National Cyber Resilience Advisory Board (NCRAB) minutes: March 2025

Minutes from the meeting of the group on 25 March 2025.


Attendees and apologies

Board members in attendance: 

Maggie Titmuss (Chair)
Freha Arshad (FA)
Carla Baker (CB)
George Fraser (GF)
Don Smith (DS)
Jordan Schroeder (JS)
Natalie Coull (NC)
Ollie Bray (OB)
Phil Ford (PF)
ACC Stuart Houston (SH) – Ex-Officio

Also in attendance: 

Head of the National Cyber Resilience Unit (NCRU)
NCRU Head of Policy and Programme
NCRU Public Sector Lead
Scottish Cyber Coordination Centre (SC3) Service Lead 
NCRU Policy and Programme Officer

Partial Attendance:

Alan Gray, Deputy Director, National Cyber Security and Resilience Division, Scottish Government – Ex Officio (AG)
National Cyber Security Centre (NCSC) (NW)

Apologies:

Deryck Mitchelson (Vice-Chair – DM)
Martyn Wallace (MW)

Items and actions

Welcome, introductions, last meeting actions and conflicts of interest

The Chair welcomed Members to the meeting. The Chair welcomed new Police Scotland ex-officio member, ACC Houston, to the Board. 

The minutes of the December 2024 meeting were approved. 

The NCRU Policy and Programme Officer ran through outstanding meeting actions: 

DEC24/01: Members to contact NC if they can offer any placements to participants on the veterans training programme. NC to share relevant website links with NCRU Policy and Programme Officer when available for sharing with Members. 

NC advised the current modules had received positive feedback and members of the Police, transitioning to their second careers, were due to be enrolled in the programme. The action was closed. 

DEC24/02: ACC AF to update Board on Report Fraud developments. NCRU Policy and Programme Officer to add item to March 2025 agenda.

ACC SH advised that this action would be revisited at a future meeting. 

DEC24/03: Head of the NCRU and Chair to come together to discuss adding cyber crime questions into national crime surveys.

The Head of the NCRU updated the members on sources of crime data. She advised of three: 
•    Cyber Breaches Survey (UK Government, Department for Science, Innovation and Trade, DSIT)
•    Scottish Crime and Justice Survey (Scottish Government)
•    Recorded Crime in Scotland survey (Police Scotland and Scottish Government)

Head of NCRU added that while these surveys provided invaluable insight into the scale of cyber crime across Scotland, the results were not always comparable year-on-year. She advised that DSIT were reviewing how to make future surveys more comparable. 

The Chair added that cyber crime continues to be one of the most under-reported crimes in the UK and getting statistics that were accurately representative of the scale and effects of cyber crime continues to prove challenging. 

No conflicts of interest were noted. 

Cyber threat landscape

The NCSC representative provided a cyber threat landscape update to the Members. This update included a discussion around developments in the Artificial Intelligence (AI) space and further discussion on post-quantum cryptography. 

The SC3 Service Lead provided Members with a short operational update on key SC3 workstreams. He advised that the SC3 were investigating ways to improve their responsiveness and were looking into tooling which would support speeding up analysis. 

The Chair queried if any Members present were able to offer support to the SC3 in this matter and both DS and FA offered their support. 

Strategic Framework for a Cyber Resilient Scotland refresh

The Head of the NCRU informed Members that a refresh of the Strategic Framework for a Cyber Resilient Scotland for the next five years was currently underway after gaining approval from both the First Minister and the Cabinet Secretary for Justice and Home Affairs. This refresh would continue to be aligned with UK cyber strategies, including those in development. 

She explained that Scotland’s previous cyber resilience strategies have built the foundations and created the right conditions for a cyber resilient Scotland. The Head of the NCRU considered that there was good momentum to build on. This included the good relationship developed between the NCRU and CISOs within the Scottish public sector organisations and that through this relationship, the Scottish public sector was now in a stronger position with regards to their cyber maturity. 

She also referred to the establishment of the effective CyberScotland Partnership (CSP) which has supported awareness raising for individuals, businesses and organisations through cohesive and coordinated cyber resilience messaging. 

The development of the Scottish Cyber Coordination Centre (SC3) has also been vital to establishing Scotland as a cyber resilient nation. She advised the SC3 will support with development of standards and regulations across Scotland as well as sharing threat intelligence and early warning notices. 

The Head of the NCRU advised that the intention with the strategy refresh would be to move forward to scale up and strengthen Scotland’s collective cyber resilience. There would be consultation with a range of key stakeholders, including cross-government as well as NCRAB. She suggested a particular focus for NCRAB should be on key indicators of success. AG requested that Members look to advise on quantifying success and measuring progress. The Head of the NCRU asked if the Chair would contribute to a joint foreword for the strategy refresh. 

MAR25/01: NCRU to arrange an extraordinary meeting of the Board to consult on proposed strategy development in May 2025. 

MAR25/02: NCRU to work in collaboration with Chair to draft a foreword for the strategy refresh. 

Horizon scanning

JS, as head of the horizon scanning sub-group, shared an update on development of AI in relation to cyber crime and cyber security. He highlighted new guidance published by the NCSC, on 20 March 2025, for migrating to post-quantum cryptographic (PQC) algorithms to replace existing encryption methods. He reiterated that the advice is to migrate to PQC options when they become available. 

JS highlighted AI as being dominant in the current threat landscape. While geopolitical tensions, quantum computing and changing attack methods remained a threat, it was agreed that for this meeting a focus would be placed on how different aspects of AI presented a range of threats which required special focus and attention. 

