The next item of business is a debate on cybercrime on behalf of the Criminal Justice Committee. I invite members who wish to speak in the debate to press their request-to-speak buttons.
15:27
I am very pleased to open this afternoon’s debate on behalf of the Criminal Justice Committee. I will start with the usual thank you to committee clerks and Scottish Parliament information centre colleagues for their support on this important piece of work.
This year, the committee has had a very busy programme—it has considered four separate bills at either stage 1 or stage 2—so the time that we had available for this inquiry was limited. However, we were aware that cybercrime is an important topic that we wished to consider, especially as it affects business, vulnerable individuals and wider society.
The short factual report that we have produced does not attempt to identify solutions. Rather, we wanted to identify the scope of the problem and to stimulate public debate. It is clear from the evidence that we have received that an increased focus on cybercrime and cybersecurity needs to be put front and centre every bit as much as our focus on the risks that are posed to us by issues such as climate change.
Turning to the impact on business, we undertook a one-off oral evidence session on 14 May with stakeholders representing the police, business and vulnerable individuals. That was followed up by written evidence from business, third sector groups and the Scottish Government. One issue that became immediately clear was the impact that cybercrime can have on all levels of businesses that play a vital role in our society. We heard from NatWest bank that it currently has to defend itself against an average of 100 million attempted cyberattacks every month. That requires a huge on-going investment in staff and technology, but such defensive actions are an essential part of modern-day business.
We also heard about the impact of a ransomware cyberattack on Scotland-based business Arnold Clark. Despite having an information technology department with more than 200 staff, 12 of whom were dedicated to cybersecurity, and having an IT budget of several million pounds per annum, cyber criminals were still able to breach Arnold Clark’s systems and steal large amounts of data. The attack, which was deliberately undertaken over the Christmas period to make it far more difficult for the company to respond, had a substantial impact on Arnold Clark’s business, with about 4,000 customers affected. Although the company recovered quickly, we were told that it is still feeling the after-effects of the attack today.
I am aware that the Economy and Fair Work Committee has recently been taking evidence on the use of artificial intelligence among Scottish businesses. The latest statistics show that 17.6 per cent of Scottish businesses use AI daily and that fraud accounted for about £1.7 billion last year, with most of it occurring through social and digital media. Last month, Forrit, an Edinburgh-based content management system company, told the committee that the AI tools that it has developed
“have blocked 3.9 million cyberattacks in the past three months”—[Official Report, Economy and Fair Work Committee, 5 November 2025; c 7.]
for one of its corporate clients. That shows that we can develop effective AI tools to protect businesses and our wider economy from cybercrime.
Our committee heard from Age Scotland about the continually evolving nature of the threat to vulnerable individuals. Although phishing emails and scam phone calls still represent a major problem, new AI tools that allow criminals to manipulate their image and voice present new risks to vulnerable groups. AI-enhanced fraud scams are making it increasingly difficult for people to identify that the person with whom they are engaging is not real. That allows criminals to build up trust with a victim, thereby increasing their ability to defraud people out of cash or valuable data. Research by Age Scotland shows that about 20 per cent of elderly people who experience online fraud do not report it to the police. Some do not report it because of embarrassment, whereas others do not do so because they believe that the police could do little to help them.
We learned that the type of fraud that is being perpetrated is changing. In the past, criminals would simply have sought money, but there is now a focus on stealing personal data, which cyber criminals can package and sell to other criminals on the black market. Helping members of the public to stay informed about the evolving threat and encouraging them to report such fraud to the police remains one of the greatest challenges that we face.
In relation to the policing response, prosecution and the law, using traditional policing methods to address cybercrime is extremely difficult. The borderless nature of the digital world means that it is virtually impossible to identify where a criminal might be located. Police Scotland told us that the action that it takes is often focused on gathering threat intelligence and finding out where the weaknesses are in the system, because its ability to trace and prosecute a criminal who could be based anywhere is far more limited.
The Cyber and Fraud Centre Scotland pointed out a loophole in the criminal law. At present, it is a criminal offence to handle stolen physical goods, but no such crime exists for handling or making use of data that has been stolen in a cybercrime. The law should seek to address that loophole.
I note that the UK Government’s Cyber Security and Resilience (Network and Information Systems) Bill has just been introduced in the House of Commons. Its focus is on the security and resilience of IT systems that we rely on to carry out essential activities, and it proposes stiffer penalties for cybercrimes. I would welcome hearing about the discussions that the Scottish Government is having with the UK Government on the bill.
This year marks the 30th anniversary of Microsoft’s launch of the Windows 95 home computer. Many people consider that to be the start of the general public’s move into the online realm. Since then, our everyday experience of the digital world has moved from it being an optional extra to it being a central part of our lives.
Anyone born after 1990 has grown up in the computer age, so a large percentage of our modern-day workforce is more cyber literate than our policies might recognise. However, we must continue to invest in cyber training for all employees to ensure that their resilience and awareness keep pace.
Unfortunately, many of our public sector IT systems have not kept pace, largely due to costs and the need to procure such systems on a large scale. Our evidence taking on both cybercrime and the budget highlighted the pressing need to ensure increased capital investment in vital public IT systems.
We saw earlier this year that cyberattacks on retailers left many Scottish communities with empty supermarket shelves. We also saw attacks targeting our local authorities, which impacted on schools and many other services. Our report points out a recent Audit Scotland analysis of a cyberattack on Western Isles Council, which highlighted various issues that local and national Government must address.
We also heard about the need to ensure that key criminal justice sector partners such as the police service, courts, the prosecution service and prisons are ready to meet new challenges as they move more of their operations on to digital platforms. Maintaining public confidence in how our criminal justice system responds to calls for help or gathers evidence of crimes must be central to the capital resources that we commit to modernising our IT systems.
As a digitally dependent society, we face many challenges from bad-faith actors—both individuals and nations. They wish to steal from us, sow discontent and undermine public confidence in democracy. Ensuring robust public and private sector IT systems and embedding cyber awareness as part of everyone’s daily life must be central to Scotland’s cyber resilience strategy.
I thank all those who gave evidence to the committee, and I look forward to hearing the rest of the debate.
I call the cabinet secretary, Angela Constance, to open on behalf of the Scottish Government.
15:37
Today’s committee-led debate is an ideal opportunity to set out the current picture of cybercrime in Scotland and the actions that we are taking and need to take across policing, Government, business and civil society to prevent harm, protect victims and strengthen our national resilience.
Cybercrime has changed the character of offending in Scotland. Five years ago, Police Scotland recorded 7,710 cybercrimes; today, the figure is 14,120—almost double pre-pandemic levels. Those are broad estimates from police records, but the direction is unmistakable. More crime—whether fraud, extortion or exploitation—is now committed online or enabled by digital means.
The public’s experience mirrors that. The Scottish crime and justice survey estimates 524,000 incidents of fraud and computer misuse in 2023-24, which means that roughly one in 10 adults is affected. When organisations suffer a cyberincident, the knock-on effects on people can be severe. The Co-op cyberattack in April, for example, disrupted operations and supply chains, leaving some of our rural and island communities with empty shelves in local shops.
When West Lothian Council’s schools IT systems were hit, many schools experienced operational challenges, although exams were not affected due to well-rehearsed contingency plans.
Those incidents are stark reminders of the growing cyber threat and the importance of resilience across all parts of society. What does that mean for our justice system? Our courts, law enforcement agencies and prisons handle enormous amounts of sensitive information, including criminal records, evidence and personal details of victims and witnesses. One breach could expose that data, endanger lives and derail investigations.
Cybersecurity is not just about protecting data; it is about protecting trust. If systems are hacked or evidence is tampered with, confidence in fair trials collapses and, with it, the rule of law. Today, most evidence—emails, closed-circuit television footage and forensic data—is stored digitally. That makes it vulnerable to alteration or deletion, which could lead to wrongful convictions or acquittals.
Let us not forget operational continuity. Courts and law enforcement rely on digital platforms for case management, e-filing and virtual hearings. A ransomware attack could halt proceedings, delay justice and create massive backlogs. Justice systems are prime targets for organised crime and even state-sponsored actors seeking to disrupt governance or influence outcomes. Cybersecurity is not just an IT issue; it is the cornerstone of justice that safeguards the fairness, reliability and resilience of our digital legal systems. That means that prevention, early warning and rapid, well-coordinated incident response arrangements are just as important as detection and prosecution.
Police Scotland has strengthened its specialist capability in cybercrime investigations and digital forensics. The newly established cyber and fraud unit is consolidating the prevention of cyberfraud and digital harm under one command. Innovation is also happening at the front line of policing through the deployment of digital forensic vans and digital evidence detection dogs and the exploration of AI-enabled efficiencies as part of the policing in a digital world programme.
Those changes matter, but we must be realistic about the constraints and challenges. Over 90 per cent of crimes now involve some form of digital evidence, and that places sustained pressure on our investigative capacity. The digital evidence-sharing capability programme, which is funded by the Scottish Government, is tackling that challenge and is now live across all police divisions. Across the justice system, we must—guided by the Christie principles—deliver integrated and secure services, providing better outcomes and best value for the public.
Legislation must evolve, too. The Computer Misuse Act 1990 remains the backbone of legislation on cyber-dependent crime, but it predates contemporary security research. The proposal by the UK Government of a statutory defence for legitimate security research is welcome, and we will continue to engage with the UK Government on that matter.
