Sir Edmund Burton is a retired general and an experienced and highly innovative senior executive with extensive experience within the UK defence and security community operating at both ministerial and board level. He has been a staunch advocate of the importance of treating information as a key business asset and of protecting it accordingly. He was formerly executive chairman of the UK national Police IT Organisation, leading a major business improvement programme, and a knowledge adviser to the Cabinet Office, other government departments, private sector and academia on information assurance processes and the need for education and training.
At the age of 15, Edmund Burton made the decision to apply for a commission in the army. In doing so, he was following a tradition of a military service career which had been set by all of the male members of his family since the mid 19th century.
Edmund left school at eighteen and went to Sandhurst for the two-year commissioning course, during which he took the Cambridge University mechanical sciences qualifying exam.
He was commissioned into the Royal Regiment of Artillery and posted to one of the UK’s two army missile regiments, based in West Germany. He explains: “That tour of duty in Germany, which included education and training, provided my first experience of leading soldiers and of managing a key component of a complex system of systems. The practical experience with surveying, meteorology, radar and analogue computers that I gained from this initial period of service in the Missile Regiment was to provide me with an invaluable foundation for my degree course at Cambridge.”
Edmund also attended the Regimental Signals Officer course at the School of Artillery.
Edmund says that the time he spent based overseas influenced his thinking in two main areas. He explains: “The first one is the reality of the threat. The 1st British Corps was stationed in West Germany in the post-war years as a key component of the Northern Army Group of NATO. In the 1960s these troops numbered over 55,000 and were maintained at two hours’ notice to move out of barracks to operational deployment areas. The reality and the scale of the threat was clear. The forces of the Warsaw Pact and of the Soviet Union were visible across the inner German border, which was marked by a high barbed wire fence, minefields and watchtowers, stretching from the Baltic to the Adriatic. My second point is that of the crucial importance of physical and information security. The proximity of the threat presented by the forces of the Warsaw Pact and Soviet Union and their recognised expertise in monitoring and interfering with NATO communications obliged us to take communication security very seriously.”
In 1975 Edmund attended the Royal Military College of Science in Shrivenham, Wiltshire, where he studied for a one-year postgraduate science and technology course, which included lasers, image intensification, infrared imaging, IT and communications, guns, ammunition, armoured vehicle design and operation analysis. He says: “I realised in later years that this unique educational experience was to provide me with a foundation of knowledge and understanding for the rest of my professional career. In a nutshell, education is for life and it delivers understanding. When a system and set of processes fail, it is usually attributable to a lack of understanding.”
Edmund went on to attend the Royal Navy staff course in Greenwich.
Ministry of Defence
After attending the staff course in the mid-1970s, Edmund was appointed to a role at the Ministry of Defence responsible for the current and future specification and programming of equipment capabilities required for the accurate employment of artillery. He explains: “These capabilities included the early generations of IT, survey, meteorology, muzzle velocity measurement and their integration, in order to deliver optimal effects from the UK’s reducing force structure. At that time the most significant advance in gunnery was the Battlefield Artillery Target Engagement System known as BATES. As its name implies, this was conceived as a means of integrating the elements of the artillery target engagement system from observer, through the fire control system to the gun platforms. It was to replace the very successful ballistic computation equipment and represented a huge leap in thinking and in IT engineering. Indeed, in retrospect, I believe the scope of that requirement far exceeded the computing capability of the technologies of the day. The development of the BATES project was also to demonstrate many of the failures of subsequent major IT systems. The issue of complexity, the difficulty of capturing and stabilising requirements and the limitations of processor technology were major handicaps.”
In 1978 Edmund was posted to an artillery regiment close to the inner German border in command of a gun battery of six tracked self-propelled guns. Shortly after his arrival, his regiment were for a five-month tour of duty in Northern Ireland in the infantry role. He adds: “This involved a comprehensive, well-developed, training package and significant organisational changes.” The operational tour in Belfast involved developing tactics, techniques and procedures for the use of newly fielded technologies, including a new generation of weapon sights and an Automatic Number Plate Reading system (ANPR). Edmund adds: “This is an excellent example of the effective appliance of science and technology to deliver improved operational effectiveness. Some 40 years later, Automatic Number Plate Reading systems are widely deployed by UK police forces and, in the commercial sector, by large car park businesses, such as in airports.”
