Post-Brexit Britain Could Be A Cybersecurity Nightmare With Or Without A Deal

This article is more than 5 years old.

Article 50 of the Lisbon Treaty was invoked by Prime Minister Theresa May on March 29th, 2017, which means that as of 11pm (GMT) on March 29th, 2019, the UK will no longer be a part of the European Union, unless all 28 EU members agree to extend that deadline or the UK has a second referendum which votes to stay. While neither sounds particularly likely, neither does a deal between the UK and the EU setting out agreed terms of the departure. Indeed, Donald Tusk, who is president of the EU council, has this week warned that a no-deal scenario is now more likely than ever. At the same time, Theresa May is fighting to hold an ever more fractious Conservative party together while insisting that a deal is still achievable. Set against this backdrop of political uncertainty is a cybersecurity industry increasingly worried about the post-Brexit threatscape. Whether the UK crashes out of the EU without a Brexit deal or some sort of compromise agreement can be reached between the two sides, the impact upon cybersecurity is likely to be considerable and immediate.

I've been speaking to industry experts in order to get a feel for how a post-Brexit threatscape might map out. Following my conversations this week, the consensus of opinion can be handily divided into three main areas of cybersecurity concern: employment, regulatory compliance and information sharing.

Employment issues have been worrying the cybersecurity industry since long before Brexit was even a word. The skills gap within the industry is well documented and has been proving difficult enough to address without the added pressure of Brexit impacting upon the freedom of movement of people between EU countries and the UK. I spoke to Laurie Mercer, a security engineer at HackerOne, who says that in the post-Brexit landscape organizations should be asking how they can leverage the world's best cybersecurity talent. "The majority of people with cybersecurity skills do not reside in the UK," Mercer told me, citing the fact that of the $38.2 million HackerOne has paid out in vulnerability hunting bounties, only 4% has gone to British security researchers.

That the UK will need to discover new methods of attracting this kind of cybersecurity talent from beyond the UK is a no-brainer according to the Institute of Information Security Professionals (IISP) CEO, Amanda Finch. "The challenge is that we are already stretched" she points out "suffering a major shortage of skilled practitioners and trying to cope with a widening threat landscape, so these are complications we could do without." Especially as the uncertainty from the direction of Westminster is hardly doing much to dispel the 'hostile working environment' fears of those thinking about relocating to the UK.

"With a Brexit that restricts or reduces their current standard of life" Tom Huckle, head of cyber security and development at Crucial Group told me "it will most likely cause an exodus of expertise out of the UK cyber security sector." Huckle doesn't think it will be all bad news, deal or no deal, as the effect could be to encourage "our own generation of cyber security talent within the UK into overdrive to fill these gaps." Tayo Dada, founder of Uncloak.io, is also optimistic that those cybersecurity professionals already working in the UK will see a benefit from Brexit. "There will be a huge push in consultancy" Dada explains "stemming from the compliance requirements driven by the UK government who are already pushing businesses to invest in cybersecurity frameworks ranging from Cyber Essentials, ISO27001 and of course GDPR."

Did someone mention regulatory compliance? The legislative landscape as it impacts upon the cybersecurity sector was on the lips of many of the security thought leaders I contacted. Chris Moses, senior operations manager with Blackstone Consultancy, expects to see an increase in cyber-attacks on the UK after Brexit, courtesy of cybercriminals attempting to exploit bureaucratic loopholes as well as uncertainty and inconsistency in the regulations between the UK and Europe. "The way data is handled in Britain has so far been modelled on European regulation, with the General Data Protection Regulation (GDPR), an EU-wide regulatory regime which came into force in 2018," Moses says. Given that the UK has already carved GDPR into UK legal stone with the Data Protection Bill 2018, there isn't likely to be a lack of protections. However, Moses concluded the conversation by saying "individuals, even within the cyber world, will try and take shortcuts to avoid abiding with Data Protection regulation, which in turn will leave them as well as the public vulnerable to being victims of cyber-crime."

