Official Report 978KB pdf
The next item of business is a debate on cybercrime on behalf of the Criminal Justice Committee. I invite members who wish to speak in the debate to press their request-to-speak buttons.
15:27
I am very pleased to open this afternoon’s debate on behalf of the Criminal Justice Committee. I will start with the usual thank you to committee clerks and Scottish Parliament information centre colleagues for their support on this important piece of work.
This year, the committee has had a very busy programme—it has considered four separate bills at either stage 1 or stage 2—so the time that we had available for this inquiry was limited. However, we were aware that cybercrime is an important topic that we wished to consider, especially as it affects business, vulnerable individuals and wider society.
The short factual report that we have produced does not attempt to identify solutions. Rather, we wanted to identify the scope of the problem and to stimulate public debate. It is clear from the evidence that we have received that an increased focus on cybercrime and cybersecurity needs to be put front and centre every bit as much as our focus on the risks that are posed to us by issues such as climate change.
Turning to the impact on business, we undertook a one-off oral evidence session on 14 May with stakeholders representing the police, business and vulnerable individuals. That was followed up by written evidence from business, third sector groups and the Scottish Government. One issue that became immediately clear was the impact that cybercrime can have on all levels of businesses that play a vital role in our society. We heard from NatWest bank that it currently has to defend itself against an average of 100 million attempted cyberattacks every month. That requires a huge on-going investment in staff and technology, but such defensive actions are an essential part of modern-day business.
We also heard about the impact of a ransomware cyberattack on Scotland-based business Arnold Clark. Despite having an information technology department with more than 200 staff, 12 of whom were dedicated to cybersecurity, and having an IT budget of several million pounds per annum, cyber criminals were still able to breach Arnold Clark’s systems and steal large amounts of data. The attack, which was deliberately undertaken over the Christmas period to make it far more difficult for the company to respond, had a substantial impact on Arnold Clark’s business, with about 4,000 customers affected. Although the company recovered quickly, we were told that it is still feeling the after-effects of the attack today.
I am aware that the Economy and Fair Work Committee has recently been taking evidence on the use of artificial intelligence among Scottish businesses. The latest statistics show that 17.6 per cent of Scottish businesses use AI daily and that fraud accounted for about £1.7 billion last year, with most of it occurring through social and digital media. Last month, Forrit, an Edinburgh-based content management system company, told the committee that the AI tools that it has developed
“have blocked 3.9 million cyberattacks in the past three months”—[Official Report, Economy and Fair Work Committee, 5 November 2025; c 7.]
for one of its corporate clients. That shows that we can develop effective AI tools to protect businesses and our wider economy from cybercrime.
Our committee heard from Age Scotland about the continually evolving nature of the threat to vulnerable individuals. Although phishing emails and scam phone calls still represent a major problem, new AI tools that allow criminals to manipulate their image and voice present new risks to vulnerable groups. AI-enhanced fraud scams are making it increasingly difficult for people to identify that the person with whom they are engaging is not real. That allows criminals to build up trust with a victim, thereby increasing their ability to defraud people out of cash or valuable data. Research by Age Scotland shows that about 20 per cent of elderly people who experience online fraud do not report it to the police. Some do not report it because of embarrassment, whereas others do not do so because they believe that the police could do little to help them.
We learned that the type of fraud that is being perpetrated is changing. In the past, criminals would simply have sought money, but there is now a focus on stealing personal data, which cyber criminals can package and sell to other criminals on the black market. Helping members of the public to stay informed about the evolving threat and encouraging them to report such fraud to the police remains one of the greatest challenges that we face.
In relation to the policing response, prosecution and the law, using traditional policing methods to address cybercrime is extremely difficult. The borderless nature of the digital world means that it is virtually impossible to identify where a criminal might be located. Police Scotland told us that the action that it takes is often focused on gathering threat intelligence and finding out where the weaknesses are in the system, because its ability to trace and prosecute a criminal who could be based anywhere is far more limited.
The Cyber and Fraud Centre Scotland pointed out a loophole in the criminal law. At present, it is a criminal offence to handle stolen physical goods, but no such crime exists for handling or making use of data that has been stolen in a cybercrime. The law should seek to address that loophole.
I note that the UK Government’s Cyber Security and Resilience (Network and Information Systems) Bill has just been introduced in the House of Commons. Its focus is on the security and resilience of IT systems that we rely on to carry out essential activities, and it proposes stiffer penalties for cybercrimes. I would welcome hearing about the discussions that the Scottish Government is having with the UK Government on the bill.
This year marks the 30th anniversary of Microsoft’s launch of the Windows 95 home computer. Many people consider that to be the start of the general public’s move into the online realm. Since then, our everyday experience of the digital world has moved from it being an optional extra to it being a central part of our lives.
Anyone born after 1990 has grown up in the computer age, so a large percentage of our modern-day workforce is more cyber literate than our policies might recognise. However, we must continue to invest in cyber training for all employees to ensure that their resilience and awareness keep pace.
Unfortunately, many of our public sector IT systems have not kept pace, largely due to costs and the need to procure such systems on a large scale. Our evidence taking on both cybercrime and the budget highlighted the pressing need to ensure increased capital investment in vital public IT systems.
We saw earlier this year that cyberattacks on retailers left many Scottish communities with empty supermarket shelves. We also saw attacks targeting our local authorities, which impacted on schools and many other services. Our report points out a recent Audit Scotland analysis of a cyberattack on Western Isles Council, which highlighted various issues that local and national Government must address.
We also heard about the need to ensure that key criminal justice sector partners such as the police service, courts, the prosecution service and prisons are ready to meet new challenges as they move more of their operations on to digital platforms. Maintaining public confidence in how our criminal justice system responds to calls for help or gathers evidence of crimes must be central to the capital resources that we commit to modernising our IT systems.
As a digitally dependent society, we face many challenges from bad-faith actors—both individuals and nations. They wish to steal from us, sow discontent and undermine public confidence in democracy. Ensuring robust public and private sector IT systems and embedding cyber awareness as part of everyone’s daily life must be central to Scotland’s cyber resilience strategy.
I thank all those who gave evidence to the committee, and I look forward to hearing the rest of the debate.
I call the cabinet secretary, Angela Constance, to open on behalf of the Scottish Government.
15:37
Today’s committee-led debate is an ideal opportunity to set out the current picture of cybercrime in Scotland and the actions that we are taking and need to take across policing, Government, business and civil society to prevent harm, protect victims and strengthen our national resilience.
Cybercrime has changed the character of offending in Scotland. Five years ago, Police Scotland recorded 7,710 cybercrimes; today, the figure is 14,120—almost double pre-pandemic levels. Those are broad estimates from police records, but the direction is unmistakable. More crime—whether fraud, extortion or exploitation—is now committed online or enabled by digital means.
