Cyber Resilient Scotland: strategic framework

Understanding the Framework

Vision

"Scotland thrives by being a digitally secure and resilient nation"

Technology is key to Scotland's future. Scottish Ministers' vision is of a Scotland that thrives by being a digitally secure and resilient nation. Our forthcoming Digital Strategy will seek to realise Scotland's full potential by setting out how we will make sure that digital is at the heart of everything we do - how we ensure no one is left behind as we move online, deliver economic growth, reform our public services, and prepare our children and young people for the workplaces of the future.

We want Scotland to reap the benefits of an increasingly connected world: cyber resilience enables this.

There are four outcomes to achieve this vision:

1. People recognise the cyber risks and are well prepared to manage them

2. Businesses and organisations recognise the cyber risks and are well prepared to manage them

3. Digital public services are secure and cyber resilient

4. National cyber incident response arrangements are effective

Outcomes

Outcome 1: People recognise the cyber risks and are well prepared to manage them

"Cyber crime is increasing worldwide, and Scotland is determined to keep its people and communities safe. Police Scotland is working with partners to tackle the threat, risk and harm from online crime to individuals, families and communities."

DCC Malcolm Graham, Police Scotland

This outcome is about building a culture of awareness, knowledge and skills whereby people can use digital online technologies securely, keeping themselves and their families secure, and knowing what to do if they experience a cyber attack.

We know that almost 9 in 10 adults in Scotland use the internet either for work or personal use, with 86% of internet users accessing it through a smartphone. An increasing number of people are also using 'smart' technologies, for example to manage their heating, lighting, or security systems. The Scottish Household Survey reported that in 2019, 26% of people in Scotland used at least one type of smart appliance.^[9]

Such high levels of internet usage, however, expose people to a number of cyber threats: estimates for 2018/19 show that 8% of internet users in Scotland had their devices infected by a virus, and that 6% of adults had their credit and bank card details stolen (online or physically). Data also shows that the majority of victims of cyber crime choose not to report the incident to the authorities.^[10]

The focus to achieve this outcome will be on:

• building people's cyber awareness and resilience through practical, regular awareness campaigns targeted to different groups of people, including those with particular access needs
• making it easier for everybody to report cyber crime and get help from relevant, trusted organisations
• increasing the availability of, and improving the access to, trusted and authoritative information, advice, guidance and tools so people can be secure online
• increasing people's cyber resilience by embedding it into relevant curricula and qualifications
• building the cyber awareness and cyber resilience of people at work.

Outcome 2: Businesses and organisations recognise the cyber risks and are well prepared to manage them

"We live in a rapidly evolving, and hyper-connected, digitalised society that presents us with opportunities to flourish. This constantly evolving digital landscape in which our organisations and businesses find themselves in also presents new opportunities for criminal exploitation. A cyber resilient organisation is a competitively strong and trusted organisation."

Kate Forbes, MSP
Cabinet Secretary for Finance

Cyber risk needs to be seen as a business risk for any organisation.

This outcome is about ensuring that, across the public, private and third sectors, businesses and organisations are aware of the cyber risks they face, have access to up-to-date information, advice and guidance, and can withstand, respond to and manage incidents, knowing where to find the right kind of support.

Cyber threats can come from organised crime groups, business competitors, disgruntled employees, hackers, those driven by political or ideological factors. Some threats are more invasive and harmful than others, but they can all be disruptive for the unprepared victim.

The Cyber Breaches Survey 2020 identified that almost half of businesses in the UK (46%) and a quarter of charities (26%) reported having cyber security breaches or attacks in the previous twelve months, with an increasing number of businesses experiencing these issues at least once a week. The estimated average cost of cyber security breaches to businesses is £3,230. For medium and large firms, the average cost is £5,220.

Scotland is a nation of small and medium-sized enterprises (SMEs). Although small, they can be a vital part of the wider supply chain across sectors. Many are likely to be less aware of their exposure to cyber threats and have reduced ability to invest in cyber security skills and services than larger organisations. Some simply don't see it as a priority business or organisational risk. Often cyber attacks are untargeted and any organisation can fall victim. The impact on SMEs can be significant. Indeed, smaller businesses are often seen as the most vulnerable point in the supply chain. It is clear that cyber attacks are a risk for any business with a digital footprint.

