
Cyber resilience: learning and skills action plan 2018-2020

Published: 7 Mar 2018

This plan supports the development of cyber resilient behaviours and helps build a skilled and growing cyber security profession for Scotland.

34 page PDF


Introduction and Background

Digital technologies bring enormous opportunities for individuals, families, businesses and communities. They also bring new threats and vulnerabilities that we must manage safely and securely. The Scottish Government's Digital Strategy [1] states that digital skills (including cyber resilience) are fundamental to the life chances of our people and the economic success of our country.

Safe, secure and prosperous: a cyber resilience strategy for Scotland [2] ("the strategy"), was published in 2015. It set out the Scottish Government's vision for cyber resilience:

Scotland can be a world leader in cyber resilience and be a nation that can claim, by 2020, to have achieved the following outcomes:

(i) Our people are informed and prepared to make the most of digital technologies safely.

(ii) Our businesses and organisations recognise the risks in the digital world and are well prepared to manage them.

(iii) We have confidence in, and trust, our digital public services.

(iv) We have a growing and renowned cyber resilience research community.

(v) We have a global reputation for being a secure place to live and learn, and to set up and invest in business.

(vi) We have an innovative cyber security, goods and services industry that can help meet global demand.

These six outcomes are interdependent – progress towards one may underpin or drive progress towards others.

The strategy is closely aligned with the UK National Cyber Security Strategy [3] which sets out the UK Government's approach to making the UK secure in cyberspace. Cyber security is a reserved matter, but it has strong implications for the delivery and resilience of devolved services. As such, the Scottish Government works closely with the UK Government and the UK's National Cyber Security Centre (NCSC) to ensure alignment between work on cyber resilience at the UK-wide and Scottish levels.

More recently in Scotland, the Programme for Government [4] sets out the commitment to develop and implement a range of action plans to improve cyber resilience in the public, private and third sectors. It also committed to developing this learning and skills action plan, and to help realise the economic opportunity resulting from the growth of our cyber security goods and services sector in Scotland. These plans will help steer Scotland towards our vision of being a world leading nation in cyber resilience by 2020.

The Cyber Resilience Learning and Skills Action Plan ("the action plan") has been produced jointly by the Scottish Government and the National Cyber Resilience Leaders' Board (NCRLB), drawing on the advice of partners from across key sectors. It sets out the actions the Scottish Government intends to take, working closely with the NCRLB and key partners from the public, private and third sectors, to build stronger learning and skills capabilities in cyber resilience and cyber security in Scotland.

The overarching aim of this action plan is to enable transformational cultural change through learning and skills in Scotland so that all sections of society and business benefit from being more cyber resilient. As the activities detailed are implemented, we must take account of the rapidly changing cyber security landscape, both in terms of technological advancement and the methods that criminals and hostile actors develop to exploit them. The Scottish Government will continue to work with delivery partners, supporting them to address new challenges and threats as they are identified.

Terms we use in this action plan

"Cyber resilience" and "cyber security"

As defined in the Strategy, "cyber resilience" refers to our ability to prepare for, withstand, rapidly recover and learn from deliberate attacks or accidental events in the online world. Cyber resilient people and organisations recognise that being safe online goes far beyond just technical measures. By building understanding of cyber risks and threats, they are able to take the appropriate measures to stay safe online and rapidly recover from a cyber attack – and this is the concept of cyber resilience.

For the purposes of this action plan we are distinguishing between cyber resilience and cyber security, with "cyber security" referring mainly to the technical aspects that help protect equipment and electronic data from cyber attack, and that contribute to the wider outcome of "cyber resilience".

"Learning" and "skills"

By "learning" we mean development of the knowledge, understanding and positive behaviours of all citizens. This includes workers in non-digital technology roles. Learning can take place:

  • "informally" through awareness-raising and communications activity,
  • "non-formally" in learning settings such as youth groups, community learning centres and local libraries, and
  • "formally" in schools, colleges, universities or workplaces, through the delivery of courses and qualifications.

By "skills" we mean the development of cyber security specialist knowledge and skills to meet the demands of organisations in all sectors, now and in the future. Skills development generally takes place in formal settings, such as schools, colleges or universities, or through work-based training such as short courses or apprenticeships.

More effective learning and skills development will contribute to the achievement of all six outcomes of the strategy, with some examples of this contribution given below:

1. Our people are informed and prepared to make the most of digital technologies safely.

Informal, non-formal and formal learning will equip people with the basic knowledge and understanding of the risks involved in using digital technologies. Learning will enable them to make the most of digital technologies and take effective steps to protect themselves and their families in their day-to-day and working lives. It may also help young people in particular to understand the risks of becoming involved in online crime, and steer them to make informed choices in relation to their online activity.

2. Our businesses and organisations recognise the risks in the digital world and are well prepared to manage them.

Organisations in Scotland's public, private and third sectors will benefit from:

  • embedding cyber resilience learning into workplace training for people at all levels of an organisation, including senior managers and board members.
  • understanding the cyber security skills they need to draw on (whether by employing specialists or by procuring services) in order to be as cyber resilient as possible.
  • being able to employ workers who have learned the basics of cyber resilient practices during their education, as well as any more specialist skills as part of vocational training.

3. We have confidence in, and trust, our digital public services.

The likelihood of damaging cyber security breaches affecting digital public services and the citizens and businesses they serve will be reduced if public bodies can improve their cyber resilience by drawing on the skills of cyber security professionals and ensuring their staff understand and use fundamental cyber resilient practices. Demonstrating that Scottish digital public services are cyber resilient is likely to become increasingly important to earning the trust of citizens and organisations in Scotland.

4. We have a growing and renowned cyber resilience research community.

Our universities need knowledgeable and skilled individuals to undertake cyber security research, to spark and drive innovation and to retain and attract more talent to Scotland.

5. We have a global reputation for being a secure place to live and learn, and to set up and invest in business.

By embedding cyber resilience into our education and lifelong learning system, and by ensuring an adequate supply of skilled professionals, we can strengthen Scotland's infrastructure, society and economy. Scotland can be recognised as a country of expertise and knowledge in cyber security, and one that is attractive to inward investors.

6. We have an innovative cyber security, goods and services industry that can help meet global demand.

Our increased supply of home-grown talented and skilled professionals will meet the needs of employers in all sectors, address the recognised skills shortage, and also grow our cyber security goods and services industry.

The scope of this action plan

This action plan has a broad scope, stretching from basic informal learning (awareness raising), through to formal cyber security skills development. It also includes actions to build a thriving research community that can promote research, attract teaching talent and encourage investment to Scotland that will, in turn, build the knowledge and skills that drive innovation. Research and innovation will contribute to Scotland's ability to compete in a global cyber security goods and services market, which we expand upon in a separate action plan that focuses on the economic opportunity of cyber resilience for Scotland.

The continuum diagram below illustrates a fundamental principle of this action plan: that we will not achieve a cyber resilient Scotland that benefits from economic opportunities in cyber resilience and digital more broadly, unless cyber resilience is embedded across our learning and skills system.

basic awareness → learning for all → skills development → economic opportunity

  • awareness raising
  • embedding cyber resilience in curricula
  • embedding cyber resilience in workplace learning
  • developing cyber security specialist skills
  • upskilling in cyber security
  • building research capability and capacity

An expanded version of this diagram is attached at Annex A.

This action plan also supports the delivery of action plans being developed to build cyber resilience and security within our public, private and third sectors. Cyber resilience forms a core part of wider digital ambitions for Scotland, and it is closely aligned to a range of Government ambitions such as increasing internet safety, digital participation and digital skills more broadly.

Our intention is not to create more layers of governance as a result of this action plan, but to seek ways to embed or integrate the actions set out in this plan within wider strategies and programmes.

This approach is already being implemented effectively in a number of key policy areas. For example, cyber resilience (in relation to learning and skills) forms a key part of the following recently-published strategies:

  • Realising Scotland's full potential in a digital world: A Digital Strategy for Scotland (March 2017) [5]
  • Science, Technology, Engineering and Mathematics: education and training strategy [6]
  • Enhancing Learning and Teaching Through the Use of Digital Technology (September 2016) [7]

The Scottish Government will continue to actively promote cyber resilience across relevant evolving policies, strategies and programmes.

Measuring the impact of this action plan

This action plan will be measured using a set of indicators that will be agreed with delivery partners. We will monitor progress using these indicators on a quarterly basis during the lifetime of the action plan.

Monitoring and measuring will be overseen by the National Cyber Resilience Leaders' Board.


The following four principles will underpin all our activities in relation to learning and skills:

Principle 1

Cyber resilience is enabling: it is about getting the most out of online digital technologies while mitigating risk in a proportionate way.

Principle 2

Creating a cyber resilient country requires a cultural shift: all providers and stakeholders in our education and lifelong learning system should commit to making cyber resilience an integral part of their work.

Principle 3

Cyber resilience is a dynamic area: we need to continually innovate and refresh our knowledge and communication to take account of changing technological and cyber crime challenges.

Principle 4

Cyber resilience learning opportunities should be inclusive of everyone.


Email: Clare El Azebbi