The public’s experience mirrors that. The Scottish crime and justice survey estimates 524,000 incidents of fraud and computer misuse in 2023-24, which means that roughly one in 10 adults is affected. When organisations suffer a cyberincident, the knock-on effects on people can be severe. The Co-op cyberattack in April, for example, disrupted operations and supply chains, leaving some of our rural and island communities with empty shelves in local shops.
When West Lothian Council’s schools IT systems were hit, many schools experienced operational challenges, although exams were not affected due to well-rehearsed contingency plans.
Those incidents are stark reminders of the growing cyber threat and the importance of resilience across all parts of society. What does that mean for our justice system? Our courts, law enforcement agencies and prisons handle enormous amounts of sensitive information, including criminal records, evidence and personal details of victims and witnesses. One breach could expose that data, endanger lives and derail investigations.
Cybersecurity is not just about protecting data; it is about protecting trust. If systems are hacked or evidence is tampered with, confidence in fair trials collapses and, with it, the rule of law. Today, most evidence—emails, closed-circuit television footage and forensic data—is stored digitally. That makes it vulnerable to alteration or deletion, which could lead to wrongful convictions or acquittals.
Let us not forget operational continuity. Courts and law enforcement rely on digital platforms for case management, e-filing and virtual hearings. A ransomware attack could halt proceedings, delay justice and create massive backlogs. Justice systems are prime targets for organised crime and even state-sponsored actors seeking to disrupt governance or influence outcomes. Cybersecurity is not just an IT issue; it is the cornerstone of justice that safeguards the fairness, reliability and resilience of our digital legal systems. That means that prevention, early warning and rapid, well-coordinated incident response arrangements are just as important as detection and prosecution.
Police Scotland has strengthened its specialist capability in cybercrime investigations and digital forensics. The newly established cyber and fraud unit is consolidating the prevention of cyberfraud and digital harm under one command. Innovation is also happening at the front line of policing through the deployment of digital forensic vans and digital evidence detection dogs and the exploration of AI-enabled efficiencies as part of the policing in a digital world programme.
Those changes matter, but we must be realistic about the constraints and challenges. Over 90 per cent of crimes now involve some form of digital evidence, and that places sustained pressure on our investigative capacity. The digital evidence-sharing capability programme, which is funded by the Scottish Government, is tackling that challenge and is now live across all police divisions. Across the justice system, we must—guided by the Christie principles—deliver integrated and secure services, providing better outcomes and best value for the public.
Legislation must evolve, too. The Computer Misuse Act 1990 remains the backbone of legislation on cyber-dependent crime, but it predates contemporary security research. The proposal by the UK Government of a statutory defence for legitimate security research is welcome, and we will continue to engage with the UK Government on that matter.
Alongside that, the UK Government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill, as mentioned by Ms Nicoll. The bill will widen the scope of existing regulations to include managed service providers and data centres, it will harden essential services, and it will strengthen reporting. The bill will matter for Scotland. Some of our critical services and suppliers sit within its scope, for example health and drinking water. We will work with UK partners, regulators and industry to ensure smooth implementation.
The Scottish Government’s refreshed “Strategic Framework for a Cyber Resilient Scotland 2025–2030” sets the vision for a digitally secure and resilient nation. It is a renewed commitment to protecting our people, organisations and future in an increasingly digital world. None of that can be achieved by Government alone. Prevention at scale is essential, and Scotland has established a national ecosystem to strengthen its ability to be more responsive and future focused.
The CyberScotland partnership helps to drive practical resilience and awareness across public, private and third sectors. The Scottish cyber co-ordination centre—SC3—provides intelligence and early warning and manages incident response co-ordination for the public sector. In partnership with the National Cyber Security Centre and Police Scotland, SC3 is helping us to stay ahead of the threat and respond effectively to minimise the impact of incidents when they occur. I recently launched the SC3 cyber observatory, which will gather and analyse cyberthreat data and maturity insights from the public sector, allowing us to better target support and intervention.
We are also investing £300,000 this year to equip the public sector workforce with the skills needed to safeguard our essential services. In line with the National Cyber Security Centre, we are positioning the cyber essentials standard as the baseline security standard for all organisations in Scotland. Alongside that, we are driving the adoption of multi-factor authentication and encouraging regular back-ups, incident response planning and the use of incident response exercises.
There are five priorities in our fight against cybercrime, as part of our need for a secure and efficient justice system. The first involves sustaining and targeting investment in policing capacity, completing the build-out of Police Scotland’s cyber and fraud unit and refreshing front-line digital tooling. The second priority is to build on exemplar collaboration programmes, such as the digital evidence-sharing capability programme, to modernise our justice systems. The third is to enable legislation evolution, so that our laws are fit for today and resilient for the future. The fourth is to scale up prevention and skills. We must continue to build and enhance the capabilities of SC3 and the CyberScotland partnership and accelerate targeted prevention campaigns for specific sectors and communities. Fifthly and finally, to embed accountability for public bodies and critical suppliers, we need to move to a place of mandating minimum-security baselines and transparent risk reporting.
Cybercrime is now a mainstream risk to our economy, our justice system and our people. Scotland has strong foundations in place: specialist policing capability, evidence of a maturing public sector, SC3, our national incident response and co-ordination centre, and an active partnership that reaches from Government into business and civil society. Our task is to lock in all those gains.
Our focus, as always, is to keep people safe, protect essential services, bring offenders to justice and ensure that Scotland remains digitally secure and resilient. I am very grateful to the Criminal Justice Committee for its work.
I take this opportunity to remind all those members who are seeking to speak in the debate to check that they have pressed their request-to-speak buttons.
15:46
I welcome this opportunity to discuss cybercrime and the devastating impact that it can have on people and businesses. I thank the Criminal Justice Committee clerks for all their work to arrange the evidence sessions and compile the committee’s report.
As was made clear throughout the evidence sessions, this problem is not going away—in fact, it is getting worse all the time, and more people are doing it. The technology that they are using is becoming more advanced. The criminals have more resources behind them—either from serious organised crime gangs, which always get themselves involved when they think that there is easy money to be made, or because of the increasing role that bad states such as Russia, Iran and North Korea are playing in this area.
This is a global problem, of course, but even the statistics for Scotland paint a grim story. According to official recorded crime data, there were an estimated 7,710 cybercrimes in Scotland in 2019-20. By 2024-25, the figure had almost doubled to 14,120. That equates to 38 incidents a day, which cover everything from fraud and extortion to sexual abuse and exploitation. We know that many such crimes are never reported, so the true picture is likely to be far worse.
