Attendees and apologies
- David Ferbrache (Chair)
- Robert Hayes (Vice Chair)
- Maggie Titmuss (MT)
- George Fraser (GF)
- Carla Baker (CB)
- Freha Arshad (FA)
- Rory Alsop (RA)
- DCC Jane Connors (JC) - Ex-Officio
Also in attendance
- NCSC Scotland Officer - (ON)
- Cyber Resilience Unit (CRU) Public Sector Lead
- Scottish Cyber Coordination Centre (SC3) Cyber Incident and Vulnerability Co-ordination Lead
- CRU Head of Policy and Programme
- CRU Business Support Officer
- Head of the Cyber Resilience Unit (CRU)
- David Hartley (DH)
- Deryck Mitchelson (DM)
- Jordan Schroeder (JS)
- David Aspinall (DA)
- Natalie Coull (NC)
Items and actions
Welcome, minutes and actions
The Chair welcomed Members to the meeting, including JC to her first Board meeting.
The Chair confirmed that this was his and the Vice-Chair’s last Board meeting. The Chair expressed gratitude to Board Members for their contributions and dedication to improving the cyber resilience of Scotland. While challenges still remained, the Chair felt Scotland’s size and reputation for piloting new ideas were positive in enabling it to be more agile in the face of cyber threats. The Chair confirmed that MT had been appointed as the new NCRAB Chair. MT welcomed the challenge ahead.
The minutes of the March meeting were approved.
Conflict of interest
No conflicts of interest noted.
Cyber threat landscape
ON provided an update on the cyber threat landscape. This focused on Snake malware, for which the National Cyber Security Centre (NCSC) and international allies had published an advisory in May. This sophisticated espionage tool was central to Russian cyber actors' attempts to collect sensitive information. ON also referred to Volt Typhoon, which was being deployed by Chinese state-sponsored cyber criminals against critical infrastructure in the US. There was the potential this could be used to target other nations, including the UK. The NCSC were also seeing a proliferation of cyber tools that reduced restrictions and increased the ability for anyone to buy these tools, introducing new actors to the cyber landscape.
ON shared that the NCSC had published a joint blog with the ICO which focused on why cyber attacks go unreported and dispelled common misconceptions that discouraged organisations from reporting cyber attacks. ON also shared an update on Active Cyber Defence (ACD) measures. As not everyone was eligible for these measures, a lighter-touch version called ‘Check your cyber security’ had been created, and a lighter-touch version of ‘Mail Check’ was in development.
The Chair asked ON if there was any further information from NCSC around events in Ukraine. ON commented that NCSC continued to monitor key sectors and patterns happening internationally in relation to the threat landscape.
The SC3 Cyber Incident and Vulnerability Coordination Lead also provided an update on the threat landscape. He explained that the CRU had recently dealt with a cyber attack and worked on the potential exposure to risk of specific organisations but commented that limited information was provided by the affected organisation which impeded progress. Another recent cyber attack had drawn attention to exposure across the Public Sector and the CRU had written to Public Sector contacts to find out who else was exposed. The Chair commented that the scale of compromise from the attacks may not be known for some time. He then further asked what this meant for the Scottish Cyber Coordination Centre (SC3). The CRU SC3 Cyber Incident and Vulnerability Coordination Lead advised they were focused on building good relationships with organisations in order to nurture open and transparent lines of communications as well as assurance that the public sector was taking action. The Chair posited that this work would be vital to understand lessons learned from cyber attacks.
GF commented that it was clear that resourcing within the Scottish Government was particularly challenging and asked what steps were being taken to try to reduce the impact of the vacancies. The Public Sector Lead explained that internal recruitment restrictions had eased since the beginning of the month and it was expected that a B3 position would be filled by end-June/July. However, the CRU had a new vacancy, as the Programme Manager had now left the role. The SC3 Incident and Vulnerability Lead advised that the CRU was prioritising key work including a refresh of the national Action Plans, with the Public Sector Action Plan a key focus. As SC3 developed, its focus would change to adapt to circumstances.
Public Sector Cyber Assurance Survey – results and discussion
The CRU Public Sector Lead provided the Board with some initial findings of the Public Sector Cyber Assurance Survey (PSCAS). The Board heard that the CRU had received responses from 120 organisations (originally sent to around 172 public sector organisations), which was a response rate of around 70%, and this year included the NHS. There was coverage in responses across all sectors and analysis had identified some key priorities for focus. The Public Sector Lead noted that the Survey relied on reporting accuracy and there was still some under and over reporting of capabilities. However there had been a change in relationship with the CRU and public sector organisations appeared to recognise that the CRU was seeking to assist them in times of cyber threat.