Edmund returned to the Ministry of Defence in 1980 taking on responsibility for the career management of all majors in the Royal Artillery. The Army had a severe shortage of people who understood Automatic Data Processing (ADP), and the Royal Artillery needed a qualified and confident generation of ADP IT experts and users. Edmund says: “In the context of this particular job I was able to guide selected officers towards ADP and IT programme management career paths and this was to be an important initiative to meet the increasing need for IT programme staff. Furthermore, it provided new career opportunities for the individuals concerned.”
Royal Military College of Science
Edmund’s next move was as an instructor at the Royal Military College of Science at Shrivenham in Wiltshire, which delivered science and technology, and management education to officers and civilians through bachelor and masters level programmes and through specialist short courses. Edmund was involved with teaching army mid-career students on Army Staff courses and at the postgraduate level, and managing a Master of Science course in gun systems design.
He says: “That appointment enabled me to develop and apply all that I had learnt in the previous twenty years of my career: in effect, the practical integration of capabilities to deliver combat effectiveness, as the commanding officer (CO) of an operational artillery unit in the 4th Armoured Division, based in West Germany. The experience of leading, training and developing the talents of men and women, taking responsibility for all aspects of their wellbeing and performance, is a demanding and rewarding experience. This might be summarised as ensuring that each person is able to achieve their full potential and in so doing to enable the regiment to deliver optimal operational effectiveness.”
Following on from his time as CO, Edmund spent two years in the MOD, where he was responsible for sponsoring the British Army’s surface-to-surface weapons and air defence and related IT capabilities. This was followed by two years as Commander Artillery in support of the UK’s largest armoured division deployed in West Germany, within the 1st British Corps.
British Embassy in Washington DC
Edmund was posted to the British Embassy in Washington DC as the Military Attaché and Commander British Army Staff, just before Christmas 1988. He explains: “My role was as the representative of the UK Chief of the General Staff to his opposite number in the US Army. This proved to be a particularly significant period in UK/US relationships as the UK became a key contributor to the Desert Storm coalition operation.” He adds: “As an experienced member of the British Army I was impressed by the huge scale of the US military regular and reserve forces, and by the intellectual rigour with which they developed their operational doctrine; their operational analysis; the thoroughness of their planning, both in their approach to post-Cold War force reductions and to the closure of many military bases around the world and in the continental US. I was also impressed by the major scale of investment in research and development in the US and the appliance of science and technology to war fighting and by their single-mindedness in their approach to what they called ‘digitization’ of military capability: it was that observation during my time in Washington that enabled me to develop the digitisation theme in my next appointment as Commandant of the Royal Military College of Science at Shrivenham and subsequently in the Ministry of Defence.”
Royal Military College of Science II
Between 1991 and 1994, Edmund returned to the Royal Military College of Science in Shrivenham, Wiltshire as Commandant. During that period the College was a well-established partnership between the services and Cranfield University, providing undergraduate and postgraduate education and shorter technical specialist courses, principally to officers of all three services, and to MoD civilians. Edmund says: “The term partnership is significant. The ability to develop and sustain an efficient and effective partnership approach to delivering an outsourced service is crucial to delivering value for money to the taxpayer.”
The College delivered a range of courses, including short specialist courses on topics as diverse as bomb disposal and military operation analysis, to a programme of ten undergraduate and fourteen Masters courses in science and technology management, underpinning the principal Army Staff courses in defence technology and military studies.
