Response to consultation - Scotland

Commonwealth Secretariat, Rule of Law Division response to Consultation on Proposal for a Cyber Resilience Strategy for Scotland

INTRODUCTION
The Rule of Law Division of the Commonwealth Secretariat (the ‘Secretariat’) welcomes the opportunity to respond to the Proposal for a Cyber Resilience Strategy for Scotland (the ‘Consultation Paper’).

Since 2011 the Secretariat has been working in furtherance of a mandate from Commonwealth Heads of Government to develop responses to cybercrime across Commonwealth jurisdictions for the purposes of “improving legislation and capacity in tackling cybercrime and other cyber space security threats”.[1] At their most recent meeting in 2013 Heads reaffirmed this mandate. This work is rooted in the resolution of the 2011 meeting of Commonwealth Law Ministers, attended by the Lord Advocate, to “recognise the significant threat cybercrime poses to national security and law enforcement in all countries of the Commonwealth”. This provides the basis for the Rule of Law Division’s ongoing programme of works in relation to cybercrime.
BASIS FOR SUBMISSION
Under the UK’s devolved constitution, the agencies responsible for law enforcement and criminal justice within Scotland play a key role in facilitating international cooperation. For example, the Crown Office is designated Central Authority for receiving, acceding to and ensuring the execution of Mutual Legal Assistance (‘MLA’) requests within the Scottish jurisdiction.[2] This is a critical component for effectively combating cybercrime, and it is in recognition of this role that the Rule of Law Division makes this submission.

The Rule of Law Division has undertaken some significant activities in relation to the development of cyber security strategies for Commonwealth member states. As such, considerable expertise in the development of effective strategies has been accrued.
UNDERLYING OBSERVATIONS
In addition to making specific points pertaining to the role of Scottish agencies and authorities in a law enforcement context, certain limited observations are also made regarding other aspects of the Consultation Paper. These are aimed at ensuring that the proposed strategy is grounded in a clear and firm relationship with two other publications. These are the:

- UK Cyber Security Strategy Protecting and promoting the UK in a digital world (the ‘UK Cyber Security Strategy’); and
- Commonwealth approach for developing National Cybersecurity Strategies (the ‘Commonwealth Approach’).

[1] Commonwealth Heads of Government Meeting Communique 2011 at 7(i)
[2] Requests for Mutual Legal Assistance in Criminal Matters Guidelines for Authorities Outside of the United Kingdom – 12th Edition at 4, available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/415038/MLA_Guidelines_2015.pdf
The combating of cybercrime takes place in a resource constrained environment. As such, a critical aspect of the emphasis placed on the development of counter-cybercrime capacity by Commonwealth Heads of Government has been the avoidance of duplication. It is critical that there is clarity on the linkages between the proposed strategy and the pre-existing UK strategy. This is particularly pronounced where the stakeholders will be embraced by both strategies.
Further, it is of critical importance that due deference is paid to existing international commitments made by the UK government at the international level but being actioned through the proposed strategy. In particular, this would include the explicit recognition of the values contained within the Commonwealth Charter, as specifically applied to a cyber context by the Commonwealth Cybergovernance Principles.[3]

Assistance in developing a strategy in furtherance of these Principles is provided by the Commonwealth Approach. This was developed by the Secretariat’s sister organisation, the Commonwealth Telecommunications Organisation (‘CTO’). While it is aimed at Commonwealth member states, it provides effective guidance on the development of cyber security strategies generally.

[3] As adopted by Commonwealth ICT Ministers at their meeting in March 2014
RESPONSE TO CONSULTATION QUESTIONS
National leadership; Shared responsibilities; Working together; Protecting Scotland’s values

Q1. Are the guiding principles right for this strategy?
Yes / No
Are there any other principles that should be considered when continuing to develop the strategy?
Broadly these guiding principles appear appropriate.

In relation to guiding principle 4 (Protecting Scotland’s values), it is entirely appropriate to make reference to Scottish values; however, there should also be reference to pre-existing commitments the UK has made in relation to internet governance, human rights and the rule of law.[4] In particular, reference should be made to the Commonwealth Charter and Cybergovernance Principles.

Consideration should also be given to whether or not the section should outline further principles for the strategy’s design and delivery. It may be useful to have regard to the Commonwealth Approach.

[4] The UK Cyber Security Strategy Protecting and promoting the UK in a digital world (November 2011) at 2.16

Our vision is for a cyber resilient Scotland that is safe, secure and prosperous

Q2. Do you agree with the vision?
Yes / No

This is a powerful aid in communicating the strategy, describing the end-state of the activities called for by the strategy.

Strategic Outcomes:
1. Our citizens are informed, empowered, safe and confident in using online technologies
2. Our businesses are resilient and can trade and prosper securely online
3. We all have confidence in the resilience of our digital public services
Q3. Do you agree with the strategic outcomes?
Yes / No
Are there additional outcomes that should be considered?

