Public Audit Committee

Meeting date: Thursday, March 17, 2022

Section 22 Report: “The 2020/21 audit of the Scottish Environment Protection Agency”

The Convener

Agenda item 2 is consideration of “The 2020/21 audit of the Scottish Environment Protection Agency”. I am pleased to welcome our witnesses this morning, all of whom join us online, as does our deputy convener, Sharon Dowey. I welcome from the Scottish Environment Protection Agency: Jo Green, acting chief executive; Stuart McGregor, chief finance officer; and David Pirie, executive director, evidence and flooding. From the Scottish Government I welcome: Roy Brannen, interim director general, net zero; Helen Nisbet, director, defence, security and cyber resilience; and Kevin Quinlan, director, environment and forestry.

As we are quite tight for time this morning, I would appreciate succinct questions from committee members and succinct answers. On 31 March, the committee will take evidence on major information and communications technology projects in general, at which point we will look at some of the wider read-across from the cyberattack that SEPA sustained and the lessons that we need to learn. I encourage people to be as disciplined as possible, but I hope that our line of questioning will take that into account, too.

Jo Green and Roy Brannen should feel free to bring their colleagues in, if it will be helpful. If those who join us online want to come in at any point to give evidence in the conversation that we are having, they should type R in the chat function, and we will pick them up at the appropriate time.

I invite Jo Green, who had hoped to attend the meeting in person this morning, but is joining us virtually, to make a short opening statement.

Jo Green (Scottish Environment Protection Agency)

Good morning. SEPA was the victim of a determined and sophisticated cyberattack that was orchestrated by international serious and organised criminals and which has had a significant impact on our operations and ability to deliver our full range of services. The loss of access to data also impacted on our ability to report for financial year 2020-21 as well as produce our annual report and accounts.

Our focus throughout our response and recovery has been on protecting the environment and communities, protecting and supporting staff, ensuring the most critical service delivery on flooding and environmental regulation and, instead of building back, building new in a way that sets us up better to meet future environmental challenges. A key aim has been not only to learn from the cyberattack on us but to share that learning. In October, we published and widely shared independent reviews that we had commissioned. We have implemented 35 of the 44 recommendations that were made in the reviews and have made good progress on the remaining nine.

More than 12 months on from the attack, service delivery remains very challenging but, in difficult circumstances, our staff are still delivering important work for the environment and communities. We have now stabilised our most critical systems and are making good progress in the difficult and complicated job of recovering data, but there is still more to do. Experiencing such a sophisticated criminal attack has been very difficult for our staff, and I thank them all for their commitment, flexibility, hard work and resilience. We are also grateful for the support that has been provided by the Scottish Government, Police Scotland, the National Cyber Security Centre and the Scottish Business Resilience Centre.

Before I close, I would like to clarify one point relating to the evidence that the committee received on 10 February. One of the questions was about just 1.6GB of data being stolen, which might not seem so much. Although a very small amount of our data was stolen and published illegally on the dark web, the attack left most of our data inaccessible, as it encrypted or deleted that data and the systems that enable us to use it. That was what made the attack on us so significant.

I will lead for SEPA in answering the committee’s questions, but I am also joined by colleagues.

The Convener

Thank you very much, particularly for that very helpful clarification. Indeed, Willie Coffey will be asking questions on that particular subject later in the meeting.

Sharon Dowey, who, as I said earlier, is joining us via videolink, has a couple of questions to start us off.

Sharon Dowey (South Scotland) (Con)

Good morning. We know that the cyberattack is subject to an on-going police investigation, but are you able to confirm whether investigations are on-going to establish, as the report says,

“the exact route source of where the cyber-attack breached SEPA’s systems”?

Once those investigations are complete, will that information be shared with us or will it remain confidential?

Jo Green

We have a high degree of cybersecurity maturity, but the attack on us was very sophisticated. As you have said, the attack is subject to a live criminal investigation, so there is only a certain amount that we can say about the route in, but I will pass over to David Pirie to talk about that.

