After the historic EU referendum result in June, Phil Muncaster takes a look at what the next steps are.
Well, it happened. It may have been a slim 52:48 majority but the country has spoken, albeit in a referendum many have argued should never have been called. The result is that the UK’s politicians will most likely feel obliged to act according to the “will of the people” and negotiate their way out of Europe. Few in the technology industry wanted this outcome: a pre-referendum poll of techUK members had 70% in favor of remain, but now we all have to deal with it.
The question remains though: deal with what exactly? The truth is that at the time of writing, Article 50 – the part of the EU Treaty which allows a member state to notify of its intention to leave the bloc – has yet to be triggered. In fact, it might not be triggered for some time to come, as political parties elect leaders, decide whether they need another general election, or even work out a way for parliament to veto the result of what was a non-legally binding referendum. In the meantime, there is uncertainty, and uncertainty isn’t good for any industry.
So what exactly will happen to the information security industry if or when the UK formally requests to leave the world’s biggest single market? What impact could a prolonged period of uncertainty have on us? After all, these are uncharted waters. No-one knows how long exit talks will take – two years perhaps? Three? Four? What’s more, this could be followed by several years of negotiations on getting back into the single market – which even most Brexiters admit is vital to the economic well-being of the country.
The status quo will be welcomed by some, as it means current agreements continue. The UK is still in the EU, and although this means it is still making those pesky financial contributions, it also brings rewards in the opposite direction. For example, the European Commission recently announced a €450 million ($500m) fund to encourage the development of innovative new cybersecurity products.
For one thing, we’re still sharing threat intelligence across borders. A CERT UK spokesman tells Infosecurity: “It is very much business as usual for us. As for the future, it is too early to speculate how things may change, but we are all agreed that information sharing is key, so no reason to think that will change.”
BH Consulting founder Brian Honan, special advisor to Europol, agrees. “I would hope that once the UK decides to formally leave the European Union that the appropriate agreements will be negotiated and put in place to ensure the minimal disruption to how UK law enforcement agencies will work with their counterparts within the EU and also with bodies such as Europol,” he tells Infosecurity.
“It should be noted that Europol does cooperate with law enforcement agencies outside the EU already and therefore implementing an arrangement with the UK would not be a new departure for them.”
People Power
When it comes to recruitment, things aren’t looking so rosy, however. MediVisas partner Victoria Sharkey is an immigration lawyer who is already seeing the referendum decision have a largely negative impact on the cybersecurity industry.
“The UK has just become a less attractive place for people to come and work, and this, tied in with the likely visa regulations, will deter EU nationals from coming here,” she says. “If you are a German infosec specialist, you may have taken a job in the UK because you can just come here without the need for a visa. If you now need a visa, you may as well go to the US. I feel that when we do leave that it is going to become significantly harder for UK employers to encourage the best in their industry to come and work in the UK.”
It’s also forcing UK nationals – especially those lucky enough to have secondary European citizenship – to move abroad, further reducing the talent pool, she says. A related issue is that a Brexit would put an end to EU funding for research, whilst forcing the UK government to tighten its belt to balance the books and in so doing cut its own funding budget. It could also lead to private R&D funding drying up, with large multi-national corporations and Venture Capital firms feeling they can’t make long-term plans for the UK anymore, Sharkey adds.
The prospect of Silicon Roundabout dissembling might please some people, but there is a genuine risk that the UK could undo all the good work it has put in over the past decade or so in encouraging a new generation of innovative start-ups to drive the digital economy onwards and upwards.
London has fought hard to become the start-up capital of Europe, but already rival cities are lining up to replace it. Germany's Freie Demokraten (FDP) Party even hired a van recently to drive through the capital displaying the message: "Dear start-ups, Keep calm and move to Berlin."
Uncertainty Creeps
Philip Letts, CEO of global enterprise services platform blur Group, has led both Silicon Valley and UK tech businesses. His assessment of the situation? “It’s bad news for investment, start-ups and tech focused purely on growth and the UK market.”
Letts predicts that, although the big US multi-nationals will want to stay in both the UK and EU, over time they could shift the majority of operations to the more lucrative mainland. “Business confidence is low and many will hunker down, try to avoid risk and wait for this to play out,” he adds.
“Of course, attracting the right talent is already challenging, but it's probably just got that bit harder. For me, the UK tech sector needs to focus on what it can control – customers, cost reduction and profitability – and continue to do what it does best – innovate – whilst making sure the world knows that the UK and its businesses absolutely remain global in their outlook.”
Chatham House associate fellow, Emily Taylor, is also concerned that a prolonged period of uncertainty could lead to various multi-national companies pulling data out of the UK and transferring it to European outposts. A potential clash between the coming Investigatory Powers Bill, or Snoopers’ Charter, and the European General Data Protection Regulation over bulk surveillance may also cause problems if the UK wants to stay in the single market, she adds.
“At stake is the legality of data flows between the UK and the EU. We've seen in response to the Safe Harbor decision that data can move offshore very quickly. There's uncertainty over whether planned data center build-outs will be stalled by Brexit,” she tells Infosecurity.
“Either way, it's a good idea for businesses, during this period of uncertainty, to continue to comply with data protection legislation. For now, these are still our laws, and in the future it may protect EU-UK data flows to be able to show compliance.”
That’s also the advice from the Information Commissioner’s Office (ICO) which, even if we were to leave the EU and not follow the Norway model, appears to favor harmonizing the UK’s data protection laws with those of Europe. Its statement soon after the referendum result had the following:
“With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organizations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case. Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.”
Doom and Gloom?
All told, it’s pretty tricky to find optimists in the cybersecurity space at the moment, but KPMG UK’s head of technology, Tudor Aw, thinks the industry is resilient enough to thrive outside the EU, referencing the tech sector’s positive response to the financial crisis.
He adds that as technology is “a key sector that underpins all other sectors” it will continue to receive growing levels of investment, in or out of Europe, as organizations seek to drive efficiencies and strategic growth.
“There are of course challenges ahead and the biggest of these is immigration. Even before Brexit, tech companies were commenting on the difficulties of recruiting tech talent. If we are to move to a points system, I would like to see the tech sector prioritized so that we can attract and recruit the very best tech entrepreneurs, investors and talent,” he tells Infosecurity.
“[But] the core attributes that have made the UK tech sector so strong and attractive remain in place, including an amazing talent base that has a long track record of creativity; great infrastructure and facilities; first class universities, a stable legal system; appropriate fiscal incentives; timezone advantages; and an ecosystem of advisors that support the needs of tech companies.”
Only time will tell, of course, but the information security industry is assured of one thing: we’re all going to be pretty busy over the next few years.