Edmund says the breadth and depth of expertise of those teaching “enabled the military and civilian staff to provide a unique mid-career educational stimulus for the services in the management of science and technology. This would be a key component of their knowledge base for all their future assignments. Science and technology provided a catalyst for the transformational changes needed then in the post-Cold War years of the early 1990s and now in the latter years of this decade. The College introduced new approaches to thinking and problem solving, such as brainstorming and mind-mapping, and provided every staff course student with a laptop, now very much taken for granted, but was then a radical step.”
As Edmund’s career progressed, he outlined the ‘capability approach’ which he advocated during the build-up to the Strategic Defence Review in the mid-1990s. The approach is set against certain assertions and definitions as he explains: “The first point is to emphasise the importance of our people and the fact that our people and our information, knowledge and data are key enterprise assets, therefore, to be developed and protected accordingly. My second point is about the context of these thoughts. Our environment is increasingly complex and uncertain: organisations and systems are increasingly interdependent and risks must be identified and managed jointly by operational and commercial partners. Risks cannot be outsourced as, in the last resort, they impact on the user/customer. Technology is advancing at an increasing rate and is available to law abiding users and villains alike. Worth noting here that procurement decisions for criminals with money to spend are made more rapidly than in most government departments, which are answerable for ethical practice, seeking best value for money through competition, taking account of through life affordability. Success may well depend on how effectively technology is applied in an operational environment. In this uncertain and fast-moving environment, I advocate the adoption of what I termed a capability approach, and this was the approach that we adopted during the build-up to the Strategic Defence Review in the mid-1990s.”
Edmund says the approach enables the UK to manage threats and opportunities. He goes on to outline the differences between it and a traditional approach and provides insight into seven essential principles that are needed in order to avoid failure.
Land Digitisation Programme
As the Cold War ended, Edmund says the democracies were quick to seize their peace dividend, something that he witnessed in 1989 when he joined the British Embassy in Washington DC as the Military Attaché and Commander British Army Staff. He explains: “Bold assumptions were being made by politicians, and military commanders were responding in order to deliver mandated savings. The core assumption was that the world had seen the end of conventional armoured warfare, the future would be asymmetric operations, for which light, agile, forces would be the dominant capability. None foresaw the invasion of Kuwait in 1990 and the deployment of large-scale, multi-national, heavy armoured, formations to the Gulf in order to liberate Kuwait.”
One outcome, which the US were among the first to identify from their experience of the Desert Storm operation, was the need for greater interoperability of systems.
Edmund adds: “The US Army and other services were well ahead of the British Army in their exploitation and deployment of commercial IT. However, when they deployed formations and units from around the globe and reserve forces from continental United States, the non-interoperability of these systems became a major issue.” Edmund adds: “With characteristic thoroughness the US leadership tackled that and many more themes, including what they termed ‘digitization’, and I was clear that the British Army had much ground to catch up.”
In the UK, the British Army ICT capabilities lagged behind those of the Royal Navy and the Royal Air Force. The Cold War deployment of the bulk of UK armoured forces in West Germany had concealed this shortcoming. Edmund says: “Such inadequacies could not continue as the UK sought to adapt its military capability to the new environment. For the British Army, the integration of information and data across the battlespace became a priority. This had to include the management of a legacy of stand-alone Cold War systems. The new capability, the integration of information, data and effects across the battlespace was, and is today, essential for the British Army to fulfil its operational doctrine. The initiative had to involve the whole British Army and constituted a major transformation programme. It also represented unfamiliar territory.”
In transforming its ICT capability, the Army sought advice from external experts in the Ministry of Defence research community, the Defence Evaluation Research Agency (DERA), and industry. Edmund adds: “The emerging thinking proved to be useful in our subsequent development of the Joint Battlespace Digitisation Initiative.”
In 1997 Edmund was appointed Deputy Chief to the Defence Staff (Systems) in the Ministry of Defence. That post held responsibility for the sponsorship of the equipment capabilities of the UK armed forces to 2020, and the underpinning applied research programme. Edmund explains: “It was clear that all future operations would involve all three services, undertaking ‘joint operations’. It followed that the traditional processes of requirements definition, procurement, acceptance into service and through service support should also be joint. For this to be a practical proposition there was a need for a jointly agreed set of principles to guide thinking and to deliver coherence. In this context the UK ‘Joint Doctrine’ provided the approach.”