There should be a clearer linkage as to how these outcomes relate to and support the broader UK National Strategy. This is critical to ensuring (i) the prevention of duplication and (ii) the reduction of conflict. While reference is made to this relationship on page 10 of the Consultation Paper, it is not explicit that this will be recognised in the proposed strategy.

Additionally, the UK Strategy makes express reference to upholding the Rule of Law within cyber space.[5] Consideration should be given to how the Scottish strategy supports this aim.

[5] The UK Cyber Security Strategy Protecting and promoting the UK in a digital world (November 2011) at 2.16

Key Objectives:
1. Provide effective leadership and promote collaboration
2. Raise awareness and ensure effective communication
3. Develop education and skills in cyber resilience
4. Strengthen research and innovation

Q4. Do you think these are the right objectives to focus on?
Yes / No
Are there additional key objectives that should be considered?

Consideration should be given to whether or not a specific Key Objective relating to international partnerships should be included. There are two modes by which Scottish authorities could participate in international efforts to combat cybercrime, particularly cross-border investigations. These are through formal requests and through informal networks.

As noted previously, the Crown Office (specifically the International Co-operation Unit) is a UK central authority for the purposes of MLA requests; there should be recognition of this role as a partner in cross-border investigations of cybercrime involving the Scottish jurisdiction.
In addition to formal modes of international cooperation, the UK is a participant in a number of informal international partnership networks (the Commonwealth Network of Contact Persons, the Council of Europe Budapest Convention’s Article 35 24/7 Network, the G8 24/7 Hi-tech Crime Network and Interpol 24/7) which can assist in combating cybercrime. Through these networks, requests could be transmitted to or from Scottish law enforcement and prosecutorial authorities for participation in cross-border investigation. The key importance of such mechanisms to law enforcement in Scotland was demonstrated by the action of the National Crime Agency in effecting arrests in Scotland tied to the international investigation of the Darkode dark marketplace (Operation Shrouded Horizon).

These opportunities for international partnership should be recognised and encapsulated within the proposed strategy. However, it is critical that the linkages between the UK Cyber Security Strategy, and the roles played by Scottish agencies within that context, are clearly delineated and understood. So too must be relationships with organisations such as the National Crime Agency and the Interpol Bureau in Manchester, which may well act as a conduit for requests for cooperation to Scottish authorities.
Objective 1: Provide effective leadership and promote collaboration
Main areas of focus:
- The Scottish Government to set up and lead a national strategic implementation group to implement, monitor and evaluate the impact of this strategy
- The Scottish Government to be at the forefront of providing safe and secure services, and sharing their knowledge with other organisations
- Collaborating with partners, the Scottish Government will lead and coordinate efforts to develop national cyber resilience
- Ministers and their officials continue to raise the profile of the importance of cyber resilience across a range of policy areas
- Ministers report on the Government’s progress in building a culture of cyber resilience and good practice across the Scottish Government and its agencies
- The standards of cyber resilience adopted by the Scottish Government’s online services (and those of other public agencies) will be available to service users.
Q5. Do you agree with the main areas of focus for effective leadership and collaboration?
Yes / No
Are there other areas that should be considered?

It is appropriate that the Scottish Government should adopt standards of cyber resilience for online services; however, the Scottish Government should, where possible, not seek to develop its own standards. To do so increases costs and risks. Instead, internationally recognised standards such as the ISO 27000 series, augmented by more detailed controls such as the Information Security Forum’s Standard of Good Practice, should be employed.
Objective 2: Raise awareness and ensure effective communication
Main areas of focus:
- The Scottish Government alongside its partners to co-ordinate general awareness raising activity to promote a culture of cyber resilience among all Scottish citizens, including promoting the national online safety websites Get Safe Online and E-crime Scotland across Scotland
- Stakeholders and partners to implement audience-specific awareness raising activity, targeted at employees, educators, leaders and board members
- Working alongside the UK Government, the Scottish Government and partners from across the business world to form a network to share information about online threats and vulnerabilities
- Industry professionals develop and promote best practice in cyber resilience

Q6. Do you agree with the main areas of focus for raising awareness and ensuring effective communication?
Yes / No
Are there other areas that should be considered?

None.
Objective 3: Develop education and skills in cyber resilience
Main areas of focus:
- The Scottish Government and its partners promote the development and delivery of cyber resilience education in early learning and childcare settings, schools, colleges, universities and other learning settings
- Business partners build cyber resilience capabilities within workforces
- Scottish Enterprise and other business partners help develop the cyber security and resilience goods and services industry in Scotland

Q7. Do you agree with the main areas of focus for developing education and skills in cyber resilience?
Yes / No
Are there other areas that should be considered?

