Professor Anthony Glees Dr Julian Richards University of ... - PCG

a level playing field. If present employment trends and government needscontinue it is likely that in the future there will be an increasing demand forsecurity freelancers in respect of national infrastructure work. This emphasisesthe risk of creating a skill shortage by allowing the demand that contractorspossess existing security clearances to override the need for technical skills.Our work shows that there should be no doubt whatsoever about PCG‟s totalcommitment to the need for effective security clearance. Its members fullyunderstand the need for national security. Few professionals in this area, wefound, have a greater respect for the security demands imposed on everyoneworking on contracts affecting our national security. PCG members are in nodoubt that rigorous security checks form a critical part of the UK‟s securitymeasures. But we have come across evidence which suggests that criticalproblems in the application of security clearance are effectively causingmarket failures and preventing certain roles being filled by the mostsuitable candidates. It is this issue which we, here, wish to target and resolve.It is precisely because no-one doubts the need for a security clearance regime,or that there are real and continuing security threats requiring strict protectionsof national security in personnel vetting and recruitment, that various solutionsare suggested for improving the process of managing security clearance.Our main proposal is to ensure that contractors without current securityclearances are properly considered for roles requiring such clearances, and thatthose who may already possess these clearances are not unfairly advantagedover them. On no account should recruitment agencies use possession (or nonpossession)of an existing clearance as a filter in the selection process. Indeed,it was pointed out that to do so may well contravene the formal stipulationunder the Official Secrets Act (OSA) that possession of such clearancesshould not be disclosed openly.Secondly, we propose that it become an obligation on the Cabinet Office toensure that a level playing field is applied. Monitoring the process properly mustultimately be a duty of government since no one else can perform it fully.10

costs incurred by “fast-tracking” the security clearance process for a potentialcandidate could be met by the contractor community itself in the form of a fee.However, we feel that further work would need to be undertaken to ensure theequity of such a proposal.To this end, we suggest urgent thought begiven to the establishment of a SecurityClearance Forum to bring together theCabinet Office, recruitment agencies,contractors, and end clients under anindependent chair, to review currentperformance in adhering to guidelines and toencourage fruitful conversations about thesematters between them. We are convinced by thecase that there are a series of detailed legal andcontractual issues that should be hammered outwithin this forum, and on which expert technicalwe suggest urgentthought be given tothe establishment ofa Security ClearanceForum to bringtogether the CabinetOffice, recruitmentagencies andcontractors, under anindependent chairguidance would be required. These issues could include making compliance withCabinet Office and Office of Government Commerce (OGC) guidelines acontractual obligation to be passed on to sub-contractors and agencies; thesubmission of evidence of an equal number of non-cleared and clearedapplicants having been interviewed for roles requiring clearance; and thoughtgiven to the reasons for so-called “short-term” and “urgent” appointments.However, although we would not wish in any way to challenge the need for theCabinet Office to retain exclusive ownership of all national security risks, itcannot follow that upholding this principle means any refinement of existingpolicy or thinking should be foresworn. We are firmly of the opinion that thenational interest is damaged, the government disadvantaged and the taxpayerdenied best value for money whenever the best qualified contractor is kept fromappropriate work through a failure to ensure guidelines and regulations areproperly adhered to. It is for government to ensure that this does not happenbecause it is only the government that is able to do so even if new legislation is12

equired to achieve this desirable goal (a point we believe has not yet beenreached and can hopefully be avoided).National security issues are rarely out of the news. Nor should they be. It is aprimary duty of government, perhaps the primary duty, to provide security forevery person in Britain to an appropriate level and consistent, at all times, withthe rule of law.Ensuring that our country is kept as secure as possible from states, groups andindividuals that would do us harm is a core part of a government‟s responsibilityfor delivering security. Making certain that those who work in government butalso for government are not security risks is one vital means of doing preciselythis. No one understands this better than our nation‟s private contractors whoundertake key work for government at the most secure levels.Everyone, whether a contractor working for government or an ordinary citizenwanting to live securely and peacefully in this nation, understands that theinterests of Britain and of everyone living here are always undermined whenthose working in, or for, government betray the trust that has been placed inthem. Even if the number of those who do so is extremely small and even if thedamage done is thankfully rarely catastrophic, the government rightly does whatit can to prevent such people from doing harm and where wrongdoing isuncovered seeks to bring the perpetrators to justice.For this reason, questions surrounding „vetting‟, the provision of securityclearances, who gives them, who gets them, and for what purpose is a criticalarea of wider national security policy and it is one that is absolutely necessary toget right. When the wrong people who betray this country and its values aregiven clearance or when no one thinks to vet them, we all accept that ournational interest and our national security have both been seriously anddetrimentally affected.13

such specific needs, very frequently the expert skills will be found only in themyriad ranks of this nation‟s freelancers.Increasingly complex technical problems, especially in the field of informationtechnology and information assurance, require specialists able to provide preciseand specific fixes which can lock into wider solutions. Private contractors –freelancers – are often the best qualified and most effective source of theanswers that government will increasingly need.What is more, all governments must always seek to employ not just those withthe best fit of skills for the specific work that needs to be done but at a pricewhich the country can afford. At a time of severe constraints on the publicpurse, this core requirement has special relevance and poignancy. In seeking tomatch needs to individuals, value for money considerations will and must neverbe far from centre stage. In searching for the right skills and for the best valuegovernment will invariably employ recruitment agencies. When privatecontractors are employed via agencies by government end-users, thegovernment and the country must be certain that the national interest is notsubjected to any unacceptable degree of risk.At the same time, precisely because expertise and value for money are soimportant, government must make sure that it is not excluding freelancersinadvertently and unnecessarily.As we explore in this report, since 1994 governments have done much to spellout in careful detail how the process of vetting is operated and that to meet itsvarious requirements everything is being done to bring the right people to theright task (and exclude those who might do harm). The government claims thatit has taken all necessary steps to rationalise and improve the process ofvetting, including reducing the time it takes to provide clearance (the installationof a new computer system known as Cerberus will allow basic level clearances tobe issues within fifteen days in routine cases). It also makes it crystal clear thatthe vetting process must not be used wrongly to exclude freelancers who may15

have exactly the expertise that government requires but does not hold, at thetime of applying, the clearance the job demands 1 . Indeed, this is a trulyfundamental issue because without a level playing field, the government cannotbe certain it is getting the experts it needs at the best price for the taxpayer.This is why the government spells out very clearly that pre-existing clearancesare not a requisite for most jobs for which vetting is required.The phrase a „Catch-22‟ situation has come into common parlance thanks to theAmerican novelist Joseph Heller who coined it in 1961. He used it to describehow a person (in this case an American Air Force pilot) was told he could notvolunteer to fly a highly dangerous mission unless he was deemed sane by hissuperiors but by volunteering for the mission he would be demonstrating tothem that he was in fact insane.In our context, the catch is that those applyingfor a post which should give them theopportunity to acquire security clearance cansometimes only gain the position if theyalready have security clearance. And thosewho do not have security clearance cannotapply for posts for which they would be able toobtain a clearance. We have seen clearevidence of this „Catch-22‟ situation affecting..the vetting processmust not be usedwrongly to excludefreelancers who mayhave exactly theexperience thatgovernment requiresbut does not holdprivate contractors seeking straightforward security clearance. Some of the bestfreelance experts in the UK are currently being denied government contractsbecause they are told they must have a pre-existing security clearance for theirapplications for government work to be considered. But, at the same time, theyare also told they can only gain a clearance once their application has beensuccessfully accepted. In these cases, no application can be successful withoutan existing security clearance; but no security clearance can be gained without asuccessful application: this is surely a „Catch-22‟ situation if ever there was one.1 Cabinet Office, ‘HMG Personnel Security Controls’. July 2010.16

It is the case that the „Catch-22‟ applies to the provision of the two lower levelsof security clearance, namely the Counter-Terrorism Check (CTC) and theSecurity Clearance (SC) but not of Developed Vetting (DV) because thoseseeking to obtain developed vetting will often have security clearances already.For this reason, and because far more people need a security clearance thanneed developed vetting, it is the former who are most definitely at the sharp endof the problem and their number is by far the greater.It is always a matter of very considerable public concern to the nation whenthere is hard evidence to show the vetting system has either failed or not evenbeen properly or intelligently employed and that this has allowed, in a number ofrecent high-profile cases, the wrong people to work for the government or in..the outcome is thatnational interest isdamaged and thetaxpayer is denied avalue-for-money,market-drivensolution to a specificneedroles alongside the high offices of state,including Parliament. The media, quite rightly,will always jump to report security vettinglapses.Although the media (and the wider public) maynever hear of it, it should be no less a matterof serious concern when those experts whopresent no security risk whatsoever and havepath-breaking expertise have been deniedaccess to contracts because the government‟sown guidelines have not been followed. Whether this is because the end user(the government) has been careless in its tendering or whether the recruitmentagencies on whom the government relies have for whatever reason failed tofollow the guidelines, the outcome is the same: the national interest is damagedand the taxpayer is denied a value for money, market-driven solution to aspecific need.In our report we examine why this is happening.17

We are satisfied, as we say, that it is the explicit position of the government thatthis should not be occurring. The government reasonably points to its guidelineswhich spell out that a pre-existing clearance is not a requisite for the vastmajority of jobs on offer and, no less reasonably, it draws everyone‟s attentionto the efforts made (at some cost) to speed up the process so that the provisionof basic level security clearances can take no more than fifteen days in allroutine cases. Whilst this is a vast improvement to the situation that existedbefore, fifteen working days is in fact three weeks; any market-drivenrecruitment agency may well conclude that faced with some contractors whomight happen to have a pre-existing and valid clearance and some who mighthave to wait three weeks for one, it would make sense to automatically excludethe latter in favour of the former. Some recruitment agencies may use anexisting clearance as a filter to reduce the number of applications that it isrequired to read and assess, suspecting, not unreasonably, that the end-user willwant staff who can be placed quickly. Indeed at the time of writing there isstrong evidence, supported by anecdotal reports from key players in therecruitment industry, to suggest that it is widely accepted that clients will prefera candidate with clearance already in place. This problem is amplified in the caseof freelancers as very often the engagement may just be short term.This can happen easily, for example, when recruitment agencies are hit by aplethora of applications and introduce a finite window for them. Anecdotal butwholly credible evidence from the roundtable meeting suggests that existingclearances can be used as a form of pre-selection to further reduce the workload involved in short-listing applicants.Sometimes, the evidence indicates, the fault lies with the end user who maydemand a higher level of clearance than is necessary which in turn requires afreelancer who does not have a pre-existing clearance either to undergo vettingor indeed exclude themselves from the process even where they have veryspecific skills the government says it requires. Again, anecdotally, it is possiblethat both end user and recruitment agency may make this mistake, an almost18

comprehensible variant of erring on the side of caution even if to do socontravenes the guidelines.At the same time the government has made it plain that it cannot, at thismoment in time, exercise a regulatory regime to attend to the problem. Equally,it is, for the government, a „line in the sand‟ that it must retain ownership of thenational security risks and associated vetting regime. The Cabinet Office is notopposed to „pre-clearance‟ services that help prospective contractors get theirpaperwork ready but our judgement is that this certainly provides no benefit inpractice. It seems to us that if the latter applies, as it surely does, then theformer must be adapted to meet its demands. Excluding the right person for thejob is, in its own way, every bit as grave as failing to exclude the wrong person.Only government can address this matter; indeed it is the responsibility ofgovernment to ensure the right contractor gets the appropriate job and if newlaw is needed, then new law should be made.Here we argue that because the matter at stake has to do with Britain‟s security,not just on one level (the exclusion of those who cannot be trusted) but also onanother (because the work which is being advertised is concerned either directlyor indirectly with our national security activity) we are presented with a situationof imbalance or unfairness which simply cannot be accepted.In the final analysis, we suggest, the government (or more precisely the CabinetOffice and, in particular, the Office of Government Commerce who oversee thepractice of contracting with government) cannot simply walk away from therequirement that there should be a regulatory regime and that where itsregulations are not followed, the recruitment agency in question will beprevented from filling vacancies unless and until it changes its processes andprocedures. Equally, we argue that more must now be done to engage in aprocess of education and awareness building both within the recruitmentagencies and the freelancing communities. Whilst contractors‟ organisations like19

contract (government end-user, recruitment agency, sub-agent and freelancer)may not always be the same (see figure 1).Figure 1: Differing pressures across the end-user to contractor spectrumIn particular, the sub-agent may wish to use pre-existing security clearances asa means of speedily supplying a suitable contractor to the recruitment agencyeven though the government‟s guidelines seek to outlaw this practice. The wordsused by a recruitment agency (for example, „security clearance will be required‟)are capable for more than one interpretation (either, as the guidelines state,that the security clearance will be required before the contract is awarded butthat this is not a barrier to any application, or that a security clearance will berequired before the application is considered). Conversely, such wording couldbe considered nothing more than lip-service to the guidelines.21

Indeed, there is some reliable but unverifiable witness evidence to indicate thatpossession of a pre-existing clearance has been used, in contravention of theguidelines, as a filter for job applications. What the witness, who possessedappropriate qualifications, personally experienced was a remarkably short timeinterval between the submission of their application and the receipt of arejection.It is important to emphasise that this may notnecessarily indicate any deliberate flouting ofthe regulations but rather a lack of detailedunderstanding of process on the part of theend user or an understandable, if wrong,desire on the part of the recruitment agency tocomplete the transaction in as short a time aspossible, with the accompanying saving of resources. Alternatively, therecruitment agencies may themselves be unaware that their sub-agents aretaking short-cuts and since the end result (the provision of some suitablyqualified candidates) will apparently have been achieved, the agencies maynever even suspect that best practice in line with the guidelines has not beenfollowed...the words ‘securityclearance will berequired’ are capableof more than oneinterpretationSurveyAn initial survey of PCG members‟s views and experiences on these issues wasconducted in late Spring 2011. The subsequent data provides importantindications for an early judgement on this matter to be made. However, adeeper investigation would be needed in order to offer firm conclusions.With more than 600 respondents, the sample size was large and the resultstherefore likely to be of statistical significance.22

The main points are:• More than three quarters of PCG members in the sample will regularlyapply for jobs requiring a security clearance: in only 24% of cases hadmembers not applied for any such jobs over the last 2 years• The majority of members in the sample (65% or broadly two-thirds) didnot have a security clearance in place when they applied for such jobs.The norm is not to have one in place• In 46% of cases where people applied for jobs requiring a securityclearance, they received a straight rejection. Of course, we cannot knowwhy. Rejections can have many causes and only a deeper survey wouldpermit us to draw conclusions as to whether those rejected wererepeatedly rejected, indicating that the lack of an in-place securityclearance was to blame, or whether the fit between the candidate and thejob was not strong enough. On the face of it, a straight rejection of almost50% of applicants is a cause for concern, given the special nature of theactivity at which we are here looking.• In a quarter of cases (24%) this rejection was received almostimmediately, i.e within 24 hours. This could suggest that somerecruitment agencies do employ an „automatic‟ filter system but thatothers do not, or that the speed with which applicants without securityclearances are filtered out may vary from company to company. Again afurther investigation would be appropriate but the stark fact that half ofthose who receive a straight rejection are rejected within 24 hours isplainly noteworthy.• Turning to the perceptions of contractors, it is striking that 74% of thesample (three-quarters) perceive it to be either „likely‟ or „very likely‟ thatagencies will automatically filter out non-SC holding applicants for jobsrequiring an SC.23

..a majority of privatecontractors do nothave confidence thatan automatic filteringsystem is not in place• 56% of the sample (just over half)either „disagree‟ or „strongly disagree‟with the statement that the CabinetOffice and OGC guidelines are sufficientto protect them from discrimination inthis area.It would appear to follow from this that contractors not only have a disturbinglynegative view as to whether guidelines are being adhered to, or not (which may,of course, deter well-qualified experts from applying for contracts) but that ifthere is a disconnect between what is perceived to happen and what actuallyhappens, far better communication and far better working relationships betweenthe various stakeholders must be established.The Cabinet Office must be concerned that a majority of private contractors donot have confidence that an automatic filtering system is not in place (that is,think such a filtering system is being used), and a significant proportion do notbelieve that the Cabinet Office and OGC guidelines are able to protect theirinterests.These are hard facts which must be addressed even if those who received astraight rejection did so simply because their qualification and expertise wasdeemed wrong for the contract in question. It is worth noting that PCG membersgenerally do not have Security Clearances in place when they apply for jobsrequiring them, and this may feed any suspicions and lack of confidence in thesystem if they are then rejected.Naturally, no selection process can be perfect and in any process, somecandidates will feel hard done by. Equally, recruitment agencies cannot beexpected to do their work flawlessly on every single occasion. The competitivepressure on the individual agent to find the candidate most likely to be chosen(that is, the candidate with a pre-existing clearance) is a commercial reality24

containing an inherent conflict of interest between contractor and agency.Markets are composed of human beings, and human beings are subject to hardnosedcommercial drivers and realities. Indeed, it would not always be counterintuitivefor an agency to think that someone with a pre-existing clearance wouldbe their best bet. The trouble with this is only too obvious -- that to act in thisway is contrary to the guidelines and disadvantages many contractors.For these reasons and because the introduction of the Cerberus scheme whichhas definitively marked a new chapter in the process of obtaining securityclearances, we believe the time is now ripe for an intensive and sustainedprogramme of education and awareness building, both within the industry and(because we are talking here of the national interest) outside of it. We feel itshould involve Parliament, the representatives of the people but also the mediaand anyone with a legitimate concern with national security policy. The aimshould be the provision of a level playing field to sustain value for moneyobjectives and the provision of the best people who have the best match of skillsto undertake the work that is so vitally necessary.We also believe that if the Cabinet Office or the Office of Government Commercecurrently lack the resources to provide a regulatory regime, then this issomething that government must rectify if the problem cannot be resolved byother means. There is little sense in the government spending money onreforming the systems and processes that are meant to deliver our nationalsecurity guidelines if there are then not the means to ensure the guidelines arebeing fully and effectively followed.The ancient Greeks believed that Cerberus, the name given to the DVA‟s newcomputer system for processing clearances was literally a hound from hell. Histask was to guard the gates of Hades and prevent those condemned to theUnderworld from trying to re-enter the world of light and life. This new electronicCerberus is part of a more complex task. Yes, it is to keep out of sensitive sitesthose who cannot be trusted with our national secrets and security. But it has25

another duty too: to admit into government contracting those who can betrusted, and who, because of their expertise, most definitely deserve to be.We note that the Cabinet Office regards its past relationship with PCG as strongand productive and keen for it to continue. It would wish PCG to take anassertive role in pressing the rights of its members in this area. It is happy to bechallenged and happy, too, to assist in any opportunity to audit arrangements.Were there ever hard evidence of discrimination or unfairness the Cabinet Officewould expect PCG to pass it on.We conclude that there are matters which should be urgently addressed by allthe stakeholders mentioned here (government, government end-users,recruitment agencies, sub-agents, freelancers and PCG.26

