Cyber resilience: public sector action plan 2017-2018

Introduction and Background

10. Safe, secure and prosperous: a cyber resilience strategy for Scotland ^[2] , was published in 2015. It set out the Scottish Government's vision for Cyber Resilience in Scotland:

Scotland can be a world leader in cyber resilience and be a nation that can claim, by 2020, to have achieved the following outcomes:

(i) Our people are informed and prepared to make the most of digital technologies safely.

(ii) Our businesses and organisations recognise the risks in the digital world and are well prepared to manage them.

(iii) We have confidence in, and trust, our digital public services.

(iv) We have a growing and renowned cyber resilience research community.

(v) We have a global reputation for being a secure place to live and learn, and to set up and invest in business.

(vi) We have an innovative cyber security goods and services industry that can help meet global demand.

These outcomes are interdependent – progress towards one may underpin or drive progress towards others.

11. "Safe, secure and prosperous" is closely aligned with the UK National Cyber Security Strategy ^[3] , which sets out the UK Government's strategic approach to making the UK secure and resilient in cyberspace. Cyber security is a reserved matter, but it has strong implications for the delivery and resilience of devolved services – as such, the Scottish Government works closely with key partners such as the UK National Cyber Security Centre to ensure appropriate alignment between work on cyber resilience at the UK and Scottish levels.

12. This action plan has been developed in partnership by the Scottish Government and the National Cyber Resilience Leaders' Board ( NCRLB). It sets out the action the Scottish Government intends to take, working closely with the NCRLB and its partners in the wider Scottish public sector, in order to make progress during 2017-18 towards outcome (iii) above:

We have confidence in, and trust, our digital public services.

This outcome aligns closely with the outcome set out in Scotland's Serious Organised Crime Strategy ^[4] for Scotland's public sector organisations to protect themselves from cyber threats.

13. The immediate focus of the action plan is on Scotland's public bodies ^[5] – timelines and monitoring requirements will apply to them as set out under the key actions in this document. The Scottish Government will also seek to work constructively with areas such as local government and the universities and colleges sector, in order to align action on cyber resilience across the wider public sector wherever possible, and facilitate the spread of good practice.

14. Work is also being taken forward by the Scottish Government, the NCRLB, and partners in the private and third sectors to make progress towards our strategic outcomes. The NCRLB is of the view that providing strong leadership on cyber resilience in the public sector will assist in raising awareness and activity in the private and third sectors. Every effort will be made to align the approach taken in the public sector with the approach taken in the private and third sectors.

15. This action plan will form part of wider work on improving the overall security and resilience of Scotland's public sector, including in respect of Critical Infrastructure. While a specific focus on cyber resilience is appropriate at this stage in view of the urgency of the cyber threat, our intention is that the actions set out in this plan should in due course form an integral part of coherent wider security and resilience arrangements, including in respect of physical and personnel security – both of which are key to cyber resilience.

16. While the focus of this action plan is on cyber resilience, the actions set out in this plan will also help ensure that Scottish public bodies are meeting key requirements in respect of protecting personal data, which will be strengthened by the General Data Protection Regulation ( GDPR) ^[6] from May 2018. The Information Commissioner has, for example, noted publicly that achieving Cyber Essentials accreditation can assist with preparing for GDPR. Public bodies should consider how work on cyber resilience aligns with their wider work on GDPR compliance.

The importance of cyber resilience to Scotland's public bodies

17. "Cyber resilience" means being able to prepare for, withstand, and rapidly recover and learn from deliberate attacks (or accidental events) that have a disruptive effect on interconnected technologies. Cyber security is a key element of being resilient, but cyber resilient people and organisations recognise that being safe online goes far beyond just technical measures. By building understanding of cyber risks and threats, they are able to take the appropriate measures to stay safe and get the most from being online.

18. The importance of ensuring cyber resilience in Scotland's public bodies has never been greater, because of:

(i) The scale and nature of the cyber threat, and the risks it presents to our ambitions for Scotland's digital public services and our overall security and resilience: Scotland's refreshed digital strategy ^[7] makes clear that digital connectivity offers huge opportunities to redefine the relationship between Scottish public bodies and the people they serve. The Scottish Government is committed to establishing all new government organisations as digital businesses, designed around the needs of their users, in order to benefit from these new technologies. But with these opportunities come new threats and vulnerabilities. If we are to realise the enormous opportunities technology offers to our citizens, businesses, and public services, we must develop our understanding of the new risks the digital environment presents – and respond in an effective, coherent and proportionate way across all of Scotland's public bodies.

