Line | From | To | |
---|---|---|---|
The next item of business is the motion 5733 in the name of John | :00:16. | :00:23. | |
Swinney. Achieving a cyber resilient Scotland. I call on John Swinney. 12 | :00:24. | :00:35. | |
minutes, please. Thank you, presiding officer. As we debate | :00:36. | :00:39. | |
cyber security today our thoughts are with those affected by the | :00:40. | :00:49. | |
despicable attack in Manchester. What has been emphasised over the | :00:50. | :00:53. | |
last few weeks with cyber attacks against the National Health Service | :00:54. | :00:57. | |
and Monday's attack is that we as an open society cannot prevent all | :00:58. | :01:04. | |
harmful instances occurring. It is simply not possible. Opportunities | :01:05. | :01:07. | |
have been and will unfortunately continue to be exploited by those | :01:08. | :01:11. | |
who have the determination, the will and the capability to do so. What we | :01:12. | :01:16. | |
must do is ensure we do not let such issues drive us away from living our | :01:17. | :01:19. | |
lives to the fullest and also taking the action that can involve | :01:20. | :01:26. | |
reasonable steps for any Government or as individuals to undertake to | :01:27. | :01:30. | |
understand the nature of these attacks. And to take reasonable | :01:31. | :01:32. | |
steps to prevent them from occurring. For those who are responsible, it is | :01:33. | :01:38. | |
our duty to ensure our arrangements are such that we can respond | :01:39. | :01:42. | |
effectively to prevent further harm and rigorously pursue those who | :01:43. | :01:47. | |
cause -- seek to cause societal harm and bring them to justice in all | :01:48. | :01:51. | |
circumstances. Our focus on the saddening's to beat recognises the | :01:52. | :01:55. | |
urgency for everyone to secure this technology, data and networks from | :01:56. | :01:59. | |
the many threats that we face and proposes that citizens and | :02:00. | :02:02. | |
organisations must become more resilient, aware of the risks and be | :02:03. | :02:06. | |
able to respond and recover quickly from any kind of a cyber attack. On | :02:07. | :02:11. | |
the 12th of May, there was a global cyber attack, the impact of which | :02:12. | :02:17. | |
affected the National Health Service across the UK. The scale and speed of | :02:18. | :02:22. | |
this attack was unprecedented and it demonstrates the absolute urgency | :02:23. | :02:25. | |
for everyone to take steps to secure this technology, data and networks | :02:26. | :02:30. | |
from the many threats that we face online. If we are to realise | :02:31. | :02:34. | |
Scotland's full potential in the digital world and the opportunities | :02:35. | :02:38. | |
it offers to our citizens, businesses and organisations, then | :02:39. | :02:41. | |
we must also equally be aware of the new risks this environment presents | :02:42. | :02:46. | |
and be able to respond effectively. Of course. I thank you for giving | :02:47. | :02:55. | |
way, he is quite correct response is vital, but so is prevention. One of | :02:56. | :02:59. | |
the key issues in the recent attack was the volume of Windows XP | :03:00. | :03:03. | |
installations in the health service. Does the Scottish Government have a | :03:04. | :03:07. | |
target date for removing Windows XP from the IT estate across Scottish | :03:08. | :03:12. | |
Government? I think the key question we have to address is how do we | :03:13. | :03:16. | |
establish and maintain the most rigorous level of security possible | :03:17. | :03:20. | |
around all systems that are utilised? That is the key question | :03:21. | :03:25. | |
that has to be answered, because there may well be in certain | :03:26. | :03:28. | |
circumstances an appropriate use for some of the systems that Mr | :03:29. | :03:32. | |
Johnson refers to, but the crucial thing is that the security | :03:33. | :03:36. | |
arrangements have to be in place to ensure that the necessary | :03:37. | :03:40. | |
precautions are taken. I will talk in more detail about all of these | :03:41. | :03:43. | |
precautions. Fundamentally, the key point I would say to Mr Johnson | :03:44. | :03:47. | |
is that there is an importance in ensuring that at all stages we take | :03:48. | :03:51. | |
the necessary measures to address this point. If I look at some of | :03:52. | :03:58. | |
these steps that we do take already, clearly our policy approach and the | :03:59. | :04:02. | |
requirements we place on organisations are designed to | :04:03. | :04:06. | |
achieve exactly that objective. There can be little doubt that the | :04:07. | :04:09. | |
evolution of the Internet has been the most significant development of | :04:10. | :04:14. | |
our age. For business, digital transformation is ever present. It | :04:15. | :04:18. | |
has been a game changer, enabling increased efficiency and | :04:19. | :04:22. | |
international reach, expanding markets, capabilities and | :04:23. | :04:25. | |
opportunities. It has been and will continue to be a truly innovative | :04:26. | :04:30. | |
force driving economic development and prosperity. Never before has data | :04:31. | :04:35. | |
had such a value and in its digital form its availability, integrity and | :04:36. | :04:39. | |
security is critical to all businesses. Criminal exploitation of | :04:40. | :04:43. | |
the Internet is also growing rapidly, data is the target and | :04:44. | :04:47. | |
businesses and citizens have lots of that detail. Unlike physical risks, | :04:48. | :04:55. | |
cyber risks are much harder to grasp as criminals exploit both systems | :04:56. | :04:57. | |
and human vulnerabilities. Business leaders must be prepared for the | :04:58. | :05:00. | |
cyber threat and more importantly must ensure their organisations take | :05:01. | :05:04. | |
all steps possible to mitigate that threat. We are used to managing risk | :05:05. | :05:10. | |
in the digital age but we must also consider the cyber threat as another | :05:11. | :05:15. | |
business risk. Any business that successfully can demonstrate that it | :05:16. | :05:24. | |
has taken steps to respect. It is a strong position to grow in the | :05:25. | :05:29. | |
digital age. Organisations that can demonstrate their to cybercrime can | :05:30. | :05:34. | |
gain both a competitive advantage and increased consumer confidence. | :05:35. | :05:39. | |
Developing a cyber resilience as a core part of an organisation's | :05:40. | :05:43. | |
business strategy will ensure it continues to take full advantage of | :05:44. | :05:46. | |
the Internet age and flourish into the bargain. I am pleased to say the | :05:47. | :05:50. | |
Scottish Government and its partners are working together to build a | :05:51. | :05:55. | |
strong and cyber resilient Scotland. We are taking action to ensure we | :05:56. | :05:59. | |
are adequately prepared, but I want to be clear with Parliament this is | :06:00. | :06:03. | |
not something that Government can do alone. This is also the | :06:04. | :06:06. | |
responsibility of individuals and organisations, who need to take the | :06:07. | :06:10. | |
necessary steps to ensure that they keep safe and secure online. It has | :06:11. | :06:17. | |
been widely commented that 80% of cybercrime is indiscriminate and can | :06:18. | :06:20. | |
be prevented by getting the basics right. This includes keeping | :06:21. | :06:25. | |
software up-to-date, using proper antivirus software and making | :06:26. | :06:28. | |
regular system back-ups. These are simple measures that all users can | :06:29. | :06:34. | |
and should take. Often our technical defences are robust but are overcome | :06:35. | :06:38. | |
by the inadvertent actions of an individual. Clicking on a link to a | :06:39. | :06:43. | |
seemingly genuinely looking website or an infection potentially caused | :06:44. | :06:47. | |
by opening attachments. Social engineering is one of the simplest | :06:48. | :06:51. | |
ways of overcoming our technical defences. We should not blame users, | :06:52. | :06:56. | |
they are not the weakest link, as is often said, the RSN to assets, links | :06:57. | :07:00. | |
and attachments are common in the workplace and that's why they are | :07:01. | :07:05. | |
exploited. Part of our response must be to get the basics of online | :07:06. | :07:09. | |
security correct and this includes raising the knowledge and awareness | :07:10. | :07:13. | |
level of all of our citizens to the risks and the steps they can take to | :07:14. | :07:18. | |
reduce this. As we have learned from recent events, swift action in | :07:19. | :07:21. | |
coordination and sharing information limited the impact of the NHS | :07:22. | :07:25. | |
ransomware attack. However, we must also reflect upon this incident, | :07:26. | :07:31. | |
identify the lessons and share these lessons with our partners so | :07:32. | :07:35. | |
we can help each other to put in place the appropriate and effective | :07:36. | :07:40. | |
measures to combat cyber crime. Since I published Safe, Secure and | :07:41. | :07:44. | |
Prosperous, a cyber resilience strategy for Scotland back in | :07:45. | :07:48. | |
November 2015, the Scottish Government has committed to | :07:49. | :07:51. | |
providing strong leadership and direction to help our individuals, | :07:52. | :07:54. | |
businesses and organisations make the most of the online world. We | :07:55. | :07:59. | |
have laid the foundations to make Scotland a cyber resilient country, | :08:00. | :08:02. | |
we have achieved much already by focusing delivery on key strategic | :08:03. | :08:08. | |
priorities of leadership and partnership, awareness raising, | :08:09. | :08:10. | |
education, skills and professional development and research and | :08:11. | :08:14. | |
innovation. Let me outline to Parliament the focus of our work to | :08:15. | :08:23. | |
date. Thank you. Would the Cabinet Secretary agree that additional | :08:24. | :08:27. | |
availability of teaching computing skills at all levels of school would | :08:28. | :08:33. | |
help address some of these issues? Obviously, computing science is an | :08:34. | :08:39. | |
integral part of the curriculum and it is part of education in some of | :08:40. | :08:44. | |
the early stages of primary education. I have seen various | :08:45. | :08:49. | |
coding and initiatives in primary schools involving primary three and | :08:50. | :08:55. | |
primary four pupils. I am firmly supportive of the importance of | :08:56. | :08:58. | |
ensuring young people at the earliest possible ages are exposed | :08:59. | :09:04. | |
to education on computing and are able to acquire the skills and | :09:05. | :09:07. | |
attributes that are necessary for them to prosper. Let me set out to | :09:08. | :09:14. | |
Parliament some of the focus of the work that's been undertaken as part | :09:15. | :09:18. | |
of the Government's strategy that was launched in November 2015. Firstly, | :09:19. | :09:23. | |
as part of the leadership effort we established the national cyber | :09:24. | :09:26. | |
resilience leaders board in September 2016 to drive forward and | :09:27. | :09:30. | |
implement the strategy across Scotland. That board is led by the | :09:31. | :09:34. | |
director of CBI Scotland and the board is made of key leaders from | :09:35. | :09:39. | |
across the public, private and third sectors who are providing strategic | :09:40. | :09:47. | |
direction across all of our sectors. Secondly, the digital Scotland | :09:48. | :09:48. | |
business excellence partnership has provided £400,000 to help businesses | :09:49. | :09:52. | |
in Scotland improve their cyber resilience and work towards achieving | :09:53. | :09:55. | |
the Cyber Essentials standard. We focused efforts on raising awareness | :09:56. | :09:59. | |
to cyber risk, since the beginning of this year we have developed a | :10:00. | :10:02. | |
joint cyber communications calendar which has been used by our | :10:03. | :10:06. | |
partners to provide a consistent message across the board and we are | :10:07. | :10:10. | |
linking closely in this work and this relates to Mr Green's | :10:11. | :10:14. | |
amendment today with the UK national Cyber Aware campaign. In terms of | :10:15. | :10:18. | |
learning and skills, we have built cyber resilience into the Curriculum | :10:19. | :10:21. | |
for Excellence and are working to build it within digital skills. We | :10:22. | :10:27. | |
are also looking at how we can fill the gaps that we currently have in | :10:28. | :10:31. | |
terms of the cyber security skills pipeline, particularly around | :10:32. | :10:34. | |
apprenticeships and the qualifications that are on offer. We | :10:35. | :10:39. | |
are working to build the capacity of cyber security research across | :10:40. | :10:42. | |
higher education in Scotland. The University of Edinburgh has recently | :10:43. | :10:45. | |
become an academic centre of excellence in cyber security | :10:46. | :10:48. | |
research, acknowledged and endorsed by the National Cyber | :10:49. | :10:54. | |
Security Centre. This work has been about ensuring we took early | :10:55. | :10:56. | |
preparations to ensure we are well equipped as a country to meet the | :10:57. | :11:04. | |
challenges we now face. I want to acknowledge the tremendous efforts | :11:05. | :11:07. | |
of our national health service staff and the wider public sector in | :11:08. | :11:10. | |
responding to the recent attack that took place and providing assurances | :11:11. | :11:14. | |
around the security of their networks. There was considerable cross | :11:15. | :11:19. | |
sector engagement during this event and collaboration at this level is | :11:20. | :11:22. | |
an essential element and helps to demonstrate confidence in the public | :11:23. | :11:27. | |
sector's ability to respond to such acts. The investment the Government | :11:28. | :11:34. | |
is making in this area is specifically to support the | :11:35. | :11:38. | |
arrangement of hardware and software measures to protect the Government's | :11:39. | :11:41. | |
ICT systems, infrastructure and data, to improve the Government's | :11:42. | :11:51. | |
network monitoring capabilities. To establish and expand a cyber | :11:52. | :11:56. | |
security operations centre and corporate education awareness and | :11:57. | :11:59. | |
training right across the board. We recognise that ultimately the focus | :12:00. | :12:03. | |
of our public sector work is about ensuring we can gain our citizens | :12:04. | :12:09. | |
trust and we move towards digital public services. With that outcome | :12:10. | :12:13. | |
in mind, we have established a cross-sector public group on cyber | :12:14. | :12:17. | |
resilience. This is made up of technical and business experts from | :12:18. | :12:21. | |
central and local Government, from health, procurement, academia and | :12:22. | :12:24. | |
the third sector, all of them focused on putting in place the | :12:25. | :12:27. | |
necessary measures to protect the public sector ICT school Dodt | :12:28. | :12:32. | |
skills. It is essential across a range of different areas, whether | :12:33. | :12:38. | |
learning or skills or the role of the private sector, compliance with | :12:39. | :12:43. | |
the EU General data protection regulations by the security of our | :12:44. | :12:46. | |
critical infrastructure that we take effort in a cohesive and coherent way | :12:47. | :12:50. | |
to ensure that we are equipped to meet these challenges. That is the | :12:51. | :12:54. | |
focus of the Government strategy. That lies at the heart of the | :12:55. | :12:57. | |
approach we are taking and we are doing that in an engaged and | :12:58. | :13:01. | |
collaborative way with the private, third and public sectors to ensure | :13:02. | :13:05. | |
that Scotland is a country that's able to demonstrate cyber resilience | :13:06. | :13:09. | |
but is also able to use our cyber capability as a foundation for | :13:10. | :13:18. | |
economic opportunity in the years to move amendment... Thank you. Less | :13:19. | :13:26. | |
than two weeks ago, we witnessed one of the most severe coordinated cyber | :13:27. | :13:29. | |
attacks the world has ever seen. This attack was not isolated to | :13:30. | :13:34. | |
Scotland, nor the UK; our neighbours across the world reported | :13:35. | :13:38. | |
attacks on IT infrastructure, in some cases crippling their ability | :13:39. | :13:42. | |
to deliver public services. On our shores, our NHS network was hit, | :13:43. | :13:49. | |
doctors could no longer access patients' files. The effects were | :13:50. | :13:53. | |
felt as hospitals were asking only urgent cases to come to A&E to | :13:54. | :13:56. | |
ease the pressure on them, appointments were cancelled, | :13:57. | :14:00. | |
operations were cancelled, GP surgeries unable to access records. | :14:01. | :14:06. | |
The so-called ransomware attack also targeted Germany's primary rail | :14:07. | :14:11. | |
link, Deutsche Bank and Spain's Telefonica. It is estimated that the | :14:12. | :14:17. | |
ransomware attack affected 230,000 computers in over 150 countries. | :14:18. | :14:22. | |
Europe described this attack as unprecedented in its scale. Make no | :14:23. | :14:27. | |
mistake, the events of the 12th of May 2017 highlighted the | :14:28. | :14:30. | |
fragility of public IT infrastructure the world over. | :14:31. | :14:35. | |
For all the benefits that economic digitalisation has brought us, the | :14:36. | :14:39. | |
shift online has opened up an emerging threat from the cybercrime | :14:40. | :14:45. | |
and cyber terrorism. Estimates from the Scottish business resilience | :14:46. | :14:48. | |
centre put the cost to the Scottish economy from cybercrime at £393 | :14:49. | :14:55. | |
million in the year 2015, 2016. Globally that figure could be well | :14:56. | :15:00. | |
over half a trillion US dollars. In fact, it has become such a threat | :15:01. | :15:04. | |
that a whole industry in cyber insurance has sprung up in recent | :15:05. | :15:08. | |
years. The Scottish Conservatives will support any measures the | :15:09. | :15:12. | |
Scottish Government is taking to increase resilience against | :15:13. | :15:16. | |
further attacks, for that reason we welcome the tone of the Government | :15:17. | :15:18. | |
motion today and will be supporting it this afternoon. | :15:19. | :15:21. | |
The Scottish Government made references to cybersecurity | :15:22. | :15:36. | |
and in its previous cyber-resilience strategy, | :15:37. | :15:39. | |
Nevertheless, in the light of the recent attacks, | :15:40. | :15:42. | |
we would like more detail on what specific action is being | :15:43. | :15:45. | |
taken to protect public services, utilities and large public networks. | :15:46. | :15:47. | |
In particular, we would like to know the monetary value | :15:48. | :15:50. | |
The UK Government has invested heavily in cybersecurity | :15:51. | :15:53. | |
and last year announced £2 billion of investment. | :15:54. | :15:56. | |
A new national cybersecurity centre was set up to operate | :15:57. | :15:58. | |
out of London under the control of Government | :15:59. | :16:01. | |
It is there to assist businesses, Government bodies and academia | :16:02. | :16:13. | |
across the UK, including in Scotland, in times of need. | :16:14. | :16:18. | |
"The UK Government is leading the way with the cyber initiatives | :16:19. | :16:23. | |
However, the Government cannot protect the UK alone. | :16:24. | :16:26. | |
Businesses must understand the cyber threat their organisation faces | :16:27. | :16:28. | |
and take strong protective action themselves." | :16:29. | :16:30. | |
There is a shared responsibility on all of us to ensure | :16:31. | :16:35. | |
that we are prepared to deal with online threats. | :16:36. | :16:39. | |
Our amendment asks the Scottish Government to ensure | :16:40. | :16:46. | |
that it is having a proactive discussion with UK-wide enforcement | :16:47. | :16:48. | |
and intelligence agencies and Government bodies to ensure that | :16:49. | :16:51. | |
I will personally liaise with my UK Government counterpart to highlight | :16:52. | :17:00. | |
any areas in the Digital Economy Act 2017 pertaining to cybercrime | :17:01. | :17:02. | |
and online protection that are relevant to Scotland. | :17:03. | :17:07. | |
It is clear, in the aftermath of the ransomware attack, | :17:08. | :17:09. | |
that the evidence suggests that several hospitals did not install | :17:10. | :17:12. | |
the updates that they had received prior to the attack, | :17:13. | :17:20. | |
Daniel Johnson was right to probe into that further today by asking | :17:21. | :17:26. | |
if the Windows XP replacements or updates will take place | :17:27. | :17:28. | |
in our NHS, because a co-ordinated upgrade and end-of-life plan | :17:29. | :17:31. | |
is a necessary part of any large-scale IT project. | :17:32. | :17:34. | |
The public sector should be no different to mainstream | :17:35. | :17:37. | |
The European Commission's 2016 Digital Progress Report | :17:38. | :17:55. | |
highlighted that half the EU's population | :17:56. | :17:56. | |
access public services via online platforms. | :17:57. | :17:58. | |
That number will surely only continue to grow. | :17:59. | :17:59. | |
A crucial pillar in our preparedness against attacks is the understanding | :18:00. | :18:02. | |
In a digital world, we are not shielded by being an island. | :18:03. | :18:10. | |
A hacker in North Korea can attack a database in North Queensferry. | :18:11. | :18:16. | |
DigitalEurope, the digital industry's respected trade | :18:17. | :18:22. | |
body, recently said cybersecurity is important. | :18:23. | :18:25. | |
However the approach must be centered on better security | :18:26. | :18:28. | |
practices to defeat evolving threats in a global landscape. | :18:29. | :18:31. | |
The digital market is borderless and virtual and it is a workplace | :18:32. | :18:36. | |
like no other, in which there are invisible but tangible threats. | :18:37. | :18:41. | |
The Scottish Conservatives will support the Scottish Government's | :18:42. | :18:47. | |
current cybersecurity plans, but our support is conditional | :18:48. | :18:49. | |
on realistic and measurable plans being put in place. | :18:50. | :18:52. | |
We want the Scottish Parliament to be regularly informed of progress | :18:53. | :18:58. | |
and we want close collaboration between all Governments and agencies | :18:59. | :19:02. | |
to ensure that a truly UK-wide cybersecurity framework is in place. | :19:03. | :19:11. | |
We think Scotland could lead the charge against global cyberthreats | :19:12. | :19:14. | |
I say that because just last week another major Californian | :19:15. | :19:20. | |
cybersecurity firm announced that it will be opening a new office | :19:21. | :19:25. | |
in Belfast, which will create 120 new jobs in an already buoyant | :19:26. | :19:29. | |
cybersecurity and tech sector in that city. | :19:30. | :19:40. | |
The firm was attracted to Belfast by Invest Northern Ireland, | :20:41. | :20:42. | |
which gave it a £780,000 grant towards the new venture. | :20:43. | :20:51. | |
Invest NI also recently awarded £5.5 million to Queen's University | :20:52. | :20:54. | |
to help to fund a new centre for secure IT, which | :20:55. | :20:56. | |
brings total investment in the centre to £38 million. | :20:57. | :20:59. | |
Belfast is becoming the world's number one hub for cybersecurity, | :20:00. | :20:08. | |
data analytics, fintech and blockchain technology. | :20:09. | :20:10. | |
The skills that are required to fill those newly created posts | :20:11. | :20:17. | |
Although I appreciate the good work that is happening in Edinburgh, | :20:18. | :20:24. | |
why cannot it also happen in Glasgow or Dundee? | :20:25. | :20:27. | |
There must be more than words of goodwill and lip service paid | :20:28. | :20:30. | |
Targeted investment, a bank of suitably skilled workers | :20:31. | :20:34. | |
and a can-do Government attitude can and will have a material | :20:35. | :20:37. | |
and positive effect on the industry, and will open up real opportunities | :20:38. | :20:40. | |
Cybersecurity is so big in Northern Ireland right | :20:41. | :20:48. | |
now that the sector has a zero per cent unemployment rate. | :20:49. | :20:50. | |
While I let that potential sink in, I look forward to hearing | :20:51. | :20:53. | |
the Government's response to my comments and to listening | :20:54. | :20:56. | |
I now call Claire Baker to speak. Miss Baker, seven minutes, please. | :20:57. | :21:27. | |
The past few days have been very challenging | :21:28. | :21:29. | |
It is a critical, on-going situation and it is right that we prioritise | :21:30. | :21:33. | |
My thoughts are with all those families affected by the terrible | :21:34. | :21:37. | |
Turning to today's debate, we must ensure that we are as safe | :21:38. | :21:41. | |
To many politicians, cybersecurity is an area | :21:42. | :21:44. | |
in which it can often seem as if a different language | :21:45. | :21:46. | |
is being spoken, the same is true for much of the public. | :21:47. | :21:49. | |
As we heard in the recent debate on keeping children safe online, | :21:50. | :21:52. | |
the internet is central to modern life, and while it brings | :21:53. | :21:55. | |
many benefits, it also contains many risks. | :21:56. | :21:56. | |
Cyber-resilience is an important strategy in protecting | :21:57. | :21:58. | |
against vulnerability for individuals | :21:59. | :21:59. | |
The significant change to how we communicate, | :22:00. | :22:08. | |
how we do business and how we create systems has brought | :22:09. | :22:11. | |
considerable risks and we must always be vigilant. | :22:12. | :22:13. | |
As quick and easy as it is for an MSP to send | :22:14. | :22:16. | |
an email to a constituent, it can be just as quick and easy | :22:17. | :22:19. | |
to send malware or to find the one weak spot among millions | :22:20. | :22:22. | |
I appreciate that, following the recent | :22:23. | :22:24. | |
ransomware attack on our NHS, the Government has been active | :22:25. | :22:27. | |
in helping businesses and organisations, but today's | :22:28. | :22:29. | |
debate appears to be reactive rather than proactive. | :22:30. | :22:32. | |
Although a specific attack on a specific target | :22:33. | :22:35. | |
is difficult to predict, the threat of such an attack is not. | :22:36. | :22:39. | |
I appreciate the recent update from the Government | :22:40. | :22:42. | |
on the extraordinary meeting of the national cyber-resilience | :22:43. | :22:45. | |
leaders board, but should such meetings always have | :22:46. | :22:49. | |
The Scottish Government published their Safe, | :22:50. | :23:09. | |
Secure and Prosperous: Cyber Resilience Strategy | :23:10. | :23:10. | |
We are now two years into the five-year strategy, | :23:11. | :23:13. | |
and it is clear that the recent attack on the NHS represents | :23:14. | :23:16. | |
a setback to confidence in the security of information | :23:17. | :23:18. | |
Although I will support the Government's motion | :23:19. | :23:21. | |
and am inclined to support the Conservatives' amendment, | :23:22. | :23:23. | |
which welcomes the strategies of the UK and Scottish Governments, | :23:24. | :23:25. | |
I want to mention the recent report of the UK Parliament's | :23:26. | :23:28. | |
Public Accounts Committee, which said that the UK Government | :23:29. | :23:30. | |
needs to raise its game in this area and described significant | :23:31. | :23:33. | |
skills shortages and the chaotic handling of personal data. | :23:34. | :23:35. | |
In Scotland, we have the well-documented problems with i6 | :23:36. | :23:41. | |
at Police Scotland and at NHS 24, which raise questions | :23:42. | :23:43. | |
I appreciate that the Government has committed to providing a public | :23:44. | :23:48. | |
sector action plan that will develop a set of guidelines and standards | :23:49. | :23:51. | |
However, as our amendment makes clear, investment is necessary | :23:52. | :23:59. | |
to ensure that we can withstand future attacks. | :24:00. | :24:01. | |
Improvements in infrastructure, investment in expertise and advice | :24:02. | :24:05. | |
and the capability to build resilience all take resources, | :24:06. | :24:10. | |
and it is difficult for our public services to prioritise | :24:11. | :24:13. | |
when there is so much pressure on service delivery. | :24:14. | :24:19. | |
The national cyber-resilience leaders board's action plan is due | :24:20. | :24:21. | |
to be approved by ministers in June, and I hope that Parliament | :24:22. | :24:24. | |
will have the opportunity to scrutinise and monitor | :24:25. | :24:28. | |
When it comes to cyberattacks, we in Scotland must not stand alone. | :24:29. | :24:35. | |
We need to work across the UK and beyond to understand potential | :24:36. | :24:38. | |
threats, to learn from best practice and to halt attacks | :24:39. | :24:43. | |
That process must begin with the recent attack on our NHS. | :24:44. | :24:48. | |
We must ask why our hospitals and health centres were affected | :24:49. | :24:51. | |
Did Wales take better pre-emptive action? | :24:52. | :24:57. | |
Did the Scottish Government provide adequate instructions | :24:58. | :24:59. | |
on cybersecurity prior to the attack? | :25:00. | :25:05. | |
Was the issue given sufficient priority around the Cabinet table? | :25:06. | :25:07. | |
I hope that those questions will be addressed by the Government | :25:08. | :25:10. | |
According to the Government's strategy, | :25:11. | :25:18. | |
cyber resilience is being able to prepare for, withstand, | :25:19. | :25:20. | |
rapidly recover and learn from deliberate attacks | :25:21. | :25:22. | |
or accidental events in the online world. | :25:23. | :25:24. | |
With the attack on the NHS, we know that Scotland is not yet | :25:25. | :25:28. | |
fully prepared to withstand such attacks and, although | :25:29. | :25:31. | |
it has appeared to recover and deserves credit for that, | :25:32. | :25:34. | |
we must now ensure that we are able to learn. | :25:35. | :25:36. | |
The world is increasingly moving online. | :25:37. | :25:39. | |
From socialising to shopping and learning to leisure, | :25:40. | :25:47. | |
the public, old as well as young, are conducting large parts | :25:48. | :25:50. | |
As local politicians, we know that many high street banks | :25:51. | :25:57. | |
are closing, with the argument made that most transactions | :25:58. | :25:59. | |
That is true for our businesses and organisations, millions | :26:00. | :26:07. | |
of pounds worth of transactions take place online every day. | :26:08. | :26:10. | |
Cybercrime is a threat that we are all aware of, | :26:11. | :26:12. | |
but it is also one that we believe to be underreported. | :26:13. | :26:15. | |
It can be prevented if the right security, | :26:16. | :26:17. | |
firewalls and precautions are in place, but computers, | :26:18. | :26:19. | |
data and personal details are often left inadvertently exposed. | :26:20. | :26:24. | |
We would not leave the front door or the car unlocked, | :26:25. | :26:27. | |
but computer systems are left wide open in exactly that way. | :26:28. | :26:30. | |
As part of my research for the debate, I found out that | :26:31. | :26:33. | |
Britain ranks below Brazil, South Africa and China | :26:34. | :26:35. | |
when it comes to keeping phones and laptops secure, | :26:36. | :26:38. | |
Around 80% of cybercrime can be prevented if we just | :26:39. | :26:46. | |
That involves having strong passwords, downloading, | :26:47. | :26:56. | |
installing and crucially updating security, protecting our | :26:57. | :26:58. | |
mobile devices and wireless networks and being aware | :26:59. | :27:00. | |
of suspicious emails, which often claim to be | :27:01. | :27:02. | |
As much as we must look to individuals and businesses | :27:03. | :27:06. | |
to take responsibility, we must ensure that here in Scotland | :27:07. | :27:08. | |
we have the resources to tackle such crimes once they take place. | :27:09. | :27:11. | |
We are currently in the middle of the policing 2026 strategy, | :27:12. | :27:14. | |
and cybersecurity is one of the major challenges | :27:15. | :27:16. | |
We need to ensure that the right people are being recruited | :27:17. | :27:20. | |
There is a clear need for a balanced workforce in our policing, | :27:21. | :27:24. | |
and efforts to tackle cybercrime would benefit from that. | :27:25. | :27:36. | |
We also need the best minds - for example, | :27:37. | :27:38. | |
the recent NHS situation was resolved by a self-taught | :27:39. | :27:40. | |
such people can work with Police Scotland | :27:41. | :27:44. | |
to support our agencies in being cyber-resilient and able | :27:45. | :27:46. | |
Last year, I visited the Scottish crime campus at Gartcosh, | :27:47. | :27:50. | |
which is a world-leading facility hosting specialist crime fighters. | :27:51. | :27:52. | |
It is proof of what can be achieved by setting high-quality, | :27:53. | :27:55. | |
highly skilled jobs alongside the right resources, | :27:56. | :27:58. | |
but, as we know, Police Scotland is facing a significant | :27:59. | :28:00. | |
We need to ensure that all our public services from the NHS, | :28:01. | :28:08. | |
which was attacked earlier this month, to Police Scotland | :28:09. | :28:11. | |
all have the proper resources and investment to withstand, | :28:12. | :28:13. | |
Finally, partnership is so important, and the Scottish | :28:14. | :28:16. | |
Government must work with the UK Government and other devolved | :28:17. | :28:21. | |
assemblies and agencies throughout the UK to ensure | :28:22. | :28:23. | |
that we have the capabilities, the knowledge and the resources | :28:24. | :28:25. | |
to keep us all safe and secure online. | :28:26. | :28:30. | |
Thank you very much. I've moved to the open debate. Mr Stevenson, | :28:31. | :28:40. | |
please. On 9th February 1984, we saw | :28:41. | :28:45. | |
the launch of the first real-time, high-value money | :28:46. | :28:54. | |
transfer system, CHAPS. I was the project manager | :28:55. | :28:55. | |
for the Bank of Scotland, which was the first bank | :28:56. | :28:58. | |
ready to implement. I well remember our excitement later | :28:59. | :29:00. | |
that year when we made our first real-time, irrevocable | :29:01. | :29:03. | |
payment of over £1 billion. By 2011, the system had | :29:04. | :29:04. | |
processed £1 quadrillion In other words, a thousand | :29:05. | :29:08. | |
million million pounds, To secure the transactions, | :29:09. | :29:17. | |
I had to gain permission from the US Department of Defense | :29:18. | :29:22. | |
and sign my life away to use what was categorised | :29:23. | :29:25. | |
as weapons-grade encryption It operated from within a black box | :29:26. | :29:27. | |
that self-destructed if someone attempted to open it | :29:28. | :29:33. | |
to examine its contents. The technology was, | :29:34. | :29:39. | |
and is, as secure as one and the objective today should be | :29:40. | :29:41. | |
to ensure that every business and individual is in possession | :29:42. | :29:45. | |
of similarly impenetrable security. We are, but we do not | :29:46. | :29:53. | |
all choose to implement it. My point, however, is that | :29:54. | :29:57. | |
even if we do so, we do not necessarily use it in a way that | :29:58. | :30:02. | |
allows it to be as secure For the most part, it is not | :30:03. | :30:05. | |
the technology that fails, "Citizens, we must be | :30:06. | :30:11. | |
aware of the risks." Indeed, in his opening remarks, | :30:12. | :30:18. | |
John Swinney said that this should not be the responsibility | :30:19. | :30:21. | |
of the Government alone. The history of human failure | :30:22. | :30:23. | |
to properly use secure data systems 2,000 years ago, slaves | :30:24. | :30:27. | |