Alongside that, the UK Government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill, as mentioned by Ms Nicoll. The bill will widen the scope of existing regulations to include managed service providers and data centres, it will harden essential services, and it will strengthen reporting. The bill will matter for Scotland. Some of our critical services and suppliers sit within its scope, for example health and drinking water. We will work with UK partners, regulators and industry to ensure smooth implementation.
The Scottish Government’s refreshed “Strategic Framework for a Cyber Resilient Scotland 2025–2030” sets the vision for a digitally secure and resilient nation. It is a renewed commitment to protecting our people, organisations and future in an increasingly digital world. None of that can be achieved by Government alone. Prevention at scale is essential, and Scotland has established a national ecosystem to strengthen its ability to be more responsive and future focused.
The CyberScotland partnership helps to drive practical resilience and awareness across public, private and third sectors. The Scottish cyber co-ordination centre—SC3—provides intelligence and early warning and manages incident response co-ordination for the public sector. In partnership with the National Cyber Security Centre and Police Scotland, SC3 is helping us to stay ahead of the threat and respond effectively to minimise the impact of incidents when they occur. I recently launched the SC3 cyber observatory, which will gather and analyse cyberthreat data and maturity insights from the public sector, allowing us to better target support and intervention.
We are also investing £300,000 this year to equip the public sector workforce with the skills needed to safeguard our essential services. In line with the National Cyber Security Centre, we are positioning the cyber essentials standard as the baseline security standard for all organisations in Scotland. Alongside that, we are driving the adoption of multi-factor authentication and encouraging regular back-ups, incident response planning and the use of incident response exercises.
There are five priorities in our fight against cybercrime, as part of our need for a secure and efficient justice system. The first involves sustaining and targeting investment in policing capacity, completing the build-out of Police Scotland’s cyber and fraud unit and refreshing front-line digital tooling. The second priority is to build on exemplar collaboration programmes, such as the digital evidence-sharing capability programme, to modernise our justice systems. The third is to enable legislation evolution, so that our laws are fit for today and resilient for the future. The fourth is to scale up prevention and skills. We must continue to build and enhance the capabilities of SC3 and the CyberScotland partnership and accelerate targeted prevention campaigns for specific sectors and communities. Fifthly and finally, to embed accountability for public bodies and critical suppliers, we need to move to a place of mandating minimum-security baselines and transparent risk reporting.
Cybercrime is now a mainstream risk to our economy, our justice system and our people. Scotland has strong foundations in place: specialist policing capability, evidence of a maturing public sector, SC3, our national incident response and co-ordination centre, and an active partnership that reaches from Government into business and civil society. Our task is to lock in all those gains.
Our focus, as always, is to keep people safe, protect essential services, bring offenders to justice and ensure that Scotland remains digitally secure and resilient. I am very grateful to the Criminal Justice Committee for its work.
I take this opportunity to remind all those members who are seeking to speak in the debate to check that they have pressed their request-to-speak buttons.
15:46
I welcome this opportunity to discuss cybercrime and the devastating impact that it can have on people and businesses. I thank the Criminal Justice Committee clerks for all their work to arrange the evidence sessions and compile the committee’s report.
As was made clear throughout the evidence sessions, this problem is not going away—in fact, it is getting worse all the time, and more people are doing it. The technology that they are using is becoming more advanced. The criminals have more resources behind them—either from serious organised crime gangs, which always get themselves involved when they think that there is easy money to be made, or because of the increasing role that bad states such as Russia, Iran and North Korea are playing in this area.
This is a global problem, of course, but even the statistics for Scotland paint a grim story. According to official recorded crime data, there were an estimated 7,710 cybercrimes in Scotland in 2019-20. By 2024-25, the figure had almost doubled to 14,120. That equates to 38 incidents a day, which cover everything from fraud and extortion to sexual abuse and exploitation. We know that many such crimes are never reported, so the true picture is likely to be far worse.
The question that MSPs face is what to do about that. In the first instance, we must look to Police Scotland and the Scottish Government. I do not believe that this hugely complicated and difficult subject should be the source of an intense political blame game. Even if not a single person in Scotland was guilty of a cybercrime, the problem facing ordinary Scots from international threats would still be considerable. My contribution to the debate is therefore intended to be entirely constructive.
The police do great work in this area, but they need more support. The difficulties that the force faces when it comes to officer numbers and resources—not to mention the impossible environment in which the police work—have been well documented in the chamber. They have a specific ask on this topic, which I urge the Scottish Government to deliver in full.
Chief Constable Jo Farrell has said that Police Scotland needs £105 million just to stand still, in effect, when it comes to officer numbers, and that a further £33 million would enable her to strengthen the workforce. That includes £6 million specifically for tackling cybercrime. She has cited cybercrime as a major problem, while the Scottish Police Federation has said that the response to cybercrime is being weakened by a lack of cash.
When she delivers her budget in the new year, the Cabinet Secretary for Finance and Local Government must give the police every penny that they need. That money is important, because it has been proven that, when the justice authorities are supported, they can make an impact.
The banking protocol, whereby police work with bank staff to spot potential fraud in customer transactions, helped to save Scots £750,000 in the first three months of this year. Hundreds of incidents were prevented—often ones that would have involved elderly and vulnerable customers transferring money or handing over sensitive data to people who wanted only to exploit them and cause them harm.
The Edinburgh-based Cyber and Fraud Centre Scotland, which is headed by Jude McCorry, has done some great work to raise awareness and encourage businesses to work together to avoid themselves and each other being scammed. Its cyber and fraud hub has helped more than 500 victims over the past year, has prevented hundreds of thousands of pounds from being lost and, in some cases, has helped people to recover what was lost.
The organisation has also done great work on encouraging women to get involved in cybersecurity. Recent events brought together about 200 women and girls in the hope of guiding them towards a career in that area. We, in the chamber, are all well aware that, if we want the very best people to be involved, we cannot afford 50 per cent of the population thinking that it is not a subject area for them.
Cybercrime targets the most vulnerable people in our society. The despicable criminals who indulge in it do that on purpose. Their merciless exploitation of elderly people—taking advantage of the possibility that they are not up to date with technology or that they may be susceptible to being tricked—is inexcusable. Similarly, those who target young girls online in the hope of exploiting them sexually deserve the most severe punishments. We, in this country, can only do our bit while hoping that international agencies and foreign Governments step up, too.
Police in Scotland require more specialist skills, digital forensics and sustained investment. The Scottish Government must match its words with actions, to ensure that we have enough officers and capability in the wider justice system to hold to account those who are responsible.
Nobody is safe from cybercrime: from huge companies such as Jaguar and Marks and Spencer to small Scottish businesses; from major Government agencies, such as the Scottish Environment Protection Agency, to our smallest local authorities; and from wealthy individuals who are robbed of thousands to vulnerable people who lose everything that they own. That is why the problem deserves our utmost commitment and attention.
15:52
I am pleased to open on behalf of Scottish Labour. As a member of the Criminal Justice Committee, I thank my fellow committee members, the committee clerks and all stakeholders who were involved in the committee’s work on the issue.
The committee’s report is important and timely. Cybercrime rates across Scotland are at a significant level. As Sharon Dowey said, more than 14,000 cybercrimes were recorded in Scotland last year—a number that remains well above pre-pandemic levels. Cybercrime amounted to 5 per cent of all crimes recorded in Scotland last year, but digital technology and online spaces are being used to carry out more traditional crimes, too. We can see that from the fact that cybercrime accounted for 27 per cent of all sexual crimes reported last year.
In recent years, several high-profile cyberattacks have been launched against private companies and public bodies across Scotland—major companies such as Marks and Spencer, the Co-op, Adidas and H&M have been hit by cyberattacks this year alone. NatWest provided alarming evidence to the committee that its customers have to be protected from more than 100 million cyberattacks every month.
Earlier this year, Glasgow City Council, the City of Edinburgh Council and West Lothian Council all suffered cyberattacks that were aimed at disrupting online education services. Hackers managed to access a significant amount of information from NHS Dumfries and Galloway last year, including the confidential details of staff and patients. In 2020, SEPA endured one of Scotland’s worst-ever cyberattacks, when thousands of its digital files were stolen. Whether we look at cybercrime statistics or examples of cyberattacks, it is clear that cybercrime is an issue that affects all of Scotland, including individuals and organisations.
Two common themes emerged in the evidence that the committee heard on how we can better protect ourselves from cybercrime. The first theme was that the current state of Scotland’s cyber resilience is inadequate and must be improved. Digital participation in Scotland has continued to increase, particularly among older people, and more than 90 per cent of adults now use the internet for work or personal activities. That is to be welcomed, but it brings greater risks of cybercrime.
Previous results from the Scottish crime and justice survey found that nearly 5 per cent of internet users in Scotland had experienced computer viruses, received scam emails or had banking details stolen online. In addition, the Scottish household survey found that nearly 10 per cent of all adults in Scotland did not take any online security measures, such as not opening emails from unknown senders or not sharing personal information online. That is why some of the proposals in the Scottish Government’s cyber resilient Scotland framework that focus on improving cyber learning are welcome.
Embedding cyber learning in the school curriculum, expanding the availability of cyber learning resources and improving access to cyber learning opportunities for adults are all practical steps. The £300,000 that has been allocated for an upskilling fund to strengthen cybersecurity skills across the public sector is also very welcome.
