Hansard

Today’s committee-led debate is an ideal opportunity to set out the current picture of cybercrime in Scotland and the actions that we are taking and need to take across policing, Government, business and civil society to prevent harm, protect victims and strengthen our national resilience.

Cybercrime has changed the character of offending in Scotland. Five years ago, Police Scotland recorded 7,710 cybercrimes; today, the figure is 14,120—almost double pre-pandemic levels. Those are broad estimates from police records, but the direction is unmistakable. More crime—whether fraud, extortion or exploitation—is now committed online or enabled by digital means.

The public’s experience mirrors that. The Scottish crime and justice survey estimates 524,000 incidents of fraud and computer misuse in 2023-24, which means that roughly one in 10 adults is affected. When organisations suffer a cyberincident, the knock-on effects on people can be severe. The Co-op cyberattack in April, for example, disrupted operations and supply chains, leaving some of our rural and island communities with empty shelves in local shops.

When West Lothian Council’s schools IT systems were hit, many schools experienced operational challenges, although exams were not affected due to well-rehearsed contingency plans.

Those incidents are stark reminders of the growing cyber threat and the importance of resilience across all parts of society. What does that mean for our justice system? Our courts, law enforcement agencies and prisons handle enormous amounts of sensitive information, including criminal records, evidence and personal details of victims and witnesses. One breach could expose that data, endanger lives and derail investigations.

Cybersecurity is not just about protecting data; it is about protecting trust. If systems are hacked or evidence is tampered with, confidence in fair trials collapses and, with it, the rule of law. Today, most evidence—emails, closed-circuit television footage and forensic data—is stored digitally. That makes it vulnerable to alteration or deletion, which could lead to wrongful convictions or acquittals.

Let us not forget operational continuity. Courts and law enforcement rely on digital platforms for case management, e-filing and virtual hearings. A ransomware attack could halt proceedings, delay justice and create massive backlogs. Justice systems are prime targets for organised crime and even state-sponsored actors seeking to disrupt governance or influence outcomes. Cybersecurity is not just an IT issue; it is the cornerstone of justice that safeguards the fairness, reliability and resilience of our digital legal systems. That means that prevention, early warning and rapid, well-coordinated incident response arrangements are just as important as detection and prosecution.

Police Scotland has strengthened its specialist capability in cybercrime investigations and digital forensics. The newly established cyber and fraud unit is consolidating the prevention of cyberfraud and digital harm under one command. Innovation is also happening at the front line of policing through the deployment of digital forensic vans and digital evidence detection dogs and the exploration of AI-enabled efficiencies as part of the policing in a digital world programme.

Those changes matter, but we must be realistic about the constraints and challenges. Over 90 per cent of crimes now involve some form of digital evidence, and that places sustained pressure on our investigative capacity. The digital evidence-sharing capability programme, which is funded by the Scottish Government, is tackling that challenge and is now live across all police divisions. Across the justice system, we must—guided by the Christie principles—deliver integrated and secure services, providing better outcomes and best value for the public.

Legislation must evolve, too. The Computer Misuse Act 1990 remains the backbone of legislation on cyber-dependent crime, but it predates contemporary security research. The proposal by the UK Government of a statutory defence for legitimate security research is welcome, and we will continue to engage with the UK Government on that matter.

Alongside that, the UK Government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill, as mentioned by Ms Nicoll. The bill will widen the scope of existing regulations to include managed service providers and data centres, it will harden essential services, and it will strengthen reporting. The bill will matter for Scotland. Some of our critical services and suppliers sit within its scope, for example health and drinking water. We will work with UK partners, regulators and industry to ensure smooth implementation.

The Scottish Government’s refreshed “Strategic Framework for a Cyber Resilient Scotland 2025–2030” sets the vision for a digitally secure and resilient nation. It is a renewed commitment to protecting our people, organisations and future in an increasingly digital world. None of that can be achieved by Government alone. Prevention at scale is essential, and Scotland has established a national ecosystem to strengthen its ability to be more responsive and future focused.

The CyberScotland partnership helps to drive practical resilience and awareness across public, private and third sectors. The Scottish cyber co-ordination centre—SC3—provides intelligence and early warning and manages incident response co-ordination for the public sector. In partnership with the National Cyber Security Centre and Police Scotland, SC3 is helping us to stay ahead of the threat and respond effectively to minimise the impact of incidents when they occur. I recently launched the SC3 cyber observatory, which will gather and analyse cyberthreat data and maturity insights from the public sector, allowing us to better target support and intervention.

We are also investing £300,000 this year to equip the public sector workforce with the skills needed to safeguard our essential services. In line with the National Cyber Security Centre, we are positioning the cyber essentials standard as the baseline security standard for all organisations in Scotland. Alongside that, we are driving the adoption of multi-factor authentication and encouraging regular back-ups, incident response planning and the use of incident response exercises.

There are five priorities in our fight against cybercrime, as part of our need for a secure and efficient justice system. The first involves sustaining and targeting investment in policing capacity, completing the build-out of Police Scotland’s cyber and fraud unit and refreshing front-line digital tooling. The second priority is to build on exemplar collaboration programmes, such as the digital evidence-sharing capability programme, to modernise our justice systems. The third is to enable legislation evolution, so that our laws are fit for today and resilient for the future. The fourth is to scale up prevention and skills. We must continue to build and enhance the capabilities of SC3 and the CyberScotland partnership and accelerate targeted prevention campaigns for specific sectors and communities. Fifthly and finally, to embed accountability for public bodies and critical suppliers, we need to move to a place of mandating minimum-security baselines and transparent risk reporting.

Cybercrime is now a mainstream risk to our economy, our justice system and our people. Scotland has strong foundations in place: specialist policing capability, evidence of a maturing public sector, SC3, our national incident response and co-ordination centre, and an active partnership that reaches from Government into business and civil society. Our task is to lock in all those gains.

Our focus, as always, is to keep people safe, protect essential services, bring offenders to justice and ensure that Scotland remains digitally secure and resilient. I am very grateful to the Criminal Justice Committee for its work.