had their heads shaved. A message was written | :30:28. | :30:35. | |
on their scalp; the hair grew back; and the slave and the message | :30:36. | :30:37. | |
were sent elsewhere. That was all well and good, | :30:38. | :30:40. | |
until people realised what Having a secret method | :30:41. | :30:43. | |
provides no real security, Indeed, effective data security | :30:44. | :30:49. | |
systems rely on their having been published and scrutinised to confirm | :30:50. | :30:56. | |
that their methods are sound. However, we need to keep the keys | :30:57. | :31:01. | |
secret and change them frequently. In the 16th century, | :31:02. | :31:06. | |
Mary Queen of Scots used a two-cover system to protect | :31:07. | :31:09. | |
her confidential messages. The first was a secure box | :31:10. | :31:13. | |
with two locks and a key for each - she had one key, | :31:14. | :31:17. | |
while the other was held by the recipient, and no-one else | :31:18. | :31:19. | |
had access to either key. Mary put her message in the box, | :31:20. | :31:24. | |
she locked it and then it went to the recipient, | :31:25. | :31:28. | |
who used his key to lock his lock. The box came back to Mary, | :31:29. | :31:33. | |
who unlocked her lock, and went back to the recipient, | :31:34. | :31:35. | |
who unlocked his. It was a secure system | :31:36. | :31:39. | |
for transmitting a message from A to B in the 16th century, | :31:40. | :31:42. | |
because nobody shared the key The second aspect of the system | :31:43. | :31:45. | |
was encryption of the message inside the box through | :31:46. | :31:50. | |
a letter-substitution system. However, that is | :31:51. | :31:54. | |
where Mary fell down. She thought that the system | :31:55. | :31:56. | |
was totally secure, because transmission was secure, | :31:57. | :31:58. | |
but when the message came out of the box, | :31:59. | :32:01. | |
she forgot that it was now a bit of paper that was available | :32:02. | :32:04. | |
to anyone who might be passing. Queen Elizabeth I picked | :32:05. | :32:08. | |
up one of her messages and was able to unscramble it, | :32:09. | :32:11. | |
and it formed part of the evidence at Mary Queen of Scots' trial, | :32:12. | :32:16. | |
which caused her to be executed. Napoleon had le grand | :32:17. | :32:20. | |
chiffre - the great code. Common letters of the alphabet | :32:21. | :32:28. | |
were not always coded in the same way, so that people could not break | :32:29. | :32:31. | |
it by analysing frequency. However, encoders started to use | :32:32. | :32:35. | |
some of the spare codes over and over again, | :32:36. | :32:38. | |
as place names for where the fighting was, in order | :32:39. | :32:43. | |
to save time and effort. Wellington's code-breaker was a guy | :32:44. | :32:45. | |
called George Scovell and, because of the weak way | :32:46. | :32:49. | |
in which that good system was used, When Wellington got to the battle | :32:50. | :32:54. | |
of Waterloo, he knew what Napoleon's plans were and that led to the end | :32:55. | :33:03. | |
of an empire. The Enigma machine, | :33:04. | :33:06. | |
which the Germans thought was unbreakable until 1945, | :33:07. | :33:13. | |
was actually broken Bletchley Park broke a later, | :33:14. | :33:15. | |
improved version because, every day at 6am, the Germans sent | :33:16. | :33:18. | |
out an encrypted weather forecast. The fact that it was in the same | :33:19. | :33:23. | |
format and at the same time every day enabled people at Bletchley Park | :33:24. | :33:27. | |
to break what should have been a very secure system. Of course, | :33:28. | :33:30. | |
they had to do lots of other good Most of us know how to drive a car, | :33:31. | :33:34. | |
but rather fewer of us know how the mechanical bits work or how | :33:35. | :33:40. | |
to fix them when they fail. Most of us also know how to use | :33:41. | :33:45. | |
a computer and perhaps even use the security functions that | :33:46. | :33:49. | |
are provided with it. However, as with a car, | :33:50. | :33:50. | |
if we do not get an expert to service it regularly or to fix it | :33:51. | :33:56. | |
when it fails, disaster will loom. All businesses should have | :33:57. | :34:00. | |
regular security check-ups. They will not be free, | :34:01. | :34:02. | |
but the cost of not doing them It is like insurance - | :34:03. | :34:05. | |
it is a product that a business cannot just buy when it wants it, | :34:06. | :34:11. | |
when its reputation is trashed and its customers have flown, | :34:12. | :34:14. | |
paying a little bit once a year My final example of a security | :34:15. | :34:17. | |
problem is from the modern world. I bought a good-quality second-hand | :34:18. | :34:23. | |
car, as I usually do, and it had all the gadgets, | :34:24. | :34:27. | |
including a Bluetooth That is good technology, | :34:28. | :34:29. | |
but an unaware previous owner of my car had left his phone's | :34:30. | :34:34. | |
entire contact list Do members realise that | :34:35. | :34:40. | |
they could do that, too? I am a good guy and I deleted it, | :34:41. | :34:47. | |
but suppose the chief executive... You are such a good guy that | :34:48. | :34:50. | |
you have to wind up now, intriguing though this is, | :34:51. | :34:53. | |
Mr Stevenson. In that case, Presiding Officer, | :34:54. | :34:55. | |
let me caution chief executives and chairmen of companies not to use | :34:56. | :34:58. | |
Bluetooth in their cars unless they know how to delete | :34:59. | :35:02. | |
data from the memory. I am a good guy and I deleted it, | :35:03. | :35:04. | |
but not everybody is as honest Oh my goodness, Mr Stevenson, | :35:05. | :35:08. | |
I cannot wait for your book to come out: Facts You Didn't Know But I'm | :35:09. | :35:15. | |
Going to Tell You Anyway. I refer to my entry in the register | :35:16. | :35:26. | |
of members' interests and the fact that I am on the board of two | :35:27. | :35:29. | |
companies that invest It is significant that, on a day | :35:30. | :35:32. | |
when we are all still digesting the horrific news of a violent | :35:33. | :35:36. | |
physical attack on our country, we are debating the need to protect | :35:37. | :35:39. | |
ourselves from cyberattacks. The Deputy First Minister mentioned | :35:40. | :35:43. | |
that, and I entirely Although nothing can surpass | :35:44. | :35:46. | |
the tragic loss of so many innocent lives that Manchester witnessed, | :35:47. | :35:54. | |
it seems to me that one of the greatest challenges | :35:55. | :36:00. | |
that we face as a society is the sheer number | :36:01. | :36:02. | |
and variety of threats Our enemies come in many forms, | :36:03. | :36:04. | |
from the deadly and murderous suicide bomber of Monday night | :36:05. | :36:08. | |
to the sophisticated The ransomware attack on IT systems, | :36:09. | :36:12. | |
which affected some 200,000 computers across 150 countries, | :36:13. | :36:19. | |
was certainly one of the most unprecedented attacks | :36:20. | :36:23. | |
that we have ever seen. My comments will concentrate | :36:24. | :36:27. | |
on our NHS, the attack on which was nothing short | :36:28. | :36:32. | |
of spiteful, especially given the delays to patients' | :36:33. | :36:34. | |
treatment across the UK, In Scotland, we were relatively | :36:35. | :36:37. | |
lucky in that only 1% of electronic devices were affected | :36:38. | :36:43. | |
and the number of people whose operations required to be | :36:44. | :36:46. | |
rescheduled was minimal. However, any delay to an operation, | :36:47. | :36:50. | |
appointment or treatment as a result of the attack was frustrating, | :36:51. | :36:53. | |
to say the least. 13 health boards were affected, | :36:54. | :36:58. | |
and some GP surgeries. The Cabinet Secretary for Health | :36:59. | :37:02. | |
and Sport swiftly made a statement last week, | :37:03. | :37:05. | |
and I am grateful for the clear manner in which she | :37:06. | :37:07. | |
presented the known facts. Like her, I welcome the fact | :37:08. | :37:09. | |
that there have been no reports I would also like to pay tribute | :37:10. | :37:12. | |
to the IT staff in the NHS who worked extraordinarily hard | :37:13. | :37:17. | |
to get all the affected systems As was reported last week, | :37:18. | :37:20. | |
very few people knew how to fix the problem, | :37:21. | :37:24. | |
but it is a testament to those who were able | :37:25. | :37:27. | |
to overcome it that they did I also want to thank our front-line | :37:28. | :37:29. | |
NHS staff, who carried on serving the public as normal even if it | :37:30. | :37:35. | |
meant a lesser reliance on IT The Health and Sport Committee | :37:36. | :37:38. | |
heard yesterday from the Scottish Ambulance Service | :37:39. | :37:44. | |
that there had been no operational impact and no loss of patient data | :37:45. | :37:47. | |
during or after the attack. It is plain that there are several | :37:48. | :37:50. | |