David Pirie (Scottish Environment Protection Agency)

Good morning. As Jo Green has said, the attack was highly sophisticated. Following the attack, we undertook a number of reviews, one of which was a technical forensic review that informed the Police Scotland investigation. We have not published the technical forensic review as it is part of the criminal investigation, but the headline methodologies and headline information about how the attack happened were published in the SBRC review. The exact route into SEPA’s systems and the particular phishing email that originated the attack have not been identified, but the forensic investigation identified that a phishing email was the most likely source into SEPA’s systems.

Sharon Dowey

Paragraph 14 of the Auditor General’s report states that a

“SEPA staff member received a system alert at midnight on the morning of the 24 December 2020”

and that they

“were unable to reach the key senior management contact to escalate the issue at this point.”

The Auditor General has told us that SEPA reviewed its immediate response protocols following the cyberattack. Are you able to give us a brief outline of the changes that have been made as a result of the review?

Jo Green

Yes. To be clear, I point out that SEPA has a strong culture of resilience, governance and incident and emergency management, all of which kicked in quickly when the incident happened. Again, though, I will pass over to David Pirie to talk specifically about the issues that have been raised.

David Pirie

As has been said, we have taken on board the reviews and are working our way through the 44 recommendations. We have reviewed, renewed and updated all our cyber response procedures and playbooks on how we initiate our response to such incidents, but I should say that, on the evening of the cyberattack, our response was effective and worked to plan.

Sharon Dowey

So you are happy that, with the new procedures that you now have in place, you will not have the same issues that you had on the night of the attack.

David Pirie

I do not think that the issue with regard to escalation was material to the impact of the attack—that is, I do not think that it made any difference in that respect—but I am confident that the new procedures that we have in place will be effective.

The Convener

As I mentioned, Willie Coffey has a series of questions to ask.

Willie Coffey (Kilmarnock and Irvine Valley) (SNP)

Good morning, everybody. Jo Green said that progress has been made on the recommendations—you have implemented 35 out of 44 of them. I want to explore the back-up issue. We know from the previous paperwork that the back-up data was targeted first, which rendered it inoperable, and you could not perform a back-up. Could you tell us about the current back-up situation? Have you addressed that issue through the action that you have taken since then? Is the back-up data now entirely separate from the main systems data?

Jo Green

That is obviously a key issue in terms of cybersecurity. I stress that the attack on us was extremely sophisticated and had a number of components to it. We had implemented what was, at the time, best practice in back-up policy, but the attack specifically targeted back-up systems as our team tried to recover and restore back-ups. We have made a number of changes, and I will pass over to David Pirie to talk about the detail of those.

Is David still online?

The Convener

We have been having some problems with David Pirie’s connection. I cannot see him on my screen. We were going to put him on audio only, but he does not appear to be there.

Is there anyone else on your team who could pick that up? If not, I will ask Willie Coffey to move on to his next question.

Jo Green

Would it be possible to come back to that question, if we manage to connect with David Pirie, because he would be so good at answering it?

The Convener

That would be fine. We always have the option of asking you to provide us with a written response to any of our questions if, at this point, you are unable to answer them to the fullest extent that you would like to.

Willie Coffey

I thank Jo Green for that answer. David Pirie does not need to tell us about the details. The committee simply wants to be reassured that the back-up strategy is different from, and more secure than, the previous one. As we all know, another phishing email could come in on any day, through which—by clicking, linking, following or whatever—staff could inadvertently provide access to your systems data. I just want to get a sense that that issue has been recognised and that steps have been taken to provide additional protection for SEPA’s systems data.

Jo Green

We had three levels of protection around back-ups, which was in line with best practice at the time, but we have made improvements since then, based on the recommendations that were made in the audit.

Willie Coffey

Is there now physical separation between the main systems data and the organisation’s back-up data? To my mind, that would mean that any further attempts of a similar nature could not succeed.

Jo Green

Yes. As part of the 3-2-1 best practice that we had at the time, there was some physical separation in one layer of our back-ups. That was already there, but if David Pirie is able to join us, he can provide some of the detail, or we will follow up in writing to clarify that.