There then followed a discussion on Cyber Essentials (CE) and Cyber Essentials Plus (CE+). The Board noted that there was a marked drop in the percentage of organisations who had CE or CE+. ON posited that this could have been the result of enhanced requirements for CE+. The SC3 Cyber Incident and Vulnerability Coordination Lead explained that it was important that small and micro businesses used CE and CE+ as these were more suited to smaller businesses. However the reduction in SMEs using CE or CE+ may be due to the perceived costs associated with it. He further advised that NCSC/IASME were in the process of developing a pilot pathway project to look at alternatives to CE and CE+ for big businesses and the conclusions of this would be of interest.
The CRU Public Sector Lead shared with the Board that a board training pilot was due to be launched shortly and sessions would be rolled out to public sector organisations later this year. He noted that within the survey returns, 80% of public sector board members considered themselves to have adequate training, which did not correlate with the rest of the survey results. It was possible that organisations were delegating responsibility to Audit and Risk Committees.
The CRU Public Sector Lead led discussion on the survey results surrounding organisations exercising their incident response plans. While the ideal target was 100%, the actual number of organisations had dropped to 48% which was disappointing. The Board expressed concern about this figure as exercising was considered to be the most effective way of ensuring organisations were cyber resilient and secure. The CRU Public Sector Lead commented that this may be due to a lack of clarity around what ‘exercising’ means. The Vice Chair commented that exercising discussions had taken place with multiple Cabinet Secretaries and that attention must be focused on ensuring and encouraging the development of exercising capabilities within organisations. A target number of organisations exercising may be the way forward as this would have the largest impact on increasing cyber resilient behaviours across organisations.
JUN23/01: The CRU Public Sector Lead to include a specific requirement in the refreshed Public Sector Cyber Resilience Framework for exercising.
CT further commented that if this proposed exercising requirement was referred to in a ministerial letter to accompany the refreshed Framework, or sent to organisations when requesting completion of the PSCAS, then the CRU should seek to include specific examples or scenarios which would make it easier for organisations to understand what exercising meant and looked like in real terms. It may also be useful to include this in the Action Plan. The Chair seconded this and further stated that the expectations of exercising for public sector organisations should be as clear as possible to increase the number of organisations exercising their cyber incident response (CIR) plans. The SC3 Cyber Incident and Vulnerability Coordination Lead commented that this was a good idea as organisations did not seem to be learning from previous attacks and many characteristics of cyber attacks were shared. The CRU Public Sector Lead then suggested that exercising CIR plans may not be enough and there may need to be a further breakdown of exercising to include cyber scenarios, cyber incident response, and cyber consequences and results.
A short discussion on an update of Active Cyber Defence (ACD) measures followed.
JUN23/02: The CRU to seek to compare Scotland’s ACD results to the wider UK results to benchmark progress.
JUN23/03: The CRU Public Sector Lead to emphasise exercising in the Ministerial letter.
The CRU Public Sector Lead shared findings on insurance and/or CIR company retainers and suggested this was something the SC3 could explore in the future. There had been a small increase in the percentage of organisations with a CIR company relationship but a decrease in the percentage of organisations with insurance. The Chair suggested that a move to a form of government procurement could be a way forward and something worth exploring. The Vice Chair commented that for many organisations, the coverage offered by insurance was so weak, that many organisations felt it better to spend money on improving their security rather than insurance. The SC3 Cyber Incident and Vulnerability Coordination Lead stated that NCSC was currently in the process of establishing a second level (Level 2) of technical assurance for CIR companies that would deliver expertise for smaller companies and organisations across the UK, including local governments. ON advised that CIR2 was still in development.
CB commented that it could be useful to have a form of ‘Show and Tell’ about what CIR companies could offer, which would allow for a more tailored approach as there was no ‘one size fits all’ CIR for an organisation.
JUN23/04: The CRU Public Sector Lead to explore how to include a showcase on CIR during a Public Sector Cyber Resilience Network meeting.
Progress and impact report
The Chair thanked the Vice Chair for his previously issued comments (via email to the NCRAB inbox) on the draft progress report on years one and two of the Strategy and invited comments from the rest of the Board.
MT shared the Vice Chair’s views that the report needed more balance and while it was great to see all of the achievements in the first two years, it was as important to see where the challenges still lie. MT further stated that there were some contradictory statistics and statements in places. CB expressed similar views and wanted to see balance within the report.
The CRU Public Sector Lead asked the Board to comment on what was missed in the report. CB suggested she would like to see some of the PSCAS survey results included in the final version of the report. JC stated she would like to see a wider communications piece in the report as well.
The Chair commented that the progress report needed to be revised to enable the Board to consider endorsing it and suggested that a further iteration was shared with the Board for comment/consideration. This could also align in some target setting within the revised Action Plans moving forward.
JUN23/05: The new Chair (MT) and the Head of the CRU to discuss the intended readership of the report, its content and the Board’s role in endorsing the report before it was published.
Strategic priorities 2023-2025
The CRU Public Sector Lead advised the Board that work was currently ongoing to refresh the national Cyber Resilience Action Plans, taking into account what had worked well and where further progress was still required. There was discussion on the planned direction for the Public Sector Action Plan for 2023-2025, which would be informed by the survey discussed earlier in the meeting.