aspects of the attack that need to be tackled, | :37:51. | :37:55. | |
in order to ensure that future attacks can be thwarted | :37:56. | :37:58. | |
as early as possible. Naturally, we cannot expect | :37:59. | :38:02. | |
to prevent every attack, but as our reliance on various forms | :38:03. | :38:05. | |
of IT continues to grow, so too The cyberattack could have been far, | :38:06. | :38:09. | |
far worse, and it is clear that we need to do more to ensure | :38:10. | :38:15. | |
that our IT systems in the NHS are up to date and that we can | :38:16. | :38:19. | |
respond to future attacks According to the Scottish | :38:20. | :38:22. | |
Business Resilience Centre, cybercrime cost Scotland around | :38:23. | :38:27. | |
£394 million in 2015-16. It is an exceptionally lucrative | :38:28. | :38:33. | |
market for those who know how to code and wish | :38:34. | :38:36. | |
to use their talents That is why we need to be on guard, | :38:37. | :38:38. | |
but we also need people within our NHS and the wider public | :38:39. | :38:43. | |
and private sector who possess the relevant skills to combat | :38:44. | :38:46. | |
attacks, as and when they happen. That in turn requires people | :38:47. | :38:51. | |
who are able to stress-test IT systems continually, | :38:52. | :38:54. | |
so that they are protected from I am sure that others, like me, | :38:55. | :38:57. | |
received an interesting briefing from the University of Abertay | :38:58. | :39:07. | |
on that point. It said that defensive cybersecurity | :39:08. | :39:09. | |
is already fairly well established in both undergraduate | :39:10. | :39:12. | |
and postgraduate programmes at university, with skills | :39:13. | :39:15. | |
such as cryptography and intrusion-prevention | :39:16. | :39:17. | |
being taught. However, it points out that | :39:18. | :39:20. | |
offensive cybersecurity courses are not as common, | :39:21. | :39:23. | |
and that there is a real need to consider investing in that | :39:24. | :39:25. | |
particular avenue of learning. It says, quite simply, that, | :39:26. | :39:29. | |
"the best way to catch a thief While it is clear that major ethical | :39:30. | :39:32. | |
questions will arise, particularly in giving | :39:33. | :39:38. | |
a new generation the skills and abilities to hack maliciously, | :39:39. | :39:39. | |
degree programmes such as that might help to fill a skills | :39:40. | :39:43. | |
vacancy that is all too evident across Scotland, | :39:44. | :39:46. | |
Britain and the wider world. Turning back to the NHS, | :39:47. | :39:48. | |
I will focus on why the issues that I have mentioned | :39:49. | :39:53. | |
are particularly pertinent. We know that many of our NHS health | :39:54. | :39:56. | |
boards continue to use out-of-date software, | :39:57. | :39:59. | |
which in many cases cannot be updated for fear of having | :40:00. | :40:02. | |
a negative impact on the technology that is used to serve and heal | :40:03. | :40:06. | |
patients, such as magnetic That software, and that updating, | :40:07. | :40:08. | |
needs to be reviewed. The Cabinet Secretary for Health | :40:09. | :40:16. | |
and Sport stated last week that she would seek to ascertain | :40:17. | :40:19. | |
whether health boards have regular It would be interesting | :40:20. | :40:22. | |
to understand whether that is indeed the case, and I hope | :40:23. | :40:26. | |
that the cabinet secretary will report back to Parliament | :40:27. | :40:29. | |
with an update on that It is abundantly clear that | :40:30. | :40:31. | |
lessons need to be learned. Now is not the time for political | :40:32. | :40:37. | |
posturing on the issue, but for all of us to debate, | :40:38. | :40:40. | |
as we have, the actions that are required to ensure that such | :40:41. | :40:43. | |
incidents are dealt with swiftly without causing public | :40:44. | :40:46. | |
fear and panic. We must take every precaution | :40:47. | :40:49. | |
possible to protect one of the most Fundamentally, I believe that | :40:50. | :40:52. | |
long-term solutions are required for an issue such as this, | :40:53. | :40:58. | |
short-term fixes simply We need to be constantly aware - | :40:59. | :41:01. | |
let us learn from that Thank you very much. I call Liam | :41:02. | :41:08. | |
McArthur, Mr McArthur, please. Dr Christopher Frei, | :41:09. | :41:23. | |
Secretary General of the World Energy Council said 12 | :41:24. | :41:25. | |
months ago: "We're in the Stone Age | :41:26. | :41:26. | |
of cyber security." He went on to add that: "Real | :41:27. | :41:28. | |
learning will only come Whether the recent global | :41:29. | :41:31. | |
cyberattack will act as a catalyst for the real learning that Dr Frei | :41:32. | :41:35. | |
talked about remains to be seen, but it is abundantly obvious, | :41:36. | :41:38. | |
as all speakers have acknowledged, that this is an area that | :41:39. | :41:41. | |
will demand far greater attention in future than it has perhaps | :41:42. | :41:43. | |
commanded to date. In that context, I welcome | :41:44. | :41:47. | |
the opportunity to take part in this debate on creating a cyber-resilient | :41:48. | :41:50. | |
Scotland and I confirm that the Scottish Liberal Democrats | :41:51. | :41:55. | |
will support the Government's motion Unfortunately, due to a funeral | :41:56. | :41:59. | |
back in my constituency, I will be unable to stay | :42:00. | :42:03. | |
until the end of the debate and for that I apologise to you, | :42:04. | :42:06. | |
Presiding Officer, to the cabinet John Swinney's motion makes | :42:07. | :42:09. | |
a number of important points about the serious threats that | :42:10. | :42:16. | |
are posed and the need for far greater vigilance on the part | :42:17. | :42:19. | |
of individuals and organisations, and he reinforced those | :42:20. | :42:21. | |
points in his remarks. I also welcome the amendments that | :42:22. | :42:24. | |
were lodged by Jamie Greene and Claire Baker, which helpfully | :42:25. | :42:27. | |
reinforce the need to improve the way in which we report | :42:28. | :42:29. | |
on and capture the scale of cybercrimes, as well as | :42:30. | :42:32. | |
the importance of building resilience across our public | :42:33. | :42:35. | |
services and ensuring the closest possible working | :42:36. | :42:38. | |
and co-operation between the UK and Scottish Governments | :42:39. | :42:42. | |
and their partners. Without those elements at the core, | :42:43. | :42:45. | |
our collective ambition to create a safe, secure, | :42:46. | :42:47. | |
prosperous and cyber-resilient Scotland will inevitably | :42:48. | :42:51. | |
be frustrated. In the brief time available to me, | :42:52. | :42:54. | |
I will concentrate my remarks It is worth acknowledging | :42:55. | :42:57. | |
at the start that there are two There is that that uses computer | :42:58. | :43:05. | |
software as the tool and the end target for attacks, | :43:06. | :43:09. | |
such as the recent ransomware attack that caused so much disruption, | :43:10. | :43:11. | |
notably across our health service - I pay tribute to those | :43:12. | :43:15. | |
in the health service There is also cyber-enabled crime, | :43:16. | :43:17. | |
which uses computers simply as a conduit for criminal activities | :43:18. | :43:23. | |
that also take place offline, such as identity theft | :43:24. | :43:26. | |
and money laundering. It is safe to say that cyberattacks | :43:27. | :43:29. | |
across the board have been Unfortunately, we appear some way | :43:30. | :43:32. | |
short of being able to assess the true extent and scale | :43:33. | :43:36. | |
of those attacks. As Her Majesty's inspectorate | :43:37. | :43:41. | |
of constabulary in Scotland highlighted in its crime audit last | :43:42. | :43:43. | |
year, "There is currently no comprehensive data on the extent | :43:44. | :43:45. | |
of cyber-enabled crime in Scotland." It went on to recommend that | :43:46. | :43:49. | |
Police Scotland develop the ability to tag all incidents and crimes that | :43:50. | :43:52. | |
have a cyber element and that it assess the demands | :43:53. | :43:56. | |
on policing in Scotland. Since HMICS carried out its audit, | :43:57. | :44:00. | |
it has acknowledged that police officers have now been instructed | :44:01. | :44:02. | |
to tag crime reports with cybercrime markers, | :44:03. | :44:06. | |
but that still does not appear to extend to | :44:07. | :44:09. | |
cyber-related incidents. Indeed, as recently as November last | :44:10. | :44:12. | |
year, the Cabinet Secretary for Justice acknowledged in response | :44:13. | :44:15. | |
to a parliamentary question from me that, | :44:16. | :44:17. | |
"work is required to improve He also acknowledged that work | :44:18. | :44:19. | |
is needed on the way in which such crime is defined, | :44:20. | :44:27. | |
recorded and reported. We are not clear on the extent | :44:28. | :44:29. | |
to which Police Scotland's failed i6 programme is inhibiting the force's | :44:30. | :44:32. | |
