Meeting date: Wednesday, May 24, 2017
Meeting of the Parliament 24 May 2017
Agenda: Cycle Capacity (Railways), Business Motion, Security, Portfolio Question Time, Cyber-resilience, Business Motions, Parliamentary Bureau Motions, Decision Time, National Parks
The next item of business is a debate on motion S5M-05733, in the name of John Swinney, on safe, secure and prosperous: achieving a cyber-resilient Scotland.
15:13
As we debate cybersecurity today, our thoughts are with those who were affected by the despicable attack in Manchester, and the implications for security that are now becoming clear and which were covered in the First Minister’s statement this afternoon.
What has been re-emphasised by the cyberattacks against the national health service and Monday’s attack is that, unfortunately, we, as an open society, cannot prevent all harmful incidents occurring. It is simply not possible. Opportunities have been and will, unfortunately, continue to be exploited by those who have the determination, the will and the capability to do so. What we must do is ensure that we do not let such issues drive us away from living our lives to the fullest, and we must also take the steps that it is reasonable for any Government or individuals to take to understand the nature of these attacks and prevent them from occurring.
For those in a response role, it is our duty to ensure that our arrangements are such that we can respond effectively to prevent further harm and can rigorously pursue those who seek to cause societal harm and bring them to justice in all circumstances.
Our focus in this afternoon’s debate recognises the urgency for everyone to secure their technology, data and networks from the many threats that we face, and proposes that citizens and organisations must become more resilient, aware of the risks, and able to respond and recover quickly from any kind of cyberattack.
On 12 May, there was a global cyberattack that affected the national health service across the United Kingdom. The scale and the speed of the attack were unprecedented, and it demonstrated the absolute urgency for everyone to take steps to secure their technology, data and networks from the many threats that we face online.
If we are to realise Scotland’s full potential in the digital world and the opportunities that it offers to our citizens, businesses and organisations, we must equally be aware of the new risks that that environment presents and be able to respond effectively.
The cabinet secretary is correct that our response is vital, but so is prevention. One of the key issues with the recent attack was the volume of Windows XP installations in the health service. Does the Scottish Government have a target date for removing Windows XP from the information technology estate across the Scottish Government?
The key question that we have to address is how we establish and maintain the most rigorous level of security possible on all systems that are used. In certain circumstances, there may be an appropriate use for the systems to which Mr Johnson referred. However, the crucial thing is that security arrangements must be in place to ensure that the necessary precautions are taken. I will come on to talk in more detail about all those precautions, but the key point is the importance of ensuring at all stages that we take the necessary measures to address that point. From some of the steps that we already take, it is clear that our policy approach and the requirements that we place on organisations are designed to achieve that objective.
There can be little doubt that the evolution of the internet has been the most significant development of our age. For business, digital transformation is ever present. It has been a game changer by enabling increased efficiency and international reach, as well as expanding markets, capabilities and opportunities. It has been, and will continue to be, a truly innovative force that drives economic development and prosperity.
Never before has data had such a value. In its digital form, its availability, integrity and security are critical to all businesses. Criminal exploitation of the internet is also growing rapidly. Data is the target, and businesses and citizens have lots of it. Unlike physical risks, cyber-risks are much harder to grasp, as criminals exploit systems and human vulnerabilities. Business leaders must be prepared for the cyberthreat and, more importantly, must ensure that their organisations take all steps possible to mitigate that threat.
We are used to managing risk in a digital age, but we must also consider the cyberthreat as another business risk. Any business that can successfully demonstrate that it has taken steps to protect its own and its customers’ data, as well as to respond to and bounce back from any cyberattack, is in a strong position to grow in the digital age. Organisations that can demonstrate their resilience to cybercrime can gain a competitive advantage and increased consumer confidence. Therefore, developing cyber-resilience as a core part of an organisation’s business strategy will ensure that the organisation continues to take full advantage of the internet age and to flourish into the bargain.
I am pleased to say that the Scottish Government and its partners are working together to build a strong and a cyber-resilient Scotland. We are taking action to ensure that we are adequately prepared. However, I want to be clear with Parliament that the Government cannot do that alone. It is also the responsibility of individuals and organisations, who need to take the necessary steps to ensure that they keep safe and secure online.
It has been widely commented that 80 per cent of cybercrime is indiscriminate and can be prevented by getting the basics right. That includes keeping software up to date, using proper antivirus software and making regular system back-ups. Those are simple measures that all users can and should take.
Often, our technical defences are robust but are overcome by the inadvertent actions of an individual who clicks on a link to a seemingly genuine website or potentially causes an infection by opening attachments. Social engineering is one of the simplest ways of overcoming our technical defences. We should not blame users. They are not the weakest link, as is often said; they are essential assets. Links and attachments are common in the workplace and that is why they are exploited. Therefore, part of our response must be to get the basics of online security correct. That includes raising the knowledge and awareness of all our citizens about the risks and the steps that they can take to reduce them.
As we have learned from recent events, swift action in co-ordination and sharing information limited the impact of the NHS ransomware attack. However, we must reflect on that incident, identify lessons and, more important, share those lessons with our partners so that we can help one another to put in place appropriate and effective measures to combat cybercrime.
Since I published “Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland” in November 2015, the Scottish Government has committed to providing strong leadership and direction to help individuals, businesses and organisations to make the most of the online world. We have laid the foundations to make Scotland a cyber-resilient country and achieved much already by focusing on the key strategic priorities of leadership and partnership, awareness raising, education, skills and professional development, and research and innovation.
Does the cabinet secretary agree that additional availability of computing skills teaching at all school levels would help to address some of those issues?
Obviously, computing science is an integral part of the curriculum, and it is part of some of the earliest stages of primary education. I have seen various coding initiatives in primary schools that have involved primary 3 and 4 pupils. I firmly support the importance of ensuring that young people are exposed at the earliest possible ages to computing education and that they are able to acquire the skills and attributes that are necessary for them to prosper.
Let me set out the focus of the work that has been undertaken as part of the Government’s strategy that was launched in November 2015. As part of the leadership effort, we established the national cyber-resilience leaders board in September 2016 to drive forward and implement the strategy across Scotland. That board is led by the director of the Confederation of British Industry Scotland, Hugh Aitken, and it is made up of key leaders from across the public, private and third sectors, who provide strategic direction across all our sectors.
The digital Scotland business excellence partnership has provided £400,000 to help businesses in Scotland to improve their cyber-resilience and work towards achieving the cyber essentials standard. We have focused efforts on raising awareness of cyber-risk and, since the beginning of this year, we have developed a joint cybercommunications calendar, which our partners have used to provide a consistent message across the board. We are linking closely in that work—this relates to Mr Greene’s amendment—with the UK national cyber aware campaign.
On learning and skills, we have already built cyber-resilience into the curriculum for excellence, and we are working to embed it in digital skills, as I explained in responding to Mr Lockhart’s question. We are looking at how we can fill our current gaps in the cybersecurity skills pipeline, particularly in apprenticeships and the qualifications that are on offer, and we are working to build the capacity of cybersecurity research across higher education. The University of Edinburgh recently became an academic centre of excellence in cybersecurity research, as acknowledged and endorsed by the national cybersecurity centre.
That work has been about ensuring that we have made early preparations so that we are equipped as a country to meet the challenges that we now habitually face.
I acknowledge the tremendous efforts of our national health service staff and the wider public sector in responding to the recent attack and providing assurances on the security of their networks. There was considerable cross-sector engagement during that event, and collaboration at that level is essential. It helps to demonstrate confidence in the public sector’s ability to respond to such acts.
The Government’s investment in the area is specifically to support a range of hardware and software measures to protect its information and communications technology systems, infrastructure and data; to improve its network monitoring capabilities; to boost staffing in the area, which is vital in order to have the skills available to handle the challenges; to establish and expand a cybersecurity operations centre; and for corporate education awareness and training across the board.
We recognise that, ultimately, the focus of our public sector work is about ensuring that we can gain our citizens’ trust as we increasingly move towards digital public services. With that outcome in mind, we have established a cross-public sector group on cyber-resilience, which is made up of technical and business experts from central and local government, health, procurement, education, academia and the third sector. All are focused on putting in place the necessary measures to protect public sector ICT skills.
It is essential that, across a range of different areas—on learning and skills, on the role of the private sector, on compliance with the European Union general data protection regulation and on the securing of our critical infrastructure—we make cohesive and coherent efforts to ensure that we are equipped to meet the challenges. That is the focus of the Government’s strategy and it lies at the heart of the approach that we are taking. We are doing that in an engaged and collaborative way with the private, third and public sectors to ensure that Scotland as a country is able to demonstrate cyber-resilience and that we are able to use our cybercapability as a foundation for economic opportunity in the years to come.
That the Parliament notes that the recent global cyber-attack demonstrates the urgency for everyone to secure their technology, data and networks from the many threats that are faced in the digital world; recognises the continuing and growing importance of cyber-resilience to Scotland’s safety, security and prosperity; resolves that citizens and organisations must be aware of the risks and be able to respond and recover quickly from any kind of cyber-attack if Scotland is to realise its full potential, and calls on leaders across all sectors in Scotland to consider their organisations’ resilience to cyber-attacks and take action to ensure that they have plans in place to respond and recover quickly from cyber-incidents.
