would not be the first time that one had discovered that absolutely nobody owned the risk at all, because the European institutions did not understand it and the Member States did not think it was any of their job to do anything much about it, even though it was their money. It would not be totally surprising. If you could help us go a little further in this, it would be really kind.
167 Neil Thompson and Dr Steve Marsh, Cabinet Office
Just to give you an anecdotal point about it, in the days when I first started working with the European institutions, they believed that personnel security was something that other people had to do but they did not have to worry about. It took quite a long time before it was brought home to them that they might well be the object of attack by the Soviet Bloc, as European institutions started to do more things than they had done in the past. It was an uphill task to get them to understand that, and to get them to take any kind of measures about it. It would be very helpful if you could do that.
Q304 Lord Judd: This really follows on from what we have been talking about. Member States are encouraged by the Strategy to develop contingency plans and to undertake regular national and European exercises in instant response and disaster recovery. As I understand it, the first pan-European cyber attack simulation exercise took place last year. Can you tell us about what this revealed about the state of readiness across the EU and what is being done about it? Neil Thompson: It was a test of communications capabilities, technically credible but at quite a simple level, to ensure that the right bits of machinery were able to communicate with one another. This was successful. I think it is fair to say that this was at the lower end of stretching, as an exercise, but it illustrates where the EU can have a role in helping to facilitate these sorts of exchanges happening. When problems occur, they do not occur in the domestic space; they occur with international ramifications. The ability to liaise with counterparts is a vital part in the response. The whole issue of crisis response is the thing that will helpfully drive the change that we need, because I certainly believe it is one of the things that we need as a priority in the UK. The sophistication and complexity of malware that is out there now means that, at some point, you are going to see a significant infection of bad malware, which will require levels of response that we do not have sufficiently in place. That is one of the things that we need to do.
Q305 Lord Judd: Can I just press you a little? I think you said that it was at really quite a simple level and it was successful, but anyone can conduct an experiment at a simple level that is successful. The issue that we are after is whether exercises are being conducted to meet the real possibilities and what we are learning from those exercises. Neil Thompson: Certainly my experience of the Member States, which is very limited, is that people’s understanding of the cyber security challenges is very uneven, which is going back to the point about raising the standard and getting the basics in place. We absolutely need to be able to walk before we can run. This is where I think ENISA’s role is helpful in helping to raise those national standards in facilitating the coordination arrangements that you need in place when problems occur.
Q306 Lord Judd: Can I just put one other question to you here? Perhaps I might make one comment before I put my question. My comment on your answers to previous questions is that all my experience is that, in areas of policy where action is required, unless there is someone specifically responsible for that action, it disappears into the academic world of theory. I think that applies to learning, would not you agree, from these experiments? Then I will ask my question. Neil Thompson: I have a great deal of sympathy with that point of view. I also think that one of the areas that changes this dynamic are events. The major changes in how governments and others respond to these things, take counterterrorism, were driven on the
168 Neil Thompson and Dr Steve Marsh, Cabinet Office back of events. There is that. This is one of the challenges of cyber security; it is how you respond to both the ubiquitous nature of the problem—its iceberg-like view—without the piquancy of a major significant event. It is lots and lots of bits of activity, which degrade us both economically and in security terms. It is what I call the death of a thousand cuts.
Q307 Lord Judd: My question, and I am afraid it is quite a big one potentially, and the Chair may be cross with me for asking this, is this: going back to the underlying theme in all that has been going on in our exchange, doesn’t this underline that our degree of cooperation internationally is not an option? We tend to believe that what really matters is what we are doing ourselves, but it is useful to do these things internationally; however, isn’t the real discipline that comes out of this that we simply cannot protect our interests without effective international arrangements? Doesn’t that raise huge issues of trust and human relations, as distinct from systems—well, not as distinct, but as the life blood of systems? Neil Thompson: I certainly agree with your point that we cannot do this alone. The international side of this is a big part of the agenda that we are trying to construct, from my team working with the other Departments, the Foreign Office, the MOD and the agencies that are involved with this as well. That in turn is about making sure that the broader policy response is also aligned to our allies and partners, and then how do we extend that, not just to the people who would classify in those areas but to the countries that aren’t really our allies and partners, but equally are dependent on cyberspace? This is a truly global problem, but we are all in different places on it. It is about trying to harmonise that response, which is why institutions like the EU add value in championing it as an issue. We have to have a sense of reality that it is not the vehicle through which this problem will be fixed. It has a role to play and it should not duplicate what we are doing. It is interesting that Member States themselves are evolving their own national strategies. In some ways, the view from some of the Member States is that they need that national capacity in place, and they want to see a role for the EU as well so, in other words, it is not an either/or.
Q308 The Chairman: Presumably, when you talk about wider fora in which this sort of thing would be taken forward, you are thinking in a pure military security sense NATO, and in the wider global sense the United Nations. Somehow or other, we obviously need a dialogue—we will come on to this in a later question—with the Russians and the Chinese, even though we may not trust them very much. Neil Thompson: It is a global problem. We need to have a serious conversation with other Member States around this issue and that is starting to happen. My sense of this is that this problem has been siloed for quite some time. It is now being given the oxygen of publicity, focus and interest but we now urgently need to build our response and capacity in order to align ourselves with where we think the threat is, which is not in a good place.
Q309 The Chairman: Do you think that there is some kind of analogy, as I know someone like Professor Joseph Nye has said, with the early days of nuclear weapons, in which people were insufficiently aware that, although we were talking about vital issues of national security, we all had a collective security interest as well in it, because otherwise you ended up with mutually assured destruction? In this sector you could think of a mutually assured destruction, but it would be disastrous for everyone. Neil Thompson: There are some parallels with that sort of description of where we are at, in terms of thinking about our strategic response to this problem. It is early days, but I am not sure the parallel is entirely right—you cannot read across into it. It is that sort of public 169 Neil Thompson and Dr Steve Marsh, Cabinet Office and private shared problem that we have, which is quite different. Sorry, I did not want to start a discussion about the early state of nuclear security, but there is a different characteristic to the nature of this problem that it cannot be fixed by government. It has to be fixed by government in partnership with other governments and institutions, but also with the private sector and, indeed, the citizen. That is the nature of cyberspace. Dr Steve Marsh: I think that is why we see a whole range of international institutions that are beginning to operate in this area. It is not just the United Nations or NATO; there is the International Telecommunications Union, the OECD, the Internet Governance Forum and a list of international fora that seems to get longer almost by the day. Neil Thompson: In that department, what is very welcome is, across government now, there is much more focus on this issue facilitated through my team. The Foreign Office is building additional capacity to deal with these very crucial international fora, where we will decide how we govern cyberspace in the future. It is important that we are active, and we are increasingly active in those areas. We always have been, but we need much more focus on this.
Q310 The Chairman: Do you think we are moving along a kind of spectrum that starts with talking to the big players around the world and considering whether there are informal guidelines that we can agree, before we consider whether you want something more legally structured than that? Neil Thompson: Yes, we need some rules of the road, some norms.
Q311 Lord Avebury: When the Chairman asked you about the £650 million funding for the UK National Cyber Security Programme earlier on, you, Mr Thompson, answered that we will increase our capacity in the UK. My question is: do you think it is realistic for the whole of this £650 million to be allocated within the UK and none of it to go to any European institutions, because of apparently the Government’s reluctance to allow any increase in spending in the EU, as a matter of doctrine? Neil Thompson: I think it would be for somebody else to decide whether or not it would be the balance between what is spent in the UK versus what is spent in the EU. All I can say is that Ministers identified cyber security, after review of the risks that the country was facing, as a Tier 1 risk, and then wanted to put in place a programme of work to move us from where we are now to a much better position around cyber security issues, as they recognise it is a massively forward issue for the country, both in terms of its security but also our economy. That is what the programme is trying to do in a very tight fiscal climate, and it will build both capabilities for the UK, of which law enforcement is one of those key parts, defence and GCHQ capabilities, and additional protection for UK government systems, but also there are things like greater public awareness here in the UK, better reporting of e-crime and indeed building capacity around government, where it does not exist at the moment, which is one of things that we do.
Q312 The Chairman: I do not think that any of us would doubt that the £650 million that has been identified by the Government and allocated within its spending programme, for strengthening our cyber security, is highly desirable and necessary. I do not think that is the question so much. There does just seem to be a slight discrepancy between saying we, as a country, need to spend all that money in the next five years if we are to increase our security, and we agree that the EU needs higher cyber security but, by the way, they can do it for nothing. That is where we are finding a little bit of difficulty in getting our minds
170 Neil Thompson and Dr Steve Marsh, Cabinet Office around the Government’s position. It seems, even if you take a rather modest view, which you yourself have helped us with a great deal, of understanding what the EU can do, what Europol could do, what ENISA in a very modest way can do, they will need some resources if they are going to do it. They cannot do it out of thin air. Neil Thompson: Yes, I agree that is a problem.
Q313 Lord Tomlinson: I was just reflecting, and I am not sure that Mr Thompson will be able to comment on it, on whether this problem of having any resource allocated to Brussels is an ideological problem concerning the transfer of resources, or whether it is an ideological problem concerning the transfer of responsibility. Neil Thompson: I am not sure I do know the answer to that question, Lord Tomlinson. No, I am not sure I do.
Q314 Lord Avebury: Is it possible we could have a breakdown of the spend of this £650 million? Neil Thompson: I would be happy to share with the Committee some of the things we have already said about the broad distribution of it, yes.
The Chairman: It would be very helpful if you could. Of course we understand that you may not have got very far yourselves in that but, if you give us some orders of magnitude or approximate figures, that would be very valuable. Of course you do not need me to tell you that it will end up in the public domain if you do so. Thank you very much.
Q315 Lord Judd: Whether one’s talking about NATO, the UN or relationships with other countries in all this, I would like to hear a little bit more about how the EU can play a part in building the necessary relationships. In that context, I would ask you to return for a moment to this issue of systems, trust and cooperation. It occurs to me that, on the one hand, we must have cooperation with Russia and China but, on the other, how far can we trust that cooperation with Russia and China, to be blunt, and indeed with others? I would just like to hear your comment. Dr Steve Marsh: I will start by making a stab. You are quite right of course that cooperation is essential. We need to just bear in mind that trust is not a binary thing: you do not either trust somebody completely or not at all; there are levels of trust. What we are particularly finding with some of the countries that traditionally perhaps we would trust less is that we are increasingly having common cause, particularly around the cyber crime side of things. There are areas there where we can make progress in coming up with solutions to common problems. That in a sense is a way of building trust as we head down that route. How far that will go into the state area, I think remains to be seen but, nevertheless, it is clear that as the economies of other nations develop and become more online, as ours is, there is an increasing understanding that the criminal activity on the internet is a threat to us all and therefore a very reasonable area where we should cooperate and begin to develop levels of interaction and law enforcement cooperation, perhaps, that we have not had before, but it is tricky.
Q316 The Chairman: Is this area one where the old adage about trust but verify applies?
171 Neil Thompson and Dr Steve Marsh, Cabinet Office
Dr Steve Marsh: Yes, it is. The difficulty in cyberspace is that verification is much harder than we have found in the physical world but, again, that is something that it is early days. Perhaps as time goes on, we will find better ways of doing that.
Q317 Lord Judd: What worries me slightly about your last answer is it goes back to what the Chair said in his introductory remarks, which certainly reflects my own anxiety in this space, which is: how far is it realistic to distinguish between criminal and national objectives when you get into international cooperation? Where does one begin and the other stop? Dr Steve Marsh: That is clearly an issue; I completely agree with that, but there are areas where you can distinguish that and that is the place to start. Again, how far that goes— when you get into the realms of proxies for state action then, yes, you become less trusting and cooperation becomes harder. If there are areas of the problem that you can clearly distinguish as being something that we have common cause against, then that is a sensible place to start that cooperation. Neil Thompson: Indeed, that is under way in the sense that we, in a variety of multilateral and bilateral exchanges with other states, are trying to talk about these very issues. This is a debate that has started. I am sure you would say you need a much better answer than that, but the debate is under way. I particularly welcome the fact that the Foreign Office is increasing its capacity to deal with these very issues, on a diplomatic basis, to help support this as a major task that the Government wants to make improvements on. In some ways, to use the Chair’s comment, we are at the start of this, although this has been an issue that has been around for decades. You are all sensing that, both on a national level and on an international level, this is an issue that is now very close to the top of the agenda. If you look at what the United States is doing and the staggering sums that they are investing in cyber security, and the fact that it is a consistent theme of their exchange with us, with NATO and with others, this is an issue on which we are all talking now, increasingly. The Chairman: The United States do seem to be locking the stable door after the horse has bolted, as far as WikiLeaks is concerned. That is probably an unkind remark. Thank you very much, both of you, Mr Thompson and Dr Marsh, for being so frank and giving us so much of your time this morning. You have really helped us a lot in an area where this Committee at least is striving to go up a fairly steep learning curve. That has been very helpful, and thank you very much. Thank you also in anticipation for the things you said you were able to help us or try to help us with. Thank you very much.
172 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency Oral evidence, 9 February 2011, Q 318-366
Evidence session no 9 : heard in public
Members present
Avebury, L Dear, L Eccles of Moulton, B Hannay of Chiswick, L (Chairman) Hodgson of Astley Abbotts, L Judd, L Mackenzie of Framwellgate, L Mawson, L ______Examination of witnesses
Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Q318 The Chairman: Good morning, Sir Ian and Mr Bishop. We are very grateful to you for coming to give evidence on behalf of SOCA for our inquiry into the European Union’s internal security strategy. We are sorry that Mr Armond was unable to come but happy to welcome Mr Bishop. As you know, this session is open to the public. A webcast goes out live as an audio transmission and is subsequently accessible via the parliamentary website. A verbatim transcript of your evidence will be taken and will be put on the same website. A few days after this session you will be sent a copy of the transcript to check it for accuracy, and we would be grateful if you could advise us of any corrections as quickly as possible. If after this evidence session you wish to clarify or amplify any points made during your evidence or have any additional points to make, you are welcome to submit supplementary evidence to us. It would be helpful if you introduced yourselves for the record. If you wanted to make some opening remarks, that would be very welcome to the Committee, but, equally, if you didn’t particularly want to make an opening statement but wanted to go straight on to questions and answers, that would also be perfectly acceptable. Sir Ian Andrews: Thank you very much for the invitation to give evidence to you today. I am pleased to be able to do so. I will make a brief introductory scene-setting statement, if that is in order. As you may know, I have been the non-executive chair of the Serious Organised Crime Agency since August 2009, which probably makes me well placed to provide a strategic overview. However, many of your questions will, rightly, expect responses on points of detail that I would find myself struggling with. I am accompanied by Mark Bishop
173 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency from the SOCA international staff, who has knowledge and experience of some of the issues that are the subject of the inquiry. As was made clear in the formal memorandum that the Home Office submitted to the inquiry, to which we contributed, we broadly welcome the internal security strategy and the Commission’s subsequent communication. Most of the priority threats reflect those in our own national security strategy. Two in particular—organised crime and cybercrime—fall within the SOCA priorities that the Home Secretary sets. We sit alongside Home Office representatives on COSI; indeed, the real subject matter experts are doing that today, which is why they are not able to be here. We provide the gateway between UK law enforcement and Europol, where a number of our officers are embedded. It is worth remembering that organised crime does not recognise national, international or jurisdictional boundaries. It targets the most vulnerable individuals, communities and businesses, and the public purse. It is increasingly globalised and IT-enabled, and it is growing exponentially. Frankly, it is bigger than any one agency, nation or even group of nations can tackle effectively. Only by working in co-operation with one another can we begin to challenge it. Those partners are a growing community. Whether it is intelligence and law enforcement partners—the traditional people one would expect—the public, private or third sectors, domestically or internationally, we have to get that right before we can begin to counter organised crime. Obviously, fiscal pressures give added urgency to that. SOCA contributes to the Europol organised crime threat assessment, which provides a common assessment of the challenge. The internal security strategy and the communication provide a framework for a common understanding of the response, including how we can work together effectively across member states, institutions and agencies to counter it. We are working very hard in support of the wider use of Europol’s extensive capabilities and infrastructure by building on work that it is doing to rationalise its analysis work files and information systems, particularly in west Africa in the context of drugs and getting it on the executive board of Maritime Analysis and Operations Centre - Narcotics (MAOC-N), which is based in Lisbon. I should probably mention that last June the UK tabled a paper at one of the very early COSI meetings, describing the tools and techniques used by UK law enforcement that have enabled us to complement and go beyond the traditional investigation, prosecution, criminal sanctions and criminal justice approaches into disruption and denial. As a direct consequence, the Hungarian presidency is leading a project that we are closely involved in supporting, looking at ways to deliver practical EU responses to organised crime but drawing on making the best use of existing legislative and resource frameworks, and making the best use of what we have internationally before we start moving forward into something new. That is a sort of scene-setter from me. I am very happy to answer any questions you may have.
Q319 The Chairman: Thank you, that is a really helpful start. I have one procedural question: is the document that you say you tabled in COSI last year something that you could share with the Committee, or would you feel that you could not? If you did, it would end up in the public domain. Sir Ian Andrews: I think it is in the public domain, with the Committee, already. The Chairman: So if you could let us have that, it would be helpful, particularly as it is now, as you say, at the heart of the work that COSI and the Hungarian presidency are doing.
174 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
I welcome your earlier statement that echoes my own feeling that can be summed up by saying that Britain’s internal security neither starts nor ends at the water’s edge. That seemed to be what you were saying very eloquently yourself. Sir Ian Andrews: Absolutely.
Q320 The Chairman: Perhaps we could go into questions and answers. Does SOCA believe that the actions proposed under the internal security strategy are appropriate, proportionate and achievable and likely to make an impact on organised crime? What is your view of the EU’s near-term and longer-term priorities, if that differs in any way from that of the Commission’s communication and action plan? Sir Ian Andrews: That flows from the statement that I just made. Our view is that this is the right approach, and it has the potential to make a real difference. It needs to be seen in the context of the EU policy cycle, which will bring forward a set of proposals. The organised crime threat assessment, followed by an assessment of EU priorities against that is due to come to COSI at its April meeting and would then go forward to the Council in May. The policy cycle that was launched under the Belgian presidency, as I recall, and which very much engaged Europol, the UK, the Dutch, the Belgians and so on, was in parallel with the development of the internal security strategy and the communication, looking at how we can develop a pragmatic intelligence-led approach to prioritising and tackling the threats. It seems to me that for many reasons this has become quite a crowded space. The putting in place of the COSI machinery gives us the opportunity to converge the many initiatives into a common shared set of objectives. Going beyond that, from SOCA’s point of view, and it is important that this is understood, the traditional criminal justice approaches will only ever have a limited impact on the huge challenge that we face. We have to think how we can go outside those, adopting imaginative, innovative approaches, from disruption to denial to targeting financial assets, if we are going to make a difference. We will see what comes to COSI in terms of priorities, but the machinery to do that is there. Mark Bishop: There are a couple of points that I would seek to make in addition to that, centred on the fact that international work often provides value for money. For example, interdicting upstream allows us to tackle the problem at source, with more significant results, focusing on high-value targets, the disruption of production facilities, multi-tonne seizures and the like. We support the proposals on organised crime, which will allow effective threat anticipation, greater practical co-operation between member states and the new agencies and, as Sir Ian said, the increased sharing of best practice. It is not really our place to comment on the overall proportionality of the measures but from a law enforcement perspective, given the damage to the UK caused by organised crime and the cost-effective nature of international work in tackling it, the approach is suitable. We have practical examples of working with European partners that we are more than happy to give the Committee if that would be appropriate. The Chairman: It would be very helpful if you did. Mark Bishop: An example that I can give you here is that the liaison officer platforms in Ghana and Senegal demonstrate the new approach to co-operation between agencies and countries. They provide a platform for joint working, the sharing of intelligence and a co- ordinated approach to capacity-building. The platform in Dakar is led by the French, while the UK has the lead in Accra. The platforms have the primary aim of exchanging technical and operational information and co-ordinating technical co-operation. They are based on informal co-operation, and they support bilateral engagement. One particular benefit has 175 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency been the ability to use other members’ political leverage in the region, so that members of the platform are able to interact to greater effect with more partners across the country and the region than would otherwise be possible. The Chairman: Thank you very much.
Q321 Lord Dear: I turn your attention to the PNR, the passenger name record, which, as we all know, came about largely as a result of the USA authorities following 9/11, but there is a debate now about whether that should be extended within Europe and whether the exchange of information should be made compulsory on intra-EU flights. Would you care to comment generally about what exists at the moment? Do the current arrangements help in the fight against organised crime? In your opinion, should they cover the internal EU dimension? Sir Ian Andrews: We very much welcome the proposal that Commissioner Malmström announced last week for this. There should be legislation on the collection of passenger name records. As far as the UK is concerned, the lead on this comes very much from the UK Border Agency and is a Home Office policy issue. It is an important part of the EU e- Borders programme. The passenger name records, linked to the advanced passenger information systems, where the information is appropriately and proportionately collected, stored and disseminated, is an important tool in the fight against organised crime. I think the Home Office witnesses said to you recently at the session where they gave evidence that there is a strong case for data on intra-European flights to be included as well. Only then will law enforcement have a complete picture of what is happening. As I think Mr Storr mentioned when he gave evidence, not to capture PNR for internal journeys almost risks them being less safe than external journeys. So the logic is compelling: if you do not do it, you displace rather than manage risk. That said, there is not yet a consensus on how that should be moved forward, but from the UK’s point of view we would very much favour it. As I say, though, the lead in policy terms is the UK Borders Agency and the Home Office.