Moreover, there is a commercial advantage in a business positioning itself as being cyber resilient in its operation, its provision of goods and services and in the protection of data and information.

In the Scottish public sector, we have made significant headway with our public bodies, with the majority now routinely including cyber risks as part of their business risk management processes and utilising the Active Cyber Defence programme provided by the NCSC^[11] - the UK's national agency that provides cyber security advice and support for the public and private sectors. In addition, 88% of eligible Scottish public sector organisations have now achieved Cyber Essentials^[12] accreditation. However, public bodies and public services remain at significant risk from cyber threat and it is imperative that the public sector should continue to remain a key priority focus.

In relation to the Third Sector, UK research shows that between 2018 and 2019, 22% of charities identified cyber security breaches or attacks, with an average annual cost of lost data or assets of £9,470.^[13] It remains a priority that we work to support our third sector organisations to become more cyber resilient, and we will engage with national intermediary and regulatory bodies such as the Scottish Council for Voluntary Organisations (SCVO), the Association of Chief Officers of Scottish Voluntary Organisations (ACOSVO) and the Office of the Scottish Charity Regulator (OSCR) to achieve this.

There is a great deal of guidance and support available that, if used appropriately, could reduce organisations' exposure to cyber risk and help build cyber resilience.

The focus to achieve this outcome will be on:

• increasing businesses' and organisations' understanding of cyber risks, how to report cyber incidents, and get help from trusted sources of advice and support
• embedding cyber resilience into organisations' governance structures, policies and processes
• increasing awareness and building cyber resilient behaviours of staff in all posts at all levels
• increasing opportunities for professional development of cyber security professionals
• embedding cyber security standards, regulations and compliance across businesses and organisations, including into governance processes
• promoting and encouraging uptake of the range of tools and services within the NCSC's Active Cyber Defence programme
• increasing efforts to educate the supply chain and small businesses of cyber risks.

Outcome 3: Digital public services are secure and cyber resilient

"New technologies for delivering public services have brought incredible gains in terms of efficiency and effectiveness. However, they also bring new vulnerabilities. For the public to trust government with their data, we need to make sure that our digital services are secure and resilient by default."

Michael Matheson, MSP
Cabinet Secretary for Transport, Infrastructure and Connectivity

This outcome is about ensuring that our digital public services are secure and cyber resilient and where possible, security is built in by design.

The world is changing at pace. Innovation and technological advances, including artificial intelligence, quantum technology, the "Internet of Things", and 5G, are driving what is being referred to as the Fourth Industrial Revolution, and digital technologies have the power to reshape almost every sector. Scotland is well placed to capitalise on this global revolution, and we are already seeing the development of 'Smart City' approaches addressing urban challenges such as traffic congestion, waste management and pollution, as well as increasingly underpinning the critical services and infrastructure necessary to keep Scotland running. It is imperative that security is built in from the design stage of these connected technologies and the NCSC has produced guidance that will help ensure the security of a connected place and its underlying infrastructure.

As more public services go online, users need to be able to trust service providers with their data and interactions. This is especially the case for people who are reluctant to move to digital versions of familiar services. Strong security needs to be built in to digital public services by design.

The focus to achieve this outcome will be on:

• improving the security capabilities and resilience of digital public services
• protecting the digital systems that support Scotland's infrastructure and essential services
• ensuring a secure-by-design approach is adopted across the supply chain and aligning with the UK Government's proposal for regulating the cyber security of smart products
• ensuring that developments relating to Smart Cities and other new digital infrastructures build in cyber resilience from the outset, and by design
• encouraging Scotland-based cyber security companies to provide products and services that can meet the cyber resilience needs of our public sector and its digital public services.