In general, we recommend that• In order to promote Best Practice, communications should be improvedbetween all stakeholders, including such issues as current timescales forcompleting vetting.• Joint working between the key stakeholders in the process can and shouldbe enhanced. This would help to bind stakeholders together, and improveunderstanding of where genuine operating problems may be arising andfinding shared solutions. PCG could again lead on activities in this area.Key Recommendation:• The Cabinet Office in conjunction with the Office of GovernmentCommerce must ensure that its Guidelines are being adhered to. It ispointless to issue guidelines but do nothing to enforce them.• It is not for us to make recommendations in respect of the recruitmentagencies, of course, other than to encourage them to participate in theprocesses we advocate within this report. We do however recognise thatthe Recruitment & Employment Confederation (REC) and the Associationof Professional Staffing Companies (APSCo) the major trade associationsfor the agencies, have on a regular basis reminded their members of theCabinet Office Guidelines. We hope that they will continue to monitor thebehaviour and educate their members in this area, to rigorously enforcethe guidelines.In respect of the Cabinet Office we can make the following strongrecommendations:• That it reconsider its reluctance to consider innovatory ways ofstrengthening good governance and compliance of procedures towards amandatory regime.27

• It should set up a Security Clearance Forum to bring together CabinetOffice, recruitment agencies and contractors, and specialist legal andtechnical advisors, under an independent chair, to review currentperformance in adhering to guidelines and to encourage fruitfulconversations about these matters between them. The Forum would alsoimplement the other recommendations in this Report. By bringingtogether the Cabinet Office, recruitment agencies and contractors, underan independent chair, to review current performance in adhering toguidelines and to encourage meaningful change, real improvements inpractice could best be achieved.• If the failure of a functioning regulatory regime is the result of a lack ofresource, this must be expeditiously addressed. The guidelines are thereto be met, not ignored.• The DVA believes there is evidence that end-users may ask for aninappropriately high level of clearance for some contracts where muchlower levels of clearance are necessary: this should be urgentlyinvestigated by the Cabinet Office.• Finally, because it is not in the national interest that best qualifiedcontractors be kept from appropriate work through a failure to ensureguidelines and regulations are properly adhered to, if new legislation toprevent this from happening is what it will take (and this may well not benecessary), then the government should consider doing precisely this.In respect of PCG specifically we recommend that• PCG develops a compelling and well-informed lobbying and media strategyto draw attention to the problems facing freelancers in respect of thevetting system as currently being applied.• PCG collects, collates and analyses any evidence showing that theguidelines have been breached whether by government end-users or byrecruitment agencies or their sub-agents and that PCG puts such evidencebefore the government, Parliament and the Recruitment and EmploymentConfederation (REC).28

• PCG acts as intermediary between its members, the freelancers, and therecruitment agencies in order to do away with the existing „Catch-22‟situation and to prevent any blacklisting of PCG members by agencies.• PCG should monitor developments in this field.29

This report was commissioned by the PCG – the Voice of Freelancing in late2010, to examine the issue of fairness in the awarding of contracts requiringsecurity clearance by the government to freelance contractors.The core issue at stake is whether the requirement for security clearance atdifferent levels in such contracts can act in a discriminatory manner – whetherinadvertently or otherwise – when the contractor bidding for the contract doesnot currently have the required level of clearance. A perception has arisen of a„Catch-22‟ situation facing some freelance contractors, whereby they cannot wincertain contracts without a security clearance, but cannot be sponsored for asecurity clearance without being awarded a relevant contract.There is evidence to suggest that current security clearance procedures arehindering the access of some freelance contractors to government contracts. TheCabinet Office has announced that it is continuing to review personnel securitypolicy and procedures and that in doing so, it will consider PCG‟s input. Thepurpose of this study is to help PCG to capture the various viewpoints that needto feed into any policy reform in this field.The Cabinet Office formulates policy on the requirement for security vetting ingovernment activities, including the letting of commercial contracts. This policywas updated and placed in the library of the House of Commons by the PrimeMinister in July 2010 2 , and included further description of the need forgovernment and their agencies letting contracts requiring security clearances toensure that the default position should not be that such clearances were neededimmediately, unless there were specific reasons for this to be the case. Suchguidance is generally circulated directly to the procurement departments of2 Cabinet Office, ‘HMG Personnel Security Controls’. July 2010.http://www.cabinetoffice.gov.uk/media/420689/hmg-personnel-security-controls.pdf30

government departments, and via the Office of Government Commerce (OGC),which is responsible for ensuring maximum compliance and efficiency in thegovernment‟s commercial interfaces. The OGC noted in 2008, for example, in aProcurement Policy Note issued to all government departments, that „routineinclusion of national security vetting requirements, and in particular,unnecessary requests for contractors to hold an existing national securityclearance, run counter to Government policy in this area and have the potentialto contravene the EU procurement rules‟ 3 . Such guidance is, however, just that,and despite the warning by the OGC about potential breaches of EU regulations,it is not enforceable legally in the same way as in the case with respect todiscrimination in recruitment or other activities on grounds of race, gender ordisability. This potentially opens the door for such guidance to be ignored oroverlooked during the recruitment and contract award process.John Brazier, the Managing Director of PCG, noted at the November 2010colloquium that PCG had formed an internal Working Party on Security Clearancein May 2007. This made it plain that government departments, their primecontractors and the recruitment agencies were expected not to ask for priorsecurity clearances when procuring contractors, other than in exceptionalcircumstances. The aim was to ensure a level playing field for contractors andenhanced value for money for the taxpayer, by stipulating that all contractorsshould compete for contracts, and only have to obtain clearance once thecontract had been secured. The guidance aimed to ensure that competition wasmaintained, and the government had access to a large pool of skilled workers.PCG immediately began monitoring the impact of these changes, and compiled adossier of its evidence in December 2007. Unfortunately, the revised guidancehad almost no impact. Advertisements and subsequent contacts betweenagencies and contractors continued to create barriers to the application of anycontractor without pre-existing clearance.In 2009, further meetings took place between the Cabinet Office, PCG and theRecruitment and Employment Confederation (REC). Following this, Michael3 Procurement Policy Note, Information Note 09/08, 14 July 200831

Shryane, Head of Policy at the government Security Secretariat (a small unitwithin the Cabinet Office, part of the Directorate for Security and Intelligence)wrote a letter to PCG members, confirming and reiterating the Cabinet Office‟spolicy position. The Cabinet Office also sent PCG an email address, whereexamples of adverts which contravened the guidance could be sent. This emailaddress is still in use with examples being monitored by a Cabinet Office official.The question is whether this informal process of monitoring is enough, and isresourced sufficiently, to ensure that the situation is robustly addressed.Michael Shryane has explained that the Security Secretariat‟s brief was todevelop protective security policy, very much in close conjunction with thenational and technical authorities. The unit was responsible for the developmentof effective proportionate and pragmatic protective security policies and thedelivery of advice and guidance to over 90 government departments. Within theframework of the government‟s transparency agenda it aimed to give muchclearer visibility to the costs of government and the costs of bureaucracy andespecially to try and drive down burdens of bureaucracy, and unnecessaryimpediments to efficient ways of working.It was important that the government‟s recent publication (HMG PersonnelSecurity Controls) published in the summer of 2010 should be carefully studied. 4It contained details about government personnel security and vetting policy; itdescribed the vetting process, the various levels of clearance; it described howthe process worked for contractors (and others) and it set out some veryimportant policy parameters. That document was one of a number of outputs ofa root and branch review of personnel security and vetting that the CabinetOffice had been driving. There were several key elements of that review thatwere worth stressing.4 http://www.cabinetoffice.gov.uk/media/420689/hmg-personnel-security-controls.pdf32

