The British decision to leave the European Union seems to have surprised everyone and caused knee-jerk reactions around the world. The immediate response has sent the pound tumbling and raised suggestions that Britain is now a sitting target for cyber criminals. Let’s start with the facts. Firstly, Britain is not yet leaving the EU. The referendum is only advisory for the government, and only the government can choose to leave.
That will require a majority vote in Parliament to invoke Article 50 of the Treaty of Lisbon — and that won’t happen while David Cameron is prime minister. It is not guaranteed that Parliament will get that majority since the majority of MPs do not wish to leave. If and when Article 50 is invoked, it will start a two-year period in which both sides negotiate exit terms. During all of this period, the UK will remain a full member of the European Union. And it is in everyone’s interest to reach an amicable and smooth exit.
The primary security concerns revolve around General Data Protection Regulation (GDPR) issues, a loss of threat intelligence cooperation with Europe, an increasing cost of security (because of the falling value of the pound), and the loss of access to European technical expertise. Each one of these should be considered rationally.
GDPR is likely to go ahead in the UK. Technically, it must go ahead since it will become law before the UK actually leaves the European Union. Practically, it will go ahead because it is the easiest way to maintain ‘privacy adequacy’ and continue easy trading between the UK and Europe. This immediately removes one of the big issues: there will be no need for US companies to move servers from London to The Hague simply to conform to GDPR.
“In fact,” comments Drew Koenig, a former corporate CISO and now security solutions architect at Magenic, “the new GDPR guidelines voted in this year and going into effect April 2018 are not geographically focused. Brexit or not, all countries in the agreement, which the UK is, will have to abide by the GDPR rules where EU citizens’ data is housed whether the servers are in France, the UK or the US. Brexit does not remove or lessen security obligations, nor should it.”
Koenig sees the Brexit challenges as economic rather than security. “For the US, decisions to stay in or out of the UK will come down to what the new trade agreements and financial industry impacts will be. Companies may move in or out of the UK for those economic reasons, tax shelters, currency strength, etc — but from an information security standpoint I don’t see anything changing in the security requirements or being a driver to move.”
This introduces one of the big unknowns for the next decade: will the Transatlantic Trade and Investment Partnership (TTIP) be agreed, and what effect will it have on EU law and trading arrangements? If the US, Europe and the UK all sign, it will be a far bigger trading bloc than the EU alone. Added to this, the UK economy, the fifth largest in the world, will have greater freedom of movement outside of the EU. The government will be completely free to make the UK as attractive as possible to foreign investment and companies.
Ilia Kolochenko, CEO and founder of High-Tech Bridge, believes that the UK is and will remain an attractive destination for both investment and technical expertise. “When talents from developing countries come to the UK,” he told SecurityWeek, “they intentionally choose to come for the quality of life and strong economy — something the majority of EU members don’t have these days. Investors will probably also keep their assets in the UK, moreover some will invest more while the pound is weak.” In other words, Brexit will have little effect on the UK’s technical ability — if anything, it is likely to make it stronger.
This leaves us with the final suggestion: that cyber security within the UK will suffer. There are two primary concerns. Firstly that corporate security defenses will be weakened, and secondly that international threat intelligence sharing with Europe will diminish.
For the latter, it assumes there will be less cooperation between the UK’s National Crime Agency (NCA) and Europol. This simply will not happen. The NCA’s direct access to GCHQ intelligence, and indirect access to the NSA via GCHQ, means that the UK is too valuable to ostracize. Although the Five Eyes loses its eye inside Europe, much of the world’s communications still has to pass through GCHQ territory between Europe and the US.
For the former, the assumption is that the UK’s weakened buying power will stop UK companies from investing in security. It is certainly true that in the short term the same budget will buy less product — but whether this will weaken security is a moot point. Few companies have a fully rational defense. In most cases it has grown haphazardly over the years. This may be a good opportunity for a complete overhaul and rationalization, saving money and actually improving security at the same time. This is necessary anyway as UK companies — and other companies around the world — prepare their business and security processes for GDPR.