National Cyber Resilience Advisory Board (NCRAB) minutes: September 2024

Attendees and apologies

Board members in attendance: 

Maggie Titmuss (Chair)
Deryck Mitchelson (Vice Chair - DM) 
Alan Gray, Deputy Director, National Cyber Security and Resilience Division, Scottish Government– Ex Officio (AG)
Freha Arshad (FA)
George Fraser (GF)
Carla Baker (CB)
Jordan Schroeder (JS)
Natalie Coull (NC)
Ollie Bray (OB)
Phil Ford (PF)

Apologies:

DCC Bex Smith (BS) - Ex-Officio

Also in attendance: 

Head of the National Cyber Resilience Unit (NCRU)
NCRU Public Sector Lead
NCRU Head of Policy and Programme
NCRU Policy and Programme Officer
Scottish Cyber Coordination Centre – Cyber Incident and Vulnerability Co-ordination Lead, (SC3)
DSU Andrew Patrick (DSU AP) -sub for DCC Bex Smith
NCRU – Intern (AB)

Partial Attendance:

National Cyber Security Centre (NCSC) Deputy Head (interim), Government Team, Resilience & Future Technology Directorate (NW)
Karen Meechan, Chief Executive Officer, ScotlandIS (KM)
Janice Andrews, Digitial Economy Skills Programme Manager, Skills Development Scotland (JA)

Items and actions

Welcome, minutes and actions 

The Chair welcomed Members to the meeting. 

The minutes of the June 2024 meeting were approved. 

The NCRU Policy and Programme Officer went through previous meeting actions and provided a number of updates. 

JUN24/02: NC requested that these actions remain open for an update at the December meeting. NC will meet with the IoC to determine the next steps for phase 2 of the veterans training programme. After which, she will circulate information on training module content with Members. Related to this:

SEP24/01: Head of the NCRU to make an introduction between NC and the Scottish Veterans Commissioners Office. 

JUN24/06: CRU and Chair to discuss option of onboarding a key official from Local Authorities/public sector to NCRAB. 

This action will remain open for an update at the December 2024 meeting. 

The NCRU Policy and Programme Officer advised Members that AG had briefed the Permanent Secretary on matters of cyber security and resilience. 
She also thanked Members for their feedback on the Scottish Cyber Coordination Centre (SC3) Strategic Plan 2024-2027 and informed Members that this was published on 2 September 2024. She shared the link to the published document with Members and advised this would also be circulated by email for awareness. 

SEP24/02: NCRU Policy and Programme Officer to share the published SC3 Strategic Plan 2024-2027 with Members via email. 

The NCRU Policy and Programme Officer thanked Members for their contribution to the CyberFirst and Cyber Security of AI Calls for Views. She advised the collective responses were shared with the relevant UK government departments. She further shared that the Department for Science, Innovation and Technology (DSIT) were in the process of drafting the official response to the Cyber Security of AI Call for Views along with next steps, and this would be shared for Members’ awareness when shared by DSIT. 

SEP24/03: NCRU Policy and Programme Officer to share CyberScotland Affiliate information to Board Members. 

SEP24/04: NCRU to invite The Big Partnership to the December meeting to outline the CyberScotland communications and marketing plan. 

Conflict of interest

No conflicts of interest were noted.

Horizon scanning

The Chair advised that she and JS had discussed how best to move forward with the horizon scanning ask. She has asked that AG helps to identify what information would be most useful for the NCRU and SC3. 

The Vice Chair commented it would be helpful to keep the scope of horizon scanning activity tight to add maximum value. He added that it would be important to make the horizon scanning process repeatable and replicable. 
The Chair agreed and suggested that timescales around horizon scanning would make this process more consistent. 

JS commented it would be useful to understand both the depth and purpose of information needed by the NCRU and SC3 to have the most impact on effective horizon scanning. 

AG agreed with Members’ comments. He said it would be helpful to get a steer from the Board on what they would consider to be the most pressing threats in the next three to five years. 

The Chair added there could be the opportunity to have support from outside organisations with horizon scanning, but that it would be imperative to be clear about what support was needed from those organisations. 

SEP24/05: NCRU Policy and Programme Officer to find time for the Chair, Vice Chair, JS and AG to discuss horizon scanning in more detail. 

Cyber threat landscape 

Detective Superintendent AP (DSU AP) provided Members with an update on the current cyber threat landscape in Scotland. He advised there was an increase in reporting of cyber crime from the public and businesses. 

DSU AP advised Members that identity fraud and online scams (such as shopping and investment scams) continue to be the most reported types of incidents by the public. 