However, I believe that the Scottish Government must do more to educate everybody—in particular, young men and boys—on the harmful effect that far-right and misogynistic online content can have on their behaviour, and to tackle the resulting sexism, misogyny and violence in schools. That is why I again call on the Scottish Government to bring forward a cross-campus strategy to tackle the issue. I think that that is relevant to today’s debate.
Although education is vital in improving cyber resilience, we must also look at other avenues to achieve that aim, such as legislation. The Online Safety Act 2023 has now come into force, and I urge the Scottish Government to work with the UK Government and Ofcom to ensure that it is effective, especially in the light of the fact that reports of online child abuse in Scotland have doubled in a year.
The Scottish Government should also make representations to the UK Government and Ofcom on ensuring that the provisions in the Online Safety Act 2023 that are designed to tackle fraudulent online advertising are implemented as soon as possible, and I encourage ministers to engage with the UK Government and Ofcom on how the Cyber Security and Resilience (Network and Information Systems) Bill will be implemented in Scotland, should it be passed at Westminster.
There are many other aspects of improving Scotland’s cyber resilience that I hope will be considered in today’s debate, such as the need for regulation to reduce the harms associated with AI technology, including deepfakes, and the need to ensure that digital technology that is used in the public sector is better protected from cyberattacks. I welcome the action that the Scottish Government is taking, such as its recent announcement on deepfakes.
The second theme that emerged in evidence to the committee in relation to tackling cybercrime was the need for the Scottish Government to invest more in cybersecurity. Organisations ranging from the Cyber and Fraud Centre Scotland to the Scottish Courts and Tribunals Service have identified the need for further investment. The committee heard from Police Scotland on the significant financial challenges that it faces, which Sharon Dowey mentioned, and how that affects its ability to tackle cybercrime.
I hope that the need for greater investment in cybersecurity will be explored further in today’s debate. It is important to note that the true scale of cybercrime across Scotland is likely to be greater than we expect, given that it often goes unreported by individuals and organisations. It is also likely to become a bigger issue in the future.
I hope that the Scottish Government will reflect on all the points that I have raised and that other members will raise on the need for cyber resilience and investment in cybersecurity.
15:59
I am grateful to the Criminal Justice Committee and all who contributed to the inquiry that resulted in the timely and important report that we are discussing today.
Cybercrime and cybersecurity are often discussed as abstract, technical or even distant issues. However, the report makes it unmistakably clear that they are none of those things. Cybercrime is not virtual harm—it is real harm. It is harm that lands on kitchen tables, in bank accounts, in workplaces and in the lives of people who are all too often already carrying the heaviest burdens.
The evidence that the committee gathered is sobering. Although there has been a recent decrease in estimated cybercrime compared with the previous year, levels remain far above those that were seen before the pandemic. Cybercrime now accounts for at least 5 per cent of all recorded crime in Scotland and for more than a quarter of sexual crimes. Nearly all crimes involving threat and extortion are now cyber enabled. Fraud, in particular, has been transformed by the digital environment, with estimates suggesting that almost half of all fraud now involves cyber methods.
Behind those statistics are people: older people who are targeted by increasingly sophisticated scams, often powered by AI and deepfake technology; workers whose personal data is stolen and traded repeatedly long after the original breach; staff in businesses and public services who are dealing with the stress, fear and disruption that is caused by ransomware attacks; island communities left without access to food because a supply chain was digitally attacked; and people in local authorities who are unable to deliver essential services because their systems have been compromised. The report rightly centres those human impacts.
I thank all those who gave evidence to the committee, and particularly those from organisations such as Age Scotland, who reminded the committee that many victims do not report cybercrime because they do not know where to turn, they fear that they will not be believed or they assume that nothing can be done. That is not a failure of those individuals; it is a failure of our systems. If people do not feel supported, trusted and protected, our response to cybercrime is already falling short.
The report also highlights a stark imbalance of power and resources. Large institutions such as banks are able to invest millions in cyber defence, employing hundreds of staff to monitor and block attacks, although even then, as the committee heard and as we have heard this afternoon, they are subjected to tens of millions of attacks every month. Small businesses, charities and third sector organisations simply do not have that capacity, nor do many public bodies that are forced to maintain ageing legacy systems while trying to meet growing digital demands. That imbalance matters. Cyber criminals need to succeed only once, and that one-time success can be devastating for people. Everybody else’s protections need to work all the time.
The approach of the Scottish Greens to the issue comes from a clear set of principles. We believe in safety and justice for all, but we also believe that how we pursue safety matters. We reject the false choice between security and rights. We do not believe that expanding mass surveillance, eroding privacy or normalising intrusive state powers will necessarily keep people safer in the long run. In fact, history tells us the opposite. That means that, although we support properly resourced, skilled and specialist policing to tackle cybercrime, we will always scrutinise proposals that risk widening surveillance without clear necessity, proportionality and democratic oversight.
Cybercrime is borderless and complex, but that cannot become an excuse for undermining civil liberties or treating everyone as a suspect by default. Instead, the report points us towards a more effective and more just approach. Prevention, resilience and accountability must sit at the heart of our response.
Prevention means investing in digital literacy and public awareness, particularly for older people and other groups that are most at risk. It means ensuring that reporting mechanisms are accessible, trusted and trauma informed. It means recognising that shame and fear are powerful silencers and that we must design systems that actively counter that.
Resilience means having sustained investment in public sector digital infrastructure, not piecemeal fixes. It means supporting small and medium-sized enterprises and the voluntary sector with practical help, and not just advice that they cannot afford to implement. It means recognising cybersecurity as essential public infrastructure and not as an optional add-on.
Accountability means asking difficult questions of those who profit from insecure systems. As the committee heard, stolen data can be traded again and again with devastating consequences, while responsibility is too often pushed back on to victims. We must seriously consider whether our legal frameworks adequately reflect the harm that is caused by the theft and trafficking of data, and whether corporations and platforms are doing enough to design systems that are secure by default.
One issue that emerged during the committee’s scrutiny that has not yet been touched on, and which relates to resilience, is insurance. Businesses are perhaps more able to absorb the cost of insurance, which is an important part of a business’s overall resilience to an attack.
Absolutely. Not everybody will be able to afford insurance, nor will everybody even think that it is something that they need to have. The fact that its affordability will put insurance out of reach of individuals or organisations needs to be part of our thinking about resilience and accountability.
The report does not offer easy answers, but it does offer clarity. Cybercrime is not just a policing issue; it is an issue of social justice, equality, workers’ rights and public services, and our response must be as interconnected as the systems on which our society now depends.
I look forward to hearing the rest of the speeches in the debate and then to working together to ensure that Scotland’s response to cybercrime is one that protects people, upholds rights and puts justice, not fear, at its core.
16:06
I join other speakers in thanking the members of the Criminal Justice Committee for allowing this debate to take place and, more important, for undertaking detailed scrutiny of this important issue. Audrey Nicoll comprehensively set out the breadth of issues that are covered in the report, which leaves little doubt about the amount of work that will need to be done to address the many and various challenges going forward.
Cybercrime often leaves victims, whether they are individuals or organisations, harmed in profound and lasting ways. Were we in any doubt about that, the subject of the item of business that preceded this debate should have dispelled that. Abuse by grooming gangs is a horrific exemplification of that, reflecting the way in which online harms are, as Maggie Chapman said, very real.
Those who have been the target of cyber-enabled fraud can lose their life savings and have their personal data harvested. The convener of the Criminal Justice Committee rightly pointed to the fact that, these days, data harvesting is often more of a motive for perpetrators than cash. Individuals who are subjected to the non-consensual distribution of private sexual images face enduring trauma, and companies whose online systems are compromised by hackers can be held to ransom and lose decades of work and the trust of customers.
Katy Clark and Audrey Nicoll spoke about the extent of cybercrime and the fact that large organisations can find themselves being subjected to millions of attacks over the course of a month. The investment that businesses put into IT departments to try to brace against those attacks has a cost. However, Maggie Chapman is right that, although businesses may be most at risk and most in need of resilience being put in place, all organisations in the public, private and third sectors need to have resilience.
Much of the crime is not new, but technology is allowing it to be carried out in a different and more effective way and to target a wider cohort of potential victims. The growing use of AI and other emerging technologies means that that trend is set to continue and get worse, as Sharon Dowey rightly said.
How do we rise to meet those growing challenges? More focus by the Parliament—including the type of inquiry that the Criminal Justice Committee carried out—is a start. If we, as legislators, are to put in place appropriate and robust safeguards and protections, we need to develop a detailed understanding of what is happening and how that is likely to change.
The nature of these issues means that we will require a collaborative working approach between Parliaments and Governments, not just here, in the UK, but internationally. As I said, building greater cyber resilience into systems and networks across the public, private and third sectors is crucial, and we need to continually raise awareness among the public of the risks and how to minimise them.
The scale of the challenge is shown by the fact that cyber-enabled fraud is estimated to account for nearly half of all frauds in 2024-25. The committee heard that, perhaps unsurprisingly, that type of crime increasingly targets more vulnerable groups, including the elderly. The demographic trend of an ageing population and the pace at which technological change is happening are creating a perfect storm. Perpetrators evolve and adapt their techniques and tactics, making the work that is done by Police Scotland, community organisations and others through public awareness campaigns exceptionally difficult. We are dealing with the ultimate moving target. That is why the Scottish Liberal Democrats have been clear in calling for Police Scotland to have enhanced support in the area and to be given the tools that it needs.