One of the most important points to understand was that the requirements ofthe system had to be informed by the threat. Across government there hadbeen concern some years ago that the vetting system itself was perhaps fallinginto disrepute because people were relying on it too heavily and applying it in amuch too blanket fashion across a number of organisations across contracts andso on. A first task, therefore, had been to revisit the purpose of vetting. If thequestion were put as to why so many people been put through this process(some 250,000 a year) the answer was that the vast majority of thoseclearances were at CTC and SC levels and not the more intrusive and involvedDV level of vetting. Even so, they were part of national security vettingnonetheless and this situation would not change.If one were to ask why organisations were relying so heavily on national securityvetting, one answer was that within government and across the governmentsector, an appropriate level of recruitment controls had been found to belacking. It had followed that end-users might have been too reliant on nationalsecurity vetting in a lot of instances instead of more appropriate recruitmentcontrols. One outcome of this had been that much work was done to develop amore appropriate set of recruitment controls for government contractors andpeople with access to government assets. These had been set down in theBaseline Personnel Security Standard which, again, had been made available bythe Cabinet Office on its website. 5The Baseline Standard and the recruitment checks had become a very importantelement in the discussion because those checks were very important checks ofidentity, something that the vetting process itself largely presupposed wouldhave been already checked and carried out. The recruitment checks – theBaseline Standard itself – had therefore become fundamental to underpinningthe vetting process. It had become clear that weight needed to be taken off thevetting process and that organisations needed to shift more towards recruitmentchecks, allowing them to ask themselves whether they would really be obliged toput people through the more intrusive, more labour-intensive, resource-5 http://www.cabinetoffice.gov.uk/media/45160/baseline-personnel-security-standard.pdf33

A key aspect of that system would be the creation of something that hadhitherto not existed, namely a coherent database of people with a nationalsecurity clearance. There had been examples of contractors saying that they hadbeen vetted six or seven times by different organisations but that no one hadknown their level of clearance, when this had happened, or what its outcomehad been. Cerberus would address this. Alongside this IT system, process andbusiness changes concerning the delivery of vetting had also taken place. Therehad been a move to a shared service approach to national security vetting.Before the current review, there had been some 90 organisations and all thepolice forces, all carrying out their own national security vetting, lots of littlecottage industries and government departments up and down the countryprocessing these bits. The position now was that the government was movingtowards a „shared service‟ approach. The anticipated outcome was that therewould in future be only two providers, the Defence Vetting Agency, the DVA andthe FCOS (Foreign and Commonwealth Office Services) which would establish amore agile, more expert system with dedicated resources. (See Appendix A for alook at the business of the DVA.)National security vetting was not a statutory regime; there was no NationalSecurity Vetting Act that would spell out government powers and the systemsinvolved. Rather, government would rely on what lawyers had described as apatchwork for its legal basis, on common law, on the Royal Prerogative in orderto carry out national security vetting, largely for the very good reason that itwas very difficult to define what was meant by national security and a definitionhad never been set down in legislation. This patchwork and various otherregulations had been brought together in a statement that the Prime Ministerhad made about the national security vetting process, derived from John Major‟s1994 statement, that described the generalities of vetting, what was meant bynational security and how people might be touched by these matters.Today the government believed, not least as part of the transparency agenda,that it needed to do more to show people how the system worked, what wasinvolved, and how third parties, for example, were touched by the vettingprocess. The July 2010 publication, already mentioned, contained a much fuller35

articulation of government policy in this area and a great deal of information forpeople subject to the vetting process.The policy statement had made it very clear that recruitment controls were thefirst step in all of this and that one of the most important things in terms ofpersonnel security was to undertake checks on identity, the right to work,employment history and so on and to ensure the basics were right beforeanything else was done. It had made it clear that vetting had to be carried out ina proportionate way which permitted a strong national security case to be madein order that the checks might be carried out, for example by using the SecurityService record in order to be able to check against the full criminal record on thepolice national computer and so on.In the particular context of today, the statement had also made clear hownational security vetting should affect people in the contracting community. Thegovernment had held what it described as useful discussions with PCG which hadallowed it to emphasise the point that apart from in a handful of quiteexceptional circumstances, no one should be expected to have a pre-existingsecurity clearance in order to apply for work on a sensitive contract or aparticular government post. This was the first time this explicit reference to thataspect of the policy in the Prime Minister‟s statement had been publicly made.This statement was, of course, not a „silver bullet‟. Difficulties with the contractorcommunity would remain but it had been made clear to different departmentsand private contractors that this was the government‟s approach. Iforganisations persisted in stating to potential contractors that they must have anexisting security clearance in order to apply for a job with a List „X‟ organisation,or to tender for a particular contract, then that might be to leave the door opento indirect discrimination. It was with this end in mind that the government hadcommunicated a dedicated email address to PCG in order that it may beinformed about instances of particularly bad practice in this area. It was notpossible to follow up every instance forwarded to government of individualcontractors who may have believed they had been excluded from opportunitiesbecause of the vetting regime. However, the government would regularly check36

for this, and had done so, and it had carried out polling surveys and, inparticular, had engaged with those recruitment organisations who had seemedto be getting this wrong.Approximately 250,000 people are vetted each year for security clearance. TheCabinet Office does not disclose the precise number of adverse decisions, but itis believed to be no more than 10 per cent of applications. The great majority ofthis total figure of applications are the two lower levels of security clearance,namely the Counter-Terrorism Check (CTC) or Security Check (SC), while thetop level of Developed Vetting (DV) accounts for a small proportion of the totalrequirement each year (less than 10 percent). Most vetting is conducted byeither the Defence Vetting Agency (DVA), based in York and with approximately140 Vetting Officers at their disposal; or by FCO Services (FCOS). Theintelligence agencies have their own Vetting Officers and conduct their own DVprocess. While most of the DVA‟s requests are sponsored by the Ministry ofDefence (MOD), they also handle miscellaneous applications for other personnel,such as non-List X contractors.The target set by the DVA for processing CTC and SC clearances is currently at30 days for the whole process, and this target is fairly consistently being met atpresent in routine cases 7 . (The DV process can take much longer, depending onthe applicant‟s background and circumstances. The current target for a DV is100 days.) In some cases a „priority service‟ can be requested, and awareness ofthis service may be less than it should be. Each applicant has to be sponsored bya government department, or, in the case of List-X companies, can be sponsoredby the company itself.Despite the DVA‟s strong performance in meeting its targets, the process willsoon be revolutionised by the introduction of the Cerberus online tool for7 PCG Roundtable “Security Cleared Contracting – Re-evaluating the system” 4 th November 201137

conducting the first level of checks pertaining to a security clearance. With thistool, the human interface at the beginning of the vetting process will be replacedby an applicant submitting their clearance application online (having beensponsored to do so), following which the first set of basic database checks will beconducted automatically. While an officer at the DVA or elsewhere will still needto sign off the end of the application, the initial legwork will be greatly reducedand the process shortened considerably.The transparency agenda has meant that the government now says a lot moreabout the vetting process than was said before, as shown in the July 2010Cabinet Office statement. With this said, there is a certain amount of „smoke andmirrors‟ around the vetting process, which necessarily gives it a deterrent value.The details provided in the recent guidance documents merely help contractorsto make an informed choice as to whether they are likely to get securityclearance.Our research established that the view of the Cabinet Office‟s Security PolicyDepartment is that they have „gone as far as they can‟ in establishing the policy,reiterating to government departments that policy must be followed in suchareas as fairness in letting contracts, and providing customers and suppliersalike with as much information about the process as they can. There is noappetite in the Cabinet Office to push for a strengthened governance orcompliance regime in these areas, not least as resources are limited andpriorities are probably stronger in other areas of government business. However,as is already clear, this is a view we believe should be challenged not merelybecause there is no point in having regulations but not regulating them andbecause it is not in the national interest that the present position be leftunchanged.At the same time, the „line in the sand‟ is that the Cabinet Office insists it wouldnever accept self-selected security clearances or vetting or discuss the role ofMI5 in any of this. They are determined to stick to the „neither confirm nordeny‟ mantra where specific cases and details are at question. It is important, in38

the Cabinet Office‟s view, that people should never voluntarily submit theirdetails to MI5. It was suggested that to do this would drive a coach and horsesthrough the process.Some companies have suggested „pre-screening‟ and „readiness management‟services, whereby contractors can apply to have initial basic checks conductedand fed through into their security clearance process, with the hope of oiling thewheels of the application 8 . With basic-level security taking routinely less than amonth to process with the introduction of Cerberus, this may be a moot proposalin practice.The experiences of PCG members, both as expressed during our November 2010roundtable and in subsequent documentation have been collated in compilingthis report. This study charts a series of relationships (between contractors,recruitment agencies and industry) which involve a high degree ofinterconnection: contractors are not clients of the agencies, strictly speaking, asvarious regulations preclude agencies from working on behalf of contractors butfreelancers must rely on agencies to place them. Industry and departments arethe clients of the agencies. Contractors contract to industry but industry is alsothe client of the contractor. The background to this work also involves a varietyof themes: the expertise of the contractor, the requirement of industry to benefitfrom that expertise and the competitive environment of the market place(involving contractor, recruitment agency, industry and the government) and thekey requirements of industry and government, to have the best possibleexpertise working for them, to work according to fundamental principles of valuefor money and efficiency and to do all this whilst safeguarding the UK‟s nationalsecurity.8 See for example Tubedale Ltd’s ‘White Paper on Pre- and Post-Employment Readiness Management Service’,17 May 2010, submitted to the Cabinet Office for consideration.39