JS advised that the accelerated nature of AI presents individuals, companies and the government with short, mid and long-term threats. These included, but were not limited to, inherent risks of AI as a technology, such as regulatory issues and developer bias, and the increasing threat of AI-supported cyber attacks, including distributed denial of service (DDoS) and increasingly sophisticated social engineering. 

JS suggested that government and regulators need to upskill on the rapidly evolving technology and provide support, guidance and infrastructure to safely leverage AI as a technology that can help Scotland thrive in the digital economy. The Board noted the recent publication by DSIT of a Code of Practice for the Cyber Security of AI and the proposed creation of global standards through ETSI.

He added that AI can make existing threats faster, more scalable, more adaptive and more personalised or customised. Threat actors are using AI to lower the bar to entry, increasing the number of threat actors and giving them much greater maturity in their attacks, much sooner than they would normally have before AI. 

JS felt more investment for cyber professionals to understand and be able to defend against these risks was needed, as well as increased investment for more defensive AI (including automated responses for defenders and decision and planning support for management). He further proposed that more awareness raising should be undertaken and updated guidance provided on the impact of AI on existing threats such as phishing and social engineering using, for example, deep fakes. 

The Board discussed the balance required between a secure-by-design approach and not stifling company innovation. AG suggested inviting the Scottish Government’s Chief Data Officer to a future NCRAB to further discuss the Board’s AI concerns. 

UK Cyber Security and Resilience Bill 

The NCRU Public Sector Lead advised Members that a policy statement was imminent from the UK Government on a proposed Cyber Security and Resilience Bill.

The UK Cyber Security and Resilience Bill is being drafted following UK Government consultations in 2022.

The Bill has three main objectives: 
•    Objective 1 – bring more entities into scope of regulations
•    Objective 2 – put regulators on a stronger footing
•    Objective 3 – enable government to act decisively on emerging threats. 

The Bill will introduce changes to reporting timescales for organisations under the Network and Information Systems regulations, powers of direction and potential for critical suppliers, Managed Service Providers and data centres to be regulated. 

Members shared concerns over the lack of further public consultation, practicality of reporting timescales and increasingly diverse reporting routes, regulation of cross sector critical suppliers and overlaps with other security legislation. The Head of NCRU said that her unit continues to engage with the UKG on this, in order to understand the impact this will have on Scottish organisations. 

Ransomware Consultation

The NCRU Policy and Programme Lead advised Members of the current UK Government Ransomware Consultation. The consultation, run by the Home Office, has three main objectives:
1.    Reduce the amount of money flowing to ransomware criminals from the UK, thereby deterring criminals from attacking UK organisations
2.    Increase the ability of operational agencies to disrupt and investigate ransomware actors by increasing the UK’s intelligence around the ransomware payment landscape
3.    Enhance the UK Government’s understanding of the threats in this area to inform future interventions, including through cooperation at international level. 

The Home Office has set out three specific proposals designed to achieve these objectives, which are likely to be applicable across the UK. The Home Office is seeking feedback on the proposals and will also use evidence from the consultation to support future advice and guidance for the victims of ransomware attacks. 
The proposals are: 
1.    Targeted ban on ransomware payments for all public sector bodies including local government, and for owners and operators of Critical National Infrastructure (CNI), that are regulated or have competent authorities
2.    A new ransomware payment prevention regime (to cover all potential ransomware payments from the UK)
3.    A ransomware incident reporting regime (this could include a threshold-based mandatory reporting requirement for suspected victims of ransomware attacks). 

The Board were broadly supportive of the intent of the consultation proposals but had concerns around their implementation and felt further details would be required. Members questioned the practicality of enforcing the ban and how CNI/non-regulated CNI would be managed under the suggested proposals. It was noted that primary legislation would be required to establish a ransomware payment prevention regime given that existing legislation meant that making a ransomware payment is a criminal offence. Members also highlighted concerns about establishment of further reporting routes and voiced a strong preference for a single reporting mechanism to reduce the burden on ransomware victims.

MAR25/03: NCRU to draft a response to the UKG Ransomware Consultation and share with Members for sign-off before the deadline. Members to respond to the consultation individually if they choose. 

CyberScotland Week 2025 - update

The Head of the NCRU shared an update on CyberScotland Week (CSW) 2025. 

She advised the theme was ‘Can’t hack it!?’ which highlighted everyday actions that people can take to improve their cyber resilience. 

There were over 100 events online, in person and hybrid and some events covered multiple sectors. She shared key highlights such as the FutureScot Cyber Security 2025 conference which focused on themes of building partnerships and strengthening defences. A Cyber Ladies Afternoon Tea with the Minister for Justice in attendance, and a LEAD Scotland parliamentary reception also took place. 

She further added that CSW 2026 would likely take place in February 2026, and that themes and dates were still to be confirmed. 

Future meeting – Cabinet Secretary for Justice and Home Affairs – key discussion points

The Cabinet Secretary for Justice and Home Affairs will be in attendance at a future meeting. Members are to think about what the key considerations should be for that meeting. 

MAR25/04: Chair, AG and Head of NCRU to decide on key discussion points for future meeting when the Cabinet Secretary for Justice and Home Affairs will be in attendance. 

Any other business

The Head of the NCRU asked if any Members would be interested in writing some blogs to increase awareness and offer their thoughts on cyber resilience.

MAR25/05: NCRU to get in touch with Members re blogs. 

PF advised there were substantive changes happening with regards to the Post-16 Skills Reform. He further advised that the apprenticeship function was moving from Skills Development Scotland to the Scottish Funding Council, contingent upon changes to legislation and there would be further changes in the future.

Close

The Chair thanked members for their attendance and advised the next ordinary meeting would be in August 2025. A separate session would be arranged to consult on the Strategic Framework refresh. 

Contact

NCRAB@gov.scot