Cybersecurity and its role in delivering digital public services to citizens

John Swinney, Deputy First Minister of the Scottish Government, shares his thoughts on the importance of cybersecurity and why it is an essential component of delivering digital public services to citizens.

Across the globe, our ability to inform and interact with citizens is being transformed by digital opportunities, and Scottish public bodies, businesses and charities are developing ambitious plans to embrace these opportunities. However, the scale and nature of the cyber threat is indisputably on the rise, and this presents a risk to Scotland’s ambition to be a world-leading nation in cyber resilience.

Worldwide, public services are being routinely and mercilessly subjected to low-level but high-volume attacks which capitalise on the complacency around basic cybersecurity measures, as well as more sophisticated and targeted cyber-attacks which in turn are impacting on the ability to provide essential health, social care and community services. This can also serve to undermine trust and confidence in the public sector.

The impact of a significant cyber-attack on any one organisation can be potentially catastrophic, but it does not necessarily stop at that one organisation. Cybersecurity must be viewed by the boards and senior management across all public, private and third sector organisations as an essential component of delivering digital public services to citizens.

In the wake of cyber-attacks in 2017, which affected some public services in Scotland, the Scottish Government committed to accelerating the development of an action plan on cyber resilience which would ensure that Scotland’s public services are ready to deal with the emerging cyber threats. Published in November 2017, the Public Sector Action Plan on Cyber Resilience asks the public sector in Scotland to undertake a number of actions to further strengthen our cyber resilience.

In the short term, I want to see a common baseline of cyber resilience measures implemented across the Scottish public sector, including a commitment from boards and senior management to having appropriate governance arrangements in place to manage the cyber risks. We want active membership of the NCSC’s Cybersecurity Information Sharing Partnership to ensure better awareness of cyber threats, independent assurance of critical cybersecurity controls to help protect against the most common internet-borne attacks and implementation of the NCSC’s Active Cyber Defence Programme. Furthermore, there should be training and awareness raising arrangements for individuals at all levels of the organisation and robust cyber incident response plans as part of wider response arrangements.

Looking to the medium term, we will aim to promote a common, effective, risk-based approach through the development of a Scottish Public Sector Cyber Resilience Framework, which will help make sense of the wide range of standards Scottish public bodies are, or will be, required to comply with, such as the NIS Directive, the GDPR and cross-government security standards.

The cybersecurity of any one organisation within the chain is potentially only as strong as that of the weakest member of the supply chain. We are therefore developing a proportionate, risk-based policy in respect of supply chain cybersecurity, aligned with GDPR requirements, which we will then encourage public bodies to apply in all relevant procurement processes. A group of public bodies, the cyber catalysts, have committed to work towards becoming exemplars in respect of cyber resilience, helping identify common issues and solutions and sharing knowledge and learning with the wider public sector.

The Public Sector Action Plan forms part of a suite of plans that we committed to developing in the Programme for Government, in order to drive Scotland towards our vision of being a world-leading nation in cyber resilience by 2020. These plans are designed to create concrete actions which will help our citizens operate safely and confidently in the digital world, drive up levels of fundamental cyber resilience in the private and third sectors and support the economic opportunities that innovation and cutting-edge research in cybersecurity present.

I often remark that “resilience is everyone’s business”. Nowhere is this more true than in the area of cyber resilience. The complex nature of the cyber threat, its lack of respect for any boundaries and our increasing reliance on interconnected digital networks mean that we ALL have a stake in making our nations safer places to live and flourish online.

I also have no doubt there will be challenges as we take forward work together to develop and implement our action plans on cyber resilience. But I truly believe that, if we can create an environment where we work together, with a common goal and build on one another’s strengths and knowledge, the vision for Scotland being a world-leading cyber resilient nation is within our reach.

 

© Crown copyright

John Swinney

Deputy First Minister

Scottish Government

Tel +44 (0)300 244 4000

ceu@gov.scot

www.gov.scot

www.twitter.com/scotgov
