In-brief: The UK’s decision to leave the EU will have vast implications in the area of information security: from the standing of laws governing cyber crime and e-commerce to the decisions made by information security and technology firms that use the UK as their base for EU Operations, according to an analysis by ABI Research.
The news this morning is all about voters in the UK voting to leave the European Union, after four decades of cross-Channel cooperation. The ramifications of the success of the Leave vote are yet to be fully understood – by anyone, the UK public and lawmakers included. Needless to say, the implications for “cyber” are hardly at the top of most pundits’ list of talking points.
For the readers of this blog, though, that’s a darned good question. I was pleased to read Michela Menting’s astute analysis over on the ABI Research blog. Menting, who is a Research Director at ABI, does a good job sketching out the consequences for the UK both in terms of information security policy and business.
In some ways, the “cyber” take on the Brexit is a microcosm of the entire challenge facing the UK government on Friday morning. Notably: most of the UK’s existing cyber security legislation is based on broader, EU legislation and directives, such as those on e-Commerce and Data Protection in the early 2000s, the EU Directive on Data Retention in 2006, and so on. In the area of cybercrime, Menting notes that the EU proposed a Council Framework Decision in 2005 on attacks against information systems which was later implemented as Directive on Attacks against Information Systems, adopted in August 2013. From her analysis:
The UK has adapted all of these in some shape or form into national legislation.The UK will have to rule on the continued applicability of these instruments, as well as how they will address the incoming GDPR and NIS Directive. It is likely that the UK will not substantially alter existing legislation, as this may potentially jeopardize how UK organizations deal with clients and customers not just in Britain but in the rest of the EU. Going forward, both the GDPR and the NIS Directive state that operators and data controllers will be covered by the legislative requirements if they operate within EU markets and involve EU citizens. Seeing the high level of trade that the open market has brought in the UK in the past 4 decades, many UK organizations will need to comply if they want to continue trading and operating in EU markets. The UK will likely adopt national legislation in line with both instruments.
In addition to legislation, the UK will need to review its role within EU law enforcement and information security agencies notably the European Police Office (Europol) and the European Union Agency for Network and Information Security (ENISA). The Union has bolstered efforts recent years with the publication of the EU Cyber Security Strategy and the creation of the European Cybercrime Centre (EC3) within Europol in 2013. EC3 has become the focal point in the EU’s fight against cybercrime, supporting member states and EU institutions in building operational and analytical capacity for investigations and cooperation with international partners. The UK’s involvement in these institutions will again depend on the country’s ability to negotiate favorable terms regarding its role. Organized online criminal activities are undeniably best tackled from a cooperative, supra-national perspective, and the UK’s isolation that may result from Brexit would be an unwelcome development in the fight against cybercrime. Further to this, new cybersecurity information and asset sharing structures will need to be put in place between the EU and the UK.
On the economic front, Menting observes that the same dynamic is at play as in the rest of the tech industry. Namely: information security firms that set up shop in the UK as a launching pad to the European market will now need to rethink that decision, given that the UK and EU are parting ways. That doesn’t mean they’ll leave the UK, but it may mean that they greatly reduce their presence there in favor of countries like Ireland (or maybe Scotland) as well as France, Germany or Netherlands in order to continue to be able to work seamlessly within the EU.
In short: there’s much uncertainty and much work to be done to untangle UK cyber security laws – and consider that this is just one, small area. There’s no reason to think that the UK will depart wildly from laws it already has on the books, but it seems likely that much work still will have to be done as this messy divorce proceeds.
Read more here: Brexit v. EU: A Cybersecurity Perspective | ABI Research