:00:16. > :00:23.The next item of business is the motion 5733 in the name of John
:00:24. > :00:35.Swinney. Achieving a cyber resilient Scotland. I call on John Swinney. 12
:00:36. > :00:39.minutes, please. Thank you, presiding officer. As we debate
:00:40. > :00:49.cyber security today our thoughts are with those affected by the
:00:50. > :00:53.despicable attack in Manchester. What has been emphasised over the
:00:54. > :00:57.last few weeks with cyber attacks against the National Health Service
:00:58. > :01:04.and Monday's attack is that we as an open society cannot prevent all
:01:05. > :01:07.harmful instances occurring. It is simply not possible. Opportunities
:01:08. > :01:11.have been and will unfortunately continue to be exploited by those
:01:12. > :01:16.who have the determination, the will and the capability to do so. What we
:01:17. > :01:19.must do is ensure we do not let such issues drive us away from living our
:01:20. > :01:26.lives to the fullest and also taking the action that can involve
:01:27. > :01:30.reasonable steps for any Government or as individuals to undertake to
:01:31. > :01:32.understand the nature of these attacks. And to take reasonable
:01:33. > :01:38.steps to prevent them from occurring. For those who are responsible, it is
:01:39. > :01:42.our duty to ensure our arrangements are such that we can respond
:01:43. > :01:47.effectively to prevent further harm and rigorously pursue those who
:01:48. > :01:51.cause -- seek to cause societal harm and bring them to justice in all
:01:52. > :01:55.circumstances. Our focus on this afternoon's debate recognises the
:01:56. > :01:59.urgency for everyone to secure their technology, data and networks from
:02:00. > :02:02.the many threats that we face and proposes that citizens and
:02:03. > :02:06.organisations must become more resilient, aware of the risks and be
:02:07. > :02:11.able to respond and recover quickly from any kind of a cyber attack. On
:02:12. > :02:17.the 12th of May, there was a global cyber attack, the impact of which
:02:18. > :02:22.affected the National Health Service across the UK. The scale and speed of
:02:23. > :02:25.this attack was unprecedented and it demonstrates the absolute urgency
:02:26. > :02:30.for everyone to take steps to secure their technology, data and networks
:02:31. > :02:34.from the many threats that we face online. If we are to realise
:02:35. > :02:38.Scotland's full potential in the digital world and the opportunities
:02:39. > :02:41.it offers to our citizens, businesses and organisations, then
:02:42. > :02:46.we must also equally be aware of the new risks this environment presents
:02:47. > :02:55.and be able to respond effectively. Of course. I thank you for giving
:02:56. > :02:59.way, he is quite correct response is vital, but so is prevention. One of
:03:00. > :03:03.the key issues in the recent attack was the volume of Windows XP
:03:04. > :03:07.installations in the health service. Does the Scottish Government have a
:03:08. > :03:12.target date for removing Windows XP from the IT estate across Scottish
:03:13. > :03:16.Government? I think the key question we have to address is how do we
:03:17. > :03:20.establish and maintain the most rigorous level of security possible
:03:21. > :03:25.around all systems that are utilised? That is the key question
:03:26. > :03:28.that has to be answered, because there may well be in certain
:03:29. > :03:32.circumstances an appropriate use for some of the systems that Mr
:03:33. > :03:36.Johnson refers to, but the crucial thing is that the security
:03:37. > :03:40.arrangements have to be in place to ensure that the necessary
:03:41. > :03:43.precautions are taken. I will talk in more detail about all of these
:03:44. > :03:47.precautions. Fundamentally, the key point I would say to Mr Johnson
:03:48. > :03:51.is that there is an importance of ensuring that at all stages we take
:03:52. > :03:58.the necessary measures to address this point. If I look at some of
:03:59. > :04:02.these steps that we do take already, clearly our policy approach and the
:04:03. > :04:06.requirements we place on organisations are designed to
:04:07. > :04:09.achieve exactly that objective. There can be little doubt that the
:04:10. > :04:14.evolution of the Internet has been the most significant development of
:04:15. > :04:18.our age. For business, digital transformation is ever present. It
:04:19. > :04:22.has been a game changer, enabling increased efficiency and
:04:23. > :04:25.international reach, expanding markets, capabilities and
:04:26. > :04:30.opportunities. It has been and will continue to be a truly innovative
:04:31. > :04:35.force driving economic development and prosperity. Never before has data
:04:36. > :04:39.had such a value and in its digital form its availability, integrity and
:04:40. > :04:43.security is critical to all businesses. Criminal exploitation of
:04:44. > :04:47.the Internet is also growing rapidly, data is the target and
:04:48. > :04:55.businesses and citizens have lots of that detail. Unlike physical risks,
:04:56. > :04:57.cyber risks are much harder to grasp as criminals exploit both systems
:04:58. > :05:00.and human vulnerabilities. Business leaders must be prepared for the
:05:01. > :05:04.cyber threat and more importantly must ensure their organisations take
:05:05. > :05:10.all steps possible to mitigate that threat. We are used to managing risk
:05:11. > :05:15.in the digital age but we must also consider the cyber threat as another
:05:16. > :05:24.business risk. Any business that successfully can demonstrate that it
:05:25. > :05:29.has taken steps to respect. It is a strong position to grow in the
:05:30. > :05:34.digital age. Organisations that can demonstrate their to cybercrime can
:05:35. > :05:39.gain both a competitive advantage and increased consumer confidence.
:05:40. > :05:43.Developing a cyber resilience as a core part of an organisation's
:05:44. > :05:46.business strategy will ensure it continues to take full advantage of
:05:47. > :05:50.the Internet age and flourish into the bargain. I am pleased to say the
:05:51. > :05:55.Scottish Government and its partners are working together to build a
:05:56. > :05:59.strong and cyber resilient Scotland. We are taking action to ensure we
:06:00. > :06:03.are adequately prepared, but I want to be clear with Parliament this is
:06:04. > :06:06.not something that Government can do alone. This is also the
:06:07. > :06:10.responsibility of individuals and organisations, who need to take the
:06:11. > :06:17.necessary steps to ensure that they keep safe and secure online. It has
:06:18. > :06:20.been widely commented that 80% of cybercrime is indiscriminate and can
:06:21. > :06:25.be prevented by getting the basics right. This includes keeping
:06:26. > :06:28.software up-to-date, using proper antivirus software and making
:06:29. > :06:34.regular system back-ups. These are simple measures that all users can
:06:35. > :06:38.and should take. Often our technical defences are robust but are overcome
:06:39. > :06:43.by the inadvertent actions of an individual. Clicking on a link to a
:06:44. > :06:47.seemingly genuinely looking website or an infection potentially caused
:06:48. > :06:51.by opening attachments. Social engineering is one of the simplest
:06:52. > :06:56.ways of overcoming our technical defences. We should not blame users,
:06:57. > :07:00.they are not the weakest link, as is often said, the RSN to assets, links
:07:01. > :07:05.and attachments are common in the workplace and that's why they are
:07:06. > :07:09.exploited. Part of our response must be to get the basics of online
:07:10. > :07:13.security correct and this includes raising the knowledge and awareness
:07:14. > :07:18.level of all of our citizens to the risks and the steps they can take to
:07:19. > :07:21.reduce this. As we have learned from recent events, swift action in
:07:22. > :07:25.coordination and sharing information limited the impact of the NHS
:07:26. > :07:31.ransomware attack. However, we must also reflect upon this incident,
:07:32. > :07:35.identify the lessons and share these lessons with our partners so
:07:36. > :07:40.we can help each other to put in place the appropriate and effective
:07:41. > :07:44.measures to combat cyber crime. Since I published Safe, Secure and
:07:45. > :07:48.Prosperous, a cyber resilience strategy for Scotland back in
:07:49. > :07:51.November 2015, the Scottish Government has committed to
