Taking Stock: report on progress towards a cyber resilient Scotland

Section 2: Executive Summary

Introduction and context

Since 2015, steps have been taken to defend Scotland against cyber threats, and to further develop Scotland’s cyber security posture.

Scotland’s first strategy, Safe, Secure and Prosperous was published in November 2015 and laid the groundwork for Scotland to become more cyber resilient. The Scottish Government (SG) reflected on this strategy in its progress report Firm Foundations, published in November 2020.

In February 2021, SG published its second cyber resilience strategy The Strategic Framework for a Cyber Resilient Scotland (the Strategy). The Strategy sets out the vision of Scotland thriving as a digitally resilient, safe and secure nation. It outlines four outcomes in response to evolving threats, emerging opportunities, and the need for collaborative action.

The Strategy has four Action Plans (Public Sector, Private Sector, Third Sector, and Learning and Skills) which set out the priorities for both government and partners. As the Strategy was designed to be responsive to changing needs, priorities can be added or adapted, so that its focus can shift according to the current cyber threat and political, economic and societal pressures.

The Strategy is aligned to the UK Cyber Strategy, which outlines pillars for the four nations to improve cyber security, with Scotland’s primary contribution focused on the Cyber Ecosystem and Cyber Resilience pillars.

This report, Taking Stock, is a review of the impact of our strategic activities since 2015, and sets out our priorities for the future.

The scale of the threat

The global landscape has changed substantially since the Strategy was published in 2021. The COVID-19 pandemic forced the people of Scotland, businesses and organisations to work, learn, socialise and trade online. While Scotland's online participation has many benefits, it also exposes us to an evolving threat landscape.

There has been a rise in the number and sophistication of cyber threats. Threat actors take advantage of our dependency on Internet-connected technologies in order for them to conduct malicious activities. Policing is also facing growing challenges to keep pace with the cyber criminals. Investigating, mitigating and countering cyber crime can be complex and resource-intensive, made more difficult by the borderless nature of cyber crime.

Cyber security workforce shortages continue to be a pressing challenge for governments, businesses and organisations, both in Scotland and internationally.

Global tensions are ever present, and we must be alert to protecting our population, our national interests and our prosperity, particularly during periods of uncertainty.

Progress and priorities going forward

Effective leadership and partnership

Key achievements:

• The Scottish Government has demonstrated leadership by engendering collaboration and coordination of cyber resilience activity between stakeholders and partners.
• Partnerships across sectors in Scotland, alongside the UK Government and the National Cyber Security Centre (NCSC), have enhanced Scotland’s ability to protect ourselves from cyber crime and respond more effectively to emerging threats.
• The establishment of two flagship entities: the CyberScotland Partnership (CSP) and the Scottish Cyber Coordination Centre (SC3).
• The CSP (a collaboration of national agencies and representative bodies) is helping to coordinate and augment cyber messaging across Scotland and is growing in strength with structured communications and events planning. The CSP is a single source of information and guidance via the CyberScotland portal and bulletins.
• The SC3 is in its infancy but is positioned to become the central coordination function for improved intelligence sharing, early warning and incident coordination in Scotland with strong connections into the NCSC and the UK Government’s Cyber Coordination Centre, which is also in development.
• The National Cyber Resilience Advisory Board continues to provide strategic advice and challenge to Scottish Ministers.

Looking ahead - key priorities:

• The Scottish Government, in collaboration with its partners across sectors, UK and beyond, will continue to take a leadership role to advance cyber resilience in Scotland.
• Partnership-working will be central to achieving our ambitions. National stakeholders will collaborate through the pro-active CyberScotland Partnership (CSP).
• The SC3 will be appropriately led, governed and resourced to be able to more effectively share intelligence, respond to evolving threats and help defend critical systems.

An innovative and joined-up cyber ecosystem

Key achievements:

• The Scottish Government’s leadership has helped to build Scotland's cyber security sector, but we continue to face challenges in meeting the growing demands for cyber talent in Scotland.
• Increased awareness of cyber threats among the general population with people’s cyber hygiene is broadly improving.
• The CSP is committed to building cyber resilience with its audiences, communities and networks.
• The skills pipeline is strengthening, with an increase in the offer of cyber security qualifications at all educational levels and in vocational training.
• General cyber resilience learning is now embedded in the 3-18 school curriculum with early evidence of effective learning and teaching taking place in an increasing number of schools.
• Many youth engagement organisations are running successful tailored campaigns from which we are beginning to see increased awareness of online risks amongst our younger population.
• Specific support and guidance is reaching Scotland’s SMEs.
• Growth in Scotland’s cyber security products and services industry is at a rate similar to that across the rest of the UK.
• Targeted work with older people and people with additional language and other barriers is beginning to help to build cyber confidence.

Looking ahead - key priorities:

• Continue to increase the reach and uptake of advice and guidance amongst the general public, businesses and organisations, through a range of means and measures.
• Focus on improving online protective behaviours of the general public in line with Cyber Aware messaging, with additional effort on raising the cyber resilience of young people and older people, and to reach people who need information to be presented in alternative or accessible formats.
• Encourage the reporting of cyber incidents to Police Scotland.
• Continue to increase cyber security skills and grow the talent pipeline to meet the increasing demand for cyber security jobs, and to enhance innovation and research.
• Increase diversity within the cyber security workforce.
• Supporting the roll out of professional cyber security standards in cyber security roles.
• Support the growth of the Scottish cyber security products and services industry.
• Promote the adoption of relevant cyber security standards of Managed IT Service Providers and encourage them to be clear on the extent of the cyber security support they offer.
• Encourage and support private and third sector organisations to increase their cyber resilience maturity through improved understanding of cyber risks and threat/intelligence sharing, adopting cyber resilience best practice measures including incident response planning and exercising.
• Build momentum in the adoption of Cyber Essentials in Scotland.
• Embed cyber risk into organisations’ board and senior management structures.

A maturing public sector

Key achievements:

• Scotland’s public sector organisations are becoming better prepared against the cyber threat, although there is much more to do.
• Increasing numbers of public bodies are reporting that their workforces, senior management, and board members are undertaking cyber security training. While most organisations now have an incident response plan in place, there is a need for them to regularly exercise and test their plans.
• Scotland’s national cyber incident response arrangements are in place and are regularly exercised.

Looking ahead – key priorities:

• The public sector continues to build its cyber capability, particularly around incident response, exercising, cyber awareness training for board members, threat/intelligence sharing and independent cyber assurance.
• Focus more national support on those public bodies where cyber incidents could be catastrophic.
• Maintain and reinforce our national cyber incident response and intelligence sharing arrangements through the evolution of the Scottish Cyber Coordination Centre.
• Support cyber security professional development across the public sector.
• Increase general cyber resilience awareness amongst the public sector workforce.

Conclusion

Scotland continues to be confronted by the challenges of an increasingly complex cyber threat environment. Cyber crime, online fraud and ransomware are increasing in volume and complexity. The evolution and use of advanced technologies such as Artificial Intelligence will only add to these challenges.

Scotland’s aim for security and prosperity in the digital age relies on leadership as well as partnership with local government and the public, private, and third sectors. The next iteration of the public, private and third sectors and learning and skills actions plans, due to be published in the autumn of 2023, will provide direction for us to achieve this.

Scotland must remain agile to the ever-evolving cyber threat. The Scottish Government will continue to protect against threats that target Scotland, working closely with the UK Government and the NCSC as well as it vital partners.