National Cyber Resilience Advisory Board (NCRAB) minutes: June 2024

Minutes from the meeting of the group on 4 June 2024.


Attendees and apologies

Board members in attendance: 

Maggie Titmuss (Chair)
Deryck Mitchelson (Vice Chair - DM) 
George Fraser (GF)
Carla Baker (CB)
Ollie Bray (OB)
Phil Ford (PF)
Alan Gray, Deputy Director, National Cyber Security and Resilience Division, Scottish Government – Ex Officio (AG)

Apologies:

DCC Bex Smith (BS) - Ex-Officio
Freha Arshad (FA)
Jordan Schroeder (JS)
Scottish Cyber Coordination Centre – Cyber Incident and Vulnerability Co-ordination Lead (SC3)

Also in attendance:

Head of the National Cyber Resilience Unit (NCRU)
Public Sector Lead (NCRU)
Head of Policy and Programme (NCRU)
CRU Business Support Officer (NCRU) 

Partial Attendance:

Natalie Coull (NC)
National Cyber Security Centre (NCSC) Deputy Head (interim), Government Team, Resilience & Future Technology Directorate (NW)

Items and actions

The Chair welcomed Members to the meeting. 

The Chair requested that the NCRU Business Support Officer arrange a meeting between herself and the Deputy Chief Constable for Crime and Operational Support.

JUN24/01: NCRU Business Support Officer to arrange a meeting between the Chair and the DCC. 

This was OB and PF’s first attendance at NCRAB. OB introduced himself as the Strategic Director at Education Scotland. OB was delighted to join the Board and provide strategic support and direction in the coming months, particularly in relation to the Learning and Skills Action Plan. PF introduced himself as the Head of Sector Development, Digital Economy and Financial Services, at Skills Development Scotland. PF identified a link between the NCRAB and the Digital Economy Skills Group which he posited could be useful in supporting important strategic delivery objectives.

The minutes of the March 2024 meeting were approved. 

Outstanding meeting actions from previous meetings were presented with updates. 

Previous meeting action - DEC23/06: Board Members to contact NC directly, if they can offer support with cyber related training delivered to veterans. 

NC shared an update. She said there was a new cohort in the programme and the penetration testing module had been completed. She explained Abertay University had developed 10 modules and the programme was due to end in March 2025. NC asked if any Members of the Board could support by offering work placements, of any length, for participants who have completed the programme.

JUN24/02: Members to get in touch with NC if they can offer placements for participants on the veterans training programme. NC to share further information with NCRU on the programme, including what the modules cover and at what academic level the modules are offered. NCRU to share this information with the rest of the Board. 

JUN24/03: CRU to investigate what support the Scottish Government could provide to support NC’s cyber-related training for veterans over the course of the year. 

Previous meeting action – MAR24/01: Head of CRU to report back on the number of schools in Scotland who deliver cyber security qualifications, how many schools are eligible to take part in CyberFirst and how many schools have signed up to become a CyberFirst School after the closing date in March 2024.

The Head of the NCRU reported:
•    there were 88 schools in Scotland delivering cyber security qualifications
•    there were 33 CyberFirst schools within Scotland (10 per cent of schools in Scotland in the first year that Education Scotland have run the programme)
•    any school in Scotland is eligible to become a CyberFirst school. 

The Head of the NCRU further shared that every school in Ayrshire had been exposed to the CyberFirst programme and explained that it was important for future planning to evidence how the programme had been successful across Scotland. 

GF added that for the programme to have even better reach across Scotland, it would be vital to have a CyberFirst lead teacher in every region in Scotland. The Head of NCRU explained Education Scotland planned to target specific regions within Scotland over the next year. She added that one of the key reasons for the initial success of the CyberFirst programme was that it had been embedded into the curriculum in Scotland, which is different from the rest of the UK where it is mostly delivered as an extra-curricular activity. GF suggested it would be helpful to see proposed timelines on planned work regarding CyberFirst so the Board could support.

JUN24/04: OB to provide the Board with an indicative timeline of proposed CyberFirst delivery over the next few years so the Board can identify ways to support expansion of the programme in Scotland. 

The Deputy Director for the National Cyber Security and Resilience Division (AG) said the CyberFirst programme was incredibly important and it would be helpful for the NCRAB to devote time to supporting the expansion of CyberFirst within Scotland. He suggested the direction of support from the Board should be focused on the areas in Scotland where CyberFirst has had least impact.

