National Cyber Resilience Advisory Board (NCRAB) minutes: March 2024

Minutes from the meeting of the group on 25 March 2024.


Attendees and apologies

Board members: 

Maggie Titmuss (Chair)

Deryck Mitchelson (Vice Chair - DM)

George Fraser (GF)

Jordan Schroeder (JS)

Carla Baker (CB)

Natalie Coull (NC)

Freha Arshad (FA)

Alan Gray, Deputy Director, National Cyber Security and Resilience Division, Scottish Government – Ex Officio (AG)

NCSC Engagement Lead for the Devolved Administrations, Crown Dependencies and Overseas Territories (IG2) – Ex Officio

Also in attendance: 

Head of the National Cyber Resilience Unit (NCRU)

Public Sector Lead (NCRU)

Head of Policy and Programme (NCRU)

Business Support Officer (NCRU)

Cyber Incident and Vulnerability Co-ordination Lead, Scottish Cyber Coordination Centre (SC3)

Partial attendance: 

Scottish Council for Voluntary Organisations (SCVO) Third Sector Cyber Resilience Coordinator

SCVO Digital Evolution Manager

Apologies: 

Deputy Chief Constable Bex Smith (BS) - Ex-Officio

Items and actions

Welcome, minutes and actions 

The Chair welcomed Members to the meeting. 

The Chair thanked the previous National Cyber Security Centre (NCSC) Scottish Liaison Officer for their support and contribution to the Board and welcomed the NCSC Engagement Lead for the Devolved Administrations, Crown Dependencies and Overseas Territories as a new Ex-Officio member of the Board. IG2 shared their support for the breadth of work the Board has been involved with and looked forward to providing input on the cyber threat at future meetings. 

The Deputy Director for National Cyber Security and Resilience Division, Scottish Government was welcomed as the new Ex-Officio member of the Board. He updated the Board on the organisational structure within the new Cyber Security and Resilience division in the Scottish Government (SG) and commented on the important role that the Board could offer to the division. The Chair was provided with an update from the Deputy Chief Constable of Police Scotland prior to the Board meeting. The Chair shared this update with the Board. The previous Deputy Chief Constable Jane Connors advised the Chair that due to portfolio changes, she was stepping down from her role within the Board and that the new Deputy Chief Constable, Bex Smith, would attend future Board meetings as an Ex-Officio member. 

The Cyber Resilience Unit (CRU) Business Support officer talked through previous meeting actions and members provided updates which are detailed below. 

Previous action:
DEC23/01: The Chair requested that CB fed back into the NCRAB with further developments of the DSIT working group

Update:
CB shared with the Board that the Department for Science, Innovation and Technology (DSIT) was working on a range of consultations on Codes of Practice for businesses and organisations. A Cyber Governance Code of Practice consultation closed on 19 March, with two further consultations planned in April. 

CB further shared that DSIT had undertaken further work on learning and skills. The challenge identified within learning and skills was that cyber security education is starting too late in schools.  

The Vice Chair asked for specific information on the target for CyberFirst Schools programme within Scotland and what progress had been made towards the target. 

The Head of the Cyber Resilience Unit shared that Education Scotland were in the process of becoming the lead for the NCSC CyberFirst programme in Scotland and over 30 schools across Scotland are now branded as CyberFirst schools. The original target for Year 1 was to onboard 5 schools – so they have surpassed this. Many of these were also offering National Progression Awards which should help to develop a groundswell of capacity and pipeline of qualifications that could lead to take-up of college and university places in cyber security. 

FA queried how many schools were eligible to take part and how many actually participated. 

NC commented that the number of CyberFirst schools participating may increase as the closing date had not passed at the time of the Board meeting. 

MAR24/01: Head of CRU to report back on how many schools in Scotland are delivering cyber security qualifications, how many schools are eligible to take part in CyberFirst and how many schools have signed up to become a CyberFirst School after the closing date in March 2024.

Previous action: 
DEC23/03: The Chair and the Head of the CRU to meet with the Cabinet Secretary for Justice and Home Affairs and the Minister for Small Business, Tourism and Trade to discuss the scale of the cyber threat and to demonstrate the impact of incidents – perhaps looking at the WannaCry incident for initial talks.

Update: 
AG had an introductory meeting with the Cabinet Secretary for Justice and Home Affairs. The Minister for Small Business, Tourism and Trade had also been briefed on the scale of the threat which included a meeting with the Director of Resilience at the NCSC. 

AG shared that he is looking into how the division needed to share security briefings with relevant Ministers and senior civil servants on a more regular basis.

MAR24/02: The CRU/DD to provide an update on security briefings and Ministerial engagement with cyber resilience matters at the December 2024 board. 

