National Cyber Resilience Advisory Board (NCRAB) minutes: December 2024
- Published: 2 April 2025
- Directorate: Digital Directorate
- Date of meeting: 3 December 2024
- Date of next meeting: 25 March 2025
Minutes from the meeting of the group on 3 December 2024
Attendees and apologies
Board members in attendance:
Maggie Titmuss (Chair)
Deryck Mitchelson (Vice Chair - DM)
Freha Arshad (FA)
George Fraser (GF)
Don Smith (DS)
Jordan Schroeder (JS)
Natalie Coull (NC)
ACC Andy Freeburn (AF) – Ex-Officio
Alan Gray, Deputy Director, National Cyber Security and Resilience Division, Scottish Government – Ex-Officio (AG)
Apologies:
Carla Baker (CB)
Ollie Bray (OB)
Phil Ford (PF)
Also in attendance:
Head of the National Cyber Resilience Unit (NCRU)
NCRU Head of Policy and Programme
NCRU Policy and Programme Officer
Scottish Cyber Coordination Centre (SC3) Service Lead
SC3 – Cyber Incident and Vulnerability Co-ordination Lead
SC3 Cyber Assurance Lead
SC3 Threat Intelligence Sharing Lead
Partial attendance:
National Cyber Security Centre (NCSC) Deputy Head (interim), Government Team, Resilience & Future Technology Directorate (NW)
NCRU Public Sector Lead
HEFESTIS, Chief Executive Officer
Swordbreaker, Founder & Chief Executive Officer
Lupovis, Co-Founder and Chief Security Officer
Lupovis, Chief Technical Officer
Items and actions
Welcome, introductions, last meeting actions and conflicts of interest
The Chair welcomed Members to the meeting. The Chair welcomed new Police Scotland ex-officio member, ACC Freeburn, to the Board.
The Chair also welcomed new member, DS, to the Board. The Chair highlighted that, as DS was a member of the National Cyber Advisory Board (NCAB) (UK Government), there would be greater opportunity to feed into that Board, enhance collaboration and reduce duplication of effort.
The minutes of the September 2024 meeting were approved.
The NCRU Policy and Programme Officer went through previous meeting actions and provided a number of updates.
MAR24/02: The CRU/DD to provide an update on security briefings and Ministerial engagement with cyber resilience matters at the December 2024 board.
AG explained there had been significant positive engagement with the Permanent Secretary on matters of cyber resilience. He shared details of senior level discussions on what more could be done to implement a minimum baseline standard of cyber security policies, processes and procedures across Scottish public sector organisations.
ACC AF was very supportive of this, and considered that good cyber hygiene would be vital in gaining a baseline standard of cyber security across the public sector.
The Chair noted that while mandating cyber security processes and procedures was not possible at this time, it was encouraging to see increased positive engagement with matters of cyber resilience at senior government levels.
DM stated that developing a minimum baseline standard was a move in the right direction and could be a stepping stone to mandating cyber security requirements across the public sector in Scotland in future years.
DS added that any baseline standards implemented would need to be achievable. He also stressed the importance of training staff at all levels to understand cyber risks and take appropriate action.
JS asked if local authorities could be sued for data breaches and suggested that the threat of legal action after a breach could also be considered a perceived risk in the event of a cyber incident, and that it was important that organisations were prepared for this.
JUN24/02: NC to update Members on veterans training programme during December meeting.
NC shared that the veterans training programme continued, with further modules scheduled for delivery in the new year, including open-source intelligence (OSINT) modules. NC asked any Members able to support with training placements for participants to get in touch.
DEC24/01: Members to contact NC if they can offer any placements to participants on the veterans training programme. NC to share relevant website links with NCRU Policy and Programme Officer when available for sharing with Members.
JUN24/06: CRU and Chair to discuss the option of onboarding a key official from the Local Authorities.
The Chair to make this approach.
All other actions from previous meetings were closed.
No conflicts of interest were noted.
Scottish Cyber Coordination Centre (SC3) – progress overview
AG shared a general update on the progress of the Scottish Cyber Coordination Centre (SC3).
AG introduced the SC3 Service Lead, recently in post, to Members. He further shared that SC3 has developed a Lessons Learned Review Good Practice Guide which would become available over the coming months.
SC3 – Higher Education Further Education Shared Technology Information Service (HEFESTIS) - update
The Chief Executive Officer of HEFESTIS partly attended the meeting to provide Members with an update on the HEFESTIS Pathway project.