OB added that there were challenges related to expanding the CyberFirst programme within Scotland. There was a downward overall trend in young people taking computing science qualifications at SCQF level 5 and 6 though there has been an increase in uptake at other levels. He explained that getting teachers in post who were qualified to deliver CyberFirst had proven to be difficult which added to the downward trend in uptake of level 5 and 6 qualifications. He advised there was a distinct rhetoric around the computing science landscape, focused on coding which was not necessarily the focus of qualifications. He explained there were other aspects to computing science which were not as publicised and this had potentially had a detrimental impact on uptake of the qualification on a bigger scale.

OB further shared there had been ongoing discussions with the National Digital Academy and these discussions had the potential to affect delivery of the CyberFirst programme in Scotland. He suggested there was further work to be done to enhance understanding of using digital means to support delivery of the programme and would, in due course, discuss the plan for the next two years. 

The Head of the NCRU noted that there has been some evidence of a greater uptake of computing science in schools where the CyberFirst programme is evident.

The Chair concurred with AG’s statement that CyberFirst was vital to build on within Scotland to enhance cyber resilience awareness and introduce cyber security skills, and said she would like the Board to support CyberFirst in as many ways as possible over the coming years.

The Vice Chair asked how the Board could support the scaling of the CyberFirst Programme and how benefits of the programme could be measured. 

OB advised that there was some evaluation data that he could share with the Board. The Head of NCRU advised that Education Scotland could track young people taking NPAs and numbers reaching positive destinations in colleges.  

CB explained that, in England, it had been difficult to measure and quantify the outcomes of the programme so to support continued success in Scotland, she recommended that the Board provides support for the programme in Scotland. 

PF suggested an investigation into how teachers in Scotland perceive the value of CyberFirst and/or cyber security qualifications in school.

OB explained he would be happy to come to a future meeting and explain in-depth some of the complexities around CyberFirst, a general cyber security qualifications update and discuss the ongoing review of the curriculum. 

JUN24/05: OB to have CyberFirst, cyber qualifications and curriculum review item on the agenda at the next meeting so the Board can identify opportunities to enhance and support the expansion of the programme. 

OB suggested it could be helpful to have a representative from the Local Authorities on the Board as many decisions on school priorities were devolved from Local Authorities themselves. The Board could potentially offer support towards making cyber security awareness and development in schools a priority for Local Authorities. 

JUN24/06: CRU and Chair to discuss the option of onboarding a key official from the Local Authorities.

Conflict of interest

No conflicts of interest noted.

Horizon scanning

The Chair informed the rest of the Board that the horizon scanning working group had met briefly to discuss the direction of the agenda item in the future. 

The Chair advised a discussion was based around the SC3 and how the Centre would need to be forward-looking with a focus on operational stability. The Chair asked AG to use the Board to support the direction of SC3 and particularly how broader policy work would be embedded into the centre. 

GF asked if there were any legal or regulatory considerations which could be useful for future horizon scanning discussions. 

The Head of the NCRU asked if any Members of the Board could share information on new and emerging technologies. CB advised that she sat on a Department for Science, Innovation and Technology Group regarding emerging technologies with discussions based around 5 priority technologies: artificial intelligence (AI), Operational Technology (OT), quantum technologies, semiconductors and engineered biology. 

CB advised that across the cyber industry, there was a drive for a change in approach to understanding current threats as there were a number of different codes of practice which had been presented for views/discussion. CB said members of industry were concerned that meaningful change had been hindered by the slow development of codes of practice. However, there was also concern that more codes of practice were not the answer.

The Chair was keen to know what would be most helpful for the NCRU and for the SC3 moving forward. 

JUN24/07: CB to send any information on the DSIT 5 priority technologies group to Secretariat. 

JUN24/08: The Chair, AG and Head of NCRU to discuss direction and support the Board could provide for the SC3 and for the NCRU. 

Scottish Cyber Coordination Centre (SC3) - update 

The Deputy Director for National Cyber Security and Resilience (AG) provided the Board with an update on the work of the SC3. He provided a visual of the proposed SC3 operating model. This operating model encompassed pre-breach and post-breach activity and was linked to the 5 main workstreams of the centre: threat intelligence, vulnerability management, standards and insights, cyber exercising and incident coordination.

AG shared that SC3 was in the process of developing a strategic plan to 2028 with the expectation of significant evolution after 3 years. He explained that the focus of the SC3 would initially be on the public sector, but that in the future, the products and services would be available across most sectors in Scotland. He shared aspirations for the SC3 to become hugely data driven over the implementation of the strategic plan. 

AG stressed the importance of building a community-led exercising cadre as this was a significant indicator in assessing cyber resilience maturity. He further advised that the SC3 would expand the input to the SC3 Core Partners over the coming months to ensure all elements of the public sector were represented.

AG asked if the Board could provide input to the proposed strategic plan. He explained there would be feedback sought from a number of stakeholders but the request for feedback would be staggered, so as to incorporate suggestions and feedback in the most effective way. 

