by Sofia Villegas
26 February 2025
Digital time bomb: The UK is under pressure to get its cyber defences in order

It’s been a year since cybercriminals orchestrated one of the most severe attacks in Scotland to date.

Last February a hit on NHS Dumfries and Galloway’s IT system plunged the health board into a crisis.

Faced with an impossible choice – pay up or risk the leak of some of its most sensitive data – the board had its hands tied. But the hackers didn’t. Within a month, three terabytes of staff and patient data were published on the dark web. All living in the region were told to assume their personal information had been accessed.

Today the “ever-evolving threat of cybersecurity is always present”, a spokesperson for the health board tells Holyrood. The board remains “vigilant”, and all staff are now required to complete a mandatory programme of cybersecurity and information governance training on an annual basis to “ensure the fullest awareness of the ever-present threat to IT security”.

The attack on the health board is one of many which have hit Scotland in the past few years. In 2020, environment agency Sepa was victim of a serious hack, which as of 2022 had cost more than £5m. In 2023, Comhairle nan Eilean Siar’s IT system suffered a breach of which “the consequences are still very much felt” two years on, the council’s chief executive Malcolm Burr said during Holyrood’s Public Sector Cyber Scotland conference in Edinburgh. And last year thousands of rail passengers were left terrified after a hit on Network Rail’s Wi-Fi resulted in people being shown Islamophobic messages and details of terrorist attacks in Europe.

The list goes on.

Online threats are becoming a pressing issue across borders, with critical public infrastructure increasingly at risk. Cybercrime has evolved into a lucrative industry, a tool for espionage, and a means to gaining power.

The frequency and severity of attacks have raised the alarm across governments, but Shahid Raza, professor in cybersecurity at the University of Glasgow, argues there is still a “lack of willingness to put resources on the table to take care of it”.

Indeed, earlier this month the National Audit Office sent a stark warning when it revealed the UK Government’s cyber resilience levels were “lower” than estimated. The spending watchdog told ministers to take the report as a “wake-up call” to fix legacy IT systems, forewarning attacks are likely to happen on a regular basis. It is a situation that Paul Chapman, head of public sector cyber for the Scottish Government’s cyber resilience unit, believes is likely to also be the case north of the border. “We've not designed the systems to be secure from the ground up,” he said.

And an attack on the government could cause “significant” damage, Beverly Bowles, head of cyber at ScotlandIS, tells Holyrood. “It would filter through the supply chain and to all the organisations that are tied into it. I think people underestimate the impact that a cyber-attack will have on their business.”

One possible glimpse into the future was the CrowdStrike outage that took place last summer. It saw more than eight million Microsoft devices crash across the world, leaving passengers stranded in airports, forcing hospitals to postpone appointments and costing vital sales for small businesses.  

While caused by a faulty update, the outage demonstrated the chaos that a single digital failure can unleash – an issue that is only becoming more pressing as artificial intelligence (AI) reshapes cybercrime into a far more dangerous field. By accelerating and automating attacks, AI has the potential to amplify the risk posed by cyber threats, making breaches harder to manage. “There’s definitely been an increase in the sophistication of attacks and the volume of attacks. There's clearly an issue that's needing to be addressed,” Bowles says.

Although there has not yet been a major AI-powered cyber-attack, experts believe it won’t be long until it happens. Speaking at Holyrood’s Public Sector Cyber Security West conference in Glasgow, Bill Buchanan, professor of applied cryptography at Edinburgh Napier University, urged delegates to update their resilience strategies to manage the threat posed by AI, saying it will be “completely destructive” across all sectors. “Your organisation will now be attacked not by people but by AI agents that are tasked, don't get tired and cost a few dollars a day to run… It will completely flip everything. It will be a constant advanced persistent threat from an AI agent,” he said.

A ministerial appointment could help fix the issue, Bowles argues. “When you're looking at the UK as a whole, there is an opportunity for somebody to take that portfolio of cybersecurity and look at all the resources that there are. There are so many organisations that are working on providing free resources for cybersecurity upscaling, how to create a cyber strategy, how to implement it, etc. It’s not about the lack of information out there but about how do you collate all of it and get it under one umbrella to make sure that everybody is adopting it.”

But the approach taken towards AI could soon spark significant tension in the cyber sector. Earlier this month, in his address at the Paris AI summit, US vice-president JD Vance described the current approach towards AI as “too self-conscious” and “risk-averse”, hinting that having a “deregulatory flavour” will be a prerequisite for US cooperation moving forward.

And at the close of the conference, the US and the UK refused to sign the international agreement calling for an "open" and "ethical" approach to the technology's development – one backed by 60 other nations including France, China, Japan and Australia.

This decision echoed what Prime Minister Keir Starmer said during his AI speech in January: “We will go our own way on this.”

The UK has much to lose by adopting a laissez-faire strategy to the technology. Both Holyrood and Westminster have placed tech at the heart of their plans for public sector reform and some experts worry that a hands-off approach towards AI could unleash chaos.

Raza, whose research specialises in Internet of Things (IoT) technology, tells Holyrood: “When you have extreme digitalisation, like [having] everything connected, you open up opportunities for attackers. But this does not mean that we should not take advantage of digitalisation.

“Whenever we think of deployment of IoT or digitalisation we should think the same way as banks think when they have an online service. Banks make huge investments in cyber because they see the value in it. But if you go to municipalities where they have a simple service for dustbin monitoring, they are very simple to hack because there is no strong team, thinking and investment behind it. Cybersecurity is seen as a cost, but at the same time they want IoT.

“So of course we will continue hearing about new and fancy cyber-attacks. Awareness that it's [cybersecurity] important is not enough, we must invest in it as well. Investing in digitalisation or AI without cybersecurity would be a huge threat to society in coming years.

“Whether we want it or not, the bad guys will definitely use these AI technologies for malicious purposes.”

And as nations grapple with finding the right balance in this new AI era, one persistent challenge remains: the skills gap. The public sector, in particular, continues to struggle to attract top talent, often outmatched by the private sector's high pay offers.

Also attending Holyrood’s cyber conference in Edinburgh, Tim Court, head of cyber operations at the National Crime Agency, said policing authorities were “catastrophically under-resourced” to fight the growing rate of cybercrime, but acknowledged there is “no money” to plug the gap.

The struggle goes all the way up the public sector ladder. In 2023, the UK Government was mocked after advertising for a head of cybersecurity for the Treasury on a starting salary of £57,000. People took to social media, labelling it a “joke”, with the average base pay for a similar job standing at £128,696-£140,074, according to online recruiting site Glassdoor.

Moreover, as the demand for cybersecurity experts continues to soar, the talent pipeline could soon take another major hit, as retaining professionals has also become a tough challenge for many. The high-stress environment of the sector coupled with the complex demands has taken a toll on workers’ mental health.

Anabelle, a cybersecurity threats analyst at a British bank, whose name has been changed at her request, is reaching a tipping point. “I can’t disconnect”, she tells Holyrood. “It is so stressful to come to work and feel like you have the weight of the world on your shoulders, to know that if you make a mistake it is going to have a big and real impact on a lot of people.”

Despite graduating from university with a cybersecurity degree less than two years ago, the 23-year-old explains she feels “despair that she will never be good at what she does”. She continues: “If you want to survive in the sector you have to eat, sleep and breathe cybersecurity, because it changes all the time.

“There is so much to learn that there is just no way to know it all. I have this constant feeling of inferiority. I want to only work my hours because after that I have a life, and my life isn’t cybersecurity. But this means I always feel like I am behind certain colleagues because cybersecurity changes constantly and you have to adapt constantly to new kinds of attacks.

“If you’re not continuously looking at the news and always on high alert, then you are not up to date. So, it is very frustrating because when I am off work, I don’t want my life to circle around it but sometimes it is just necessary because otherwise you will be completely out of the loop.”

Perhaps unsurprisingly, she is just one of many. Research by cybersecurity firm Blackfog showed more than nine in 10 cite stress and job demands as the main reasons for leaving the sector. Karen Meechan, chief executive of ScotlandIS, says “it's not if, it's when [a cyber-attack will happen], so the pressure is on our cyber professionals, who are waiting on it happening”. “They're trying to mitigate, plug all the gaps, update all the software, constantly aware of what's going on. And then if an attack does happen, the pressure they feel that they've missed something is huge.”

Future attacks are certain, and the sustainability of the UK’s cyber resilience hangs in the balance. In November, intergovernmental minister Pat McFadden warned Nato members of a looming Russian cyber-attack that could “turn the lights off for millions of people”, and last month, during his first major speech as head of the National Cyber Security Centre, Richard Horne said the risk facing the UK is “being widely underestimated”. Horne sounded a note of caution that the gap between the dangers posed by cyber threats and the means to defend against them is “widening”.

The stakes are high, and time is running out.
