The next item of business is the debate on motion 5.7.3, in the name of John Swinney, on safe, secure and prosperous, achieving a cyber resilient Scotland. I invite members who wish to speak in the debate to press the request-to-speak buttons now. I call on John Swinney to speak and move the motion. Deputy First Minister, 12 minutes please.
Thank you, Presiding Officer. As we debate cyber security today, our thoughts are with those affected by the despicable attack in Manchester with the implications for security that are now becoming clear, which was covered in the statement earlier on this afternoon by the First Minister. What has been re-emphasised over the last few weeks with the cyber attacks against the national health service and Monday's attack is that, unfortunately, we as an open society cannot prevent all harmful instances occurring. It is simply not possible. Opportunities have been and will, unfortunately, continue to be exploited by those who have the determination, the will and the capability to do so. What we must do is ensure that we do not let such issues drive us away from living our lives to the fullest and also taking the action that can involve reasonable steps for any Government or as individuals to undertake to understand the nature of these attacks and to take reasonable steps to prevent them from occurring. For those in a response role, it is our duty to ensure that our arrangements are such that we can respond effectively to prevent further harm and rigorously pursue those who seek to cause societal harm and to bring them to justice in all circumstances. Our focus in this afternoon's debate recognises the urgency for everyone to secure their technology, data and networks from the many threats that we face and proposes that citizens and organisations must become more resilient, aware of the risks and be able to respond and recover quickly from any kind of cyber attack.
On 12 May, there was a global cyber attack, the impact of which affected the national health service across the United Kingdom. The scale and the speed of this attack were unprecedented and it demonstrates the absolute urgency for everyone to take steps to secure their technology, data and networks from the many threats that we face online. If we are to realise Scotland's full potential in the digital world and the opportunities that it offers to our citizens, businesses and organisations, then we must also equally be aware of the new risks that this environment presents and be able to respond effectively.
I thank the cabinet secretary for giving way. He is quite correct that our response is vital, but so is prevention. One of the key issues with the recent attack was the volume of Windows XP installations in the health service. Does the Scottish Government have a target date for removing Windows XP from the IT estate across the Scottish Government?
The key question that we have to address is how do we establish and maintain the most rigorous level of security possible around all systems that are utilised? That is the key question that has to be answered because there may well be, in certain circumstances, an appropriate use for some of the systems that Mr Johnson refers to. However, the crucial thing is that the security arrangements have to be in place to ensure that the necessary precautions are taken. I will come on to talk in more detail about all those precautions. Fundamentally, the key point that I would say to Mr Johnson is that there is an importance of ensuring that at all stages we take the necessary measures to address that point. If I look at some of the steps that we take already, clearly, our policy approach and the requirements that we place on organisations are designed to achieve exactly that objective. There can be little doubt that the evolution of the internet has been the most significant development of our age.
For business, digital transformation is ever present. It has been a game changer enabling increased efficiency and international reach, expanding markets, capabilities and opportunities. It has been and will continue to be a true innovative force driving economic development and prosperity. Never before has data had such a value and in its digital form its availability, integrity and security is critical to all businesses. Criminal exploitation of the internet is also growing rapidly. Data is the target and businesses and citizens have lots of that data. Unlike physical risks, cyber risks are much harder to grasp as criminals exploit both systems and human vulnerabilities. Business leaders must be prepared for the cyber threat, and more importantly, must ensure that their organisations take all steps possible to mitigate that threat. We are used to managing risk in the digital age, however we must also consider the cyber threat as another business risk. Any business that successfully can demonstrate that it is taking steps to protect its own and its customers' data as well as respond to and bounce back from any cyber attack is in a strong position to grow in the digital age. Organisations that can demonstrate their resilience to cyber crime can gain both a competitive advantage and increased consumer confidence. Developing cyber resilience as a core part of an organisation's business strategy will ensure that it continues to take full advantage of the internet age and flourish into the bargain. I am pleased to say that the Scottish Government and its partners are working together to build a strong and cyber resilient Scotland. We are taking action to ensure that we are adequately prepared, but I want to be clear with Parliament that this is not something that Government can do alone. This is also the responsibility of individuals and organisations who need to take the necessary steps to ensure that they keep safe and secure online. 
It has been widely commented that 80 per cent of cyber crime is indiscriminate and can be prevented by getting the basics right. That includes keeping software up-to-date, using proper antivirus software and making regular system backups. Those are simple measures that all users can and should take. Often, our technical defences are robust but are overcome by the inadvertent actions of an individual, by clicking on a link to a seemingly genuine-looking website or an infection potentially caused by opening attachments. Social engineering is one of the simplest ways of overcoming our technical defences. We should not blame users; they are not the weakest link, as is often said. They are our essential assets. Links and attachments are common in the workplace, and that is why they are exploited. Part of our response must therefore be to get the basics of online security correct. That includes raising the knowledge level and the awareness of all our citizens to the risks and the steps that they can take to reduce that. As we have learned from recent events, swift action in co-ordination and sharing information limited the impact of the NHS ransomware attack. However, we must also reflect upon the incident, identify the lessons and more importantly share the lessons with our partners so that we can help each other to put in place the appropriate and effective measures to combat cybercrime. Since I published Safe, Secure and Prosperous, a Cyber Resilience Strategy for Scotland back in November 2015, the Scottish Government has committed to providing strong leadership and direction to help our individuals, businesses and organisations to make the most of the online world. We have laid the foundations to make Scotland a cyber-resilient country. We have achieved much already by focusing delivery on key strategic priorities of leadership and partnership, awareness raising, education, skills and professional development and research and innovation.
Let me outline to Parliament some of the focus of our work to date.
Dean Lockhart.
Would the cabinet secretary agree that additional availability of teaching computing skills at all levels of school would help to address some of those issues?
Computing science is an integral part of the curriculum and it is part of education in some of the early stages of primary education. I have seen various coding initiatives in primary schools involving primary three, primary four pupils, so I am firmly supportive of the importance of ensuring that young people at the earliest possible ages are exposed to education on computing and are able to acquire the skills and attributes that are necessary for them to prosper. Let me set out to Parliament some of the focus of the work that has been undertaken as part of the Government's strategy that was launched in November 2015. First, as part of the leadership effort, we established the National Cyber Resilience Leaders Board in September 2016 to drive forward and implement the strategy across Scotland. That board is led by Hugh Aitken, the director of CBI Scotland, and the board is made up of key leaders from across the public, private and third sectors who are providing strategic direction across all our sectors. Secondly, the Digital Scotland Business Excellence Partnership has provided £400,000 to help businesses in Scotland to improve their cyber resilience and to work towards achieving the Cyber Essentials standard. We have focused efforts on raising awareness to cyber risk. Since the beginning of this year, we have developed a joint cyber communications calendar that has been used by our partners to provide a consistent message across the board. We are linking closely to that work in relation to Mr Greene's amendment today with the UK National Cyber Aware Campaign.
In terms of learning and skills, we have already built cyber resilience into the curriculum for excellence and are working to embed it within digital skills, as I explained a moment ago to Mr Lockhart. We are also looking at how we can fill the gaps that we currently have in terms of the cyber security skills pipeline, particularly around apprenticeships and the qualifications that are on offer. We are working to build the capacity of cyber security research across higher education in Scotland. The University of Edinburgh has recently become an academic centre of excellence in cyber security research, acknowledged and endorsed by the National Cyber Security Centre. The work has been about ensuring that we took early preparations to ensure that we were equipped as a country to meet the challenges that we now habitually face. I want to acknowledge the tremendous efforts of our national health service staff and the wider public sector in responding to the recent attack that took place and providing assurances around the security of their networks. There was considerable cross-sector engagement during the event and collaboration at this level is an essential element and helps to demonstrate confidence in the public sector's ability to respond to such attacks. The investment that the Government is making in this area is specifically to support the range of hardware and software measures to protect the Government's ICT systems, infrastructure and data, to improve the Government's network monitoring capabilities, to boost staffing in this area that is vital to have the skills available to handle those challenges, to establish and expand a cyber security operations centre and corporate education awareness and training right across the board. We recognise that, ultimately, the focus of our public sector work is really about ensuring that we can gain our citizens' trust and we increasingly move towards digital public services.
With that outcome in mind, we have established a cross-public sector group on cyber resilience. The group is made up of technical and business experts from central and local government, from health, procurement, education, academia and the third sector. All of them are focused on putting in place the necessary measures to protect the public sector ICT skills. It is essential across a range of different areas, whether it is on learning and skills, whether it is on the role of the private sector, whether it is on compliance with the EU general data protection regulation or the securing of our critical infrastructure, that we take efforts in a cohesive and coherent way to ensure that we are equipped to meet those challenges. That is the focus of the Government's strategy. That lies at the heart of the approach that we are taking, and we are doing that in an engaged and collaborative way with the private, third and public sectors to ensure that Scotland is a country that is able to demonstrate cyber resilience but is also able to use our cyber capability as a foundation for economic opportunity in the years to come. I move the motion in my name.
Thank you very much. I call Jamie Greene to speak to and move amendment 5733.1. Mr Greene, eight minutes please.
Thank you, Deputy Presiding Officer. Less than two weeks ago we witnessed one of the most severe, co-ordinated cyber attacks the world has ever seen. This attack was not isolated to Scotland nor the UK. Our neighbours across the world reported attacks on their IT infrastructure, in some cases crippling their ability to deliver critical public services. On our shores, our NHS electronic network was hit. Doctors could no longer access patients' files. The effects were felt as hospitals were asking only urgent cases to come to A&E to ease the pressure on them. Appointments were cancelled, operations were cancelled, GP surgeries were unable to access records.