JUN24/09: AG to share the proposed SC3 strategic plan with the Board. The Board is to provide constructive feedback on the plan.

AG clarified the proposed timeline of activity was not rigid, dependent on feedback received and further action required. He proposed in the future, there should be a ‘call for views’ which would welcome expertise and views from Members of the Board to direct the SC3 to priority areas of focus. He again highlighted the importance of Members’ views to ensure successful outcomes of the SC3. He was particularly interested in Members’ feedback on key risk landscape items such as risk themes, risk multipliers and thematic elements which the SC3 would need to consider for future success. 

GF asked specifically about supply chain. AG answered that the risk themes presented to Members were in order of priority, with supply chain at the beginning. He further shared that, based on the recent CivTech Challenge, there was a potential to have a new supply chain tool which could be provided to the public sector. He explained the SC3 aspiration was that the tool could be provided to assist the public bodies in tackling the challenge of supply chain cyber assurance and management, and also to provide information on the supply chain. This would allow key suppliers to the sector to be identified and more accurate and targeted threat/intelligence and vulnerability information to be served to the public bodies.

DM shared concerns around funding for the SC3 and concerns that SC3 may be overreaching with too many areas of focus. DM suggested caution with the ambitious targets AG had previously mentioned. He emphasised the importance of using tools and products which had already been developed. AG agreed with DM about the importance of re-use and added that re-use was one of the core operating principles of the SC3. He explained the ambition is to re-use existing products and processes, with adjustments made for the sector, in order to be as effective as possible. AG made clear the targets were ambitious by design and they were chosen to demonstrate the importance of the work the SC3 has undertaken which would support funding in the future. 

Public sector – update

The Head of Public Sector Cyber Resilience provided Members with an update on the Public Sector Cyber Resilience Survey (PSCRS). He informed Members the survey had been issued this week (3 June 2024) with responses due by end-July 2024. The survey aims to identify common areas for improvement across the sector to inform cyber resilience policy for the public sector.

JUN24/10: CRU to share interim findings from the Public Sector Cyber Assurance Survey 2024 with Members at the September 2024 meeting. 

The Head of Public Sector Cyber Resilience informed Members that a recent training programme, funded by SG, which was designed to provide cyber related training to board members across the Public Sector was in the process of being further developed. He shared that the intention was to generalise the material to be applicable to all sectors and to develop a detailed training pack so that any organisation could use it to train their own board members. This would eventually be hosted on the CyberScotland portal.

The Head of Public Sector Cyber Resilience further shared with Members that a Public Sector Cyber Resilience Network (PSCRN) meeting was planned for 27 June and would include a ‘show and tell’ on the SC3 and an update on the Malware Information Sharing Platform (MISP). 

The Head of Public Sector Cyber Resilience updated Members with some information on upcoming elections and briefing provided. He explained there was no electronic voting used in elections in Scotland. There is electronic counting in Scotland’s local and national elections but for the UK General Election, there would be manual counting only. He added that the UK Government retained responsibility for combatting disinformation. 

He said Valuation Joint Boards (VJBs), Returning Officers, Electoral Registration Officers and the Electoral Management Board for Scotland had all been briefed in the past year on specific threats, including NCSC’s Guidance for organisations coordinating elections being issued to them in March 2024. The VJBs’ uptake of the NCSC’s Active Cyber Defence (ACD) measures had been reviewed, with almost all employing all of the tools available to them and the remainder using suitable alternative solutions.

UK Government – Call for Views

The Head of the NCRU asked for feedback from Members on the recently published Call for Views on the UK Government’s future plans for the CyberFirst Programme.

The Head of the NCRU provided some background information on the Programme for Members’ awareness. She explained the programme started out as a bursary scheme delivered by Government Communications Headquarters (GCHQ) and the National Cyber Security Centre (NCSC). It then expanded to a large programme of events and courses and since 2016 there have been over 260,00 students who have participated across 2,500 schools in the UK, with 69,000 girls in the CyberFirst Girls competition. She emphasised the importance of the programme as it has changed the perception of computing science and noted that there has been a 12 per cent increase in computing science uptake where the CyberFirst Programme was present. 

The Head of the NCRU added that the programme was understood to be an extra-curricular activity across the rest of the UK, whereas in Scotland, CyberFirst has been embedded into the curriculum by Education Scotland.

The Head of the NCRU said the Scottish Government was able to influence change with CyberFirst to move from being accessed by predominantly private schools to broader delivery across all schools in Scotland. She further stated that CyberFirst can be an important pathway for young people who were interested in computing science: a school that was a CyberFirst school was able to take on Trailblazers which opened doors to National Progression Awards, Higher National Certificates, Higher National Diplomas, modern apprenticeships and degrees within computing science.

