Details of cyber attacks on Scottish Government 2016-2017: FOI release

FOI reference: FOI/17/01932
Date received: 23 August 2017
Date responded: 4 September 2017

Information requested

Your asked us to provide information on:

1. Details of cyber attacks on the Scottish Government in 2016 and 2017
2. Details of any information that is believed to be hacked
3. Details of steps which were taken to halt attacks in the future

Response

I shall respond to each of your questions in turn.

1. Details of cyber attacks on the Scottish Government in 2016 and 2017

The information you have requested is available from FOI/17/01557

Under section 25(1) of FOISA, we are able to provide you with the above link which already patially answers your request. If, however, you do not have internet access to obtain this information from the website(s) listed, then please contact me again and I will send you a paper copy.

2. Details of any information that is believed to be hacked

To date, the Scottish Government has not lost any information as a result of a cyber attack.

3. Details of steps which were taken to halt attacks in the future

The Scottish Government has implemented robust defences and monitoring to mitigate cyber attacks and we continually review and improve these defences as new threats and intelligence emerge.

Whilst we are able to provide you with information on cyber attacks as per the details in parts one and two of this reply, part three is subject to an exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs).

Disclosing this information would substantially prejudice our ability to protect government assets and digital information.

Providing specific details about the products and equipment we use in the Office of Protective Security and Cyber Security Operations Centre could subsequently be used by attackers or hackers to circumvent these defences. This could potentially enable them to target other types of attack or specific components of our defences and would constitute substantial prejudice to the effective conduct of public affairs in terms of the exemption.

This exemption is subject to the 'public interest test'. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognise that there is a public interest in disclosing information as part of open, transparent and accountable government.

However, there is a greater public interest in protecting government information systems from attack or compromise and ensuring that the Scottish Government is able conduct its business effectively. There is also greater public interest in ensuring that ensuring that any identified vulnerabilities could not be used to attack Scottish Government systems that hold information entrusted to us by the citizens for whom we provide online services, and for whom we also have responsibilities under the Data Protection Act to protect personal information.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses