The people of Britain voted for an exit from the European Union in a historic referendum last week. While it’s unclear at this time if the country will actually leave the EU, if it does, the decision could have some consequences for both privacy and cybersecurity.
SecurityWeek has reached out to industry professionals to find out what they think about the implications of Brexit. The primary concerns appear to be related to the General Data Protection Regulation (GDPR), the impact on threat intelligence cooperation, the availability of cybersecurity talent, and how threat actors could leverage the news in the upcoming period.
And the feedback begins…
Stephen Cobb, senior security researcher, ESET:
“On the privacy front, Brexit severs the UK from the pending EU GDPR and potentially places the UK in a position similar to that of the US, struggling to reach an agreement on transnational data privacy protections. Given the close ties and operational similarities between the NSA and GCHQ, it is possible that EU data protection advocates will leverage Brexit to demand privacy assurances that the UK government, and some UK firms, may find onerous. At a minimum, the regulation of transnational data flows just got more complex. For example, US firms will have to deal with two data protection regimes (UK and EU) instead of one (EU).
If Brexit leads to increased social division and political tension, then there could be an uptick in hacktivism. We saw this in the Balkans and it continues to be an issue in some former Soviet states. Bear in mind the tipping point may not be Brexit itself, but the political turmoil caused by aspirations to further devolution, such as Scotland leaving the UK to remain in the EU, or parts of Spain, even core countries such as France and the Netherlands where political parties seeking exit-referendums are now feeling emboldened.”
Mike Davis, CTO, CounterTack:
“I think there are two big issues that will come from Brexit. First, confusion is going to be rampant so the attackers who leverage social media, phishing, or fake advertising as their mechanism for delivering malware will be taking advantage of this for a long while to come. Many of the services provided by the EU, such as the ability to be employed by 100+ countries relatively easily, go away for UK citizens, so fake malicious job apps, etc. will most likely flood the market.
The second is the data privacy rights the EU has pushed forward over the past few years. Now, the UK companies will have to abide by multiple data privacy rules. Many analysts believe other countries will leave too, making this problem get even worse. If a company in the UK wants to work with a company in Scotland and in Spain, they may have to have two separate security controls in place to satisfy both customers. This will be a massive burden on companies.
The data protection issues extend to non-EU countries too, as US companies will have to deal with multiple data privacy issues as they work with different ex-EU member countries.”
Rich Langston, Director, Product Management, Acalvio Technologies:
"The exit of the UK from the EU potentially has a major impact for consumers and businesses alike. Enterprises will need to track the progress of the exit carefully and understand which, if any, of the many EU privacy laws will still be enforced in the UK. A minor example would be the EU's requirements around revealing websites that use tracking cookies - will these apply to UK residents?
More importantly, EU data governance laws dictating that data stay in the EU may mean enterprises will need to migrate data from UK data centers to the continent. A concrete example of this is the "EU-US Privacy Shield" - an agreement not yet in effect that requires certain US companies to follow EU privacy laws for protecting the data of their EU customers. If this law doesn't apply in the UK, it could make things easier for US companies, but if they are storing EU citizens' data in the UK, they may need to rethink that strategy."
Joseph Carson, Head of Global Alliances, Thycotic:
"Over the coming years, the UK will have to renegotiate EU International Data Transfers as well as many trade agreements to have access to the EU market. Nevertheless, while leaving the EU might benefit small local businesses, the many companies who provide services from the UK to EU citizens will not be able to avoid the Data Protection Regulations, as this is mandatory when controlling or processing EU citizens' Personally Identifiable Information.
It is unlikely that due to Brexit the UK will lower the data protection requirements which are closely aligned with the EU GDPR today. UK citizens will want to have the same level of data privacy as their EU neighbors and will want to know when their data has been leaked online."
Troy Gill, Manager of Security Research, AppRiver:
“What will the ramifications of the Brexit vote be for collaborative cross-border efforts such as EC3? The European Cybercrime Centre (EC3), established under the EU Internal Security Strategy, has been active for several years and exists to strengthen the law enforcement response to cybercrime in the European Union. EC3 provides a hub for information sharing and investigation of cybercrime activity across member states. So how will the UK fit into this directive going forward? Hopefully they will find a way to not only keep this relationship afloat but to bolster the effort going forward.”
Dawn-Marie Hutchinson, Executive Director, Office of the CISO, Optiv Security:
"The GDPR applies when an organization stores/processes/transmits data that is about EU individuals or has the potential to identify individuals in the EU – not whether the company is in the EU. Ultimately, what matters most with regard to GDPR is who is the subject of the data, not where does it live.
The GDPR needs to be implemented by 2018. If an organization waits to see how/when/if England is able to separate itself from the EU, the implementation timelines for these very complex data protection rules could be reduced to an unmanageable timeline. This could result in fines as much as 4% of global revenue and personal fines for executives up to 20 million Euros. Therefore, it is impractical to wait out the England timeline and risk significant penalty. A side note: England has data protection standards of their own, and therefore many of the controls in the GDPR exist already.
Organizations need to find a data privacy and security lawyer with a tech focus in order to not only understand the GDPR, but operationalize the technical elements and understand the technical limitations.”
Todd Inskeep, Advisory Board Member, RSA Conference:
“Britain's exit from the EU creates the potential for yet another border, limiting data and information flows and creating challenges for transnational commerce. One of the biggest challenges in information security is creating the trust to coordinate and share information between companies and nations - whether that's the trust for privacy information to tailor marketing messages or threat intelligence and indicators of compromise.
For many countries, breaking the EU ties might reopen questions about which countries can be trusted with citizen and corporate information and how information should be managed crossing borders. Hopefully, the EU exit won't require wholesale renegotiation to rebuild trust and share the information needed to fight fraud and protect business information.”
