Post-Brexit Cybersecurity – Implications on Risk and Uncertainty

Who knows what is going to happen with Brexit, or when the United Kingdom will officially leave the European Union, with a deal or not. (Although at the time I write these lines a delay or revocation of Article 50, the formal process of leaving, seems likely.)

If we could describe post-Brexit cybersecurity in one word, that word would unquestionably be “uncertainty.” And because uncertainty presents opportunities that cybercriminals will try to exploit, it is our job, as cybersecurity professionals working in the first line of defense, to predict, quantify, and mitigate the increased risks and possible negative effects of this momentous development.

The cybersecurity challenges Europe faces today and will face in the future are many and very complex. To better understand the ramifications a “no deal” Brexit will have on our overall cybersecurity posture, we must carefully examine its direct and indirect implications, looking closely at the following categories:

  • Current and future legal frameworks
  • Governing the transfer of data
  • The threat landscape
  • Incident handling
  • Effects on the workforce
  • Competitiveness
  • Privacy and security

A brief look at current and future legal frameworks

With our world today depending even more on the Internet, and new developments like the cloud and sophisticated AI becoming parts of our everyday lives, the EU had to modernize its outdated data protection laws (such as the EU Data Protection Directive 1995). As a result, in 2018 it enforced across all its 28 Member States two key pieces of legislation designed to govern cybersecurity and privacy issues: the General Data Protection Regulation (GDPR) and the NIS Directive.

The United Kingdom, still being an EU Member State, integrated both legislations into its national legal system: GDPR with the Data Protection Act 2018 and the NIS Directive with the NIS Regulations 2018. This political choice demonstrated that the UK strategically desires to closely follow and be compliant with the new EU regulations.

To solidify its decision the UK government in December 2018 published two notices (“Data protection if there’s no Brexit deal” and “Amendments to UK data protection law in the event the UK leaves the EU without a deal on 29 March 2019”) to provide more details on how the UK Data Protection Law and the NIS Directive will work in the event the UK leaves the EU without a deal.

The good news is that post-Brexit there will be no immediate change to the UK’s data protection standards – GDPR will remain in the UK legal system – and the UK’s independent supervisory authority on data protection will remain the same (the Information Commissioner’s Office, or ICO). Also, the NIS Directive will continue to apply in the UK after it exits the EU.

Looking at the near future, we anticipate that the e-Privacy Regulation, a regulation designed to replace the Privacy and Electronic Communications Regulations (PECR) and to govern the processing of personal data in connection with electronic communications services, will be passed by the EU parliament in late 2019. Member States will have one year to implement the new regulation and whether (and how) the e-Privacy Regulation will be applied in the UK is still unknown.

In conjunction with the e-Privacy Regulation, and as part of the EU Cybersecurity strategy, the European Commission proposed a new Cybersecurity Act designed to increase the scope and powers of the European Union Agency for Network and Information Security (ENISA) to better support Member States with cybersecurity threats. In December 2018 the European Parliament, the Council, and the European Commission reached a political agreement on the act.

The EU Cybersecurity Act will establish a framework for European Cybersecurity Certificates (I’m simplifying, but try to imagine something similar to an ISO 27001 standard), with its aim being the boosting of cybersecurity of online services and consumer devices. Practically, this will mean that businesses operating inside the EU must be compliant with the framework.

Finally, the European Data Protection Board (EDPB) very recently published (November 2018) a draft guidance on the territorial scope of the GDPR and provided the criteria (“establishment” and “targeting” criteria) of how the various EEA data protection authorities will assess the application of the GDPR to non-EEA countries. The Guidelines provide clarification around the boundaries of what constitutes an establishment in the EU, the status of tourists and factors that determine whether data subjects in the EU are being targeted and the conditions of appointment of an EU representative for non-EU controllers and processors, matters that UK businesses must deal with in the near future.

