With the big European referendum just weeks away, Phil Muncaster assesses the impact a Brexit could have on UK information security.
Between Westminster posturing and political expediency, shameless scaremongering and unseemly jingoism, the debate over whether a ‘Brexit’ could affect the UK’s cybersecurity industry has largely been ignored by those who should know better. A poll by Tech London Advocates of its 3,000 senior members in March found a resounding 80%+ want to stay in the EU, but there are some who remain undecided or actively hostile to the status quo.
The government has been happy in the past to claim that cybercrime costs this country as much as £27 billion each year, but it has been reluctant to articulate the impact an exit from the European Union would have on cybersecurity – across public and private sectors. The truth is there are potentially far-reaching repercussions of leaving the world’s largest single market – a region we share vital threat information with, employ cybersecurity professionals from, and are about to share data protection laws with.
Securing the Future
Information sharing is one of those areas of cybersecurity which is still undervalued by organizations. There are compelling arguments suggesting better exchange of key threat intelligence and the like – between public and private sectors and between businesses – improves organizations’ readiness to respond to threats.
However, the fear of giving away a competitive advantage, or allowing sensitive information to slip into the public domain, potentially impacting the all-important share price, has been difficult to allay. In a post-Snowden world, these concerns have been joined by the feeling that over-sharing with data-hungry intelligence agencies may be counter-productive.
While there are as yet no Europe-wide mechanisms for sharing threat intelligence, one does exist at law enforcement level, where Europol co-ordinates things. Its director, Rob Wainwright, has already argued that the UK is dependent on the EU to help protect its security interests – no doubt including security in cyberspace. If it leaves, the UK might be able to renegotiate some kind of agreement on info sharing, but it won’t have the benefits it currently has, such as “direct access to our database, the ability to involve itself into our intelligence projects and many other areas,” he said back in February.
Brian Honan is a security consultant and special advisor on internet security to Europol’s European Cybercrime Centre (EC3). While stressing he doesn’t speak for Europol, he echoes Wainwright’s views.
“Europol’s mandate is to support law enforcement authorities throughout the EU. Should the UK leave the EU then they would not fall under Europol’s mandate and as a result it is likely that different mechanisms would have to be put in place for Europol to work with UK law enforcement agencies,” he tells Infosecurity.
“Europol shares information under its obligations under The EU Data Protection Directive, and other EU regulations, and may have to implement different mechanisms to share certain data with the UK should it leave the EU. Similarly, how the UK shares information with Europol would also have to be reviewed.”
However, Adrian Davis, European managing director at certifications organization (ISC)2, argues that as most info-sharing goes on at a professional rather than institutional level, Brexit would have little impact in this area.
“When it comes to infosecurity knowledge exchange, the key thing is not just sharing knowledge among intelligence agencies, but encouraging the transfer of knowledge across all sectors, from banks to SMEs, both inside Europe and beyond,” he tells Infosecurity.
“The best way to achieve this is through transnational social networks that can bring together infosecurity workers and knowledge from every sector of the economy to create a diverse pool of infosecurity insight drawn from an array of professional perspectives.” In fact, European-wide information sharing initiatives may be nothing more than a pipe dream, such are the differences between member states, he adds.
Incidentally, European security agency Enisa’s only prepared comment for Infosecurity is that at this point in time it “promotes best practices for information sharing and this will continue.” CERT-UK, meanwhile, would not comment directly but says it is “committed to sharing information where appropriate following the vote and will continue to encourage this.”
Plugging the Gaps
Another potentially major impact of leaving the EU on the UK’s information security industry is that it would immediately halt the free flow of labor so despised by pro-leave campaigners, who suggest immigration is ‘out of hand.’ The flip side of this argument, of course, is that in industries with clear skills gaps, such as cybersecurity, a Brexit could make it a lot harder for UK businesses to employ talent from the continent to fill those holes.
Currently, sponsored information security professionals are covered under the Tier 2 visa system – which relates to sectors where there is an official skills shortage. A UK business would sponsor the application and candidate, and if successful that person becomes a PAYE employee. Yet Victoria Sharkey, a partner at immigration law firm MediVisas, argues that a Brexit will reduce the volume of candidates UK firms could hire from.
“As it is unlikely that the limit for Tier 2 visas will be extended this will obviously restrict choice and some employers will find that they are unable to recruit as they wish,” she tells Infosecurity.
The problem is even more pronounced for those employing temporary staff. “It will affect contractors the most, as Tier 2 visas are only for employees. There is no visa which allows contracting,” explains Sharkey. “This may mean that many people who currently want to come to the UK in order to contract would be reluctant to work in the UK as they would be forced to become PAYE employees.”
(ISC)2’s Davis agrees that this could happen, but adds that a skills crisis could be averted if qualifications and experience are prioritized under a new points-based immigration system, as long as those creating the criteria understand the sector.
Out in the Cold?
Perhaps the elephant in the room when it comes to IT security and Brexit is the coming EU General Data Protection Regulation (GDPR). The most fundamental and far-reaching reform to the region’s data privacy laws in decades, it will introduce significant new rules around the right-to-be-forgotten, data portability and mandatory breach notifications, and impose tough penalties on serious transgressors of up to 4% of annual turnover. There are also requirements in there for mandatory data protection officers, and an olive branch for large multi-nationals, which will only have to report to one regulator, wherever their HQ is based.
Many organizations already down the long road to compliance before the likely 2018 deadline will be wondering whether they should halt these preparatory efforts until the Brexit vote in June.
Not so, according to Allen & Overy partner, Nigel Parker. “First, preparing for the GDPR is a significant and long-term project for larger businesses operating across multiple jurisdictions, so there isn’t time to sit back and wait for the result. Secondly, our expectation is that post-referendum the UK would be more likely than not to amend existing data protection legislation to ensure alignment with the GDPR, to enable free movement of personal data from EU countries to the UK,” he tells Infosecurity.
“Taking this into consideration, many companies operating across multiple jurisdictions will feel that the best course of action is therefore to continue to prepare for the GDPR in the expectation that even if the UK did leave the EU, a data protection regime which imposes similar requirements to those in the GDPR would be likely to apply.”
Others argue that a Brexit could cause massive upheaval from a data protection point of view, severely impacting the UK’s digital economy. Chatham House associate fellow, Emily Taylor, is concerned that if the controversial Investigatory Powers Bill passes into law this could require an agreement between the UK and EU in the same manner as the Privacy Shield deal hammered out by the US and European Union, in order to allow data on EU citizens to be stored in the UK.
While ‘Vote Leave’ proponents will argue this can be done, the risk is that while lawmakers are thrashing out a deal – and Privacy Shield took the best part of three years – the market could vote with its feet.
“Given that the Court of Justice of the EU has shown itself pretty allergic to bulk data collection, as envisioned in the Investigatory Powers Bill, there is a risk post-Brexit that the free flow of data between the EU and UK could be impeded,” Taylor tells Infosecurity.
“Moving data is quicker and easier than moving people, buildings or entire businesses. So, if there’s uncertainty over the legal, political or economic conditions, data will often start moving before the laws or policies catch up.”
With the most internet-dependent economy of any G20 nation, this would put the UK in a difficult position. Amazon and Microsoft have both announced new data centers in the UK for this year, adding to the hundreds that are already here belonging to major international cloud providers.
“These companies have a choice where they can store and process their data, and they can move the data offshore quickly should the law require it,” Taylor concludes.
“In this scenario, our homegrown data industries would suffer. Access to valuable EU markets would be in doubt, and the UK’s appeal as an international data center location could diminish.”