Q322 Lord Dear: That means a huge amount of data, and a huge amount of inconvenience to people in some ways. Once the criminal who wants to remain unobtrusive realises what is going on, they will travel by road, rail, ferry and so on. That would be the counterargument. Any comment about that? Sir Ian Andrews: This is an activity on which one is seeking to have influence. If you are causing them to change their plans, to displace their activity, to move in other ways, that is surely an effect. Lord Dear: Disruption. Sir Ian Andrews: Precisely. The relatively limited data that we have at the moment, is a useful tool for tackling organised crime. Volumes of data are not an issue. The ability to manage large quantities of data and, when they are appropriately collected, stored and disseminated, to look for patterns and indicators in them is not a problem. It is manageable.
Q323 Lord Dear: You have access to all those records? Sir Ian Andrews: Yes.
Q324 Lord Mackenzie of Framwellgate: The “Mr Bigs” of crime often hide behind companies, as you are fully aware. The strategy suggests that legislation may be necessary to
176 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency obtain more information about people running trusts, directors of companies and so on. How big a problem is this, and is legislation really the answer? Sir Ian Andrews: We try not to use the term “Mr Bigs”, because it attaches a label to these people: they are criminals of one sort or another. You are right, though; it is well documented that the use of companies and trusts as a means of money-laundering is extensive. Indeed, that is why they are already significantly regulated. I should say that changes in the approach to EU law on money-laundering, in policy terms, are very much a matter for the Treasury. That said, the Financial Action Task Force is currently leading a piece of work looking at global standards for this sort of activity in terms of anti-money- laundering and counterterrorist financing. I think that that is due to publish towards the end of this year. Mark, is that correct? Mark Bishop: 2012. Sir Ian Andrews: When it comes out, we will consider it. That said, we are having a substantial impact in terms of denying criminals access to the assets that they have acquired, and we are having increasing success in that area. As the Government have made clear, there is no desire to create new structures and new legislation unless and until we are satisfied that we are making the best use of the legislation that we have now. That is the priority. From our point of view, we have the tools that we need to be able to challenge this. Whether the Government wants to go further is a wider policy issue.
Q325 Lord Mackenzie of Framwellgate: I am sure that there are many countries in the European Union that perhaps do not have the standards that we have in terms of company law. I am asking whether there is a need for further legislation at European Level to bring people into line with our standards. Sir Ian Andrews: The policy issue is one for the Treasury but we have found, in interacting with other European countries, that they may not have consistent approaches but are able to help us in a number of areas in targeting assets where it is appropriate to do so. Mark, can you expand on that? Mark Bishop: Not at the moment, no, but we would be happy to write to the Committee.
Q326 Lord Judd: The strategy calls for more joint operations involving border and judicial authorities, police and Customs, and a more flexible use of joint investigation teams. What is your view of the effectiveness of the arrangements as they stand, and do you suggest that there are changes that should be made? Sir Ian Andrews: If I may, I will ask Mark Bishop to answer that question. It flows from everything that I have said that, particularly in the current financial climate, it is important that we work as flexibly and closely as possible with member states and others if we are to maximise our impact on organised crime. Indeed, the strategic defence and security review talked about the importance of making sure that we were mobilising our efforts and our assets in the most effective way possible. Mark Bishop: Building on that, therefore, we need to use our resources to best effect within the UK and in collaboration with other member states. There are many existing effective mechanisms in place that support joint operations, including bilateral engagement, working with the EU JHA agencies, including Europol, Eurojust and Frontex, through the use of Schengen article 40 (cross-border surveillance), and exchanging information such as biometrics, details on suspected persons and lost and stolen objects, as well as the application of the European arrest warrant and multilateral co-operation through the
177 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Comprehensive Operational Strategic Planning for Police, COSPOL, which now sits under COSI. SOCA is keen to advocate the use of joint investigation teams, or JITs, as they are referred to, as a mechanism for supporting international operational engagement. This was emphasised in the UK paper that Sir Ian referred to at the start, and we are pleased to see it further reflected in the communication. To raise awareness and assist UK law enforcement partners in engaging with other member states to start up new JITs, SOCA has recently appointed a national JIT expert who participates in the EU-level forum for national JIT experts. We have also recently seconded a member of staff to Eurojust, with support and funding from the Home Office, whose role will include promoting the use of JITs by and with UK law enforcement partners, in collaboration with EU member states, Europol and Eurojust. Similarly, Eurojust has a key role to play in helping to establish JITs. The framework developed through establishing them and the funding available through Eurojust for this purpose is of great assistance. It allows member states to discuss at an early stage legal constraints that could prohibit the establishment of a JIT and likewise identify opportunities and set down a form of agreement for how member states can co-operate if one goes ahead. I believe that we will come on to Europol later. However, in relation to this question, it is worth highlighting Europol’s role in supporting member states and setting up joint projects and operational meetings, which can lead further to joint operations and the establishment of proposals for JITs. To further support Europol engagement in this context, our Europol liaison bureau comprises staff from various UK law enforcement agencies. I believe that we will discuss funding in more detail later on, specifically in relation to the ISF and COSI. However, in relation to establishing JITs and the communication’s proposal that these should be set up where necessary at short notice, with the full support of the Commission, we feel that it is worth highlighting the current ISEC funding mechanism as an area for improvement. While the commission’s rules on applying for funding are quite clear and helpful, the process itself is overly administrative and could be streamlined. I shall give you an example: each framework partnership application can require up to 20 forms in varying formats to be completed and submitted online. There are often technical difficulties with this process. Also, a key dependency for bidding for ISEC funds at present is the requirement to make planning assumptions around internal budgets and resourcing. To do this effectively, it would be helpful if the Commission responded promptly to funding bids—that is, in line with their own published schedules. I can give you a further example of SOCA’s operational use of JITs. I know that you have heard about Operation Golf in the past, but we have others.
Q327 The Chairman: Just for the purposes of clarity of the record, could you just say what ISEC is? Mark Bishop: I have it written down here, because I knew I would struggle with it. It translates as the Prevention of and Fight against Crime.
The Chairman: That does not seem to affect the acronym. Mark Bishop: I believe it is a French acronym.
178 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
The Chairman: Could you possibly give us on a piece of paper, for the record, its French and English names so that we get it right? Otherwise we will confuse everyone, including ourselves.
Q328 Lord Judd: That was a very full reply and I am sure that we all appreciate that, but it indicates candidly that there is a lot of work to be done. In a nutshell, are you saying that you are hampered by a bureaucratic, as opposed to an action-orientated, approach? Mark Bishop: We are saying, in effect, that there are bureaucratic processes that could be streamlined considerably. We accept that with any proposal for funding there will be a requirement to complete documentation, but we suggest that 20 different forms for one proposal is possibly not the best way forward.
Q329 The Chairman: Have you put your concerns about the excessive bureaucracy to the Commission at all, or is this the first time that you have surfaced them? Mark Bishop: I am not aware of whether we have or not; I would have to check to see whether the Home Office has raised this. The Chairman: Perhaps you would let us know whether you have.
Q330 Lord Judd: You were reeling off structures, committees and all sorts of arrangements that are in place. Personally, and I think this goes for other Members of the Committee, I am very firm that what really succeeds is teambuilding, trust, a sense of motivation—enjoyment, if I may put it that way—in working in international teams; a culture. How far has all that progressed? Sir Ian Andrews: I will address that, if I may. As I said earlier, this is a crowded space. We are seeing a genuine effort to provide a forward-looking convergence path to move these bodies together and to create the efficiency that will enable action to be carried forward and delivered. What has struck me, coming to this relatively fresh, is that wherever you go there is a real sense of commonality of interest between the professionals. Whether it is within Europol or within bilateral relations with individual countries, there is a real desire to work together and achieve results. That comes across very strongly. We have an opportunity here, with the internal security strategy, the Commission’s approach and COSI, to mobilise the institutions to support and capitalise on that commitment and energy. It is a really good opportunity if we can collectively seize it.
Q331 Lord Mawson: I welcome the fact that there is a desire to do this. However, lots of organisations that I have worked with over the years talk about this stuff but in practice, when you actually look on the ground, something quite different is happening. I would be interested if you could give me a practical example on the ground of this actually happening and of what the results look like. There is a relationship between the macro aspirations of large organisations and the micro practice on the ground. The micro is the way into the macro. What is that relationship looking like? Also, what investment is going into this whole way of joint working? People assume that it can happen if we share bits of paper or put it on an IT platform. In my experience, it does not happen. Joint working, partnership working, is not a straightforward thing; there needs to be work, energy and investment to help organisations to do that. Many officers have not been taught how to do that in their training; they have been taught to work in silos. This is quite a different discipline. What investment and energy is going into that joint working?
179 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Sir Ian Andrews: If I can address that at the general level, perhaps Mark can pick up on a detailed operational example. The paper that we referred to, which the UK tabled in COSI back in June and which we will let you see, was focused on how we move from expressions of intent to making a difference and getting people to work together and deliver. That was seized upon by the whole Committee as a way to move forward, and the Hungarian presidency is working very hard to develop how that can be done—practical things that we can do today to enable that intent to be delivered and have an effect on the ground. Mark Bishop: With regard to additional examples of what we are doing operationally, the most recent one that I can give you is a SOCA-led JIT to uncover the acquisition and use of fraudulently obtained genuine British passports by members of organised crime groups. These are genuine passports issued by the relevant UK authority after receipt of a fraudulent application. To date, the project has focused largely on British criminals living in the Netherlands who are trafficking drugs and firearms into the UK and Ireland. As a result, a JIT agreement was signed with the Dutch authorities, which was extended again in December 2010. This JIT has thus far identified a large number of these passport offences and in many cases prosecuted these through the issue and execution of European arrest warrants.
Q332 Lord Dear: Can I drill down a little further on Eurojust? We have talked about the concept of joint international working between law enforcement agencies, but the cement that would hold that together would be the judicial process, the lawyer who is in with the team as the investigation continues to make sure that all the necessary steps are taken pre- court. Would you like to comment on the role of Eurojust at the moment and whether it is up to speed at the moment —fit for purpose, so to speak? Does it need a very small change to become fully effective, or is there a lot of ground to make up? Sir Ian Andrews: Eurojust is a relatively new player, but it is co-located with Europol in The Hague. As it happens, I was at a major prosecution conference in The Hague last year, and there was a real recognition of the importance of getting law enforcement and prosecution authorities to work ever more closely together. There was also recognition at the international level about prosecution authorities working more effectively together, because if prosecutor can speak unto prosecutor then law enforcement body can talk unto law enforcement body. There was a real sense of a desire to build on that. Again, I think that the intent is there, but these things can take a long time to reach fruition. Mark Bishop: Eurojust has a key role in the JIT process, which, as you have seen, we have started to find useful.
Q333 Lord Dear: Sorry, did you say that it does have a key role? Mark Bishop: It does. In 2007 it bid for funding from the Prevention of and Fight Against Crime fund, ISEC, to support a pilot project in relation to JITs. The Commission awarded it a considerable sum of money to cover a three-year period up to September 2013. Prior to making a bid for funds, Eurojust will host these informal meetings, referred to as “level 3 meetings”, and more formal co-ordination meetings, to facilitate engagement between the member states. So it definitely has a role within the JIT process.
Q334 Lord Dear: With respect, my question was: is it up to speed at the moment? Has it some way to go? Can you give an indication of whether you are happy with the present state of affairs and how much it needs to develop? Mark Bishop: The issue of Eurojust is a Home Office policy lead.
180 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Q335 Lord Dear: I am terribly sorry; I am pressing the point. From your perspective, can you give me a view? Mark Bishop: In the context of JIT work, we have certainly found them very useful.
Q336 Lord Dear: Did you say “useful”? I’m sorry, the acoustics are very bad in this room. Mark Bishop: Very useful. That is partly why we are posting an officer within that mechanism, because we feel that it is an organisation that has benefits.
Q337 Lord Dear: I am sure, but is it efficient? Sir Ian Andrews: I do not think we are in a position to comment on that. What I will say is that, in terms of our experience working alongside prosecution authorities in the UK, embedding prosecution people within investigation teams from a very early stage can be key to getting the right outcome. Indeed, only yesterday we had a SOCA awards ceremony where we were recognising achievement, and almost all the teams within SOCA included domestic law enforcement, international law enforcement and prosecution authorities as part of the team. That is something towards which we should all be seeking to work. As Lord Mawson was saying, though, it can take a long time to get from a statement of intent to delivering something effective on the ground. We are working on it and moving in the right direction, but the policy issue is very much one for the Home Office and Eurojust.
Q338 Lord Dear: With respect, I am left with the conclusion that you are saying, in effect, that that there is a long way to go. Sir Ian Andrews: You can always get better.
Q339 Lord Dear: Changing the subject, I wonder if we could look at money-laundering. There are a number of proposals in the strategy to make it easier to freeze, seize and confiscate criminal assets, including the revision of the money-laundering directive and increasing the powers of the asset recovery offices. It would help us to know whether you think that these proposals would make the EU’s efforts in this area more effective. Sir Ian Andrews: Again, we welcome an increased focus on denying criminals access to their assets. In our experience, certainly domestically, this is something that they really do not appreciate! A criminal will look at being caught and going to prison as a risk that he or she recognises, but where you really start to impact on them is when you deny or disrupt their access to their assets or take those assets as part of the process of the penalty imposed by the courts. Again, there is a lot that can be done to improve practical co-operation, but the view of the Home Office—again, this is essentially a policy issue for it—is that we need to make the best use of what we have before we go down a new legislative route, and certainly before any steps beyond the Stockholm agreement. For example, you refer to asset recovery offices. A number of EU member states have yet to designate their national asset recovery office. That is clearly a deficiency, and we need to bring everyone up to a common level. On the wider issues of money-laundering and new legislative requirements, again, I am afraid—I hope this does not sound as if we are ducking the issue—this is a policy issue for the Treasury. We are the executive arm, and we operate within the priorities and policies that the Government set for us.
181 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Q340 The Chairman: I think this issue of who is responsible for policy is clearly understood by the Committee, and we are not asking you in any way to step outside your remit. It is, however, valuable to us is if you tell us whether toughening up the various provisions for money-laundering and strengthening the effort on asset recovery helps you, SOCA, in your work. We do not suggest for one minute that that is an expression of view about whether or not there should be more legislation—just an expression of the executive arm, which you are, about whether it helps your work. Sir Ian Andrews: From our point of view, our ability to target assets is hugely useful. Increasingly, criminals are resorting to putting their assets in other jurisdictions in order to hide them. We work very closely with a number of European countries—and indeed countries beyond Europe, across the world—and are having increasing success in getting them to take action. As I say, though, the priority should be to get everyone in the European Community up to a level—dare I say?—with us, before we start setting ever more demanding targets, because that simply risks setting an ambition that people then focus on and forget to work on the basics.
Q341 Lord Dear: A level comparable with us is actually not very high. As we all know, the history of asset recovery in this country has not been a spectacular success—until very recently, anyway. It has been woeful. That was a matter of record under the previous Government, I suppose, only 18 months ago. Again, the picture that I am picking up is that the concept of the criminal being arrested and then all the assets being stripped, so they come out of prison to some sort of financial desert, does not in fact exist, and it is possible to put money into central Africa or wherever else and almost impossible for anyone else to get it out. It is dangerous to go into central Africa and get it, we all understand that; that brings a wry smile. The fact is that criminals find it increasingly easy to salt their large sums of money away in a variety of ways, serve a term of imprisonment and then begin to feed off the proceeds. The law enforcement agencies in all countries, including this one, I venture to suggest, have not yet come anywhere near success in pursuing that aim. I do not want to put words into your mouth, but I think that what I am getting from you is that again, rather like the last question, there is a long way to go, and some countries are lagging behind us. Sir Ian Andrews: I would not disagree with that analysis. As we have understood the criminal business model, we are shifting the focus very much towards asset denial rather than headline figures for the amount of cash put in the tin box. This is a really important disruption capability, and one that is being recognised. Again, the conference that I was at last September was looking at how we can go after and disrupt organised criminals by targeting their assets, denying them access to them and hitting them where it hurts. There is a growing recognition that that is the right way to go. It is about moving outside the traditional criminal justice approaches. For example, we have on the statute book the ability to put in place serious crime prevention orders and financial reporting orders, which can put real constraints on what criminals are able to do way into the future. “Follow the money” is a bit of a cliché, but in our investigation teams we now routinely have financial investigators alongside our traditional criminal justice investigators. They are hugely helpful and beneficial in our targeting and in getting results. We have quite extensive powers regarding civil recovery and tax as well. Again, this is about getting all countries up to a common standard. As I say, a number of states do not yet have designated asset recovery offices, and that would be a really good step to getting some clarity here. The Chairman: You have given us a very helpful steer there. What Lord Dear has been pursuing—tenaciously, I think—is the feeling that there is more that needs to be done here, particularly to get some member states even up to the not totally brilliant level that we are
182 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency at now, and that therefore this kind of EU activity is valuable to the UK if we can use the EU machinery to do that. That throws light on the question of whether the communication that we are looking at is useful from the UK and the EU point of view. You have illustrated that point very helpfully. It is not just a piece of bureaucratic wheel-turning with no practical benefits to us. That is a really helpful reply. Sir Ian Andrews: It has real potential to make a difference for the better.
Q342 Lord Judd: Meanwhile, crime is globalised. While you are struggling to bring standards up within the European Union, it strikes me that the kind of crime that you are faced with now, particularly taking account of the ethnically pluralist nature of so much of the European Union, not least the United Kingdom, cannot be tackled without wider effective co-operation. I understand that a lot of work is already done with the United States, but what about China and India, or wider areas like Russia, the Middle East, Pakistan, Turkey, Africa—you mentioned Senegal, but what about different regions of Africa?—the Caribbean or Latin America? How do you promote co-operation with people there? If you are going to tackle this, you have to have effective co-operation. Sir Ian Andrews: I agree. Again, the EU works especially closely with the US, but it also works increasingly with all the areas that you have mentioned. Indeed, the Stockholm programme provided the strategic framework for this because it emphasised the importance of the EU working with third countries on transnational organised crime for precisely the reasons that you mentioned. At the operational level, there is engagement through Europol in Latin America, the Caribbean and West Africa. What has struck me, if I may make a personal observation here, is that whenever you get law enforcement working with law enforcement, this is a common language. However corrupt a country is perceived to be, there will be people who care passionately about law enforcement, and that network really works. From the domestic point of view, SOCA maintains a network of liaison officers in a lot of the parts of the world that you talked about. I shall pass over to Mark to give a more detailed response Mark Bishop: Europol has already established a number of co-operation agreements with third countries that further strengthen our ability to fight international organised crime. These strategic agreements are with, for example, Russia and Turkey. I know that in previous evidence reference has been made to the significant EU funding available to support the fight against organised crime in these wider areas. The UK partnership with Spain has recently secured €3.5 million of funding to enhance the capacity of Ameripol, which is Latin America’s version of Europol. The UK has an improved dialogue with Pakistan on law enforcement and counternarcotics co-operation under the aegis of both the UK/Pakistan and EU/Pakistan strategic dialogues. The requirement for counternarcotics and law enforcement co-operation was specifically included within the joint statement of the second EU/Pakistan summit held in June last year. So within this context, SOCA works with the Pakistani authorities on operational co-operation and securing potential CN funding. You named quite a few different locations throughout the world there. If you like, I can touch upon some of the areas that we cover. Clearly, we are working closely with our EU partners in West Africa, as I have already spoken about. In September the UK presented to EU member states the importance of tackling organised crime in the western Balkans. Highlighting an increased focus on the rule of law from the early stage of the accession process enables the EU to provide more effective support in delivering crucial JHA reforms in-country. As an example of practical assistance in this region, the UK currently leads PAMECA 3, a €6 million EU police assistance mission to Albania. Austria is our project partner on this. The project commenced in May 2008 and is due to run until May this year. 183 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
There are regular high-level meetings between the EU and Russia. There was a recent meeting in November to discuss, among other topics, co-operation to combat transnational crime. You mentioned China in your list. Bilaterally, certainly, for the past three years the UK has hosted an annual work conference between the UK and the Chinese Ministry of Public Security, designed to encourage discussion on organised crime matters. This is led by SOCA but there are many other UK participants within it, HMRC, the Human Trafficking Centre, the UK Border Agency, the Home Office’s Intellectual Property Office and the Metropolitan Police Service being some examples. We can go through what we are doing country by country, but there is a strong theme of doing it both within an EU context and bilaterally with our own liaison mechanism.