Previous action: 
DEC23/05: The Head of the CRU to explore representation on the Board from SDS and Education Scotland to further pro-active education and skills development. 

Update:
The Head of the CRU advised the Board that meetings were planned between members of Education Scotland and Skills Development Scotland to discuss input to future Board meetings. 

One action from the December 2023 meeting was carried forward for Board members to action: 

DEC23/06: Board members to support with work placements for cyber related training for veterans after NC’s meeting with Open Source Intelligence (OSINT). Update to be provided at June 2024 meeting. 

The minutes of the December meeting were approved.

Conflict of interest

No conflicts of interest noted.

Public sector – broad status update

The CRU Public Sector Lead updated the Board on the work that had been underway with the public sector. 

He shared that the online version of the Cyber Security Procurement Support Tool had ceased to function in December 2023 as expected and that an updated Scottish Public Sector Supplier Cyber Security Guidance Note, alongside supporting spreadsheet assurance documents, was published on 22 December 2023. Further work would be needed on next steps.

The CRU had also recently funded a programme of cyber resilience awareness training to public sector board members. This was very positively received with 263 board members across 93 public sector organisations attending between November 2023 and March 2024.

He advised that issuing the Public Sector Cyber Resilience Survey (PSCRS) had been slightly delayed this year but was due to be issued in April 2024, after in-depth consultation with key colleagues and stakeholders.

The Public Sector Cyber Resilience framework v2.0 was in the process of being finalised, due to be released in April 2024. 

The CRU Public Sector Lead talked the Board through the process of prioritising public sector organisations and the latest findings from the surveys, demonstrating that training for board members and cyber incident exercising were the key common areas for improvement - noting that the survey was the reason that the board training had been introduced. 

In certain areas of the sector, independent assurance and risk management were highlighted as areas for attention in the year ahead.

The Public Sector Lead highlighted the challenges inherent in the current self-assessment resilience survey model, explaining that, because some of the questions had evolved, the results could only give a flavour of the maturity of the sector in comparison with previous years. The CRU is looking at ways to home in on specific areas of improvement. 

The Vice Chair commented that the Board needed to see evidence of valid and substantial exercising and training from the new survey.

JS stated that the narrow set of indicators within the survey may be impacting on the quality of responses and further suggested that there was a need for clear, high-level guidance to be issued alongside the survey to allow for better completion. 

AG commented that he would welcome the Board’s feedback on the indicators which the survey assesses. The Chair commented that it was imperative for the survey to become a Ministerial expectation.

AG commented this was something that the Scottish Cyber Coordination Centre may look to take forward in the future with potential for a process to allow sample quality checking of responses.

CyberScotland Partnership (CSP) and CyberScotland Week (CSW) 2024 update

The Head of the Cyber Resilience Unit who is also the Chair of the CyberScotland Partnership shared an update on the work of the CSP. 

Work was underway to onboard 4 member organisations as CyberScotland Affiliate members. These were: Centre for Education, Engineering and Development (CeeD), Scottish Sports Association (SSA), Scottish Chambers of Commerce and the Law Society of Scotland. The Affiliates will be asked to amplify the key coordinated cyber resilience messages, awareness and communications across their vast networks to support the aim of ensuring more cohesion in messaging, advice and guidance as well as building the reputation of the CyberScotland brand and portal as the one-stop-shop for all cyber resilience knowledge within Scotland. 

The Cyber and Fraud Centre had been grant funded to deliver CyberScotland Partnership Comms and Marketing until July 2024. Thereafter the work would be a contract and a procurement notice was issued on 21 March 2024 for an initial period of one year with an optional extension of one additional year. 

An update on the CSP Comms Plan for 2024/2025 was also shared with the Board, including a thematic timeline which will spread across the financial year. The ask was for the Board to actively promote the comms messaging through their own organisations.

MAR24/03: Board members to support the CSP Comms plan for 2024/2025 across their networks, showcasing where possible. The quarterly comms packs will be sent to them.

The Head of the Cyber Resilience Unit advised that CyberScotland Week 2024 was a huge success with 160 events held online, in-person and hybrid. The themes of the year were cyber resilience, diversity and collaboration. Some events covered multiple sectors, with 57 tailored specifically to the public sector, 108 community learning and development events and 63 business events. There was ministerial engagement at three key events: FutureScot, Third Sector Conference and the CeeD awards. The Deputy Director for National Cyber Security and Resilience Division gave his first speaking appearance in his new role at the FutureScot Conference. 

It is likely that CyberScotland Week 2025 will run again in the last week of February 2025; theme to be decided.  

Scottish Council for Voluntary Organisations (SCVO) Third Sector update

The SCVO Third Sector Cyber Resilience Coordinator and the SCVO Digital Evolution Manager provided an update on the third sector work that SCVO were grant funded by SG to deliver.