Willie Coffey

What staff support, financial support or other support has SEPA had from the Scottish Government to get through the attack, recover from it and move forward? Other organisations are vulnerable to such attacks, not just SEPA. Have you been able to share your experience with other bodies to make them aware of what might happen and of the actions that you have taken that they might wish to consider implementing?

09:15  

Jo Green

I will talk about support and then learning. We are very grateful for all the support that kicked in quickly on the back of that significant and serious criminal attack on us. The Scottish Government moved quickly to support us. For example, our most critical staff, including our emergency team, had access to 120 secure Government laptops. We are really grateful for that. On the finance side, colleagues in SEPA worked closely with the Government.

We had strong support in the early days, especially from Police Scotland, the National Cyber Security Centre and the Scottish Business Resilience Centre. That enormous support was around us in the early stages of our response to the cyberattack.

On learning, that is one of the first things that we landed on. The situation was so serious that we knew not only that we could learn from the attack but that others could learn from it. We commissioned four independent reviews. Those were for us to learn from, but we shared them widely. Last October, we held an event to make public the lessons for us.

The reviews, including the Police Scotland one, were useful in that they made recommendations for us. Most of the recommendations were also for other public bodies, and it was clear what they could take from what had happened to us.

Willie Coffey

Thank you very much for that. If David Pirie comes back online, I might—

The Convener

He is back.

Willie Coffey

Can I go back to him?

The Convener

Of course.

Willie Coffey

Hello, David. I cannot see you on screen. I was asking about the back-up strategy and whether you could give the committee some assurance that the back-up procedure that is in place will, as far as possible, make the same type of cyberattack impossible to succeed, and that your back-up data is physically separate from the main systems data.

As I understand it, the hack reached the back-up data first, so you were unable to reinstate your systems. Have you taken steps to make sure that that data separation is physical, so that the back-up data cannot be attacked, should there be a future attack?

David Pirie

Yes, we have. We had a well-developed strategy for back-ups. The reviews have indicated that we broadly complied with best practice. We had three layers of back-up: a real-time synchronous back-up, off-site back-ups and air-gap back-ups.

When the attack happened, the criminals began encrypting our data. As they did so, they copied that to our synchronous back-up, so the synchronous back-up became encrypted in real time. The criminals targeted and deleted the off-site back-ups. Our air-gap back-ups covered some of our main data sets but not all of them.

Since the cyberattack, we have taken on board the recommendations and put in place new offline back-up arrangements that cover all our data.

Willie Coffey

I appreciate what you have said, but can you please confirm that, should something of a similar nature occur again, the back-up data could not be physically or logically accessed by any hackers who might wish to do that? There has to be complete separation of your data to protect it from future hacks.

David Pirie

Yes, I can confirm that.

Willie Coffey

Great—thank you very much for that.

I am conscious of the fact that Roy Brannen is on the panel and that the Scottish Government’s role was mentioned in that question. Do you want to come in?

Roy Brannen (Scottish Government)

As this was before my time as director general, I will bring in Helen Nisbet, who was there, but from what I can see, and as Jo Green said, there was a lot of activity and close working early doors on 24 December 2020. The on-call cyber resilience unit was contacted early doors and the chief information security officer was engaged, and both of them established the national cyberincident co-ordination arrangement that flowed through the day. As well as providing laptops, secure email accounts and information technology support, we allowed access to the cyberincident response company that provided the early help to SEPA. SEPA’s budget in 2021-22 was also uplifted by £2.5 million, but the organisation did not use that funding in its entirety. Support from the sponsor team was pretty good in the early days and continued through the year, with regular engagement with SEPA’s management on performance measures that we were tracking as we tried to help the organisation to recover.

Helen Nisbet might want to say a little bit more about the early response from our cyber colleagues.

Helen Nisbet (Scottish Government)

As you said, from the word go—I think that it was 11 o’clock on the 24th—the Scottish Government’s chief information security officer and the on-call cyber resilience team were notified by David Pirie of the incident, and it quickly became apparent that the attack was of such magnitude that we needed to stand up the incident management plan, which we did.

