
GUEST BLOG: Ten reasons why Brexit could affect cyber security

By Business & Finance
21 June 2016

By Paul C. Dwyer, 
president, International Cyber Threat Task Force

At ICTTF we say, “It takes a network to defeat a network”. The bad guys work as a network … and the good guys need to do the same.

Here are ten reasons Brexit is not good for cyber security in the UK, or indeed the EU.

1. CYBER LAWS CHAOS

The cornerstone of ‘cyber law’ in the UK is the Data Protection Act (DPA). This was written in 1995 and to put the year into context, it was three years before Google was incorporated.

Legislation is struggling to catch up with innovation. It is planned to morph and develop the DPA into the General Data Protection Regulation (GDPR) on May 25th 2018. The concept is an even-handed, holistic approach to data protection across the EU, and the legislation now has the added teeth of eye-watering fines of up to 4% of global turnover or €20m.

We really are dealing with an interesting timing issue on these aspects. What I mean is that this cocktail of legislation is going to create an even greater challenge for UK businesses. For example, let’s throw in the new Directive for Police and Criminal Justice that is set for May 6th 2018.

Now for the big kicker: the ‘cyber directive’, that is the Network and Information Security (NIS) Directive, comes into play in August this year.

Based on the Lisbon treaty, even if the vote on June 23rd is deemed ‘notice’ of leaving Europe, this legislation would still apply for a period, as there is a minimum two-year notice period to leave the EU.

The pro-Brexit group may say that leaving the EU means not having to comply with, or be concerned with, this kind of legislation. However, nothing could be further from the truth.

Look at the timing: it will still apply during any potential notice period, and of course common sense would dictate that the UK would still like to do business with the EU even in a post-Brexit era. This means UK companies processing the information of EU citizens will still have to comply, but can only influence further policy developments from outside the camp.

2. B2B CYBER INTELLIGENCE SHARING 

One of the most positive aspects of the upcoming NIS Directive is that it will act as a positive catalyst for businesses to share cyber threat intelligence. The ‘me today, you tomorrow’ acknowledgement of a pan-European cyber neighbourhood watch for business, sharing and exchanging actionable cyber intelligence via a competent authority framework is a huge step against the bad guys. The UK not being ‘in’ would of course diminish the effectiveness and capacity of that aspect.

3. LAW ENFORCEMENT – CYBER INTELLIGENCE SHARING 

The European Cybercrime Centre (EC3) and Joint Cybercrime Action Taskforce (J-CAT) initiatives are the poster children for how law enforcement can successfully collaborate in dealing with cyber threats across Europe.

The Secure Information Exchange Network Application (SIENA) enables that process, and if the UK is no longer part of that, it will have negative consequences.

4. THE GEOPOLITICS FACTOR

Geopolitics plays a direct role in cyber threats. What happens in the real ‘physical’ world from a political standpoint immediately affects the cyber ‘virtual’ world.


Many recent cases come to mind, including the Ukraine, where US companies were attacked online. Physical borders being reinstated, and other real-world nuances, could feed into the ideology of online groups, or simply those wishing to be part of an online protest. We observe these ideologically motivated cyber threats from countless sources, including the Syrian Electronic Army, ISIS and splinter groups from other major groups such as Anonymous.

5. PROTECTING CNI

On December 23rd 2015, the electricity grid of the Ukraine suffered a cyber attack. This was more evidence of conscious collusion between nation states and criminal groups, and indeed of the capacity of those with the wherewithal to effect a ‘kinetic’ cyber attack.

This means that in the real world, utilities such as gas, electricity and indeed the Internet itself are interconnected as Critical National Infrastructure (CNI) from the UK across Europe. Again, another positive part of a holistic and harmonious approach to establishing a cyber security baseline across Europe via the NIS Directive was to protect the infrastructure that supports our way of life.

The entire EU would lose out if the UK left. It would lose the member with the most global outlook, the strongest military and the best diplomatic, intelligence and cyber capabilities.