Outcome 4: National cyber incident response arrangements are effective

"Digital technologies and the internet offer significant economic, social and personal benefits for Scotland and its people. Harnessing these benefits also creates risks. Managing cyber risks is a shared responsibility. The Scottish Government, business and individuals have a collective responsibility to safeguard their use of the internet and digital systems, being prepared and able to withstand and manage the cyber threat. Effective cyber resilience cannot be achieved in isolation. Partnerships between the Scottish Government, other governments, law enforcement and the cyber security industry are key to advancing and protecting Scotland's interests online through co-ordinated national leadership in relation to incident response."

John Swinney, MSP
Deputy First Minister and Cabinet Secretary for Education and Skills

This outcome is about ensuring that our national cyber incident response arrangements are effective.

We only have to look back to 2017 and the global Wannacry incident to understand how a large part of the public sector (on that occasion, the health sector) was affected by a single malicious operation. In 2020 the Scottish public sector saw significant disruptive attacks on Dundee and Angus College and the Scottish Environment Protection Agency. At the end of 2020 the SolarWinds global cyber incident focused attention on supply chain vulnerability. In this instance a total of 18,000 SolarWinds customers worldwide fell victim to a compromised software update. It is thought that the purpose of the attack was to target a small number of key organisations, however the consequences of the attack, including the cost of clean-up, have been felt across a much wider customer base.

Cyber attacks can have far-reaching consequences, and it is critical that the Scottish Government has national arrangements in place to manage and co-ordinate its response to incidents with a focus on potential wider consequences and impacts resulting from the original attack. This will ensure that incidents are managed effectively, involving relevant partners such as Police Scotland's cyber threat intelligence team, the NCSC and the National Cyber Crime Unit within the National Crime Agency, and in turn, help maintain public confidence in Scotland's ability to deal with cyber incidents.

Figure 2: Cyber incident response process

• Ready
• Respond
• Recover
• Restore

Building on its tried and tested civil contingency arrangements, the Scottish Government has developed national cyber incident processes to co-ordinate responses to critical national incidents. These align with existing civil contingency planning and the UK's cyber incident management arrangements. Testing and exercising are key requirements to ensure that Scotland is prepared to handle a national cyber incident effectively.

The focus to achieve this outcome will be on:

• regularly testing, exercising and reviewing our national cyber incident co-ordination arrangements
• raising awareness of the national cyber incident co-ordination arrangements across government and its agencies
• continuing to develop our cyber threat intelligence, monitoring, detection and response capabilities
• communicating clearly with affected parties during and after a national cyber incident
• ensuring effective ongoing cross-agency collaboration.

Cross-cutting enablers

There are a number of cross-cutting enablers that will help realise our national strategic ambitions. These enablers will ensure consistency of effort and impact across sectors, and assist with reporting against specific activities. We use them to structure our action plans relating to the public, private and third sectors.

Enabler 1: Knowledge of risk and threat

Actions relating to this enabler will contribute to the achievement of Outcomes 1, 2, 3 & 4.

Cyber threat intelligence and knowledge are core to cyber resilience. When used properly, this knowledge can enable better-informed security and business decisions and ultimately allow organisations to take decisive action to protect their users, their data, finances and reputations against adversaries.

This knowledge may come from different sources. The Scottish Government will work with key partners across all sectors to improve organisations' understanding of the cyber threats they face.

We will improve the co-ordination and amplification of threat messaging and encourage access to and use of threat intelligence, situational awareness reports and alerts, to inform the risk picture. We will encourage use of the National Cyber Security Centre's Cyber Security Information Sharing Partnership (CiSP).

Enabler 2: Tools, processes, standards, regulations and compliance

Actions relating to this enabler will contribute to the achievement of Outcomes 1, 2, 3 & 4.

Standards and regulations help ensure that organisations take appropriate steps to protect their data and the data of their users or customers. Compliance with regulations and standards can drive investment and ensure that organisations keep pace with technological advancements and take proportionate, risk-based decisions to avoid cyber incidents affecting the delivery of critical services. Regulations such as the Network Information and Systems (NIS) Regulations 2018 help to secure our critical sectors and the General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals.