:07:52. > :07:54.providing strong leadership and direction to help our individuals,
:07:55. > :07:59.businesses and organisations make the most of the online world. We
:08:00. > :08:02.have laid the foundations to make Scotland a cyber resilient country,
:08:03. > :08:08.we have achieved much already by focusing delivery on key strategic
:08:09. > :08:10.priorities of leadership and partnership, awareness raising,
:08:11. > :08:14.education, skills and professional development and research and
:08:15. > :08:23.innovation. Let me outline to Parliament the focus of our work to
:08:24. > :08:27.date. Thank you. Would the Cabinet Secretary agree that additional
:08:28. > :08:33.availability of teaching computing skills at all levels of school would
:08:34. > :08:39.help address some of these issues? Obviously, computing science is an
:08:40. > :08:44.integral part of the curriculum and it is part of education in some of
:08:45. > :08:49.the early stages of primary education. I have seen various
:08:50. > :08:55.coding and initiatives in primary schools involving primary three and
:08:56. > :08:58.primary four pupils. I am firmly supportive of the importance of
:08:59. > :09:04.ensuring young people at the earliest possible ages are exposed
:09:05. > :09:07.to education on computing and are able to acquire the skills and
:09:08. > :09:14.attributes that are necessary for them to prosper. Let me set out to
:09:15. > :09:18.Parliament some of the focus of the work that's been undertaken as part
:09:19. > :09:23.of the Government strategy that was launched in November 2015. Firstly,
:09:24. > :09:26.as part of the leadership effort we established the national cyber
:09:27. > :09:30.resilience leaders board in September 2016 to drive forward and
:09:31. > :09:34.implement the strategy across Scotland. That board is led by the
:09:35. > :09:39.director of CBI Scotland and the board is made of key leaders from
:09:40. > :09:47.across the public, private and third sectors who are providing strategic
:09:48. > :09:48.direction across all of our sectors. Secondly, the digital Scotland
:09:49. > :09:52.business excellence partnership has provided £400,000 to help businesses
:09:53. > :09:55.in Scotland improve their cyber resilience and work towards achieving
:09:56. > :09:59.the Cyber Essentials standard. We focused efforts on raising awareness
:10:00. > :10:02.to cyber risk, since the beginning of this year we have developed a
:10:03. > :10:06.joint cyber communications calendar which has been used by our
:10:07. > :10:10.partners to provide a consistent message across the board and we are
:10:11. > :10:14.linking closely in this work and this relates to Mr Greene's
:10:15. > :10:18.amendment today with the UK national Cyber Aware campaign. In terms of
:10:19. > :10:21.learning and skills, we have built cyber resilience into the Curriculum
:10:22. > :10:27.for Excellence and are working to build it within digital skills. We
:10:28. > :10:31.are also looking at how we can fill the gaps that we currently have in
:10:32. > :10:34.terms of the cyber security skills pipeline, particularly around
:10:35. > :10:39.apprenticeships and the qualifications that are on offer. We
:10:40. > :10:42.are working to build the capacity of cyber security research across
:10:43. > :10:45.higher education in Scotland. The University of Edinburgh has recently
:10:46. > :10:48.become an academic centre of excellence in cyber security
:10:49. > :10:54.research. Acknowledged and endorsed by the National Cyber
:10:55. > :10:56.Security Centre. This work has been about ensuring we took early
:10:57. > :11:04.preparations to ensure we are well equipped as a country to meet the
:11:05. > :11:07.challenges we now face. I want to acknowledge the tremendous efforts
:11:08. > :11:10.of our national health service staff and the wider public sector in
:11:11. > :11:14.responding to the recent attack that took place and providing assurances
:11:15. > :11:19.around the security of their networks. There was considerable cross
:11:20. > :11:22.sector engagement during this event and collaboration at this level is
:11:23. > :11:27.an essential element and helps to demonstrate confidence in the public
:11:28. > :11:34.sector's ability to respond to such acts. The investment the Government
:11:35. > :11:38.is making in this area is specifically to support the
:11:39. > :11:41.arrangement of hardware and software measures to protect the Government's
:11:42. > :11:51.ICT systems, infrastructure and data, to improve the Government's
:11:52. > :11:56.network monitoring capabilities. To establish and expand a cyber
:11:57. > :11:59.security operations centre and corporate education awareness and
:12:00. > :12:03.training right across the board. We recognise that ultimately the focus
:12:04. > :12:09.of our public sector work is about ensuring we can gain our citizens'
:12:10. > :12:13.trust as we move towards digital public services. With that outcome
:12:14. > :12:17.in mind, we have established a cross sector public group on cyber
:12:18. > :12:21.resilience. This is made up of technical and business experts from
:12:22. > :12:24.central and local Government, from health, procurement, academia and
:12:25. > :12:27.the third sector, all of them focused on putting in place the
:12:28. > :12:32.necessary measures to protect the public sector ICT school Dodt
:12:33. > :12:38.skills. It is essential across a range of different areas, whether
:12:39. > :12:43.learning or skills or the role of the private sector, compliance with
:12:44. > :12:46.the EU General Data Protection Regulation or the security of our
:12:47. > :12:50.critical infrastructure that we take effort in a cohesive and coherent way
:12:51. > :12:54.to ensure that we are equipped to meet these challenges. That is the
:12:55. > :12:57.focus of the Government strategy. That lies at the heart of the
:12:58. > :13:01.approach we are taking and we are doing that in an engaged and
:13:02. > :13:05.collaborative way with the private, third and public sectors to ensure
:13:06. > :13:09.that Scotland is a country that's able to demonstrate cyber resilience
:13:10. > :13:18.but is also able to use our cyber capability as a foundation for
:13:19. > :13:26.economic opportunity in the years to move amendment... Thank you. Less
:13:27. > :13:29.than two weeks ago, we witnessed one of the most severe coordinated cyber
:13:30. > :13:34.attacks the world has ever seen. This attack was not isolated to
:13:35. > :13:38.Scotland, nor the UK, as our neighbours across the world reported
:13:39. > :13:42.attacks on IT infrastructure, in some cases crippling their ability
:13:43. > :13:49.to deliver public services. On our shores our NHS network was hit,
:13:50. > :13:53.doctors could no longer access patients' files. The effects were
:13:54. > :13:56.felt as hospitals were asking only urgent cases to come to A&E to
:13:57. > :14:00.ease the pressure on them, appointments were cancelled,
:14:01. > :14:06.operations were cancelled, GP surgeries unable to access records.
:14:07. > :14:11.The so-called ransomware attack also targeted Germany's primary rail
:14:12. > :14:17.link, Deutsche Bank and Spain's Telefonica. It is estimated that the
:14:18. > :14:22.ransomware attack affected 230,000 computers and over 150 countries.
:14:23. > :14:27.Europe described this attack is unprecedented in its scale. Make no
:14:28. > :14:30.mistake, the events of the 12th of May 20 17th highlighted the
:14:31. > :14:35.fragility of public IT infrastructure at the world over.
:14:36. > :14:39.For all the benefits that economic digitalisation has brought us, the
:14:40. > :14:45.shift online has opened up an emerging threat from the cybercrime
:14:46. > :14:48.and cyber terrorism. Estimates from the Scottish Business Resilience
:14:49. > :14:55.Centre put the cost to the Scottish economy from cybercrime at £393
:14:56. > :15:00.million in the year 2015, 2016. Globally that figure could be well
:15:01. > :15:04.over half a trillion US dollars. In fact, it has become such a threat
:15:05. > :15:08.that a whole industry in cyber insurance has sprung up in recent
:15:09. > :15:12.years. The Scottish Conservatives will support any measures the
:15:13. > :15:16.Scottish Government is taking to increase resilience against
:15:17. > :15:18.further attacks, for that reason we welcome the tone of the Government
:15:19. > :15:21.motion today and will be supporting it this afternoon.