For businesses and organisations, the biggest issue was business email compromise and advised that ransomware continued to be significantly underreported. He added that supply chain vulnerability threats were also an issue for businesses and organisations. As Scotland is a nation of small businesses, smaller businesses and organisations may not have the same protection as larger ones. 

He further shared that Police Scotland, within their Policing in a Digital World function, continue to develop how they respond to these threats and have invested in staff cyber training and cyber capability programmes and will continue to align their internal structures to work more effectively. 

The Vice Chair commented that it appeared there was an overreliance on incident response for some organisations and suggested organisations should be more proactive about cyber hygiene, rather than being reactionary. He added it was vital for organisations to get the basics of good cyber hygiene right. He said that although many organisations may not have the capability or budget to enhance their cyber hygiene, the cost of being reactionary was far higher than being better prepared. 

The Vice Chair suggested identifying and circulating the median cost of a cyber incident for charities, other third sector organisations, local authorities, SMEs, and the wider public sector. He added it was vital to use all available tools to convince and influence businesses and organisations to increase their cyber maturity. 

JS added that it would be good to know how many SMEs in Scotland have been affected by cyber crime and if it were possible, to share those statistics with the cyber community in Scotland as this would effectively communicate the size and scale of the cyber threat faced. 

NW joined the meeting and provided a short cyber threat landscape update from the National Cyber Security Centre (NCSC). He shared that supply chain arrangements continued to be difficult to map in organisations more generally and this was often a conduit for threat actors to carry out malicious activity. He added that this was not just for smaller organisations or businesses but also affected large, global companies. 

He shared that the NCSC recently ran a health sector workshop which investigated supply chain risk vulnerability – this was broadened to include wider public sector organisations, private sector organisations and academic institutes and they found that the challenges and issues remained the same across sectors. 

The Vice Chair agreed that this was a large threat as all organisations manage their supply chain in different ways and questioned if there needed to be a framework or a tool which organisations could use to support securing their supply chain. 

NW commented that this would be difficult in practice as these tools did not always suit every business and had presented problems to some organisations. He agreed that action needed to be taken to establish effective supply chain security, but it remained challenging to enforce or give incentives as these costs would be passed to the customer in some way. 

The SC3 Cyber Incident and Vulnerability Co-ordination Lead provided the Board with an update on cyber incidents and vulnerabilities that required coordination from the Scottish Cyber Coordination Centre. 

JS asked if there had been any trends identified of those incidents and vulnerabilities. 
AG commented that multi-factor authentication (MFA) would provide significant support in preventing incidents and attacks. 
NW said there continued to be far too many successful cyber attacks through fairly basic cyber security failings and added that adoption of MFA would have a massive and positive impact both on attacker access and movement around networks. 

The Chair requested more time on future agendas for cyber threat landscape updates and Members agreed.

SEP24/06: Cyber threat landscape agenda item to be extended at future Board meetings. 

Public sector – Cyber Assurance Survey – interim findings and next steps

The NCRU Public Sector Lead provided the Board with an update on the Public Sector Cyber Assurance Survey (PSCAS). 

He explained that the Survey had been issued in 2018, 2019, 2022 and 2023 with proactive monitoring of certain elements. This year’s survey was issued at the beginning of June 2024. He explained the questions in this year’s survey partially overlap previous years’ survey questions but also touch on new areas of interest including network monitoring capability and multi-factor authentication. 
He made clear to Members that surveys are not 100% compatible with previous years, but trends have been identified where possible. 

The response rate for survey returns in 2024 was 92%. OB commented that this was a good return rate. The NCRU Public Sector Lead advised that the NCRU were awaiting a response from only one of the highest priority public sector bodies and that work was ongoing to get a return from them. 

He further caveated this year’s interim findings by stating that the NCRU could not verify the returns and were reliant on organisations reporting accurately. 

He shared interim findings for the overall public sector, as well as a breakdown for local authorities, health, colleges and universities. 

He explained that, on the whole, results were moving in the right direction. Governance, risk management, supply chain assurance, response plans, exercising, training and IT specific training were improving. However independent assurance was slightly down across all sectors. 

He also shared information on the uptake of Cyber Essentials (CE) and Cyber Essentials Plus (CE+). He explained that these statistics had not dropped as much as expected and hoped to see an increase in the next survey. 

Due to issues with the Cyber Information Sharing Partnership (CISP), this year’s survey was adapted to ask other questions about organisations’ access to threat intelligence. Results showed increased awareness of and subscription to the different threat reports provided by the SC3, as well as to other threat intelligence through the CyberScotland Portal with a smaller number of results that indicated usage of the Malware Information Sharing Platform (MISP). 