At the heart of British defence doctrine lay the manoeuvrist approach, a key enabler of which is the concept of information superiority. This approach has been developed in the MoD’s thinking through what was originally termed Network Enabled Capability. Edmund adds: “The exploitation of information and its protection are, therefore, fundamental to the business of the MoD, the armed forces and their commercial partners. This dependence on accurate and timely information throughout the battlespace required that serious consideration should be given to the interoperability of systems and platforms. Since weapons, sensors, platforms and information systems are of different generations, this becomes a major systems integration challenge for programme and project managers.”
As the joint service sponsors, co-ordinators and advocates of the 4 key capability areas, the ‘Systems Area’ (as it was then termed) sought to address the issue of interoperability through planned ‘capability integration’, ensuring that projects and programmes were configured in a fashion that would guide ‘technical integration’ throughout the procurement and in-service/through life support phases. This implied the establishment of an ‘Integration Authority’ within the procurement community, with the authority to mandate interoperability standards.
The outcome was the development by the Systems Area team of four capability areas, comprising all the former projects and programmes. Each of these capability areas was staffed by officers from all three services. Edmund explains: “Systems engineering principles obliged the Systems Area staff to integrate their thinking with the Defence Procurement staffs and with the then Defence Evaluation Research Agency (DERA), which undertook the MoD’s applied and corporate blue skies research programme. This harmonisation of thinking was subsumed by the UK Strategic Defence Review and, within that, the Smart Procurement Review, tasked by the MoD and undertaken by McKinsey’s, with significant input from the Systems Area and Procurement Staffs. Eventually that led to the new acquisition process, integrating processes across the partner communities.”
Joint Battlespace Digitisation Programme
The Joint Battlespace Digitisation Initiative stemmed from the land digitisation thinking and was concurrent with the transformational changes that led to smart procurement. Edmund explains: “Evolving joint doctrine required the effective timely integration of information throughout the battlespace and the ability to present it in an intelligible format to all entitled decision makers. While this integration of information offered a significant increase in the effectiveness of defence assets, it also presented new security risks. Integrating legacy systems implied the integration of their embodied risks. In an increasingly inter-dependent world, this remains a major risk area for government and commercial enterprises.”
In 2000 Edmund was tasked by the Cabinet Office and Director GCHQ to undertake two reviews and to make recommendations: these included recommendations around the arrangements for managing GCHQ new accommodation, now known as the Doughnut, in Cheltenham, and a second review addressing UK national information security. As a result of the reviews, Edmund was tasked to provide strategic advice to the director over the implementation of the recommendations.
Police IT Organisation (PITO)
Edmund was appointed by the Home Secretary, Jack Straw, to be executive chairman of the Police IT Organisation (PITO) in 2001 for a three-year assignment; a period that would see the start of the most significant re-equipment programme in the history of the police service. PITO, which was answerable to the Home Office, provided IT and communication systems and services to the police and other criminal justice organisations within the UK. This included operating and maintaining the Police National Computer, known as PNC.
Edmund says: “The challenge presented several key features. These included the police service customer and user community, which comprised three major constituencies: over 50 independent police forces, including Scotland, Wales and Northern Ireland; 52 police authorities; and the Home Office as the sponsor department. The increasing need for interoperability was facilitated by the deployment of the new Airwave nationwide secure communication system, beginning in 2001. However, the process for migration to an interoperable police information infrastructure lacked support across and within police forces. This was attributable, in part, to frustration over the incoherent approach to requirements definition, procurement, through life support and a lack of pace in meeting urgent operational needs. Major causes lay in the absence of an identifiable central customer to define current and emerging operational requirements and an absence of what I call a doctrine for policing. In sum, there was an absence of strategic governance and a management structure for the efficient and effective delivery of ICT capabilities for policing. Consequently, the police user/customer community and their respective police authorities, were thoroughly dissatisfied with the service that was being provided for them. This state of affairs implied a fundamental review and redesign of the whole process for police ICT requirements definition, procurement and through service support.”