The question that MSPs face is what to do about that. In the first instance, we must look to Police Scotland and the Scottish Government. I do not believe that this hugely complicated and difficult subject should be the source of an intense political blame game. Even if not a single person in Scotland was guilty of a cybercrime, the problem facing ordinary Scots from international threats would still be considerable. My contribution to the debate is therefore intended to be entirely constructive.
The police do great work in this area, but they need more support. The difficulties that the force faces when it comes to officer numbers and resources—not to mention the impossible environment in which the police work—have been well documented in the chamber. They have a specific ask on this topic, which I urge the Scottish Government to deliver in full.
Chief Constable Jo Farrell has said that Police Scotland needs £105 million just to stand still, in effect, when it comes to officer numbers, and that a further £33 million would enable her to strengthen the workforce. That includes £6 million specifically for tackling cybercrime. She has cited cybercrime as a major problem, while the Scottish Police Federation has said that the response to cybercrime is being weakened by a lack of cash.
When she delivers her budget in the new year, the Cabinet Secretary for Finance and Local Government must give the police every penny that they need. That money is important, because it has been proven that, when the justice authorities are supported, they can make an impact.
The banking protocol, whereby police work with bank staff to spot potential fraud in customer transactions, helped to save Scots £750,000 in the first three months of this year. Hundreds of incidents were prevented—often ones that would have involved elderly and vulnerable customers transferring money or handing over sensitive data to people who wanted only to exploit them and cause them harm.
The Edinburgh-based Cyber and Fraud Centre Scotland, which is headed by Jude McCorry, has done some great work to raise awareness and encourage businesses to work together to avoid themselves and each other being scammed. Its cyber and fraud hub has helped more than 500 victims over the past year, has prevented hundreds of thousands of pounds from being lost and, in some cases, has helped people to recover what was lost.
The organisation has also done great work on encouraging women to get involved in cybersecurity. Recent events brought together about 200 women and girls in the hope of guiding them towards a career in that area. We, in the chamber, are all well aware that, if we want the very best people to be involved, we cannot afford 50 per cent of the population thinking that it is not a subject area for them.
Cybercrime targets the most vulnerable people in our society. The despicable criminals who indulge in it do that on purpose. Their merciless exploitation of elderly people—taking advantage of the possibility that they are not up to date with technology or that they may be susceptible to being tricked—is inexcusable. Similarly, those who target young girls online in the hope of exploiting them sexually deserve the most severe punishments. We, in this country, can only do our bit while hoping that international agencies and foreign Governments step up, too.
Police in Scotland require more specialist skills, digital forensics and sustained investment. The Scottish Government must match its words with actions, to ensure that we have enough officers and capability in the wider justice system to hold to account those who are responsible.
Nobody is safe from cybercrime: from huge companies such as Jaguar and Marks and Spencer to small Scottish businesses; from major Government agencies, such as the Scottish Environment Protection Agency, to our smallest local authorities; and from wealthy individuals who are robbed of thousands to vulnerable people who lose everything that they own. That is why the problem deserves our utmost commitment and attention.
15:52
I am pleased to open on behalf of Scottish Labour. As a member of the Criminal Justice Committee, I thank my fellow committee members, the committee clerks and all stakeholders who were involved in the committee’s work on the issue.
The committee’s report is important and timely. Cybercrime rates across Scotland are at a significant level. As Sharon Dowey said, more than 14,000 cybercrimes were recorded in Scotland last year—a number that remains well above pre-pandemic levels. Cybercrime amounted to 5 per cent of all crimes recorded in Scotland last year, but digital technology and online spaces are being used to carry out more traditional crimes, too. We can see that from the fact that cybercrime accounted for 27 per cent of all sexual crimes reported last year.
In recent years, several high-profile cyberattacks have been launched against private companies and public bodies across Scotland—major companies such as Marks and Spencer, the Co-op, Adidas and H&M have been hit by cyberattacks this year alone. NatWest provided alarming evidence to the committee that its customers have to be protected from more than 100 million cyberattacks every month.
Earlier this year, Glasgow City Council, the City of Edinburgh Council and West Lothian Council all suffered cyberattacks that were aimed at disrupting online education services. Hackers managed to access a significant amount of information from NHS Dumfries and Galloway last year, including the confidential details of staff and patients. In 2020, SEPA endured one of Scotland’s worst-ever cyberattacks, when thousands of its digital files were stolen. Whether we look at cybercrime statistics or examples of cyberattacks, it is clear that cybercrime is an issue that affects all of Scotland, including individuals and organisations.
Two common themes emerged in the evidence that the committee heard on how we can better protect ourselves from cybercrime. The first theme was that the current state of Scotland’s cyber resilience is inadequate and must be improved. Digital participation in Scotland has continued to increase, particularly among older people, and more than 90 per cent of adults now use the internet for work or personal activities. That is to be welcomed, but it brings greater risks of cybercrime.
Previous results from the Scottish crime and justice survey found that nearly 5 per cent of internet users in Scotland had experienced computer viruses, received scam emails or had banking details stolen online. In addition, the Scottish household survey found that nearly 10 per cent of all adults in Scotland did not take any online security measures, such as not opening emails from unknown senders or not sharing personal information online. That is why some of the proposals in the Scottish Government’s cyber resilient Scotland framework that focus on improving cyber learning are welcome.
Embedding cyber learning in the school curriculum, expanding the availability of cyber learning resources and improving access to cyber learning opportunities for adults are all practical steps. The £300,000 that has been allocated for an upskilling fund to strengthen cybersecurity skills across the public sector is also very welcome.
However, I believe that the Scottish Government must do more to educate everybody—in particular, young men and boys—on the harmful effect that far-right and misogynistic online content can have on their behaviour, and to tackle the resulting sexism, misogyny and violence in schools. That is why I again call on the Scottish Government to bring forward a cross-campus strategy to tackle the issue. I think that that is relevant to today’s debate.
Although education is vital in improving cyber resilience, we must also look at other avenues to achieve that aim, such as legislation. The Online Safety Act 2023 has now come into force, and I urge the Scottish Government to work with the UK Government and Ofcom to ensure that it is effective, especially in the light of the fact that reports of online child abuse in Scotland have doubled in a year.
The Scottish Government should also make representations to the UK Government and Ofcom on ensuring that the provisions in the Online Safety Act 2023 that are designed to tackle fraudulent online advertising are implemented as soon as possible, and I encourage ministers to engage with the UK Government and Ofcom on how the Cyber Security and Resilience (Network and Information Systems) Bill will be implemented in Scotland, should it be passed at Westminster.
