Cover story: Security issues when working on defence related contracts

Responding to the global political situation, governments are placing more emphasis on defence and security. These moves are providing opportunities for smaller companies to secure contracts, if only as suppliers of subsystems to a larger contractor.

But while there may be opportunities for contracts to be won in the defence and related sectors, those opportunities come at a cost; dealing with ministries and other interested parties means companies may well have to adopt an entirely new approach to the way they do business. And that applies just as much in house as it does outside the office.

e2v Technologies delivers solutions, subsystems and components to a range of markets, including aerospace and defence. Amongst the systems to which it has contributed are the US Patriot air and missile defence system and the Eurofighter Typhoon. But it has also been involved in electronic warfare systems and, drawing on its 60 year heritage, radar.

Headquartered in Chelmsford, but with manufacturing and design sites around the world, e2v employs about 1600 people. In its last financial year, it turned over some £200 million. Defence and related activities are an important part of the company's operations, contributing some 40% of annual revenues.

e2v is a leading producer of magnetrons, thyratrons, compact modulators, microwave receiver protection and microwave receivers for use in defence radar systems. It is also a leader in the design and manufacture of helix travelling wave tubes, producing the first glass tube devices in the 1950s, then developing metal/ceramic tubes in the 1960s.

And it is devices like these which are covered by a range of regulations; even the ceramics used in their construction are deemed restricted materials. Darrin Bowler, divisional engineering manager, electron devices and subsystems, said: "Ceramics became subject to export controls because the supplier understood the regulations and the fact that if the component goes into an export controlled product, then the ceramic is also controlled."

So what are the abilities which an aspiring defence contractor needs?

Graham Gooday, general manager, defence, within e2v's rf power solutions division, said: "The main elements are: security; a breadth of technical skills, but with specialisms; and project management."

Unsurprisingly, involvement in this world is not straightforward. "You don't get a straight purchase order. There is a lot of interaction along the way. The customer wants to manage risk and we need to interface with its technical people, its procurement team, its system managers and its quality department. All this has to be done within the appropriate security arrangements."

Security comes in a number of guises – data, physical and personal – and companies need to understand the implications. "If a project has classified elements," Gooday pointed out, "these will be outlined in the Security Aspects Letter, or SAL." This identifies what is classified and to what level, as well as who the customer is. "The SAL might deem that some elements are 'UK eyes only', while other elements may be discussed on a 'need to know' basis. As a project manager, you have to know all of this."

Data security is an obvious element. "Document control is important," Gooday said, "not only in house, but also how information is released. For example, regular email is off limits, but there are methods which allow us to communicate with others; encrypted messages, for instance." All defence projects are housed on a secure IT network and each user needs access clearance.

Maintaining data security during the design process is one thing, but the systems to which e2v contributes technology have lifetimes in excess of 25 years, so data also needs to be archived. Bowler said: "We keep some hard copies of documents, with a register, but also store soft copies on a separate secure network."

Making sure data cannot be accessed by unauthorised people is another important element and it is here that companies and individuals can fall foul of the ITAR requirements (see panel).

Gooday said: "We have to be careful with information, particularly when it's stored on a laptop, as data can be subject to an export license. If a laptop has design parameters for a UK controlled project and its user flies to the US, for example, this could be illegal. Information is just as important as the product."

Then there's physical security. Gooday noted: "Areas need to be physically isolated and people working within these areas need to be aware of who is around them. If they think someone shouldn't be there, they have to lock down and clear their desks. The SAL shows what people can and can't do."

Similarly, test and manufacturing areas need to be secure. Gooday pointed out e2v's use of frosted glass and added that people working in those areas also need clearance.

Meanwhile, anyone working in a secure area needs clearance. "Even if they have clearance," Bowler said, "do they have a 'need to know'? Some senior managers at this site don't know everything about secure programmes, even though they need to run the business."

The defence business is international and governed by security. "The US has particular requirements," Gooday noted. "e2v has to provide the types of nationals who can work on the project. For instance, the US government may say 'US and UK nationals only'."

Bowler added that the aim of any project was to run with the minimum clearances necessary. "But this can be a problem," he noted, "particularly if people don't have a clear work history or if they can't supply references for a certain time. Security clearance needs to be well managed."

Typically, an e2v defence project may take up to two years to develop, then move into manufacturing for a further five years. But once in a while, an Urgent Operational Request arrives. "This brings a different set of requirements," Gooday said. These requests, by their very nature, are short term. "Then we have to do the project management, obtain clearances and so on, quickly. We may have to set up to deliver within 30 days, but still within our secure framework," Gooday continued. "Project managers have to bring teams together quickly and with a plan."

Bowler pointed out this typically means other projects will lose people. "We can't just bring in contractors to cover the shortfall," he said, "so we build in the flexibility to react to capacity, capability and clearance issues. But we can't drop the ball on other programmes."

Finally, the time comes to deliver products and another set of requirements appears: compliance with export controls. Bowler said: "We have to demonstrate, in some cases, the components involved are non ITAR. Some components may start life as a lump of tungsten, but the way in which we turn them into, for example, a cathode makes them restricted."

And there are particular regulations which define restricted products in terms of frequency or power. "It's important to understand these regulations," Bowler insisted. "Something that operates in the MHz range may be exempt, but if the same device operates into the GHz range, it may then be subject to an export license." As an example of the extent of the regulations, he pointed out that satellite broadcast truck technology is now licensable.

Gooday and Bowler said it's critical to understand the customer's requirements and to get involved at the specification and design stages. "Interaction with the customer is very important," Bowler concluded. "Customers are becoming more difficult to please and our response has to be to better understand their requirements, capture them and manage them."

Darrin Bowler's top tips:
• Understand export licence controls. Some controls specify frequency or power. While devices that operate in the MHz range may be uncontrolled, those which operate in the GHz range may be subject to restrictions.
• Understand people. Be clear about your requirements. Security clearance has to be well managed.
• Control information on a day to day basis. Who has access to information?
• Make sure you have a Technical Assistance Agreement in place. This says who is on the programme and shows they have the appropriate clearance levels.

How secret?
Protectively marked material falls into five categories:
• Top secret: Release of this material would cause 'exceptionally grave damage' to national security.
• Secret: Such material would cause 'grave damage' to national security if it were publicly available.
• Confidential: Such material would cause 'damage' or be 'prejudicial to' national security if publicly available.
• Restricted: Release of this material would have 'undesirable effects' if publicly available.
• Unclassified: Used for government documents that do not have a classification. Such documents can sometimes be viewed by those without security clearance.

What's ITAR?
ITAR, or the International Traffic in Arms Regulations, is a set of US government regulations that control the export and import of defence related articles and services on the United States Munitions List (USML). In practice, ITAR dictates that information and material pertaining to defence and military related technologies may only be shared with US persons, unless specifically authorised. While you may think that ITAR relates only to hardware, theoretical access to the USML items overseas or by foreign persons is sufficient to constitute a breach of ITAR. Just carrying files on a laptop – whether opened or not – can be in breach of the regulations.

List X
'List X', which has been in existence for 70 years, refers to contractors or subcontractors undertaking work marked confidential or higher 'on the company premises'. Companies wanting to get List X status have to be sponsored by a Contracting Authority (CA).

The CA can be:
• An MOD department
• An existing List X company acting as prime contractor to one or more subcontractors (all of whom must be approved by the original CA)
• Overseas governments and defence contractors
• NATO
• Other UK Government departments

There are a number of key requirements for List X status:
• A contract at confidential or above
• A requirement for the work to be done on the contractor's premises or for protectively marked information to be held on site

SALs and TAAs
A Security Aspects Letter defines which aspects of an invitation to tender or a contract are to be marked and protected as confidential, secret or top secret. The SAL is the legal instrument under which a UK contractor may be prosecuted under the Official Secrets Act.

Technical Assistance Agreements (TAAs), part of ITAR, deal with the exchange of confidential technical information. A TAA is used when one company is granting another company the use of its technical information. It names the parties involved, the information that will be exchanged and the terms, obligations and requirements for the use of this information.