Chamber and committees

Recent statistics on the uptake of early learning and childcare funded hours demonstrate the Scottish National Party Government’s investment in supporting children and families. What assessment has the minister made of those figures in relation to the evaluation of ELC expansion?

ScotWind is one of the most significant green investment opportunities of the just transition, with the potential to create thousands of high-quality jobs, strengthen our domestic supply chains and generate considerable public revenue. Will the First Minister further outline how the Scottish Government is ensuring that communities across Scotland, particularly in coastal and island areas, will see lasting economic and social benefits from ScotWind, while it also furthers our future energy security?

On the point that Liam Kerr made about resilience and supporting organisations that are working on the front line, we must not forget about funding to support some of the organisations and third sector organisations that are working to do ground-level, granular work. That funding can be small amounts of money, but it is important.

On the point that the member was making about Police Scotland and building capacity to respond to cybercrime, does the member agree that it is also important for our skills strategy to take account of our future needs with regard to cyber resilience, not just across policing but in other sectors including businesses?

On the point that Jamie Hepburn has eloquently set out about how organisations or individuals respond, one point that came out in committee was the narration by Arnold Clark of how it responded to a unique, unusual, significant and serious event, and what should be done, particularly when a ransom is demanded. That is an important part of the overall resilience strategy.

One issue that emerged during the committee’s scrutiny that has not yet been touched on, and which relates to resilience, is insurance. Businesses are perhaps more able to absorb the cost of insurance, which is an important part of a business’s overall resilience to an attack.

I am very pleased to open this afternoon’s debate on behalf of the Criminal Justice Committee. I will start with the usual thank you to committee clerks and Scottish Parliament information centre colleagues for their support on this important piece of work.

This year, the committee has had a very busy programme—it has considered four separate bills at either stage 1 or stage 2—so the time that we had available for this inquiry was limited. However, we were aware that cybercrime is an important topic that we wished to consider, especially as it affects business, vulnerable individuals and wider society.

The short factual report that we have produced does not attempt to identify solutions. Rather, we wanted to identify the scope of the problem and to stimulate public debate. It is clear from the evidence that we have received that an increased focus on cybercrime and cybersecurity needs to be put front and centre every bit as much as our focus on the risks that are posed to us by issues such as climate change.

Turning to the impact on business, we undertook a one-off oral evidence session on 14 May with stakeholders representing the police, business and vulnerable individuals. That was followed up by written evidence from business, third sector groups and the Scottish Government. One issue that became immediately clear was the impact that cybercrime can have on all levels of businesses that play a vital role in our society. We heard from NatWest bank that it currently has to defend itself against an average of 100 million attempted cyberattacks every month. That requires a huge on-going investment in staff and technology, but such defensive actions are an essential part of modern-day business.

We also heard about the impact of a ransomware cyberattack on Scotland-based business Arnold Clark. Despite having an information technology department with more than 200 staff, 12 of whom were dedicated to cybersecurity, and having an IT budget of several million pounds per annum, cyber criminals were still able to breach Arnold Clark’s systems and steal large amounts of data. The attack, which was deliberately undertaken over the Christmas period to make it far more difficult for the company to respond, had a substantial impact on Arnold Clark’s business, with about 4,000 customers affected. Although the company recovered quickly, we were told that it is still feeling the after-effects of the attack today.

I am aware that the Economy and Fair Work Committee has recently been taking evidence on the use of artificial intelligence among Scottish businesses. The latest statistics show that 17.6 per cent of Scottish businesses use AI daily and that fraud accounted for about £1.7 billion last year, with most of it occurring through social and digital media. Last month, Forrit, an Edinburgh-based content management system company, told the committee that the AI tools that it has developed

“have blocked 3.9 million cyberattacks in the past three months”—[Official Report, Economy and Fair Work Committee, 5 November 2025; c 7.]

for one of its corporate clients. That shows that we can develop effective AI tools to protect businesses and our wider economy from cybercrime.

Our committee heard from Age Scotland about the continually evolving nature of the threat to vulnerable individuals. Although phishing emails and scam phone calls still represent a major problem, new AI tools that allow criminals to manipulate their image and voice present new risks to vulnerable groups. AI-enhanced fraud scams are making it increasingly difficult for people to identify that the person with whom they are engaging is not real. That allows criminals to build up trust with a victim, thereby increasing their ability to defraud people out of cash or valuable data. Research by Age Scotland shows that about 20 per cent of elderly people who experience online fraud do not report it to the police. Some do not report it because of embarrassment, whereas others do not do so because they believe that the police could do little to help them.

We learned that the type of fraud that is being perpetrated is changing. In the past, criminals would simply have sought money, but there is now a focus on stealing personal data, which cyber criminals can package and sell to other criminals on the black market. Helping members of the public to stay informed about the evolving threat and encouraging them to report such fraud to the police remains one of the greatest challenges that we face.

In relation to the policing response, prosecution and the law, using traditional policing methods to address cybercrime is extremely difficult. The borderless nature of the digital world means that it is virtually impossible to identify where a criminal might be located. Police Scotland told us that the action that it takes is often focused on gathering threat intelligence and finding out where the weaknesses are in the system, because its ability to trace and prosecute a criminal who could be based anywhere is far more limited.

The Cyber and Fraud Centre Scotland pointed out a loophole in the criminal law. At present, it is a criminal offence to handle stolen physical goods, but no such crime exists for handling or making use of data that has been stolen in a cybercrime. The law should seek to address that loophole.

I note that the UK Government’s Cyber Security and Resilience (Network and Information Systems) Bill has just been introduced in the House of Commons. Its focus is on the security and resilience of IT systems that we rely on to carry out essential activities, and it proposes stiffer penalties for cybercrimes. I would welcome hearing about the discussions that the Scottish Government is having with the UK Government on the bill.

This year marks the 30th anniversary of Microsoft’s launch of the Windows 95 home computer. Many people consider that to be the start of the general public’s move into the online realm. Since then, our everyday experience of the digital world has moved from it being an optional extra to it being a central part of our lives.

Anyone born after 1990 has grown up in the computer age, so a large percentage of our modern-day workforce is more cyber literate than our policies might recognise. However, we must continue to invest in cyber training for all employees to ensure that their resilience and awareness keep pace.

Unfortunately, many of our public sector IT systems have not kept pace, largely due to costs and the need to procure such systems on a large scale. Our evidence taking on both cybercrime and the budget highlighted the pressing need to ensure increased capital investment in vital public IT systems.

We saw earlier this year that cyberattacks on retailers left many Scottish communities with empty supermarket shelves. We also saw attacks targeting our local authorities, which impacted on schools and many other services. Our report points out a recent Audit Scotland analysis of a cyberattack on Western Isles Council, which highlighted various issues that local and national Government must address.

We also heard about the need to ensure that key criminal justice sector partners such as the police service, courts, the prosecution service and prisons are ready to meet new challenges as they move more of their operations on to digital platforms. Maintaining public confidence in how our criminal justice system responds to calls for help or gathers evidence of crimes must be central to the capital resources that we commit to modernising our IT systems.

As a digitally dependent society, we face many challenges from bad-faith actors—both individuals and nations. They wish to steal from us, sow discontent and undermine public confidence in democracy. Ensuring robust public and private sector IT systems and embedding cyber awareness as part of everyone’s daily life must be central to Scotland’s cyber resilience strategy.

I thank all those who gave evidence to the committee, and I look forward to hearing the rest of the debate.

Thank you very much. We are near the end of our time, but I would like to follow up on a couple of points. In our previous line of questioning, we talked about existing practice and arrangements. Emma Forbes spoke about how long it can take for processes and arrangements such as MARAC to roll out—I remember when MARAC was first introduced in Scotland, and it feels like a lifetime ago.

To come back to Detective Superintendent Brown and Glyn Lloyd on the disclosure scheme, would any of the bill’s provisions change how decisions are made around disclosure or what would be disclosed? Is there sufficient awareness of the disclosure scheme? I do not think that we teased out those points earlier, so any comments that you have would be helpful.

Do you agree that there would be significant implications for the operational officers and staff who would have to inform that process? That is my concern. It would ultimately be another new responsibility that, to a certain extent, would draw people away from front-line responses. Is that a fair assessment?

The implications for resources were certainly brought out in your submission. Thank you for that.