The global cyber-attack on 12 May 2017, which affected more than 150 countries worldwide and had an impact on some areas of the NHS in Scotland and England, underlined the potential seriousness of the cyber threat. The NCSC assesses that the number and severity of cyber incidents affecting public (and private) sector organisations will continue to increase. These threats come from a variety of sources, including hostile state actors, cyber criminals, political activists and others.

(ii) Forthcoming legislative changes and their potential legal, financial and reputational impact: The new General Data Protection Regulation ( GDPR) and the Security of Network and Information Systems ( NIS) Directive both come into force in May 2018, and place new duties on public (and private and third) sector organisations to ensure the protection of personal data, and the continuity of essential services reliant on network and information systems, and to report cyber security breaches. Public sector organisations could face significantly increased administrative fines of up to €20 million for data breaches and/or cyber security failures leading to service failure. The UK Government has indicated its intention to implement GDPR and the NIS Directive in full.

(iii) Economic opportunity: There is a significant opportunity for Scotland to leverage work on cyber resilience in the public, private and third sectors to promote economic growth. The Scottish Government's goal is to ensure that the demand created by an enhanced focus on cyber resilience, along with the wider reputational benefits of ensuring cyber resilient organisations, results in the growth of a world-leading cyber security goods and services sector in Scotland, with benefits for inward investment and exporting.

19. Scottish Ministers have made clear their expectation that Scottish public bodies will play a leadership role in driving forward higher standards of cyber resilience in Scotland. Whether provided by central or local government, executive agencies, non-departmental public bodies ( NDPBs), emergency services, NHSScotland, our education sector, or other public bodies, it is crucial that our citizens, businesses and organisations have confidence in, and can trust digital public services.

20. The NCRLB has articulated its view that, in time, cyber resilience should be "baked into" Scottish public sector processes and infrastructure. It emphasises that cyber resilience is as much a cultural issue as a technical one. They view it as vital that Scotland's public bodies understand and manage the cyber threat at Board/Senior Management level, and take action to promote a culture of cyber security at all levels of the organisation. Coherent action is required across organisations in both the technical and personnel domains to ensure a genuinely effective response to the cyber threat.

Current levels of cyber resilience in Scotland's public sector

21. A strong strategic framework for action across all sectors already exists in the form of Scotland's Cyber Resilience Strategy ("Safe, Secure and Prosperous"). In the public sector, many bodies are already taking forward work to improve their cyber resilience, with reference to a range of existing standards, guidelines and controls. These include:

• The Public Service Network ( PSN) Connection Obligations
• The Public Service Network in Policing ( PSNP) Obligations
• The NHS Security Policy Framework (aligned to ISO 27001 and the SANS Top 20 critical controls)
• The UK Government Security Policy Framework
• Cyber Essentials (Plus)
• The 10 Steps to Cyber Securitys
• ISO 27001
• Payment Card Industry Data Security Standard ( PCIDSS) accreditation

22. The overall picture of cyber resilience across the Scottish public sector remains unclear, partly as a result of a complex and confusing landscape of different standards and guidelines that public bodies are operating to.

23. Important work is underway to improve our understanding of the picture in respect of Critical National Infrastructure in the Government Sector. Work to develop this action plan has also provided further assurance that many Scottish public sector organisations have a range of robust measures in place to protect against cyber risks. It is clear that some public bodies have complex IT infrastructures that include legacy systems, and an effective approach to managing the risk presented by these arrangements is required. Given the pace of technological development in this area, it is important that Scottish public bodies are monitoring, and can respond to, future cyber threats, including in areas such as the Internet of Things (IoT).

24. There is currently a lack of guidance making clear the minimum standards of cyber resilience that all Scottish public bodies should strive for. Nor is there any well-defined monitoring and reporting framework to allow Scottish Ministers, the NCRLB and the Scottish Parliament to secure a clear picture of cyber resilience across the Scottish public sector. Unless we address this, measuring progress and providing assurance to citizens and businesses will be challenging, with the potential for knock-on consequences for our public services and our digital economy.

The goals of this action plan

25. This action plan aims to ensure that:

• Scottish public bodies work to become exemplars in respect of cyber resilience, and play a leadership role in driving higher standards of cyber resilience in Scotland and further afield.
• A common, effective, risk-based approach to cyber resilience is in place across all Scottish public bodies, providing appropriate assurance to Ministers, Parliament, and the public.
• The public sector sends strong messages to the private and third sectors about the importance of cyber resilience, and supports the economic opportunity that work on cyber resilience brings.