The Head of the NCRU set out the changes being proposed for the CyberFirst programme. These included CyberFirst being led by an alternative body, outside of government, as it was believed that industry could generate more funding; adaptation of the programme to encompass different regions, sectors and businesses; and commercialisation of some parts of the CyberFirst brand. The CyberFirst bursary for universities would stay with the NCSC. She asked for Members’ thoughts on the risk of the proposed changes to the CyberFirst programme in Scotland.

The Chair questioned how Scotland would be able to access funding for the programme if it was outsourced to an entity outside of government. She added it was difficult to generate industry funds into education and skills within Scotland. 

PF added it was sometimes challenging to gain industry engagement with regards to education. 

CB expressed her support for the approach Scotland had taken to incorporating the CyberFirst programme into the curriculum, and noted that it would present a challenge if the programme continued to be perceived as an additional extra-curricular across the UK. She further remarked that it was difficult to visualise how an alternative body would be able to deliver the programme. She expressed concerns about adequate funding and explained there were nine members who could contribute to the programme but queried how those members would generate adequate funding to provide support for graduate schemes or internships moving forward. She posited that it would be challenging to understand who would be responsible for governing the programme if it was set up as an entity in its own right. 

OB added that Education Scotland were keen to see CyberFirst develop within Scotland and as a result, if responsibility for the programme was given to another organisation, they would support this with the caveat that CyberFirst continued to be embedded into the Scottish curriculum. He said it was important to ensure the programme linked into the wider Scottish cyber ecosystem. He remarked that a benefit of government delivering the programme is that the government was not commercially motivated to deliver the programme, it was being delivered in order to enhance understanding of cyber security and computing science more generally. 

AG added there was the potential to have an instant, negative perception of the CyberFirst brand if it was commercialised which would affect the delivery of the programme in Scotland. He proposed that the NCRU draft a response to the Call for Views for this to be shared with the Chair and Vice Chair for approval. 

JUN24/11: Secretariat to draft a response to the CyberFirst Call for Views based on the Board’s discussions, then send to the Chair/Vice Chair for approval. It will then be submitted on behalf of the Board.

The Head of the NCRU stressed the importance of the CyberFirst programme as a vital part of generating interest in pursuing ‘cyber’ as a career. CB added that the competition element of CyberFirst was good so work should be done to ensure the competition continued into future years. OB added if there was more time to embed CyberFirst into schools from the outset, then it would capture the interest of young people throughout their entire school careers and support the consideration for a career within cyber security or resilience. 

The Head of the Cyber Resilience Unit shared information on two other Calls for Views which were recently announced by the UK Government: the Cyber Security of Artificial Intelligence (AI) and the Code of Practice for Software Vendors.

JUN24/12: NCRU to share key questions for these Calls with Members and determine if a collective response is required. 

AG suggested that we should continually seek to clarify what we mean by AI when we discuss AI capabilities moving forward. 

JUN24/13: NCRU/SC3 to always consider what AI definition they are referencing when discussing AI capabilities in a quickly evolving landscape. 

Cyber threat landscape

The representative from the National Cyber Security Centre (NCSC) provided Members with a short update on the current threat landscape. 

The Deputy Director for National Cyber Security and Resilience (AG) provided Members with an update on the current threat landscape in Scotland. 

CyberScotland Partnership - update

The Head of the National Cyber Resilience Unit provided the Board with a short update on the work of the CyberScotland Partnership (CSP) over the last few months. She advised the CSP had released the first themed communications asset pack – ‘Cyber Secure Banking’. She explained the goal of asset packs was to further awareness of cyber resilience in a more coherent and coordinated fashion. The second quarter asset pack will be themed ‘Secure Summer’. CSP partners can adapt key cyber resilience messaging and share across their organisations and networks. The efficacy of the asset packs will be evaluated.

JUN24/14: Board members to share the CSP Comms asset pack across their networks. 

The Head of the National Cyber Resilience Unit added that there were three new affiliate members of the CyberScotland Partnership (Centre for Education, Engineering and Development (CeeD), The Law Society of Scotland and The Scottish Sports Association) who would seek to disseminate key cyber resilience messaging across their membership organisation networks.

JUN24/15: Members to get in touch with NCRU if they are aware of any membership organisation who could become an affiliate during the next phase. 

Any other business (AOB)

There was no other business raised during this meeting. 

Close

The next Board meeting will be on 3 September 2024, 10:00 – 12:45. This meeting will be hybrid.

Contact

NCRAB@gov.scot