The so-called WannaCry ransomware attack also targeted Germany's primary rail link, Deutsche Bahn and Spain's Telefonica. It is estimated that the ransomware attack affected 230,000 computers in over 150 countries. Europol described this attack as unprecedented in scale. Make no mistake, the events of 12 May 2017 highlighted the fragility of public IT infrastructure the world over. For all the benefits that economic digitalisation has brought us, the shift online has opened up an emerging threat from cybercrime and cyberterrorism. Estimates from the Scottish Business Resilience Centre put the cost to the Scottish economy from cybercrime at £393 million in the year 2015-16. Globally, that figure could be well over half a trillion US dollars per annum. In fact, it has become such a threat that the whole industry in cyber insurance has sprung up in recent years. The Scottish Conservatives will support any measures that the Scottish Government is taking to increase our resilience against further attacks. For that reason, we welcome the tone of the Government motion today and will be supporting it this afternoon. The Scottish Government has made references to cyber security in its most recent digital strategy document out this year and also in the previous cyber resilience strategy that was published in 2015. However, in light of recent attacks, we would like more detail on what specific action has been taken to protect public services, utilities and large public networks, in particular the monetary value of any such investment. The UK Government has invested heavily in cyber security last year, announcing £2 billion of investment. A new national cyber security centre was set up to operate out of London under the control of GCHQ. It is there to assist businesses, government bodies and academia across the UK in times of need, including those in Scotland. At the time, PWC commented, The UK Government was leading the way with cyber initiatives that it is putting in place. 
However, the Government cannot protect the UK alone. Businesses must understand the cyber threat that their organisations face and take strong protective action themselves. That is an important point that I would like to make today. There is a shared responsibility on all of us to ensure that we are prepared to deal with online threats. Our amendment asked the Scottish Government to ensure that it is having a proactive discussion with UK-wide enforcement and intelligence agencies and government bodies to ensure that a real collaborative approach is in place. I will also be liaising with my UK Government counterpart on highlighting any areas in the recent Digital Economy Act that pertain to cyber crime and online protection that are relevant to Scotland. However, it is clear in the aftermath of the ransomware attack that evidence suggests that several hospitals did not install the updates that they had received prior, which left their systems vulnerable. Daniel Johnson was right to probe into that further today by asking if the Windows XP replacements or updates will take place in our NHS, because a co-ordinated upgrade and end-of-life plan is a necessary part of any large-scale IT project. The public sector should be no different to any mainstream corporation in that respect. Preparation is everything. The European Commission's 2016 digital progress report highlighted that half of the EU's population access public services via online platforms, and that number will surely only continue to grow. A crucial pillar in our preparedness against attacks is understanding that the threat is truly global. In a digital world, we are not shielded by being an island. A hacker in North Korea can attack a database in North Queensferry. Digital Europe, the digital industry's respected trade body, said recently that cyber security is important. However, the approach must be centred on better security practices to defeat evolving threats in a global landscape.
The digital market is a borderless and virtual one. It is a workplace, like no other, with invisible but tangible threats. The Scottish Conservatives will support the Scottish Government's current cyber security plans, but our support is conditional on realistic and measurable plans being put in place. We want the Scottish Parliament to be regularly informed of progress being made. We want to see close collaboration between all Governments and agencies to ensure that a truly UK-wide cyber security framework is in place. We also think that Scotland could lead the charge against global cyber threats and cyber terrorism. I say that because last week I note that just another major Californian cyber security firm announced the office opening in Belfast, creating another 120 new jobs in an already quite buoyant cyber security and tech sector in the city. They were attracted to Belfast by InvestNI, who gave a £780,000 grant towards a new venture. InvestNI recently awarded £5.5 million to Queen's University to help fund a new centre for secure IT, totaling investment in that centre to £38 million. Belfast is clearly becoming the world's number one hub for cyber security, data analytics, fintech and blockchain technology. The skills required to fill those newly created posts are being nurtured locally in Queen's and Ulster universities. Although I appreciate the good work that is happening in Edinburgh, I also say why not in Glasgow or in Dundee? There must be more than words of goodwill and lip service paid to Scotland's IT and tech industries. Targeted investment, a bank of suitably skilled workers and a can-do-government attitude can and will have a material and positive effect on the industry. It opens up real opportunities for jobs and growth. Cyber security is so big in Northern Ireland right now that it has a 0 per cent unemployment rate. 
So, whilst I let that potential sink in, I look forward to hearing the Government's response to my comments today and also listening to the rest of the debate. This is an important debate and we simply have to get this right. I move the amendment in my name.
Thank you very much, Mr Greene. I will call Clare Baker to speak to and move amendment 5733.2, Ms Baker, seven minutes please.
Thank you, Presiding Officer. The last few days have been very challenging and distressing for us all and it is a critical, on-going situation and it is right that we prioritise and focus on that. My thoughts are with the families who are affected by the terrible attack on Monday night. However, turning to today's debate, we must ensure that we are as safe online as we are offline. Cyber security is an area that can often seem like a different language to many politicians and it is the same, it is true for much of the public. As we heard in the recent debate on keeping children safe online, the internet is central to modern life and, while it brings us many benefits, it also contains many risks. Cyber resilience is an important strategy and protecting against vulnerability for individuals as well as our agencies. The significant change to how we communicate, how we do business, how we create systems has brought considerable risks and we must always be vigilant. As quick and easy as it is for an MSP to send an email to a constituent, it can be just as quick and easy to send malware or to be able to find the one weak spot among millions of lines of code. I appreciate that, following the recent ransomware attack on our NHS, the Government has been active in helping businesses and organisations, but today's debate does appear reactive rather than proactive. While a specific attack on a specific target is difficult to predict, the threat of that attack is not.
Although I appreciate the recent update from the Government regarding the extraordinary meeting of the National Cyber Resilience Leaders Board, there is a question to be asked about whether such meetings should always have to be extraordinary. The Scottish Government published its safe, secure and prosperous cyber resilience strategy in 2015. We are now two years into the five-year strategy and this recent attack on the NHS is clearly a setback to the confidence and security of information in our public services. While I am inclined to support—I will be supporting the Government's motion and I am inclined to support the Conservatives' amendment that welcomes the UK and Scottish Government strategies—I would like to put on record the recent report of the UK Public Accounts Committee of MPs, which said that the UK Government needs to raise its game in this area and describes significant skill shortages and the chaotic handling of personal data. In Scotland, we have the well-documented problems of i6 at Police Scotland and NHS 24, which raise questions about confidence and confidence in our infrastructure. However, I appreciate that the Government has given a commitment to a public sector action plan that will develop a set of guidelines and standards for all public sector bodies. However, as our amendment makes clear, such changes must also see investment to ensure that we can withstand future attacks, improvements in infrastructure, investment in expertise and advice, the capability to build resilience. All of those actions take resources and it is difficult for our public services to prioritise when there is so much pressure on them in terms of their service delivery. The National Cyber Resilience Leaders Board action plan is due to be approved by ministers in June, and I hope that Parliament will have the opportunity to scrutinise and monitor the implementation of the plan. When it comes to cyber attacks, we in Scotland must not stand alone.
We need to work across the UK and beyond to understand potential threats, to learn from best practice and to halt attacks as and when they strike. That must begin with the recent attack on our NHS. We must ask why our hospitals and health centres were affected, yet the NHS in Wales was not. Did Wales take better pre-emptive action? Did the Scottish Government provide adequate instructions regarding cyber security prior to this recent attack, and was it given the priority that is necessary around the Cabinet table? I hope that those are issues that can be addressed in the Government's closing remarks. According to the Government strategy, cyber resilience is being able to prepare for, withstand, rapidly recover and learn from deliberate attacks or accidental events in the online world. With the attack on the NHS, we know that Scotland is not yet fully prepared to withstand such attacks. While it has appeared to recover and deserves credit for that, we must now ensure that we are able to learn. The world is increasingly moving online. From socialising, to shopping, to learning, to leisure, the public, the old as well as young, are conducting large parts of their lives online. As local politicians, we know that many high street banks are closing with the argument that most of our transactions are taking place online. That is true for our businesses and organisations, with millions of pounds worth of transactions being transferred online daily. Cyber crime is a threat that we are all aware of, but it is also one that we believe to be under-reported. It is one that can be prevented if the right security, the firewalls and precautions are in place, yet computers, data and personal details are often left inadvertently exposed. Computer systems are left wide open in a way that you would not leave unlocked your front door or the door of your car.
It is part of the research that is found out that Britain ranks below Brazil, South Africa and China in terms of keeping phones and laptops secure, which is quite a concerning statistic. Around 80 per cent of cybercrime can be prevented if we just get the basics right, so strong passwords, downloading and installing security and, crucially, their updates, protecting our mobile devices and wireless networks, and being aware of suspicious emails, often claiming to be from reputable sources. As much as we look towards individuals and businesses to take responsibility, we must ensure that here in Scotland we have the resources to tackle such crimes once they take place. We are currently in the middle of Policing 2026, and cyber security is one of the major challenges facing Police Scotland. We need to ensure that the right people are being recruited to fill the right roles, there is a clear need for a balanced workforce in our policing, and tackling cybercrime would benefit from that. We need to make sure that the best minds—for example, we know that the recent NHS situation was resolved by a self-taught individual—we need to ensure that this kind of person can work with Police Scotland to support our agencies in being cyber resilient and able to avoid and tackle cybercrime. Last year, I visited the Scottish crime campus in Gartcosh, which is a world-leading facility hosting specialist crime fighters. It is proof of what can be achieved with high-quality, highly skilled jobs alongside the right resources. We know that Police Scotland is facing a significant financial challenge. We need to make sure that our public services from the NHS that was attacked earlier this month to Police Scotland all have the proper resources and investments to withstand, prevent and tackle cybercrimes. Finally, partnership is so important.
