Hansard

I am pleased to open on behalf of Scottish Labour. As a member of the Criminal Justice Committee, I thank my fellow committee members, the committee clerks and all stakeholders who were involved in the committee’s work on the issue.

The committee’s report is important and timely. Cybercrime rates across Scotland are at a significant level. As Sharon Dowey said, more than 14,000 cybercrimes were recorded in Scotland last year—a number that remains well above pre-pandemic levels. Cybercrime amounted to 5 per cent of all crimes recorded in Scotland last year, but digital technology and online spaces are being used to carry out more traditional crimes, too. We can see that from the fact that cybercrime accounted for 27 per cent of all sexual crimes reported last year.

In recent years, several high-profile cyberattacks have been launched against private companies and public bodies across Scotland—major companies such as Marks and Spencer, the Co-op, Adidas and H&M have been hit by cyberattacks this year alone. NatWest provided alarming evidence to the committee that its customers have to be protected from more than 100 million cyberattacks every month.

Earlier this year, Glasgow City Council, the City of Edinburgh Council and West Lothian Council all suffered cyberattacks that were aimed at disrupting online education services. Hackers managed to access a significant amount of information from NHS Dumfries and Galloway last year, including the confidential details of staff and patients. In 2020, SEPA endured one of Scotland’s worst-ever cyberattacks, when thousands of its digital files were stolen. Whether we look at cybercrime statistics or examples of cyberattacks, it is clear that cybercrime is an issue that affects all of Scotland, including individuals and organisations.

Two common themes emerged in the evidence that the committee heard on how we can better protect ourselves from cybercrime. The first theme was that the current state of Scotland’s cyber resilience is inadequate and must be improved. Digital participation in Scotland has continued to increase, particularly among older people, and more than 90 per cent of adults now use the internet for work or personal activities. That is to be welcomed, but it brings greater risks of cybercrime.

Previous results from the Scottish crime and justice survey found that nearly 5 per cent of internet users in Scotland had experienced computer viruses, received scam emails or had banking details stolen online. In addition, the Scottish household survey found that nearly 10 per cent of all adults in Scotland did not take any online security measures, such as not opening emails from unknown senders or not sharing personal information online. That is why some of the proposals in the Scottish Government’s cyber resilient Scotland framework that focus on improving cyber learning are welcome.

Embedding cyber learning in the school curriculum, expanding the availability of cyber learning resources and improving access to cyber learning opportunities for adults are all practical steps. The £300,000 that has been allocated for an upskilling fund to strengthen cybersecurity skills across the public sector is also very welcome.

However, I believe that the Scottish Government must do more to educate everybody—in particular, young men and boys—on the harmful effect that far-right and misogynistic online content can have on their behaviour, and to tackle the resulting sexism, misogyny and violence in schools. That is why I again call on the Scottish Government to bring forward a cross-campus strategy to tackle the issue. I think that that is relevant to today’s debate.

Although education is vital in improving cyber resilience, we must also look at other avenues to achieve that aim, such as legislation. The Online Safety Act 2023 has now come into force, and I urge the Scottish Government to work with the UK Government and Ofcom to ensure that it is effective, especially in the light of the fact that reports of online child abuse in Scotland have doubled in a year.

The Scottish Government should also make representations to the UK Government and Ofcom on ensuring that the provisions in the Online Safety Act 2023 that are designed to tackle fraudulent online advertising are implemented as soon as possible, and I encourage ministers to engage with the UK Government and Ofcom on how the Cyber Security and Resilience (Network and Information Systems) Bill will be implemented in Scotland, should it be passed at Westminster.

There are many other aspects of improving Scotland’s cyber resilience that I hope will be considered in today’s debate, such as the need for regulation to reduce the harms associated with AI technology, including deepfakes, and the need to ensure that digital technology that is used in the public sector is better protected from cyberattacks. I welcome the action that the Scottish Government is taking, such as its recent announcement on deepfakes.

The second theme that emerged in evidence to the committee in relation to tackling cybercrime was the need for the Scottish Government to invest more in cybersecurity. Organisations ranging from the Cyber and Fraud Centre Scotland to the Scottish Courts and Tribunals Service have identified the need for further investment. The committee heard from Police Scotland on the significant financial challenges that it faces, which Sharon Dowey mentioned, and how that affects its ability to tackle cybercrime.

I hope that the need for greater investment in cybersecurity will be explored further in today’s debate. It is important to note that the true scale of cybercrime across Scotland is likely to be greater than we expect, given that it often goes unreported by individuals and organisations. It is also likely to become a bigger issue in the future.

I hope that the Scottish Government will reflect on all the points that I have raised and that other members will raise on the need for cyber resilience and investment in cybersecurity.