While economists and politicians continue to consider the cost of the British public’s June 2016 vote to exit (Brexit) the European Union (EU), the cybersecurity community is equally looking to assess the impact of the decision on the sharing of cyber-breach information internationally and what it means for cross-border data access.
The primary security concerns of Britain leaving the EU revolve around matters such as General Data Protection Regulation (GDPR); a loss of threat intelligence cooperation with Europe; an increasing cost of security (because of the falling value of the pound); and the loss of access to European technical expertise.
When the GDPR takes effect it will replace the data protection directive from 1995, which is a welcome update. The regulation was adopted on April 27, 2016, and enters into application on May 25, 2018, after a two-year transition period.
Thus GDPR is likely to go ahead in Britain. Technically, it must go ahead since it will become law before Britain actually leaves the EU. Practically, it will go ahead because it is the easiest way to maintain 'privacy adequacy' and continue easy trading between the UK and Europe.
Hence the concerns raised by GDPR may be the easiest ones to allay. This regulation, by which the European Commission intends to strengthen and unify data protection for individuals within the EU, also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Concerns have also been raised over the risk of cybersecurity suffering within Britain as a result of Brexit. It has been suggested that corporate security defenses will be weakened, and international threat intelligence sharing with Europe will diminish.
The view on diminished intelligence sharing with Europe assumes there will be less cooperation between the UK's National Crime Agency (NCA) and Europol. It has been argued that this simply will not happen given that the NCA's direct access to Britain’s intelligence agency GCHQ, and indirect access to the NSA via GCHQ, means that the UK is too valuable to exclude. Although the Five Eyes (an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States) loses its peering glass inside Europe, much of the world's communications still has to pass through GCHQ territory between Europe and the US.
With respect to the availability of skilled cybersecurity personnel falling away post-Brexit or the assumption that Britain's weakened buying power will stop British companies from investing in security, there is a view that Brexit could in fact offer an opportunity for a complete overhaul and rationalization of Britain’s cybersecurity infrastructure.
Michela Menting, research director for ABI Research, notes that the British government will need to review its role in Europol and the European Cybercrime Centre (EC3). Both organizations are crucial assets to EU members in the prevention and fight against cyber-crime in Europe. The lack of implementation of new processes of sharing could have concrete effects on the ability to respond to a new cyber-threat.
There is also the issue of Britain’s cybersecurity cooperation with other parts of the world beyond the US and the EU, including the Middle East. Earlier this year, for example, the UK Trade and Investment’s Defense and Security Organization – an arm of the British government – brought companies to Intersec, the three-day security, safety and fire protection expo in Dubai in the hope of landing lucrative contracts in cyber security, infrastructure and transportation.
Back in 2014 the UK said it would be prepared to help the UAE prepare its security for Expo 2020, including police training and surveillance equipment. From the 2012 London Olympics to the Commonwealth Games staged in three of its cities in the past 30 years, the UK has an extensive amount of knowledge in the field.
While in Qatar last year, UK Cabinet Office minister Francis Maude met with senior Qatar officials to discuss, among other things, cybersecurity at the FIFA 2022 World Cup, which is to be held in the country. He was quoted as saying Britain wanted to work very closely with the Qatar government in preparing for the World Cup, sharing lessons Britain had learnt with respect to establishing defenses against cybersecurity threats during the London Olympics.
With all the known and as yet unquantified factors playing out regarding Britain’s exit from Europe, it is clear that the country’s position in the global cybersecurity community is set to evolve and change. What will be critical is whether as a nation outside the authority of Brussels, Britain will be able to give assurances that it continues to maintain cybersecurity policies and standards at levels on par or exceeding those found in mainland Europe.
The recent announcement that GCHQ has launched a cybersecurity accelerator as part of a program to create two "world-leading" innovation centers is further indication that Britain intends to continue taking the development and improvement of cybersecurity particularly seriously. Prior to Brexit, in November 2015, then-Chancellor George Osborne said £1.9 billion (US$2.4 billion) would be made available for investing in cyber-defenses.
What remains to be seen is whether the various established cybersecurity clubs around the world will trust British standalone efforts in the field enough to offer them a seat at the top table of trusted cybersecurity alliances.
You can read more from DarkMatter at the RSA Conference blog, and please join us for RSA Conference Abu Dhabi, 15-16 November 2016.
Register here: www.rsaconference.com/events/ad16/register