Proposed strategy avoids specifics in favour of asserting principles as basis for security
The Scottish Government has said it will hold public authorities to account, but not legislate, in its efforts to boost cyber resilience in public services.
It has outlined the plan, making itself the standard bearer for the country’s cyber resilience, in a consultation document on its proposals for a national strategy.
While the document extends into providing a lead for businesses and individuals, it could have the most direct relevance to the public sector, over which the Scottish Government can exert a level of authority. But it refrains from becoming strongly prescriptive, placing the emphasis on a generalised vision and set of principles.
It is notable that one of the three strategic outcomes that it aims to achieve is that everyone becomes confident in the resilience of Scotland’s digital public services. (The other two are that people are safe and confident in using online technologies, and businesses are resilient and can trade securely online.)
It says central government should provide a lead for the public sector in best practice in cyber resilience, and that it will “hold to account” other public bodies for the resilience of their online services. It makes clear that it does not anticipate backing this up with legislation, instead emphasising collaboration, sharing knowledge and raising the profile of cyber security across other policy areas.
The more specific measures in the proposals are for the Scottish Government to lead a national strategic implementation group to evaluate the impact of the strategy, for ministers to report on progress across its agencies, and for it to make its own standards available to service users.
This is backed up by plans for the Scottish Government to help raise public awareness of cyber resilience by promoting its Get Safe Online and e-Crime Scotland websites, and to work with the UK government and businesses on a network to share information about threats and vulnerabilities.
There are also proposals to promote education on cyber resilience in schools and colleges, and to work with the police on assessing a baseline of the cost to Scotland of cyber crime.
This is all underpinned by a set of benchmarks around a step change in cyber resilience, but it is notable that the emphasis is on general perceptions rather than anything that could be quantified: for example, having trusted and effective online public services, developing a global reputation as a secure place for business, and ensuring that critical infrastructure will continue to work in the face of a cyber attack.
The assessment of progress to date in the public sector is positive, pointing to the adoption of best practice and Scottish public authorities taking up the UK Cyber Essentials scheme and adopting the 10 Steps to Cyber Security.
It is light on specifics, but reflects the need for discretion around security arrangements. Similarly, the continually evolving nature of cyber threats makes it almost impossible to be technically specific.
It could be argued that there could be a clearer structure in the plans for sharing best practice and building a cyber security culture, but the document provides scope for readers to suggest other areas that should be considered.
The consultation is open until 28 August and its results will feed into the plan for digital connectivity across Scotland by 2020.