National Cyber Resilience Advisory Board (NCRAB) minutes: September 2021

Minutes from the meeting of the National Cyber Resilience Advisory Board (NCRAB) meeting on 8 September 2021.

Board members

  • David Ferbrache (Chair)
  • Bob Hayes (Vice-Chair) (BH)
  • Keith Nicholson (KN)
  • David McNeill (DM)
  • Anne Moises (AM)
  • Dave McClure (DMC)

Also in attendance

  • Head of Cyber Resilience Unit
  • CRU Public Sector Lead
  • CRU Private Sector Lead
  • CRU Third Sector Lead
  • CRU Learning and Skills Lead
  • CRU Communications and Policy Lead
  • CRU Strategy Impact Programme Lead
  • Programme Manager
  • Secretariat
  • Cade Wells, Acting Business Development Director, CENSIS – part attendance

Apologies

  • Helen Nisbet (HN)
  • DCC Malcolm Graham (MG)
  • David Aspinall (DA)
  • Louise Macdonald (LM)
  • Gordon McGuinness (GM)

Items and actions

Welcome, minutes and actions from previous meeting

Chair welcomed the members to the meeting.

Minutes were agreed and action log was reviewed.

Terms of reference sign off

It was agreed that the board will publish the names of the Chair and Vice-Chair and high level summaries of each meeting on its page on the Scottish Government website.

BH highlighted that Terms of Reference (TOR) do not formally recognise a role of Vice-Chair. The Chair suggested formally appointing BH for the role, seconded by CT.

1 September 2021: Secretariat to amend terms of reference to include the role of Vice-Chair.

A question on the tenure of members was raised, and the Chair clarified that he will be looking for new members and have individual discussions with existing members on the transition over the next 12 months.

A discussion was held on whether the board should have a minimum clearance level to allow for access to occasional sensitive material.

2 September 2021: board members to send final comments on the Terms of Reference by 31 October to the Head of the CRU, after which TOR will be approved.

Conflicts of interest

RA declared he sits on the Supervisory board for Information Security Forum and is also a Chair of Scottish branch of Chartered Institute of Information Security.

Cyber threat landscape

The recently announced services from NCSC were outlined: the public can now report fraud directly to NCSC, and new functionality may be added to Office 365 allowing users to report possible fraudulent emails, creating an automated process involving all parties. Links were shared with the board to access more detailed information.

With regard to the cyber threat, previously well-known vulnerabilities continue to be problematic, and staff returning to the office may present a risk, as dormant systems may become active again once back in the office.

Securing COP26 is a current focus for NCSC, and there is no guarantee that cyber criminal groups not active at the moment will not resume operations. CISA’s latest publication, Ransomware Awareness for Holidays and Weekends, was recommended to the board.

The CRU Private Sector Lead shared that there have been no significant cyber incidents in Scotland that he was aware of since the last meeting, which allows attention to be focused on exercising (a national exercise is planned for 6 to 8 October). With COP26 taking place soon, the press reported that Strathclyde Partnership for Transport may become a potential target for hacktivists. The CRU are part of the COP26 security operations.

Cyber Resilience Framework delivery update

The Head of the CRU provided an update on the framework delivery programme, highlighting that the Programme Manager has put a programme plan in place allowing for better recording and analysis of work, as well as recording of risk management. The programme currently has 96 deliverables from a wide variety of partners across all sectors, including the Scottish Government.

The CRU Strategy Impact Programme Lead highlighted that changes at the outcome level cannot be said to be solely caused by the strategic programme, and whilst the programme contributes to the changes, other factors may have contributed to the change in outcome. The programme monitors both outcomes and outputs, and examples of outcome-level indicators were shared, some of which the Cyber Resilience Unit commissions directly.

A Measurement Tool is used to monitor the reporting process. Measures include target and stretch target statements, quality assessments, data providers, frequency and attribution level; to date 143 outcomes have been identified, 104 of which have been matched to existing actions.

The CRU Public Sector Lead described recent key achievements in the public sector, particularly the increase in the number of exercises and Exercise in a Box sessions, and the progress with the public sector CiSP group. He gave an overview of the next quarter’s major pieces of work, citing the care sector as the next priority.

The CRU Private Sector Lead provided an update on the last quarter’s activity, highlighting the new Cyber Engagement Officer post at SBRC and continued funding for their helpline. Future actions will focus on engagement with senior executives and work with Managed Service Providers. He also discussed more detailed data on the uptake of Cyber Essentials and Cyber Essentials Plus.

