National Cyber Resilience Advisory Board (NCRAB) minutes: December 2021

Minutes from the meeting of the National Cyber Resilience Advisory Board (NCRAB) on 14 December 2021.

Attendees and apologies

Board members

  • David Ferbrache (Chair)
  • Bob Hayes (Vice-Chair)
  • DCC Malcolm Graham (MG)
  • Dave McClure (DMC)
  • Keith Nicholson (KN)
  • (CT)
  • (RA)

Part attendance

  • Louise Macdonald (LM) 
  • Helen Nisbet (HN)
  • David McNeill (DM)
  • Anne Moises (AM)
  • (ON)

Also in attendance

  • Head of Cyber Resilience Unit
  • CRU Private Sector Lead
  • CRU Third Sector Lead
  • CRU Learning and Skills Lead
  • CRU Communications and Policy Lead
  • CRU Strategy Impact Programme Lead
  • CRU Programme and Policy Lead
  • programme manager
  • secretariat
  • Head of Information Compliance, SG NIS Regulations Team – part attendance
  • digital economy specialist, Scottish Enterprise – part attendance
  • head of ScotlandIS Cyber – part attendance
  • team leader, SG Child Protection Team – part attendance


  • Gordon McGuinness (GM)
  • David Aspinall (DA)
  • (DH)
  • CRU Public Sector Lead

Items and actions

Welcome, minutes and actions from previous meeting

The Chair welcomed the members to the meeting. The minutes were agreed and the action log was reviewed.

Conflicts of interest

The Chair declared a potential conflict as he had facilitated the National Cyber Exercise (pro-bono) that will be discussed later today.

Overview of the UK cyber strategy

The Head of the Cyber Resilience Unit gave the overview of the UK Cyber Strategy, describing its vision and five-pillar structure. Overall, the Strategy is considered to align well with the Strategic Framework for a Cyber Resilient Scotland.

The biggest challenge was ensuring that the CRU was round the table at the relevant times, as having a presence is vital to ensuring that solutions put in place at the UK level are fit for purpose for Scotland.

The Head of the Cyber Resilience Unit highlighted that the UK Cyber Strategy includes plans for a cyber coordination centre with the aim of improving intelligence-sharing, early warning and response arrangements within the UK Government itself.

DEC21/01: Share lines to take with Board Members regarding the launch.

Members discussed the language used in the UK Cyber Strategy and how it compares to the Scottish style of messaging around cyber.

Cyber threat landscape

ON talked about the Apache Log4j (Log4Shell) vulnerability with its rapidly moving picture. The two biggest risks around this vulnerability are its commonality and the possibility of remote code execution. Current advice from the NCSC is being distributed amongst all sectors (i.e. to update immediately where the use of Log4j is known, to look for as yet unknown uses of Log4j within an organisation, and to deploy specific protective measures).

ON made the Board aware that NCSC is asking organisations to register any successful exploitation of Log4j in the UK to gauge impact and potential impact, as well as gathering views on the organisational and operational impact of patching in general.

The CRU Private Sector Lead highlighted that the resolution of this will be a long process. It was confirmed that the Cyber Resilience Early Warning was sent out to the public sector in Scotland and to other members of Scottish Group on CiSP. The Scottish Business Resilience Centre (SBRC) and Police Scotland are active in supporting the situation, and the CRU remains ready to deploy national coordination arrangements if needed.

Cyber resilience framework delivery update

The Head of the Cyber Resilience Unit provided an overview of the current status of the Framework delivery – 97 activities are currently being delivered by the CRU and partners, and the PMO is checking the depth and breadth of coverage of the Framework actions. The next step will be to align the ongoing and future work with the UK Strategy.

The CRU Strategy Impact Programme Lead advised that CRU has already received several progress updates from delivery partners and that there has been good feedback from delivery partners on the measurement tool and process. The tool and process allow real-time monitoring and pivoting/intervention if need be, and are vital for the interim progress report scheduled for publication in Autumn. Some key indicators and data around this were looked at in detail.

DEC21/02: CRU to consider what can be done to gather a richer data set on cyber crime to get a fuller picture – not all cyber crime is reported to the police.

DEC21/03: CRU to share the findings of the Young People Survey with the Board.

The Head of Cyber Resilience Unit updated the Board with the progress of delivering the Public Sector Action Plan, highlighting key achievements such as the National Cyber Exercise and the start of the Scotland Shield (MISP) project. Future work for the public sector is being informed by the SEPA incident report recommendations.

The CRU Private Sector Lead talked about the key developments in delivering the Private Sector Action Plan, noting the remarkable satisfaction rate for the Cyber Executive Education training and the uptake of the Exercise in a Box sessions. He briefly outlined the work for next quarter.