There are many other aspects of improving Scotland’s cyber resilience that I hope will be considered in today’s debate, such as the need for regulation to reduce the harms associated with AI technology, including deepfakes, and the need to ensure that digital technology that is used in the public sector is better protected from cyberattacks. I welcome the action that the Scottish Government is taking, such as its recent announcement on deepfakes.
The second theme that emerged in evidence to the committee in relation to tackling cybercrime was the need for the Scottish Government to invest more in cybersecurity. Organisations ranging from the Cyber and Fraud Centre Scotland to the Scottish Courts and Tribunals Service have identified the need for further investment. The committee heard from Police Scotland on the significant financial challenges that it faces, which Sharon Dowey mentioned, and how that affects its ability to tackle cybercrime.
I hope that the need for greater investment in cybersecurity will be explored further in today’s debate. It is important to note that the true scale of cybercrime across Scotland is likely to be greater than we expect, given that it often goes unreported by individuals and organisations. It is also likely to become a bigger issue in the future.
I hope that the Scottish Government will reflect on all the points that I have raised and that other members will raise on the need for cyber resilience and investment in cybersecurity.
15:59
I am grateful to the Criminal Justice Committee and all who contributed to the inquiry that resulted in the timely and important report that we are discussing today.
Cybercrime and cybersecurity are often discussed as abstract, technical or even distant issues. However, the report makes it unmistakably clear that they are none of those things. Cybercrime is not virtual harm—it is real harm. It is harm that lands on kitchen tables, in bank accounts, in workplaces and in the lives of people who are all too often already carrying the heaviest burdens.
The evidence that the committee gathered is sobering. Although there has been a recent decrease in estimated cybercrime compared with the previous year, levels remain far above those that were seen before the pandemic. Cybercrime now accounts for at least 5 per cent of all recorded crime in Scotland and for more than a quarter of sexual crimes. Nearly all crimes involving threat and extortion are now cyber enabled. Fraud, in particular, has been transformed by the digital environment, with estimates suggesting that almost half of all fraud now involves cyber methods.
Behind those statistics are people: older people who are targeted by increasingly sophisticated scams, often powered by AI and deepfake technology; workers whose personal data is stolen and traded repeatedly long after the original breach; staff in businesses and public services who are dealing with the stress, fear and disruption that is caused by ransomware attacks; island communities left without access to food because a supply chain was digitally attacked; and people in local authorities who are unable to deliver essential services because their systems have been compromised. The report rightly centres those human impacts.
I thank all those who gave evidence to the committee, and particularly those from organisations such as Age Scotland, who reminded the committee that many victims do not report cybercrime because they do not know where to turn, they fear that they will not be believed or they assume that nothing can be done. That is not a failure of those individuals; it is a failure of our systems. If people do not feel supported, trusted and protected, our response to cybercrime is already falling short.
The report also highlights a stark imbalance of power and resources. Large institutions such as banks are able to invest millions in cyber defence, employing hundreds of staff to monitor and block attacks, although even then, as the committee heard and as we have heard this afternoon, they are subjected to tens of millions of attacks every month. Small businesses, charities and third sector organisations simply do not have that capacity, nor do many public bodies that are forced to maintain ageing legacy systems while trying to meet growing digital demands. That imbalance matters. Cyber criminals need to succeed only once, and that one-time success can be devastating for people. Everybody else’s protections need to work all the time.
The approach of the Scottish Greens to the issue comes from a clear set of principles. We believe in safety and justice for all, but we also believe that how we pursue safety matters. We reject the false choice between security and rights. We do not believe that expanding mass surveillance, eroding privacy or normalising intrusive state powers will necessarily keep people safer in the long run. In fact, history tells us the opposite. That means that, although we support properly resourced, skilled and specialist policing to tackle cybercrime, we will always scrutinise proposals that risk widening surveillance without clear necessity, proportionality and democratic oversight.
Cybercrime is borderless and complex, but that cannot become an excuse for undermining civil liberties or treating everyone as a suspect by default. Instead, the report points us towards a more effective and more just approach. Prevention, resilience and accountability must sit at the heart of our response.
Prevention means investing in digital literacy and public awareness, particularly for older people and other groups that are most at risk. It means ensuring that reporting mechanisms are accessible, trusted and trauma informed. It means recognising that shame and fear are powerful silencers and that we must design systems that actively counter that.
Resilience means having sustained investment in public sector digital infrastructure, not piecemeal fixes. It means supporting small and medium-sized enterprises and the voluntary sector with practical help, and not just advice that they cannot afford to implement. It means recognising cybersecurity as essential public infrastructure and not as an optional add-on.
Accountability means asking difficult questions of those who profit from insecure systems. As the committee heard, stolen data can be traded again and again with devastating consequences, while responsibility is too often pushed back on to victims. We must seriously consider whether our legal frameworks adequately reflect the harm that is caused by the theft and trafficking of data, and whether corporations and platforms are doing enough to design systems that are secure by default.
One issue that emerged during the committee’s scrutiny that has not yet been touched on, and which relates to resilience, is insurance. Businesses are perhaps more able to absorb the cost of insurance, which is an important part of a business’s overall resilience to an attack.
Absolutely. Not everybody will be able to afford insurance, nor will everybody even think that it is something that they need to have. The fact that its affordability will put insurance out of reach of individuals or organisations needs to be part of our thinking about resilience and accountability.
The report does not offer easy answers, but it does offer clarity. Cybercrime is not just a policing issue; it is an issue of social justice, equality, workers’ rights and public services, and our response must be as interconnected as the systems on which our society now depends.
I look forward to hearing the rest of the speeches in the debate and then to working together to ensure that Scotland’s response to cybercrime is one that protects people, upholds rights and puts justice, not fear, at its core.
16:06
I join other speakers in thanking the members of the Criminal Justice Committee for allowing this debate to take place and, more important, for undertaking detailed scrutiny of this important issue. Audrey Nicoll comprehensively set out the breadth of issues that are covered in the report, which leaves little doubt about the amount of work that will need to be done to address the many and various challenges going forward.
Cybercrime often leaves victims, whether they are individuals or organisations, harmed in profound and lasting ways. Were we in any doubt about that, the subject of the item of business that preceded this debate should have dispelled that. Abuse by grooming gangs is a horrific exemplification of that, reflecting the way in which online harms are, as Maggie Chapman said, very real.
Those who have been the target of cyber-enabled fraud can lose their life savings and have their personal data harvested. The convener of the Criminal Justice Committee rightly pointed to the fact that, these days, data harvesting is often more of a motive for perpetrators than cash. Individuals who are subjected to the non-consensual distribution of private sexual images face enduring trauma, and companies whose online systems are compromised by hackers can be held to ransom and lose decades of work and the trust of customers.