Cyber Essentials Plus underpins the cyber resilience standards of much of our public sector as part of the Scottish Public Sector Cyber Resilience Framework.

The NCSC provides tools, resources and services to help organisations operate securely, including a Response and Recovery Guide, Top Tips for Staff Training guidance and a suite of Active Cyber Defence (ACD) measures. The ACD programme seeks to reduce the impact of internet borne cyber attacks, reduce harm and protect against a range of cyber security threats.

We will ensure that organisations and businesses are aware of the standards and regulations that they need to comply with, and where to find tools and guidance.

Enabler 3: Learning and skills

Actions to drive learning and skills are contained within the Learning and Skills Action Plan and contribute to Outcomes 1, 2, 3 & 4.

The Scottish Government will work with key partners to embed cyber awareness and resilience into workplace learning and development at all levels, and maximise employers' access to cyber security skills, so that roles and functions within organisations can be filled. We will align our plans with activity taken forward under the STEM Education and Training Strategy.^[14]

We will continue to build a robust cyber security skills pipeline, embedding cyber security learning and skills development opportunities across our education and lifelong learning system.

As highlighted in the 2020-21 Programme for Government, the cyber security industry can play an important part in the economic recovery of Scotland and it is important that we are able to meet the demand for cyber security professionals, through meeting skills shortages. In the development of skills, we need to address the skills base, which is currently predominantly male and white. Our work in this area will seek to grow access to cyber security skills and careers for women, neurodivergent people and people from black and minority ethnic backgrounds and disadvantaged communities. We will also seek to better co-ordinate the role of industry in supporting cyber security skills development, from early engagement and inspiration, through to providing work experience, mentoring and other vocational learning opportunities.

Enabler 4: Incident management, response and recovery

Actions relating to this enabler will contribute to the achievement of Outcomes 2, 3 & 4.

A fundamental aspect of cyber resilience relates to incident management, response and recovery planning. All organisations need to regard cyber risk as a business risk and put in place incident response plans that are tested regularly through exercising.

We will encourage businesses and organisations to develop cyber incident response plans or include these into existing Business Continuity Plans.

We recognise that smaller businesses and organisations are often unclear on what to do, or who to turn to, if faced with a cyber incident. The Scottish Business Resilience Centre and its partners (including the NCSC, Police Scotland and the Scottish Government) offer a Cyber Incident Response "triage" service to help small businesses take the necessary steps to respond to and recover from a cyber security incident.

Enabler 5: Access to cyber security technical expertise

Actions relating to this enabler will contribute to the achievement of Outcomes 2 & 3.

Access to technical expertise in cyber security is critical to cyber resilience.

Cyber security service providers, including managed services, can help protect businesses and organisations. The growth of the cyber security industry in recent years reflects the scale of the cyber challenge facing organisations.

"I learned in government that whether it’s in the UK, Europe, the US or globally, the common cyber threats we face can only be solved if there is a strong, innovative private sector taking care of huge swathes of the problem.

That presents enormous economic opportunities for talented technologists and entrepreneurs.”

Ciaran Martin
Former Head of the National Cyber Security Centre

The UK's cyber security industry is now worth an estimated £8.3 billion, with total revenues in the sector up 46% in 2017.^[15]

The number of cyber security products and services companies in Scotland has increased substantially over the past five years, with the number now standing at around 230. There has been significant growth in revenue and employment and we are beginning to see investment in early-stage companies. This growth has been aided by a number of factors, including Scotland's growing innovation in technology sector, talent pool and academic research.

There is potential for growing an eco-system between the private and public sectors to find solutions and to develop innovative services.

We will work with our key partners to raise awareness amongst businesses and organisations of the range of cyber security technical expertise available to them.

Enabler 6: Innovation and academic research

Actions relating to this enabler will contribute to the achievement of Outcome 1, 2, 3 & 4.

It is important that Scotland's cyber security research capabilities and capacity continue to grow and evolve, and that our universities continue to expand knowledge by collaborating closely with industry. We will seek to embed an evidence-based approach to drive innovation and to find solutions to emerging challenges that support Scotland's businesses and organisations to increase their cyber resilience.

