Cyber resilience economic opportunity: key actions 2018-2021
The Cyber Resilience Economic Opportunity action plan sets out the key practical steps we and our partners will take to grow Scotland’s cyber security industry.
7.1 This plan sets out the actions that the Scottish Government and its key partners will take in support of the plan's objectives through to 2021. Where there are strong links with, or dependencies on, other action plans this is made clear in the text.
7.2 This plan is focused on creating the right conditions to support supply-side cluster growth. As the cluster (and its surrounding ecosystem) evolves, so the actions required to support growth may change. Therefore, we will regularly review the actions through a process of monitoring and evaluation.
7.3 In developing this action plan, the Scottish Government and NCRLB have sought the views of various stakeholders, including Scotland's enterprise and skills agencies, academia, and Scottish industry. These partners will play a vital role in implementation and delivery of the action plan, and the Scottish Government and the NCRLB will ensure that arrangements are put in place for appropriate ownership, collaboration and delivery of activity.
7.4 The Scottish Government is clear that while it can work with partners to create the right conditions to help our Scottish cyber security cluster to thrive, achieving growth in this area will ultimately require leadership, commitment, ownership and resource from the Scottish cluster itself.
7.5 The actions are grouped under the five key objectives, A – E.
Objective A: Develop the right market conditions to encourage and support the continued emergence of the cyber security business community in Scotland.
The Scottish Government, through an ongoing commitment to all five cyber action plans, will continue to clearly state and demonstrate its ambition to make Scotland a world-leading nation in cyber resilience, sending strong long-term demand signals to the supply-side that they can be confident in their own expansion. The Scottish Government will play a key role in proactively engaging in, and influencing policy development at Scottish, UK and EU levels to ensure there is an effective voice representing Scottish cyber security companies and interests. This includes engaging with the UK Government as it develops a royal charter body to support professionalisation and collaboration across the UK. This activity will be ongoing.
Scottish Ministers have signalled their desire to make Scotland a world-leading nation in cyber resilience (demonstrated by the formation of the Scottish Government's Cyber Resilience Unit, the NCRLB and the publication of the five cyber action plans). The Scottish Government believes that being a world-leading nation means more than adopting high standards and best practice: it also involves encouraging and supporting supply-side businesses to grow in number, scale and turnover, and to help create the right conditions for a cyber resilient Scotland. The NCRLB believes it is essential to Scotland's cyber cluster that these signals continue to be communicated over the long-term to create and ingrain a stable and informed landscape for supply-side investment decisions.
It is expected that the cyber action plans for the public, private and third sectors will have the effect of building demand for cyber goods and services in Scotland. The public sector action plan anticipates the introduction of appropriate, proportionate standards of cyber resilience for those bidding for support or contracts with the public sector. It also creates a cadre of public sector organisations ('cyber catalysts') who will work together to identify opportunities for the adoption of innovative approaches to cyber resilience, potentially adding to new local demand for cyber-related goods and services.
The Scottish Government will work in partnership with Scottish Enterprise, Highlands and Islands Enterprise and other key partners to encourage the ongoing development of innovative solutions to public and private sector challenges relating to cyber resilience. This will include launching calls to industry through mechanisms such as CivTech, CAN DO, or Open Innovation Challenges. The first challenge will be launched in 2018.
Where an emerging market is reliant on the early pull of the public sector, it is vital that supply-side companies (both actual and potential) can see evidence of demand for innovation. This is often facilitated through procurement contracts (and this should continue where appropriate) but it is more successful in acting as a stimulant where 'funded innovation call' mechanisms are used. CivTech is an example of an initiative available for the public sector, and newer, larger-scale mechanisms such as the "CAN DO" initiative could also be considered in this context. Where innovative elements can be readily separated from incumbent IT contracts, such funded innovation calls will be used by the Scottish public sector.
The Scottish Government will work in partnership with Scotland's academic institutions to encourage growth in world-leading research, innovation and skills to stimulate market needs and create economic impact. This activity will be ongoing.
As an integral part of the cyber cluster, it is vital that academia is encouraged to innovate through collaboration with partner organisations, investors and industry. This will ensure our educational institutions create, harness and add value to economic opportunities arising from research, technology and know-how.
Through their research and innovation, universities will promote and champion Scotland's expertise to national and international audiences through joint research programmes, academic exchanges, conferences and publications. This will help develop international relationships and partnerships to 'sell' Scotland's "cyber brand", which will be essential to growing global business. It will also underpin inward investment opportunities for businesses attracted to Scotland from abroad who want to gain access to our markets and expertise.