Going forward the focus of support from the NCRU will be on: encouraging organisations to have incident response plans in place, have them tested and exercise. SC3 has planned a programme of work to increase organisations testing and exercising. 

The NCRU and SC3 continue to wait for the release of the DSIT Cyber Essentials Impact Evaluation report and hoped this would become a lever to push more mandating of CE and CE+. 

The NCRU Public Sector Lead added that supply chain management continued to be a priority as referenced during the Board meeting by NW and by Felicity Oswald when she spoke to the National Cyber Security and Resilience Division earlier in August 2024. He also stressed the importance of increasing use of MFA across the public sector and added the SC3 will take forward the work in this space. 

The Chair thanked the NCRU Public Sector Lead for presenting his findings but also noted the challenges of self-reporting. The NCRU Public Sector Lead advised that a rigorous sampling exercise was in development to understand some of the high priority returns and to see where support could be enhanced. 

The Vice Chair asked if, on the basis of received responses, could the Board have confidence in organisations’ ability to block or manage incidents effectively as he had little confidence based on initial reports of recent incidents. He returned to his earlier point around the importance of organisations taking steps to ensure their basic cyber hygiene was robust. 

FA asked the NCRU Public Sector Lead if there had been any movement on dip sampling mentioned at a previous meeting. The NCRU Public Sector Lead advised that options were being considered but currently spending restrictions made this work difficult. NCRU would look to investigate ways to carry out this work.

Cyber industry into the classroom

The CEO of ScotlandIS (KM) and the Skills Development Scotland Digitial Economy Skills Programme Manager (JA) provided the Board with an update on their current work to introduce the tech industry into the classroom. 

JA shared information on a tech industry into the classroom partnership facilitated by SDS which included partners such as Education Scotland, ScotlandIS and Founders4Schools. JA added that industry colleagues gaining access to schools could be difficult due to the vetting required to visit schools.

JA shared that SDS created a specific page on the SDS website which hosts resources and guidance, pulled together by the partnership to support anyone in industry who wished to attend a school to provide a session. It provides guidance on session structure, format and supports that individual to capture any findings in a coherent and pragmatic way. 

She further shared that SDS had recently overhauled their MyWorldofWork site in June. The site can take an individual on their journey to explore roles, develop their skills and find the right job for them. OB commented that the new website was particularly good. 

JA further shared information on the SDS Marketplace where individuals could sign up to engage. There were specific cyber clubs developed in schools and from one online seminar, twenty-four students continued with a related National Progression Award (NPA). 

KM shared information on ScotlandIS scholarship support. She highlighted that given skills gap in the sector, ScotlandIS have done work in this space for a number of years and last year (2023), ScotlandIS launched their ScotlandIS Scholarships. 

KM explained they put a group of students through 6-week scholarships supported by industry expertise with a specific focus on technology and cyber. The results from this were positive and ScotlandIS were twenty per cent oversubscribed for the programme. 100% of students fed back that they were more interested in cyber and science, technology, engineering and maths (STEM) than prior to participating in the scholarship. KM advised that ScotlandIS were awaiting results to see what those students did next and if they continued in STEM or cyber pathways.

KM shared information on the Digital Critical Friends programme to create a talent pipeline coming from higher and further education (HEFE). Digital Critical Friends took industry professionals into schools and matched them to computing or Information and Communications Technology (ICT) teachers with the hope of sparking the imagination of cyber as a career and highlighted pathways into cyber. She added that there were twenty-four active digital critical friends in twenty-four schools across Scotland (of which five are cyber specific Digital Critical Friends) and there were another sixteen waiting to be matched across another sixteen Scottish schools. Of the sixteen to be matched, four Digital Critical Friends were cyber specific. 

KM explained that Digital Critical Friends were all Protecting Vulnerable Groups (PVG) checked and partnered with STEM ambassadors. Links were made between the Digital Critical Friends programme and the SDS offering, which ensured a partnership approach across the programme. KM shared that the goal of the programme was to have a Digital Critical Friend in every school in Scotland. 

KM also shared that ScotlandIS created an e-placement for colleges and universities in partnership with Edinburgh Napier University. She explained this provided paid placement opportunities for students across Scotland which lasted between three and twelve months. KM added 92% of students who participated gained part-time employment from the e-placement and were also able to continue their studies. 