Activities to take forward research, innovation and to improve links between academia and industry are included in the Learning and Skills Action Plan. The sectoral action plans will also include actions to better link organisations and sectors, possibly through representative, intermediary and membership bodies, to take advantage of cutting-edge knowledge and capabilities.

Principles for Delivery

The Framework is underpinned by a set of guiding principles. We are committed to transparency and accountability in government, reducing inequality and promoting sustainable economic development. Our approach embodies the principles of the Christie Commission, which is ten years old in 2021. Christie's pillars of Prevention, Partnership, Workforce Development and Performance Improvements chime well with the principles for delivery of our Framework and associated Action Plans.

Principle 1: An inclusive and ethical approach

The Scottish Government stands by an inclusive and ethical approach to cyber resilience. This includes encouraging responsible behaviours online, promoting individuals' rights online and increasing the participation of disadvantaged groups, for example, in cyber security skills development. Cyber resilience is a matter for everyone, and we need to have a keen focus on accessibility around messaging, information, advice and guidance - especially for people who require information in alternative and accessible formats.

Principle 2: A whole-of-government approach

Digital technologies and cyber resilience are increasingly relevant to the achievement of Scotland's ambitions, as set out in the National Performance Framework. We will continue to engage across the Scottish Government's directorates to support the embedding of cyber resilience within Ministerial portfolios and policies, taking a meaningful, whole-of-government approach with shared workstreams, outcomes and indicators where possible.

Principle 3: Strong leadership and good governance

Scottish Ministers take lead responsibility for this Framework and task the National Cyber Resilience Advisory Board (NCRAB) to continue its role in taking the lead on advice, guidance, advocacy and challenge in relation to the implementation of the Framework and its Action Plans (see the governance structure at Annex B). The Action Plans (Annex C) are intended to drive activity that will support Scotland to become a cyber-resilient nation, with one plan for each sector, and a fourth that will drive developments in cyber-related learning and skills across our education and lifelong learning system.

The Scottish Government will align this Framework to broader digital and resilience governance structures.

Principle 4: Productive and collaborative partnerships

Collaboration has been a huge success factor in the effective delivery of Scotland's first cyber resilience strategy. The continued commitment of partners will be critical to the successful delivery of this Framework and how we monitor progress and continuously improve.

We will build on our success to date by formalising the CyberScotland Partnership which brings together our national partners (further details in Annex E). The Partnership will help to ensure access to authoritative sources of advice, guidance and information for different audiences and provide leadership around shared national initiatives such as the annual CyberScotland Week.

Principle 5: Effective communication

We will continue to communicate with our partners, our stakeholders and across government to help us achieve our vision, looking at ways to continually improve the effectiveness of our messaging and the extent of our reach. We will report on progress towards the outcomes under our vision each year.

Specifically we will seek to amplify key messages from the National Cyber Security Centre and other authoritative sources. We will do this by utilising the collective co-ordination and collaboration provided by the formation of the CyberScotland Partnership and the online portal cyberscotland. We will also develop a National Cyber Resilience Communications Plan to support effective communication across the Partnership.

Principle 6: Adaptive and agile programme management

Cyber risks are continually evolving and it is essential that we can flex to meet rapidly changing situations. Cyber criminals can be adept at exploiting vulnerabilities. We responded rapidly to new cyber criminal activity during the COVID-19 pandemic and will plan to meet new, unexpected challenges, based on learning from this experience.

We will manage the implementation of the Framework and Action Plans using agile programme management approaches to ensure our activity is proactive, current and responsive.

Principle 7: Robust evidence of impact

We will take a robust approach to evidencing impact, drawing on up-to-date national and international qualitative and quantitative data. We have taken an outcome-focused approach and used logic models that are linked to measurable indicators to ensure we can measure progress towards our outcomes. The table in Annex D outlines the indicators we have identified at this stage to measure our progress. New indicators and/or sources of evidence may become available as we move forward, and we will include these where appropriate.