Cyber Resilient Scotland: strategic framework

Introduction

The Framework

The Strategic Framework for a Cyber Resilient Scotland ("the Framework") will enable the Scottish Government and its partners to achieve the following vision:

Scotland thrives by being a digitally secure and resilient nation

It builds on Scotland's first cyber resilience strategy, Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland, expanding on its achievements and addressing ongoing - and new - challenges.

Four outcomes will underpin this vision, whilst defining the principles and enablers that will guide and maximise delivery. These are as follows.

1. People recognise the cyber risks and are well prepared to manage them

2. Businesses and organisations recognise the cyber risks and are well prepared to manage them

3. Digital public services are secure and cyber resilient

4. National cyber incident response arrangements are effective

The outcomes within the Framework contribute to a number of national outcomes in Scotland's National Performance Framework (NPF). The table in Annex A shows how the Framework contributes to the NPF and how the NPF in turn contributes to the UN's Sustainable Development Goals.

The Framework itself is not time-bound, but a suite of four action plans will run from 2021 until 2023 - the delivery of which will be reviewed on an annual basis, see Annex C.

The UK Government is producing an interim National Cyber Security Strategy in 2021. Scotland's Framework and the UK Government's strategy are mutually supportive. We recognise the importance of an integrated approach but also opportunities for Scotland to lead, innovate and tailor support for communities, organisations and businesses in Scotland. The National Cyber Security Centre (NCSC) provides defence and deterrence against higher-end state threats for the whole of the UK and the Scottish Government works with them to increase active cyber defence activities in Scotland.

Getting the most out of digital technologies

It is hard to imagine life without digital technologies. Almost every aspect of our daily lives depends on the internet, data and devices. Indeed, much of our national infrastructure (such as our transport systems and utilities) relies on technologies and online connectivity.

At least 88% of Scottish households have internet access,^[1] and we find ourselves increasingly using - and being dependent on - digital technologies for work, doing business, learning, shopping and socialising. The COVID-19 pandemic has thrown this dependency into sharp focus. Businesses have moved wholly or partly online, many of us have increased our online financial transactions, and there has been a significant increase in the use of online platforms to connect with friends and family. During the national lockdown, children, young people and students have relied on digital access to continue their education.

Online digital technologies benefit individuals, our families, our communities, organisations, businesses, and society and the economy as a whole. The use of digital online technologies will only increase, becoming an even more critical enabler for our economic, social and cultural growth.

The Scottish Government's Digital Strategy (due for publication in Spring 2021) sets out how digital should be at the heart of everything we do - how we ensure no one is left behind as we move online, deliver economic growth, reform our public services, and prepare our children for the workplaces of the future.

Our forthcoming AI Strategy^[2] will seek to unlock the potential of Artificial Intelligence (AI) and position Scotland as a leader in the development and adoption of trustworthy and accountable artificial intelligence. Achieving this ambition requires that the very innovation, technological developments and infrastructure are secure and resilient to cyber attacks. AI in itself can help to protect networks from increasingly sophisticated cyber attacks. For instance, AI applications can be used in real-time monitoring and analysis of traffic, or use of services, to help identify and respond to potential threats.

As our use of digital technologies increases, and we become ever more dependent on them, it becomes critical that the services we use, our businesses and our country's systems and infrastructure are cyber resilient and "secure by design".

It is important that we see cyber resilience as a critical enabler to our digital ambitions, for digital public services, for digital inclusion, skills development, our business sector, the growth of our Tech sector, as well as meeting our statutory commitments to be a net zero society by 2045.

What we mean by cyber resilience

Cyber resilience is more than making technologies and systems secure. It is about our preparedness to meet cyber risk, and how well equipped we are to withstand, and defend against, manage, recover quickly and learn from cyber incidents. Features of cyber resilience include:

• Knowledge and awareness of risk and threat
• Access to guidance, tools and resources
• Understanding policy and processes
• Learning and skills
• Effective incident management, response and recovery processes.

Figure 1. Cyber resilience in action

Cyber Resilience

• learn from experience
• recognise the risks
• defend against and withstand attacks
• manage and resolve
• recover quickly

The rapidly evolving cyber threat

As the role of digital online technologies in our lives grows, so do the risks.

Cyber threats to our security continue to expand in number and sophistication. Hackers, organised crime and state-sponsored criminals are continually attempting to access personal information, bank accounts, intellectual property, critical national data and to disrupt our public services.

