Taking Stock: report on progress towards a cyber resilient Scotland

Our vision is for Scotland to be a cyber resilient nation. This report reviews strategic activities since 2015 to improve the cyber resilience of Scotland’s citizens and our public, private and third sectors, while also setting out priorities for the future.


Section 3: Introduction

This report considers how Scotland is progressing in its cyber resilience maturity. It details how the implementation of the Scottish Government’s (SG) cyber resilience policy has contributed to improving the cyber resilience of Scotland’s citizens, organisations and businesses.

The findings in this report will help inform the direction of SG’s priorities going forward as we continue in our collective work to realise our vision of Scotland thriving as a digitally safe and secure nation.

Cyber resilience

  • recognise the risks
  • defend against and withstand attacks
  • manage and resolve
  • recover quickly
  • learn from experience

Cyber resilience goes beyond simply making technologies and systems secure. It also incorporates an understanding of the cyber threat, the acquisition of skills to become prepared to withstand and manage threats, as well as the ability to recover quickly and learn from cyber incidents.

Scale of the cyber threat

The financial costs of cyber crime are difficult to calculate, as they can include the financial loss to victims, reputational damage and the costs of responding to and recovering from an incident. Cyber crime is estimated to cost the UK billions of pounds each year[1].

In 2022-23, Police Scotland recorded 14,890 cyber crimes.[2] This number has been broadly stable over the past 3 years but represents a significant increase from the estimated 7,710 cyber crimes recorded in 2019-20. Part of the increase may be due to the COVID-19 pandemic, increased digital adoption and wider public awareness of how to report cyber crime. In 2022-23, an estimated 5% of all recorded crime was cyber crime and 51% of all fraud was cyber fraud. Cyber crime is underreported, so the actual numbers could be much higher.

The compromise of the supply chain and ransomware are currently two of the biggest threats to organisations and businesses. Ransomware was classified as a tier 1 national security threat in 2023[3] and the UK was the third most impacted country (after the United States and Canada) in terms of the number of organisations that experienced a ransomware incident in 2022[4].

Although ransomware has evolved in both sophistication and complexity, and is a significant business disruptor, most incidents do not involve specific targeting. Instead, they are part of automated, opportunistic campaigns with cyber criminals taking interest only when they identify vulnerabilities in an organisation’s defences.

In recent years, a business model known as Ransomware as a Service (RaaS) has emerged. Ransomware operators create and sell ransomware to affiliates who launch the attacks. This lowers the barriers to entry for actors who wish to carry out ransomware attacks but lack the technical capability to develop the malware themselves.[5]

Scotland has been affected by several ransomware incidents in recent years, including those faced by the Scottish Environment Protection Agency (December 2020), Scottish Association for Mental Health (March 2022), the NHS supplier One Advanced (August 2022) and Royal Mail (January 2023).

One of the most prolific ransomware gangs, Conti (which claimed responsibility for the Scottish Environment Protection Agency (SEPA) cyber incident in December 2020), has caused breaches in over 600 organisations worldwide since its emergence in late 2020. The growth in its payment requests, from an initial $118 thousand in 2020 to an average of $1.78 million during 2021, reflects its growing capacity and activity.[6]

The ransom is only part of the total cost to organisations. They may also lose intellectual property and data, experience reputational harm, and suffer costs associated with lost productivity as a result of having to restore and rebuild their systems and replace devices.

Supply chain attacks are another major threat to Scotland’s organisations. Most organisations rely on suppliers to deliver products, systems and services. However, supply chains can be large and complex. Securing the supply chain can be difficult because vulnerabilities can be inherent or introduced and exploited at any point in the supply chain.

Threat to political stability and democracy

Threat actors continue to seek to destabilise democratic processes for political purposes through a number of means. These include disinformation campaigns, disruption of online services and theft of sensitive information. The threat can become particularly heightened during election periods.

For example, in November 2022 the European Parliament’s websites were disabled by a Distributed Denial of Service (DDoS) attack, just a few hours after the resolution expressing support for Ukraine was passed. In 2021, ransomware was used to elicit support for protesting farmers in India. In this case, the victims were told they could recover their encrypted data only after the farmers’ political demands were met.

Government Ministers are advised not to use private email accounts to do government business; however, their private accounts are targeted as they are likely to be less secure than their corporate/official accounts. Gaining access to these private accounts can also make it easier for hackers to access official accounts and systems. As our electoral processes become progressively more digitised, there are increasing security considerations for those planning, and those running for, election. The Scottish Government and the NCSC continue to work closely with the Scottish Parliament to ensure that appropriate cyber mitigation measures are in place.

Scotland’s Cyber Resilience Policy

National action to improve cyber resilience in Scotland was first formalised by Scottish Ministers in 2015 with the publication of Scotland’s first cyber resilience strategy: Safe, secure and prosperous: a cyber resilience strategy for Scotland. It put in place many of the building blocks to strengthen Scotland’s ability to prepare for, withstand and recover from cyber attacks.

  • November 2015: Safe, Secure and Prosperous: A Cyber Resilience Strategy
  • November 2020: Firm Foundations Progress Report
  • February 2021: The Strategic Framework for a Cyber Resilient Scotland
  • October 2023: A Cyber Resilient Scotland: Taking Stock

When Scotland’s second strategy, The Strategic Framework for a Cyber Resilient Scotland, was published in February 2021, Scotland faced many new and unexpected challenges including the severe disruption of the COVID-19 pandemic, the rapid shift to digital technologies and the Internet, and increased geo-political tensions.

Within this complex and ever-shifting landscape, cyber resilience clearly emerged as a critical enabler to ensure that people, businesses and organisations benefitted fully from digital and online services and solutions.