The Scottish Government must work with the UK Government and other devolved assemblies and agencies throughout the UK to ensure that we have the capabilities, the knowledge and the resources to keep us all safe and secure online. I move the amendment in my name.
Thank you very much. I move to the open debate. Speeches are six minutes. Stewart Stevenson, to be followed by Donald Cameron. Mr Stevenson, please.
Presiding Officer, on 9 February 1984, we saw the launch of the first real-time high-value payments system called CHAPS. I was the project manager for the Bank of Scotland and we were the first bank that was ready to implement. I well remember our excitement later that year when we made our first real-time irrevocable payment of over £1 billion. By 2011, the system had processed a quadrillion pounds of transactions, that is £1,000 million, followed by £15 million. To secure the transactions, I had to gain permission from the US Department of Defence and sign my life away to use what was categorised as weapons-grade encryption and digital signing software, which operated within a black box, which self-destructed if you attempted to open it to examine its contents. The technology was and is as secure as you could possibly imagine. The objective today should be that every business and every individual should be in possession of similarly impenetrable security. We do, but we do not all choose to implement it. Even if we have—this is the point that I want to address—we do not necessarily use it in a way that allows it to be as secure as we might imagine. For the most part, it is not the technology that fails; it is humans who fail. The motion says that citizens must be aware of the risks, and John Swinney, in his opening remarks, said that it should not be Government alone. The history of human failure to use secure data systems goes back a very long way. 2,000 years ago, slaves had their heads shaved.
A message was written on the scalp, the hair re-grew, and the slave was then sent with the message to somewhere else. That was all well and good until people realised the method that was being used. Having a secret method provides no real security. Today, that remains true. Indeed, effective data security systems rely on having been published and scrutinised to confirm that the method is the sound one. What we need to do is keep the keys secret and to change them frequently. Mary Queen of Scots in the 16th century used a two-cover system to protect her confidential messages. The first was a secure box with two locks, a key for each lock. She held one key, the other key was held by the recipient. Nobody else got access to either key. The message put in the box, she locked her lock. The box went to the recipient, he used his key and locked his lock. He came back to Mary Queen of Scots, she unlocked her lock, it went back to the recipient, he unlocked his lock. It was a secure system for transmitting a message from A to B in the 16th century, nobody shared the key or had access to it. The second thing she had, the message in the box was encrypted using a letter substitution system, but here is where she fell down. She thought that the system was totally secure because it was transmitted securely and when the message came out of the box she forgot that it was now available to anyone passing to pick up the bit of paper. Queen Elizabeth picked up one of her messages, was able to unscramble the message and it formed part of the evidence at Mary Queen of Scots' trial that caused her to be executed. Data security is quite important. Napoleon had le Grand Chiffre, the great code. Common letters on the alphabet were not always coded the same, so he could not break it down by analysing frequency. However, encoders started to use some of the spare codes over and over again as place names for where the fighting was, all to save time and effort.
Wellington's code-breaker was a guy called George Scovell and he managed because of that weak way a good system was used to break in. So, when he got to the Battle of Waterloo, Wellington knew what Napoleon's plans were and that led to the end of an empire, human error once again. The German Enigma machine that they thought was unbreakable until 1945, actually broken by the Poles in 1932, Bletchley Park broke a later improved version because every day at 6 am the Germans sent a weather forecast out encrypted. The same format every day, the same time every day and that enabled Bletchley Park to break lots of other good things they had to do as well, what should have been a very secure system, human error. Most of us know how to drive a car, but rather few of us know how the mechanical bits work and how to fix them when they fail. So, too, we mostly know how to use a computer, perhaps even use the security functions that are provided with it. Like a car, if we do not get an expert to service it regularly or to fix it when it fails, disaster looms, all businesses should have regular security check-ups. It will not be free, but the cost will be even higher of not doing it. It is like insurance, it is a product that you cannot buy when you want it. When your reputation is trashed and your customers have flown, then paying a little bit once a year would seem very cheap indeed. Finally, an example is the security problem in the modern world. I bought, as I usually do, a good-quality second-hand car. All the gadgets, including a Bluetooth connection for my phone, good technology, but an unaware previous owner of my car had left his entire phone's contact list in the memory of the car. Do you realise that you can do that, too? I am a good guy, I deleted it.
You are such a good guy that you have to wind up now. Intriguing, though, says Mr Stevenson.
In that case, let me caution chief executives, chairmen of companies, do not use Bluetooth near car and let you know how to delete it from the memory. I am a good guy, I deleted it. You will not meet everybody as honest and trustworthy as I am. Oh, my goodness, Mr Stevenson. I cannot wait for your book to come out. Facts you did not know, but I am going to tell you anyway. Donald Cameron, to be followed by Liam McArthur, Mr Cameron, please. I would like to refer to my register of interests and the fact that I am on the board of two companies that invest in healthcare technology. It is significant that, on a day when we are all still digesting the horrific news of a violent and physical attack on our country, we today also debate the need to protect ourselves from cyberattacks. It is something that the Deputy First Minister mentioned and I entirely endorse what he said. While nothing can ever surpass the tragic loss of so many innocent lives that Manchester witnessed, it seems to me that one of the greatest challenges that we face as a society is the sheer number and variety of threats that we now must guard against. Our enemies come in many forms, from the deadly and murderous suicide bomber of Monday night to the sophisticated cyberwarriors of two weeks ago. The ransomware attack on IT systems that affected some 200,000 computers across 150 different countries was certainly one of the most unprecedented attacks that we have ever seen. I would like to concentrate my comments on the NHS. The fact that our own NHS was attacked is nothing short of spiteful, especially because of the delays to treatment that occurred to patients across the UK and in England in particular. We were relatively lucky in Scotland in that only 1 per cent of electronic devices were affected and the number of people who required their operations to be rescheduled was minimal. 
However, the simple fact is that any delay to an operation or appointment or treatment as a result of this attack was frustrating to say the least. Thirteen health boards were affected and some GP surgeries. The Cabinet Secretary for Health and Sport made a swift statement last week and I am grateful for the clear manner in which she presented the known facts. Like her, I welcome that there have been no reports of patient data being compromised. I would also like to pay tribute to the IT staff in the NHS who worked extraordinarily hard to get all of the affected systems back up and running. As was reported last week, very few people knew how to fix this, but it is testament to those who were able to overcome it that they did so quickly. I also want to thank our front-line NHS staff who carried on serving the public as normal, even if it meant a lesser reliance on IT systems to do the job—they should all be commended. The health committee heard only yesterday from the Scottish Ambulance Service who said that there would be no operational impact and no loss of patient data during or after the attack. Deputy Presiding Officer, it is plain that there are several aspects of the attack that need to be tackled to ensure that attacks in the future can be thwarted as early as possible. Naturally, we cannot be expected to prevent every attack, but, as our reliance on various forms of IT continues to grow, so, too, will the likelihood of cybercrime. That cyberattack could have been far, far worse. It is clear that we need to do more to ensure that our IT systems in the NHS are up to date and that we can respond to future attacks as effectively as possible. According to the Scottish Business Resilience Centre, cybercrime cost Scotland around £394 million in 2015-16. It is an exceptionally lucrative market for those who know how to code and wish to use their talents to act maliciously. That is why we need to be on guard. 
However, we also need the people within our NHS and within the wider public and private sector who possess the relevant skills to combat attacks as and when they happen. That, in turn, requires people who are able to stress test IT systems on a continual basis so that systems are protected from new viruses and malicious attacks. I am sure that others have received an interesting briefing from the University of Abertay on that point, because they said that defensive cybersecurity is already fairly well established in undergraduate and postgraduate programmes at university with skills such as cryptography and intrusion prevention being taught, but they point out that offensive cybersecurity courses are not as common and that there is a real need to consider investing in that particular avenue. What they say quite simply is that the best way to catch a thief is to think like a thief. While it is clear that there are major ethical questions that arise, particularly in giving a new generation the skills and abilities to hack maliciously, degree programmes like that might help to fill a skills vacancy that is all too evident across Scotland, Britain and the wider world. Turning back to the NHS, I want to focus on why the issues that I mentioned are particularly pertinent. We know that many of our NHS health boards continue to use out-of-date IT software, which in many cases cannot be updated for fear of having a negative impact on the technology that is currently used to serve and heal patients, such as MRI scanners, for example. That software and that updating needs to be reviewed. Also, the Cabinet Secretary for Health stated last week that she would seek to ascertain whether health boards have regular patching regimes in place, and it would be interesting to understand if that is indeed the case and whether she will report back to Parliament with an update on that at some point in the near future. 
