Cyber action plan for Wales: integrated impact assessment

In narrative form, please describe the issue and the action proposed by the Welsh Government. How have you applied / will you apply the five ways of working in the Well-being of Future Generations (Wales) Act 2015 to the proposed action, throughout the policy and delivery cycle?

In March of 2021 Welsh Government published its Digital Strategy for Wales. The strategy set out the overall vision for using a digital approach across sectors and Wales to ensure people experience modern, efficient, and streamlined public services. At its core, the strategy aims to stimulate innovation and help businesses succeed in a modern world, ensure people have the confidence they need to engage with their communities and build the knowledge and skills that people of all ages need to join the digital workplace and economy. The strategy is structured around the following six missions: Digital Services, Digital Inclusion, Digital Skills, Digital Economy, Digital Connectivity, and Data and Collaboration. Combined, the missions aim to generate improvements in all aspects of provision.

The Digital Services and Digital Economy missions acknowledge that for the strategy to succeed there needs to be a clear statement that sets out the ambitions, vision and activity for cyber in Wales. Specifically, the Delivery Plan, launched alongside the strategy, commits to publishing a Cyber Action Plan for Wales to bring together a coherent statement of ambition and activity on cyber in Wales. 

The challenges of the past few years have demonstrated the importance of digital in our lives. Digital tools and technologies are now often central to the way we learn, work, access public services and do business. Our reliance on digital, however, has also led to a stark increase in the risk of cyber-attacks which are becoming ever more common and sophisticated. Effective cyber defence and resilience, a strong cyber business sector and people, businesses and public servants who are cyber aware are crucial to achieving this. 

The Cyber Action Plan pulls these threads together and for the purposes of the plan, ‘cyber’ has multiple facets. It means that the people of Wales feel confident to be safe and legal online. It means that our businesses and public sector organisations are as productive, efficient, and resilient as possible. It means that people trust the digital public services available and the organisations operating them. It also means that our economy thrives from nurturing the industries of the future and that we are growing the right skills and talent here in Wales to support our cyber ecosystem. Cyber security underpins and provides the foundations for these goals to be realised.

Long term

The Cyber Action Plan will address four interlinked priority areas to ensure Wales is able to embrace and benefit from innovation in digital and cyber, while as a nation we are as resilient to cyber threats as we can be:

1. Growing our cyber ecosystem

Growing our cyber ecosystem supports our economic goals and will make us a more secure nation. The stronger our cyber sector in Wales, the stronger our national resilience and response to threat.

2. Building a pipeline of cyber talent

To grow our cyber ecosystem and to support the safety of our citizens, business and public services, we need a skilled workforce in Wales that are confident in the use of data, digital, technology and cyber security.

3. Strengthening our cyber resilience

Being cyber resilient means that people and organisations need to have the ability to prepare for, detect, respond to and recover from cyber-attacks. It is fundamental to achieving our vision, to our economic goals and ultimately to our national security.

4. Protecting our public services

The Digital Strategy for Wales contains a commitment to transform and improve public sector digital services, designed around user needs. Cyber security and service resilience needs to be baked into how services are designed and delivered to ensure they are trusted and as safe and secure as they can be.

People, government, and businesses are increasingly adopting a digital approach in the way they operate and engage with one another. The innovative and fast-paced nature of digital means that it is difficult to accurately predict how it will develop in the future and the challenges that may present themselves.

The speed at which innovation occurs will require regular reviews of the Cyber Action Plan to ensure it reflects emerging issues.

Prevention

The ability of organisations and services to identify, protect, detect, respond and recover from cyber threats and incidents sets the foundations to be able to fully exploit the benefits of digital. The Cyber Action Plan reinforces the importance of cyber security in the way people and businesses operate to help prevent or mitigate the damages and disruptions associated with cyber-attacks such as financial loss, reputational damage, loss of data/trust and national security concerns.

Working together now, across the boundaries between UK Government, Welsh Government, Local Authorities and other public bodies and services on cyber resilience will ensure the security of our digital public services and a higher likelihood that they will be protected from cyber-attacks and able to recover more quickly.

Integration

The goals of the Cyber Action Plan can only be delivered through collaboration and integration. In line with the Digital Strategy for Wales, the plan is designed to bring together the collective efforts and integrated working across the public sector, arm’s-length bodies, academia, business, education providers and cyber industry partners and experts. This includes working with UK Government departments on non-devolved matters, such as national security, to ensure Wales’ interests are heard and considered.

