Scot Gov: Cyber Resilience Debate Analysis

Some analysis of the opening statement by the Scottish Government’s Deputy First Minister, John Swinney, during the “Safe, Secure and Prosperous: Achieving a Cyber-resilient Scotland” debate last week.

John Swinney Scottish National Party

“Our focus in this afternoon’s debate recognises the urgency for everyone to secure their technology, data and networks from the many threats that we face, and proposes that citizens and organisations must become more resilient, aware of the risks, and able to respond and recover quickly from any kind of cyberattack.”

The debate appears to be in response to WannaCrypt; it may have been planned in advance, I’m not sure. Regardless, it is good that cyber security is still very close to the top of the agenda for the Scottish Government.

Daniel Johnson Labour

“… our response is vital, but so is prevention. One of the key issues with the recent attack was … Windows XP … Does the Scottish Government have a target date for removing Windows XP from … across the Scottish Government?”

John Swinney Scottish National Party

“The key question that we have to address is how we establish and maintain the most rigorous level of security possible on all systems that are used. In certain circumstances, there may be an appropriate use for the systems to which Mr Johnson referred.
However, the crucial thing is that security arrangements must be in place to ensure that the necessary precautions are taken.”

Sounds like mitigation is king, which makes sense given the circumstances. But I also think there should be a plan to ensure that unsupported operating systems are replaced, a desktop replacement programme at the very least. NHS Scotland should act as a single entity to leverage the best deal during the procurement process.

It would be interesting to see what legacy requirements are dependent on Windows XP. I understand that some of the systems purchased by the NHS are long-term investments and that these systems may require the use of Windows XP, but I would hope that these considerations are taken into account when making such purchases. Would it be that hard or expensive to include clauses in contracts that require vendors to ensure that these systems are fully secure and supported throughout their entire lifecycle? How do other countries or private health care providers manage this? Is Linux a viable option in terms of procurement? Would this be any more secure anyway? What would the total cost of ownership be?

John Swinney Scottish National Party

“Any business that can successfully demonstrate that it has taken steps to protect its own and its customers’ data, as well as to respond to and bounce back from any cyberattack, is in a strong position to grow in the digital age. Organisations that can demonstrate their resilience to cybercrime can gain a competitive advantage and increased consumer confidence. Therefore, developing cyber-resilience as a core part of an organisation’s business strategy will ensure that the organisation continues to take full advantage of the internet age and to flourish into the bargain.”

Very high level, standard but sensible advice, echoing what we have seen from the UK government.

John Swinney Scottish National Party

“Social engineering is one of the simplest ways of overcoming our technical defences. We should not blame users. They are not the weakest link, as is often said; they are essential assets. Links and attachments are common in the workplace and that is why they are exploited. … Therefore, part of our response must be to get the basics of online security correct. That includes raising the knowledge and awareness of all our citizens about the risks and the steps that they can take to reduce them.”

Little bit of spin here. I think highlighting user education is right, and it would be interesting to see if there is some follow-up to the citizen awareness line at the end there. Some kind of government-sponsored education campaign to inform users of the risk of phishing, vishing and all its variants would be a helpful and quick win for everyone involved.

In saying this I also believe that businesses need to take responsibility and run their own education programs for their users. From personal experience I know user education lowers risk.

Dean Lockhart Conservative

“Does the cabinet secretary agree that additional availability of computing skills teaching at all school levels would help to address some of those issues?”

John Swinney Scottish National Party

“Obviously, computing science is an integral part of the curriculum, and it is part of some of the earliest stages of primary education. I have seen various coding initiatives in primary schools that have involved primary 3 and 4 pupils. I firmly support the importance of ensuring that young people are exposed at the earliest possible ages to computing education and that they are able to acquire the skills and attributes that are necessary for them to prosper.”

Some good initiatives here, and the Scottish Government has made great progress in this area (if anything, I think Mr Swinney underplayed some of the work being done). There is always more that can be done, however.

I gave a talk to some primary 3s and 4s recently, and most of the knowledge these kids had on cyber security focused around game hackers. One thing was undeniable, however: the kids were very enthusiastic, engaged and willing to learn.

I think having some cyber security on the curriculum for all students nationwide, for kids as young as 7 or 8, would be a great way to capitalise on this enthusiasm. It could be used to educate kids about the general dangers of being online at the same time.

There is a lot of impressive progress with older kids and young adults, especially in the further and higher education space, which has been supported by the Scottish Government. Only time will tell if it is enough.

John Swinney Scottish National Party

“The digital Scotland business excellence partnership has provided £400,000 to help businesses in Scotland to improve their cyber-resilience and work towards achieving the cyber essentials standard.”

Good to see the Scottish Government throw its weight behind this scheme. One of the things I like about this scheme is that it gives a target for some basic baseline security controls over a number of domains, as well as introducing a form of compliance for organisations that may not have any compliance requirements. I think external audits of any kind are great for sharpening the mind and focusing attention.

John Swinney Scottish National Party

“The Government’s investment in the area is specifically to support a range of hardware and software measures to protect its information and communications technology systems, infrastructure and data; to improve its network monitoring capabilities; to boost staffing in the area, which is vital in order to have the skills available to handle the challenges; to establish and expand a cybersecurity operations centre; and for corporate education awareness and training across the board.”

I like the idea of continuous monitoring and SoCs; they are definitely a good way to spot and prioritise cyber risks quickly. From my experience, though, there is a big skills gap in this area. Whether this is down to the explosion in the prevalence of SoCs or not, I do not know.

SoCs need to be implemented correctly if they are to work. There is no point in having a SoC if it isn’t running at operational maturity, and getting to maturity can be a painful process.

Many vendors now offer SoC as a service, which is a good way for private organisations to get access to a SoC’s capabilities without massive cost or having to endure the painful maturation process. I do not think this would be an option for the public sector, however, due to national security concerns. This could prove expensive, especially if a dedicated Scottish Government SoC was rolled out to all local government, schools, hospitals etc. I can see this one being fully outsourced. (Which, to be fair, is probably the best way to go about it.)

John Swinney Scottish National Party

“It is essential that, across a range of different areas—on learning and skills, on the role of the private sector, on compliance with the European Union general data protection regulation and on the securing of our critical infrastructure—we make cohesive and coherent efforts to ensure that we are equipped to meet the challenges.”

A wild GDPR reference appears. This is an area the government should be focusing on and, along with the ICO, doing everything they can to help Scottish businesses be ready for. With fines of up to 4% of revenue, there is a real chance that this could impact the Scottish economy. It looks like the Scottish Government is ready to do its bit.

Full debate can be viewed here: