LP Magazine EU

Web and Mobile Fraud

Break point over Brexit Point

As the UK presses the nuclear button of Brexit, one of Europe’s leading cyber experts predicts worrying times ahead. 

The UK vote to leave the EU is not good news for cyber security, Paul C Dwyer, one of Europe’s leading online experts, warns.

The man spearheading the International Cyber Threat Task Force (ICTTF) told subscribers to the Cyber Risk Newsletter that there are 10 reasons Brexit is not good for cyber security in the UK, or indeed EU.

In the article he lays out his reasons:

1. Cyber Laws Chaos

The cornerstone of “Cyber Law” in the UK is the DPA (Data Protection Act). This was written in 1995, three years before Google was incorporated. Legislation is struggling to catch up with innovation. It is planned to morph and develop the DPA into the GDPR (General Data Protection Regulation) on May 25th 2018. The concept is to be an even-handed holistic approach across the EU in relation to data protection. The legislation now has the added teeth of eye-watering fines based on up to 4% of global turnover or €20m.

We really are dealing with an interesting timing issue on these aspects. What I mean is, this cocktail of legislation is going to create an even greater challenge for UK businesses. For example, let’s throw in the new Directive for Police and Criminal Justice that is set for 6th May 2018.

Now for the big kicker. The “Cyber Directive” that is the NIS (Network Information Security) Directive that comes into play in August this year.

Based on the Lisbon treaty, today’s vote signals “Notice” of leaving Europe; this legislation would still apply for a period, as there is a minimum two years’ notice period to leave the EU.

During any potential notice period, UK companies processing the information of EU citizens will still have to comply, but can only influence further policy developments from outside the camp.

2. B2B Cyber Intelligence Sharing 

One of the most positive aspects of the upcoming “Cyber Directive / NIS” is that it will act as a positive catalyst for businesses to share cyber threat intelligence. The “me today, you tomorrow” acknowledgement of a pan-European cyber neighbourhood watch for business, sharing and exchanging actionable cyber intelligence via a competent authority framework, is a huge step against the bad guys. The UK not being “in” would of course diminish the effectiveness and capacity of that aspect.

3. Law Enforcement – Cyber Intelligence Sharing 

The EC3 (European Cybercrime Centre) and J-CAT (Joint Cybercrime Action Taskforce) initiatives are the poster children for how law enforcement can successfully collaborate in dealing with cyber threats across Europe. The Secure Information Exchange Network Application (SIENA) enables that process and if the UK are no longer part of that, it will have negative consequences.

4. The Geopolitics Factor

Geopolitics plays a direct role in cyber threats. What happens in the real “physical” world from a political standpoint immediately affects the cyber “virtual” world. Many recent cases come to mind, including the Ukraine whereby US companies were attacked online. Physical borders being reinstated, and other real world nuances could feed into the ideology of online groups, or simply those wishing to be part of an online protest. We observe these ideologically motivated cyber threats from countless sources including the Syrian Electronic Army, ISIS and splinter groups from other major groups such as Anonymous.

5. Protecting CNI

On 23rd December 2015, the electricity grid of the Ukraine suffered a cyber attack. More evidence of conscious collusion between nation states, criminal groups and indeed the capacity of those with the wherewithal to effect a “kinetic” cyber attack. This means in the real world, utilities such as gas, electricity and indeed the Internet itself are interconnected as CNI (Critical National Infrastructure) from the UK across Europe. Again, another positive part of a holistic and harmonious approach to establishing a cyber security baseline across Europe via the NIS Directive was to protect the infrastructure that supports our way of life. The entire EU will lose when the UK leaves. Indeed, it is losing the member with the most global outlook, the strongest military and the best diplomatic, intelligence and cyber capabilities.

6. Cyber Economic Disadvantage for UK

It is estimated that the NIS Directive will add €500 billion to the GDP of Europe. This is one of the many benefits that will be derived from it. The reality is, the UK are the front runners in Europe at maturing their cyber resilience and arguably best placed to benefit from the commercial fruits of the NIS Directive. However, if the UK starts creating its own “versions” of these directives, it will not avail of these commercial benefits. Just look at the US post 9/11. If we review the negative effect the US Patriot Act and indeed the complexities of “Safe Harbor” have had on innovation, cloud-based technology, big data and indeed all related aspects, we can begin to appreciate the potential downside. There are over 400 cyber-related laws, regulations and frameworks from over 175 jurisdictions comprising over 10,000 overlapping and often conflicting controls. Post NIS and GDPR, business can operate in a less complex system, but if the UK do not, they will be in the quagmire of cyber controls.

7. Confused Cyber Citizens

Have you a right to be forgotten? Can you issue a data access request? Should you sign up with a UK company or an EU-based one? Will your data be transferable? What are the rules? The reality is cyber citizens will now be confused and will have increased challenges in understanding their rights as cyber citizens in relation to security and privacy.

8. Confusion of incident response protocol

Cyber incident response protocols are different across Europe as far as what you can and cannot do when investigating a cyber incident. The differences are often cultural and based on the history of nations. Germany, for example, is at one end of the privacy spectrum based on their state history. Cyber-criminal gangs, and indeed cyber terrorists’ activity is multi-jurisdictional and requires an easily understood and agreed rule set/protocols in responding, investigating and preventing cyber attacks.

9. Slow progress - Stagnation with Initiatives

I started this article with the indication that we are playing “catch up” with cyber-related legislation. In one way, we could argue that we have sold our souls to the devil in relation to data access, sharing and innovation, and only now are reaping the consequence. EU legislation is about to take a leapfrog forward and put EU states on a level global playing field with the US, and other major players that have the benefit of a “harmonised and holistic” approach to dealing with cyber threats. This morning we will be somewhat “Cyber Dazed” in relation to what is appropriate going forward. All the positive activity and efforts of the CPNI, Cabinet Office and GCHQ could potentially be compromised as a period of cyber instability creeps in. A period in which people are trying to figure out what is ok in the new world.

10. Cyber Black Swan

A black swan in risk terms is simply a massive unknown that can become normal. A post-Brexit UK may have many cyber black swans, but the reality is that nobody knows what the real cyber consequences are.