As for the incident management response company coming in, the critical thing in the early stages of an attack is to get to grips with what has happened, and a bit of time is always required to carry out that diagnostic work. By the time of our first cross-working meeting on 27 December, which brought together the National Cyber Security Centre, Police Scotland, the sponsorship team and, of course, SEPA colleagues, we had already started to push out across the broader public sector in Scotland—and beyond that to, for example, the NCSC, which we were obviously feeding into—our understanding of the attack, so that other companies and organisations could see whether similar activity had been happening in their own area and could take appropriate action. We continued that work in the weeks following the attack.

Willie Coffey

Are you content that, should there be another successful cyberattack attempt, the back-up data could not be accessed, encrypted, destroyed, stolen or otherwise?

Helen Nisbet

I am not a technical expert on such things, but action has been taken in accordance with the recommendations, and we are satisfied in that respect. As you will appreciate, such activity involves almost a constant game of cat and mouse; in some quarters, those who try to infiltrate systems see it almost as a game or challenge to overcome whatever measures are in place. We always face that challenge, but I am satisfied from the reports that we have received that SEPA has taken steps to meet the challenge and deal with the vulnerability that was exposed in the attack.

The Convener

Thank you very much. David Pirie will be with us for the rest of the session, but on audio only.

Colin Beattie (Midlothian North and Musselburgh) (SNP)

Clearly there is still some distance to go with recovering data and so on. Do we have any feel for how much data has still to be recovered? How many systems need to be re-established or developed as a workaround?

Jo Green

In the early stages of the attack, we were really concerned about data and what could be recovered. The work is very difficult and complicated, but the headline is that we estimate that more than 80 per cent of our data has now been recovered. Access is still limited, because we need the systems to be able to get to the data, but really good progress has been made on recovering it.

David Pirie can talk about some of the other aspects that you have raised.

David Pirie

Yes, we have successfully recovered just over 80 per cent of our data. That includes all of our email correspondence and a large proportion of our finance and human resources records. Most important, it includes raw environmental data, such as ecological, chemical, hydrological and discharge results that represent our understanding of the state of Scotland’s environment and go back for almost 50 years.

We have recovered that data, but there are systems that we still need to recover, and about 20 per cent of our data remains encrypted or deleted and inaccessible to us. It will take a considerable time to rebuild the systems to give us free and easy access to the data that we have recovered. Recovery is the first step, but the second step is building systems that allow us to access that data.

Colin Beattie

Just to make it clear in my mind, when we say that data has been recovered, does that mean that data that was encrypted has been decrypted or that the information has been rebuilt, perhaps using manual records?

David Pirie

None of the data has been decrypted. We did not pay the ransom, so we do not have any decryption tools. The data has been recovered from offline back-ups of the sort that we were discussing earlier. It has mainly been recovered from offline back-ups, but some data has been recovered by restoring it from sources or locations that were not impacted by the attack, such as our website and other publicly available locations. Some data has also been recovered from manual paper-type records that we held.

Colin Beattie

None of the data has been decrypted. Do we have resources that are capable of doing that, or is it simply too difficult?

David Pirie

It is my understanding that it is too difficult. We certainly have not managed to decrypt any of the data. Very occasionally, decryption keys become available when criminal groups either fall out with one another or get caught by law enforcement agencies. It is not impossible that a decryption key will become available, but the advice that I have received from law enforcement agencies is that it is highly unlikely that we will get one.

Colin Beattie

Continuing on the same line, are there any services or projects that you are unable to provide or deliver at the moment?

Jo Green

Service delivery was obviously challenging in the immediate aftermath of the cyberattack, but our business continuity arrangements kicked in quickly. We were quickly able to provide our flood risk warning service and to do incident response and regulation. Our most critical services kicked back in very quickly, within a day.

After that, we have been on a phased and planned approach to recovery of services. In the early stages, there was a period when we were stabilising really basic services such as bringing our staff back online so that they could communicate and have access to email systems. There has been a gradual and planned approach to all of that.

Quite early on, we put weekly service updates on our website so that people could see the status of our services. Over time, we have brought services back online but, at the moment, it is still very challenging to deliver them, because we need to build the new systems to make it easier to operate in the organisation.

