International Cyberattacks

– in the Scottish Parliament on 5th March 2020.

Alert me about debates like this

Photo of James Kelly James Kelly Labour

5. To ask the Scottish Parliamentary Corporate Body what recent evidence has been received that its information technology systems have been subject to cyberattacks from international sources. (S5O-04194)

Photo of David Stewart David Stewart Labour

The SPCB has monitoring systems that are designed to provide early warning of cyberattacks and their origins. Although significant targeted cyberattacks against the Scottish Parliament are relatively rare, we encounter periodic smaller-scale attacks. So far, no attacks are known have been successful.

The distributed nature of the internet means that it is not always possible to attribute attacks to particular nation states, but the origin of some of the attacks is known to be outside the United Kingdom. As network users, we all share a responsibility to protect the security and cybersecurity of the Scottish Parliament.

Photo of James Kelly James Kelly Labour

Is the SPCB security budget adequate to protect our systems from those attacks, and has it been increased to ensure that we keep up to date with developments in information technology security?

Photo of David Stewart David Stewart Labour

I acknowledge James Kelly’s expertise in this area. The corporate body ensures that the level of protection that is offered to our systems meets or exceeds the baseline standards that are outlined in the public sector action plan on cyberresilience. That action plan was developed by the national cyberresilience leaders board and the national cyber security centre. It aims to ensure that Scotland’s public bodies have a common baseline of cyberresilience practice in place, and budgets will follow that. Or efforts in this area are independently assessed by the cyber essentials plus certification process.

The corporate body also recognises that cybersecurity measures must continue to evolve as new threats emerge. There are organisational procedures in place to ensure that we are kept aware of emerging threats and that we continue to update our systems while balancing the security of those systems with the flexibility that allows members and their staff to work at any time from anywhere.

If members such as James Kelly have any specific concerns—including about the budget—I am very happy for our cybersecurity expert to meet him for a more in-depth discussion.