Katy Clark and Audrey Nicoll spoke about the extent of cybercrime and the fact that large organisations can find themselves being subjected to millions of attacks over the course of a month. The investment that businesses put into IT departments to try to brace against those attacks has a cost. However, Maggie Chapman is right that, although businesses may be most at risk and most in need of resilience being put in place, all organisations in the public, private and third sectors need to have resilience.
Much of the crime is not new, but technology is allowing it to be carried out in a different and more effective way and to target a wider cohort of potential victims. The growing use of AI and other emerging technologies means that that trend is set to continue and get worse, as Sharon Dowey rightly said.
How do we rise to meet those growing challenges? More focus by the Parliament—including the type of inquiry that the Criminal Justice Committee carried out—is a start. If we, as legislators, are to put in place appropriate and robust safeguards and protections, we need to develop a detailed understanding of what is happening and how that is likely to change.
The nature of these issues means that we will require a collaborative working approach between Parliaments and Governments, not just here, in the UK, but internationally. As I said, building greater cyber resilience into systems and networks across the public, private and third sectors is crucial, and we need to continually raise awareness among the public of the risks and how to minimise them.
The scale of the challenge is shown by the fact that cyber-enabled fraud is estimated to account for nearly half of all frauds in 2024-25. The committee heard that, perhaps unsurprisingly, that type of crime increasingly targets more vulnerable groups, including the elderly. The demographic trend of an ageing population and the pace at which technological change is happening are creating a perfect storm. Perpetrators evolve and adapt their techniques and tactics, making the work that is done by Police Scotland, community organisations and others through public awareness campaigns exceptionally difficult. We are dealing with the ultimate moving target. That is why the Scottish Liberal Democrats have been clear in calling for Police Scotland to have enhanced support in the area and to be given the tools that it needs.
I am grateful to the Scottish Police Authority for its briefing, which sets out many of the ways in which Police Scotland has sought to invest and adapt to the changing challenge. I suspect that, during the past decade, when there has been a bit of an obsession with officer numbers—for reasons that I understand—we have perhaps lost sight of the debate that we need to have about the types of skills and resourcing that policing requires now and into the future. Staying one step ahead of organised crime gangs and other types of criminals is not straightforward, but our police and, indeed, our entire criminal justice system need to be given a fighting chance. Others have pointed to the need for resourcing to enable that.
As an islander, I was interested in, although not surprised by, the evidence that Jude McCorry of the Cyber and Fraud Centre gave on how island communities are at a particular risk of being left without food supplies due to cyberattacks on supermarkets and supply chains.
As we try address the digital divide, we recognise that the digital space is levelling the playing field and opening up access to services in a way that is hugely beneficial, but at the same time it expands the risk of individuals and organisations being susceptible to becoming victims of fraud. As somebody who represents an island community, I see that very clearly. If we are to continue to move towards the modernisation of critical services, which is clearly necessary, we must be prepared to address the myriad of cybersecurity risks that will accompany that process.
It would be remiss of me not to return to the growing issue of online sexual violence and abuse, which has been amplified by the availability of deepfake technology and other generative AI tools, and which disproportionately impacts young women and girls. That issue has been driven largely by the rise in toxic masculinity in our society—Katy Clark made that point—and it will therefore require reform on a systemic level. Education will be key to changing attitudes, but there will also be a role for industry to play. Technology companies should not be given free rein to introduce new tools, systems or platforms into the market unless they have been built with safeguarding and responsibility in mind. Regulators must be proactive while also making clear the responsibilities and obligations on technology companies that operate in that space.
As a former member of the Criminal Justice Committee, I do not want to tell its current members what they should be doing, but it could recommend in its legacy report that future committees should return to the issue regularly. Putting my convener’s group hat on for a second, I note that it is also an issue that would benefit from cross-committee working.
For now, I thank Audrey Nicoll and the members of the committee for allowing this debate to take place. We will need to do more work on the subject, but this has been a decent start.
We now move to the open debate. I advise members that there is some time in hand.
16:14
I welcome the opportunity to speak in this debate on the very short report that the Criminal Justice Committee has published on cybercrime and cybersecurity in Scotland.
Unlike Liam McArthur, who is a former member of the committee, I am current member of the committee, but I was not a member at the time that it undertook the activity or its report. I commend the convener and my colleagues for the work that they undertook.
The report makes it clear that cybercrime is no longer a marginal or technical issue. It is now a central challenge for justice, for economic security and for democratic resilience. Although the most recent figures show a reduction in recorded cybercrime compared with the previous year, as Katy Clark set out, levels remain significantly higher now than they were before the pandemic. As Police Scotland told the committee, it estimates that cybercrime constitutes around 5 per cent of all recorded crime. Cyber-enabled offending now makes up a substantial proportion of fraud, sexual crime and threats and extortion, so its impact is very real and significant.
Even then, those figures tell only part of the story, because, as Sharon Dowey mentioned, many cybercrimes go unreported, particularly when victims feel embarrassed, uncertain or powerless—something that we know is often a feature of someone’s experience when they have been caught out by a scam.
The evidence from Age Scotland was particularly striking in highlighting the impact of cybercrime on older people. AI-enabled scams, impersonation and increasingly convincing fraudulent communications are eroding confidence and causing real distress. The fact that a significant proportion of victims do not report those crimes should concern us deeply. Prevention, education and accessible reporting mechanisms are therefore essential.
We should recognise that cybercrime does not affect all people or organisations equally. Larger institutions, such as banks, have the means and ability to invest heavily in sophisticated cyberdefences. The evidence from the financial sector illustrated the scale of the attacks that it faces and the scale of the resource that is required to defend against them. I do not denigrate the seriousness of the impact on our financial institutions, but, by comparison, small businesses, charities and individuals simply do not have their capacity, yet are also exposed to the threat of cybercrime. That imbalance is one of the challenges that we need to consider as we move forward.
The committee heard evidence from businesses such as Arnold Clark that demonstrated that even well-resourced organisations can be brought to a standstill by a single successful attack. The consequences were not limited to data loss or financial costs; individuals were affected as well—customers were stranded, staff were unable to work and essential services were disrupted. We should bear in mind that when a business is impacted, individuals are also impacted.
Cybercrime should therefore not be understood only as theft but as a form of disruption with tangible human and economic consequences. That same point applies in the public sector and has been made about the substantial attack on SEPA. Cyberattacks on local authorities, public bodies and supply chains can interrupt education, social care, food distribution and transport. In an increasingly interconnected digital environment, disruption in one system can quickly cascade into many others. I believe that that reality should concern us all, because it speaks directly to societal results.