Cyber incidents vary in nature and in degree of impact. As new technologies and their applications develop and are adopted (for example, the Internet of Things (IoT) and AI), new threats will emerge. Responding to these threats in the context of rapid technological change, alongside other societal, economic and political changes, will require us to keep pace, adapt and evolve our systems of response and recovery. Agility and responsiveness are key.

As more people do business online, the payoffs from cyber crime increase, attracting more cyber criminals. From domestic use and businesses, to government and critical national infrastructure, we all face a constant and evolving threat.

It is not a straightforward task to identify specific cyber security risks, because the threats are so diverse and ever evolving. Mitigation can often be outside our direct area of control; for example, in relation to digital products or supply chains that are not secure.

The challenges for domestic users are unlikely to be the same challenges that our largest companies face. But it is clear that trust and confidence in the internet and our digital and online infrastructure are essential for Scotland: for our economy, for our society, and for our national security.

Police Scotland has a duty to protect the people of Scotland in the public, private and virtual space. Its strategy, Keeping people safe in the digital world,^[3] is a key part of our national response to address cyber crime and will contribute to all four outcomes of the Framework.

Most common types of cyber crime

Computer Misuse Offences

• Hacking
• Ransomware
• DDoS attacks

Financial/Economic Offences

• Business email compromise
• Fraudulent transactions and identity fraud
• Online shopping/auction frauds
• Scams
• Blackmail spam

Sexual Offences

Threatening Behaviour/Communications Offences

• Stalking
• Hate crime
• Hoaxes

Source: Police Scotland

Firm foundations - recognising achievements and challenges

In November 2020, the Scottish Government published a progress report on Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland. The report, entitled Firm Foundations,^[4] demonstrates evidence of progress and celebrates a number of successes, including:

• commitment and collaboration of national partners
• strong and productive relationship with the National Cyber Security Centre
• establishment of the National Cyber Resilience Advisory Board
• an increased take up of the NCSC's Active Defence Tools across the public sector
• increased awareness of the cyber threat in the third sector
• substantial developments in our education and lifelong learning system
• establishment of CyberScotland Week - an annual showcase of cyber security awareness raising and services in Scotland
• stimulation and early growth in Scotland's cyber security goods and services industry.

It also identified a number of areas requiring development, including in relation to:

• securing our hundreds of thousands of SMEs
• reaching our tens of thousands of third sector organisations
• further strengthening our skills pipeline, drawing on industry expertise.

The need for agile policy making and response in relation to cyber resilience

The COVID-19 pandemic has demonstrated to us the need for our strategic planning and response to external and unexpected incidents to be agile and adaptable.

The pandemic has led to an acceleration in the scale and speed of digital adoption, including increased reliance on digital technologies to enable home working, learning, shopping and communication. Official statistics for Scotland and the whole of the UK show that:

• At the end of January 2021, 40% of workers in Scotland had worked from home at some point in the previous seven days, with the majority doing so as a result of the COVID-19 pandemic.^[5]
• Between May and June 2020, 87% of parents said a child in their household had been learning at home because of the COVID-19 pandemic, with 44% of parents saying their children aged 16 to 18 had used real-time interactive online learning resources provided by schools (for example, live lessons) compared with 13% for children aged 5 to 10 years.^[6]
• In 2020, the amount spent on online retail sales increased by 46% when compared to 2019 as a whole, the largest annual increase since 2008. All retail sectors reported large increases in the total of online sales in 2020.^[7]

During this time the threat landscape has also changed, with the pandemic providing new opportunities for cyber criminals. According to EUROPOL data:^[8]

• COVID-19 has led to an increase in vulnerabilities - what they term "the attack surface" - as the fast shift to remote working means some companies have relaxed their IT security policies, with some responsibility being transferred to the users, where varying levels of training have created a new security gap.
• Fake items claiming to help prevent or cure COVID-19 have emerged on the Internet.
• A number of phishing campaigns have taken advantage of COVID-19.
• The volume of online child sexual abuse material and the livestreaming of child sexual imagery, and self-generated child sexual imagery, has increased, exacerbated by the COVID-19 restrictions.
• Business e-mail compromise has increased across most EU Member States as a result of COVID-19.

Scotland, like other countries, has had to respond rapidly to these difficult and unexpected circumstances and the need to be digitally secure has been a critical component to the COVID-19 response. Cyber resilience has been a key underpinning factor to ensure Scotland is able to develop secure smart digital solutions to meet the needs of the situation in the immediate and longer-terms.