Pass Notes - Thoughts On MOD Loss of Security Passes
The most powerful document in Government is an individual’s
identity pass. It reveals who they are, confirms their identity and permits
access to specific sites for work purposes. Every member of the armed forces
possesses an official ID card, while everyone working on sites will (usually) be
in possession of a site-specific pass. It is the one thing that all the Armed
Services (regular and reserve), civilians and contractors will
have in common – they should have an ID card or pass. The news therefore that
the MOD has confirmed that 3800 passes have been reported as stolen or missing
in 2023 has raised concerns in parts of the media. The story, initially a Hansard question which
was then picked up by the highly regarded UK
Defence Journal and then republished with added comments in the
Sun, has raised concerns that terrorists are able to use this information
to conduct a terrorist attack. This included comments about security risks from
Lord West, well known for leaving a briefcase full of secret material by a canal
in the 1980s. The Labour Party (the UK Opposition party) has called for
an official inquiry, but how serious an issue is this in reality?
Some 3551 passes were reported ‘lost’ and a further 285 ‘stolen’.
On paper this represents roughly 1.5% of the total MOD / Military headcount of
some 250,000 regular, reserve and civil service personnel. Trying to determine
how the figure was reached is more complex than this. For starters, even if the
passes were reported lost, it is not clear how many have then been found
shortly afterwards. Those familiar with Murphy’s law will be equally familiar
with the law that states that shortly after you’ve reported something missing,
you will find it. This is too late for MOD, whose security teams will rightly
take action when a lost pass is formally reported – it could be something as simple
as a pass falling into a folder, or slipping under a car seat, which goes
missing and then is found later on – there is no way to distinguish between this and
individuals who lose their pass while out and about and never see it again.
The next question that needs to be clarified is whether this
figure is drawn from permanent passes, or if it includes visitor passes too. If
you visit an MOD site, you can expect to be given a pass that clearly shows you’re
a visitor, and whether you need to be escorted or not – it is entirely normal
for Military and Civil Service colleagues from other sites to be issued with
these passes when visiting an MOD establishment that they don’t normally work
at. If you consider how many visits occur daily at the thousands of MOD establishments
around the world, it is easy to envisage circumstances where genuine mistakes
are made, for example wandering off site and forgetting to hand your visitor
pass in may result in the reception team reporting it as a lost pass – even if it
is returned later on. Alternatively, someone may put the pass down, forget they
have it and where they put it. The visitor pass hasn’t gone missing, there is no
security risk, but it still remains, even temporarily, unaccounted for. This is
not to play down the threat from genuinely lost passes, but we do need to distinguish
between those passes permanently lost and those which have always been in
official hands and simply temporarily misplaced.
Finally, we need to ask who is losing these passes – is it only
the ‘normal’ workforce or does this figure cover everyone who has been issued a
pass, a figure that may include contractors, visitors, temporary pass holders or
other circumstances? We should not assume that these passes have been solely
lost by inept Civil Servants, and instead ask how so many passes have managed
to be misplaced – is it as simple as improving the quality of lanyards to stop
them falling off or out of their holder? Is a better accounting measure to
ensure visitor or temporary passes are handed back (e.g. to be issued one you
need to hand over a piece of formal ID) a good way to resolve this?
While it is easy to find people prepared to claim that these
incidents represent a terrorist threat, there are multiple checks and balances
within the system. The chain of events in which someone ends up losing a pass
to the extent that someone finds it, copies it and can use it for nefarious
intent is relatively unlikely. Even being able to copy a pass does not ensure
that someone can gain access to a sensitive site – while this is not the location
to discuss other measures that may, or may not, be in place, it is worth noting
there are plenty of other mitigations and procedures which make it very
unlikely that a missing pass can enable a terrorist attack to happen in isolation.
What these stats do remind us of though is the importance of
trying to maintain a holistic approach to security. Passes are just one part of
the equation when it comes to protecting sites. If you look at the wider
perspective of security, what is of equal concern is the way staff willingly
share important information online that can be of significant value to hostile
intelligence services or terrorists. For example, look at LinkedIn and you’ll
see plenty of military staff advertising their skills, experiences, and security
clearances. Search for ‘Trident’ for example and it’s easy to find people able
to talk about almost every aspect of the Nuclear Firing Chain. Similarly,
groups like SC&DV Cleared jobs are a veritable intelligence officer’s collection
dream, giving lots of people the chance to make out that they know the colour
of the boathouse in Hereford.
We live in a digital world where people think little of their
digital footprint or how the information they post may assist others. Look for
instance at how in the 2010s people were posting photos of their loadout on
HERRICK, usually hosted on an open internet site, that would have enabled hostiles
to understand the composition of a typical US or UK infantry patrol and who was
carrying what weapons and equipment. Very minor information, but potentially
useful in an ambush scenario. Similarly,
if you look online you’ll see a plethora of valuable collection information ranging
from the composition of nuclear weapon convoys through to the specific roles of
certain buildings in the Coulport facility, which is where the UK stores a
significant proportion of its nuclear warheads. It is also surprising that
unlike in France or other European countries, there is no blurring of sensitive
sites on online mapping. If you look at key French military bases you cannot
see them – there is just a blur. In the UK (and US) most nuclear sites are completely
observable from above – again, a minor intelligence issue given that the key
powers that do care already have better imagery of these sites, but when overlaid
with information about the buildings’ role, suddenly it helps allow low-level intelligence
collection for both state and non-state actors.
Security needs to be more than just about whether a pass is
stolen or lost and far more about the all-encompassing approach that makes MOD
sites a ‘hard target’. This ranges from not wearing your pass outside to
ensuring that you don’t talk about work on social media or give information
away that could be used to help build pattern of life activity on potential
targets. There is little point making out that a site is incredibly secret if
you then upload your Strava heatmap that goes to prove its existence – for example
if you look at Djibouti, it’s very easy to find out where foreign military forces
are based and the location of perimeter fences. When overlaid with the fact
that you can spot US military facilities highlighted on imagery, this means that it
is ridiculously easy to spot where people are operating and exercising.
Similarly, it is also worth remembering the importance of all
the key security disciplines and of protecting not just passes but also IT
assets. Another Hansard question reveals that in the last year the MOD
has lost 185 laptops, 98 phones, 70 external hard drives and 30 memory sticks –
not an ideal situation to be in, even if the devices were remotely disabled.
Getting people in the mentality of protecting all assets and data is critical. While
pass discipline matters, we should be realistic about the extent to which it
protects sites in isolation. What matters far more is training people not to
give information away, making it harder for individual targets to expose their
value as either a terrorist or intelligence opportunity, and putting in place the right
discipline and skills needed to ensure that people remember ‘security is everyone’s
responsibility’.