How will leaving the EU impact on the UK’s cyber security? If Brexit is generally considered to be about ‘taking back control’ and striking our own deals, how does that sit with fighting cybercrime, a process that has relied on countries collaborating and sharing data?
And what will it mean for those highly skilled EU nationals who work within our cyber security sector, a sector already experiencing skills shortages?
There is no cyber crystal ball we can look through. What is certain, however, is that, at least for the short term, a transitional process will take place. We also have guidance on legal and data protection issues from the Information Commissioner’s Office (ICO).
So, let’s cut through some of the confusion and take a step into cyber security after Brexit.
Brexit transition period
A transition period is in place until December 31 2020 with the possibility of it being extended upon agreement from both sides – although this would seem to be unlikely. During this time most agreements currently in place will remain.
Although the UK has ceased its membership of the EU’s political institutions, including the European Parliament and European Commission, it will have to follow EU rules and regulations. The ICO says it will be ‘business as usual’ for data protection.
What is less certain is what will happen at the end of the transition period, especially if there isn’t a trade deal in place. Organisations will need to consider what the position will be at this point and how to prepare.
The availability of cyber talent
If Brexit brings about the end of free movement across UK borders, the cyber security talent pool – with its skilled EU nationals – may well be depleted further. It is predicted that Brexit will discourage many skilled job-seekers from coming to the UK, while the pipeline of supply from UK universities remains weak.
As reported in an extensive piece by InfoSecurity magazine, experts and IT security professionals have warned that Brexit could have a “chilling” effect on the country’s cyber security industry, by making cross-border intelligence sharing harder, and impacting jobs. What’s more, if EU countries develop attractive hubs of cyber security expertise it’s only likely to make the UK situation even worse for the availability of cyber talent.
Will GDPR still apply after the transition period?
Although the GDPR is an EU Regulation, it will still apply after the transition period. That’s because it will be incorporated into UK data protection law from the end of the transition. Many EU laws, including GDPR, will become UK laws upon exit. The UK will put its own version of GDPR into place, mirroring the exact regulations that have already existed up until this point.
So, in practice there will be little change to the core data protection principles, rights and obligations currently found in the GDPR. Anyone hoping that leaving the EU means a farewell to GDPR will have to think again.
What will the UK data protection law be?
According to the ICO, the Data Protection Act 2018 (DPA 2018), which currently supplements and tailors the GDPR within the UK, will continue to apply. The provisions of the GDPR will be incorporated directly into UK law from the end of the transition period, to sit alongside the DPA 2018.
Will the NIS Directive still apply?
Yes. The NIS rules cover network and information systems. They derive from EU law but are set out in UK law. They will continue to apply post Brexit.
According to the ICO, if you are a UK-based digital service provider offering services in the EU, from the end of the transition period you may need to appoint a representative in one of the EU member states in which you offer services. You will need to comply with the local NIS rules in that member state. If you also offer services in the UK, you will need to continue to comply with the UK rules regarding your UK services.
You may also find our article on the NIS Directive of help: The NIS Directive explained – compliance and guidance.
Can organisations rely on the EU-US Privacy Shield during the transition period?
Yes. During the transition period, UK data exporters and Privacy Shield participants can continue to rely on the Privacy Shield as a legal basis for transfers in the same fashion as they did before the UK left the EU.
Indeed, the United States Department of Commerce’s newly updated Privacy Shield and the UK FAQs confirm that Privacy Shield participants do not need to take any action to continue to rely on the Privacy Shield for personal data received from the UK during the transition period.
How will we work with the EU on cyber security after Brexit?
According to the European Parliament, the UK is a key partner when it comes to fighting terrorism in Europe. It has been, moreover, the second biggest contributor to Europol information systems – the agency that co-ordinates major investigations into Europe-wide organised crime.
So surely the EU will want to work with us and we’ll need to work with them post Brexit?
That’s certainly the view of Michel Barnier, the European Commission’s top Brexit negotiator. He told attendees at the Web Summit in Lisbon in November 2019 that the EU and UK must join forces after Brexit to fight cyber-threats.
“Our new partnership should include the exchange of information on cyber incidents, attackers’ techniques, threat analysis and best practice, including when those target the correct functioning of democratic systems,” Barnier said. “Crucially, we need to have capacity to respond jointly to such attacks.”
The UK response to the WannaCry attack of 2017 is a good example of this kind of joint activity. The UK was instrumental in supporting investigations and enabling hundreds of arrests as part of the Joint Cybercrime Action Taskforce. That’s why EU and UK cooperation on cyber security is vital beyond Brexit as cyber-threats from hostile states intensify and increase in sophistication.
And yet, despite this, after 20 years of involvement, the UK no longer has a place on the team that manages Europol. New arrangements for a new partnership after the transition period have yet to materialise.
What are the threats to the supply chain?
Brexit will see new supplier relationships being formed, many outside of the EU. This risks disruption to the supply chain which may well have been stable and secure for a number of years. As companies form new relationships they might find themselves more vulnerable to a cyber attack based on the levels of information assurance and security present (or lacking) in their new supply chain partners.
As a consequence, UK businesses will need to introduce and adhere to more stringent and thorough supply chain auditing processes. This will require checking that potential new suppliers have robust security processes and tools in place and can comply with industry standards and regulations.
In the December 2019 election, the UK government pledged to ‘Get Brexit Done’ and we have now left the EU. Will we be more or less safe on our own?
If effective cyber security comes from co-operating with other countries and having the required skills present within our own country, cyber security post Brexit would seem to be at greater risk unless a new arrangement or ‘partnership’ can be found.
While the legislation would seem to be in place, at least for the transition period, a post-Brexit UK may struggle to defend itself from cyber-attacks if cooperation with EU agencies and data security authorities declines, along with the levels of security present in the supply chain.
And, on the topic of new deals post Brexit, let’s not even mention the decision to allow Huawei access to 35% of the UK’s 5G network… So, when it comes to cyber security, Brexit certainly isn’t ‘done’ yet.