Of course, perception and reality are not always the same and perceptions canchange depending on the viewpoint of the subject. Differing perceptions of thevarious actors involved in the business of contracting are significant ones. Forthe contractor, the biggest single concern is the perception of a „Catch-22‟situation affecting them. This is that they have seen that without an existingsecurity clearance some find it impossible to get contracts in industry wheresecurity and national security issues exist but that without a contract theycannot acquire a security clearance. From the perception of the government (inthis case the Cabinet Office who draw up the UK‟s guidelines on the acquisitionof security clearances) the „Catch-22‟ situation does not (or should not) existbecause the regulations are clear that the possession of a security clearancesshould not be a precondition for any successful bid by a contractor for work in anindustry where security clearances may be required. As discussed, the CabinetOffice feels it has done much to underscore this fact but also to speed up theprocess by which clearances can be obtained, making this a matter of daysrather than weeks or months. This process is likely to be further speeded up bythe introduction of Cerberus, now on-line. A complicating factor, of course, isthat presented by the necessary presence of the recruiting agencies who maynot be following the government‟s guidelines, or who may use a misreading ofthe guidelines in order to cut back on the numbers of applications for a contractthat they may receive. (It was generally accepted by most that the likeliestreason for so doing was a practical one of filtering a very large number ofapplications for a contract down to a more manageable amount of paperwork.)The competitive pressure on the individual agent to find the candidate mostlikely to be chosen (that is, the candidate with a pre-existing clearance) is acommercial reality containing an inherent conflict of interest between contractorand agency.On review of PCG members‟ experiences, the most common complaint concernsthe „Catch-22‟ situation in which they perceive themselves to be enmeshed (withrecruitment agencies repeatedly claiming either that an existing clearance wasrequired by the industry client or that whether or not this was consistent withthe government‟s guidelines, the agency would insist on clearances and40

prepared, plainly, to exclude anyone who objected). Additionally, PCG membersask important questions about whether security clearances should apply to aparticular person, or a particular job; they are unclear why there are a numberof clearances from which to choose and why different vetting agencies may beinvolved in providing them. Some cannot understand the focus on their financialposition and the checks into it that are required, feeling this to bedisproportionately intrusive. Others believe that the recruitment agencies areusing vetting agencies, especially the DVA, either as an easy means of deflectingany criticism from themselves about how they have gone about the contractingprocess or to reduce the number of applications they are required to examine.Questions were asked about whether some form of „pre-clearance‟ might beemployed and about the costs of clearance and whose costs these should be.The phrase a „costly paper chase‟ was used to describe the process. There weresome fundamental queries about the length of time a security clearance wasvalid and the fact that a clearance accepted by one government departmentwould not be accepted by another department. Some believed that a clearanceshould be obtainable by a contractor without a sponsor (one request mentionedan „unsolicited clearance application‟), others were uncertain what happened to aclearance when the contractor moved from one post to another within the periodof an existing clearance or why a clearance was required for a specific job in2006 but not required for the same job in 2010. Finally there were calls for a„generic clearance‟ where clearances would be produced „in abstract‟.While the Cabinet Office‟s Security Policy Department invites complaints ofmaltreatment from contractors, the officer of the Director of Business Resilience(DBR) has also undertaken some investigation of the roots of the „Catch-22‟problem. While examples of adverts for contracts stipulating that a securityclearance is required are manifold, the question is often asked as to whether thisis misinterpreted. For example, a job advert that says „security clearance isrequired for this post‟ does not necessarily mean that you have to have one inplace before applying – it could equally mean that you will ultimately need one,but could apply for it after establishing if you were going to be awarded thecontract.41

On at least one of the major job-boards (Jobserve) insertion of the correctwording („should hold or be prepared to undergo security clearance‟) requires asingle box to be ticked. In other words, it has been automated so that theagencies need do no more than tick the one box. The speed of automatic siftingwould indicate that in some cases the spirit of the guidelines is simply not beingfollowed.In the discussion at the November 2010 roundtable, it was clear that thegovernment was aware that current procedures were seen as a barrier byfreelance contactors. One freelance software developer explained how afterfifteen years of work, with a variety of security clearances, he has seen how thedemand for them can skew the market. Those who don‟t have one find it verydifficult to acquire and those who do make this a prime feature of theirapplication because they know this is the employment agencies in this field arelooking for. Indeed, rather than looking for contracts requiring specific IT skills(e.g Unix, Perl) the search is for „security clearance‟ or „developed vetting‟because those will be the terms that the advertisements will contain. Naturally,someone with these clearances will not find it easy to suggest that those withoutthem should be equally eligible but it would certainly drive costs down if thatwere the case. Similarly, because those doing this kind of work are a small pool,those outside it will find it very difficult to break in because the employmentagencies will not be interested in them. Another example was provided by anindependent programme manager, someone who in 2003 was working for theMoD on what is now the Atlas Programme. Having identified potential faults in ithe found that when the time came for a contractor to work to rectify them hewas not allowed to apply because his clearance had lapsed. He was told thatwithout clearance he could not apply to address something that he had himselfdesigned.A further example of the problem was provided by the Recruitment andEmployment Confederation (REC) who have found that whatever the policymight be, in practice employment agencies take their brief from their42

commissioning clients (employers, local government) who will demand CRBchecks and so forth. The policy may be understood but if the brief that has beengiven requires a quick start it is plain what the agencies will do. It is how thepolicy is transmitted to the front line, the line managers who take the bookingsthat matters. The speed of the system is plainly also now a factor. Areemployers prepared to wait for their contractors to be cleared?It was significant that strong and convincing anecdotal evidence of blacklistingby recruitment agencies does appear to exist. One contractor was told by asenior member of a recruitment agency that if a contractor were to challenge arequest for specific information from them, the agency would no longer deal withthem. Another, who was a Commonwealth nationality, had experience of beingasked whether they possessed security clearance, and if the answer was in thenegative, that was the end of it. It had also been suggested that it wasnecessary to be a British-born national for some contracts. All this had takenplace within the environment presented by data protection measures.At the same time, there was further anecdotal evidence to suggest thatcontractors who might refuse to be vetted were a tiny minority. Rather, theproblem was that those willing to be vetted had nonetheless been screened outby recruitment agencies. It was also the case that greater professionalism on thepart of recruiting agencies was now properly being asked for. Those agencyrepresentatives present at the November 2010 roundtable stressed robustly thatthey are keen to break the cycle and to prevent clearances being asked for if todo so is inappropriate. Blacklisting contravenes regulations and agencies‟ codesof practice. They run a complaints system and deal with several hundredcomplaints each year which are investigated. They take this process seriouslyand it could be that better publication of complaints procedures is nowwarranted. Its purpose, however, is not to rebuff the REC or its members but toindicate how contractors and recruitment agencies can best work together.Complaints might identify a single consultant who may be erring or who doesnot understand exactly what is required. Training must be preferable to askingpeople to leave but the latter would be done in extreme case. There is a43

eadiness to raise the bar on professionalism and this is down to the individualswho work on the front line in the sector.The largest recruitment agency in this arena is JobServe. It advertises jobs,generally permanent and contract, security-cleared and non-security cleared. Arecent snapshot, at a time when public sector contract opportunities wererelatively scarce, shows that nearly one quarter of database administrator jobsbeing advertised were requiring an existing security clearance or willingness toundergo security clearance. That‟s a big proportion of the market for a fairlycommonplace skill.In this snapshot survey, nearly one fifth of software engineering opportunities,10% of network managers, 10% of IT management, 10% of Sharepoint andJava opportunities required security clearance or a willingness to acquire one.When it comes to pure project managers, only about one in 20 needed to besecurity cleared, but that might represent the position only at this stage in thedevelopment of the market and not the situation in the long term. Yet withoutsecurity clearance, freelancers are in practice being excluded from a significantnumber of the opportunities on offer at any time.There is a distinction between what the regulations say about this and thereality. The Cabinet Office guidelines and the OTC‟s procurement guidelinesreflect the current and long-standing policy that only in exceptionalcircumstances should prior security clearance be required. But the practiceappears to be that the adverts only pay lip service to the guidelines.Experience on the ground has shown that CVs are actually being filtered toexclude those who lack prior security clearance. It was suggested that this wasrecently tested empirically by submitting a CV for a number of opportunities,requiring security clearance for someone who lacked it at that point. As soon asthe CV hit the system (and without allowing any time for anyone to look at it anddetermine the nature of the skills possessed) the message came back thatsufficient candidates had already come forward. This suggests that filtering is soembedded that it is actually automated. It may even be an issue of arequirement to tick a box which will insert a standard wording implying the letter44

