Gone Phishing: Wales’ approach to cyber security

Published 29/05/2024   |   Reading Time minutes

Cybercrime is an evolving issue, with the UK’s National Cyber Security Centre's (NCSC) latest annual report highlighting increasing threats from state-aligned actors and artificial intelligence (AI). The report details threats from state-aligned actors, such as in China, Russia, Iran and North Korea, and other general threats from ransomware and cyber-enabled fraud. It also warns advances in AI technology will “almost certainly sharply increase the speed and scale of some attacks”.

The UK’s Cyber Security Strategy says the Welsh Government has responsibility to ensure devolved public services, such as health and education “are resilient to cyber risks”. The impacts of cybercrime are being felt within these devolved areas, with infrastructure such as the NHS 111 system and the Welsh Language Commissioner’s Office being targeted. The risks associated with attacks depend on the motivation of the perpetrator and can include the compromising of personal information or vital software being taken offline

Effectively addressing these issues requires international cooperation as threats can emerge from any country and can affect a number of nations.

This article considers the Welsh Government’s response to this global issue and summarises developments at the Senedd.

Welsh Government’s approach to cyber security

Cyber security is largely the responsibility of the UK Government, as the prevention, detection and investigation of crime, as well as national security are reserved matters. However, the list of First Minister’s responsibilities does include “national security, including counterterrorism and cyber security”.

In his previous role as Minister for Economy, Vaughan Gething MS, brought forward the Cyber Action Plan in 2023. It has four key priorities, which are to:

  1. Grow our cyber ecosystem;
  2. Build a pipeline of cyber talent;
  3. Strengthen Wales’s cyber resilience; and
  4. Protect Wales’s public services.

The different elements of the Plan, such as workforce, resilience and economy, are described as “not mutually exclusive”, and it explains that a thriving cyber sector, supported by skilled staff, is necessary to create resilient businesses and public services in Wales.

In May 2022, the Welsh Government announced £3 million over two years in a Cyber Innovation Hub to “help Wales to become a global leader” in the sector.

The Hub is led by Cardiff University with partners including Airbus, Alacrity Cyber, CGI, Thales NDEC, Tramshed Tech, and the University of South Wales. The Welsh Government also stated that by 2030, the Hub would have:

  • Grown the cyber security sector in Wales by more than 50% in terms of volume of businesses;
  • Attracted more than £20 million in private equity investment to scale around 50% of these businesses; and
  • Trained more than 1,000 cyber-skilled individuals.

The Hub published its inaugural annual report in November 2023 and, while it did not reference the above targets, it did outline actions to shape its skills and challenge-led innovation programme, which seeks to address cyber-related issues raised directly by businesses.

In 2024, Trade and Invest Walessaid “we have one of the biggest cyber security ecosystems in the UK, and one of the strongest in Europe”.

Cyber security is also prioritised within the Welsh Government’s International Strategy as one of three centres of excellence (alongside compound-semiconductors and the creative industries of television and film).

Developments at the Senedd

During a statement on tech and cyber sectors in June 2023, Members welcomed both the Cyber Action Plan and Cyber Innovation Hub.

Cyber-attacks continue to be highlighted during Senedd proceedings. These include the mass hack which affected BBC, British Airways and Boots, as well as the need for contingencies against risks posed by Russian or possibly Chinese-based hackers.

The Welsh Government has also been the subject of an attempted hack in April 2024, although the Trefnydd and Chief Whip, Jane Hutt MS, said investigations showed “no evidence that information held on our network was compromised”. She also said the Welsh Government is reviewing its cyber security controls to determine whether additional defensive measures are required, although there has been no further comment on the status of the review.

In 2022, the Economy, Trade and Rural Affairs (ETRA) Committee, wrote to the former First Minister, Mark Drakeford MS as part of its international agreements scrutiny. His response covered a range of actions, including engagement with Welsh public services to “encourage an organisational culture where cyber is everyone’s business”. Initiatives aimed at skills and learning, such as cyber security apprenticeships and adult employability programmes, were also listed.

Former Senedd Commissioner, Ken Skates MS, also set out steps taken to protect the Senedd’s own infrastructure at the Public Accounts and Public Administration Committee in October 2023.

International framework

In addition to developments in Wales, international cooperation remains key to effectively tackling cybercrime. Below are examples of key international agreements.

Welsh Government’s Bilateral International Agreements

Cyber security cooperation features in the Welsh Government’s bilateral international agreements with Brittany and Silesia.

Budapest Convention

The Council of Europe’s Budapest Convention “provides a legal framework for international cooperation”. 72 states, including the UK, are party to the Convention and 21 have signed or been invited to accede. The Legislation, Justice and Constitution Committee considered its second protocol in 2022.

UK-EU Trade and Cooperation Agreement (TCA)

The UK-EU TCA provides for cooperation on cyber security, in relation to international security, security of emerging technologies, internet governance, cyber security, cyber defence and cybercrime. As part of the TCA’s commitment to “establish a regular dialogue in order to exchange information”, the first cyber dialogue was held on 14 December 2023 in Brussels, with the next due to be held in London in 2024. Welsh Government officials were not listed as in attendance.

United Nations

Negotiations on a UN treaty on countering cybercrime started in 2021 but states have not found consensus on a number issues, including human rights and security concerns. Talks are due to reconvene in July 2024.

Conclusion

The Welsh Government developed its own cyber security strategy which seeks to protect Welsh public services while using the sector as an economic driver. However, its approach is contextualised within the broader landscape of UK and international action to tackle cybercrime.

The new First Minister has, in former statements on the Welsh Government’s Cyber Action Plan, made clear its global ambitions for the sector. He described the opening of a national security operations centre (SOC) as “a vital part of our Cyber Action Plan for Wales, which – one year since its launch – is making good progress to protect public services and strengthen cyber resilience and preparedness”. The SOC aims to help key services continue operations during a cyber-attack.

Whilst initiatives are subject to change, time will tell if current plans keep pace with this evolving technology.


Article by Madelaine Phillips, Senedd Research, Welsh Parliament