Paul C Dwyer
CEO - Cyber Risk International | President - International Cyber Threat Task Force
BREXIT + CYBER SECURITY
It is over two years since I wrote the article “10 Reasons BREXIT is Bad for Cyber Security”. Since then, the UK has voted for Brexit and, controversially, there are suggestions that the vote may itself have been influenced by a nation state's use of nefarious cyber tactics, such as those the Russians employed in the 2016 US election. The “Article 50 button” has been pushed and the EU has significantly changed the cyber regulatory landscape with GDPR and the NIS Directive.
Cyber threats continue to evolve and the lines between criminal, ideological and politically motivated attacks continue to blur. As, too, do the lines between truth and fake news, spun with a PSYOP flavour for maximum impact. The asymmetric impact of cyber related risks is still a major aspect of cyber-borne threats. Being able to control or influence the opinion of hundreds of millions of people means being able to control democracy. Being able to control the utilities and critical national infrastructure of a country means not having to destroy it to restrict access to it. Being able to control access to and the integrity of the data of an enterprise means being able to control that enterprise.
The media is full of articles about a potential “hard” or “soft” Brexit and what that may mean in relation to “hard” or “soft” borders, indeed the Irish border itself. Let us now look at some of the cyber aspects of Brexit, including “cyber borders”.
Following on from my previous article about 10 cyber related challenges of Brexit, we will now explore why businesses need to develop and enhance their cyber strategy in order to deal with these issues.
Brexit and Cyber Security
As the countdown to Brexit continues, what impact will it have on the continuing battle against cybercrime?
Cybercrime is booming. A report from the Centre for Strategic and International Studies, entitled the Economic Cost of Cyber Crime, put the global cost of cybercrime in 2017 at $600bn. Other sources report it surpassing drug trafficking as the number one crime and rank it as a trillion dollar global industry. The G7 cyber task force has identified it as a risk to the interconnected global financial sector, one that therefore requires a unified global response.
Unfortunately, Brexit puts all of that at risk. From the ability to recruit staff to regulations, EU cooperation and the flow of data, the UK government has some pretty big issues to fix before next March.
The exact impact will, of course, depend on the type of Brexit we get. Unfortunately, the prospects for a future Brexit deal appear to change by the day. As I write this, “no deal’s” stock is rising as Theresa May struggles to get her Brexit deal passed by her own MPs or the EU. The Governor of the Bank of England has warned that the prospects of a “no deal” Brexit have become ‘uncomfortably high’. If that happens, the impact on the cybersecurity sector would be profound.
The impact is already being felt. Earlier in the year, the UK Government issued a call for companies to beef up their cyber defences, as figures suggested four out of ten companies had experienced some form of cybercrime over the past 12 months. Unfortunately, in many cases, their efforts are thwarted by a lack of staff.
Companies already struggle with a skills shortage. Cybersecurity is a high-tech business. Attacks and defences are evolving all the time, which makes it increasingly difficult for skills to keep pace. Research from ESG (Environmental Social Governance) finds that the skills gap is growing and represents an existential threat.
A study from the Center for Cyber Safety found that 46% of companies in the UK say that a shortage of staff is having a significant impact on their customers and 45% said it was leading to breaches. It also suggested there could be a global shortage of 1.8 million cyber security workers by 2020, a 20% rise from a similar study made in 2015.
These problems are global. But as the quality of staff becomes increasingly important in preventing attacks, competition for the top talent will grow. Brexit threatens to reduce the UK’s attractiveness to the most talented people at a time when it needs them the most. A study from Deloitte finds that almost half of EU workers are considering leaving after Brexit.
Michel Barnier – EU Brexit Negotiator
“This trust doesn’t fall from the sky, there is no magic wand. This trust is founded on an ecosystem … If you leave this ecosystem you lose the benefits of this cooperation.” One of the most important questions will be the UK’s future relationship with the body which facilitates cyber security collaboration across the EU: Europol.
The nature of this partnership will depend on how negotiations move forward, and while there’s plenty of good will on all sides to find something which works, this is far from a done deal.