The CRU Third Sector Lead gave an update on progress of the Third Sector Action Plan and highlighted the key future pieces of work.

A brief discussion about accessibility of the materials followed.

DEC21/04: CRU to share the third sector maturity journey draft with the Board.

The CRU Learning and Skills Lead briefly spoke about the key achievements in the last quarter and outlined the plans for future work, including the targets for increasing the Cyber Security Modern Apprenticeship uptake.

The CRU Communications and Policy Lead provided the Board with an overview of recent activities and the plans for next quarter. Discussion centred around the progress of CyberScotland Week planning in light of COVID-19 precautions.

DEC21/05: CRU welcomes suggestions from the Board Members on events for CyberScotland Partnership to attend or have a presence at.

The Head of the Cyber Resilience Unit talked about current risks with a high or very high rating, and informed the Board there were no open issues rated high or very high.

The Chair commended CRU for the work and progress. LM seconded that.

Further discussion centred around identified risks and potential new risks.

DEC21/06: CRU to update the risk register to reflect the discussion.

DEC21/07: The Vice-Chair and HN to discuss the SG Resilience Board and the reporting of SG’s own cyber security.

DEC21/08: CRU to share a draft of the Framework’s interim progress report with NCRAB before publishing in Autumn.

Audit short-life working group update

The CRU Programme and Policy Lead updated the Board with the progress of the Audit short-life working group and how this links to the recommendations from the relevant paper that the Board endorsed at its previous meeting.

Discussion about the barriers centred around the typical cycle of information security and inconsistencies across the sector with no standard audit approach in use.

The Vice-Chair said he is very impressed by how much has been achieved in such a short time. LM seconded this. Work will continue with this.

Overview of the network and information system regulations audit findings for the health sector

The Head of Information Compliance of SG NIS Regulations Team within the Health and Social Care Directorate provided an overview of the current situation and the wider landscape.

KN gave an overview of the NIS Regulations, and of the NIS audit cycle and process, outlining its key steps. He broadly discussed high level results of the audits.

Next steps are to continue setting up the working groups on the operational level, gathering good practice with the potential to share it further, and to look at the matter in a business continuity context.

The cyber security industry in Scotland and the priorities going forward

The Digital Economy Specialist of Scottish Enterprise reminded the Board that the original brief for the paper was to outline the private sector’s challenges with regard to the supply chain development and adoption, and in a broader ecosystem and international context. It was highlighted that the ongoing cluster work improves understanding of how to best support the multiple initiatives and schemes to capitalise on gains, and identifies the gaps.

The Head of ScotlandIS Cyber shared the latest data around the cyber security industry in Scotland. The community is well connected and engaged, and ScotlandIS has been working on identifying the specialisms within it: industrial control systems and operational technology, digital identity, online safety technology (with Edinburgh highlighted as a hot spot within the UK by DCMS), 5G and IoT.

Space technology shows huge investment growth, and ScotlandIS is keen to work with the sector to make it cyber-secure.

Plexal is providing support to develop a business case around the concept of the innovation hub for Scotland which aims to address the gap in the current landscape (no clear route to the UK-wide initiatives, no platform for showcasing the cyber strengths), and more in-depth information can be shared on request.

DEC21/09: The Head of ScotlandIS Cyber to share the slides with the Board.

DEC21/10: The paper to be discussed further at the next Board meeting.

Blue ice national exercise

The CRU Private Sector Lead presented an overview of the exercise with the structure, objectives and aims, and the Board discussed key findings.

Update from child protection policy area

The SG Child Protection Team Leader outlined the ongoing work relating to online child safety.

A Safer Internet Day communications campaign in February will target parents and carers of 9-11 year olds, highlighting what they can do to keep children safe online. It builds on the success of the initial campaign from the beginning of the lockdown.

The Parent Club website (the main channel that the SG uses to communicate with parents and carers) is being refreshed and updated.

Work on the Online Safety Bill continues, and is an important step to protect children from being exposed to inappropriate and harmful materials online.

The CRU will continue to stay in regular contact with the Child Protection Policy Team.

Scottish cyber co-ordination function update

The CRU Programme and Policy Lead informed the Board that the funding for the first year of the central coordination function has been granted and was announced last week in the Scottish budget. The inclusion of the importance of cyber resilience, and of the need for this coordinated central function, in the DFM’s Integrated Review for post-pandemic recovery has helped to progress this. The CRU Programme and Policy Lead is now leading on the project initiation, working with key partners on scoping the work streams and staffing needs of year one.




Next Board meeting: 8 March 2022, 09:30 – 14:30.