Our strategic approach aligns closely with the objectives in The National Cyber Strategy, published by the UK Government in December 2021. It also aligns with the Scottish Government’s Digital Strategy and Building Resilient Communities, and delivers on the National Performance Framework.

Our Vision

Scotland thrives by being a digitally secure and resilient nation

Outcomes to achieve our vision

  • People recognise the cyber risks and are well prepared to manage them
  • Business and organisations recognise the cyber risks and are well prepared to manage them
  • Digital public services are secure and cyber resilient
  • National cyber incident response arrangements are effective

Cross-cutting enablers

  • Knowledge of risk and threat
  • Tools, processes, standards, regulations and compliance
  • Learning and skills
  • Incident management, response and recovery
  • Access to cyber security technical expertise
  • Research and innovation

Principles for delivery

  • An inclusive and ethical approach
  • Whole-of-government approach
  • Strong leadership and good governance
  • Productive and collaborative partnerships
  • Effective communication
  • Adaptive and agile programme management
  • Robust evidence of impact

Delivery model

With our partners we will implement Action Plans for:

  • the Public Sector
  • the Private Sector
  • the Third Sector
  • Learning and Skills (including awareness raising)

Improving cyber resilience through strong governance and partnership

Governance

The Scottish Government’s Cyber Resilience Unit (SG CRU) is responsible for leading on the development, implementation and reporting on the impact of cyber resilience policy in Scotland. The National Cyber Resilience Advisory Board brings together leaders and influencers from across the private, public and third sectors to provide strategic advice, challenge and support to Scottish Ministers.

The SG CRU connects our work with that of the UK Government’s Cyber Strategy, inputting evidence into the UK Government’s cyber performance framework.

Partnership

The cyber threat to Scotland cannot be addressed by government alone. The SG CRU has led on forming a successful and pro-active partnership to drive forward cyber communication campaigns and deliver Cyber Scotland Week, reaching diverse audiences and communities across sectors in a coordinated and coherent way.

The CyberScotland Partnership (CSP) members include CENSIS, College Development Network, Cyber and Fraud Centre Scotland, Education Scotland, Highlands and Islands Enterprise, IASME Consortium, LEAD Scotland, NCSC, Police Scotland, ScotlandIS, Scottish Council of Voluntary Organisations (SCVO), Scottish Enterprise, Scottish Government, Scottish Social Services Council (SSSC), Skills Development Scotland (SDS), UK Cyber Security Council, YoungScot and YouthLink Scotland.

During CyberScotland Week 2023, 133 events took place across the country, raising awareness of the cyber threat, encouraging networking and promoting cyber security learning opportunities and careers.

Improving Scotland’s ability to share intelligence and respond to incidents

In 2022, Scottish Government’s Covid Recovery Strategy stated the need for a recognised, authoritative and collaborative central function to combat the accelerating cyber threat to Scotland.

The Scottish Cyber Coordination Centre (SC3) has been set up to pool expertise from partner organisations and centres of cyber security expertise (Police Scotland, NHS National Services Scotland, HEFESTIS, the Scottish Government, the Cyber and Fraud Centre Scotland, the Digital Office and the NCSC) to improve sharing of intelligence and response to risks. In its early stages, it will focus on intelligence collection and sharing, early warning notification and incident management coordination.

The Scottish Cyber Coordination Centre is a significant leap forward for Scotland and will raise our capabilities and capacity to tackle the threat, risk and harm that cyber incidents pose and cause. It is an integral part of our multiyear national strategy to build a cyber resilient Scotland.

David Ferbrache, OBE

Former Chair of the National Cyber Resilience Advisory Board

SC3 - Key functions

  • Exercising
  • Comms and engagement
  • Cyber Assurance
  • Threat intelligence
  • Incident response

Measuring impact

The Strategy has four outcomes that contribute to a cyber resilient Scotland. Progress towards these outcomes is measured through a range of national data indicators, summarised in Table 1.

Table 1: Measuring progress of The Framework against national indicators

Strategic Framework Outcome: People recognise the cyber risks and are well prepared to manage them

  • Data indicators: Percentage of adults taking various security measures online; percentage of adults being confident in pursuing a number of online activities securely
    Sources: Scottish Household Survey
  • Data indicators: Young people's cyber security behaviours and knowledge
    Sources: Young People in Scotland Survey; Young Scot DigiKnow social media campaign
  • Data indicators: Older people's cyber security behaviours and knowledge
    Sources: DigiKen TV adverts; Scotpulse surveys
  • Data indicators: Number of young people taking part in cyber security learning and skills programmes at schools, colleges and universities
    Sources: Higher Education Statistics Authority (HESA); SQA statistics

Strategic Framework Outcome: Digital public services are secure and cyber resilient

  • Data indicators: Public sector bodies incorporating cyber security measures; adoption of ACD measures; participation in Cyber Essentials and Exercise in a Box training; cyber incidents reported under the Notification Policy; use of SG’s Cyber Security Procurement Support Tool
    Sources: Annual Public Sector Cyber Assurance Survey; IASME statistics; NCSC ACD stats; SG CRU stats

The data indicators come from a range of sources including the annual Scottish Public Sector Cyber Survey, the UK Cyber Breaches Survey and the Scottish Household Survey. In most cases we are identifying correlation between the implementation of the Action Plans and positive change in these indicators, but we cannot claim causality. However, in the case of the Scottish Public Sector Cyber Assurance Survey, we are better able to identify a link between national support and impact.

The remainder of this report draws out evidence of progress in five key areas: Scotland’s people, public sector, third sector, private sector, and its cyber security industry and skills pipeline.

Contact

Email: CyberResilience@gov.scot
