The SPCB has monitoring systems that are designed to provide early warning of cyberattacks and their origins. Although significant targeted cyberattacks against the Scottish Parliament are relatively rare, we encounter periodic smaller-scale attacks. So far, no attacks are known have been successful.
The distributed nature of the internet means that it is not always possible to attribute attacks to particular nation states, but the origin of some of the attacks is known to be outside the United Kingdom. As network users, we all share a responsibility to protect the security and cybersecurity of the Scottish Parliament.
I acknowledge James Kelly’s expertise in this area. The corporate body ensures that the level of protection that is offered to our systems meets or exceeds the baseline standards that are outlined in the public sector action plan on cyberresilience. That action plan was developed by the national cyberresilience leaders board and the national cyber security centre. It aims to ensure that Scotland’s public bodies have a common baseline of cyberresilience practice in place, and budgets will follow that. Or efforts in this area are independently assessed by the cyber essentials plus certification process.
The corporate body also recognises that cybersecurity measures must continue to evolve as new threats emerge. There are organisational procedures in place to ensure that we are kept aware of emerging threats and that we continue to update our systems while balancing the security of those systems with the flexibility that allows members and their staff to work at any time from anywhere.
If members such as James Kelly have any specific concerns—including about the budget—I am very happy for our cybersecurity expert to meet him for a more in-depth discussion.