Governing the transfer of data

On 6 February 2019 the UK government published another updated guideline, titled “Using personal data after Brexit,” to further advise UK-based companies on what they should do in the event of a “no deal” Brexit. In practice, the new guideline reinforces the original position that post-Brexit UK businesses will still be able to send personal data from the UK to the EU and that the UK will continue to allow the free flow of personal data from the UK to the EU (and the EEA area).

Data originating from the remaining 27 Member States of the EU and coming into the UK is a different story though. Data falling into this category must comply with GDPR and it is illegal for an EU Member State business or organization to export data to a non-EEA entity without specific legal safeguards in place. Since post-Brexit UK will be considered a “third country,” UK businesses will be subject to these safeguards.

Trying to decode the future, when newer EU regulations come into force, another way to regulate the flow of data between the EU and the UK is for both entities to enter into a bilateral agreement similar to the EU-US Privacy Shield. The Privacy Shield is a legal mechanism that allows companies to comply with data protection requirements when transferring personal data from the EU to the US in support of transatlantic trade.

Current & Post-Brexit Threat Landscape

In the UK the number of data breaches reported to the Data Protection Commission rose by almost 70% last year, totaling 4,740 breaches during 2018, with 3,542 of those breaches recorded in the seven months after the General Data Protection Regulation came into force (nearly 45 reported incidents per day).

We also experienced high profile data leaks like the NHS, Timehop, and Ticketmaster incidents, and organizations such as universities, businesses, online stores, and social media (like Facebook) have been subject to breaches. These compromises affected millions of people.

Still, this is the tip of the iceberg. Even more serious attacks occurred like the ones from Snakemackerel, an espionage-motivated cyber threat group that used a BREXIT-themed bait document to deliver the Zekapab malware into very sensitive targets like the Organization for the Prohibition of Chemical Weapons (OPCW), the United Kingdom Defense and Science Technology Laboratory (DSTL), and the United Kingdom Foreign and Commonwealth Office (FCO).

It is very probable that other hacking groups are paying very close attention to political developments and may try to take advantage of the latest news headlines in order to develop more sophisticated phishing attacks designed to deliver malware, such as Zekapab.

Also, with the UK’s critical national infrastructure facilities being at risk of facing a large number of cyberattacks in the near future, losing the close cooperation with the EU means that Britain will be less able to respond effectively to such threats.

Incident Handling

Today all European businesses, organizations, and citizens can utilize a mechanism that was established by the current EU legal framework to assist them in the event of a cybersecurity incident. The mechanism allows them to only notify the Lead Supervisory Authority in their country (what we define as “one-stop shop”) for advice, to carry out investigations, or to inform and coordinate with Lead Supervisory Authorities in other EU Member States in cases of a cross-border cybersecurity incident.

In a post-Brexit cybersecurity future, the UK will no longer be a member of this legal mechanism. In the event of a cross-border cybersecurity incident (one that comprises data of EU citizens), UK-based businesses and organizations will legally need to notify not only the UK Lead Supervisory Authority (ICO) but also each Lead Supervisory Authority in each EU Member State relevant to the incident. On top of this Herculean task is the high risk that the business can be subject to heavy fines from both the UK and the EU authorities.

The time it takes authorities to respond to an incident is also a crucial factor in order to effectively fight cybercrime. Another possible problem that will escalate is how the Information Commissioner’s Office (ICO) – the UK’s independent authority responsible for the public’s information rights (which does a remarkable job by the way) – will be able to handle the increasing incident demand given that it already is overwhelmed and overloaded with data breach reports.

Effects on the Workforce

What concerns me most, and I see it everywhere in the industry especially from the hands-on technical point of view, is the EU’s and also the UK’s huge cybersecurity skills shortage. A lot of high-profile UK companies are dependent on international talent to supplement the limited numbers of UK security professionals. With Brexit limiting the right of free movement and enforcing stricter working visa requirements, it could have a significant impact on the ability of Britain to hire adequate staff to fight against cybercriminals and nation-state threats.