On an ongoing basis, the Scottish Government will support opportunities for industry and academic experts to contribute to future cyber resilience policy development and thought leadership at the Scottish, UK and EU levels. In the immediate term, the Scottish Government will commission the collaboration of universities who make up the SICSA Cyber Nexus to work with industry and other partners to produce a research piece into the concept of digital communications infrastructure in Scotland as a "fifth utility". This will consider the current and expected future "state of the art", and the extent to which Scotland could achieve a competitive advantage by driving forward change in this area using existing or new powers. The findings of this research, to be delivered by summer 2019, will help inform wider policy development in respect of "secure by design".
Much of the work on cyber resilience in Scotland and the rest of the UK to date has focused on the measures that end users can take to protect themselves from existing cyber threats (for example, taking action to change default router passwords, or to make judgements themselves around the types of antivirus software they need or don't need). Some key private sector partners have argued that in the longer term, a more "provider-focused" approach to cyber security is required, treating digital services in a similar way to traditional utilities where service providers have a responsibility to ensure adequate levels of resilience and security within their service provision. Providers of such services would be required to take action to ensure consumers receive "clean" digital communications services, similar to what we have come to expect from other utility providers (for example, consumers of water are not generally required to fit filters in their own homes to feel confident that their supply is uncontaminated).
How or if this might work in practice is not fully understood. To improve our understanding of any potential economic opportunities in this area, the collaborative of universities who make up the SICSA Cyber Nexus will be commissioned to work with industry and other partners to produce a research piece into the concept of digital communications infrastructure in Scotland as a "fifth utility".
Related to this, the UK Government has begun to formally explore the topic of "secure by design", and the Scottish Government will continue to engage proactively with the UK Government and industry and academic experts as this thinking is developed.
6.5 Objective B: Develop the right academic research capability and capacity to support and grow business innovation in Scotland
Scotland has a growing capability and global visibility in cyber security research, innovation and skills benefiting the sector. The Scottish Government and the SICSA will build on the current government-funded SICSA programme of work to support academic institutions to expand this research. This work will aim to be of sufficient scale to attract and retain at least one globally renowned academic, provide for long-term facilities, and nurture junior research talent. It will also explore new ways of working that could better support the integration of academic ideas and expertise with the medium-to-long-term needs of industry. This action will be ongoing.
Successful clusters need access to the skills and resources that support innovative thinking and problem solving. The Scottish Government has provided funding under the UK National Cyber Security Funding Programme for an academically-focused Network Integrator and associated projects. These are helping to encourage and coordinate activity in the academic cyber security and resilience areas, and are supporting companies to find their way around the resources which currently exist there.
The NCRLB believes that the drivers for academics to work with companies in Scotland could and should be strengthened. There are various relevant initiatives (such as innovation centres), but areas of focus can sometimes be activity-based rather than strategic (involving long-term relationships and mutual planning). Cyber is an emerging and fast-moving topic, and as such there is a need to execute and deliver activities quickly to maintain a competitive advantage. However, it is important that this is tempered with longer-term planning to ensure activities are well placed to maximise return on investment, add value, fill gaps and align with long-term strategic objectives. As an emerging technical topic, cyber resilience has the inherent potential to be an area in which new ideas can be trialled. This creates a good opportunity to consider how, in trialling those new ideas, greater emphasis can be placed on the development of strong strategic relationships between academia and industry.
The Scottish Government will continue to work with the Scottish Funding Council to strengthen the requirements for cyber security research to be included within our university and college outcome agreements. This action will be ongoing.
As the national, strategic body for the funding of further and higher education in Scotland, the Scottish Funding Council's (SFC) role is to support colleges and universities in Scotland to deliver high-quality learning and teaching, world-leading research and greater innovation in the economy. Their investment enables our higher education institutions to carry out world-leading research.
The Scottish Government will continue to work with SFC to encourage our further and higher education institutions to build research capabilities in cyber security, in turn contributing to Scotland's economic growth.
The Scottish Government and its enterprise and skills agencies will continue to clearly state their support for the creation of a cyber-focused Centre for Doctoral Training in Scotland, and will work with SICSA, universities and industry to explore practical routes that all sectors could use to engage with, or support such a programme – for example through the provision of data. This action will be ongoing.