I am grateful to the Scottish Police Authority for its briefing, which sets out many of the ways in which Police Scotland has sought to invest and adapt to the changing challenge. I suspect that, during the past decade, when there has been a bit of an obsession with officer numbers—for reasons that I understand—we have perhaps lost sight of the debate that we need to have about the types of skills and resourcing that policing requires now and into the future. Staying one step ahead of organised crime gangs and other types of criminals is not straightforward, but our police and, indeed, our entire criminal justice system need to be given a fighting chance. Others have pointed to the need for resourcing to enable that.
As an islander, I was interested in, although not surprised by, the evidence that Jude McCorry of the Cyber and Fraud Centre gave on how island communities are at a particular risk of being left without food supplies due to cyberattacks on supermarkets and supply chains.
As we try to address the digital divide, we recognise that the digital space is levelling the playing field and opening up access to services in a way that is hugely beneficial, but at the same time it expands the risk of individuals and organisations being susceptible to becoming victims of fraud. As somebody who represents an island community, I see that very clearly. If we are to continue to move towards the modernisation of critical services, which is clearly necessary, we must be prepared to address the myriad of cybersecurity risks that will accompany that process.
It would be remiss of me not to return to the growing issue of online sexual violence and abuse, which has been amplified by the availability of deepfake technology and other generative AI tools, and which disproportionately impacts young women and girls. That issue has been driven largely by the rise in toxic masculinity in our society—Katy Clark made that point—and it will therefore require reform on a systemic level. Education will be key to changing attitudes, but there will also be a role for industry to play. Technology companies should not be given free rein to introduce new tools, systems or platforms into the market unless they have been built with safeguarding and responsibility in mind. Regulators must be proactive while also making clear the responsibilities and obligations on technology companies that operate in that space.
As a former member of the Criminal Justice Committee, I do not want to tell its current members what they should be doing, but it could recommend in its legacy report that future committees should return to the issue regularly. Putting my convener’s group hat on for a second, I note that it is also an issue that would benefit from cross-committee working.
For now, I thank Audrey Nicoll and the members of the committee for allowing this debate to take place. We will need to do more work on the subject, but this has been a decent start.
We now move to the open debate. I advise members that there is some time in hand.
16:14
I welcome the opportunity to speak in this debate on the very short report that the Criminal Justice Committee has published on cybercrime and cybersecurity in Scotland.
Unlike Liam McArthur, who is a former member of the committee, I am a current member of the committee, but I was not a member at the time that it undertook the activity or its report. I commend the convener and my colleagues for the work that they undertook.
The report makes it clear that cybercrime is no longer a marginal or technical issue. It is now a central challenge for justice, for economic security and for democratic resilience. Although the most recent figures show a reduction in recorded cybercrime compared with the previous year, as Katy Clark set out, levels remain significantly higher now than they were before the pandemic. As Police Scotland told the committee, it estimates that cybercrime constitutes around 5 per cent of all recorded crime. Cyber-enabled offending now makes up a substantial proportion of fraud, sexual crime and threats and extortion, so its impact is very real and significant.
Even then, those figures tell only part of the story, because, as Sharon Dowey mentioned, many cybercrimes go unreported, particularly when victims feel embarrassed, uncertain or powerless—something that we know is often a feature of someone’s experience when they have been caught out by a scam.
The evidence from Age Scotland was particularly striking in highlighting the impact of cybercrime on older people. AI-enabled scams, impersonation and increasingly convincing fraudulent communications are eroding confidence and causing real distress. The fact that a significant proportion of victims do not report those crimes should concern us deeply. Prevention, education and accessible reporting mechanisms are therefore essential.
We should recognise that cybercrime does not affect all people or organisations equally. Larger institutions, such as banks, have the means and ability to invest heavily in sophisticated cyberdefences. The evidence from the financial sector illustrated the scale of the attacks that it faces and the scale of the resource that is required to defend against them. I do not denigrate the seriousness of the impact on our financial institutions, but, by comparison, small businesses, charities and individuals simply do not have their capacity, yet are also exposed to the threat of cybercrime. That imbalance is one of the challenges that we need to consider as we move forward.
The committee heard evidence from businesses such as Arnold Clark that demonstrated that even well-resourced organisations can be brought to a standstill by a single successful attack. The consequences were not limited to data loss or financial costs; individuals were affected as well—customers were stranded, staff were unable to work and essential services were disrupted. We should bear in mind that when a business is impacted, individuals are also impacted.
Cybercrime should therefore not be understood only as theft but as a form of disruption with tangible human and economic consequences. That same point applies in the public sector and has been made about the substantial attack on SEPA. Cyberattacks on local authorities, public bodies and supply chains can interrupt education, social care, food distribution and transport. In an increasingly interconnected digital environment, disruption in one system can quickly cascade into many others. I believe that that reality should concern us all, because it speaks directly to societal results.
It is important to recognise—this has been touched on in the debate—that not all cyberthreats originate from criminal networks that are motivated solely by financial gain. We now operate in a global context in which hostile state actors routinely use cyber capabilities as tools of influence, espionage and destabilisation. Attacks on public institutions, democratic processes and critical infrastructure demonstrate that cyberactivity has, sadly, become a normalised instrument of hostile state power, and Scotland is not insulated from those dynamics. Our public services, universities, research institutions and digital infrastructure are part of a wider international system. Hostile cyberactivity may not always target Scotland directly, but it can still have direct effects here through attacks on UK-wide systems and supply chains, or through disinformation, which I believe is one of the greatest challenges of our age. Such activity is designed to undermine trust in democratic institutions.
The overlap between state-sponsored cyberactivity and organised criminal methods, including ransomware and data theft, further complicates detection and response. That is why co-ordination and partnership are critical. Effective responses to cyberthreats, whether criminal or state sponsored, depend on close co-operation between Police Scotland, UK agencies, international partners and the private sector. I therefore welcome the continued engagement with the National Cyber Security Centre and the work of the CyberScotland partnership and the Scottish cyber co-ordination centre.
Liam McArthur is probably right that there has been too much emphasis on the headline figures for police officer numbers. We should be turning our attention to whether the police force and other parts of the system are properly equipped to respond to the threats that we face.
Audrey Nicoll rose—
I see that the convener wants to intervene. She may be about to make this point, but I will make my point and then hear hers.
We will have to consider the issue through the committee’s budget scrutiny of the evidence that has been provided to us thus far.
On the point that Jamie Hepburn has eloquently set out about how organisations or individuals respond, one point that came out in committee was the narration by Arnold Clark of how it responded to a unique, unusual, significant and serious event, and what should be done, particularly when a ransom is demanded. That is an important part of the overall resilience strategy.
I agree. That speaks to the need for us to ensure that Scotland continues to build its own cyber resilience. The elements that Audrey Nicoll laid out must be part of that.
The refreshed cyber resilient Scotland framework for 2025 to 2030 is an important step. Of course, that has to be matched by investment and practical support, particularly for smaller businesses, charities and community organisations, which might lack in-house expertise.
There is also a broader question about whether our legal frameworks are keeping pace with the realities of cybercrime, particularly in relation to stolen data. The harm that is caused by data breaches can be repeated and prolonged, affecting victims long after the initial attack.
Cybercrime sits at the intersection of criminal justice, economic security, national resilience and democratic trust. It is driven by organised crime, enabled by rapid technological change and, increasingly, exploited by hostile states that seek to undermine open societies. Addressing it requires more than reactive enforcement; it requires prevention, partnership, investment and public confidence. I agree with Liam McArthur that the area warrants further attention, which the Parliament should continue to give it.
16:22
I thank the Criminal Justice Committee for bringing the debate to the chamber. I am sure that I am not alone in worrying about the rise of cybercrime in Scotland. We can see from the Criminal Justice Committee’s report that cyber criminals were able to nearly double their output overnight in response to the pandemic, as their supply of in-person victims dried up.
In addition, certain crimes lend themselves much more readily to becoming cybercrimes; there is a statistical propensity for that with sexual crimes and with threats and extortion. New technologies such as deepfakes and generative AI have enabled a whole new kind of fraud and deception. Many of our constituents are worried that they or a loved one will fall victim to an AI-generated request for money, although that pales in comparison with the violation of deepfake pornographic imagery.
The Scottish Government must ensure that Police Scotland is adequately resourced and prepared, not for the crimes of the last century, but for the crimes of this century and beyond. That includes ensuring that the police have the powers to investigate and act if a new type of crime has been committed. The Parliament must be swift and flexible, and it must bring in appropriate legislation accordingly.
However, the ability to identify crime will not be enough. As often as not, the culprits are far outside the UK, and a stronger cyberdefence is paramount. Schools should be our first port of call in giving children the experience of identifying unfriendly links and invitations. That needs to be an active Government initiative, not simply a hope that teachers who are already hard stretched will be able to rise to the challenge.
Schools and community centres should also be hubs where parents and grandparents can learn what to do should their child—or even they—fall victim to cybercrime, because it will be a learning curve for us all. Maybe we should resurrect the old 1950s public information films, just to make people aware.