Brexit is already having an impact as the UK’s involvement is being wound down in advance of leaving until a new arrangement can be put into place. In an interview with the BBC, the former head of Europol, Sir Rob Wainwright, argued that the UK’s involvement with Europol would probably be less direct post Brexit.
“There will be a loss of influence, there's no doubt about that,” he said. “The seat at the table will either be fully gone or half gone. And that means there will be a loss of British influence, and I think it's a shame for the UK. I think it's actually a shame for our European partners as well.”
Negotiations will continue about how much cooperation the UK does or does not have with Europol after Brexit. It is in the interests of all parties to work something out, so the chances are there will be a deal of some kind. Several countries that are not part of the EU, such as the US, Norway and Switzerland, already have operational agreements in place with the EU. Even so, simply by leaving, the UK will reduce its influence and involvement.
Within Europol the entire process is faster, easier and more transparent. There is less paperwork and information travels more smoothly between all participants. Each has access to programmes such as the No More Ransom project, which improves cooperation and provides access to free anti-ransomware tools.
Britain’s exit could also have an impact on the rest of the world. Britain is a key figure in the fight against cybercrime and, if its influence is diminished, it may compromise global efforts in the ongoing fight against cybercrime. The UK serves as a useful bridge linking the efforts of Europe and the rest of the western world. If Britain goes, so does that intelligence link.
Regulations and Data Flows
One area which will remain the same will be GDPR. Europe’s General Data Protection Regulation has had companies hopping about ever since it was announced. The UK very quickly proposed a bill to replicate GDPR last year, which means its goals and provisions will become part of UK law.
On March 29, 2019 the UK will cease to be part of the EU and, barring any agreement or arrangements to the contrary, the export of personal data from the EU to or through the UK will be illegal.
The complication will be that, after Brexit, the UK will be considered a ‘third country’ for GDPR purposes. Data transfers would only be allowed to companies deemed to have adequate cybersecurity provisions.
The UK will need to come to a data transfer agreement to avoid significant pain. A report from the House of Commons Exiting the EU Committee warned of huge pain if there was a data transfer gap after leaving. It also warned there was a high chance of a legal challenge to any data agreement if it left regulatory gaps.
The stakes are high: from an EU perspective, the flow of personal information will contribute 3% of EU gross domestic product (GDP) by 2020.
The EU has said it can only decide on adequacy once it has assessed the UK’s legal framework around data. The report called for the government to start working towards the adequacy process to avoid any gaps post-Brexit. Were such gaps to arise, the impact for everyone could be enormous.
The UK Government estimates that 75% of the UK's cross border data flows are with EU countries. The UK is disproportionately important to the world's data economy: it accounts for over 11.5% of the data flow with just 0.9% of the world’s population and just 3.9% of the world’s GDP.
Banning data transfers from Europe could make it almost impossible for many businesses to operate in the way they do. Estimates suggest that 75% of all the UK’s cross border data flows are with Europe. Companies are routinely moving data across borders and, without an “adequacy agreement”, this may become illegal.
It’s easy to assume that the UK would be able to secure an agreement with the EU, but this is not as straightforward as you might think. Agreements with other countries such as the US have taken years. Without an agreement, companies may have to shift their data to a company which is GDPR compliant, and UK firms could lose clients.
The UK Government is seeking to ensure that businesses sending personal information to or through the UK are not left marooned when the country leaves the EU. It hopes to convince the Commission that UK law post Brexit will provide sufficient privacy protection, and is seeking an "adequacy decision" that will allow the data transfers to continue unabated.
Its efforts include a 15-page discussion paper seeking to underline the importance of data transfers in determining the UK's future relationship with the EU. It offers very little detail and appears frail in comparison with the 260-page GDPR.
Going Separate Ways
The UK’s exit from the EU could also exacerbate differences in strategy that already existed, particularly around the issue of data. The UK has taken a significantly different stance on mass data gathering and its use in intelligence than the EU, where the emphasis has been on personal privacy and control of data.
