As the Scottish independence debate heats up, much attention has been focused on defence and how an independent Scotland could defend itself in the modern world.
This discussion has been largely limited to the military hardware, bases and personnel that would be needed, as well as the risks and opportunities linked to the move from UK armed forces to a Scottish defence force.
Less attention has been focused on the security of an independent Scotland's national IT infrastructure. This is a critical aspect of a modern nation's defences. What could an independent Scotland's cyber security strategy look like? Who would deal with cyber security in the event of independence?
Loading article content
The Scottish Government's White Paper says a single security and intelligence agency would have responsibility for cyber security functions. This new agency would, through necessity, maintain a close relationship with the existing UK intelligence agencies. In the short term, any Scottish Intelligence Agency would co-operate closely with GCHQ.
The first step with any security strategy is figuring out what can and should be defended and the threats that apply to assets. In the Scottish context, the principal resource to be defended would be Scottish commercial and economic interests such as intellectual property and energy systems.
This is in contrast with the rest of the UK, which has a clear focus on foreign and domestic counter-terrorism and counter-insurgency activity. Clearly, the move to an independent government would lead to a change in priorities for the security services, which could include:
l Moving away from mass surveillance and a dragnet approach to intelligence gathering.
l Concentrating cyber security defences on critical economic and commercial interests, building on the experience of other European countries such as Estonia. Estonia is considered to be the world leader in national cyber defence after a co-ordinated Russian cyber attack in 2007.
l Making domestic counter-insurgency and counter-terrorism work, such as that undertaken by GCHQ and MI5, less of a priority.
l Supervision of the intelligence service becoming open and democratically accountable.
There are significant caveats around a Scottish Intelligence Agency's room for manoeuvre on some of these points. The physical network layout throughout Scotland and the UK means that very few connections from other countries land in Scotland, with most landing in Cornwall near GCHQ's listening post at Bude. This means that, at least in the medium term, internet and corporate network traffic would be subject to UK Government surveillance, regardless of the wishes of the Scottish Government. It is likely that a condition of support from allied intelligence agencies would be co-operation in sharing signals intelligence with other agencies.
Should Scotland reject independence, it is unlikely that much will change in terms of the existing cyber security apparatus. GCHQ is home to some of the most brilliant minds in IT security who are a considerable asset to the UK. By remaining in the Union, it could be argued that Scotland would continue to gain access to top-quality security services with, collectively, a great deal of experience in national cyber defence.
There are, of course, risks associated with remaining under the present security regime. Principally, this is around the concentration on counter-terrorism. While there is little doubt that the UK as a whole is a significant target for traditional and electronic terrorism, it is not at all clear that Scotland also faces the same level of threat. With the concentration of cyber security resources in the South of England, Scottish commercial and economic assets could be exposed to greater threat under the present regime than in a more focused framework.
Whichever way the vote goes, it is clear that there are opportunities and risks for Scotland on both sides.