15:25
Less than two weeks ago, we witnessed one of the most severe co-ordinated cyberattacks that the world has ever seen. The attack was not restricted to either Scotland or the UK; our neighbours around the world reported attacks on their IT infrastructure that, in some cases, crippled their ability to deliver critical public services.
On our shores, our NHS electronic network was hit and doctors could no longer access patients’ files. The effects were felt as hospitals asked only urgent cases to come to accident and emergency departments in order to ease the pressure on them. Appointments and operations were cancelled, and general practice surgeries were unable to access medical records.
The so-called WannaCry ransomware attack also targeted Germany’s primary railway company, the Deutsche Bahn, and Spain’s Telefónica. It is estimated that the ransomware attack affected 230,000 computers in more than 150 countries, with Europol describing the attack as “unprecedented in scale”. We should make no mistake—the events of 12 May 2017 highlighted the fragility of public IT infrastructure the world over.
For all the benefits that economic digitalisation has brought us, the shift online has opened up an emerging threat from cybercrime and cyberterrorism. Estimates from the Scottish Business Resilience Centre put the cost to the Scottish economy from cybercrime at £393 million in 2015-16. Globally, that figure could be well over half a trillion US dollars per annum. In fact, cybercrime has become such a threat that a whole industry in cyberinsurance has sprung up in recent years.
The Scottish Conservatives will support any measures that the Scottish Government takes to increase our resilience against further cyberattacks. For that reason, we welcome the tone of the Government’s motion and will support it this afternoon.
The Scottish Government made references to cybersecurity in its “Realising Scotland’s full potential in a digital world: A Digital Strategy for Scotland”, which was published this year, and in its previous cyber-resilience strategy, which was published in 2015. Nevertheless, in the light of the recent attacks, we would like more detail on what specific action is being taken to protect public services, utilities and large public networks. In particular, we would like to know the monetary value of any such investment.
The UK Government has invested heavily in cybersecurity and last year announced £2 billion of investment. A new national cybersecurity centre was set up to operate out of London under the control of Government Communications Headquarters. It is there to assist businesses, Government bodies and academia across the UK—including in Scotland—in times of need. At the time, PricewaterhouseCoopers commented:
“The UK Government is leading the way with the cyber initiatives it is putting in place. However, the Government cannot protect the UK alone. Businesses must understand the cyber threat their organisation faces and take strong protective action themselves.”
That is a really important point. There is a shared responsibility on all of us to ensure that we are prepared to deal with online threats.
Our amendment asks the Scottish Government to ensure that it is having a proactive discussion with UK-wide enforcement and intelligence agencies and Government bodies to ensure that a collaborative approach is taken. I will personally liaise with my UK Government counterpart to highlight any areas in the Digital Economy Act 2017 pertaining to cybercrime and online protection that are relevant to Scotland.
It is clear, in the aftermath of the ransomware attack, that the evidence suggests that several hospitals did not install the updates that they had received prior to the attack, which left their systems vulnerable. Daniel Johnson was right to probe into that further today by asking whether the Windows XP replacements or updates will take place in our NHS, because a co-ordinated upgrade and end-of-life plan is a necessary part of any large-scale IT project. The public sector should be no different to mainstream corporations in that regard. Preparation is everything.
The European Commission’s 2016 “European Digital Progress Report” highlighted that half the European Union’s population access public services via online platforms. That number will surely only continue to grow. A crucial pillar in our preparedness against attacks is the understanding that the threat is truly global. In a digital world, we are not shielded by being an island: a hacker in North Korea can attack a database in North Queensferry.
DigitalEurope, the digital industry’s respected trade body, recently said:
“Cybersecurity is important. However the approach must be centered on better security practices to defeat evolving threats in a global landscape”.
The digital market is borderless and virtual and it is a workplace like no other, in which there are invisible but tangible threats.
The Scottish Conservatives will support the Scottish Government’s cybersecurity plans, but our support is conditional on realistic and measurable plans being put in place. We want the Scottish Parliament to be regularly informed of progress and we want close collaboration between all Governments and agencies to ensure that a truly UK-wide cybersecurity framework is in place.
Scotland could lead the charge against global cyberthreats and cyberterrorism. I say that because just last week another major Californian cybersecurity firm announced that it will be opening a new office in Belfast, which will create 120 new jobs in an already buoyant cybersecurity and tech sector in that city. The firm was attracted to Belfast by Invest Northern Ireland, which gave it a £780,000 grant towards the new venture. Invest NI also recently awarded £5.5 million to Queen’s University Belfast to help to fund a new centre for secure IT, which brings total investment in the centre to £38 million. Belfast is becoming the world’s number 1 hub for cybersecurity, data analytics, finance technology—fintech—and blockchain technology. The skills that are required to fill those newly created posts are being nurtured locally in Queen’s University Belfast and Ulster University.
Although I appreciate the good work that is happening in Edinburgh, why cannot it also happen in Glasgow or Dundee? There must be more than words of goodwill and lip service paid to Scotland’s IT and tech industry. Targeted investment, a bank of suitably skilled workers and a can-do Government attitude can—and will—have a material and positive effect on the industry, and will open up real opportunities for jobs and growth.
Cybersecurity is so big in Northern Ireland right now that the sector has a zero per cent unemployment rate. While I let that potential sink in, I look forward to hearing the Government’s response to my comments and to listening to the rest of the debate today. This is an important debate. We simply have to get this right.
I move amendment S5M-05733, to insert at end:
“; notes that cyber-crimes are often underreported and that more data is needed for a fuller understanding of the scale of such crimes; welcomes that both the UK and Scottish governments have published cyber-security strategies; notes that a number of government, security and enforcement agencies are involved in tackling cyber-threats, and believes that both governments should communicate closely to implement these strategies and to minimise the risk of attack.”
15:33
The past few days have been very challenging and distressing for us all. It is a critical, on-going situation and it is right that we prioritise and focus on that. My thoughts are with all those families affected by the terrible attack on Monday night.
Turning to today’s debate, we must ensure that we are as safe online as we are offline. To many politicians, cybersecurity is an area in which it can often seem as if a different language is being spoken; the same is true for much of the public. As we heard in the recent debate on keeping children safe online, the internet is central to modern life, and while it brings many benefits, it also contains many risks. Cyber-resilience is an important strategy in protecting against vulnerability for individuals as well as our agencies.
The significant change to how we communicate, how we do business and how we create systems has brought considerable risks and we must always be vigilant. As quick and easy as it is for an MSP to send an email to a constituent, it can be just as quick and easy to send malware or to find the one weak spot among millions of lines of code.
I appreciate that, following the recent ransomware attack on our NHS, the Government has been active in helping businesses and organisations, but today’s debate appears to be reactive rather than proactive. Although a specific attack on a specific target is difficult to predict, the threat of such an attack is not. I appreciate the recent update from the Government on the extraordinary meeting of the national cyber-resilience leaders board, but should such meetings always have to be extraordinary?
The Scottish Government published “Safe, Secure and Prosperous: A Cyber Resilience Strategy for Scotland” in 2015. We are now two years into the five-year strategy, and it is clear that the recent attack on the NHS represents a setback to confidence in the security of information in our public services. Although I will support the Government’s motion and am inclined to support the Conservatives’ amendment, which welcomes the strategies of the UK and Scottish Governments, I want to mention the recent report of the UK Parliament’s Public Accounts Committee, which said that the UK Government needs to “raise its game” in this area and described significant skills shortages and the chaotic handling of personal data. In Scotland, we have the well-documented problems with i6 at Police Scotland and the problems at NHS 24, which raise questions of confidence in our infrastructure.
I appreciate that the Government has committed to providing a public sector action plan that will develop a set of guidelines and standards for all public sector bodies. However, as our amendment makes clear, investment is necessary to ensure that we can withstand future attacks. Improvements in infrastructure, investment in expertise and advice and the capability to build resilience all take resources, and it is difficult for our public services to prioritise when there is so much pressure on service delivery. The national cyber-resilience leaders board’s action plan is due to be approved by ministers in June, and I hope that Parliament will have the opportunity to scrutinise and monitor the plan’s implementation.
When it comes to cyberattacks, we in Scotland must not stand alone. We need to work across the UK and beyond to understand potential threats, to learn from best practice and to halt attacks as and when they strike. That process must begin with the recent attack on our NHS. We must ask why our hospitals and health centres were affected while the NHS in Wales was not. Did Wales take better pre-emptive action? Did the Scottish Government provide adequate instructions on cybersecurity prior to the attack? Was the issue given sufficient priority around the Cabinet table? I hope that those questions will be addressed by the Government in the closing speech.
According to the Government’s strategy,
“Cyber resilience is being able to prepare for, withstand, rapidly recover and learn from deliberate attacks or accidental events in the online world.”
With the attack on the NHS, we know that Scotland is not yet fully prepared to withstand such attacks and, although it has appeared to recover and deserves credit for that, we must now ensure that we are able to learn.
The world is increasingly moving online. From socialising to shopping and learning to leisure, the public—old as well as young—are conducting large parts of their lives online. As local politicians, we know that many high street banks are closing; the argument is made that most transactions now take place online. That is true for our businesses and organisations: millions of pounds’ worth of transactions take place online every day.
