Risk of cybercrime increases with Brexit ‘uncertainties’.

Britain today has a key role in the global fight against cybercrime.  If its influence is in any way diminished by Brexit, it will compromise worldwide efforts in the ongoing fight against cybercrime.

The UK is a linchpin between Europe and the rest of the Western world.  If Britain is not able to operate freely, that intelligence link will be lost.

We are conscious that we are approaching a ‘cliff-edge’ as it is referred to by the European Commission.  The UK’s position post-Brexit is far from certain. 

Warnings have come from both the UK Parliament and the European Union.  EU Chief negotiator, Michel Barnier, has said that the UK could find itself locked out of agreements such as the European arrest warrant, Eurojust and Europol.  Working through the details of these complex arrangements is a stretch given less than 9 months remain.  Barnier believes that security cooperation is based on trust - and, by leaving the EU, the UK puts that trust at risk.   

Meanwhile, cyber threats continue to evolve - and the lines between criminal, ideological and politically motivated attacks are increasingly blurred.  Nations have to be able to control their utilities and critical infrastructure, without having to render it useless through restricted access to it. 

Few of us are in a position to discriminate between ‘truth’ and ‘fake-news’ – which is now being spun through sophisticated and personally targeted algorithms for maximum impact.  This way of influencing the opinion of hundreds of millions of people is a fundamental attack on democracy.

Few of us will not have received letters of apology from banks and businesses that we had every right to trust.  The latest has come today (15 August 2018) from Curry’s-PC World – and if any organisation should have been on their game, we might have expected the largest IT retailer to have been better prepared.  Instead, personal details from up to 10 million UK households have been ‘accessed’ [full text in the reference section, below].

They are not alone.  One leading cyber expert thinks that four out of ten companies had experienced some form of cybercrime over the past 12 months.

Brexit is already having an impact as recruiting and retaining qualified and specialist experienced cyber-crime staff becomes more difficult – with nearly half of businesses reporting a skills shortage in this area.  This is set to increase as we have been reporting the evidence of increasing reluctance of EU workers to come to and settle in the UK – with uncertainties over registration, residency status and cost quoted.  And the quotas, application hurdles and costs of employing non-EU citizens preclude recruitment from the global pool.

The increasing importance of, and requirement for, data for both analytics and transaction has arrived in the 40 years that the UK has been a member of the EU – and the regulatory framework for this has been set at bloc level – for instance data exchange and privacy requirements such as GDPR.  At the moment of Brexit, the UK ceases to be bound by this EU framework.  As a ‘third country’ for GDPR purposes, data transfers would only be allowed to companies deemed to have adequate cybersecurity provisions. 

And thereby lies another Brexit ‘dichotomy’.  The EU has said it can only decide on adequacy once the EU has assessed the UK’s legal framework around data.  If the UK fails to complete this work before Brexit – in time for the adequacy assessment process – and assuming no gaps are identified – and all UK organisations exchanging data have implemented the framework – the impact could be huge.

The UK Government have the stated intention of ensuring that businesses can send and receive personal information to the EU through the “adequacy” provision (although this took several years to complete with other countries, such as the USA).  They have issued a 15-page ‘discussion’ paper that underlines the importance of data transfers in determining the UK's future relationship with the EU.  However, this is light on detail – and appears: “frail in comparison to the 260 page one on GDPR” according to one industry expert.

Another area of tension that already exists between the UK and EU may add to the difficulties of reaching agreement.  The UK Government enacted the ‘Investigatory Powers Act’ in November 2016.  This empowers police officers and tax inspectors to obtain lists of websites visited by UK citizens.  Telcos are legally required to hold this personal information and release it further to government bodies that: make grants; pay unemployment benefits; administer old age pensions; and that regulate gambling, farm workers, food health and air safety.

The Court of Justice of the European Union (ECJ) had already ruled that such powers are incompatible with EU law.  Whilst it is by no means clear what right of appeal, if any, the UK would have should they ‘fail’ the European adequacy assessment – since, post-Brexit, the status of the ECJ is as yet uncertain in such matters – their previous judgement may be taken as a fair indication of their leaning.  

Cybercrime counter measures need to be continually strengthened – at global, European, NATO, National and Organisational levels.  To counter threats, such as the 2017 WannaCry virus global attack that closed down the NHS - and Artificial Intelligence increasingly empowering a battle of the robots in the cybersecurity space - cyber security teams will need to be agile and innovative.

Cross-border collaboration will be crucial in keeping the world’s cybersecurity defences fit for purpose.  Brexit places a barrier in the way of that collaboration at a critical time for an uncertain and troubled world.  We will address issues of European collaboration as the Brexit negotiations progress – along with the results of work coming from academic studies that are under way and UK Parliamentary Select Committees who are addressing all aspects of Security and cooperation with EU agencies, such as: Europol; EC3 (European Cybercrime Centre); J-CAT (Joint Cybercrime Action Taskforce); and the Secure Information Exchange Network Application (SIENA) that enables SIS, the European Arrest Warrant, and more.


Curry’s-PCWorld – 15 August 2018: “Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017.  This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.

While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result.  We are continuing to keep the relevant authorities updated.

As a precaution, we are letting our customers know to apologise and advise them of protective steps to take to minimise the risk of fraud.”

John Shuttleworth