Cyber Debate Scottish Parliament

The next item of business is the motion 5733 in the name of John

Swinney. Achieving a cyber resilient Scotland. I call on John Swinney. 12

minutes, please. Thank you, presiding officer. As we debate

cyber security today our thoughts are with those affected by the

despicable attack in Manchester. What has been emphasised over the

last few weeks with cyber attacks against the National Health Service

and Monday's attack is that we as an open society cannot prevent all

harmful instances occurring. It is simply not possible. Opportunities

have been and will unfortunately continue to be exploited by those

who have the determination, the will and the capability to do so. What we

must do is ensure we do not let such issues drive us away from living our

lives to the fullest and also taking the action that can involve

reasonable steps for any Government or as individuals to undertake to

understand the nature of these attacks. And to take reasonable

steps to prevent them from carrying. For those who are responsible, it is

our duty to ensure our arrangements are such that we can respond

effectively to prevent further harm and rigorously precede those who

cause -- seek to cause societal harm and bring them to justice in all

circumstances. Our focus on the saddening's to beat recognises the

urgency for everyone to secure this technology, data and networks from

the many threats that we face and proposes that citizens and

organisations must become more resilient, aware of the risks and be

able to respond and recover quickly from any kind of a cyber attack. On

the 12th of May, there was a global cyber attack, the impact of wit

effectively National Health Service across UK. The scale and speed of

this attack was unprecedented and it demonstrates the absolute urgency

for everyone to take steps to secure this technology, data and networks

from the many threats that we face online. If we are to realise

Scotland's full potential in the digital world and the opportunities

it offers two our citizens, businesses and organisations, there

we must also equally be aware of the new risks this environment presents

and be able to respond effectively. Of course. I thank you forgiving

way, he is quite correct response is vital, but so is prevention. One of

the key issues in the recent attack was the volume of Windows XP

installations in the health service. Does the Scottish Government have a

target date for removing Windows XP from the IT a state across Scottish

Government? I think the key question we have two addresses how do we

establish and maintain the most rigorous level of security possible

around all systems that are utilised? That is the key question

that has to be answered, because there may well be in certain

circumstances and appropriate use for some of the systems that Mr

Johnston refers to, but the crucial thing is that the security

arrangements have to be in place to ensure that the necessary

precautions are taken. I will talk in more detail about all of these

proportions. Fundamentally comic the key point I would say to Mr Johnston

is that there is an important of ensuring that at all stages we take

the necessary measures to address this point. If I look at some of

these steps that we do take already, clearly our policy approach and the

requirements we place on organisations are designed to

achieve exactly that objective. There can be little doubt that the

evolution of the Internet has been the most significant development of

our age. For business, digital transformation is ever present. It

has been a game changer, enabling increased efficiency and

international reach, expanding markets, capabilities and

opportunities. It has been and will continue to be a truly innovative

force driving economic element and prosperity. Never before has data

had such a value and in its digital form its availability, integrity and

security is critical to all businesses. Criminal exploitation of

the Internet is also growing rapidly, data is the target and

businesses and citizens have lots of that detail. Unlike physical risks,

cyber risks are much harder to grasp as criminals exploit both systems

and human vulnerabilities. Business leaders must be prepared for the

cyber threat and more importantly must ensure their organisations take

all steps possible to mitigate that threat. We are used to managing risk

in the digital age but we must also consider the cyber threat as another

business risk. Any business that successfully can demonstrate that it

has taken steps to respect. It is a strong position to grow in the

digital age. Organisations that can demonstrate their to cybercrime can

again a both a competitive advantage and increased consumer confidence.