KM also shared other information on work ScotlandIS have done in schools – since May there have been seven sessions over six schools (primary and secondary) on cyber upskilling. They brought in specific devices which pupils were able to use and they were focused on technology with elements of engineering, and always included cyber security and risks online. 

The Vice Chair expressed his disappointment with the lack of computing science teachers in schools and added that he understood that the number has declined since last year and he saw this as a real challenge. 

The Chair said that Members around the table could support with these initiatives. 

SEP24/07: Members to contact JA (SDS) or KM (ScotlandIS) if they know of any individuals or organisations interested in supporting the tech industry into the classroom partnership or the Digital Critical Friends programme. The NCRU Policy and Programme Officer can share contact details for those interested.

CB agreed with the Vice Chair and asked what was underway to ensure cyber literacy was a regular activity to ensure sustained interest. 

KM responded that the Digital Critical Friends programme was a continuous programme of activity, and they were matched with a school for the entire school year and the school will set the pace as they are aware of what would have the biggest impact for their pupils. 

The Head of the NCRU added that Education Scotland were overseeing mapping engagement industry has with schools around cyber security, so it would be important SDS and ScotlandIs feed into Education Scotland on their engagement. This would provide clearer picture of activity and gaps. 

SEP24/08: Education Scotland, SDS and ScotlandIS to connect over industry supporting cyber learning in the classroom. 

The Head of the NCRU added it would be important to map career pathways to understand the longer-term impact of these initiatives. 

JA commented that there was a delay in gaining this information because it was reliant on information being recorded and stored accurately and it continued to prove challenging to bring that information together. 

NC questioned if these initiatives could be shared with guidance teachers in schools as they were influential in a pupil’s learning journey and could enhance take up of cyber security as a career. 

SEP24/09: JA to action a briefing to school careers guidance teachers on cyber security careers.  

CyberFirst, cyber qualifications and curriculum review

OB discussed CyberFirst as part of a suite of strategies that looked to embed digital skills across the curriculum. He shared that 100% of schools in South Ayrshire have the bronze CyberFirst award and Education Scotland’s goal would be to have all schools in Scotland with at least bronze CyberFirst accreditation. Education Scotland’s next steps are to replicate this in Glasgow and Stirling and expand the network. He added that embedding this into the curriculum takes more time but it is significantly more sustainable. 

He added that with the 2023 CyberFirst girls’ competition, Scottish schools accounted for 15% of schools that participated and 35% of all girls who participated. He added that he expected this number to double next year. 

OB shared information on national qualifications. He displayed an uptake in National 5, Higher and Advanced Higher Computer Science qualifications. He added that it was important to note that there were a number of different National Progression Awards (NPA), which included Cyber Security, Data Science and Digital Literacy, among others. He showed an upward trend in graded computing qualifications between 2020 and 2024. 

OB further shared information on the planned curriculum improvement cycle that the Cabinet Secretary for Education announced in December 2023. He added that Digital Literacy was included as a core competency and should be prominent. Work had been underway with teachers, industry partners and academics to understand new planned core competencies. Within Digital Literacy, four ‘Big Ideas’ have been developed; digital citizenship, cyber resilience and internet safety, information and media literacy and digital environment. OB said Education Scotland will take this opportunity to ensure these are embedded within the curriculum framework. 

OB asked if he could provide a regular update on CyberFirst, cyber qualifications and the curriculum to the Board. Members agreed. 

SEP24/10: OB to have item on the agenda at every second Board meeting to discuss CyberFirst, cyber qualifications, teaching capacity and capability and the curriculum review for Members to support and comment. 

The Vice Chair would like to understand what works well and what the ultimate standard of digital education was. The Chair added that there were two important aspects of digital education. These were to ensure there was a basic standard of digital literacy for all children and basic standards of internet safety. 

OB added that Computing Science qualifications may no longer be fit for purpose, with the exception of Advanced Higher. In order to drive interest and attainment, changes should be made to attract and retain pupils as growth could be seen when pupils were able to show autonomy in projects relating to computer science. 
OB added that CyberFirst (provided by NCSC) as a resource in schools was invaluable. In Scotland, teachers are given agency to create their own lesson plans. For teachers to incorporate cyber security into this, they would need to carry out their own research and this proved to be challenging as they did not know where to begin. It would be good to work in partnership with industry on this to ensure any materials developed would be more relevant, easy for teachers to understand and adapt for their pupils. 

Any other business (AOB)

There was no other business raised during this meeting. 

Close

The next Board meeting will be on 3 December 2024 ,10.00 – 14:00. This meeting will in person in Atlantic Quay in Glasgow.