With the intent to accelerate the tempo of delivery of those operational capabilities that would offer the greatest operational and business benefit, while delivering projects on time, meeting performance and the cost criteria, Edmund worked with the Association of Chief Police Officers (ACPO), to develop a doctrine for policing and the appointment of a senior police officer and supporting staff, within PITO, to act as the central customer/sponsor of a coherent, affordable, portfolio of projects and programmes. The team members were duly selected and the project teams were adapted to align with the defined operational capabilities. This provided the underlying approach for the transformation. The result was the delivery of significant police ICT capabilities, introduced in the early years of the millennium, including Airwave (the new secure digital police radio communication system), HOLMES 2 (the Home Office large major enquiry system), the National Automatic Fingerprint Identification System (NAFIS), and software improvements for the Police National Computer.
UK Telecommunication Industry Security Advisory Council
In 2004, as the principal telecommunications companies embarked on major infrastructure investment programmes, Edmund was invited by the Cabinet Office to establish a forum within which the principal Critical National Infrastructures (CNI) telecommunications providers could exchange information and contribute to the development of policy on mutual regional, national and international security issues, in order to provide a high degree of confidence in the reliability, security and the resilience of the UK’s Critical National Infrastructure. This became the Telecoms Industry Security Advisory Council (TISAC).
Edmund says: “This unique joint private/public sector body proved to be an invaluable forum for the discussion of issues of crucial importance to the reliability, security and resilience of UK’s Critical National Infrastructure.”
Information Assurance Advisory Council (IAAC)
In 2007, Edmund was invited to relieve Baroness Neville-Jones as chairman of the Information Assurance Advisory Council (IAAC). A unique not-for-profit organisation, IAAC brings together a community of 600 or so professionals to address information assurance and related challenges and opportunities faced by the information society.
Edmund explains: “It was originally set up in 1999 and since then it has been at the leading edge of many of the developments in IA and cyber security thinking in the UK, maintaining a non-partisan position on matters affecting the way society uses and protects information.” Significantly, IAAC has enabled the creation of an extended ‘Community of Interest’, bringing together academics, government and private sector leaders in order to facilitate the continuous exchange of knowledge, the development of a cyber/information assurance profession and the alignment of what is taught with what is needed; an ongoing challenge for the academic and training communities in consultation with UK employers in the public and private sectors.
IAAC focuses on six key areas including education and research themes such as the implications of cloud and mobile device standards and the need for revision, the issue of identity assurance, organising against cybercrime, addressing the risks and opportunities of social networking and social behaviour, looking at the impact between the citizen and the Internet of Things, and the development of the information assurance and cyber profession.
Edmund adds: “IAAC is an agile organisation and can respond very rapidly to new and emerging threats and opportunities with new thinking. The projects IAAC has undertaken include developing a framework for a young IAAC, now called IAAC Access, for young emerging cyber professionals; an initiative supporting the North West young people’s cyber security safety initiative; and undertaking a cyber security internship pilot scheme for the former Department of Business, Industry and Skills.”
The Burton Report
In 2007/8 three government departments (DWP, HMRC and MOD) incurred major data losses. The Cabinet Office tasked prompt reviews, which were collated into a single Cabinet Office data handling review – the Hannigan Report. Edmund was invited by the Secretary of State for Defence and the Permanent Secretary of the Ministry of Defence in January 2008 to undertake the review of the circumstances that led to the MOD loss of the data and to consider a broader MoD approach to data protection.
The detailed terms of reference for the review and report were to establish the exact circumstances and events that led to the loss by MoD of personal data; to examine the adequacy of the steps taken to prevent any recurrence and of MoD policy, practice and management arrangements in respect of the protection of personal data more generally; to make recommendations; and to report to the MoD’s Permanent Secretary not later than the 30th April 2008.