Q343 The Chairman: Presumably, you will be hoping that the new external action service that was set up at the beginning of this year will have some expertise in the area that you work in so as to strengthen the links with these third countries through European missions in them with people who are properly trained and capable of helping you and other, similar organisations in Europe. Sir Ian Andrews: It is entirely consistent with the declaration of the Stockholm programme that the heads of Government adopted towards the end of 2009, that there is a seamless relationship between an internal security strategy and an external one. As Lord Judd was saying, this is a globalised phenomenon. It is everywhere. It is recognised that you cannot have an internal security strategy that is pursued independently of that engagement with international partners. Regarding West Africa, I mentioned getting Europol on the MAOC-N management board. A major programme, based in West Africa, to build capability in the interdiction of drugs coming across the Atlantic is EU-funded, and that is delivering success now as well. So wherever you look, there are examples of precisely those sorts of connections being made. The multilateral and bilateral links are mutually reinforcing. As I say, what really comes across to me, having spent a career in the national security space, is how close the dialogue can be, in an entirely non-threatening way, between law enforcement and law enforcement. Lord Judd: Having worked in international work most of my life, I think it is impressive that you tell us about all this activity—it sets a framework within which things can happen— but it is all rather at the formal, structural policy level. What I am interested in, and I think the Committee is too, is how far within those contexts effective teamwork and co-operation are developing, how far there is a feeling of joint ownership of what is being done and how much people get professional and psychological fulfilment from working in an international team, rather than feeling, “Oh my God, we’ve got these bloody foreigners we’ve got to co- operate with”. I mean, let’s face the realities. Are you confident that that kind of sea change is taking place? I just do not see how the hell we can get to grips with this global phenomenon unless we have that kind approach. Sir Ian Andrews: Having spent most of my career in an area that you, Lord Judd, were very familiar with in the past, in defence, and then moved into this wider national security sphere, I have been hugely impressed by the extent to which, when you talk to people internationally, that passion, that shared endeavour, comes through. I talked about our awards ceremony yesterday. We had officers there from Spain, Holland and other countries celebrating that. You are right: the only way that we are even going to begin to get on top of this problem is by working internationally. I sense that there is a real passion and
184 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency commitment to making that happen, and the ISS and the Commission’s communication is another step along the way to helping us to build on that.
Q344 Lord Judd: I have just one other specific question. Do you think that more could be done in terms of international training, staff courses and so on, in which people would get training and information for the work that they will be doing in an international context? Sir Ian Andrews: More can always be done—I go back to that point. I was just thinking about cybercrime. Proposals have been made regarding Europol; it wants to develop a model based on one that has been very successful in getting people together in the United States across industry and law enforcement. Ultimately, it comes down to the confidence and trust that one has in the people one is working with. For training, secondment and exchange opportunities, SOCA has its people embedded in law enforcement organisations across the world. We have people embedded in the European institutions. We are seeking to drive that agenda forward. Ultimately, though, you are right; it comes down to the fact that when people know and trust one another, they can take it forward. Of course, joint training can help with that, but it is not the only way to move it forward.
Q345 Baroness Eccles of Moulton: Sir Ian, you have referred to COSI on a number of occasions, but I think the Committee would be very interested to have an overall view from you on this relatively new organisation—I do not know if it has even been in existence for a year yet—which is made up of representatives from all member states. Do you consider the balance of representation across the piece and in the Ministries is right? There is a proposal that the internal security fund should be set up under the ISS. Would that make a useful contribution to COSI’s effectiveness? Sir Ian Andrews: You are absolutely right, it is a relatively new committee. It is meeting today, as I said, so things may have changed—I do not know. It is finding its feet. It has the potential to rationalise significantly the multiple players in this crowded space and provide a focus. We make no secret of the fact, and Home Office witnesses have said this, that we would like to see more senior professional law enforcement representation at the table, as opposed to the policy-makers that some countries tend to send. To have continuity in terms of the same people turning up on a regular basis, going back to Lord Judd’s point, gives you the opportunity to build that sense of common endeavour, teamwork and mutual confidence. It has the potential to do that, and we very much hope that it will. We are doing everything we can to help it to achieve that. That is the way ahead as I see it. Mark Bishop: On the point about the need to see senior law enforcement representation at COSI, this is particularly important given that COSI will have a responsibility for monitoring operational initiatives within the framework of the policy cycle—things like the COSPOL projects that were previously overseen by the European Police Chiefs Task Force. We think that the UK’s COSI delegation, which is there today, reflects the ideal balance of Home Office and senior law enforcement representation. On your point about the significance of the ISS for work against organised crime, it is difficult to articulate this when we do not as yet know how much this will be. However, the Council conclusions on the creation and implementation of an EU policy cycle call for the Commission to review the ISEC funding mechanism and consider the feasibility of setting up the internal Security Fund, and we fully support this position. It could help support, for example, the further effective implementation of JITs. As per my previous response to the question on JITs, though, the current ISEC arrangements require a lot of forward planning, which makes this very difficult at present.
185 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Q346 Baroness Eccles of Moulton: You mentioned monitoring. Presumably, the tasks that that are then going to be monitored have to be established, set and carried out. How does that work? Mark Bishop: Sorry, could you clarify that for me?
Q347 Baroness Eccles of Moulton: Presumably, COSI meets once every two months and has discussions about what is needed, but how then are operations carried out that can be monitored by COSI? I was alerted to the fact that you used the word “monitoring”, but you can monitor only if you know what it has been established that you are then required to monitor. Sir Ian Andrews: If I may, while Mark is looking for his evidence on this, this is an opportunity to shape COSI. It is due to take the product of the threat assessment and the priorities, and out of that will flow an action programme. It should be as visible and transparent as any equivalent institution of the Community. This is an opportunity to put in place that sort of mechanism. As we have all observed, COSI is relatively new and still finding its feet, and we have the opportunity to shape it. From the UK’s perspective, and SOCA is alongside the Home Office officials on this, we are seeking to help shape that agenda so that it can be relevant, enable us to move things forward and hold people collectively to account for what they do. Baroness Eccles of Moulton: It is the collective aspect of that which is so important. Mark Bishop: You asked me about the policy cycle in particular. It is effectively broken down into four key steps, each of which has a feedback loop built into it, ranging from policy development—that is step one—through policy-setting and policy decisions to implementation of the policy and monitoring, which is the part that I will come on to, and then step four is evaluation. Implementation of the policy and monitoring involves groups of experts from member states, the EU institutions, the JHA agencies and other key stakeholders developing multi- annual strategic plans, MASPs. Effectively, they are an EU control strategy for tackling the agreed priority threats. Each MASP will cover the full four-year period of the policy cycle and be supported by an annual operational action plan—also developed by experts, I should stress—that will co-ordinate and steer the direction of multilateral activity against these threats. Baroness Eccles of Moulton: That is very helpful, thank you.
Q348 Lord Mackenzie of Framwellgate: We have mentioned close co-operation with the United States, and I am sure that you work closely with the FBI and the Department of Justice. Looking at what I suppose is the European equivalent, has Europol emerged in your view as a credible organisation that UK enforcement authorities can do business with? Does it provide a value-added service? Does it need additional functions and powers, such as the powers that the FBI has? Sir Ian Andrews: We work with the FBI and many other US law enforcement agencies, of which there is a significant number. As far as Europol is concerned, it has been explicit in a lot of what we have said today that we believe it has a vital role to play in combating serious organised crime globally, but particularly in co-ordinating and building the European response to it. The UK is working hard—we are one of the five biggest users of Europol— to drive those developments forward. I believe that is increasingly fit for purpose. The director is a UK officer; I think he has given evidence to you previously. I have visited it
186 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency twice in the time that I have been in this job, and I have been hugely impressed by its ambition and the collective will of the law enforcement officers who are embedded within it and seconded to it to make it relevant and to move the agenda forward. Mark Bishop: One of the points that should be emphasised is that Europol’s effectiveness can only reflect the extent to which member states take advantage of its tools and its expertise. Europol is making significant efforts to improve its capabilities at present, which perhaps I will come on to later. However, the changes that it is making will take time to embed. It has a leading role on the development of the EU organised crime threat assessment, which is viewed by member states as an important tool to combat organised crime. Europol produces the threat scans and other key products—for example, the Terrorism Situation and Trend report—which are also helpful in monitoring and identifying new and emerging trends. As you know, SOCA is responsible for co-ordinating the UK’s contribution to the OCTA. Along the same lines, we have supported the admission of Europol to the Maritime Analysis and Operations Centre - Narcotics (MAOC-N) executive board, where Europol is represented by its assistant director, Troels Oerting. We see this as quite an important step in ensuring consistency of approach to help maximise co-operation efforts and, in terms of increasing the intelligence contributions from MAOC-N to Europol to inform the wider intelligence picture at the EU level.
Q349 Lord Mackenzie of Framwellgate: You are very ably describing what Europol does and so on, but what I asked you is whether in your view it requires extra funding or powers—in other words, could it be improved? Sir Ian Andrews: Yes, it can always be improved, but I do not think that extra powers or extra funding would be the priority. This is actually about making something that has a lot of potential to work as effectively as we believe it can. We have talked about different countries having different approaches to this, but if we can move to a situation where the whole European Community sees Europol as its primary law enforcement arm to co- ordinate the activities of the 27 nations, that will be a huge step forward. We can point to areas, and we have done, where it is having a significant impact now, but it tends to be with the involvement of different nations, with a significant minority of nations moving it forward. We need to move everyone up. I am sorry; that is a consistent theme of this evidence session. We need to move the whole Community up to a common standard before we start thinking about new powers, new legislation and so on.
Q350 Lord Mawson: The communication states that it will put forward proposals to enhance co-operation between Europol, Frontex and the European Asylum Support Office on border management issues. What are your views on this? Sir Ian Andrews: We are in a slightly difficult position. As far as I understand it, the issue of co-operation between the Justice and Home Affairs Agency and all the organisations that you are talking about is what is being discussed at the COSI meeting that is going on today. Mark Bishop: In respect of this specific question, border management issues are a UKBA responsibility. We view interagency co-operation as key, particularly in terms of supporting the delivery of this internal delivery strategy and the EU policy cycle. We welcome improvements in co-operation between Eurojust and Europol. This matter will be discussed at COSI today, but the broader picture is that, on organised crime, experience has shown, and the internal security strategy recognises, that by working together we improve our impact. That means both member states collaborating and agencies working more closely 187 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency with the same aim. As Sir Ian has already mentioned, as international barriers become less significant for organised criminals and in the current climate of tight resources, it is even more important that we work together to tackle this.
Q351 Lord Avebury: You mentioned that you wanted to work towards Europol being the primary law enforcement arm of the European Union. Does that mean that you think Europol is the right place for the proposed cybercrime centre? Does it already have the skills and capabilities to develop such a centre, or would it be necessary for it to acquire those skills having been given the task? Can it really be established without any additional EU funds being allocated for the purpose? How might it work with ENISA? Sir Ian Andrews: In short, yes. I believe that Europol is the right place for the proposed cybercrime centre. Its core business is to provide support to the competent authorities in the member states in their fight against crime and terrorism, and the use of cyberspace is increasingly enabling that organised criminality. Indeed, this is a specifically mandated area for Europol to get involved in. To me it makes no sense to set up a completely separate structure; let’s put it there, let’s build on it, let’s integrate it. I have no reason to doubt that Europol should have the skills and capabilities to host such a centre. The high-tech crime centre has been housed in Europol since 2002 or thereabouts, and it provides valuable experience on which to draw. I think that Mr Wainwright, the director of Europol, outlined to this Committee a model based on the US National Cyber-Forensics and Training Alliance, which is about industry and law enforcement working together, as I mentioned earlier. That is something with which we are very familiar. It would have the ability to second experts from member states into such a body to build that body of knowledge and expertise. Would I create a separate centre? No, I would not; I would absolutely put it in Europol, because that is where it ought to be. The issues of resourcing are not primarily issues for SOCA—these are wider government judgments—but there is a huge amount that can be done even with the existing resources that are in place in building on what is there.
Q352 Lord Avebury: I am not sure that we have heard about the high-tech crime centre that you mentioned. Are you saying that that is the nucleus of the proposed cybercrime centre, and that the expertise that Europol has acquired to set up the high-tech crime centre is what would be needed if it were allocated the task of becoming the cybercrime centre? Mark Bishop: I can explain some more about the high-tech crime centre if that would be useful. Created in 2002, it has expanded over the course of 2009 and 2010 to become a platform with three constituent sub-platforms: the internet crime reporting online system, known as ICROS; the dedicated analytical work file, the AWF, referred to as Cyborg; and the internet and forensic expertise recipient, IFOREX. I can go into some more depth about that or write to the Committee. The Chairman: If you could write to us, that would be helpful. We are getting a bit short of time.
Q353 Lord Avebury: Could you pick up the question about working with ENISA? How would the proposed cybercrime centre, if it were established within Europol, operate with ENISA? Sir Ian Andrews: ENISA would have to have a very close interface with the cybercrime centre. There are areas of mutual overlapping interest, so there would need to be a very close working relationship between the two. Precisely how that is achieved is an issue for 188 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency the Government and for policy-makers, but from an executive point of view that needs to be integrated in the most effective way that it can be.
Q354 Lord Avebury: The strategy encourages member states, in liaison with Eurojust, CEPOL and Europol, to develop cybercrime awareness and training facilities and to set up centres of excellence. Is that enough, or should the EU be doing more to develop awareness of the risks and to make cyberspace more difficult for criminals and others who seek to exploit it inappropriately? Sir Ian Andrews: What has struck me, not just over the past 18 months but particularly over the past six months, is the growing recognition of the nature and scale of crime exploiting cyberspace, whether to carry out traditional crime in more effective ways or to commit new crimes that are made possible by the cyberspace environment. That really has raised itself up within the public and governmental consciousness. It is a threat that is increasing. The individual user is actually the weakest link in the defences. We must therefore invest in raising awareness in individual users of the internet and in businesses, whether large or small, giving them the understanding to operate safely in an environment. The internet is hugely important in terms of the economic benefits that it brings to the country, but it also offers huge opportunities to criminals and the potential for huge damage to individuals. There has been a recognition of that. Indeed, the very fact that the Government allocated £650 million of additional funding to cybersecurity at a time when they were cutting back everywhere is evidence of that. Preventative measures, training and awareness are key. We therefore welcome the steps to develop awareness and understanding across the EU as well, because you are only as secure as your weakest link in this. But it is not just about training and awareness; it is about mobilising international partners, academia and non-government bodies so that we can make cyberspace that much more difficult for any criminal to exploit. This is probably one of the biggest challenges that faces us. In SOCA we are working hard with the internet service providers and internet governance bodies to see how we can influence behaviour and raise awareness of their responsibilities to do something in this area. A huge amount needs to be done, but there is real recognition that it can be done—or, at least, that we have to do it—and I find that in the conversations that I have with people across the UK and Europe, and internationally. This is the big challenge for the future.
Q355 The Chairman: Do you think that you are making sufficient use of the talents of the private sector?
Are you also making sufficient use of the younger generation, who are enormously imaginative and capable of understanding the whole of this growing sector? Are you and Europol—indeed, is the European Union—bringing them in enough, do you think, to take advantage of their skills? Sir Ian Andrews: I cannot speak about what Europe is doing at the moment, but certainly in the UK there is a huge effort being driven forward across Government. The National Security Minister is playing a key personal role in this. As I understand it, the Prime Minister is chairing a meeting next week to which senior leaders from across the private sector have been invited, because this is something where we simply have to mobilise all the effort and all the private sector capability that is there because Governments and law enforcement alone cannot even begin to tackle it. From the UK perspective, there is a very clear drive to make this happen, and it has to. 189 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Q356 The Chairman: Do you think that this message is getting through more widely in Europe, or is it something that we should be putting more effort into? Sir Ian Andrews: I believe that, certainly in the conversations and the dialogue that I have, this is a shared perception; it is not a unique view from the UK. There is real recognition that this needs to be part of the wider international agenda.
Q357 Baroness Eccles of Moulton: We have had a rather effective example over the past few weeks of a cybercrime affecting the whole of the EU: the theft of the trading emission permits. There are two parts to this question. The first is to help some of us in our ignorance of how any thief can actually acquire monetary advantage from stealing permits off the internet. The other is: do you think that the strategy is making progress towards being able to prevent some of these crimes? You have probably answered that question already, but there might be something that you could add to it. Sir Ian Andrews: I cannot comment on the specifics of that particular case other than to note that SOCA identified a potential threat and issued an alert to members of the EU electronic trading system towards the end of last year, so this was a recognised challenge. I am afraid that I will deal with the issue of how someone can exploit the sort of things that you are talking about at a very superficial level; if you create a market, then someone will find a way of exploiting it. You can be certain that this was a wake-up call but it had been recognised as a problem, and something needs to be done about the trading system and the carbon credits issue that you are talking about. There is a market, therefore there will be someone who exploits it. Electronic trading is a new dimension in terms of how that can be done. Beyond the specifics of the case, Europol creates the opportunity for sharing intelligence and information and for a dialogue to understand how these potential threats can emerge and impact. That is an area in which Europol should develop, and is developing, its expertise. You bring people together because this is not just an attack on one country; it is an attack on the European system, the whole global system. I think that that is recognised. Again, though, it comes back to people working together and knowing and trusting each other, and the sort of passion that Lord Judd was talking about earlier, agreeing that here is something that we have to work on together to achieve a result.
Q358 The Chairman: It certainly underlines the fact that there are some of the European institutions themselves whose cybersecurity is not particularly effective at the moment. Often in this sort of case you focus on what 27 member states can do collectively to strengthen their cybersecurity, but everyone momentarily forgets that there are European institutions that are penetrable by cyberattack and cybercrime and therefore could be as vulnerable or even more vulnerable than institutions in member states. Sir Ian Andrews: My perspective is that the UK is in a relatively much stronger position than other members but, as I said, we are only as strong as the weakest link. It is in all our interests to raise the common standard.
Q359 Lord Judd: Is the task complicated by what I personally detect as the increasingly blurred line between what is serious crime and what is organised state activity? Which is the criminal fraternity and what is state activity is sometimes not altogether clear. Sir Ian Andrews: I think it is a matter of record that many of the attacks on Estonia came from criminal groups. One might speculate on what caused that to happen, but criminal
190 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency surrogates are real players in this. It can be very difficult to trace the origin of a particular activity. You are right to talk about the blurring of that. I would also mention that the Minister for Crime Prevention, James Brokenshire, made a statement last week about the UK opting into the EU directive on attacks against information systems. Again, evidence there of the EU understanding the importance and the potential vulnerability of the sort of systems that the Chairman was talking about. The Chairman: At the conference I was at on the weekend, Professor Nye of Harvard, who is very expert in these matters and has written quite a lot, broke up the cyber sector into cybercrime, cyberespionage, which is states trying to steal either information or know- how of various kinds, and then cyberattacks as a form of warfare. He categorised these things in that way, and clearly there is some blurring between them.
Q360 Lord Judd: Do you have a problem with nest-sitting with information in the EU? Is there room for more information-sharing, and should there be a distinct regime for law enforcement agencies? While dealing with that, I wonder if you could also give us your views on the balance to be achieved between enhancing security and ensuring the protection of citizens’ fundamental rights, including the protection of their personal data. Sir Ian Andrews: One of the things that makes SOCA different is that the enabling legislation provides for the exchange of information where it is for the purpose of the investigation and prevention of organised crime, but it is a difficult balance to strike between, on the one hand, ensuring that citizens’ fundamental rights regarding their personal information are respected and protected and, on the other, the need to pursue investigations into those who are up to no good. I am very struck by SOCA’s professionalism and the emphasis that it places on getting the balance right. There are a lot of internal processes to make sure of that. SOCA manages huge quantities of data and passes information to international partners, to those who have a part to play, to other law enforcement partners and so on. We are of course also subject to the oversight of a significant number of the relevant regulatory commissioners, and our statement of information-handling policy—to which one of our non-executive directors, who is no longer with us but who was the first Information Commissioner, made a significant contribution— enshrines that policy approach. But it is a difficult balance to strike. You have to look at every case on its merits in terms of proportionality, necessity, reasonableness and so on.
Q361 Lord Judd: You say that every case has to be looked at in terms of proportionality and the rest. It is easy to say that but, with the pressures and challenges of the work, how far is that really possible, case by case? Sir Ian Andrews: As I say, it can be a difficult balance to strike. There are rules, regulations and procedures that need to be put in place, and where specific issues arise then you can look at that on a case-by-case basis.
Q362 Lord Judd: But the hazards of mistakes and errors are infinitely greater now. There was the case of the lost stick. That could have tremendous implications for personal data and so on. Sir Ian Andrews: You are right to focus on the issue and how difficult it can be, but I repeat what I have said: I have been hugely impressed by the way that SOCA looks at this and understands the issues about the protection of individuals’ data, and balancing that with the need to have sufficient information—
191 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Q363 Lord Judd: Could I be a bit direct about this? When someone in your position— and you have been very impressive and reassuring in your evidence today—says that he is hugely impressed by the seriousness that is given to this, does that help to instil the rigour in the commitment to what is at stake now? Should you perhaps, if I may give you a leading question, be saying, “We are determined to watch this issue like hawks because it is a very real fundamental human rights issue”? Sir Ian Andrews: That is probably another way of putting what I just said. You are absolutely right. The evidence that I have for that is not just my view; I talk to the regulatory commissioners and real experts who are drilling down and understanding this. I talk to the Information Commissioner and people like that. There is a real awareness in everyone who I talk to in SOCA of the importance of getting this right. You can put it in your terms or in mine, but I think we are saying the same thing.
Q364 The Chairman: We are coming to the last question now. It is on the European arrest warrant, which came up briefly in one of your previous answers. I want to ask you not about the policy, which is dealt with elsewhere, but about the impact of the use of the European arrest warrant in the fight against terrorism, internal security matters and all the things that SOCA deals with. To what extent is its utility undermined by its employment—as suggested from the evidence that we have had—in some really quite trivial cases by some member states, as well as by issues of human rights? Sir Ian Andrews: I will ask Mark to answer the detailed questions. SOCA is one of two UK central authorities responsible for processing European arrest warrants; the other is the Crown Office and the Procurator Fiscal Service in Scotland. As you say, we do not have a policy role; we provide an administrative service for our law enforcement partners in the UK. Our involvement ceases at the point of the execution being passed over to someone else. I believe also that the whole approach to extradition is the subject of a review by Sir Scott Baker, which is due to report later in the year—in September, I think. It is important to understand that for context. However, the use of the European arrest warrant has had a huge impact on organised crime. Mark Bishop: Since the introduction of the EAW in 2004, SOCA records show that from 1 January that year to 31 March 2010, the EAW has resulted in 447 suspected or convicted criminals being returned to the UK and 1,934 being sent from the UK to the requesting state to face criminal proceedings or serve prison sentences. There are some good news stories about how we deal with fugitive issues, and if you permit me I will give you two quick ones. Captura is a joint initiative with Crimestoppers, the Spanish authorities and UK law enforcement, launched in 2006. To date, we have identified 50 fugitives who are wanted on EAWs and believed to be living in Spain. Thus far, 38 of those 50 have been arrested. A similar scheme is running in the Netherlands; we are working with police there to target fugitives from UK justice. During the financial year 2009-10, 26 arrests were made, all for serious offences such as murder, drug trafficking and so on. A joint campaign with Crimestoppers was launched in March 2010, and thus far two of the 10 subjects featured have been arrested. So there are some positive examples in relation what we have done in relation to fugitives. There is also one positive example in relation to EU co-operation and how we have tried to pull this together. With funding from the European Commission, HMRC and SOCA have jointly hosted three EAW practitioner workshops, with colleagues from law enforcement, prosecution and the judiciary from seven EU member states—Ireland, France, Italy, Spain, the Netherlands and Poland, to date. The workshops have included a number of presentations and discussions around case studies. This is the very point that you were 192 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency making about operational people on the ground exchanging experience. The outcomes thus far include a variety of things: academic study by King’s College London on factors contributing to individuals becoming fugitives; closer collaboration with Crimestoppers on projects and to release details of wanted persons to the media; and an increased awareness of proceeds of crime with the production of a compendium detailing different countries’ legislation and system around EAWs. The issue of proportionality was raised. It would not be right, as I have said in previous answers, for SOCA to comment on that issue. I understand that Peter Storr from the Home Office gave evidence on this issue and pointed to the fact that in some countries there is a constitutional requirement to pursue any measure designed to bring a criminal to justice, but I cannot comment beyond that.
Q365 Baroness Eccles of Moulton: How much of what you have described to us would not have been possible without the European arrest warrant? Mark Bishop: I do not know whether it would not have been possible at all; it just would have taken a longer and more time-consuming route to achieve it. Let’s face it, the European arrest warrant facilitates a great deal of interaction between law enforcement agencies. The traditional extradition routes are primarily judicial-based ones, so you can see the difference in timeframes—were someone to look at this in any depth, not that we hold the figures— between extraditions as they occurred previously and as they occur now after the introduction of the EAW. It really is a useful mechanism for us. Sir Ian Andrews: I endorse that. There have been examples of individuals who have been identified, arrested and brought back into the UK in a matter of days. In case Mark gave any other impression, there is very much judicial control over the EAW process. In the case of extradition requests into the UK, Westminster Magistrates Court is the judicial gateway through which one has to go, the equivalent in Northern Ireland is the court in Belfast and the Procurator Fiscal has such arrangements in Scotland. So this is a law enforcement piece of machinery that enables us to move much more quickly but not outside judicial control.
Q366 Lord Mackenzie of Framwellgate: That brings us back to the point that you have consistently made: the importance of having proper standards of justice throughout the EU. Sir Ian Andrews: Again, this is a personal observation: the prosecution authorities across the EU and indeed internationally understand this as well. The CPS has magistrates in various places around the world who are very helpful in talking to prosecution authorities about how we do this, so it is becoming a really joined-up and effective mechanism. Baroness Eccles of Moulton: That is extremely helpful to set against the criticism that some people make of the European arrest warrant. Thank you. The Chairman: Thank you very much, Sir Ian and Mr Bishop, for being very patient and very full in your replies, and for the offers of some additional material including the paper that you put to COSI. That will be very valuable for our inquiry. It has been of great use to us to have your evidence today, and we will be working on it along with all the evidence that we have been taking. Hopefully, we will produce our report on the internal security strategy in about May, where I hope it will make an input both at the British end and the European end of these discussions that will be taking place in Brussels on all the component parts of the internal security strategy as the Commission comes forward with them.
193 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Sir Ian Andrews: Thank you very much, My Lord Chairman, to you and your colleagues for your very perceptive questions and your patience in listening to our answers.
194 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency
Supplementary written evidence, (ISS 17)
1. This note contains the following information, following oral evidence given by Sir Ian Andrews and Mark Bishop on 9 February 2011:
• further detail on work with EU countries to deny access to criminal assets; • information regarding ISEC; • information regarding the High-Tech Crime Centre; and • an explanation of how criminals acquire monetary benefit from the EU carbon trading scheme.
Further detail on work with EU countries to deny access to criminal assets
2. In an example of working across the EU to target criminal finances and profits, the UK is leading on a COSI project focused on tackling proceeds of crime, as part of the wider implementation of the EU pact against Drug Trafficking. This is being taken forward by the National Policing Improvement Agency, supported by SOCA. The group (seven Member States18, Eurojust, Europol and the Commission) first met in November 2010 and, as part of its objectives as set out in the Drugs Pact, it assessed the operational capabilities of Asset Recovery Offices (AROs). The group is working on establishing minimum standards for AROs in relation to the timelines for dealing with requests.
3. As set out in previous Home Office and SOCA evidence, there is more that can be done through improving practical cooperation between countries rather than the proposal in the Communication for new EU legislation. Practical cooperation being taken forward to target criminal assets includes building strong links through law enforcement, working closely with the FCO to push the importance of tackling organised criminal finances to foreign jurisdictions and putting asset recovery at the heart of future Mutual Legal Assistance Treaties.
4. Recent cases of working with European partners to target criminal assets include some good examples of criminal asset tracing through AROs: a UK police service contacted the UK ARO in relation to a share investment scam (or boiler room fraud) in which an elderly couple had parted with £160,000 of their savings, which was believed to then have been transferred overseas. Enquiries traced the funds to a bank in Cyprus. Timely liaison with the Cypriot ARO prevented the dissipation of the assets. The total sum of £160,000 was secured and a substantial amount of the monies stolen were repatriated back to the victims within a few days of the theft. The remaining funds are the subject of court action in Cyprus. The action also led to the identification of the suspects who are now the subject of an investigation by a UK law enforcement agency; UK ARO received a request for assistance from the Finland ARO to determine the whereabouts of funds stolen as part of an internet based fraud involving the sale of a fictitious motor vehicle. The victim in Finland transferred the funds to the UK. Action by the UK ARO alerted the financial institution to the fact that the funds might represent the proceeds of crime. In the period before an official request for mutual legal assistance could be forwarded from Finland to the UK, the suspects unsuccessfully attempted to withdraw
18 Project members are the UK, the Netherlands, Finland, France, Germany, Italy and Portugal. 195 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency the funds from the receiving bank. The UK ARO made the bank aware of the circumstances which prevented the payment of the funds. A criminal investigation is ongoing.
Examples such as these demonstrate the value of these new arrangements, notwithstanding the fact that a number of member states have still to designate their ARO.
5. Examples in respect of civil recovery/non-conviction based confiscation are limited. The UK is one of only a few countries in the world that has in place a non-conviction based asset forfeiture regime with a civil standard of proof. The issue of international co-operation is a complex one. However, in short, non-conviction based asset forfeiture on the Common Law civil standard of proof is not compatible with a number of civil code jurisdictions. To enable recognition may therefore require legal changes on the part of some jurisdictions, necessitating significant political will on their part and would take considerable time to implement. These legal differences restrict SOCA’s ability to gain international co-operation including obtaining evidence from abroad, freezing assets and the enforcement of civil recovery orders.
6. However, SOCA continues to work with international partners to explain the legal basis for civil recovery to countries that currently are not able to recognise non-conviction based asset forfeiture. This is valuable work because, even where full recognition is not forthcoming, it can lead to alternative solutions to full recognition which have the same impact on the criminal. SOCA welcomes the consideration of the mutual recognition of non-conviction based confiscation orders that the Communication proposes.
ISEC
7. ISEC is a funding programme run by the Directorate General for Home Affairs in the Commission which Member States bid for through subject-specific calls for proposals. It forms part of the wider programme ‘Security and Safeguarding of Liberties’ (Sécurité et protection des libertés). The initials stand for Internal Security, but it is more commonly referred to as the ‘Prevention of and Fight against Crime’ (Prévenir et combattre la criminalité).
8. In respect of improving the current ISEC funding mechanism, the application procedure for accessing European Union funding is set out in a Financial Regulation, which is reviewed by the Council on a triennial basis. The Commission has launched its review of the Financial Regulation and HM Treasury is the lead department. Negotiations are in the early stages and are expected to last until the summer, with changes not being reflected until 2012 European financial year.
High Tech Crime Centre
9. In 2002 Europol created the High Tech Crime Centre, which expanded over the course of 2009 and 2010 to become a platform with three constituent parts. These continue to be developed.
Internet Crime Reporting Online System (I-CROS) 10. A platform designed to convey information from EU Member States and third parties relating to cyber offences, in compliance with legal frameworks and security and data protection requirements at Europol. I-CROS is pending, awaiting the budget of the
196 Sir Ian Andrews and Mark Bishop, Serious Organised Crime Agency project to be secured.
Dedicated Analytical Work File (AWF Cyborg) 11. Standing for Cyber Organised Crime, AWF Cyborg strengthens the support given by Europol to Member States by combining individual investigative efforts to create a composite picture of the cybercrime threat. The aim of the AWF is to target financially-motivated organised cyber crime and identify active groups operating within or against Europe, and tackle them in concerted action.
12. The majority of SOCA’s interaction with Europol on cyber crime matters is through AWF Cyborg, which reflects SOCA’s operational focus and priorities.
Internet and Forensic Expertise Recipient (I-FOREX)
13. A platform for investigators to exchange expertise and best practice, and to support online group work. The key benefit for the UK is that I-FOREX is improving the ability and building the capability of all member states to work cooperatively in combating cyber crime.
EU Carbon trading scheme
14. The EU (carbon emissions) Electronic Trading Scheme (ETS) was created by the 1997 Kyoto Protocol. Within the EU the model of operation is known as a ‘cap and trade’ system. If a business is able to reduce CO2 emissions below its ‘capped’ limit, any surplus credits can be considered an asset and be ‘traded’ or sold on the commercial market. Traders within this market do not receive an allocation of carbon credits. Instead, they trade surplus carbon credits to meet the demand from businesses that are unable to meet their emission targets.
15. The carbon credits system provides the opportunity for criminals to commit fraud and other crimes. Any person in any country can apply to be a registered trader of this virtual commodity, and criminals actively seek ways to exploit the mechanisms of the system.
• Theft of Credits: Cyber criminals using malware and ‘phishing’ have successfully exploited the system, stealing credits from legitimate account holders and moving them quickly across multiple accounts without fear of detection.
• Missing Trader Intra-Community (MTIC) fraud can occur when a VAT-registered trader purchases carbon credits and sells them to another party in a foreign jurisdiction where the purchase price would include Value Added Tax (VAT). Once the sale is completed, the trader disappears taking the VAT as profit. The threat from this type of fraud has been minimised in the UK through ‘zero rating’, although this is still a high risk area for EU member states who still apply VAT on the trade in carbon credits.
2 March 2011
197 Sir Richard Mottram
Sir Richard Mottram Oral evidence, 16 February 2011, Q 367-404
Evidence session no 10 : heard in public
Members present
Avebury, L Dear, L Hannay of Chiswick, L (Chairman) Judd, L Mackenzie of Framwellgate, L Mawson, L Richard, L Tomlinson, L ______Examination of witness
Sir Richard Mottram
Q367 The Chairman: I think we might get started, since timeliness will be of the essence today. Thank you very much, Sir Richard, for coming along to give evidence to us in this inquiry. We attach importance to somebody who has your experience in many of the fields covered—cybersecurity, counterterrorism and so on—and who is not any longer actively involved on the government side. We are, of course, taking evidence from Home Office officials, from the Minister in the Home Office and so on. It is very valuable to us to have this input into our inquiry. As you know, the session is open to the public and a webcast of the session goes out live as an audio transmission and is subsequently accessible via the parliamentary website. A verbatim transcript will be taken of your evidence. This will be put on the parliamentary website. A few days after the session you will be sent a copy of the transcript to check it for accuracy. If, after this evidence session, you wish to clarify or amplify any points made during your evidence or have any additional points to make, you are welcome to submit supplementary evidence to us. Perhaps you would like to tell us the background that you bring to this inquiry. If you have any opening remarks, you are very welcome to make them. If not, we will go straight into questions, but if you do then we will listen and then pick up from your statement. Sir Richard Mottram: Thank you, Lord Chairman. I shall say a few words about my background as a way of informing the committee of the fact that there are aspects of this inquiry about which I know absolutely nothing. From 2005 to 2007, I was the official in the Cabinet Office responsible for the funding of our intelligence agencies and our counterterrorism strategy, until that function was transferred to the Office for Security and 198 Sir Richard Mottram
Counterterrorism. I was also the chairman of the Joint Intelligence Committee and responsible for resilience. Previously, I was for a period the Permanent Secretary in the Ministry of Defence, and I have a long track record in relation to defence. But I have never worked in the European Union and in my Civil Service career I was not posted to Brussels, so there are aspects of the way that the European Union works on which the members of the committee are all many times more expert than me. I do not often like to explain how little I know, but I thought it would be helpful. Perhaps I may make one more point. Among the jobs I have now is that I am chairman of the Defence, Science and Technology Laboratory, which is an agency of the Ministry of Defence. For clarity, I am not appearing on its behalf or using information that it has supplied me. The Chairman: Thank you for all those helpful clarifications. We well understand that you have not operated at the EU end, but of course you have had an opportunity to see the communication that we are thinking about. It will be valuable to us to have your thoughts on British policy in those areas and how it meshes with the ideas in the communication. Obviously, if there are any questions that you feel you cannot usefully address, please say so because that will not matter in the slightest. We have put together the questions in the format best designed to fill in the knowledge of the committee, but if you feel that a particular question is something you do not want to respond to because you do not have the knowledge, that will be fine.
Q368 Lord Richard: Could I ask a question before we start? Your background shows that you were responsible for intelligence, security and resilience in the Cabinet Office. What is resilience? Sir Richard Mottram: Resilience is essentially another word for civil protection and some of what we are shortly going to talk about. It covers civil emergency planning in its broadest. No doubt we will come on to this, but in its broadest sense it is the whole set of issues around how you protect infrastructure, prepare against risk and so on. It is just a label that people use. To be the Permanent Secretary responsible for resilience did, I must say, lead my colleagues to fall about laughing.
Q369 The Chairman: The civil protection issue was looked at by this committee during the previous Parliament because there was a Commission communication on it. We wrote a report, and of course it is one of the action points that Cecilia Malmström has identified in this strategy, so we will come on to that. Does anyone else have questions of a general kind before we go into the specifics? Perhaps we could begin by asking you, Sir Richard, what role you think the European Union should play in internal security and how that interacts with member states, which quite clearly, under the treaties, retain primary responsibility for national security. Perhaps as a secondary subset to that, what should be the EU’s priorities on internal security? Are they appropriately reflected in the strategy that we are looking at and in the actions proposed by the Commission’s communication? Are these sensible and achievable and what sort of impact would they have in this country? Sir Richard Mottram: To make a very obvious opening point, the way in which Governments, including the British Government, have come to think about what is now labelled the national security strategy has over the past five or 10 years developed in ways that focus much less on the risk of interstate war and much more on how risks might impact on individuals. You can see this in the various versions of the national security strategy that the previous and the present Government have published. Although much is made of the differences between them, actually there is an underlying thread that is very similar. Out of 199 Sir Richard Mottram that you get the result, on which the committee has had evidence. In what are now the tier 1, highest-priority things that the UK Government are thinking about in national security terms, right at the top of the list are counterterrorism, cybersecurity and disasters of various kinds alongside international risks. Meanwhile, in the context of the EU’s internal security, we find that the highest priorities are things like cybercrime, terrorism et cetera. So there is obviously a very substantial overlap which has grown between how national security is defined by those who put labels on things and how internal security is defined by those who basically come from the justice and police environment. This produces the issue that the committee has been wrestling with, which is how to distinguish between the contributions of the various players. I am not an intelligence official, but I have a background partly in the handling of intelligence. Clearly that dimension is very important when thinking about tackling issues like countering terrorism, some dimensions of cybersecurity and so on. Given that, in my view there is no possibility that Governments such as the UK Government will cede any of their prerogatives in relation to the way they handle intelligence, for a set of reasons which I think will be familiar to the committee. Underpinning the way in which national Governments address these issues are types of information that they are going to wish to keep under their control and to share in forums on a multilateral basis in defined ways that suit them. Where does that leave the role of the European Union? Quite clearly there are things where it is valuable to arrange information sharing and to produce legislation of various kinds on an EU basis. The British Government, when I worked for them, absolutely recognised this. The issue is where to draw the boundary. What I thought when I read these documents was that the strategy itself is expressed in grand terms—perhaps all EU documents are expressed like that, I do not know. However, the communication from the Commission is a much more practical and narrowly defined procedural set of things. The conclusion that I drew from that was that, except for all the rhetoric—no doubt there is the potential for a lot of tension between different players on these issues—how the Commission has framed its actions generally seems to be sensible and achievable. It would complement how national Governments are working in other forums and through other alliances both bilaterally and multilaterally on what is their space to do with national security. The Chairman: Thank you. Those are very helpful views because I think that they coincide with the views that we have formed about the relative impact of the internal security strategy, which was approved by the Council about a year ago, leading to the Commission’s action plan, which is what we are looking at now. Most of us would characterise it in the same way as you, but it is helpful to have it confirmed by a person of your experience. Does anyone have any supplementary points before we move on to the next question?
Q370 Lord Mackenzie of Framwellgate: Good morning, Sir Richard. Moving from the general to the specific, and the important area of cybersecurity, do you think that the internal security strategy attaches an appropriate degree of urgency and importance to the issue of cybersecurity? Do its proposals offer the right balance between law enforcement activity and other “softer” approaches that are intended to raise awareness of the risks as well as influencing behaviour in cyberspace? Sir Richard Mottram: As I read the documents, they draw a distinction between cybercrime and the broader issue of cybersecurity. I know that you have taken evidence from the Cabinet Office about some of this, which I do not want to go into myself. But in relation to cybercrime, the challenge is that the way in which it is tackled is fundamentally an issue around how the private sector organises itself and its interaction with citizens, and 200 Sir Richard Mottram with how citizens organise themselves in their interaction with the broader economy. The challenge in dealing with cybercrime is to ensure that all necessary steps are being taken by the various industries that can impact on it and that the public have very high levels of awareness. What the communication is saying in essence is, “We look largely to member states to do this job”—which is probably right, and in the UK these issues have been under consideration for quite a long time—“but we will create frameworks, reporting mechanisms and alerting mechanisms that will enable co-operation across borders”. That is a sensible way of thinking. Ultimately, the issues around cyber are not, as is often thought, issues around technology in the narrow sense; they are much deeper and more difficult issues around how our societies are being transformed by the impact of the growing information and communications revolution that we are going through, how individuals interact with it and what that will imply for how society is organised in the future. That is obviously a set of softer issues, which are complicated and which I do not think any country has yet got its mind around.
