General security

Brexit's Effects on Cyber Security

Pierluigi Paganini
July 7, 2016 by
Pierluigi Paganini

What is the Brexit? The term is short for "British exit" and refers to the exit from the EU of the UK Government following the referendum result of June 23, 2016.

While the economists and politicians are trying to understand the effects on the global economy, in this post we will focus on the cyber security industry.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

What will happen after the Brexit?

The results of the Brexit referendum vote have caused fear for many.  The most evident is the fall of the British currency, the pound, respect the dollar and the euro; this has as primary effect an increase in the cost of cyber security for the UK citizens.

Lionel Barbar editor of the Financial Times predicts that the first two quarters could face recession due to the post economic, financial stress.

However, don't forget that in this specific moment the cyber number and the level of sophistication of cyber threats are increasing as never before.

The cyber security is a pillar of any government that intends to expand its cyber capabilities, but this approach needs investments that contrast with the spectrum of a country that risks the recession.

Back to the impact of the cybercrime on a country that has left the EU, let consider the potential effect on the information sharing laws that were already in existence. Of course, the Brexit will have an influence on the current processes in place to share data related to data breaches. We need a legal framework that has to be approved by both sides defining new rules for the sharing of sensitive information related the members of the EU and the UK.

Another aspect to consider is the current involvement of the UK in the activities of the European law enforcement agencies.

Michela Menting, research director for ABI Research, noted that the British Government will need to review its role Europol and the European Cybercrime Centre (EC3), both organizations are crucial assets of the EU members in the prevention and fight off cyber criminal activities in Europe.

"Organized online criminal activities are undeniably best tackled from a cooperative, supra-national perspective, and the UK's isolation that may result from Brexit would be an unwelcome development in the fight against cybercrime," she said. "Further to this, new cybersecurity information and asset sharing structures will need to be put in place between the EU and the UK."

The lack of implementation of new processes of sharing can have concrete effects on the ability to respond to a new cyber threat.

The failure in sharing information on threat actors and their tactics, techniques, and procedures (TTPs) could allow the spread of the threat with serious repercussions for the target organizations.

Part of the IT industry expects that cybercrime will be on the rise, and information sharing will be reduced.

Another aspect to consider it the job market related to the cyber security that is already facing a skill shortage.

It is likely a significant impact on the recruitment of talented technical professionals and wreaks havoc in the regulatory compliance divisions.

Once the UK is out of the European Union, it would make even more difficult for UK businesses to attract talented professionals to compete with the US firms that can access to a larger market crowded of talented experts, including European ones. To cut ourselves off from the rest of Europe, therefore, does nothing to protect the UK's reputation as being open for business.

Today the research labs of many UK firms are composed of employees from other EU countries, these professionals work in London and travel around Europe for research and business purposes and return home to visit their family.

They are obviously concerned about the effects of the Brexit that may limit in a significant way their ability to move across the Europe is an easy way.

After the Brexit, many companies will leave London to remain in the EU. Another worrying phenomenon is the increase in employee exits from companies that will remain in the UK that have significant security and privacy implications. Every time an employee leaves a company, it triggers a series of measures described in the internal procedures to avoid the exposure of sensitive data. All accesses have to be removed and that sensitive information will no more accessible to the employee, but the likelihood of a security incident will increase in a significant way.

According to the recent Ponemon survey "Risky Business: How Company Insiders Put High Value Information at Risk," 47 percent of respondents say recently hired employees bring confidential documents from former employers that are a competitor. This is something organizations should be vigilant of in the coming months following the Brexit announcement."

Foreign companies that operate in the UK can decide for the above reasons to leave the country, and it is already happening, Ireland will be one of the most attractive alternatives.

The Brexit will create a huge vacuum from the business point of view in the cyber security industry. Today London represents a natural hub for startups that plan to offer cyber security services and products, in the future, these companies will move elsewhere searching for investors and capitals.

It is likely that other European cities will catch the opportunity to create new hubs for the cyber security industry.

The General Data Protection Regulation "GDPR" is scheduled to update their regulations which unify and strengthen existing laws for EU member states. Also, the Information Commissioner's Office "ICO" will force the UK to adopt the GDPR.