(if not the spirit) of Cabinet Office guidelines is being adhered to, namely thatthose willing to undergo security clearance would be considered. The perceptionis that, in practice, this is not happening.Recruitment agencies are highly competitive organisations, working in a highlycompetitive market. This is the commercial reality. Agencies know that if theyare competing to place a candidate in a contract, the contract will go to thecandidate with the best fit. If two equally qualified candidates presentthemselves, with equivalent technical qualifications, but only one has existing orrecent security clearance, the reality is that the one with that security clearancewill be preferred. Agencies will push hard to put forward a candidate with thatclearance, but not someone without one.In this instance, the freelancer won‟t ever get the opportunity to demonstratetheir skills to the end client because the agency will not let them. An agency hasno motivation to put forward someone who lacks a prior security clearance. Theinterest an agency has to provide the contractors that possess a securityclearance is very great, particularly if more than one agency has beenapproached. Even if the contracting department plays by the rules, the recruitingagency will still understand that a security cleared candidate will do better thanone who still has to acquire clearance.The use of Job Boards helps to reinforce this practice. It makes it easier to find asecurity cleared contractor first by giving recruiting agencies access to a muchwider population of contractors (making it much easier to find security clearedones) and secondly it allows smaller agencies to identify those areas where thereis difficulty in finding contractors enabling them to make direct approaches to tryto place their own ones. This extends the supply chain and although this mayseem no bad thing (because it increases the pool of potential contractors) it doesallow an individual agent who might leave a large agency to take with them theirown list of candidates. Whilst this may not be ethical, it does happen and is anunderstandable risk for PCG members. Indeed, it allows an individual‟s identityto be compromised, with an accompanying but as yet unidentified risk accruing.45

Michael Shryane at the Cabinet Office noted that he wanted contractors to bemore robust about many of the problems, and to issue challenges where theyfelt things were not right. This could apply as much to the fundamental questionof whether a particular job or contract really requires a security clearance at thelevel specified as to the „Catch-22‟ dilemma. We uncovered many suggestions inour research that the original government customer in a contract often defaultsto the need for a security clearance when it is not necessarily required, or setsthe requirement at too high a level (i.e. asking for a DV when a CTC mightsuffice). This call to be more challenging may have value, but many contractorsstated that they are nervous about „rocking the boat‟, particularly with potentialclients, for fear that they may end up either being excluded from the opportunityin question (an immediate loss of work) or on some sort of „blacklist‟ and bescreened out of future applications. Over time, a contractor without a clearanceis extremely unlikely to apply for a role requiring clearance since they see nochance of success. This has the effect of reinforcing the problem as agencies areabsolved of the need to deal with un-cleared contractors. The existence of suchblacklists may be more conspiracy theory than reality, but one can understandthe reticence of contractors chasing a small number of opportunities in acompetitive field. We offer a recommendation on this issue in the list ofconclusions at section 4.0 below.46

One concept which goes to the heart of the issues reviewed here is that of thegateway into government business in the security sector and providing for alevel playing-field for those who wish to pass through the gate. We need toensure that the gateway and playing-field are ones which specialist and mediumsized contractors are comfortable with. The most important single means ofdoing this is through monitoring, education, awareness building andtransparency. There was a well-grounded perception amongst specialistcontractors that it was hard for them to gain contracts unless they alreadypossessed a security clearance which the government said they were not obligedto possess.This came over to them, not unnaturally, as discriminatory and arestrictive practice. The government, on the other hand, say there were norestrictive practices. Indeed it would be curious if there were because it wouldrun counter to the point that the government is making, namely that it wants toencourage contractors to come forward.Questions were raised in our research about vetting, not about its necessity butabout whether it could be topped up, or purchased at a basis entry level, at anyrate, in order to facilitate entry into contracting. No one however doubted theneed for good security, given a series of national security threats to the UK andthe need to protect our country from them through the vetting system that hasbeen refined for more than half a century. Certainly it seemed plausible tobelieve a baseline clearance could be purchased but equally that there was nonecessity to do this as most things could now be so easily assembled by thefreelancer. The introduction of Cerberus may further streamline the process tosuch a degree that baseline „preparation‟ for clearance may not be necessary butit is still too early to be certain. Equally there might be security concerns aboutthe provider or questions about what they might do with the data they wouldgather. It seemed clear that the ownership of the risk and therefore of itsmanagement had to lie with the commissioning department in government andwith the recruiting agency acting on its behalf, and certainly not, of course, withthe potential contractor. Finally, there was evidence that the government and47

commercial worlds were increasingly intermingling with security implications forboth of them.If present employment trends and government needs continue it is likely that inthe future there will be an increasing demand for security freelancers in respectof national infrastructure work. This emphasises the risk of creating a skillshortage by allowing the demand for existing security clearances to override theneed for technical skills. If a department is faced with a choice between twocandidates with equal skill sets, the one with the existing clearance will bepreferred. This is not to create a level playing field for contractors but to subvertand distort it.There was a feeling that the government should think about what more it mightwant to do in order to discharge its obligations to specialist contractingenterprises. First and foremost, the government must ensure its guidelines arebeing adhered to. It should, of course, continue to promote awareness in themarket place and develop its education and transparency agendas: informingfreelancers about security requirements will further empower them and allowthem to deal robustly with any attempts by recruiting agencies to discriminatewrongly against prime contractors or sub-contractors. Government says itcannot do this for contractors nor could it support a regulatory regime but itdoes and must have an obvious interest in seeing poor agencies held to account.Whilst hearing what the Cabinet Office says, it is, in the final analysis, open tochallenge and we believe that challenge is called for. We challenge it here.Second, it should continue to encourage freelancers because doing so will bringmuch-needed specialist skills to the areas where they are needed and providethe best chance of delivering genuine value for money. With that said,contracting is complex and freelancers must be free to describe their expertise inwhat they regard as the most commercially attractive way. Equally, in acompetitive market place there will always be those who win and those who loseand those who have an edge over their competitors. Third, the governmentshould continue to emphasise that vetting is much more straightforward than ithas been, that it is faster and cheaper as well. At the same time, the needs of48

national security must be maintained by the government. There has to be a linein the sand and that will not be compromised.Voluntary submission to the Security Service would drive a coach and horsesthrough national security policy and would never be acceptable. On the otherhand, the principle of transparency makes for good governance and bringsrational thinking into the security market place. The government will reflect theguidelines it has issued in its dealings with potential contractors and agencies.Security clearances are part of this but only part. What is more, guidelines areprecisely that and are never going to be legally enforceable. Best practice meansthat what is done is done in the best way by those who are best equipped to doit. This is also about using the resources efficiently. Ongoing auditing ofarrangements is certainly desirable and where possible, and where coreconcerns are clearly set out to it, the Cabinet Office will use the limitedresources it possesses to participate in innovative suggestions put to it by PCG.From the perspective of the Cabinet Office, as policy owner for national securityvetting, there was no doubt but that it was valuable to explore these issues andreassuring to see how they have been dealt with. Questions about the gatewayand access to contractors have led to a strong analytical discussion whichcertainly emphasised the point that there is nothing in the vetting process that isdiscriminatory. Nor, in the view of the Cabinet Office, does the process createunfairness.However, against this, it seems reasonable to point out that even if the processis itself not discriminatory, it nevertheless appears to create the potential fordiscrimination elsewhere in the system.Equally, in terms of the vetting booklet and policy statement, comments aregenuinely sought and in terms of the guidelines it will be useful to revisitclearance times and associated concerns. It is helpful that the OGC is a closepartner here. Together they will work with the whole efficiency and reformagenda that the government is pursuing and the transparency aspects that gowith it: not just in terms of security but also exposing the costs and the burdens49

with the Data Protection Act. The DVA is fully DPA compliant. About fifty percent of applicants do ask to see their reports.There are two ways of working: List X Contractors who are grouped in a TrustedClub; they sponsor their own contractors, declaring the purpose of the vettingand status of the person. They sponsor but don‟t pay. A smaller sub-group willundergo Developed Vetting. Second, there are the Non-List X contractors andfreelancers.The DVA has no control over who works in parliament or on parliamentary orpolitical advisors even to ministers. Parliament does its own vetting but it doesnot undertake DVA-type national security vetting. Political advisors are notvetted because they are not classed as civil servants but rather as specialistsappointed for their expertise in special fields. When Tony Blair was primeminister a large number of applications from advisers were put forward fornational security vetting but since the elections of May 2010 this happens farless and it is not a formal requirement for posts of this kind.In the notification of clearance DVA has no supervisory role. The director ofbusiness resilience deals with national security vetting and how it works, theydeal with List X companies, they check up and supervise. The DVA does nothave the power to deny clearance. The DVA purely carries out the activity, it isnot a policy branch. It gathers information and refers to it. It has the power toaward clearances but not to withhold them.The DVA identifies risks through the vetting process which it will highlight to therisk manager. The risk manager will take this up within the planned place ofwork. It is here that a judgement would be reached either that a risk, if present,is too big or that the risk could be successfully managed. Much might depend onhow valuable the skills of the individual were deemed to be.Employers had to be prepared to accept risks. Where it is decided that a riskcan be managed and the risk is determined, an „after care strategy‟ can be put52

in place. A review of finances or sensitive overseas contacts can be undertakenannually. This is a DVA activity but significant changes to risk may go back tothe risk manager. They are delegated to do a certain amount or riskmanagement. Physical security measures come into play if subjects haveblackouts, for example, because where a problem is identified but the immediateline manager is not informed, this would be identified as a potential problem butData protection means the departments would not be told. If there werepersonal problems and they were aware of them, this would not justifywithholding clearance but a clearance might be reviewed after, say, 18 months.Where a high level of risk has not been identified, a security appraisal systemkicks in. This is an attempt to remind the department, through the departmentalsupervisor of the responsibility that goes with security clearance. The SecurityService, MI5, will check every name and whose name is found. MI5 will let theDVA know if there is any problem.The DVA does not believe that the time scales for clearance are too long, or thatthe system militates against those who don‟t already have them. This is becausetheir timescale targets are being kept. In the DVA‟s view, no more than a coupleof days will be saved if someone with clearance is employed over someone whodoesn‟t have it.People know if they have a foreign or an Irish background, for example, this willmean their clearance may take longer than the norm. But it is also possible thatrecruitment agencies will cite problems at the DVA for the sake of convenienceor for other reasons when in fact it is wrong to do so. Access to the nationalpolice computer is needed to do things properly – e.g. to uncover unspentconvictions, credit failures. But there is a need to disclose spent as well asunspent! The whole process of applying for SC or DV requires that the subjectdiscloses convictions and financial position and that the DVA then compareswhat subject says with what is on file. A failure to declare a conviction is one ofthe most common reasons for denying clearance. This test of integrity is veryimportant.53