Developing a cyber resilience as a core part of an organisation's

business strategy will ensure it continues to take full advantage of

the Internet age and flourish into the bargain. I am pleased to say the

Scottish Government and its partners are working together to build a

strong and cyber resilient Scotland. We are taking action to ensure we

are adequately prepared, but I want to be clear with Parliament this is

not something that Government can do alone. This is also the

responsibility of individuals and organisations, who need to take the

necessary steps to ensure that they keep safe and secure online. It has

been widely commented that 80% of cybercrime is indiscriminate and can

be prevented by getting the basics right. This includes keeping

software up-to-date, using proper antivirus software and making

regular system back-ups. These are simple measures that all users can

and should take. Often our technical defences are robust but are overcome

by the inadvertent actions of an individual. Clicking on a link to a

seemingly genuinely looking website or an infection potentially caused

by opening attachments. Social engineering is one of the simplest

ways of overcoming our technical defences. We should not blame users,

they are not the weakest link, as is often said, the RSN to assets, links

and attachments are common in the workplace and that's why they are

exploited. Part of our response must be to get the basics of online

security correct and this includes raising the knowledge and awareness

level of all of our citizens to the risks and the steps they can take to

reduce this. As we have learned from recent events, swift action in

coordination and sharing information limited the impact of the NHS

ransomware attack. However, we must also reflect upon this incident,

identified the license and shared these lessons with our partners so

we can help each other to put in place the appropriate and effective

measures to combat cyber crime. Since I published safe, secure and

prosperous, a cyber resilient strategy for Scotland back in

November 2015, the Scottish Government has committed to

providing strong leadership and direction to help our individuals,

businesses and organisations make the most of the online world. We

have laid the foundations to make Scotland a cyber resilient country,

we have achieved much already by focusing delivery on key strategic

priorities of leadership and partnership, awareness raising,

education, skills and professional development and research and

innovation. Let me outline to Parliament the focus of our work to

date. Thank you. Would the Cabinet Secretary agree that additional

availability of teaching computing skills at all levels of school would

help address some of these issues? Obviously, competing signs is an

integral part of the curriculum and it is part of education in some of

the early stages of primary education. I have seen various

coding and initiatives in primary schools involving primary three and

primary for pupils. I am firmly supportive of the importance of

ensuring young people at the earliest possible ages are exposed

to education on a computing. And it able to acquire the skills and

attributes that are necessary for them to prosper. Let me set out to

Parliament some of the focus of the work that's been undertaken as part

of the Government strategy that was launched in November 20 15. Firstly,

as part of the leadership effort we establish the National cyber

resilient leaders board in September 20 16th to try and forward and

implement the strategy across Scotland. That board is led by the

director of CBI Scotland and the board is made of key leaders from

across the public, private and third sectors who are providing strategic

direction across all of our sectors. Secondly, the digital Scotland

business excellence partnership has provided ?400,000 to help businesses

in Scotland improve their cyber resilient and work towards achieving

the cyber essential standard. We focused efforts on raising awareness

to cyber risk, since the beginning of this year we have developed a

joint cyber German occasions calendar which has been used by our

partners to provide a consistent message across the board and we are

linking closely in this work and this relates to Mr Green's and

maiming today with the UK National cyber aware campaign. In terms of

learning and skills, we have built cyber resilience into the curriculum

for excellence and are working to build it with an digital skills. We

are also looking at how we can fill the gaps that we currently have in

terms of the cyber security skills pipeline, particularly around

apprenticeships and the qualifications that are on offer. We

are working to build the capacity of cyber security research across

higher education in Scotland. The University of Edinburgh has recently

become an academic centre of excellence in cyber security

research. Acknowledged and endorsed by the National safe Bilic cyber

security centre. This work has been about ensuring we took early

preparations to ensure we well equipped as a country to meet the

challenges we now face. I want to acknowledge the tremendous efforts

of our national health service staff and the wider public sector in

responding to the recent attack that took place and providing assurances

around the security of their networks. It was considerable cross

sector engagement during this event and collaboration at this level is

an essential element and helps to demonstrate confidence in the public

sector's ability to respond to such acts. The investment the Government

is making in this area is specifically to support the

arrangement of hardware and software measures to prevent the Government's

ICT systems, infrastructure and data, to improve the Government's

network monitoring capabilities. To establish and expand a cyber

security operations centre and corporate education awareness and

training right across the board. We recognise that ultimately the focus

of our public sector work is about ensuring we can gain our citizens

trust and we move towards digital public services. With that outcome

in mind, we have established a cross sector Public grip on cyber

resilience. This is made up of technical and business expert from

central and local Government, from health, procurement, academia and

the third sector, all of them focused on putting in place the

necessary measures to protect the public sector ICT school Dodt

skills. It is essential across a range of different areas, whether

learning or skills or the role of the private sector, compliance with

the EU General data protection regulations by the security of our

critical infrastructure that we take effort any cohesive and coherent way

to ensure that we are equipped to make these challenges. That is the

focus of the Government strategy. That lies at the heart of the

approach we are taking and we are doing that in an engaged and

collaborative way with the private, third and public sectors to ensure

that Scotland is a country that's able to demonstrate cyber resilience

but is also able to use our cyber kick ability as a foundation for

economic opportunity in the years to move amendment... Thank you. Less

than two weeks ago, we witnessed one of the most severe coordinated cyber

attacks the world has ever seen. This attack was not isolated to

Scotland, nor the UK are our neighbours across the world reported

attacks on IT infrastructure, in some cases crippling their ability

to deliver public services. On our shores are at NHS network was head,

doctors could no longer access patient's files. The effects were

felt as hospitals were asking only urgent cases to come to a and E to

ease the pressure on them, appointments were cancelled,

operations were cancelled, GP surgeries unable to access records.

The so-called ransomware attack also targeted Germany's primary rail

link, Deutsche Bank and Spain's Telefonica. It is estimated that the

ransomware attack affected 230,000 computers and over 150 countries.

Europe described this attack is unprecedented in its scale. Make no

mistake, the events of the 12th of May 20 17th highlighted the

fragility of public IT infrastructure at the world over.