ability to track and It has certainly deprived | :44:33. | :44:34. | |
Police Scotland of the cost savings promised by ministers at the time | :44:35. | :44:39. | |
of the merger of the previous forces, and that in itself will make | :44:40. | :44:42. | |
more difficult the task of matching police resources to the scale | :44:43. | :44:45. | |
of the cyber challenge. The Scottish crime recording board | :44:46. | :44:49. | |
has been asked to consider the extent to which current crime | :44:50. | :44:51. | |
recording practice adequately captures the scale of cyber-enabled | :44:52. | :44:54. | |
sexual crime and victimisation, particularly for children | :44:55. | :44:59. | |
and young people. It would be helpful | :45:00. | :45:02. | |
if the Justice Secretary, in concluding the debate, | :45:03. | :45:04. | |
updated Parliament in that regard. In the meantime, we perhaps need | :45:05. | :45:07. | |
to take care in talking about lower levels of crime overall | :45:08. | :45:11. | |
if we are still unsure about the extent to which there has | :45:12. | :45:14. | |
been a shift online Even now, there seems to be enough | :45:15. | :45:17. | |
evidence to suggest something of a displacement effect, | :45:18. | :45:21. | |
with all the challenges that that presents through issues | :45:22. | :45:27. | |
such as identification, As I said, John Swinney | :45:28. | :45:28. | |
is absolutely right to emphasise the need for increased vigilance | :45:29. | :45:33. | |
and care on the part of individuals. We all have a responsibility to do | :45:34. | :45:36. | |
what we can to protect ourselves, albeit that some will inevitably | :45:37. | :45:40. | |
need more help in achieving At the same time, however, | :45:41. | :45:43. | |
the way in which Government and public bodies treat personal | :45:44. | :45:48. | |
data and information requires Mr Swinney will be aware | :45:49. | :45:50. | |
of the concerns that Scottish Liberal Democrats had | :45:51. | :45:54. | |
about the Scottish Government's recent plans to create | :45:55. | :45:57. | |
a superidentification database. Those concerns were shared | :45:58. | :45:59. | |
by independent experts It is not acceptable to sacrifice | :46:00. | :46:01. | |
personal data in the interests of administrative efficiency, | :46:02. | :46:06. | |
so I very much welcome the recent There seems to be growing | :46:07. | :46:08. | |
recognition of the importance of the issue among organisations | :46:09. | :46:14. | |
and businesses. However, as the Association | :46:15. | :46:18. | |
of British Insurers points out in its briefing, | :46:19. | :46:20. | |
although awareness levels among businesses about cybersecurity | :46:21. | :46:21. | |
are high, only around half of them have the basic technical | :46:22. | :46:24. | |
controls necessary. Moreover, although preventing such | :46:25. | :46:27. | |
attacks has to be the priority, when they occur, it is imperative | :46:28. | :46:30. | |
that organisations and businesses have the advice, support | :46:31. | :46:33. | |
and wherewithal to recover Not surprisingly, the ABI makes | :46:34. | :46:35. | |
the case for the benefits of cyberinsurance, but it is worth | :46:36. | :46:40. | |
acknowledging, as the Government did in its 2015 strategy, | :46:41. | :46:44. | |
that we are fortunate in the UK to have an innovative cybersecurity, | :46:45. | :46:47. | |
goods and services industry that can help us to meet demand not just | :46:48. | :46:51. | |
here, but globally. For that reason, I hope | :46:52. | :46:55. | |
that the Government will agree that it is in all our interests | :46:56. | :46:57. | |
to ensure that that sector, alongside the work being done | :46:58. | :47:00. | |
in our world-class research In an increasingly digital age, | :47:01. | :47:02. | |
our future prosperity depends on our ability, | :47:03. | :47:09. | |
individually and collectively, to embrace and make the most | :47:10. | :47:11. | |
of digital technologies. Although those technologies | :47:12. | :47:14. | |
open up a bewildering array of opportunities, | :47:15. | :47:18. | |
so too do they Preventing risk completely | :47:19. | :47:20. | |
is as impossible in the digital arena as it is anywhere else, | :47:21. | :47:24. | |
but we can and must minimise the risks by raising | :47:25. | :47:28. | |
awareness, being vigilant I welcome the opportunity | :47:29. | :47:31. | |
for Parliament to reinforce Thank you, Mr McArthur. I call | :47:32. | :47:36. | |
Clare Adamson. I declare an interest as a member | :47:37. | :47:48. | |
of the British Computer Society, and I associate myself | :47:49. | :47:51. | |
with my colleagues' remarks on the appalling incident | :47:52. | :47:53. | |
in Manchester this week. Richard Phillips Feynman | :47:54. | :47:56. | |
was an American theoretical physicist who was known as a pioneer | :47:57. | :47:59. | |
of quantum mechanics and quantum computing, and for introducing | :48:00. | :48:03. | |
the concept of nanotechnology. He was also awarded | :48:04. | :48:07. | |
the Nobel medal for physics. During his lifetime, | :48:08. | :48:12. | |
Mr Feynman became one of the best-known scientists | :48:13. | :48:15. | |
in the world, and the British journal Physics World ranked him | :48:16. | :48:18. | |
as one of the ten greatest He assisted in the development of | :48:19. | :48:21. | |
the atomic bomb during World War II and in the 1980s he became | :48:22. | :48:33. | |
widely known to the public as a member of the Rogers | :48:34. | :48:35. | |
commission, which investigated the Challenger space | :48:36. | :48:38. | |
shuttle disaster. I would like to highlight Mr | :48:39. | :48:39. | |
Feynman's experience at Los Alamos To pass the time while working | :48:40. | :48:42. | |
on the Manhattan project, he grew As he was working on perhaps | :48:43. | :48:48. | |
the most sensitive project in human history, he took it upon himself | :48:49. | :48:53. | |
to probe the security around him. That was a cause of much | :48:54. | :48:59. | |
frustration and annoyance to the great and the good, | :49:00. | :49:02. | |
but he believed that he was providing a necessary | :49:03. | :49:05. | |
check to their balances. Today, we might describe Mr Feynman | :49:06. | :49:09. | |
as a friendly ethical hacker, but I am sure that his bosses | :49:10. | :49:12. | |
described him as something else. Richard Feynman did not | :49:13. | :49:17. | |
understand how to crack safes, but he knew how to break a security | :49:18. | :49:22. | |
system at its weakest point, If the Presiding Officer | :49:23. | :49:28. | |
will allow me, I will highlight just a few of the human vulnerabilities | :49:29. | :49:36. | |
that he exposed and detailed in his essay "Safecracker | :49:37. | :49:42. | |
Meets Safecracker". He said: "All the secrets | :49:43. | :49:46. | |
of the project, everything about the atomic bomb, | :49:47. | :49:50. | |
were kept in filing cabinets" that were locked with | :49:51. | :49:52. | |
three-pin padlocks, which of the first set of filing cabinets, | :49:53. | :49:55. | |
they were replaced. Mr Feynman discovered that | :49:56. | :50:04. | |
when the new cabinets were left open, it was easy to identify | :50:05. | :50:09. | |
the first two digits of the combination lock, indeed, | :50:10. | :50:13. | |
it was as easy as pie. After about two years | :50:14. | :50:16. | |
of practice in Los Alamos, he was able to do that | :50:17. | :50:19. | |
within seconds, and to do it on the Manhattan project safes, | :50:20. | :50:22. | |
which had the same locking mechanisms as some of | :50:23. | :50:27. | |
the filing cabinets. He discovered that when a safe | :50:28. | :50:31. | |
was left open, he could find out at least the first two digits | :50:32. | :50:36. | |
of its combination. He understood humans | :50:37. | :50:41. | |
as well, and he knew that, more often than not, | :50:42. | :50:44. | |
the combination would be significant Having got the first two digits, | :50:45. | :50:46. | |
he was able to look at significant dates for the people involved | :50:47. | :50:50. | |
and their family, and then guess He also knew that people | :50:51. | :50:53. | |
wrote down lock codes. Even if they used a cipher, | :50:54. | :51:00. | |
they would almost always use a common mathematical cipher, | :51:01. | :51:05. | |
which he could decipher because he He also discovered that people | :51:06. | :51:09. | |
frequently used the same combination Explaining this to a senior military | :51:10. | :51:15. | |
officer while visiting a uranium storage facility at | :51:16. | :51:30. | |
Oak Ridge, he explained the dangers of leaving | :51:31. | :51:31. | |
the cabinets and safes open. When he returned a few months later, | :51:32. | :51:33. | |
hoping to see new security measures in place, he discovered that he had | :51:34. | :51:37. | |
been identified as the problem. He was no longer allowed to be | :51:38. | :51:40. | |
left alone in a room and he was accompanied at all times, | :51:41. | :51:43. | |