Nat Kausik, CEO, Bitglass:
"US-based security companies that favored London for business HQ in Europe are already rethinking their choice. Ireland is an attractive alternative."
Peter Merkulov, Vice President of Product Strategy and Technology Alliances, Globalscape:
“In light of the UK’s vote to leave the European Union, the U.S. and UK will likely be governed by a separate trans-Atlantic data sharing agreement, even as the EU considers the final language for the Privacy Shield agreement. In the meantime—and especially with the future of Privacy Shield very much in question as the deadline approaches—the message for U.S. companies doing business overseas is that they must take control of their own data destiny and set high standards for securing and managing data.
Whether or not there is agreement on Privacy Shield in July, the transfer of data across international borders, and the billions of dollars in commerce that relies on that data, must continue. It is imperative that such data be secure and that the policies of those organizations entrusted with its care and management respect the laws of our overseas partners and the privacy of their citizens.”
Ron Arden, Vice President, Fasoo:
"With the British decision to leave the European Union, we may see a trend of corporate headquarters choosing to leave London to stay under the EU. As a result, those organizations could see an increase in employee exits that may bring security and privacy implications. Employees, no matter their position within an organization, have access to sensitive systems and files. Anytime an employee leaves an organization, there should be certain security protocols in place to ensure all access has been removed and that confidential documents are not available and copied for future use.
According to the recent Ponemon survey "Risky Business: How Company Insiders Put High Value Information at Risk," 47 percent of respondents say recently hired employees bring confidential documents from former employers that are competitors. This is something organizations should be vigilant of in the coming months following the Brexit announcement."
Nathan Wenzler, Principal Security Architect, AsTech Consulting:
"One of the most potentially damaging results of this decision may lie in the inability for British companies to easily hire talented Information Security professionals to meet the ever-increasing demand for these skillsets. One of the benefits citizens of EU nation-states possess is that they can freely travel and pursue work in any other EU member country. But, with Brexit approved by UK voters, organizations in England may have a much more difficult time finding the talent necessary to protect their critical data and systems. It is possible that the government may negotiate some sort of program to allow simple and fast-tracked visas for workers, but there is no guarantee the EU will approve such a measure.
Without a large and growing pool of IT and Information Security professionals to pull from, England may find itself in an entirely new crisis: short-staffed and unable to implement and maintain proper security programs to defend their citizens and organizations from data breaches, intellectual property theft, malicious hackers and other forms of cyberattacks."
Omri Dotan, CBO, Morphisec:
“If the UK does not exit the EU, it has to be compliant with all EU regulations including financial, privacy and others. These regulations tend to be the lowest common denominators that are acceptable to all participants, but all participants have to strictly adhere to. This is not only a taxing and limiting set of constraints but often they do not actually help improve security and may even distract from it. Where does the limit lie? It’s hard to say for sure, but the test is simple: if the answer to the question, “did I do this to be truly secure or just to be compliant?” is anything other than, “to be truly secure,” there is a danger you are creating rather than mitigating risk.
Complicating things, the Brexit turbulence and uncertainty present a good opportunity for cyber threat players to take advantage of the situation. Brexit provides the UK with the opportunity to decide what should be the balance between compliance-based strategy versus risk-based strategy. We suggest that for the foreseeable future UK enterprises should build and execute a security-based approach that enhances their defenses and focuses less on compliance. Whatever one thinks of Brexit, security has to be the focus, not compliance.”
Dan Lohrmann, CSO, Security Mentor:
"It is very important for us, as security professionals, to watch the developments throughout the EU and the UK over the next two years in order to comprehend what will truly happen regarding technology and security.
One thing that is evident to me as an American who lived in the UK for nearly seven years is that our American heritage, history and future is closely aligned with the fate of the UK. The result of the Brexit referendum deeply affects the course of future, global events. As the unease settles on both sides, some of the basic questions will be answered, including: Will the UK remain in the free-trading bloc? What EU regulations (including data and privacy) will still apply in the UK? What actions will tech companies in the UK need to take to appease EU customers? What other EU member states will leave?
For more immediate effects, end users around the world should remain on their toes and be on the lookout for an immediate increase in scams, phishing attempts and websites that take advantage of the Brexit confusion to trick people into taking irrational actions related to Brexit and surrounding issues."
Eve Maler, VP Innovation & Emerging Technology, ForgeRock:
"Businesses with customers in the UK and EU already needed to prepare for the new GDPR regime. There is no question that these preparations must continue. And we can expect that the UK, as a major cybersecurity nation, will continue to deliver important guidance on the security and privacy of personal data of its citizens. ForgeRock is already playing a part in this guidance, for example, being used in the Blue Badge application pilot for privacy-enhanced online eligibility checking for disabled parking badges, a project underpinned by GOV.UK Verify, the government's identity assurance solution."
Vijay Basani, Co-founder, President, CEO, EiQ Networks:
"The United Kingdom leaving the EU creates a whole host of cybersecurity unknowns and shortcomings. First of all, the UK is likely to suffer from a shortage of cybersecurity professionals since they won’t be able to employ EU citizens as easily as they do now. Second, the EU’s new data protection regulations that come into effect in May of 2018 mean stricter handling of personal data that will impact the UK legally and financially if it does not comply.
Third, Brexit makes any sort of cooperation between the UK and the EU more difficult, and this has implications for how cybercrimes get resolved. Specifically, the UK relies on information sharing from other EU countries to fight cyber terrorism. Lack of cooperation on this front will mean increased risk or reduced ability to detect and protect against potential cyber attacks in the future for companies in the UK. While these effects won’t be seen until the UK actually leaves the EU, the uncertainty and confusion created by the historic vote add up to an even more challenging cybersecurity landscape.”