Q371 Lord Mackenzie of Framwellgate: I agree with you and, of course, you can apply that to crime in general. Dealing with crime is generally a policing issue. Do you think that Europol is the right place for the proposed cybercrime centre? Does it have the skills and the capabilities to develop such a centre of activity, and can it really be established without additional EU funds being allocated for this purpose? Sir Richard Mottram: In a sense my answer is that I do not know because I have not had a great deal of personal experience of the work of Europol, although I have read the interesting evidence that was given to your committee. But beyond being rather unhelpful in saying that I do not know, I would say that if you were going to make a large investment in this area, and obviously there is a compelling logic to do that, then it would seem sensible to put it into an institution that already exists and has related responsibilities. My non-expert view would be that, yes, Europol is the right place for this to be. The second question was whether it can be done without additional resources, to which my generalised answer would be probably not, in the narrow sense of whether it would mean additional effort in Europol. What does that imply about the total envelope of the EU budget? Well, that is a choice. I am always suspicious, whether it is from the British Government, the European Union government or a British government department, of the argument that your highest priority, because it is new and difficult and needs to be tackled, calls for additional resources. It often calls for a reallocation of priorities.
Q372 Lord Dear: Dwelling on Europol, if I may, when sub-committees of this House have looked at that body before—I have been a member of some of those—and at risk of oversimplifying the case, but I do so to get to the main point, it is not so much a question of resources but more one of common understanding and co-operation. The theory of Europol is fine, but the way it can and sometimes does fall down is that individual countries and operatives within individual countries do not necessarily always trust one another, or alternatively they do not speak the same language. By that I mean that they have different definitions for common terms and so on. All of that is an impediment. I am not sure whether you have a view on that because, until those sorts of issues are put right, we cannot go forward properly and ask whether we need more money or whether we can exist on the same budget. Sir Richard Mottram: I do have a view in the sense that it applies rather more generally, but it applies particularly in relation to an issue such as cybersecurity, which is a very slippery issue. We need to invest in shared understandings. I spent many years in the Ministry of 201 Sir Richard Mottram
Defence, including in Lord Judd’s time, and while I was there I would rather downplay the significance of the military input on doctrine of various kinds. Since leaving, in the context of some of the ways in which issues around national security are being re-thought, I have become increasingly attracted to the importance of doctrine, by which I mean exactly what you are talking about. We need to have a shared understanding of the nature of the problem, its dimensions and, in the case of cybersecurity, which institutions are going to be responsible for what. That is a difficult set of issues because of the breadth of the potential label that can be attached to this problem. So we absolutely need that, and we need a shared language that is based on a language, so that it is not like NATO-speak, for example. Then, when you have done all that, you would by preference embed it in an institution that already existed rather than setting up what I think would be effectively a third institution alongside the one that is responsible for information management. I think you are right that there is, if I may say so, a prior question, which is: do we all understand what it is we are talking about?
Q373 Lord Dear: And often we do not. Sir Richard Mottram: Yes, and often we do not. Also, we often do not have sufficient mutual trust to engage. However, if both those things can be created, you will have an institution. But I would not create another one.
Q374 Lord Mawson: You were saying, Sir Richard, that technology has transformed our societies and that the way we operate as people and as communities has fundamentally changed. Do you have confidence in the systems that are presently in place? This morning I read a piece about carbon allowances that have been stolen. The report states: “‘At first people thought it was another phishing attack,’ said Olivia Hartridge of Morgan Stanley, who helped create the emissions trading system during a stint at the European Commission in Brussels. However, it soon became clear these criminals were far more sophisticated than that. ‘It was a whole other ball game,’ Ms Hartridge says”. Do you have confidence in the systems we have at the moment in terms of the relationships that need to be in place to deal with the ball game that is now in play? Sir Richard Mottram: We know quite clearly from examples like that, and others I can think of in the past but do not particularly want to talk about, that there are two or more dimensions to this. One is whether people understand the risk and the threat. The answer to that is not really, I think, and that would relate both to cybercrime and to activities of state and quasi-state bodies. The other is whether the procedures are appropriate. The answer to that is up to a point. In this country a lot of good work has been done on that issue on a shared basis between government and other sectors. Then, do people consistently apply those procedures once they have been agreed? The answer to that is no. Lastly, the question is whether there is a big issue around vulnerability to insiders, to which the answer is yes. So if you put all that together, I would not have a great deal of confidence, but this is just an example, and we can think of others.
Q375 Lord Mawson: I am referring not just to this but generally to security in Europe. What you are telling us is that you do not have confidence in those systems. Sir Richard Mottram: I would not have generalised confidence in those systems, no. Equally, there is a danger in issues like this that we talk as though they have just struck us: “My goodness, why have we not thought about them before?” I have spent a lot of my life in government thinking about security issues. In my last job, I and my colleagues were talking a lot to industry in this country. We have, for example, a well developed framework for giving
202 Sir Richard Mottram out security advice to other sectors. No doubt all those things can be improved, but we are not starting from a zero base. The Chairman: I think that the emissions trading raid, if we can call it that, so far as I understood it from the detailed article in the Financial Times yesterday, and from which I think Lord Mawson was reading, showed that there were vulnerabilities both at the centre, where the Commission runs the scene, and in some of the national offices, particularly the one in Budapest. However, there were several others. We have asked the Government to give us their best knowledge of what happened in this case, but it is pretty clear that cybersecurity was inadequate both in a number of the national offices that run the Emissions Trading Scheme and in Brussels. That would not be a particularly surprising discovery, but it does have important implications in terms of the need for the EU to do something about its own institutional security, as well as looking into the wider issue of all the Member States.
Q376 Lord Tomlinson: I would like to ask a supplementary question of Sir Richard. If it was suggested to you that at the level of the EU the role should be limited to the area of awareness raising, am I right in assuming, from your answer to Lord Mackenzie, that you would dissent from such a limited EU role? Sir Richard Mottram: Yes, I would dissent from it because there are other ways in which the EU can contribute. Perhaps I may add a point, although I am deeply conscious that it is rather obvious. What is interesting about the emissions trading case is that it illustrates a fundamental reason why we would want to think about issues beyond awareness raising because these are systems issues where, unfortunately, people can seek out the weakest point. So it is no use if the UK has the most fabulous security, which I do not suggest it has—except that I think that in many areas it has adequate security against a whole range of things—if it is also sharing information with others who are not anywhere near our level. You have systems issues all the time and, as we all know, in the modern world understanding how all these systems work and interact with each other is very difficult. People are sniffing out the vulnerabilities. There are wider roles for the EU and certainly it should focus a little on its own security because, as some of your evidence suggests, it did not seem to have realised until quite recently that it might be quite an attractive target. That rather took my breath away. The Chairman: I think that we are hoping to get a bit of read-out from the Government about the background to this episode, but it is obviously of deep concern. Thank you for your response.
Q377 Lord Judd: It is good to see you. It is tempting to go down memory lane about when we were at the Ministry of Defence in the mid-1970s, but there has been a lot of change since then. Just before I put the specific question, perhaps I could follow up on this point. I am intrigued that you distinguish quite firmly between cybercrime and the state security side of things. I am fascinated by the degree to which it is no longer really possible, in important respects, to distinguish between them. Sir Richard Mottram: I do not think it is possible to say that there is a sharp distinction in the sense that, both in terms of issues around technology and the sort of people who might engage in this activity, there are people who might do it for all sorts of purposes. But we face a problem because we have to make a distinction between those things that national Governments think are appropriate for the EU to be involved in, which includes cybercrime—no doubt that is why there is such a strong emphasis on it here—and other
203 Sir Richard Mottram aspects of cybersecurity that Governments regard as being very sensitive and not matters that are appropriate to the EU.
Q378 Lord Judd: But there is an issue here. Sir Richard Mottram: There is an issue. I do not want to suggest that there is a spectrum because it is rather more complicated than that, but it is possible to distinguish between the low end of things, where there is very profitable crime carried out in quite simple ways, such as accessing people’s bank accounts and other things of that sort, and the high end, where there are very sophisticated ways of seeking, for instance, to disable aspects of the national infrastructure of this country, the entire banking system and so on. The level of sophistication needed to do those things is different and the sort of people who are engaged in these activities might be different, but there could be an overlap.
Q379 Lord Judd: That brings me to my main question, which is about the international dimension. The reality is that we are dealing with a globalised phenomenon. Again, how far is it satisfactory just to see the role of the national state and not the degree to which it must co-operate? That is an important question. Also, the objective must be not just an idealistic concept but an urgent priority in order to get effective international co-operation. In that sense, what about China, Russia and the United States, of course, as well as NATO and other international institutions? Sir Richard Mottram: The answer to that, which is why it is so complicated, is that—while I hate the word “global”; it is a bit of an obsession of mine—this is one of those cases where there are global issues. The sophistication of societies and the risks vary in different places, but the point that one needs to get one’s mind around is not that this could be dealt with by nation states individually, because clearly it could not. Nation states need both to be taking appropriate action to protect the various things for which they are responsible and to be trying to create international regimes. I know that this committee has looked for all these things. The point about the EU is to clarify those places where co-operation at that level adds value compared with co-operation at other levels. That is the challenge all the time, in this as in other areas. By that I mean that if you are sitting in the UK Government and thinking about cybersecurity, there will certainly be, for you, a dimension to this problem which it is valuable to address at the EU level. There will be other dimensions to the problem that you do not address at that level. As the chairman knows much better than me, the Foreign Office will be thinking about all the dimensions involved in how one would multilaterally play this out. The issue is not that the EU is irrelevant, but that it may be the appropriate forum only for certain aspects of any given problem. I apologise if I am saying something rather obvious.
Q380 Lord Judd: Do you think that the EU can in some ways open gates to effective global co-operation more readily than we can individually? Sir Richard Mottram: It might conceivably have a part to play, but if we are talking about some of the more troublesome aspects of cybersecurity, I would not have thought it would be a big player in relation to those.
Q381 The Chairman: Thank you, that is helpful. We are getting into the territory that relates to the initiative that the Foreign Secretary took 10 days ago at Munich in his announcement that the Government would bring together some of the main players later this year, and obviously we will have to cover some aspects of that in our report. In fact,
204 Sir Richard Mottram when this committee looked at the earlier Commission document on cyber-attacks, we concluded that the Government ought to be doing more to try to work towards some rules of the road and, if possible, some international guidelines. So we flatter ourselves in thinking that we were a little ahead of that game. In any case, the Foreign Secretary has now taken this initiative and we will be taking some evidence on that when we see the Minister after our short Recess. Your answer is helpful, but I would add that Professor Joseph Nye of Harvard University, in chairing a panel of four on this at the recent Munich Security Conference, identified four aspects, which he divided into cybercrime, cyber-espionage, cyber-terrorism and cyber-attacks of an inter-state kind. He pointed out that they overlap, but they are four categorisations that illustrate how very slippery this area is and how even statements of the obvious have to be nailed down. I am sorry for making rather a long statement. Sir Richard Mottram: This is a better way of focusing on the point that I was trying to make. If we look at issues around cyber-terrorism, taking one of Joe Nye’s categories and without getting into any detail, obviously there are ways in which the UK Government are co-operating with other Governments, and there would be appropriate forums which the UK Government would be comfortable with for sharing in a deep way some aspects of that. There would then be other forums in which they would share other aspects. Similarly, the rules of the road in relation to cyber-activity between states are a very difficult area; it is uncharted and interesting and would, theoretically at least, end up at the UN level, would it not? It is helpful to accept that there are overlaps, to break the problem down, and to recognise that for good reasons, not simply distaste for multilateral institutions, there are different ways of dealing with the different parts of the problem.
Q382 Lord Mawson: I have two questions that pick up on some of this because I am trying to drill into the culture of all this. I think that the whole culture we are living in is changing fundamentally. The word we use is “transforming”, because I think that it is true. You spent 40 years in the Civil Service, a lot of that time at a very senior level in intelligence. How many people—I am not looking for exact numbers—have hands-on practical experience of the technology and how it works, as well as all the intricacies involved? How many are operating at senior level in this field in this country? Do you have a sense of what that is in Europe? Is the present cyber-culture of this Government and those in Europe capable of giving us the kind of security that we now need, or do we need to move far more seriously into whole systems thinking? What is your view on that, since you have been in the field for a long time? Sir Richard Mottram: If we are talking about this country, we have real strengths in the technical and intelligence aspects of what can broadly be defined as information security. We have highly capable people with a deep understanding of the technologies engaged in parts of government.
Q383 Lord Mawson: At what level? Sir Richard Mottram: At senior levels. We have senior people who have a deep understanding of the impact of these issues. If, for example, going back to the categories, we were talking about issues around cyber-espionage or cyber-terrorism, we have within our system those with a deep understanding of the technical as well as the policy background. Where the issue is unfolding more is in relation to cyber-warfare, potentially between states. That is both a set of technical issues and a set of much more complicated issues around how you might seek to frame rules that would channel this in ways that added to security. That 205 Sir Richard Mottram would be an enormously difficult set of issues. Then, going down the other end towards cybercrime, the issue that I was always acutely aware of when I was in government was whether it was around public engagement and business engagement, whether you had the range of ways of doing this appropriate to the problem and what the role of government was in relation to it. Again, if you have forums between people in government and people at quite senior levels in industry, they can bring to the table a deep understanding of the technology issues. Overlaying it all you have what I think is a very interesting issue. We have already seen the impact of living in a digital world. What might the impact be in five or 10 years’ time? Again, that is an area where there is scope to engage with academics and others in thinking about what the future might hold. There is a whole range of problems, but I do not think we lack people with technical understanding. I am not one of them, but we have people who understand the science as well as some of its impact. We are perhaps overfocused on the technical side and underfocused thus far on the social science, behavioural dimension to all of this. But, for example, and wearing another of my hats, I am engaged on an independent basis with the Economic and Social Research Council, which—here is the rub—is an unpaid role. With a group of academics, I help the Council to think about this dimension of the future as well as global uncertainties and so on. So wherever you look, increasingly you will find people thinking about these issues. The problem is to synthesise the knowledge and to reach conclusions about what it implies as regards policy.
Q384 Lord Mawson: Is not this culture being driven by thinkers? The Government are being driven by people such as the young man I met this morning who is deeply involved in the security industry. He is worried about the disconnect between what he has to deal with in the technological world and where the Government are at. These are hands-on entrepreneurial people driving the technology platform. They are not people writing papers. The whole thing is evolving at quite a pace. By the time the papers are written, the technology has moved on six steps. Is that not a fundamental problem? It is not a paper- driven world. Sir Richard Mottram: Well, I suppose a fundamental benefit of the impact of the internet might be that it is no longer a paper-driven world. Is the young man’s complaint about the capacity of the Government to take up technological options? Is that what he was talking about?
Q385 Lord Mawson: He described a world in which a whole range of people from Russia, China and so on, comprising a very large community, spend a great deal of time on computers and using other technologies that lead to our systems. This is growing exponentially. Fundamentally, his worry as a practitioner in the middle of all that is that, while the Government are operating here, he is living in a very hands-on world that requires innovation, entrepreneurship and a whole way of thinking that is fundamentally different from the traditional processes of government. That is why I am trying to push you a bit on whether the Government are fit for purpose both here and in Europe for a world that you have described, rightly, as transforming our communities and human behaviour. Sir Richard Mottram: There is a serious issue about the pace of technological change, largely being driven by the private sector, and the capacity of government to reach decisions that depend on the incorporation of technology into government systems or advice to the public and so on. There is absolutely a big problem in that. A classic example would be in the defence space, where every time the Ministry of Defence sought to reach a conclusion about, let us say, a new generation of communications technology, the time-frame in which it 206 Sir Richard Mottram took its decisions was completely out of kilter. Fundamentally, you could not take a decision because by the time you had done so something was already obsolete. These are really serious issues, and there might be generational issues also—although the coalition Government seem quite youthful to me—between people at senior levels in government understanding the underlying aspects of this. I shall make two more points, although I am sorry to ramble on. There are people in government, including young people, who are very sophisticated and understand these problems and are in touch with the wider community. As long as their voice can be heard and taken up quickly, there is no problem about information management. My second point is that, if you look at the way in which government are seeking themselves to respond in the way in which they organise procurement and so on, they are acutely aware of the issue and are trying to speed things up, as well as engaging more with industry. So, again, in the defence space, for instance, there are devices by which people can put forward proposals that are looked at within 20 days. All of that is developing, but there is a fundamental issue in that people might not quite grasp the deep implications of what is happening.
Q386 Lord Avebury: You just said that technical change is being driven largely by the private sector. I wonder if, in your view, the communication sufficiently recognises the role that might be played in internal security, particularly in counter-radicalisation and cybersecurity, by civil society, including the private sector, voluntary and not-for-profit organisations, and academia. What should the EU’s priorities be within its own research programme? Sir Richard Mottram: Perhaps I can take that in bits. The communication recognises, although it is slightly different in relation to counterterrorism and cybersecurity or cybercrime, that these are fundamentally issues that require the engagement not only of that list of people but also of individuals. I would say that we have to focus on individual members of communities and how they are communicated with. What I think the communication is saying, which is fair enough, is that the EU sees this as fundamentally a matter for nation states. It sees this as a matter for the Member States because it understands the diversity of the challenge in the area of communications. I do not think it would make sense to seek to have an EU-wide counter-radicalisation policy that was expected to have an impact of a meaningful kind on the ground in individual localities. I cannot see how it would work. It is difficult enough for Governments nationally to try to make this work, as we all know and can see. No doubt there is scope for awareness raising in relation to, say, the cyber issue—without going back over the question you asked me—but again that is probably best handled at the national level. On research priorities, it is quite interesting that the Communication touches on that but does not really play it up, which is quite surprising given that, while I do not have the figures in my head, the EU research budgets involve considerable amounts of money. You might have expected—
Q387 The Chairman: It is considering a new EU-wide programme now. Sir Richard Mottram: Exactly. You might have expected that more would have been made of that dimension as part of the contribution that the EU as a whole can make to this problem. I think that the challenge in relation to research priorities is, first, to get the right balance between thinking about these problems as essentially being about science and technology as they are usually understood—that is, around the physics and the maths, which is the 207 Sir Richard Mottram traditional way of thinking about them—and recognising that in a number of important ways they are deeply embedded issues in society where we need to understand what will drive behaviour. That is certainly what we are trying to do in those bits of the UK area in which I have an involvement. We are trying to broaden out the way in which we think about these problems. Ensuring that there is a proper social science dimension to nearly all of the thinking about these issues has been a big priority over the recent past and will be a priority in the future. At the generalised headline level you can see what the priorities should be because they fall out of the strategy. How do you turn those into valid research proposals which are going to add value? I think you have to be cautious about thinking about these problems rather narrowly as being technical or technological. The second big problem in all this, to which I do not have a solution, I am afraid, but with which I certainly wrestled a little when I worked in government, is that expenditure on counterterrorism-related research has been an area of vast expansion. Perhaps it has been less so in relation to cyber, but I think that that will pick up fairly substantially. Alongside national actors you have the European Union contribution, and alongside both you have a very substantial US programme. Until now, we have all struggled to make sense of these programmes in a way that produces real value for money. So, fundamentally, if we are going to make sense of it, we need a much better sense of the inter-relationship between what is being done nationally, the EU contribution and the very substantial US contribution. There are other countries I can think of in which we have research co-operation where similarly there is a risk that everybody is doing the same sorts of things. That would be the biggest challenge: can we define requirements and then ensure that everyone is not working on the same problem. You need a contribution that is co-ordinated and adds value.
Q388 Lord Dear: Sir Richard, I think I share with you the fact that certainly I and perhaps most of my colleagues were surprised to find that the Internal Security Strategy is silent on the role of the military both in counterterrorism matters and disaster response. I can understand to some extent the silence on counterterrorism, but on disaster response you will know from your experience with the MoD, as I do, that there is quite a lot in this country about military aid to civil power, military aid to civil authority and so on. There are well tried procedures that could be invoked and often are for disasters or near disasters. But there does not seem to be anything in the EU programme to reflect either that—something that I would guess goes on in most countries—or, more particularly, the way in which, with those facilities, the various countries can put up a joint response across borders. Do you think that it is a mistake that they should have done that, or is there another reason for the silence? Sir Richard Mottram: I do not know why it is silent. It could be because of a concern that there would be an issue around encroaching into national security. I do not know. But one should step back and ask whether the military would have a role in relation to counterterrorism and the handling of certain types of counterterrorism incidents. In the case of the UK and in most other cases that I can think of, depending on the nature of the incident, we and other countries spend quite a lot of time rehearsing the various contributions of the military in relation to the EU, absolutely.
Q389 Lord Dear: And we would not want to talk widely about it for obvious reasons. It is highly classified. I understand that. Sir Richard Mottram: We would be quite happy to talk in fairly broad terms about how this is done. We have lots of co-operation with various countries that I can think of where essentially we are helping them to develop their capabilities. A lot of it is not a great secret, 208 Sir Richard Mottram although obviously you get to the point where there are some sensitivities that we can all think of. But the idea that we can help others is absolutely part of UK policy, and I can think of other EU countries that similarly are helping third countries. I guess that it was not there because of sensitivities around whether we are getting into the territory of national security. In relation to resilience, as you say, there are a number of potential incidents where in this country the military would act in support of the civil power and, indeed, has acted in that way.
Q390 Lord Dear: On not infrequent occasions, certainly for the civil authorities. Sir Richard Mottram: Yes, absolutely. But again, the point would be that it is a sort of last resort rather than the first resort, so to speak. The Ministry of Defence and the military have sought, quite rightly, to ensure that military resources are not used as an apparently free substitute for people unwilling to make appropriate provision. But, again, you would not devise an approach to civil emergency preparedness—particularly where we are describing quite serious events that might justify involvement on a cross-EU basis involving a number of countries or perhaps the EU as a whole, or the projection of an EU capability overseas— without military input. So I do not know why it is not there.
