The cyber attack on SEPA has raised questions about how our regulators regulate their internal systems, and what additional checks and balances are needed for effective environmental protection. Read more from the perspective of an ERCS trustee and former CEO of SEPA …
Background to SEPA
The Scottish Environment Protection Agency (SEPA) was created under the Environment Act 1995 and started operations as a new independent regulatory body in 1996. It brought together the roles and responsibilities of a number of previous regulators and advisers that had dealt separately with water quality, air quality and waste management, as well as radiation protection duties. New responsibilities, powers and structures, largely implementing European Union (EU) law, were added over time, including a sustainable development duty, reformed permitting and new flood management arrangements.
SEPA regulates polluters, provides flood warnings, inspects industrial operations, responds to incidents and monitors and reports on the state of our environment. To do this, it visits sites, collects data, analyses performance and produces reports, including dealing with breaches and incidents through legal channels. All SEPA’s support and management information exists, of course, in an IT system environment.
SEPA was widely acknowledged internationally as a highly competent environmental regulator. It is one of the larger bodies in its sphere and often looked to for expert and peer inputs and advice, especially through its leading role in EU and other international networks.
After a transition year and much discussion about post-Brexit governance of the environment, the UK, and Scotland with it, left the EU's legal framework when the transition period ended in January 2021. Despite some legislative reshaping of the environmental governance model for Scotland through the Continuity Act,[1] the roles of the European Commission and the Court of Justice of the EU have, as yet, not been fully or effectively replaced.
The cyber attack
In late December 2020, SEPA suffered a major criminal cyber attack which has apparently disabled the organisation's systems. The full extent of the impact is only gradually emerging. Reporting in The Ferret,[2] ENDS,[3] the BBC[4] and elsewhere has highlighted some of the problems created, the costs associated with them,[5] and the potential duration of the disruption. Many questions have been raised.
What is the full extent of what has happened? Why did it happen? What does it all actually mean? What should be done about it? When will “normal service” be resumed? Could this happen again? What should others learn from this?
Coming coincidentally in the first year outside the EU, with the EU’s overseeing environmental guards having been dismissed, and during a time of COVID, what does this tell us about how well protected we and the environment of Scotland are?
Public services across the world have had to prepare and act to protect their mission, services, reputation and customers from criminals and casual hackers for as long as the internet and IT systems have existed. We now rely on such systems for our electricity, our health, our telecommunications… and for our environmental protection. Attacks in the US, in Ireland and elsewhere have disrupted and "denied service", resulted in ransoms being demanded and paid, seriously damaged services and imposed the costs of getting those services back in place.
COVID, Brexit and the cyber attack have come together to make it virtually impossible, by the organisation's own admission, to do all the key elements of its job.[6] And while SEPA grew significantly in resource (both staffing and budget) during the years of new duties being added between 1996 and 2008, the years since the global financial crisis and continuing austerity policies may also be a significant constraint on the resilience of public services.
Any interested and concerned observer must want to know how the internal elements of this came to pass. How well protected were the critical internal systems? What did the senior management, board and government, to whom the organisation reports, know and when, and what did they do? Did the system of internal and external audit reveal vulnerabilities and what was the response to these? Did the emergency planning and resilience systems work or fail? Was this adequately resourced? When did penetration testing last happen and what did it reveal? Was the board briefed on the risks? Were they content? Ditto Scottish Government? Where indeed does oversight responsibility for organisations and the environment itself actually sit?
Where does this leave SEPA and the Scottish environment?
And what do we know now? Has the full extent of systems loss been assessed and shared with those in responsible positions? What is the estimate of when full functionality will have been restored? What data have been lost and what impact will this have on long-term monitoring, both of polluters’ performance and of the environment itself? Will it affect statutory reporting and criminal cases? How will we know what is happening in the environment if systems remain offline or data recovery is sketchy or partial? Has bad behaviour of regulated activities occurred?
Effective organisations are, of course, not just systems. They are made to work by people. So, how are staff coping? Lack of access to key resources must be very challenging. We understand that duplicate laptops, phones, email accounts and so on have been issued. What impact is this having on working methods? Combined with COVID, what has happened to inspection visits? Is the same true of environmental condition monitoring visits? Are those data available? Has compliance deteriorated or stayed the same? SEPA has said that new permits and other authorisations have been issued. If changes to existing permits are needed, can these be made?
And what is the disruption costing? SEPA charges companies to part-fund its services. We understand that extra funds have been made available to cover losses because charge payers haven't paid or can't pay. (The long-term funding model was based on the assumption that the polluter should pay, hence fees and charges on polluters and applicants to regulatory schemes to cover one notional "half", while a public good was being delivered and so the taxpayer should cover the other "half".) But the systems used to log and assess charges have apparently been undermined. The charging schemes have been a key part of the long-term demonstration of the principles of polluter pays and public benefit.
What now is happening to public complaints or incident response? Are these systems working? Scotland and the UK are still not fully compliant with European access to justice requirements and we have no human right to a healthy, safe and clean environment. Yet.
Transparency is another key principle in the authorising environment for any public body, especially a regulator, but at this point it is hard to get a full picture of what is happening. Most recently SEPA has said it could be another 18 months before it gets back to full functionality. Two years partly or fully "off-line" is a very big deal. Do we know what we don't know? And is that a cause for concern? The new kid on the block, the guard of the guards policing environmental performance in the EU Commission's stead, Environmental Standards Scotland (ESS), is just getting started and may well be able to play a significant role in helping ensure environmental law is observed in letter and spirit. ESS should help to address complaints and failures and generally tighten any looseness in governance and oversight, if powers and budgets allow, and subject to how it fits with the existing elements of the governance system.
For now, without robust oversight and governance, and lacking the supranational oversight of the EU systems now gone, how confident can we be that all is well and that the environment, Scotland's long-term core underpinning asset of clean water, air and land and of well, sustainably and safely managed resources, is truly being protected? We have to hope that now everyone really is paying attention. It rather seems that the case already set out for a coherent suite of actions, namely agency- and Scotland-level governance reform, a new commission, a new court and a much more engaged public fully possessed and aware of their rights, has been made.
Campbell Gemmell is an ERCS trustee, international environmental consultant and visiting Professor at Strathclyde University Law School. He is also a former CEO of both SEPA and the South Australian EPA.
[1] UK Withdrawal from the European Union (Continuity) (Scotland) Act 2021.
[2] The Ferret, 16 June 2021: https://theferret.scot/cyber-attack-cost-environment-watchdog-2-5m/
[3] ENDS Report: Exclusive: SEPA chief says cyber attack recovery will take years.
[4] BBC News, 23 June 2021: Sepa cyber attack recovery could take years.
[5] The Scottish Government has already provided £2.5m but total costs seem likely to be substantially greater.
[6] SEPA website, 28 June 2021: https://www.sepa.org.uk/about-us/cyber-attack/ and "Approach to the delivery of services until 30th June 2021".