The CRU Third Sector Lead highlighted the work in the third sector in the last quarter and described the plans to continue work on the cyber maturity journey for organisations in the sector and to carry out a prioritisation of the organisations most at risk or most vulnerable.

The CRU Learning and Skills Lead provided an overview of the last quarter’s key achievements and outlined the actions expected to be completed within the next three months. The main challenges are around supporting the teaching of cyber security in schools and the digital access infrastructure.

The CRU Communications and Policy Lead highlighted that through the CyberScotland Partnership the CRU is able to produce and promote more cyber-related content that fits in well with the existing schedule of monthly Bulletins. He outlined actions to be completed in the following three months, largely around the preparation for CyberScotland Week (28 February to 4 March 2022).

The Head of the CRU briefly discussed the risks designated high and very high, and mentioned that there are currently no open issues. She summed up by describing the confidence levels across the different Action Plans of the programme and highlighted key dates.

The Chair recommended clarifying the difference between the risk to delivery of the work programme and the risk to the country’s cyber resilience.

The Chair commented that the pack was a very impressive piece of work with a good range of deliverables and it was a credit to the Cyber Resilience Unit and the Head of the CRU. DM seconded that.

3 September 2021: MG to provide an update on the SRP sub-group regarding cyber and physical resilience at the next board meeting.

4 September 2021: Programme Manager to clarify the risk register to distinguish between risks to the delivery of the work programme and the risks to the country’s cyber resilience.

Cyber assurance - progress

BH reminded the board of the origin of the paper and briefly outlined the issues. He suggested that the main problem with providing cyber assurance for the public sector is that the picture is fragmented, with a number of agencies applying a range of different standards.

He described the main challenges ahead: there is no real leverage to get those who are not required to use the Scottish Public Finance Manual to use it, and information sharing on assurance is limited, which prevents effective analysis at a national policy level.

He suggested constituting a short-life working group to produce a business case on developing an assurance process that could answer some of the challenges.

AM was entirely supportive of the recommendations, and believed that the most effective way of engaging with the public bodies to provide assurance is to get cyber resilience into the Scottish Public Finance Manual. This was seconded by CT and RA.

KN highlighted that the data protection and GDPR content in the Scottish Public Finance Manual could be a good driver for introducing the wider cyber resilience aspects.

BH thanked MC and the CRU Public Sector Lead for their work on the paper.

The paper was endorsed by the board.

5 September 2021: BH to add to his paper that the conclusions in the Public Sector Finance Manual do not mention resilience or wider business disruption.

6 September 2021: The Head of the CRU and the CRU Programme and Policy Lead to work with the Chair and BH to produce a covering letter for the paper for the DFM, setting out options for a short-term working group to consider the report findings and make recommendations to address the issues contained therein.

SC3 Proposal paper

The Head of the CRU presented a summary of the proposal for a central coordination function, asking the board for comments and views.

Feedback and discussion centred on communicating more clearly that NCSC’s work would not be duplicated by this function, and on considering possible ways to involve the cyber security industry.

The board agreed that the paper is a well-positioned proposal to move Scotland’s cyber resilience forward and endorsed it, with Option three as the preferred option.

7 September 2021: The Head of the CRU and the CRU Private Sector Lead to meet with KN and AM to discuss the development of a business case.

CENSIS update on cyber programme

The Chair welcomed Cade Wells, the Acting Business Development Director of CENSIS, who provided the board with an overview of the cyber work being undertaken by CENSIS, particularly its IoT Cyber Challenge Programme.

The Chair thanked the speaker and commended CENSIS for the impressive work.

8 September 2021: Secretariat to distribute presentation slides to board members.

9 September 2021: The CRU Communications and Policy Lead to follow up with the speaker on an IoT Hackathon event for CyberScotland Week 2022.

10 September 2021: The Head of the CRU and the CRU Private Sector Lead to link in with the speaker to discuss future work.

AOB

The CRU Learning and Skills Lead updated the board on the DCMS licensing/regulation of the cyber security profession proposal. In November, the Cyber Resilience Unit will disseminate the call for views.

11 September 2021: The CRU Learning and Skills Lead to arrange a DCMS or Council representative to attend next board meeting to outline the proposal.

Summary and date of next meeting

The Chair summarised the meeting and thanked the attendees.

Extraordinary meeting: Wednesday, 13 October, 10:00 to 11:00.

Next meeting: Tuesday, 7 December, 10:00 to 13:00.

Close