Deputy Presiding Officer, it is abundantly clear that lessons need to be learned. Now is not the time for political posturing on this issue, but for all of us to debate, as we have, the actions that are required to ensure such incidents are dealt with swiftly without causing public fear and panic. We must take every precaution possible to protect one of the most vital public health services, the NHS. Fundamentally, I believe that it is long-term solutions that are required for an issue such as this. Short-term fixes simply will not suffice. We need to be constantly aware and let us learn from this and improve things for the better. We are in the stone age of cyber security. That was the assessment of Dr Christoph Frei, Secretary General of the World Energy Council, 12 months ago. He went on to add that real learning will only come after the first major incident, and whether the recent global cyber attack will act as a catalyst for that real learning that Dr Frei talks about remains to be seen, but it is abundantly obvious and, as all speakers have already acknowledged, it is an area that will demand far greater attention going forward than it has perhaps commanded today. In that context, I very much welcome the opportunity to take part in this debate on creating a cyber-resilient Scotland and confirm that the Scottish Liberal Democrats will be supporting the Government's motion at decision time today. Unfortunately, due to a funeral back in my constituency, I will be unable to stay until the end of the debate. I apologise to you, Deputy Presiding Officer, to the Cabinet Secretary and to MSP colleagues. John Swinney's motion makes a number of very important points about the serious threats posed and the need for far greater vigilance on the part of individuals and organisations, points that he reinforced in his earlier remarks. At the same time, I welcome the amendments lodged by both Jamie Greene and Claire Baker. 
Those, I think, helpfully reinforce the need to improve the way in which we report and capture the scale of cybercrimes, as well as the importance of building resilience across our public services and ensuring the closest possible working co-operation between UK and Scottish Governments and their partners. Without those elements at the core, our collective ambition to create a safe, secure, prosperous and cyber-resilient Scotland will inevitably be frustrated. In the brief time available to me this afternoon, Deputy Presiding Officer, I want to concentrate my remarks on those and some related areas. It is perhaps worth acknowledging at the start, however, that there are two types of cybercrimes. Those that use computer software as the tool and the end target for attacks, such as the recent ransomware attack that caused so much disruption notably across our health services, and I pay tribute to those in those health services for their endeavours. There are then cyber-enabled crimes that use computers simply as a conduit for criminal activities that also take place offline, such as identity theft and money laundering. It is safe to say that cyberattacks across the board have been on the increase in recent years and, unfortunately, we appear somewhere short of being able to assess the true extent and the scale of those attacks. As HMICS highlighted in its crime audit last year, there is currently no comprehensive data on the extent of cyber-related crime in Scotland. It went on to recommend that Police Scotland developed the ability to tag all incidents and crimes that have a cyber element and assess the demands on policing in Scotland. Since carrying out its audit, HMICS has acknowledged that police officers have now been instructed to tag crime reports with cybercrime markers, but that still does not appear to extend to cyber-related incidents. 
Indeed, as recently as November last year, the Justice Secretary acknowledged in a response to a parliamentary question that I lodged that work is required to improve the evidence base on cybercrime and how such crime is defined, recorded and reported. What is also not clear is the extent to which Police Scotland's failed i6 programme, referred to by Claire Baker, is inhibiting the force's ability to track and combat cybercrimes. It has certainly deprived Police Scotland of the cost savings promised by ministers at the time of the merger, and that in itself will make more difficult the task of matching police resources to the scale of the cyber challenge. The Scottish Crime Reporting Board has also been asked to consider the extent to which current crime recording practice adequately captures the scale of cyber-enabled sexual crime and victimisation, particularly for children and young people, and it would be helpful if the Justice Secretary in concluding this debate might be able to update Parliament in this regard. Meantime, we perhaps need to take care in talking about lower levels of crime overall if we are still unsure about the extent to which there has been a shift online rather than a reduction. Even now, there seems to be enough evidence to suggest something of a displacement effect with all the challenges that this presents in terms of identification, recording, investigation, et cetera. As I said earlier, John Swinney is absolutely right to emphasise the need for increased vigilance and care on the part of us as individuals. We all have a responsibility to do what we can to protect ourselves, albeit that some will inevitably need more help in achieving this than others. At the same time, however, the way in which Government and public bodies treat personal data and information requires greater care and consideration. Mr Swinney will be aware of the concerns that Scottish Liberal Democrats had about the Government's recent plans to create a super-ID database. 
Those concerns were shared by independent experts as well as the public. Sacrificing personal data in the interests of administrative efficiency is not acceptable, and I very much welcome the recent change of heart. In terms of organisations and businesses, there seems to be a growing recognition of the importance of the issue. However, as the Association of British Insurers pointed out in their briefing, while awareness levels among businesses about cybersecurity are high, around only half of them have the basic technical controls necessary. Moreover, while preventing such attacks has to be the priority, where they occur, it is imperative that organisations and businesses have the advice, support and wherewithal to recover as quickly as possible. Not surprisingly, the ABI makes the case for the benefits of cyber insurance, but it is also worth acknowledging, as the Government does in its 2015 strategy, that we are fortunate in the UK to have an innovative cybersecurity goods and services industry, one that can help us to meet demand, not just here but also globally. For that reason, I hope that the Government will agree that it is in all our interest to ensure that this sector, alongside the work that has been done in our world-class research community, is nurtured going forward. In an increasingly digital age, our future prosperity depends on our ability individually and collectively to embrace and make the most of the digital technologies. While those technologies open up a bewildering array of opportunities, so too do they expose us to new risks. Preventing risk completely is impossible in the digital arena, as it is anywhere else, but we must minimise those risks by raising awareness, being vigilant and building resilience, and I welcome the opportunity for Parliament to reinforce that message this afternoon. 
I declare an interest as a member of the British Computer Society, and I also associate myself with the comments of my colleagues this afternoon regarding the appalling incident in Manchester this week. Richard Phillips Feynman was an American theoretical physicist known as a pioneer of quantum mechanics, quantum computing and for introducing the concept of nanotechnology. He was also a Nobel physics medallist. During his lifetime, Feynman became one of the best-known scientists in the world, including being ranked by the British journal Physics World as one of the 10 greatest physicists of all time. He assisted in the development of the atomic bomb during World War 2 and became known to a wide public in the 1980s as a member of the Rogers commission investigating the space shuttle Challenger disaster. But it is Mr Feynman's experience in Los Alamos and his early adventures that I would like to highlight today. Feynman was a joker, a mischief. To pass the time while working on the Manhattan project, he grew interested in locks and security. As he was working on perhaps the most sensitive project in human history, he took it upon himself to probe the security around him. That was a cause of great frustration and annoyance to the great and the good, but he believed that he was providing a necessary check to their balances. We might describe him today as a friendly ethical hacker, although I am sure that his bosses described him as something else at the time. The truth is that Richard Feynman did not understand how to crack safes or crack locks, but he knew how to break a security system at its weakest point, the human element within that security system. I will highlight just a few of the human vulnerabilities that he exposed in his essay, Safecracker Meets Safecracker. First of all, he could pick locks. 
He said that all the secrets of the project, everything about the atomic bomb were kept in filing cabinets, which were locked with three-pin padlocks, and he said that they were as easy as pie to open. Having exposed the weaknesses of the first set of filing cabinets, they were replaced, and then Mr Feynman discovered that the new cabinets when left open, it was very easy to discover the first two digits of the combination. Indeed, it was easy as pie. After about two years of practice, he was able to do that within seconds and do it on the safes in the Manhattan in Los Alamos project, which also had the same locking mechanism as some of the filing cabinets. He discovered that when they were left open, he could just go along and take out at least the first two digits, but he understood humans as well, and he knew that more often the combination would be of significance to the person that was there. Having got two digits, he was able to look at dates in history, significant family dates of the people involved and guess at the combinations of many of the locks. He also knew that people would write down the codes for the locks, and even if they used a cipher that was almost always used with a common mathematical cipher, he could decipher it being a mathematical genius. He also discovered that people frequently used the same combination for different locks. On explaining that to a senior military officer while visiting the uranium storage at Oak Ridge, he explained the dangers of leaving the cabinets open and leaving the safe open. He returned a few months later, hoping to see new security put in place to discover that he had been identified as the problem. Mr Feynman was no longer allowed to be left alone in a room, and he was accompanied at all times, but there was no instruction to keep the cabinets and the safes locked. 
However, his most significant discovery, and one that perturbed him because he thought that he had discovered a safecracker, was when he was asked to come and open a safe that had been left locked by a military commander who was no longer on site, and he needed it opened immediately. That being his greatest challenge, he was really excited and entered the room to discover that it was opened and had been opened by a technician. Months and months of worry and trying to work out what had happened, discussing things with the chap, trying to get to the bottom of it, eventually it was revealed that the default settings of the safe delivered by the manufacturer had never been changed, and that technician knew what the default setting was. Re-used passwords, leaving ways into systems unsecured, default settings that are left, and anyone who was affected by the phone hacking scandal knows how easily that was used just recently. False sense of security when you have that physical safe in the corner or that little tick on your virus software that makes you think that you're secure from what's there. Failure to implement the solutions when the threat is revealed. What that all tells us is that if we don't understand the threat, we can't protect against it. The British Computer Society has produced a number of leaders' briefings and strategy documents, and part two of their most recent sets is on security. There are five tips, and none of them are about computing. They are all about humans. Leadership from the management, cyber security policies, face-to-face delivery of training and a culture of openness that allows people to admit when they have made mistakes. That is a human problem that requires a human solution. As events this week so tragically demonstrate, there are people who will wilfully seek to attack in various ways individuals, communities, our services and the nation's vital infrastructure. 