Q391 Lord Dear: Do you think it should be there? Sir Richard Mottram: Yes, I think it should be. But, having said that, I can see immediately how Governments might then say, “We are now getting into territory that is ours”. As I think was said in the evidence from my former colleagues in the Civil Contingencies Secretariat, there would be nervousness about the classic problems around pre-planning and the right of the EU to deploy, although obviously it could not have a right to deploy military assets because we could not guarantee that we could supply them and so on. There would also be issues around the pooling of resources. But that is not a reason not to recognise that there are circumstances where these things simply are not capable of being dealt with by the civil authority without the help of the military.
Q392 Lord Mackenzie of Framwellgate: Staying with the military—I seek just a brief response—do you think there should be a growing dialogue, or a dialogue at all, between NATO and the EU in this important area of cybercrime? I have skipped back to that issue. Also, given your background in the Ministry of Defence, do you think that a cyber-attack by one state on another amounts to an act of war? Sir Richard Mottram: On the first question, if the EU is to get into areas of cybersecurity— going back to Nye typology—that go beyond what we might call standard cybercrime, which looks like other forms of crime, then there would be obvious sense in a dialogue with NATO, which is also thinking about those issues. Could a cyber-attack constitute an act of war? Absolutely, if you could establish who had done it, of course. That is precisely why we need to think this through much more clearly and effectively. Is it feasible to imagine laws of war that could apply in relation to a cyber-attack? The answer is that it is feasible. Is it therefore feasible to imagine how they would be enforced, et cetera? It is a whole area which is increasingly being thought about by a lot of countries, and it is a very interesting area. The Chairman Lord Tomlinson, I wonder if you could phrase your question in a way that does not repeat exactly the ground that we covered about two questions earlier.
209 Sir Richard Mottram
Q393 Lord Tomlinson: I am already in front of you, Lord Chairman; I was going to preface my remarks by saying that this question has been partially answered in the response to the question asked by Lord Avebury. Nevertheless, I am concerned about the effectiveness of the efforts set out in the Internal Security Strategy to prevent or tackle the root causes of terrorism, such as counter-radicalism. Is there any useful role in excess of the awareness-raising role of member states for the EU over and above the efforts of individual Member States? If we relate that particularly to the counter-radicalism measures, are there any other measures that might attempt to prevent or attack the root causes of terrorism? Sir Richard Mottram: When I worked in government, we had an in-depth dialogue about these issues with a number of countries. Some of these were countries in the EU, while others were countries like the United States, Australia, Canada or whatever. If this is looked at from the perspective of just one Government and one official, we had well established networks that we marshalled to exchange information and ideas and to develop views, particularly as the nature of the terrorist problem became much less about the projection from outside into the UK or into the US or wherever, and increasingly focused on the home-grown problem. There has been a lot of exchange with, for example, joint research projects. Another example would be this. Certainly in my time we had a frank and full discussion with our French colleagues about different perceptions of how one should deal with international terrorism. It was a deep dialogue where we debated our views. I would be interested to know whether those views are perhaps converging in some ways, but I do not know, and that is not my point. So, a lot of this goes on. What should the EU do? The EU can do what is proposed in this document, and I personally am quite relaxed about it. I do not think that there is much more for it to do. It could sponsor academic research in this area, which is quite a sensitive one. It has already done some of that, but it could do more. All of that would be quite valuable. But the nature of the problem that different countries face is a compelling requirement to be tackled, although how you go about it differs in different EU states, and therefore you come back to the question, “What will work in relation to the terrorism problem I have which is linked to activity in other countries?”.
Q394 Lord Tomlinson: I am reluctant to put words in your mouth. Perhaps I may turn the question on its head. Would our efforts be less effective if we determined that the role was principally or even exclusively a responsibility of national states and that there was no real role for the EU? If we turned it on its head, would our efforts to deal with the root causes of terrorism be more or less effective? Sir Richard Mottram: To be honest, I do not think it would have any impact. I do not think it matters other than that the EU is a convenient forum to spread information of a valuable kind and to raise awareness in countries that might not realise that the problem is quite what it is. So perhaps my answer, when I think about it, is that it would matter, but the EU effort in this area is not going to be of compelling value to the British Government or the French Government in dealing with radicalisation in their countries. A lot of the EU effort is basically about awareness raising for those who might not have the capacity to generate information for themselves or who might not have appreciated the problem. That is a valuable role, but for countries like the UK it is mainly an export issue as opposed to an import issue.
Q395 The Chairman: But of course one could imagine circumstances further down the road where the obviously quite intelligent and ingenious people who are trying to do harm to us would recognise that some Member States of the EU, which of course have free access
210 Sir Richard Mottram to this country, could be a softer target than we are. One cannot exclude the possibility that there is an internal aspect to this. Sir Richard Mottram: One absolutely can imagine that. The only other question would then be: is the EU necessarily the appropriate forum for focusing on issues of this kind? As we have touched on, there are other intelligence co-operation forums that are marginally wider than the EU itself where quite a lot of useful work also goes on with regard to consciousness raising.
Q396 Lord Avebury: Given that the ideologies that are driving terrorism today, whether it be home grown or emerging from some foreign country, are all based on the same set of ideas, surely the more multinational the examination of those ideologies, the more likely we are to arrive at solutions that will apply across the board. Is there not room at the EU level for this counter-radicalisation ideology, or counter-radicalisation anti-ideology, to be developed on a European basis? Sir Richard Mottram: If we are talking about the challenge of so-called Islamist terrorism as opposed to other forms of terrorism that we might be more concerned about, which are much more local or regional, there is probably value in thinking about how that is tackled on an EU level, but ultimately a much wider group of countries have an interest in this. Agreeing the right strategy among that wider group of countries is the much bigger prize. When I was involved in counterterrorism, the countries that I really cared about were those on the receiving end, obviously—us, the United States, France, Germany and a few others—and then those potentially on the exporting end. Different European countries face different challenges in relation to something that goes under the label of Islamist terrorism. They need to think about how they relate to those communities in their country which are linked into potential terrorist networks in other countries. Put simply, France has traditionally had a very serious problem in relation to potential terrorism from North Africa. We have had problems in relation to links between some of our communities and, say, Pakistan. What you have to watch out for is the point that the Lord Chairman was making. If I was sitting in Pakistan or wherever thinking about how I might seek to attack the UK or the United States. I might think that it was not a frightfully good idea to seek to do this through accessing the countries that are most acutely aware of the issue, so I would go via somewhere else. So there is an awareness issue. I personally do not think that the way to tackle this problem is to wrap it all up as a single problem and to try to find a single solution to it. The way to tackle it is to break it down, disaggregate it and focus on how we can best tackle it in individual countries and in the individual circumstances that they face, and play it down as this vast, overwhelming single problem, because as we play it up as a vast, overwhelming, single ideology problem, we are playing into the hands of the people who are seeking to present themselves in that way. I do not know whether I have explained myself clearly. I am a person who believes in disaggregating these problems, not aggregating them. I doubt that a debate in the EU about how to tackle them would add more value than a debate among those countries most focused on the dimensions of this problem both at home and abroad.
Q397 Lord Judd: To go back to the Lord Chairman’s point about the difficulties of some member countries of the EU not being as rigorous and as beefed-up as we are, I am not quite sure that you have covered the point. It seems to me that terrorism is an international phenomenon. There might be things being done with weaker Member States in this context that are terribly important in strengthening the effectiveness of a terrorist operation. The Chairman: Counterterrorism? 211 Sir Richard Mottram
Lord Judd: No, I mean the building up of terrorism. In that context, the failure to have effective co-operation within the European Union is making our task more difficult. I understand the point that you are making about there being an element of self-fulfilling prophecy about it. You are saying that it is not effective and therefore we have to see the EU as a useful forum but we will actually do this stuff ourselves. I am perhaps being a bit unfair in my summary, but that is how it comes across. Of course it is not either/or, but surely we have to be working at beefing-up the European Union as a whole and its role in this, strengthening the contribution that is made by all Member States. Sir Richard Mottram: I am trying to say that it is horses for courses. Let us take the case of aviation security. It is fundamentally important that every European Union country has adequate arrangements, because otherwise you are into the point made by the Lord Chairman. But equally it is no use our all having wonderful arrangements for aviation security if in a third country—I will not get into names—there are very inadequate arrangements. So in that case we have chosen to try to frame a multilateral approach, supported by an international body and a whole set of conventions and a capacity to check up, and a capacity of individual Member States to support the work of other countries to drive up aviation security on a global basis. I am not denying that the EU has a role in all this. I am saying that we should think, in relation to each function and each challenge, about the optimum way of seeking the result that we want. You may have the impression that I am anti-EU; I am not at all anti-EU as a person. The point I am trying to make is that it is horses for courses. For some things, if we organise a lot of co-operation at EU level, it does not tackle the problem. But we certainly can use the EU as one means of mobilising awareness and standards. I have no problem with the idea that we should all have exemplary aviation security through all the airports in the European Union. I have no problem with the EU Ministers all sitting around in the Transport Council, as they no doubt do, saying that this is a very big priority for us. That is fine, but we need a framework in that particular case that deals with the threat. That threat is not simply internal to us. The Chairman: That point is well taken, if I may say so. We have come across it in other contexts. I think we must move on now.
Q398 Lord Richard: I would like to ask you a question that I do not think has anything to do with what we have been talking about for the last 20 minutes. The strategy itself talks about developing more integrated borders, including the greater use of technology to facilitate border crossing, as well as the creation of a European border guard. What relationship do you think these developments will have with future UK border control activities, including the e-borders system? As I say, that is not really connected with what we have been talking about. Sir Richard Mottram: My answer to that is that I do not really know. I have never dealt with the e-borders issue other than recognising its importance in the UK’s counterterrorism strategy, but I have never been in charge of it. It is very important that if we choose to do these things ourselves, we do them in ways that are readily inter-operable with and learn lessons from our partners in Europe. The Chairman: I think we agreed at the beginning that, where there was an area where you did not have a direct input to make, we should not pursue the matter.
Q399 Lord Dear: Not a million miles away from borders would be the requirement for what is called PNR or PNI—the passenger names index or registry—which, as you know, 212 Sir Richard Mottram flowed from the attack on the Twin Towers and elsewhere in the US. The Americans insist on certain information being given before flights can enter their airspace. There is now a suggestion that that should be extended into the EU for intra-EU flights. We have experience and we have to comply when flying to America. Many of us have done that. Should we have a much more complex system for the short-haul and medium-haul flights around Europe? Do you have any views on that? Sir Richard Mottram: Yes, my simple view is that I am in favour of it. Okay, there are issues around how much it costs and how you organise it, and so on, but I can see that there are potentially real security advantages, so I would be in favour of it. However, all these things are only as good as the quality of the intelligence you have, which you are comparing with the flight information.
Q400 Lord Dear: Taking the issue of the quality of information, which of course is a given—if it is a false identity, then one is struggling—but assuming it is correct and it is for intra-European flights, the next logical extension is into crossing Europe by road or by boat. Where should one stop? How does that sit in relation to the fact that the majority of countries in Europe do not have border controls? Once you are inside Europe, you move around freely. Sir Richard Mottram: I think you stop pragmatically. You could very quickly come back to me and say that, if we introduced this for internal flights, people of potential concern would simply move around by other means. The answer is that if you can do this and it does not have a huge resource cost, I would be in favour of it. If it involved a huge resource cost, you would have to ask whether it was likely to be defeated anyway by people understanding that you were doing it and switching.
Q401 Lord Avebury: There are a number of proposals in the strategy to make it easier to seize, freeze and confiscate criminal assets, including revision of the money-laundering Directive and increasing the powers of the asset recovery officers. Do you think these proposals will make EU’s efforts in this area more effective? Sir Richard Mottram: I think it is quite useful to have in the Communication and the strategy the importance of focusing on this. I am not an expert, but I suggest that UK experience shows how difficult it is to turn this into a practical reality that has real bite. I think it is a sensible thing, but one would have to be quite cautious about what the impact is going to be.
Q402 Lord Judd: Obviously we want to be protected, but in the end, with all your vast experience, do you have any anxieties about the impact of the Internal Security Strategy on the freedoms and fundamental rights that make our society worth protecting? How do we achieve the integration of the protection of those rights with effective action? Sir Richard Mottram: When I read the various things that the Commission was proposing, I cannot say that I thought that they were a fundamental challenge to our human rights as citizens, but again, rather as with the point we have just made, it all depends. If you are going to have a lot of data sharing, it all depends on what happens to that data. You need to focus on data protection. You need to focus all the time on the proportionality of how these various measures are being implemented. I was interested to see the various efforts you have been making in relation to the European arrest warrant, to try to establish in what contexts and for what purposes, in the terrorist context, it had been used. Those are the issues that one has to have in mind. In the UK context, you can see why certain powers are
213 Sir Richard Mottram given to the police. You then worry about the way in which they are used. You have to have a dual focus, or even a triple focus, actually. You have to worry about whether the coverage is such that, fundamentally, our ability to go about our lives without feeling that we are in a police state has been compromised. Secondly, if you are sharing all this information, is it being shared effectively? Thirdly, is the way in which it is being implemented proportionate?
Q403 Lord Judd: Just going back to Lord Avebury’s question, if you take academic freedom, for example, as an essential element in a free and open society worth living in, as all this moves forward is there a danger of a chilling effect on honest communication about original, challenging thought? Sir Richard Mottram: Why? Lord Judd: Let me be specific. I can think of a university that I am involved in where I have seen an internal memo that reminded researchers and others of the context in which they are operating and the need to take this seriously. Sir Richard Mottram: The terrorist risk inside universities? What can I usefully say? There are a number of trade-offs here. For example, there are already serious constraints on who can be engaged in certain sorts of research in universities because of the risk that the knowledge that would be generated will head elsewhere in ways that would be fundamentally damaging. There is no absolute right for a university to conduct research into a particular area with whomever it wishes to employ as a researcher. There are obviously trade-offs here. In relation to the trade-off you are talking about, there is a very serious issue around academic freedom and debate, alongside the fact that it is quite clear that a number of younger people in universities have been radicalised in ways that present a real risk.
Q404 Lord Judd: One does not dispute that this is a balance. I am asking whether you do feel there is an issue here and whether we need to keep it constantly in mind. Sir Richard Mottram: Yes, there is an issue here and we need to keep it constantly in mind. The strategy does not really describe how it has balanced it—I am not criticising it—but it has clearly in mind the fundamental point about the nature of the society. I shall back off one little bit. The strategy rather confusingly says both that we cannot move to a zero-risk society and that we are going to try to protect people. The way some of my colleagues and I thought when I was in government is reflected in the UK’s counterterrorism strategy. There is no way you can imagine of giving the public reassurance that there will be zero risk of a terrorist attack. If you aspired to it, you would create a society that was not one that you wished to live in. In relation to every measure you think about, you have to have in mind— this is reflected in the language of the EU documents—the type of society we wish to live in. That is a society where, fundamentally, we live in freedom and the state and its agents operate within the rule of law. There is a separate judicial process to ensure that they are doing that. I would not compromise any of that—to be fair, this talks about the values of the European Union, for example—in relation to being able to do certain things that might, at the margin, improve our security. But in each individual case—universities are an acute example—you get these issues and you have to have them constantly in mind. Universities should not do what the state tells them, for example, and they do not. Lord Tomlinson: Lord Chairman, I indicated to you that I would like to ask a supplementary, but Sir Richard has answered it so there is no need. The Chairman: Thank you very much. I have dropped the last question that we forwarded to you, because it seemed to be very much involved with the EU’s internal organisation, which you said you did not have any direct experience of. Since you have given 214 Sir Richard Mottram us an hour and a half of your time, I would like to thank you very warmly. Speaking for myself, and I think for other members of the committee, we have all benefited a great deal from your answers and the evidence you have given us. It is very helpful to have someone who is not any longer involved directly, day to day, in these matters, but who has looked at them very broadly. I found your evidence very useful indeed. Thank you very much. Sir Richard Mottram: Thank you very much. That was very kind of you.
215 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons
James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons Oral evidence, 2 March 2011, Q 405-447
Evidence session no 11 : heard in public
Members present
Hannay of Chiswick, L (Chairman) Eccles of Moulton, B Hodgson of Astley Abbotts, L Judd, L Mackenzie of Framwellgate, L Tomlinson, L ______Examination of witness
James Brokenshire MP, Parliamentary Under Secretary of State, Home Office and Emma Gibbons, Head of EU Section, International Directorate, Home Office
Q405 The Chairman: Good morning, Minister. Thank you very much for coming along. Before I go into the preliminary script, I should just explain that this is our last evidence session that we are holding on this inquiry. It is therefore, from the Committee’s point of view, an important one. The length of the set of questions that we gave you in advance I think explains itself, because in this evidence session we are trying to cover the whole field and make sure that we have the Government’s views at political level on the whole range of issues that are covered in the Commission’s communication and which will be covered in our report. So I am afraid this may take a little bit of time because of that, but I am sure you will understand that the purpose of it is to enable our report to be as well informed and up- to-date as it is possible to be. James Brokenshire: Thank you. I appreciate that, and obviously I will try and deal with your questions as fully but as succinctly as I can, given that I do appreciate that there is a lot of ground to cover in this session. The Chairman: Thank you very much. As you know, the session is open to the public. A webcast of the session goes out live as an audio transmission and is subsequently accessible via the parliamentary website. A verbatim transcript will be taken of the evidence and this will be put on the parliamentary website. A few days after our session today you will be sent a copy of the transcript to check it for accuracy. If after this evidence session you wish to clarify or amplify any points made during your evidence or have any additional points to make you are welcome to submit supplementary evidence to us.
216 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons Perhaps if you could just introduce yourself and your colleague and if you have any statement that you want to make at this stage it would be very welcome to the Committee if you make it, but if you wish to go straight into questions that would be perfectly acceptable too. James Brokenshire: Lord Chairman, thank you very much. Can I introduce Emma Gibbons, from our international department at the Home Office, who is sitting alongside me this morning? Obviously, I am the Parliamentary Under-Secretary of State at the Home Office, with responsibility for the broad EU-related matters within Justice and Home Affairs as they impact upon the Home Office. I did consider having an opening statement, but I was considering the ground that we were likely to cover and, therefore, I am quite happy to go straight into any questions that you may have around the Internal Security Strategy.
Q406 The Chairman: Thank you very much. Then let’s get started on the questions. I think we would like to hear from you what your view is of the role that the EU plays, and should play, in internal security and how well it does that; and how it should fit with Member States’ primary responsibility for national security, which remains established under the treaties. What should be the EU’s priorities in the internal security field? Are these appropriately reflected in the strategy that was adopted by the Council and in the communication that we are looking at and writing a report on? James Brokenshire: I think there are two elements here. One is the EU role and how that fits together with the responsibilities of Member States. I think that there is a role for the EU in internal security. Member States cannot do everything unilaterally, when we know that the threats that we face cross borders. I am sure we will come on to the issue of cyber crime and cyber security, but that highlights that. I think it puts it into stark relief in terms of the challenges that we face internally within this country, and therefore the need for us to be able to work with Member States, and how that relationship with Member States can also assist in giving greater leverage with third countries as well. On the second point, I think that the strategy does broadly capture the priorities that we would seek to see addressed in an Internal Security Strategy. We might give more weight perhaps to the cyber crime/cyber security issues, given the importance and the significance that we place upon them in this country and how the new Government has, I think, telegraphed that very, very clearly. But in some ways you could also say, “Well, have these threats evolved? Have they changed? Is there something that’s different?” I think in many ways the threats do continue from organised crime, the issues of terrorism, the issues of cyber crime and cyber security that have been flagged up, and obviously also the issues of border security and natural and manmade disasters. I think that they do capture properly the broad range of issues that are relevant. There are points of the detail, which I am sure that we will get into in this session, but I think that they do, on a macro level, address the challenges that are faced across the EU.
Q407 The Chairman: So, broadly speaking, the Commission has the priorities right in the implementation of what was after all a pretty broad brush Internal Security Strategy? James Brokenshire: Yes.
Q408 The Chairman: Now the devil will be in the detail, of course, but they have the right things in their sights and they are asking the Member States to talk together about the right things? That is the broad picture? 217 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons James Brokenshire: I think that if you look at the emphasis that we are placing domestically around national security-related issues, it should not be too much of a surprise to see that they are broadly in line with the sorts of issues that we are seeking to deal with. So I think the answer to your question is in that broad sense, yes, it is.
Q409 The Chairman: Yes. It brings out the fact that the countries of Western Europe do face rather similar threats and quite a few of them have to be faced collectively. James Brokenshire: Hence the reason why there is the responsibility, as you rightly telegraph, in terms of the treaties for national security issues to be dealt with by Member States, but the need for co-operation and that practical approach between Member States, so that we are best able then to fulfil our duties and our obligations internally, respecting the fact that this is a primacy issue for Member States in that way.