No comments.
Objective 4: Strengthen research and innovation
Main areas of focus:
- The Scottish Government, Police Scotland and partners progress with research to baseline the cost of cybercrime to Scotland
- Partners undertake and share research on understanding “what works” in preventing cybercrime, using knowledge from local, national and international angles
- Partners work together to target funding for cyber resilience research
- Enterprise funding is targeted at innovative methods to support the cyber resilience of individual or groups of enterprises

Q8. Do you agree with the main areas of focus for strengthening research and innovation?
Yes / No
Are there other areas that should be considered?

At their meeting in Gaborone, Botswana in May 2014, Commonwealth Law Ministers endorsed the report of the Commonwealth Working Group of Experts on Cybercrime. The report stressed the global nature of cybercrime and that “any weak link provided opportunities for criminals.” As such, even jurisdictions with the capacity to respond to cybercrime within their own borders will only be secure when other, developing and small, jurisdictions are also able to respond to cybercrime.

The Consultation Paper notes that Scotland possesses “working bearing university research”. This significant capability represents an opportunity not only for the UK but for all of the Commonwealth. As such, consideration should be given to the role that Scottish Higher Education institutions could play in assisting other Commonwealth member states, and their own higher education institutions, to develop the capacity to combat cybercrime. For example, this could be achieved by adopting partnership models already being deployed by other UK institutions, including the Open University and the University of Oxford, in partnering with institutions in small and developing Commonwealth jurisdictions to develop syllabuses, teaching materials, joint courses and other capacity building tools. This is based upon the recognition that the development of cybercrime safe havens presents a significant risk to even the most developed jurisdiction. The Secretariat notes that Higher Education policy is a devolved matter.
How will we use the strategy to achieve real change?
For each of the outcomes, the Scottish Government and its partners are developing a detailed action plan setting out the short, medium and long term activities. These specific measures will be published in early 2016. Within this action plan there will be practical activities, projects and improvements to support individuals and organisations to become more cyber resilient, as well as steps to build up the cyber security goods and services sector in Scotland.
Q9. Are there additional actions that will help us achieve making Scotland and its people more cyber resilient?

Review the Commonwealth approach for developing national cybersecurity strategies. As this makes clear, the objectives outlined by the proposed strategy should be rooted in a risk-based assessment. Appropriate evaluation mechanisms are required to monitor and validate progress towards implementation. This will rely upon the careful selection of key performance indicators (‘KPIs’). This is made easier where quantitative measures are used in the evaluation process. For example, in relation to Child Online Protection awareness raising, teachers who have been provided with lesson plans and curricula can be surveyed after capacity building events to find out how many lessons they have used the materials for and the number of children in each class over a given period. This has been a useful metric employed by some Commonwealth members in undertaking capacity building activities.

A single agency with responsibility for the development and implementation of the strategy is extremely useful. In particular, this provides a clear point of contact for partners, both nationally and internationally. Further, it assists in mitigating the potential for fragmentation between persons tasked with implementation of the strategy. This may additionally be assisted by the clear identification of persons or departments responsible for driving delivery of particular aspects of the strategy. Managing relations between the multi-stakeholder group implementing the strategy will be the task of the lead agency, but should also be conditioned by local values (as outlined by the proposed strategy) and the commitments made by the UK to the values of the Commonwealth and other international regimes.
How will we know if we are succeeding?
The Scottish Government will be asking stakeholders to share their action plans and keep track of milestones and progress on an annual basis. This will help to provide regular annual updates to the national strategic implementation group.

Q10. Do you think the monitoring and evaluation arrangements are sufficient?
Yes / No
If not, what arrangements would you like to see?

There is a critical requirement for the regular review of the proposed strategy. Cybercrime and security represent a fast moving, dynamic area of public policy. The key feature of this is the phenomenal rate of technical progress, the result being the considerable likelihood that gaps in the provision of any proposed strategy will arise and become pronounced over time. This is particularly the case where strategies or associated legislation make reference to specific types of technology, which can undermine the effectiveness of the strategy. In order to counter this, strategies as a whole should be reviewed at a minimum every 3-4 years (this is the practice in relation to the UK strategy and is also recommended in the Commonwealth approach for developing national cybersecurity strategies). However, it may also be necessary to designate some items within the strategy as necessitating review at more frequent intervals, perhaps even quarterly. As such, it may be more effective to adopt a flexible approach to reporting on progress from stakeholders, with some parties reporting more frequently than every year and some less, depending upon criteria including:
- urgency of the task the stakeholder is responsible for;
- rapid rate of development of threats; and
- developing skills and knowledge of the participants.

Additionally, the necessary reporting periods may change over time as circumstances change.

There should also be clarity regarding the reporting obligations which are being placed on any parties who are responsible for elements of both the UK Cyber Security Strategy and the proposed strategy for Scotland. Without a clear understanding of existing reporting requirements this could result in duplication of reporting and an undue burden on implementers.
Q11. Have you ever experienced cyber crime (see examples on page 16)?
Yes / No
If so, did you report it? Please provide details.

Not applicable.

Q12. Would you be willing to share your experiences with us?
Yes / No