10 Reasons BREXIT is Bad for Cyber Security
10 Reasons BREXIT is Bad for Cyber Security

At ICTTF we say “It Takes a Network to Defeat a Network” . The bad guys work as a network and the good guys need to also. Let me elaborate on some of these aspects

Here are ten reasons Brexit is NOT good for cyber security in the UK or indeed the EU.

1.   Cyber Laws Chaos

The cornerstone of “Cyber Law” in the UK is the DPA (Data Protection Act). This was written in 1995 and to put the year into context, that was three years before Google was incorporated.  Legislation is struggling to catch up with innovation.

It is planned to morph and develop the DPA into the GDPR (General Data Protection Regulation) on May 25th 2018. The concept being an even handed holistic approach across the EU in relation to data protection. The legislation now having  the added teeth of eye watering fines based on up to 4% of global turnover or €20m.

We really are dealing with a interesting timing issue on these aspects. What I mean is, this cocktail of legislation is going to create an even greater challenge for UK businesses. For example, let’s throw in the new Directive for Police and Criminal Justice that is set for 6th May 2018.

Now for the big kicker. The “Cyber Directive” that is the NIS (Network Information Security) Directive that comes into play in August this year.

Based on the Lisbon treaty, even if the vote on the 23rd June is deemed “Notice” of leaving Europe, this legislation would still apply for a period, as there is a minimum 2 years notice period to leave the EU.

The Pro-Brexit group may say that leaving the EU means not having to comply, or be concerned with this kind of legislation, however, nothing could be further from the truth. Look at the timing, it will still apply during any potential notice period, and of course common sense would dictate that the UK would still like to do business with the EU even in the event of a post Brexit era. This means UK companies processing the information of EU citizens will still have to comply, but can only influence further policy developments from outside the camp.

2.   B2B Cyber Intelligence Sharing 

One of the most positive aspects of  the upcoming “Cyber Directive /  NIS” is that, it will act as a positive catalyst for businesses to share cyber threat intelligence. The “me today you tomorrow” acknowledgement of  a pan European cyber neighbourhood watch for business, sharing and exchanging actionable cyber intelligence via a competent authority framework is a huge step against the bad guys. The UK not being “in” would of course diminish the effectiveness and capacity of that aspect.

3.   Law Enforcement – Cyber Intelligence Sharing 

The EC3 (European Cybercrime Centre) and J-CAT (Joint Cybercrime Action Taskforce) initiatives are the poster children for how law enforcement can successfully collaborate in dealing with cyber threats across Europe. The Secure Information Exchange Network Application (SIENA) enables that process and if the UK are no longer part of that it, it will have negative consequences.

4.   The Geopolitics Factor

Geopolitics plays a direct role in cyber threats. What happens in the real “physical” world from a political stand point immediately effects the cyber “virtual” world. Many recent cases come to mind, including the Ukraine  whereby US companies were attacked online. Physical borders being reinstated, and other real world nuances could feed into the ideology of online groups, or simply those wishing to be part of an online protest. We observe these ideologically motivated cyber threats from countless sources including the Syrian Electronic Army, ISIS and splinter groups from other major groups such as Anonymous.

5.   Protecting CNI

On 23rd December 2015, the electricity grid of the Ukraine suffered a cyber attack. More evidence of conscious collusion between nation states, criminal groups and indeed the capacity of those with the wherewithal to effect a “kinetic” cyber attack . This means in the real world, utilities such as gas, electricity and indeed the Internet itself is interconnected as CNI (Critical National Infrastructure) from the UK across Europe. Again, another positive part of a holistic and harmonious approach to establishing a cyber security baseline across Europe via the NIS Directive, was to protect the infrastructure that supports our way of life. The entire EU would lose out is the UK left.  It would lose the member with the most global outlook,  the strongest military and the best diplomatic, intelligence and cyber capabilities.

6.   Cyber Economic Disadvantage for UK

It is estimated that the NIS Directive will add €500 billion to the GDP of Europe, this is one of the many benefits that will be derived from it. The reality is, the UK are the front runners in Europe at maturing their cyber resilience and arguably best placed to benefit from the commercial fruits of the NIS Directive.  However, if the UK start creating their own “versions” of these directives, they will not avail of these commercial benefits. Just look at the US post 9/11. If we review the negative effect of the US Patriot Act and indeed the complexities of “Safe Harbor” have had on innovation, cloud based technology, big data and indeed all related aspects. We can begin to appreciate the potential downside.  There are over 400 cyber related laws, regulations and frameworks from over 175 jurisdictions comprising over 10,000 overlapping and often conflicting controls. Post NIS and GDPR business can operate in a less complex system, but if the UK do not they will be in the quagmire of cyber controls.

7.   Confused Cyber Citizens

Have you a right to be forgotten? Can you issue a data access request? Should you sign up with a UK company or an EU based one? Will your data be transferable? What are the rules? The reality is cyber citizens will be confused and will have increased challenges in understanding their rights as cyber citizens in relation to security and privacy.

8.   Confusion of incident response protocol

Cyber incident response protocols are different across Europe as far as what you can and cannot do when investigating a cyber incident. The differences are often cultural and based on the history of nations. Germany, for example, are at one end of the privacy spectrum based on their state history.  Cybercriminal gangs, and indeed cyber terrorists activity is multi-jurisdictional and requires an easily understood and agreed rule set/protocols in responding, investigating and preventing cyber attacks.

9.   Slow progress – Stagnation with Initiatives

I started this article with the indication that we are playing “catch up” with cyber related legislation. In one way, we could argue that we have sold our souls to the devil in relation to data access, sharing and innovation, and only now are reaping the consequence. EU legislation is about to take a leap frog forward and put EU states on a level global playing field with the US, and other major players that have the benefit of a “harmonised and holistic” approach to dealing with cyber threats. It seems common sense that if the Brexit campaign is successful, a post June 23rd UK would be somewhat “Cyber Dazed” in relation to what is appropriate going forward. All the positive activity and efforts of the CPNI, Cabinet Office and GCHQ could potentially be compromised as a period of cyber instability creeps in. A period in which people are trying to figure out what is ok in the new world.

10.            Cyber Black Swan

A black swan in risk terms is simply a massive unknown that can become normal. A post Brexit UK may have many Cyber black swans, the reality is that nobody knows what the real cyber consequences are.

Hopefully this article was food for thought …


Paul C Dwyer  , Chief Executive Officer at Cyber Risk International

Source : LinkedIn