Swinney: Scotland's cyber security strategy 'will not involve monitoring the internet'
“Be worried, be very worried,” Edinburgh Napier University professor, Bill Buchanan, tells delegates at Holyrood’s cyber security conference. It followed a live demonstration in which the director of the centre for distributed computing, networks, and security showed – in a matter of minutes – how more than 900 million Android devices could be compromised as a result of Google’s decision not to patch a vulnerability in earlier versions of the software. “If you now have Jellybean 4.1.2, don’t click on a link that I send you [as] I’m watching you,” Buchanan jokes amid an echo of nervous laughter around the room.
A “dynamic, risk-based, context aware” security approach focused on the application and the user is necessary to tackle today’s threat, Gary Newe, a technical director with F5, explains. “[One] that understands that I’m on an iPhone [or] an iPad, that I’m in Edinburgh now and that I cannot possibly be in Hong Kong in 45 minutes. Simple things like that, to pull all that information together and dynamically create policies that allow the good people in and keep the bad people out.”
High-profile attacks such as the one on Target, which saw at least 40 million payment card numbers and 70 million other pieces of customer data stolen, have served to underline the cost of failure. That data breach, which set the US retailer back $148m and financial institutions a further $200m, had its roots in a heating and ventilation contractor that serviced its stores. “It is clear that supply chain security is becoming vitally important to business in Europe and beyond, so for our SMEs [small and medium-sized enterprises] to maintain their attractiveness as business partners, they have to be able to use digital technology, which means they must be able to demonstrate that they are cyber secure,” says Deputy First Minister and Cabinet Secretary for the Economy, John Swinney.
Given SMEs are the “lifeblood of our economy” – constituting 99.3 per cent of all private sector enterprises in Scotland with an estimated 1.1 million jobs – this is not a commitment only a proportion can sign up to, he adds. It is against this backdrop that the DFM has created a new cyber security and resilience unit within government to lead on the development of a cyber resilience strategy for Scotland. A consultation on the strategy will take place this spring with publication scheduled for autumn. “We believe it will be the blueprint to ensuring our infrastructure and people are protected and our economy reaps the rewards of doing business online,” says Swinney, insisting the strategy will “complement” rather than replicate the work of the UK Cyber Security Strategy unveiled a little over three years ago.
A level below central government, East Renfrewshire Council is unique among local authorities in that it has a budget set aside for information security rather than it being part of a larger IT infrastructure pot. “The organisation can take a proactive instead of reactive approach to incidents, emerging threats, and forward planning strategies – there’s no need to vie with other project requests for a pot of money or find a project sponsor,” says the council’s information security officer, Carol Peters, who suggests that all public sector agencies should be mandated to have the equivalent of her post.
Doing so, though, requires a strong skills base. “There should be a wholesale review of how the computing curriculum is delivered in schools and how teachers are supported to make that delivery interesting and relevant to young people,” says head of standards and qualifications at e-skills UK, Dr Tony Venus, who sits on a recently formed group in Scotland mapping progression pathways into the digital sector. The Scottish Qualifications Authority are currently devising a range of national progression awards in cyber security, the first school-based courses in this specific field in Europe.
“Our pursuit of cyber security will not involve monitoring the internet,” Swinney reassures delegates at Holyrood’s conference. “The government believes in the privacy of its citizens, we will protect personal privacy, and I’m firmly committed to the fact that the internet is open and free and should remain as such.”