A renewed focus on national resilience was outlined on Tuesday as hundreds gathered for a sixth annual public sector cyber security conference in Glasgow.
Senior law enforcement officials, cyber experts, government officials and critical infrastructure security agencies came together to combat the rise of online harms and threat actors.
Delegates from many of Scotland’s regional councils, health boards, public agencies and third sector organisations joined the event at Strathclyde University’s Technology & Innovation Centre.
They heard how the Scottish Government has recently adapted its focus to cybercrime through the creation of a new directorship within the digital directorate.
Alan Gray, the recently appointed deputy director of the National Cyber Resilience and Security Division, described how new initiatives launching this year will focus on skills and diversity of recruitment in order to boost cyber resilience levels in government.
However, he said: “We need to be conscious that these initiatives and activities all take place against the landscape of the accelerating threat of cyberattacks. This is a contested world and the need to increase and sustain Scotland’s cyber resilience and provide operational support within this environment led to the launch last year of the Scottish Cyber Coordination Centre (SC3), established with the objective of improving Scotland’s capabilities to defend against and be resilient to cybercrime.
“SC3 is still in its infancy but it’s a really exciting development and it’s positioned to become the central coordination function for improved intelligence sharing, early warning, cyber exercising and major incident response coordination right across Scotland.”
SC3 is already sending out daily threat reports and weekly vulnerability summaries to all public organisations, Gray confirmed, and the government is working also to support frameworks for compliance and assurance to further enhance cyber protections. Another focus will be to build a “cadre” of cyber exercising professionals across the public sector, he said.
Law enforcement
Chief Superintendent Conrad Trickett, who leads the policing in a digital world programme for Police Scotland, emphasised the need for the force to stay ahead of cybercriminals. Similar to its approach to counter-terrorism, the force adopts the ‘Pursue Prevent Protect Prepare’ methodology to tackle cybercrime. That involves going after the cybercriminals, but also, where possible, preventing potentially susceptible people from going into online criminality, as well as supporting national, regional and international efforts to build greater resilience.
“What we want is for people to report the crimes to us. So, keeping up with horizon scanning is a really important thing to do,” added Trickett, who said the force has joined a City of London police initiative to develop a nationwide Police Cyber Alarm, to provide ‘proactive policing patrol of cyberspace’. However, he singled out some of the emerging threats around AI, machine learning and deep fakes which are causing “genuine concern”. The force – which has expanded its digital forensics capabilities – has even started to train sniffer dogs to detect SD cards, Trickett said.
The scale of the challenge was outlined by recent statistics, with cybercrime ‘doubling’ post-pandemic as the world shifted online. There are now around 18,000 calls per year handled by the force for online fraud, a figure shared in a panel discussion by Jude McCorry, CEO of Cyber & Fraud Centre – Scotland. Questions from the audience raised concerns that the force was not doing enough to investigate the crimes in the first instance.
In the afternoon, DCI Norman Stevenson outlined some of the threats faced by Police Scotland’s cybercrime investigations team, and how they work to tackle them. In a graph, he illustrated how the force has handled up to 300 cybercrime investigations per year in the last three years. One of the most recent alarming rises has been with cryptocurrency investigations. The figures showed that from fairly low levels in 2020, there were 207 investigations last year. The crimes range from the theft of cryptocurrency assets stored in online wallets to the perpetrators of ransomware frauds, who demand payment from victims often in digital currencies such as Bitcoin.
Infrastructure protection
Julie M Johnson, the London-based attaché for the US’s Cybersecurity and Infrastructure Security Agency (CISA), shared some insights into how the agency works to protect critical digital infrastructure across the US, and beyond. In the United States, CISA works with many private sector organisations to bolster their cybersecurity, supporting many former military personnel in newfound online security roles. “They’ve got to think more than guards, gates and guns,” she told the audience, whether that’s a “drilling site in Texas or a farm in California”. And in terms of CISA’s own staff, she said “we have literally an army of people” now across the US, working in local communities to beef up cyber resilience for organisations of all sizes. “Last year alone, they provided 374 cyber protection visits,” said Johnson.
Of that regionally-embedded model, she said: “There’s nothing better than having a personal relationship with the people who know where the problems are.”
Future planning for CISA may involve an expansion of its transatlantic partnerships with UK-based agencies, and possibly even a presence in Singapore, where there are global data hubs, Johnson said.
Cyber perspectives
The conference brought together for the first time the regional cyber resilience centres across the UK. Jude McCorry, CEO of Cyber and Fraud Centre – Scotland, was joined by Lorraine McCaffrey, head of Northern Ireland Cyber Security Centre, Jackie Wishart, head of cyber resilience, Northern Ireland Civil Service and Paul Peters, director of the Cyber Resilience Centre for Wales. Joining them was Jonathon Ellison OBE, director for national resilience and future technology at the National Cyber Resilience Centre (NCSC).
