National Cyber Resilience Advisory Board minutes: March 2023

 

Attendees and apologies

Attendees and apologies

Board members

• David Ferbrache (Chair)
• Robert Hayes (Vice Chair) 
• Maggie Titmuss (MT)
• Deryck Mitchelson (DM)
• George Fraser (GF)
• Carla Baker (CB)
• Jordan Schroeder (JS)
• Freha Arshad (FA)
• Natalie Coull (NC)
• David Aspinall (DA)
• Rory Alsop (RA)

Also in attendance

• (ON)
• Head of the Cyber Resilience Unit (CRU) 
• CRU Public Sector Lead
• CRU Programme Manager
• CRU Business Support Officer

Partial attendance

• Cabinet Secretary for Justice and Veterans
• CRU Learning and Skills Lead
• NHS National Services Scotland Head of Information and Cyber Security

Apologies

• DCC Malcolm Graham (MG)
• Christian Toon (CT)
• Helen Nisbet (HN)
• David Hartley (DH)

Items and actions

Welcome, minutes and actions 

The Chair welcomed the Cabinet Secretary for Justice and Veterans, Members and attendees. 
Previous minutes were approved.
There were no open actions.

Conflict of interest

No conflicts of interest noted.

The Chair announced his intention to step down and the next board meeting will be the last one he chairs. The Chair expressed it felt an appropriate time with the new members now onboarded, with the fresh expertise and perspective they brought to the board.

MAR23/01: Secretariat to inform members about the process to select new Chair.

Cyber threat landscape 

ON informed the board about the National Cyber Security Centre's (NCSC) new supply chain mapping guidance that includes guidance on cyber security and resilience of contracting, contract’s lifecycle management and sub-contracting (third, fourth-party vendors).
ON highlighted that spear phishing is becoming a significant threat, with individuals across sectors being targeted, including politicians and journalists. Personal accounts are also being targeted as they are less likely to have as strong security as corporate accounts. However, there is no change to the guidance in relation to this and the NCSC continues to advise following basic password hygiene measures and using multifactor authentication.  
Discussion on TikTok use being banned by governments and organisations in Canada, US and EU took place, at the moment NCSC does not have an official position or guidance, but it is expected.

The Chair inquired about any emerging general threat landscape trends. ON noted that ransomware is becoming more sophisticated, but the income from ransomware is lessening – particularly across public sector; it seems that the approach to paying ransom is changing, potentially due to governments legislating against paying.

The Cyber Resilience Unit (CRU) Public Sector Lead provided a short Scottish-specific threat update. 

DM suggested that more should be done to encourage sharing details of incident management and lessons learned at the executive level, including from private sector.
The CRU Public Sector Lead reminded the board that  the Public Sector Cyber Resilience Network, usually attended by about 150 representatives of Scottish public bodies, discusses  incidents and lessons routinely; including bringing in private or third sector victims to discuss their challenges and experiences. Noting that this heavily depends on volunteers willing to discuss their organisational arrangements and response details, the CRU Public Sector Lead would be happy to invite any other organisations to speak at future Public Sector Cyber Resilience Network meetings. 
The Chair highlighted that it is worth encouraging this level of maturity where incidents can be discussed to share learning and increase preparedness. The Cyber and Fraud Centre Scotland also hosts a weekly intel-share by financial organisations, Police Scotland, NCSC and The Scottish Government. 

The Head of the CRU reminded the board that one of the SC3’s core functions will be to improve intelligence sharing and provide a repository of lessons learned. 

Both DM and the Head of the CRU agreed that the private sector is more challenging to engage in this way.

Discussion with the Cabinet Secretary for Justice and Veterans

The Cabinet Secretary welcomed board members and attendees, congratulated new board members on their appointments and thanked the Chair for his service to the board in past years.

He noted that there is an understanding in the Cabinet on the seriousness of cyber threat, with it being recognised as a Tier 1 threat to national security and multiple examples showing its impact on Scotland.

The Cabinet Secretary noted that cyber security remains a reserved matter, and this poses some challenges, but also many benefits; this board has a key role in improving cyber resilience in Scotland.

He commented that the broader impacts of cyber incidents can be felt in the physical world, and in resilience the picture is often intertwined and complex – giving the example of damage to a cable to the Shetland Isles adversely affecting the island’s communities last October.

Following the incident where the email account of Stewart McDonald MP was hacked, the Cabinet received a security briefing including advice on measures that can be taken to minimise risk.

The Cabinet Secretary noted that Scotland’s partnership approach to cyber resilience, and the CyberScotland Partnership in particular, is progress to be proud of; commenting our ability to get the right people together in one room is Scotland’s strength, and that we need to continue exploiting it whenever possible.

The Cabinet Secretary echoed the Deputy First Minister’s previous words to the board that cyber resilience is not only government’s business, but everybody’s business. 

He highlighted that Estonia operated a model of paperless government, efficient digital public services and a high level of cyber security and resilience maturity that was possible due to Estonia’s particular circumstances; little or no legacy systems allowed the country to innovate easily.

Last year the Cabinet Secretary met with the Ambassador of Estonia to the UK, and he hoped for officials in the CRU to build a relationship with Estonian representatives for Scotland to benefit from their experiences.

The Chair shared his observations. The cyber community in Scotland is definitely a strength, working together is better than it’s ever been, and we tend to be more agile than other countries.

Commenting on challenges, the Chair posed a question whether looking back to previous big incidents, such as WannaCry, would Scotland be better equipped to deal with them now. The Scottish Cyber Coordination Centre (SC3) establishment process has proved itself to be a very painful and slow start to date, and there are questions on how the SC3 will move forward from the initial stage into its future shape, particularly due to the delay in recruiting a Head of Centre. 

Other challenges the Chair saw were embedding cyber into audit and assurance, and increasing the level of ownership of cyber issues at executive level.

The Chair invited members to comment.

MT highlighted that the financial constraints are affecting this important area. She commented that the Head of the SC3 still not being in post was problematic and there was a need for the right person to be employed in this role to serve as a public face of cyber resilience in Scotland. She welcomed the announcement of SC3, but was concerned that this may have raised expectations which are now going unfulfilled, and that any help from the Cabinet Secretary to progress this issue would be helpful. The Cabinet Secretary said he would be interested to hear about this delay in more detail from officials.

DM commented that organisations and businesses will always face constraints and cyber security needs to be seen as a core part of business, not as an extra that is not being resourced or financed when in financial difficulty; a change of the narrative was still needed.

The Cabinet Secretary posited that this seemed to be a matter of choices and priorities for organisations and that cyber security and resilience may not yet be perceived as a high enough societal priority, and that understanding and awareness still needed to be addressed. He suggested big tech companies could do more in this space.
GF followed up on Estonia’s cyber security and resilience maturity highlighting that Estonia has a lower GDP than Scotland; an analysis of the Estonian story may be helpful to understand the conditions that facilitated their success.

The Vice Chair suggested there is a fundamental issue with organisational cyber resilience. For instance, in his view, the percentage of organisations and businesses exercising regularly is not high enough, despite significant work being done to raise awareness of threat and risk. He felt more clarity was needed around audit (with a focus on measurability). 

The Vice Chair further seconded MT’s point on the Head of the SC3. He believed there was an opportunity to be creative in Scotland, and called for a daring, adventurous approach to the problems.

The Cabinet Secretary agreed on the importance of exercising, and in terms of a standard, he believes that the level of risk should be matched by level of preparedness.

MAR23/02: CRU to brief the Cabinet Secretary on the Head of SC3 recruitment.

The Chair commented that the voucher scheme for CE and CE+ was considered effective.

JS agreed with the Chair. He also highlighted that the Managed Service Providers (MSPs) work by ScotlandIS had been successful in building the MSPs cyber security and resilience capabilities. Ensuring that IT services used by small organisations are themselves cyber secure was an important step forward.
The Head of the CRU said that this work was funded by the Scottish Government through the cyber resilience programme.
 
The CRU Public Sector Lead commented that last year’s data indicated that 51% of public sector organisations exercised within the past 12 months. He said that he expected to see an increase this year, as a result of the continued work the CRU has led. 

One of the SC3 workstreams will focus on assurance, and will include public sector assurance. He highlighted that there was a range of standards in play across the public sector (Network and Information Systems Regulations (NIS)/Cyber Assessment Framework (CAF), Public Sector Cyber Resilience Framework etc.) but the gap was in the audit regime. 

The Head of the CRU highlighted that Board training project was due to start with the aim of encouraging every public sector board to have a cyber resilience lead.

CB commented that Cyber Essentials (CE)/CE+ (Cyber Essentials Plus) are good schemes, but wondered if more could be done to incentivise participation in assurance schemes. 

The CRU Public Sector Lead said that the requirements of Cyber Essentials certification were useful for organisations and businesses in supply chains where it was proportionate to the risk involved in contracts. However, there were concerns over placing additional burdens on organisations, particularly as there were in excess of 19,500 SMEs in Scotland registered with the Supplier Development programme, many of which would be excluded from public sector procurement should a blanket application of a standard be implemented.

