Civil contingencies, resilience planning and cyber risks
by Mick Free, civil protection advisor working with the City of London, Association of Greater Manchester authorities and Gloucestershire's local resilience forum on a pilot cyber resilience project
Structured and consistent planning for civil contingencies is a relatively new concept and one that has rapidly evolved over a short period of time. With the ever developing threat of cyber attacks, it is now time to firmly embed cyber into national and local civil protection arrangements.
Legislation to define and govern the preparation for civil emergencies in the UK is a 21st century concept (previous civil protection legislative provisions were predicated on ‘cold war’ planning arrangements).
The Civil Contingencies Act 2004 (CCA) was born out of the series of incidents that started with serious flooding in 1998. This was followed in 2000 by the national fuel crisis; the national foot and mouth outbreak in early 2001; and globalisation of the radical Islamic terrorist threat following the attacks in the United States on 11 September 2001.
Following the events of 9/11 the UK Government established the Civil Contingencies Secretariat (CCS) within the Cabinet Office to co-ordinate resilience planning across all government departments. This included the establishment of both a ministerial and an official level committee to provide national leadership and oversight of UK resilience arrangements. Since 2010 these have been sub-committees of the National Security Council (NSC).
The CCS also developed and continues to maintain the National Risk Assessment (NRA) – a matrix of national threats and hazards – and the UK Capabilities Programme (now National Resilience Capabilities Programme - NRCP). Produced after 9/11 this provides a programme of work, under ministerial leadership, that covers three areas:
- Structural arrangements – to make sure that the frameworks for coordinating and directing an emergency response are in place.
- Central response – Cabinet Office supports central government departments to work together effectively in responding to an emergency.
- Functional workstreams – including mass casualties, mass fatalities and infectious diseases (each with a designated lead department).
The UK now has well established resilience planning arrangements with the focus on local executive leadership through the work of the local resilience forums (LRFs).
Generally mirroring police force areas, their main purpose is to ensure that each category 1 responder (primarily emergency services, local authority and other key government agencies) within the LRF can deliver its functions as far as necessary or desirable, to prevent or mitigate the effects of an emergency. Each LRF should consider both the NRA and the supporting national resilience planning assumptions (NRPA) in developing a local risk register and contributing to the NRCP.
However, despite publication of the National Cyber Security Strategy 2016–21 and being listed as a tier 1 threat in the 2016 National Security Strategy, cyber threats are not part of the NRCP. It would appear that the omission of cyber from the NRCP has contributed to it not being included in the resilience arrangements of the majority of LRFs.
The inclusion of cyber resilience as a workstream within the NRCP would have a number of substantial benefits. It would assist in:
- Helping to place this area firmly on the agenda of LRFs.
- Identifying clear ministerial leadership and support for cyber issues within local resilience partnerships.
- Contributing to shaping and assisting the work of the National Cyber Security Centre.
- Supporting the National Cyber Security Strategy, strategic outcome three (under Defend), by which the UK has the capability to manage and respond effectively to cyber incidents to reduce the harm they cause to the UK and counter cyber adversaries.
Matters of local resilience (including cyber) can only be effectively dealt with through the LRFs. Anything less undermines the CCA and the concept of joint resilience planning and response where it matters most – in local communities.
Hopefully, the work we are now doing looking at cyber resilience with the Association of Greater Manchester Authorities, the City of London and Gloucestershire will help to formulate a model for other LRFs to imbed this into their local resilience programmes.
This article was first published in Local Leadership in a Cyber Society: Being Resilient by the DCLG led National Cyber Security Programme - Local and iNetwork. Read the other featured articles.