Written evidence submitted by Ed Arnold


This submission is based on Ed Arnold’s current research on UK National Security Strategy, Strategic Defence and Security Reviews (SDSRs) and the National Security Council (NSC). It is also based on relevant operational experience working within and alongside Ministry of Defence and Home Office agencies and public bodies as a British Army Officer and a security consultant, in the areas of risk and crisis management, policy and intelligence collection.


Ed is not a bio-security expert and has therefore focused on responses to the set questions on resilience, response exercising and policy within a crisis management context. Recommendations are in bold.


The extent to which the Government has supported domestic preparedness against biosecurity risks in terms of: building and measuring resilience; designing emergency response mechanisms; testing and exercising that response, and building the lessons from exercises into active resilience planning and into resource allocation priorities; and anticipating required public communications campaigns, and devising means to measure their effectiveness.


  1. As an immediate caveat, it is difficult to currently assess the level to which HMG has supported domestic preparedness. As we are still very much in crisis mode, comparisons with different countries handling of the pandemic are limited and the data is not yet available to fully assess the response, and thus preparedness of the UK. However, available evidence suggests that HMG identified Public Health as a risk in 2010 but did not adequately prepare the UK to be able to respond to the Covid-19 pandemic in 2020, as other risks and threats were prioritised.
  2. Public Health has been a Tier 1 threat under the National Security Risk Assessment (NRSA) since the Strategic Defence and Security Review (SDSR) 2010 and reaffirmed in SDSR 2015. However, ‘Bio-security’ only features once in SDSR 2015 as a commitment ‘We will publish a national bio-security strategy in 2016, addressing the threat of natural disease outbreaks, as well as the less likely threat of biological materials being used in a deliberate attack’[1]. Again, ‘Bio-Security’ only features once in the National Security Capability Review (NSCR) 2018 as a reference to commitment 43 of the 89 SDSR 2015 principal commitments ‘We will publish a national bio-security strategy in 2016[2]. In the NSCR this commitment is labelled as ‘In progress or ongoing’ and was delivered two years behind schedule.
  3. The two-year delay for the Bio-security strategy is unremarkable in itself as at the time cross-Whitehall capacity and focus was consumed by Brexit. However, in addition, the refreshed CONTEST 4.0 CT strategy was planned for 2016 but published in 2018. The delays to these security strategies pose questions as to the drivers behind them.
  4. In the case of CONTEST, in 2017 – the year in-between the planned and actual publication date – the UK experienced a series of terrorist attacks (Westminster, London Bridge and Manchester), with a further number of attacks foiled. Therefore, it is unclear how critical the new strategy was as the extant guidance in these cases proved sufficient to respond and investigate these attacks to their conclusion.
  5. In the case of the bio-security strategy, the driver is unclear. In addition to the NRSA and SDSR commitments outlined in Paragraph 2, EXERCISE CYGNUS, a 2016 three-day simulation exercise of the impact of an influenza pandemic on the UK, are the main HMG artefacts to assess risks and preparedness for bio-security. The fact that there was a six-year gap between identifying the risk and first exercising it points that the driver for the strategy could have been for completeness’s sake as opposed to a specific risk or threat-based calculation. This would suggest that while Tier 1, the risk was given a lower priority to the other five Tier 1 threats that the UK had more recent experience of.
  6. The 2018 bio-security strategy contains no reference to the 2016 CYGNUS EXERCISE despite the report finding that The UK’s preparedness and response, in terms of its plans, policies and capability, is currently not sufficient to cope with the extreme demands of a severe pandemic that will have a nationwide impact across all sectors’[3]. One would expect the lessons identified/learnt of the exercise to form the bulk of the strategy as a baseline as the first significant exercise of its kind.
  7. Throughout my career I have been involved in the participation, planning, delivery and exploitation of various exercises at the strategic through to tactical level. It is incredibly difficult to replicate real life scenarios without significant effort and expense. However, I offer the following observations:
    1. Large scale exercises, especially when they across departments, are a significant undertaking. For operational departments, these are often seen as distractions from business as usual activity and are not given the attention they deserve. Moreover, if the exercise is led from a single department, the other departments can take less interest in it and its findings.
    2. Participating staff and organisations usually have advance warning of the exercise and are able to predict or find out serials, injects and objectives in advance. This often impacts the lessons learned process as the findings are not as reflective as an exercise with genuine surprise.
    3. Lessons learnt initiatives often focus on listing everything that went wrong or that could be improved, as opposed to focusing effort on mitigating and rectifying the behaviours, processes or chain of events that led to the performance issue. Furthermore, due to the relative infrequency of these exercises and the fact that most public-sector appointments are for two years, a continuous improvement culture isn’t present. This is the only way that HMG and Whitehall can always ensure that their response mechanisms are always the best that they can be to respond to a range of threats.
    4. Any crisis management or response exercise must also include a command and control element. When testing, it is useful to include frictions, some real, some imagined, to identify weaknesses in decision-making processes. As a lesson of the response to Covid-19, future exercises must also include the extensive use of secure and non-secure teleconferencing systems and key personnel being incapacitated at critical points of the crisis.
    5. Recommendation 1 Consider creating a centralised exercise team for cross-Whitehall responses to national security risks to support the delivery of Fusion Doctrine.
  8. Of the six Tier 1 threats in the NRSA, the UK had direct and recent experience of the other five, but not in ‘Public Health’. Planners and analysts possibly suffered from a ‘failure of imagination’ of fully grasping the potential impacts of a pandemic on the UK. Yes, they would have been modelled, but there is a real-life impact of directly experiencing how it actually unfolds. Similarly, pre-9/11 aviation security focused on the terrorist threat to blow up aircraft but didn’t fully consider the ability to use the aircraft itself as a delivery system for an attack.