SC3 – CivTech 9.6 Challenge - updates
The Co-Founder/Chief Security Officer and Chief Technical Officer at Lupovis and the Chief Executive Officer/Founder of Swordbreaker partly attended the meeting to update Members on progress on their CivTech 9.6 Challenge projects.
SC3 – CyberShield Malware Information Sharing Platform (MISP) - update
The SC3 Threat Intelligence Sharing Lead updated Members on the progress of the Cyber Scotland Shield project (Malware Information Sharing Platform MISP).
He shared that a proof of concept was initially developed and, following this, a model and supporting standards were established in 2021/2022.
For 2023/2024, training packages (for beginners and advanced level) were developed and working and steering groups were established. There has been engagement with the National Cyber Security Centre’s MISP Group and further engagement with devolved governments and the Government Cyber Coordination Centre (GC3) on MISP capability, with the potential to join up communities.
Next steps for the workstream were to develop MISP Central and liaise with UKG and devolved governments on standards and approach.
SC3 – Cyber Observatory - update
The SC3 Cyber Assurance Lead updated Members on plans for the SC3 Cyber Observatory.
SC3 – Exercising Cadre and webspace
The SC3 Incident and Vulnerability Coordination Lead updated Members on work within the exercising workstream of the SC3. He shared that plans were underway to develop NCSC Exercise in a Box written training materials into an improved interactive process.
He added that over 40 public sector staff had signed up to become part of the Scottish Public Sector Cyber Exercising Cadre, and most sign-ups had resilience or business continuity backgrounds.
He further shared that two 2-day training courses on an Exercise Delivery Model based on NCSC exercising standards were delivered with support from IASME.
He noted there had been an uptick in cyber exercising support requests from local authorities and the SC3 were looking to achieve NCSC Assured Cyber Incident Exercising Provider status. The SC3 Incident and Vulnerability Coordination Lead is assessed and certified as an IASME Cyber Incident Exercising Team Lead.
He also shared plans to undertake a National Exercise in March 2024.
He also provided an update on the planned SC3 web-space. He advised Members that relevant policies, guidance and templates, such as the updated Cyber Incident Response Toolkit, would be made available to the wider public, and a December 2024 launch was planned.
Cyber threat landscape
ACC AF and the SC3 Incident and Vulnerability Coordination Lead provided Members with a cyber threat landscape update.
There was discussion around the new iteration of Action Fraud called ‘Report Fraud’. This was welcomed by Members as it was seen as a move towards a more cohesive national capability, rather than being disjointed across the nations as previously.
DEC24/02: ACC AF to update Board on Report Fraud developments. NCRU Policy and Programme Officer to add item to March 2025 agenda.
JS asked if it was possible to find out how many businesses have closed as a result of a ransomware incident in Scotland. The SC3 Incident and Vulnerability Coordination Lead suggested that this information was difficult to collate as legal advice given to companies in the event of a cyber incident is often not to publicise the cause.
DS suggested that, while ransomware was a significant concern for businesses, payment redirection fraud could potentially have more of an impact on business closure. He suggested that investigating cyber incidents as a whole would provide a clearer understanding of their impact on businesses.
He further noted that, through the National Crime Survey, the UK government have access to statistics that help them to understand experiences of crime and that, if a question on cyber incidents was added to the survey, this could provide an opportunity to glean statistically representative, actionable results.
The Head of NCRU advised that Scottish Government also produces its own annual cyber crime statistics.
DEC24/03: Head of the NCRU and Chair to come together to discuss adding cyber crime questions into national crime surveys.
Horizon scanning
The Chair asked DS if there were any developments in NCAB around horizon scanning which could be useful for the Board to be sighted on.
DS advised that NCAB have three workstreams: ransomware, artificial intelligence (AI) and quantum technologies.
DEC24/04: DS to provide a ransomware update at March 2025 meeting.
The Vice Chair, JS and DS agreed to meet prior to the March meeting to discuss horizon scanning in further detail.
DEC24/05: NCRU Policy and Programme Officer to arrange meeting between the Vice Chair, JS and DS.
Review of Computer Misuse Act
The Chair advised she had been approached by ScotlandIS to provide a response to the 2024 Cyber Industry Survey on updating the Computer Misuse Act 1990. Members discussed and agreed to respond individually and share a summary of their main comments.
DEC24/06: NCRU Policy and Programme Officer to share link to the 2024 Cyber Industry Survey on updating the Computer Misuse Act 1990. Members to respond individually and update NCRU with a summary of their response.
Any other business
No other business was raised.
Close
The Chair thanked members for their attendance and advised the next meeting would take place in March 2025 in Edinburgh.