Meeting of the Parliament 17 December 2025
I am grateful to the Criminal Justice Committee and all who contributed to the inquiry that resulted in the timely and important report that we are discussing today.
Cybercrime and cybersecurity are often discussed as abstract, technical or even distant issues. However, the report makes it unmistakably clear that they are none of those things. Cybercrime is not virtual harm—it is real harm. It is harm that lands on kitchen tables, in bank accounts, in workplaces and in the lives of people who are all too often already carrying the heaviest burdens.
The evidence that the committee gathered is sobering. Although there has been a recent decrease in estimated cybercrime compared with the previous year, levels remain far above those that were seen before the pandemic. Cybercrime now accounts for at least 5 per cent of all recorded crime in Scotland and for more than a quarter of sexual crimes. Nearly all crimes involving threat and extortion are now cyber enabled. Fraud, in particular, has been transformed by the digital environment, with estimates suggesting that almost half of all fraud now involves cyber methods.
Behind those statistics are people: older people who are targeted by increasingly sophisticated scams, often powered by AI and deepfake technology; workers whose personal data is stolen and traded repeatedly long after the original breach; staff in businesses and public services who are dealing with the stress, fear and disruption that is caused by ransomware attacks; island communities left without access to food because a supply chain was digitally attacked; and people in local authorities who are unable to deliver essential services because their systems have been compromised. The report rightly centres those human impacts.
I thank all those who gave evidence to the committee, and particularly those from organisations such as Age Scotland, who reminded the committee that many victims do not report cybercrime because they do not know where to turn, they fear that they will not be believed or they assume that nothing can be done. That is not a failure of those individuals; it is a failure of our systems. If people do not feel supported, trusted and protected, our response to cybercrime is already falling short.
The report also highlights a stark imbalance of power and resources. Large institutions such as banks are able to invest millions in cyber defence, employing hundreds of staff to monitor and block attacks, although even then, as the committee heard and as we have heard this afternoon, they are subjected to tens of millions of attacks every month. Small businesses, charities and third sector organisations simply do not have that capacity, nor do many public bodies that are forced to maintain ageing legacy systems while trying to meet growing digital demands. That imbalance matters. Cyber criminals need to succeed only once, and that one-time success can be devastating for people. Everybody else’s protections need to work all the time.
The approach of the Scottish Greens to the issue comes from a clear set of principles. We believe in safety and justice for all, but we also believe that how we pursue safety matters. We reject the false choice between security and rights. We do not believe that expanding mass surveillance, eroding privacy or normalising intrusive state powers will necessarily keep people safer in the long run. In fact, history tells us the opposite. That means that, although we support properly resourced, skilled and specialist policing to tackle cybercrime, we will always scrutinise proposals that risk widening surveillance without clear necessity, proportionality and democratic oversight.
Cybercrime is borderless and complex, but that cannot become an excuse for undermining civil liberties or treating everyone as a suspect by default. Instead, the report points us towards a more effective and more just approach. Prevention, resilience and accountability must sit at the heart of our response.
Prevention means investing in digital literacy and public awareness, particularly for older people and other groups that are most at risk. It means ensuring that reporting mechanisms are accessible, trusted and trauma informed. It means recognising that shame and fear are powerful silencers and that we must design systems that actively counter that.
Resilience means having sustained investment in public sector digital infrastructure, not piecemeal fixes. It means supporting small and medium-sized enterprises and the voluntary sector with practical help, and not just advice that they cannot afford to implement. It means recognising cybersecurity as essential public infrastructure and not as an optional add-on.
Accountability means asking difficult questions of those who profit from insecure systems. As the committee heard, stolen data can be traded again and again with devastating consequences, while responsibility is too often pushed back on to victims. We must seriously consider whether our legal frameworks adequately reflect the harm that is caused by the theft and trafficking of data, and whether corporations and platforms are doing enough to design systems that are secure by default.