Meeting of the Parliament 17 December 2025
I welcome the opportunity to speak in this debate on the very short report that the Criminal Justice Committee has published on cybercrime and cybersecurity in Scotland.
Unlike Liam McArthur, who is a former member of the committee, I am current member of the committee, but I was not a member at the time that it undertook the activity or its report. I commend the convener and my colleagues for the work that they undertook.
The report makes it clear that cybercrime is no longer a marginal or technical issue. It is now a central challenge for justice, for economic security and for democratic resilience. Although the most recent figures show a reduction in recorded cybercrime compared with the previous year, as Katy Clark set out, levels remain significantly higher now than they were before the pandemic. As Police Scotland told the committee, it estimates that cybercrime constitutes around 5 per cent of all recorded crime. Cyber-enabled offending now makes up a substantial proportion of fraud, sexual crime and threats and extortion, so its impact is very real and significant.
Even then, those figures tell only part of the story, because, as Sharon Dowey mentioned, many cybercrimes go unreported, particularly when victims feel embarrassed, uncertain or powerless—something that we know is often a feature of someone’s experience when they have been caught out by a scam.
The evidence from Age Scotland was particularly striking in highlighting the impact of cybercrime on older people. AI-enabled scams, impersonation and increasingly convincing fraudulent communications are eroding confidence and causing real distress. The fact that a significant proportion of victims do not report those crimes should concern us deeply. Prevention, education and accessible reporting mechanisms are therefore essential.
We should recognise that cybercrime does not affect all people or organisations equally. Larger institutions, such as banks, have the means and ability to invest heavily in sophisticated cyberdefences. The evidence from the financial sector illustrated the scale of the attacks that it faces and the scale of the resource that is required to defend against them. I do not denigrate the seriousness of the impact on our financial institutions, but, by comparison, small businesses, charities and individuals simply do not have their capacity, yet are also exposed to the threat of cybercrime. That imbalance is one of the challenges that we need to consider as we move forward.
The committee heard evidence from businesses such as Arnold Clark that demonstrated that even well-resourced organisations can be brought to a standstill by a single successful attack. The consequences were not limited to data loss or financial costs; individuals were affected as well—customers were stranded, staff were unable to work and essential services were disrupted. We should bear in mind that when a business is impacted, individuals are also impacted.
Cybercrime should therefore not be understood only as theft but as a form of disruption with tangible human and economic consequences. That same point applies in the public sector and has been made about the substantial attack on SEPA. Cyberattacks on local authorities, public bodies and supply chains can interrupt education, social care, food distribution and transport. In an increasingly interconnected digital environment, disruption in one system can quickly cascade into many others. I believe that that reality should concern us all, because it speaks directly to societal results.
It is important to recognise—this has been touched on in the debate—that not all cyberthreats originate from criminal networks that are motivated solely by financial gain. We now operate in a global context in which hostile state actors routinely use cyber capabilities as tools of influence, espionage and destabilisation. Attacks on public institutions, democratic processes and critical infrastructure demonstrate that cyberactivity has, sadly, become a normalised instrument of hostile state power, and Scotland is not insulated from those dynamics. Our public services, universities, research institutions and digital infrastructure are part of a wider international system. Hostile cyberactivity may not always target Scotland directly, but it can still have direct effects here through attacks on UK-wide systems and supply chains, or through disinformation, which I believe is one of the greatest challenges of our age. Such activity is designed to undermine trust in democratic institutions.
The overlap between state-sponsored cyberactivity and organised criminal methods, including ransomware and data theft, further complicates detection and response. That is why co-ordination and partnership are critical. Effective responses to cyberthreats, whether criminal or state sponsored, depend on close co-operation between Police Scotland, UK agencies, international partners and the private sector. I therefore welcome the continued engagement with the National Cyber Security Centre and the work of the CyberScotland partnership and the Scottish cyber co-ordination centre.
Liam McArthur is probably right that there has been too much emphasis on the headline figures for police officer numbers. We should be turning our attention to whether the police force and other parts of the system are properly equipped to respond to the threats that we face.
Audrey Nicoll rose—