The action plan sets out how together we can grow Wales’ cyber ecosystem, build a pipeline of cyber talent, strengthen our cyber resilience, and protect our public services. These actions will help us collectively meet our objectives and the Well-being goals.

In developing the plan, we have identified interdependencies between the objectives and actions proposed across the different sectors. The plan aims to maximise the interdependencies between our existing projects and investments in cyber to achieve greater outcomes for Wales. We will do this through collaborative working and joint action.

Collaboration

We have taken an iterative and collaborative approach to the development of the Cyber Action Plan. Activity related to cyber crosses multiple government portfolios and the Cyber Action Plan has been developed and refined in collaboration with officials across the Welsh Government, the Centre for Digital Public Services and the Welsh Local Government Association (WLGA) through a Cyber Programme Board.

The Cyber Action Plan also supports the missions under the Digital Strategy for Wales which cut across all Ministerial portfolios. The Digital Strategy for Wales was likewise developed and refined in collaboration with officials across the Welsh Government and with key stakeholders from across the public, private and third sectors in Wales.

Involvement

The action plan has been refined through engagement with interested stakeholders across Wales. Continued engagement will support regular reviews of the plan to ensure it remains relevant and deliverable for Wales. The delivery of the plan relies on joint efforts between government, public services, academia and industry.

Officials have also engaged with key external experts and relevant stakeholder groups through various mechanisms when developing the plan. An initial analysis of existing work was carried out and multiple external engagement events have been held to test the vision, priority areas and actions with interested stakeholders. This included an industry roundtable comprising representatives from industry, academia, skills, education, law enforcement, local government, UK Government, National Cyber Security Centre (NCSC), Chief Digital Officers and others.

Engagement with further groups has included SOCITM Cymru, Wales Warning, Advice and Reporting Point (WARP), Welsh Government Sponsored Bodies IT representatives, Digital Inclusion stakeholders, Digital Learning Cymru and the Wales Cyber Resilience Centre.

The development and aims of the Cyber Action Plan have also been subject to a blog published on the Welsh Government Chief Digital Officer’s blog. The intention is that further blogs to share some of the good work happening in Wales will be published in the lead up to the launch of the Cyber Action Plan. 

Stakeholders identified some key areas as being important for the success of the priorities identified. The need to include talent in the vision was raised to underline the importance of having the right skills in enabling the other benefits alongside ensuring the focus was wider than education, children and young people and provided opportunities for people of all ages. In addition, it was suggested that the plan should articulate the connections between the priority areas and the interdependencies between them.

In response to the feedback, we have ensured that the importance of talent has been recognised by including it within the vision statement and that the interdependencies that exist between the priority areas have been explicitly noted and an explanation on how they interact with one another. We have also ensured the breadth of opportunities for people of all ages to explore a career in cyber is considered and articulated.

Impact

To support and realise the benefits of digital change, Wales needs to ensure it is maximising the opportunities afforded by all areas of digital, including cyber. Cyber not only has the potential to grow our economy through a thriving cyber sector, it makes us safer as a nation. Innovation in digital must be underpinned by resilience to protect people, public services and businesses from cyber-attacks and hostile actors. These aspects are supported by having the cyber talent and skills which create opportunities for people of all ages.  

Damage from cyber-attacks can have lasting consequences beyond the initial direct loss of finances/data/reputation of an organisation.  Reduced confidence amongst the public and businesses will cause lasting damage on the economy and would disproportionately impact the vulnerable of society who rely more heavily on public services.

A joined-up and collaborative approach between cyber industry, government and academia will be essential in ensuring individuals, organisations and businesses know how to be as secure as possible in the digital space. This will involve:

• strengthening existing works and investments;
• maximising our partnerships and bringing together the different stakeholders operating in the cyber ecosystem;
• influence and promote cyber advice – encouraging collaborative working amongst stakeholders and provide a recognised voice for Wales’ security needs; and,
• support organisations and public services to understand the cyber security implications of emerging and wider technologies.

Costs and savings

The Cyber Action Plan does not commit any additional funding in its own right but, instead, provides direction for extracting the best value from our existing and future work and investments.

The change to digital services can provide considerable efficiency savings in how organisations operate, but failure to ensure their resilience to cyberattacks are equally as damaging. For example, the WannaCry attack on the NHS in 2017 cost the organisation £92m in cancelled appointments. Ensuring cyber resilience and preparedness can mitigate the probability of a successful attack and the cost of recovering from one.