In the area of cyber crime, it is increasingly apparent that threats and potential threats are becoming ever more organised and sadly effective. What we saw happen 10 days ago was not a random or one-off attack on the nation's infrastructure, rather it was the result of a predetermined and determined act by organised forces. That is why equally our response and preparedness to deal with these kinds of attacks must also be determined. 11 health boards were affected as was the Scottish Ambulance Service. Planned procedures were cancelled, people were asked not to visit A&E unless they needed urgent and immediate action. The response from the Scottish Government was swift. I do fear, however, that the response was too late. We have been warning the Scottish Government of the need for proper preparedness of Scottish public bodies to the growing threat of cyber crime for some time. In December 2016, freedom of information requests found that over half of our NHS boards had received ransomware attacks. At that time, we called for an urgent review of cyber security. Indeed, only as recently as January, there was a similar attack on Scotland's NHS staff with their details being hacked. On 25 January, ministers were informed of that attack and data breach. Again, we recalled that demand for a review of cyber security. In actual fact, that attack was back to 2010 when my colleague Richard Simpson, who is no longer in this chamber, has been asking questions regularly on cyber security and specifically on Windows XP since as far back as 2010. Despite those questions, there appears little or no action that has been taken by the cabinet secretary or fellow ministers. I think that that is quite alarming. I must say that it is also disappointing that the Cabinet Secretary for Health is not in the chamber today, given that this was a direct attack on our NHS infrastructure. 
A few specific questions that I hope the Deputy First Minister can address and I would be happy to take any interventions from him if he wants to answer any of those issues directly, because I think that it is in all our interests for us to get this right. First, why was the NHS in Scotland adversely affected by the recent cyber attacks, but the NHS in Wales was not? Why do we still have antiquated computer systems in our public sector infrastructure when we would not expect to have those antiquated systems either in our homes, in our parliamentary offices or indeed in this parliamentary chamber itself? Why was pre-emptive action not taken, as was done in similar places, for example, in Wales that helped to prevent cyber attacks? What specific warnings or advice has the cabinet secretary issued to NHS Scotland to ensure that adequate resilience against cyber attacks is in place? When was any such advice given? If that advice was given, will the cabinet secretary publish that advice as it would be welcome for other institutions who might also face similar attacks? What additional resources have been allocated by the Scottish Government in 2016-17 to specifically improve and secure against cyber attacks, not just to NHS Scotland but actually to all Scottish Government departments and all other agencies and organisations for which the Scottish Government has responsibility? It is also interesting to note that if any agency or department for which the Scottish Government has responsibility has ever paid any ransom at any time to those responsible for ransomware attacks and what advice the Scottish Government has issued on the required response to ransom demands from those responsible for cyber attacks, and again if that advice would be published. I think that it is clear for all to see that this attack could either have been prevented or indeed could have been less destructive if we had been both better prepared and better resourced. 
I think that the last 10 days have acted as a wake-up call to all of us in terms of making that happen. I welcome the fact that the Government has said that they will develop a set of standards and guidelines, but I say with regret that by 2018 it is not ambitious enough. Surely, we can all do better than that. Those are immediate attacks that are affecting our institutions right now. I think that waiting 18 months to be able to set out those robust guidelines and standards is too long. I hope that that is an issue that the Deputy First Minister can address in his closing remarks. In its first three months, the National Cybersecurity Chief Executive Office reported that the centre had handled 188 high-level cyber attacks. It has been reported that it blocked 34,550 potential attacks on Government departments and members of the public in the past six months alone. That is 200 cases a day. I do not think that we should be waiting 18 months to have that strategy in place. We should also be quicker in moving towards accreditation of all public sector organisations to make sure that they have the essential minimum standards in place to be able to respond in a much clearer and more consistent way. I hope that the Deputy First Minister and the Cabinet Secretary for Justice will address those issues head on. I hope that they have listened to my genuine concerns about what is happening around our infrastructure, that we end the catalogue of IT failures that I have seen across the public sector and that instead we can focus and make sure that those attacks do not happen again. The motion that we will support tonight calls on everyone to secure their technology. I think that that is wise advice. With regard to personal security, we all know the steps that we can take. With regard to that, we will be giving guidance from Police Scotland. The cybersecurity, most of us know roughly what to do. 
The cabinet secretary for education highlighted some of the training that has gone on to inform future people. I am concerned about the whole IT industry, to be perfectly honest, and said that with regard to equipment that I have hidden here, I was told that it would have to be replaced because we no longer support older versions. It is quite clear that when it comes to IT, others tell us what to do and the price that it will cost us. That is consumerism at large. The analogy with the car that George Stevenson alluded to does not apply, because we would not have a situation when they say that, as of next year, we will stop repairing your car and you will not be able to get spare parts for it. That knocks out the standard procedure that we all should go about, and that is that we inspect something, we repair something and we replace something. I am told that we do. If that is the case, that is a further example of consumerism. The idea is that those corporations are holding us to ransom. Cybercrime, as my colleague Liam McArthur said, is underreported, and it is important that we assess all the risks that we put in place to ameliorate those risks. Of course, the risks are known. They are largely known, and many believe that the source of the risks that is turned into this attack are known, too. Specific hacking tools in this attack were developed by the US intelligence agency, the NSA. It would have to ask whose interests are served by any action like that. They were recently leaked by a group thought to be preempting retaliation by the US security services for hacking the Democratic National Committee in the run-up to the presidential election. The plot, perhaps for a movie, had significant effects. A number of people have talked about the NHS being targeted. That is not the case. It is important how we frame the attack. Quite rightly, if that is the starting point, we should ask why people would attack a healthcare system. 
The NHS was not attacked; it was the vulnerability in Windows that was targeted, and, like many, I would thank the public servants who responded positively to that. Regardless of where people were, the attack was a global attack, and it is something that will require international cooperation. It was widely expected. To quote Patrick Harvie, he says, "resilience of systems need to be thought of more in line with public health rather than acute care." That is a health analogy that bears some relevance. Security services in the MOD will no doubt assure us that they have appropriate protection levels. Indeed, we heard from Stewart Stevenson that a number of decades ago, weapons-grade encryption was entirely possible—possible where finance was concerned. It is no doubt a big cost associated with that. However, we know that when a Government is prepared to spend more than £200 billion on replacing a weapons system, money is not a problem. As I said, we also know that we need to assess the risks. I commend a report by the Jimmy Reid Foundation, No Need to be Afraid. The motion talks about safety, security and prosperity, and that is entirely right. We know that in liberal democracies, across the world, the risks are all the same. The first and foremost one is cyber-attack. The second one relates to climate change, access to food and water, and then onwards to individuals acting alone, none of which Trident would address. I think that it is careful how we frame this debate. We need a free and open internet, and it is the role of Government to protect its citizens from undue surveillance and such attacks, because the surveillance results in state and private sector who use data and metadata to monitor and manipulate citizens. That has the potential to—yes, indeed. Jamie Greene: Thank you for taking the intervention. What is the Green Party's position on the Government being able to access encrypted data where we know that it has been used for terrorist purposes? 
John Finnie: The Green Party's support of all reasonable measures to do this is about proportionality. The level of surveillance that is being suggested by the UK Government, and indeed that takes place at the moment, does not help things at all. We take people with us as how we deal with things, but it has the potential to impact on democratic participation as well, and that is more than just about voting. In the short time that I have left, I was encouraged to talk about the Shadow Brokers, apparently a group of hackers who dumped a set of files, a collection of several alleged NSA hacking tools for Microsoft Windows systems, likely including multiple unknown exploits or zero days. You can see—I am reading this because I do not know much about it—a zero day apparently is a bug that is unknown to the software vendor, or at least it is not patched yet, which means that it is almost guaranteed to work. We need to have international cooperation, and we need to understand the relationship between the expenditure of public money and the IT systems. I am going to read from our digital rights, our civil rights document, which concludes by saying that it should not be left to the Googles and Apples of the world to dictate the future and entice the rest of us to come along for the ride. Government and society must create the space for shared consideration of the challenges and opportunities that lie ahead. I call Willie Coffey to be followed by Liam Kerr. Thanks very much, Presiding Officer. There is nothing new or surprising about ransomware and the havoc that it can cause to vital data and computer systems. What is probably more worrying is that organisations were caught out by this latest one. Talk to software people, and none of them will be surprised at all at the extent or the speed with which it managed to propagate itself around the world. 
It did not specifically target our NHS and it only got through to about 1 per cent of their systems, but that was still about 1,500 systems in total that should not have been exposed. The WannaCrypt malware that caused the problem was basically in the same class of ransomware that has been doing the rounds for years, starting with the AIDS Trojan in 1989 that encrypted file names but not the data itself. Even then, the demand was that a ransom be paid to restore the file name encryption back to normal. That current one was both a Trojan, meaning that it masquerades as something else, something recognisable, and it is also a worm that propagates itself around the network, looking for hapless victims without the protection that they need. So little surprise then that such a quick impact was so widespread. Interestingly, the virus software itself had what is called a kill switch contained within it. This is a simple line of computer code that checks if a web address is registered and can be located on the internet. If it is, then the virus does not activate itself. As I understand it, this is how it was spotted and then stopped. The web address was simply registered and that stopped the virus from further executing. So why did it happen at all? Basically because some computer systems, as members have said, were out of date and not protected from it. It is a wee bit like forgetting to modernise the locks in your doors and windows and even your alarm systems in your house when the clever burglar is lurking outside with more sophisticated means than ever before of bypassing them to gain entry. No surprise at all really then that this occurred and it will occur again, no doubt. We have to stop using outdated computer systems that are themselves no longer protected but still connected to servers and networks. Data critical systems should be upgraded and we must make sure that we regularly accept software security patches that are on offer. 
In fact, I do not think that you can turn off Windows 10 security updates but some experts in the chamber might advise us on that. To protect data itself, experts suggest adopting what they call a 3-2-1 backup strategy. That means that you should have three copies of all your data, two of which are in local devices but on different mediums, and then one off-site somewhere in case of the obvious risk of physical damage or loss of the premises themselves. There is a debate on-going about the role in this of the National Security Agency in the USA that was mentioned by John Finnie, who, it is claimed, knew about the malware some time ago but did not tell Microsoft about it to enable them to fix it. Microsoft had already stopped providing security updates for Windows XP around about 2014 and so anybody using XP was increasingly vulnerable. Ironically, the NSA itself was hacked and its data was dumped online, exposing that vulnerability, which was duly exploited by the malware writers and the result was what happened earlier this month. Clearly, that raises serious questions about data security even within Government agencies in the USA and whether there should be a presumption in favour of protecting systems as soon as a threat is known or whether it is acceptable to withhold information about cyber attacks in the interests of intelligence gathering. Back here, members may be aware that, a year tomorrow, we will see the European Union's general data protection regulation, GDPR, mentioned by the cabinet secretary, coming into effect. I anticipate that the Scottish Government's action plan coming next month will embrace this and offer some guidance for all our public sector data users. I am pleased to note too that the UK Government will be implementing the EU regulation despite its intention to leave the EU itself. Perhaps another example of how we can't really leave the digital single market in Europe.
It applies to both data controllers and data processors and if we are covered by the Data Protection Act, it is likely that it will also be covered by the GDPR. The principles behind the regulation cover things like an individual's right to be informed, rights of access, right to have errors rectified and the right to have personal data deleted if you request it, sometimes known as the right to be forgotten. Crucially, in the context of today's debate, article 5 of the regulation sets out the requirements in terms of data security. There are clearly many difficult challenges here for all organisations who control and process personal data. From what I can see, any breaches of that regulation could result in potential fines up to €20 million or 4 per cent of your turnover, whichever happens to be the greater. Data security is increasingly important in the modern world that we live in. From lone hackers who may engage in this for mischief to organised international criminals and terrorists who may be financially or politically motivated, the challenges are real and the risks are substantial. Good resourcing, planning, intelligence, vigilance and keeping systems and data up to date and safe are probably our best and only line of defence against the inevitable further attacks that we expect and to control our data that will surely come our way soon. Let's hope that we are ready for all of those challenges when they come.
Digital technology is at the centre of our lives, our society, our economy. Whether it is the new tech start-up developing apps in the garages of suburbia, stock markets where money is flying between countries in the blink of an eye, smartphones that we are glued to or the internet of things, with every new breakthrough it can seem that the opportunities are endless. But with opportunities come challenges and threats.
The recent WannaCry ransomware attack was the biggest of its kind in history and demonstrated again the need for urgency and vigilance. It hit between two and 300,000 computers in 150 countries around the world. Computers run by groups as varied as Renault, Deutsche Bahn, Telefonica, FedEx, Russia's Interior Ministry and, of course, the NHS across this country. The attacks showed just how digitally interconnected we are, the risks that arise and how anyone anywhere can be a hero or a villain. It was a damaging and cowardly attack, and those responsible must be held to account. But the reasons people hack are various and there is no one type of cyber criminal. They could be the bored adolescent testing their new skills against security systems and I saw that in relation to the WannaCry attack, some experts suspect a single teenage hacker. They could be organised gangs pursuing fraudulent or illegal deals online. They could be the politically motivated hackers trying to find and leak state secrets. They could be state or commercially sponsored spies trying to grab classified papers and I saw according to today's Times, North Korea has emerged as a credible suspect for the WannaCry virus. They could be terrorist groups looking to hack at the very fabric of our society, so attacks can be hard to predict, detect and destroy, which is why cyber resilience is so important. Preparing for attacks, building up firewalls brick by brick, code by code, withstanding the onslaught when it comes, rapidly recovering from an incident and learning from the attacks so they are not repeated.
I note, as Donald Cameron did earlier, Abertay University's briefing suggests that we refocus from an overly defensive approach, such as cryptography and intrusion prevention, to organisations looking much more at offensive cyber security, in effect engaging security agents who think and act like a malicious hacker, utilising the same tools and techniques and if that proposition is accepted then we have a need to train them. That is worthy of consideration and I did note with interest that particular university's proposals around a cyber quarter industry cluster in Dundee and also the cabinet secretary's comments earlier on the University of Edinburgh. Who is responsible for keeping us safe and secure online? In a way, we all are, individuals and businesses. The Royal Society of Edinburgh suggested in 2015 that 30 per cent of Scots lack basic digital skills and I would be interested to hear in the Government's closing how that will be addressed. According to the Scottish Business Resilience Centre, 42 per cent of Scots use the same password for multiple accounts and many did not even change it when they were advised to after a security breach. As individuals, we can create stronger passwords, update software, install anti-virus software, use screen locks on our mobiles and exercise caution on public wi-fi. As for businesses, Liam McArthur was right to refer earlier to the Association of British Insurers SME Guide to the Cyber Insurance, which states that 74 per cent of businesses say that cyber security is a high priority, but only 52 per cent of businesses have the basic technical controls outlined in the Government's Cyber Essentials scheme.
A UK Government survey estimated that, in 2014, 81 per cent of large corporations and 60 per cent of small businesses suffered a cyber breach, with an average cost between £600,000 and £1.15 million for large businesses and £65,000 to £115,000 for SMEs, 66 per cent of which did not consider their businesses to be vulnerable to cyber threats in the first place. Of course, the Scottish and UK Governments have a significant role to play, along with the public sector more generally, in leading by example. The Conservative amendment rightly welcomes that both the UK and Scottish Governments have published cyber security strategies. As the UK Government's recent strategy puts it, we need to defend, deter and develop our cyber security capabilities. We should be factoring in cyber resilience into all new services and encouraging the sharing of information about threats. We should strengthen our critical national infrastructure sectors, such as energy, transport and the wider economy. Law enforcement has to have the tools to track, apprehend and prosecute cyber criminals and hit back when appropriate. Promoting awareness and education is key. Our tech-savvy children and young people should be encouraged to think also about cyber resilience. We should teach cyber security basics to the pensioner, setting up online banking for the first time or Skyping their family overseas. There are economic reasons to develop IT skills, with an estimated 11,000 new IT jobs needed each year to meet current demand. An average median full-time earnings for tech specialists is 30 per cent higher than the Scottish average. The events of a fortnight ago showed us the need for vigilance and urgency in protecting ourselves online. As everything in our daily lives becomes more connected, the challenges are only going to get more complex.
Yet there are practical steps that individuals, Governments and businesses can take to take the sting out of the tail of attacks and, ideally, stop them from happening in the first place. That is why I will be voting for the motion today, albeit that I will also vote for the amendments in Jamie Greene's name and Claire Baker's name, which rightly add to the debate.
The last contribution in the open debate is from Ash Denham.
We are living in an age where technology is fundamental for individuals, for businesses and the public sector alike. Whether it is communicating with family and friends, accessing information, selling a product or providing social services like healthcare, technology and the vast amounts of data that go with it are everyday components of our society. Because that technology has become so commonplace, it is easy to overlook the security measures that are so vital to defence against cyberattacks. Because it is difficult to picture, digital security is not as palpable as locking your door against intruders, it does not come with the same urgency that one feels for a highly trained police and military force to protect against would-be cyberattackers. However, as technology has become the norm, so too have threats from those who would seek to use the technology to inflict damage or harm. That is why the chair of the National Cyber Resilience Leaders Board, Hugh Aitken, said that cyber security is everyone's business, and we need to ensure that all organisations have appropriate safeguards in place. Indeed, we witnessed this nearly two weeks ago now when NHS computer systems right across the UK were impacted by a cyberattack that reached most corners of the world. Over 200,000 computers across 150 countries were impacted, including some of the biggest businesses, such as FedEx, Renault and Telefonica.
Thankfully, no patient data from Scottish health boards were compromised and quick steps were taken to immediately isolate computer systems affected by the attack. The ransomware that wreaked this global havoc—WannaCry or WannaCrypt, as it is sometimes known—was only stopped after a security researcher from Devon found what is known as its kill switch. The reality is that the types of cyber incidents and attempted cyberattacks will continue. It is no longer sufficient to be merely cyber secure. We must also be cyber resilient. Organisations, businesses and the public sector must be prepared to respond, to react and then get up and running again as soon as possible. Debi Ashenden, a leading cyber security professional and academic, uses the phrase, people are not patches. Patches help to close loopholes that malware can exploit, but there is often a vulnerability in the workplace. Employees can sometimes be a target, and turning them into the strongest line of defence is important and also possible. The WannaCrypt ransomware exploited a vulnerability in the Windows Server Message Block protocol, but it likely gained entry via a phishing attachment, or so-called social engineering, both of which use deception and are becoming more frequent and more sophisticated. According to data from Wombat Security Technologies, there were 1.2 million of these types of phishing incidents worldwide in 2016, and that is up 65 per cent on the previous year. That data also found that work-related phishing scams are more successful at getting people to click on them. As such, decisions that employees make every day can be instrumental for organisational cyber security. Organisations can invest in employee education in order to improve that security.