It is important to recognise—this has been touched on in the debate—that not all cyberthreats originate from criminal networks that are motivated solely by financial gain. We now operate in a global context in which hostile state actors routinely use cyber capabilities as tools of influence, espionage and destabilisation. Attacks on public institutions, democratic processes and critical infrastructure demonstrate that cyberactivity has, sadly, become a normalised instrument of hostile state power, and Scotland is not insulated from those dynamics. Our public services, universities, research institutions and digital infrastructure are part of a wider international system. Hostile cyberactivity may not always target Scotland directly, but it can still have direct effects here through attacks on UK-wide systems and supply chains, or through disinformation, which I believe is one of the greatest challenges of our age. Such activity is designed to undermine trust in democratic institutions.
The overlap between state-sponsored cyberactivity and organised criminal methods, including ransomware and data theft, further complicates detection and response. That is why co-ordination and partnership are critical. Effective responses to cyberthreats, whether criminal or state sponsored, depend on close co-operation between Police Scotland, UK agencies, international partners and the private sector. I therefore welcome the continued engagement with the National Cyber Security Centre and the work of the CyberScotland partnership and the Scottish cyber co-ordination centre.
Liam McArthur is probably right that there has been too much emphasis on the headline figures for police officer numbers. We should be turning our attention to whether the police force and other parts of the system are properly equipped to respond to the threats that we face.
Audrey Nicoll rose—
I see that the convener wants to intervene. She may be about to make this point, but I will make my point and then hear hers.
We will have to consider the issue through the committee’s budget scrutiny of the evidence that has been provided to us thus far.
On the point that Jamie Hepburn has eloquently set out about how organisations or individuals respond, one point that came out in committee was the narration by Arnold Clark of how it responded to a unique, unusual, significant and serious event, and what should be done, particularly when a ransom is demanded. That is an important part of the overall resilience strategy.
I agree. That speaks to the need for us to ensure that Scotland continues to build its own cyber resilience. The elements that Audrey Nicoll laid out must be part of that.
The refreshed cyber resilient Scotland framework for 2025 to 2030 is an important step. Of course, that has to be matched by investment and practical support, particularly for smaller businesses, charities and community organisations, which might lack in-house expertise.
There is also a broader question about whether our legal frameworks are keeping pace with the realities of cybercrime, particularly in relation to stolen data. The harm that is caused by data breaches can be repeated and prolonged, affecting victims long after the initial attack.
Cybercrime sits at the intersection of criminal justice, economic security, national resilience and democratic trust. It is driven by organised crime, enabled by rapid technological change and, increasingly, exploited by hostile states that seek to undermine open societies. Addressing it requires more than reactive enforcement; it requires prevention, partnership, investment and public confidence. I agree with Liam McArthur that the area warrants further attention, which the Parliament should continue to give it.
16:22
I thank the Criminal Justice Committee for bringing the debate to the chamber. I am sure that I am not alone in worrying about the rise of cybercrime in Scotland. We can see from the Criminal Justice Committee’s report that cyber criminals were able to nearly double their output overnight in response to the pandemic, as their supply of in-person victims dried up.
In addition, certain crimes lend themselves much more readily to becoming cybercrimes; there is a statistical propensity for that with sexual crimes and with threats and extortion. New technologies such as deepfakes and generative AI have enabled a whole new kind of fraud and deception. Many of our constituents are worried that they or a loved one will fall victim to an AI-generated request for money, although that pales in comparison with the violation of deepfake pornographic imagery.
The Scottish Government must ensure that Police Scotland is adequately resourced and prepared, not for the crimes of the last century, but for the crimes of this century and beyond. That includes ensuring that the police have the powers to investigate and act if a new type of crime has been committed. The Parliament must be swift and flexible, and it must bring in appropriate legislation accordingly.
However, the ability to identify crime will not be enough. As often as not, the culprits are far outside the UK, and a stronger cyberdefence is paramount. Schools should be our first port of call in giving children the experience of identifying unfriendly links and invitations. That needs to be an active Government initiative, not simply a hope that teachers who are already hard stretched will be able to rise to the challenge.
Schools and community centres should also be hubs where parents and grandparents can learn what to do should their child—or even they—fall victim to cybercrime, because it will be a learning curve for us all. Maybe we should resurrect the old 1950s public information films, just to make people aware.
I, too, have been approached by many older residents who are out of their comfort zone with digital platforms. The Bank of Scotland’s decision to close the last branch in Larkhall highlighted that issue, with many feeling that in-person services were the last backstop between them and cyber criminals.
The Government should do all that it can to protect in-person banking services, in particular to prevent older constituents from falling victim to financial cybercrime. Some criminal ploys have existed for a long time—fleecing emails, for example, and malign links on social media, often in the guise of bots. However, AI has introduced a new level of capability to mislead vulnerable groups and businesses on an industrial scale.
I would hope that all my colleagues would be against those things, but I read a few weeks ago that the First Minister was in favour of the Iranian bots because they are pro-independence for some reason. That aside, at some point or another, everyone in this chamber will have been on the receiving end of abuse and insults because of some point of view that they might have held in the past. Basically, doing that on social media is a cybercrime and should never be considered acceptable.
Cybercriminality, in any shape or form, regardless of how it is manifested, is committed by calculated cold villains and no one is immune from it. The Scottish Government needs to be industrious and dynamic in its legislation to protect the public and businesses, and criminals need to be prosecuted with vigour. No doubt the worst is yet to come. As technology rapidly improves, those who are currently considered immune from AI deception may be the most vulnerable. It may be that entirely new types of cybercrime emerge that are far beyond what we can comprehend today.
We are at the start of a fantastic journey, on which we will see lots of great things. However, we should take heed, as we do not know where we will end up or what perils await in these uncharted waters.
16:27
We are all potential victims of cybercrime—and the sad fact is that thousands of people in Scotland have been. Since 2019, the annual number of recorded cybercrimes has doubled from 7,710 to just over 14,000. That is probably the tip of the iceberg, because those are only the numbers that are recorded.
We all rely on websites, apps, systems and data in our daily lives. Although they bring great benefits, the convenience comes at a cost. Cyberoffending, coupled with online harm, is increasing, whether that is people who are seeking to exploit the vulnerable or using online activities as a vehicle for offending behaviour.
It is, indeed, the growing crime of our times, which is why cyber resilience and digital safety are more important than ever. I am pleased to hear about the many Scottish Government initiatives that the cabinet secretary outlined.
Cyberthreats are evolving rapidly, technology is ever-changing and becoming more sophisticated, and it is our shared responsibility to meet the challenges that Scotland faces. That is why I was pleased that the Criminal Justice Committee took such valuable evidence to allow us to produce a report on cybercrime, which is about where we are now and where we must go in the future.