I, too, have been approached by many older residents who are out of their comfort zone with digital platforms. The Bank of Scotland’s decision to close the last branch in Larkhall highlighted that issue, with many feeling that in-person services were the last backstop between them and cyber criminals.
The Government should do all that it can to protect in-person banking services, in particular to prevent older constituents from falling victim to financial cybercrime. Some criminal ploys have existed for a long time—fleecing emails, for example, and malign links on social media, often in the guise of bots. However, AI has introduced a new level of capability to mislead vulnerable groups and businesses on an industrial scale.
I would hope that all my colleagues would be against those things, but I read a few weeks ago that the First Minister was in favour of the Iranian bots because they are pro-independence for some reason. That aside, at some point or another, everyone in this chamber will have been on the receiving end of abuse and insults because of some point of view that they might have held in the past. Basically, doing that on social media is a cybercrime and should never be considered acceptable.
Cybercriminality, in any shape or form, regardless of how it is manifested, is committed by calculated cold villains and no one is immune from it. The Scottish Government needs to be industrious and dynamic in its legislation to protect the public and businesses, and criminals need to be prosecuted with vigour. No doubt the worst is yet to come. As technology rapidly improves, those who are currently considered immune from AI deception may be the most vulnerable. It may be that entirely new types of cybercrime emerge that are far beyond what we can comprehend today.
We are at the start of a fantastic journey, on which we will see lots of great things. However, we should take heed, as we do not know where we will end up or what perils await in these uncharted waters.
16:27
We are all potential victims of cybercrime—and the sad fact is that thousands of people in Scotland have been. Since 2019, the annual number of recorded cybercrimes has doubled from 7,710 to just over 14,000. That is probably the tip of the iceberg, because those are only the numbers that are recorded.
We all rely on websites, apps, systems and data in our daily lives. Although they bring great benefits, the convenience comes at a cost. Cyberoffending, coupled with online harm, is increasing, whether that is people who are seeking to exploit the vulnerable or using online activities as a vehicle for offending behaviour.
It is, indeed, the growing crime of our times, which is why cyber resilience and digital safety are more important than ever. I am pleased to hear about the many Scottish Government initiatives that the cabinet secretary outlined.
Cyberthreats are evolving rapidly, technology is ever-changing and becoming more sophisticated, and it is our shared responsibility to meet the challenges that Scotland faces. That is why I was pleased that the Criminal Justice Committee took such valuable evidence to allow us to produce a report on cybercrime, which is about where we are now and where we must go in the future.
We listened to fascinating but sometimes chilling evidence from banks, charities, retailers, Police Scotland and organised crime experts about the toll that combating this ever-growing scourge is taking on them. We learned that some cyberthreats cannot realistically be fully mitigated, regardless of how much preventative spending takes place. Major systemic vulnerabilities often have roots in legacy technologies and outdated practices, so wider digital and cultural transformation is often required to tackle the underlying cause.
For other risks, making the best use of the systems and services that are already in place is often more effective and better value for money than buying in advanced security solutions.
On the plus side, there is no doubt that the digital economy is driving Scotland’s economic growth and shaping our future, and that it brings great opportunities. The Scottish Government’s approach is built on strong partnerships across sectors, reinforcing the point that collective effort is critical if we are to safeguard people and unlock the economic potential of our secure digital future. That includes continued engagement with the UK Government and the National Cyber Security Centre on reserved security matters, alongside our European partners.
That is why the Scottish cyber co-ordination centre promotes effective detection and response processes with a strategic framework. The framework details actions and supports to help people, businesses and organisations across Scotland to recognise and prepare for the inevitable cyberthreats. In addition, the centre’s cyber observatory, in particular, will be vital in alerting organisations to potential threats. The centre aims to improve incident response, recovery and intelligence sharing, and to get a much better understanding of cybersecurity.
Collaboration is at the heart of the SNP Government’s strategy, because no Government can tackle cyber challenges alone—Scotland is no exception. Speaking about the challenges of investigating cybercrime, Assistant Chief Constable Stuart Houston of Police Scotland told the committee:
“these crimes are often borderless and are, on occasion, perpetrated outwith the UK.”
He went on:
“Quite often, a network of people are involved in the larger ransomware attacks. In the past, organised crime groups would operate in networks of people who knew one another, but we need to be alive to the fact that people now often operate in networks where they have only seen someone through a screen.”
David Keenan, chief information officer with Arnold Clark, who was mentioned earlier, spoke to the committee about the impact of a major cyberattack that happened to the business in December 2022. It was a ransomware attack in which a large amount of sensitive customer and corporate employee data was stolen. The criminals deliberately planned the timing of the attack over the Christmas period, when staffing levels in the organisation would be reduced and it would take longer for staff to detect and respond to the attack.
Mr Keenan said:
“In the days immediately after the attack on Arnold Clark, when we were unable to operate our systems for a period, more than 4,000 customers were expecting to come and make use of our services. More than 700 people who had bought a car were expecting to take delivery of that vehicle. Some 2,000 people who either had their car in for a service or had booked in to have their car serviced were unable to have that work done. We were unable to provide our rental service to more than 1,500 people who had planned to make use of it, many of whom were holidaymakers who were travelling from abroad ... That was the direct impact on customers.”
He went on to say that the cyberattack also had a major impact on the wellbeing of staff of Arnold Clark and their ability to do their job. He said:
“At the time of the incident, we had well over 200 members of staff in IT, with a multimillion-pound budget and 12 members of staff who were dedicated to cybersecurity, but that still was not enough to protect us.”
He went on:
“Ultimately, a cybercriminal has to be lucky only once, but we have to be lucky against every single attack.”—[Official Report, Criminal Justice Committee, 14 May 2025; c 5, 7.]
That was a very well-made point.
In her oral evidence to the committee, the chief constable of Police Scotland, Jo Farrell, said:
“Poverty, geopolitics, cybercrime and civil unrest are driving a high level of demand, and the challenge for policing is evolving rapidly. That is illustrated by the increase in online harm and threat and in violence associated with organised crime, as well as a high level of protests. The threat is now.”—[Official Report, Criminal Justice Committee, 5 November 2025; c 26.]
That is a fitting remark to end with. The threat is now, and we must continue to innovate to find ways to combat it.
16:33
Like other members, I am delighted to speak in the debate as a member of the Criminal Justice Committee. Scotland thrives when it is confident, connected and secure in today’s world, and that means being a digitally secure and resilient nation. Digital technology can no longer be considered a separate sector of our economy. It underpins almost everything that we do, from how businesses trade and grow, how public services are delivered and how families stay in touch to how communities organise themselves. Digital systems shape our daily lives and Scotland’s future prosperity. They are driving economic growth, opening up new opportunities and helping Scotland to compete on a global stage.
As other members have said, however, that opportunity brings responsibility. As our reliance on digital technology grows, so, too, does the importance of cyber resilience and digital safety. We all depend on websites, apps, systems and data, often without even giving it a second thought. They make life more convenient, efficient and connected, yet, in a digitally connected world, convenience comes at a cost.
Cyberthreats are increasing in scale and sophistication. Incidents of cyberoffending and online harm are increasing in number, whether that is criminals seeking to exploit vulnerable people, disrupt essential services or use online activity as a gateway to wider offending. The point was made to us as a committee that such risks are no longer abstract or confined to large organisations but affect individuals, families, small businesses, charities, schools and public bodies alike. In many cases, crimes that we once thought of as traditional, such as fraud, domestic abuse, stalking and exploitation, now have a clear cyber or digital dimension.
The new reality has profound implications for policing and public safety. This morning, ahead of the debate, the Scottish Police Authority wrote to the committee about that. Police Scotland’s 2030 vision, which was launched last year, recognises the changing landscape and has a clear focus on safer communities, less crime, supported victims and a thriving workforce. Crucially, it includes a commitment to strengthen Scotland’s response to cybercrime and fraud, which includes establishing a dedicated cyber and fraud unit and developing specialist skills and training across the workforce. The SPA provides robust oversight of that work through its policing performance committee, which ensures transparency, scrutiny and public accountability.
We are already seeing tangible progress. Police Scotland has established its cyber and fraud unit, which will continue to evolve as demand grows. Work is already under way to join the UK-wide fraud and cybercrime reporting and analysis service, which will help to improve intelligence, consistency and victim support. Alongside that, the policing in a digital world programme is equipping officers and staff to respond to cybercrime using the four Ps approach: pursue, protect, prepare and prevent.
Innovation plays a vital role. The introduction of tools such as the child abuse image database, which uses face-matching technology, has transformed how officers work by using artificial intelligence to reduce the time that is spent reviewing images and to allow greater focus on identifying victims and safeguarding children. Digital forensic vans are speeding up investigations and reducing the time that people are separated from their devices. Police Scotland’s cyber alarm is supporting businesses and organisations across Scotland to identify vulnerabilities and protect themselves from attack.
We must be clear about the scale of the challenge. The number of recorded crimes with a cyber element continues to grow, and new performance measures that have been introduced by Police Scotland show a rising volume of cyber-tagged crimes. However, those figures still underestimate the true picture. Many offences, from fraud to domestic abuse, are enabled by everyday technology and leave a digital footprint, even if they are not yet consistently recorded as cyber-related. Improving our understanding of that complexity is essential if policing resources are to be effectively directed and victims are to be properly supported.