They set out that the Scottish third sector was diverse with 46,000 organisations and over 20,000 community groups, most of which were run by small numbers of volunteers. These organisations were vital and trusted, often working with the most vulnerable people in Scotland.  While the sector was becoming more digitally capable, there was limited expertise in cyber security across the sector. 

The Coordinator set out that the programme of work has been based on the Third Sector Action Plan for Cyber Resilience alongside recent third sector research with a focus on making cyber security information more easily digestible and shareable across the third sector. They had also re-established the Third Sector Working Group on Cyber Resilience. She shared that over 100 people attended the recent Third Sector Cyber Resilience Conference which was well received, particularly the panel sessions. Feedback showed an engaged audience who were eager to make a difference. 

The Board was shown the third sector cyber resilience plan. The current focus is on locating a single source for third sector information and a training campaign. It was explained that phase 2 will be heavily dependent on the outcomes of phase 1, but the Working Group would establish direction and scope. 

The Chair thanked the representatives from SCVO for attending the meeting and opened the floor to questions from the members. The Vice Chair commended the work undertaken and was delighted to see some positive, measurable movement within the third sector. 

The Chair suggested that NC could support the work of SCVO by finding cyber security students who may have been looking for projects for their undergraduate/postgraduate degree certifications. The Third Sector Cyber Resilience Coordinator commented that both IASME and NCSC were involved in the ongoing research project to help support at a national level. 

Cyber threat landscape

NCSC Engagement Lead for the Devolved Administrations, Crown Dependencies and Overseas Territories (IG2) and AG provided the Board with verbal updates on the current threat landscape.

Scottish Cyber Coordination Centre (SC3) update

AG updated the Board on progress of the SC3. 

He spoke about the governance of the centre and capability integration across the division. He briefly updated on a forecasted delivery roadmap for 2024/2025. He asked the Board to consult on the planned 3 Year Strategic Plan (up to end financial year 2027/2028) when it is ready. 

MAR24/04: SC3 to share 3 Year Strategic Plan with NCRAB for consultation in 2024 (specific date TBC). 

AG presented four key principles for SC3 development: insight, scale, re-use and agility. This encompassed data-driven approaches to target capabilities and maximise effectiveness; developing high-quality baseline services (minimum viable products) that could scale up via automation and self-service to multiply impact; avoiding re-inventing wheels by building relationships to identify and promote good practices, processes, standards, tools and approaches; and defining objectives while working in an agile way to respond quickly and effectively to changing conditions, threats, trends and operational requirements. He was clear that he saw the Board as an important group of experts to support the direction of the centre.

The Scottish Cyber Coordination Centre Cyber Incident and Vulnerability Co-ordination Lead updated the Board on key workstream activities which had been carried out to better understand the cyber landscape and the needs of the sector, and to add value (and not duplicate). He informed the Board that the SC3 Threat Reports were now available via the CyberScotland Portal for anyone to receive via subscription. He shared that feedback on the reports to date had been extremely positive from users across sectors. He also shared that work was underway with SCVO to adapt reports to suit third sector audiences too, thus expanding and increasing the user base. 

The SC3 Cyber Incident and Vulnerability Co-ordination Lead highlighted key cyber incidents the SC3 had been supporting over the past three months in terms of response and recovery. 

FA commented that she would like to see a presentation from one of the victims of a cyber incident mentioned, covering their experience of the incident and their recovery. Some other members agreed this would be a good idea for a future meeting.

The CRU Public Sector Lead suggested that the recovery was not quite complete yet and that a ‘lessons learned’ review was still some time away, and he therefore would not recommend this at this moment in time. 

Horizon scanning

The Chair requested approval from the Board for a new standing agenda item here: ‘Horizon Scanning’. https://www.gov.scot/groups/national-cyber-resilience-advisory-board/

The Chair asked for members to come to future meetings with updates on what they were seeing as the most immediate threats and what could be done to reduce the impact and harm of these. 

The Board agreed to add this as a new standing agenda item. 

The Vice Chair posited that a small working group could be formed to take horizon scanning work forward for the next Board. 

The Vice Chair volunteered to be part of the working group and the Chair noted that she had colleagues outwith the Board who were keen to contribute. 

MAR24/05: Board members were to get in touch with the Chair to participate in the horizon scanning working group ahead of the June meeting. 

Any other business (AOB)

The CRU Business Support Officer informed the Board that multi-factor authentication would be enabled on the workspace used to share meeting papers and documents from the day of the meeting.   

Close

The next Board meeting will be on 4 June 2024, 10:00 – 14:00, 5 Atlantic Quay, Glasgow. 

Contact

NCRAB@gov.scot
