Some weeks have passed since the United Kingdom voted, by a margin of 52 per cent for and 48 per cent against, to leave the European Union, the organization it's been a leading member of since 1973. The tumultuous global reaction to the vote has those of us in information security (and others) asking what impact Brexit will have on cybersecurity.
There are two perspectives to be addressed in answering this question: The first concerns the direct and more immediate implications; and the second, more speculative, addresses possible longer-term, indirect effects.
In the near term
The short-term, direct impact of Brexit on cybersecurity is likely to be minimal. The International Business Times has reported a surge in incidents of politically-motivated website hacking, especially against UK sites supporting EU integration and immigration. This may mark a trend in increased “hacktivism” by individuals targeting governmental institutions, critical national infrastructure, and/or media outlets, both within the EU and the UK. Although these organizations are already common targets of aggressive attack and reconnaissance activities, unexpected mischievous intervention by a State actor could certainly pose a significant threat.
That aside, the UK’s exit from the EU is unlikely to substantially affect European cybersecurity in the near term. European national entities responsible for cybersecurity, for example, already benefit from extensive international cooperation under existing bi- and multi-lateral arrangements through defence, security, intelligence, and dedicated cybersecurity organisations (i.e., the various Governmental Computer Emergency Response Teams, or GovCERTs). Commercial entities, from banks and energy providers to retail organisations and others, similarly cooperate beyond national borders. These cooperative relationships will remain unchanged in the coming months.
More broadly, the European Commission has striven for some years to introduce new structures and regulations to create a pan-European cybersecurity architecture. It's also aspired to create a compulsory information sharing and pooling agency, at Union level, which would take partial competence for cybersecurity from the constituent nations.
The complexity of persuading 28 sovereign nations to agree on a topic as complicated and fast-evolving as cybersecurity has made progress towards these aspirations frustratingly slow. Individual nation states tend to regard national cybersecurity – at least of governmental structures, critical national infrastructure (the vital services which permit society to function), and defence – as an element of national security. That makes them reluctant to transfer responsibility and authority to a trans-national organisation which, by definition, has a base competence of the least sophisticated of its members. Hence, nations could potentially reserve ultimate sovereignty over these matters, while collaborating in others.
Whatever the case, Brexit will almost certainly delay EU initiatives to move competence from member nations to the Union. On a brighter note for the centralisers, it will remove the state least inclined to support such centralisation.
Will the UK remain in the European Free Trade Area, accede to the European Economic Area, or sever all ties with the EU? Until the UK’s eventual status becomes clear, it will remain a moot point to what extent UK data protection and privacy regulation will match that of the EU (which, itself, is contested by member States in some aspects). Only time will tell.
Although the referendum to leave has passed, Britain won’t formally express its intention to withdraw from the EU for some time yet. While a new government has been formed under the new Prime Minister, Theresa May, and the necessary Ministerial appointments have been made to negotiate and engineer withdrawal, a considerable body of work is required before withdrawal under Article 50 of the Lisbon Treaty can be formally invoked.
At the point of invocation, the stopwatch on a two-year timeframe for complete withdrawal will begin to tick – although exit could take longer given the complexity of the issues to be resolved.
As these matters unfold, the more speculative, indirect implications of Brexit will begin to take shape. Early indicators point to an ominous road ahead. We’ve seen international equity and currency markets down sharply, punishing UK shares and the British Pound, perhaps the start of a cycle of fluctuation and instability. (It's ironic that, one month after Brexit, the London Stock Exchange had recovered beyond its pre-Brexit levels, and the exchanges feeling the most pain are still in Frankfurt and Paris.)
The Pound has lost 10 per cent of its value in recent weeks, crashing to a 31-year low against the American Dollar before rebounding slightly. Some currency experts speculate the Pound could sink further, perhaps by as much as 30 per cent in coming months. A weak Pound means increasing costs of crucial imported materials, goods and services and, correspondingly, higher prices for consumers.
The Euro continues under pressure, and the EU’s economic outlook is not particularly rosy either. The UK economy, the world’s fifth largest, is the fastest growing in the EU; its unemployment rate is one of the lowest. There's real danger that with the exit of the UK – the second largest contributor to the EU budget – the EU could find itself in an unpleasant position, facing risk of recession or even depression.
The risk Brexit poses to commerce will affect specific industries more than others. Were unrestricted access to the Single Market to be cut off, for example, EU nations would lose a vital market for their goods and services (and vice versa, of course).
At the same time, London would become a less attractive place for maintaining banking operations – a disaster for the UK given its reliance on the City. Multinational firms with expensive EU headquarters in London might depart for similar reasons. Other sectors at high risk include tourism and manufacturing, along with those firms that rely on the frictionless movement of staff between the UK and the continent.
Lingering political uncertainty. Rising unemployment. Spiraling economic and commercial malaise. Taken together, these factors create fertile ground for lucrative cyber-criminal enterprises. The mere threat of a Brexit-spawned UK or EU-wide economic recession could realistically spur UK- and EU-based cyber criminals to step up schemes and attacks, particularly as those with means to carry out phishing and other types of cyber-mediated fraud find themselves in greater need of ill-gained windfalls.
Globally, cybercrime is already known as a rapidly growing phenomenon. The 2016 PwC Global Economic Crime Survey cites cybercrime as the second most reported economic crime, affecting 32 per cent of organizations. The same survey notes that most organizations are inadequately prepared for cyber-attack, with only 37 per cent having a basic cyber incident response plan in place.
The only certainty in the months ahead is more uncertainty, but the implications of Brexit on cybersecurity are clear: Now is the time to prepare. UK and EU-based firms, as well as those in close contact with them, should reassess their current level of cyber preparedness and anticipate a potential environment in which cyber criminals become increasingly active.