GDPR was also on the mind of Bridget Kenyon, the global CISO of Thales eSecurity, who was quick to point out that she is not a lawyer. That said, Kenyon was concerned that while the UK can show equivalence between the protections afforded to data subjects in the UK and those in the EU currently, that might not always be the case. "If we look ahead 3-5 years it's inevitable that the GDPR will be updated" Kenyon says "what will happen to the UK version of the text and what if it chooses to change the penalties or other parts independently to the EU refresh cycle?" Adequacy decisions will then have to be made if the texts diverge in this manner and there may well need to be further protections along the lines of the EU-US Privacy Shield for example. "What complicates these extra processes and frameworks is that they may be argued to be ineffective at providing equivalent protection of data if they can be overridden by national law" Kenyon warns, concluding "this exact situation was seen with the predecessor to Privacy Shield, which was called the International Safe Harbor Principles and declared invalid in 2015 due to the fact that it could not override national laws which did not provide equivalent protections for personal data."

Global considerations are, as is to be expected, the main cybersecurity industry concern within the post-Brexit security landscape. Ian Trump, head of cyber security for AmTrust International, is convinced that Brexit will provide an opportunity for cybercriminals to extensively attack UK infrastructure. "The perception of malicious attackers will be that UK law enforcement will be cut off from information sharing with the EU," Trump predicts, adding that "without agreements in force between the EU and UK, the life of cyber defenders will be made more difficult." Trump was far from being the only industry voice sounding warnings about how Brexit could negatively impact upon information sharing, something so vital in the fight against cybercrime.

Take Sebastien Jeanquier, principal security consultant at Context Information Security, who suggests that the largest potential impact of Brexit on cybersecurity is to the organizations that deal primarily with elements of cybercrime identification, reporting and mitigation. That covers everything from the intelligence services in the UK, such as the Government Communications Headquarters (GCHQ) and National Crime Agency (NCA), to their EU counterparts like Europol, the French General Directorate for Internal/External Security (DGSI/DGSE) or the German Federal Intelligence Service (BND). "More importantly, however, it potentially impacts the EU's tie-in to the intelligence network of the greater Five Eyes group of Australia, Canada, New Zealand, the UK and the US, in which the UK plays a very central role," Jeanquier was keen to point out, because thanks to "regulatory and legal compliance requirements it may become more difficult for these government organizations to cooperate with each other, or it may place restrictions on how deep such a cooperation can go with respect to the sharing of intelligence information that includes EU nationals."

It's not just the UK cybersecurity industry that is troubled by the potential threat intelligence sharing problem; in fact, Jeff Curley, head of online digital at Radware UK, reckons his European counterparts are even more concerned. "My colleagues based in Germany and France tell me that the processes in place are essential to their work and the UK leaving Europe will have a detrimental effect on the security of the region," Curley explains. "In particular, they have said that the ability to stay ahead of attack vectors will diminish. They can't see how it will be maintained at the level it is today without a very definite set of laws that keep intel sharing open."

All this comes at a time when a fragmenting geopolitical landscape means that nation state information sharing is more important than ever. "Inevitably, knowledge is power," says Dr Jamie Graves, CEO and founder of ZoneFox. "In the wake of Brexit, whichever form it may take, the UK must re-negotiate its cybersecurity relationships across Europe and failure to do so will come at all our peril." Not everyone, though, is downbeat about the potential for post-Brexit threat intelligence. "The Government has indicated through its implementation of GDPR and Data Protection Act 2018 that it wants to implement world-leading data protection laws," Adam Louca, chief technologist for security with Softcat, told me, "which could exceed the EU making the UK one of the safest and secure places to store and process data." Indeed, Louca goes as far as to suggest that we could see the UK becoming, in effect, a 'digital Switzerland' as privacy and cybersecurity become more important to consumers and providers of technology.

I will leave the last word to Dr Cathy Mulligan, a research fellow in the innovation and entrepreneurship group at Imperial College Business School, who is sure that irrespective of what happens post-Brexit, cybersecurity will remain complex and require a multi-lateral response. "No country is able to stand alone in the emerging digital era," Dr Mulligan insists, "so co-operation around cybersecurity is something that I think we will see continue post-Brexit, irrespective of the deal that we see." Partly, she explains, that is because the EU needs the UK as much as we need them, for one very good reason: "the many international communications cables to Europe land in the UK first," Dr Mulligan says, concluding "it would be expensive and not possible to replace those links quickly."
