By Professor Campbell Gemmell
ON Christmas Eve last year, the Scottish Environment Protection Agency (Sepa) suffered a major criminal cyber-attack, the impacts of which are still not totally clear. Sepa has lost £2.5 million in income from industry permits and inspections, and it could be 2023 before it is fully operational.
By Sepa’s own admission Brexit, Covid and the cyber-attack have come together to make it virtually impossible to do all the key elements of its job.
Sepa was widely acknowledged internationally as a highly competent environmental regulator, playing a leading role in the EU as expert advisor and partner. Started in 1996, new responsibilities, powers and structures, largely implementing European Union (EU) law were added to its mandate over time. It regulates polluters, provides flood warnings, inspects industrial operations, responds to incidents and monitors and reports on the state of our environment. To do this, it visits sites, collects data, analyses performance and produces reports, including dealing with breaches and incidents through legal channels. All Sepa’s support and management information exists, of course, in an IT system.
Public services across the world have had to protect their mission, services, reputation and customers from criminals and casual hackers for as long as the internet and IT systems have existed. The attack therefore raises lots of questions around how this cyber-attack came to pass and how resilient Sepa was. How well protected were the critical systems? What did the senior management, board and the Government, to whom the organisation reports, know? When? And what did they do?
And what do we know now? What data has been lost? What impact will this have on long-term monitoring, both of polluters’ performance and of the environment itself?
With Sepa saying it could be another 18 months before it gets back to full functionality, two years partly or fully “off-line” is a very big deal.
Scotland left the EU in January. Despite some provisions in the Continuity Act, the critical roles of the European Commission and the Court of Justice of the EU have, as yet, not been fully or effectively replaced.
Environmental Standards Scotland (ESS) is the new kid on the block, set up by Scottish Government to police environmental performance in the EU Commission’s stead. It is just getting started and should play a significant role in helping ensure environmental law is observed in letter and spirit ... in due course and if powers and budgets allow.
But what now is happening to public complaints or incident response? Are these systems working? Scotland and the UK are still not fully compliant with European access to justice requirements and we have no human right to a healthy, safe and clean environment. Yet.
For now, without robust oversight and governance, how confident can we be that all is well and that the environment – Scotland’s long-term core underpinning asset of clean water and air and land and well and sustainably and safely managed resources – is truly being protected? We have to hope that now everyone really is paying attention.
Campbell Gemmell is an Environmental Rights Centre for Scotland trustee, international environmental consultant and visiting Professor at Strathclyde University Law School as well as a former CEO of both Sepa and the South Australian EPA.
A more detailed version of this blog is available on https://www.ercs.scot/blog/Sepa-cyber-attacks-and-scotland-unprotected/.
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules here