Scotland’s deputy first minister has launched a new ‘Strategic Framework for a Cyber Resilient Scotland’ as part of CyberScotland Week.

John Swinney said the days of cybersecurity being seen as an “IT issue” have passed and that digital resilience is now the “very backbone to every public service, to every business and to every community in Scotland”.

Mr Swinney, Cabinet Secretary for Education and Skills, said that the Covid-19 pandemic has highlighted our reliance on digital technologies in order to maintain a “functioning society and economy” and support critical national infrastructure.

In a foreword to the new 39-page government document, he writes: “Cyber resilience is key to operational resilience and business continuity, as well as our capacity to grow and flourish as we adapt to the demands of operating online. Our ability to deter, respond to and recover from national cyber-attacks is our top priority. We need to plan, exercise and reflect continually and collaboratively, to ensure that Scotland is prepared to withstand cyber threats.”

He said the cyber threats we face cannot be met by government alone and that the public, private and third sectors must “work together to minimise the harm and disruption that can result from a cyber incident, and thus making the very most of technological advances.”

And he also placed emphasis on a close working relationship with the UK government, which is due to produce its own interim National Cyber Security Strategy in 2021, as well as the National Cyber Security Centre (NCSC).

Building on Scotland’s first cyber resilience strategy, ‘Safe, secure and prosperous: a cyber resilience strategy for Scotland’, the document lays out four key principles underpinning the new vision.

These are: that people recognise the cyber risks and are well prepared to manage them; that businesses and organisations recognise the cyber risks and are well prepared to manage them; that digital public services are secure and cyber resilient; and that national cyber incident response arrangements are effective.

In terms of implementation there will be four ‘action plans’ that guide the delivery of the strategy over the next two years: for the public sector, private sector, third sector and on learning and skills.

The framework will also complement two forthcoming government digital strategies: a refreshed national Digital Strategy, due for publication in the spring, and the national AI Strategy for the use of artificial intelligence in Scotland. Cyber is seen as being a ‘critical enabler’ of both visions.

David Ferbrache, OBE, Chair of the National Cyber Resilience Advisory Board, said: “The Strategic Framework sets out the approach Scotland will take to creating a digitally secure and resilient nation. A challenge which requires a community effort to raise the awareness of the cyber threat; to help prepare our people, our organisations and our businesses to deal with cyber risks and a growing cybercrime threat. Our approach must be founded in a partnership which brings the public and private sectors together to help raise cyber resilience awareness, skills, standards and our collective ability to respond to a major cyber incident. In the midst of COVID-19 we saw cybercrime change to exploit the fear, uncertainty and doubt created by the pandemic for profit.

“We also saw people working together across Scotland to help deal with that threat. That community spirit is something we want to build on through the creation of the CyberScotland Partnership to collaborate on cyber security awareness campaigns and practical advice on how to counter cybercrime. There are challenges in implementing any cyber resilience programme at a national level, and those often relate to achieving impact at scale, to embedding cyber resilience into the design and rollout of future services, and to a co-ordinated and effective response to a major cyber incident.”

He added: “Scotland is no different in this regard, and we will need to work closely with the National Cyber Security Centre to achieve these outcomes. Scotland is a nation of small and medium sized enterprises, and we will continue to raise awareness and support those enterprises in improving their cyber defence, working through the Scottish Business Resilience Centre, through public and third sector organisations to achieve this. The NCSC’s Active Cyber Defence programme will play a key role in protecting the broader community.”

He said: “Looking forward, we must embed cyber resilience into the design of Scotland’s future digital services, becoming a core element of the Digital Scotland strategy, as we ensure that the digital services we build for the future are trustworthy and resilient. Recent cyber security incidents have demonstrated the need to be able to orchestrate a national response which can quickly mobilise the support which organisations need to detect, respond and recover from a major cyber attack. The time has passed when individual organisations can regard themselves as medieval castles each defending themselves. We now are all part of an increasingly interconnected digital ecosystem, requiring us to improve our collective threat intelligence, security operations and incident response capabilities.”