Deal, No Deal: The State of U.K. Cybersecurity Post-Brexit
A topic inescapably on the minds of us Brits is what type of relationship the U.K. will maintain with the EU after our departure, which in one transitional form or another is slated to commence on 29 March 2019.
The next few months are considered a pivotal period for defining what this relationship will look like, and as of right now there are many unknowns, including the implications for the U.K.’s cyber assurance capability.
There are broadly three domains across cybersecurity that could be affected by the character of the agreements struck: skills access, legal matters and threat intel sharing.
It is sensible for security leaders in U.K.-headquartered businesses to start thinking about the potential impacts and to consider plans to mitigate them. The below is not an exhaustive exploration, just some initial food for thought.
It is presently estimated that 13% of the world’s cybersecurity skills reside in the U.K., the most of any EU nation. However, the present is not necessarily a great place to be. Recent research carried out by Indeed.com tells us that in the U.K. there is just one candidate for every three cybersecurity job vacancies. This is the second worst applications ratio in the world. This is not an indicator that the U.K. lags in cybersecurity talent per capita. Rather, it is a reflection of the demand for cybersecurity personnel, which is itself driven by the importance of IT to the U.K.’s service-led economy.
Skilled migrants have a long-established role in topping up U.K. business requirements generally. A final deal with the EU that disrupts our ability to easily import part of our cyber-defender workforce without work visas may widen this gap somewhat. The thorn in the side of this matter is that the U.K. government is highly committed to reducing net migration, so it has not so far proposed loosening caps for highly skilled and in-demand workers from outside the EU, such as cyber security analysts.
Interestingly, recent conversations with Heads of Security suggest there is already a significant reduction in the number of applications from candidates in typically strong non-U.K. EU locations. They speculate that the primary reasons are the relative drop in the value of the pound and general unease about what their rights may be from 2019 onwards.
Given the risk that Brexit further intensifies an already sizeable skills gap, the security leaders of U.K. businesses should be considering further means to reduce workforce requirements. Automation and managed services arrangements are sound places to start.
The U.K. government has emphatically embraced all of the EU’s data protection standards, including GDPR. GDPR in particular was considered by government mandarins to be the teeth that were missing from the U.K.’s Cyber Essentials scheme, benefiting citizens who have had their personal data stolen hand over fist.
It is hard to imagine an EU departure scenario in which the U.K. government backs a rollback of these regulations and the necessary enforcement. Doing so would simply kill the ability of the U.K. services sector to reach European consumers. It would also anger the general public, who have gratefully received the benefit: beyond the big sticks forcing organizations to be more careful with their data, there is less spam already!
Rather than standards compliance, a more probable area for damage to the U.K.’s cyber resilience is criminal investigations and prosecutions. The primary reason that cybercrime is so rife across eastern countries is that hackers attack western victims and exploit the complexities of international investigation, prosecution and extradition. Whilst the U.K. has extremely capable agencies, at present it has access to a number of EU-operated law enforcement tools that we may not retain after Brexit. Two examples are the European Arrest Warrant (EAW), for capturing criminals evading justice across borders, and Europol’s European Cybercrime Centre (EC3).
Of these two examples, retained access to Europol has been a particularly contentious matter to date, perhaps not surprisingly given that the agency states its primary goal as “helping achieve a safer Europe for the benefit of all EU citizens.” U.K.-headquartered businesses with cross-EU operations would therefore be very sensible to start establishing how they can continue to collaborate with EC3 through local arrangements in the event of a Brexit agreement that excludes the U.K. from the agency itself.
Threat Intel Sharing
Of the capabilities at risk from a highly divergent relationship, the most significant may be reduced access to shared threat intel.
Whilst the U.K. has its own extremely powerful agencies gathering threat intel on nation-state and serious cybercriminal threats (GCHQ, NCSC), there are many other sources that are EU projects. They include the European Union Agency for Network and Information Security’s (ENISA’s) Cybersecurity Incident Response Team (CSIRT) Network and its Network and Information Security (NIS) Cooperation Group, as well as Europol.
The U.K. could retain access to these resources on a global basis if the topic of contributing to EU budgets is depoliticized, but as of right now the U.K. has never faced a more political topic than Brexit!
At a national security level, the U.K. risks a net reduction in situational awareness of major cyber threats. It could be said that we could cover the gaps over time. However, threat intel works best when the administrative costs of gathering the data are minimized, and there is no better way to minimize costs than to share them!
That said, U.K.-headquartered businesses with cross-EU offices that have enjoyed the benefit of intel feeds from some of the above-mentioned agencies could continue to do so through local office liaison, and of course by increasing their involvement with organizations like the Cyber Threat Alliance (CTA), which holds significant threat intel on Europe-wide threats.
In summing up, despite its strategic significance to both the U.K. and the EU, the cybersecurity dimension of Brexit has received very limited exposure in the press and media to date. As well as starting to think about what Brexit could mean for their businesses, it is the task of British cybersecurity leaders to raise the topic with the general public and (for the brave!) politicians. Doing so is the only way to ensure that the security of our online digital economy and society is not diminished.