Hansard

We are all potential victims of cybercrime—and the sad fact is that thousands of people in Scotland have been. Since 2019, the annual number of recorded cybercrimes has doubled from 7,710 to just over 14,000. That is probably the tip of the iceberg, because those are only the numbers that are recorded.

We all rely on websites, apps, systems and data in our daily lives. Although they bring great benefits, the convenience comes at a cost. Cyberoffending, coupled with online harm, is increasing, whether that is people who are seeking to exploit the vulnerable or using online activities as a vehicle for offending behaviour.

It is, indeed, the growing crime of our times, which is why cyber resilience and digital safety are more important than ever. I am pleased to hear about the many Scottish Government initiatives that the cabinet secretary outlined.

Cyberthreats are evolving rapidly, technology is ever-changing and becoming more sophisticated, and it is our shared responsibility to meet the challenges that Scotland faces. That is why I was pleased that the Criminal Justice Committee took such valuable evidence to allow us to produce a report on cybercrime, which is about where we are now and where we must go in the future.

We listened to fascinating but sometimes chilling evidence from banks, charities, retailers, Police Scotland and organised crime experts about the toll that combating this ever-growing scourge is taking on them. We learned that some cyberthreats cannot realistically be fully mitigated, regardless of how much preventative spending takes place. Major systemic vulnerabilities often have roots in legacy technologies and outdated practices, so wider digital and cultural transformation is often required to tackle the underlying cause.

For other risks, making the best use of the systems and services that are already in place is often more effective and better value for money than buying in advanced security solutions.

On the plus side, there is no doubt that the digital economy is driving Scotland’s economic growth and shaping our future, and that it brings great opportunities. The Scottish Government’s approach is built on strong partnerships across sectors, reinforcing the point that collective effort is critical if we are to safeguard people and unlock the economic potential of our secure digital future. That includes continued engagement with the UK Government and the National Cyber Security Centre on reserved security matters, alongside our European partners.

That is why the Scottish cyber co-ordination centre promotes effective detection and response processes with a strategic framework. The framework details actions and supports to help people, businesses and organisations across Scotland to recognise and prepare for the inevitable cyberthreats. In addition, the centre’s cyber observatory, in particular, will be vital in alerting organisations to potential threats. The centre aims to improve incident response, recovery and intelligence sharing, and to get a much better understanding of cybersecurity.

Collaboration is at the heart of the SNP Government’s strategy, because no Government can tackle cyber challenges alone—Scotland is no exception. Speaking about the challenges of investigating cybercrime, Assistant Chief Constable Stuart Houston of Police Scotland told the committee:

“these crimes are often borderless and are, on occasion, perpetrated outwith the UK.”

He went on:

“Quite often, a network of people are involved in the larger ransomware attacks. In the past, organised crime groups would operate in networks of people who knew one another, but we need to be alive to the fact that people now often operate in networks where they have only seen someone through a screen.”

David Keenan, chief information officer with Arnold Clark, who was mentioned earlier, spoke to the committee about the impact of a major cyberattack that happened to the business in December 2022. It was a ransomware attack in which a large amount of sensitive customer and corporate employee data was stolen. The criminals deliberately planned the timing of the attack over the Christmas period, when staffing levels in the organisation would be reduced and it would take longer for staff to detect and respond to the attack.

Mr Keenan said:

“In the days immediately after the attack on Arnold Clark, when we were unable to operate our systems for a period, more than 4,000 customers were expecting to come and make use of our services. More than 700 people who had bought a car were expecting to take delivery of that vehicle. Some 2,000 people who either had their car in for a service or had booked in to have their car serviced were unable to have that work done. We were unable to provide our rental service to more than 1,500 people who had planned to make use of it, many of whom were holidaymakers who were travelling from abroad ... That was the direct impact on customers.”

He went on to say that the cyberattack also had a major impact on the wellbeing of staff of Arnold Clark and their ability to do their job. He said:

“At the time of the incident, we had well over 200 members of staff in IT, with a multimillion-pound budget and 12 members of staff who were dedicated to cybersecurity, but that still was not enough to protect us.”

He went on:

“Ultimately, a cybercriminal has to be lucky only once, but we have to be lucky against every single attack.”—[Official Report, Criminal Justice Committee, 14 May 2025; c 5, 7.]

That was a very well-made point.

In her oral evidence to the committee, the chief constable of Police Scotland, Jo Farrell, said:

“Poverty, geopolitics, cybercrime and civil unrest are driving a high level of demand, and the challenge for policing is evolving rapidly. That is illustrated by the increase in online harm and threat and in violence associated with organised crime, as well as a high level of protests. The threat is now.”—[Official Report, Criminal Justice Committee, 5 November 2025; c 26.]

That is a fitting remark to end with. The threat is now, and we must continue to innovate to find ways to combat it.