“We need your help in building better cyber hygiene behaviours right across the economy,” said Ellison. “We see way too many incidents that occur because of poor cyber hygiene.” He added that organisations also need to be vigilant about addressing known software vulnerabilities. “Basic cyber hygiene – whether that’s regularly updating and patching – whether it’s backing up critical data, whether or not it’s developing an incident response plan when the worst does happen can get you a long way.”
Ellison said that organisations who are certified to the Cyber Essentials standard are “80% less likely” to make a claim on their cybersecurity insurance than those who are not certified. “It has a demonstrable impact in terms of reducing the risk to you, your organisation, your company,” he said.
However, when it comes to supporting companies across the UK – many of whom are handling sensitive data – the NCSC finds it difficult to scale its funded support for Cyber Essentials across the UK, especially to reach the five-and-a-half-million small businesses who don’t have the cyber maturity that would prevent them from being targeted by cybercriminals. “We have got a long way to go and that’s why we need your help across all four nations to get there,” Ellison said.
Jude McCorry used the session to launch the new Threat Intel app, designed by the Cyber and Fraud Centre – Scotland to provide actionable insights into how organisations can better protect themselves online. “We will pick out the things that will be harmful, so these will be red amber and blue threats, and we will be able to push those notifications to your phones,” she said. From April, there will also be a charitable arm of the organisation focused on addressing the rise in pernicious online fraud, much of which targets elderly people.
Lorraine McCaffrey explained how in Northern Ireland there is an internal and external focus in terms of cyber resilience. In her role at the Northern Ireland Cyber Security Centre, she works to support local businesses, local councils and citizens with the latest cybersecurity best practice and training, whereas Jackie Wishart has an internal focus protecting the Northern Ireland civil service from online harms. In the last year, McCaffrey said the centre has worked hard to extend its reach through partnerships with business chambers of commerce and small business federations. “That’s been very, very important to allow us to amplify our message,” she said.
Those partnerships have also extended to Scotland, and as a result of working closely with the Cyber and Fraud Centre – Scotland, NI Cyber Resilience Centre also now offers the Exercise in a Box cybersecurity training programme in Northern Ireland. The inspiration from Scotland’s Cyber Week will also now be replicated in Northern Ireland, with its first iteration due to kick off next week, she added.
Detective superintendent Paul Peters set up the regional cybercrime unit for southern Wales in 2014, and now leads the Cyber Resilience Centre for Wales. Peters echoed the sentiment that it’s important to ‘get the basics right’ in terms of cyber hygiene, and that his centre’s focus is on SMEs, third sector organisations and micro-businesses, and ‘amplifying’ the NCSC message. The centre operates a membership model and utilises the skills of students to help businesses bolster their cyber resilience and get ‘real-world experience’. But he said it’s still hard to get busy people to follow up with commitments to implementing cybersecurity measures.
He said: “What we’ve introduced is an initiative where we actually go out to the business community – I have a detective inspector who works for me, he’ll link in with the local cyber protect officer from the local force and one of the PCSOs from the community team and we’ll choose a town – whether it be a town centre or industrial estate – and actually go business to business and spend time talking to those businesses about some basic cyber hygiene.”
Healthcare
Protecting the NHS in Scotland from cyber harms is not just a matter of operational resilience, it’s now part and parcel of “reducing clinical risk”, said Scott Barnett, head of information and cybersecurity at NHS National Services Scotland. Barnett said the model the NHS has in Scotland is a ‘very simple one’, whereby they will pool and share intelligence about online harms among the 22 health boards across the country to ensure they can collectively defend against cyber risks. “It’s a model that’s already starting to work,” he said. “It’s built around our security operations centre at the moment, but eventually we are going to have other pillars and other services.”
But the threats are all-encompassing now for the organisation and its 174,000 members of staff in Scotland. Barnett said: “We are facing up against malware attacks on a daily basis – we see huge amounts of phishing emails every day; cybercriminals are testing each one of our members of staff through social engineering on a constant basis and we’re trying to keep them aware of some of the latest techniques.”
Barnett described how a ransomware attack on a third party supplier two years ago caused a ‘big impact’, meaning they had to be disconnected from NHS Scotland services to ensure the malicious code did not spread onto NHS networks. But it nevertheless meant after-hours care services across 14 territorial health boards were disrupted by the outage, leading to them having to use business continuity measures, resorting “in some cases to pen and paper”.
Although unable to disclose much detail about it, Barnett alluded to a current live incident at a regional board in Scotland, which the NHS has been alerted to by Police Scotland, with an ongoing investigation.
But he pointed to a future whereby the ‘manual scrolling’ of feeds to assess which cyber risks need to be acted on will have to be an automated process. “We have to analyse that information quickly, and that’s where machine learning and artificial intelligence is going to play an increasingly important part in the future, because it can make those decisions far faster, at a far greater scale than we can as humans.”