Scots cyber resilience plan

by Mark Rowe

Scotland’s public bodies should work towards becoming exemplars in cyber resilience. So says a Scottish Government ‘action plan’ that sets out the steps that Holyrood, Scottish public bodies and key partners will take to further cyber resilience. For the full 50-page document visit https://beta.gov.scot/publications/cyber-resilience-strategy-scotland-public-sector-action-plan-2017-18/.

In a foreword, John Swinney, Deputy First Minister, and Hugh Aitken, Chair of the National Cyber Resilience Leaders’ Board (NCRLB), say: “This Public Sector Action Plan, developed jointly by the Scottish Government and the NCRLB, represents an initial, significant step towards establishing that wider culture of cyber resilience in Scotland. While many Scottish public bodies already have sound standards of cyber security in place, our aim is for the Scottish public sector as a whole to become an exemplar in this field over time.” Further plans for the private and charity sectors are to follow.

Covered are governance, monitoring, ‘active defence’, CISP (Cyber Security Information Sharing Partnership), the supply chain, incident response, and training. As the document says, the CISP is run by the London-based NCSC (National Cyber Security Centre), and Scottish public bodies that manage their own networks are to become ‘active members’ of the NCSC.

As for procurement in the public sector in Scotland, the plan says it seeks to ‘develop guidance on the need for recipients of public grant funding to have in place appropriate, proportionate and risk-based cyber security’.

It admits that the WannaCry malware of May 12, 2017 ‘had an impact on some areas of the NHS in Scotland and England’, and ‘underlined the potential seriousness of the cyber threat. The NCSC assesses that the number and severity of cyber incidents affecting public (and private) sector organisations will continue to increase. These threats come from a variety of sources, including hostile state actors, cyber criminals, political activists and others.’

As for what makes up cyber security, the document acknowledges that physical and personnel security are ‘key to cyber resilience’. As for a definition, the document says that cyber resilience ‘means being able to prepare for, withstand, and rapidly recover and learn from deliberate attacks (or accidental events) that have a disruptive effect on interconnected technologies. Cyber security is a key element of being resilient, but cyber resilient people and organisations recognise that being safe online goes far beyond just technical measures. By building understanding of cyber risks and threats, they are able to take the appropriate measures to stay safe and get the most from being online’.

On what to do about cyber, the document does not go into specifics; it calls, for instance, for ‘coherent action’. It airs common security ideas: ‘in time, cyber resilience should be “baked into” Scottish public sector processes and infrastructure. It emphasises that cyber resilience is as much a cultural issue as a technical one’. Scotland’s public bodies are called on to ‘understand and manage the cyber threat at Board/Senior Management level, and take action to promote a culture of cyber security at all levels of the organisation’.

For more details visit www.gov.scot/cyberresilience.

© 2024 Professional Security Magazine. All rights reserved.