ON said that questionnaires may not be the best way of measuring cyber resilience, and that any of the measures are indicative only. Instead, technological or automated monitoring of compliance with standards may be the direction to go, going forward.
The NCSC has some data on reporting chains, which may give insight into some of the issues around incident reporting. 

MAR23/03: NCSC (ON) to discuss with reporting chains data with CRU. 

The Chair expected businesses in the supply chain to be under pressure soon with changes expected from DSIT and NIS 2 Regulations over the coming year.

The Chair summarised the challenges brought up in discussion: 
-    senior level engagement is still low and organisations and businesses have a limited understanding of what consequences and impacts a cyber incident may have on their operations; 
-    the strong community in Scotland could lead to the creation of safe environments to share learning and experiences; 
-    Scotland is the right size for creative and bold solutions; 
-    building national capabilities is paramount;
-    SC3 needs strong leadership in place.

The Cabinet Secretary left the meeting.

MAR23/04: The CRU to provide a summary of the discussion to the Cabinet Secretary.

Framework delivery update 

The Head of the CRU opened with a reminder to the members about the Framework’s vision and CRU’s priorities in terms of its work programme. Budgets and recruitment were challenging. The main constraint was the current complex and lengthy recruitment processes. 

The board expressed concerns about the number of vacancies within the CRU and the effect it may have on delivering the work programme. 

The Head of the CRU said that there will be a report on progress and impact of the work programme in early summer 2023. 

MAR23/05: CRU to share a draft of the report with the board when ready.

The CRU Public Sector Lead updated the board on the progress in Q4. Recruitment was the main challenge, and vacancies were causing delays to delivering work.

The Vice Chair commended the work that was being delivered by a very small team, but was concerned by ongoing vacancy levels. 
GF referred to guidance for statutory board members and cyber resilience and he felt boards members should be in a position where they can challenge existing cyber security and resilience arrangements within their own organisations. 

The CRU Public Sector Lead highlighted that there would be board training for the Public Sector this financial year, which he hoped would help to empower senior board members on this very topic. 

The Head of the CRU informed the board that the CRU was working with the Scottish Council for Voluntary Organisations (SCVO) to map out key priorities for the Third Sector. 

The CRU Learning and Skills Lead presented progress in Q4, and outlined challenges.

MAR23/06: The CRU Learning and Skills Lead to engage with MT, CB and RA to explore ideas for sustaining sources of funding from industry to support cyber resilience learning and skills projects. 

The risk register was presented to the board. 

MAR23/07: The CRU to amend the issues register to reflect the discussion.

Scottish Cyber Coordination Centre update

The Head of the CRU provided an update on partners, workstreams, staffing and deliverables relating to the Scottish Cyber Coordination Centre (SC3) for year 1. Deliverables had been reviewed to match current capacity, with a focus on mapping the cyber ecosystem, including intelligence gathering and sharing, and exercising.

The Chair noted that much had been delivered despite the constraints; however he found the Paper presented the situation in an overly optimistic manner. 

The board would be interested to understand the issues and concerns that were hindering progress, in order to provide better advice and support. 

The board welcomed the updates on progress, achievements and issues but felt they would benefit from more information on challenges and how they may impact on the delivery of priorities going forward. 

The Vice Chair again expressed concerns around resourcing and sustainability for the CRU and SC3, due to the apparent overlap of staffing.

The Head of the CRU explained that the SC3 deliverables for year 1 were revised due to staffing limitations and that the focus has been on understanding the landscape and pinpointing gaps and improvements needed for intel sharing, response and recovery. This was approved by the senior responsible officer (SRO). 

MAR23/08: The CRU to review reporting processes for NCRAB. 

NHS National Services Scotland (NHS NSS) Centre of Excellence presentation

NHS NSS Head of Information and Cyber Security presented an overview of the current state and planned developments of the NHS NSS Centre of Excellence (CoE).  

NHS NSS Head of Information and Cyber Security was keen to ensure that the links between the NCRAB, SC3 and the wider public sector are bolstered to ensure a ‘once-for-Scotland’ approach and reduce duplication of effort.

Private Sector Working Sub-group update

FA informed the board that the NCSC created a cross-government short-life working group to target SMEs, which the CRU Private Sector Lead attends. The CyberScotland Partnership will help to amplify the work of this group. Further comms are expected in the summer.

AOB 

No AOB.

Close

The next Board meeting will be on 6 June 2023, 10.00 - 14.00 in Glasgow, 5 Atlantic Quay.