National Cyber Resilience Advisory Board (NCRAB) minutes: September 2023

Minutes from the meeting of the group on 5 September 2023


Attendees and apologies

Board members

  • Maggie Titmuss (Chair)
  • Deryck Mitchelson (DM)
  • Christian Toon (CT)
  • Jordan Schroeder (JS)
  • George Fraser (GF)
  • Carla Baker (CB)
  • Freha Arshad (FA)
  • Rory Alsop (RA)
  • Deputy Director, Defence Security and Cyber Resilience – Ex Officio

Also in attendance 

  • NCSC Devolved Administrations Lead (IG)
  • Head of the Cyber Resilience Unit
  • Cyber Resilience Unit (CRU) Public Sector Lead 
  • Cyber Incident and Vulnerability Co-ordination Lead (SC3)
  • CRU Head of Policy and Programme 
  • CRU Business Support Officer 
  • Chief Superintendent, Policing in a Digital World Programme (CSCT)
  • Education Scotland, Senior Education Officer (KMcF)
  • Education Scotland, Education Officer (BC)

Apologies

  • DCC Jane Connors (JC) - Ex-Officio
  • David Hartley (DH)
  • NCSC Scotland Officer (ON)
  • David Aspinall (DA)
  • Natalie Coull (NC)

Items and actions

Welcome, minutes and actions 

The Chair welcomed Members to the meeting. The Chair announced that this was DA’s last Board meeting and thanked him for all his support and advice. 

The minutes of the June meeting were approved.

The Head of the Cyber Resilience Unit (CRU) informed the Board that the CRU Learning and Skills Lead would be leaving his role and that work was underway to recruit a replacement. The Head of the CRU also informed the Board that a new member of staff was recently recruited and would be joining the CRU in October and would be supporting public sector work. The Head of the CRU updated the Board on broader moves happening internally: the CRU would be located within the Digital Directorate in the coming months. 
The Chair stated that opportunities would arise from this move with regard to the Board, and that discussions would take place between the Chair and the Head of the CRU on how best to utilise the wealth of knowledge and experience as fully as possible, with a focus on 2-3 big challenges/sticky issues. 

Conflict of interest

No conflicts of interest noted.

Cyber threat landscape 

IG, CSCT and the Scottish Cyber Coordination Centre Cyber Incident and Vulnerability Coordination Lead provided the Board with an update on the current threat landscape. 

Education Scotland – school statistics and CyberFirst

Education Scotland’s Senior Education Officer (KMcF) and an Education Officer (BC) explained that Education Scotland was now in a formal partnership as a regional partner with the National Cyber Security Centre (NCSC) on the CyberFirst programme. KMcF stated that there had been significant engagement with the CyberFirst programme in Scotland, initially across the Central Belt, and that work was underway to help encourage every school in Scotland to become a CyberFirst school. KMcF stated that Education Scotland had a target of having 100 secondary schools taking part in the CyberFirst Girls competition in Scotland by the end of the year.

BC provided a presentation to the Board showing statistics on the number of pupils taking computing studies courses within Scottish Secondary schools over the past decade. These showed a decline in the number of pupils undertaking computing studies courses within schools. BC explained that this decline was for a number of reasons. In 2014 and then again in 2019, new qualifications and processes were implemented and specifically in 2019, several local authorities, and by extension, schools, moved to a model where pupils had a smaller choice of subjects. Prior to these changes being implemented, pupils could choose between 7 and 8 subjects, but this reduced to between 4 and 6 after 2019. BC provided the Board with a brief history on computing studies within the curriculum and showcased that there was a marked change in what pupils were being asked to learn with regards to computing studies. These changes were made in 2014 and then in 2017 for the new National 5 qualification. BC further explained that there was a move away from ‘application based’ courses to more ‘coding based’ courses and with that, a move away from ‘computing studies’ to a focus more on ‘computing science’ and pupils can choose a range of computing science courses, rather than only computing studies. 

BC further explained that the number of schools presenting pupils for computing science qualifications had declined which could be a consequence of school rolls and fewer schools having dedicated computing teaching staff. BC stated that in 2010 around 85% of schools presented pupils for a National 5 computing science qualification and by 2022, this figure had fallen to around 82%. BC explained that while there had been a decline over the past decade, the trend was now on the up. BC further posited that the decline could be a result of more pupils favouring a more vocational type of qualification such as the NPA in Computing and Digital. 

BC advised that Education Scotland had seen an increase in female learners and in particular there has been year-on-year increases especially for those learners who undertook National 5 qualifications. 

KMcF told the Board that the number of learners who undertook Cyber Security courses had also increased over the years. She further explained that it was difficult for schools to introduce cyber security courses due to lack of provision of suitable hardware for courses like ‘Ethical Hacking’ and policies within some Local Authorities. She explained that Education Scotland were working with companies to create opportunities for this within schools which would work in line with the schools’ own risk assessments. 

KMcF informed the Board that there were a number of diverse routes into university, including via college. They had recently run a showcase with the University of the West of Scotland to showcase the various routes into university, for example a Higher National Certificate or Higher National Diploma in Cyber Security. 

KMcF also explained they worked closely with other large organisations to create new qualifications and are currently in the process of developing a level 6 qualification which is focused on ‘The Cloud’, data and artificial intelligence. 

She further explained the gender gap in males and females who have undertaken cyber-related courses was not as big within the Scottish central belt, but more of a problem within rural communities. 

DM posited that Scotland was failing as a digital nation. He said that Ministerial ambitions were not matching the reality of only small increases in the number of students undertaking computing science courses and stated that these increases should be shooting up year-on-year.  BC agreed that small increases were not enough.  

FA stated that a lot of entry level jobs within cyber security still had a degree requirement and wanted to see more about what is being done or what is planned to tackle that requirement. 

SEP23/01: Education Scotland will provide a short two-pager on the key data from their presentation and the CRU Business Support Officer will share it with the Board. 

Taking Stock report and priorities going forward 

The Head of the CRU provided the Board with some key information and findings from the first 2 years of the Strategic Framework for a Cyber Resilient Scotland. The Head of the CRU stated that work undertaken thus far aligned to the UK government’s National Cyber Strategy; specifically, Pillar 1: strengthening the UK cyber ecosystem and Pillar 2: building a resilient and prosperous digital UK. She explained the delivery programme of the four action plans (public sector, private sector, third sector and learning and skills), many of which are delivered by partners. The Head of the CRU explained the breadth and complexity of the collaborative activity between all of the partners to deliver on the action plans. 

The Head of the CRU set out how the strategy outcomes are measured. Each delivery output contains a target/s, a target timeframe, and the strategic outcome to which it contributes. 

In terms of measuring national change in cyber resilience, certain indicators from national surveys have been identified. The Head of the CRU explained that any change in cyber resilience from these indicators could not be attributed to the Strategy directly, but correlation could be inferred. For example, the improvements relating to cyber resilient behaviours in people in Scotland as demonstrated in the Scottish Household Survey can only be correlated to the strategic work programme being delivered. She further stated that there can be more confidence in the impact of strategic activity regarding the cyber security maturity of the public sector. 

The Head of the CRU then advised the Board on the key priorities, moving forward, for all four of the strategic outcomes (the public sector, the private sector, the third sector and learning and skills). 

SEP23/02: CRU to provide the Board with specific cyber indicators and measurements for comment. 

SEP23/03: The Board to reply with any final comments or feedback on the Taking Stock report and revised Action Plans by 8 September 2023. 

RA posited that the CRU should strengthen the links and budget available to schools and use stronger language within the report. The Chair concurred and stated that if we did not use stronger wording then the Board and the CRU would be doing themselves a disservice. The Chair suggested strengthening her foreword in the Taking Stock report. 

FA suggested that more commentary on the Active Cyber Defence (ACD) measures, and a clearer explanation of what ‘exercising’ means and what could be classed as exercising would be better for the next Public Sector Cyber Assurance Survey. FA further said that the information contained within the report had to be contextualised with relevant and explanatory information to remove any vagueness. 

DM suggested that SG looks at metrics and controls deemed critical in assessing the cyber security of the country. He suggested that we have members on the Board who do this as part of their day job and those members could form a small working group to look into this. The Head of the CRU explained that the Strategic work programme’s focus is on creating the conditions to build cyber resilience and improvements are monitored via the evaluation process. However, the cyber security of the country wholesale would be extremely difficult to measure. There are some areas where we can get an assessment of the maturity as a result of the regulations (e.g., Health and NIS), but this does not exist for the whole of Scotland’s infrastructure and population. 

The Scottish Cyber Coordination Centre (SC3) Cyber Incident and Vulnerability Coordination Lead stated that government was not a regulator but is there to lever and encourage organisations to aspire to a particular security maturity or level. The SC3 Assurance workstream will look at this in greater depth once the lead is recruited.  

CSCT posited that there was a limit to what the CRU could mandate but the Board was not held by similar restraints and could be more challenging in what it did and said to provide further encouragement. 

Scottish Cyber Coordination Centre (SC3)

The Scottish Cyber Coordination Centre Cyber Incident and Vulnerability Coordination Lead provided an update on progress. He advised that:
- the Head of Centre (DD) recruitment was in its final stages
- a dedicated on-call number was established to manage incoming incidents
- a core SC3 partnership agreement is being agreed
- an online communication channel has been developed to enable easier collaboration between each organisation
- recruitment for a Support Officer was in train

The SC3 Cyber Incident and Vulnerability Coordination Lead also updated the Board on progress within each of the SC3 workstreams. 

CyberScotland Partnership (CSP) update

The Head of the CRU updated the Board on current key CyberScotland Partnership activities, and shared dates of important events with the Board for their information.  

Any other business (AOB)

The CRU Head of Programme and Policy provided the Board with an update on the Vice Chair position. As set out in the NCRAB Terms of Reference, the Vice Chair was appointed by existing Board members on the recommendation of the Chair. Board Members interested in being considered for the Vice Chair position were invited to send expressions of interest to the NCRAB mailbox by COB Friday 15 September. Officials would then collate and share these with the Chair for consideration.

The Chair shared details of the Insider Threat Conference taking place on 28 September 2023 with the Board for their information. 

Close

The next Board meeting will be on 5 December 2023, 10.00 - 14.00, at Atlantic Quay, Glasgow.
 