The extent to which the Government's planning for pandemics in the 2015 Strategic Defence & Security Review, the subsequent National Security Capability Review and the 2018 Biosecurity Strategy helped in guiding that preparedness.

  1. In addition to Paragraphs 1-5, planning for pandemics may have suffered from a misunderstanding of risk assessments. In my experience, having a completed risk assessment is viewed as an end in itself. However, a risk assessment utilised as such is simply a long list of things that may go wrong at some point in the future. The focus must be in continually exploring mitigation measures for each risk, especially as new technologies or teams are created, so that it can be reduced to as low as practically possible. In the case of the NSRA, it is difficult to consider how ‘Public health’ could have been categorised as Tier 1 in 2010, reaffirmed in 2015, with a cross-government strategy not implemented until 2018, based on an exercise conducted in 2016.
  2. Recommendation 2 – As part of the NRSA process and SDSR process more broadly, consider switching focus away from risk identification and towards risk mitigation. This focus should include how Fusion Doctrine can enable better ways of working and how technological advancements can continually mitigate risk more effectively.

The extent to which policy-making in this area draws on cross-government input, and how well preparedness plans have taken a genuinely 'fusion doctrine' approach (that should optimally combine UK capabilities to promote 'security', 'influence' and 'prosperity' objectives)

  1. Fusion Doctrine experienced notable success in 2017 in response to the poisoning of the Skripals in Salisbury. This is in stark contrast to the hesitant and partial response to the 2006 Litvinenko poisoning. From a governance perspective, the key difference between 2006 and 2017 was the establishment of the NSC and its ability to coordinate a response at the centre of government.
  2. Fusion doctrine acknowledges that ‘Many capabilities that can contribute to national security lie outside traditional national security departments and so we need stronger partnerships across government and with the private and third sectors’[4]. Again, it is difficult to assess the response at such an early stage but the Department for Health and Social Care (DHSC), Public Health England (PHE), the private sector and local government have been central. In this sense, Covid-19 might be the agent that has highlighted the requirement to have a much broader range of stakeholders input into policy-making.
  3. The Secretary of State for Defence, Rt Hon Ben Wallace MP, in an evidence session to the House of Commons Defence Committee on Wed 22 April 2020, stated that the NSC had ‘not met since the crisis started’ and that NSC (Officials) ‘met last week (W/C 13 April 2020)[5]. It is very concerning that the NSC did not meet in response to a Tier 1 National Security threat of 10 years and poses an existential question for the NSC itself and the process for conducting NSRAs.
  4. There is no universally accepted crisis management framework, with each organisation and government tailoring their approach to their specific requirements and culture. However, there are some accepted principles that if followed, can enhance the chances of ‘having a good crisis’.
  5. The governance structure that has materialised to respond to Covid-19 is ad hoc and HMG has seemed to create another crisis management model. A principle of crisis management is that in times of crisis, one must be able to trust the institutions and processes that have been designed, tested and built exactly for that purpose. What has occurred during the Covid-19 response in the UK would strongly suggest that the impact of a pandemic wasn’t sufficiently stress tested or exercised ahead of the outbreak and was unlikely a sufficient learning outcome of EXERCISE CYGNUS.
  6. It is unclear exactly how policy has been formed during the pandemic response or whether it has followed a genuinely fusion approach. COBR immediately supplanted the NSC as the de facto crisis management institution. However, the NSC, with a permanent core membership and staff, would have been the more obvious entity to respond and enable the much-needed coordination, especially as a pandemic was a Tier 1 National Security threat.
  7. COBR has also evolved into an ad hoc membership, with ad hoc chairmanship, depending on the nature of the crisis. It is supported by further ad hoc thematic committees each leading strands of the response which are not currently making the necessary coordinated impact. The following sub-committees were stood up in addition to the other NSC and Cabinet sub-committees:
    1. Public Sector – Chaired by Chancellor of the Duchy of Lancaster
    2. International – Chaired by the Foreign Secretary
    3. Healthcare – Chaired by the Health Secretary
    4. Economy – Chaired by the Chancellor.[6]
  8. The product of this reactive change to governance was a more confused policy making picture. In the case of the Covid -19, as opposed to a likely response to another Tier 1 threat, this confusion was increased due to many senior ministers and advisers contracting the virus. From a national security perspective this list included the Prime Minister, Foreign Secretary and First Minister of State, Secretary of State for Defence and the National Security Adviser. It is unclear whether EXERCISE CYGNUS tested command and control and the friction of decision-making in such circumstances but should have definitely been an assumption within the design of the exercise itself.

In regard to the oversight of such policy-making and the management of biosecurity risks within overall national security risks: the roles and responsibilities of the National Security Council, relevant Government departments and agencies, and how their work is coordinated with that of the Devolved Administrations.

  1. Public Health is different to the other Tier 1 risks in the NRSA as it has involved decentralised decision and policy making at a Devolved and local government level as the pandemic has affected different parts of the country at different times. Generally, responses to other Tier 1, or Tier 2 risks, are led by central government as in the case of International Military Conflict, or with central government supporting a region, for example in response to Major National Hazards such as severe flooding. The response to Covid-19 is unusual as it has necessitated both a centralised and decentralised response of which we are now experiencing friction between the two. This has direct impact on speed of decision-making which is critical for effective crisis management.

19 October 2020


[1] Strategic Defence and Security Review 2015, p43.

[2] National Security and Capability Review 2018, p47.

[3] The Guardian, What was Exercise Cygnus and what did it find?, 7 May 2020 (Accessed 12 Oct 2020)

[4] National Security and Capability Review 2018, p11.

[5] Rt Hon Ben Wallace MP, Secretary of State for Defence, Evidence to House of Parliament Defence Select Committee, 22 April 2020.

[6] Ibid.