Cybercrime is a threat that we are all aware of, but it is also one that we believe to be underreported. It can be prevented if the right security, firewalls and precautions are in place, but computers, data and personal details are often left inadvertently exposed. We would not leave the front door or the car unlocked, but computer systems are left wide open in exactly that way. As part of my research for the debate, I found out that Britain ranks below Brazil, South Africa and China when it comes to keeping phones and laptops secure, which is a concerning statistic. Around 80 per cent of cybercrime can be prevented if we just get the basics right. That involves having strong passwords; downloading, installing and—crucially—updating security software; protecting our mobile devices and wireless networks; and being aware of suspicious emails, which often claim to be from reputable sources.
As much as we must look to individuals and businesses to take responsibility, we must ensure that here in Scotland we have the resources to tackle such crimes once they take place. We are currently in the middle of the policing 2026 strategy, and cybersecurity is one of the major challenges facing Police Scotland. We need to ensure that the right people are being recruited to fill the right roles. There is a clear need for a balanced workforce in our policing, and efforts to tackle cybercrime would benefit from that.
We also need the best minds; after all, the recent NHS situation was resolved by a self-taught individual, and we must ensure that such people can work with Police Scotland to support our agencies in being cyber-resilient and able to avoid and tackle cybercrime. Last year, I visited the Scottish crime campus at Gartcosh, which is a world-leading facility hosting specialist crime fighters. It is proof of what can be achieved by setting high-quality, highly skilled jobs alongside the right resources, but, as we know, Police Scotland is facing a significant financial challenge. We need to ensure that all our public services—from the NHS, which was attacked earlier this month, to Police Scotland—have the proper resources and investment to withstand, prevent and tackle cybercrimes.
Finally, partnership is so important, and the Scottish Government must work with the UK Government and other devolved Assemblies and agencies throughout the UK to ensure that we have the capabilities, the knowledge and the resources to keep us all safe and secure online.
I move amendment S5M-05733.2, to insert at end:
“; supports investment in public services to ensure that they are well resourced and flexible to withstand future attacks, and calls for the Scottish Government to work with partners across the UK to ensure that Scotland has the capabilities, knowledge and resources to keep people safe and secure online.”
Thank you very much. We now move to the open debate, and I call for speeches of six minutes.
15:41
On 9 February 1984, we saw the launch of the first real-time, high-value money transfer system: the clearing house automated payments system, or CHAPS. I was the project manager for the Bank of Scotland, which was the first bank ready to implement. I well remember our excitement later that year when we made our first real-time, irrevocable payment of over £1 billion. By 2011, the system had processed £1 quadrillion of transactions—in other words, a thousand million million pounds, or a 1 followed by 15 zeros.
To secure the transactions, I had to gain permission from the US Department of Defense—and sign my life away—to use what was categorised as weapons-grade encryption and digital signing software. It operated from within a black box that self-destructed if someone attempted to open it to examine its contents. The technology was—and is—as secure as one could possibly imagine, and the objective today should be to ensure that every business and individual is in possession of similarly impenetrable security. We are, but we do not all choose to implement it. My point, however, is that even if we do so, we do not necessarily use it in a way that allows it to be as secure as we might imagine it to be. For the most part, it is not the technology that fails; it is humans who fail.
The motion says that
“citizens ... must be aware of the risks”.
Indeed, in his opening remarks, John Swinney said that this should not be the responsibility of the Government alone. The history of human failure to properly use secure data systems goes back a very long way. Two thousand years ago, slaves had their heads shaved. A message was written on their scalp; the hair grew back; and the slave and the message were sent elsewhere. That was all well and good—until people realised what method was being used. Having a secret method provides no real security, and that remains true today.
Indeed, effective data security systems rely on their having been published and scrutinised to confirm that their methods are sound. However, we need to keep the keys secret and change them frequently. In the 16th century, Mary Queen of Scots used a two-cover system to protect her confidential messages. The first was a secure box with two locks and a key for each—she had one key, while the other was held by the recipient; and no one else had access to either key. Mary put her message in the box, she locked it and then it went to the recipient, who used his key to lock his lock. The box came back to Mary, who unlocked her lock, and went back to the recipient, who unlocked his. It was a secure system for transmitting a message from A to B in the 16th century, because nobody shared the key or had access to it.
The second aspect of the system was encryption of the message inside the box through a letter-substitution system. However, that is where Mary fell down. She thought that the system was totally secure, because transmission was secure, but when the message came out of the box, she forgot that it was now a bit of paper that was available to anyone who might be passing. Queen Elizabeth I picked up one of her messages and was able to unscramble it, and it formed part of the evidence at Mary Queen of Scots’ trial, which caused her to be executed. Data security is quite important.
Napoleon had le grand chiffre—the great code. Common letters of the alphabet were not always coded in the same way, so that people could not break it by analysing frequency. However, encoders started to use some of the spare codes over and over again, as place names for where the fighting was, in order to save time and effort. Wellington’s code-breaker was a guy called George Scovell and, because of the weak way in which that good system was used, he managed to break in. When Wellington got to the battle of Waterloo, he knew what Napoleon’s plans were and that led to the end of an empire. Again, that was human error.
The Enigma machine, which the Germans thought was unbreakable until 1945, was actually broken by the Poles in 1932. Bletchley Park broke a later, improved version because, every day at 6 am, the Germans sent out an encrypted weather forecast. The fact that it was in the same format and at the same time every day enabled people at Bletchley Park to break what should have been a very secure system—of course, they had to do lots of other good things as well. Once again, there was human error.
Most of us know how to drive a car, but rather fewer of us know how the mechanical bits work or how to fix them when they fail. Most of us also know how to use a computer and perhaps even use the security functions that are provided with it. However, as with a car, if we do not get an expert to service it regularly or to fix it when it fails, disaster will loom. All businesses should have regular security check-ups. They will not be free, but the cost of not doing them will be even higher. It is like insurance; it is a product that a business cannot just buy when it wants it—when its reputation is trashed and its customers have flown, paying a little bit once a year will seem very cheap.
My final example of a security problem is from the modern world. I bought a good-quality second-hand car, as I usually do, and it had all the gadgets, including a Bluetooth connection for my phone. That is good technology, but an unaware previous owner of my car had left his phone’s entire contact list in the car’s memory. Do members realise that they could do that, too? I am a good guy and I deleted it, but suppose the chief executive—
You are such a good guy that you have to wind up now, intriguing though this is, Mr Stevenson.
In that case, Presiding Officer, let me caution chief executives and chairmen of companies not to use Bluetooth in their cars unless they know how to delete data from the memory. I am a good guy and I deleted it, but not everybody is as honest and trustworthy as I am.
Oh my goodness, Mr Stevenson, I cannot wait for your book to come out: “Facts You Didn’t Know But I’m Going to Tell You Anyway.”
15:47
I refer to my entry in the register of members’ interests and the fact that I am on the board of two companies that invest in healthcare technology.
It is significant that, on a day when we are all still digesting the horrific news of a violent physical attack on our country, we are debating the need to protect ourselves from cyberattacks. The Deputy First Minister mentioned that, and I entirely endorse what he said.
Although nothing can surpass the tragic loss of so many innocent lives that Manchester witnessed, it seems to me that one of the greatest challenges that we face as a society is the sheer number and variety of threats that we must now guard against. Our enemies come in many forms, from the deadly and murderous suicide bomber of Monday night to the sophisticated cyberwarriors of two weeks ago. The ransomware attack on IT systems, which affected some 200,000 computers across 150 countries, was certainly one of the most unprecedented attacks that we have ever seen.
My comments will concentrate on our NHS, the attack on which was nothing short of spiteful, especially given the delays to patients’ treatment across the UK, and particularly in England. In Scotland, we were relatively lucky in that only 1 per cent of electronic devices were affected and the number of people whose operations required to be rescheduled was minimal. However, any delay to an operation, appointment or treatment as a result of the attack was frustrating, to say the least. Thirteen health boards were affected, and some GP surgeries.
The Cabinet Secretary for Health and Sport swiftly made a statement last week, and I am grateful for the clear manner in which she presented the known facts. Like her, I welcome the fact that there have been no reports of patient data being compromised.
I would also like to pay tribute to the IT staff in the NHS who worked extraordinarily hard to get all the affected systems back up and running. As was reported last week, very few people knew how to fix the problem, but it is a testament to those who were able to overcome it that they did so, so quickly.
I also want to thank our front-line NHS staff, who carried on serving the public as normal even if it meant a lesser reliance on IT systems to do the job. They should all be commended. The Health and Sport Committee heard yesterday from the Scottish Ambulance Service that there had been no operational impact and no loss of patient data during or after the attack.
It is plain that there are several aspects of the attack that need to be tackled, in order to ensure that future attacks can be thwarted as early as possible. Naturally, we cannot expect to prevent every attack, but as our reliance on various forms of IT continues to grow, so too will the likelihood of cybercrime. The cyberattack could have been far, far worse, and it is clear that we need to do more to ensure that our IT systems in the NHS are up to date and that we can respond to future attacks as effectively as possible.