Mechanism

No legislation is proposed. The Cyber Action Plan sets out the actions which will support the delivery of the ambitions articulated in its vision. The plan will be updated to reflect changing priorities and needs throughout the lifespan of the plan.

How have people most likely to be affected by the proposal been involved in developing it?

The Cyber Action Plan has been developed through engagement and collaboration with stakeholders and cyber subject matter experts. The Cyber Action Plan will support the delivery of the Digital Strategy for Wales which was developed following extensive engagement with stakeholders, including the public sector, private sector, third sector, businesses and the public and interest groups including those representing children, those who are disabled and groups from a range of diverse backgrounds. 

The general public have not been involved in the development of this proposal as the plan seeks to enhance the delivery approach of cyber across a range of sectors. Instead, the Cyber Action Plan has focused on engaging with the stakeholders that will contribute to the delivery and success of the plan or represent the groups on which it may impact. These include public sector organisations, the private sector, businesses, academia and industry experts. In addition, blog posts have also been utilised to reach further engagement from interested stakeholders.

What are the most significant impacts, positive and negative?

Although the Cyber Action Plan is not likely to have a substantial direct impact on its own, the improved coordination, collaboration and direction of growing our cyber ecosystem, building a pipeline of cyber talent, strengthening our cyber resilience and protecting our public services will have a meaningful impact on enhancing outcomes in each of these areas.

The four priority areas of the plan are interlinked and interdependent with improvements in each area providing a benefit to one another. Partnerships between industry and academia can provide insight into how new technologies can support us and improve the resilience of businesses and public services. In turn, that fosters the creation of new cyber companies in Wales and supports the growth of our economy. Co-ordinating and building a pipeline of cyber talent will feed this growth, bolstering our resilience and security, provide meaningful skilled employment to the people of Wales, improving their ability to remain safe and legal online and enhance our nation’s security. These all come together to create an attractive environment for inward investment providing a further boost to our cyber-ecosystem.

It’s the bringing of these priority areas together that provide the biggest impact of the Cyber Action Plan, ensuring they are harmonised and aren’t developed in isolation - allowing them to maximise each other’s impact whilst being under-pinned by being as secure as we can as a nation.

In light of the impacts identified, how will the proposal:

• Maximise contribution to our well-being objectives and the seven well-being goals, and/or,
• Avoid, reduce or mitigate any negative impacts?

Although indirectly, the Cyber Action Plan contributes and touches upon all the national well-being goals. Cyber innovation and talent can lead to greater economic opportunities and a more prosperous and resilient society. Improvements in people’s confidence and skills to engage digitally and safely online will improve social cohesion, create a more healthy and equal society through accessing digital public services and support the use of the Welsh Language.

Potential increases in remote working, better use of data and implementation of technology can help support reductions in carbon usage, which will contribute to the efforts to reduce climate change.

Ensuring our digital public and third sector services are as safe, secure, and resilient as they can will support the ways of working described in the Well-being of Future Generations (Wales) Act. Digital public services provide the opportunity to provide efficient, long-term consistent experiences for citizens.

However, the Plan will not deliver these benefits on their own but through the on-going individual projects and investments. The impacts of those actions will be fully assessed as necessary.

How will the impact of the proposal be monitored and evaluated as it progresses and when it concludes? 

While the Welsh Government has a clear leadership role in the delivery of this action plan, we cannot achieve this alone. It requires a whole of society approach and the collective efforts of public services, industry, academia, law enforcement and government at a local, national and UK level including Arm’s-Length and Sponsored Bodies.

Some matters in the plan are non-devolved; however, to deliver the plan we must embrace partnership working, collaboration and coordination across sectors and with the UK Government, breaking down existing silos to reach our ambitions.

As the Welsh Government we will review and monitor this action plan. We will also work with partners to measure the implementation of the plan and update on its progress.

The Rights of Children and Young Persons (Wales) Measure 2011 places a duty on the Welsh Ministers to pay due regard to the United Nations Convention on the Rights of the Child (UNCRC) and its Optional Protocols when exercising any of their functions.

Policy objectives

The Cyber Action Plan has been developed to address the need for a clear statement that sets out the ambitions, activity, safety, and security required to support digital change as identified by the Digital Strategy for Wales.

The Cyber Action Plan will not have a direct impact on children and young people. However, it does set direction and ambition for current and future activity across Wales’ cyber ecosystem and portfolio areas, supporting the goals of the Digital Strategy for Wales. The main impacts will be from enhanced outcomes of existing work and investments which will have an indirect benefit on children and young people.