Colin Beattie

At this moment, are there any services that you are not providing?

09:30  

Jo Green

One service that we are not currently providing, which we normally would, is a public register. That relates back to data recovery. We have a planned approach to data recovery and to bringing things back online. We need to re-establish our public register.

Colin Beattie

Have any projects been seriously impacted—either delayed or put on the back burner—as a result of the attack?

Jo Green

Clearly, immediately after the attack, we pulled together a plan for the year—an annual operating plan. We are doing a series of projects to deliver and build back and we have kept largely on track with that during the year. The effort and flexibility of our staff to deliver projects in very difficult circumstances have continued throughout the year. I will just give some highlights of what we have managed to do.

We have been monitoring Covid in waste water—we have kept our labs going and have managed to do that. Our expertise in designing and implementing a monitoring network, coupled with our scientific capabilities, enabled us to make that contribution to the response to the pandemic. We are also responsible for the forecast and monitoring of Scotland’s water resources. We produce a weekly water scarcity situation report between May and September, and again we managed to keep that going. Similarly, we successfully monitored Scotland’s designated bathing waters.

In the key headline areas of priority, therefore, we continued to deliver during the year, but it was extremely difficult.

Colin Beattie

You have not said whether there are any services that you are not able to deliver at the moment.

Jo Green

The public register is one. We see that as very important and we will get it back online.

Colin Beattie

Are there any other services that have been impacted?

Jo Green

It has mainly been about services being delivered in different ways, rather than them being impacted. For instance, we have a significant role in responding to planning consultations and working with planning authorities. Clearly, in the early days, we had lost access to our data and files, so the initial communication was very difficult. Very quickly, our planning service kicked in and made direct links into each local authority to triage what was most important for us to get on with in order to provide advice to the planning authorities. We cleared the backlog and established a different way of operating with the planning authorities, which we intend to carry forward. There has been a lot of ingenuity and finding workarounds in difficult situations, but some of that is stuff that we will want to continue in the future.

Colin Beattie

I have one final question. I believe that you have established a figure of £17.9 million as the potential worst-case scenario for costs. Are you able to firm up on the cost to date and give a projection of the cost of the recovery and your responses?

Jo Green

Yes. We are doing work to pin down the cost of the cyberattack. We intend to publish that and make it available, which should be by the end of this month. It is imminent; we are doing that detailed work now. Clearly, it is not necessarily straightforward. As I say, we are not recreating all our old systems. We are building from new and some of that is investment that would have been needed in the coming years anyway, so it is quite tricky to pull together the accurate cost of the cyberattack. That is what we will do, and we will try to lay it out as transparently as possible so that people can see it.

I will just check whether Stuart McGregor, our finance officer, would like to come in on that question.

Stuart McGregor (Scottish Environment Protection Agency)

Thank you very much. I will take the question on the £17.9 million first. That was based on a paper that was prepared in 2019, which was part of our normal practice of doing some forward financial forecasting over a number of years. There were a number of forecasts in that on potential reductions and increases in grant funding, and there were some wide ranges. That was to give the board and the management team a feel for the potential challenges that we might face in the future. The £17.9 million was out there as the worst-case scenario that we should look at, but that is not coming to fruition. In the main, we have had flat-cash settlement budgets for grant in aid. Although that adds some complexities for us in covering wage awards, inflation and so on, the figure is certainly not near the £17.9 million value that was quoted in the report.

The on-year finances are looking okay. In 2020-21, we did not need to utilise the £2.5 million from the Scottish Government—we operated well within that. In the current year, we are looking at the forecast outcome against the planned budget being there or thereabouts. We work closely on forward forecasting with the Scottish Government sponsor and finance units, and we are nowhere near approaching the figure of £17.9 million.

Colin Beattie

[Inaudible.]—correctly. Obviously, there are costs. That is mitigated to a certain extent by SEPA accelerating the delivery of its digital strategy. I presume that that is within your budget in any case. I am not putting words in your mouth, but the impact on your budget should therefore be much less financially.