The DVA would forward lists of complaints it might receive and in reviewingadvertisements it was discovered that, in many cases, it was not what was beingrequired that was the problem but the perception of it. An advert may say thatclearance was required but not that it could be acquired. There were 1-2complaints per month. This inevitably would produce a disconnect betweenperception and reality.With Cerberus on-line, security clearances will hopefully be done much quickly.An applicant will complete the request themselves if there is no sponsor. With asponsor, they get the keys to other checks – finance, CTC, which are completelyautomatic. This leaves only the checking of names against the data base.Cerberus will determine whether clearances are to be granted or not before theapplication even enters the DVA.If a List X company is involved it will tell the person where to access the forms,monitor that it‟s done and then physically send it to the DVA. They will scan it,decide what checks are needed – the police, MI5. This takes no more than acouple of days.So the Cerberus route will be much quicker and lead to eVetting completely forlower level clearances. But interviews for DV will still have to be done. It is anopportunity to cut staff and this is currently being discussed with the unions.Interviews remain a fundamental vetting tool for Developed Vetting. But herethings have changed too in respect of third party interviews (that is, notinterviews with the subject of the clearance). Such interviewees had beenconcerned that what they say might have consequences for them personally.Whilst there are indeed issues here, they are not insurmountable. This is, afterall, a voluntary process. The third parties don‟t have to be interviewed face toface but by telephone. However face to face interviews with the subject remainkey.54

It would be fair to say that most supervisors and managers can prefer to turn ablind eye if an annual check reveals anything. They will look at informationsupplied voluntarily to see if there is anything which might lead to furtherinquiries except where there has been information provided by MI5. MI5 may ifasked say the subject is not a problem or if it wishes explain what the problemis.The DVA has gone from being a covert to an overt organisation. It is completelyopen. The problem with information supplied by third parties during the processis that it might be very damning or that showing the accusation to the subjectmight break the confidentiality of the information.How many are turned down? On grounds of national security no precise figurecan be supplied (people could work out the various reasons for failure if theyonly knew some of them). If you told them how many failed because of financialreasons it might tell you how many fail because of Al-Qaeda or hostileintelligence service connections.If someone complained and the reason was an MI5 objection the DVA wouldcontact MI5 to find a form of words acceptable to MI5. Or MI5 might say thereshould be no mention of its involvement and this would then be neitherconfirmed nor denied. The DVA would say „cannot tell you the reason butclearance has been denied‟. The subject can then apply to appeal to Cb Officeand the department‟s case for denial has to be supplied. Where the primaryevidence was supplied by MI5 it is possible to employ a special advocate whocan be security cleared who can then give a form of words to the subject.Is it sensible to offer a life-long package? There are two factors here: the valueof clearance derives from a current sponsor who has knowledge of the subject.This value disappears in a life-long system. In any case if someone ceases towork for an organisation their clearance can be transferred to a new employerfor the number of years left on the clearance.55

Second, there is a question of resources. The DVA‟s resources are linked to thenumber of customers. If these were open ended it could be very difficult toestimate the need. One could greatly expand the role and number of branchsecurity officers but this would require huge resources.56

Why Vetting matters: a view from Sir David PepperOn the question of the current security threat picture which underpins the needfor the current vetting regime, Sir David Pepper usefully outlined the picture atthe 4 November 2010 colloquium. Sir David spent most of his career in anorganisation (GCHQ) where everybody was subject to the highest level ofsecurity vetting. It was part of his „mental furniture‟ to complete the forms thatthis requires every few years. His background is not as a security professionalbut a senior user of the security system with two or three particular exposuresto some of the issues here under review. He had experience supporting theSecurity Service (MI5) in counter espionage work, so had some input and someviews on the realities of espionage issues. In his last five years as Director ofGCHQ, one of his responsibilities was to be the final internal point of appeal forpeople to have their security clearance withdrawn. Here he learned a good dealabout the frailties of human nature.Another concern of his had been with the procurement process and howcontractors were used. This was a particular environment and his experienceshave been of that environment, but the principles which underlie this work arepretty much independent of environment. Threats and systems may havechanged in the two years since he left office. One thing is plain: the governmentnow says things about security which would not have been heard even threeyears ago. This is enormously reassuring and very positive.The focus here must be on three questions. The first concerns the nature of thethreats and risks; second, there is the question of how they can be mitigated;and finally what the implications of these might be for freelance contractors. It isimportant to bear in mind the overall philosophy behind the personnel securitysystem. It is but one part of a bigger set of security issues and what is veryimportant indeed is that security should be seen as a holistic system and thatsystem has to deal with personnel security but also physical security anddocument and IT security. Security cannot be properly considered without57

addressing all of these coherently. There is, for example, little sense in spendinglarge sums of money on personnel security if staff can enter a site entirelyunchecked or wander in and out of buildings without any control. It does notmake any sense to spend money on securing IT systems if one then pays noattention to the clearances of people using them. Personnel security is one leg ofa three-legged stool. Some aspects of it are reasonably objective. It is notdifficult to specify how strong a lock, or a barrier should be or how a site mightbe made secure. Personnel security, however, is not like that. It is an art andnot a science. It is a question of judging and managing risks. The 2003 case ofKatharine Gun is a case in point. 9 This woman took it on herself to send to somenewspapers GCHQ material because she was unhappy with UK policy withrespect to Iraq. She freely admitted she had done it and it wasn‟t difficult atthat point to say, this is not an acceptable security risk. What will also bringdown „the house of cards in security‟ is if someone has lied to their vetter. Butmost of the time one is a grey area, placing risks in context and asking whetherthey can be managed.There was a time when government could be fairly accused of being risk averse.It is no longer so, indeed, the position has changed steadily over the years.Almost always one is confronted by a case whereby one has identified a risk, andmust consider whether it can be accepted or not in that particular context.In analysing threat and risk, it makes sense to start at the generic level ratherthan personnel security problems. Having lived through the Cold War, it mightbe tempting to think of Russia as our new friend. To do so would be wrong.Indeed, we are told, openly these days, that there are about as many membersof the Russian espionage in London as there used to be when it was the KGB, soclearly there is something taking place. What are they after? Even allowing forchanges of national circumstances, the answer is what they have always beenafter: defence information, industrial information and industrial information ondefence. There is a lot that Russia wants to know and will want to know about us9 http://news.bbc.co.uk/1/hi/uk_politics/3659310.stm,58

and anybody in NATO. Russia will be seen very seriously as a threat in thesense that they are after information that we do not wish them to have.China, too, must be listed very much higher than a decade ago. It has a strongand wide-roaming appetite for defence and commercial information that we donot necessarily want them to have. That the Chinese are the origin of a largenumber of cyber attacks is widely talked about. There are proven cases wherethey have been caught involved in espionage in North America. For this reason,they should be put very much alongside Russia, but probably in terms of theamount of resources, given the scale of cyber attacks, they are probably thebigger challenge.Indeed, many other countries are also security threats. On the south bank ofthe Thames there is a building which it is widely suspected belongs to MI6.Many other countries have similar buildings and similar organisations. All ofthem have jobs to do, so it follows that there are lots of countries who areclearly potentially interested in espionage and the list is long. It would besurprising, for example, if Iran were not engaged in part with espionage in theUSA and it is not long since the Americans arrested an Israeli for espionage inthe United States.Al Qaeda must be taken as a very serious threat both in terms of their very cleardesire to disrupt life in any country in the world they regard as not friendly totheir purposes, which seems to cover all the world. They clearly want to disrupt.They may well want to be in a position to find out what we know about them aspart of their plan to disrupt. Al Qaeda is, therefore, both a source of potentialdisruption but also as a source of potential information-gathering. The recentsentencing of the young woman who tried to murder Stephen Timms MP shows anumber of things including the striking speed with which she was radicalisedsimply through the internet. The threat posed by Al Qaeda is a very powerfulone.Finally we should consider criminals, the mafia for instance and the activities ofthe media. One of the facts of life in serious organised crime, is the vast amountof money floating around. We are all familiar with the ways in which organised59

