Some weeks have now passed since the United Kingdom voted by a margin of 52 percent to 48 percent to leave the European Union, of which it has been a leading member since 1973. The tumultuous global reaction to the vote has those of us in information security industry and others asking what impact Brexit will have on cyber-security.
There are two perspectives to be addressed in answering this question: the first concerning the direct and more immediate implications and the second, more speculative, addressing possible longer-term, indirect effects.
In the Near Term
The short-term, direct impact of Brexit on cyber-security is likely to be minimal. The International Business Times has reported a surge in incidents of politically-motivated website hacking, especially against UK sites supporting EU integration and immigration. This may mark a trend in increased “hacktivism” by individuals targeting governmental institutions, critical national infrastructure, and/or media outlets, both within the EU and the UK. Although these organisations are already common targets of aggressive attack and reconnaissance activities, unexpected mischievous intervention by a State actor could certainly pose a significant threat.
That aside, the UK's exit from the EU is unlikely to substantially affect European cyber-security in the near term. European national entities responsible for cyber-security, for example, already benefit from extensive international cooperation through existing bi- and multi-lateral arrangements through defence, security, intelligence, and dedicated cyber-security organisations (i.e., the various Governmental Computer Emergency Response Teams, or GovCERTS). Commercial entities ranging from banks, energy providers, retail organisations, and others similarly cooperate beyond national borders. These cooperative relationships will remain unchanged in the coming months.
More broadly, the European Commission has striven for some years to introduce new structures and regulations to create a pan-European cyber-security architecture. It has also aspired to create a compulsory information sharing and pooling agency, at Union level, which would take partial competence for cyber-security from the constituent nations.
The complexity of persuading 28 sovereign nations to agree on a topic as complicated and fast-evolving as cyber-security has made progress towards these aspirations frustratingly slow. Individual nation states tend to regard national cyber-security – at least of governmental structures, critical national infrastructure (the vital services which permit society to function), and defence – as an element of national security. That makes them reluctant to transfer responsibility and authority to a trans-national organisation which, by definition, has a base competence of the least sophisticated of its members. Hence, nations could potentially reserve ultimate sovereignty over these matters, while collaborating in others.
Whatever the case, Brexit will almost certainly delay EU initiatives to move competence from member nations to the Union. On a brighter note for the centralisers, though, at the same time, it will remove from the process the state least inclined to support such centralisation.
Will the UK remain in the European Free Trade Area, accede to the European Economic Area, or sever all ties with the EU? Until the UK's eventual status becomes clear, it will remain a moot point to what extent UK data protection and privacy regulation will match that of the EU (which, itself, is contested by member States in some aspects). Only time will tell.
Longer Term Implications
Although the referendum to leave has passed, Britain won't formally express its intention to withdraw from the EU for some considerable time yet. While a new government has been formed under the new Prime Minister, Theresa May, and the necessary Ministerial appointments have been made to negotiate and engineer withdrawal, a considerable body of work is required before withdrawal under Article 50 of the Lisbon Treaty can be formally invoked. At the point of invocation, the stopwatch on a notional two-year timeframe for complete withdrawal will begin to tick – although exit could take longer given the complexity of the issues to be resolved.
As these matters unfold, the more speculative, indirect implications of Brexit will begin to take shape. Early indicators point to an ominous road ahead. We've seen international equity and currency markets down sharply, punishing UK shares and the British Pound, perhaps the start of a cycle of fluctuation and instability. (It is ironic that, one month after Brexit, the London Stock Exchange had recovered beyond its pre-Brexit levels, and the exchanges feeling the most pain are still in Frankfurt and Paris.)
The Pound has lost 10 percent of its value in recent weeks, crashing to a 31-year low against the American Dollar before rebounding slightly. Some currency experts speculate the Pound could sink further, perhaps by as much as 30 percent in coming months. A weak Pound means increasing costs of crucial imported materials, goods, and services and, correspondingly, higher prices for consumers.
The Euro continues under pressure, and the EU's economic outlook is not particularly rosy, either. The UK economy, the world's fifth largest, is the fastest growing in the EU; its unemployment rate is one of the lowest. There is real danger that with the exit of the UK – the second largest contributor to the EU budget – the EU could find itself in an unpleasant position, facing risk of recession or even depression.
The risk Brexit poses to commerce will affect specific industries more than others. Were unrestricted access to the Single Market to be cut off, for example, EU nations would lose a large and important market for their goods and services (and vice versa, of course). At the same time, London would become a less attractive place for maintaining banking operations – a disaster for the UK given its reliance on the City. Multinational firms with expensive EU headquarters in London might depart for similar reasons. Other sectors at greatest risk include tourism and manufacturing, along with those firms that rely on the frictionless movement of staff between the UK and the continent.
Lingering political uncertainty. Rising unemployment. Spiralling economic and commercial malaise. Taken together, these factors create fertile ground for lucrative cyber-criminal enterprises. The mere threat of a Brexit-spawned UK or EU-wide economic recession could realistically spur UK- and EU-based cyber-criminals to step-up schemes and attacks, particularly as those with means to carry out phishing and other types of cyber-mediated fraud find themselves in greater need of ill-gained windfalls.
Globally, cyber-crime is already known as a rapidly growing phenomenon. The 2016 PwC Global Economic Crime Survey cites cyber-crime as the second most reported economic crime, affecting 32 percent of organisations. The same survey notes that most organisations are inadequately prepared for cyber-attack, with only 37 percent having a basic cyber incident response plan in place.
The only certainty in the months ahead is more uncertainty, but the implications of Brexit on cyber-security are clear: now is the time to prepare. UK and EU-based firms, as well as those in close contact with them, should reassess their current level of cyber preparedness and anticipate a potential environment in which cyber-criminals become increasingly active.
Contributed by Henrik Kiertzner, principal business solutions manager, SAS UK