Differences surfaced with revelations about GCHQ’s surveillance practices during the Edward Snowden affair, in which it was found to have collected vast quantities of emails, Facebook posts and other communications. Claims were made that it may even have been in breach of the European Convention on Human Rights. Now that the two sides are going their separate ways, we may see those policy differences widen. Without a British voice in discussions, EU policy may move further toward data protection, while in the UK we may see more policies along the lines of Theresa May’s Snoopers' Charter.
Theresa May – UK Prime Minister – Introduced the Investigatory Powers Act 2016
This divergence will place pressure on infrastructure. Much of the critical infrastructure will remain interlinked with the EU, but when policies differ, risks could increase if all sides do not collaboratively agree on processes and standards. The NIS Directive will play a significant role here.
Questions also remain as to what degree the UK will align itself with the efforts of its European neighbours. Working with the EU has been a good fit for a cybersecurity policy which focuses on the protection of organisations and individuals. Alternatively, the UK may shift its focus to NATO, which would suit a more militarised type of cybersecurity infrastructure. Establishing the right infrastructure could involve a significant amount of investment in terms of finances and resources, one which may not have been fully understood as yet.
Convincing the EU is far from straightforward: in November 2016 the UK Government introduced the Investigatory Powers Act, nicknamed the "Snoopers' Charter". This allows thousands of police officers and tens of thousands of tax inspectors to see which websites UK citizens are visiting, and it mandates that telecommunications operators retain this personal information. The controversial law also grants information access to officials at the government bodies that pay unemployment benefits and old age pensions, and that regulate gambling, farm workers, food health and air safety.
The Court of Justice of the European Union ruled that similar powers introduced under an earlier law, the Data Retention and Investigatory Powers Act of 2014, were incompatible with EU law. This is indicative of which way the court would lean if asked its opinion.
Irish Cyber Border
Collaboration has been a key to the success of many enterprises that straddle not just their workforce but their technological ecosystem across both islands.
This of course means that the ability to exchange data without significant burden is a fundamental imperative. Not only do individual businesses require a strategy, but collectively Ireland and the UK need a Cyber Brexit Strategy.
A High-Tech Arms Race
Many of the points we’ve discussed so far rely on conjecture. They all depend on what agreements are reached. However, there is one group of people who won’t be worried about cybersecurity in the least: cybercriminals. They are harnessing new technologies to deliver ever-more sophisticated attacks.
The 2017 WannaCry virus which hit organisations around the world including the NHS demonstrated the international nature of this threat. The dangers are enormous. Although we haven’t seen a cyber terrorist attack against air traffic control as yet, it is always a risk. Any system which can be turned off or hacked will be at risk.
The rise of AI means we could also be seeing a battle of the robots in the cybersecurity space. Machine learning can be used to intelligently probe defences for weaknesses. Chatbots could mimic the speech and writing style of your email contacts to make phishing emails much more convincing.
To counter such attacks, cyber security teams will need to be agile and innovative. They will need to embrace new technologies to make sure they keep pace with the attacks coming their way. In a world in which the threat is increasingly international, so too must be the response. Cross-border collaboration will be crucial in keeping the world’s cybersecurity defences up to scratch. Unfortunately, Brexit places a barrier in the way of that collaboration at precisely the wrong time.
The Need for a Brexit Cyber Strategy
This challenge is not limited to the UK. Businesses around the world are planning for the effects of Brexit, particularly those that send EU citizens' personal data to or through the UK for storage or processing.
Every business has a strategy and every business requires a cyber strategy. A cyber strategy needs to be aligned with and support the business mission, and should always be based on the inherent cyber risk of the business model. Understanding and calculating the inherent cyber risk of a business involves factoring in aspects such as Brexit.
Change brings opportunity and within the chaos and confusion that Brexit brings the innovative, the strong, the prepared and the opportunistic will not just survive but will thrive.
“Dublin is the top destination of the leading financial services companies that have already made statements on where they plan to set up their post-Brexit EU bases” – Financial Times, Monday 10th July 2017
Need Help Developing a Cyber Strategy?
