by Sofia Villegas
05 February 2025
Scotland at risk of major AI hack, expert warns


Experts have called for the Scottish Government to appoint a national cyber lead or risk a major AI-led data breach.

Speaking at Holyrood’s Public Sector Cyber Security West conference in Glasgow, Bill Buchanan, professor of applied cryptography at Edinburgh Napier University, sounded a note of caution on the growing cyber threat posed by AI.

He said AI will be “completely destructive” across all sectors and urged delegates to re-shape their resilience strategies to adapt to it.

“The days of experienced hackers and teams around the world will fade away and what we'll get is people who have virtually no skills or experience at all at hacking.”

Buchanan continued: “Your organisation will now be attacked not by people but by AI agents that are tasked, don't get tired and cost a few dollars a day to run.

“It will completely flip everything. It will be a constant advanced persistent threat from an AI agent.”

It comes amid mounting pressure for the UK Government to boost its cybersecurity measures, after it was suggested its capabilities may not match the threat posed by cybercriminals. Last week, the National Audit Office found the government’s cyber resilience was “lower” than estimated, and warned it would fail to keep up with the rate of attacks on Whitehall that are “likely to happen regularly”.

Paul Chapman, head of public sector cyber for the Scottish Government’s cyber resilience unit, said the situation is likely to be the same north of the border.

“As I look across political bodies, a lot of the old challenges are still there. The legacy we grew up with. We've not designed the systems to be secure from the ground up.

“We've grown them over time and that brings with it a whole bunch of flaws and risks that we're still dealing with.”

He added: “We have to move that [cybersecurity] baseline all the time. And that's not easy. It's not cheap. It's very resource intensive. And the independent assurance piece that goes with it has changed a lot over the last few years too.

“And in the face of tightening budgets and skills becoming more and more difficult to get access, there's lots to do.”

He added: “The National Audit Office report last week from the UK government point of view wasn't great. I can only imagine that we see a lot of the same issues that are flagged up in the Scottish public sector.

“So, maintaining a decent baseline and getting to a decent baseline is really a challenge.”

Buchanan also urged organisations to implement training schemes to manage AI’s impact on the job market.

“I think everyone will have to upskill. Every single person in work will have to move up one level because the lower levels will be operated by AI bots and agents and so on. So, if we are at a certain level, we need to be moving up.

“We need to strengthen our technical expertise, our leadership. And that involves continual personal development and also academic study.”

However, Aisling Goodey, information security manager at Perth and Kinross Council, also warned delegates not to buy into the “hype” of the technology.

“I think the main challenge is the balance between our understanding of AI and our enthusiasm for AI. I think there's a lot of fear about being left behind. And there is a lot of community with AI. So, it's not necessarily an invalid fear. But because of that fear, I think a lot of people are just wanting to use AI for something. And we don't really know what we want to use it for.”

Buchanan also argued against the “siloing” of data, citing Scotland’s digital infrastructure as a key blocker in building a resilient and modern healthcare system.

“It happens all the time in the NHS, it siloes data into regions, and they don't share information with social care and so on. And when it comes to the citizen, the citizen is nowhere.

“I don't have any online healthcare record at all. I know it's coming but nobody has talked to the citizens about what that healthcare record should look like. Scotland and England will have a different healthcare record. That really worries me that we're going to have two systems again and I have no idea what that's going to look like.”

Last month, First Minister John Swinney confirmed an NHS app will begin rollout by the end of the year but failed to detail what attributes or features the platform will include.

Buchanan added: “We need a lead for cyber security and for the data architecture for Scotland to define how all that data is actually used.”
