Before the EU referendum, AlienVault research found that 38% of people working in the IT industry feared that a Brexit would leave the UK more vulnerable to cyber attacks. Of course, the majority of UK citizens did vote leave and the UK is indeed heading for a Brexit. But are we also heading toward more threats and increased vulnerabilities?
Catching up with AlienVault’s Javvad Malik, CBR asked the security advocate what he thought the cyber security landscape would look like post-Brexit – though Malik did state that many aspects would remain uncertain until Article 50 is invoked and terms begin to be negotiated.
EB: Although the UK remains part of NATO and Five Eyes, do you think Brexit will make the UK more vulnerable to cyber attacks?
JM: “Nothing will significantly change from a technical perspective that would introduce more vulnerabilities to the UK’s cyber infrastructure. The only real change is whether attacks on the UK could stem from a nationalistic perspective as a form of retaliation for leaving the EU – however, there is little evidence to support the notion that leaving the EU will make the UK a preferred target.”
EB: Are there any specific threats the UK will face post-Brexit, that it wouldn’t as a member of the EU?
JM: “On the surface, no specific threats come to mind that will impact the UK on leaving the EU. IT security largely remains border-agnostic. Criminals can set up and launch attacks anywhere in the world against any target.”
EB: How will the UK leaving the EU make it easier for cyber attackers to launch attacks? What sort of attacks are you anticipating to see post-Brexit?
JM: “We will probably see opportunistic attacks such as phishing scams which will claim that they have to follow a link or risk being deported, or re-enter their bank details or their money will be held by European Banks; the typical scaremongering or misinformation that is spread after any world event.
More than external, the internal social dynamics will likely lead to more threats.
There has been a marked increase in racial hate crime reported across the UK since Brexit. A natural assumption is that this will inevitably spill over into the cyber landscape – where any non-UK entities (companies, groups, events) present or operating in the UK could face some forms of attacks.”
EB: In an industry which struggles to share intelligence, how will Brexit affect threat intelligence/data sharing in the UK?
JM: “There are three aspects to this – sharing technical intelligence, sharing personally identifiable information, and the legal prosecution part. From a technical intelligence sharing perspective, threat details will likely continue to be shared between enterprises in the same manner they are shared today. There are threat sharing communities set up globally, using platforms such as Open Threat Exchange (OTX) to collaborate on identifying the latest attacks.
Depending on whether or not the UK is considered to have adequate controls by the EU post-exit, it could impede the sharing of information which could be used to identify individuals. The impact is that the less information available, the more difficult it becomes to make accurate determinations.
This ties into the third point which is around prosecution and law enforcement. It is dependent upon the terms that are agreed, but it will be very likely that there will be some reduced cooperation in criminal investigation and policing between the UK and EU. This will have ramifications on how data is shared and the success rate in prosecutions.”
EB: What about data post-Brexit? Will sovereignty rules and GDPR affect how the UK stores and protects data?
JM: “This will be dependent on whether or not the EU determines the UK to have adequacy to continue to operate in the safe data zone. Either way, any UK-based companies wishing to exchange data with Europe will need to demonstrate adequate controls, so will be subject to GDPR (or equivalent) controls for assurance. Therefore, despite Brexit uncertainties, from an enterprise security standpoint, it is advisable that UK companies continue to pursue GDPR activities to achieve compliance.”