The Scottish Government isn’t taking Digital Security seriously

Yesterday, the Scottish Government published a “refresh” of its digital and cyber security strategy. It shows signs of already being out of date and, in contrast to the EU’s recently published digital sovereignty framework, lacks any concept of modern threats to Scottish digital security.

The “Strategic Framework for a Cyber Resilient Scotland 2025 - 2030” has been published five years after the previous framework was released and was announced as a response to the “ever-changing cyber threat landscape”. Unfortunately, it appears to revolve entirely around relatively small-scale digital threats like fraud or identity theft. Modern threats, which have appeared increasingly over the course of this year but were apparent even before then, include large-scale denial-of-service attacks from hackers; vulnerabilities like outages - accidental or deliberate - involving cloud services (including one that shut down the Scottish Parliament just a couple of weeks ago); and possibly even state-backed shutdowns, where services that rely on foreign-manufactured components or on connections to internet servers in potentially hostile states can be used to spy on Scotland or to disrupt or shut down critical services (see this story about Norway’s concern about the possibility of Chinese electric buses containing effective kill-switches, or this one about the possibility of Donald Trump ordering Microsoft to spy on EU citizens).

Shockingly, the Scottish strategic framework doesn’t just ignore the threat to Scotland via vulnerable cloud services but actually contains the sentence “A strategic, phased, risk-based approach is required, which may include…migrating services to cloud infrastructure, ideally designing services for the cloud”. From the language in the document, the Government appears to be assuming that smaller organisations and public service offices will lack the digital skills required to keep an in-house IT system secure, and that the best solution is therefore to outsource and centralise security with the owners of the cloud infrastructure.

Given that these owners are often either unaccountable Chinese companies or American megacorporations in thrall to a petty and unstable President, rather than mitigating the threat, the Scottish Government appears to be running directly into it.

Contrast this with the EU’s recently published cloud sovereignty framework, which lays out several metrics around the risk of using cloud infrastructure that cannot be controlled via domestic regulation or legislation (e.g. because the physical servers are in the USA, as was the case with the disruption caused in Europe by a failure in Amazon’s AWS system). The EU framework lays out eight “pillars” of sovereignty covering EU control of aspects of critical digital infrastructure such as legislation, technology, supply chain and others. It also scores digital infrastructure on a scale from 0 (no effective EU control) to 4 (full EU control with no non-critical, non-EU dependencies). Germany and other EU countries are already making strides in removing non-EU dependencies from their digital infrastructure, including publishing an Open Source office management system that public services and companies can use to remove Microsoft from their offices.

The EU framework isn’t perfect. In fact, its EU-centred “walled garden” approach risks swapping a US tech oligopoly for an EU tech oligopoly, and this should be a concern for a small nation like the UK that is caught between, but is outwith, both spheres of influence. The principles for Scotland are nonetheless sound - if we cannot control our technology, then we cannot control the public services that rely on that technology.

The release date of the Scottish framework perhaps explains why the strategy here is so light and out of date. The previous framework was released just prior to the Scottish elections, and the Government likely made a promise to refresh it at some point during what is now the current Parliamentary session. We are now nearly at the end of that session and, with three First Ministers having served in that time, it seems that little actual work was done to update the strategy. Simply publishing what they had was thus deemed enough to fulfil the promise made.

This isn’t good enough. When threats to Scottish digital services extend up to the possibility of our “allies” in the US spying on or potentially shutting down our democracy, then this should be reflected in our strategies to keep Scotland safe.

Common Weal will be publishing more on digital and cyber security over the course of next year. If you want to keep up to date with that work as it develops, subscribe to our newsletter and our daily briefing. If you’d like to support us in developing that work, please sign up as a donor here.