Gathering evidence and engaging with children and young people

In preparing the Cyber Action Plan engagement has taken place with key external industry experts and relevant stakeholder groups through various mechanisms including; industry expert roundtables, Welsh Government Sponsored Bodies sub-group meetings, briefing sessions with members from Society for innovation, technology and modernisation (SOCITM), the Wales Warning, Advice and Reporting Point (WARP) and the Welsh Government’s Digital Inclusion Programme Board made up of external stakeholders related to digital inclusion. This is alongside collaboration with UK Government and the National Cyber Security Council and publishing blogs on the development of the plan.

The Cyber Action Plan has not directly engaged with children and young people, but has engaged with organisations that work within education such as Digital Learning Cymru. The plan’s proposed collaborative approach to cyber with our partners will help identify opportunities to, and improve, communication with children and young people on potential future impacts.

Analysing the evidence and assessing the impact

The action plan enhances a number of United Nations Convention on the Rights of the Child (UNCRC) articles.

Article 16: Right to privacy

The improvement of digital skills and confidence in using digital services supports children’s rights to privacy. Ensuring children and young people understand how the information about themselves they put online or create through using digital services is key to helping them make informed, ethical choices about how much they put online, and how to deal problems if they occur.

Article 17: Right to access information via the media

The media is increasingly moving away from traditional channels into the digital space; ensuring that all children have the skills and confidence to safely go online, and an understanding of the benefits and limitations of online media are key to them being able to access information from the media.

Article 23: Children with disabilities accessing services and engage with their wider communities

Ensuring resilience and trust in new digital services, that will meet stringent accessibility services, will ensure that children who are disabled will be able to access digital services independently wherever possible. Ensuring all children have appropriate skills and confidence to go online will also support disabled children to engage with their communities, including online or digital communities.

Article 24: Right to the best possible health, and health care

Although this is an indirect impact – ensuring resilience and embedding disaster planning within digital services will ensure access to health care is uninterrupted by cyber threats and increases trust and confidence in using digital service methods.

Article 28: Right to an education

The pandemic has shown how important digital skills in general are for children’s education. Ensuring children have the right skills to access digital educational resources and the confidence to do so support their right to an education.

Article 31: Right to leisure, play and culture

Digital provides many opportunities for leisure, play and culture; from online gaming to virtual tours of cultural sites and collections. Ensuring children have the ability, skills and confidence to go online safely is essential to protect their rights to access leisure, play and culture in the digital age.

Articles 34 and 36: Protection from sexual and other forms of exploitation

Developing good digital skills, confidence and online safety awareness will help protect children from all forms of exploitation. Co-operation on a national level enhances this further with legislation such as the Online Safety Bill which is specifically aimed to enhance safety online.

Ministerial advice and decision

As explained above, the Cyber Action Plan does not have a direct impact, but instead will provide indirect impacts through improved outcomes of existing work and investments. This will be made clear within the advice provided. 

Communicating with children and young people

If you have sought children and young people’s views on your proposal, how will you inform them of the outcome?

Not applicable.

If your policy affects children and young people, remember to produce child-friendly versions of any public document relating to your proposal. Please contact the Children’s Branch for further advice.

Monitoring and review

It is essential to revisit your CRIAs to identify whether the impacts that you originally identified came to fruition, and whether there were any unintended consequences.

Where you are taking forward secondary legislation, it will not be sufficient to rely on the CRIA for the primary legislation; you will need to update the CRIA to consider how the details of the proposals in the regulations or guidance may affect children.

The policy lead can revisit the published version of their CRIA, rename it as a review of the original CRIA, and update the evidence of impact. The reviewed impact assessment should be presented to Ministers with any proposals to amend the policy, practice or guidance. This review CRIA should also be published.

Please outline what monitoring and review mechanism you will put in place to review this CRIA. 

Following this review, are there any revisions required to the policy or its implementation?

While Welsh Government has a clear leadership role, alongside UK Government, in the delivery of this action plan, it cannot be achieved alone. It requires a whole of society approach and the collective efforts of public services, industry, academia, law enforcement and government at a local, national and UK level including Arm’s Length and Sponsored Bodies.

As a devolved government we can consider the levers available to us, however, the success of this plan depends on more than those levers in isolation. To deliver this action plan we must embrace partnership working, collaboration and coordination across sectors; breaking down existing silos to reach our ambitions.

As the Welsh Government we will review and monitor this action plan. We will also work with partners to measure the implementation of the plan and update on its progress.