For all the benefits that economic digitalisation has brought us, the

shift online has opened up an emerging threat from the cybercrime

and cyber terrorism. Estimates from the Scottish business resilience

centre put the cost to the Scottish economy from cybercrime at ?393

million in the year 2015, 2016. Globally that figure could be well

over half a trillion US dollars. In fact, it has become such a threat

that the whole industry in a cyber insurance has sprung up in recent

years. The Scottish Conservatives will support any measures the

Scottish Government is taking to increase a resilience against

further attacks, for that reason we welcome the tone of the Government

motion today and will be supporting it this afternoon.

The Scottish Government made references to cybersecurity

and in its previous cyber-resilience strategy,

Nevertheless, in the light of the recent attacks,

we would like more detail on what specific action is being

taken to protect public services, utilities and large public networks.

In particular, we would like to know the monetary value

The UK Government has invested heavily in cybersecurity

and last year announced ?2 billion of investment.

A new national cybersecurity centre was set up to operate

out of London under the control of Government

It is there to assist businesses, Government bodies and academia

across the UK, including in Scotland, in times of need.

"The UK Government is leading the way with the cyber initiatives

However, the Government cannot protect the UK alone.

Businesses must understand the cyber threat their organisation faces

and take strong protective action themselves."

There is a shared responsibility on all of us to ensure

that we are prepared to deal with online threats.

Our amendment asks the Scottish Government to ensure

that it is having a proactive discussion with UK-wide enforcement

and intelligence agencies and Government bodies to ensure that

I will personally liaise with my UK Government counterpart to highlight

any areas in the Digital Economy Act 2017 pertaining to cybercrime

and online protection that are relevant to Scotland.

It is clear, in the aftermath of the ransomware attack,

that the evidence suggests that several hospitals did not install

the updates that they had received prior to the attack,

Daniel Johnson was right to probe into that further today by asking

if the Windows XP replacements or updates will take place

in our NHS, because a co-ordinated upgrade and end-of-life plan

is a necessary part of any large-scale IT project.

The public sector should be no different to mainstream

The European Commission's 2016 Digital Progress Report

highlighted that half the EU's population

access public services via online platforms.

That number will surely only continue to grow.

A crucial pillar in our preparedness against attacks is the understanding

In a digital world, we are not shielded by being an island.

A hacker in North Korea can attack a database in North Queensferry.

DigitalEurope, the digital industry's respected trade

body, recently said cybersecurity is important.

However the approach must be centered on better security

practices to defeat evolving threats in a global landscape.

The digital market is borderless and virtual and it is a workplace

like no other, in which there are invisible but tangible threats.

The Scottish Conservatives will support the Scottish Government's

current cybersecurity plans, but our support is conditional

on realistic and measurable plans being put in place.

We want the Scottish Parliament to be regularly informed of progress

and we want close collaboration between all Governments and agencies

to ensure that a truly UK-wide cybersecurity framework is in place.

We think Scotland could lead the charge against global cyberthreats

I say that because just last week another major Californian

cybersecurity firm announced that it will be opening a new office

in Belfast, which will create 120 new jobs in an already buoyant

cybersecurity and tech sector in that city.

They firm were attracted to Belfast by Invest Northern Ireland,

which gave it a ?780,000 grant towards the new venture.

Invest NI also recently awarded ?5.5 million to Queens University

to help to fund a new centre for secure IT, which

brings total investment in the centre to ?38 million.

Belfast is becoming the world's number one hub for cybersecurity,

data analytics, fintech and blockchain technology.

The skills that are required to fill those newly created posts

Although I appreciate the good work that is happening in Edinburgh,

why cannot it also happen in Glasgow or Dundee?

There must be more than words of goodwill and lip service paid

Targeted investment, a bank of suitably skilled workers

and a can-do Government attitude can and will have a material

and positive effect on the industry, and will open up real opportunities

Cybersecurity is so big in Northern Ireland right

now that the sector has a zero per cent unemployment rate.

While I let that potential sink in, I look forward to hearing

the Government's response to my comments and to listening

I now call Claire Baker to speak. Miss Baker, seven minutes, please.

The past few days have been very challenging

It is a critical, on-going situation and it is right that we prioritise

My thoughts are with all those families affected by the terrible

Turning to today's debate, we must ensure that we are as safe

To many politicians, cybersecurity is an area

in which it can often seem as if a different language

is being spoken, the same is true for much of the public.

As we heard in the recent debate on keeping children safe online,

the internet is central to modern life, and while it brings

many benefits, it also contains many risks.

Cyber-resilience is an important strategy in protecting

against vulnerability for individuals

The significant change to how we communicate,

how we do business and how we create systems has brought

considerable risks and we must always be vigilant.

As quick and easy as it is for an MSP to send

an email to a constituent, it can be just as quick and easy

to send malware or to find the one weak spot among millions

I appreciate that, following the recent

ransomware attack on our NHS, the Government has been active

in helping businesses and organisations, but today's

debate appears to be reactive rather than proactive.

Although a specific attack on a specific target

is difficult to predict, the threat of such an attack is not.

I appreciate the recent update from the Government

on the extraordinary meeting of the national cyber-resilience

leaders board, but should such meetings always have

The Scottish Government published their Safe,

Secure and Prosperous: Cyber Resilience Strategy

We are now two years into the five-year strategy,

and it is clear that the recent attack on the NHS represents

a setback to confidence in the security of information

Although I will support the Government's motion

and am inclined to support the Conservatives' amendment,

which welcomes the strategies of the UK and Scottish Governments,

I want to mention the recent report of the UK Parliament's

Public Accounts Committee, which said that the UK Government

needs to raise its game in this area and described significant

skills shortages and the chaotic handling of personal data.

In Scotland, we have the well-documented problems with i6

at Police Scotland and at NHS 24, which raise questions

I appreciate that the Government has committed to providing a public

sector action plan that will develop a set of guidelines and standards

However, as our amendment makes clear, investment is necessary

to ensure that we can withstand future attacks.

Improvements in infrastructure, investment in expertise and advice

and the capability to build resilience all take resources,

and it is difficult for our public services to prioritise

when there is so much pressure on service delivery.

The national cyber-resilience leaders board's action plan is due

to be approved by ministers in June, and I hope that Parliament

will have the opportunity to scrutinise and monitor

When it comes to cyberattacks, we in Scotland must not stand alone.

We need to work across the UK and beyond to understand potential

threats, to learn from best practice and to halt attacks

That process must begin with the recent attack on our NHS.

We must ask why our hospitals and health centres were affected

Did Wales take better pre-emptive action?

Did the Scottish Government provide adequate instructions

on cybersecurity prior to the attack?

Was the issue given sufficient priority around the Cabinet table?

I hope that those questions will be addressed by the Government

According to the Government's strategy,

cyber resilience is being able to prepare for, withstand,

rapidly recover and learn from deliberate attacks

or accidental events in the online world.

With the attack on the NHS, we know that Scotland is not yet

fully prepared to withstand such attacks and, although

it has appeared to recover and deserves credit for that,

we must now ensure that we are able to learn.

The world is increasingly moving online.

From socialising to shopping and learning to leisure,

the public, old as well as young, are conducting large parts

As local politicians, we know that many high street banks

are closing, with the argument made that most transactions

That is true for our businesses and organisations, millions

of pounds worth of transactions take place online every day.

Cybercrime is a threat that we are all aware of,

but it is also one that we believe to be underreported.

It can be prevented if the right security,

firewalls and precautions are in place, but computers,

data and personal details are often left inadvertently exposed.

We would not leave the front door or the car unlocked,

but computer systems are left wide open in exactly that way.

As part of my research for the debate, I found out that

Britain ranks below Brazil, South Africa and China

when it comes to keeping phones and laptops secure,

Around 80% of cybercrime can be prevented if we just

That involves having strong passwords, downloading,

installing and crucially updating security, protecting our

mobile devices and wireless networks and being aware

of suspicious emails, which often claim to be

As much as we must look to individuals and businesses

to take responsibility, we must ensure that here in Scotland

we have the resources to tackle such crimes once they take place.

We are currently in the middle of the policing 2026 strategy,

and cybersecurity is one of the major challenges

We need to ensure that the right people are being recruited

There is a clear need for a balanced workforce in our policing,

and efforts to tackle cybercrime would benefit from that.

We also need the best minds - for example,

the recent NHS situation was resolved by a self-taught

such people can work with Police Scotland

to support our agencies in being cyber-resilient and able

Last year, I visited the Scottish crime campus at Gartcosh,

which is a world-leading facility hosting specialist crime fighters.

It is proof of what can be achieved by setting high-quality,

highly skilled jobs alongside the right resources,

but, as we know, Police Scotland is facing a significant

We need to ensure that all our public services from the NHS,

which was attacked earlier this month, to Police Scotland

all have the proper resources and investment to withstand,

Finally, partnership is so important, and the Scottish

Government must work with the UK Government and other devolved

assemblies and agencies throughout the UK to ensure

that we have the capabilities, the knowledge and the resources

to keep us all safe and secure online.

Thank you very much. I've moved to the open debate. Mr Stevenson,

please. On 9th February 1984, we saw

the launch of the first real-time, high-value money

transfer system, CHAPS. I was the project manager

for the Bank of Scotland, which was the first bank

ready to implement. I well remember our excitement later

that year when we made our first real-time, irrevocable

payment of over ?1 billion. By 2011, the system had

processed ?1 quadrillion In other words, a thousand

million million pounds, To secure the transactions,

I had to gain permission from the US Department of Defense

and sign my life away to use what was categorised

as weapons-grade encryption It operated from within a black box

that self-destructed if someone attempted to open it

to examine its contents. The technology was,

and is, as secure as one and the objective today should be

to ensure that every business and individual is in possession

of similarly impenetrable security. We are, but we do not

all choose to implement it. My point, however, is that

even if we do so, we do not necessarily use it in a way that

allows it to be as secure For the most part, it is not

the technology that fails, "Citizens, we must be

aware of the risks." Indeed, in his opening remarks,

John Swinney said that this should not be the responsibility

of the Government alone. The history of human failure

to properly use secure data systems 2,000 years ago, slaves

had their heads shaved. A message was written

on their scalp; the hair grew back; and the slave and the message

were sent elsewhere. That was all well and good,

until people realised what Having a secret method

provides no real security, Indeed, effective data security

systems rely on their having been published and scrutinised to confirm

that their methods are sound. However, we need to keep the keys

secret and change them frequently. In the 16th century,

Mary Queen of Scots used a two-cover system to protect

her confidential messages. The first was a secure box

with two locks and a key for each - she had one key,

while the other was held by the recipient, and no-one else

had access to either key. Mary put her message in the box,

she locked it and then it went to the recipient,

who used his key to lock his lock. The box came back to Mary,

who unlocked her lock, and went back to the recipient,

who unlocked his. It was a secure system

for transmitting a message from A to B in the 16th century,

because nobody shared the key The second aspect of the system

was encryption of the message inside the box through

a letter-substitution system. However, that is

where Mary fell down. She thought that the system

was totally secure, because transmission was secure,

but when the message came out of the box,

she forgot that it was now a bit of paper that was available

to anyone who might be passing. Queen Elizabeth I picked

up one of her messages and was able to unscramble it,

and it formed part of the evidence at Mary Queen of Scots' trial,

which caused her to be executed. Napoleon had le grande

chiffre - the great code. Common letters of the alphabet

were not always coded in the same way, so that people could not break

it by analysing frequency. However, encoders started to use

some of the spare codes over and over again,

as place names for where the fighting was, in order

to save time and effort. Wellington's code-breaker was a guy

called George Scovell and, because of the weak way

in which that good system was used, When Wellington got to the battle

of Waterloo, he knew what Napoleon's plans were and that led to the end

of an empire. The Enigma machine,

which the Germans thought was unbreakable until 1945,

was actually broken Bletchley Park broke a later,

improved version because, every day at 6am, the Germans sent

out an encrypted weather forecast. The fact that it was in the same

format and at the same time every day enabled people at Bletchley Park

to break what should have been a very secure system, of course,

they had to do lots of other good Most of us know how to drive a car,

but rather fewer of us know how the mechanical bits work or how

to fix them when they fail. Most of us also know how to use

a computer and perhaps even use the security functions that

are provided with it. However, as with a car,

if we do not get an expert to service it regularly or to fix it

when it fails, disaster will loom. All businesses should have

regular security check-ups. They will not be free,

but the cost of not doing them It is like insurance -

it is a product that a business cannot just buy when it wants it,

when its reputation is trashed and its customers have flown,

paying a little bit once a year My final example of a security

problem is from the modern world. I bought a good-quality second-hand

car, as I usually do, and it had all the gadgets,

including a Bluetooth That is good technology,

but an unaware previous owner of my car had left his phone's

entire contact list Do members realise that

they could do that, too? I am a good guy and I deleted it,

but suppose the chief executive... You are such a good guy that

you have to wind up now, intriguing though this is,

Mr Stevenson. In that case, Presiding Officer,

let me caution chief executives and chairmen of companies not to use

Bluetooth in their cars unless they know how to delete

data from the memory. I am a good guy and I deleted it,

but not everybody is as honest Oh my goodness, Mr Stevenson,

I cannot wait for your book to come out: Facts You Didn't Know But I'm

Going to Tell You Anyway. I refer to my entry in the register

of members' interests and the fact that I am on the board of two

companies that invest It is significant that, on a day

when we are all still digesting the horrific news of a violent

physical attack on our country, we are debating the need to protect

ourselves from cyberattacks. The Deputy First Minister mentioned

that, and I entirely Although nothing can surpass

the tragic loss of so many innocent lives that Manchester witnessed,

it seems to me that one of the greatest challenges

that we face as a society is the sheer number

and variety of threats Our enemies come in many forms,

from the deadly and murderous suicide bomber of Monday night

to the sophisticated The ransomware attack on IT systems,

which affected some 200,000 computers across 150 countries,

was certainly one of the most unprecedented attacks

that we have ever seen. My comments will concentrate

on our NHS, the attack on which was nothing short

of spiteful, especially given the delays to patients'