Digital forensics is therefore central to modern justice. The ability to identify, extract and present digital evidence is now integral to investigations, yet demand is increasing faster than capacity. The Scottish Police Authority continues to scrutinise Police Scotland’s approach to building a sustainable digital forensic capability, because it recognises that evidential integrity, public trust and victim confidence all depend on it. Meeting those challenges is a shared responsibility, and the Government has a vital role to play, but it cannot act alone, which is a point that has just been made by Rona Mackay. The Scottish National Party Government is determined to do everything that it can within its powers to strengthen cyber resilience. It will work closely with Police Scotland, the Scottish Police Authority, the UK Government and the National Cyber Security Centre on reserved matters, and it will work, where appropriate, with our European partners.
Our wider approach is rooted in partnership. We work with industry, academia, the third sector and local government, because collective effort is essential if we are to safeguard people and unlock the economic potential of a secure digital future. Collaboration is not an optional extra; it is the only effective response to threats that constantly evolve. That is why Scotland places such emphasis on preparedness, detection and response. The Scottish cyber co-ordination centre plays a crucial role in promoting effective incident response and recovery, which helps organisations to act quickly and confidently when incidents occur. That work is guided by the strategic framework for a cyber resilient Scotland, which was developed with partners through the CyberScotland partnership. A key development in that framework is the cyber observatory, which will strengthen intelligence sharing, improve early warning of emerging threats and help to target support to where it is needed most. Together, those efforts will help to ensure that cyber resilience is embedded across sectors rather than treated as an afterthought.
A secure digital environment builds trust. Trust enables investment. Investment supports growth and inclusion. Growth, in turn, strengthens Scotland’s ability to thrive in an increasingly digital world. Cyber resilience, at its best, fosters confidence to innovate, connect and ensure that Scotland is ready to meet the challenges of today and tomorrow. By continuing to work together, we can ensure that Scotland remains not only digitally connected but digitally secure, resilient and fit for the future.
Like other members, including Liam McArthur, I thank the Criminal Justice Committee, particularly its clerks, for allowing us to provide good scrutiny of the matter. We must continue to scrutinise it well into the future, particularly as the threat of cybercrime grows.
We move to closing speeches.
16:40
I am very grateful for the contributions that have been made during the debate. It is clear that there is a shared recognition across the chamber that cybercrime poses a profound and evolving challenge for Scotland. Where we might differ is not on the seriousness or urgency of the threat but on how we respond to it.
The committee report that we are debating is careful, evidence based and grounded in lived experience. It shows us that cybercrime is not confined to laptops and servers. Such crime reaches into every corner of our society. It disrupts businesses, undermines public services, damages mental health and erodes trust, and it does so in ways that disproportionately affect those with the least power and the fewest resources.
That is why the Scottish Greens will continue to argue that any response to cybercrime must start with people, not technology alone. Victims must be believed, supported and protected. Reporting systems must be clear, accessible and properly resourced. Prevention must be given at least as much weight as enforcement. As Liam McArthur and other members noted, that all means that the education, awareness raising and support that we provide for people must be appropriately tailored to the right audience, whether it is older people at risk of scams, young people who spend more and more of their lives in digital spaces or organisations that hold valuable data and information.
Maggie Chapman has made the point that the pathways for reporting cybercrime and cyberfraud must be as empathetic and supportive as they can be. As a number of members have observed, people often feel a sense of shame about what has happened. Particularly with elderly people, there can often be a sense that admitting to what happened might call into question their capacity, which might have wider consequences, so we must be as empathetic and supportive as we can be. However, I think that it is inevitable that it will be very difficult to get everybody to feel confident in reporting such crimes.
I absolutely agree. That is why we need to take a holistic view and ensure that everybody who supports older people has conversations to reassure those people that they will not be treated as daft or stupid and that their admissions about what happened to them will not be used as an excuse to change their care situation or anything like that. That is imperative.
Sharon Dowey, Davy Russell and other members spoke clearly about the need to ensure that Police Scotland has the resources that it needs. I want to be clear: we support investment in specialist skills, modernised systems and co-operation across borders when crime is transnational. Police Scotland, the courts and the wider justice system must be equipped for the world that we now live in, not the one that we wish still existed. That might mean having challenging conversations with some people. Policing is changing, so we cannot just do more of what we did decades ago, even if that is what some people expect or want.
As we have heard, some of our legislation will need radical updating in order to be fit for purpose. However, I will continue to sound a note of caution: cybersecurity must not become an excuse or a gateway for expanding intrusive surveillance or weakening fundamental rights. Safety that is built on fear, secrecy or overreach is not sustainable. Trust is created not by treating everyone as a potential threat, but by ensuring transparency, accountability and respect for human rights.
Several members, including Rona Mackay and Fulton MacGregor, have spoken about artificial intelligence and emerging technologies. Those developments raise urgent questions not only about how crime is committed but about how power is exercised. We must ensure that new tools do not deepen existing inequalities, embed bias or create systems that are impossible to challenge or understand.
We have also heard this afternoon, from Jamie Hepburn and others, that our public services—and, indeed, many of the other services that we all rely on at different points in our lives—are targeted by different ill-intentioned actors. We must ensure that the services—and the infrastructure that they rely on—are secure and resilient; we cannot just patch systems that are already creaking under the strain of technological advancement.
The report also reminds us that responsibility cannot rest solely with individuals. Too often, people are told to be more vigilant, to be more careful and to be more cyber aware, while operating in digital environments that are designed without their safety in mind. We need stronger expectations and regulations for organisations, platforms and suppliers to build security into systems from the outset and to take responsibility when failures occur.
Cybercrime exposes the cracks in our social and economic structures. It exploits isolation, poverty, underinvestment and digital exclusion. Therefore, addressing it effectively means addressing those underlying conditions as well.
I welcome the committee’s decision to draw Parliament’s attention to these issues, and I urge the Scottish Government to respond with ambition as well as urgency. Cyber resilience must be treated as core public infrastructure. Support for small businesses, charities and local authorities must be practical and sustained, and any legislative or policy changes must be rooted firmly in human rights and social justice. The challenge before us is not simply to become more secure but to become more just. If we rise to that challenge, Scotland can lead not only in technological resilience but in showing that safety and freedom are not opposites—they are mutually reinforcing partners.
16:46
I thank the clerks and the witnesses who gave evidence on which to draw up the report, which I found very interesting. Onlookers might not find the subject matter interesting, but I do. The inquiry drew to my attention the importance of the Criminal Justice Committee taking time to tackle the issue.
The current levels of cybercrime are around double pre-pandemic levels. We are living more of our lives online, and our children are therefore more exposed to the risk of cybercrime. In fact, cybercrime is one of the most serious threats to national security. If anyone has the chance to watch the “Panorama” programme, it is definitely worth doing so—it is actually quite scary.
Cybercrime is usually associated with data theft and ransomware, but it also includes offences such as child abuse and human trafficking. Its growth does not just affect large corporations—as Maggie Chapman and others have said, small businesses are commonly targeted, as they tend to have weaker defences.
Davy Russell made an important point about intimate image-based abuse, which is an area that I have been doing work in. The rise in the number of deepfakes is alarming, particularly in relation to pornography. It is very important that we are vigilant and legislate accordingly.
I welcome Police Scotland’s recent establishment of the cyber and fraud unit. The pressure on Police Scotland to investigate crime that is increasingly complex due to a cyber or digital component is greater than ever. It is also extremely important that we have the relevant expertise in our National Crime Agency to be able to deal with it, because there are clever people behind such crimes, as we know.
Last month, the chief constable, Jo Farrell, told the Criminal Justice Committee that there has been
“an increase in the use of cyber to commit crime, including fraud”.
She also noted that money laundering was on the rise—I was surprised that people still use money. In a cashless economy, the greater threat is to vulnerable individuals, as many members have talked about, and to the economy itself.
The chief constable also noted that there has been a dramatic rise in reports of online abuse of children. She said that, last year, Police Scotland
“received just in excess of 700 notifications in relation to suspicions, information and intelligence about online harm relating to children. In one year, that number has increased to nearly 1,500.”—[Official Report, Criminal Justice Committee, 5 November 2025; c 28.]
She went on to say that we are seeing online-enabled violence against young people.
Online child abuse takes many forms, but it can include sexual exploitation, grooming—as we know—and communication with children for sexual purpose. It also includes sexting and cyberbullying.
The most common type of cybercrime remains ransomware attacks, which Rona Mackay talked about. There is a type of malware that prevents people from accessing their device and the data that is stored on it, and it works by encrypting their files. An astonishing number of companies have paid a ransom in such circumstances, although they might not say that they have done so. Miles Bonfield from the National Crime Agency said at a Criminal Justice Committee meeting earlier this year:
“Ransomware that is used for financial gain remains the foremost serious organised crime cyberthreat to the whole UK, including Scotland.”—[Official Report, Criminal Justice Committee, 14 May 2025; c 4.]