Q410 Lord Tomlinson: Minister, evidence that has been given to us from the Home Office appears to suggest that the Commission proposals are welcome, subject to a couple of caveats, that they do not go beyond the Stockholm Programme and that they do not involve significant additional expenditure. Is that a correct summary of the position of the Home Office? Following that up, if it is, is it an adequate response to a programme designed to cover a period of years when we are not able to read the future with the precision that we would like, and would the strategy in the United Kingdom, therefore, not benefit from more proactive involvement by the UK, both Ministers and officials? James Brokenshire: I think that you are rightly pointing to the explanatory memorandum that we issued alongside the communication. I would not want to give the impression to this Committee that the Government’s response is to say that it needs to be limited in issues of expenditure. Yes, of course, in a time of austerity we feel it is important to query the costs involved with any new proposals, but simply because we are querying the costs of programmes does not mean that we do not actively want to be engaged in the strategy or are committed to internal security in that way. I think our emphasis on a number of different fronts has been on practical co-operation, how that is absolutely imperative, how we can better do that, because a lot of the building blocks and processes are there. It is about how we can make them operate more effectively. Hence the arrangements that we have taken, say, with COSI on the work that SOCA has sought to do to provide a practical input into COSI to seek to take that work forward in that way. What we do not want to do is to reinvent the wheel. We have the Stockholm Programme that clearly sets out the basis of our approach around Justice and Home Affairs, and we do not want to then somehow create parallel or expanding out processes that go beyond the vision that was envisaged within the Stockholm Programme. There are concerns that we have about going beyond that, about seeking to create new structures or new systems when existing systems and procedures already exist. I suppose that is perhaps the cautionary note that we have levelled on this, but that does not mean that we are not committed to actively engaging around the work. As I say, I think the practical approach that we have taken in relation to COSI is a very good example of that.
Q411 Chairman: Thank you. I think that is a very helpful way of looking at it because, as you look around the world at the moment, it is rather evident that one cannot simply say that the Stockholm Programme is the final word in wisdom by which we can navigate for the next five years, and I think your response shows that you are conscious of that.
218 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons James Brokenshire: I think, clearly, we have set out that the Stockholm Programme should be the basis of our approach, particularly on new legislative requirements that are coming forward. There are a few that are suggested by the Internal Security Strategy, which we questioned that that is the right approach and that is the right way to go down. It is this practical co-operation that I have always stressed at Justice and Home Affairs Councils that I have attended as being really imperative. There is so much that can be done around this that I think would really aid the delivery of greater internal security.
Q412 Lord Hodgson of Astley Abbotts: Minister, 18 months ago we held an inquiry into cyber security and cyber crime and at that time it was considered a subject slightly on the edge. Since then there has been a veritable deluge of events and news about it. Do you think the Internal Security Strategy document still attaches the appropriate degree of urgency and importance to this cyber security problem? Do we have the right balance between the law enforcement and other issues, raising awareness of the risks, which I think are still quite low, as well as influencing behaviour in cyber space generally?
James Brokenshire: First of all, I would say that clearly I am pleased that it is stated there as one of the five key issues highlighted within the strategy. I think that is a positive thing. Does it go far enough? Well, we probably think that it does not in terms of the emphasis that domestically we are now giving to cyber crime and cyber security, the emphasis that has been highlighted in the Strategic Defence and Security Review around this, the funding streams that we are committing to enhance and really strengthen our response around this arena. Certainly cyber crime and cyber security is an issue that I have personally taken a very close interest in for a number of years and is very close to my heart in relation to how work in Government needs to be developed further in a preventative sense—and I think you are right to highlight that—as well as obviously from a law enforcement and also a co-operation sense within Member States as well.
We have the existing Council of Europe Convention in relation to cyber crime, which the Government has been working forward towards ratification, which I regard as important, and clearly now we have the new directive that, at an EU level, we have obviously signalled that we are opting into. I do regard it as very important. I think it does need to be stressed further. It is something that domestically we are doing, and I do want to see that enhanced and promoted at an EU level as well.
Q413 Lord Hodgson of Astley Abbotts: Do you think that within the EU we are doing enough to encourage people to report cyber crime? Does the iceberg principle apply—that organisations are concerned to report it because it may be seen as a reflection on their stability, their safety and their efficiency. As a result we have only a small amount recorded but underneath the water there is a great deal more going on, that somehow we are not able to persuade people it is in their interests to report or to comment upon? James Brokenshire: I think that the reporting line is a very relevant factor. It is something that I have been conscious of for some time. If you look at other examples internationally: you can look at the United States with IC3, as it is referred to, the Internet Complaints Center that they have there. It is something that we are examining, as part of our domestic cyber crime approach, and we hope to publish further details in relation to that later this year.
219 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons Where I hesitate, though, is that I see that as a Member State requirement to encourage our citizens to understand the risks and the threats that are posed in that way. Where I think it goes too far is to mandate all sorts of different things, to then report that into the centre and mandating from an EU level that certain things will happen in that way. Yes, of course, we do need to share information and share intelligence. It is just the sort of rigidity that may be attached to that that I think is perhaps the wrong emphasis that may be applied.
Q414 The Chairman: Could you give us any idea of the timetable for ratification of the Council of Europe Convention? You mentioned that you are working your way towards it, which sounds like one of those wonderful phrases that could mean one month, one year or 100 years. James Brokenshire: No, I know. I remember in opposition when I was asking questions around this to the previous Government and warm words were given on this to give me assurance. It will be this year and we are literally in the final stages of dotting the i’s and crossing the t’s in relation to ratification, because I think for me it always sends an important statement of our intent on co-operation. This is something across borders and boundaries and, therefore, we need to take into account that more international aspect to it. The fact that we had signed the treaty many, many years ago and had not ratified it I think perhaps portrayed an indication, maybe wrongly, that this country was not serious on this. We are serious about this, which is why we are taking these steps. The Chairman: It is not the only one that we have signed and not ratified. James Brokenshire: No, no. The Chairman: But it is welcome, and without prejudging these things I think you can be sure that our report will encourage you in the path that you are going down.
Q415 Baroness Eccles of Moulton: Minister, with your longstanding and particular interest in the subject of cyber security you no doubt have a view about whether Europol is the right place for the proposed Cyber Crime Centre. Seeing as how they concentrate very much on law enforcement, do you consider that they have the skills and capabilities to be able to cover the other important areas as well, which you have already mentioned? Also, can these priorities be achieved without further funding, and maybe even new legislation, if Europol is decided to be the centre? James Brokenshire: In terms of the first answer to your question, I think that Europol is the right place to have a Cyber Crime Centre. Europol’s core business is to provide support to relevant authorities in the EU in their fight against organised crime and terrorism, and therefore in that context, when you look at some of the methodology of the approaches that are taken in relation to these issues, I think there is a clear linkage there. I do not think there is any reason to question that Europol would have the skills and capabilities to develop a centre. The High Tech Crime Centre has been housed in Europol since I think around 2002, and provides valuable experience in this area that can be drawn upon. So I think in that sense it is the obvious place to put this. Again, it has the capabilities to develop some of the preventative issues that I think Lord Hodgson has rightly highlighted in terms of how the approach needs to be balanced in that way. We think that it can do that within existing resources, and perhaps reflecting some of my initial comments in opening. In terms of further legislation, we do question whether this would be required. I think, for a number of the reasons I have already given about the practical steps and approaches that are
220 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons being taken, that we do question legislation. Obviously, we have the directive that operates more generally across Member States and perhaps that is where the emphasis needs to lie.
Q416 The Chairman: One question that has slightly baffled us, because whenever we have asked it the person we have questioned has said they do not know very much about it, is the vulnerability of European institutions, which has been rather clearly shown up by the cyber crime attacks that were made on the EU’s emissions trading scheme in recent weeks, which appear to have affected not only the central scheme operated out of Brussels but also some of the national centres for dealing with this. I do not know whether you are able to say anything about that to us but I imagine you would at least agree that this shows that there is a vulnerability in the European institutions, which needs to be dealt with if we are not to find these systems falling down. James Brokenshire: I cannot comment on the detail of the case, but obviously I know that SOCA have been engaged around that specific issue and we are not aware that it posed any domestic issues for us here internally. However, I think it does rightly highlight to Member States and to EU institutions the need and the challenge in the way in which IT systems and the architecture that sits behind the various processes have to be a relevant factor. It is something that, in terms of our information communications systems as we move to our computing and different environments, has to be very much at the forefront of everybody’s attention in the way that we move to e-government, the way that we rely increasingly on electronic communication to do business, to transact, to interact with each other, and how security by design—if you can use that terminology—is I think very relevant in the approaches that we all need to take in this arena.
Q417 Lord Judd: What part do you think the EU could, should indeed, play in its relationships with other countries, particularly the US, China and Russia, but one also thinks of countries like Canada, Australia, India, Brazil, South Africa, south-east Asia, and with international actors, including NATO and the UN, to reduce the risk of cyber crime and other hostile activity in cyber space? We have all heard that the Foreign Secretary stated at the Munich Security Council that the UK will hope to host an international conference later this year. What can you tell us about this conference: its timing, who is going to be invited, and what its agenda will be? Will the objective be to secure an international agreement at the conference? By the same token, when does the UK intend to ratify the Council of Europe Cyber Crime Convention, which it signed on 23 November 2001? I should say that I was a member of the Parliamentary Assembly of the Council of Europe at the time. James Brokenshire: That is very good to hear, Lord Judd, and, as I have indicated, we do intend to ratify the treaty later this year. It is something that I do regard as important in telegraphing a clear message around international co-operation in this arena. To deal with the specifics of the conference that the Foreign Secretary announced, that will be held in the autumn. Details of the date and venue will be announced in due course. While attendance will be by invitation, we expect it to include Governments with major stakes in cyber security policy and international organisations with relevant mandates around this arena. We would also expect the private sector to be involved, as well as academics with an interest in the subject. The Foreign Secretary set out seven broad principles, which we would see as important but these are not set out in stone by any stretch of the imagination. We want to start a process and therefore, in terms of some of the issues that you are questioning on, we do not want to necessarily prejudge what the outcome of that process would be. Obviously, there is a
221 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons value in formal mechanisms, as I have highlighted, by virtue of the Budapest Convention and obviously by virtue, on a strictly EU level, of the directive itself. To take us back to the opening question that you asked about that inter-relationship between the EU and countries outside the EU, certainly we want the EU to press for co- operation on tackling cyber crime with those external countries as part of the general threats that we all face individually. We would welcome the benefits of the work of Europol and the European Network and Information Security Agency to be available to share, where appropriate, such identified threats and trends and information on how the public and business can prevent and protect themselves, and I suppose, in many ways, to develop further the point that Lord Hodgson raised in his question.
Q418 Lord Judd: If I might just follow that up, it would be fair to say that you want the conference that is proposed to be as relevantly inclusive as possible, rather than an exclusive occasion. Do I get the impression that, while you are not committing yourselves to achieving an agreement at this conference, you recognise that an agreement ultimately could be a good thing? Could I just underline that by saying that I am one of those who believes that all this is an international reality. It is not a matter just of how we can here and there and in different ways co-operate with others; we simply have to get effective international action because in the end it is all going to be as strong as the weakest link. Therefore, we have to be beefing people up everywhere and getting people committed to high standards of operation everywhere. In that sense, it seems to me it would be interesting to hear whether you think an agreement would have a part to play. James Brokenshire: As I think I have said, Lord Judd, I do not want to prejudge the outcome of that conference. Lord Judd: I think that is quite wise. James Brokenshire: So, while I am tempted by your question, as I say, I think that there is important work that needs to be undertaken around practical co-operation, sharing information, sharing of approaches and, while we recognise the importance of more formal structures, I certainly would not like to pre-empt what may come out of the conference. As I think I have indicated, this is the start of a process. There is more work to be done. But it is, I think, a very useful way of drawing various different strands together and drawing important players that need to be involved together in this way.
Q419 The Chairman: I was at Munich when the Foreign Secretary made his speech, which I thought was well received, because I think a lot of people at that conference, and more widely, had concluded that it was time that somebody took a grip of this rather slippery subject. It is a huge subject and it was suggested at the conference by Professor Nye that we are dealing really with four things, which are cyber crime, cyber espionage, cyber terrorism, and cyber attacks by nation states. That just gives you some idea of the scope of it. James Brokenshire: The interrelationship between those as well, given that the attack vectors or the threats can cross over between something that—say, denial of service attack—could be criminally focused or it could have parastatal implications, and so it is a complex arena.
222 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons Q420 The Chairman: Yes, and it brought home, I think, the fact that NATO was doing a great deal of work on it, and the NATO commander responsible was there and clearly has a role to play in a conference like this, but so does the European Union because of cyber crime; in particular the cyber crime area, and the possibility of cyber attacks on civilians, cyber infrastructure, and so on. I think it is welcome that you say the Foreign Secretary will be taking a rather inclusive approach to this. Of course, some of the people invited may not always take an entirely innocent approach to these matters. I think excluding people would not be the right approach, but that sounds to me as if that point has been taken. James Brokenshire: I certainly welcome your comments as well, Lord Hannay, and I am sure that they will be noted.
Q421 Lord Mackenzie of Framwellgate: Good morning, Minister. The Internal Security Strategy says nothing about the role of the military in dealing with cyber crime, in dealing with the natural response to disasters. Do you think it is wise for it to remain silent in this area? James Brokenshire: I think it is the position that you put military assets in. Our view is, for example, that they can provide significant support to disaster relief but should only be used where there are no civilian alternatives. I know that some Member States take a slightly different view; for example, I think it is the Netherlands that does not make that sort of distinction. But if you take another example, the operational response to terrorist acts is led by the police; terrorism is a crime. We have tried and tested arrangements in place for providing military support to the police in a range of areas, including in response to a terrorist attack, and decisions on the deployment of military assets will be taken on a case-by-case basis. I think that our approach on any specific proposals for military support to disaster or civil response in that way has to be considered on a case-by-case basis. Therefore, specifying it too rigidly I think would not necessarily be the right way to take that forward.
Q422 Lord Mackenzie of Framwellgate: That should apply in each country presumably? James Brokenshire: I think it is for Member States to determine. I have highlighted that, for example, the Netherlands may take a slightly different view on this than we would in terms of military support being used only where the civilian alternatives are not there, but I think that is certainly the view of the Government on this.
Q423 The Chairman: If I could follow that line up a little bit. There is, of course, a capability in Brussels to provide military advice and co-operation in the Military Committee of the European Union. I think we were struck that this is one of those areas that bridges internal civil disasters and external ones in which the European Union might play a major role in trying to relieve the problems caused by the disaster, like Haiti or wherever it may be. What struck us, I think, and why we asked this question is because in some such circumstances one can envisage the military as being far the most effective way of dealing very rapidly, which is when of course most people die in the very early stages of these disasters, and we were struck by the fact that there was no reference in the Commission’s proposal to this. If I understood what you were saying, you certainly do not exclude the possibility of the military being brought into these things but they should be looked at on their own merits. 223 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons James Brokenshire: I think that is right, and obviously I am cognisant of the Lisbon Treaty solidarity clause, which includes reference to military resources, and the extent to which its implementation could integrate civilian and military instruments is unclear. But I think that we do need to look at this on a case-by-case basis and, as I say, underpinned by the approach that we would take that that should be where there are no civilian alternatives that are available.
Q424 Lord Mackenzie of Framwellgate: Minister, you have already touched on COSI. Could I ask you your view of how COSI is working so far, should it be made more transparent and, if so, how? How could COSI help to make the multitude of Council working groups far more effective—all of which bodies obviously currently have a role in internal security—and make them operate in a far more coherent manner? James Brokenshire: COSI has met, I think, now seven times since its creation and, while it might be fair to say that it has not necessarily hit the ground running, I think that it does have a very important role to play. I think that there have been some positive outcomes that are now being achieved. I made reference to the paper that SOCA put forward, and a number of the points that have been highlighted in that paper have been supported by COSI. I think that highlights some of the practical ways in which it can operate as a committee and I think does have a role in co-ordinating other Council working groups. I do not think it should set the agenda, though. I see it as perhaps more of a practical step rather than as a co-operation type step, if you can describe it that way. Clearly there is a role for it in co-ordination but I would not say that is its principal role. I think its principal role is providing an important forum to draw together the relevant agencies within Member States to look at the very practical steps that can be undertaken. I suppose that perhaps is where I see its greatest strength. It is now starting to move forward in that way, and that is perhaps where I think it needs to have its emphasis moving forward, rather than morphing into something that, frankly, it isn’t. As a consequence of perhaps that practical approach that is being taken, I think that there is a need for it to be better understood in that practical sense, that it isn’t some sort of body that it isn’t. We are seeking to provide better information, as the Home Office, as to what COSI actually is in that very practical way. I hope that doing so will assist perhaps in understanding its perspective, what its role is, and therefore, as it makes recommendations to the Council of Ministers, the Justice and Home Affairs Council, clearly there is scrutiny that is applied at that level. That perhaps is the right way to view it: a very practical body that might make recommendations in a practical sense, with the scrutiny, the examination and the transparency being applied around that as any other recommendations coming before the Council would do.
Q425 Lord Mackenzie of Framwellgate: It needs to improve its own image? James Brokenshire: I think it needs to explain better what its functions and roles are. I think that is starting to happen. We have a role to play ourselves in assisting around that, and I think there has perhaps been some misapprehension or misunderstanding as to what COSI actually is. Therefore, it is something that we are conscious of and take on board the need to telegraph that explanation more clearly.
Q426 The Chairman: Presumably you would hope, among other things, that it would be a kind of giver of advice to and sounding board for the Commission, so that they get a feel from how Member States are approaching these issues and, also, can carry Member States
224 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons along in the implementation process. Do you think it also has a role in trying to rationalise a bit the rather baroque structure that exists at the moment with large numbers of working groups and overlapping and so on? Do you think in the long term it could perhaps move things in a more rational direction? James Brokenshire: I think COSI’s focus on facilitating practical co-operation means it is well positioned to take responsibility for monitoring implementation of the Internal Security Strategy and measures in the communication. I am sure that COSI will present its own evaluation as part of the end of year report on the state of EU internal security. I think it is very well placed to be able to do that. In terms of a broader role, I just caution that because if it is about practical co-operation then if it starts to branch out beyond that I think perhaps that raison d'être, that essence of what COSI is, may get diminished or it may get transmuted in some way. So it is a practical group and that, I think, is where our emphasis lies and our engagement has been around it. But clearly it does have a role in informing, in monitoring, in assessing and I hope ensuring that we do deliver, having that key role and delivering on internal security.
Q427 The Chairman: It surely is the case that the JHA Council last week widened its role quite a bit. I read those conclusions, which I assume you have adopted by now, which seem to me to be a rather helpful rationalisation of how it was going to work in the future. Could you perhaps confirm that they did agree those conclusions? James Brokenshire: You will have seen the conclusions have been agreed and I can confirm that. Although, as the conclusions state, it does invite the Commission to co-operate with COSI within its mandate. I suppose that is the key role in terms of “within its mandate” on practical co-operation. That is why I suppose I also made reference to the implementation of the ISS. It does have an essential role in that, and I think that is reflected in the conclusions, but in that very practical sense.
Q428 The Chairman: We have not yet in fact had a report on the JHA Council. You very helpfully gave us the draft conclusions in advance, and I would like to thank you for that because that is part of the new system under which you share limited documents with the Committees, and we are able to agree exceptionally that the decision could be taken without an override. James Brokenshire: Can I thank you for that. That was very helpful. The Chairman: But it would be helpful if we could have your report on and analysis of the JHA Council. That would be useful for our report, if you could let us have that in the reasonably near future. James Brokenshire: Thank you. We will seek to provide that.
Q429 Lord Judd: How effective are the efforts set out in the Internal Security Strategy to tackle or prevent the root causes of terrorism, such as counter-radicalisation initiatives? We all know that the Prime Minister spoke very strongly about his views on multiculturalism at Munich. Without getting involved in what might be rather a lively discussion about that speech, could I concentrate on the matter in hand and ask: in view of the fact that there are very large ethnic minority communities right across the European Union, does the European Union have a useful role to play—perhaps a key role to play—in helping the work of Member States in dealing with this very difficult issue?
225 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons James Brokenshire: Obviously, as I think we discussed earlier in this session, national security is where Member States have primacy. The EU can play a co-ordinating role; I think it is that co-ordinating approach that is the key element behind this, as I have already said, in relation to perhaps where the Internal Security Strategy is based around. But we are concerned that some of the initiatives outlined in the Internal Security Strategy perhaps duplicate existing work at a bilateral level, without clearly adding obvious value to that. So, for example, on the specific issue that you were highlighting, the creation of a radicalisation awareness network does duplicate the ongoing work of the Policy Planners’ Network, a group of eight Member States who meet regularly to share best practice on tackling radicalisation. I think there are issues of overlap and whether that is the right approach to take, and the Government believes that the Commission should give further thought to what practical measures can usefully be taken at an EU level.
