John Swinney: Scotland is building cyber resilience
John Swinney says the threat of a category one cyber attack is one of the few things capable of keeping him awake at night.
The Deputy First Minister, who has responsibility for Scotland’s cyber security, has good reason to be worried, with the head of the UK’s National Cyber Security Centre warning that a major cyber attack on the UK is almost inevitable.
As Ciaran Martin put it last year: “I think it is a matter of when, not if, and we will be fortunate to come to the end of the decade without having to trigger a ‘category one’ attack.”
The threat of such an attack – taken to mean one which causes sustained disruption of essential services or affects national security, leading to severe economic or social consequences or loss of life – is probably somewhere towards the top of the list of things that stop Swinney from sleeping, but the risk of cybercrime is rising across the board.
In fact, according to data presented by Greg Iddon, senior product marketing manager at Sophos, 53 per cent of all reported crime in the UK is cybercrime.
There are thought to be around 2.2 billion stolen online passwords in circulation on the internet, globally, while Sophos detects over 500,000 new examples of malware every single day. In fact, according to Iddon, 75 per cent of the malware detected is only found in one organisation, because it was designed specifically for that particular attack.
Meanwhile, the number of devices owned by any individual constantly increases, with each app on each device offering a potential entry-point for criminals, while the technology used for attacks is more sophisticated than it is for defences.
So you can see why Swinney worries.
As the Deputy FM told Holyrood’s Public Sector Cyber Security Scotland conference, in discussing the growth of the digital economy over the last few years: “With new opportunities come new risks and threats, which must be identified, be carefully and effectively managed, to enable us to bear the fruits of the substantial opportunities which arise as a consequence.”
The most significant cyberattack in the UK’s history remains the WannaCry ransomware attack, in May 2017, affecting more than 300,000 computers across more than 150 nations, with American defence officials pointing the blame at North Korea. Despite significant disruption, part of the reason the attack was classified as ‘category two’, rather than ‘category one’, was that there was no loss of life.
Swinney’s responsibility for cyber resilience means maintaining regular dialogue with the National Cyber Security Centre, to prepare for attacks by both hostile states and cyber criminals.
In two years, the centre dealt with over 1,000 national cyber incidents, including 557 in the last 12 months.
But while concern over the UK’s cyber security runs right to the top of government, Swinney was clear that ministers alone cannot deal with the issue, with the Scottish Government’s cyber resilience strategy based on collaboration with partners in the public, private and third sectors.
“As attackers find more and more ingenious forms of attack,” he said, “they are, more often than not, attempting to exploit the same basic failings – poor patching, network configuration, and password management.
“By doing these basics properly, most attacks around the public sector can be prevented or mitigated. This is why a good foundation in cyber resilience across all of our public service providers is so important.
“The public sector action plan sets out the key actions that Scottish public bodies should implement to ensure this foundation is in place. They include robust cyber governance arrangements, active cyber threat intelligence sharing, clear cyber incident response protocols, and independent insurance of critical technical controls to defend against the most common cyber attacks.”
Swinney added, in closing: “Do I sleep easy in my bed at night, given the amount of dedication and hard work that has gone on across Scotland in the last year to make us a more cyber-resilient nation? Well, I do feel more assured by what’s been achieved to minimise the risk. I do feel we’re in a better place in terms of building in cyber resilience so we can recover more quickly and more effectively than ever before. But I am absolutely clear that we have not yet reached our destination.”