The Burton Report was published in two parts with an executive summary. The first part set out events leading to the loss of data on 9th January 2008, covering issues relating to the Training, Administration and Financial Management Information System (TAFMIS) and the related policies and procedures. The second part addresses the broader MoD approach to personal data protection.
Edmund says: “I strongly recommend IA and cyber professionals should revise or read them (his 51 recommendations) for the first time if they have not already done so. The Secretary of State and the Defence Board accepted all 51 recommendations and directed that the Board should supervise their implementation.” The full report is available for download on the Ministry of Defence’s website.
Edmund continues: “It’s worth making four major observations in this interview. First, information, knowledge, data and our people are critical enterprise assets to be developed and protected accordingly. However, information risk was not on MoD’s risk register.
Unknown to the user – second point – the lost laptop, which was one of several stolen from parked cars, in clear breach of security regulations, contained some 600,000 personnel records and up to 400,000 records of family and next of kin.
Third point – The database, which was not encrypted, breached most of the principles underpinning the Data Protection Act.
Fourth point, the recommendations fell into four main categories:
- Processes – 31 recommendations;
- People – 11 recommendations;
- training and education – 5; and significantly,
- technology – only 3. I suspect that many people thought that technology was a major issue, it was not.”
Edmund concludes: “The lessons are there for you to see; processes and people were dominant, but training and education, delivering understanding and proper processes, are key. Technology is a neutral issue; education delivers understanding; training shapes behaviours; effective leadership of well-motivated people and careful management of resources, processes and contracts enables information risk to be minimised.”
Main Issues for Cybersecurity Today
Looking at the issues of cybersecurity today, Edmund says: “I believe the UK must concentrate on delivering the objectives set out in the UK Cybersecurity Strategy, which was published in 2016. In particular, concentrating on achieving a real improvement in the coverage and quality of the provision of cybersecurity education and training. Work is in hand to tackle this important issue, but progress since the launch of the first information assurance strategy in 2003 has been disappointingly slow. The tempo must be raised with close attention being applied by the leadership across schools, colleges, universities and enterprises; all are involved.”
Challenges and Issues Related to IT and Security in the Next Five Years
While Edmund believes that prediction is an uncertain business, he envisages “an increasing emphasis and resources being given to addressing ICT and cybersecurity understanding and enhancing skills, both for the benefit of society and to meet the needs of employers across the public and private sectors.” He says: “Legislation and regulation continue to lag technological advances. The gap may narrow, but will continue to be a concern. The ethical issues arising from ICT innovation are not being addressed with sufficient vigour or rigour. The medical profession has tackled emerging ethical issues over recent years. Significantly, the ICT communities must do likewise, seeking good practice and appropriate insights from other disciplines and professions. Users of ICT systems and services are being presented with flawed software. This is unacceptable. Legislation and regulation have addressed this issue in the hardware domain: increasing attention must be given by private sector providers, and by customers to insistence on trustworthy software.
Traditionally, professional institutions have evolved to support the development of professions and to encourage a good proportion of well-motivated young people to join. However, the reality of interdependence across national, international and enterprise boundaries and the dependence of all on the integrity, resilience, availability and assurance of our ICT infrastructures, and the data they carry, obliges nations, enterprises and individuals to treat cybersecurity and resilience as a cross-disciplinary, cross-community issue of vital importance. The professional institutions must develop means of working co-operatively to ensure that technical and ethical issues are identified and resolved jointly.”
Proudest Career Moment
Reflecting on his career, Edmund says: “I think that being allowed to work with teams of well-motivated, highly capable and committed young people who are determined to make a real and enduring difference has been the most memorable and proudest aspect of my whole career.”
Honours and Awards
2013 DL Appointed Deputy Lieutenant County of Cheshire
2008 Doctor of Science (honoris causa) Cranfield University
2017 Doctor of Science (honoris causa) University of Chester
Interviewed by: Elisabetta Mori on the 26th February 2019 at BCS London
Transcribed by: Susan Nicholls
Abstracted by: Lynda Feeley