Cyber Risk International
P: +353-(0)1-905 3260
Related topics such as “Understanding EU Cyber Legislation and the Brexit Factor” will be discussed at this year’s European Cyber Summit in Dublin on Oct 24th – www.eucybersummit.com
About the Author
Certified as an industry professional by the International Information Security Certification Consortium (ISC2) and the Information System Audit and Control Association (ISACA).
Approved by the National Crime Faculty and the HTCN High Tech Crime Network. He has worked extensively around the world, and his diverse career spans more than 25 years working with military, law enforcement and the commercial sector.
Roles have included:
- President of the ICTTF International Cyber Threat Task Force
- Co Chairman of the UK NCA National Crime Agency Industry Group
- Advisor to NaCTSO (National Counter Terrorism Security Office)
- Advisor to NATO on Countering Hybrid Cyber Threats
- Advisor to UK Defence Committee DEFCOM in Parliament
- Deputy Chair – Organised Crime Task Force Industry Group – NI
- Interim Global CISO for Numerous Multi-National Organisations
- Advisor to Numerous Governments and Intelligence agencies
Paul is a member of a number of industry groups including the IoD (Institute of Directors), IIEA (Institute of International and European Affairs) and the IRM (Institute of Risk Management). As an accomplished serial entrepreneur he has successfully built a number of security practices in the UK & Ireland and in 2016 was identified by Business and Finance as one of Ireland’s Top 100 CEOs.
His career started as a technical networking specialist. He then specialised, trained and qualified in a number of disciplines including, but not limited to, ethical hacking, forensics, international management systems, risk management, business continuity, international governance frameworks, financial service regulations, cyber laws and project management.
Paul C Dwyer is the author of: The Art of Cyber Risk Oversight
Contact: P: +353 (0) 1-905 3260 W: paulcdwyer.com
Appendix A – 10 Reasons BREXIT is bad for Cyber Security
Original LinkedIn Article: Published June 10, 2016
At ICTTF we say “It Takes a Network to Defeat a Network”. The bad guys work as a network and the good guys need to also. Let me elaborate on some of these aspects.
Here are ten reasons Brexit is NOT good for cyber security in the UK or indeed the EU.
1. Cyber Laws Chaos
The cornerstone of “Cyber Law” in the UK is the DPA (Data Protection Act). This was written in 1995 and to put the year into context, that was three years before Google was incorporated. Legislation is struggling to catch up with innovation.
It is planned to morph and develop the DPA into the GDPR (General Data Protection Regulation) on May 25th 2018. The concept is an even-handed, holistic approach across the EU in relation to data protection. The legislation now has the added teeth of eye-watering fines of up to 4% of global turnover or €20m.
We really are dealing with an interesting timing issue on these aspects. What I mean is, this cocktail of legislation is going to create an even greater challenge for UK businesses. For example, let’s throw in the new Directive for Police and Criminal Justice that is set for 6th May 2018.
Now for the big kicker. The “Cyber Directive” that is the NIS (Network Information Security) Directive that comes into play in August this year.
Based on the Lisbon treaty, even if the vote on the 23rd June is deemed “Notice” of leaving Europe, this legislation would still apply for a period, as there is a minimum 2 years notice period to leave the EU.
The Pro-Brexit group may say that leaving the EU means not having to comply, or be concerned with this kind of legislation, however, nothing could be further from the truth. Look at the timing, it will still apply during any potential notice period, and of course common sense would dictate that the UK would still like to do business with the EU even in the event of a post Brexit era. This means UK companies processing the information of EU citizens will still have to comply, but can only influence further policy developments from outside the camp.
2. B2B Cyber Intelligence Sharing
One of the most positive aspects of the upcoming “Cyber Directive / NIS” is that it will act as a positive catalyst for businesses to share cyber threat intelligence. The “me today, you tomorrow” acknowledgement of a pan-European cyber neighbourhood watch for business, sharing and exchanging actionable cyber intelligence via a competent authority framework, is a huge step against the bad guys. The UK not being “in” would of course diminish the effectiveness and capacity of that aspect.
