On Christmas Eve last year, the Scottish Environment Protection Agency (Sepa) suffered a major criminal cyber-attack, the impacts of which are still not totally clear. Sepa has lost £2.5 million in income from industry permits and inspections, and it could be 2023 before it is fully operational.
By Sepa’s own admission, Brexit, Covid and the cyber-attack have come together to make it virtually impossible to do all the key elements of its job.
Sepa was widely acknowledged internationally as a highly competent environmental regulator, playing a leading role in the EU as expert advisor and partner. It started in 1996, and new responsibilities, powers and structures, largely implementing European Union (EU) law, were added to its mandate over time. It regulates polluters, provides flood warnings, inspects industrial operations, responds to incidents and monitors and reports on the state of our environment. To do this, it visits sites, collects data, analyses performance and produces reports, including dealing with breaches and incidents through legal channels. All Sepa’s support and management information exists, of course, in an IT system.
Public services across the world have had to protect their mission, services, reputation and customers from criminals and casual hackers for as long as the internet and IT systems have existed. The attack therefore raises lots of questions around how this cyber-attack came to pass and how resilient Sepa was. How well protected were the critical systems? What did the senior management, board and the Government, to whom the organisation reports, know? When? And what did they do?
And what do we know now? What data has been lost? What impact will this have on long-term monitoring, both of polluters’ performance and of the environment itself?
With Sepa saying it could be another 18 months before it gets back to full functionality, two years partly or fully “off-line” is a very big deal.
Scotland left the EU in January. Despite some provisions in the Continuity Act, the critical roles of the European Commission and the Court of Justice of the EU have, as yet, not been fully or effectively replaced.
Environmental Standards Scotland (ESS) is the new kid on the block, set up by Scottish Government to police environmental performance in the EU Commission’s stead. It is just getting started and should play a significant role in helping ensure environmental law is observed in letter and spirit … in due course and if powers and budgets allow.
But what now is happening to public complaints or incident response? Are these systems working? Scotland and the UK are still not fully compliant with European access to justice requirements and we have no human right to a healthy, safe and clean environment. Yet.
For now, without robust oversight and governance, how confident can we be that all is well and that the environment – Scotland’s long-term core underpinning asset of clean water, air and land, and of well, sustainably and safely managed resources – is truly being protected? We have to hope that now everyone really is paying attention.
Campbell Gemmell is an Environmental Rights Centre for Scotland trustee, international environmental consultant and visiting Professor at Strathclyde University Law School as well as a former CEO of both Sepa and the South Australian EPA.
A more detailed version of this blog is available on https://www.ercs.scot/blog/Sepa-cyber-attacks-and-scotland-unprotected/.