Q430 Lord Judd: Can I just pursue that. I am rather interested by that answer because it seems to me that what you are saying is that there is duplication. James Brokenshire: The risk of it, yes. Lord Judd: Yes, you are saying there is duplication, and I do not argue that, but what you seem to be suggesting is that the duplication at the European level therefore needs to be tackled, because it is not helpful to have duplication. But if you accept that this is an international issue with which we are dealing, a threat that is global and international, and that there is therefore the need for a very effective international action—the point I made earlier about only being as strong as the weakest link is relevant here—is it not possible to argue that perhaps we ought to look at where we are duplicating the international work that we should be concentrating on? James Brokenshire: I suppose it is a question of where you view this, and I see it as the individual Member States, reflecting their treaty position, as having the primacy on this. The fact is that each Member State faces different levels of threat, different patterns of radicalisation. Therefore, it is not clear to me that there are many core activities that the EU itself can usefully engage in. I think there is a facilitating co-operation, but where there is existing co-operation that is working well and effectively how does duplication then assist that? I suppose it is then taking it back to that practical co-operation type of approach that I have stressed through this session that there are the benefits of. But if there are things that are working well how does that necessarily assist? All I am saying is you need to look at this quite carefully in terms of how this moves forward.
Lord Judd: If the Lord Chairman will allow me just one last supplementary. I am still a bit uneasy about your answer, frankly, because it seems to me that it can be interpreted as saying, “Look, we’re running the show, and we realise that there are international things that can be done that will help us tackle it”. What I am asking you about is whether we have a problem here that has to be tackled internationally and we have to see how we play into that. There is a very important point here about the emphasis of the direction of policy, within the Home Office and elsewhere, as to whether it is about getting effective international action and what part we can play in that, or strengthening national action and seeing where international action might support it. James Brokenshire: The Home Secretary has announced a review, for example, of some of the counter-terrorism work and that is ongoing. To take it back to where the EU does have an important role to play or where it could assist, for example improved access to funding for individual community-led projects tailored to the specific needs of a particular community or country could be one concrete way in which the EU could take matters 226 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons forward. So I would not want to suggest that there is no position or that there is not that intra-relationship that is there. I think it needs to be examined quite carefully in the context of the Member States’ position in relation to national security and what the EU can do to best harness that overall protection, respecting the individual rights of Member States in their ability to provide national protection to their citizens.
Q431 The Chairman: I sometimes have the feeling myself that a little discussion between EU leaders as to what they really mean when they talk about multiculturalism might not come amiss either, because I do not think they always mean quite the same thing when they refer to it because of each country having a different experience of it. But I think you are rather confirming that the Commission’s pretty cautious approach in this area is probably about the right one, and that there is nothing that we should be unduly alarmed about in the Commission’s approach, which seems to me not to be very far reaching in that respect. James Brokenshire: As I say, I think it is one that we do need to look at in a cautious way, yes.
Q432 Lord Hodgson of Astley Abbotts: The strategy talks about more integrated borders and the technology associated with that, which leads to the creation of a European border guard and border surveillance system, EUROSUR. I think we would like to hear what you feel the implications are of these proposals, particularly given the fact that we are committed to endorsing and helping Frontex, the existing agency, and indeed the implication for our own border control arrangements, including the e-border system now coming in. James Brokenshire: We certainly take a close interest in developments that will strengthen security and surveillance of the existing Schengen borders. I might ask Emma Gibbons to supplement any specific points around the EUROSUR and the arrangements there. We do lend UK support and expertise where we think it will be of the most value. Obviously, we are not directly party to the Frontex arrangements, but we have supported its operational activities with human and technical resources. For example, they have helped to expose the extent of nationality swapping that takes place at the external borders and thereby harms the effective working of the EU asylum system. So we do have that engagement, not engaged directly in Frontex but assisting it, and we do recognise the important role that it does have to play. Emma, I do not know if you want to add anything further? Emma Gibbons: Just to clarify, obviously we are actively working with Member States on the development of EUROSUR but we will not be part of EUROSUR when it is established, as the Minister indicated, because it builds on that part of Schengen we are excluded from.
Q433 Lord Hodgson of Astley Abbotts: So our relationship with EUROSUR will be exactly the same as Frontex, watching the party but not part of it and helping the party get going? Emma Gibbons: I think in terms of Frontex we are excluded from the legal base but we work with Frontex, and I would anticipate a similar arrangement here. We do have an interest in making sure these arrangements strengthen the Schengen external border, so it is proactive but outside the legal channels and legal set up for both Frontex and EUROSUR.
Q434 The Chairman: Could I ask you on that: is this all totally informal therefore, because we are not part of the legal basis, or is there some sort of agreement as to how we 227 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons are going to operate to strengthen Frontex, to help EUROSUR be set up and so on? I am just a little bit vague as to how this is all done. James Brokenshire: Clearly we are outside of the regulations and it is, I suppose, a practical assistance that we provide. In that sense, my understanding is that it is informal, because by its nature we are not within that legal base on Frontex and EUROSUR. But I think that from a practical way we certainly do recognise the practical benefits of ensuring that they operate effectively but doing it in such a manner that is in a practical way rather than bound in some sort of formal mechanism, because we are, by nature, outside of it.
Q435 The Chairman: This has no disadvantages that it is so informal? James Brokenshire: We certainly have not seen that it has disadvantages, no. I think that we are not part of Schengen and therefore, respecting that, it would be strange if we were then bound in in some sort of more structured way. I think so much of this is about practical assistance, about expertise, about providing where needed some sort of input in a practical way. That does seem to have operated constructively and we are not minded to change those sorts of arrangements.
Q436 The Chairman: Thank you. Perhaps we could look a little bit now at the PNR issue, on which the Commission’s proposal has fairly recently been tabled. I wonder whether you could say how useful you think an EU directive on PNR is likely to be in counter- terrorism operations and the fight against serious organised crime, and whether it is still the Government’s view that it should cover intra-EU flights or whether that has changed in any way? Perhaps we could then go on, after you have responded to that, as to whether the United Kingdom is planning to opt into the directive, which of course it has to do before the end of April if it is to do so. Could we perhaps cover that group of questions? James Brokenshire: I would be pleased to. I think we have said clearly that the use of PNR data is a proven and vital tool for the prevention and detection of serious crime and terrorism. The proposed directive will assist air carriers flying to and from EU Member States and help ensure that, where appropriate, PNR information can be shared, both between carriers and Member States and between enforcement bodies, quickly and securely, with all the necessary data protection safeguards in place. Obviously, I think that is an important point. In terms of the intra-EU flights, the volume of journeys between Member States is three times greater than between Member States and third party countries and a directive that provides cover only for travel to and from third countries, in our judgement, would limit Member States’ ability to tackle criminal activity. So that is an issue that we do regard as being very important, and certainly we are continuing to actively engage around this issue and to make the case as to why covering intra-EU journeys is very important.
Q437 The Chairman: If I could interrupt there. So you are convinced that the cost benefit balance is positive, because from the figures you give, three times as much, it is going to be a huge cost. Is the benefit going to outweigh the cost? Is that the Government’s view? James Brokenshire: I think our concern is that we need to look at the intra-EU issues and consider whether, rather than perhaps solving some of these factors, it displaces problems. That is why we think it is important to look at this in the round and that there are the
228 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons benefits that I have highlighted in terms of the PNR data and how that impacts on combating terrorism and serious organised crime and why that is very important. I am conscious I have not come on to address your second point as to whether we will be opting into the directive or not. I was put in slight mind of my first appearance to this Sub- Committee before Christmas when I said that we would be respecting the eight-week time period on not making or announcing decisions in relation to directives to allow scrutiny to take place. I appreciate that we are well within that time period. We have not reached a decision as to whether we will be opting in or not, and clearly there will be the scrutiny and the consideration that you will wish to apply to this. Although I recognise it is important that we make an announcement when we have made a decision on this as early as possible, given that I do recognise that 2 May falls potentially within a recess time period and therefore, while respecting the desire for your Committee to scrutinise these issues properly, the Government will seek to announce as early as it is able to.
The Chairman: Thank you for that. I think I should say at this stage that we, of course, have it under scrutiny at the moment and we are likely to put forward some views on that to the Government, either in the form of a letter to yourself or the Home Secretary or in the form of a report, in which case there would be a debate in the House. We have not yet taken a view on that but it is likely to be one or the other, and I do not think we can probably take that further this morning.
Q438 Lord Tomlinson: Minister, if I can turn to the proceeds of crime, in the strategy document there are a number of proposals to make it easier to seize, freeze, manage or confiscate criminal assets, including the proposal for a revision of the money laundering directive and increase in the powers of asset recovery. In your opinion, will these proposals make the EU’s efforts in this area more effective? James Brokenshire: Certainly, I do welcome, and the Government welcomes, the focus on confiscating criminal assets and we must target the financial incentive that drives organised crime; something that we have been emphasising domestically on being able to take down and take out organised criminal groups and using asset recovery, asset denial and financial investigation as an essential tool in helping to deliver that. I think we do need to carefully monitor and consider the development, for example, of any legislative proposals in this area, particularly where they go beyond the Stockholm Programme, because there is, I think, an awful lot of capability and an awful lot of law that is there. In terms of the asset recovery offices, for example, not all of them have been established and the powers to enable them to function more effectively are already there but they need to be better utilised. So our emphasis, again, is on using the structures, the systems and procedures that are there—and we think there are a lot of very effective tools that are there—more effectively, and that it is that very practical sense that is likely to make the real difference. Is the focus right to be that? Absolutely it is, and I do regard the use of these sorts of techniques as a very important part of combating organised criminality.
Q439 The Chairman: Perhaps you could help our Clerks when we come to draft our report with giving us an absolutely up-to-date position on which Member States do not have fully functioning asset recovery offices so that we have an accurate picture of that. I think it would be helpful to the Government’s case if we were to put in the report a clear reflection of where there are shortcomings in this. I personally share your view that it is, as usual, very
229 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons important that the European Union actually does what it says it is setting out to do before having an enormous list of other things that it wants to do. I think it would help us if you could give us a very up-to-date view on that. It need not be a formal communication but just so that we get it right in our report. James Brokenshire: I am sure that we would be pleased to do that to aid in your consideration of this issue.
Q440 The Chairman: Now, civil protection again. There has been some suggestion in the evidence that we have taken that there could be a kind of tension between some set of circumstances that was deemed to be an EU crisis and a national crisis, although, of course, by definition any EU crisis would inevitably be a national crisis as well. We are a bit puzzled by the implications of implementing the Solidarity Clause. Do you think there is a real tension between these things or is it more just a semantic problem? James Brokenshire: Certainly there is the first point, in perhaps taking us back, and the fact that the internal security I think stresses disaster prevention and anticipation as important work. On that, just to say that I think the anticipation point is an important one to stress in terms of the risk analysis and some of the work that we do as a Member State ourselves and how that is important to apply more broadly. In some ways, if there is that focus on the prevention strand, this could and should enhance Member States’ resilience and, therefore, reduce the likelihood of national crises becoming EU crises. I suppose that is why I place the emphasis on that anticipation aspect that is contained within the strategy. I suppose a national crisis may take on an EU dimension when the response capability of an affected Member State is overwhelmed to the extent the Member State calls for mutual assistance from EU partners through the civil protection mechanism; when designated European critical infrastructure is affected under the terms of the relevant directive; when I suppose an emergency affects a number of Member States. I think you are right to highlight it. The Solidarity Clause does oblige the EU to use all available instruments, including, as we talked about earlier on, potentially military resources placed at its disposal by Member States, and this could include, potentially, deployment within the EU. The decision on implementing arrangements requires unanimity when there are defence implications. But I think that the proposals for implementation should not directly affect the obligations of Member States to assist each other on request, or the ways in which Member States might choose to meet such requests. So I think that there is certainly further thought and consideration that needs to be applied around the solidarity provisions in this way.
Q441 Lord Judd: All that we have been discussing is about protecting what makes our society a society worth living in, and fundamental citizens’ rights are central to that. Of course, there are inherent complexities and difficulties in this work in the interplay between citizens’ rights and security measures. How do you feel we can ensure—and the European Union, indeed, can help to ensure—that at all times what we are doing is designed to strengthen and enhance the quality of our civilisation? In the end it is that quality that will give it the spirit to survive. James Brokenshire: I was just casting my eye over the explanatory memorandum. I think, as we set out in there, we do support the focus within the Commission’s communication on the protection of civil liberties issues and how, intrinsically, that is a factor within the way in which this moves forward. Certainly, we are committed to protecting the security of our borders but also to protecting civil liberties, and certainly this was a debate that we had in our House yesterday in relation to the Protection of Freedoms Bill, which I was winding up 230 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons on the Front Bench last night, and how there is that balance that needs to be struck between individual freedom and collective freedom from harm. I think it is important that that is a factor within this. Protection of the public is the first duty of Government, but that duty must not be discharged without due regard for our fundamental freedoms and civil liberties. I think we certainly do welcome the fact that the strategy recognises a security model but must be based on certain principles and values of the Union itself, and I think that those do include respect for human rights and fundamental freedoms, the rule of law, democracy, dialogue, tolerance, transparency, solidarity. I suppose I could go on, but I think that is intrinsically a part of how this moves forward and that must be respected in terms of the way in which the Internal Security Strategy develops.
Q442 Lord Judd: Do you feel it is helpful, in approaching this very difficult issue, to talk about the balance between individual rights and community rights? Isn’t it a matter of how you ensure, within the context of the community’s rights, the rights of the individual are being fulfilled? Would you not agree that there is a danger that when one starts talking about balance one starts talking about trade-offs and compromises and what one wants is an integrated approach on this? James Brokenshire: It is an interesting point, but on that terminology of balance it almost implies that security and the values and those issues are, in some way, in conflict or in opposition. I think responsible governments must provide security for their citizens and protect their privacy. Therefore I do not accept the premise that being safe and being free are in some way at variance or at odds with each other. I think that both are possible and to suggest otherwise is, I think, taking a false premise on that.
Q443 Lord Judd: That is exactly my point, that one wants an integrated approach rather than saying we have two different things here that we somehow have to get into balance. James Brokenshire: But, as I say, I think that you can do both. That is at the heart of what we are seeking to achieve, both domestically and in terms of our relationship with the EU and the development of the Internal Security Strategy. So, I hope that perhaps we—
Q444 The Chairman: Do you identify a broad common view across the Member States on this sort of issue, or are there many tensions, and are there tensions between the Member States collectively and the European Parliament, for example? James Brokenshire: When you look at some of the developing roles of the Parliament, I think that initially you can point to perhaps some examples where the relationship and the issues had not been developed at that point in time; the important role that the Parliament had. I think that that is changing. I think that has moved on in many ways over the last months. So perhaps the initial tensions that were highlighted initially have dissipated, is certainly my sense. Clearly, issues of liberty and freedom are issues that I think are directly relevant to all Member States. Therefore it is something that will be, I am sure, a core part of ongoing discussions in the context of the Internal Security Strategy and I am conscious that there are other issues that will be coming up into, for example, further communications around data protection that we may well be expecting later this year as well. I think this all fits together. This is all part of how we deliver both safety and security and delivering on the freedoms and protections at the same time.
231 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons The Chairman: We have in a small way done our best to have a dialogue with the European Parliament on it, because we took evidence from the Rapporteur when we went to Brussels in December and I also talked to the Chair of the LIBE Committee. Of course, our report on this will come out before any report the European Parliament is also making on the Commission communication, so I hope that there will be some mutual feed across there.
Q445 Lord Hodgson of Astley Abbotts: Can we turn lastly to the European Arrest Warrant and its value in the fight against terrorism and internal security? There have been a lot of questions raised about its value and the proportionality. There are a huge number of EAW requests from Poland, because of the nature of the Polish criminal justice system; problems about bail systems; problems about access to interpreters in legal proceedings overseas. Would you like to give us your thoughts on that? I know Scott Baker is going to look at it. James Brokenshire: Yes, I slightly hesitate in that regard because, as you will know, the Government has announced a review of extradition more generally, and this is intended to cover the European Arrest Warrant, EAWs. To confirm to the Committee, we are expecting the report to be published in the autumn of this year and, therefore, obviously I would not want to prejudge how that review will engage. Therefore, probably it would not be appropriate for me to provide a detailed blow-by-blow assessment or analysis of EAW, given the ongoing work that is taking place. However, I think it is worth mentioning that the European Arrest Warrant, since 2004, has led to the return of a number of suspected criminals to face justice; 447 suspected or convicted criminals being returned to the UK to face criminal proceedings or to serve prison sentences since its introduction. I think it has had a role in relation to dealing with suspected offenders. Obviously there are issues that have been highlighted in relation to proportionality, which is, I am sure, something that the Committee will be examining more carefully. To give some current examples, we have Operation Captura, which I do not know if the Committee is familiar with, which is an arrangement between SOCA and the Spanish authorities in relation to some criminals who may be located in Spain and highlighting their activity and seeing them returned to the UK. I think you can certainly look at some of the practical impact that has been achieved but, at the same time, recognising some of the concerns, some of the criticisms that have been raised around the European Arrest Warrant and how it has operated in certain cases, which is why I think the review that is being undertaken by Sir Scott Baker is very important in informing our approach and our thoughts in relation to this.
The Chairman: For the avoidance of all misunderstanding, we are not proposing to take a broad view about the European Arrest Warrant in this report, because it is not the job of this Committee to do so. It is our sister committee, Sub-Committee E, that does that. What we are going to look at in this report is the extent to which the Government, the Home Office, SOCA and others believe that the European Arrest Warrant has been a useful tool in the fight against terrorism and serious crime, and I think that is very helpful that you have addressed that. But we will be limiting our views to that aspect, not trying to dip our toe into the water of the overall European Arrest Warrant issue. James Brokenshire: Understood. 232 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons Q446 Lord Judd: I am very interested because in the table that you supplied, very kindly and helpfully, about arrests and surrenders there is a quite significant figure against the description “other”, and if we are going to get a proper grip on what is happening “other” could cover a multitude of sins, literally. It would be very interesting to have a little bit more information on what “other” covers. James Brokenshire: Lord Judd, can I say to the Committee that we will take that away and see if there is anything other— Lord Judd: It is quite a significant figure. James Brokenshire: —that can be added to the “other” in that regard, in terms of seeking to be helpful to this Committee. I do not know whether there is any further information that can be provided, but I do take your point. The Chairman: Thank you very much. That is very helpful.
Q447 Lord Hodgson of Astley Abbotts: While we have the Minister trapped here, he referred earlier to the Government’s plan to produce in the autumn some thoughts about internet security for individuals, raising awareness and possibly trying to provide a complaint system and so on. I have an involvement with internet shopping and this is an area that has become increasing used to skim. The criminals put a couple of pounds on someone’s credit card and they do not check it because they think it is too difficult to check, it takes too long. A simple answer would be to require the internet company to supply its own name and the nature of the goods supplied as a way of showing whether or not a sensible transaction took place. Credit cards often have completely meaningless data on it and people do not bother to follow up. A couple of quid replicated many times over can amount to a very significant sum indeed. James Brokenshire: I am certainly conscious that sometimes it can be that these sorts of online frauds are seeking to use only small sums of money, but sometimes that can be a precursor to then taking a lot more money, to see whether a small transaction has been successful and then taking much, much more thereafter, in other words, to validate and confirm that perhaps details through identity fraud have been utilised in that way. We are conscious and cognisant of these issues as part of the work that we are doing on our organised crime strategy and also the cyber crime strategy that will sit alongside that. I hear the point that you have made. Obviously I note the suggestion that you have made, but we are certainly looking at all of these issues in the round as we develop our policy in this arena. The Chairman: Thank you, Minister, very much indeed for being so generous with your time and I think we have found your answers very informative. Thank you very much indeed. James Brokenshire: Thank you, Lord Chairman. The Chairman: I would like to, through you, thank everyone in the Home Office and in other agencies who have given evidence in this inquiry, because we have had some useful evidence sessions and we are very grateful for that. We will keep you in touch with our confabulations, which will emerge in the form of a report in about May, I think, probably, and then after that there will be a debate in the House on the report, I would hope. That sometimes gets a bit delayed. Thank you very much. James Brokenshire: Thank you. That is very helpful.
233 James Brokenshire MP, Parliamentary Under Secretary of State, Home Office, and Emma Gibbons
Supplementary written evidence, James Brokenshire MP (ISS 18)
Asset Recovery Offices & The European Arrest Warrant
During the evidence session on the Internal Security Strategy that took place on 2 March, the Committee made two requests for further information, one in relation to Asset Recovery Offices (ARO) and the other to the European Arrest Warrant (EAW).
Asset Recovery Offices
The Committee enquired as to which Member States had not yet established Asset Recovery Offices. The countries that have not yet established AROs are Slovenia, Italy, Portugal, Malta and Romania.
European Arrest Warrant
The Committee also enquired as to the range and type of offences, which, under the European Arrest Warrant, were categorised as ‘Other’. The term ‘other’, as used in the figures provided on the European Arrest Warrant, refers to a number of types of offence which do not fall within the broader categories of offences listed in the figures. Though the list is not exhaustive, EAWs categorised under ‘other’ could include, for example, offences such as driving offences, witness intimidation or public disorder offences.
March 2011
234