Additionally, UK-based universities will experience fallout in their relations with their EU-based educational partners, losing access to huge amounts of EU research funding in the process. This will have a negative effect on their ability to produce the necessary future talent and research to fill the cybersecurity skills gap.

Effects on Competitiveness

It is widely accepted that leaving the single market will significantly impact UK businesses. With this thought in mind, UK-based companies offering cybersecurity services and products are very likely to face great difficulties trying to attract European customers. With cooperation at an EU level being crucial to their growth (and even survival) post-Brexit, it is probable that these companies will move some (or all) of their operations to a country within the single market, with very negative effects on Britain’s capability to fight cybercrime.

Looking at competitiveness at an international level, Brexit will hurt both the UK and the EU in terms of companies gaining market share on the international cybersecurity stage, with the US being the leading player on the market and Asian countries constantly gaining share.

Privacy and security

One of the EU’s founding principles is the respect of human rights of its citizens, and Brexit poses a significant risk to the privacy of people living in the UK. A post-Brexit UK will no longer be bound by the EU’s Charter of Fundamental Rights that requires that surveillance on citizens must be proportionate to any harm to privacy, and it is very likely that this will be exploited by many UK agencies. For example, the UK government has taken steps to weaken some forms of encryption since 2016 and requires Internet Service Providers to store sensitive user browsing history.

The post-Brexit UK’s ability to defend against cyberattacks in the future will depend on how well it will cooperate with European agencies and data security authorities. Information sharing is crucial to the UK’s cyberdefense strategy as many companies and organizations experience similar attacks and by sharing knowledge, threats can be dealt with faster and with a higher success rate. Also, if the UK loses its full membership in agencies like Europol, databases like the European Arrest Warrant System or other intelligence sharing agreements, it would significantly reduce its ability to defend against cross-border cyberattacks and other types of crimes.

What can we do to prepare?

On the legal front, at least for the foreseeable future, day-to-day compliance requirements will not change much and UK companies receiving data transfers from the EU must be compliant with GDPR. At a minimum they should keep all their employees updated with the latest developments in GDPR (especially with its implementation in the UK legal system), provide training courses on the law itself, and appoint a designated Data Protection Officer or nominate someone to keep up to date with all things GDPR.

An extra measure is to research more closely into what we call standard contractual clauses. The European Commission can decide that standard contractual clauses offer sufficient safeguards for the protection of data being transferred internationally. It has issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or EEA.

On the cybersecurity front, UK companies have to deal with a disappearing IT defense perimeter, the rapidly expanding attack surface (especially if they choose to move operations to other EU Member States), the widening cybersecurity skills gap, and the increasing sophistication of cyberattacks, with hacking groups exploiting even political developments as a tool to design an attack.

We understand how extremely difficult it can be for even the best and most advanced cybersecurity teams to deal with these issues, and here is where AI could deliver an effective solution to the overall strategy of an organization’s cybersecurity defense.

A subcategory of artificial intelligence called Machine Learning (ML) can be very effective when it is trained with high volumes of data originating from the environment in which it will be deployed. With ML’s greatest strength being outlier detection (or anomaly detection) – the basis of Network Traffic Analysis – it could pick up anomalies within an organization’s environment and report them more quickly than a member of the cybersecurity team could.

At a minimum, companies must update their security awareness training strategy and retrain all their employees to identify the new threats and possible attempted attacks, with sophisticated phishing being a priority, and to know how to report a breach.

To conclude my thoughts on a positive note, no matter the implications and challenges that a “no deal” Brexit will bring, the global cybersecurity community will never stop operating like a band of brothers with a common goal, will still exchange information, knowledge, and tools, and still collectively work to better secure our societies. It’s in our DNA.

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both Bush and Obama administrations, The Cabinet office, the Foreign and Commonwealth office, SWIFT, Swiss National Bank, Prudential Regulation Authority, the Bank of England, The Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.