National Cyber Resilience Advisory Board minutes: December 2022

Attendees and apologies

Board members 

• David Ferbrache (Chair) 
• Maggie Titmuss (MT)
• Deryck Mitchelson (DM)
• George Fraser (GF)
• Jordan Schroeder (JS)
• Freha Arshad (FA)
• Natalie Coull (NC)
• David Aspinall (DA)
• (RA)
• Christian Toon (CT) 
• David Hartley (DH)

Also in attendance

• (ON)
• Head of the Cyber Resilience Unit (CRU) 
• CRU Public Sector Lead
• CRU Private Sector Lead
• CRU Programme Manager
• CRU Business Support Officer

Partial attendance

• CRU Learning and Skills Lead
• Education Officer, Education Scotland
• Frances O’Neill, Founder, Story Learning Ltd

Apologies

• DCC Malcolm Graham (MG)
• Keith Nicholson (KN)
• Carla Baker (CB)
• Helen Nisbet (HN)
• Robert Hayes (Vice Chair)

Items and actions

Welcome, minutes and actions 

The Chair welcomed members to the meeting. Minutes were approved and action log reviewed.

ON gave the members an update on the research around scams relating to the cost of living crisis and a paper will be shared with members following the meeting.

It was noted that the low reporting of cyber crime, including fraud, remains a problem, and has historically been an issue in discussing cyber crime-related matters.

Members agreed that whilst the reporting number remains low, anecdotally the number of attempts and people falling victim to scams seems to be rising.

The Head of the Cyber Resilience Unit (CRU) gave an overview of the comms and stakeholder reach (including via the CyberScotland Partnership) used to amplify its messages, including around scams.

DEC22/01: CRU to share cyber aware messaging with Board Members which Members will then share wider within their individual networks. 

Conflict of interest

No conflicts of interest noted.

Cyber threat landscape 

ON provided an update on the current threat situation, highlighting that it is crucial to understand the wider heightened threat context for any incidents – according to the National Cyber Security Centre's (NCSC) annual review, 18 ransomware incidents required a nationally coordinated response.

The Board then had a short discussion on risk attitudes of specific groups, their impact on number and the severity of cyber incidents that people experience and how it is understood by policy-makers.

DEC22/02: CRU to consider existing evidence on what groups are the most vulnerable and susceptible to scams.

A discussion on the Scottish threat landscape and recent press coverage of incident response and handling took place, with members commenting on supply chain security and post-incident assurance.

In the future, the Scottish Cyber Coordination Centre (SC3) is hoped to be able to look deeper across the incidents for commonalities and patterns.

DEC22/03: CRU to contact the Scottish public bodies with a reminder about the heightened threat and the notification procedure in the context of the upcoming Christmas break.

DEC22/04: The Secretariat to add to next meeting’s agenda time for a discussion on cyber incidents lessons learned (with an invitation extended to the National Health Service National Services Scotland (NHS NSS) colleagues).

Due to urgent parliamentary business the attendance of the Cabinet Secretary for Justice and Veterans (CSJV) did not take place. A future date will be arranged.

DEC22/05: The Secretariat to arrange CSJV attendance at future board meeting.

Framework delivery update, including Scottish Cyber Coordination Centre (SC3) update

The Head of the CRU spoke to Paper 1, with a short update on each of the Framework’s Action Plans. 

The CRU Programme Manager gave an overview of the logic modelling process and how it relates to the levels of data being collected. 

The public sector action plan was discussed in more detail, with the CRU Public Sector Lead highlighting the current challenges being experienced around procurement. 

The Board spoke briefly about the skills pipeline in Scotland expressing an interest in understanding the learning landscape. 

DEC22/06: The Secretariat to invite senior education official from Education Scotland to the next board meeting to provide an overview of computing science and cyber security take up in Scotland.

The CRU Private Sector Lead briefly outlined key achievements in the past quarter and the expected milestones in the next quarter. 

The Head of the CRU provided an overview of the activity related to the third sector action plan. 

DEC22/07: CRU to include appropriate information on a shared Chief Information Security Officer (CISO) concept and its benefits to organisations into the planned board training programme of work.

The Head of the CRU updated the board on the latest developments in the learning and skills action plan delivery.

CT commented that other protected characteristics and disabilities are not as clearly represented in the action plans. This was noted by CRU.

MT suggested that the veterans could receive targeted information campaign or other support to begin careers in the cyber industry to address the skills gap. She also suggested to include cyber resilience into the ready for release skills for prisoners. CRU noted.

DEC22/08: Secretariat to invite the Chief Executive Officer (CSO) of the UK Cyber Security Council to a future  Board meeting to provide an update on the work on the cyber professions.

The Head of the CRU discussed open issues. The Programme Manager briefly discussed open risks.

DEC22/09: CRU to update the risk register and the issues log to reflect the discussion.

DEC22/10: Chair to consider communicating the board’s concerns on risk of delays in recruitment to decision-makers.

Further discussion centred around funding and funding cycle, with the Chair drawing out the key issues for more detailed consideration.

The Head of the Cyber Resilience Unit updated the board on the latest position regarding the SC3, its workstreams and deliverables that will be achieved with the current staffing levels.

DM questioned how the deliverables will be completed with the slippage so far and the staffing situation. 

GF posed that an external consultancy may be worth considering at this stage to move the project forward.

Private sector sub-group update 

FA noted that there had been limited progress on the work of the private sector sub-group. 

DEC22/11: CRU to share the private sector action plan delivery data with the group.

DEC22/12: CRU to provide the group with an outline of which private sector organisations and representative bodies have been engaged.

DEC22/13: Secretariat to invite DH to the next sub-group meeting.

Cyber resilience for the youngest readers: The Bongles

CRU Learning and Skills Lead introduced the education officer from Education Scotland and the founder of Story Learning Ltd.

They presented to the Board selected pages from the planned book, previously printed books in the series and mascots. The book will introduce fundamental aspects of cyber resilience and a concept of security in a positive way to 60,000 Scottish Primary 1 pupils in the next school year.

The story is in line with the learning experiences and outcomes of the Curriculum and will have learning and teaching materials to match. The book will also be made available in Gaelic.

Board Members welcomed the positive tone of the book’s narrative.

Any other business

There was none.

Close

The next Board meeting will be on 6 March 2023, 10.00 - 14.00 at the cyberQuarter in Dundee.