
DMFD104 Cyber Defence System: Contract Extension

Key information

Decision type: Deputy Mayor for Fire

Reference code: DMFD104

Date signed:

Date published:

Decision by: Fiona Twycross, Deputy Mayor, Fire and Resilience

Executive summary

This report seeks the approval of the Deputy Mayor for Fire and Resilience, for the London Fire Commissioner (LFC) to commit revenue expenditure of up to £214,286, in order to extend the contract with BT Global Services in accordance with its terms for the provision of the Darktrace cyber defence system, for two further years from the initial contract expiry date in July 2021.

The original contract with BT Global Services was entered into after approval from the Deputy Mayor for Fire and Resilience in June 2019, in Deputy Mayor for Fire and Resilience Decision 28 (DMFD28). This approval was for the initial two-year period, and approval to commit expenditure on the two-year contract extension is now being sought. The performance of the contractor has been satisfactory for the London Fire Brigade (the Brigade), and due to the complexity and resource implications associated with the implementation and configuration of this system, it is the Brigade’s intention to continue with the full four-year term.

The London Fire Commissioner Governance Direction 2018 sets out a requirement for the London Fire Commissioner to seek prior consent before ‘[a] commitment to expenditure (capital or revenue) of £150,000 or above’. The Direction also provides the Deputy Mayor with the authority to ‘give or waive any approval or consent required by [the] Direction’.

Decision

The Deputy Mayor for Fire and Resilience authorises the London Fire Commissioner to commit revenue expenditure of up to £214,286.00, for a two-year extension of the existing cyber defence contract with BT Global Services.

Part 1: Non-confidential facts and advice

1.1. Report LFC-0474y explains that in July 2019, the London Fire Commissioner (LFC) accepted a tender (LFC0152-D) from BT Global Services for the purchase of the Darktrace cyber defence system, at a cost of £212,000 for a two-year period, with an option for the LFC to extend for a further two years.

1.2. As outlined in the original decision (LFC0152-D), the security threat posed to organisations around the globe from cyber-attacks, malware and associated threats, has increased exponentially. Most will remember the “WannaCry” ransomware attacks that took place in 2017.

1.3. However, whilst “WannaCry” was perhaps one of the more high-profile attacks, it was one of several attacks that have been perpetrated since the early 2000s and was not actually the worst. Other worms—Conficker, MyDoom, ILOVEYOU—caused billions of dollars of damage in the 2000s.

1.4. The Brigade itself was unaffected by the WannaCry ransomware, due to the efforts of Information and Communication Technology (ICT) staff who worked to ensure that all reasonable precautions had been taken, to protect Brigade systems against this threat. This included isolating the Brigade from the internet for a period of time.

1.5. There is no reason to believe that the threat to systems around the world will do anything other than increase. Some 88% of UK companies have suffered a data breach in the last 12 months (Source: Carbon Black reports) and in October 2020, the London Borough of Hackney was subject to a cyber-attack that caused massive disruption to council operations and is the subject of a large-scale cyber clean-up operation. Whilst the Brigade has multi-layered defence systems already in place, such as anti-virus scanning, web-filtering and a strategy to implement security patches regularly, it is essential that we maintain our existing cyber defence capability.

1.6. The Brigade is looking to take positive action in relation to the ever-changing cyber threat and this will include adhering to the “Cyber Essentials” certification (self-certification) process run by the National Cyber Security Centre (NCSC) and potentially seeking accreditation against the Cyber Essentials Plus standard (which requires external accreditation). Initial gap analysis got under way in November 2020.

2.1. The objective of this report is to seek authorisation to commit revenue expenditure of up to £214,286 in order to extend by two years, in accordance with its terms, the existing contract with BT Global Services for use of the cyber defence system provided. This will allow the Brigade to continue using the system up to the end of July 2023.

Alternative Options Considered

2.2. The alternative to using the contract extension available would be to initiate a new procurement and either re-procure the existing product, or select an alternative depending upon the result of the tender evaluation. The procurement, selection and most notably installation of a cyber defence product is a very substantial undertaking and demands extensive resource allocation from the Brigade’s ICT security team.

2.3. If the Brigade were to install a new product, the post installation “learning” phase would be very time consuming, as staff work with the system to identify “false positives” and adjust sensitivity levels, to ensure that the Brigade’s business as usual and critical operations are not impacted.