Even though the UK has decided to leave the EU, it is likely that British organizations will face data protection and cyber security laws influenced by the EU legal framework in the next months.

The UK's current regulatory regime, the Data Protection Act (DPA), is dated back 1995, and the Government plan to refresh it within May 25, 2018. A new directive for the law enforcement and the justice sector has also been finalized and must be passed into EU Member State law by 6th May 2018.

Any UK business operating with European firms in the EU market will have to comply with the GDPR despite the Brexit vote.

This is clear if we consider that the GDPR obligations will apply to organizations worldwide that process data belonging to EU citizens. Any UK business which has its staff or a group company operating in the EU will have to comply with the GDPR's provisions.

It is likely that European Members will ask the UK Government to reach an agreement on transnational data privacy protections.

"On the privacy front, Brexit severs the UK from the pending EU GDPR and potentially places the UK in a position similar to that of the US, struggling to reach an agreement on transnational data privacy protections. Given the close ties and operational similarities between the NSA and GCHQ, it is possible that EU data protection advocates will leverage Brexit to demand privacy assurances that the UK government, and some UK firms, may find onerous. At a minimum, the regulation of transnational data flows just got more complex. For example, US firms will have to deal with two data protection regimes (UK and EU) instead of one (EU)." Stephen Cobb, senior security researcher at ESET explained to SecurityWeek.

Does the UK remain in the European Economic Area?

If the UK remains part of the European Economic Area (EEA), it will be subject to European privacy laws. We have already assisted to a similar situation, the Norway, Iceland, and Liechtenstein are not part of the European Union, the sharing of personal data to the UK would remain free, and the UK would continue to be treated as any other European country under the privacy perspective.

Even if the UK does not remain in the EEA, the UK data protection laws will be considered by the European Commission as implementing an "adequate" level of protection to personal data.

In this scenario, despite transfers of personal data to the UK will be considered as non-EEA transfers they would remain free.

The technology lawyer Giulio Coraggio published an interesting analysis on how the Brexit impacts your European privacy strategy. Below an excerpt from his post:

"Will EU privacy law still be applicable in the UK?

The answer to that question depends on whether the UK is going to exit the European Union, but remain part of the European Economic Area (EEA) which would make it still subject to European privacy laws. Under such scenario, as it already happens with Norway, Iceland, Liechtenstein that are not part of the European Union, the transfer of personal data to the UK would remain free and the UK would continue to be treated as the other EU countries when it comes to privacy law.

If not, what will happen to data transfers after Brexit?

If the UK does not remain part of the EEA, it will not be subject to current EU data protection laws and to the upcoming General Data Protection Regulation (GDPR). As a consequence, transfers of personal data to the UK will be considered as non-EEA transfers.

However, as already declared by the UK Information Commissioner, it is quite likely that UK data protection laws will be considered by the European Commission as providing an "adequate" level of protection to personal data. This means that the transfer of data to the UK would remain free as it already happens for many countries such as Canada, Switzerland and Israel."

The experts from the research firm Gartner expects Brexit will have a significant impact on the IT market due to data privacy issues:

"Now many new long-term strategic projects will be put on pause and likely not restarted until 2017," states a study published by the Gartner.

Moreover, what about the Network and Security Directive "NISD"?

It is not a regulation, and the UK will no longer be obliged to implement the NIS Directive contrarily to Member States that will have to define legislation for it to become law within 21 months.

The European Commission highlights that The Network and Information Security Directive – proposed aims to ensure a common high level of cyber security in the EU. The pillars of the NIS directive are:

  • Improving Member States' national cybersecurity capabilities.
  • Improving cooperation between Member States, and between public and private sectors.
  • Requiring companies in critical sectors – such as energy, transport, banking and health – as well as key Internet services to adopt risk management practices and report major incidents to the national authorities.

Clearly, there is no reason for the UK Government to avoid implementing the NIS like other EU states.

The Britain's decision of exiting from the EU is building another wall that will have a significant impact on data and information flows and will create new challenges for transnational commerce.

In a time of mutual distrust, it will be very difficult to encourage the sharing of security information between companies and nations. Unfortunately, threat actors will be the unique players in benefiting of the Brexit turbulence.


What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.