:15:22. > :15:36.The Scottish Government made references to cybersecurity
:15:37. > :15:39.and in its previous cyber-resilience strategy,
:15:40. > :15:42.Nevertheless, in the light of the recent attacks,
:15:43. > :15:45.we would like more detail on what specific action is being
:15:46. > :15:47.taken to protect public services, utilities and large public networks.
:15:48. > :15:50.In particular, we would like to know the monetary value
:15:51. > :15:53.The UK Government has invested heavily in cybersecurity
:15:54. > :15:56.and last year announced £2 billion of investment.
:15:57. > :15:58.A new national cybersecurity centre was set up to operate
:15:59. > :16:01.out of London under the control of Government
:16:02. > :16:13.It is there to assist businesses, Government bodies and academia
:16:14. > :16:18.across the UK, including in Scotland, in times of need.
:16:19. > :16:23."The UK Government is leading the way with the cyber initiatives
:16:24. > :16:26.However, the Government cannot protect the UK alone.
:16:27. > :16:28.Businesses must understand the cyber threat their organisation faces
:16:29. > :16:30.and take strong protective action themselves."
:16:31. > :16:35.There is a shared responsibility on all of us to ensure
:16:36. > :16:39.that we are prepared to deal with online threats.
:16:40. > :16:46.Our amendment asks the Scottish Government to ensure
:16:47. > :16:48.that it is having a proactive discussion with UK-wide enforcement
:16:49. > :16:51.and intelligence agencies and Government bodies to ensure that
:16:52. > :17:00.I will personally liaise with my UK Government counterpart to highlight
:17:01. > :17:02.any areas in the Digital Economy Act 2017 pertaining to cybercrime
:17:03. > :17:07.and online protection that are relevant to Scotland.
:17:08. > :17:09.It is clear, in the aftermath of the ransomware attack,
:17:10. > :17:12.that the evidence suggests that several hospitals did not install
:17:13. > :17:20.the updates that they had received prior to the attack,
:17:21. > :17:26.Daniel Johnson was right to probe into that further today by asking
:17:27. > :17:28.if the Windows XP replacements or updates will take place
:17:29. > :17:31.in our NHS, because a co-ordinated upgrade and end-of-life plan
:17:32. > :17:34.is a necessary part of any large-scale IT project.
:17:35. > :17:37.The public sector should be no different to mainstream
:17:38. > :17:55.The European Commission's 2016 Digital Progress Report
:17:56. > :17:56.highlighted that half the EU's population
:17:57. > :17:58.access public services via online platforms.
:17:59. > :17:59.That number will surely only continue to grow.
:18:00. > :18:02.A crucial pillar in our preparedness against attacks is the understanding
:18:03. > :18:10.In a digital world, we are not shielded by being an island.
:18:11. > :18:16.A hacker in North Korea can attack a database in North Queensferry.
:18:17. > :18:22.DigitalEurope, the digital industry's respected trade
:18:23. > :18:25.body, recently said cybersecurity is important.
:18:26. > :18:28.However the approach must be centered on better security
:18:29. > :18:31.practices to defeat evolving threats in a global landscape.
:18:32. > :18:36.The digital market is borderless and virtual and it is a workplace
:18:37. > :18:41.like no other, in which there are invisible but tangible threats.
:18:42. > :18:47.The Scottish Conservatives will support the Scottish Government's
:18:48. > :18:49.current cybersecurity plans, but our support is conditional
:18:50. > :18:52.on realistic and measurable plans being put in place.
:18:53. > :18:58.We want the Scottish Parliament to be regularly informed of progress
:18:59. > :19:02.and we want close collaboration between all Governments and agencies
:19:03. > :19:11.to ensure that a truly UK-wide cybersecurity framework is in place.
:19:12. > :19:14.We think Scotland could lead the charge against global cyberthreats
:19:15. > :19:20.I say that because just last week another major Californian
:19:21. > :19:25.cybersecurity firm announced that it will be opening a new office
:19:26. > :19:29.in Belfast, which will create 120 new jobs in an already buoyant
:19:30. > :19:40.cybersecurity and tech sector in that city.
:19:41. > :19:42.The firm was attracted to Belfast by Invest Northern Ireland,
:19:43. > :19:51.which gave it a £780,000 grant towards the new venture.
:19:52. > :19:54.Invest NI also recently awarded £5.5 million to Queen's University
:19:55. > :19:56.to help to fund a new centre for secure IT, which
:19:57. > :19:59.brings total investment in the centre to £38 million.
:20:00. > :20:08.Belfast is becoming the world's number one hub for cybersecurity,
:20:09. > :20:10.data analytics, fintech and blockchain technology.
:20:11. > :20:17.The skills that are required to fill those newly created posts
:20:18. > :20:24.Although I appreciate the good work that is happening in Edinburgh,
:20:25. > :20:27.why cannot it also happen in Glasgow or Dundee?
:20:28. > :20:30.There must be more than words of goodwill and lip service paid
:20:31. > :20:34.Targeted investment, a bank of suitably skilled workers
:20:35. > :20:37.and a can-do Government attitude can and will have a material
:20:38. > :20:40.and positive effect on the industry, and will open up real opportunities
:20:41. > :20:48.Cybersecurity is so big in Northern Ireland right
:20:49. > :20:50.now that the sector has a zero per cent unemployment rate.
:20:51. > :20:53.While I let that potential sink in, I look forward to hearing
:20:54. > :20:56.the Government's response to my comments and to listening
:20:57. > :21:27.I now call Claire Baker to speak. Miss Baker, seven minutes, please.
:21:28. > :21:29.The past few days have been very challenging
:21:30. > :21:33.It is a critical, on-going situation and it is right that we prioritise
:21:34. > :21:37.My thoughts are with all those families affected by the terrible
:21:38. > :21:41.Turning to today's debate, we must ensure that we are as safe
:21:42. > :21:44.To many politicians, cybersecurity is an area
:21:45. > :21:46.in which it can often seem as if a different language
:21:47. > :21:49.is being spoken, the same is true for much of the public.
:21:50. > :21:52.As we heard in the recent debate on keeping children safe online,
:21:53. > :21:55.the internet is central to modern life, and while it brings
:21:56. > :21:56.many benefits, it also contains many risks.
:21:57. > :21:58.Cyber-resilience is an important strategy in protecting
:21:59. > :21:59.against vulnerability for individuals
:22:00. > :22:08.The significant change to how we communicate,
:22:09. > :22:11.how we do business and how we create systems has brought
:22:12. > :22:13.considerable risks and we must always be vigilant.
:22:14. > :22:16.As quick and easy as it is for an MSP to send
:22:17. > :22:19.an email to a constituent, it can be just as quick and easy
:22:20. > :22:22.to send malware or to find the one weak spot among millions
:22:23. > :22:24.I appreciate that, following the recent
:22:25. > :22:27.ransomware attack on our NHS, the Government has been active
:22:28. > :22:29.in helping businesses and organisations, but today's
:22:30. > :22:32.debate appears to be reactive rather than proactive.
:22:33. > :22:35.Although a specific attack on a specific target
:22:36. > :22:39.is difficult to predict, the threat of such an attack is not.
:22:40. > :22:42.I appreciate the recent update from the Government
:22:43. > :22:45.on the extraordinary meeting of the national cyber-resilience
:22:46. > :22:49.leaders board, but should such meetings always have
:22:50. > :23:09.The Scottish Government published their Safe,
:23:10. > :23:10.Secure and Prosperous: Cyber Resilience Strategy
:23:11. > :23:13.We are now two years into the five-year strategy,
:23:14. > :23:16.and it is clear that the recent attack on the NHS represents
:23:17. > :23:18.a setback to confidence in the security of information
:23:19. > :23:21.Although I will support the Government's motion
:23:22. > :23:23.and am inclined to support the Conservatives' amendment,
:23:24. > :23:25.which welcomes the strategies of the UK and Scottish Governments,
:23:26. > :23:28.I want to mention the recent report of the UK Parliament's
:23:29. > :23:30.Public Accounts Committee, which said that the UK Government
:23:31. > :23:33.needs to raise its game in this area and described significant
:23:34. > :23:35.skills shortages and the chaotic handling of personal data.
:23:36. > :23:41.In Scotland, we have the well-documented problems with i6
:23:42. > :23:43.at Police Scotland and at NHS 24, which raise questions
:23:44. > :23:48.I appreciate that the Government has committed to providing a public
:23:49. > :23:51.sector action plan that will develop a set of guidelines and standards
:23:52. > :23:59.However, as our amendment makes clear, investment is necessary
:24:00. > :24:01.to ensure that we can withstand future attacks.
:24:02. > :24:05.Improvements in infrastructure, investment in expertise and advice
:24:06. > :24:10.and the capability to build resilience all take resources,
:24:11. > :24:13.and it is difficult for our public services to prioritise
:24:14. > :24:19.when there is so much pressure on service delivery.
:24:20. > :24:21.The national cyber-resilience leaders board's action plan is due
:24:22. > :24:24.to be approved by ministers in June, and I hope that Parliament
:24:25. > :24:28.will have the opportunity to scrutinise and monitor
:24:29. > :24:35.When it comes to cyberattacks, we in Scotland must not stand alone.
:24:36. > :24:38.We need to work across the UK and beyond to understand potential
:24:39. > :24:43.threats, to learn from best practice and to halt attacks
:24:44. > :24:48.That process must begin with the recent attack on our NHS.
:24:49. > :24:51.We must ask why our hospitals and health centres were affected
:24:52. > :24:57.Did Wales take better pre-emptive action?
:24:58. > :24:59.Did the Scottish Government provide adequate instructions
:25:00. > :25:05.on cybersecurity prior to the attack?
:25:06. > :25:07.Was the issue given sufficient priority around the Cabinet table?
:25:08. > :25:10.I hope that those questions will be addressed by the Government
:25:11. > :25:18.According to the Government's strategy,
:25:19. > :25:20.cyber resilience is being able to prepare for, withstand,
:25:21. > :25:22.rapidly recover and learn from deliberate attacks
:25:23. > :25:24.or accidental events in the online world.
:25:25. > :25:28.With the attack on the NHS, we know that Scotland is not yet
:25:29. > :25:31.fully prepared to withstand such attacks and, although
:25:32. > :25:34.it has appeared to recover and deserves credit for that,
:25:35. > :25:36.we must now ensure that we are able to learn.
:25:37. > :25:39.The world is increasingly moving online.
:25:40. > :25:47.From socialising to shopping and learning to leisure,
:25:48. > :25:50.the public, old as well as young, are conducting large parts
:25:51. > :25:57.As local politicians, we know that many high street banks
:25:58. > :25:59.are closing, with the argument made that most transactions
:26:00. > :26:07.That is true for our businesses and organisations, millions
:26:08. > :26:10.of pounds worth of transactions take place online every day.
:26:11. > :26:12.Cybercrime is a threat that we are all aware of,
:26:13. > :26:15.but it is also one that we believe to be underreported.
:26:16. > :26:17.It can be prevented if the right security,
:26:18. > :26:19.firewalls and precautions are in place, but computers,
:26:20. > :26:24.data and personal details are often left inadvertently exposed.
:26:25. > :26:27.We would not leave the front door or the car unlocked,
:26:28. > :26:30.but computer systems are left wide open in exactly that way.
:26:31. > :26:33.As part of my research for the debate, I found out that
:26:34. > :26:35.Britain ranks below Brazil, South Africa and China
:26:36. > :26:38.when it comes to keeping phones and laptops secure,
:26:39. > :26:46.Around 80% of cybercrime can be prevented if we just
:26:47. > :26:56.That involves having strong passwords, downloading,
:26:57. > :26:58.installing and crucially updating security, protecting our
:26:59. > :27:00.mobile devices and wireless networks and being aware
:27:01. > :27:02.of suspicious emails, which often claim to be
:27:03. > :27:06.As much as we must look to individuals and businesses
:27:07. > :27:08.to take responsibility, we must ensure that here in Scotland
:27:09. > :27:11.we have the resources to tackle such crimes once they take place.
:27:12. > :27:14.We are currently in the middle of the policing 2026 strategy,
:27:15. > :27:16.and cybersecurity is one of the major challenges
:27:17. > :27:20.We need to ensure that the right people are being recruited
:27:21. > :27:24.There is a clear need for a balanced workforce in our policing,
:27:25. > :27:36.and efforts to tackle cybercrime would benefit from that.
:27:37. > :27:38.We also need the best minds - for example,
:27:39. > :27:40.the recent NHS situation was resolved by a self-taught
:27:41. > :27:44.such people can work with Police Scotland
:27:45. > :27:46.to support our agencies in being cyber-resilient and able
:27:47. > :27:50.Last year, I visited the Scottish crime campus at Gartcosh,
:27:51. > :27:52.which is a world-leading facility hosting specialist crime fighters.
:27:53. > :27:55.It is proof of what can be achieved by setting high-quality,
:27:56. > :27:58.highly skilled jobs alongside the right resources,
:27:59. > :28:00.but, as we know, Police Scotland is facing a significant
:28:01. > :28:08.We need to ensure that all our public services from the NHS,
:28:09. > :28:11.which was attacked earlier this month, to Police Scotland
:28:12. > :28:13.all have the proper resources and investment to withstand,
:28:14. > :28:16.Finally, partnership is so important, and the Scottish
:28:17. > :28:21.Government must work with the UK Government and other devolved
:28:22. > :28:23.assemblies and agencies throughout the UK to ensure
:28:24. > :28:25.that we have the capabilities, the knowledge and the resources
:28:26. > :28:30.to keep us all safe and secure online.