There were an estimated 19,000 attacks on UK businesses last year, and the typical ransom demand was about £4 million. The incident that is probably familiar to most people is Marks and Spencer falling victim to an attack, with hackers managing to blag their way into the system in, as we now know, quite a simple way. The company’s online store closed for seven weeks and the incident reportedly cost it more than £300 million in lost profits. Marks and Spencer will not say whether it paid the ransom. However, in all likelihood, it did, because reports tell us that 25 per cent to 30 per cent of companies pay the ransom. It is therefore a profitable crime. There is now debate about whether outlawing ransom payments, especially from public bodies, is the right thing to do. Ransomware attacks are one of the most difficult and challenging crimes to investigate, but they are also one of the most profitable for criminals. Early detection is important, as, once files are locked by hackers, it is extremely difficult for anyone else to unlock them.
The scale of the threat is staggering. Chris Ulliott from NatWest came to speak to the committee this year. He said that an average of
“about 100 million attacks per month ... try to break past the organisation’s defences.”—[Official Report, Criminal Justice Committee, 14 May 2025; c 6.]
That figure of 100 million attacks a month is quite scary.
Ransomware is also a national security threat. We cannot lose sight of the fact that it is a borderless crime. Many of the hackers are based in Russia or in states that were previously part of the Soviet Union. In 2022, a Russian-speaking hacker called Cl0p breached the security of South Staffs Water, which provides drinking water to 1.7 million members of the public. That is one of the cases that is covered by the “Panorama” programme, which showed a graphic representation. It was believed that there was a serious threat that could have resulted in the poisoning of the water. Of course, the water company said that that would not be possible, but it is still worth studying the case as an example of how serious such threats can be.
This year, in West Lothian, a group going by the name of Interlock attacked 12 schools, stealing data, including personal and sensitive data. It is unclear whether we are ready for a cyberattack that targets Scotland’s public bodies and other vital services, but the message is clear that we need to be. Two years ago, the UK Parliament’s Joint Committee on the National Security Strategy warned that critical infrastructure in the UK is vulnerable to ransomware. Its report warned that the UK is unprepared for the high risk of a
“catastrophic ransomware attack”
that could
“cause severe disruption to the delivery of core Government services, including healthcare and child protection”
and
“bring the UK to a standstill”.
The digital space is growing rapidly. It is a growing frontier of crime, and Scotland needs to be better prepared to tackle the dangers presented. I believe that the importance of the Criminal Justice Committee’s report is obvious. I am sure that, when future Parliaments look back in years to come, the report’s existence will show how important it was to do that work.
16:53
From listening to today’s debate, one thing should be clear to us all: cybercrime is not a niche concern but a widespread problem that affects more and more of our society. The chief constable has spoken about the significant growth in digital crime, and the chair of the National Cyber Resilience Advisory Board has described how cyberattacks are now growing to be the norm.
The statistics—some of which we have already heard today—underscore that it is a widespread and growing problem. The Scottish Government’s crime figures show that more than 14,000 cybercrimes were recorded in 2024-25, which is the equivalent of almost 40 a day. Within that, there were more than 4,000 cases of sexual cybercrime—almost 1,500 of which involved children—and more than 7,500 cyberfraud cases.
To show just how much cybercrime underpins crime as a whole, consider this: more than a quarter of sexual offences feature cybercrime; likewise, almost half of all fraud cases and almost 95 per cent of threats and extortion do, too.
We all recognise the scale of the problem and the serious risk that it will only grow, given the advent of artificial intelligence. If we expect the police to tackle it, we must recognise that they require specialist skills, such as in digital forensics—they need cryptocurrency experts and data scientists. The advent of AI is only going to add to the complexity.
The Scottish Government needs to be in listening mode—specifically, listening to Police Scotland when it says that it needs almost £6 million to bolster its cyber capabilities. We all understand that there are budget pressures, but I point out to ministers that almost one in 10 Scots experienced fraud last year, almost 40 per cent of which involved cybercrime, and that Scotland’s small businesses are estimated to lose an eye-watering £384 million a year to cyberattacks, according to analysis by Vodafone.
On the point that the member was making about Police Scotland and building capacity to respond to cybercrime, does the member agree that it is also important for our skills strategy to take account of our future needs with regard to cyber resilience, not just across policing but in other sectors including businesses?
I whole-heartedly agree with the member. It is not just about skills for Police Scotland and businesses; it concerns individual householders and consumers protecting themselves against cybercrime as far as they can.
On Police Scotland, £6 million is a relatively small sum in terms of Government expenditure. It is a small price to pay to help prevent and mitigate serious harm to individuals and businesses. I am sure that ministers do not need reminding that the Scottish Police Federation has been warning for some time about the risks of underfunding the police. Ignoring such warnings simply means that we will end up playing catch-up to the criminals.
The police need the training and the tools to combat cybercrime, but the police cannot do everything, so it is important that we ensure that the public are well informed about how to protect themselves from cybercrime where possible.
I have already spoken about the widespread impact of fraud, but what really struck me was that Age Concern reports that around one in five cyberfraud victims do not report it. That was down to uncertainty about where to make a report and whether anything would even be done about it. That is important, because reporting incidents helps the police to gather intelligence on the criminals behind the scams. There is scope for the Government to help educate the public and, in the process, help to build valuable intelligence and public trust in the police’s ability to tackle the scammers.
I want to highlight a matter raised by Scottish Chambers of Commerce in a letter to the Criminal Justice Committee: the growing gap between smaller and larger businesses when it comes to cybersecurity. The organisation noted that its predominantly SME membership has raised concerns about falling behind on this front due to a lack of resources and expertise. It makes the point that cyber essentials certification can cost a small business more than £1,000, which is not an easy ask when many businesses are running on razor-thin margins. I encourage ministers to look at the SCC’s suggestion of publicly funded training at the local or regional level to help mitigate such barriers.
I urge the Scottish Government to step up and put in the resources where they are needed: in the police, public awareness and business support. Making that investment now will have a huge positive impact for many years ahead.
I call Richard Leonard.
Do you mean a different Richard?
My apologies—I meant Richard Lochhead. It was a test, minister. [Laughter.] Please go ahead.
16:59
I would have been content to pass on the responsibility to the other Richard, if he were here and he wanted to reply. [Laughter.]
In my role as Richard Lochhead, I begin by thanking the Criminal Justice Committee for securing the debate. I add my thanks to those expressed by other members to the committee for bringing this important subject to the chamber, and I welcome the valuable contributions made by members from all parties. As Sharon Dowey said, this issue is not going to go away; I have no doubt whatsoever that it will return to the chamber more and more in the years ahead.
As many members have said, the message is clear: cybercrime is not some distant threat. It is here, it is growing and it affects every single part of our society—public services, private businesses, charities and individuals. No one is immune. As many have said, too, cybercrime does not include victimless offences; it targets the vulnerable. On that note, on a recent visit to the Virgin Money branch in Keith in my constituency, the bank staff showed me how they had helped some customers—particularly vulnerable people—to spot scams and frauds. It is certain that vulnerable people are being targeted.
Cybercrime also exploits trust and undermines the principles of fairness and equality that we, as a country, strive to uphold. When a hospital system is locked down by ransomware, when a small business loses its data or is targeted, or when an individual’s identity is stolen, those injustices ripple right through our society. Cyber resilience is not only about protecting victims; it is about safeguarding the future of our country. Such resilience can no longer be seen solely as a technical issue—achieving it is a national imperative.
Digital technology is the engine of our economic growth. It drives innovation, attracts investment and connects Scotland to global markets. We welcome that, but, as Rona Mackay and others have said, we have to be clear that our economic ambitions will fail if we do not embed security and resilience at the heart of those ambitions. Every business transaction, public service and supply chain now depends on secure digital systems. A single breach can disrupt hospitals or courts, close schools or paralyse businesses and can erode public trust. The cost is not only financial; it harms our reputation and could undermine confidence in our country as a safe place in which to do business, invest, work and live.
We also recognise that the rise in cybercrime affects all sectors and that we, collectively—the Government and all our partners—need to work together to keep people safe and to secure our public and essential services. New and emerging technologies, such as AI and machine learning, bring massive opportunities for the economy and for people, but it is crucial that we are aware of the risks that they bring and the further opportunities that they offer to cybercriminals. The world is changing so fast, and we have to change at the same pace.
Cyberthreats are becoming increasingly complex and aggressive, and are being driven by nation-state activity, AI-enabled cybercrime and ransomware. We see supply chain vulnerabilities, data theft and rising regulatory demands—all those will become persistent risks. We also need to recognise the on-going geopolitical tensions that add another layer of complexity to the cyberthreat landscape. State-sponsored—[Interruption.]
I am sorry—I thought that someone was making an intervention.
State-sponsored cyberattacks primarily target state institutions and critical infrastructure and are aimed mainly at data theft, but they can also seek to influence campaigns around important elections—something that we are about to experience and that we take very seriously. Ministers certainly take the threat to elections and to our democracy very seriously.
As the cabinet secretary said in her opening remarks, we are taking action. We have the refreshed “Strategic Framework for a Cyber Resilient Scotland 2025–2030”, which the cabinet secretary launched in November, to ensure that our approach is current, ambitious and aligned with the fast-changing nature of cyberthreats and cybercrime.
Our vision is clear: Scotland thrives by being a digitally secure and resilient nation. We have to aim for that outcome. We want Scotland to be a place where individuals, organisations and businesses thrive in that secure and connected digital environment.
That approach requires a whole-nation effort and cross-party consensus. I am pleased that some members and parties have said that we must work together on the issue and that there needs to be political consensus on it. We must build the structures to make that happen through the CyberScotland Partnership and the Scottish cyber co-ordination centre.
