Scottish Government public sector cyber resilience action plan aims to address lack of guidance on cyber security

Cyber security - Image credit: Holyrood

A new action plan aimed at protecting Scotland’s public bodies from cyber attacks has been published by the Scottish Government.

The new public sector cyber resilience action plan will require public bodies to put in place common cyber security measures across their organisations.

The tightening up of cyber security comes in the wake of the WannaCry ransomware attacks across the world, which affected a number of NHS boards across Scotland.

The Scottish Parliament was also recently the target of an unsuccessful ‘brute force’ cyber attack that attempted to break through passwords.

RELATED CONTENT

• MSPs urged to be vigilant after 'brute force' cyber attack on Holyrood
• Ransomware attack on NHS
• Action plan for cyber resilience in Scotland to be accelerated following cyber attacks on NHS
• National Cyber Security Centre considers setting up Scottish branch

The action plan highlights a lack of monitoring and reporting in place currently to check that public bodies have the necessary procedures in place.

It says: “There is currently a lack of guidance making clear the minimum standards of cyber resilience that all Scottish public bodies should strive for.

“Nor is there any well-defined monitoring and reporting framework to allow Scottish ministers, the NCRLB [National Cyber Resilience Leaders’ Board] and the Scottish Parliament to secure a clear picture of cyber resilience across the Scottish public sector.

“Unless we address this, measuring progress and providing assurance to citizens and businesses will be challenging, with the potential for knock-on consequences for our public services and our digital economy.”

While the plan’s focus is on public bodies, the Scottish Government has said it will work with other parts of the public sector, such as colleges and universities and councils, wherever possible.

This plan, which lists 11 action points, aims to ensure that public bodies acts as leaders in promoting higher standards of cyber resilience across Scotland.

The actions, most of which are required to be in place by June 2018, include developing a “common, effective, risk-based approach” to cyber resilience across the public sector.

This will be set out in a cyber resilience framework, which will be developed by the Scottish Government in partnership with the NCRLB, the National Cyber Security Centre (NCSC), Scottish public sector cyber catalysts and others.

A new public sector cyber catalyst scheme will see a number of bodies commit to becoming exemplars for cyber resilience, helping identify common issues and solutions, and sharing knowledge with the wider public sector.

All public bodies will be required to have minimum cyber risk governance arrangements by the end of June 2018.

By the same date, public bodies that manage their own networks must become active members of the NCSC’s Cybersecurity Information Sharing Partnership (CiSP) to promote the sharing of information about cyber threats.

Funding will be made available for public bodies to undergo Cyber Essentials “pre-assessments”, by the end of March 2018.

The plan will also have an impact on purchasing of goods and services, with the Scottish Government planning to consult on a “proportionate” policy on supply chain cyber security – aligned to GDPR – in early 2018 and recipients of public grant funding also needing to have appropriate cyber security arrangements in place.

Delivery of the action plan will be coordinated and led by the Scottish Government’s Cyber Resilience Unit, working in partnership with the NCRLB and Scottish public bodies.

The plan was launched today at CBI Scotland’s annual cyber security conference.

Commenting on the action plan, Deputy First Minister John Swinney said: “I want Scotland to be a world-leading nation in cyber-resilience by 2020.

“The Scottish Government recently committed to developing a range of action plans to help meet this ambition, including in the key areas of learning and skills, economic opportunity, and public, private and third sector cyber resilience.

“Today marks the first of those plans being published.

“Our public sector action plan will encourage all public bodies, large or small, to achieve common standards of cyber-resilience.

“I want our public sector to lead by example on strengthening cyber-security, to help ensure Scotland is ready to deal with all emerging threats.”

Dr Keith Nicholson, joint chair of the NCRLB Public Sector Steering Group, said that one of the strengths of the Scottish public sector was its willingness to work together and share good practice and the Public Sector Action Plan on Cyber Resilience was “the embodiment of that spirit”.

Further actions plans for the private and third sectors will also be developed in partnership with those sectors.