:28:31. > :28:40.Thank you very much. I've moved to the open debate. Mr Stevenson,
:28:41. > :28:45.please. On 9th February 1984, we saw
:28:46. > :28:54.the launch of the first real-time, high-value money
:28:55. > :28:55.transfer system, CHAPS. I was the project manager
:28:56. > :28:58.for the Bank of Scotland, which was the first bank
:28:59. > :29:00.ready to implement. I well remember our excitement later
:29:01. > :29:03.that year when we made our first real-time, irrevocable
:29:04. > :29:04.payment of over £1 billion. By 2011, the system had
:29:05. > :29:08.processed £1 quadrillion In other words, a thousand
:29:09. > :29:17.million million pounds, To secure the transactions,
:29:18. > :29:22.I had to gain permission from the US Department of Defense
:29:23. > :29:25.and sign my life away to use what was categorised
:29:26. > :29:27.as weapons-grade encryption It operated from within a black box
:29:28. > :29:33.that self-destructed if someone attempted to open it
:29:34. > :29:39.to examine its contents. The technology was,
:29:40. > :29:41.and is, as secure as one and the objective today should be
:29:42. > :29:45.to ensure that every business and individual is in possession
:29:46. > :29:53.of similarly impenetrable security. We are, but we do not
:29:54. > :29:57.all choose to implement it. My point, however, is that
:29:58. > :30:02.even if we do so, we do not necessarily use it in a way that
:30:03. > :30:05.allows it to be as secure For the most part, it is not
:30:06. > :30:11.the technology that fails, "Citizens, we must be
:30:12. > :30:18.aware of the risks." Indeed, in his opening remarks,
:30:19. > :30:21.John Swinney said that this should not be the responsibility
:30:22. > :30:23.of the Government alone. The history of human failure
:30:24. > :30:27.to properly use secure data systems 2,000 years ago, slaves
:30:28. > :30:35.had their heads shaved. A message was written
:30:36. > :30:37.on their scalp; the hair grew back; and the slave and the message
:30:38. > :30:40.were sent elsewhere. That was all well and good,
:30:41. > :30:43.until people realised what Having a secret method
:30:44. > :30:49.provides no real security, Indeed, effective data security
:30:50. > :30:56.systems rely on their having been published and scrutinised to confirm
:30:57. > :31:01.that their methods are sound. However, we need to keep the keys
:31:02. > :31:06.secret and change them frequently. In the 16th century,
:31:07. > :31:09.Mary Queen of Scots used a two-cover system to protect
:31:10. > :31:13.her confidential messages. The first was a secure box
:31:14. > :31:17.with two locks and a key for each - she had one key,
:31:18. > :31:19.while the other was held by the recipient, and no-one else
:31:20. > :31:24.had access to either key. Mary put her message in the box,
:31:25. > :31:28.she locked it and then it went to the recipient,
:31:29. > :31:33.who used his key to lock his lock. The box came back to Mary,
:31:34. > :31:35.who unlocked her lock, and went back to the recipient,
:31:36. > :31:39.who unlocked his. It was a secure system
:31:40. > :31:42.for transmitting a message from A to B in the 16th century,
:31:43. > :31:45.because nobody shared the key The second aspect of the system
:31:46. > :31:50.was encryption of the message inside the box through
:31:51. > :31:54.a letter-substitution system. However, that is
:31:55. > :31:56.where Mary fell down. She thought that the system
:31:57. > :31:58.was totally secure, because transmission was secure,
:31:59. > :32:01.but when the message came out of the box,
:32:02. > :32:04.she forgot that it was now a bit of paper that was available
:32:05. > :32:08.to anyone who might be passing. Queen Elizabeth I picked
:32:09. > :32:11.up one of her messages and was able to unscramble it,
:32:12. > :32:16.and it formed part of the evidence at Mary Queen of Scots' trial,
:32:17. > :32:20.which caused her to be executed. Napoleon had le grand
:32:21. > :32:28.chiffre - the great code. Common letters of the alphabet
:32:29. > :32:31.were not always coded in the same way, so that people could not break
:32:32. > :32:35.it by analysing frequency. However, encoders started to use
:32:36. > :32:38.some of the spare codes over and over again,
:32:39. > :32:43.as place names for where the fighting was, in order
:32:44. > :32:45.to save time and effort. Wellington's code-breaker was a guy
:32:46. > :32:49.called George Scovell and, because of the weak way
:32:50. > :32:54.in which that good system was used, When Wellington got to the battle
:32:55. > :33:03.of Waterloo, he knew what Napoleon's plans were and that led to the end
:33:04. > :33:06.of an empire. The Enigma machine,
:33:07. > :33:13.which the Germans thought was unbreakable until 1945,
:33:14. > :33:15.was actually broken Bletchley Park broke a later,
:33:16. > :33:18.improved version because, every day at 6am, the Germans sent
:33:19. > :33:23.out an encrypted weather forecast. The fact that it was in the same
:33:24. > :33:27.format and at the same time every day enabled people at Bletchley Park
:33:28. > :33:30.to break what should have been a very secure system, of course,
:33:31. > :33:34.they had to do lots of other good Most of us know how to drive a car,
:33:35. > :33:40.but rather fewer of us know how the mechanical bits work or how
:33:41. > :33:45.to fix them when they fail. Most of us also know how to use
:33:46. > :33:49.a computer and perhaps even use the security functions that
:33:50. > :33:50.are provided with it. However, as with a car,
:33:51. > :33:56.if we do not get an expert to service it regularly or to fix it
:33:57. > :34:00.when it fails, disaster will loom. All businesses should have
:34:01. > :34:02.regular security check-ups. They will not be free,
:34:03. > :34:05.but the cost of not doing them It is like insurance -
:34:06. > :34:11.it is a product that a business cannot just buy when it wants it,
:34:12. > :34:14.when its reputation is trashed and its customers have flown,
:34:15. > :34:17.paying a little bit once a year My final example of a security
:34:18. > :34:23.problem is from the modern world. I bought a good-quality second-hand
:34:24. > :34:27.car, as I usually do, and it had all the gadgets,
:34:28. > :34:29.including a Bluetooth That is good technology,
:34:30. > :34:34.but an unaware previous owner of my car had left his phone's
:34:35. > :34:40.entire contact list Do members realise that
:34:41. > :34:47.they could do that, too? I am a good guy and I deleted it,
:34:48. > :34:50.but suppose the chief executive... You are such a good guy that
:34:51. > :34:53.you have to wind up now, intriguing though this is,
:34:54. > :34:55.Mr Stevenson. In that case, Presiding Officer,
:34:56. > :34:58.let me caution chief executives and chairmen of companies not to use
:34:59. > :35:02.Bluetooth in their cars unless they know how to delete
:35:03. > :35:04.data from the memory. I am a good guy and I deleted it,
:35:05. > :35:08.but not everybody is as honest Oh my goodness, Mr Stevenson,
:35:09. > :35:15.I cannot wait for your book to come out: Facts You Didn't Know But I'm
:35:16. > :35:26.Going to Tell You Anyway. I refer to my entry in the register
:35:27. > :35:29.of members' interests and the fact that I am on the board of two
:35:30. > :35:32.companies that invest It is significant that, on a day
:35:33. > :35:36.when we are all still digesting the horrific news of a violent
:35:37. > :35:39.physical attack on our country, we are debating the need to protect
:35:40. > :35:43.ourselves from cyberattacks. The Deputy First Minister mentioned
:35:44. > :35:46.that, and I entirely Although nothing can surpass
:35:47. > :35:54.the tragic loss of so many innocent lives that Manchester witnessed,
:35:55. > :36:00.it seems to me that one of the greatest challenges
:36:01. > :36:02.that we face as a society is the sheer number
:36:03. > :36:04.and variety of threats Our enemies come in many forms,
:36:05. > :36:08.from the deadly and murderous suicide bomber of Monday night
:36:09. > :36:12.to the sophisticated The ransomware attack on IT systems,
:36:13. > :36:19.which affected some 200,000 computers across 150 countries,
:36:20. > :36:23.was certainly one of the most unprecedented attacks
:36:24. > :36:27.that we have ever seen. My comments will concentrate
:36:28. > :36:32.on our NHS, the attack on which was nothing short
:36:33. > :36:34.of spiteful, especially given the delays to patients'
:36:35. > :36:37.treatment across the UK, In Scotland, we were relatively
:36:38. > :36:43.lucky in that only 1% of electronic devices were affected
:36:44. > :36:46.and the number of people whose operations required to be