2.4. At present the cyber threat within the UK is increasing and it is acknowledged that the cyber defence system provided is a leading cyber defence system, with around 4,000 customers world-wide. The product has worked well since its introduction and has recently taken action to quarantine devices when suspected “malware” was detected.

2.5. Several discussions were held by the Brigade with both Transport for London (TfL) and the Metropolitan Police Service in relation to collaboration opportunities, prior to the current system being selected. No collaboration opportunities were identified at the time. However, given that the proposal is to extend the existing contract for a further two years as the contract allows, we would seek to engage with partners in the GLA Group and in other fire and rescue services, prior to initiating the full re-procurement before July 2023, which would allow sufficient time to discuss the alignment of contract expiry dates and any potential aggregation of requirements.

2.6. Taking the above points into consideration the Brigade considers that the best course of action at this time is to extend the contract for a further two years, rather than initiate re-procurement.

Impacts

2.7. There will be no impact upon the Brigade if the contract is extended to run for two years from its expiry date in July 2021, as long as the necessary approvals for the next procurement are in place prior to contract expiry.

2.8. If authorisation to extend the contract is not provided, a full re-procurement will need to be undertaken, which would incur additional procurement and potential further installation costs.

2.9. If a new procurement is to be undertaken, there will be a significant implication for ICT security staff. This will mean amending the ICT work plan with consequential impacts upon other projects.

3.1. The London Fire Commissioner and decision takers are required to have due regard to the Public Sector Equality Duty (s149 of the Equality Act 2010) when taking decisions. This in broad terms involves understanding the potential impact of policy and decisions on different people, taking this into account and then evidencing how decisions were reached.

3.2. It is important to note that consideration of the Public Sector Equality Duty is not a one-off task. The duty must be fulfilled before taking a decision, at the time of taking a decision, and after the decision has been taken.

3.3. The protected characteristics are: Age, Disability, Gender reassignment, Pregnancy and maternity, Marriage and civil partnership (but only in respect of the requirements to have due regard to the need to eliminate discrimination), Race (ethnic or national origins, colour or nationality), Religion or belief (including lack of belief), Sex, Sexual orientation.

3.4. The Public Sector Equality Duty requires us, in the exercise of all our functions (i.e. everything we do), to have due regard to the need to:
a) eliminate discrimination, harassment and victimisation and other prohibited conduct;
b) advance equality of opportunity between people who share a relevant protected characteristic and persons who do not share it; and
c) foster good relations between people who share a relevant protected characteristic and persons who do not share it.

3.5. Having due regard to the need to advance equality of opportunity between persons who share a relevant protected characteristic and persons who do not share it involves having due regard, in particular, to the need to:
a) remove or minimise disadvantages suffered by persons who share a relevant protected characteristic where those disadvantages are connected to that characteristic;
b) take steps to meet the needs of persons who share a relevant protected characteristic that are different from the needs of persons who do not share it; and
c) encourage persons who share a relevant protected characteristic to participate in public life or in any other activity in which participation by such persons is disproportionately low.

3.6. The steps involved in meeting the needs of disabled persons that are different from the needs of persons who are not disabled include, in particular, steps to take account of disabled persons' disabilities.

3.7. Having due regard to the need to foster good relations between persons who share a relevant protected characteristic and persons who do not share it involves having due regard, in particular, to the need to:
a) tackle prejudice; and
b) promote understanding.

3.8. An equalities impact assessment was carried out as part of the original procurement. This indicated that the system will not have a disproportionately adverse effect on any persons with a particular characteristic. The cyber defence system works in the background and should be invisible to the user. It will, however, protect all users from the impacts that a cyber-attack can have on the day-to-day activities of the organisation. In fact, the key intended purpose of the software is to strengthen and protect individuals from a cyber security attack.

Procurement and Sustainability

4.1. The LFC awarded the contract to BT Global Services following a mini competition utilising the Pan London ICT Framework Lot 4. The contract is for an initial term of two years and commenced on 18 July 2019. The contract also includes an optional further extension of two years exercisable by LFC if notice is given prior to expiry of the contract. The current expiry date is 17 July 2021, prior to enacting any further period of extension and with the last date to notify the supplier of the intention to extend being 17 April 2021. Extending the contract would see it terminate on 17 July 2023.