He further advised the Board that the Scottish Government was undergoing the ‘GovAssure’ process and noted the importance of this process to the many public sector organisations who relied on SG. He also updated the Board on the Cyber Security Information Sharing Partnership (CISP) platform and plans for a new version of this, which was imminent. The re-launch of the new CISP would be used to drive the community back onto the Scottish Public Sector Group, which would be the primary route for SC3 sharing threat intelligence. The SC3 had also procured and was assessing an Open Source Intelligence (OSINT) tool to examine how this could add value to SC3 customers and improve access to threat intelligence.
On supply chain management, the CRU Public Sector Lead told the Board that the Cyber Security Procurement Support Tool (CSPST) had received an extension to end December 2023. An invitation to tender had been issued for revising the tool but no bids were received, which was disappointing as there had been increased interest over recent months from organisations wanting to use the tool, including the NHS. The Chair asked if this was due to pricing issues. The CRU Public Sector Lead explained that the platform the tool used was being phased out and the changes required to make the tool more robust were too much for the suppliers of the platform to manage.
The CRU Public Sector Lead advised he would be working to create sensible guidance around the CSPST, which would involve discussion with the legal department to revise procurement processes for public bodies. The Chair commented that there was a level of risk involved in the CSPST being removed. The CRU Public Sector Lead commented that he and the new B3 being recruited would take forward work to develop new procurement templates. In parallel, there would also be assessment of other commercial options to replace the tool as well as consideration of the potential for a CivTech Challenge.
The Chair expressed concerns around the future of the CSPST as it could pose an exposure problem for the public sector, and asked what more the Board could do to move things forward. The CRU Public Sector Lead indicated that the Board could offer advice in the longer term about what other solutions could be produced beyond solely guidance.
The Board was then updated on the direction of the Third Sector Plan for 2023-2025. A report on the cyber security of the third sector was due to be published and the Scottish Council for Voluntary Organisations (SCVO) were to be given funding to take forward development of a programme of activities for the Third Sector. This would be supported by a governance group to determine and oversee the programme.
In relation to the Private Sector, the SC3 Cyber Incident and Vulnerability Coordination Lead advised that the UK Government was developing a new website aimed at small businesses to provide a one-stop portal of advice and support. A meeting was taking place later in the week to discuss these proposals. He hoped that Cyber Scotland Partners would then be able to link to the site and the solutions it would offer for small and micro businesses.
In relation to Learning and Skills, the CRU Public Sector Lead advised that the overarching aims would remain largely unchanged, but there would be some reframing for emphasis, for example on diversity in the talent pipeline and raising standards of cyber professionals.
JUN23/06: CRU to share revised action plans with the Board and the Board to then share what might be missing.
The CRU Public Sector Lead provided the Board with a short update on the structural changes which would be taking place for the CRU in due course.
Scottish Cyber Coordination Centre (SC3) update
The SC3 Cyber Incident and Vulnerability Coordination Lead updated the Board on the progress of the SC3 to date. The Board expressed concern that there was still not a Head of Centre in place two years down the line and asked what they might be able to do to encourage movement, as it ran the risk of becoming an undeliverable commitment. The SC3 Cyber Incident and Vulnerability Coordination Lead advised that the Head of Centre role might be filled by a Deputy Director but that this was still to be confirmed. The Chair noted this but felt that, as well as a titular Head of Centre, it would be helpful to have an Operational Lead. FA commented that it was unclear what the SC3 would be once it was an entity and asked what the function of the SC3 would be when it was fully formed. She suggested that the early functions of SC3 were unclear and further clarity on the role of SC3 was required. The SC3 Cyber Incident and Vulnerability Coordination Lead commented that the early functions of SC3 had focused on vulnerabilities but that it would be for the Head of Centre to set out functions going forward.
The Chair asked for an update to be given at the next Board meeting.
CyberScotland Partnership (CSP) update
The SC3 Cyber Incident and Vulnerability Coordination Lead updated the Board on the CSP. He explained that the chairship of the CSP rotated every two years and that the chairship was now with the Head of the CRU. The priorities for the CSP this year were to focus more on collaboration across the key partner organisations, with more active communication campaigns. The Chair welcomed the update and suggested it would be helpful to have more of a ministerial commitment to CSP events, as this would greatly raise the profile of cyber resilience matters with the public.
Security and Business Continuity Board
The Vice Chair announced his intention to step down from his role on this Board and suggested that it would be good to have a bridge between NCRAB and the Security & Business Continuity Board. He recommended that a member of NCRAB be put forward to the co-Chairs of the Security & Business Continuity Board for consideration.
JUN23/07: New Chair (MT) and Head of the CRU to discuss how best to move forward with a new appointment.
Any other business (AOB)
The next Board meeting will be on 5 September 2023, 10am to 2pm in St Andrews House, Edinburgh.