but there was no instruction to keep But his most significant discovery, | :51:44. | :51:47. | |
which perturbed him because he thought that he had | :51:48. | :51:57. | |
discovered a safe-cracker, happened when he was asked to open | :51:58. | :51:59. | |
a safe that had been locked by a military commander who was no | :52:00. | :52:02. | |
longer on site and which needed It was his greatest challenge, | :52:03. | :52:05. | |
so he was very excited, but when he entered the room | :52:06. | :52:17. | |
he discovered that the safe had been After months and months of worry, | :52:18. | :52:21. | |
with attempts to work out what had happened and discussions | :52:22. | :52:25. | |
with the chap to get to the bottom of it, | :52:26. | :52:27. | |
eventually all was revealed. The default setting of the safe | :52:28. | :52:29. | |
when it was delivered by the manufacturer had never been | :52:30. | :52:31. | |
changed, and the technician knew That highlights issues around | :52:32. | :52:34. | |
passwords being reused, systems being left unsecured | :52:35. | :52:41. | |
and default settings being left. Anyone who was affected by the phone | :52:42. | :52:44. | |
hacking scandal knows how easily False sense of security | :52:45. | :52:54. | |
from having a physical safe in the corner or hearing that | :52:55. | :53:02. | |
little tick on antivirus software. Failure to implement the solutions | :53:03. | :53:10. | |
when the threat is revealed. All that tells us that, | :53:11. | :53:12. | |
if we do not understand the threat, The British Computer Society has | :53:13. | :53:15. | |
produced a number of leaders' Part two of the society's most | :53:16. | :53:21. | |
recent set is on security. There are five tips, | :53:22. | :53:28. | |
none of which is about computing. They are all about humans, | :53:29. | :53:32. | |
and they concern leadership from management, cybersecurity | :53:33. | :53:35. | |
policies, face-to-face delivery of training and a culture | :53:36. | :53:39. | |
of openness that allows people to admit when they | :53:40. | :53:42. | |
have made mistakes. It is a human problem that | :53:43. | :53:45. | |
requires a human solution. I call Three, to be followed by John | :53:46. | :53:57. | |
Finnie. As events this week so tragically | :58:00. | :54:03. | |
demonstrate, there are people who will wilfully seek to attack, | :54:04. | :54:05. | |
in various ways, individuals, communities, our services and | :54:06. | :54:08. | |
the nation's vital infrastructure. In the area of cybercrime, | :54:09. | :54:10. | |
it is increasingly apparent that threats and potential threats | :54:11. | :54:12. | |
are becoming ever-more organised What we saw happen ten days ago | :54:13. | :54:16. | |
was not a random or one-off attack on the nation's infrastructure; | :54:17. | :54:23. | |
rather, it was the result of a predetermined and, indeed, | :54:24. | :54:27. | |
determined act by organised forces. That is why our response | :54:28. | :54:30. | |
and preparedness to deal with such 11 health boards were affected, as | :54:31. | :54:33. | |
was the Scottish Ambulance Service. People were asked not to visit A&E | :54:34. | :54:42. | |
unless they needed urgent The response from the Scottish | :54:43. | :54:49. | |
Government was swift, although I fear that it | :54:50. | :54:52. | |
was too late. We had been warning | :54:53. | :55:03. | |
the Scottish Government for some time of the need for proper | :55:04. | :55:05. | |
preparedness on the part of Scottish public bodies to the growing | :55:06. | :55:08. | |
threat of cybercrime. In December 2016, freedom | :55:09. | :55:10. | |
of information requests found that more than half of our NHS boards had | :55:11. | :55:12. | |
been subject to ransomware attacks. At that time, we called for | :55:13. | :55:16. | |
an urgent review of cybersecurity. As recently as January, | :55:17. | :55:22. | |
there was a similar attack on Scotland's NHS staff, | :55:23. | :55:25. | |
with their details being hacked. On 25 January, ministers | :55:26. | :55:31. | |
were informed of that Again, we called for | :55:32. | :55:33. | |
a review of cybersecurity. My colleague Richard Simpson, | :55:34. | :55:43. | |
who is no longer in the Parliament, had regularly been asking questions | :55:44. | :55:47. | |
on cybersecurity, specifically Despite those questions, | :55:48. | :55:51. | |
it appears that little or no action has been taken | :55:52. | :55:59. | |
by the Cabinet Secretary It is also disappointing | :56:00. | :56:02. | |
that the Cabinet Secretary for Health and Sport is not | :56:03. | :56:10. | |
in the chamber, given that a direct attack was made | :56:11. | :56:13. | |
on our NHS infrastructure. I have a few specific | :56:14. | :56:17. | |
questions that I hope the Deputy First Minister can | :56:18. | :56:19. | |
address, and I would be happy to take interventions from him | :56:20. | :56:22. | |
if he wants to respond It is in all our interests | :56:23. | :56:26. | |
to get this right. First, why was the NHS | :56:27. | :56:30. | |
in Scotland adversely affected by the recent cyberattacks, | :56:31. | :56:34. | |
whereas the NHS in Wales was not? Why do we still have antiquated | :56:35. | :56:39. | |
computer systems in our public sector infrastructure | :56:40. | :56:43. | |
when we would not expect to have them in our homes, | :56:44. | :56:46. | |
in our parliamentary offices Why was pre-emptive action not | :56:47. | :56:51. | |
taken, as was done for example in Wales and which helped to prevent | :56:52. | :57:00. | |
the cyberattacks there? What specific warnings or advice has | :57:01. | :57:04. | |
the Cabinet Secretary issued to NHS Scotland to ensure that adequate | :57:05. | :57:09. | |
resilience against When was any such advice given | :57:10. | :57:11. | |
and, if it was given, will the Cabinet Secretary publish | :57:12. | :57:18. | |
it as it would be welcomed by other institutions that might also | :57:19. | :57:23. | |
face similar attacks? What additional resources has | :57:24. | :57:27. | |
the Scottish Government allocated in 2016-17 to specifically improve | :57:28. | :57:30. | |
security against cyberattacks on NHS Scotland, on Scottish Government | :57:31. | :57:36. | |
departments, and on all other agencies and organisations | :57:37. | :57:40. | |
for which the Scottish Government It would be interesting to know | :57:41. | :57:43. | |
whether any agency or department for which the Scottish Government | :57:44. | :57:50. | |
has responsibility has ever paid any ransom to those responsible | :57:51. | :57:54. | |
for ransomware attacks. What advice has the Scottish | :57:55. | :57:59. | |
Government issued on the required response to ransom demands | :58:00. | :58:02. | |
from those responsible for cyberattacks and will that | :58:03. | :58:05. | |
advice be published? It is clear for all to see | :58:06. | :58:11. | |
that the attack could have been prevented or less destructive | :58:12. | :58:15. | |
if we had been better prepared The past ten days have acted | :58:16. | :58:19. | |
as a wake-up call to us all. The Government has said that it | :58:20. | :58:31. | |
will develop a set of standards and guidelines, and I welcome that, | :58:32. | :58:36. | |
but I say with regret that doing it Surely we can all do | :58:37. | :58:39. | |
better than that. These are immediate attacks that | :58:40. | :58:44. | |
are affecting our institutions right now, so 18 months is too long | :58:45. | :58:48. | |
to wait before setting out I hope that the Cabinet Secretary | :58:49. | :58:52. | |
will address that point In its first three months, | :58:53. | :58:59. | |
the National Cyber Security Centre's chief executive officer reported | :59:00. | :59:04. | |
that the centre had handled It has also been reported | :59:05. | :59:07. | |
that the centre has blocked 34,550 potential attacks on Government | :59:08. | :59:12. | |
departments and members of the public in the past six | :59:13. | :59:15. | |
months, that is 200 cases a day. I do not think we should be | :59:16. | :59:26. | |
waiting 18 months We should also be quicker in moving | :59:27. | :59:30. | |
towards accreditation of all public sector organisations to make sure | :59:31. | :59:34. | |
that they have the essential minimum standards in place so that they can | :59:35. | :59:37. | |
respond in a much clearer I hope that the Deputy First | :59:38. | :59:40. | |
Minister and the Cabinet Secretary for Justice will address those | :59:41. | :59:47. | |
issues head on. I hope that they have listened | :59:48. | :59:51. | |
to my genuine concerns about what is happening | :59:52. | :59:55. | |
around our infrastructure, that we can end the catalogue of IT | :59:56. | :59:58. | |
failures that we have seen across the public sector, | :59:59. | :00:01. | |
and that we can focus and make sure that such attacks | :00:02. | :00:04. | |
do not happen again. | :00:05. | :00:08. |