Simulation tools, which are short and snappy and include up-to-date current scenarios and then are run multiple times through the year, are ideal for improving employee awareness, because we all have a shared responsibility to ourselves and our families and in our workplaces to ensure that the right protections are in place on the various technologies that we use. In fact, as we have heard, 80 per cent of cybercrime can be prevented by doing basic software updates, particularly for antivirus software, and by making regular or even daily system backups. Otherwise, it is like making sure that your windows are shut, your door is bolted or even having a security guard posted outside, but then you accept an unscheduled parcel delivery while you are distracted by talking on the phone. At the national level, antivirus vendor Cylance has shown that not much is off-limits. It demonstrated hacking the USA's most popular voting machine, showing that tallies could be altered by outside interference. There may be then a need for a type of national shield that would sit on top of existing cyber security systems and hunt for threat actors, analyse events that are on-going and also behaviours, and then it could flag up suspicious activity. Avi Chesla of empow described it as potentially an intelligent layer on top, observing and monitoring, which could be part of a defence infrastructure that would also be able to collaborate and then importantly share that information across national boundaries. Following a 16 May meeting of the National Cyber Resilience Leaders Board here in Scotland, delivery on an action plan to defend against potential cyber attacks in the future in Scotland was accelerated, and this plan will include support for 121 public sector organisations to make sure that they get proper training and accreditation needed to fight these on-going cyber incidents.
The Scottish Government is taking steps to enhance resilience, things like exercises that are being organised for health boards and other agencies so that they are able to learn lessons and mitigate the risks of future incidents. Additionally, the Government's refreshed digital strategy, which was published in April, will be supported by 36 million for the digital growth fund over the next three years to help businesses to develop cyber security, data analytics and software engineering skills in their staff. Those positive actions will help towards the Government's goal of making Scotland a world leader in cyber resilience, where we approach threats with urgency, keep our data and network secure and stay aware of the constant cyber risks, making sure that they never outstrip the benefits that technology brings to our society.
We now move to the closing speeches, and I call Mary Fee up to six minutes please.
Thank you Presiding Officer. In discussing our shared ambitions to make Scotland a safer place online, I want to start by talking about issues that are still very raw and very emotional, given the last 48 hours in Manchester. My heart is with the families of the young people whose lives were so cruelly taken with the injured and with the people of Manchester. The response immediately following the senseless bombings shows the care and humanity that remains and will strengthen because we will not give in. That response came in all forms. As first responders bravely ran into unknown dangers, as emergency services assisted the injured, strangers taking others to safety and the wider community offering shelter, food and transport. Online communication played a vital role in assisting people and shows how integral it is in our lives. That is why we must promote safety and security in all our online activities and online communications.
In our increasingly technological world, means of communicating are expanding, and sometimes it seems almost daily they are expanding and making our world a much, much smaller place. The Government vision highlights the need for people to be informed and prepared for businesses and organisations to recognise risk and for a growing cyber-resilient community. No one can argue with that ambition. We all have a responsibility to protect ourselves. We need to think about our own online security and how many of us use the same or similar passwords when we are online. We shop online more, we order food and drink online, we bank online, we talk and share thoughts and memories, and to many people like myself, that concept brings new opportunities. Online commerce is growing in Scotland, and by working with the business community, we must ensure that the internet remains a safe place to carry out business. I do not pretend to be as informed as some are about cyber security and cyber resilience. However, reading through the Scottish Government's strategy to prevent and tackle cyber attacks, I see a lot of very positive ambition. I believe that to continue to prevent further attacks and promote online safety, we must place a much greater emphasis on education. The internet will continue to play a major part in our society, and teaching young people at school is a preventative step for generations to come. As for our ageing and vulnerable population, we rightly promote online access to the internet. However, that must go hand-in-hand with online safety and with the right support and help to allow them to access the internet. Countries across the world need to respond to the increased risk of cyberattack. We need a global response to ensure that we are all safe. As Claire Baker pointed out, much of what we are talking about in relation to cyber security can sound a foreign language to the public and to some politicians. 
The recent ransomware attack has brought the issue to light and has raised awareness of the threat that hackers can pose. Our public services need to have the resources available to ensure further attacks do not bring down computer systems and affect service users. Following the statement in Parliament last week and again today, Anas Sarwar has raised concerns and warned of the dangers for the NHS, highlighting freedom of information requests and parliamentary questions, asked by my former colleague Dr Richard Simpson. Questions dating back to 2010 and the Government response has been less than satisfactory and action is needed and needed now. The evolving nature of online crime changes year on year. Although the Government has produced a very positive and very ambitious strategy, it is vital that the strategy is updated every year and that this chamber is kept informed of the level of risk and attack that our public bodies face. That has been a very timely, consensual and constructive debate, with agreement from across the chamber of the need to improve our online safety. We must work with the rest of the UK on that issue. That is why a future Labour Government would include cyber warfare and cyber security as part of a complete strategic defence and security review, and it is vital that our cyber security forms an integral part of our defence and security strategy. A Labour Government would introduce a cyber security charter for companies working with the Ministry of Defence. Turning to the debate, several speakers highlighted the role that education can play. Jamie Greene spoke of the global impact of the latest attack, and Stewart Stevenson, in his own inimitable way, spoke of human failings across the century, and Liam McArthur spoke of cyber crime. Scottish Labour's amendment to the Government motion speaks of the importance of investing in our public services to ensure that they are safe and secure across their networks.
Local authority budgets are under pressure; however, the Government should ensure that local authorities are supported to develop and maintain cyber security across all our public bodies. Similarly, third sector organisations and businesses will benefit from a collaborative approach. The Scottish Government's aim is to create a cyber-resilient Scotland, and we will work with it to do that. We will support the Government motion tonight and the Tory amendment, and I hope that the Government will support our amendment.
We have had an interesting debate today, with a wide range of issues discussed. We have also heard some remarkable data about the central role of the digital world in every aspect of our life nowadays. Let me add a couple of other data points to this. In the business context, the contribution of the digital economy in the UK is now over £1 billion per year. In a global context, there are over 1.3 billion daily active users of Facebook, including many members in the chamber. Closer to home in the UK, we spend more time on media and communications than we do sleeping. I am sure that members in the chamber will recognise that. We have also heard that when things go wrong, a cyber attack can have a massive impact. As the recent attack on the NHS highlighted, let me add my commendations to the remarkable response of the NHS first to the cyber attack two weeks ago and now to the on-going tragic events in Manchester. Given our growing dependence on online technology and the risks that we face, we welcome today's cross-party support for the need to increase cyber resilience in Scotland. We will be supporting the Government motion and Labour's amendment this evening. I want to pick up three points that were raised during the debate. First, what do we mean by cyber resilience? Second, what are the key risks that we need to address in this increasingly digital world? Finally, what steps can be taken to maximise cyber resilience in Scotland?
Turning to what does cyber resilience mean, because it is not necessarily clear to everyone what that might mean, John Swinney and Jamie Greene highlighted in their opening remarks that the concept of cyber resilience stretches far beyond what we might consider to be cyber security. It is not just about having a firewall or downloading a new patch to prevent viruses getting through. Cyber resilience involves a whole range of other measures. It is about preparing for and defending against attacks or accidental system failures. It is about being ready to rapidly recover from those events and having contingency plans in place. Cyber resilience is particularly important for large organisations that may cause systemic risks if they are attacked—for example, the NHS or large banks. For those organisations, cyber resilience is about having a whole system approach to cyber risk. For those large organisations, the World Economic Forum has set out a list of cyber resilience measures that it recommends that organisations that may have a systemic risk should implement. First, it should have the very latest operating systems and platforms in use. As we saw with the attack on the NHS, if it does not have the up-to-date systems in place, the virus can very easily spread. Secondly, having contingency plans in place ready to activate if there is a systems failure. I commend everyone involved in the NHS for the rapid response to the recent cyber attack in terms of getting the system back up and running. It also means better digital training for everyone in the organisation. A recent report by the Royal Society of Edinburgh indicated that 30 per cent of the Scottish population lacks basic digital skills. As Liam Kerr said, that is something that we need to address. The large organisations that may cause systemic risk also need to develop a culture of awareness of what cyber risk may look like. Cyber attacks are very often focused on the weakest link in an organisation. 
We have heard that that can very often be individuals opening emails that are addressed to them, but which allows an entry point for the cyber attack. We have heard that human weakness in the area of encryption has been a common factor throughout history. I did not expect to be referring to Mary Queen of Scots today or Napoleon in a debate on cyber, but Mr Stevenson made sure that we had a bit of historical context in which to view the topics today. For smaller organisations who may not have the scale or budget for some of the measures that I have set out, as recommended by the World Economic Forum, they can still take important steps, as explained by Willie Coffey. Keeping software updated as far as possible, external backup of data, installing antivirus software, using strong passwords as well as staff training and raising awareness. There is also a role to be played by the enterprise agencies in providing support and training in cyber resilience. That is something that we would recommend in phase 2 of the enterprise and skills review. We should consider putting some policy measures in place that the enterprise agencies prioritise cyber resilience as part of their portfolio. We have to recognise that all of those additional measures will involve significant investment across public and private sectors, but the risks and costs of neglecting cyber resilience are significantly higher. We saw graphic examples of that, as Donald Cameron said, in the context of the attack on the NHS 10 days ago. Attacks are also increasing in the private sector. According to the British Chambers of Commerce, one in five British firms was hit by a cyber attack last year, and just a quarter of firms in the UK think that they have adequate security measures in place to protect themselves. That cost of cyber crime is estimated by the Scottish Business Resilience Centre to be around £394 million last year, and on a UK-wide basis, that figure is a staggering £11 billion.
