Taking Stock: report on progress towards a cyber resilient Scotland

Section 1: Forewords

The Strategic Framework for a Cyber Resilient Scotland was published in February 2021, during a period of significant disruption. The global pandemic accelerated Scotland’s transition to a digital economy and society, transforming the way we work, learn, shop, socialise and use public services. The possibilities of digital technologies will continue to shape how we live, and how the public and private sectors operate.

Interconnectivity has great benefits, but it can also make us, our communities, our businesses and institutions vulnerable.

We continue to see an increase in cyber risk to our organisations, businesses and personal security. Threats such as ransomware, online fraud, data theft and disruptive attacks are growing in sophistication and frequency. Hostile state actors and cyber criminals target our critical national infrastructure, our public services, our businesses, and scientific research. The borderless nature of cyberspace increases the risk and complicates our response. The Scottish Government takes the growing risk seriously, and works closely with the UK Government, the National Cyber Security Centre (NCSC), Police Scotland and many others, to put in place appropriate mitigations.

The Scottish Government’s priority has been on helping to build the public sector’s capacity to withstand and manage cyber risk, and I am reassured that we are beginning to see improvements. We have also been endeavouring to protect individuals, especially the most vulnerable in our communities, and to equip them to stay safer and more secure online. At the same time, we have been working to grow a more diverse cyber security skills pipeline to meet the skills gap that Scotland shares with the rest of the world, and we are gaining international recognition for our advances in this area.

Now that the worst of the pandemic is behind us, it is time to take stock of our work to date. I am pleased to present this report, which recognises what has been achieved in Scotland, but which also identifies the risks, opportunities and gaps in our current approach, as well as setting out our future priorities.

I want to thank all the partners involved in getting us to where we are today, and I look forward to continuing our work alongside all stakeholders to build a more secure, resilient and prosperous Scotland.

Angela Constance, MSP

Cabinet Secretary for Justice and Home Affairs

The Strategic Framework sets out the approach Scotland is taking to create a digitally secure and resilient nation and is deliberately broad reflecting Scotland’s ambitions.

We recognise that we live in turbulent times and as we embrace new technology and rely on interconnected technology – both for public services and for our own personal use – the attack surface is changing and expanding, offering threat actors such as criminals and hostile states an increased opportunity to attack us for disruption or monetary gain. It is vital that we are prepared as a nation to deal with the threat and to be resilient to it.

This report shows how far we have come since the Framework was launched; but this is not the time to be complacent, rather, we need to be ambitious. Our adversaries are better funded and better resourced than we are - they are agile and can embrace technology and tools much quicker and they can change attack direction as new opportunities arise. If we do not continue to invest in being cyber resilience, we will fall behind and this will adversely impact our citizens and our businesses.

We recognise this is not something which can be done by government alone, nor indeed Scotland alone. We rely on our partnerships across the UK nations and build upon what has already been achieved.

There are three key areas where I feel we need a step change in delivery:

Skills – the report highlights progress, which is really encouraging, but the pace of change and the numbers delivered are insufficient for the vacancies across the public and private sectors. Employers have highlighted that candidates lack the skills for vacancies which they cannot fill. We must do more to ensure that Scotland gives students from all backgrounds the opportunity not only to learn cyber security, but to know about the substantial number of cyber security career opportunities open to them. Also, we need to take the opportunity to upskill and retrain specific groups in cyber security, such as our veterans who may be able to plug the vacancy gaps in cyber.

When considering cyber careers in public sector bodies such as Police Scotland and local authorities, the public sector cannot compete with private sector salaries. We need to develop ways to share resources across sectors which enable the public sector to mature and protect our citizens. And we need innovative technology to deal with the volume of data allowing skilled resource to make quicker evidence-based decisions. This is the second step change I would like to see happen.

We rely on our partnerships and collaboration across the UK, our work with the public and private sectors to raise awareness of the cyber threat and our work to deliver skills for old and young. Our investment to help small businesses, part of the lifeblood of our economy, improve their cyber defence is key to economic growth. I am also enthused by Scottish Ministers’ decision to establish the Scottish Cyber Coordination Centre (SC3). The successful delivery of a fully operational SC3 is the third priority which will require sustained investment if we are to truly improve our abilities to manage and response to cyber incidents.

This is a whole team game, and as Chair of the National Resilience Advisory Board, I can confirm that my Board is committed to working with Ministers, officials and our strategic partners to deliver against each of the programmes of work to build a safe, secure and resilient future for Scotland.

Maggie Titmuss, MBE

Chair of the National Cyber Resilience Advisory Board