We listened to fascinating but sometimes chilling evidence from banks, charities, retailers, Police Scotland and organised crime experts about the toll that combating this ever-growing scourge is taking on them. We learned that some cyberthreats cannot realistically be fully mitigated, regardless of how much preventative spending takes place. Major systemic vulnerabilities often have roots in legacy technologies and outdated practices, so wider digital and cultural transformation is often required to tackle the underlying cause.
For other risks, making the best use of the systems and services that are already in place is often more effective and better value for money than buying in advanced security solutions.
On the plus side, there is no doubt that the digital economy is driving Scotland’s economic growth and shaping our future, and that it brings great opportunities. The Scottish Government’s approach is built on strong partnerships across sectors, reinforcing the point that collective effort is critical if we are to safeguard people and unlock the economic potential of our secure digital future. That includes continued engagement with the UK Government and the National Cyber Security Centre on reserved security matters, alongside our European partners.
That is why the Scottish cyber co-ordination centre promotes effective detection and response processes with a strategic framework. The framework details actions and supports to help people, businesses and organisations across Scotland to recognise and prepare for the inevitable cyberthreats. In addition, the centre’s cyber observatory, in particular, will be vital in alerting organisations to potential threats. The centre aims to improve incident response, recovery and intelligence sharing, and to get a much better understanding of cybersecurity.
Collaboration is at the heart of the SNP Government’s strategy, because no Government can tackle cyber challenges alone—Scotland is no exception. Speaking about the challenges of investigating cybercrime, Assistant Chief Constable Stuart Houston of Police Scotland told the committee:
“these crimes are often borderless and are, on occasion, perpetrated outwith the UK.”
He went on:
“Quite often, a network of people are involved in the larger ransomware attacks. In the past, organised crime groups would operate in networks of people who knew one another, but we need to be alive to the fact that people now often operate in networks where they have only seen someone through a screen.”
David Keenan, chief information officer with Arnold Clark, who was mentioned earlier, spoke to the committee about the impact of a major cyberattack that happened to the business in December 2022. It was a ransomware attack in which a large amount of sensitive customer and corporate employee data was stolen. The criminals deliberately planned the timing of the attack over the Christmas period, when staffing levels in the organisation would be reduced and it would take longer for staff to detect and respond to the attack.
Mr Keenan said:
“In the days immediately after the attack on Arnold Clark, when we were unable to operate our systems for a period, more than 4,000 customers were expecting to come and make use of our services. More than 700 people who had bought a car were expecting to take delivery of that vehicle. Some 2,000 people who either had their car in for a service or had booked in to have their car serviced were unable to have that work done. We were unable to provide our rental service to more than 1,500 people who had planned to make use of it, many of whom were holidaymakers who were travelling from abroad ... That was the direct impact on customers.”
He went on to say that the cyberattack also had a major impact on the wellbeing of staff of Arnold Clark and their ability to do their job. He said:
“At the time of the incident, we had well over 200 members of staff in IT, with a multimillion-pound budget and 12 members of staff who were dedicated to cybersecurity, but that still was not enough to protect us.”
He went on:
“Ultimately, a cybercriminal has to be lucky only once, but we have to be lucky against every single attack.”—[Official Report, Criminal Justice Committee, 14 May 2025; c 5, 7.]
That was a very well-made point.
In her oral evidence to the committee, the chief constable of Police Scotland, Jo Farrell, said:
“Poverty, geopolitics, cybercrime and civil unrest are driving a high level of demand, and the challenge for policing is evolving rapidly. That is illustrated by the increase in online harm and threat and in violence associated with organised crime, as well as a high level of protests. The threat is now.”—[Official Report, Criminal Justice Committee, 5 November 2025; c 26.]
That is a fitting remark to end with. The threat is now, and we must continue to innovate to find ways to combat it.
16:33
Like other members, I am delighted to speak in the debate as a member of the Criminal Justice Committee. Scotland thrives when it is confident, connected and secure in today’s world, and that means being a digitally secure and resilient nation. Digital technology can no longer be considered a separate sector of our economy. It underpins almost everything that we do, from how businesses trade and grow, how public services are delivered and how families stay in touch to how communities organise themselves. Digital systems shape our daily lives and Scotland’s future prosperity. They are driving economic growth, opening up new opportunities and helping Scotland to compete in a global stage.
As other members have said, however, that opportunity brings responsibility. As our reliance on digital technology grows, so, too, does the importance of cyber resilience and digital safety. We all depend on websites, apps, systems and data, often without even giving it a second thought. They make life more convenient, efficient and connected, yet, in a digitally connected world, convenience comes at a cost.
Cyberthreats are increasing in scale and sophistication. Incidents of cyberoffending and online harm are increasing in number, whether that is criminals seeking to exploit vulnerable people, disrupt essential services or use online activity as a gateway to wider offending. The point was made to us as a committee that such risks are no longer abstract or confined to large organisations but affect individuals, families, small businesses, charities, schools and public bodies alike. In many cases, crimes that we once thought of as traditional, such as fraud, domestic abuse, stalking and exploitation, now have a clear cyber or digital dimension.
The new reality has profound implications for policing and public safety. This morning, ahead of the debate, the Scottish Police Authority wrote to the committee about that. Police Scotland’s 2030 vision, which was launched last year, recognises the changing landscape and has a clear focus on safer communities, less crime, supported victims and a thriving workforce. Crucially, it includes a commitment to strengthen Scotland’s response to cybercrime and fraud, which includes establishing a dedicated cyber and fraud unit and developing specialist skills and training across the workforce. The SPA provides robust oversight of that work through its policing performance committee, which ensures transparency, scrutiny and public accountability.
We are already seeing tangible progress. Police Scotland has established its cyber and fraud unit, which will continue to evolve as demand grows. Work is already under way to join the UK-wide fraud and cybercrime reporting and analysis service, which will help to improve intelligence, consistency and victim support. Alongside that, the policing in a digital world programme is equipping officers and staff to respond to cybercrime using the four Ps approach: pursue, protect, prepare and prevent.
Innovation plays a vital role. The introduction of tools such as the child abuse image database, which uses face-matching technology, has transformed how officers work by using artificial intelligence to reduce the time that is spent reviewing images and to allow greater focus on identifying victims and safeguarding children. Digital forensic vans are speeding up investigations and reducing the time that people are separated from their devices. Police Scotland’s cyber alarm is supporting businesses and organisations across Scotland to identify vulnerabilities and protect themselves from attack.