According to the Scottish Business Resilience Centre, cybercrime cost Scotland around £394 million in 2015-16. It is an exceptionally lucrative market for those who know how to code and wish to use their talents to act maliciously. That is why we need to be on guard, but we also need people within our NHS and the wider public and private sector who possess the relevant skills to combat attacks, as and when they happen. That in turn requires people who are able to stress-test IT systems continually, so that they are protected from new viruses and malicious attacks.
I am sure that others, like me, received an interesting briefing from the University of Abertay on that point. It said that defensive cybersecurity is already fairly well established in both undergraduate and postgraduate programmes at university, with skills such as cryptography and intrusion-prevention being taught. However, it points out that offensive cybersecurity courses are not as common, and that there is a real need to consider investing in that particular avenue of learning. It says, quite simply, that
“the best way to catch a thief is to think like a thief”.
While it is clear that major ethical questions will arise, particularly in giving a new generation the skills and abilities to hack maliciously, degree programmes such as that might help to fill a skills vacancy that is all too evident across Scotland, Britain and the wider world.
Turning back to the NHS, I will focus on why the issues that I have mentioned are particularly pertinent. We know that many of our NHS health boards continue to use out-of-date software, which in many cases cannot be updated for fear of having a negative impact on the technology that is used to serve and heal patients, such as magnetic resonance imaging scanners. That software, and that updating, needs to be reviewed. The Cabinet Secretary for Health and Sport stated last week that she would seek to ascertain whether health boards have regular patching regimes in place. It would be interesting to understand whether that is indeed the case, and I hope that the cabinet secretary will report back to Parliament with an update on that in the near future.
It is abundantly clear that lessons need to be learned. Now is not the time for political posturing on the issue, but for all of us to debate, as we have, the actions that are required to ensure that such incidents are dealt with swiftly without causing public fear and panic. We must take every precaution possible to protect one of the most vital public services—the NHS. Fundamentally, I believe that long-term solutions are required for an issue such as this; short-term fixes simply will not suffice. We need to be constantly aware—let us learn from that incident and improve things.
15:53
Dr Christopher Frei, Secretary General of the World Energy Council said 12 months ago:
“We’re in the stone age of cyber security”.
That was his assessment. He went on to add that
“Real learning will only come after the 1st major incident”.
Whether the recent global cyberattack will act as a catalyst for the real learning that Dr Frei talked about remains to be seen, but it is abundantly obvious, as all speakers have acknowledged, that this is an area that will demand far greater attention in future than it has perhaps commanded to date.
In that context, I welcome the opportunity to take part in this debate on creating a cyber-resilient Scotland and I confirm that the Scottish Liberal Democrats will support the Government’s motion at decision time. Unfortunately, due to a funeral back in my constituency, I will be unable to stay until the end of the debate and for that I apologise to you, Presiding Officer, to the cabinet secretary and to my MSP colleagues.
John Swinney’s motion makes a number of important points about the serious threats that are posed and the need for far greater vigilance on the part of individuals and organisations, and he reinforced those points in his remarks. I also welcome the amendments that were lodged by Jamie Greene and Claire Baker, which helpfully reinforce the need to improve the way in which we report on and capture the scale of cybercrimes, as well as the importance of building resilience across our public services and ensuring the closest possible working and co-operation between the UK and Scottish Governments and their partners. Without those elements at the core, our collective ambition to create a safe, secure, prosperous and cyber-resilient Scotland will inevitably be frustrated.
In the brief time available to me, I will concentrate my remarks on those and related areas. It is worth acknowledging at the start that there are two types of cybercrime. There is that which uses computer software as the tool and the end target for attacks, such as the recent ransomware attack that caused so much disruption, notably across our health service—I pay tribute to those in the health service for their endeavours in that regard. There is also cyber-enabled crime, which uses computers simply as a conduit for criminal activities that also take place offline, such as identity theft and money laundering.
It is safe to say that cyberattacks across the board have been on the increase in recent years. Unfortunately, we appear some way short of being able to assess the true extent and scale of those attacks. As Her Majesty’s inspectorate of constabulary in Scotland highlighted in its crime audit last year,
“There is currently no comprehensive data on the extent of cyber-enabled crime in Scotland”.
It went on to recommend that Police Scotland develop the ability to tag all incidents and crimes that have a cyber element and that it assess the demands on policing in Scotland. Since HMICS carried out its audit, it has acknowledged that police officers have now been instructed to tag crime reports with cybercrime markers, but that still does not appear to extend to cyber-related incidents. Indeed, as recently as November last year, the Cabinet Secretary for Justice acknowledged in response to a parliamentary question from me that
“work is required to improve the evidence base on cybercrime”.—[Written Answers, 29 November 2016; S5W-4784.]
He also acknowledged that work is needed on the way in which such crime is defined, recorded and reported.
We are not clear on the extent to which Police Scotland’s failed i6 programme is inhibiting the force’s ability to track and combat cybercrimes. It has certainly deprived Police Scotland of the cost savings promised by ministers at the time of the merger of the previous forces, and that in itself will make more difficult the task of matching police resources to the scale of the cyber challenge.
The Scottish crime recording board has been asked to consider the extent to which current crime recording practice adequately captures the scale of cyber-enabled sexual crime and victimisation, particularly for children and young people. It would be helpful if the justice secretary, in concluding the debate, updated Parliament in that regard. In the meantime, we perhaps need to take care in talking about lower levels of crime overall if we are still unsure about the extent to which there has been a shift online rather than a reduction. Even now, there seems to be enough evidence to suggest something of a displacement effect, with all the challenges that that presents through issues such as identification, recording and investigation.
As I said, John Swinney is absolutely right to emphasise the need for increased vigilance and care on the part of individuals. We all have a responsibility to do what we can to protect ourselves, albeit that some will inevitably need more help in achieving that than others. At the same time, however, the way in which Government and public bodies treat personal data and information requires greater care and consideration. Mr Swinney will be aware of the concerns that Scottish Liberal Democrats had about the Scottish Government’s recent plans to create a superidentification database. Those concerns were shared by independent experts as well as the public. It is not acceptable to sacrifice personal data in the interests of administrative efficiency, so I very much welcome the recent change of heart on that.
There seems to be growing recognition of the importance of the issue among organisations and businesses. However, as the Association of British Insurers points out in its briefing, although awareness levels among businesses about cybersecurity are high, only around half of them have the basic technical controls necessary. Moreover, although preventing such attacks has to be the priority, when they occur, it is imperative that organisations and businesses have the advice, support and wherewithal to recover as quickly as possible.
Not surprisingly, the ABI makes the case for the benefits of cyberinsurance, but it is worth acknowledging, as the Government did in its 2015 strategy, that we are fortunate in the UK to have an innovative cybersecurity, goods and services industry that can help us to meet demand not just here, but globally. For that reason, I hope that the Government will agree that it is in all our interests to ensure that that sector, alongside the work being done in our world-class research community, is nurtured.
In an increasingly digital age, our future prosperity depends on our ability, individually and collectively, to embrace and make the most of digital technologies. Although those technologies open up a bewildering array of opportunities, so too do they expose us to new risks. Preventing risk completely is as impossible in the digital arena as it is anywhere else, but we can and must minimise the risks by raising awareness, being vigilant and building resilience. I welcome the opportunity for Parliament to reinforce that message this afternoon.
16:00
I declare an interest as a member of the British Computer Society, and I associate myself with my colleagues’ remarks on the appalling incident in Manchester this week.
Richard Phillips Feynman was an American theoretical physicist who was known as a pioneer of quantum mechanics and quantum computing, and for introducing the concept of nanotechnology. He was also awarded the Nobel medal for physics. During his lifetime, Mr Feynman became one of the best-known scientists in the world, and the British journal Physics World ranked him as one of the 10 greatest physicists of all time. He assisted in the development of the atomic bomb during world war two, and in the 1980s he became widely known to the public as a member of the Rogers commission, which investigated the Challenger space shuttle disaster.
I would like to highlight Mr Feynman’s experience at Los Alamos and his earlier adventures. Mr Feynman was a joker and a mischief. To pass the time while working on the Manhattan project, he grew interested in locks and security. As he was working on perhaps the most sensitive project in human history, he took it upon himself to probe the security around him. That was a cause of much frustration and annoyance to the great and the good, but he believed that he was providing a necessary check to their balances. Today, we might describe Mr Feynman as a friendly ethical hacker, but I am sure that his bosses described him as something else.
Richard Feynman did not understand how to crack safes, but he knew how to break a security system at its weakest point: the human element within it. If the Presiding Officer will allow me, I will highlight just a few of the human vulnerabilities that he exposed and detailed in his essay “Safecracker Meets Safecracker”.
Mr Feynman could pick locks. He said:
“All the secrets of the project—everything about the atomic bomb—were kept in filing cabinets”
that were locked with three-pin padlocks, which
“were as easy as pie to open.”
After he exposed the weakness of the first set of filing cabinets, they were replaced. Mr Feynman discovered that when the new cabinets were left open, it was easy to identify the first two digits of the combination lock—indeed, it was as easy as pie. After about two years of practice in Los Alamos, he was able to do that within seconds, and to do it on the Manhattan project safes, which had the same locking mechanisms as some of the filing cabinets. He discovered that when a safe was left open, he could find out at least the first two digits of its combination.
Mr Feynman understood humans as well, and he knew that, more often than not, the combination would be significant to the person who set it. Having got the first two digits, he was able to look at significant dates for the people involved and their family, and then guess at the locks’ combinations. He also knew that people wrote down lock codes. Even if they used a cipher, they would almost always use a common mathematical cipher, which he could decipher because he was a mathematical genius. He also discovered that people frequently used the same combination for different locks.
When speaking to a senior military officer while visiting a uranium storage facility at Oakridge, Mr Feynman explained the dangers of leaving the cabinets and safes open. When he returned a few months later, hoping to see new security measures in place, he discovered that he had been identified as the problem. He was no longer allowed to be left alone in a room and he was accompanied at all times, but there was no instruction to keep cabinets and safes locked.
Mr Feynman’s most significant discovery, which perturbed him because he thought that he had discovered a safe-cracker, happened when he was asked to open a safe that had been locked by a military commander who was no longer on site and which needed to be opened immediately. It was his greatest challenge, so he was very excited, but when he entered the room he discovered that the safe had been opened by a technician. After months and months of worry, with attempts to work out what had happened and discussions with the chap to get to the bottom of it, eventually all was revealed. The default setting of the safe when it was delivered by the manufacturer had never been changed, and the technician knew what the default setting was.
That highlights issues around passwords being reused, systems being left unsecured and default settings being left. Anyone who was affected by the phone hacking scandal knows how easily those things have been used just recently.
There can be a false sense of security from having a physical safe in the corner or hearing that little tick on antivirus software. There can be a failure to implement the solutions when the threat is revealed.
All that tells us that, if we do not understand the threat, we cannot protect against it. The British Computer Society has produced a number of leaders briefings and strategy documents. Part 2 of the society’s most recent set is on security. There are five tips, none of which is about computing. They are all about humans, and they concern leadership from management, cybersecurity policies, face-to-face delivery of training and a culture of openness that allows people to admit when they have made mistakes. It is a human problem that requires a human solution.
16:06
As events this week so tragically demonstrate, there are people who will wilfully seek to attack, in various ways, individuals, communities, our services and the nation’s vital infrastructure. In the area of cybercrime, it is increasingly apparent that threats and potential threats are becoming ever-more organised and, sadly, effective.
What we saw happen 10 days ago was not a random or one-off attack on the nation’s infrastructure; rather, it was the result of a predetermined and, indeed, determined act by organised forces. That is why our response and preparedness to deal with such attacks must also be determined. Eleven health boards were affected, as was the Scottish Ambulance Service. Planned procedures were cancelled. People were asked not to visit A and E unless they needed urgent and immediate action. The response from the Scottish Government was swift, although I fear that it was too late. We had been warning the Scottish Government for some time of the need for proper preparedness on the part of Scottish public bodies to the growing threat of cybercrime.
In December 2016, freedom of information requests found that more than half of our NHS boards had been subject to ransomware attacks. At that time, we called for an urgent review of cybersecurity. As recently as January, there was a similar attack on Scotland’s NHS staff, with their details being hacked. On 25 January, ministers were informed of that attack and data breach. Again, we called for a review of cybersecurity.
My colleague Richard Simpson, who is no longer in the Parliament, had regularly been asking questions on cybersecurity, specifically on Windows XP, as far back as 2010. Despite those questions, it appears that little or no action has been taken by the cabinet secretary or fellow ministers. That is quite alarming. It is also disappointing that the Cabinet Secretary for Health and Sport is not in the chamber, given that a direct attack was made on our NHS infrastructure.
I have a few specific questions that I hope the Deputy First Minister can address, and I would be happy to take interventions from him if he wants to respond directly on them. It is in all our interests to get this right.
First, why was the NHS in Scotland adversely affected by the recent cyberattacks, whereas the NHS in Wales was not? Why do we still have antiquated computer systems in our public sector infrastructure when we would not expect to have them in our homes, in our parliamentary offices or indeed here in the chamber?
Why was pre-emptive action not taken, as was done for example in Wales and which helped to prevent the cyberattacks there? What specific warnings or advice has the cabinet secretary issued to NHS Scotland to ensure that adequate resilience against cyberattacks is in place? When was any such advice given and, if it was given, will the cabinet secretary publish it as it would be welcomed by other institutions that might also face similar attacks?
What additional resources has the Scottish Government allocated in 2016-17 to specifically improve security against cyberattacks on NHS Scotland, on Scottish Government departments, and on all other agencies and organisations for which the Scottish Government has responsibility?
It would be interesting to know whether any agency or department for which the Scottish Government has responsibility has ever paid any ransom to those responsible for ransomware attacks. What advice has the Scottish Government issued on the required response to ransom demands from those responsible for cyberattacks and will that advice be published?
It is clear for all to see that the attack could have been prevented or less destructive if we had been better prepared and better resourced. The past 10 days have acted as a wake-up call to us all.
The Government has said that it will develop a set of standards and guidelines; I welcome that, but I say with regret that doing it by 2018 is not ambitious enough. Surely we can all do better than that. These are immediate attacks that are affecting our institutions right now, so 18 months is too long to wait before setting out robust guidelines and standards. I hope that the cabinet secretary will address that point in his closing remarks.
In its first three months, the national cybersecurity centre’s chief executive officer reported that the centre had handled 188 high-level cyberattacks. It has also been reported that the centre has blocked 34,550 potential attacks on Government departments and members of the public in the past six months—that is 200 cases a day. I do not think we should be waiting 18 months to put a strategy in place. We should also be quicker in moving towards accreditation of all public sector organisations to make sure that they have the essential minimum standards in place so that they can respond in a much clearer and more consistent way.
I hope that the Deputy First Minister and the Cabinet Secretary for Justice will address those issues head on. I hope that they have listened to my genuine concerns about what is happening around our infrastructure, that we can end the catalogue of IT failures that we have seen across the public sector, and that we can focus and make sure that such attacks do not happen again.
16:12
The motion, which we will support tonight, calls on
“everyone to secure their technology”,
and that is wise advice. We all know about the steps that we can take for personal security; we have been given guidance from Police Scotland. Most of us know roughly what to do about cybersecurity, and the cabinet secretary highlighted some of the training that has been done to inform people for the future.
However, I am concerned about the whole IT industry, to be perfectly honest. I was told that the equipment that I use in here would have to be replaced because we no longer support older versions. When it comes to IT, it is clear that others tell us what to do and the price that it will cost us. That is consumerism writ large. Stewart Stevenson’s car analogy does not therefore apply, because they would not say, “As of next year, we will stop repairing your car and you won’t be able to get spare parts for it.” That knocks out the standard procedure that we should all go through of inspecting, repairing or replacing something.
I am told that they do, so if that is the case, it is a further example of consumerism. The fact is that these corporations are holding us to ransom.
Cybercrime is underreported and it is important that we assess all risks and put in place mechanisms to reduce those risks. The risks are largely known, and many believe that the source of the risks that turned into the recent attack was also known. Specific hacking tools in the attacks were developed by the US National Security Agency. I would have to ask whose interests are served by such action. The tools were recently leaked by a group that was thought to be pre-empting retaliation by the US security services for the hacking of the Democratic national committee in the run-up to the presidential election. That might sound like a movie plot, but it had a significant effect.
A number of people have talked about the NHS being targeted, but that was not the case, and how we frame the attack is important. We should, quite rightly, ask those whose starting point is that the NHS was targeted why people would attack a health system. The NHS was not attacked, but its Windows vulnerability was targeted. Like many, I thank the public servants who responded so positively to that.
Regardless of where people were, this was a global attack and something that will require international co-operation. Something like the attack was widely expected. I will quote my colleague Patrick Harvie, who has said:
“the resilience of systems needs to be thought of more in line with public health than acute care”.
That is a health analogy that has some relevance. The security services and the Ministry of Defence will no doubt assure us that they have appropriate protection levels. Indeed, we heard from Stewart Stevenson earlier that a number of decades ago weapons-grade encryption was entirely possible as far as finance was concerned. There is no doubt a big cost associated with that, but we know that when a Government is prepared to spend over £200 billion on replacing a weapon system, money is not a problem.
As I said, we also know that we need to assess the risks. In that regard, I commend to members the report by the Jimmy Reid Foundation called “No Need To Be Afraid”. The motion talks about “safety, security and prosperity”, which is entirely right, and we know that in liberal democracies across the world the risks are all the same. The first and foremost one is cyberattack and the secondary ones relate to climate change and access to food and water, then onwards to individuals acting alone, none of which Trident would address. We should therefore be careful how we frame this debate.
We need a free and open internet, and it is the role of Government to protect its citizens from undue surveillance and cyberattacks, because the surveillance results in the state and the private sector using data and metadata to monitor and manipulate citizens.
I am intrigued to know what the Green Party’s position is on the Government being able to access encrypted data that we know is being used for terrorist purposes.
The Green Party is supportive of all reasonable measures to do that, but it is about proportionality. The level of surveillance that is being suggested by the UK Government—indeed, the level that takes place at the moment—does not help things at all. Taking people with us is the way to deal with things. The level of surveillance has the potential to impact on democratic participation as well, which is about more than just voting.
I have been encouraged to talk about the Shadow Brokers, who are apparently
“a group of hackers who dumped a set of files a collection of several alleged NSA hacking tools for Microsoft Windows systems, likely including multiple unknown exploits, or zero-days.”
Members can see that I am reading aloud about something that I do not know much about. Apparently, a
“Zero-day is a bug that’s unknown to the software vendor, or at least it’s not patched yet, meaning it’s almost guaranteed to work.”
We need to have international co-operation and we need to understand the relationship between the expenditure of public money and IT systems. As our “Digital rights are civil rights” document concludes,
“It should not be left to the Googles and Apples of the world to dictate the future and entice the rest of us to come along for the ride; government and society must create the space for shared consideration of the challenges and opportunities which lie ahead.”
16:18
There is nothing new or surprising about ransomware and the havoc that it can cause to vital data and computer systems. What is probably more worrying is that organisations were caught out by the latest one. Talk to software people and none of them will be surprised at all at its extent or the speed with which it managed to propagate itself around the world. It did not specifically target our NHS and it got through to only about 1 per cent of its systems, but that was still about 1,500 systems in total that should not have been exposed.
The WannaCrypt malware that caused the problem is basically in the same class of ransomware that has been doing the rounds for years, starting with the AIDS Trojan in 1989, which encrypted file names but not the data itself. Even then, the demand was that a ransom be paid to restore the file name encryption back to normal. This current one was both a Trojan that masquerades as something else that is recognisable and a worm that propagates itself around the network looking for hapless victims without the protection that they need. It is of little surprise that it had such a quick impact and was so widespread.
Interestingly, the virus software contained what is called a kill switch, which is a simple line of computer code that checks whether a web address is registered and can be located on the internet; if it is, the virus does not activate itself. As I understand it, that is how the virus was spotted and then stopped. The web address was simply registered, which stopped the virus from further executing.
So why did it happen at all? It was simply because some computer systems were out of date and were not protected from the virus. It is a wee bit like forgetting to modernise the locks on our doors and windows or the alarm systems in our house, when the clever burglar is outside with more sophisticated means than ever before of bypassing them to gain entry.
It was no surprise that this occurred, and I have no doubt that it will occur again. We have to stop using outdated computer systems that are no longer protected but are still connected to servers and networks. Data-critical systems should be upgraded and we must make sure that we regularly accept software security patches that are on offer. In fact, I do not think that it is possible to turn off Windows 10 security updates—some experts in the chamber might be able to advise us on that.
To protect data itself, experts suggest adopting what they call a 3-2-1 back-up strategy. That means that we should have three copies of all our data, two of which are on local devices but different mediums and one of which is off-site somewhere in case of the obvious risk of physical damage to or loss of the premises.
There is an on-going debate about the role of the National Security Agency in the USA, which John Finnie mentioned. It is claimed that the NSA knew about the malware some time ago but did not tell Microsoft about it to allow it to fix the problem. Microsoft had already stopped providing security updates for Windows XP around 2014, so anybody using XP was increasingly vulnerable. Ironically, the NSA was then hacked and its data was dumped online, exposing that vulnerability, which was duly exploited by the malware writers—the result was what happened earlier this month.
That clearly raises serious questions about data security, even within Government agencies in the USA, and whether there should be a presumption in favour of protecting systems as soon as a threat is known or whether it is acceptable to withhold information about cyberattacks in the interest of intelligence gathering.
Members might be aware that, a year tomorrow, the European Union’s general data protection regulation, which the cabinet secretary mentioned, will come into effect. I anticipate that the Scottish Government’s action plan, which will be published next month, will embrace that and offer guidance to all our public sector data users. I am pleased to note, too, that the UK Government will implement the EU regulation, despite its intention to leave the EU. That is perhaps another example of how we cannot really leave the digital single market in Europe. The regulation applies to data controllers and processors. If someone is covered by the Data Protection Act 1998, it is likely that they will also be covered by the GDPR.
The regulation covers such things as an individual’s right to be informed, rights of access, the right to have errors rectified and the right to have personal data deleted if one requests it, which is sometimes known as the right to be forgotten. Crucially, in the context of today’s debate, article 5 of the regulation sets out the data security requirements.
There are clearly many difficult challenges for all organisations that control and process personal data. From what I can see, any breaches of the regulation could result in fines of up to €20 million or 4 per cent of one’s turnover, whichever happens to be greater.
Data security is increasingly important in the modern world in which we live. With risks ranging from the lone hackers who might engage in attacks for mischief to the organised international criminals and terrorists who might be financially or politically motivated, the challenges are real and the risks are substantial. Good resourcing and planning, intelligence, vigilance and keeping systems and data up to date and safe are probably our best and only lines of defence against the inevitable further attempts to control our data that will surely come our way soon. Let us hope that we are ready for all those challenges when they come.
16:24
Digital technology is at the centre of our lives, our society and our economy. Whether it is new tech start-ups developing apps in the garages of suburbia, stock markets where money flies between countries in the blink of an eye, smartphones that we are glued to, or the internet of things, with every new breakthrough it can seem that the opportunities are endless. However, with opportunities come challenges—and threats.
The recent WannaCry ransomware attack was the biggest of its kind in history and demonstrated again the need for urgency and vigilance. It hit between 200,000 and 300,000 computers in 150 countries around the world—computers that were being run by organisations as varied as Renault, Deutsche Bahn, Telefónica, FedEx, Russia’s Ministry of Internal Affairs and, of course, the NHS across this country. The attack showed just how digitally interconnected we are, the risks that arise and how anyone, anywhere can be a hero—or a villain. It was a damaging and cowardly attack, and those who are responsible must be held to account.
The reasons why people hack are various, and there is no one type of cybercriminal. They could be the bored adolescent, testing their new skills against security systems. I saw in relation to the WannaCry attack that some experts suspect that one teenage hacker was responsible. They could be organised gangs pursuing fraudulent or illegal deals online, or they could be politically motivated hackers trying to find and leak state secrets. They could be state or commercially sponsored spies trying to grab classified papers. In that regard, according to today’s The Times, North Korea has emerged as a credible suspect for the WannaCry virus. The hackers could be terrorist groups looking to hack at the very fabric of our society.
Accordingly, attacks can be hard to predict, detect and destroy, which is why cyber-resilience is so important in preparing for attacks and building up firewalls brick by brick and code by code, for withstanding an onslaught when it comes, for rapidly recovering from an incident, and for learning from attacks so that they are not repeated.
As Donald Cameron did earlier, I note Abertay University’s briefing suggesting that we refocus and move from an overly defensive approach that involves cryptography and intrusion prevention to an approach that involves organisations looking at offensive cybersecurity and engaging security agents who think and act like malicious hackers and use the same tools and techniques. If that proposition is accepted, we have a need to train those people. That suggestion is worthy of consideration, so I note with interest that university’s proposals on an industry cluster cyberquarter in Dundee, and the cabinet secretary’s earlier comments about the University of Edinburgh.
Who is responsible for keeping us safe and secure online? In a way, we all are—individuals and businesses. However, the Royal Society of Edinburgh suggested in 2015 that 30 per cent of Scots lack basic digital skills. I would be interested to hear from the Government, in the cabinet secretary’s closing speech, how that will be addressed.
According to the Scottish Business Resilience Centre, 42 per cent of Scots use the same password for multiple accounts, and many did not change it when they were advised to after a security breach. As individuals, we can create stronger passwords, update software, install antivirus software, use screen locks on our mobiles and exercise caution on public wi-fi.
Liam McArthur was right to refer earlier to the Association of British Insurers’ document, “Making Sense of Cyber Insurance: A Guide for SMEs”, which states that, although 74 per cent of businesses say that cybersecurity is a high priority, only 52 per cent have the basic technical controls that are outlined in the Government’s cyber essentials scheme.
A UK Government survey estimated that, in 2014, 81 per cent of large corporations and 60 per cent of small businesses suffered a cyberbreach, with an average cost of between £600,000 and £1.15 million for large businesses and £65,000 and £115,000 for small and medium-sized enterprises, and that 66 per cent of businesses did not consider their businesses to be vulnerable to cyberthreats in the first place.
Of course, the Scottish and UK Governments have a significant role to play, along with the public sector more generally, in leading by example. The Conservative amendment rightly welcomes the fact that both the UK and Scottish Governments have published cybersecurity strategies. As the UK Government’s recent strategy puts it, we need to “defend, deter and develop” in relation to our cybersecurity capabilities. We should be factoring cyber-resilience into all new services and encouraging sharing of information about threats.
We should strengthen our critical national infrastructure sectors including energy, transport and the wider economy. Law enforcement must have the tools to track, apprehend and prosecute cybercriminals and to hit back, where that is appropriate.
Promoting awareness and education is key. Our tech-savvy children and young people should be encouraged to think about cyber-resilience. We should teach cybersecurity basics to the pensioner who is setting up online banking for the first time or Skyping their family overseas.
There are economic reasons to develop IT skills. An estimated 11,000 new IT jobs are needed each year to meet current demand, and average full-time earnings for tech specialists are 30 per cent higher than the Scottish average.
The events of a fortnight ago showed us the need for vigilance in, and the urgency of, protecting ourselves online. As everything in our daily lives becomes more connected, the challenges will only get more complex. However, there are practical steps that individuals, Governments and businesses can take to take the sting out of the tail of attacks and, ideally, to stop them happening in the first place. That is why I will vote for the motion today, albeit that I will also vote for the amendments in Jamie Greene’s and Claire Baker’s names, which rightly add to the debate.
16:30
We live in an age in which technology is fundamental for individuals, businesses and the public sector alike. Whether we are communicating with family and friends, accessing information, selling a product or providing social services such as healthcare, technology and the vast amounts of data that go with it are everyday components of our society.
Because technology has become commonplace, it is easy to overlook the security measures that are vital for defence against cyberattacks. Digital security is difficult to picture. It is not as palpable as locking the door against intruders and does not come with the urgency of a highly trained police and military force to protect against would-be attackers. However, as technology has become the norm, so too have threats from people who seek to use technology to inflict damage or harm. That is why, as the chair of the national cyber-resilience leaders board, Hugh Aitken, said,
“Cyber security is everyone’s business and we need to ensure all organisations have appropriate safeguards in place.”
Indeed, we witnessed the need for that nearly two weeks ago, when NHS computer systems across the UK were impacted by a cyberattack that reached most corners of the world. More than 200,000 computers across 150 countries were affected, including—as we have heard already—some of the biggest businesses including FedEx, Renault and Telefónica. Thankfully, no patient data from Scottish health boards were compromised, and steps were taken immediately to isolate computer systems that were affected by the attack. The ransomware that wreaked that global havoc—WannaCry, or WannaCrypt, as it is sometimes known—was stopped only after a security researcher from Devon found what is known as its kill switch.
The reality is that such cyberincidents and attempted cyberattacks will continue. It is no longer sufficient to be merely cybersecure; we must also be cyber-resilient. Organisations, businesses and the public sector must be prepared to respond, react and then get up and running again as soon as possible. Debi Ashenden, who is a leading cybersecurity professional and academic, uses the phrase “people and not patches”. Patches help to close loopholes that malware can exploit, but there is often a vulnerability in the workforce: employees can be targets, so turning them into the strongest line of defence is both important and possible.
The WannaCrypt ransomware exploited a vulnerability in the Windows server message-block protocol, but it likely gained entry via a phishing attachment or so-called social engineering, both of which use deception and are becoming more frequent and more sophisticated. According to data from Wombat Security Technologies, there were 1.2 million phishing incidents worldwide in 2016—up 65 per cent on the previous year. That research also found that work-related phishing scams are the most successful at getting people to click on them. Therefore, decisions that employees make every day can be instrumental in organisational cybersecurity.
Organisations can invest in employee education to improve their security. Simulation tools—which are short and snappy, include up-to-date, current scenarios and are run multiple times throughout the year—are ideal for improving employee awareness.
We all have a shared responsibility to ourselves, our families and our workplaces to ensure that the right protections are in place in the various technologies that we use. As we have heard, 80 per cent of cybercrime can be prevented by basic software updates, particularly for antivirus software, and by making regular or even daily system back-ups. Otherwise, it is like ensuring that the windows are shut and the door is bolted or even having a security guard posted outside and then accepting an unscheduled parcel delivery while being distracted by talking on the phone.
At national level, the antivirus vendor Cylance showed that not much is off-limits when it demonstrated hacking of the USA’s most popular voting machine and showed that tallies could be altered by outside interference. A national shield that would sit on top of existing cybersecurity systems, hunt for threat actors, analyse on-going events and behaviours, and then flag up suspicious activity may be needed. Avi Chesla of Empow described that as potentially an
“intelligent layer that sits on top ... observing”
and monitoring, which could be part of a defence infrastructure that would be able to collaborate and share information across national boundaries. That is important.
Following a meeting of the national cyber-resilience leaders board in Scotland on 16 May, delivery on an action plan to defend against potential cyberattacks in Scotland in the future was accelerated. That plan will include support for 121 public sector organisations to ensure that they get the proper training and accreditation that are needed to fight on-going cyberincidents.
The Scottish Government is taking steps to enhance resilience. Exercises are being organised for health boards and other agencies to learn lessons and mitigate the risks of future incidents. In addition, the Government’s refreshed digital strategy, which was published in April, will be supported by a £36 million digital growth fund over the next three years to help businesses to develop cybersecurity, data analytics and software engineering skills in their staff. Those positive actions will help us to achieve the Government’s goal of making Scotland a world leader in cyber-resilience, so that we approach threats with urgency, keep our data and networks secure, and stay aware of the constant cyber-risks and ensure that they never outstrip the benefits that technology brings to our society.
We move to closing speeches. I call Mary Fee. You have up to six minutes, please.
16:37
In discussing our shared ambitions to make Scotland a safer place online, I want to start by talking about issues that are still very raw and emotional, given the past 48 hours in Manchester. My heart is with the families of the young people whose lives were cruelly taken, with the injured, and with the people of Manchester. The response that immediately followed the senseless bombing shows the care and humanity that remain and that will strengthen, because we will not give in. The response came in all forms. First responders bravely ran into unknown dangers; emergency services assisted the injured; strangers took others to safety; and the wider community offered shelter, food and transport.
Online communication played a vital role in assisting people, which shows how integral it is in our lives. That is why we must promote safety and security in all our online activities and communications.
In our increasingly technological world, means of communicating are expanding—sometimes it seems that they are expanding almost daily—and making our world a much smaller place. The Government’s vision highlights the need for people to be informed and prepared, for businesses and organisations to recognise risk, and for a growing cyber-resilient community. No one can argue with that ambition.
We all have a responsibility to protect ourselves and we need to think about our own online security. How many of us use the same password or similar passwords when we are online? We shop online more, we order food and drink online, we bank online, and we talk and share thoughts and memories online. To many people, including me, the concept of being online brings new opportunities.
Online commerce is growing in Scotland and, working with the business community, we must ensure that the internet remains a safe place to carry out business. I will not pretend to be as informed as some are about cybersecurity and cyber-resilience. However, reading through the Scottish Government’s strategy to prevent and tackle cyberattacks, I see a lot of positive ambition. I believe that, to continue to prevent further attacks and promote online safety, we must place a much greater emphasis on education. The internet will continue to play a major part in our society, and teaching young people at school is a preventative step for generations to come. We rightly promote online access to the internet for our ageing and vulnerable population, but that must go hand in hand with online safety as well as the right support and help to allow them to access the internet.
Countries around the world need to respond to the increased risk of cyberattack, because we need a global response to ensure that we are all safe.
As Claire Baker pointed out, much of what we are talking about in relation to cybersecurity can sound like a foreign language to the public and to some politicians. The recent ransomware attack has brought the issue to light and has raised awareness of the threat that hackers can pose. Our public services need to have the resources available to them to ensure that further attacks do not bring down computer systems and affect service users.
Following the statements in Parliament last week and today, Anas Sarwar has raised concerns and warned of the dangers for the NHS, highlighting freedom of information requests and parliamentary questions that were asked by my former colleague Dr Richard Simpson. Those questions date back to 2010, but the Government’s response has been less than satisfactory. Action is needed—and it is needed now.
The evolving nature of online crime changes year on year. Although the Government produced a positive and ambitious strategy, it is vital that the strategy is updated every year and that the chamber is kept informed of the level of risk and attack that our public bodies face.
This has been a timely, consensual and constructive debate, with agreement across the chamber on the need to improve our online safety. We must work with the rest of the UK on the issue, which is why a future Labour Government would include cyberwarfare and cybersecurity in a complete strategic defence and security review. It is vital that cybersecurity forms an integral part of our defence and security strategy, and a Labour Government would introduce a cybersecurity charter for companies that work with the Ministry of Defence.
Several members have highlighted the role that education can play. Jamie Greene spoke of the global impact of the latest attack and Stewart Stevenson, in his own inimitable way, spoke of human failings across the centuries. Liam McArthur talked about cybercrime.
Scottish Labour’s amendment speaks of the importance of investing in our public services to ensure that they are safe and secure across their networks. Local authority budgets are under pressure, but the Government should ensure that local authorities are supported to develop and maintain cybersecurity across all our public bodies. Similarly, third sector organisations and businesses will benefit from a collaborative approach.
The Scottish Government’s aim is to create a cyber-resilient Scotland, and we will work with it to do that. We will support the Government’s motion as well as the Tory amendment, and I hope that the Government will support our amendment.
16:43
We have had an interesting debate in which a wide range of issues have been discussed. We have heard some remarkable data about the central role of the digital world in every aspect of our lives nowadays, and I will add a couple of other data points. In a business context, the contribution of the digital economy in the UK is now more than £1 billion a year. In a global context, there are more than 1.3 billion daily active users of Facebook, including many members in this chamber, I am sure. Closer to home, in the UK, we spend more time on media and communications than we spend sleeping. I am sure that members will recognise that.
We have heard that, when things go wrong, a cyberattack can have a massive impact, as the recent attack on the NHS highlighted. I add my commendations for the remarkable response of the NHS, first to the cyberattack two weeks ago and, now, to the on-going tragic events in Manchester.
Given our growing dependence on online technology and the risks that we face, we welcome today’s cross-party support for the need to increase cyber-resilience in Scotland. This evening, we will support the Government’s motion and Labour’s amendment.
I will pick up three points that were raised in the debate. First, what the term cyber-resilience means; secondly, what the key risks are that we need to address in this increasingly digital world; and, thirdly, what steps we can take to maximise cyber-resilience.