treatment across the UK, In Scotland, we were relatively

lucky in that only 1% of electronic devices were affected

and the number of people whose operations required to be

rescheduled was minimal. However, any delay to an operation,

appointment or treatment as a result of the attack was frustrating,

to say the least. 13 health boards were affected,

and some GP surgeries. The Cabinet Secretary for Health

and Sport swiftly made a statement last week,

and I am grateful for the clear manner in which she

presented the known facts. Like her, I welcome the fact

that there have been no reports I would also like to pay tribute

to the IT staff in the NHS who worked extraordinarily hard

to get all the affected systems As was reported last week,

very few people knew how to fix the problem,

but it is a testament to those who were able

to overcome it that they did I also want to thank our front-line

NHS staff, who carried on serving the public as normal even if it

meant a lesser reliance on IT The Health and Sport Committee

heard yesterday from the Scottish Ambulance Service

that there had been no operational impact and no loss of patient data

during or after the attack. It is plain that there are several

aspects of the attack that need to be tackled,

in order to ensure that future attacks can be thwarted

as early as possible. Naturally, we cannot expect

to prevent every attack, but as our reliance on various forms

of IT continues to grow, so too The cyberattack could have been far,

far worse, and it is clear that we need to do more to ensure

that our IT systems in the NHS are up to date and that we can

respond to future attacks According to the Scottish

Business Resilience Centre, cybercrime cost Scotland around

?394 million in 2015-16. It is an exceptionally lucrative

market for those who know how to code and wish

to use their talents That is why we need to be on guard,

but we also need people within our NHS and the wider public

and private sector who possess the relevant skills to combat

attacks, as and when they happen. That in turn requires people

who are able to stress-test IT systems continually,

so that they are protected from I am sure that others, like me,

received an interesting briefing from the University of Abertay

on that point. It said that defensive cybersecurity

is already fairly well established in both undergraduate

and postgraduate programmes at university, with skills

such as cryptography and intrusion-prevention

being taught. However, it points out that

offensive cybersecurity courses are not as common,

and that there is a real need to consider investing in that

particular avenue of learning. It says, quite simply, that,

"the best way to catch a thief While it is clear that major ethical

questions will arise, particularly in giving

a new generation the skills and abilities to hack maliciously,

degree programmes such as that might help to fill a skills

vacancy that is all too evident across Scotland,

Britain and the wider world. Turning back to the NHS,

I will focus on why the issues that I have mentioned

are particularly pertinent. We know that many of our NHS health

boards continue to use out-of-date software,

which in many cases cannot be updated for fear of having

a negative impact on the technology that is used to serve and heal

patients, such as magnetic That software, and that updating,

needs to be reviewed. The Cabinet Secretary for Health

and Sport stated last week that she would seek to ascertain

whether health boards have regular It would be interesting

to understand whether that is indeed the case, and I hope

that the cabinet secretary will report back to Parliament

with an update on that It is abundantly clear that

lessons need to be learned. Now is not the time for political

posturing on the issue, but for all of us to debate,

as we have, the actions that are required to ensure that such

incidents are dealt with swiftly without causing public

fear and panic. We must take every precaution

possible to protect one of the most Fundamentally, I believe that

long-term solutions are required for an issue such as this,

short-term fixes simply We need to be constantly aware -

let us learn from that Thank you very much. I call Liam

McArthur, Mr McCarthy, please. Dr Christopher Frei,

Secretary General of the World Energy Council said 12

months ago: "We're in the Stone Age

of cyber security." He went on to add that: "Real

learning will only come Whether the recent global

cyberattack will act as a catalyst for the real learning that Dr Frei

talked about remains to be seen, but it is abundantly obvious,

as all speakers have acknowledged, that this is an area that

will demand far greater attention in future than it has perhaps

commanded to date. In that context, I welcome

the opportunity to take part in this debate on creating a cyber-resilient

Scotland and I confirm that the Scottish Liberal Democrats

will support the Government's motion Unfortunately, due to a funeral

back in my constituency, I will be unable to stay

until the end of the debate and for that I apologise to you,

Presiding Officer, to the cabinet John Swinney's motion makes

a number of important points about the serious threats that

are posed and the need for far greater vigilance on the part

of individuals and organisations, and he reinforced those

points in his remarks. I also welcome the amendments that

were lodged by Jamie Greene and Claire Baker, which helpfully

reinforce the need to improve the way in which we report

on and capture the scale of cybercrimes, as well as

the importance of building resilience across our public

services and ensuring the closest possible working

and co-operation between the UK and Scottish Governments

and their partners. Without those elements at the core,

our collective ambition to create a safe, secure,

prosperous and cyber-resilient Scotland will inevitably

be frustrated. In the brief time available to me,

I will concentrate my remarks It is worth acknowledging

at the start that there are two There is that that uses computer

software as the tool and the end target for attacks,

such as the recent ransomware attack that caused so much disruption,

notably across our health service-I pay tribute to those

in the health service There is also cyber-enabled crime,

which uses computers simply as a conduit for criminal activities

that also take place offline, such as identity theft

and money laundering. It is safe to say that cyberattacks

across the board have been Unfortunately, we appear some way

short of being able to assess the true extent and scale

of those attacks. As Her Majesty's inspectorate

of constabulary in Scotland highlighted in its crime audit last

year, "There is currently no comprehensive data on the extent

of cyber-enabled crime in Scotland." It went on to recommend that

Police Scotland develop the ability to tag all incidents and crimes that

have a cyber element and that it assess the demands

on policing in Scotland. Since HMICS carried out its audit,

it has acknowledged that police officers have now been instructed

to tag crime reports with cybercrime markers,

but that still does not appear to extend to

cyber-related incidents. Indeed, as recently as November last

year, the Cabinet Secretary for Justice acknowledged in response

to a parliamentary question from me that,

"work is required to improve He also acknowledged that work

is needed on the way in which such crime is defined,

recorded and reported. We are not clear on the extent

to which Police Scotland's failed i6 programme is inhibiting the force's

ability to track and It has certainly deprived

Police Scotland of the cost savings promised by ministers at the time

of the merger of the previous forces, and that in itself will make

more difficult the task of matching police resources to the scale

of the cyber challenge. The Scottish crime recording board

has been asked to consider the extent to which current crime

recording practice adequately captures the scale of cyber-enabled

sexual crime and victimisation, particularly for children

and young people. It would be helpful

if the Justice Secretary, in concluding the debate,

updated Parliament in that regard. In the meantime, we perhaps need

to take care in talking about lower levels of crime overall

if we are still unsure about the extent to which there has

been a shift online Even now, there seems to be enough

evidence to suggest something of a displacement effect,

with all the challenges that that presents through issues

such as identification, As I said, John Swinney

is absolutely right to emphasise the need for increased vigilance

and care on the part of individuals. We all have a responsibility to do

what we can to protect ourselves, albeit that some will inevitably

need more help in achieving At the same time, however,

the way in which Government and public bodies treat personal

data and information requires Mr Swinney will be aware

of the concerns that Scottish Liberal Democrats had

about the Scottish Government's recent plans to create

a superidentification database. Those concerns were shared

by independent experts It is not acceptable to sacrifice

personal data in the interests of administrative efficiency,

so I very much welcome the recent There seems to be growing

recognition of the importance of the issue among organisations

and businesses. However, as the Association

of British Insurers points out in its briefing,

although awareness levels among businesses about cybersecurity

is high, only around half of them have the basic technical

controls necessary. Moreover, although preventing such

attacks has to be the priority, when they occur, it is imperative

that organisations and businesses have the advice, support

and wherewithal to recover Not surprisingly, the ABI makes

the case for the benefits of cyberinsurance, but it is worth

acknowledging, as the Government did in its 2015 strategy,

that we are fortunate in the UK to have an innovative cybersecurity,

goods and services industry that can help us to meet demand not just

here, but globally. For that reason, I hope

that the Government will agree that it is in all our interests

to ensure that that sector, alongside the work being done

in our world-class research In an increasingly digital age,

our future prosperity depends on our ability,

individually and collectively, to embrace and make the most

of digital technologies. Although those technologies

open up a bewildering array of opportunities,

so too do they Preventing risk completely

is as impossible in the digital arena as it is anywhere else,

but we can and must minimise the risks by raising

awareness, being vigilant I welcome the opportunity

for Parliament to reinforce Thank you, Mr McCarter. I call

Claire Adamson. I declare an interest as a member

of the British Computer Society, and I associate myself

with my colleagues' remarks on the appalling incident

in Manchester this week. Richard Phillips Feynman

was an American theoretical physicist who was known as a pioneer

of quantum mechanics and quantum computing, and for introducing

the concept of nanotechnology. He was also awarded

the Nobel medal for physics. During his lifetime,

Mr Feynman became one of the best-known scientists

in the world, and the British journal Physics World ranked him

as one of the ten greatest He assisted in the development of

the atomic bomb during World War II and in the 1980s he became

widely known to the public as a member of the Rogers

commission, which investigated the Challenger space

shuttle disaster. I would like to highlight Mr

Feynman's experience at Los Alamos To pass the time while working

on the Manhattan project, he grew As he was working on perhaps

the most sensitive project in human history, he took it upon himself

to probe the security around him. That was a cause of much

frustration and annoyance to the great and the good,

but he believed that he was providing a necessary

check to their balances. Today, we might describe Mr Feynman

as a friendly ethical hacker, but I am sure that his bosses

described him as something else. Richard Feynman did not

understand how to crack safes, but he knew how to break a security

system at its weakest point, If the Presiding Officer

will allow me, I will highlight just a few of the human vulnerabilities

that he exposed and detailed in his essay "Safecracker

Meets Safecracker". He said: "All the secrets

of the project, everything about the atomic bomb,

were kept in filing cabinets" that were locked with

three-pin padlocks, which of the first set of filing cabinets,

they were replaced. Mr Feynman discovered that

when the new cabinets were left open, it was easy to identify

the first two digits of the combination lock, indeed,

it was as easy as pie. After about two years

of practice in Los Alamos, he was able to do that

within seconds, and to do it on the Manhattan project safes,

which had the same locking mechanisms as some of

the filing cabinets. He discovered that when a safe

was left open, he could find out at least the first two digits

of its combination. He understood humans

as well, and he knew that, more often than not,

the combination would be significant Having got the first two digits,

he was able to look at significant dates for the people involved

and their family, and then guess He also knew that people

wrote down lock codes. Even if they used a cipher,

they would almost always use a common mathematical cipher,

which he could decipher because he He also discovered that people