Stuart McGregor

Yes, that is the case. You have summed it up well. We look at our annual allocation—it is a one-year settlement—and we are working within that. We prioritise delivering the priority outcomes for SEPA in the budget strategy. We are not expecting major gaps, although there will be challenges across the public sector with the funding availability.

You are correct about moving forward with cyber. We have to bring forward some of the digital strategy, so we are reprioritising our spend within the year to do so. We are phasing over the period of time.

The Convener

Thanks, Mr McGregor. That is helpful.

I want to go back to a point that Jo Green made a few minutes ago. Jo, you told us that the public register is the one service that is not currently available as a result of the cyberattack. For the layperson, will you explain what information is captured in the public register and what we cannot see that we normally would be able to see? When do you expect the public register to come back online?

Jo Green

Our public register is where we make available all the information on the permits that we issue. I might check with David Pirie when it will come back online. We have had a planned approach to data recovery, and we are just going into the next phase of planning to set out what we are going to recover and when. I do not know whether we can say at this point exactly when the public register will come back online, but I will check with David Pirie.

David Pirie

We are bringing our services back online in a phased manner. Some services are already back online. Some of our licences for things such as septic tanks and some of our waste carrier notices are already online, but it will be a considerable time before we have all our services back up and online. When I say “considerable time”, I mean years. It will probably take us at least a couple of years to get all our services back up and online.

The Convener

Wow—that is quite a stark conclusion to draw, isn’t it?

Craig Hoy (South Scotland) (Con)

Obviously, the impact of the cyberattack is significant, and it will be felt throughout the organisation. I have questions about staff training and future workforce planning.

You all seem to be in quite good spirits this morning, but you might want to say a little about the impact of the attack on staff morale and how that has been managed since December 2020.

Jo Green

I am glad that you asked about that—it has been uppermost in the minds of the exec team throughout. I come back to the point that being victims of such a significant cybercrime has been very difficult for staff, particularly when set against the backdrop of the pandemic and what everyone was already dealing with personally and professionally.

SEPA has a culture of resilience, governance and incident and emergency management. We are used to responding to incidents, but the extraordinary levels of flexibility and commitment that we saw, which went even beyond that culture, were quite something. The attack happened on Christmas eve, and people voluntarily gave up their leave and just kicked in. Over many months, they have carried an awful lot.

We have talked about the loss of access to data and to some of our services, but we still have the skills, experience and ingenuity of 1,300 people in the organisation, which have allowed us to keep operating services without some of the systems and data that we talked about.

What did we do? We did a range of things. Communications were critical so, straight away, we started communicating with our staff weekly or sometimes more frequently. We pulled our managers together weekly in order to support them and enable them to support staff. Communications were a huge focus so that people knew what had happened, what was happening and what was coming next. It was critical to bring our staff back online, because people had lost access to email and the ability to communicate easily. Therefore, bringing people back online over a period was important.

The attack was a crime and, understandably, staff were concerned about their data having been stolen and staff protections. We made available antivirus software for their use at home, and Police Scotland pulled together great guidance to help our staff to understand the actions that they could take to protect themselves. We had a number of means of support from the organisation and others.

I will mention Unison’s efforts throughout this time. In SEPA, we have a strong collaborative working relationship with Unison, and the support that it provided to the organisation was key. We gave Unison a seat at the table for our emergency management team meetings, all-staff calls and manager calls. It played a significant role throughout.

Craig Hoy

As a result of the SBRC review, there was quite high awareness of and training in cybersecurity—95 per cent of staff underwent cybersecurity training in 2020. Since the attack, how have you approached the issue in order to raise awareness and develop skills among staff in relation to emerging and future risks to cybersecurity?

Jo Green

We had a good level of cyber awareness in the organisation already. As Police Scotland said, we are not a poorly protected organisation in terms of cyber. Training for staff is key, and I will ask David Pirie to talk about that.

David Pirie

As we developed our new systems and brought staff back on board, we had an induction session for every staff member and went through dos and don’ts. We utilised the National Cyber Security Centre’s security training, which all staff went through. Just this week, we have purchased new cybersecurity training and we are about to launch a second wave of cybersecurity training for our staff in the coming month.

As everybody was brought on board following the incident, they went through training and, this month, they will be going through a second set of cybersecurity training.

Craig Hoy

I will put this question to both David Pirie and Helen Nisbet for SEPA’s and the Scottish Government’s perspectives. Earlier, Helen described the situation as a game of cat and mouse, and cybersecurity is getting increasingly sophisticated. What impact is that having on workforce planning to ensure that public bodies—SEPA and the wider public sector—have the skills that they need to make sure that they can not only recover from this attack, in the case of SEPA, but safeguard against future attacks?

09:45

David Pirie

Cybersecurity is an increasing threat and, as indicated earlier, it is a game of cat and mouse. There are two areas of our cybersecurity training: there is the general training that we talked about earlier for all staff, because staff are the first and best line of defence, so we need to keep them aware of the broad threats. The second area is the more detailed, advanced training for our information services specialists in relation to all the new and emerging threats.

I am pleased to say that, since the SEPA event, we have seen increased support in that second area from the Scottish Government. Since the SEPA cyberattack, regular forums have been held by Scottish Government cyber professionals, where they share intelligence, learning and approaches for some of our cybersecurity staff to make them aware of upcoming threats and things that they need to be aware of. That has proved very useful in recent months.

Helen Nisbet

David Pirie has described the SEPA experience. From our point of view, we rely heavily on the strategic framework for a cyber resilient Scotland that was launched in February 2021, which built on the original cybersecurity strategy that was published in 2015.

We are adopting a multifaceted approach. Rather than having a strategy to be reviewed every few years, we have a framework that can be built on with successive action plans.

We have four action plans covering 2021 to 2023 activity just now that seek to achieve the same things across the public, private and third sectors. The four overarching aims are that, across the piece, people recognise cyber risks and are well prepared to manage them; that businesses and organisations recognise cyber risks and are well prepared to manage them; that digital public services are secure and cyber resilient; and that our national cyber incident response arrangements are effective.

There is also a training and skills action plan. The key thing that we are trying to do with that is to embed cyber resilience and an understanding of the need for cyber resilience through the education system, starting with schools and going through into further and higher education, so that general awareness is established. We are also looking at what we can do to establish that pipeline of skills that brings properly qualified cyber resilience and cybersecurity people into the workforce because, as David Pirie has said, and as I said earlier, this is a growing problem and it is unlikely to diminish.

I will just add one last thing on what support we have been offering since the attack. The National Cyber Security Centre makes a number of products available that allow businesses to self-assess their cyber resilience. There is a base or foundation level known as cyber essentials that allows organisations to self-assess and there is a higher level known as cyber essentials plus, which is basically self-assessment. It is not accredited, but there are cyber technical challenges that allow organisations to be tested on their understanding to see whether there are any weaknesses. There is a product called exercise in a box, which is almost as it sounds. It is a packaged exercise that can be utilised by organisations to test their understanding. We have supported the use of that across Scotland in the past several months, both financially and through public awareness.

More recently, via the public sector cyber resilience network that has been established, we have been doing sessions to raise awareness of the current heightened level of risk as a consequence of the current events in Ukraine. We have set up a daily information-sharing cell to ensure that we pick up on anything that is happening. We have also been able to engage with the Scottish Government chief information security officer to offer surgeries, primarily to public sector bodies, to answer any technical questions on our current cyber resilience needs.

Craig Hoy

That is reassuring—thank you.

The Convener

As I mentioned, some of those broader themes will be picked up in the evidence session that we have planned for 31 March.

That brings us to the end of our short evidence session on the report on SEPA. I once again thank Jo Green, acting chief executive of SEPA, Stuart McGregor and David Pirie, who joined us visually and by audio only at points. Thank you very much for the evidence that you have given us, which has been valuable. I also thank Roy Brannen, Helen Nisbet and Kevin Quinlan from the Scottish Government, who also joined us. If there are any points that, on reflection, you feel that it would be useful for us to have, by all means submit them to us in writing—we would receive them gratefully.

I briefly suspend the meeting so that we can have a changeover of witnesses.

09:51 Meeting suspended.

09:52 On resuming—