6. CYBER ECONOMIC DISADVANTAGE FOR UK

It is estimated that the NIS Directive will add €500bn to the GDP of Europe; this is one of the many benefits that will be derived from it.

The reality is that the UK is the frontrunner in Europe in maturing its cyber resilience and arguably best placed to benefit from the commercial fruits of the NIS Directive.

However, if the UK starts creating its own ‘versions’ of these directives, it will not avail of these commercial benefits. Just look at the US post 9/11. If we review the negative effect that the US Patriot Act, and indeed the complexities of ‘safe harbour’, have had on innovation, cloud-based technology, big data and all related aspects, we can begin to appreciate the potential downside.

There are over 400 cyber-related laws, regulations and frameworks from over 175 jurisdictions, comprising over 10,000 overlapping and often conflicting controls. Post-NIS and GDPR, businesses can operate in a less complex system, but if the UK does not take part, it will be in the quagmire of cyber controls.

7. CONFUSED CYBER CITIZENS

Have you a right to be forgotten? Can you issue a data access request? Should you sign up with a UK company or an EU-based one? Will your data be transferable? What are the rules? The reality is that cyber citizens will be confused and will have increased challenges in understanding their rights as cyber citizens in relation to security and privacy.


8. CONFUSION OF INCIDENT RESPONSE PROTOCOL

Cyber incident response protocols are different across Europe as far as what you can and cannot do when investigating a cyber incident. The differences are often cultural and based on the history of nations. Germany, for example, is at one end of the privacy spectrum based on their state history.

Cybercriminal gang activity, and indeed cyber terrorist activity, is multi-jurisdictional and requires an easily understood and agreed rule set and protocols for responding to, investigating and preventing cyber attacks.

9. SLOW PROGRESS – STAGNATION WITH INITIATIVES

I started this article with the indication that we are playing ‘catch up’ with cyber related legislation. In one way, we could argue that we have sold our souls to the devil in relation to data access, sharing and innovation, and only now are reaping the consequence.

EU legislation is about to take a leapfrog forward and put EU states on a level global playing field with the US and other major players that have the benefit of a ‘harmonised’ and ‘holistic’ approach to dealing with cyber threats. It seems common sense that if the Brexit campaign is successful, a post-June 23rd UK would be somewhat ‘cyber dazed’ in relation to what is appropriate going forward.

All the positive activity and efforts of the CPNI, Cabinet Office and GCHQ could potentially be compromised as a period of cyber instability creeps in: a period in which people are trying to figure out what is OK in the new world.

10. CYBER BLACK SWAN

A black swan in risk terms is simply a massive unknown that can become normal. A post-Brexit UK may have many cyber black swans; the reality is that nobody knows what the real cyber consequences are.

About the blogger

A Dubliner, Paul C Dwyer grew up in north Dublin, where he attended St Paul’s College in Raheny.

Married and resident in Malahide, he reflects on a career that began as IT manager with a large legal firm, after which he had roles with Luxembourg-based Euro Control air traffic control and Chevron Oil communications hubs in Kazakhstan and the former USSR.

Approved by the National Crime Faculty and a member of the High Tech Crime Network, Dwyer honed his interest in cyber security during periods working with security services in the UK and USA.

He is co-chairman of the UK’s National Crime Agency Industry Group, a certified industry professional by the International Information Systems Security Certification Consortium and a member of the Information System Audit & Control Association.

Active on many fronts, Dwyer provides advisory services to a number of global bodies, including Fortune 500 companies, law enforcement and military (NATO).

UPCOMING ICTTF EVENTS

Breakfast Briefing on the NIS Directive and the GDPR, which both contain mandatory breach notification and fines based on percentages of global turnover.
When: July 22nd
Where: Sky Suite, Radisson Blu, Golden Lane, Dublin

Cyber Task Force Members BBQ
When: 22nd July 2016
Where: Sky Suite, Radisson Blu, Golden Lane, Dublin