We must be clear about the scale of the challenge. The number of recorded crimes with a cyber element continues to grow, and new performance measures that have been introduced by Police Scotland show a rising volume of cyber-tagged crimes. However, those figures still underestimate the true picture. Many offences, from fraud to domestic abuse, are enabled by everyday technology and leave a digital footprint, even if they are not yet consistently recorded as cyber-related. Improving our understanding of that complexity is essential if policing resources are to be effectively directed and victims are to be properly supported.
Digital forensics is therefore central to modern justice. The ability to identify, extract and present digital evidence is now integral to investigations, yet demand is increasing faster than capacity. The Scottish Police Authority continues to scrutinise Police Scotland’s approach to building a sustainable digital forensic capability, because it recognises that evidential integrity, public trust and victim confidence all depend on it. Meeting those challenges is a shared responsibility, and the Government has a vital role to play, but it cannot act alone, which is a point that has just been made by Rona Mackay. The Scottish National Party Government is determined to do everything that it can within its powers to strengthen cyber resilience. It will work closely with Police Scotland, the Scottish Police Authority, the UK Government and the National Cyber Security Centre on reserved matters, and it will work, where appropriate, with our European partners.
Our wider approach is rooted in partnership. We work with industry, academia, the third sector and local government, because collective effort is essential if we are to safeguard people and unlock the economic potential of a secure digital future. Collaboration is not an optional extra; it is the only effective response to threats that constantly evolve. That is why Scotland places such emphasis on preparedness, detection and response. The Scottish cyber co-ordination centre plays a crucial role in promoting effective incident response and recovery, which helps organisations to act quickly and confidently when incidents occur. That work is guided by the strategic framework for a cyber resilient Scotland, which was developed with partners through the CyberScotland partnership. A key development in that framework is the cyber observatory, which will strengthen intelligence sharing, improve early warning of emerging threats and help to target support to where it is needed most. Together, those efforts will help to ensure that cyber resilience is embedded across sectors rather than treated as an afterthought.
A secure digital environment builds trust. Trust enables investment. Investment supports growth and inclusion. Growth, in turn, strengthens Scotland’s ability to thrive in an increasingly digital world. Cyber resilience, at its best, fosters confidence to innovate, connect and ensure that Scotland is ready to meet the challenges of today and tomorrow. By continuing to work together, we can ensure that Scotland remains not only digitally connected but digitally secure, resilient and fit for the future.
Like other members, including Liam McArthur, I thank the Criminal Justice Committee, particularly its clerks, for allowing us to provide good scrutiny of the matter. We must continue to scrutinise it well into the future, particularly as the threat of cybercrime grows.
We move to closing speeches.
16:40
I am very grateful for the contributions that have been made during the debate. It is clear that there is a shared recognition across the chamber that cybercrime poses a profound and evolving challenge for Scotland. Where we might differ is not on the seriousness or urgency of the threat but on how we respond to it.
The committee report that we are debating is careful, evidence based and grounded in lived experience. It shows us that cybercrime is not confined to laptops and servers. Such crime reaches into every corner of our society. It disrupts businesses, undermines public services, damages mental health and erodes trust, and it does so in ways that disproportionately affect those with the least power and the fewest resources.
That is why the Scottish Greens will continue to argue that any response to cybercrime must start with people, not technology alone. Victims must be believed, supported and protected. Reporting systems must be clear, accessible and properly resourced. Prevention must be given at least as much weight as enforcement. As Liam McArthur and other members noted, that all means that the education, awareness raising and support that we provide for people must be appropriately tailored to the right audience, whether it is older people at risk of scams, young people who spend more and more of their lives in digital spaces or organisations that hold valuable data and information.
Maggie Chapman has made the point that the pathways for reporting cybercrime and cyberfraud must be as empathetic and supportive as they can be. As a number of members have observed, people often feel a sense of shame about what has happened. Particularly with elderly people, there can often be a sense that admitting to what happened might call into question their capacity, which might have wider consequences, so we must be as empathetic and supportive as we can be. However, I think that it is inevitable that it will be very difficult to get everybody to feel confident in reporting such crimes.
I absolutely agree. That is why we need to take a holistic view and ensure that everybody who supports older people has conversations to reassure those people that they will not be treated as daft or stupid and that their admissions about what happened to them will not be used as an excuse to change their care situation or anything like that. That is imperative.
Sharon Dowey, Davy Russell and other members spoke clearly about the need to ensure that Police Scotland has the resources that it needs. I want to be clear: we support investment in specialist skills, modernised systems and co-operation across borders when crime is transnational. Police Scotland, the courts and the wider justice system must be equipped for the world that we now live in, not the one that we wish still existed. That might mean having challenging conversations with some people. Policing is changing, so we cannot just do more of what we did decades ago, even if that is what some people expect or want.
As we have heard, some of our legislation will need radical updating in order to be fit for purpose. However, I will continue to sound a note of caution: cybersecurity must not become an excuse or a gateway for expanding intrusive surveillance or weakening fundamental rights. Safety that is built on fear, secrecy or overreach is not sustainable. Trust is created not by treating everyone as a potential threat, but by ensuring transparency, accountability and respect for human rights.
Several members, including Rona Mackay and Fulton MacGregor, have spoken about artificial intelligence and emerging technologies. Those developments raise urgent questions not only about how crime is committed but about how power is exercised. We must ensure that new tools do not deepen existing inequalities, embed bias or create systems that are impossible to challenge or understand.
We have also heard this afternoon, from Jamie Hepburn and others, that our public services—and, indeed, many of the other services that we all rely on at different points in our lives—are targeted by different ill-intentioned actors. We must ensure that the services—and the infrastructure that they rely on—are secure and resilient; we cannot just patch systems that are already creaking under the strain of technological advancement.
The report also reminds us that responsibility cannot rest solely with individuals. Too often, people are told to be more vigilant, to be more careful and to be more cyber aware, while operating in digital environments that are designed without their safety in mind. We need stronger expectations and regulations for organisations, platforms and suppliers to build security into systems from the outset and to take responsibility when failures occur.
Cybercrime exposes the cracks in our social and economic structures. It exploits isolation, poverty, underinvestment and digital exclusion. Therefore, addressing it effectively means addressing those underlying conditions as well.
I welcome the committee’s decision to draw Parliament’s attention to these issues, and I urge the Scottish Government to respond with ambition as well as urgency. Cyber resilience must be treated as core public infrastructure. Support for small businesses, charities and local authorities must be practical and sustained, and any legislative or policy changes must be rooted firmly in human rights and social justice. The challenge before us is not simply to become more secure but to become more just. If we rise to that challenge, Scotland can lead not only in technological resilience but in showing that safety and freedom are not opposites—they are mutually reinforcing partners.
Air ais
Protecting Children From Harm