Brexit – how might it affect cyber security?

In Information Security / By Team Acumin / 8th July 2016

The results of the recent referendum mean that within two or more years, the United Kingdom will leave the European Union. The exit will affect many areas of British life, including the economy, immigration and trade with Europe, but will it have a significant effect on cyber security?

At this early stage before Britain has negotiated a leaving strategy, there are many uncertainties about exactly how cyber security, and indeed cyber security jobs, will be impacted.

Data protection

The first area of concern is data protection. The UK Data Protection Act of 1998 is due to be superseded by the European General Data Protection Regulation. This was passed in Brussels last December and is due to come into force in 2018. This regulation includes the “right to be forgotten”, which gives people the right to withdraw their consent for data to be held by an organisation.

The regulation also stipulates that data can only be held if explicit consent is given. Presently, there is the presumption that user data can be stored.

Individuals will have the right to see records concerning themselves and also be able to transfer their data to another organisation.

The new European regulations will establish that data belongs to an individual and not to the organisation that stores it.

Various European authorities will monitor cyber security. Under the new regulations, any data breaches have to be notified to the relevant authorities within 72 hours.

If Britain has not left the EU by the time the European General Data Protection Regulation comes into force in 2018, then all British organisations will need to abide by the new rules. After Britain leaves the European Union, the regulation should not apply to businesses solely operating within the UK, but as soon as a business deals with Europeans outside of the UK, all data handling and protection must abide by the new regulation.

There is the possibility that United Kingdom data protection laws will be amended so that they are closer to the European regulations. If you are responsible for data protection in an organisation, then it makes sense to plan security systems that will comply with the new regulations, as Britain is unlikely to have left the European Union when they come into force.

If the data protection regulations in Britain differ too widely from the rest of Europe, this could confuse people. Many people are signed up online for both European and UK companies and their data protection could be complicated by the different regulations that affect data gathering.

After a series of high-profile hacking attacks in recent years, people are demanding a high standard of data protection. This will not change when Britain leaves Europe. Ideally, standards of protection need to be similar in all countries.

Cyber crime

Of course, cyber criminals don’t care whether Britain stays or leaves the EU, as they do not recognise country borders. After Brexit, cybercrime will continue to grow. There will be a continuing need for organisations and law enforcement agencies in Europe and the rest of the world to share information to combat cybercrime.

Being a non-member of the European Union does not mean that Britain will be isolated. Norway and Switzerland are examples of two independent countries that maintain close ties with Europe and have extensive trade with Europe. These countries hold European-based data and can cooperate with their European partners to combat data breaches.

Some security personnel fear that information sharing will diminish after Brexit and leave Britain more open to cyber attacks, but the examples of Norway and Switzerland indicate that this may not happen. Britain has a reputation for expertise in cyber security, and this is unlikely to change.

Another area of concern is extradition. Presently, if a European cybercriminal attacks a British computer network, or a British one flees to Europe, then it is relatively easy to extradite them to face justice in a UK court. After Britain leaves the EU, this could be made more difficult.

Cyber security personnel

If there is a curb on immigration following withdrawal from the EU, this could make it more difficult for British companies to recruit European cyber security experts. If a skill shortage of highly trained cyber security personnel happens, then the government may make exceptions to allow European cyber personnel to live and work in Britain.

Another option is to base cyber security personnel outside of Britain. Several European and United States companies have cyber security departments in Poland and the Irish Republic, where costs are lower.

British cyber security workers could find that opportunities for living and working in Europe are restricted and they may be attracted to countries such as the USA, which pay higher wages.

Penetration testing

There are many UK-based cyber security companies that are experts in penetration testing and sell their technology all over the world. Sales of cyber security technology to European countries should not be affected by Brexit, although if the pound remains weak against the euro, these products will be cheaper for European countries to buy.

University funding

Many universities receive EU funding for cyber security research. After leaving the EU, these funds will not be available. It is too soon to know whether the government will allocate money to make up for this reduction in funding.

Critical data structure protection

Critical infrastructure utilities such as gas, electricity and water can have particularly devastating effects on a country if they are sabotaged by cyber attacks. The European Union is working on measures to protect the infrastructure that supports the European way of life. Without Britain as part of the European Union, the UK will not be part of this European infrastructure protection initiative.

Uncertainty

The feeling of most cyber security experts is that there is uncertainty. Indeed, Paul C Dwyer of the International Cyber Threat Task Force summarises:

“A black swan in risk terms is simply a massive unknown that can become normal. A post-Brexit UK may have many Cyber black swans, the reality is that nobody knows what the real cyber consequences are.”