What cyber-resilience means is not necessarily clear to everyone. John Swinney and Jamie Greene highlighted that the concept of cyber-resilience stretches far beyond what we might consider to be cybersecurity. It is not just about having a firewall or downloading a new patch to prevent viruses getting through; cyber-resilience involves a whole range of other measures. It is about preparing for and defending against attacks or accidental system failures and it is about being ready to rapidly recover from those events and having contingency plans in place.
Cyber-resilience is particularly important for large organisations, such as the NHS or large banks, that might cause systemic risks if they are attacked. For such organisations, cyber-resilience is about having a whole-system approach to cyber-risk. The World Economic Forum has set out a list of cyber-resilience measures that it recommends that large organisations that may have a systemic risk should implement.
First, they should have the very latest operating systems and platforms in use. As we saw with the attack on the NHS, if up-to-date systems are not in place, a virus can easily spread.
Secondly, the organisations should have in place contingency plans that are ready to activate if there is a systems failure. I commend everyone involved in the NHS’s rapid response to the recent cyberattack for getting the system back up and running.
Thirdly, there needs to be better digital training for everyone within the organisation. A recent report by the Royal Society of Edinburgh indicated that 30 per cent of the Scottish population lacks basic digital skills. As Liam Kerr said, we need to address that.
Large organisations that may develop a systemic risk need to develop a culture of awareness of what cyber risk might look like. Cyberattacks often focus on the weakest link in an organisation. We have heard that that can often be individuals opening emails that, although addressed to them, are an entry point for the cyberattack.
We have heard that human weakness in encryption has been a common factor throughout history. I did not expect to refer to Mary Queen of Scots or Napoleon during a debate on cyber-resilience, but Mr Stevenson made sure that we had a bit of historical context within which to view today’s topic.
Smaller organisations that might not have the scale or the budget for some of the measures that I have set out, as recommended by the World Economic Forum, can still take important steps, as was explained by Willie Coffey, by keeping software updated as far as possible, externally backing up data, installing antivirus software, using strong passwords, training staff and raising awareness.
Enterprise agencies have a role to play in providing support and training in cyber-resilience. In phase 2 of the enterprise and skills review, we recommend that consideration be given to putting in place policy measures that require the enterprise agencies to prioritise cyber-resilience as part of their portfolio.
We must recognise that although all the additional measures will involve significant investment across the public and the private sectors, the risks and costs of neglecting cyber-resilience are significantly higher. We saw graphic examples of that, as Donald Cameron said, in the context of the attack on the NHS 10 days ago.
Attacks are also increasing in the private sector. According to the British Chambers of Commerce, one in five British firms was hit by a cyberattack last year and only a quarter of firms in the UK consider that they have in place adequate security measures to protect themselves. Last year, the Scottish Business Resilience Centre estimated the cost of cybercrime in Scotland to be about £394 million; UK wide, the figure is a staggering £11 billion.
Given the cost of what can go wrong if we do not have the necessary protections in place, we believe—as our amendment sets out—that additional steps need to be taken, and that additional investment and education and greater awareness of cyber-resilience are necessary.
What steps can be taken to maximise Scotland’s cyber-resilience? Our amendment sets out some of them. We support the Scottish Government’s current cybersecurity plans, but we would like specific proposals in response to the recent cyberattacks to be presented to Parliament for debate. We also want there to be closer collaboration with the UK Government and the new national cybersecurity centre. That should include active participation with the UK-wide industrial strategy as a platform to expand our skills base in the digital sector, in which the UK Government is investing more than £2 billion, and to develop our digital technology.
In addition—I raised this with the Cabinet Secretary for Education and Skills—we want action to be taken to increase the number of science, technology, engineering and mathematics teachers across Scotland. In particular, we want there to be an increase in the number of teachers who are qualified to teach computing skills, as that will be critical in enabling future generations to deal with the increasingly complex digital world.
16:51
I am very grateful for the valuable contributions that members have made, in which they raised many notable and interesting points that deserve further consideration.
We intend to accept both amendments to the motion. The tone and the nature of the debate have demonstrated a genuine interest in making sure that, as a country, we do as much as we can to enhance and improve our cybersecurity.
There is no doubt that the digital revolution has the potential to enhance the lives of everyone in Scotland, but it is vital for our security and our economy that, in using digital technology to run essential services and support our critical infrastructure, we do so with a system that is safe, secure and—importantly—resilient.
No member should be under any illusion about the threat and the enormous challenge that Scotland, the UK and countries across the world face from cyberattacks. Whether we work in the public sector, the private sector or the voluntary sector, we all have an important role to play in addressing cybersecurity and treating the need to deal with the threats that we face online as a shared responsibility. Neither the Scottish Government nor the UK Government, or even the EU, can tackle the issue alone—we must all accept that we have a collective responsibility to work collaboratively to address the risks to cybersecurity that exist.
Jamie Greene highlighted the importance of collaboration and working in partnership to tackle the issue. As a Government, we take that very seriously, as we set out in the strategy that the Deputy First Minister published back in November 2015. Bringing together the Scottish and UK Governments is a key part of that, but as well as bringing together the work that we do with the work that the new national cybersecurity centre is doing, we must bring together all the different sectors that have a part to play in the delivery of cybersecurity—in other words, the public sector, the private sector and the voluntary sector. There is no point in our taking a particular approach and having robust systems in place in the public sector if we do not share that understanding and expertise with the private sector. Harnessing and utilising the expertise of the private sector in our public and voluntary sectors is equally important, and that is the approach that we are determined to take.
I do not disagree with anything that the cabinet secretary has said, but what would be the means of collaboration between the public sector, with its own investment in IT, and the private sector—and vice versa?
I was about to come on to that very issue. That is why the Deputy First Minister created the national cyber-resilience leaders board, which is chaired by the chief executive of CBI Scotland and includes the voluntary sector, the public sector and the private sector. We now have various organisations working collaboratively to learn from and support one another in tackling some of the issues with cybersecurity, and Scotland is the only part of the UK with such a structure in place to ensure such collaboration. There is no doubt that our experience over the past few weeks of collaboration and support in dealing with the recent cyberattack provides a lesson that could be utilised in other parts of the UK, and we are more than happy to share with the UK Government our experience and the benefits that could come from it.
I turn to some of the issues that have been raised; indeed, I will address some of the myths that have been peddled in the debate, particularly the claim that this was an attack on the NHS. It was not a cybersecurity attack on the national health service; as Jamie Greene and others have pointed out, more than 150 countries were affected by it. Public sector and private sector organisations in different parts of the world were affected. It is not about the public sector not doing enough; it is about the increasing complexity of the cybersecurity challenges that we face. The reality is that many of our public sector bodies, including the NHS, and private sector companies are facing security attacks and cybercrime every day.
I fully accept the cabinet secretary’s point that it was not an attack on the NHS; if I suggested as much in my speech, I think that that was due to the impact of the limitations of time on my explanation of the situation. However, the fact that the NHS was affected by a global attack has exposed some weaknesses in our public sector that need to be addressed.
Absolutely. It is very important that we recognise the effect of the attack on some parts of our NHS, and there are clear lessons to be learned. The NHS in Wales was affected, too; at the meetings of the Cabinet Office briefing room A—COBRA—committee in which I participated and discussed the issue, the Welsh Government was represented because of some of the challenges that it was facing. There was also no doubt that the NHS in England was more adversely affected than any other part of the NHS in the UK. I also point out that two of our biggest boards in Scotland were not affected; others were affected to a limited degree; and others still were affected to a greater degree. We have to understand why that was the case. Why were some of our NHS boards not affected at all, some only on a limited basis and others to a greater degree?
So why was that?
I will make this point first, if the member does not mind. That is why the important measures that we are taking forward through the national leaders board that we have established will include a lessons-learned exercise involving NHS Scotland and the wider public sector, the private sector and the third sector in Scotland. Fortunately, we also have the benefit of the expertise of KPMG, which has offered to host the event to ensure that we learn as much as we can from such attacks.
Will the cabinet secretary give way?
I do not recall the member being in the chamber for the debate. In any case, I want to make progress on addressing the points that members have made.
Cybercrime is an important and growing issue that is also growing in complexity. The organisations that are behind such crimes are not individuals who operate from their bedrooms, but sophisticated serious organised crime groups that use multimillion-pound systems to perpetrate cyberattacks. That is why we, as a country, need to make sure that we work in a collaborative fashion.
I have had the benefit of the insight that is provided through the European cybercrime centre—EC3—programme, which is run by Europol and which works in a collaborative fashion right across Europe to tackle cybercrime. It is crucial that we maintain and protect that partnership because we know that cybercrime is underreported and that it is a growing issue. As we move forward with our policing 2026 programme, we also need to make sure that we have a workforce in the police service that is able to respond to the issues effectively.
I will draw my remarks to a close, Presiding Officer. Many valuable points were raised during the debate, and I have no doubt that the Deputy First Minister will take them away and consider them as we move forward with looking at how we can improve the delivery of cybersecurity in Scotland. Key to that is a recognition that we all have a part to play as individuals, given the ways in which we operate our computer-based systems, and that companies and the public sector play important roles in tackling cybercrime. With the work that we will take forward under the strategy, we are determined to make sure that that is what we will do here in Scotland.