3. Law Enforcement – Cyber Intelligence Sharing
The EC3 (European Cybercrime Centre) and J-CAT (Joint Cybercrime Action Taskforce) initiatives are the poster children for how law enforcement can successfully collaborate in dealing with cyber threats across Europe. The Secure Information Exchange Network Application (SIENA) enables that process, and if the UK is no longer part of it, there will be negative consequences.
4. The Geopolitics Factor
Geopolitics plays a direct role in cyber threats. What happens in the real “physical” world from a political standpoint immediately affects the cyber “virtual” world. Many recent cases come to mind, including Ukraine, where US companies were attacked online. Physical borders being reinstated, and other real world nuances, could feed into the ideology of online groups, or simply those wishing to be part of an online protest. We observe these ideologically motivated cyber threats from countless sources including the Syrian Electronic Army, ISIS and splinter groups from other major groups such as Anonymous.
5. Protecting CNI
On 23rd December 2015, the electricity grid of Ukraine suffered a cyber-attack. This was more evidence of conscious collusion between nation states and criminal groups, and of the capacity of those with the wherewithal to effect a “kinetic” cyber-attack. In the real world, utilities such as gas, electricity and indeed the Internet itself are interconnected as CNI (Critical National Infrastructure) from the UK across Europe. Again, another positive part of a holistic and harmonious approach to establishing a cyber security baseline across Europe via the NIS Directive was to protect the infrastructure that supports our way of life. The entire EU would lose out if the UK left. It would lose the member with the most global outlook, the strongest military and the best diplomatic, intelligence and cyber capabilities.
6. Cyber Economic Disadvantage for UK
It is estimated that the NIS Directive will add €500 billion to the GDP of Europe; this is one of the many benefits that will be derived from it. The reality is that the UK is the front runner in Europe at maturing its cyber resilience and arguably best placed to benefit from the commercial fruits of the NIS Directive. However, if the UK starts creating its own “versions” of these directives, it will not avail of these commercial benefits. Just look at the US post 9/11. If we review the negative effect that the US Patriot Act, and indeed the complexities of “Safe Harbor”, have had on innovation, cloud based technology, big data and all related aspects, we can begin to appreciate the potential downside. There are over 400 cyber related laws, regulations and frameworks from over 175 jurisdictions comprising over 10,000 overlapping and often conflicting controls. Post NIS and GDPR, business can operate in a less complex system, but if the UK does not it will be in the quagmire of cyber controls.
7. Confused Cyber Citizens
Have you a right to be forgotten? Can you issue a data access request? Should you sign up with a UK company or an EU based one? Will your data be transferable? What are the rules? The reality is cyber citizens will be confused and will have increased challenges in understanding their rights as cyber citizens in relation to security and privacy.
8. Confusion of incident response protocol
Cyber incident response protocols are different across Europe as far as what you can and cannot do when investigating a cyber incident. The differences are often cultural and based on the history of nations. Germany, for example, is at one end of the privacy spectrum based on its state history. Cybercriminal gang and cyber terrorist activity is multi-jurisdictional and requires an easily understood and agreed rule set and protocols for responding to, investigating and preventing cyber-attacks.
9. Slow progress - Stagnation with Initiatives
I started this article with the indication that we are playing “catch up” with cyber related legislation. In one way, we could argue that we have sold our souls to the devil in relation to data access, sharing and innovation, and only now are reaping the consequence. EU legislation is about to take a leapfrog forward and put EU states on a level global playing field with the US and other major players that have the benefit of a “harmonised and holistic” approach to dealing with cyber threats. It seems common sense that if the Brexit campaign is successful, a post June 23rd UK would be somewhat “Cyber Dazed” in relation to what is appropriate going forward. All the positive activity and efforts of the CPNI, Cabinet Office and GCHQ could potentially be compromised as a period of cyber instability creeps in: a period in which people are trying to figure out what is ok in the new world.
10. Cyber Black Swan
A black swan in risk terms is simply a massive unknown that can become the norm. A post Brexit UK may have many cyber black swans; the reality is that nobody knows what the real cyber consequences are.
Hopefully this article was food for thought …