Ensuring there is sufficient cyber-related PhD research capacity in Scotland will have an impact on both supply-side academic capacity and industrial collaboration capacity. The establishment of a Centre for Doctoral Training (CDT) would be a core mechanism to ensure that PhD places could be made available, in volume, in Scotland. The Learning and Skills action plan also includes a commitment from the SICSA to work with the Scottish Government to consider the establishment of a CDT or other forum to bring industry together with researchers. The establishment of a CDT relies on having appropriately accredited academic departments, numbers of which are growing in Scotland. At the time of writing, Scotland-based CDT applications to the UK authorities are already in progress. If successful, that may address the challenge of growing Scotland's PhD capacity. However, if not successful, there will be a requirement to consider alternative means for addressing this challenge.
6.6 Objective C: Develop the right cluster management arrangements to ensure the approach is coordinated and has impact
Scottish Enterprise will work with the Scottish Government and other key partners to establish a cluster management function for cyber within an accredited CMO, with enough resource, capacity and capability to match the ambition of developing a globally relevant cluster. This will include steps to help the CMO achieve EU accreditation standards to agreed levels within a realistic timeframe. The CMO will be expected to participate in appropriate national advisory forums, work closely with partners to determine how best Scotland can benefit from UK wide industry initiatives emanating from UK Government and NCSC, and encourage the development of networks, coherence and partnership working, particularly with other aligned clusters such as Fintech. The CMO will initially be established by autumn 2018.
Most successful clusters in Europe are underpinned by a professional CMO. Even in mature clusters, these CMOs usually have a degree of public co-funding as much of the benefit they add goes to the wider economy as well as their member companies.
As the cyber security cluster develops, it will be important for organisations to have the opportunity to network and collaborate, promote effective cyber security practices, share learning and knowledge, capitalise on opportunities, and to have a voice that can influence national decision making, skills development, and technological development.
The cyber security community in Scotland has not yet matured enough to substantially resource a CMO that can provide coordination, highlight challenges and source opportunities for that community. However, there is a well-understood path from today's phase (of largely government provision of network integrators), developing through a risk-sharing phase between private and public sector, to a mature, steady-state phase involving a fully-fledged CMO. The CMO would be expected to demonstrate a clear commitment to develop such a road map, with significant engagement and buy-in from industry.
One early task for the CMO would be to use targeted resources to improve the information available around Scotland's export capabilities in cyber-related goods and services to international markets, and ensure a balanced approach to supply-side campaigns aimed domestically and internationally.
There is clear overlap between the cyber security opportunity in Scotland and the emerging opportunity known as Fintech. Making secure, robust, efficient private financial transactions is at the core of much of the rising demand for disruptive technology in the financial services sector. A cyber CMO will need to liaise with its sister organisations in Scotland to develop understanding of when to collaborate over common topics and when to differentiate.
The UK Government is making significant investment in supporting and growing cyber security companies. This includes the Cyber Growth Partnership, which aims to boost the UK's global market position in cyber security products and services, and other activities being undertaken by the NCSC such as:
- Cyber Accelerator, which gives innovative startups access to cyber expertise
- Industry 100, which enables industry reps to work alongside the NCSC
- NCSC-funded cyber work placements, which aim to build relationships with talented young people and potentially offer future employment
- Cyberinvest, which aims to encourage industry investment in cyber research
The CMO will need to work closely with the Scottish Government and its partners to ensure that Scotland benefits from these and other relevant initiatives.
6.7 Objective D: Develop the right supporting institutions to stimulate innovation and renewal within the cluster
The CMO, Scotland's enterprise agencies, and the Scottish Government will work together to develop a comprehensive shared understanding of Scotland's cyber security landscape. This will include identifying our strengths (in both a UK and global context), mapping out the current picture in terms of the various hubs and centres of expertise that exist across Scotland, and understanding the effectiveness of existing models and mechanisms for innovation, support and coordination of activity. This first phase of activity will be completed by summer 2019.
We expect this action to raise to the surface any need for additional support mechanisms that could help to rapidly accelerate growth in the cluster, and further specific actions may flow from this as a result.
Cyber resilience has many dimensions. There are currently various facilities and centres of expertise in Scotland (and potentially more will be created, for example through City Deal or other new/scale up activities). Ensuring these are well-coordinated and do not duplicate effort would reduce the need for one all-encompassing cyber centre in Scotland.
The Scottish Government and Scotland's enterprise agencies will work with supporting institutions and innovation centres (such as CivTech, CENSIS and The Data Lab) to ensure cyber security is embedded into any centrally-funded technology innovation activity. This includes ensuring that the outputs of publicly-funded innovation projects are developed with adequate, proportionate levels of cyber security in mind, and that innovation centres are equipped to advise or signpost on such issues. This will be in place by autumn 2019.
Accelerators are a particular type of institution that supports new or scaling businesses. There are various views on the current situation and the precise solution in Scotland. Scotland may benefit from a globally-accredited technology accelerator (either with cyber security as a cross-cutting theme or as a dedicated focus), and if deemed appropriate this could be realised through encouraging and inviting globally trusted accelerators to open here, or through growing our own indigenous service providers to global standards. Consideration should also be given to how best to link with and build on NCSC's existing cyber accelerator approach. If a dedicated accelerator is not appropriate, it is vital that any technology accelerator in Scotland which receives public funds embeds cyber security support as part of its offering to clients.
Scotland is most likely to develop a reputation as a world-leading nation in cyber resilience where the development of digital solutions is secure by design, with cyber resilience "baked-in" from the start. This quality proposition could be a strong differentiator for Scotland compared to the production of goods quickly, cheaply and without consideration being given to cyber resilience as a fundamental part of product/service development. If the Scottish brand is to be regarded as robust and trusted, then it would be illogical for our institutions to support the development of low quality technology. The public sector must be vigilant in what it funds, and impose the necessary diligence to ensure it does not support technology-based initiatives that work against any such national brand or messaging. This extends across all government initiatives and partners and includes any hubs or centres that are centrally funded.
6.8 Objective E: Develop the right brand to help promote Scotland's cyber security cluster across the UK and internationally, grow cluster exports, and reflect Scotland's emerging position as the place to be for researching, developing and supplying cyber goods and services
The CMO will work with industry, universities and other key partners such as the Scottish National Investment Bank to maximise the impact of existing investment platforms, to support Scottish cyber security entrepreneurs in getting exposure to potential investors, and to support potential investors to make more informed decisions. This action will be ongoing.
The private equity investment scene for the cyber security cluster in Scotland is not unique – it has the usual characteristics found across all digital markets in Scotland. The main requirement is to ensure that potential investors are well informed about cyber and the growth opportunities that could be generated, helping to stop cyber-specific investment opportunities being lost in the general digital background. Focussed work would allow campaigns to be developed, aimed at increasing investor sophistication regarding this niche cluster.
The CMO will work closely with Scotland's enterprise agencies, in particular Scottish Development International, to attract direct foreign investment and increase exports in the area of cyber security. This will include developing a strong international proposition. To ensure maximum impact, the CMO and enterprise agencies will work with the UK Government's Department of International Trade to identify collaborative opportunities. This action will be ongoing, with the first phase – developing a proposition – completed by summer 2019.
Scotland's own fundamental cyber resilience position is significant in providing the proof-point for any international proposition it can make for its cyber goods and services offering. The action plans on public, private and third sector resilience, along with the learning and skills action plan, set out how progress towards this fundamental cyber resilience is to be achieved.
With market demand for cyber-related goods and services being so diverse, any international proposition needs to be able to be tailored to suit the particular target at any time. There should be a universal brand with core messages and proof-points which can be adapted with specific case studies for each sector, geography or application area. This is a resource-intensive activity.
This plan clearly states that Scotland's cyber offering will be based around quality rather than a sector focus. In creating a differentiated story for Scotland, the approach should be consistent with that overarching aim, with a focus on quality first and foremost (with the balance of focus across sectors being driven by market demand, rather than creating top down artificial silos for particular sectors). Consideration will be given to how the national digital infrastructure story (which is a key element of positioning Scotland as a world-leading nation in cyber resilience) could, over time, be made into a significant international differentiator by design, implementation and operation.
The CMO, the Scottish Government and Scotland's enterprise agencies will work together with other key partners to maximise engagement, increase impact, and amplify messages across our international networks (such as trade ambassadors, global-scots, and other in-market actors and connections). This activity will be ongoing.
In developing a Scottish brand, we will ensure awareness of any broader activities or initiatives (for example, the UK Cyber Export Strategy), and consider if and how it might be appropriate to share activity, resource or messaging to amplify our reach and impact.
Although no single individual represents Scotland as a "cyber resilience ambassador" at present, Scotland has wide-reaching international networks. There is an opportunity to better utilise these networks in a coherent fashion in order to promote Scotland's cyber security offering. The impact and usefulness of these networks must be fully understood before considering what other additional resources might be required – including a specific ambassadorial role for cyber security.