As others have said, Police Scotland is playing its role by strengthening its cybercrime capacity, investing in its digital forensics capability and expanding international co-operation to pursue perpetrators right across the world. Working alongside the National Crime Agency, Europol and the Federal Bureau of Investigation, Police Scotland has participated in a number of global operations to target cybercrime gangs. In addition, we are working with the Crown Office and Procurator Fiscal Service to ensure that prosecutors have the right tools at their fingertips and the expertise to bring cyber criminals to justice.
It is also important that victims of cybercrime are supported. Through Police Scotland and our partners, we are improving access to clear, practical advice for individuals and organisations. We must embed trauma-informed approaches for victims of cybercrime and ensure that support services are accessible and responsive.
We are investing in cybersecurity learning in schools to build the talent pipeline, which, as Audrey Nicoll and others mentioned, is so important. Graduate pathways and diversity initiatives are in place to ensure that the cyber workforce meets future demand. When I was the Minister for Further Education, Higher Education and Science, I visited many colleges and universities, whose cybersecurity courses are producing amazing people who are playing a valuable role on behalf of the rest of the country.
On industry growth, more than 400 cybersecurity companies are now operating in Scotland, creating jobs, developing innovative products and strengthening resilience across sectors. Indeed, a few months ago, I cut the ribbon at Acumen Cyber’s new security operations centre in Glasgow. Acumen Cyber is a small Scottish company, and it was something to behold to see a massive screen on the wall that was monitoring tens of thousands of incidents. That shows what is happening out there. We might not be aware of all those things every second of every hour of every day, but we have a number of companies that are at the front line in trying to protect us and keep our organisations and our economy safe.
I could go on to list a whole number of other initiatives that are happening. This country has a lot of expertise in tackling cybercrime, but we must always make sure that we move forward, that we have the right resources available and that we have all the necessary discussions. Cybercrime is a major threat to our society and to our economy. As I said, it is very good that the committee has brought the issue to the chamber for debate, because, as technology is advancing all the time, that brings not only opportunities but threats.
As has been said, the issue will not go away. We will return to the chamber to debate it time and again. We must keep in front of it and on top of it to make sure that we protect the people of Scotland and our economy at the same time.
I call Liam Kerr to wind up the debate on behalf of the Criminal Justice Committee.
17:07
It has been a useful and important debate. On behalf of the Criminal Justice Committee, I thank all those members who have taken part in it, and I commend the Parliament for allocating time to debate what is such an important issue.
In its second paragraph, our report set out that our aim was to
“inform parliamentary debate and raise awareness of the impact of cybercrime and cyber-security.”
Rona Mackay told us that such cases are at double their pre-pandemic levels, which shows just how important it is that we put the issue on the agenda. Pauline McNeill referred to the fact that the chief constable told us that there has been significant growth in complex digitally enabled and globally driven crime, including reported sexual offending and fraud, but today’s debate has made that real.
The committee heard about “The Cost of Cyber Crime” report, which—members should note that this figure is 14 years old—set out that the estimated cost of cybercrime to the UK was £27 billion per annum. That was 14 years ago. Maggie Chapman brought that right up to date by telling us about the recorded crime in Scotland statistics, according to which cybercrimes account for more than 5 per cent of total reported crime, including more than a quarter of sexual crimes, nearly all threats and extortion crimes and nearly half of all frauds.
The Scottish crime and justice survey said that approximately 37 per cent of last year’s reported fraud involved cyber, such as online banking scams, investment scams and phishing. An estimated 4,070 sexual crimes that were recorded last year were cybercrimes, nearly 1,500 of which involved victims under the age of 18. Jamie Hepburn and many others made the point that many such crimes will not be reported. Maurice Golden raised the evidence from Age Scotland that around 20 per cent of victims of fraud-related crime do not report it. That means that the true figures are likely to be much higher.
We have heard this afternoon about some of the forms that these crimes take and just how disruptive they are. A Vodafone business survey estimated that small businesses in Scotland lose about £386 million annually due to cyberattacks. Katy Clark told us that NatWest protects us from 100 million attacks per month. That requires huge investment to defend our money.
Jamie Hepburn raised the attack on Arnold Clark in December 2022, in which a large amount of sensitive customer and corporate employee data was stolen. That sort of attack has a massive impact on employees and customers.
Pauline McNeill talked about the £300 million in lost profits at Marks & Spencer, and Liam McArthur raised the issue of the elderly, who might be targeted through emails or text messages. As Age Scotland told the committee, developments in AI and deepfakes can make things look very convincing and difficult to differentiate from the real thing.
As the cabinet secretary said, cyberattacks can cause massive disruption, reducing trust in institutions and, in our interconnected world, resulting in outcomes such as islanders being left without food, as happened following an attack on the Co-op.
The police told us how such crimes are often borderless. Rona Mackay raised an interesting point about how such crimes might involve networks of people who do not know each other except through a screen. At an individual level, life savings can be lost and data stolen, and there is the trauma that is caused by the non-consensual sharing of images and the impact of ransomware.
As the convener said when she opened the debate, it is not always easy to identify solutions, and the public, private, commercial and charitable sectors must work with the Government, the police, security services and key cybertechnology partners to develop a whole-society approach to cybercrime and cyber resilience.
This week, in her first speech in post, Blaise Metreweli, the new director general of MI6, made an interesting point when she said that
“the front line is everywhere”
in our shared struggle against cybercrime.
We have heard that there is lots of good work out there. The cabinet secretary told us of the strategic partnership between CyberScotland and the Scottish cyber co-ordination centre. Rona Mackay told us of the Scottish Government engaging closely with the UK Government and the National Cyber Security Centre. In November 2025, the Scottish Government published “The Strategic Framework for a Cyber Resilient Scotland 2025-2030”. The police have told us that they actively push out a prevention message and that, although they are there to investigate and get a positive outcome, they are also helping businesses to recover from cyberattacks. Age Scotland told the committee that people need to become more confident in reporting what has happened to them, which Maurice Golden was quick to highlight.
How do we move forward from this debate? Maggie Titmuss, the chair of the national cyber resilience advisory board, said:
“The message is clear: we must be proactive. That means building the awareness to recognise threats, the discipline to reduce risk and the readiness to respond swiftly and confidently when, not if, an attack comes.”
Fulton MacGregor raised the update that we received this morning from the SPA, which announced many welcome developments, including a new key performance indicator that counts every crime in relation to which a cyber tag has been applied on the crime system, in order to improve understanding of the scale and complexity of crime involving a cyber element. That addresses the exact point that was made about reporting.
Liam McArthur made what I thought was a really important point on the police. Cybercrime demands specialist policing skills, an investment in digital forensics, cyber and fraud specialists, cryptocurrency experts, data scientists and intelligence officers. At the outset of the debate, Sharon Dowey reminded us of the importance to the police of funding and resources, and Police Scotland’s budget submission explicitly requests additional funding for digital and cyber capability. Maurice Golden put the figure that is required at £6 million. I hope that that is in the mind of the Government when it comes to setting the budget.
Bringing things back to the proceedings of this place, I understand that the Criminal Justice Committee can look forward to receiving a written response to our report from the Cabinet Secretary for Justice and Home Affairs by mid-February next year. In that, I hope that the Scottish Government will take the opportunity to set out its progress with key partners on delivering the objectives of the cyber resilient Scotland 2025 to 2030 strategic framework.
The Scottish Government might also then update us on its progress regarding discussions with the UK Government on ensuring that the new Cyber Security and Resilience (Network and Information Systems) Bill, which is currently before the House of Commons, is fit for purpose. It is my great hope that that bill will protect citizens and the vital public and commercial IT systems on which our society relies. However, it is important that we know about the issue in Scotland.
Richard Lochhead told us about the many good companies that are working on the front line to protect us. Sharon Dowey went into that and talked about the cyber and fraud hub, which is empowering women to get involved in cybersecurity. At this point, it is important to note that Marie McNair MSP is hosting an event tomorrow on the national cybersecurity centre’s cyberfirst secondary 2 girls competition, which aims to inspire young women who have a passion for technology to explore careers in cybersecurity.
On the point that Liam Kerr made about resilience and supporting organisations that are working on the front line, we must not forget about funding to support some of the organisations and third sector organisations that are working to do ground-level, granular work. That funding can be small amounts of money, but it is important.
That is an important point and it was well made. I hope that it will be in people’s minds during the budget process and also during CyberScotland week, which will be from 23 to 28 February 2026. Such representations will be important at that time.
The Parliament’s scrutiny responsibilities for issues around the digital economy, such as AI tools, safety and resilience and prosecuting cybercrime, currently lie between the Economy and Fair Work Committee and the Criminal Justice Committee. As Liam McArthur said, it is for members in the next parliamentary session to decide what issues should be debated in that session. However, the point has been well made that we must keep those issues in mind, and the Criminal Justice Committee needs to be cognisant of them when drafting its section 6 legacy report for its successor committee.
I again thank all those who provided the Criminal Justice Committee with written and oral evidence on cybercrime and cyber resilience. That was a worthwhile piece of work and this has been a worthwhile debate. It is exactly the kind of topic that we should be debating and keeping on the agenda, and I am grateful to all the members who have contributed to the debate.
That concludes the debate on cybercrime.