Cyber Resilient Scotland: strategic framework

Joint Foreword

The past year has challenged us like no other time in recent history, but it has also served to highlight just how critical digital technologies are to our lives, and to the functioning of society and the economy.

Whether working or learning from home, running a business, or keeping in touch with friends and family, digital technologies have underpinned much of our response to the COVID-19 pandemic and they continue to support our Critical National Infrastructure.

Digital technologies cut across everything we do - as our forthcoming Digital Strategy will demonstrate. The secure and resilient ways we use them cannot be an afterthought. Cyber resilience cannot be viewed simply as an "IT issue". It is, in fact, the very backbone to every public service, to every business and to every community in Scotland. It is a critical part of our economic and societal recovery and renewal, especially as Scotland embraces new technologies such as Artificial Intelligence, Smart Cities and 5G wireless networks.

Cyber resilience is key to operational resilience and business continuity, as well as our capacity to grow and flourish as we adapt to the demands of operating online. Our ability to deter, respond to and recover from national cyber attacks is our top priority. We need to plan, exercise and reflect continually and collaboratively, to ensure that Scotland is prepared to withstand cyber threats.

The Strategic Framework for a Cyber Resilient Scotland sets out what we need to do to make Scotland a digitally secure and digitally resilient nation. The cyber threats we face cannot be met by government alone. We all have a role to play in protecting ourselves, our families and our communities. Our public, third and private sector organisations need to work together with the Scottish Government to minimise the harm and disruption that can result from a cyber incident, and thus making the very most of technological advances.

The pandemic has reminded us of the importance of resilience and agility. We will review the implementation of our Framework regularly, monitoring indicators against the four outcomes and the action plans that will guide delivery.

The UK Government plans to produce an interim National Cyber Security Strategy in 2021, and the Scottish Government will continue to work closely with the Cabinet Office to ensure alignment of our mutual strategic aims and ambitions. We will also continue to work closely with the National Cyber Security Centre and Police Scotland as we drive forward our shared aim to make Scotland digitally secure and resilient.

It is my wish that the National Cyber Resilience Advisory Board should continue to take national oversight of the Framework, providing drive and advice, and challenging me, my colleagues and the Scottish Government to maximise the digital opportunities. I thank the Board for its work to date, and extend my gratitude to all partners involved in delivering our shared strategic aims.

I look forward to working with you all to achieve our shared vision of Scotland that thrives as a digitally secure and cyber resilient nation.

The Strategic Framework sets out the approach Scotland will take to creating a digitally secure and resilient nation. A challenge which requires a community effort to raise the awareness of the cyber threat; to help prepare our people, our organisations and our businesses to deal with cyber risks and a growing cyber crime threat.

Our approach must be founded in a partnership which brings the public and private sectors together to help raise cyber resilience awareness, skills, standards and our collective ability to respond to a major cyber incident. In the midst of COVID-19 we saw cyber crime change to exploit the fear, uncertainty and doubt created by the pandemic for profit. We also saw people working together across Scotland to help deal with that threat. That community spirit is something we want to build on through the creation of the CyberScotland Partnership to collaborate on cyber security awareness campaigns and practical advice on how to counter cyber crime.

There are challenges in implementing any cyber resilience programme at a national level, and those often relate to achieving impact at scale, to embedding cyber resilience into the design and rollout of future services, and to a co-ordinated and effective response to a major cyber incident. Scotland is no different in this regard, and we will need to work closely with the National Cyber Security Centre to achieve these outcomes.

Scotland is a nation of small and medium sized enterprises, and we will continue to raise awareness and support those enterprises in improving their cyber defence, working through the Scottish Business Resilience Centre, through public and third sector organisations to achieve this. The NCSC's Active Cyber Defence programme will play a key role in protecting the broader community.

Looking forward, we must embed cyber resilience into the design of Scotland's future digital services, becoming a core element of the Digital Scotland strategy, as we ensure that the digital services we build for the future are trustworthy and resilient.

Recent cyber security incidents have demonstrated the need to be able to orchestrate a national response which can quickly mobilise the support which organisations need to detect, respond and recover from a major cyber attack. The time has passed when individual organisations can regard themselves as medieval castles each defending themselves. We now are all part of an increasingly interconnected digital ecosystem, requiring us to improve our collective threat intelligence, security operations and incident response capabilities.