Given all of that, given the cost of what can go wrong if we do not have the necessary protections in place, we believe, as our amendment to the motion sets out, that additional steps, additional investment, additional education and awareness of cyber resilience is necessary. Let me conclude by considering briefly what steps can be taken going forward to maximise Scotland's cyber resilience, and again, our amendment sets out some of those steps. We support the Scottish Government's current cyber security plans, but we would like to see specific proposals in response to the recent cyber attacks brought before this Parliament for debate. We also want to see closer collaboration with the UK Government and the new National Cyber Security Centre. That includes active participation with the UK-wide industrial strategy as a platform to expand our skills base in the digital sector. We have heard that the UK Government is investing more than £2 billion to increase our skills base and develop our digital technology across the UK. Finally, as I raised with the cabinet secretary, we also want to see action taken to increase the number of STEM teachers across Scotland, including an increase in the number of teachers who are qualified to teach computing skills. That will be critical to enable future generations to deal with the increasingly complex digital world. I move the amendment in Jamie Greene's name.
Are you telling me that Mr Greene did not do that already? You did. That has moved twice. I call Michael Matheson to close this debate up to nine minutes, please.
Thank you, Presiding Officer, and I am very grateful for the contributions that have been made here this afternoon by members, many of which have been very valuable contributions, raising a range of very notable and interesting points that deserve further consideration. We will accept both the amendments that are proposed here this afternoon and the tone and nature of the debate.
It has demonstrated a real genuine interest in making sure that, in Scotland, we do as much as we can in order to enhance and improve our cyber security as a country. There is no doubt, Presiding Officer, that the digital revolution has the potential to enhance everyone's life in Scotland. However, it is also vital that our security and our economy have, in a way in which we use the digital technology for the running of essential services and in supporting our critical infrastructure as a country, that we do so with a system that is safe, secure and that is also important and resilient. No one in this chamber should be under any illusion about the threat that we face from cyber attacks and the enormous challenge that Scotland and the UK countries across the world face from cyber attacks. We all have an important role to play in tackling the issue of cyber security and in making sure that we see it as a shared responsibility in order to deal with the threats that we face online. That is something that no Government alone, the Scottish Government, the UK Government or even the European Union alone can tackle. It is something that we all have to accept as a collective responsibility on our part to work collaboratively in order to address the risks that are associated with cyber security. That issue was highlighted by Jamie Greene in his contribution about the importance of collaboration and working in partnership in order to tackle the issue of cyber security. That is something that we as a Government take very seriously and was set out in the strategy that was published by the Deputy First Minister back in November 2015. 
A key part of that is not only about bringing together Governments where it will be the Scottish Government and the UK Government, whether it is bringing together the work that we do as a Government with the new National Cyber Security Centre, but it is also about bringing together all of those different parts of our sector that we have a part to play in delivering on cyber security. That is the public sector, the private sector and the voluntary sector. There is no point in us taking forward a particular approach within the public sector and also having robust systems in place if we do not share that understanding and that expertise with the private sector. Equally, in the private sector where they have expertise as well, how we can harness that and utilise that within our public sector and in our voluntary sector are equally important. That is the approach that we as a Government are determined to take forward. I will give way to Mr Greene.
Jamie Greene: I do not disagree with anything that the member has said. How in practice will that work, the collaboration between the public sector in terms of its own investment, private sector and vice versa? What are the means for a collaboration in that respect?
Michael Matheson: That is the very issue that I was going to come on to. That is why we created and the Deputy First Minister created the National Cyber Resilience Leaders Board, chaired by the chief executive of CBI Scotland that has the voluntary sector there, it has the public sector there and it has the private sector. Various organisations all working in a collaborative fashion in order to learn from one another and to support one another in tackling some of the issues around cyber security. Scotland is the only part of the UK that has that structure in place in order to make sure that we have that collaboration.
I have no doubt that the experience that we have had with that over the past few weeks in helping to support us with the cyber attack that we recently faced is a lesson that could be utilised in other parts of the UK, in which we would be more than happy to share our experience with the UK Government and the benefits that could come from that. I want to turn to some of the specific issues that have been raised and to address some of the myths that have been peddled in the course of this debate, particularly the issue about that being an attack on NHS. That was not an attack on the national health service. As was illustrated by Jamie Greene and others, more than 150 countries were affected by the cyber security attack. Public sector organisations in different parts of the world were affected by that as well. We have to recognise that that is not something simply that we are not doing enough in the public sector. It is about the increasing complexity and the challenges that we face with cyber security. The reality is that many of our public bodies, NHS and others, private sector companies, are facing security attacks on a daily basis through cyber crime. I will give way to Claire Baker.
Claire Baker: I thank the cabinet secretary for taking an intervention. I fully accept the point that that was not an attack on the NHS. If that was suggested in the comments made by myself, that was due to time limitation, I think, and I can explain the whole situation. However, the fact that the NHS was affected by a global attack did expose some weaknesses within our public sector that need to be addressed.
Michael Matheson: Absolutely. It is very important that we recognise the effect that it had on some parts of our NHS. There are clear lessons to be learned there. The reality is that the NHS in Wales was affected by it.
I was participating in the Cobra meetings to discuss this issue and the Welsh Government represented it because of some of the challenges that they were faced with it. There is no doubt that the NHS in England were more adversely affected than any other part of the NHS in the UK. If you look at our own individual boards here, there were two of our biggest boards that were not affected by it, but we then had some of the other boards that were affected by it to a limited degree and then were the other boards that were affected by it to a greater degree as well. We have to understand why that was the case, why were some of our NHS boards in Scotland not affected by it at all, some who were only affected by it on a limited basis and others at a greater level. That is one of the important things. Let me make the point first, if you do not mind. That is why the important measures that we are taking forward through the national leadership board that we have established will be doing the lessons learned exercise, an exercise that will involve NHS Scotland, the wider public sector in Scotland, the private sector in Scotland and it will also involve the third sector in Scotland. Unfortunately, we have also had the benefit of the expertise from KPMG, who have offered to host that particular event so that we can make sure that we will learn as much as we can from this particular type of attack on this matter. I do not recall the member being here for the debate, but I want to make progress on the points that were raised. I can also make the point when members were raising the issue of cybercrime. Cybercrime is an important issue, and it is a growing issue, and the complexity of it is growing as well, because the reality is that the organisations that are behind cybercrime are not individuals who are operating from their own bedroom. Those are sophisticated, seriously organised crime groups who are operating using multi-million-pound systems in order to perpetrate cyberattacks. 
That is why, as a country, we need to make sure that we work in a collaborative fashion. I have the benefit of having the insight that is provided through the EC3 programme, run by Europol, working in a collaborative fashion right across Europe in order to tackle the issue of cybercrime. It is absolutely crucial that we maintain and that we protect that partnership in tackling cybercrime, because we know that it is underreported and that it is a growing issue. That is why, in moving forward with 2026, we also need to make sure that we have a workforce within the police service that is able to respond to those types of issues effectively as well. In drawing my remarks to a close, there have been many valuable points that have been raised in the course of the debate. I have no doubt that the Deputy First Minister will take away and give consideration to, as we move forward in looking at how we can improve the way in which we deliver cyber security in this country. Key to that is to recognise that we all, as individuals, have a part to play in how we operate our own computer-based systems. The companies that we know as well, the roles that they can play and the role that the public sector can play in tackling cybercrime, and the work that we will take forward with the strategy is determined to make sure that we do that here in Scotland. That concludes our debate on building a cyber-resilient Scotland. The next item of business is consideration of motion 5.765, in the name of Joe Fitzpatrick, on behalf of the Parliamentary Bureau, setting out a business programme. I would ask any member who wishes to speak against the motion to press their request-to-speak button now, and I call on Joe Fitzpatrick to move motion 5.765. Moved. Thank you very much. No member has asked to speak against the motion. The question is that we agree motion 5.765. Are we all agreed? 
The next item is consideration of motion 5.766, in the name of Joe Fitzpatrick, on behalf of the Bureau, setting out a timetable for the Forestry and Land Management Scotland Bill at stage 1. I would ask any member who wishes to speak against the motion to press their request-to-speak button. I call on Joe Fitzpatrick to move motion 5.766. Moved. Thank you. No member has asked to speak against the motion. The question is that motion 5.766 be agreed. Are we all agreed? We are. The next item of business is consideration of two motions on the approval of SSIs. I would ask Joe Fitzpatrick to move motion 5639 and 5768. Moved together. Thank you very much. We come to decision time. There are five questions. The first question is that amendment 5733.1, in the name of Jamie Greene, which seeks to amend motion 5733, in the name of John Swinney, on safe, secure and prosperous, achieving a cyber-resilient Scotland, be agreed. Are we all agreed? We are agreed. The next question is that amendment 5733.2, in the name of Claire Baker, which seeks to amend the motion in the name of John Swinney, be agreed. Are we all agreed? We are agreed. The next question is that motion 5733, in the name of John Swinney, as amended, be agreed. Are we all agreed? We are agreed. The next question is that motion 5639, in the name of Joe Fitzpatrick, on approval of an SSI, be agreed. Are we agreed? We are agreed. The next question is that motion 5768, in the name of Joe Fitzpatrick, on approval of an SSI, be agreed. Are we all agreed? We are agreed. That concludes decision time. We now move on to members' business, in the name of Finlay Carson. We will just take a few moments for members to change seats.