frequently used the same combination Explaining this to a senior military

officer while visiting a uranium storage facility at

Oakridge, he explained the dangers of leaving

the cabinets and safes open. When he returned a few months later,

hoping to see new security measures in place, he discovered that he had

been identified as the problem. He was no longer allowed to be

left alone in a room and he was accompanied at all times,

but there was no instruction to keep But his most significant discovery,

which perturbed him because he thought that he had

discovered a safe-cracker, happened when he was asked to open

a safe that had been locked by a military commander who was no

longer on site and which needed It was his greatest challenge,

so he was very excited, but when he entered the room

he discovered that the safe had been After months and months of worry,

with attempts to work out what had happened and discussions

with the chap to get to the bottom of it,

eventually all was revealed. The default setting of the safe

when it was delivered by the manufacturer had never been

changed, and the technician knew That highlights issues around

passwords being reused, systems being left unsecured

and default settings being left. Anyone who was affected by the phone

hacking scandal knows how easily False sense of security

from having a physical safe in the corner or hearing that

little tick on antivirus software. Failure to implement the solutions

when the threat is revealed. All that tells us that,

if we do not understand the threat, The British Computer Society has

produced a number of leaders' Part two of the society's most

recent set is on security. There are five tips,

none of which is about computing. They are all about humans,

and they concern leadership from management, cybersecurity

policies, face-to-face delivery of training and a culture

of openness that allows people to admit when they

have made mistakes. It is a human problem that

requires a human solution. I call Three, to be followed by John

Finney. As events this week so tragically

demonstrate, there are people who will wilfully seek to attack,

in various ways, individuals, communities, our services and

the nation's vital infrastructure. In the area of cybercrime,

it is increasingly apparent that threats and potential threats

are becoming ever-more organised What we saw happen ten days ago

was not a random or one-off attack on the nation's infrastructure;

rather, it was the result of a predetermined and, indeed,

determined act by organised forces. That is why our response

and preparedness to deal with such 11 health boards were affected, as

was the Scottish Ambulance Service. People were asked not to visit A

unless they needed urgent The response from the Scottish

Government was swift, although I fear that it

was too late. We had been warning

the Scottish Government for some time of the need for proper

preparedness on the part of Scottish public bodies to the growing

threat of cybercrime. In December 2016, freedom

of information requests found that more than half of our NHS boards had

been subject to ransomware attacks. At that time, we called for

an urgent review of cybersecurity. As recently as January,

there was a similar attack on Scotland's NHS staff,

with their details being hacked. On 25 January, ministers

were informed of that Again, we called for

a review of cybersecurity. My colleague Richard Simpson,

who is no longer in the Parliament, had regularly been asking questions

on cybersecurity, specifically Despite those questions,

it appears that little or no action has been taken

by the Cabinet Secretary It is also disappointing

that the Cabinet Secretary for Health and Sport is not

in the chamber, given that a direct attack was made

on our NHS infrastructure. I have a few specific

questions that I hope the Deputy First Minister can

address, and I would be happy to take interventions from him

if he wants to respond It is in all our interests

to get this right. First, why was the NHS

in Scotland adversely affected by the recent cyberattacks,

whereas the NHS in Wales was not? Why do we still have antiquated

computer systems in our public sector infrastructure

when we would not expect to have them in our homes,

in our parliamentary offices Why was pre-emptive action not

taken, as was done for example in Wales and which helped to prevent

the cyberattacks there? What specific warnings or advice has

the Cabinet Secretary issued to NHS Scotland to ensure that adequate

resilience against When was any such advice given

and, if it was given, will the Cabinet Secretary publish

it as it would be welcomed by other institutions that might also

face similar attacks? What additional resources has

the Scottish Government allocated in 2016-17 to specifically improve

security against cyberattacks on NHS Scotland, on Scottish Government

departments, and on all other agencies and organisations

for which the Scottish Government It would be interesting to know

whether any agency or department for which the Scottish Government

has responsibility has ever paid any ransom to those responsible

for ransomware attacks. What advice has the Scottish

Government issued on the required response to ransom demands

from those responsible for cyberattacks and will that

advice be published? It is clear for all to see

that the attack could have been prevented or less destructive

if we had been better prepared The past ten days have acted

as a wake-up call to us all. The Government has said that it

will develop a set of standards and guidelines, and I welcome that,

but I say with regret that doing it Surely we can all do

better than that. These are immediate attacks that

are affecting our institutions right now, so 18 months is too long

to wait before setting out I hope that the Cabinet Secretary

will address that point In its first three months,

the national cybersecurity centre's chief executive officer reported

that the centre had handled It has also been reported

that the centre has blocked 34,550 potential attacks on Government

departments and members of the public in the past six

months, that is 200 cases a day. I do not think we should be

waiting 18 months We should also be quicker in moving

towards accreditation of all public sector organisations to make sure

that they have the essential minimum standards in place so that they can

respond in a much clearer I hope that the Deputy First

Minister and the Cabinet Secretary for Justice will address those

issues head on. I hope that they have listened

to my genuine concerns about what is happening

around our infrastructure, that we can end the catalogue of IT

failures that we have seen across the public sector,

and that we can focus and make sure that such attacks

do not happen again.