4.2. A price review is due on the anniversary of the contract in June 2021, which under the terms of the contract should be calculated by use of the consumer price inflation (CPI) applicable at the time. As this is a relatively volatile index, and in order to provide certainty for LFB, BT Global Services have confirmed that, should the extension be agreed, the price increase (to be applied at the contract anniversary in June) will be 0.7%. The 0.7% figure was the most recent CPI figure (October 2020) available from the Office for National Statistics (ONS) data set when the quotation for the extension was provided by BT Global Services. This figure agreed with BT has been included in the total figure in the recommended decisions above.

4.3. Consideration of Responsible Procurement requirements will be undertaken as standard process as part of the future re-tender. Responsible Procurement performance of the supplier, BT Global Services includes:
i. Compliance with the Modern Slavery Act with a published Statement;
ii. a Prompt Payment Code signatory and compliant with the Code’s target of 95%;
iii. operating an Environment Management System certified to ISO 14001; and
iv. reporting an average gender pay gap of one pence.

4.4. Responsible Procurement performance of the cyber defence product manufacturer includes:
i. A large supplier based on turnover;
ii. a published Modern Slavery Statement, although it is now out of date;
iii. reporting an average gender pay gap of 8.8% in favour of men; and
iv. no submitted reports on prompt payment performance.

Strategic drivers

4.5. The extension of the existing cyber defence contract will allow the Brigade to continue to ensure that both operational and non-operational staff are able to carry out their roles, to serve and protect the people of London, by ensuring that all Brigade activities are able to continue, safe from attack by hostile actors.

5.1. This report requests authorisation to commit revenue expenditure in order for LFC to exercise a two-year extension to the existing Darktrace cyber defence system contract, which expires in July 2021, at a cost of up to £214,286 over two years (predominantly affecting the 2021/22 and 2022/23 financial years). This extension is provided for under the contract, which was previously awarded in 2019. Under the terms of the contract a price review takes place on the anniversary of the contract, and the agreed increase is 0.7%, which has been included in the total cost figure. The funding for the contract is contained in LFB’s current ICT (Server and Cloud - Software Off-the-Shelf) budget.

5.2. It should also be noted that the 0.7% inflationary increase has been agreed with the supplier in advance of the usual date. As a result, if the inflationary increase in line with the original contract is higher or lower than this, there is a risk that the LFB would be incurring a different cost than if the increase was based upon the original date. It should be noted that a 1% variation would result in a £2K variation over the life of the contract extension.

5.3. There are no direct financial implications for the GLA.

6.1. Under section 9 of the Policing and Crime Act 2017, the London Fire Commissioner (the "Commissioner") is established as a corporation sole with the Mayor appointing the occupant of that office. Under section 327D of the GLA Act 1999, as amended by the Policing and Crime Act 2017, the Mayor may issue to the Commissioner specific or general directions as to the manner in which the holder of that office is to exercise his or her functions.

6.2. By direction dated 1 April 2018, the Mayor set out those matters, for which the Commissioner would require the prior approval of either the Mayor or the Deputy Mayor for Fire and Resilience (the "Deputy Mayor").

6.3. Paragraph (b) of Part 2 of the said direction requires the Commissioner to seek the prior approval of the Deputy Mayor before “[a] commitment to expenditure (capital or revenue) of £150,000 or above as identified in accordance with normal accounting practices…”.

6.4. The Deputy Mayor's approval is accordingly required for the Commissioner for such expenditure on the extension of the cyber defence system contract.

6.5. The original procurement of the cyber defence system is consistent with the Commissioner’s power under section 5A of the Fire and Rescue Services Act 2004 to procure services they consider appropriate for purposes incidental to their functional purposes.

6.6. Under section 2(1) of the Policing and Crime Act 2017, the Commissioner has a duty to keep under consideration whether entering into a collaboration agreement with one or more other relevant emergency services in England could be in the interests of the efficiency or effectiveness of that service and those other services.

6.7. The LFC’s General Counsel also notes that the cyber defence system was procured in compliance with the Public Contracts Regulations 2015, but that the two-year optional contract extension and the expenditure to cover the contract extension were inadvertently omitted from the approvals sought before the award of the contract.

Appendix 1: LFC – 0474y – Cyber Defence System: Contract Extension

Signed decision document

DMFD104 Cyber Defence System Contract Extension - SIGNED

Supporting documents

DMFD104 Appendix 1 - LFC-0474y