:36:47. > :36:50.rescheduled was minimal. However, any delay to an operation,
:36:51. > :36:53.appointment or treatment as a result of the attack was frustrating,
:36:54. > :36:58.to say the least. 13 health boards were affected,
:36:59. > :37:02.and some GP surgeries. The Cabinet Secretary for Health
:37:03. > :37:05.and Sport swiftly made a statement last week,
:37:06. > :37:07.and I am grateful for the clear manner in which she
:37:08. > :37:09.presented the known facts. Like her, I welcome the fact
:37:10. > :37:12.that there have been no reports I would also like to pay tribute
:37:13. > :37:17.to the IT staff in the NHS who worked extraordinarily hard
:37:18. > :37:20.to get all the affected systems As was reported last week,
:37:21. > :37:24.very few people knew how to fix the problem,
:37:25. > :37:27.but it is a testament to those who were able
:37:28. > :37:29.to overcome it that they did I also want to thank our front-line
:37:30. > :37:35.NHS staff, who carried on serving the public as normal even if it
:37:36. > :37:38.meant a lesser reliance on IT The Health and Sport Committee
:37:39. > :37:44.heard yesterday from the Scottish Ambulance Service
:37:45. > :37:47.that there had been no operational impact and no loss of patient data
:37:48. > :37:50.during or after the attack. It is plain that there are several
:37:51. > :37:55.aspects of the attack that need to be tackled,
:37:56. > :37:58.in order to ensure that future attacks can be thwarted
:37:59. > :38:02.as early as possible. Naturally, we cannot expect
:38:03. > :38:05.to prevent every attack, but as our reliance on various forms
:38:06. > :38:09.of IT continues to grow, so too The cyberattack could have been far,
:38:10. > :38:15.far worse, and it is clear that we need to do more to ensure
:38:16. > :38:19.that our IT systems in the NHS are up to date and that we can
:38:20. > :38:22.respond to future attacks According to the Scottish
:38:23. > :38:27.Business Resilience Centre, cybercrime cost Scotland around
:38:28. > :38:33.£394 million in 2015-16. It is an exceptionally lucrative
:38:34. > :38:36.market for those who know how to code and wish
:38:37. > :38:38.to use their talents That is why we need to be on guard,
:38:39. > :38:43.but we also need people within our NHS and the wider public
:38:44. > :38:46.and private sector who possess the relevant skills to combat
:38:47. > :38:51.attacks, as and when they happen. That in turn requires people
:38:52. > :38:54.who are able to stress-test IT systems continually,
:38:55. > :38:57.so that they are protected from I am sure that others, like me,
:38:58. > :39:07.received an interesting briefing from the University of Abertay
:39:08. > :39:09.on that point. It said that defensive cybersecurity
:39:10. > :39:12.is already fairly well established in both undergraduate
:39:13. > :39:15.and postgraduate programmes at university, with skills
:39:16. > :39:17.such as cryptography and intrusion-prevention
:39:18. > :39:20.being taught. However, it points out that
:39:21. > :39:23.offensive cybersecurity courses are not as common,
:39:24. > :39:25.and that there is a real need to consider investing in that
:39:26. > :39:29.particular avenue of learning. It says, quite simply, that,
:39:30. > :39:32."the best way to catch a thief While it is clear that major ethical
:39:33. > :39:38.questions will arise, particularly in giving
:39:39. > :39:39.a new generation the skills and abilities to hack maliciously,
:39:40. > :39:43.degree programmes such as that might help to fill a skills
:39:44. > :39:46.vacancy that is all too evident across Scotland,
:39:47. > :39:48.Britain and the wider world. Turning back to the NHS,
:39:49. > :39:53.I will focus on why the issues that I have mentioned
:39:54. > :39:56.are particularly pertinent. We know that many of our NHS health
:39:57. > :39:59.boards continue to use out-of-date software,
:40:00. > :40:02.which in many cases cannot be updated for fear of having
:40:03. > :40:06.a negative impact on the technology that is used to serve and heal
:40:07. > :40:08.patients, such as magnetic That software, and that updating,
:40:09. > :40:16.needs to be reviewed. The Cabinet Secretary for Health
:40:17. > :40:19.and Sport stated last week that she would seek to ascertain
:40:20. > :40:22.whether health boards have regular It would be interesting
:40:23. > :40:26.to understand whether that is indeed the case, and I hope
:40:27. > :40:29.that the cabinet secretary will report back to Parliament
:40:30. > :40:31.with an update on that It is abundantly clear that
:40:32. > :40:37.lessons need to be learned. Now is not the time for political
:40:38. > :40:40.posturing on the issue, but for all of us to debate,
:40:41. > :40:43.as we have, the actions that are required to ensure that such
:40:44. > :40:46.incidents are dealt with swiftly without causing public
:40:47. > :40:49.fear and panic. We must take every precaution
:40:50. > :40:52.possible to protect one of the most Fundamentally, I believe that
:40:53. > :40:58.long-term solutions are required for an issue such as this,
:40:59. > :41:01.short-term fixes simply We need to be constantly aware -
:41:02. > :41:08.let us learn from that Thank you very much. I call Liam
:41:09. > :41:23.McArthur, Mr McArthur, please. Dr Christopher Frei,
:41:24. > :41:25.Secretary General of the World Energy Council said 12
:41:26. > :41:26.months ago: "We're in the Stone Age
:41:27. > :41:28.of cyber security." He went on to add that: "Real
:41:29. > :41:31.learning will only come Whether the recent global
:41:32. > :41:35.cyberattack will act as a catalyst for the real learning that Dr Frei
:41:36. > :41:38.talked about remains to be seen, but it is abundantly obvious,
:41:39. > :41:41.as all speakers have acknowledged, that this is an area that
:41:42. > :41:43.will demand far greater attention in future than it has perhaps
:41:44. > :41:47.commanded to date. In that context, I welcome
:41:48. > :41:50.the opportunity to take part in this debate on creating a cyber-resilient
:41:51. > :41:55.Scotland and I confirm that the Scottish Liberal Democrats
:41:56. > :41:59.will support the Government's motion Unfortunately, due to a funeral
:42:00. > :42:03.back in my constituency, I will be unable to stay
:42:04. > :42:06.until the end of the debate and for that I apologise to you,
:42:07. > :42:09.Presiding Officer, to the cabinet John Swinney's motion makes
:42:10. > :42:16.a number of important points about the serious threats that
:42:17. > :42:19.are posed and the need for far greater vigilance on the part
:42:20. > :42:21.of individuals and organisations, and he reinforced those
:42:22. > :42:24.points in his remarks. I also welcome the amendments that
:42:25. > :42:27.were lodged by Jamie Greene and Claire Baker, which helpfully
:42:28. > :42:29.reinforce the need to improve the way in which we report
:42:30. > :42:32.on and capture the scale of cybercrimes, as well as
:42:33. > :42:35.the importance of building resilience across our public
:42:36. > :42:38.services and ensuring the closest possible working
:42:39. > :42:42.and co-operation between the UK and Scottish Governments
:42:43. > :42:45.and their partners. Without those elements at the core,
:42:46. > :42:47.our collective ambition to create a safe, secure,
:42:48. > :42:51.prosperous and cyber-resilient Scotland will inevitably
:42:52. > :42:54.be frustrated. In the brief time available to me,
:42:55. > :42:57.I will concentrate my remarks It is worth acknowledging
:42:58. > :43:05.at the start that there are two There is that that uses computer
:43:06. > :43:09.software as the tool and the end target for attacks,
:43:10. > :43:11.such as the recent ransomware attack that caused so much disruption,
:43:12. > :43:15.notably across our health service - I pay tribute to those
:43:16. > :43:17.in the health service There is also cyber-enabled crime,
:43:18. > :43:23.which uses computers simply as a conduit for criminal activities
:43:24. > :43:26.that also take place offline, such as identity theft
:43:27. > :43:29.and money laundering. It is safe to say that cyberattacks
:43:30. > :43:32.across the board have been Unfortunately, we appear some way
:43:33. > :43:36.short of being able to assess the true extent and scale
:43:37. > :43:41.of those attacks. As Her Majesty's inspectorate
:43:42. > :43:43.of constabulary in Scotland highlighted in its crime audit last
:43:44. > :43:45.year, "There is currently no comprehensive data on the extent
:43:46. > :43:49.of cyber-enabled crime in Scotland." It went on to recommend that
:43:50. > :43:52.Police Scotland develop the ability to tag all incidents and crimes that
:43:53. > :43:56.have a cyber element and that it assess the demands
:43:57. > :44:00.on policing in Scotland. Since HMICS carried out its audit,
:44:01. > :44:02.it has acknowledged that police officers have now been instructed
:44:03. > :44:06.to tag crime reports with cybercrime markers,
:44:07. > :44:09.but that still does not appear to extend to
:44:10. > :44:12.cyber-related incidents. Indeed, as recently as November last
:44:13. > :44:15.year, the Cabinet Secretary for Justice acknowledged in response
:44:16. > :44:17.to a parliamentary question from me that,
:44:18. > :44:19."work is required to improve He also acknowledged that work
:44:20. > :44:27.is needed on the way in which such crime is defined,
:44:28. > :44:29.recorded and reported. We are not clear on the extent
:44:30. > :44:32.to which Police Scotland's failed i6 programme is inhibiting the force's
:44:33. > :44:34.ability to track and It has certainly deprived
:44:35. > :44:39.Police Scotland of the cost savings promised by ministers at the time
:44:40. > :44:42.of the merger of the previous forces, and that in itself will make
:44:43. > :44:45.more difficult the task of matching police resources to the scale
:44:46. > :44:49.of the cyber challenge. The Scottish crime recording board
:44:50. > :44:51.has been asked to consider the extent to which current crime
:44:52. > :44:54.recording practice adequately captures the scale of cyber-enabled
:44:55. > :44:59.sexual crime and victimisation, particularly for children
:45:00. > :45:02.and young people. It would be helpful
:45:03. > :45:04.if the Justice Secretary, in concluding the debate,
:45:05. > :45:07.updated Parliament in that regard. In the meantime, we perhaps need
:45:08. > :45:11.to take care in talking about lower levels of crime overall
:45:12. > :45:14.if we are still unsure about the extent to which there has
:45:15. > :45:17.been a shift online Even now, there seems to be enough
:45:18. > :45:21.evidence to suggest something of a displacement effect,
:45:22. > :45:27.with all the challenges that that presents through issues
:45:28. > :45:28.such as identification, As I said, John Swinney
:45:29. > :45:33.is absolutely right to emphasise the need for increased vigilance
:45:34. > :45:36.and care on the part of individuals. We all have a responsibility to do
:45:37. > :45:40.what we can to protect ourselves, albeit that some will inevitably
:45:41. > :45:43.need more help in achieving At the same time, however,
:45:44. > :45:48.the way in which Government and public bodies treat personal
:45:49. > :45:50.data and information requires Mr Swinney will be aware
:45:51. > :45:54.of the concerns that Scottish Liberal Democrats had
:45:55. > :45:57.about the Scottish Government's recent plans to create
:45:58. > :45:59.a superidentification database. Those concerns were shared
:46:00. > :46:01.by independent experts It is not acceptable to sacrifice
:46:02. > :46:06.personal data in the interests of administrative efficiency,
:46:07. > :46:08.so I very much welcome the recent There seems to be growing
:46:09. > :46:14.recognition of the importance of the issue among organisations
:46:15. > :46:18.and businesses. However, as the Association
:46:19. > :46:20.of British Insurers points out in its briefing,
:46:21. > :46:21.although awareness levels among businesses about cybersecurity
:46:22. > :46:24.are high, only around half of them have the basic technical
:46:25. > :46:27.controls necessary. Moreover, although preventing such
:46:28. > :46:30.attacks has to be the priority, when they occur, it is imperative
:46:31. > :46:33.that organisations and businesses have the advice, support
:46:34. > :46:35.and wherewithal to recover Not surprisingly, the ABI makes
:46:36. > :46:40.the case for the benefits of cyberinsurance, but it is worth
:46:41. > :46:44.acknowledging, as the Government did in its 2015 strategy,
:46:45. > :46:47.that we are fortunate in the UK to have an innovative cybersecurity,
:46:48. > :46:51.goods and services industry that can help us to meet demand not just
:46:52. > :46:55.here, but globally. For that reason, I hope
:46:56. > :46:57.that the Government will agree that it is in all our interests
:46:58. > :47:00.to ensure that that sector, alongside the work being done
:47:01. > :47:02.in our world-class research In an increasingly digital age,
:47:03. > :47:09.our future prosperity depends on our ability,
:47:10. > :47:11.individually and collectively, to embrace and make the most
:47:12. > :47:14.of digital technologies. Although those technologies
:47:15. > :47:18.open up a bewildering array of opportunities,
:47:19. > :47:20.so too do they Preventing risk completely
:47:21. > :47:24.is as impossible in the digital arena as it is anywhere else,
:47:25. > :47:28.but we can and must minimise the risks by raising
:47:29. > :47:31.awareness, being vigilant I welcome the opportunity
:47:32. > :47:36.for Parliament to reinforce Thank you, Mr McCarter. I call
:47:37. > :47:48.Claire Adamson. I declare an interest as a member
:47:49. > :47:51.of the British Computer Society, and I associate myself
:47:52. > :47:53.with my colleagues' remarks on the appalling incident
:47:54. > :47:56.in Manchester this week. Richard Phillips Feynman
:47:57. > :47:59.was an American theoretical physicist who was known as a pioneer
:48:00. > :48:03.of quantum mechanics and quantum computing, and for introducing
:48:04. > :48:07.the concept of nanotechnology. He was also awarded
:48:08. > :48:12.the Nobel medal for physics. During his lifetime,
:48:13. > :48:15.Mr Feynman became one of the best-known scientists
:48:16. > :48:18.in the world, and the British journal Physics World ranked him
:48:19. > :48:21.as one of the ten greatest He assisted in the development of
:48:22. > :48:33.the atomic bomb during World War II and in the 1980s he became
:48:34. > :48:35.widely known to the public as a member of the Rogers
:48:36. > :48:38.commission, which investigated the Challenger space
:48:39. > :48:39.shuttle disaster. I would like to highlight Mr
:48:40. > :48:42.Feynman's experience at Los Alamos To pass the time while working
:48:43. > :48:48.on the Manhattan project, he grew As he was working on perhaps
:48:49. > :48:53.the most sensitive project in human history, he took it upon himself
:48:54. > :48:59.to probe the security around him. That was a cause of much
:49:00. > :49:02.frustration and annoyance to the great and the good,
:49:03. > :49:05.but he believed that he was providing a necessary
:49:06. > :49:09.check to their balances. Today, we might describe Mr Feynman
:49:10. > :49:12.as a friendly ethical hacker, but I am sure that his bosses
:49:13. > :49:17.described him as something else. Richard Feynman did not
:49:18. > :49:22.understand how to crack safes, but he knew how to break a security
:49:23. > :49:28.system at its weakest point, If the Presiding Officer
:49:29. > :49:36.will allow me, I will highlight just a few of the human vulnerabilities
:49:37. > :49:42.that he exposed and detailed in his essay "Safecracker
:49:43. > :49:46.Meets Safecracker". He said: "All the secrets
:49:47. > :49:50.of the project, everything about the atomic bomb,
:49:51. > :49:52.were kept in filing cabinets" that were locked with
:49:53. > :49:55.three-pin padlocks, which of the first set of filing cabinets,
:49:56. > :50:04.they were replaced. Mr Feynman discovered that
:50:05. > :50:09.when the new cabinets were left open, it was easy to identify
:50:10. > :50:13.the first two digits of the combination lock, indeed,
:50:14. > :50:16.it was as easy as pie. After about two years
:50:17. > :50:19.of practice in Los Alamos, he was able to do that
:50:20. > :50:22.within seconds, and to do it on the Manhattan project safes,
:50:23. > :50:27.which had the same locking mechanisms as some of
:50:28. > :50:31.the filing cabinets. He discovered that when a safe
:50:32. > :50:36.was left open, he could find out at least the first two digits
:50:37. > :50:41.of its combination. He understood humans
:50:42. > :50:44.as well, and he knew that, more often than not,
:50:45. > :50:46.the combination would be significant Having got the first two digits,
:50:47. > :50:50.he was able to look at significant dates for the people involved
:50:51. > :50:53.and their family, and then guess He also knew that people
:50:54. > :51:00.wrote down lock codes. Even if they used a cipher,
:51:01. > :51:05.they would almost always use a common mathematical cipher,
:51:06. > :51:09.which he could decipher because he He also discovered that people
:51:10. > :51:15.frequently used the same combination Explaining this to a senior military
:51:16. > :51:30.officer while visiting a uranium storage facility at
:51:30. > :51:31.Oak Ridge, he explained the dangers of leaving
:51:32. > :51:33.the cabinets and safes open. When he returned a few months later,
:51:34. > :51:37.hoping to see new security measures in place, he discovered that he had
:51:38. > :51:40.been identified as the problem. He was no longer allowed to be
:51:41. > :51:43.left alone in a room and he was accompanied at all times,
:51:44. > :51:47.but there was no instruction to keep But his most significant discovery,
:51:48. > :51:57.which perturbed him because he thought that he had
:51:58. > :51:59.discovered a safe-cracker, happened when he was asked to open
:52:00. > :52:02.a safe that had been locked by a military commander who was no
:52:03. > :52:05.longer on site and which needed It was his greatest challenge,
:52:06. > :52:17.so he was very excited, but when he entered the room
:52:18. > :52:21.he discovered that the safe had been After months and months of worry,
:52:22. > :52:25.with attempts to work out what had happened and discussions
:52:26. > :52:27.with the chap to get to the bottom of it,
:52:28. > :52:29.eventually all was revealed. The default setting of the safe
:52:30. > :52:31.when it was delivered by the manufacturer had never been
:52:32. > :52:34.changed, and the technician knew That highlights issues around
:52:35. > :52:41.passwords being reused, systems being left unsecured
:52:42. > :52:44.and default settings being left. Anyone who was affected by the phone
:52:45. > :52:54.hacking scandal knows how easily False sense of security
:52:55. > :53:02.from having a physical safe in the corner or hearing that
:53:03. > :53:10.little tick on antivirus software. Failure to implement the solutions
:53:11. > :53:12.when the threat is revealed. All that tells us that,
:53:13. > :53:15.if we do not understand the threat, The British Computer Society has
:53:16. > :53:21.produced a number of leaders' Part two of the society's most
:53:22. > :53:28.recent set is on security. There are five tips,
:53:29. > :53:32.none of which is about computing. They are all about humans,
:53:33. > :53:35.and they concern leadership from management, cybersecurity
:53:36. > :53:39.policies, face-to-face delivery of training and a culture
:53:40. > :53:42.of openness that allows people to admit when they
:53:43. > :53:45.have made mistakes. It is a human problem that
:53:46. > :53:57.requires a human solution. I call Three, to be followed by John
:53:58. > :54:03.Finnie. As events this week so tragically
:54:04. > :54:05.demonstrate, there are people who will wilfully seek to attack,
:54:06. > :54:08.in various ways, individuals, communities, our services and
:54:09. > :54:10.the nation's vital infrastructure. In the area of cybercrime,
:54:11. > :54:12.it is increasingly apparent that threats and potential threats
:54:13. > :54:16.are becoming ever-more organised What we saw happen ten days ago
:54:17. > :54:23.was not a random or one-off attack on the nation's infrastructure;
:54:24. > :54:27.rather, it was the result of a predetermined and, indeed,
:54:28. > :54:30.determined act by organised forces. That is why our response
:54:31. > :54:33.and preparedness to deal with such 11 health boards were affected, as
:54:34. > :54:42.was the Scottish Ambulance Service. People were asked not to visit A
:54:43. > :54:49.unless they needed urgent The response from the Scottish
:54:50. > :54:52.Government was swift, although I fear that it
:54:53. > :55:03.was too late. We had been warning
:55:04. > :55:05.the Scottish Government for some time of the need for proper
:55:06. > :55:08.preparedness on the part of Scottish public bodies to the growing
:55:09. > :55:10.threat of cybercrime. In December 2016, freedom
:55:11. > :55:12.of information requests found that more than half of our NHS boards had
:55:13. > :55:16.been subject to ransomware attacks. At that time, we called for
:55:17. > :55:22.an urgent review of cybersecurity. As recently as January,
:55:23. > :55:25.there was a similar attack on Scotland's NHS staff,
:55:26. > :55:31.with their details being hacked. On 25 January, ministers
:55:32. > :55:33.were informed of that Again, we called for
:55:34. > :55:43.a review of cybersecurity. My colleague Richard Simpson,
:55:44. > :55:47.who is no longer in the Parliament, had regularly been asking questions
:55:48. > :55:51.on cybersecurity, specifically Despite those questions,
:55:52. > :55:59.it appears that little or no action has been taken
:56:00. > :56:02.by the Cabinet Secretary It is also disappointing
:56:03. > :56:10.that the Cabinet Secretary for Health and Sport is not
:56:11. > :56:13.in the chamber, given that a direct attack was made
:56:14. > :56:17.on our NHS infrastructure. I have a few specific
:56:18. > :56:19.questions that I hope the Deputy First Minister can
:56:20. > :56:22.address, and I would be happy to take interventions from him
:56:23. > :56:26.if he wants to respond It is in all our interests
:56:27. > :56:30.to get this right. First, why was the NHS
:56:31. > :56:34.in Scotland adversely affected by the recent cyberattacks,
:56:35. > :56:39.whereas the NHS in Wales was not? Why do we still have antiquated
:56:40. > :56:43.computer systems in our public sector infrastructure
:56:44. > :56:46.when we would not expect to have them in our homes,
:56:47. > :56:51.in our parliamentary offices Why was pre-emptive action not
:56:52. > :57:00.taken, as was done for example in Wales and which helped to prevent
:57:01. > :57:04.the cyberattacks there? What specific warnings or advice has
:57:05. > :57:09.the Cabinet Secretary issued to NHS Scotland to ensure that adequate
:57:10. > :57:11.resilience against When was any such advice given
:57:12. > :57:18.and, if it was given, will the Cabinet Secretary publish
:57:19. > :57:23.it as it would be welcomed by other institutions that might also
:57:24. > :57:27.face similar attacks? What additional resources has
:57:28. > :57:30.the Scottish Government allocated in 2016-17 to specifically improve
:57:31. > :57:36.security against cyberattacks on NHS Scotland, on Scottish Government
:57:37. > :57:40.departments, and on all other agencies and organisations
:57:41. > :57:43.for which the Scottish Government It would be interesting to know
:57:44. > :57:50.whether any agency or department for which the Scottish Government
:57:51. > :57:54.has responsibility has ever paid any ransom to those responsible
:57:55. > :57:59.for ransomware attacks. What advice has the Scottish
:58:00. > :58:02.Government issued on the required response to ransom demands
:58:03. > :58:05.from those responsible for cyberattacks and will that
:58:06. > :58:11.advice be published? It is clear for all to see
:58:12. > :58:15.that the attack could have been prevented or less destructive
:58:16. > :58:19.if we had been better prepared The past ten days have acted
:58:20. > :58:31.as a wake-up call to us all. The Government has said that it
:58:32. > :58:36.will develop a set of standards and guidelines, and I welcome that,
:58:37. > :58:39.but I say with regret that doing it Surely we can all do
:58:40. > :58:44.better than that. These are immediate attacks that
:58:45. > :58:48.are affecting our institutions right now, so 18 months is too long
:58:49. > :58:52.to wait before setting out I hope that the Cabinet Secretary
:58:53. > :58:59.will address that point In its first three months,
:59:00. > :59:04.the national cybersecurity centre's chief executive officer reported
:59:05. > :59:07.that the centre had handled It has also been reported
:59:08. > :59:12.that the centre has blocked 34,550 potential attacks on Government
:59:13. > :59:15.departments and members of the public in the past six
:59:16. > :59:26.months, that is 200 cases a day. I do not think we should be
:59:27. > :59:30.waiting 18 months We should also be quicker in moving
:59:31. > :59:34.towards accreditation of all public sector organisations to make sure
:59:35. > :59:37.that they have the essential minimum standards in place so that they can
:59:38. > :59:40.respond in a much clearer I hope that the Deputy First
:59:41. > :59:47.Minister and the Cabinet Secretary for Justice will address those
:59:48. > :59:51.issues head on. I hope that they have listened
:59:52. > :59:55.to my genuine concerns about what is happening
:59:56. > :59:58.around our infrastructure, that we can end the catalogue of IT
:59:59. > :00:01.failures that we have seen across the public sector,
:00:02. > :00:04.and that we can focus and make sure that such attacks
:00:05. > :00:08.do not happen again.