crime in many parts of the world finds its way into public life and candramatically change the way people behave. We are rightly worried about theftand fraud and the disrupting of public finances and commerce. Criminals may beused in this process. Finally, there‟s the media. Naturally, the media play anabsolutely fundamental role in guarding our democratic way of life. But, thereare cases where media behave irresponsibly and there is a difference betweenlegitimate publication of information about what the government is doing andpublication simply for the sake of sensation. Examples of the latter mightinclude the case of a member of the Cabinet Office, who having read the papersfor that day‟s Joint Intelligence Committee on his train to work, proceeded toleave them on the train. The citizen that found them thought this wassomething for the BBC. But the BBC behaved with impeccable responsibility.They broadcast the fact that the papers were Top Secret and revealedirresponsible behaviour. But not a word was said about the contents. On theother hand, there have been cases where papers have been leaked to the mediafor reasons of sensation and there are certain newspapers that threaten topublish in detail facts that would damage a current counter-terrorisminvestigation. This is certainly irresponsible. For this reason, some of the mediamust be included on any list of whom to worry about. Finally, it is clear that thePIRA and the IRA pose a very particular threat, which continues at the presenttime despite the progress made in the Peace Process.In turning to what issues we should worry about they will include individualspassing on information to those who should not be given it. This is the classicespionage threat. We must worry too about the physical theft of informationwhether of classified documents, or data, and whenever a laptop is stolen. Wemust also be concerned with disruption. Whereas classic disruption in the pastwill have included Irish terrorists coming over and throwing bombs intoreservoirs and so forth (there is a reservoir perched right above GCHQ on a hill)and even bombing the building, today we worry much more about electronicdisruption. The electronic systems on which we all rely for our daily life and onwhich our commerce relies, are eminently disruptable and that has to be aproblem. Some of the Chinese attacks have come as espionage attempts and60

sometimes their spies have brought little presents which will mature at somepoint of their choosing and will damage the economy. Fraud and financial theftcannot be ignored. The taking of information is akin to taking money and thatmight be fraud in government systems, it might be fraud and theft from thebanks.There are two categories of technique. One is for a hostile power or group to getsomeone inside an organisation and the other consists of working against theorganisation from the outside. To get somebody inside the system there are twomethods. The first consists of taking someone who may well be disloyal to thiscountry, attempting to infiltrate them into a sensitive organisation, and thenusing them for hostile purposes. It is at this point, of course, that securityclearances are of critical importance. The other method is to find someonealready in the organisation and offer them the kind of support andencouragement which will induce them to act as the hostile power or groupwishes. Similarly, radical ideology might be exploited to get individuals in situ tobetray this country. Here ongoing staff supervision to safeguard security is whatcounts.Just as Mr Timms‟s would-be assassin was radicalised into action against him, itwould not be difficult to imagine the same process being used where the personto be turned was already in a position of trust. If it should prove impossible toget an agent inside an organisation, it would be necessary to work from theoutside. This might involve physical theft, trading information andcommunication interception, in particular hacking into systems or a combinationof some or all of these. Coming in from the outside is sometimes easier thanrecruiting someone already on the inside.Turning to the personnel security, it is necessary to consider those we wouldwish to identify as risks and to exclude or manage the risks they represent. Thefirst, obvious category is existing ideology. In earlier days, this applied of courseto communists. Today individuals may favour in some way an organisation whichcauses government concern or support a world view which is seen as worrying.Alternatively they might have existing criminal connections. We must also be61

concerned with the potential individuals have for changing sides. Such peoplemay be perfectly sound when they are recruited but they may then change sidesonce they are inside. How far can one rely on those one recruits to stay on ourside? That is perhaps one of the most difficult things to spot because it is verydifficult to tell if a staff member has changed sides. They might, for example, bebeing pressurized via their families. Similarly, persons may have dividedloyalties, perhaps possessing one foreign parent, of having a foreign spouse,indeed anything at all in their lives where their wish to be a loyal UK citizen canbe undermined by their having another parallel loyalty. Personal weaknessesmay also be problematic. What worries security staff is not what people may getup to but the fact they may wish to keep it a secret. Formerly, being ahomosexual would probably be enough to exclude someone from sensitive work.This has ceased to be true but if an individual had a particular sexual preferenceabout which they did not want anyone to know, this causes vulnerabilities. Thereare other sorts of weaknesses, for example, alcoholism which may cause one towonder if the individual can control themselves and a whole raft of otherpersonal weaknesses (financial, a need for excitement, or arrogance) whichcould be exploited by the enemies of this country. The case of the GCHQ spyGeoffrey Prime is revealing. He was a very insecure person who was made tofeel important by the attention showered on him by the KGB. The careless andreckless person can only pose a security threat. The former is someone whounderstands the need to be very particular but is a scatterbrain and keeps goingout in the evening leaving his classified papers all over his desk just because hehas forgotten to file them away (we all do occasionally). The reckless persondisplays a form of arrogance by knowing the rules but believing they are forothers. This, then, is a list (not a complete list) of things that will cause thevetting process to say, „I wonder?‟It may seem bizarre to imagine that any of the above is plausible, that someonewould, these days, consider spying for Russia but experience suggests this is areal possibility. We should never underestimate the power of greed, the effect ofdebt which can lead to the potential for blackmail and the honey-trap, still aperfectly viable technique. People can change. Security clearance cannot be a62

adge that lasts for ever. It cannot be done once and then forgotten about. Allthis means that the key four stages of checking cannot be eschewed: thebackground check, the referees, the interview and the continued supervision areas important today as they have ever been. Indeed, depending on the risk,supervision may become a truly significant aspect of how all the risks can bematched without losing control. Mitigating the risks by keeping in touch with theperson involved, talking to them repeatedly to ensure the risk is being managed:these are vital parts of the package.For all these reasons, then, contractors must be subject to the same rules ascore staff. Over the years attempts were made to keep contractors fenced offand exposed to as little of the „business‟ as possible. But today more and morecontractors are not being fenced off. Contractors will be providing skills corestaff do not have. They become part of the „family‟ and should be exposed toappropriate information. They will be needed as part of the team. That changesthe rules of the game. Because they are part of the team they must be managedaccordingly. This represents a significant change of mindset, one that thegovernment was still going through two or three years ago. It is much harder tomanage contractors if they are working at arms‟ length. But it does mean thatthe government agencies who are employing contractors are having to developtheir own mindset about the way they go about managing the overall situation.The demand from freelance contractors is to establish four goals or ground rulesin contracting to government: fairness, transparency, efficiency and productivity.„Fair‟ is in fact a dangerous word. It can mean „not accepting the judgementthat has been made‟ on a person. Where „fair‟ means that everyone is treatedaccording to the same sort of processes, the same set of principles and the sameset of rules, that should not cause problems. But „everyone‟ here means we arecomparing contractors within PCG with those outside it. If it is in the nature ofthe security clearance system that it comes up with what might appearsuperficially to be different verdicts on similar contractors, that does not mean itis not „fair‟ but that after detailed examination different answers are produced ina different context. That is, after all, what a market is. Fairness certainly doesnot mean the government is obliged to accept a potential contractor‟s definition63

of risk. As for „transparency‟ it must mean that the process is understood.Current Cabinet Office documents must rank as impressive by any measure;they simply did not exist previously. But „transparency‟ does not mean thatpeople should be allowed access to the information collected by the vetters inattempting to appeal against an unfavourable decision because the informationwill often be gathered in confidence and would not have been provided if theyknew it would be passed back to the individual being vetted.Efficiency is a big concept. It can imply speed where speed is of the essence andthe slowness of the vetting process is as frustrating to the people withingovernment as to those on the other end of it. The system has been very heavilypaper based with files moving through the system even if it is automated. TheDV system is also heavily manually weighted, using referees in different parts ofthe UK. The emphasis is on managing the system as efficiently as possible bykeeping costs down. This may mean that an interview will have to wait for amonth until an appropriate officer is in the area. To do this more rapidlyrepresents a cost. Vetting can be done faster but at a cost. If government is notrequired to bear that cost, that is perfectly acceptable to it. Yet costs can fall indifferent places depending on interests may lie.That said, the pace of life has accelerated. Some departments may be happy tosay „come back within six months‟ but there won‟t be very many that do this.Instead they may be tempted to say that only those already vetted may applybecause, often for genuine reasons, the requirement is urgent. How does onecompare the cost of waiting before work can start with the cost of having lessdelay but faster vetting? In order to move forward it may be necessary toexplore this. It is not true that the system cannot work but it would be mistakento believe that vetting can be successfully undertaken in a week or two.As for the concept of productivity it must be said that this has to do withcontractors being able to work as soon as their clearances have been providedand as easily and productively as internal members of staff. Contractors shouldnot be fenced off but be treated, fully, as team members so that there is ashared goal applying to all.64

The final point to make is that in making recommendations it is vital to berealistic. In politics, on the government side, if the issue is whether to take a riskor the risk is seen as unmanageable then governments (who are always worriedabout negative publicity) will put security before being nice to contractors. Thethreats that face the UK are real and to be worried about, perhaps more so inrespect of those to do with terrorism and financial threats than espionage. Butthe responsibility for protecting our society will always loom very large in theminds of those taking decisions.65