The outcome of the recent referendum on the question of Britain’s membership in the European Union has many important implications. These range from the exact modalities of Britain’s future relationship with the EU and other EU-member states, the free movement of labour on the continent, the continued stability of the UK housing market, financial services sector and the overall economy to the question of the very future of Great Britain, and especially Scotland’s role in the Union. While many commentators have rightly pointed out that a very much under-appreciated aspect of Brexit concerns security, the issue of cyber security deserves particular attention in this context.
In our increasingly interconnected world, cyber security concerns everyone, from states, large corporations, SMEs to individuals, and attacks and security breaches are on the rise worldwide. The number and severity of breaches recorded are unprecedented, and the culprits are diverse, including the youthful hacker out of his parent’s basement, criminal gangs, hacktivists, terrorists to state-sponsored hackers.
The implications of a possible Brexit with regard to cyber security do not just touch on questions of the UK’s national security, but also on the continued competitiveness of the UK’s booming cyber security industry, one of the few remaining growth markets in a depressed global economy, as well as on the competitiveness and security of non-cyber related industries and services.
Impact of Brexit on the UK’s cyber security industry
Cybercrime is best combated in partnership with others and by establishing strong and resilient cooperative mechanisms for doing so, and the EU has done much in recent years to raise the level of, and harmonise, cyber security capabilities, regulations, information sharing and cooperation, and facilitate best practice, across the continent.
As Britain’s future relationship with the EU remains uncertain, in the coming months and years it will have to redefine several aspects of a relationship that has previously been taken for granted. This will include a decision on its future relationship with the European Crime Centre (EC3) and Europol as well as with the European Union Agency for Network and Information Security (ENISA) and the newly created European Cyber Security Organisation.
Irrespective of the specific details of its continued engagement with any individual EU agency, network or initiative, a full Brexit will at the very least mean that Britain will no longer have a say in devising any directives and policies the EU develops, and which will be implemented across Europe, and may be left having to play catch up after the fact.
A particular uncertainty in this context relates to the adoption of the EU’s General Data Protection Regulation (GDPR) and the Data Protection Act (DPA). While these regulations will come into effect before the UK potentially departs from the EU, there will be no obligation for the UK to uphold these regulations thereafter. Should the UK decide not to uphold these regulations, then it will become much more difficult, and costly, for UK companies to continue to do business in the EU on par with their European partners and competitors, and demonstrate compliance with its regulations and norms.
Similarly, it is uncertain whether the UK will adopt the new directive on security of network and information systems (NIS), which was adopted throughout the European Union in August.
Shortage of cyber professionals set to become worse
While an argument could be made that the United Kingdom might currently be ahead of its European partners with regard to its overall cyber security posture and measures, this advantage is set to wane as the UK’s pool of talented cyber security professionals diminishes over time – a very real prospect should the UK decide to end, or restrict in any meaningful way, the free movement of labour between the UK and EU member states.
According to Diane Miller of Northrop Grumman, a leading expert on the cyber profession, there is already an estimated shortage of 1.5 million cyber security professionals over the next five years, and new talent is not easy to come by. If travel restrictions were imposed, it would be significantly less attractive for talent to come and work, and build a career, in the UK.
Losing access to EU investment
Yet another way in which the United Kingdom will find itself affected by a Brexit is through the loss of access to the EU’s substantially increased investments into cyber security in recent years. Leaving the European Union will cut the United Kingdom off from the Union’s funding streams for cyber security initiatives, companies, and technologies, including the recently announced, and major, Public Private Partnership (PPP) programme, which is set to raise an expected €1.8bn of investment in cyber security.
When combined with the potential drop in the cyber security talent pool that the United Kingdom might experience in the years ahead, the loss of these advantages and funding streams will deal a big blow to the overall health and viability of the cyber security industry in Britain, and is unlikely to be compensated by investments from the UK government and private sectors.
How vulnerable we have all become to cyber crime should be clear at least since the US National Security Agency’s very own hacker group, the Equation Group, has fallen victim to a substantial security breach, having been hacked and some of their offensive toolkit of exploits and other cyber ‘weapons’ stolen and offered for auction, apparently by a previously unknown group of hackers calling itself the The Shadow Brokers.
The future relationship between Britain and the EU, or even the trajectory for how Britain will seek to extricate itself from the EU and revise, rewrite or create new laws, regulations and new mechanisms for cooperation, remain very much uncertain. When considering the potential implications for both the EU’s and the UK’s national, economic and citizens’ personal security, the competitiveness and growth of its respective cyber security industries and many related issues, there is not much room for error.